Automation systems security issues

Supervisory Control and Data Acquisition (SCADA) systems are used for remote monitoring and control in the delivery of essential services such as electricity, natural gas, water, waste treatment and transportation. They used to live in closed networks, but nowadays more and more automation and control equipment is connected to the Internet. Many of these devices are intentionally connected to allow remote operation, and some are connected to the Internet unintentionally. Many Internet-connected control systems have serious security issues (for example, some still have default passwords and some have known security vulnerabilities in their software).

Researchers at Aalto University did a study in January 2013 to look into the status of Finnish cyber-security. The researchers found 185 000 devices in Finland that answer HTTP requests. There is nothing wrong with that. What is alarming is that they found 2915 automation system devices quite openly connected to the Internet in Finland (in a re-check done in March 2013 some of them were no longer on the network, but 1969 devices were still visible). Those open devices can be accessed from the public network, and 60 per cent of the devices found have known vulnerabilities. A number of the devices also have user names and passwords that are easy to find out.

The conclusion was that it would be quite possible to interfere with Finnish society through network attacks on open automation systems. Compromised systems were found in power plants, a hospital, industrial automation systems, building automation, one prison and a traffic control system. Most of the devices found should not be open on the Internet at all, because there they are vulnerable to attack.

For more details, read the full report Suomen automaatioverkkojen haavoittuvuus – Raportti Internetissä julkisesti esillä olevista automaatiolaitteista. The report is written in Finnish. It is interesting reading.

The researchers used the Shodan search engine to find those devices. They relied on the information given by this search engine and did not test whether those systems were actually hackable (that would have been illegal).

It is estimated that this search engine has mapped only 20 to 30 percent of Finland’s IP addresses, so in reality there are many more vulnerable devices connected to the Internet in Finland. It is therefore quite possible that there are up to 10 000 automation systems in Finland open to network attacks.

What is this Shodan the researchers used to get information on those devices? It is a special search engine that tries to map everything connected to the Internet, from desktop computers to network printers to Web servers. Over the past two years, Shodan has gathered data on nearly 100 million devices, recording their exact locations and the software systems that run them.

Rather than locating specific content for a particular search term, Shodan is designed to help the user find specific nodes (desktops, servers, routers, switches, etc.) with specific content in their banners (which typically advertise the service and its version). Because Shodan makes locating devices on the Internet easier, it also exposes them to new risks. The article Cyber search engine Shodan exposes industrial control systems to new risks tells that Homeland Security officials have warned that the obscurity that had protected many industrial control systems was fast disappearing in a flood of digital light.

I also mentioned those dangers in my Security trends for 2013 article. The designers and installers who put together those automation systems should be more careful in what they do. And the people who buy those systems should also think about security (and demand it) instead of just looking for the cheapest price. There are many ways to protect those devices and to communicate over the Internet safely. Advice to companies that use automation systems: check the protection of your systems.
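As a practical form of "check the protection of your systems", the following script is an added example (not code from this post, the Aalto study or Shodan) that triages service banners collected from an organisation's own address space: it flags well-known automation protocol ports and product banners, and separately flags management services that carry credentials without transport encryption. The banner records are constructed (TEST-NET-2 addresses), the port numbers are publicly documented protocol defaults, and the keyword list is a starting point rather than a complete product catalogue.

```python
"""Triage of service banners collected from an organisation's own address
space: which hosts look like automation equipment, and which expose
clear-text management services.

Added example; not code from the original post, the Aalto study or Shodan.
Banner records are constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Well-known ports of industrial and building-automation protocols.
AUTOMATION_PORTS = {
    102: "Siemens S7 / ISO-TSAP",
    502: "Modbus/TCP",
    1911: "Tridium Niagara Fox",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Banner substrings that point at automation products (constructed list).
AUTOMATION_KEYWORDS = ("simatic", "niagara", "modbus", "bacnet", "scada", "plc")

# Management services that send credentials without transport encryption.
CLEARTEXT_MGMT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}

VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)?\b")


@dataclass
class Banner:
    ip: str
    port: int
    text: str


@dataclass
class Finding:
    ip: str
    port: int
    severity: str
    reason: str


def triage(banners):
    """Return one Finding per exposure recognised in the banner records."""
    findings = []
    for b in banners:
        low = b.text.lower()
        if b.port in AUTOMATION_PORTS:
            findings.append(Finding(b.ip, b.port, "high",
                f"{AUTOMATION_PORTS[b.port]} reachable from the public network"))
        elif any(k in low for k in AUTOMATION_KEYWORDS):
            # Banners usually advertise a version string; record it so the
            # owner can check it against published advisories.
            version = VERSION_RE.search(b.text)
            note = f" (advertises version {version.group()})" if version else ""
            findings.append(Finding(b.ip, b.port, "high",
                f"automation product banner exposed{note}"))
        if b.port in CLEARTEXT_MGMT_PORTS:
            findings.append(Finding(b.ip, b.port, "medium",
                f"{CLEARTEXT_MGMT_PORTS[b.port]} management interface without transport encryption"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 2}."""
    return dict(Counter(f.severity for f in findings))


def flagged_hosts(findings):
    """Sorted list of hosts with at least one finding."""
    return sorted({f.ip for f in findings})


# Constructed sample export: what a scan of your own ranges might return.
SAMPLE_BANNERS = [
    Banner("198.51.100.10", 502, ""),                               # bare Modbus, no text
    Banner("198.51.100.11", 80, "Server: Niagara Web Server/3.5"),
    Banner("198.51.100.12", 22, "SSH-2.0-OpenSSH_5.9"),
    Banner("198.51.100.13", 23, "\r\nSIMATIC S7 console login: "),
    Banner("198.51.100.14", 443, "Server: nginx/1.2.1"),
]

if __name__ == "__main__":
    results = triage(SAMPLE_BANNERS)
    for f in results:
        print(f"{f.severity:6} {f.ip}:{f.port}  {f.reason}")
    print(summarize(results))
```

Run it against the constructed sample and three of the five hosts are flagged: the bare Modbus listener, the Niagara web interface (which is also a clear-text HTTP finding) and the Simatic console on telnet. The SSH and HTTPS hosts produce nothing, which is the point: the script separates "a service is reachable" from "a control system is reachable without protection".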

74 Comments

  1. Tomi Engdahl says:

    Aalto University: we are not guilty of the data breach

    But how has this report been made, as port scanning is, according to the law, an attempt to commit a security breach?

    Aalto University network engineering professor Jukka Manner said that the report was carried out in close cooperation with the National Bureau of Investigation and Ficora. The researchers confirmed with the authorities exactly what they were allowed to do.

    “We have not done port scanning”

    The report data are from Shodan database, which is public.

    Source: http://www.tietoviikko.fi/kaikki_uutiset/aaltoyliopisto+emme+syyllistyneet+tietomurtoon/a889072?s=r&wtm=tietoviikko/-22032013&

    Reply
  2. T says:

    Ouch. I’m getting a headache. In the report they are very clearly saying that they did use nmap for port scanning.

    If they didn’t do port scanning, why would they write that into the report?

    It’s pretty obvious that they made a big mistake together _with_ the authorities, but don’t have any other choice but to deny everything.

    My head hurts because of the incompetence.

    Reply
  3. Pet Island Forum says:

    Simply desire to say your article is as astonishing. The clearness on your publish is simply cool and that i can think you are an expert on this subject. Well with your permission allow me to grasp your RSS feed to keep up to date with approaching post. Thank you a million and please keep up the rewarding work.

    Reply
  4. Tomi Engdahl says:

    Evening newspapers seem to have also picked up this news some days after IT media:

    Suomen huolestuttava haavoittuvuus paljastui
    http://www.iltalehti.fi/uutiset/2013032516826119_uu.shtml

    Finland’s worrying vulnerability was revealed

    The capital’s traffic lights confused in the Friday rush hour? Electricity and water over the Christmas holidays? A clever saboteur could cause major mischief and even accidents through automation systems because of their lack of security.

    In recent years perhaps the most famous act of sabotage was against Iran’s nuclear program, where the Stuxnet worm was apparently smuggled into the system on a USB memory stick. It targeted Siemens Simatic devices, which the Aalto University survey found unprotected in Finnish automation control systems.
    - It’s a little bit easier than in Iran.

    One solution to the problems could be a national system which, maybe once a day, goes through all of Finland’s automation systems and reports the findings to the security authority.

    Industrial equipment used for critical systems: 77 found

    Buildings, heating, air conditioning, water flow, door locks, alarms, lighting and conditioning systems: 2 229 found

    Reply
  5. SherlinF143 says:

    Security Systems Pittsburgh provides customized security solutions for homes and businesses. They will meet your specific needs as we design, install, and monitor your security system using the latest technology, including wireless alarm equipment.

    Reply
  6. Tomi Engdahl says:

    Cyber security advice from the field highlight
    http://www.controleng.com/single-article/cyber-security-advice-from-the-field-highlights/f3e30cc7ab459b76ff12e62c913cb5c2.html

    Transcribed highlights from a Control Engineering interview with Michael Assante and Tim Conway with security suggestions for plant operators.

    Reply
  7. Tomi Engdahl says:

    Shodan: The scariest search engine on the Internet
    http://money.cnn.com/2013/04/08/technology/security/shodan/

    “When people don’t see stuff on Google, they think no one can find it. That’s not true.”

    That’s according to John Matherly, creator of Shodan, the scariest search engine on the Internet.

    It’s a kind of “dark” Google, looking for the servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet.

    Shodan runs 24/7 and collects information on about 500 million connected devices and services each month.

    It’s stunning what can be found with a simple search on Shodan. Countless traffic lights, security cameras, home automation devices and heating systems are connected to the Internet and easy to spot.

    What’s really noteworthy about Shodan’s ability to find all of this — and what makes Shodan so scary — is that very few of those devices have any kind of security built into them.

    “You can log into just about half of the Internet with a default password,”

    “It’s a massive security failure.”

    Scary stuff, if it got into the wrong hands.

    “You could really do some serious damage with this,”

    Penetration testers, security professionals, academic researchers and law enforcement agencies are the primary users of Shodan. Bad actors may use it as a starting point, Matherly admits.

    To date, most cyberattacks have focused on stealing money and intellectual property. Bad guys haven’t yet tried to do harm by blowing up a building or killing the traffic lights in a city.

    Security professionals are hoping to avoid that scenario by spotting these unsecured, connected devices and services using Shodan, and alerting those operating them that they’re vulnerable.

    Reply
  8. Tomi says:

    Passenger Wi-fi freezes third Shenzhen Metro train in a week
    http://www.scmp.com/news/china/article/1078165/passenger-wi-fi-freezes-third-shenzhen-metro-train-week

    Shenzhen Metro under fire about security of its wireless control system amid breakdowns

    The Shenzhen Metro is facing mounting calls to resolve questions about its wireless control system, after a train came to a halt in between stations for the third time in a week.

    The breakdown came after the Shenzhen Metro blamed interference by signals of passengers’ Wi-fi enabled mobile phones with similar incidents on the Shekou Line on Monday and the previous Thursday. Mainland media has blamed the problem on the transport company’s cost-saving move to operate its trains using the publicly- available 2.4-gigahertz wireless band – which is also used by consumer electronics.

    It was unclear if the same issue contributed to the problem on the Huanzhong Line.

    Reply
  9. Tomi Engdahl says:

    Controlling the physical world with BacNET attack framework
    http://www.net-security.org/secworld.php?id=14739

    The integration of computer technology to monitor the inner works of large office buildings, factories and plants has been evolving for years. These types of systems are often referred to as Building Automation or Building Management Systems (BMS).

    This talk from Shmoocon 2013 takes a closer look at how these systems work as well as an attacker’s view into the BacNET protocols.

    Shmoocon 2013 – How to Own a Building BacNET Attack Framework
    http://www.youtube.com/watch?feature=player_embedded&v=c4LMrKEO_t0

    Reply
  10. Tomi Engdahl says:

    Thousands of SCADA, ICS Devices Exposed Through Serial Ports
    http://it.slashdot.org/story/13/04/24/2159223/thousands-of-scada-ics-devices-exposed-through-serial-ports

    “Serial port servers are admittedly old school technology that you might think had been phased out as new IT, SCADA and industrial control system equipment has been phased in. Metasploit creator HD Moore cautions you to think again. Moore recently revealed that through his Critical IO project research, he discovered 114,000 such devices connected to the Internet, many with little in the way of authentication standing between an attacker and a piece of critical infrastructure or a connection onto a corporate network. More than 95,000 of those devices were exposed over mobile connections such as 3G or GPRS.”

    Open Serial Port Connections to SCADA, ICS and IT Gear Discovered
    http://threatpost.com/open-serial-port-connections-to-scada-ics-and-it-gear-discovered/

    Serial port servers, also known as terminal servers, provide control system or IT administrators with remote access to non-networked equipment, enable tracking of physically mobile systems, or out-of-band communication to network and power equipment in case of outages. Not only do they provide serial port connections to devices, but many are wireless-enabled.

    “The thing that opened my eyes was looking into common configurations; even if it required authentication to manage the device itself, it often didn’t require any authentication to talk to the serial port which is part of the device,” Moore told Threatpost. “At the end of the day, it became a backdoor to huge separate systems that shouldn’t be online anyway. Even though these devices do support authentication at various levels, most of the time it wasn’t configured for the serial port.”

    Attackers who are able to gain access to the serial port are golden because once they’re on the server, the device assumes they are physically present and doesn’t require an additional log-in, Moore said. Making matters worse, he added, automatic log-offs are not enabled.

    “So an administrator who logged into a device like an industrial control system, an attacker can follow behind them and take over an authenticated session to a serial port,” Moore said. “There are a huge number of devices out there are exposing an interactive administrative or command shell without any authentication because an administrator had previously authenticated and left the session open.”

    Serial Offenders: Widespread Flaws in Serial Port Servers
    https://community.rapid7.com/community/metasploit/blog/2013/04/23/serial-offenders-widespread-flaws-in-serial-port-servers

    A typical serial port server is a box the size of a home router with one or more serial ports on one side and an ethernet, wireless, or mobile interface on the other. The serial port is connected to a target device, such as a router, server, or industrial control system, and the serial port server is configured to allow remote access to this port.

    There are three common ways for a user to access a remote serial port:

    They login via telnet, ssh, or the web interface and directly type commands on the serial device.
    They connect to a specific TCP port that acts as a proxy for the serial port, allowing immediate access to the serial device.
    They configure vendor-specific software to access the serial port over a proprietary protocol.

    In the first case, the serial port server requires some form of authentication before the user can interact with the serial-connected device. The most secure method is over a SSH session, but unless the attacker can eavesdrop on your connection, even telnet will do in a pinch.

    In the second case, this is typically a clear-text TCP connection, accessed using the telnet command, and without any imposed authentication by the serial port server. If the serial-connected device requires authentication to access the serial console, this is the only layer of defense. The third case is usually identical, however some protocols (RealPort) can be configured to use both encryption and shared key authentication. In practice, however, these are mostly clear-text and unauthenticated as well.

    In summary, we have a serial port exposed directly to the network. If the serial port is connected to a device that requires authentication, such as a Linux server, or a Cisco IOS router, it is theoretically protected from unauthorized access unless the attacker knows the correct password. Many serial devices do not require authentication and instead assume that if you are physically connected to a serial port, you probably have the right to configure the system.

    Serial port servers change the authentication model in two significant ways. First, the concept of trusting a physical port goes out the window when that port is exposed to the internet, especially without an initial layer of authentication. Second, there is a significant difference between a SSH or telnet session and an authenticated serial console. If the user disconnects from SSH or telnet, the session is closed. This is not the case with serial consoles unless the device automatically logs out due to inactivity. Very few systems support inactivity timers on serial consoles (Cisco is one of the exceptions). An attacker just has to wait for a valid user to authenticate. Once logged in, the attacker can either hijack the serial port connection or wait for them to become idle and then steal a pre-authenticated shell on the target device.

    A handful of Metasploit modules have been written to identify and assess serial port servers made by Digi International.

    Remediation

    The biggest challenge right now is awareness. Few organizations are aware that their equipment can be accessed through serial ports connected through mobile networks. In some cases, the organization may assume that their specific mobile configuration prevents access from the internet, when that may not be the case. The wide use of mobile connections makes detection and response much more difficult. There are some basic steps that can significantly reduce the risk of an attack through an exposed serial port server.

    Only use encrypted management services (SSL/SSH)
    Set a strong password and non-default username
    Scan for and disable ADDP wherever you find it
    Require authentication to access serial ports
    Enable RealPort authentication and encryption for Digi
    Use SSH instead of telnet & direct-mapped ports
    Enable inactivity timeouts for serial consoles
    Enable remote event logging
    Audit uploaded scripts

    Reply
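The remediation list in the comment above maps directly onto a configuration review. The following is an added example, not code from the original post or from Rapid7 or Digi: a small audit that reads a serial port server configuration and reports every setting the list warns about (telnet and plain HTTP management, default administrative username, empty password, ADDP left on, RealPort without authentication and encryption, direct-mapped TCP ports without authentication, missing inactivity timeouts, no remote logging). The key = value format, the setting names and both configurations are constructed for this example; real devices use their own settings names, so the checks have to be mapped onto them.

```python
"""Audit a serial port server configuration against the remediation list
from the "Serial Offenders" post.

Added example; the key = value format and all setting names are constructed
for illustration and are not any vendor's real configuration syntax.
"""

DEFAULT_USERS = {"root", "admin"}   # constructed list of factory usernames

# Constructed: a factory-style configuration with every weakness present.
WEAK_CONFIG = """
admin.user = root
admin.password =
mgmt.telnet = on
mgmt.http = on
mgmt.https = on
mgmt.ssh = on
discovery.addp = on
logging.remote_syslog =
realport.auth = off
realport.encrypt = off
serial.1.tcp_port = 2101
serial.1.auth = off
serial.1.idle_timeout = 0
serial.2.tcp_port = 2102
serial.2.auth = off
serial.2.idle_timeout = 0
"""

# Constructed: the same device after remediation (password value redacted).
HARDENED_CONFIG = """
admin.user = ops-console
admin.password = <set out of band, redacted>
mgmt.telnet = off
mgmt.http = off
mgmt.https = on
mgmt.ssh = on
discovery.addp = off
logging.remote_syslog = 10.0.0.5:514
realport.auth = on
realport.encrypt = on
serial.1.tcp_port = 0
serial.1.auth = on
serial.1.idle_timeout = 600
serial.2.tcp_port = 0
serial.2.auth = on
serial.2.idle_timeout = 600
"""


def parse(text):
    """Parse 'key = value' lines; blank lines and '#' comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse(text)
    findings = []

    def on(key):
        return cfg.get(key, "off").lower() == "on"

    if on("mgmt.telnet"):
        findings.append("telnet management enabled: use SSH instead")
    if on("mgmt.http"):
        findings.append("plain HTTP management enabled: allow HTTPS only")
    if cfg.get("admin.user", "") in DEFAULT_USERS:
        findings.append("default administrative username in use")
    password = cfg.get("admin.password", "")
    if not password or password == cfg.get("admin.user"):
        findings.append("administrative password empty or equal to the username")
    if on("discovery.addp"):
        findings.append("ADDP discovery enabled: disable it")
    if not cfg.get("logging.remote_syslog"):
        findings.append("remote event logging not configured")
    if not (on("realport.auth") and on("realport.encrypt")):
        findings.append("RealPort without authentication and encryption")

    # Per-port checks: a TCP port mapped straight onto the serial line with no
    # authentication is the "second case" above; a console with no inactivity
    # timeout stays authenticated after the legitimate user walks away.
    ports = sorted({k.split(".")[1] for k in cfg if k.startswith("serial.")})
    for p in ports:
        tcp_port = cfg.get(f"serial.{p}.tcp_port", "0")
        if tcp_port not in ("", "0") and not on(f"serial.{p}.auth"):
            findings.append(f"serial port {p}: direct-mapped TCP port {tcp_port} without authentication")
        try:
            timeout = int(cfg.get(f"serial.{p}.idle_timeout", "0"))
        except ValueError:
            timeout = 0
        if timeout <= 0:
            findings.append(f"serial port {p}: no inactivity timeout, idle consoles stay authenticated")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(text)
        print(f"{name}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

The weak configuration yields eleven findings and the hardened one none. The two per-port checks matter most for the scenario the comment describes: disabling the direct-mapped port removes the unauthenticated path to the serial line, and a non-zero idle timeout limits how long a console left logged in by an administrator stays available to whoever connects next.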
  11. Tomi says:

    What Happened When One Man Pinged the Whole Internet
    http://www.technologyreview.com/news/514066/what-happened-when-one-man-pinged-the-whole-internet/

    A home science experiment that probed billions of Internet devices reveals that thousands of industrial and business systems offer remote access to anyone.

    You probably haven’t heard of HD Moore, but up to a few weeks ago every Internet device in the world, perhaps including some in your own home, was contacted roughly three times a day by a stack of computers that sit overheating his spare room.

    Moore’s census involved regularly sending simple, automated messages to each one of the 3.7 billion IP addresses assigned to devices connected to the Internet around the world (Google, in contrast, collects information offered publicly by websites).

    Why It Matters

    Many companies’ IT systems have largely unknown and easily hackable backdoors.

    Those vulnerable accounts offer attackers significant opportunities, says Moore, including rebooting company servers and IT systems, accessing medical device logs and customer data, and even gaining access to industrial control systems at factories or power infrastructure. Moore’s latest findings were aided by a similar dataset published by an anonymous hacker last month, gathered by compromising 420,000 pieces of network hardware.

    Joel Young, chief technology officer of Digi International, manufacturer of many of the unsecured serial servers that Moore found, welcomed the research, saying it had helped his company understand how people were using its products. “Some customers that buy and deploy our products didn’t follow good security policy or practices,” says Young. “We have to do more proactive education for customers about security.”

    Young says his company sells a cloud service that can give its products a private, secured connection away from the public Internet. However, he also said that Digi would continue to ship products with default passwords, because it made initial setup smoother, and that makes customers more likely to set their own passwords. “I haven’t found a better way,” he says.

    Reply
  12. Tomi Engdahl says:

    Opinions vary widely on IoT security concern
    http://www.edn.com/electronics-blogs/systems-interface/4413081/Opinions-vary-widely-on-IoT-security-concern

    Will the IoT (Internet of Things) become a hacker’s paradise? Or is concern over security for the embedded systems that define the IoT overblown?

    Opinions about IoT security are as varied as the systems that will make the IoT

    A full 50% indicated they’re currently using IoT/M2M in current projects – and 69% said they expect to be using IoT/M2M in three years.

    The respondents seemed to fall into three groups – not worried, somewhat worried, and really worried.

    I have to assume that those who aren’t worried either figure IoT devices a) aren’t penetrable or b) lie below the threshold of interest of bad actors. It’s safe to say that any system can be penetrated.

    I’m having a hard time with the “somewhat worried” category: If there’s a basic acknowledgement of a security problem, we all should be very worried. Even under the assumption that the IoT will comprise billions of smart sensors with hardwired operation that can’t be modified remotely, there are too many opportunities for corrupting the data stream – make that deluge – of information flowing through the IoT.

    When asked about actions taken to limit security risks, participants indicated they took the steps you’d like to see in a security-conscious development organization (Figure 3): They changed internal processes, found different products, or added security-focused resources to their team.

    Reply
  13. Tomi Engdahl says:

    Google screwed up: heating and ventilation systems at the mercy of hackers

    Hackers could have turned off the heating and ventilation systems of Google’s Sydney, Australia office, security researchers from a company called Cylance found.

    Cylance found that Google used a “slightly outdated” version of the Niagara AX control system for managing the heating and ventilation.

    Niagara AX is developed by Tridium, which is owned by Honeywell.

    Cylance researchers were able to access the encrypted passwords.

    However, the company just reported their findings to Google.

    According to Cylance technical director Billy Rios, Google reacted quickly, taking the system out of service. Before that, however, the researchers peeked into the system and quickly found a map image of the third floor of the building with its plumbing, heating and ventilation systems.

    Researchers could, in principle, have acquired administrator privileges.

    Rios found, among other things, that users’ passwords had been adequately protected.

    Source: http://www.tietoviikko.fi/kaikki_uutiset/google+mokasi+lammitys+ja+ilmanvaihtojarjestelmat+hakkerien+armoilla/a899708?s=r&wtm=tietoviikko/-07052013&

    Reply
  14. Tomi says:

    Internet Census 2012
    Port scanning /0 using insecure embedded devices
    http://internetcensus2012.bitbucket.org/paper.html

    Abstract While playing around with the Nmap Scripting Engine (NSE) we discovered an amazing number of open embedded devices on the Internet. Many of them are based on Linux and allow login to standard BusyBox with empty or default credentials. We used these devices to build a distributed port scanner to scan all IPv4 addresses. These scans include service probes for the most common ports, ICMP ping, reverse DNS and SYN scans. We analyzed some of the data to get an estimation of the IP address usage.

    All data gathered during our research is released into the public domain for further study.

    Reply
  15. Tomi says:

    This Is the Most Detailed Picture of the Internet Ever (and Making it Was Very Illegal)
    http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever

    An anonymous researcher with a lot of time on his hands apparently shares the sentiment. In a newly published research paper, this unnamed data junkie explains how he used some stupid simple hacking techniques to build a 420,000-node botnet that helped him draw the most detailed map of the Internet known to man. Not only does it show where people are logging in, it also shows changes in traffic patterns over time with an impressive amount of precision. This is all possible, of course, because the researcher hacked into nearly half a million computers so that he could ping each one, charting the resulting paths in order to make such a complex and detailed map. Along those lines, the project has as much to do with hacking as it does with mapping.

    The resultant map isn’t perfect, but it is beautiful. Based on the parameters of the researcher’s study, the map is already on its way to becoming obsolete, since it shows only devices with IPv4 addresses. (The latest standard is IPv6, but IPv4 is still pretty common.) The map is further limited to Linux-based computers with a certain amount of processing power. And finally, because of the parameters of the hack, it shows some amount of bias towards naive users who don’t put passwords on their computers.

    The research also serves as another much-needed warning about Internet security. “A lot of devices and services we have seen during our research should never be connected to the public Internet at all. As a rule of thumb, if you believe that ‘nobody would connect that to the Internet, really nobody’, there are at least 1000 people who did,” says the report. “Whenever you think ‘that shouldn’t be on the Internet but will probably be found a few times’ it’s there a few hundred thousand times. Like half a million printers, or a Million Webcams, or devices that have root as a root password.”

    Reply
  16. Tomi Engdahl says:

    Control System Security Perceptions and Practices
    http://www.controleng.com/new-products/industrial-networks/single-article/control-system-security-perceptions-and-practices/48561e9951b3ddb59cde661510df5c9f.html

    01/01/2010

    Control Engineering cyber security bloggers puzzle over recent industrial control system security assessment survey results.

    Nearly 200 responses were received to Control Engineering’s Industrial Control Systems Cyber Security Assessment Survey that commenced in November 2009. While some trends from the responses were expected, others were quite surprising. This article will provide our analysis of the responses, starting with simple observations and concluding with analysis of less expected responses and trends.

    The first surprise was that 24% indicated they do not believe there are any threats and risks associated with their information control system that could affect their business operations. This seems very puzzling since most organizations operate with the understanding that there is no such thing as 100% security. In an environment where industrial control systems are becoming more dependent upon increased connectivity, including the Internet and remote control capabilities, we expected nearly a 100% response acknowledging the presence of such risks. The most prevalent cyber security concerns expressed by nearly 20% of respondents acknowledging the presence of disconcerting risks were viruses and malicious software.

    Another very surprising observation is that only 53% indicated they are an “organization involved in an industry where you are compelled to implement specific information control system protections.” That leaves 47% that are not compelled to implement specific information control system protections.

    Reply
  17. Tomi Engdahl says:

    Congressional Report: US Power Grid Highly Vulnerable To Cyberattack
    http://hardware.slashdot.org/story/13/05/22/0155228/congressional-report-us-power-grid-highly-vulnerable-to-cyberattack

    “Despite warnings that a cyberattack could cripple the nation’s power supply, a U.S. Congressional report (PDF) finds that power companies’ efforts to protect the power grid are insufficient. Attacks are apparently commonplace, with one utility claiming they fight off some 10,000 attempted attacks every month. The report also found that while most power companies are complying with mandatory standards for protection, few do much else above and beyond that to protect the grid.”

    Reply
  18. Tomi Engdahl says:

    Report: US Power Grid Highly Vulnerable to Cyberattack
    http://www.techpolitik.com/2013/05/21/report-us-power-grid-highly-vulnerable-to-cyberattack/

    Inefficiencies in how security standards are set and “haphazard” implementation of protections leaves the US power grid at high risk of damage due to cyberattacks, a Congressional report released Tuesday indicates.

    “The utility responses are sobering,” Waxman says. “They reveal serious gaps in the security of our electric grid and Congress needs to address these gaps in a bipartisan way.” Markey added that Congress needs to push electric utilities to beef up security to protect from attacks from rogue states and terrorist groups alike.

    Power grid security is currently managed through a set of required standards set by the North American Electric Reliability Corporation that were agreed to by members, combined with a set of voluntary actions power companies can take. The report found that while a majority of the power companies complied with the mandatory standards, only one in five industry-owned utilities and less than half of all government or cooperatively owned utilities were complying with the voluntary measures.

    The apparent lax security of our power grid is reason for concern. There is evidence that hackers in China, Russia, and Iran have already probed the power grid infrastructure, and previous reports concluded that attacks on the power grid “could be carried out by knowledgeable attackers with little risk of detection or interdiction.” Such attacks could cut power to large sections of the country and take months to repair.

    Reply
  19. Tomi Engdahl says:

    US power grid the target of ‘numerous and daily’ cyber-attacks
    Report finds utilities vulnerable, threatened
    http://www.theregister.co.uk/2013/05/23/us_power_grid_cyber_attack_report/

    The US electricity grid is under near constant attack from malware and cyber-criminals, yet most utility companies implement only the barest minimum of security standards, according to a new report released by Congressmen Ed Markey (D-MA) and Henry Waxman (D-CA).

    “National security experts say that cyber attacks on America’s electric grid top the target list for terrorists and rogue states, yet we remain highly vulnerable to attacks,” Markey said in a statement. “We need to push electric utilities to enlist all of the measures they can now, and push for stronger standards in Congress that will keep our economy and our country safe from cyber warfare.”

    Among the report’s findings, more than a dozen utilities surveyed said their systems were under “daily,” “frequent,” or “constant” attack, with one claiming to be the target of around 10,000 attempted cyber-attacks each month.

    “Cyber-attacks can create instant effects at very low cost, and are very difficult to positively attribute back to the attacker,” the report states.

    To help harden US infrastructure against such attacks, Markey and Waxman would like to see Congress grant the Federal Energy Regulatory Commission (FERC) additional authority to draft and enforce cyber-security standards among power utility companies.

    Reply
  20. Tomi Engdahl says:

    SCADA security is better and worse than we think
    ‘Kill chains’ are long and attack-stopping weak links are many
    http://www.theregister.co.uk/2013/05/23/scada_security/

    AUSCERT 2013: First, the good news: for all the known vulnerabilities that exist in the SCADA world, exploiting them in a way that can actually “shut down a power plant” is harder than most people (particularly including media) realise.

    That’s because even though in a fairly short time the number of known vulnerabilities in programmable logic controllers (PLCs) has gone from zero to 171, turning the existence of a vulnerability into a successful exploit is a much more complex task than merely launching an attack against the individual device.

    If an operator notices unusual processes taking place on a system that aren’t in his operational manual, Fabro said, it’s expected that the employee will take some sort of action, or at least investigate what’s going on. So to go from “here’s a vulnerability in one system” to “here’s a nationwide blackout” takes a lot more effort than we believe.

    However, Fabro said, as attackers become more sophisticated and learn more about both the SCADA systems and their control environments, the likelihood of more dangerous SCADA-based attacks increases.

    A key part of defending against those attacks that may occur, he said, is to start with a thorough understanding of the “kill chain” – the number of steps and scenarios an attacker is forced to step through to achieve what they want.

    “Time and time again people are the vector, the kill-chain’s tipping point is at people,” he said. “An individual who was tricked and had done something inappropriate – clicked on the link in the e-mail, let someone into the facility.”

    It points to a difficult cultural problem in defending industrial control systems, because in trying to instil a new security culture, “the people you’re risking upsetting are the ones you’re relying on to run the system.”

    Reply
  21. smart car oil change says:

    Hey! I just wish to give an enormous thumbs up for
    the great information you have here on this post.
    I will be coming back to your weblog for extra
    soon.

    Reply
  22. technology and security services inc says:

    A fascinating discussion is worth comment. I do think that you need to publish more about this subject,
    it might not be a taboo matter but generally people don’t talk about such topics. To the next! Cheers!!

    Reply
  23. rancho cucamonga emergency plumber says:

    whenever do we’d like a good plumber?

    Reply
  24. Cathryn says:

    Hello, I think your blog could be having internet browser compatibility problems.

    Whenever I look at your site in Safari, it looks fine however when opening in I.E., it has some overlapping issues. I simply wanted to provide you with a quick heads up! Other than that, great blog!

    Reply
  25. Tomi says:

    Chinese Hacking Team Caught Taking Over Decoy Water Plant
    http://www.technologyreview.com/news/517786/chinese-hacking-team-caught-taking-over-decoy-water-plant/

    A hacking group accused of being operated by the Chinese army now seems to be going after industrial control systems.

    A Chinese hacking group accused this February of being tied to the Chinese army was caught last December infiltrating a decoy water control system for a U.S. municipality, a researcher revealed on Wednesday.

    The group, known as APT1, was caught by a research project that provides the most significant proof yet that people are actively trying to exploit the vulnerabilities in industrial control systems. Many of these systems are connected to the Internet to allow remote access (see “Hacking Industrial Systems Turns Out to Be Easy”). APT1, also known as Comment Crew, was lured by a dummy control system set up by Kyle Wilhoit, a researcher with security company Trend Micro, who gave a talk on his findings at the Black Hat conference in Las Vegas.

    The attack began in December 2012, says Wilhoit, when a Word document hiding malicious software was used to gain full access to his U.S.-based decoy system, or “honeypot.” The malware used, and other characteristics, were unique to APT1, which security company Mandiant has claimed operates as part of China’s army.

    “You would think that Comment Crew wouldn’t come after a local water authority,” Wilhoit told MIT Technology Review, but the group clearly didn’t attack the honeypot by accident while seeking another target. “I actually watched the attacker interface with the machine,” says Wilhoit. “It was 100 percent clear they knew what they were doing.”

    Cloud software was used to create realistic Web-based login and configuration screens for local water plants seemingly based in Ireland, Russia, Singapore, China, Japan, Australia, Brazil, and the U.S. If a person got beyond the initial access screens, they found control panels and systems for controlling the hardware of water plant systems.

    None of the attacks displayed a particularly high level of sophistication, says Wilhoit, but the attackers were clearly well versed in the all-too easily compromised workings of industrial control systems.

    Reply
  26. Tomi Engdahl says:

    Could a Counter Interrogation Service bring the European Power or Gas Networks down?
    http://blog.iec61850.com/2013/08/could-counter-interrogation-service.html

    Good question! Easy to answer: Yes! It depends on the standard and implementation used.

    Early May 2013 it almost happened in Europe. What? During a test of a new control center communication and application an IEC 60870-5-101 or –104 Broadcast “Counter interrogation” command went out to interrogate counters from ALL RTUs somehow “connected”. The command was received and answered by all these RTUs. Obviously one RTU responded with a “Broadcast” response … and obviously there was a “loop” somewhere in the network … it ended up in flooding the network for days!!!

    The operators had very severe problems to get status and measurements from the process – because first the network was sending bunches of messages back and forth and around.

    Hm!? That’s really a crucial issue with a standard protocol in operation for 15 or 20 years.

    Here is why this could happen at all: During the days IEC 60870-5-101 was designed, people thought that the communication is strictly hierarchical and looks like a tree (top-down)

    For counter interrogation the broadcast is often used in order to catch the counter values at a certain time, let’s say 20:00 h. To freeze the value at 20:00 h the control center has to send out a broadcast counter interrogation to freeze the value at 20:00 h (+/- some seconds – due to travel time …).

    Next it can send another command to start sending the values from the RTUs to the control center.

    That means: A lot of messages have to be sent at the same time … to reach all RTUs …

    The issue is here: People thought that you could start system-wide synchronous functions by synchronizing through timeliness messages. That may work in simple topologies … but … in Smart Grid systems with many (many) meters, it is unlikely that this approach will work reliably.

    The broadcast command in 101 and 104 SHOULD be REMOVED … at least utilities should no longer rely on it!!! Take this very serious … as many other utility experts do.

    Reply
  27. Tomi Engdahl says:

    English Version of Vattenfall’s “VHP READY – Virtual Heat & Power Ready” available
    http://blog.iec61850.com/2013/05/english-version-of-vattenfalls-vhp.html

    Vattenfall Europe Wärme AG (Berlin, Germany) has published the famous specification “VHP READY” for information exchange in virtual power plants based on IEC 60870-5-104 respectively IEC 61850-7-420.

    In order to integrate renewable energies into the power supply system successfully and economically, ways must be found to store and control them. The Virtual Power Plant, which stores energy in the form of heat, is a promising approach to solving this problem.

    Data transmitted between a plant and the central control system via IP networks are encrypted either according to the IEC 60870-5-104 standard or the IEC 61850 series of standards (IEC 61850-7-420 in particular). Time synchronization is via SNTP/NTP.

    Reply
  28. Tomi Engdahl says:

    The HMI of the future will look very familiar
    http://www.controleng.com/single-article/the-hmi-of-the-future-will-look-very-familiar/0c8151774361675e6ce70407148b631a.html

    HMI/SCADA applications enable companies to benefit from commercial off-the-shelf technologies adapted for industrial automation to lower costs and improve operations.

    Ever since PC-based software was introduced to industrial automation, the once very separate worlds of commercial off-the-shelf (COTS) and industrial technologies have become more aligned. Many readers will remember when PC-based software was first introduced for HMI/SCADA systems in the mid-1980s. At the time, there were concerns with reliability and speed of response, but PC-based software is now the de facto standard when it comes to HMI packages, both for operator interface and SCADA applications.

    HMI applications now routinely run on both office-grade and industrial PCs, and the software used to program these applications is also PC-based. At the same time, SCADA technologies are advancing to enable manufacturers to reduce costs through the use of COTS applications

    The word “influence” is important because industrial automation devices are not and will not be duplicates of COTS devices. An industrial PC may have the look and feel as well as some of the underlying technology of a COTS PC, but it’s also designed to withstand the demands of harsh environments, and often also includes other features to increase reliability such as solid-state data storage.

    Just as desktops were replaced with laptops in many instances, laptops are now being replaced by tablets and smartphones with multi-touch technologies. This trend is also moving into industrial settings. In addition to the way we access HMI systems, the way data is manipulated and stored is being transformed by SCADA technologies for devices first developed for personal use.

    Corporations are recognizing and reacting to these trends.

    The implication is clear: employees will be expected to use their own smartphones and tablets to access corporate computing systems, a move driven by both cost-saving potential for companies, and greater ease-of-use and mobility for their employees.

    Smartphones and tablets are great products for today’s more mobile workforce as many employees are being asked to monitor and control multiple local and remote sites, often from home offices or while on the road.

    Many HMI/SCADA software packages also provide a type of server-mobile phone app for free or at a very low cost. As with SCADA server-browser platforms, remote users benefit from full-featured two-way communication. As compared to a browser, these SCADA apps connect more quickly to remote systems, load screens faster, and provide more rapid response times

    Both browser and app access are much less expensive than providing access via a thin client or a PC connected to the corporate network, particularly if the company has adopted a BYOD policy.

    Cloud computing provides 24/7 network access to a shared pool of configurable computing resources: networks, servers, applications, services, and storage.

    Most current cloud-based SCADA systems are configured with a local SCADA application running on a PC installed at the site, and with this PC connected to the controllers. The local PC is then connected to the cloud, sending data to the cloud where it’s stored and distributed, and receiving commands from the cloud as required

    HMI/SCADA systems inherently generate tremendous amounts of data, and this data must be available for access by many users located in disparate and often widely distributed locations.

    Moving to a cloud-based HMI can significantly lower costs and enhance functionality. Users can easily view data via smartphones and tablet computers. They also receive alerts via SMS text messages and e-mail. Cloud computing also basically eliminates the high cost and problems of the hardware layer of IT infrastructure.

    Is the cloud safe?

    When the Internet is mentioned in the context of an industrial automation application such as HMI/SCADA, one of the first concerns involves security. As with any system, there’s always some chance of a security breach, but cloud-based SCADA often provides better protection than similar systems managed internally.

    In many companies, shrinking budgets have dramatically reduced IT staff and resources, and remaining IT personnel often don’t have the time or the expertise to keep current with constantly evolving potential threats. On the other hand, cloud providers specialize in providing secure access to applications along with carefully protected data storage. Their people are trained continually on how to protect their systems from internal and external security threats, and cloud providers can afford the required IT staff because they spread their costs among many customers.

    Many companies rely on a single Internet provider, but this means that if Internet service goes down, then access to HMI control and monitoring functions is lost. The cloud instead uses multiple Internet providers to ensure uptime, with data stored on more servers in diverse locations to ensure secure backup in the event of a catastrophic event.

    The future is already here

    Most employees of manufacturing firms use their smartphones and tablets to access e-mail, the web, and key data sources such as their bank accounts from virtually anywhere via a few simple touch commands. Consequently, they will expect this type of functionality in their work lives. Companies that don’t update their systems with the software required for this type of access run the risk of looking antiquated to their employees, incurring high costs and foregoing important benefits.

    The latest SCADA technologies don’t just satisfy employees’ desires; they also provide faster access to more data, which improves overall operations.

    While most manufacturers won’t immediately adopt all these new technologies—tablets, smartphones, multi-touch screens, and cloud computing—most are already using some, with more being adopted on a continuing basis. Now that SCADA packages offer an affordable and reliable way for industrial companies to use these devices for accessing automation systems, they will eventually become as common as desktops once were.

    Reply
  29. Tomi Engdahl says:

    Time to step up: Actions you can take today
    http://www.controleng.com/single-article/time-to-step-up-actions-you-can-take-today/e9c3dde92e71f7ce2f8e0b4826e0682d.html

    Your control system cyber assets were not coded with security in mind, so you have to build defenses yourself, always thinking about your complete security posture. Here are ways to start now.

    Control systems represent a high-value target and are under attack. How bad is the risk? A recent survey and webcast conducted by Control Engineering indicated that most respondents recognize that the risk is high to severe. What really is the risk? The ancient risk calculation method tries to associate the threat with the vulnerability. It requires both the actual asset vulnerability combined with a threat actor motivated to exploit that vulnerability. Increasing international tensions have increased the motivation of threat actors worldwide.

    So if you know that there is risk, what can you do? You could rip and replace immediately, but you may find your new solution is just as vulnerable as the old. You have to know what you have, build walls, monitor, and respond to threat indicators. Are your people trained to do those?

    Step one, which you can begin today, is create an inventory of your control system assets. This includes all personnel and skills, controller hardware, networking hardware, communication channels, and operational procedures. Step two, take a look into any regulations impacting your cyber, physical, and operational security requirements.

    Once you compile your initial inventories, the next steps are:

    1. Create a baseline of security needs throughout your organization and its stakeholders.

    2. Using your inventory of cyber assets, identify which are required for direct control functions. Then, identify what communication channels, applications, and services are required for each ICS cyber asset to perform its operations. This process will not be easy

    3. Remove all other communication channels, applications, and services not necessary for normal and emergency operating conditions.

    4. Review the remaining communication channels, applications, and services for vulnerabilities. Using the inventory of firmware, applications, and protocol versions, check them for out-of-date and/or vulnerable cyber asset components.

    5. Identify mitigating controls such as a network intrusion detection system (IDS). The IDS should be configured with specific rule sets for your control system protocols and communication channels, and not generic rules for traditional IT environments.

    6. Inventory your current operational procedures used by personnel to maintain the cyber assets and communication channels used for control system operations. Review the procedures for vulnerabilities, and modify them as necessary.

    This is only a start to the process of addressing the security needs of today’s control system environments. The risk is real.

    Reply
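    The broadcast counter interrogation loop quoted in comment 26 above, and step 5's call for IDS rule sets written for the control-system protocol rather than for generic IT traffic, can be illustrated together. The Python below is an added example, not code from this blog or from the articles it quotes: it parses IEC 60870-5-104 I-format APDUs and flags a counter interrogation command (type 101) sent to the broadcast common address 0xFFFF, any monitor-direction ASDU carrying that broadcast address (which a controlled station must never send), and a burst of broadcast-addressed ASDUs. The frame layout assumed here (0x68 start byte, length octet, four control octets, then an ASDU with a two-octet cause of transmission and two-octet common address), the QCC value and all sample frames are constructed for this example.

```python
import struct
from collections import deque
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

START_BYTE = 0x68
BROADCAST_CA = 0xFFFF   # common address reserved for broadcast in IEC 60870-5-101/104
C_CI_NA_1 = 101         # type ID: counter interrogation command
COT_ACTIVATION = 6
CONTROL_DIRECTION_COTS = {6, 8}   # activation / deactivation: the only causes a broadcast may carry


@dataclass
class Asdu:
    type_id: int
    num_objects: int
    cot: int            # cause of transmission (low 6 bits of the first COT octet)
    negative: bool      # P/N bit: negative confirmation
    originator: int
    common_address: int
    payload: bytes      # information objects, left unparsed here


def parse_apdu(frame: bytes) -> Optional[Asdu]:
    """Parse one IEC 104 APDU (assumed layout, see lead-in). Returns None for
    S- and U-format frames, which carry no ASDU; raises ValueError when malformed."""
    if len(frame) < 6 or frame[0] != START_BYTE:
        raise ValueError("not an IEC 104 APDU")
    if frame[1] != len(frame) - 2:
        raise ValueError("APCI length field does not match frame size")
    if frame[2] & 0x01:             # bit 0 set: S-format (01) or U-format (11)
        return None
    asdu = frame[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    cot_octet = asdu[2]
    return Asdu(type_id=asdu[0], num_objects=asdu[1] & 0x7F,
                cot=cot_octet & 0x3F, negative=bool(cot_octet & 0x40),
                originator=asdu[3],
                common_address=struct.unpack("<H", asdu[4:6])[0],
                payload=asdu[6:])


def build_apdu(type_id: int, cot: int, common_address: int, ioa: int,
               element: bytes, send_seq: int = 0, recv_seq: int = 0) -> bytes:
    """Build a single-object I-format APDU; used here only to construct samples."""
    control = struct.pack("<HH", (send_seq << 1) & 0xFFFE, (recv_seq << 1) & 0xFFFE)
    asdu = bytes([type_id, 1, cot & 0x3F, 0]) + struct.pack("<H", common_address)
    asdu += ioa.to_bytes(3, "little") + element
    body = control + asdu
    return bytes([START_BYTE, len(body)]) + body


def check_asdu(asdu: Asdu) -> List[str]:
    """Protocol-specific rules for the incident described in comment 26."""
    findings = []
    if (asdu.type_id == C_CI_NA_1 and asdu.common_address == BROADCAST_CA
            and asdu.cot == COT_ACTIVATION):
        findings.append("broadcast counter interrogation command")
    if asdu.cot not in CONTROL_DIRECTION_COTS and asdu.common_address == BROADCAST_CA:
        # An RTU must never answer to the broadcast address; this is the
        # misbehaviour that, together with a network loop, produced the flood.
        findings.append("reply addressed to broadcast common address")
    return findings


def check_frame(frame: bytes) -> List[str]:
    asdu = parse_apdu(frame)
    return [] if asdu is None else check_asdu(asdu)


def analyze_stream(frames: Iterable[Tuple[float, bytes]], window_s: float = 1.0,
                   threshold: int = 20) -> List[Tuple[float, str]]:
    """Apply the per-frame rules to (timestamp, apdu) pairs in time order and add
    one 'broadcast storm' alert when more than `threshold` broadcast-addressed
    ASDUs arrive inside a sliding window of `window_s` seconds."""
    alerts: List[Tuple[float, str]] = []
    recent: deque = deque()
    storm_reported = False
    for ts, frame in frames:
        asdu = parse_apdu(frame)
        if asdu is None:
            continue
        alerts.extend((ts, msg) for msg in check_asdu(asdu))
        if asdu.common_address == BROADCAST_CA:
            recent.append(ts)
            while recent and ts - recent[0] > window_s:
                recent.popleft()
            if len(recent) > threshold and not storm_reported:
                alerts.append((ts, f"broadcast storm: {len(recent)} broadcast ASDUs within {window_s}s"))
                storm_reported = True
    return alerts


# Constructed sample frames. QCC 0x45: freeze without reset, general counter request.
QCC_FREEZE_GENERAL = bytes([0x45])
CMD_BROADCAST = build_apdu(C_CI_NA_1, COT_ACTIVATION, BROADCAST_CA, 0, QCC_FREEZE_GENERAL)
CONFIRM_OK = build_apdu(C_CI_NA_1, 7, 7, 0, QCC_FREEZE_GENERAL)              # RTU with CA 7 confirms
CONFIRM_BAD = build_apdu(C_CI_NA_1, 7, BROADCAST_CA, 0, QCC_FREEZE_GENERAL)  # the misbehaving RTU
```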
  30. Tomi Engdahl says:

    Prison Computer ‘Glitch’ Blamed for Opening Cell Doors in Maximum-Security Wing
    http://www.wired.com/threatlevel/2013/08/computer-prison-door-mishap/

    Florida prison officials say a computer “glitch” may be to blame for opening all of the doors at a maximum security wing simultaneously, setting prisoners free and allowing gang members to pursue a rival with weapons.

    But a surveillance video released this week (see above) suggests that the doors may have been opened intentionally — either by a staff member or remotely by someone else inside or outside the prison who triggered a “group release” button in the computerized system. The video raises the possibility that some prisoners knew in advance that the doors were going to open.

    It’s the second time in two months that all of the doors in the wing opened at once, officials say, raising questions about whether the first incident was a trial-run to see how long it would take guards to respond.

    Miami-Dade Corrections Director Tim Ryan acknowledged to the Herald that the circumstances around the door-release were “suspicious,” and said officials were investigating whether any staff members were responsible for opening the doors or if a problem lay with the computerized system that controls the doors.

    The control panel for the system generally features a group-release button that allows guards in minimum-security facilities to release inmates simultaneously for a head count, the Herald reports. But it’s generally not used in maximum-security settings

    It’s not the first time that an apparent glitch with the release occurred.

    So as a precaution, technicians added a security feature that was supposed to prevent accidental activation. Any time a guard touches the release feature now, a prompt is supposed to appear onscreen asking the guard to confirm the intention to open all of the cell doors.

    But this didn’t appear to help a month later when the problem with the doors recurred.

    “The software in the computer has only one kind of thing, operator error, and we don’t know what triggers that, so part of the inquiry is to find out what the software is saying,” he said.

    J.C. Dugue, Williams’s attorney, told WIRED that it’s hard to imagine the doors in Florida opened without an assist from guards or some other accomplice on the inside.

    But a trio of security researchers — John Strauchs, Teague Newman, and Tiffany Rad — say that many prison systems have vulnerabilities that can be exploited remotely by hackers or accomplices from inside or outside a prison. They have examined systems at a number of facilities and two years ago presented their findings at the DefCon hacker conference in Las Vegas.

    Some of the vulnerabilities exist in the architecture and configuration of the systems, causing them to be accessible via the internet. Other vulnerabilities exist in the programmable logic controllers that are used to control not only prison doors, but surveillance cameras and other prison systems. Many PLCs use Ladder Logic programming and a communications protocol that have no security protections built into them. There are also vulnerabilities in the Windows-based desktop machines that are used to monitor and program the PLCs. Anyone who gains access to these computers can control the PLCs and the operations they monitor, the researchers say.

    According to Strauchs, a hacker could install malware to gain control of prison computers either by getting a corrupt insider to install it via an infected USB stick — and programming the attack to kick in at 2 a.m. on someone else’s shift — or by sending it to a worker via a phishing attack aimed at tricking the staffer into clicking on a malicious attachment or link. Though control systems at prisons shouldn’t be connected to the internet, Strauchs says his team once toured a prison control room in the Rocky Mountain region and found a staffer reading his Gmail account on a control system connected to the internet. There are also computers in non-essential parts of prisons, such as in the commissaries or laundry rooms, that are sometimes connected to the networks that control critical functions, allowing someone to remotely hijack the control room system from another location in the prison.

    “Bear in mind, a prison security electronic system has many parts beyond door control such as intercoms, lighting control, video surveillance, water and shower control, and so forth,” the researchers wrote in a paper they released in 2011. “Access to any part, such as a remote intercom station, might provide access to all parts.”

    Prison systems have a cascading release function so that in an emergency, such as a fire, when hundreds of prisoners need to be released quickly, the system will cycle through groups of doors at a time to avoid overloading the system by releasing them all at once. But a hacker could design an attack to override the cascade release to open all of the doors at once and overload the system.

    A diagram posted on the company’s site showing the system architecture (.pdf) lists PLC’s, wireless access points and remote access as some of its features, which could potentially be vulnerable, depending on their configuration.

    Newman told WIRED that the diagram seems to indicate that control systems for doors are properly segmented and are not immediately accessible from the internet.

    Strauchs says he’s surprised that Black Creek only installed a prompt on the system to prevent an accidental activation of doors after there was already a problem. He has installed systems at prisons himself and says that any time he did, he made sure the all-release function for opening doors could only be activated with a key that the senior officer on a shift possessed — a solution that is much more secure than a prompt.

    Ryan told WIRED he had never considered the possibility that the system might have been hacked — either from an insider or an outsider — but said investigators would now look into that.

    Reply
  31. Tomi Engdahl says:

    Embedded XP big risk next year

    Microsoft will end support for the XP operating system next year. The same decision applies to the embedded-systems version, XP Embedded. The German company says embedded XP operating systems are truly at high risk from April 8 onward.

    Innominate Security Technologies AG wants to remind industrial companies developing systems to ensure that adequate security measures are adopted in good time. Only in this way can, for example, continued production be ensured.

    Innominate notes that vulnerabilities are still constantly being found in XP. In July this year, Microsoft had already announced 31 important security updates for the system. Of these, 18 were classified as critical.

    The most obvious solution would be to upgrade the operating system or replace the whole underlying base, but this can be very expensive, depending on the system. Innominate suggests it is easier to protect critical components with separate software or tools.

    Source: http://www.elektroniikkalehti.fi/index.php?option=com_content&view=article&id=282:sulautettu-xp-iso-riski-ensi-vuonna&catid=13&Itemid=101

    Reply
  32. Tomi Engdahl says:

    Industrial Ethernet: factory floor apps aided by new deal
    http://www.edn.com/electronics-blogs/fpga-gurus/4419142/Industrial-Ethernet–factory-floor-apps-aided-by-new-deal

    Last week, we told you about the ubiquity of 10G Ethernet, as new applications arrive for 10-Gbit speeds in vertical applications. But in the industrial realm, slower Ethernet speeds on the factory floor finally are making inroads into long-standing protocols such as CAN and Fieldbus. At the end of July, Altera Corp reached a deal with the EtherCAT Technology Group and Softing Industrial Automation GmbH of Germany, allowing EtherCAT protocols to be embedded in FPGAs without additional licensing fees for users.

    If this sounds a bit familiar, there have been predictions for close to two decades that Ethernet soon would dominate process-control and SCADA (Supervisory Control and Data Acquisition) applications in factories. The price of ruggedized Ethernet controllers at 10 and 100 Mbits/sec always was reasonable enough to be considered for SCADA, and in recent years, 1-Gbit controller cards started to be cost-effective. The problem lay in the transition of Layer 2 and 3 protocols. Older networks used simpler control protocols, and those like Softing who developed useful solutions, often priced their licensing too high to make high-volume SCADA a reasonable application.

    EtherCAT was developed in the early 2000s by long-time logic controller players like Beckhoff and Hilscher, using elements of Fieldbus physical-layer technology with a slave licensing model adopted from CAN

    Major FPGA players realize the necessity of supporting EtherCAT—Xilinx, for example, has worked with Beckhoff on an IP core for a slave interface. The Altera-Softing pact, however, could broaden acceptance of EtherCAT by lowering the price of a network node. The deal will allow designers to develop a range of products such as sensor interfaces, accelerators, and control logic, all based on one reprogrammable FPGA design with embedded EtherCAT IP.

    The SCADA and factory-floor markets are notoriously conservative in adopting new protocols, so the Altera-Softing-ETG deal does not guarantee an automatic stampede to real-time Ethernet. But it may hasten the inevitable shift from CAN and Fieldbus to Ethernet everywhere.

    Reply
  33. Tomi Engdahl says:

    Stuxnet Expert Proposes New Framework For ICS/SCADA Security
    http://www.darkreading.com/management/stuxnet-expert-proposes-new-framework-fo/240160846

    ICS/SCADA expert Ralph Langner shoots down risk management mindset in critical infrastructure security and proposes a more process-oriented approach

    Critical infrastructure operators that have adopted the security industry’s popular risk management mindset are doing it wrong, according to Ralph Langner.

    Langner, the German security expert who deciphered how Stuxnet targeted the Siemens PLCs in Iran’s Natanz nuclear facility, today released a proposed cybersecurity framework for industrial control systems (ICS) that he says is a better fit than the U.S. government’s Cyber Security Framework (PDF), which is currently in draft form.

    The so-called Robust ICS Planning and Evaluation, or RIPE, framework takes a different approach to locking down plants, with more of a process-based approach than the risk-based NIST-led Cyber Security Framework. It all starts with these organizations establishing a “security capability,” Langner says.

    “ICS environments are notorious for their lack of enforcing security policies, if such even exist, specifically for contractors. The bigger asset owners in critical infrastructure do have policies for staff, but not for contractors. After Stuxnet, this seems quite negligent,” Langner told Dark Reading.

    Then there’s the patching conundrum for ICS/SCADA systems: while most of these organizations claim to have a patching regimen, it’s mostly only an annual patching cycle, he says. “If you dig even deeper, you may find that from the systems that should have been patched per policy, only about half of them really are,” Langner says.

    The bottom line is that cybersecurity is a low priority in private ICS environments. Langner estimates that some 95 percent of critical infrastructure operators don’t have a dedicated security professional for their systems, and their ICS security makes up less than one percent of their IT budget for process and ICS equipment and services.

    “An organization can simply decide that their target implementation tier is zero, which basically means a completely immature cybersecurity process, and still be conformant with the CSF.”

    Risk management has basically become a “religion” in security, says Richard Bejtlich, CSO at Mandiant. “Risk management has been beaten into everyone’s head, but below the business level, I don’t think most IT security people” are focused on it, he says.

    Reply
  34. Tomi Engdahl says:

    Cisco Drives Security in Modernizing the Connected Grid
    http://rtcmagazine.com/articles/view/103176

    The core mission of utilities, as well as their regulatory mandate, is to provide safe and reliable power. Cisco has announced expanded solutions and services to help utilities enhance grid operations with greater levels of automation and security and changing regulatory requirements. Cisco’s strong security knowledge and history combines a security strategy that addresses both the physical and cyber security layers, coupled with utility-specific service offerings for the electric grid based on Cisco’s Connected Grid Security Architecture. Cisco also extended its hardened network solutions for substations to allow utilities better visibility and management of the grid.

    The Cisco Connected Grid Security Architecture is a blueprint that simplifies policy administration, strengthens security controls and gives businesses more flexibility and increased visibility into operations via a layered security architecture in which the communication network serves as a platform tool to detect, control, alert and mitigate against threats. Context-aware policies are enforced across the entire utility infrastructure network to meet rapidly evolving regulatory requirements and correlate directly with potential threats and business rules.

    In addition, physical security solutions include integrated video surveillance along with physical access control tools such as card readers and sensor networks, for monitoring the status and location of assets and users. Cisco Services for Grid Security assists utilities in defining security requirements, developing future-state grid security architectures, coordinating the deployment and integration of security solutions, and delivering ongoing optimization and managed services.

    Reply
  35. Tomi Engdahl says:

    Only 500 People in the World Understand Security
    http://www.designnews.com/author.asp?section_id=1386&doc_id=266202

    “There are only about 500 people in the world who really understand industrial control system security.”

    I heard this comment at an event recently, the Siemens Automation Fair in New Orleans. It was stated by Marc Ayala, ICS/SCADA security manager at Cimation, a security solutions company specializing in automation, industrial IT, and enterprise data solutions, including oil and gas.

    I wasn’t sure if I heard correctly, or if Marc may have been off base, so I followed up with him after the event. He didn’t back off the statement. He did qualify that he was referring to people who are protecting the control system side, and not the enterprise or IT security.

    Here’s an element of security that I would not have thought of (I’m clearly not on the list of 500): Adobe Acrobat Reader is the de-facto standard for control systems deployed to read your online manuals. Adobe Acrobat is a crucial vulnerability point.

    Reply
  36. Criminal Case Facebook says:

It’s rather an interesting plus beneficial part of information. I’m happy that you contributed this handy information here. Make sure you stop us up to date like that. Many thanks for revealing.

    Reply
  37. Tomi Engdahl says:

    Smartphones & Tablets as Remote HMIs
    http://www.designnews.com/author.asp?section_id=1386&doc_id=267763&cid=nl.dn14

    Smartphones and tablets as remote HMIs (human-machine interfaces) are becoming more and more of a reality. The real usage is more limited to remote monitoring devices, but still new technology is offering an interesting and useful way to track critical plant production information, for example. With new tools that rely on browser technology and limit the amount of development effort required, this is an approach that I think will continue to gain momentum.

    “Small to mid-sized businesses have taken ‘mobile HMI’ and run with it,” David Hill, marketing communications manager at Opto 22, told Design News in an email. “Customers knew exactly what they wanted to do with a mobile HMI, which they usually wanted on a smartphone, but the cost and complexity of getting there had been too great.” For two water industry customers who connected to an HMI using remote desktop software, the existing solution was limited and cumbersome.

    What’s interesting is to see how midsized businesses are using this approach.

    To provide security, the obvious concern with these types of systems, Opto 22 recommends using VPN access and separating an organization’s control and computer networks. And beyond that, the key is careful assignment of user rights. The Groov appliance also implements SSL communications using software developed by the OpenSSL Project for use in the OpenSSL Toolkit.

    While the examples above are obviously not extremely complex manufacturing systems, they do point out the way that connectivity solutions, even with limited capabilities, can offer very significant advances in productivity and flexibility.

    Reply
  38. Tomi Engdahl says:

    If it ain’t broke, don’t automate it?
    http://www.controleng.com/single-article/if-it-aint-broke-dont-automate-it/5523bc17067074d9ef96803a332bcc9f.html

    Maybe it is broke, and you just don’t recognize it. Sometimes problems and inefficiencies in our plants persist simply because nobody wants to take responsibility for finding a solution. Effective automation might be the key.

    As a card-carrying member of the control engineering community, I’ve never understood the level of disdain some industries have for automating their processes.

    “Remember, I can make paper in manual.”

    So many of our industrial facilities are still running with many of their control loops in manual. When I ask why that is, the usual answer falls into one of two categories:

    “Oh, that never worked right,” and,
    “I’m waiting on maintenance to fix something.”

    There are variations of course, but the answers generally fall under one of these headings.

So, why do our plant managers and area superintendents allow this to continue? The easy answer is money, but it’s rarely the whole answer. As long as managers are making their production targets, there’s little or no incentive to spend money to make it better. A change might even make things worse. That attitude is fostered by the feeling that there isn’t a way to make it better, which is exacerbated by the lack of a system champion.

    They had operated for five years with the system just the way the original vendor had left it, untested and untuned. Why? No one owned the system, and it wasn’t until they had a project manager join them who had a background in controls that they had someone question why they couldn’t fix this problem. So ask yourself, what’s running in your plant that has no real owner? Where are you losing money because no one has the vision that things can be made better? What are you just living with because no one knows how to fix it? What are you just ignoring because you’re making your production targets? As a controls engineer, you should be able to see opportunities where you can apply your knowledge and realize real benefits.

    Reply
  39. Tomi Engdahl says:

    Growth in Model-Based Design for Automation Control
    http://www.designnews.com/author.asp?section_id=1386&doc_id=267765&cid=nl.dn14

    If we look back five years at the number of automation system suppliers that could import a control algorithm into their automation software tools from a simulation environment, there were very few companies on the list. Not many automation systems were building targets for importing from a simulation environment into their automation control platform through code generation.

    But now, according to industry experts at The MathWorks, the list has grown much longer. Systems are adding new sophisticated functions and tools.

    “Siemens has a new target for their PC platform, and Omron just created a target for their PLCs that works with Simulink, The MathWorks’ PLC coder product,” Tony Lennon, The MathWorks industry manager for North America, told Design News. “The build-up over time is significant and it is a trend where machine builders know [it] is important to move to system simulations earlier in the design process.”

    Typically, machine builders have been experts at mechanical design and sizing motors for a given static load, for example. But system integration gets more difficult for the OEM when adding software sophistication to machines for controlling more complex systems with multiple axes and for coordinating large numbers of motors.

    “What I can confirm is that in the mechatronic development process, software is growing in importance and is the main part of OEM machines,”

    Lennon said that the aerospace and automotive industries use simulation tools because they realize people can’t always be testing physical prototypes. But now the level of complexity and amount of code going into modern machines is causing machine builders to recognize the value of simulation, as well. Automation vendors are helping to build this bridge between the simulation environments and automation-control products. The code in a system-level simulation can now be easily ported into the actual production software that is used to drive machines.

    “With the challenges going forward, from the CAD point of view, we have a very accurate animation of machines and seeing the 3D motion of the parts, which captures the dynamics of the machine”,

    Reply
  40. Tomi Engdahl says:

    Convergence at the Operator Panel
    http://www.designnews.com/author.asp?section_id=1386&doc_id=267760&cid=nl.dn14

    An important ongoing trend for automation and control over the past decade has been the convergence of machine control systems on fewer pieces of control hardware. As Moore’s Law has continued to do its thing with processing power, and distributed network-based systems have emerged to link in processing power from intelligent devices, system architectures (in terms of hardware controllers) have been converging.

    While the functionality of standalone motion and IO controllers has often been gobbled up, machine controllers have increasingly been converging on the operator panel. The lowly operator panel — once a complex set of pushbuttons used as a dumb terminal — has gone through many transformations. Now we’re moving into a new era with touchscreen interfaces and operator panels that can serve as the main machine controller in some applications.

    Along with the hardware shift and the centralization of processing power at the operator panel, we have the separate phenomenon of a changing role of the HMI. The operator interface is now often viewed as the dashboard for the machine, and the influence of consumer technology from smartphones and tablets is unleashing a new wave of software approaches.

    With systems now being deployed with heavy input from the operator and evolving into intelligent, analytical systems, the whitepaper concludes there is also a need to provide value-added information to users and not just data for visibility. Going into the future, collaboration will be more important, and so will interoperability standards within software suites to achieve faster rollouts and more flexibility on module selection across vendors.

    Reply
  41. panasonic convection microwave says:

    0 cubic feet that can definitely accommodate any large food item that needs defrosting or reheating.
    The operation of this microwave is very easy and simple.
    With GE’s sensor cooking controls the microwave automatically adjusts the time and power for exceptional
    cooking results every time.

    Reply
  42. Tomi Engdahl says:

    A Broken Gauge Could Blow Up a Plant
    http://www.designnews.com/author.asp?section_id=1386&doc_id=268779&cid=nl.dn14

    It’s no secret that a broken gauge can put a process plant at risk. That’s why gauge producer Wika conducts audits of gauges in plants at oil, gas, and chemical companies.

Wika’s executives believe as many as 25 percent of pressure gauges in a typical plant are broken, failing, or misapplied. The company has conducted hundreds of audits at oil and gas processing facilities.

    Part of the problem is that gauges are often not systematically monitored to determine if they are functioning properly. “There is very little scheduled maintenance for gauges.”

    Faulty gauges can give dangerously false information. In a book about BP’s Deepwater Horizon blowout in the Gulf of Mexico, Carl Safina noted that two pressure gauges told two different stories about what was happening below the water. One gauge showed pressure building, the other one didn’t. Technicians on the scene decided to trust the one that showed no problem.

    While there are many reasons for gauge failure, the real culprit may be the inability of plant personnel to identify a faulty gauge. Maupin points to dwindling resources at plants. “At a lot of the process plants, about 50 percent of their process engineers have retired or will retire over the next couple of years,” he told us. “The knowledge of how and when to replace the gauges goes out the door with the retired engineers.”

    While Maupin noted that many plants now have transmitters that can offer feedback to the process engineers so they can maintain control, most gauges are simply neglected.

    Reply
  43. security news says:

    What’s up everyone, it’s my first go to see at this site, and article is truly fruitful in support of me, keep up posting such articles or reviews.

    Reply
  44. Tomi Engdahl says:

    Security Measures in Power Grids – often ignored
    http://blog.iec61850.com/2013/10/security-measures-in-power-grids-often.html

    Vulnerabilities in the automation of power grids are more often on the radar screen of information and control system experts. It seems that some people are using the situation of aging infrastructures to make money with finger-pointing to the vulnerabilities of implementations of protocols like DNP3 or others. Or is it just fun to discover “holes” in the often low level secured information and communication systems?

    There are – in my view – two crucial issues (among other) when it comes to security measures for information exchange systems in power systems:

    1. Lack in Expertise
    2. Lack in Resources

    There are a lot of discussions regarding aging infrastructures these days. I hope the discussions will have a real impact of securing our infrastructures, especially the electrical power system delivery systems!

    Open standard protocols allow remote access to a lot of critical systems like substations or power generation sites. ENEL (Italian Power Company) operates some 400.000 Substations worldwide – some 100.000 are remotely monitored. So, 300.000 substations cannot be reached by protocols. Hundreds of protocols may be in use in the power industry. This makes it quite hard to easily break into most of the substations worldwide. With the application of standards like IEC 60870-5-104, DNP3, Modbus IP, or IEC 61850 this will change soon.

    Reply
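    The comment above lists the open standard protocols (IEC 60870-5-104, DNP3, Modbus TCP, IEC 61850) that make remotely reachable substations uniform enough to monitor, and that the head of this page showed turning up in Shodan. From the defender’s side, the same uniformity makes passive monitoring cheap: a Modbus/TCP request is a 7-byte MBAP header followed by a function code, so a network tap can tell a routine read poll from a write to coils or registers and raise an alert when a write arrives from anything other than the SCADA master. The following is an added example, not code from the page or from any vendor named here; the host addresses and frames are constructed, and the trusted-master list is an assumption.

```python
"""Passive Modbus/TCP request auditor (added example; hosts and frames are constructed)."""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

MBAP_LEN = 7              # transaction id (2), protocol id (2), length (2), unit id (1)
MODBUS_PROTOCOL_ID = 0    # Modbus/TCP always carries protocol id 0

# Public function codes grouped by effect on the device (Modbus Application Protocol spec).
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes

    @property
    def is_write(self) -> bool:
        return self.function_code in WRITE_FUNCTIONS

    @property
    def name(self) -> str:
        return (READ_FUNCTIONS.get(self.function_code)
                or WRITE_FUNCTIONS.get(self.function_code)
                or f"function 0x{self.function_code:02x}")


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request frame (MBAP header + PDU); raise ValueError if malformed."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short for MBAP header and function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != MODBUS_PROTOCOL_ID:
        raise ValueError(f"unexpected protocol id {pid}")
    # The MBAP length field counts the unit id plus the PDU, i.e. every byte after offset 6.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame size {len(frame)}")
    return ModbusRequest(tid, uid, frame[7], frame[8:])


def audit_requests(events: Iterable[Tuple[str, bytes]],
                   trusted_writers: Set[str]) -> List[str]:
    """Return one alert per request worth a look: a write from a host that is not a
    known SCADA master, or a frame the parser rejects (possible probing or fuzzing)."""
    alerts = []
    for src, frame in events:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append(f"{src}: malformed Modbus/TCP frame ({exc})")
            continue
        if req.is_write and src not in trusted_writers:
            alerts.append(f"{src}: {req.name} to unit {req.unit_id} "
                          f"from non-SCADA host (tid {req.transaction_id})")
    return alerts


# Constructed sample traffic: (source IP, raw frame). Addresses are hypothetical.
TRUSTED_WRITERS = {"10.0.1.10"}          # the assumed SCADA master
SAMPLE_EVENTS = [
    # master reads 10 holding registers from unit 1: routine polling, no alert
    ("10.0.1.10", bytes.fromhex("00010000000601030000000a")),
    # master writes register 1 := 0x00ff: a write, but from the trusted master
    ("10.0.1.10", bytes.fromhex("0002000000060106000100ff")),
    # some other host writes two registers starting at 0: alert
    ("10.0.5.77", bytes.fromhex("00030000000b0110000000020400010002")),
    # length field claims 255 bytes but only 2 follow: malformed, alert
    ("10.0.5.77", bytes.fromhex("0004000000ff0103")),
]

if __name__ == "__main__":
    for alert in audit_requests(SAMPLE_EVENTS, TRUSTED_WRITERS):
        print(alert)
```

    Running the block prints two alerts: the write-multiple-registers request from 10.0.5.77 and the malformed frame. The same classification applies to responses from the device if the tap sees both directions; an exception response (function code with the high bit set) from an outstation that was sent a write it rejected is another signal worth counting.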
  45. Tomi Engdahl says:

    Do we need Blackouts to Expose Flaws in the Grid?
    http://blog.iec61850.com/2013/11/do-we-need-blackouts-to-expose-flaws-in.html

From the viewpoint of an engineer: No! There are many engineers or other technicians that are aware of the condition of the whole system – including the aging work force. From the viewpoint of many people in charge to make decisions to invest or not to invest: Yes!

    The article states: “The improvements were ideas that engineers had always liked, but had trouble persuading utility executives and public service commissions to pay for.”

    I hope that the voice of the engineers will convince more decision-makers to allocate sufficient resources for keeping the aging power infrastructure running, the power flowing, the grass green, and the sky blue.

    Some 10 years after the first substation automation systems have been equipped with IEC 61850 based devices, a lot of smart engineers see the need to invest into defining a second layer on top of the standards and the many options they provide. This second layer could be named: Interoperability Profile Specifications.

    Reply
  46. Tomi Engdahl says:

    Hear that? It’s the sound of BadBIOS wannabe chatting over air gaps
    LANs-free prototype mimics notorious rootkit
    http://www.theregister.co.uk/2013/12/05/airgap_chatting_malware/

    Computer scientists have brewed up prototype malware that’s capable of communicating across air gaps using inaudible sounds.

    The mesh network capable of covertly communicating without wireless or wired connections was developed by Michael Hanspach and Michael Goetz. It borrows its founding principles from established systems for robust underwater communication.

    the abstract of a paper for a recent edition of the Journal of Communications explains.

    “Two computers that are not connected to each other via established types of network interfaces (e.g. IEEE 802.3 Ethernet [2] or IEEE 802.11 WLAN [3]) or that are prohibited from communicating with each other over these established types of network interfaces are, nevertheless, able to communicate with each other by using their audio input and output devices (microphones and speakers).”

    A painfully slow speed of just 20 bps was achieved using the method but nonetheless it might be workable for a keylogger, providing there’s no external interference.

    The possibility of malware that can communicate over air-gapped machines, or worse still, spread onto them, is a nightmare scenario for those in charge of otherwise well designed ultra-secure networks (think some military systems, power plants etc). Why? Because a “covert acoustical mesh network” wouldn’t respond to any of the well-established security measures typically taken by organisations, and disabling the audio components is not always feasible.

    The type of malware outlined by the researchers bears an uncanny resemblance to features of the BadBIOS malware said to have afflicted machines run by computer security researcher Dragos Ruiu.

    Dubbed BadBIOS, the mysterious rootkit can supposedly jump over air gaps, screw with a number of different operating systems

    Reply
  47. craigslist in phoenix jobs says:

    Hello to all, how is the whole thing, I think every one is getting more from this web
    site, and your views are good in support of new users.

    Reply
  48. Tomi Engdahl says:

    Monju power plant facility PC infected with virus
    http://www.japantoday.com/category/national/view/monju-power-plant-facility-pc-infected-with-virus

    A computer being used at the Monju prototype fast-breeder reactor facility in Tsuruga, Fukui Prefecture, was recently discovered to have contracted a virus, and officials believe that some data from the computer may have been leaked as a result.

    It is believed that the computer was infected with the virus when a video playback program was attempting to perform a regular software update.

    Reply
  49. Tomi Engdahl says:

    Malware suspected in Japanese nuclear plant control room – but don’t panic
    http://nakedsecurity.sophos.com/2014/01/09/malware-suspected-in-japanese-nuclear-plant-control-room-but-dont-panic/

    The control centre of a nuclear power plant really doesn’t sound like the sort of place you’d want to see a malware infection.

    So, when we hear that an infection is suspected to have hit a machine at a Japanese plant, it raises immediate fears of cyber-terrorism, or at the very least advanced state-sponsored espionage.

    From the sound of it, it seems like little more than incompetence and lack of proper caution in what is without doubt a sensitive setting, but is perhaps not quite as dangerous a place as it might at first sound.

    Unusual behaviour was spotted by an admin on January 2nd, with over 30 unexpected connections made, thought to originate from South Korea.

    Investigations are still ongoing, but it seems the system in question was not pivotal to the safety of the plant. The shared-use machine did however contain data including a large amount of employee email and training information which may have been leaked by the compromise.

Monju is a prototype sodium-cooled fast breeder reactor, commissioned in the mid-1990s.

    So, a non-serious infection on a non-crucial machine at a non-operational plant. But there may still be some lessons to be learnt here.

    The suspected infection is said to have occurred “after an employee updated free software”, with the product in question elsewhere described as “video playback software”.

    Either way, it seems like the plant’s IT is not too well protected, and is running freeware video software which any user can tinker with at will.

    A minor malware infection may not sound as serious as leaking radioactive material, but it should be seen as an indicator of potentially bigger problems to come.

    Reply
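    The comment above notes that the Monju incident was spotted by an admin seeing over 30 unexpected connections from a control-room PC, and that the suspected entry point was a free video player fetching its own update. A control-room host has a very short list of legitimate destinations (site DNS, a file server, an internal update mirror), so the detection an admin did by eye can be automated as an allowlist check over connection logs. The block below is an added example, not code from the page or from the plant; the log format, host names, addresses and allowlist are all constructed for illustration.

```python
"""Allowlist-based outbound connection audit for a control-room host (added example)."""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed log format (hypothetical; not any real firewall's output):
#   <ISO timestamp> <host> conn src=<ip> dst=<ip>:<port> proto=<tcp|udp>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) conn src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+):(?P<port>\d+) proto=(?P<proto>\w+)$")

# Destinations a control-room PC is expected to reach (assumed addresses). Anything
# else, including a vendor's public update server, should be flagged, not allowed.
Allowlist = List[Tuple[ipaddress.IPv4Network, frozenset]]
ALLOWLIST: Allowlist = [
    (ipaddress.ip_network("10.20.1.2/32"), frozenset({53})),    # site DNS
    (ipaddress.ip_network("10.20.1.5/32"), frozenset({445})),   # file server
    (ipaddress.ip_network("10.20.1.9/32"), frozenset({443})),   # internal update mirror
]


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def is_allowed(dst: str, port: int, allowlist: Allowlist) -> bool:
    addr = ipaddress.ip_address(dst)
    return any(addr in net and port in ports for net, ports in allowlist)


def find_unexpected(lines: Iterable[str], allowlist: Allowlist) -> List[dict]:
    """Every parsed connection whose destination and port are not on the allowlist."""
    unexpected = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; a real deployment would count these too
        if not is_allowed(rec["dst"], rec["port"], allowlist):
            unexpected.append(rec)
    return unexpected


def burst_alerts(records: List[dict], threshold: int = 3) -> Dict[str, int]:
    """Destinations contacted at least `threshold` times: one repeated unknown peer
    is the pattern seen in the incident above (30+ connections to one place)."""
    counts = Counter(r["dst"] for r in records)
    return {dst: n for dst, n in counts.items() if n >= threshold}


# Constructed sample log. 203.0.113.45 is from the documentation range (TEST-NET-3).
SAMPLE_LOG = [
    "2014-01-02T09:00:01 ctrl-pc1 conn src=10.20.3.14 dst=10.20.1.2:53 proto=udp",
    "2014-01-02T09:00:02 ctrl-pc1 conn src=10.20.3.14 dst=10.20.1.5:445 proto=tcp",
    "2014-01-02T09:05:10 ctrl-pc1 conn src=10.20.3.14 dst=10.20.1.9:443 proto=tcp",
    "2014-01-02T09:05:11 ctrl-pc1 conn src=10.20.3.14 dst=203.0.113.45:443 proto=tcp",
    "2014-01-02T09:05:14 ctrl-pc1 conn src=10.20.3.14 dst=203.0.113.45:443 proto=tcp",
    "2014-01-02T09:05:19 ctrl-pc1 conn src=10.20.3.14 dst=203.0.113.45:443 proto=tcp",
    "2014-01-02T09:06:02 ctrl-pc1 conn src=10.20.3.14 dst=203.0.113.45:443 proto=tcp",
    "2014-01-02T09:06:40 ctrl-pc1 conn src=10.20.3.14 dst=203.0.113.45:443 proto=tcp",
    "this line is not a connection record",
]

if __name__ == "__main__":
    hits = find_unexpected(SAMPLE_LOG, ALLOWLIST)
    print(f"{len(hits)} unexpected connections")
    for dst, n in burst_alerts(hits).items():
        print(f"ALERT: {n} connections to {dst} not on the allowlist")
```

    The allowlist is deliberately destination-and-port based rather than "block known bad": a control-room machine has no business reaching anything not on that list, so the policy can be enforced at the network boundary as well as audited in logs, and an update that needs the public Internet should go through the internal mirror instead.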
  50. air conditioning riverside ca says:

    continuously i used to read smaller articles or reviews that as well clear their motive, and
    that is also happening with this article which I am reading at this
    place.

    Reply
