Wednesday, September 21, 2011

Microsoft In Process Manufacturing

Microsoft announced the launch of the ChemRA initiative, an endeavor led by Microsoft and its industry partners. 
“This initiative is not a Microsoft product-mandated system.  Rather, it seeks to develop an IT framework that allows for the easy flow of information across organizations.  ChemRA is based on a set of principles that map to the most common use cases of technology for users in the chemical and oil refining industries.” 
The five pillars of ChemRA are:  Natural User Experience, Application Interoperability, Enhanced Collaboration, Business Insight, Solid Infrastructure. 
The five pillars of ChemRA

Tuesday, September 20, 2011

MESA – “Cloudy With A Chance For Profits”

Greetings from Orlando, Florida, where I am attending the 2011 MESA North American Conference.
This year some of the topics slated for discussion are: The Cloud, Chance for Profits (the theme of turning problems into solutions to get us all thinking differently), Cut Through the Clutter (the good, the bad and the ugly about implementations) and Real Time (what is real time in my business?).  I will be providing key highlights in the weeks to come.  Check back tomorrow for a recap of an announcement from Microsoft.
For those not familiar, MESA (Manufacturing Enterprise Solutions Association) International is a global community of manufacturers, producers, industry leaders and solution providers who are focused on improving Operations Management capabilities through the effective application of technology solutions and best practices.

Wednesday, September 7, 2011

Stuxnet and What it Means to Our Security

If you have paid much attention at all to Control Systems news in the past year, you undoubtedly have heard of the Stuxnet worm.  For those of you not in the know, the worm was found to have infected many industrial systems that ran Siemens PCS7.  After analysis of the software and its payload, it was discovered that the worm was a targeted attack against a system exhibiting certain characteristics.  When it found these markers, the worm would inject itself into the Siemens PLC running the process and surreptitiously change VFD settings on certain drives.
It was speculated, then later confirmed, that the target of the attack was the Natanz nuclear facility in Iran, specifically destroying centrifuges used to enrich uranium.  The attack appeared successful in that hundreds of centrifuges were damaged at the site, causing replacements to be needed, and stalling, for a while, enrichment programs.
Should we fear an attack like this? Not really.  This was a highly sophisticated attack, which probably had some sort of government backing and resources that are out of reach to the large majority of hackers.  If a group is dedicated and has sufficient funding and time, they will be able to break through your security.  Our job is to make that threshold so high that it is unreasonable for them to do so.
The only sure-fire way of locking down your system is to completely disconnect it from the outside and disallow physical access to the controllers/servers.  This, of course, is impossible to do as more and more systems are being tied together using SCADA software so that real-time monitoring can be used on the enterprise level.  Listed below are some simple strategies that are effective and, when used together, form stronger security by creating a “defense in depth” strategy.  This is not an exhaustive list, but it will get you started heading in the right direction:
Segregate your networks
You should never have your control and business networks on the same network.  The security implications are obvious in that one malicious email attachment could bring down both networks, but there are also performance gains that can be achieved by separating the two.
Utilize DMZs
A DMZ (demilitarized zone) is a section of a network which can be accessed by both your control network and your business network. It provides an intermediate layer of security in that the business network can only access certain servers that reside in the DMZ, such as a data historian, and the control network can push data into this DMZ, but the control and business networks never speak directly.
Anti-virus (AV) integration into control system networks can be a tricky thing.  For anti-virus products to be effective, they need regular updates to stay on top of new attacks.  In a locked-down or validated system, patching is almost non-existent and anti-virus products would not get the updates they need.  Another problem with AV solutions is that vendors require certain files and folders to be excluded from scans in order for the products to play nicely together.  This can cause a system to lose responsiveness and AV effectiveness can be lost.
One way to utilize anti-virus products is to have them sitting on a gateway server, so that any files transferring in and out of the system must pass through and be scanned before being allowed into the main servers.  This server could also vet any USB drives or CDs that would be used on the other servers.
Deny Access by Default
Configuring firewalls between networks is something that many companies fail to do adequately.  Many configurations are rushed, leaving them incomplete with gaping security holes.  It’s akin to barricading your front door while leaving your window wide open.  The best policy is to deny all traffic by default, and only allow connections on an exception basis, a concept called ‘whitelisting’.  This may be time consuming, as you need to figure out exactly what traffic or programs are necessary to allow through the firewall, but it provides much better security overall.
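The zone model from the DMZ section and the deny-by-default policy described above can be checked mechanically. The following is an added example, not part of the original post: the rule format, host names and ports are constructed for illustration and do not correspond to any particular firewall product.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    src: str     # source zone: "business", "dmz" or "control"
    dst: str     # destination zone
    host: str    # destination host name, or "any"
    port: str    # destination port, or "any"
    action: str  # "allow" or "deny"

def decide(rules, default, src, dst, host, port):
    """First matching rule wins; otherwise the default action applies."""
    for r in rules:
        if (r.src, r.dst) == (src, dst) and r.host in (host, "any") \
                and r.port in (str(port), "any"):
            return r.action
    return default

def audit(rules, default):
    """Return findings where a rule set departs from the zone model above."""
    findings = []
    if default != "deny":
        findings.append("default action is not deny")
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if {r.src, r.dst} == {"business", "control"}:
            findings.append(f"rule {i}: business and control talk directly")
        if "any" in (r.host, r.port):
            findings.append(f"rule {i}: wildcard host or port in an allow rule")
    return findings

# Constructed sample rule sets (host names and ports are made up).
WEAK = [
    Rule("business", "control", "any", "any", "allow"),
    Rule("business", "dmz", "any", "any", "allow"),
]
HARDENED = [
    Rule("control", "dmz", "historian", "5450", "allow"),  # control pushes data
    Rule("business", "dmz", "historian", "443", "allow"),  # business reads it
]

if __name__ == "__main__":
    for name, rules, default in (("weak", WEAK, "allow"),
                                 ("hardened", HARDENED, "deny")):
        print(name, audit(rules, default) or "no findings")
    # A business-to-PLC flow matches no rule and falls to the default deny.
    print(decide(HARDENED, "deny", "business", "control", "plc1", 102))
```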
Restrict Physical Access
You’d be surprised how many installations have very good IT infrastructure security, but allow anyone to be able to walk up to a cabinet in the field and hook up their laptop directly to the PLC or network switch.  Simple solutions, such as locking control panels, and allowing only certain pre-screened engineering laptops on the control network can increase security and stop the proliferation of harmful worms and viruses.
Disable USB/CD Autoplay
The original vector for Stuxnet was through infected USB drives that integrators took with them around the world and plugged into control systems.  It is good practice to disable Autoplay in Windows, so these infections are not spread through merely inserting a USB device.
To disable Autoplay on Windows XP:
  1. Bring up the Run prompt using Win+R
  2. Type gpedit.msc and press OK.
  3. Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > System
  4. Under the settings in the right-hand window pane, double-click Turn off Autoplay
  5. Select the Enabled radio button and select All Drives from the drop-down menu to disable Autoplay on all drives.
  6. Press OK.
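To confirm the setting took effect on each workstation, the policy can be read back from the registry: it is stored as the NoDriveTypeAutoRun DWORD under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, and "All Drives" writes 0xFF. The following is an added example, not part of the original post; it decodes the output of `reg query` for that value, and the sample outputs are constructed.

```python
import re

# Bits of the NoDriveTypeAutoRun DWORD; a set bit turns Autoplay OFF for that type.
DRIVE_BITS = {
    0x01: "unknown type",
    0x04: "removable (USB, floppy)",
    0x08: "fixed disk",
    0x10: "network drive",
    0x20: "CD-ROM",
    0x40: "RAM disk",
}
ALL_DRIVES = 0xFF  # written by "Turn off Autoplay" = Enabled, All Drives

def parse_reg_query(text):
    """Extract the NoDriveTypeAutoRun value from `reg query` output, or None."""
    m = re.search(r"NoDriveTypeAutoRun\s+REG_DWORD\s+0x([0-9a-fA-F]+)", text)
    return int(m.group(1), 16) if m else None

def autoplay_enabled_for(value):
    """List the drive types on which Autoplay is still active."""
    return [name for bit, name in DRIVE_BITS.items() if not value & bit]

def check_host(reg_output):
    """Return (compliant, drive types still autoplaying or None if unset)."""
    value = parse_reg_query(reg_output)
    if value is None:
        return False, None  # policy value missing: treat as not hardened
    return value & ALL_DRIVES == ALL_DRIVES, autoplay_enabled_for(value)

# Constructed samples of:
#   reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun
SAMPLE_PARTIAL = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0x91
"""
SAMPLE_POLICY_APPLIED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0xff
"""

if __name__ == "__main__":
    for name, out in (("partial", SAMPLE_PARTIAL),
                      ("policy applied", SAMPLE_POLICY_APPLIED)):
        print(name, check_host(out))
```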
I believe the lasting legacy of Stuxnet will not be that of a new era of attacks on control systems, but an era of focusing more on the security of these systems. For too long has the industry relied on security through obscurity; it’s time to be more proactive in our security practices.
Below are some links for further reading about industrial control system security:
[Original post by:  Kevin Rawls] 

Friday, September 2, 2011

Why did “X” happen? (Or why did “X” not happen…)

Posts have been scarce lately… But there is plenty to come!  Now without further delay.
There is an easy and overlooked method to provide first steps to the question “Why did X happen? Or why did X not happen?”.   Not only is it an easy method, it is already there waiting for you to review…  The Windows Event Viewer!  OK, some of you are thinking, “Oh, that gee – so?”  For those of you who didn’t think of it, you are not alone… the Windows Event Viewer (or Dr. Watson for those reminiscing) provides detailed information about significant events on your computer. It can be helpful (and yet overlooked) when troubleshooting problems and errors with Windows and other programs.  A key point that I will make here is to look for information on the application and dependent technologies that the application uses:  DCOM, MSDTC and such for correlations.

Event Viewer
For a quick refresher, you can access the Event Viewer several ways, but I typically click Start, Run, and type eventvwr. There are typically three logs available:
  • Application: applications running under Windows are supposed to log their events here.
  • Security: when enabled, Windows can log a host of security-related events, which are logged here.
  • System: the operating system logs its events here.
  • If you are really lucky, the MES or SCADA system you use might create its own heading too… (really, really lucky).
For those of you who haven’t bothered to look in the Event Viewer – don’t panic on your first view – there will be informational events logged aside from errors.  THIS IS NORMAL!  Another point is to get a feel for what events are logged under NORMAL conditions so that you don’t chase a dead end for a missing printer driver (or somebody RDPing).

Now hop to it and check it out!