#ISAutowk: World-class technical content at Nashville automation event!

11/11/2013

ISA’s Automation Week: Technology and Solutions Event 2013 wrapped up on Thursday (7/11/2013), in the well known Music City, Nashville in the USA. Three days of comprehensive technical sessions, keynote addresses, networking events, standards meetings, and training courses were availed of by hundreds of automation professionals.

Nashville, TN, USA. 5-7 November 2013. Follow events on Twitter: #ISAutowk

Releases received at Read-out from ISA and others about the event!

  • Industrial Security Expert Eric Byres Receives ISA Award (David Greenfield, Automation World, 4/11/2013)
  • Peter Martin speaks at #ISAutoWk as replacement keynote (Walt Boyes, ControlGlobal, 5/11/2013)
  • Preventing a Cyber Pearl Harbor (David Greenfield, Automation World, 5/11/2013)
  • Building an ROI for Industrial Cyber Security (Eric Knapp, Security Week, 6/11/2013)
  • Maverick Technologies’ Paul Galeski explains his strategy for drawing higher attendance (Interview with Control Engineering’s Peter Welander, 7/11/2013)
  • ISA104Meeting (Terry Blevins, Modelling & Control, 25/11/2013)
  • The Automation Value Proposition (Walt Boyes, Sound Off, 10/12/2013)

The ISA Automation Week program also included 24 technical sessions, organized into six educational tracks. These tracks, which included Industrial Network Security; Creating Business Value through Automation; The Connected Enterprise; Wireless Applications; Industrial Automation and Control; and Asset Lifecycle Management and Optimization/Strategy, were organised with a focus on the critical components of successful automation – safety, people, business and technology.

This was the first time we have actually been unable to travel to the event and so we had to rely on the tweets of those who were happy to share information. The number of tweeters was surprisingly small, though some were very good at keeping us informed, especially Control Global’s Walt Boyes and Joel Don, who was tweeting under the ISA Interchange identity. There were one or two sharings commenting on the paradox of an excellent high class programme and the fact that the number of delegates was small. “The program is terrific. The audience is small,” said one, and another “I don’t know what we have to do to build it up again.” It has always been a bit of a mystery to me how the incredibly valuable and unaligned resource treasure of ISA does not appear to attract American professionals in the way it seems to internationally.

The event was preceded by some governance meetings of the ISA itself, which had delegates from throughout the world discussing and voting on important changes in how the Society is governed. The delegates were also treated to a preview of a new ISA website, which is the result of mammoth work behind the scenes. This will make the virtual leviathan of information already on the ISA site more easily accessible to members and other visitors. The beta version should be online in a matter of weeks. Watch out for it!

Eric Byres accepts his award!


Another stalwart of Automation Week is the eve event of the ISA Honours & Awards Banquet where Automation Professionals are honoured by their peers. These included Eric Byres, of Tofino, one of the pioneers in expertise and leadership in the quest for cybersecurity solutions to protect industrial control systems.

Yes! Automation can!
Dr Peter Martin, vice president of business value solutions for the Software and Industrial Automation division of Invensys, delivered the opening keynote address on the Tuesday morning, entitled “The Future of Automation.” He focused on the importance of automation professionals in solving the world’s most significant problems. “When people say you’re biting off too much of a project, they might use the expression that you’re trying to solve world hunger. I want you to understand that in the automation industry, we can solve world hunger. We can do it, and we’re the only people who can do it.”

Dr. Martin stressed that the barriers to solving the world’s most significant problems include access to energy, water, food, material goods and chemicals. Automation professionals, he said, can figure out how to solve those access problems, and “that challenge must be a rallying cry for the next generation to pursue careers in our industries and make a real difference in our futures.”

One phrase impressed our tweeters: “Collaborate, it’s a nice thing to do, just doesn’t work. You need to incent for it.”

Preventing a cyber Pearl Harbour
Wednesday morning’s keynote address was delivered by an American General, Robert E. Wheeler, Deputy Chief Information Officer of the United States Department of Defense. He is responsible for Command, Control, Communications and Computers (C4) and Information Infrastructure Capabilities (DCIO for C4IIC) and serves on the executive staff of the US Secretary of Defense. This address focused on the importance of industrial infrastructure cybersecurity and the threats posed daily to our nation’s critical infrastructure networks.

General Robert Wheeler USAF


“In the Department of Defense, our job is to assure mission execution in the face of cyber warfare by the most capable adversaries in the world,” said Wheeler. “We have to get the bad guys, protect the good guys, take out insurgents, and not hurt anyone else. That’s very hard.”

Wheeler went on to discuss the protection of America’s SCADA systems, power grid, and other key infrastructure assets. “Information assurance must be baked in from the very beginning of your work as engineers and automation professionals – you can’t just bolt it on,” he said, and this was reported by our tweeters. The Automation Federation and ISA cybersecurity experts have been invited by the White House and NIST to participate in developing the framework for President Barack Obama’s executive order PPD-21 calling for the cybersecurity of industrial automation and control systems and critical infrastructure.

Other tweets: “We have not gone down the BYOD (Buy your own device) road. We don’t think it’s going to save us that much money in the long run.” and “We are always going to have some cyber weakness because it is open- this is not the same view in other countries.” Perhaps more riveting were these: “The closed systems of yesteryear are open today” and more bluntly “SCADA has lost its protection by connecting to the Internet.”

When asked about the importance of training and recruiting future cybersecurity professionals, Wheeler stressed the importance of STEM education initiatives combined with mentoring programs that can ignite the curiosity and intellect of future engineers, inspiring them to become the next cyber warriors in the fight to keep American companies and infrastructure safe and secure.

Workforce Development
Thursday’s keynote address, the final keynote of the conference, featured a distinguished panel of experts discussing workforce development issues within our industries. Moderated by Maurice Wilkins, Ph.D., vice president of the Global Strategic Marketing Center, Yokogawa Corporation of America, the panel included Paul Galeski, CEO & founder of MAVERICK Technologies; Dr. Martin of Invensys; and Steve Huffman, vice president of marketing and business development for Mead O’Brien, Inc. “Workforce development is one of the largest issues facing industry and one that will have a quick and lasting impact on process automation personnel,” commented Dr. Wilkins. “We need to bring together supplier, systems integrator, and educational communities to reverse the trends and inevitabilities that will affect us all – they each bring a unique and valuable perspective.”

“Our rich technical sessions and thought-provoking keynotes provided attendees with new take-home tools, tips and techniques to help them deliver even better performance in their jobs,” said ISA Automation Week Program Chair Paul Galeski. “We are very proud of the technical content we’ve put together for this unique, world-class event.” Or as we have already quoted above: “The program is terrific.”

Attendees agreed with Galeski’s sentiments about the depth and breadth of the technical content in the program. “I have been attending ISA Automation Week for three consecutive years. The conference offers great technical sessions, always something new, and always something to learn,” said Hector Torres, senior process and control engineer, at Eastman Chemical.

In addition to technical sessions and keynote addresses, the event also featured a networking hub with ISA partner companies, technology briefings and social events.

As the event drew to an end came this somewhat plaintive tweet: “Need titles for the flight home? Check out the #ISAutoWk bookstore, across from the Networking Hub.” This is of course the indefatigable Publications Department which issues a regular supply of books, the Society Magazine, the incomparable ISA Transactions, the Journal of Automations and innumerable papers since the formation of the Society almost 70 years ago. The proceedings for this year are now available free to members for download!

“ISA Automation Week was a great opportunity to meet new prospects, spend time with our customers and network with experts,” noted Ned Espy, Technical Director at Beamex, which was announced as ISA’s Premier Strategic Partner for Calibration earlier in the week. “The presentation content was the best in years with relevant topics. I also learned we are part of an organization that is striving to end world hunger!”

Additional ISA partners participating at ISA Automation Week included ISA’s Premier Strategic Partner for Systems Integration, MAVERICK Technologies; ISA’s Corporate Partners, Honeywell and OSIsoft; and ISA’s Automation Week Partners, aeSolutions, ARC Advisory Group, Eaton, ExperTune, and Falcon Electric.

<hr>

Automation Week 2012 – Orlando, Florida USA

Automation Week 2011 – Mobile, Alabama (USA)


Cloud Computing for SCADA

05/09/2013
Moving all or part of SCADA applications to the cloud can cut costs significantly while dramatically increasing reliability and scalability, says Larry Combs, vice president of customer service and support, InduSoft.

Although cloud computing is becoming more common, it’s relatively new for SCADA (supervisory control and data acquisition) applications. Cloud computing provides convenient, on-demand network access to a shared pool of configurable computing resources including networks, servers, storage, applications, and services. These resources can be rapidly provisioned and released with minimal management effort or service provider interaction.

By moving to a cloud-based environment, SCADA providers and users can significantly reduce costs, achieve greater reliability, and enhance functionality. In addition to eliminating the expenses and problems related to the hardware layer of IT infrastructure, cloud-based SCADA enables users to view data on devices like smartphones and tablet computers, and also through SMS text messages and e-mail.

Our company (InduSoft), along with a number of others, provides SCADA software and services for firms that want to use their own IT infrastructure, the cloud, or a combination of both to deploy their applications. We provide upfront consulting and advice to help customers make the best choice depending on their specific requirements and capabilities.

A cloud can be public or private. A public cloud infrastructure is owned by an organization and sold as services to the public. A private cloud infrastructure is operated solely for a specific customer. It may be managed by the customer or by a third party; it may exist on premise or off premise. Hybrid clouds consist of private and public clouds that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability.

Cloud computing can support SCADA applications in two fashions:

  • The SCADA application is running on-site, directly connected to the control network and delivering information to the cloud where it can be stored and disseminated, or
  • The SCADA application is running entirely in the cloud and remotely connected to the control network.

Figure 1: A public cloud formation in which the SCADA system is running onsite and delivers data via the cloud

The first method is by far the most common and is illustrated in Figure 1 (right). The control functions of the SCADA application are entirely isolated to the control network. However, the SCADA application is connected to a service in the cloud that provides visualization, reporting, and access to remote users. These applications are commonly implemented using public cloud infrastructures.

The implementation illustrated in Figure 2 (below) is common to distributed SCADA applications where a single, local SCADA deployment is not practical. The controllers are connected via WAN links to the SCADA application running entirely in the cloud. These applications are commonly implemented using private or hybrid cloud architectures.

Service Choices
Most experts divide the services offered by cloud computing into three categories: infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS).

Figure 2: A private/hybrid cloud in which the controllers are connected via WAN links to the SCADA application running entirely in the cloud.


An IaaS such as Amazon Web Services is the most mature and widespread service model. IaaS enables service provider customers to deploy and run off-the-shelf SCADA software as they would on their own IT infrastructure. IaaS provides on-demand provisioning of virtual servers, storage, networks, and other fundamental computing resources.

Users only pay for capacity used, and can bring additional capacity online as necessary. Consumers don’t manage or control the underlying cloud infrastructure but maintain control over operating systems, storage, deployed applications, and select networking components such as host firewalls.

PaaS, like Microsoft’s Azure or Google Apps, is a set of software and product development tools hosted on the provider’s infrastructure. Developers use these tools to create applications over the Internet. Users don’t manage or control the underlying cloud infrastructure but have control over the deployed applications and application hosting environment configurations. PaaS is used by consumers who develop their own SCADA software and want a common off-the-shelf development and runtime platform.

SaaS, like web-based e-mail, affords consumers the capability to use a provider’s applications running on a cloud infrastructure from various client devices through a thin client interface like a web browser. Consumers don’t manage or control the underlying cloud infrastructure but instead simply pay a fee for use of the application.

SCADA vendors have been slow to adopt the SaaS service model for their core applications. This may change as the uncertainty of cloud computing begins to clear. For now, vendors are beginning to release only certain SCADA application components and functions as SaaS, such as visualization and historical reporting.

Economical Scalability
With all three service models, scalability is dynamic and inexpensive because it doesn’t involve the purchase, deployment, and configuration of new servers and software. If more computing power or data storage is needed, users simply pay on an as-needed basis.

Companies don’t have to purchase redundant hardware and software licenses or create disaster recovery sites they may never use. Instead they can provision new resources on demand when and if they need them. Add in the costs that a company would otherwise incur to manage an IT infrastructure, and the savings of moving to the cloud could be huge.

Instead of numerous servers and backups in different geographic locations, the cloud offers its own redundancy. On-demand resource capacity can be used for better resilience when facing increased service demands or distributed denial of service attacks, and for quicker recovery from serious incidents. The scalability of cloud computing facilities offers greater availability. Companies can provision large data servers for online historical databases, but only pay for the storage they’re using.

Building an IT infrastructure is usually a long-term commitment. Systems can take months to purchase, install, configure, and test. Equivalent cloud resources can be running in as little as a few minutes, and on-demand resources allow for trial-and-error testing.

Taking a snapshot of a known working configuration makes it easier to make changes without having to start from scratch. If a problem occurs when deploying a patch or update, the user can easily switch back to the previous configuration.

On-site IT projects involve significant cost, resources, and long timelines—and thus include significant risk of failure. Cloud computing deployments can be completed in a few hours with little or no financial and resource commitments, and therefore are much less risky.

Manageability, Security, and Reliability
The structure of cloud computing platforms is typically more uniform than most traditional computing centers. Greater uniformity promotes better automation of security management activities like configuration control, vulnerability testing, security audits, and security patching of platform components.

A traditional IT infrastructure environment poses the risk that both the primary and the single backup server could fail, leading to complete system failure. In the cloud environment, if one of the cloud computing nodes fails, other nodes take over the function of the failed cloud computing node without a blip.

If a company chooses to implement its own IT infrastructure, access to user data in this infrastructure generally depends on the company’s single Internet provider. If that provider experiences an outage, then users don’t have remote access to the SCADA application. Cloud computing providers have multiple, redundant Internet connections. If users have Internet access, they have access to the SCADA application.

The backup and recovery policies and procedures of a cloud service may be superior to those of a single company’s IT infrastructure, and if copies are maintained in diverse geographic locations as with most cloud providers, may be more robust. Data maintained within a cloud is easily accessible, faster to restore, and often more reliable. Updates and patches are distributed in real time without any user intervention. This saves time and improves system safety by enabling patches to be implemented very quickly.

Challenges and Risks
Cloud computing has many advantages over the traditional IT model. However, some concerns exist in regard to security and other issues. Data stored in the cloud typically resides in a shared environment. Migrating to a public cloud requires a transfer of control to the cloud provider of information as well as system components that were previously under the organization’s direct control. Organizations moving sensitive data into the cloud must therefore determine how these data are to be controlled and kept secure.

Applications and data may face increased risk from network threats that were previously defended against at the perimeter of the organization’s intranet, and from new threats that target exposed interfaces.

Access to organizational data and resources could be exposed inadvertently to other subscribers through a configuration or software error. An attacker could also pose as a subscriber to exploit vulnerabilities from within the cloud environment to gain unauthorized access. Botnets have also been used to launch denial of service attacks against cloud infrastructure providers.

Having to share an infrastructure with unknown outside parties can be a major drawback for some applications, and requires a high level of assurance for the strength of the security mechanisms used for logical separation.

Ultimately to make the whole idea workable, users must trust in the long-term stability of the cloud provider and must trust the cloud provider to be fair in terms of pricing and other contractual matters. Because the cloud provider controls the data to some extent in many implementations, particularly SaaS, it can exert leverage over customers if it chooses to do so.

As with any new technology, these issues must be addressed. But if the correct service model (IaaS, PaaS, or SaaS) and the right provider are selected, the payback can far outweigh the risks and challenges. The cloud’s implementation speed and ability to scale up or down quickly means businesses can react much faster to changing requirements.

The cloud is creating a revolution in SCADA system architecture because it provides very high redundancy, virtually unlimited data storage, and worldwide data access—all at very low cost.


Remote SCADA with Local HMI Look and Feel
Vipond Controls in Calgary provides control system and SCADA solutions to the oil and gas industry, including Bellatrix Exploration. To keep up with customer demand for faster remote data access, Vipond developed iSCADA as a service to deliver a high-performance SCADA experience for each client.

One of the greatest challenges in developing iSCADA was the state of the Internet itself as protocols and web browsers weren’t designed for real-time data and control. Common complaints of previous Internet-based SCADA system users included having to submit then wait, or pressing update or refresh buttons to show new data.

Many systems relied only on web-based technologies to deliver real-time data. Because the HTTP protocol was never designed for real-time control, these systems were always lacking and frustrating to use whenever an operator wanted to change a setpoint or view a process trend.

Users were asking for an Internet-based SCADA system with a local HMI look and feel, and that became the goal of Vipond Controls. This goal was reached with iSCADA as a service by giving each customer an individual virtual machine within Vipond’s server cloud.

All data is now kept safe and independent of other machines running in the cloud. A hypervisor allows multiple operating systems or guests to run concurrently on a host computer, and to manage the execution of the guest operating systems. The hypervisors are highly available and portable, so in the event of a server failure, the virtual machine can be restarted on another hypervisor within minutes.

All the SCADA software runs within the virtual machine, and users are offered a high degree of personal customization. Customers can connect directly to on-site controllers, and Vipond can also make changes to controllers and troubleshoot process problems.

This cloud-based SCADA solution can reduce end-user costs up to 90% over a traditional SCADA system, thanks to the provision of a third-party managed service and the reduction of investment required for IT and SCADA integration, development, hardware, and software.


A handy compilation of expert cybersecurity resources!

01/08/2013

“…the latest cybersecurity strategies, recommendations and tools that can immediately be applied to protect your industrial control systems and process control networks.”

A complete list of inclusions in the Cybersecurity Tech Pack.

Technical papers
Cyber Security Implications of SIS Integration with Control Networks
Practical Nuclear Cyber Security
Establishing an Effective Plant Cybersecurity Program
LOGIIC Benchmarking Process Control Security Standards
Stronger than Firewalls: Strong Cyber-Security Protects the Safety of Industrial Sites
Integrated Perimeter and Critical Infrastructure Protection with Persistent Awareness
Applying ISA/IEC 62443 to Control Systems
Establishing an Effective Plant Cybersecurity Program
Getting Data from a Control System to the Masses While Maintaining Cybersecurity–The Case for “Data Diodes”
Reconciling Compliance and Operation with Real Cyber Security in Nuclear Power Plants
Wastewater Plant Process Protection—Process Hazard Analysis
Water/Wastewater Plant Process Protection: A different approach to SCADA cyber security
Using Cyber Security Evaluation Tool (CSET) for a Wastewater Treatment Plant
Improving Water and Wastewater SCADA Cyber Security
An Overview of ISA-99 & Cyber Security for the Water or Wastewater Specialist

Technical books
Industrial Automation and Control Systems Security Principles by Ronald L. Krutz
Industrial Network Security, Second Edition by David J. Teumim

InTech magazine articles
“ISA Fully Engaged in Cybersecurity”
“Leveraging DoD wireless security standards for automation and control”
“13 ways through a firewall: What you don’t know can hurt you”
“Defense in Depth”
“Executive Corner: What’s on YOUR mind?”
“The Final Say: Securing industrial control systems”
“Uninterruptible power supplies and cybersecurity”
“Physical Security 101: Evolving ‘defense in depth’”
“Web Exclusive: Control network secure connectivity simplified”
“The Final Say: Network security in the Automation world”
“Executive Corner: Defense in depth: It’s more than just the technology”
“Web Exclusive: Stuxnet: Cybersecurity Trojan horse”

To help manufacturers and plant and facility operators improve their cybersecurity defenses and better confront the growing dangers of cyberwarfare, the International Society of Automation (ISA) has produced the ISA Cybersecurity Tech Pack.

“The ISA Cybersecurity Tech Pack is an assembly of the latest technical papers, PowerPoint presentations, technical books and InTech articles developed by some of the world’s leading experts in cybersecurity and industrial automation and control systems security,” says Susan Colwell, manager of publications development at ISA. “These materials—which can be downloaded from the ISA website—include the latest cybersecurity strategies, recommendations and tools that can immediately be applied to protect your industrial control systems and process control networks.”

As a widely recognized, world leader in cybersecurity standards development, training and educational resources, ISA provides the proven technical expertise and know-how to help safeguard industrial automation and control systems.

For instance, the ANSI/ISA99 (IEC 62443), Industrial Automation and Control Systems Security standards—developed by a cross-section of international cybersecurity subject-matter experts from industry, government and academia—represent a comprehensive approach to cybersecurity in all industry sectors. ISA and its sister organization, the Automation Federation, are currently assisting the Obama administration and US federal agency officials to develop the initial version of a national cybersecurity framework—as called for by President Obama in February of this year.

The ISA Cybersecurity Tech Pack also includes two cybersecurity-focused ISA books: the popular Industrial Network Security by David J. Teumim; and the recently introduced Industrial Automation and Control Systems Security Principles by Ronald L. Krutz, Ph.D. As an added bonus, the compilation includes many highly relevant and informative cybersecurity articles published in InTech magazine, ISA’s bi-monthly magazine for automation and control professionals.

• See also our ICS & SCADA Security page


Your plan for better cyber security!

17/02/2012

Since that early Monday morning in July 2010 when we had that e-mail from Eric Byres, foreshadowed in a tweet from Gary Mintchell slightly earlier, we have tried to follow the “fortunes” of this malware, this Security threat to the control system world (July 2010)! We have written a few blogs and have listed as many links to stories on Stuxnet in particular in our Abominable security commitment! #Stuxnet (August 2011) when Eric expressed his alarm at the way in which Siemens in particular, but indeed not uniquely, appeared to be treating this problem.

Indeed the past two years may be said to have been a real wakeup call for the industrial automation industry, both users and vendors. For the first time ever it has been the target of sophisticated cyber attacks like Stuxnet, Night Dragon and Duqu. As we said, we have endeavoured to follow the various updates on this story and Byres Security have been well in the forefront in the battle to get this “little varmint!”

In addition to the actual attacks, an unprecedented number of security vulnerabilities have been exposed in industrial control products. In response regulatory agencies are demanding compliance to complex and confusing regulations. Cyber security has quickly become a serious issue for professionals in the process and critical infrastructure industries.

If you are a process control engineer, an IT professional in a company with an automation division, or a business manager responsible for safety or security, you may be wondering how your organisation can get moving on more robust cyber security practices.

In order to provide you with guidance in this area, Byres have condensed material from numerous industry standards and best practice documents. They also combined their experience in assessing the security of dozens of industrial control systems.

The Paper & The Authors

7 Steps to ICS and SCADA Security 

Two industry veterans, Eric Byres and John Cusimano, combine industry standards, best practice materials, and their real-world experience to provide an easy-to-follow 7-step process for improved ICS and SCADA security.

Eric Byres, P. Eng., ISA Fellow, CTO and VP Engineering, Tofino Security, Belden Inc.
John Cusimano, CISSP, CFSE, Director of Security, exida Consulting LLC

The result is an easy-to-follow 7-step process. The steps are outlined below and covered in more detail in a white paper they have just published, 7 Steps to ICS and SCADA Security by Eric Byres (Byres Security) & John Cusimano (Exida Consulting). Downloading the paper requires registration but it is free to do so.

The 7 Steps

Step 1 – Assess Existing Systems
Your first step is to do a risk assessment to quantify and rank the risks that pose a danger to your business. This is necessary so you know how to prioritize your security dollars and efforts. Far too often we see the assessment step skipped and companies throw money into a solution for a minor risk, leaving far more serious risks unaddressed.

While risk assessment might seem daunting, it can be manageable if you adopt a simple, lightweight methodology. The white paper provides an example, as well as tips on how to do this.

Step 2 – Document Policies and Procedures
Byres Security highly recommend that organisations develop ICS-specific documents describing company policy, standards and procedures around control system security. These documents should refer back to corporate IT security documents. In their experience, separate ICS security documents greatly benefit those responsible for ICS security, helping them clearly understand their security-related expectations and responsibilities.

You should also become familiar with applicable security regulations and standards for your industry.

Step 3 – Train Personnel & Contractors
Once policies and procedures have been documented, you need to make sure that your staff is aware of them and is following them. An awareness program should be carried out, with the support of senior management, for all applicable employees. Then, a training program should be conducted. A role-based training program for control systems security is highly recommended, and Byres provide an example of one in the white paper.

Step 4 – Segment the Control System Network
Network segmentation is the most important tactical step you can take to improve the security of your industrial automation system. Eric Byres wrote about this in the article “…No More Flat Networks Please…” (Nov 2010). The white paper explains the concepts of “zones” and “conduits” and provides a high level network diagram showing them.

Step 5 – Control Access to the System
Once you’ve partitioned your system into security zones, the next step is to control access to the assets within those zones. It is important to provide both physical and logical access controls.

Typical physical access controls are fences, locked doors, and locked equipment cabinets. The goal is to limit physical access to critical ICS assets to only those who require it to perform their job.

The same concepts apply to logical access control, including the concept of multiple levels of control and authentication. Once authenticated, users can be authorised to perform certain functions.

Step 6 – Harden the Components
Hardening the components of the system means locking down the functionality of the various components in your system to prevent unauthorised access or changes, remove unnecessary functions or features, and patch any known vulnerabilities.

This is especially important in modern control systems which utilize extensive commercial off-the-shelf technology. In such systems, it is critical to disable unused functions and to ensure that configurable options are set to their most secure settings.

Step 7 – Monitor & Maintain System Security
As an owner or operator of an industrial control system, you must remain vigilant by monitoring and maintaining security throughout the lifecycle of your system. This involves activities such as updating antivirus signatures and installing security patches on Windows servers. It also involves monitoring your system for suspicious activity.

It is important to periodically test and assess your system. Assessments involve periodic audits to verify the system is still configured for optimal security as well as updating security controls to the latest standards and best practices.
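
As an added illustration (not taken from the white paper, Byres Security or exida), the zones and conduits of Steps 4 and 5 can be written down as data and used for the monitoring in Step 7: any traffic that crosses a zone boundary without a defined conduit is flagged for review. The zone names, subnets, ports and flow records below are all constructed for the example.

```python
import ipaddress

# Constructed zone map (assumption): subnets grouped into security zones.
ZONES = {
    "enterprise": ["10.10.0.0/16"],
    "dmz":        ["10.20.0.0/24"],
    "control":    ["10.30.1.0/24"],
    "safety":     ["10.30.2.0/24"],
}

# Constructed conduits (assumption): the only permitted inter-zone paths,
# as (source zone, destination zone, protocol, destination port).
# Conduits are directional here; a reverse path needs its own entry.
CONDUITS = {
    ("enterprise", "dmz", "tcp", 443),
    ("dmz", "control", "tcp", 1433),
    ("control", "safety", "tcp", 502),
}

# Constructed flow records: (source IP, destination IP, protocol, dest port).
SAMPLE_FLOWS = [
    ("10.10.5.20", "10.20.0.8", "tcp", 443),    # enterprise -> dmz
    ("10.30.1.15", "10.30.1.40", "tcp", 502),   # inside the control zone
    ("10.10.5.20", "10.30.1.15", "tcp", 502),   # enterprise straight to control
    ("192.168.7.9", "10.30.2.4", "tcp", 102),   # source not in any zone
    ("10.30.1.15", "10.30.2.4", "tcp", 502),    # control -> safety
    ("10.30.2.4", "10.30.1.15", "tcp", 502),    # safety -> control (reverse)
]


def zone_of(ip):
    """Return the zone an address belongs to, or None if it is unassigned."""
    addr = ipaddress.ip_address(ip)
    for zone, subnets in ZONES.items():
        if any(addr in ipaddress.ip_network(net) for net in subnets):
            return zone
    return None


def classify(flow):
    """Label one flow: intra-zone, conduit, violation or unzoned."""
    src, dst, proto, dport = flow
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "unzoned"        # an asset missing from the zone inventory
    if src_zone == dst_zone:
        return "intra-zone"     # never crosses a zone boundary
    if (src_zone, dst_zone, proto, dport) in CONDUITS:
        return "conduit"        # crosses a boundary over a defined conduit
    return "violation"          # crosses a boundary with no conduit for it


def audit(flows):
    """Return (flow, verdict) for every flow that needs review."""
    verdicts = ((flow, classify(flow)) for flow in flows)
    return [(f, v) for f, v in verdicts if v in ("violation", "unzoned")]


if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(verdict, flow)
```

An "unzoned" result is as useful as a "violation": it points to a device that the Step 1 assessment never placed in a zone.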

Not a One-Time Project
Now the bad news – effective ICS and SCADA security is not a one-time project. Rather it is an ongoing, iterative process. You will need to repeat the 7 steps and update materials and measures as systems, people, business objectives and threats change.

Your hard work will be rewarded with the knowledge that your operation has maximum protection against disruption, safety incidents and business losses from modern cyber security threats.

• Download the White Paper in pdf format – 7 Steps to ICS and SCADA Security!


#SPS 2012: Successful if not quite hitting secure note!

01/12/2011

“Arriving at #SPS/IPC/DRIVES. Looking forward to a great show”

Busy entrance area! (IE Book)

This was one of the first tweets we saw on this, possibly the biggest automation exhibition in the world this year. The SPS/IPC/Drives show is held annually in the Northern Bavarian city of Nuremberg. This year the dates were the 27 to 29th of November. As last year, we were unable to make it this time; however, there were some excellent reports which we have used (and linked to) in compiling this brief impression.

As might be expected the automation industry presented its capabilities in full force at the exhibition. There was a record number of 1,429 exhibitors which attracted more visitors than in the past, as 56,321 trade visitors filled the 12 halls to gather information about the latest products and solutions in electric automation. Well may it be said that SPS IPC Drives 2011 set a clearly positive sign for the future despite the gale-force winds blowing in financial circles for the last three years.

The conference which took place in parallel to the exhibition also recorded an increase this year with an attendance of 349 delegates. For three days the conference provided a platform for intensive discussions between product developers, suppliers and users. The opportunities for users to exchange information and knowledge were at the heart of the newly introduced user sessions.

Attendance: 2011 (2010)
Exhibitors: 1,429 (1,323)
Visitors: 56,321 (52,028)
Conference delegates: 349 (302)

Like a lot of European events there was not a small number of tweets from various sources and in various languages, but those that did tweet helped form an impression of how things were. One of the most prolific of these was Leo Ploner of the IE Book who gave us a sort of running commentary on his day interspersed with twitpics of stands and products which impressed him. This comprehensive collection of pictures has been added to the IE Book Facebook Page and we recommend that you pay a visit and see who you know and what products impressed him. “#SPS/IPC/Drives very busy on the first day of the show. Big crowds at all the stand” he reported after day one.

Put on those cans!
Also present on the first day was Control’s Walt Boyes, who gave up his Thanksgiving to be in Europe for the show. This is an interesting account in that it gives an American take on how things are done in Europe, simultaneous translations and the non-English keyboards (Now he knows how Europeans might feel in the U.S!)

Gary Mintchel of Automation World also found himself in Nuremberg during this week. His blog, Feed Forward, provides us with “a roundup of various announcements that I gathered during my sprint around the halls and press conferences.” He managed to squeeze in a visit to the Siemens plant in Amberg on the day before the show opened!

The Control Engineering Europe team attended the show in force, collecting a great deal of feature ideas, as well as details about some of the most innovative launches at the show. They promise that further details of the most exciting product launches from the event will be presented in the February issue of the magazine.

ARC Reports
ARC Advisory also discuss day one in an article by Florian Gueldner which looks at the Automation Outlook for 2012. He bases this report on that of the ZVEI, as well as companies interviewed at the event. Their David Humphrey reports on The big trends in a further report on day two.

A busy corner at the show!

Come hither!
Of course exhibitors tweeted on their own stands and new products. Heading the posse was Siemens, who were on their home ground and virtually occupied one complete hall (There were twelve halls in all!). They mounted an impressive press conference on the first day. Their “big” announcement was the naming of their full motor range, now called “Simotics”. They also introduced some extensions to their TIA (Totally Integrated Automation) portal. Jochun Koch’s blog features some video presentations with English voice-over – Automation and IT (their Scalance range) – take a look and remember to click for the English translation if needed!

Phoenix Contact have a video tour of their stand – as it was being set up – which they entitle “Solutions for the future – Phoenix Contact.” There are in fact a number of other videos from Phoenix Contact on their YouTube site. Their final tweet from the show as they rolled up the tent was, “What innovation! More than 3,000 visitors @ Phoenix Contact.”

The Pilz Stand!

Also using video to press their message is Beckhoff who have produced reports for each day. This is Day One.  They exhibited their complete range of PC- and EtherCAT-based control technology and a large number of new products in all technological areas (IPC, I/O, Automation and Motion). The focus was on their new generation of controllers from the CX2000 series, the new proprietary-developed AM8000 servomotors and the release of the TwinCAT 3 software.

News of PROFINET and PROFIBUS at SPS/IPC/Drives is trickling out, said Carl Henning of his ProfiBlog reports.

Suzanne Gill of Control Engineering Europe reports here on some of the latest innovations that were introduced, which evidenced consumer technology moving into the industrial space and multi product combinations continuing to gain momentum.

We give some more releases from exhibitors on our Conf/Exhibitors pages.

Eric & Joann Byres at the show!

No security!
Another American braving the Bavarian winter was Eric Byres of Byres Technology, recently acquired by Belden (see our article Major acquisition strengthens war on Stuxnet and other malware, Sept 20 ’11). It is, I suppose, unusual that a supplier reports on an exhibition, so his viewpoint is welcome. Obviously he has a certain slant on things, viewing the exhibits from the security standpoint. He advises that SCADA Security Solutions were scarce at the show. “What concerned me was the lack of booth space dedicated to security of any type. Of the 1,429 exhibitors, only 16 reported supplying ‘Industrial security’ technologies or services according to the show guide. This is a hopelessly small number.” He was proud to report however that their “Tofino Security technology accounted for nearly 25% of that total!” More alarmingly he reports that many vendors stated that security wasn’t a concern for them, while users were very concerned and indeed did not quite know what to do about it! Not a pretty picture! He concludes “If the automation world is going to adopt industrial Ethernet with such enthusiasm (which I support), it might want to consider securing it too!”

We referred to the excellent tweeting by Leo Ploner of the IE Book earlier and his very comprehensive report Industrial networking still looking good tells in great detail what he saw as he moved through the halls. We’ve referred to their pictures above and here is a video which he took of an exhibit at the Sercos Stand.

Re-inventing the electric guitar

Equipped with an MLP industrial control from Bosch Rexroth, the robot guitar can read and play MIDI files. Bus terminals from Phoenix Contact are used to actuate lifting solenoids. Six to pluck the strings and 24 to operate the finger board. The automation bus from Sercos ensures the optimum operation of all components.

One final tweet from KUHNKE Automation sums up one impression “SPS/IPC/DRIVES was a complete success for us! Thank you for coming and the great constructive high-level talks!”

Next year’s automation filled show is scheduled for Nov. 27 – 29, 2012. Will you be there?


 Releases received at the Read-out Offices!

#SPS11: Cybersecurity, certification, safety & other highlights from Wind River – Wind River made several exciting announcements at this year’s faire. On day one of the event, they announced a strategic partnership with ISaGRAF, headquartered in Canada and part of the Rockwell Automation Company, a global leading automation software partner. Together, Wind …

#SPS11 Test drive industry’s first virtual target for software development on SoC FPGAs – Altera Corporation demonstrated its latest industrial embedded solutions for energy-efficient and safety-integrated drive systems. They highlighted how its Cyclone® series of FPGAs enables integrated, high-performance industrial systems such as drive systems with a high-performance control loop in floating point. Visitors …

#SPS11: Industrial Networking and Motor Control Systems from Xilinx – New capabilities for boosting design productivity and using Spartan-6 FPGAs for better system performance and lower bill-of-materials Xilinx announced new Ethernet protocol support and motor control building blocks for its Industrial Targeted Design Platforms, including new EtherCAT, Ethernet POWERLINK, PROFINET …

#SPS11: Hydrostatic actuation design concept from Moog – Reliable hybrid technology used in a new energy-saving solution for a variety of industrial applications Moog Industrial Group featured a prototype for a new Electro Hydrostatic Actuator (EHA). Combining hydraulic and electric technology in a self-contained system, Moog’s innovative EHA …

#SPS11: Minicarrier board! – congatec AG presented the conga-QMCB, a new mini carrier baseboard for space-critical applications based on the Qseven standard. The baseboard is ideal for fast prototype design and compact, mobile applications. Measuring just 145×95 mm, the easy-to-integrate mini carrier board is …

#SPS11: TE Connectivity solutions – TE Connectivity showcases its Hybrid Connectivity Solutions Both the Power4Net and the Motorman hybrid connectors integrate several functions into a single compactly designed connector. The flexible Power4Net hybrid connector has space for up to eight power and four Ethernet contacts …

#SPS11: Siemens extends TIA and unveils Simotics as full motor range – Siemens showcased the latest extension to its TIA (Totally Integrated Automation) Portal and unveiled the new name of its full motor range which will be called “Simotics” from now on. In advancing its automation and drives portfolio, Siemens is placing …

#SPS11 Dynamic reporting in process or energy management – COPA-DATA is to present their zenon Analyzer to the public for the first time COPA-DATA will present its new product for dynamic reporting, the zenon Analyzer, for the first time at the SPS/IPC/DRIVES 2011 trade fair. The software is designed …

#SPS11 Green automation initiative – Industrial communication technology facilitates plant-wide energy management within automation systems. HMS Industrial Networks presented a number of solutions targeting energy management in automation systems. Recent research from the AIDA group of German automobile manufacturers (Audi, BMW, Daimler, Porsche, VW) and …


SCADA, ICS and HMI vulnerabilities

29/03/2011

Last week an Italian researcher, Luigi Auriemma, published thirty-four SCADA product vulnerabilities against four SCADA products. “Selling the concept of security for SCADA and ICS might still be struggling, but publishing vulnerabilities for SCADA and ICS equipment seems to be a growth industry,” according to Eric Byres of Byres Security on their blog The Italian job!, on 23rd March 2011.

Last Friday Joel Langill, CSO of SCADAhacker.com, blogged on Protecting your ICONICS GENESIS SCADA HMI System from Security Vulnerabilities as they published a white paper providing six actions (also known as compensating controls) that users of ICONICS GENESIS products should take to protect their systems. Operators of other HMI products were advised to consider similar measures.

This morning Byres and Langill have released another White Paper, Analysis of the 7-Technologies IGSS Security Vulnerabilities for Industrial Control System Professionals, that may be important in protecting Industrial Control and SCADA Systems.

This paper analyses the vulnerabilities of the 7-Technologies IGSS SCADA/HMI system published by Auriemma. Moreover, they state that even if readers do not have this vendor’s products, it may be helpful to review the six Compensating Controls recommended, and apply the ones that are relevant for their systems. They say: “Initial analysis seems to indicate that these vulnerabilities only affect IGSS Versions 8 and 9. This is due primarily to the fact that these vulnerabilities focus on a single IGSSdataServer application that is not believed to have existed in prior versions of the software. Until the vendor has posted an official response to these vulnerabilities, increased security diligence should be used based on the recommendations provided in this document.”

Due to the sensitive nature of this white paper, Analysis of the 7-Technologies IGSS Security Vulnerabilities for Industrial Control System Professionals, you must be logged in to the tofino.com site to access it.

See also: SCADA Vulnerabilities for 7-Technologies on the ISS Source website.


Growth of the European HMI Market

28/01/2011

Frost and Sullivan appear very active these past few days as far as the automation sector is concerned. A few days ago they came out with the Top Ten Energy Trends which included, amongst others, the observation that most energy producers are seeking to “improve their measurement and monitoring network structure by implementing smart technologies.”

Now in a new paper they examine the HMI market in Europe and the opportunities and challenges that it presents, and will present, to industry.

Factors such as the need for technically enhanced human machine interface (HMI) in Europe and the availability of growth opportunities in price-sensitive markets such as Eastern Europe will intensify the competition among vendors in the HMI market. Although the financial crisis affected most end-user sectors across the world, the demand for HMI has been sustained through government-aided stimulus packages in key end-user segments. Steady market expansion will derive from end users looking beyond conventional HMI functionalities to more advanced technical features.

Their study, Strategic Analysis of the European Human Machine Interface Market, finds that the market earned revenues of $541.9 million in 2009 and estimates this to reach $819.7 million in 2016. The study covers discrete and process industries.

The increasing importance of sophisticated and high-definition displays will support market prospects. The visualisation factor, which communicates the system parameters and displays the execution of the process on a screen, is highly valued by shop floor operators.

“The need for newer and more sophisticated displays is gaining importance,” notes Industry Analyst Sivakumar Narayanaswamy. “The ability of an HMI to fulfill this demand is continuing to drive the growth of the HMI market.”

Increased government spending on infrastructure, including power and water, is also strengthening the market’s growth potential. As an effect of the recession of 2008-2009, governments of developed economies have been aiding investments in infrastructure development, primarily in the power segment and for smart grid projects. This has resulted in a boom in the utilities segment, especially in the use of HMI applications.

A main challenge relates to the fact that end users are looking beyond the conventional functionality of HMI. Currently, customers are not satisfied with the usual features of data monitoring offered by HMI. They want the system to be more intelligent and intuitive.

“Software is the key to intelligent HMI solutions,” states Narayanaswamy.

Additionally, the advent of HMI integrated with video capabilities will enable proactive diagnostics in the event of a fault. HMI vendors need to focus on such intuitive trends to meet customer requirements.