I just ran into this article dated May of last year. Simone Massaro of Iconics describes the direction that they went with OPC UA development. It's a bit technical, but a good read.
I stumbled across this article that, quite honestly, at first pissed me off. After a little reflection, I can only laugh. It reminds me of someone trying too hard to sell those $150, short gold plated digital Monster audio cables - Oxygen free or whatever. (If the engineer inside you doesn't laugh, then cry for the sake of the suckers, read on).
Swiss Army knife with a spork, usb memory stick, and a wine glass. Now they're caught with their pants down, desperately scrambling to recovery their enourmous sunk costs (my favorite business term).
I probably sound like a broken record by now, but SCADA security is not going anywhere. This applies to almost anything electronic that is connected to a network.
Wurldtech Security Technologies has committed to apply their Achilles testing technology and certification methodology to Matrikon's OPC products. Successful completion will place the Matrikon OPC Tunneller and servers at the top of my recommendation list. This is a big plus for the world of SCADA security! Now, if only we could do something about our legacy systems...
I stumbled upon the "Risks Digest - Forum On Risks To The Public In Computers And Related Systems" from another blog post. Some of the stories certainly made me laugh - I spent way too much time there!
I had an interesting poolside conversation with "Jeff" at a resort in Bali. He works for Juniper networks, setting up core networks for huge accounts overseas. He told me of the $400 million project in Malaysia that will go on for the next 3 years, and about his project in Brazil. He said that he's gotten used to the long flight back that he takes monthly, but hey, how bad could business class be? More importantly he mentioned that Cisco's IOS is outdated - that engineers left there after being turned away with (then) cutting edge ideas of using ASICS (specialized integrated circuits as opposed to generalized processors) in routers. They maintain a monsterous market share and provide lots of enterprise services (like voice and conferencing over IP). It was weird to hear him refer to enterprise accounts as the small ones (compared to major telecoms and infastructure).
I literally visited Inductive Automation the day before Gary Mintchell did. I didn't get the opportunity to meet him, but I did get a glimpse of his insight. He quoted the company as a "database company" - as a foundation, which is an insightful perspective.
In the spirit of catching up with my backlogged blogging (recent personal Japan trip from January), I'll post about a few topics that I missed.
New standards are a funny thing - everyone knows they're coming, everyone knows they'll benefit from them, but you're not ready to commit until the next guy has. Kudos to Inductive Automation for getting the ball rolling. Kudos to Kepware and Iconics for the same. Siemens has comitted to an entire product line! Wonderware's been talking the talk, as has Rockwell (both in 2006). Here's to them coding away in their secret labs! Don't believe me - here's a video of how great and mature OPC UA really is, complements of Eric Murphy of Matrikon! It's a riot - I promise :)!
I hadn't expected to be blown away by Inductive Automation's Using Open Standards, web-based modern SCADA technology to manage your water operations webinar, but the collection of speakers and content was phonomenial!
I just got back from a Las Vegas weekend trip. The poker gods were good on the cheapest ($1/2) tables Bellagio had to offer. My hourly return wasn't impressive, but I had a great time chatting with a variety of gamblers.A perspective worth reading - http://www.wurldtech.com/blog/?p=119
And another - Walt, I don't agree with every detail, but the message is spot on!
Google just released a Beta version of their browser - Chrome. Never thought I'd drop Firefox so quickly. First day and it seems killer.
Wonderware selects Kepware as endorsed partner for expanding device communications offerings. They're offering a branded version of KepServer Ex as "Kepware for Wonderware".Rockwell did it, why not Wonderware. I'm a fan of collaboration and standardization. Sounds good to me.
http://www.pandct.com/media/shownews.asp?ID=18531
Su-weet! You know what this means!? FactoryPMI on an iPhone or iTouch. What a cool idea! Unfortunately, they're currently only developing the ME (Micro Edition), which may only contain a subset of the necessary JVM. 
Couldn't believe that I followed the link on a forum post. This video equitably knocks everyone, and it's damned funny.
WebDock has been running a highly capable Linux version (60k transactions/min) in a plant since 2000. It works with Allen Bradley Ethernet PLC 5s and SLCs. I haven't had a chance to try it, so I'd appreciate, and will update this post with, feedback. Be warned, of course, that you get no promises, support, etc. That said, awesome! Maybe someone will put the project on Slashdot and get it moving!
From Toms Hardware News. Pretty self explanatory.
Industrial software users always seem to dependent on old operating systems. Browse the PLC forums and you'll quickly realize everyone's asking about XP and complaining about Vista. This article provides good info on the Major PC vendor's stances on shipping machines pre-installed with XP.
Sign up for a free, vendor-neutral webinar on the Top 20 OPC questions for integrators and end users presented by representatives from: Kepware, Software Toolbox, and the OPC Training Institute.
Join the session to get insight into some of the following issues:
- When should I consider using an OPC Tunneling product?
- Can OPC UA (Unified Architecture) be used on non-Windows Operating Systems?
- What are the security holes when working with OPC?
- Why can I not see OPC Servers when ‘browsing’?
- How many OPC servers can I install on a single PC?
- What is OpcEnum and why do I need it?
- My OPC application cannot connect to an OPC server. Why?
- In light of the OPC UA (Unified Architecture) specification, should I avoid OPC servers based on the DA (Data Access) specification?
- Can I run an OPC Server as a Windows service and what would be the benefits?
- Why do I get DCOM error 0x80040202 when my OPC application fails to receive a callback from an OPC server?
- What is the difference between synchronous and asynchronous reads?
- What ports does DCOM use?
- What is the OPC Interoperability session?
- What is the OPC Subscription feature and when would I use it?
- Why can I not ‘browse’ an OPC Server?
- Where does OPC get its timestamp from?
- How do I know when my OPC Server has lost its connection with the PLC?
- How fast can an OPC Server transfer values?
- Will OPC work across a firewall?
- What is OPC self certification?
It's interesting to see the shift from nobody knowing what SCADA is to the emphasis of security in the space. IT Blogger Matt Hines comments on SCADA vulnerabilities and tips on keep SCADA systems safe. It's pretty obvious that he has no industrial/controls experience, but his tips and points are sound. These systems are no longer proprietary and often touch public networks. It's time we apply the standard security practices used by corporations and the military to defend our assets from cyber-crime. Chances are if you're reading this blog you have a good idea of the disconnect here.
Web based, web launched, AJAX, Java, OPC UA - these terms are commonly thrown around along with HMI, SCADA, and even DCS these days. What's the big deal? More importantly, what's the point and what does it mean for you? The common thread is ubiquity. Yes, I'll say it again, ubiquity. I don't know why there's not a more common word with the same meaning - to be, or appear to be, everywhere at once. It's the perfect word to describe the Internet. So when somebody says, "Web based", think, "That means I can access it anywhere". That means it's firewall and VPN friendly. Nobody said anything about web browsers, static HTML, http, or the likes! Web applications, particularly Java and Macromedia Flash, run and feel just like local applications. They support multimedia, run constantly, and can initiate and receive updates without "refreshing". They're locally running programs with the huge benefit of not requiring a traditional "installation" process!
Hoff's one smart dude when it comes to computer and network security - truly top notch. The context of this commentary was his field, but it's scary how spot on he is with respect to Industrial Automation software - particularly the early stages of FactorySQL and FactoryPMI. Sigh...Ah, the innovator's dilemma...
If you have a product that well and truly does X, Y and Z, where X is a feature that conforms and fits into a defined category but Y and Z -- while truly differentiating and powerful -- do not, you're forced to focus on, develop around and hype X, label your product as being X, and not invest as much in Y and Z.
If you miss the market timing and can't afford to schmooze effectively and don't look forward enough with a business model that allows for flexibility, you may make the world's best X, but when X commoditizes and Y and Z are now the hottest "new" square, chances are you won't matter anymore, even if you've had it for years.
The product managers, marketing directors and salesfolk are forced to fit a product within an analyst's arbitrary product definition or risk not getting traction, miss competitive analysis/comparisons or even get funding; ever try to convince a VC that they should fund you when you're the "only one" in the space and there's no analyst recognition of a "market?"
Yech.
A vendor's excellent solution can simply wither and die on the vine in a battle of market definition attrition because the vendor is forced to conform and neuter a product in order to make a buck and can't actually differentiate or focus on the things that truly make it a better solution.
Who wins here?
Not the vendors. Not the customers. The analysts do.
The vendor pays them a shitload of kowtowing and money for the privilege to show up in a box so they get recognized -- and not necessarily for the things that truly matter -- until the same analyst changes his/her mind and recognizes that perhaps Y and Z are "real" or creates category W, and the vicious cycle starts anew.
So while you're a vendor struggling to make a great solution or a customer trying to solve real business problems, who watches the watchers?
/Hoff
Walt reports on Opto22 utilizing web videos "optovideos" and other web technology user education.
Pretty cool article about using superconductors for commercial power. In a nutshell, superconductors are materials that have a zero electrical resistance below a threshold temperature. These particular "warm" cables have to be maintained between 65-75 K, which is still pretty cold. Electrical current can flow indefinately without a power source meaning that you don't "lose" any power during transmission (i squared r loss). From a practical perspective in the energy industry, this technology allows great amounts of power to be transferred over physically small lines. Also beneficial for safety, is the fact that superconducting properties are quickly lost during "fault circuits" - reminds me of built in nuclear reactor safety mechanisms where the system can't function when it goes to a certain range out of spec.
This Top Ten Worst Uses for Windows article is an interesting read. It shows the general outlook on control software that you're going to get from IT geeks - and a part of me totally agrees. I think that the author, while experienced in computer security, has absolutely no idea what he's talking about with the majority of his ten topics. It's about like waking up one morning and going to Asia, then reporting on how odd it is that everyone uses chopsticks. How dare they when metals exist - diners should simply cast a fork.
Is this going to be a problem for anyone? LOL
Google recently released their proprietary storage format, Protocol Buffers, to the Open Source Community. It's a platform independent format to serialize (programmatically store/encode) data and objects. The big advantage is that it is fast and tight - at least an order of magnitude over XML (Extensible Markup Language), which often seems to be touted as the magic bullet. The truth is that, like everything else, there are strengths and weaknesses to each - it really depends on your application. Need to be human readable - go XML. Don't know who you'll be talking to on the distant end - XML. But if you want to use a small, fast format for large data transfers, Protocol Buffers may be for you!
Wonderware hired another 200 employees this year for a total of around 500. I'm no expert, but this still seems "small" for a software company and big for "nitch" software. They're developing and marketing toward specific industries and growing worldwide. They're fighting for legitimacy in the "Enterprise", even while companies like their "partner" SAP tries to compete directly, and powering the olympics. They even recently started selling Panelview style hardware to run Intouch 10 on. Great job from the leading SCADA company.
Lots more OPC UA buzz - looks like it'll be really materializing soon - hopefully later this year. I personally can't wait! Remember, Iconics and Kepware already pledged to bring an end to end UA solution soon.
What a great day - another SCADA security vulnerability uncovered! I don't want to see any industrial software fail, but I know the nitch products were written in a vacuum without security in mind. HMI packages are buggy and susceptible to attack - particularly the older ones still in use! We need to get over it, confront the issue, and fix it! Hopefully vendors have the integrity to self-test and release patches on their own, but this won't solve the problem. A developer simply can't find all of his own bugs in a test environment. The more computer security research groups start looking into these "little" but significant applications the better.
Tuesday, 17JUN is Download Day (FireFox 3 if you havn't been paying attention)! Check out a graphical world pledge map here.
Press release from Matrikon and Rockwell Automation submitted to automation.com.
Software updates - What a sticky topic! Do you pay? Are they free? How frequently should you install them? Should they be installed automatically? In some cases you find yourself vulnerable to exploits by not upgrading. In this case, you might "brick" your home router. Yes, we're talking about Windows XP Service Pack 3. Changes to the network stack manage to send Billion "BiPAC 5200-series routers to go into a constant crash and reboot cycle".
An AutomatedBuildings.com interview with Tom Burke of the OPC Foundation and Sean Leonard of Matrikon.
Mozilla aims to set a one day world Download record with the official release of Firefox 3. The date isn't set, but you can sign up to pledge to download it on day one here. I for one, love Firefox and have been running the beta for some time now.
Core Security released an advisory on a Denial of Service attack where an unauthenticated user can take down a Wonderware system running Suitelink with a malformed packet. This was first brought to Wonderware's attention at the end of January. They acknowledged the bug by late March and provided a fix by late April. The advisory published in June.
Is it just me? A lot of people talk the talk about how important stability is with industrial control software. But nobody really cares. Trivial bugs (by comparison) get much more press. Could you imagine if a simple program could send a packet to crash a Windows server application? The press would go nuts! By Wonderware's account, they've sold 500 thousand copies that are running in 100,000 plants worldwide in virtually every industry. These plants are not all on closed networks! Good thing terrorists don't have access to Google, like I do.
But I digress. SCADA security is a huge bomb waiting to go off. There's a little talk on the subject, but the industry fails to take it seriously. I hope we can figure things out before the next 9/11 forces government intervention - how would you like your plant to operation like an airport? I'd like to think that level of regulation is unnecessary. We should each do our part in tightening down industrial security.
Between traveling to New Zealand and Japan I've been pretty busy. I'll try to keep up with small blog posts. I've had lots of great ideas that haven't come to fruition.
Great insight on the transition and future of OPC-UA from John Weber and Nathan Pocock of Software Toolbox. I hope he's wrong about the slow death of DCOM, but I wouldn't put a wager on it!
Lately the usual PLC forums have been unusually chatty about Linux. Perhaps it's the recent Windows update that installed the new version of the .NET Frameworks 2.0, the trend toward Open Office and Star Office, or the successful home experimentation with Ubuntu and Fedora. There's also been more complaints than ever about the complicated and equally crappy DCOM basis of OPC, which gets (probably unfairly) pinned on Microsoft. The OPC Foundation gets to be the knight in shining armor with UA. General users are correctly getting the sense that configuration, specifically security, need not be complicated and that getting rid of the old also brings the freedom ditching the entire (Windows) platform.
The consensus seems to be that programming software will remain Windows based for some time. Until users put the pressure on - and they're complaining, but not applying diddly-squat, nothing will change in that area. So it's a 90% solution - control systems can be chosen on a platform independent decision, but integrators will still be running around with Windows laptops to program the PLCs. That doesn't bother me too much. First, they break the things every couple of years - about as often as Windows seems to fail. Second, there's always virtualization, which has been getting easier and cooler over time.
