Thursday, December 23, 2010
1. First, get the best "bang for your buck" - take care of your low hanging fruit. Embarrasingly, in industrial systems this means: get rid of shared accounts and no passwords, don't connect the control network to the Internet or harden your business necessary connection point, ensure that you have a working backup, check your backdoors (old modems, etc).
2. The strength of your system lies in a Defense in Depth approach, meaning taking advantage of strengths of overlapping security mechanisms. While adhering to point #1, knock out the really easy and obvious ones. There's no reason to get fancy until you have your basics covered.
3. Architect your system with security in mind. For example, if you decide to start with Windows XP SP 1, you're just asking for trouble. I get it that patching often has negative side effects with industrial/SCADA software, but you need to (minimally) begin with a baseline that isn't hugely vulnerable. Design around industry standard technologies and protocols such as OPC-UA. Don't try to roll your own security solutions!
4. Develop a security policy and train your users. It's important that management understands and accepts the level of risk that the system takes on. It's important that users know what's allowed and that consequences are serious. Require that they sign an Acceptable Use Policy (AUP). A successful security program is as much about users, policy, and procedure than equipment, applications, and configuration.
5. Establish individual accountability (auditing). Ensure that users have individual accounts and that their activity on the system is logged and periodically reviewed. I know this often doesn't happen in manufacturing, but it should.
You have far too much value in your HMI, SCADA, industrial system. Ask yourself, how much does downtime cost? How can you afford to not secure your control system?
Wednesday, December 22, 2010
Sure there are red flags - you will probably have an increased requirement for security including physical access, user accountability (auditing), and all the typical considerations. For most organizations the benefits will most likely outweigh the risk and cost. Security is a mature enough field - if the credit card companies, banks, financial institutions, and even the military can be successful with it, so can you. Apply defense in depth, implement/follow your company policy, adhere to strong practices, hire experts if you need it - nothing new here.
From my perspective, industrial computing has been following the path of commercial computing. Those same basic technologies that have become widespread in your office will usually show up on the plant floor in some form. You can trace industrial controls from relays to PLCs as opposed to vacuum tubes then transistors, but the technologies have been converging and are basically one in the same.
Perhaps a driving force of computing paradigms is the relative shift in local processing power versus the capability of the "network". How thick versus thin is the ideal environment - in other words, do we want to perform the computing locally or remotely? We've seen this shift between centralized and de-centralized SCADA systems - the balance between central administration versus local setup, scalability and performance, and dependence on the network. The models roughly share the considerations we've seen in the migration between: Mainframe, Micro, Mini, and PC.
So where are we going next? Cloud computing or even thinner clients? To me, mobile computing represents an advance in both categories. That's not to say that smart phones won't get more computationally capable - they will continue to shrink and get faster and faster. However, with the increasing reliability of infrastructure, "the network", it makes more sense to centralize your control applications. Why? In one word, ubiquity. For the same reason the web has standardized on HTML. Users will demand access from anywhere they deem appropriate, regardless of the mobile platform. Will they create a separate app for each: iPods/iPads, Blackberry, Droid, Win 7 phones, Palm PDAs, embedded MS OSs, Linux devices, etc, etc? Each of those platforms has a large enough user base to support its own "apps" - Solitare, or a web browser, which turns out to be the common denominator.
I don't think organizations will put up with only supporting one mobile platform. This is somewhat akin to requiring you to buy a Bell phone in order to use the phone network. Nor is it acceptable for a complex installation or configuration. Successful SCADA vendors will need to support feature rich mobile applications that run on most, if not all, mobile devices out of the box. As our networks get more robust, secure, and cheap, we'll be rewarded with new levels of capability that make that transition from novelty to necessity - just like PCs once did. In the end, competitive organizations from all industries will benefit from these incredible mobile technologies.
Friday, October 8, 2010
Friday, June 18, 2010
Virtualization has been an interest of mine for awhile. I live by VMWare Workstation on my desktop and await the day when I get a laptop that's powerful enough to support my too-many VMs at once habit. For the Industrial Integrator/programmer/professional, Virtualization makes too much sense! Check it out if you haven't already! It readily solves problems that Industrial Software vendors have created (you need this version of Windows without a patch, can't run with competing software, older programming tools for some customers, etc, etc). Using multiple Virtual Machines, you can have exactly the right tool for whatever task at hand - without ever needing to make any changes. You get additional benefits of features like "snapshots" and "cloning". The only real issue is that none of the vendors have decided to support PCMCIA/PC Cards, so you'll have to use serial or USB connectors. This should matter less and less as time goes on.
On the server side (which is what the VCP is all about), VMWare may or may not make sense for your Industrial applications. Don't get me wrong - ESX and ESXi are awesome packages, but if you don't have a competent IT department - you're adding another layer of complexity for what might benefit you. For those larger companies that provide a lot of server based services - you're probably already using a virtualized environment. It just doesn't make sense not to.
Friday, March 5, 2010
From a security perspective, I disagree that IT technologies are "more susceptable to cyber attacks" than "rigid proprietary software". The cyber attacks will come since systems are being networked and remotely accessbile, which is a productivity enhancing user requirement in modern manufacturing. Proprietary software tends to be less secure than modern IT technologies, especially as the Internet makes exploits more widely available.
Good article, though!
Wednesday, February 24, 2010
Thursday, February 4, 2010
We've been getting a huge number of hits to the new website by a number of companies across the world. We've also been getting a lot of interest in when more drivers will be available, like Siemens, Modbus, and Automation Direct in addition to the existing Allen Bradley suite. I suppose this isn't surprising considering that we're the only cross-platform OPC-UA server available. While it shouldn't be too long before we get those drivers developed, this brings me to my next point...
Where are the other OPC-UA servers? We're really looking forward to a more vibrant marketplace for OPC-UA products. Kepware says they'll be releasing their OPC-UA server soon - we're looking forward to being able to test it with Ignition. This really excites me because it brings their extensive PLC product line to the table via OPC-UA. Unfortunately, I don't think it will be cross platform.
So, how about it? OPC vendors: the gauntlet has been thrown. The industry wants OPC-UA products! And if they're cross platform, all the better. When will we start seeing them?
It's 2010 - many systems end up touching the Internet or outside world somehow, whether you like it or not. Common practices in the 90s, like allowing users to share passwords are unacceptable - that audit trail is a must. Having PLCs on the same network as office computers - professionally irresponsible. Your company uses 25 year old hardware that was never designed for security - it's up to you to isolate that network. Provide access with a "hardened" dual-homed (2 network cards) computer that is patched and protected by a firewall. Utilize VPNs, DMZs, VLANs, SSL, IDSs, and anything else in your IT department's arsenal. They know how to secure a network - it's their job. Gone are the days of operating behind their back, not letting them touch anything for fear that updates will break your system. Pick a vendor that IT will support. Practice Defense in Depth. Let them help you. It's 2010. Embrace positive change!
Tuesday, January 19, 2010
Say goodbye to rationing clients, patchwork control systems and project development constraints caused by oppressive licensing systems.
Ignition by Inductive Automation is being released January 27th. Ignition is a major next step in the evolution of FactorySQL and FactoryPMI.
Join us for this new release webinar to see how the Ignition platform opens up possibilities in the industrial automation industry. The webinar will give an overview and demonstration of Ignition's features and its capabilities, such as:
- Web-based clients that enable scalability
- Unlimited clients and tags, licensed by the server
- A flexible database-centered architecture
- OPC-UA support
- 100% cross platform: Windows and Linux
- Simplified software setup and ...
Also accompanying the product launch is Inductive Automation's new website design at http://www.inductiveautomation.com/, which will launch January 27th with details about Ignition.
Register here to attend the new release webinar.
Title: Introducing Ignition by Inductive Automation - Web-based, cross-platform SCADA
Date: Thursday, January 28, 2010
Time: 9:00 AM - 10:00 AM PST
After registering you will receive a confirmation email containing information about joining the Webinar.
Required: Windows® 2000, XP Home, XP Pro, 2003 Server, Vista
Macintosh®-based attendeesRequired: Mac OS® X 10.4 (Tiger®) or newer
Space is limited.
Reserve your Webinar seat now at: https://www2.gotomeeting.com/register/273245266
Thursday, January 14, 2010
The plan is a single product platform that replaces the separate functionality of FactorySQL and FactoryPMI. They really went all out with levering technologies! The product is platform independent (Windows 32 or 64 bit, Linux, Mac, etc), fully web based (no client installation), and supports separate "modules" that all have access to the same powerful core technologies. Everything runs from a cluster aware web server similar to the current FactoryPMI Gateway but they had new behind the scene tricks (Non-Blocking IO for multithreading, advanced serialization schemes for saving/storing projects, and a whole slew of security upgrades consistent with the OPC-UA specification).
They showed me an OPC-UA application that securely connected to different PLCs (many AB, Siemens, and AD) via different PCs without an OPC tunneller. All this worked equally well on Windows and Linux systems. Once the data is accessible from the PLC, you get the full visualization spectrum that FactoryPMI already offers (graphics, multimedia, historical trends, reporting, etc).
The coolest part is that development time should be cut down substantially, for both Inductive Automation proper and 3rd parties/end users as the API is released, since the platform performs so much native functionality (network, database, project launching/hosting/editing, clustering, storage, alerting, auditing, authentication, etc, etc.). The Ignition platform should become to controls software what Metasploit is to ethical hackers/penetration testers.