Posts Tagged ‘emerson’
Thursday, March 7, 2013 @ 05:03 PM gHale
Emerson released a hotfix that mitigates an uncontrolled resource consumption vulnerability on the DeltaV MD and SD controllers, according to a report on ICS-CERT.
This vulnerability, discovered by researcher Joel Langill, can lead to a denial of service (DoS). Exploitation of this vulnerability could cause loss of availability.
The following products suffer from the issue:
• DeltaV SE3006 SD Plus Controller Version 11.3.1 and earlier,
• DeltaV VE3005 Controller MD Hardware Version 10.3.1 and earlier,
• DeltaV VE3005 Controller MD Hardware Version 11.3.1 and earlier,
• DeltaV VE3006 Controller MD PLUS Hardware Version 10.3.1 and earlier, and
• DeltaV VE3006 Controller MD PLUS Hardware Version 11.3.1 and earlier.
Successful exploitation of this vulnerability also affects process controls as the controller restarts.
Emerson is a global manufacturing and technology company offering multiple products and services in the industrial, commercial, and consumer markets through its network power, process management, industrial automation, climate technologies, and tools and storage businesses.
Emerson’s DeltaV is a general purpose process control system used worldwide primarily in the oil and gas and chemical industries.
Publicly available network mapping tools can produce a list of available ports including 23/tcp, 513/tcp, and 161/udp. Sending a specially crafted packet to these ports could result in a restart of the controller causing a DoS.
CVE-2012-4703 is the number assigned to this vulnerability, which has a CVSS v2 base score of 6.1. This vulnerability can be exploited using commonly available network mapping tools. This vulnerability is not exploitable remotely.
Public exploits may exist that could target this vulnerability. An attacker with low skill would be able to exploit this vulnerability.
A customer notification will go out to customers who own a DeltaV control system. The notification provides details of the vulnerability, recommended mitigations, and instructions on obtaining and installing the hotfix.
Emerson recommends customers using DeltaV v7.x, v8.x, v9.3.x, v10.3, and v11.3 or earlier update to DeltaV v10.3.1 or v11.3.1 or install the DeltaV Controller Firewall to mitigate this vulnerability. Users can obtain the customer notification by contacting their Emerson sales office.
Emerson said, and Joel Langill confirmed, that the DeltaV Controller Firewall mitigates this vulnerability. However, Emerson recommends all users install the hotfix.
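A defender's check for the ports named above, as an added example that is not from ICS-CERT or Emerson: it reads firewall or flow records and reports which hosts outside an allowlist reached, or were blocked from, 23/tcp, 513/tcp or 161/udp on a controller. The log format, the addresses and the allowlist are constructed assumptions.

```python
"""Flag flows to controller service ports from hosts that are not on an allowlist."""
import ipaddress
from collections import defaultdict

# Ports named in the advisory summary above.
WATCHED_PORTS = {("tcp", 23), ("tcp", 513), ("udp", 161)}

# Assumptions for this example: the controller subnet and the approved workstation.
CONTROLLERS = ipaddress.ip_network("10.4.0.0/28")
ALLOWED_SOURCES = {ipaddress.ip_address("10.4.0.20")}

# Constructed sample records: "timestamp src dst proto dport action"
SAMPLE_LOG = """\
2013-03-07T10:00:01Z 10.4.0.20 10.4.0.5 tcp 23 ALLOW
2013-03-07T10:00:02Z 10.9.1.77 10.4.0.5 tcp 23 ALLOW
2013-03-07T10:00:02Z 10.9.1.77 10.4.0.5 tcp 513 ALLOW
2013-03-07T10:00:03Z 10.9.1.77 10.4.0.5 udp 161 DENY
2013-03-07T10:00:04Z 10.9.1.77 10.4.0.6 tcp 80 ALLOW
2013-03-07T10:00:05Z 10.9.1.78 10.4.0.6 udp 161 ALLOW
malformed line
2013-03-07T10:00:06Z 10.9.1.77 192.168.1.1 tcp 23 ALLOW
"""


def parse_line(line):
    """Return (src, dst, proto, dport, action), or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _, src, dst, proto, dport, action = parts
    try:
        return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport), action.upper())
    except ValueError:
        return None


def find_exposures(log_text):
    """Group watched-port flows to controllers by (src, dst), split by firewall action."""
    findings = defaultdict(lambda: {"allowed": set(), "denied": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        src, dst, proto, dport, action = rec
        if dst not in CONTROLLERS or src in ALLOWED_SOURCES:
            continue
        if (proto, dport) not in WATCHED_PORTS:
            continue
        bucket = "allowed" if action == "ALLOW" else "denied"
        findings[(str(src), str(dst))][bucket].add(f"{dport}/{proto}")
    return dict(findings)


def summarize(findings):
    """EXPOSED: traffic got through to the controller. BLOCKED: the firewall dropped it."""
    out = []
    for (src, dst), hits in sorted(findings.items()):
        if hits["allowed"]:
            out.append(f"EXPOSED {src} -> {dst} reached {', '.join(sorted(hits['allowed']))}")
        if hits["denied"]:
            out.append(f"BLOCKED {src} -> {dst} tried {', '.join(sorted(hits['denied']))}")
    return out


if __name__ == "__main__":
    for line in summarize(find_exposures(SAMPLE_LOG)):
        print(line)
```

An EXPOSED line means a controller that has neither the hotfix nor the DeltaV Controller Firewall in front of it is reachable on a port the advisory names.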
Tuesday, October 9, 2012 @ 09:10 AM gHale
By Gregory Hale
Whether it is working with a team to put together a safety system or an integrator to ensure the security program is up and running, the idea of partnerships continues to grow in the industry.
Travis Capps knows all about the challenges facing a manufacturing automation professional these days – and he found a way to solve the issues through partnerships.
The vice president of energy and gases at San Antonio, TX-based Valero looked at the challenges he faces every day: increased regulations, global competition, demographic shifts where 40 percent of his workforce is retirement eligible, technology changes, and the speed of change continuing to accelerate.
He also knew in this day and age, tackling those challenges needed more than just the folks he works with. Yes, the company was looking to be the best company, not necessarily the biggest; it also wanted to leverage its capabilities without bringing on more staff. That is why the company decided to fill the gaps in its system by going out and finding a technology partner.
“People and expertise are walking out the door through retirement,” said Steve Sonnenberg, executive vice president at Emerson and president of Emerson Process Management during a Monday presentation talking about challenges facing automation professionals at the Emerson Global Users Exchange. “The most critical challenge is 95 million high- and medium-skilled workers could be leaving the industry by 2020.”
That is what leads Capps to say his company is an energy producer and he will leave working out the technology aspect to his partner.
“I don’t have time to understand Emerson’s technology,” Capps said. “I trust our partners.”
“You can have all the technology in the world, if you don’t have the people you could be in trouble,” said Jim Nyquist, president of PlantWeb Solutions Group.
Others from companies like Cargill, Shell and Valero also gave presentations discussing how partnership pacts helped save what could have been a messy and costly endeavor. The end result was that finding the right partner to handle technology areas outside the company’s core competency is more important today than it ever has been.
Monday, October 1, 2012 @ 06:10 PM gHale
Emerson created a hotfix that mitigates a buffer-overflow vulnerability in its DeltaV application.
A remote attacker could exploit this vulnerability and cause a denial of service (DoS); however, at this point no known exploits exist, according to a report on ICS-CERT.
Researcher Kuang-Chun Hung of the Security Research and Service Institute-Information and Communication Security Technology Center (ICST) discovered the vulnerability, and the organization tested the hotfix and confirms it fully resolves the vulnerability.
“While no one enjoys having a security issue, Emerson appreciated working with the staff at ICS-CERT and the Taiwanese researcher in resolving these vulnerabilities in a professional manner,” said Jeff Potter, director — security architecture for PlantWeb Technology at Emerson. “ICS-CERT in turn indicated they were pleased with the diligence and timeliness of Emerson’s response.”
The following supported Emerson products are affected: DeltaV V9.3.1, V10.3.1, V11.3, and V11.3.1.
The DeltaV service copies a string without bounds checking. By sending a large string to a specific port, an attacker could cause a crash. CVE-2012-3035 is the number assigned to this vulnerability, which has a CVSS v2 base score of 5.0.
Emerson distributed a notification in KBA NK-1200-0170 to customers who own a DeltaV Control System; the notification provides details of the vulnerability, recommended mitigations, and instructions on obtaining and installing the hotfix. Customers using DeltaV V9.3.1 and V10.3 should update to V10.3.1 as there is no hotfix for those versions.
Thursday, May 31, 2012 @ 02:05 PM gHale
A hotfix is available to mitigate the multiple vulnerabilities in the Emerson DeltaV application, according to a report from ICS-CERT.
Researcher Kuang-Chun Hung of the Security Research and Service Institute–Information and Communication Security Technology Center (ICST), who found the holes, tested this hotfix and confirms it fully resolves the vulnerabilities.
“While no one enjoys having a security issue, Emerson appreciated working with the staff at ICS-CERT and the Taiwanese researcher in resolving these vulnerabilities in a professional manner,” said Jeff Potter, director — security architecture for PlantWeb Technology at Emerson. “ICS-CERT in turn indicated they were pleased with the diligence and timeliness of Emerson’s response.”
The following products suffer from the issues:
• DeltaV and DeltaV Workstations V9.3.1, V10.3.1, V11.3, and V11.3.1, and
• DeltaV ProEssentials Scientific Graph V5.0.0.6.
These remotely exploitable vulnerabilities could allow denial of service, information disclosure, or remote code execution.
One of the vulnerabilities is a cross-site scripting issue, which can enable an attacker to inject client side script into web pages viewed by other users or bypass client side security mechanisms imposed by modern web browsers. If successfully exploited, this vulnerability could allow arbitrary code execution and may require social engineering to exploit. CVE-2012-1814 is the number assigned to this vulnerability, which has a CVSS V2 base score of 7.5.
Another bug is for SQL injection, which an attacker could use to perform database operations unintended by the web application designer and, in some instances, can lead to total compromise of the database server. This vulnerability, if successfully exploited, could allow arbitrary code execution. CVE-2012-1815 is the number assigned to this vulnerability, which also has a CVSS V2 base score of 7.5.
A denial of service can occur by sending a specially crafted packet to PORTSERV.exe on both TCP/111 and UDP/111. This attack will cause the software to crash, denying service to legitimate users. CVE-2012-1816 is the number assigned to this vulnerability, which has a CVSS V2 base score of 5.
One more vulnerability is a buffer overflow: in the affected versions, DeltaV does not properly sanitize the inputs from project files. Invalid information in certain fields can cause the program to crash and could allow arbitrary code execution. CVE-2012-1817 is the number assigned to this vulnerability, which has a CVSS V2 base score of 4.6.
File manipulation is another hole: if it is successfully exploited, an attacker can use the ActiveX control to overwrite arbitrary files on the victim’s computer in the context of the vulnerable application. CVE-2012-1818 is the number assigned to this vulnerability, which has a CVSS V2 base score of 7.5.
Right now, there are no known exploits specifically targeting these vulnerabilities. An attacker with a medium skill level would be able to exploit these vulnerabilities.
Emerson created a hotfix that resolves these vulnerabilities. Emerson has distributed a notification in KBA NK-1200-0091, “ICS-CERT ADVISORY – ICSA-12-137-01 Emerson Multiple Vulnerabilities: Impact and Recommended Actions,” to customers who own a DeltaV Control System. The notification provides details of the vulnerabilities, recommended mitigations, and instructions on obtaining and installing the hotfix.
Tuesday, May 17, 2011 @ 11:05 AM gHale
Emerson released DeltaV Analyze V2.0 software to help process automation operators manage alarm system performance.
In addition, Emerson inked an alliance pact with automation safety certification and consulting firm exida whose alarm rationalization software can optimize Emerson’s DeltaV process automation system alarms.
“After just six weeks using Emerson’s DeltaV Analyze software we had identified and eliminated nuisance alarms for an overall 40% reduction in alarms seen by our operators,” said Steve Elwart, systems engineering director for Ergon Refining and an early user of the software.
Nuisance alarms have been a common problem in industrial plants since the application of digital computers to process control in the 1980s. The ease with which a user can implement alarms has led to overload, alarm floods, and incorrectly prioritized alarms, all of which diminish control room operators’ effectiveness.
“New industry standards that define good alarm management engineering practice combined with heightened scrutiny by safety, health and environmental regulatory agencies and the insurance industry are making plant managers take notice,” said Emerson’s Kim Van Camp, making reference to ANSI/ISA18.2-2009 Management of Alarm Systems for the Process Industries and the forthcoming complementary IEC standard, IEC 62682.
Emerson’s DeltaV Analyze V2.0 software provides out-of-the-box reports that measure alarm system performance as prescribed by the new standards, such as peak and average incoming alarm rate and priority distribution. Reports contain “top 20” lists of nuisance alarms of various types, such as the sources of the most frequently occurring alarms and those that remain active for the longest time.
Emerson’s alliance with exida leverages exida’s SILAlarm alarm rationalization software to optimize the DeltaV system’s alarm performance.
“Alarm rationalization is one of the key activities in ISA-18.2’s alarm management lifecycle and is critical to create a sustainable and effective alarm management program,” said exida’s Todd Stauffer, director of Alarm Management services. “SILAlarm delivers benefits to operations that previously would have considered rationalization too burdensome and expensive. The results include reduced alarm load on the operator, no more nuisance alarms and improved operator response.”
Thursday, February 24, 2011 @ 04:02 PM gHale
Emerson Process Management won a multi-million dollar purchase order from State Nuclear Power Engineering Corporation (SNPEC) to supply Fisher control valves for the Westinghouse AP1000 pressurized water reactors at the Sanmen 2 and Haiyang 2 nuclear power plants in China.
The order includes valves for two applications at each plant: A start-up or bypass valve and the main feedwater valve.
The bypass valve is a specially-designed six-inch valve with a seismically qualified actuator and special trim to ensure a smooth transition with the main regulation valve.
The main feedwater valve is a 20- by 16-inch valve with specially characterized trim and actuation to ensure rapid but stable response. The actuators for both valves have been sized using EPRI guidelines to meet industry standards.
Tuesday, January 25, 2011 @ 06:01 PM gHale
Emerson Process Management’s DeltaV SIS process safety system is in compliance with three burner management system (BMS) standards.
TÜV certified the DeltaV SIS system as meeting the requirements for the National Fire Protection Association NFPA 85: Boiler and Combustion Systems Hazards Code, the European Standard EN 298: Automatic gas burner control systems for gas burners and gas burning appliances with or without fans, and the European Standard EN 50156: Electrical equipment for furnaces and ancillary equipment. All of these standards cover the design and installation of fuel burning equipment and their associated systems.
Fire-heated equipment plays a critical role in the production process, so safety, reliability, and availability are paramount. The DeltaV SIS system can meet BMS needs (large or small), gives operators increased visibility for BMS operations, and reduces engineering and complexity for BMS applications. DeltaV SIS simplex and redundant logic solvers gained certification for use in SIL 3 applications in accordance with IEC 61508.
“With many existing DeltaV SIS installations already being used in burner management applications, the NFPA 85, EN 298 and EN 50156 product certifications give users additional assurance that the DeltaV SIS system is well-suited for use with fired equipment,” said Mike Boudreaux, Emerson’s brand manager for the DeltaV SIS system.
Tuesday, December 7, 2010 @ 12:12 PM gHale
Emerson Process Management’s Smart Wireless Gateway earned Achilles certification.
Based on rigorous testing by independent consultant Wurldtech Security Technologies, the certification gives customers added assurance the security measures built into Emerson’s Smart Wireless networks meet the demands of industrial automation applications.
“Emerson’s commitment to developing robust products has been demonstrated by their multiple Achilles Certified devices,” said Kevin Yoo, Achilles Certification Program Lead for Wurldtech. “They are continuing their emphasis on network robustness with the Emerson Smart Wireless Gateway, which is the first device in the new ‘network components’ category to achieve Achilles Certification.”
The Achilles Certified Communications program provides an independently verified benchmark for assessing the network security and resilience of applications, devices, and systems in critical industrial infrastructures.
“Security has been a top priority for our Smart Wireless technology right from the start,” said Jeff Potter, Emerson’s security and IT-integration manager. “Achieving Achilles certification validates our approach and will further enhance customer confidence in the security and reliability of our wireless networks.”
The Smart Wireless Gateway is a key part of Emerson’s self-organizing wireless field network technology. Based on the IEC 62591, or WirelessHART, standard, these networks use multiple strategies including encryption, network keys, integrity codes, and anti-jamming techniques to provide secure, reliable communications even in harsh industrial environments.
Thursday, December 2, 2010 @ 04:12 PM gHale
Emerson Process Management introduced the Rosemount 2130 for Safety Integrity Level (SIL) 2 safety instrumented systems. This new version features built-in fault monitoring/self-checking diagnostics and works with high and low level alarms.
After gaining third-party evaluation by global organization exida, the Rosemount 2130 has the required Failure Modes, Effects and Diagnostic Analysis (FMEDA) report. As a result, companies in the oil & gas production, refining, petrochemical, chemical and power industries can benefit from the almost maintenance free vibration fork technology while ensuring compliance with associated IEC industry standards.
With several output types with a Safe Failure Fraction (SFF) over 90%, the resulting FMEDA report shows SIL 2 suitability. As per IEC 61508 and IEC 61511, the documentation provides safety instrumentation engineers with the required failure data and with proof test recommendations. With a five-year-plus proof test interval, the proof test can co-ordinate with plant turnaround, minimizing process interruption and reducing risk to personnel.
The new 2130 version is simple and easy-to-use, reliable in a wide range of applications and requires no on-site calibration. The visible “heart-beat” LED gives an instant visual indication the unit is operational. In addition, the built-in fault monitoring/self diagnostics can detect extreme corrosion of the forks, or any other internal or external damage to the fork sensor, which triggers a warning LED and safe handling of the load.
Further functionality in the new version includes a low-density option suitable for liquids with a specific gravity down to 0.5 (500 kg/m³) and a wide choice of electronic output options for use on their own or as part of an analog or digital plant monitoring network.
The Rosemount 2130 works in extreme temperatures ranging from -70 to +260 °C (-94 to +500 °F). Like other models in the Rosemount 2100 range, the new model is available with 316L stainless steel as standard, ECTFE/PFA copolymer coated 316L stainless steel or corrosion resistant alloy C wet side, as well as a choice of electronic output types and aluminum or stainless steel housing options.
Monday, November 1, 2010 @ 05:11 PM gHale
Wurldtech Security Technologies now has over 25 certified process automation, control and safety systems.
The Achilles Communications Certification program, developed by Wurldtech and its partners to provide a benchmark for the secure development of the applications, devices and systems found in critical industrial infrastructure, is able to assess the network robustness of industrial devices and certify they meet a formal and comprehensive set of requirements and conformance.
The certification process presents device manufacturers with an independently verified result from which to communicate their product security to customers, while providing the operators of control systems with the most complete, accurate, and trustworthy information possible about the network resilience of their deployed products.
“As a community we need to understand that we all have roles to play to improve the resilience of our critical industrial networks and certification is a great way for vendors to validate the robustness of the systems being supplied to industrial end-users,” said Peter Kwaspen, with Shell’s strategy and development area in its control & automation systems engineering department. “The Achilles Certified designation saves Shell a lot of time in the specification and procurement process and provides us with the assurance that the process control systems we buy have met an industry-accepted benchmark for security and robustness.”
In the utility area, Sensus, a supplier of metering solutions, said their FlexNet 2.2 communications system is the Smart Grid industry’s first Achilles Certified metering system. During the six-month certification process, the technology underwent a battery of rigorous tests to identify and eliminate vulnerabilities.
“Our utility customers recognize that independently verified and repeatable assurances of security are critical for defining a reliable standard of security for the entire Smart Grid industry,” said Peter Mainz, president and chief executive at Sensus.
On the wireless front, Emerson Process Management said its Smart Wireless Gateway is the first wireless device to be Achilles Certified.
“From the start, security has been a top priority for Emerson Smart Wireless solutions. Incorporating the Achilles certification program into our product development process builds upon that foundation and shows our continued commitment to providing secure and reliable solutions,” said Jeff Potter, Emerson’s Security and IT Integration Manager.
Invensys Operations Management’s I/A Series Model P92 workstations are the first host-based devices (HBD), a category that includes HMIs, engineering workstations, historian servers and domain controllers, to achieve the Achilles Certified designation.
“Our customers demand the utmost in secure process control systems,” said Ernie Rakaczky, Invensys Operations Management security program manager. “We see the certification of the Foxboro I/A Series Operator Workstations as another step toward helping our clients achieve safety and control excellence, and look forward to driving more of our products, applications and practice through a defined Achilles Certification.”
Wind River’s VxWorks is the first real-time operating system to gain certification under the Achilles certification program. This certification enables Wind River’s customers in the process automation, power and energy, oil and gas, transportation, and medical market segments to deploy VxWorks with certified defenses against cyber attacks.
“As cyber threats to mission-critical systems continue to grow in frequency and complexity, it is critical to have a secure infrastructure that protects vital data against hackers,” said Jens Wiegand, GM of industrial and medical solutions at Wind River.



