Posts Tagged ‘emerson’

Thursday, May 22, 2014 @ 03:05 PM gHale

Emerson created a patch that mitigates two authorization vulnerabilities in its DeltaV application, according to a report on ICS-CERT.

These vulnerabilities were reported directly to Emerson by Kirill Nesterov, Alexander Tlyapov, Dmitry Nagibin, Alexey Osipov, and Timur Yunusov of Positive Technologies.

DeltaV Versions 10.3.1, 11.3, 11.3.1, and 12.3 suffer from the issues.

An attacker that has local access to the affected product may be able to read and replace configuration files and log into accounts for which they do not have the correct authorization. A successful exploit of these vulnerabilities is likely to cause a denial of service.

Emerson is a global manufacturing and technology company offering multiple products and services in the industrial, commercial, and consumer markets through its network power, process management, industrial automation, climate technologies, and tools and storage businesses.

Emerson’s DeltaV is a general purpose process control system that sees use worldwide primarily in the oil and gas and chemical industries.

A local attacker with engineering level user privileges can read and replace DeltaV configuration files in the DeltaV directory.

CVE-2014-2349 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 6.2.

Several DeltaV service processes have diagnostic telnet ports using hardcoded credentials that an attacker could discover and use.

CVE-2014-2350 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 2.4.

These vulnerabilities are not exploitable remotely and cannot be exploited without user interaction.

No known public exploits specifically target these vulnerabilities. An attacker with a low skill would be able to exploit these vulnerabilities.

Emerson sent out a notification (KBA NK-1400-0031) that provides details of the vulnerabilities, recommended mitigations, and instructions on obtaining and installing the patch. This document is available on Emerson’s support site to users who have support contracts with Emerson.

Tuesday, October 1, 2013 @ 01:10 PM gHale

By Gregory Hale
Richard Clark and Dale Mostat know first-hand why pervasive sensing is a safety enhancer.

Their company, Spectra Energy, knew they needed a safer environment for workers after a colleague suffered burns in an accident at a gas facility, said Clark, the maintenance team lead for the PTC Pipeline at Spectra in Saskatchewan, Canada, during a presentation at the 2013 Emerson Global Users Exchange in Dallas, TX.

The problem, he said, was that a small gas facility had a gas leak and the gas collected in the building until one day it exploded. What they wanted to do was remove the building and expose the wellheads and piping to the elements. While that presented other problems, like having the equipment buried under two to three feet of snow, it also kept the gas from collecting in a building, which could lead to another explosion.

They still needed to figure out a way to detect a gas leak, as that could end up being a safety issue along with continuously losing product. With the open air environment, Clark said their existing technology was not really able to detect a leak if the wind was carrying propane vapors away from the gas head. Plus, when snow fell and the well head became buried, they were not able to detect any data.

Through Emerson’s new ultrasonic wide area gas monitoring device, they were able to find gas leaks much faster to prevent any kind of accidents and save more money.

That real life case history is just one scenario where “pervasive sensing is changing the game in site safety,” said Tom Moser, president of Emerson’s Rosemount Measurement division.

Pervasive sensing is all about there being an increased emphasis on other business-critical issues like equipment reliability, environmental concerns, energy use, security and personnel safety. However, with the cost of monitoring those areas dropping because of the advanced use of wireless technology, there are more sensors that can gather data and therefore there is more capability to learn detailed information.

The problem, though, is data is not good unless it is “actionable information,” said Peter Zornio, chief strategy officer at Emerson. “Pervasive sensing is realtime information throughout the plant.”

Pervasive sensing relies on:
• Innovative sensors that are multivariable, nonintrusive and wide area
• Easily commissioned: wireless, self-powered and configuration-free
• No maintenance: accurate, calibration-free, with lifetime reliability

Nick Jude used pervasive sensing to solve a problem he had at the Flint Hills Resources Pine Bend Minnesota Refinery.

A risk study at the refinery identified 72 high risk pumps, said Jude, the rotating EQ reliability engineer. After further assessment, the number actually grew to 110 pumps. These pumps represent a risk of vapor clouds releasing which could lead to an explosion.

“Priority number one was safety and priority number 2 was reliability,” Jude said. “You can’t have safety without reliability and you can’t have reliability without safety.”

By installing a wireless vibration transmitter and detailing various alarms, they saw an increase in reliability at the refinery.

“This project was to prevent a bad day,” Jude said. “I am happy to say we have gone five years without a pump fire.”

Tuesday, October 1, 2013 @ 11:10 AM gHale

By Gregory Hale
Always striving to improve, Steve Sonnenberg of Emerson Process Management heard from customers that the company was sometimes difficult to do business with, and that users felt the company sometimes acted as separate companies and was too slow to deliver products.

The president of the leading industry process control supplier said that will end because the company will now become more of a problem solving organization.

“We want to become a trusted advisor,” Sonnenberg said Monday during his keynote address at the 2013 Emerson Global Users Exchange in Dallas, TX. “Anyone can be an advisor. Anybody with an opinion is an advisor, but to be a trusted advisor is something different. My goal is to make Emerson a trusted advisor.”

After devoting a good chunk of last year listening to what customers wanted and needed, Sonnenberg came back with some answers. In short, Sonnenberg wants Emerson to be an easier company to do business with and a true problem solver.

Four pillars, he said, will allow the company to achieve this goal:
• Connect to the customer
• Technology innovation
• Lifecycle services
• Perfect execution

One of the interesting things Emerson is talking about is creating products that meld into the way a user works. Understanding automation professionals often have a hard time changing the way they work a process, Emerson focused its efforts over the past few years on the Human Centered Design concept where they make products work for the user in the user’s environment. They don’t try to create a one size fits all solution.

“We are striving to make our products more human centered design,” said Peter Zornio, Emerson’s chief strategic officer during his technology keynote Monday. “We don’t want (users) to change the way you do your job.”

One of the other areas Emerson will look to advance is its Pervasive Sensing program. They understand with technology advancing, end users are getting more data coming at them all the time. But data is no good unless the user can analyze it with some kind of context. That, Sonnenberg said, is where their Integrated Operations Center will come into play. The center will be able to get the data, analyze it and then the right people will be able to view it and act upon it.

Technology, always an Emerson strength, also has to work hand-in-hand with the human aspect of working with the end user to find the right solution for whatever issue they are dealing with. That falls in line with Sonnenberg’s fourth pillar of perfect execution.

“For you to improve your operations, we have to improve our operations,” Sonnenberg said. Toward that end, he said they are adding more people to focus on project management. They also added in seven service centers and plan to add 12 more. The goal is to add as many service centers as close to their customers as possible.

“We need to be easier to do business with. That includes having simpler business processes, consistent project execution and delivery dates you can count on,” he said. Delivery dates are improving. “Our on time delivery is the best it has ever been.”

Thursday, March 7, 2013 @ 05:03 PM gHale

Emerson released a hotfix that mitigates an uncontrolled resource consumption vulnerability on the DeltaV MD and SD controllers, according to a report on ICS-CERT.

This vulnerability, discovered by researcher Joel Langill, can lead to a denial of service (DoS). Exploitation of this vulnerability could cause loss of availability.

The following products suffer from the issue:
• DeltaV SE3006 SD Plus Controller Version 11.3.1 and earlier,
• DeltaV VE3005 Controller MD Hardware Version 10.3.1 and earlier,
• DeltaV VE3005 Controller MD Hardware Version 11.3.1 and earlier,
• DeltaV VE3006 Controller MD PLUS Hardware Version 10.3.1 and earlier, and
• DeltaV VE3006 Controller MD PLUS Hardware Version 11.3.1 and earlier.

Successful exploitation of this vulnerability also affects process controls as the controller restarts.

Emerson is a global manufacturing and technology company offering multiple products and services in the industrial, commercial, and consumer markets through its network power, process management, industrial automation, climate technologies, and tools and storage businesses.

Emerson’s DeltaV is a general purpose process control system used worldwide primarily in the oil and gas and chemical industries.

Publicly available network mapping tools can produce a list of available ports including 23/tcp, 513/tcp, and 161/udp. Sending a specially crafted packet to these ports could result in a restart of the controller causing a DoS.

CVE-2012-4703 is the number assigned to this vulnerability, which has a CVSS v2 base score of 6.1. This vulnerability can be exploited using commonly available network mapping tools. This vulnerability is not exploitable remotely.

Public exploits may exist that could target this vulnerability. An attacker with a low skill would be able to exploit this vulnerability.

A customer notification will go out to customers who own a DeltaV control system. The notification provides details of the vulnerability, recommended mitigations, and instructions on obtaining and installing the hotfix.

Emerson recommends customers using DeltaV v7.x, v8.x, v9.3.x, v10.3, and v11.3 or earlier update to DeltaV v10.3.1 or v11.3.1 or install the DeltaV Controller Firewall to mitigate this vulnerability. Users can obtain the customer notification by contacting their Emerson sales office.

Emerson said, and Joel Langill confirmed, that the DeltaV Controller Firewall mitigates this vulnerability. However, Emerson recommends all users install the hotfix.

Tuesday, October 9, 2012 @ 09:10 AM gHale

By Gregory Hale
Whether it is working with a team to put together a safety system or an integrator to ensure the security program is up and running, the idea of partnerships continues to grow in the industry.

Travis Capps knows all about the challenges facing a manufacturing automation professional these days – and he found a way to solve the issues through partnerships.

The vice president of energy and gases at San Antonio, TX-based Valero looked at the challenges he faces every day: things like increased regulations, global competition, demographic shifts where 40 percent of his workforce is retirement eligible, technology changes and the speed of change continuing to accelerate.

He also knew in this day and age, tackling those challenges needed more than just the folks he works with. Yes, the company was looking to be the best company, not necessarily the biggest. They also wanted to leverage their capabilities, but not bring on more staff. That is why they decided to fill the gaps in their system by going out and finding a technology partner.

“People and expertise are walking out the door through retirement,” said Steve Sonnenberg, executive vice president at Emerson and president of Emerson Process Management during a Monday presentation talking about challenges facing automation professionals at the Emerson Global Users Exchange. “The most critical challenge is 95 million high- and medium-skilled workers could be leaving the industry by 2020.”

That is what leads Capps to say his company is an energy producer and he will leave working out the technology aspect to his partner.

“I don’t have time to understand Emerson’s technology,” Capps said. “I trust our partners.”

“You can have all the technology in the world, if you don’t have the people you could be in trouble,” said Jim Nyquist, president of PlantWeb Solutions Group.

Others from companies like Cargill, Shell and Valero also gave presentations discussing how partnership pacts helped save what could have been a messy and costly endeavor. The end result was that finding the right partner that can handle technology areas that are not part of the company’s core competency is more important today than it ever has been.

Monday, October 1, 2012 @ 06:10 PM gHale

Emerson created a hotfix that mitigates a buffer-overflow vulnerability in its DeltaV application.

A remote attacker could exploit this vulnerability and cause a denial of service (DoS); however, at this point no known exploits exist, according to a report on ICS-CERT.

Researcher Kuang-Chun Hung of the Security Research and Service Institute-Information and Communication Security Technology Center (ICST) discovered the vulnerability, and the organization tested the hotfix and confirmed it fully resolves the vulnerability.

“While no one enjoys having a security issue, Emerson appreciated working with the staff at ICS-CERT and the Taiwanese researcher in resolving these vulnerabilities in a professional manner,” said Jeff Potter, director — security architecture for PlantWeb Technology at Emerson. “ICS-CERT in turn indicated they were pleased with the diligence and timeliness of Emerson’s response.”

The following supported Emerson products are affected: DeltaV V9.3.1, V10.3.1, V11.3, and V11.3.1

Emerson is a global manufacturing and technology company offering multiple products and services in the industrial, commercial, and consumer markets through its network power, process management, industrial automation, climate technologies, and tools and storage businesses.

The DeltaV service copies a string without bounds checking. By sending a large string to a specific port, an attacker could cause a crash. CVE-2012-3035 is the number assigned to this vulnerability, which has a CVSS v2 base score of 5.0.

Emerson distributed a notification in KBA NK-1200-0170 to customers who own a DeltaV Control System; the notification provides details of the vulnerability, recommended mitigations, and instructions on obtaining and installing the hotfix. Customers using DeltaV V9.3.1 and V10.3 should update to V10.3.1 as there is no hotfix for those versions.

Thursday, May 31, 2012 @ 02:05 PM gHale

A hotfix is available to mitigate the multiple vulnerabilities in the Emerson DeltaV application, according to a report from ICS-CERT.

Researcher Kuang-Chun Hung of the Security Research and Service Institute–Information and Communication Security Technology Center (ICST), who found the holes, tested this hotfix and confirms it fully resolves the vulnerabilities.

“While no one enjoys having a security issue, Emerson appreciated working with the staff at ICS-CERT and the Taiwanese researcher in resolving these vulnerabilities in a professional manner,” said Jeff Potter, director — security architecture for PlantWeb Technology at Emerson. “ICS-CERT in turn indicated they were pleased with the diligence and timeliness of Emerson’s response.”

The following products suffer from the issues:
• DeltaV and DeltaV Workstations V9.3.1, V10.3.1, V11.3, and V11.3.1, and
• DeltaV ProEssentials Scientific Graph V5.0.0.6

These remotely exploitable vulnerabilities could allow denial of service, information disclosure, or remote code execution.

Emerson is a global manufacturing and technology company offering multiple products and services in the industrial, commercial, and consumer markets through its network power, process management, industrial automation, climate technologies, and tools and storage businesses.

One of the vulnerabilities is a cross-site scripting issue, which can enable an attacker to inject client side script into web pages viewed by other users or bypass client side security mechanisms imposed by modern web browsers. If successfully exploited, this vulnerability could allow arbitrary code execution and may require social engineering to exploit. CVE-2012-1814 is the number assigned to this vulnerability, which has a CVSS V2 base score of 7.5.

Another bug is for SQL injection, which an attacker could use to perform database operations unintended by the web application designer and, in some instances, can lead to total compromise of the database server. This vulnerability, if successfully exploited, could allow arbitrary code execution. CVE-2012-1815 is the number assigned to this vulnerability, which also has a CVSS V2 base score of 7.5.

A denial of service can occur by sending a specially crafted packet to PORTSERV.exe on both TCP/111 and UDP/111. This attack will cause the software to crash, denying service to legitimate users. CVE-2012-1816 is the number assigned to this vulnerability, which has a CVSS V2 base score of 5.

One more vulnerability is a buffer overflow: in the affected version, DeltaV does not properly sanitize the inputs from project files. Invalid information in certain fields can cause the program to crash and could execute arbitrary code. CVE-2012-1817 is the number assigned to this vulnerability, which has a CVSS V2 base score of 4.6.

File manipulation is another hole, where if successfully exploited, an attacker can overwrite arbitrary files on the victim’s computer in the context of the vulnerable application using the ActiveX control. CVE-2012-1818 is the number assigned to this vulnerability, which has a CVSS V2 base score of 7.5.

Right now, there are no known exploits specifically targeting these vulnerabilities. An attacker with a medium skill level would be able to exploit these vulnerabilities.

Emerson created a hotfix that resolves these vulnerabilities. Emerson has distributed a notification in KBA NK-1200-0091, “ICS-CERT ADVISORY – ICSA-12-137-01 Emerson Multiple Vulnerabilities: Impact and Recommended Actions,” to customers who own a DeltaV Control System. The notification provides details of the vulnerabilities, recommended mitigations, and instructions on obtaining and installing the hotfix.

Tuesday, May 17, 2011 @ 11:05 AM gHale

Emerson released DeltaV Analyze V2.0 software to help process automation operators manage alarm system performance.

In addition, Emerson inked an alliance pact with automation safety certification and consulting firm exida whose alarm rationalization software can optimize Emerson’s DeltaV process automation system alarms.

“After just six weeks using Emerson’s DeltaV Analyze software we had identified and eliminated nuisance alarms for an overall 40% reduction in alarms seen by our operators,” said Steve Elwart, systems engineering director for Ergon Refining and an early user of the software.

Nuisance alarms have been a common problem in industrial plants since the application of digital computers to process control in the 1980s. The ease with which a user can implement alarms has led to overload, alarm floods, and incorrectly prioritized alarms, all of which diminish control room operators’ effectiveness.

“New industry standards that define good alarm management engineering practice combined with heightened scrutiny by safety, health and environmental regulatory agencies and the insurance industry are making plant managers take notice,” said Emerson’s Kim Van Camp, making reference to ANSI/ISA18.2-2009 Management of Alarm Systems for the Process Industries and the forthcoming complementary IEC standard, IEC 62682.

Emerson’s DeltaV Analyze V2.0 software provides out-of-the-box reports that measure alarm system performance as prescribed by the new standards, such as peak and average incoming alarm rate and priority distribution. Reports contain “top 20” lists of nuisance alarms of various types, such as the sources of the most frequently occurring alarms and those that remain active for the longest time.

Emerson’s alliance with exida leverages exida’s SILAlarm alarm rationalization software to optimize the DeltaV system’s alarm performance.

“Alarm rationalization is one of the key activities in ISA-18.2’s alarm management lifecycle and is critical to create a sustainable and effective alarm management program,” said exida’s Todd Stauffer, director of Alarm Management services. “SILAlarm delivers benefits to operations that previously would have considered rationalization too burdensome and expensive. The results include reduced alarm load on the operator, no more nuisance alarms and improved operator response.”

Thursday, February 24, 2011 @ 04:02 PM gHale

Emerson Process Management won a multi-million dollar purchase order from State Nuclear Power Engineering Corporation (SNPEC) to supply Fisher control valves for the Westinghouse AP1000 pressurized water reactors at the Sanmen 2 and Haiyang 2 nuclear power plants in China.

The order includes valves for two applications at each plant: A start-up or bypass valve and the main feedwater valve.

The bypass valve is a specially-designed six-inch valve with a seismically qualified actuator and special trim to ensure a smooth transition with the main regulation valve.

The main feedwater valve is a 20- by 16-inch valve with specially characterized trim and actuation to ensure rapid but stable response. The actuators for both valves have been sized using EPRI guidelines to meet industry standards.

Tuesday, January 25, 2011 @ 06:01 PM gHale

Emerson Process Management’s DeltaV SIS process safety system is in compliance with three burner management system (BMS) standards.

TÜV certified the DeltaV SIS system as meeting the requirements for the National Fire Protection Association NFPA 85: Boiler and Combustion Systems Hazards Code, the European Standard EN 298: Automatic gas burner control systems for gas burners and gas burning appliances with or without fans, and the European Standard EN 50156: Electrical equipment for furnaces and ancillary equipment. All of these standards cover the design and installation of fuel burning equipment and their associated systems.

Fire-heated equipment plays a critical role in the production process, so safety, reliability, and availability are paramount. The DeltaV SIS system can meet BMS needs (large or small), gives operators increased visibility for BMS operations, and reduces engineering and complexity for BMS applications. DeltaV SIS simplex and redundant logic solvers gained certification for use in SIL 3 applications in accordance with IEC 61508.

“With many existing DeltaV SIS installations already being used in burner management applications, the NFPA 85, EN 298 and EN 50156 product certifications give users additional assurance that the DeltaV SIS system is well-suited for use with fired equipment,” said Mike Boudreaux, Emerson’s brand manager for the DeltaV SIS system.
