Posts Tagged ‘HMI’
Wednesday, July 23, 2014 @ 01:07 PM gHale
Omron Corp. mitigated the multiple vulnerabilities in the NS series of human-machine interface (HMI) terminals, according to a report on ICS-CERT.
These vulnerabilities, discovered by researcher Joel Sevilleja Febrer of S2 Grupo, are remotely exploitable.
The following Omron Corporation products suffer from the issues:
• NS15 Version 8.1xx – 8.68x,
• NS12 Version 8.1xx – 8.68x,
• NS10 Version 8.1xx – 8.68x,
• NS8 Version 8.1xx – 8.68x, and
• NS5 Version 8.1xx – 8.68x.
Successful exploitation of these vulnerabilities could allow an attacker to modify device configuration and expose sensitive information.
Omron Corporation is an international company headquartered in Kyoto, Japan.
The affected products are NS series HMI terminals. The NS series HMI terminals have a global marketing channel; however, Omron said the vulnerabilities only affect its overseas market. The NS series HMI terminals see action across several sectors including critical manufacturing and healthcare and public health.
One of the vulnerabilities is a cross-site request forgery flaw: the web application accepts a request from a client without adequately verifying that the request was intentionally sent by the user. This could allow an attacker to execute commands, compromising the system and enabling modifications to the system’s configuration.
CVE-2014-2369 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.6.
There is also a stored cross-site scripting issue: the web application stores untrusted data that can later be read back into the application and included in dynamic content.
CVE-2014-2370 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.0.
While no known public exploits specifically target these vulnerabilities, an attacker with a high to moderate skill would be able to exploit these vulnerabilities.
Omron Corporation produced an update, Version 8.69x for Japan and Version 8.7x for other countries, that mitigates the vulnerabilities. The updates for the NS series of HMI terminals can be downloaded at the following locations:
Wednesday, May 21, 2014 @ 06:05 PM gHale
By Gregory Hale
More data is coming in to operators every day and that can be a good thing if the flood of information is understandable and in the right context.
“Big Data is no good if it is not the right data at the right time,” said Amy Ericson, U.S. Country president for energy and transportation solutions provider Alstom during her talk at the PAS Technology Conference 2014 in Houston. “How do you visualize the data that is coming in?”
Along those lines, Alstom and PAS inked a deal where Alstom will distribute the PAS PowerGraphiX software.
“We are looking at PowerGraphiX to bring consistency to the industry,” Ericson said.
PowerGraphiX is a set of predesigned graphic templates, object libraries and best-practice guidelines for the design and implementation of operator interfaces at power generation plants. The goal is to make graphics easier to read and understand compared to the hodgepodge of inconsistent offerings out now.
Initially, the software came about because Southern Company Services, Inc. had a vision of consistent HMIs and improved situational awareness in control rooms across the operating fleet. PAS is now making the product commercially available for all utilities.
The Alstom pact was not the only partnership unveiled at the conference, as PAS inked an agreement with security provider Tripwire.
The agreement is part of the Tripwire NERC Alliance Network Program designed to bring collaboration on critical infrastructure compliance and security solutions to help companies efficiently and effectively achieve the complicated NERC CIP compliance.
The integration between the PAS Integrity Software Suite and Tripwire NERC Solution Suite will provide users with automation software that drastically reduces the time and resources required to collect audit evidence. The goal is to bring a consistent approach to the management and maintenance of secure configurations across a wide range of devices including Industrial Control Systems (ICS), SCADA, Microsoft Windows and Windows Servers.
“Automating the collection of configuration information for all critical assets in energy organizations saves precious resources, improves compliance, reduces human error and, in addition, dramatically reduces cyber security risks,” said Mark Carrigan, vice president of technology at PAS.
Energy organizations must gather, analyze, prioritize and document a large amount of vulnerability and network data in order to protect their most critical assets and meet compliance requirements. The integration of PAS’ Integrity Software Suite and Tripwire’s NERC Solution Suite provides customers with:
• A single process that enables continuous monitoring and rapidly captures detailed status information across a wide range of critical cyber assets, from computer systems and network devices to badge entry systems and SCADA devices.
• Audit-ready reports and dashboards grouped via a flexible and extensible classification system.
• Automated assessment and aggregation of security data alerts that assist in detecting potential security breaches or configuration modifications that affect compliance status.
Wednesday, April 16, 2014 @ 10:04 AM gHale
Progea created a new version that mitigates an information disclosure vulnerability in the Movicon application, according to a report on ICS-CERT.
Celil Ünüver of SignalSEC Ltd., the researcher who discovered the remotely exploitable vulnerability, tested the new version to validate that it resolves the issue.
Progea Movicon 11.4 prior to Build 1150 suffers from the issue.
The software’s service allows download and upload of files. Some opcode functions can be triggered remotely to disclose limited information, such as the OS version.
Progea Srl is an Italian-based company.
The affected product, Progea Movicon 11, is an XML-based human-machine interface development system that includes drivers for programmable logic controllers (PLCs). Movicon provides OPC-based connectivity for data transfer, including OPC DA and OPC XML DA services. According to Progea, Movicon sees use across several critical infrastructure sectors including critical manufacturing, energy, and water and wastewater systems.
Progea said this primarily sees use in Europe, India, and the United States.
The TCPUploader module listens on Port 10651/TCP for incoming connections. Exploitation of this vulnerability could allow a remote, unauthenticated user to obtain OS version information. While this is a minor vulnerability, it provides a method for further network reconnaissance.
CVE-2014-0778 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.
No known public exploits specifically target this vulnerability. However, an attacker with a moderate skill would be able to exploit this vulnerability.
Progea has updated and fixed the vulnerability in Movicon Version 11.4.1150. This is available as a download from the Progea Technical Support site.
Users must register on the Progea web site to download this new version.
Thursday, February 27, 2014 @ 02:02 PM gHale
Houston-based PAS Inc released its PowerGraphiX 2.0, a high performance human-machine interface (HMI) package for the power generation industry.
PowerGraphiX consists of predesigned graphic templates, object libraries and best-practice guidelines for the design and implementation of operator interfaces at power generation plants.
The view from the new product improves visual capabilities over the traditional HMI graphics.
The idea behind the software came from a request by Southern Company Services, Inc., which had a vision of consistent HMIs and improved situational awareness in control rooms across its operating fleet.
“Southern Company is committed to proprietary research and development in order to deliver solutions to our company and the industry,” said Harvey Ivey, Southern Company Manager of Instrumentation and Controls Design and Support. “This particular software was originally created to streamline information displayed in control rooms across our generating fleet, significantly improving operator effectiveness.”
The methodology behind developing PowerGraphiX came from the book “The High Performance HMI Handbook” written by PAS Founder and Chief Executive Eddie Habibi and Principal Consultant for High Performance HMI Bill Hollifield.
The book addresses the use of color, pattern recognition, standardization and other principles to transform data into actionable information, providing operators with a more holistic view of plant operating conditions.
This is one way of addressing the long-standing industry desire for a less cluttered look for graphics.
Wednesday, February 12, 2014 @ 09:02 AM gHale
By Ellen Fussell Policastro
When you think about the automation, asset reliability and mechanical reliability we’ve been investing in our plants for the past 40 years, it’s no wonder we’ve designed in some pretty amazing technologies to boost overall plant reliability.
While the mechanical side has seen an upturn, the human side of reliability needs some work. The human side of reliability was the subject of Tuesday’s PAS-sponsored webinar, “Prevent incidents by improving operator situation awareness.”
“Plants used to shut down once a year to replace a valve or change out a pump seal because they would break on a regular basis,” said Mark Carrigan, vice president of technology at PAS in Houston, Tex., who gave a detailed overview of the root of the problem and how his team is improving human machine interface (HMI) technologies to bring the human side of reliability up a few notches. “Now plants run from five to seven years without a scheduled shutdown because we don’t break things like we used to.”
While overall asset management has improved, and we’re doing a good job on mechanical reliability, challenges remain. “We’ve seen exponential growth in complexity and integration with all these systems in place at a typical facility — doing more with less,” he said. “In the past, a typical refinery plant or chemical plant would have a lot more people producing less product. But when we reduced staff, we realized we could make more product with less people.”
But here’s the problem: There’s still a lack of visibility about vulnerabilities within our systems. “We constantly have to ask ourselves whether we should be working during the startup. Are we doing things potentially unsafe and increasing risks? That’s hard to measure and understand.”
Another difficulty is transferring and maintaining knowledge. With more people retiring, there’s a greater gap in the workforce. How do you make sure all that operational knowledge in the next five years is transferred to the upcoming group of workers?
Not managing these situations well has led to unintended consequences, Carrigan said. “An alarm flood could take place, or equipment could shutdown with an improperly managed change.”
Carrigan offered a few examples of how this can happen, one of which involved testing shutdown systems (testing pressure and measuring safety systems) while the plant was running. Because the plant was running, “they bypassed the SIS system, everyone signed off, and they continued with the test. As a result, they increased pressure, and the interlock tripped. The safety system was bypassed so it didn’t take action,” he said. The interlock signal was also used within the integrated control system; consequently, valves closed, the system shut down the plant, and the whole process caused an environmental incident. In this case, people made a change without understanding the consequences. “This is just one example of people not managing complex systems and understanding how the work they do can impact things,” he said.
Human Error, Airline Comparison
Within one graphic, Carrigan compared the rise and leveling off of safety within the automation control industry with that of the airline industry. “We can see a dramatic improvement in overall airline safety, but that improvement has leveled off over the past couple of decades. We can also see interesting trends. Those incidents attributed to human error have not seen nearly as much improvement,” he said.
While the airline and automation control industries are very different, they do have one thing in common — an operator sits in front of a screen, which conveys information about a process, and takes action to keep things on course.
“This type of reliability is hard for our industry,” he said. “But we can look at things, such as equivalent forced outage rate (EFOR) — the time the equipment is not operating as it is supposed to. There has also been an increase in reliability, which has flat-lined over the last several years. We can see better improvement in mechanical reliability but not human reliability,” he said. “This type of information is also less public for the oil and gas industry.”
Carrigan showed through an integrated platform demonstration how all these tools work together in a gas plant within a refinery — how operators and engineers can use an integrated platform to get information quickly to understand what’s taking place, which will allow them to make better and faster decisions.
His team built the example graphic in an HTML environment, so any system has the ability to integrate information from disparate sources. “As an operator, I have this alarm, and now I have to deal with it. So we want to deliver the information the operator needs. We’ve implemented this on many different kinds of control platforms. It’s easy to do. And it doesn’t impact your control network traffic at all,” he said. “By better designing the HMIs, I can help operators catch things while they are still small and help mitigate them. At a Level 3 graphic, you can see the trends — the bottom levels are going up and top levels are going down.”
The graphic allowed Carrigan to see more detail at the various pumps from the overhead and flow control and pressure controls. In his demo, he right-clicked on the alarm for a menu of available options to respond to it (inbound, loop sheets, control map, correlation matrix, and more). “I can see this is a process condition, so it doesn’t make sense to shelve the alarm. If I click on alarm details, I can get all the information I need to see the consequence of not responding is loss of controls,” he said. “So clearly, I need to respond. I can look at different potential causes. The controller is not in manual; it’s 100 percent open. That’s not what the problem can be. The next one is ‘valve stuck’ or ‘pump tripped.’ A bad instrument means I’m getting a bad reading. But that’s not the problem. Yet I do want to do further investigation on ‘valve stuck.’ But I need to understand more about operational limits. I’ve been told if I don’t respond, I’ll end up shutting the process down.”
After checking other options in the dropdown menu, Carrigan could see there was just a small amount of time before the process shut down. With each option, the operator can see more information. “I can also check the impact of making changes to the controller. I have pressure indicators, which let me see various outputs. So I know if I make a change, I will cause a problem to my APC application,” he said. “I have a complex loop, so I better be careful before making changes to the process controller. Next I need to know if there are any control problems with this loop or any performance problems, such as hysteresis.”
Finally, the operator can look at incident reports to discover whether he’s seen the same problem in the past. The incident report database ties everything back to the integrity database. “So we can bring those over to the platform as well,” he said. “We can see in June of last year there was an incident report of the very same thing — the controller was stuck. So we can put in a work order.”
All in all, systems are complex and interactive, and they come from so many different vendors, he said. “Perhaps with better HMI tools, there’s a chance to improve operational reliability so operators can get the information they need quickly — without having to look it up in five different places.”
Ellen Fussell Policastro is a freelance writer in Raleigh, NC.
Thursday, January 9, 2014 @ 03:01 PM gHale
Ecava Sdn Bhd created an update that mitigates the project directory information disclosure vulnerability in the IntegraXor application, according to a report from ICS-CERT.
Ecava Sdn Bhd IntegraXor 4.1.4360 and earlier suffer from the remotely exploitable vulnerability. ICS-CERT received the report from the Zero Day Initiative (ZDI), which got the details from security researcher “Alphazorx aka technically.screwed.”
An attacker can use a crafted URL to download certain files in the project directory, compromising the confidentiality of the system.
Ecava Sdn Bhd is a Malaysia-based software development company that provides the IntegraXor SCADA product. Ecava Sdn Bhd specializes in factory and process automation solutions.
The affected product, IntegraXor, is a suite of tools used to create and run a Web-based human machine interface (HMI) for a SCADA system. IntegraXor is deployed in several areas of process control in 38 countries, with the largest installations in the United Kingdom, United States, Australia, Poland, Canada, and Estonia.
IntegraXor does not properly restrict access to files in the project directory. An attacker may use a specially crafted URL to download project backup files from the system project directory without any authentication.
CVE-2014-0752 is the case number assigned to the vulnerability, which has a CVSS v2 base score of 7.5.
No known public exploits specifically target this vulnerability, however, an attacker with a low skill would be able to exploit this vulnerability.
Ecava Sdn Bhd issued a notification that details this vulnerability and provides mitigations to its customers. Ecava Sdn Bhd recommends users download and install the update, IntegraXor SCADA Server 4.1.4369.
For additional information, see Ecava’s vulnerability note.
Tuesday, January 7, 2014 @ 06:01 PM gHale
Advantech provided a free version upgrade that mitigates a Remote Procedure Call (RPC) vulnerability in the Advantech WebAccess and legacy BroadWin WebAccess software (WebAccess), according to a report on ICS-CERT.
This is a web browser based human-machine interface (HMI) product. The RPC vulnerability affects the WebAccess Network Service on Port 4592/TCP and allows remote code execution. Independent security researcher Rubén Santamarta found the vulnerability and released exploit code.
This vulnerability affects all versions of WebAccess prior to Version 7.1 2013.05.30, including all legacy versions of either Advantech WebAccess or BroadWin WebAccess.
The successful exploit of this vulnerability could allow an attacker to remotely execute arbitrary code.
Advantech/Broadwin WebAccess is a Web-based HMI product used in energy, manufacturing, and building automation systems. The installation base is across Asia; North, Central, and South America; North Africa; the Middle East; and Europe. WebAccess Client software is available for desktop computers and laptops running Windows 2000, XP, Vista, Server 2003, Windows 7, and Windows 8. A thin-client interface is available for Windows CE and Windows Mobile 5.0.
The vulnerability is a code injection flaw in the RPC handling of the WebAccess Network Service on 4592/TCP.
CVE-2011-4041 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 10.
An attacker can initiate this exploit from a remote machine without user interaction.
An exploit of this vulnerability went public and it requires a moderate level of skill to leverage it.
Advantech released a new version of WebAccess that mitigates this vulnerability. Users may upgrade to the latest version from any previous version of WebAccess at no charge. Download the latest version of WebAccess (V 7.1 2013.05.30) from the Advantech web site.
Advantech has also created a site to share additional information about WebAccess.
Prior to the release of this new version, customers using WebAccess should refer to security considerations recommended by Advantech in the WebAccess Installation Manual.
Wednesday, November 20, 2013 @ 06:11 PM gHale
Catapult Software created an update that fixes the improper input validation in its DNP3 Driver software, according to a report on ICS-CERT.
Adam Crain of Automatak and independent researcher Chris Sistrunk, who found the vulnerability, tested the updated software to validate that it resolves the vulnerability.
This driver sees use with General Electric (GE) Intelligent Platform’s Proficy iFIX and CIMPLICITY products.
The following Catapult Software products suffer from the remotely exploitable issue:
• Catapult Software DNP driver (“DNP”): Version 7.20.56
• Proficy human-machine interface/supervisory control and data acquisition (HMI/SCADA) – iFIX or CIMPLICITY servers with the vulnerable I/O Driver installed (this includes iFIX or CIMPLICITY installations that are part of Proficy Process Systems).
An HMI using this driver can be put into a denial-of-service (DoS) condition by a specially crafted transmission control protocol (TCP) packet sent from the outstation on an IP-based network. If the device connects via a serial connection, the same attack can occur with physical access to the outstation. The device must be shut down and then restarted to recover from the DoS.
New Zealand-based Catapult Software specializes in SCADA/HMI software development. The affected product, DNP 3.0 driver, sees use with GE Intelligent Platforms’ iFIX and CIMPLICITY products, which are Web-based SCADA/HMI systems. According to Catapult Software, the driver and SCADA systems deploy across several sectors, including oil and gas, water and wastewater, and electric utilities.
As this vulnerability affects Internet Protocol-connected and Serial-connected devices, there are two CVSS scores.
The Catapult Software DNP3 driver, used in the GE iFIX and CIMPLICITY products, does not validate input correctly. An attacker could cause the software to go into an infinite loop by sending a specifically crafted TCP packet, causing the process to crash.
CVE-2013-2811 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.
The Catapult Software DNP3 driver, used in the GE iFIX and CIMPLICITY products, does not validate input correctly. An attacker could cause the software to go into an infinite loop, causing the process to crash. The system must restart manually to clear the condition.
The following scoring is for serial-connected devices: CVE-2013-2823 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.7.
No known public exploits specifically target this vulnerability and an attacker with a moderate skill would be able to exploit this vulnerability.
An updated driver is available from Catapult Software. Installing Version 7.20.60 (GE IP 7.20k) of the DNP driver or newer will address this issue. The driver is available for download by registering for support.
In addition, the driver update is also available from GE.
The researchers suggest blocking DNP3 traffic from traversing onto business or corporate networks through the use of an IPS or firewall with DNP3-specific rule sets to add an additional layer of protection.
Thursday, October 10, 2013 @ 04:10 PM gHale
Invensys created an update that mitigates the improper input validation vulnerability in the Wonderware InTouch human-machine interface (HMI), according to a report on ICS-CERT.
Independent researchers Timur Yunusov, Alexey Osipov, and Ilya Karpov of the Positive Technologies Research Team discovered the vulnerability in the Wonderware InTouch application. The Positive Technologies Research Team tested the update to validate that it resolves the vulnerability.
The following Invensys Wonderware products suffer from the issue: InTouch HMI 2012 R2 and all previous versions.
Successful exploitation of this vulnerability could allow an attacker to affect the confidentiality and availability of the Invensys Wonderware InTouch.
Invensys is a global technology company that works with industrial, commercial, rail operators, and appliance operators, while operating in over 180 countries. Invensys develops software, systems, and equipment that enable users to monitor, automate, and control their processes.
The Invensys Wonderware InTouch HMI works across several sectors including critical manufacturing, energy, food and agriculture, chemical, and water and wastewater.
Wonderware InTouch HMI allows access to local resources (files and internal resources) via unsafe parsing of XML external entities. By using specially crafted XML files, an attacker can cause Wonderware InTouch HMI to send the contents of local or remote resources to the attacker’s server or cause a denial of service of the system.
CVE-2012-4709 is the number assigned to this vulnerability, which has a CVSS v2 base score of 6.3.
This vulnerability is not remotely exploitable and needs user interaction for any kind of exploit. The exploit triggers when a local user runs the vulnerable application and loads the malformed XML files.
No known public exploits specifically target this vulnerability and an attacker with a low skill would be able to exploit this vulnerability.
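The advisory above describes the two outcomes of unsafe XML external entity parsing: disclosure of local or remote resources, and denial of service through entity expansion. The pre-parse check below is an added example, not Invensys or Wonderware code; it inspects an untrusted XML file's DOCTYPE before the file reaches a parser, rejects external DTDs, external general entities and parameter entities, and estimates how far the body's entity references would expand so that expansion bombs are rejected too. All sample documents are constructed, and the file path in the external-entity sample is a placeholder.

```python
import re

# DOCTYPE with an optional external identifier and an optional internal subset.
DOCTYPE_RE = re.compile(
    r"<!DOCTYPE\s+(?P<root>[^\s\[>]+)(?P<ext>[^\[>]*)(?:\[(?P<subset>.*?)\])?\s*>",
    re.DOTALL)
# <!ENTITY [%] name (SYSTEM ... | PUBLIC ... | "literal value")>
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<pe>%\s+)?(?P<name>[^\s%>]+)\s+(?P<rest>[^>]*)>", re.DOTALL)
LITERAL_RE = re.compile(r"""^(?:"([^"]*)"|'([^']*)')""")
REF_RE = re.compile(r"&([^\s;&<]+);")  # general entity reference


def _value_size(name, internal, memo, active):
    """Length of internal entity `name` after full expansion; raises on recursion."""
    if name in active:
        raise ValueError(f"recursive entity reference: {name}")
    if name not in memo:
        active.add(name)
        value, size, last = internal[name], 0, 0
        for m in REF_RE.finditer(value):
            size += m.start() - last               # literal text before the reference
            ref = m.group(1)
            size += (_value_size(ref, internal, memo, active)
                     if ref in internal else len(m.group(0)))  # unknown: left as written
            last = m.end()
        memo[name] = size + len(value) - last
        active.discard(name)
    return memo[name]


def inspect_xml(doc, max_expansion=100_000):
    """Inspect an untrusted XML document before handing it to a parser.

    The verdict is 'reject' if the DOCTYPE names an external DTD, declares
    external general entities or parameter entities, or if the body's entity
    references would expand to more than max_expansion characters."""
    findings = {"external_dtd": False, "external_entities": [],
                "parameter_entities": [], "expansion": 0, "verdict": "accept"}
    internal, body = {}, doc
    m = DOCTYPE_RE.search(doc)
    if m:
        body = doc[m.end():]
        findings["external_dtd"] = bool(re.search(r"\b(SYSTEM|PUBLIC)\b", m.group("ext")))
        for e in ENTITY_RE.finditer(m.group("subset") or ""):
            name, rest = e.group("name"), e.group("rest").strip()
            if e.group("pe"):
                findings["parameter_entities"].append(name)
            elif rest.startswith(("SYSTEM", "PUBLIC")):
                findings["external_entities"].append(name)
            else:
                lit = LITERAL_RE.match(rest)
                if lit:
                    internal[name] = lit.group(1) if lit.group(1) is not None else lit.group(2)
    try:
        memo, active = {}, set()
        findings["expansion"] = sum(_value_size(r.group(1), internal, memo, active)
                                    for r in REF_RE.finditer(body) if r.group(1) in internal)
    except ValueError:
        findings["expansion"] = float("inf")  # recursive definitions never terminate
    if (findings["external_dtd"] or findings["external_entities"]
            or findings["parameter_entities"] or findings["expansion"] > max_expansion):
        findings["verdict"] = "reject"
    return findings


# Constructed sample documents (not taken from any real project file).
BENIGN = '<?xml version="1.0"?><Project name="Line1"><Tag>PT-101</Tag></Project>'
EXTERNAL = ('<?xml version="1.0"?>'
            '<!DOCTYPE Project [<!ENTITY cfg SYSTEM "file:///placeholder/local.conf">]>'
            '<Project><Tag>&cfg;</Tag></Project>')
RECURSIVE = '<!DOCTYPE a [<!ENTITY x "&y;"><!ENTITY y "&x;">]><a>&x;</a>'


def expansion_bomb(depth=5, fanout=10):
    """Build a constructed nested-entity document: depth 5, fanout 10 expands to 300000 chars."""
    ents = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        ref = f"&lol{i - 1};"
        ents.append(f'<!ENTITY lol{i} "{ref * fanout}">')
    return f'<!DOCTYPE a [{"".join(ents)}]><a>&lol{depth};</a>'


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("external", EXTERNAL),
                       ("recursive", RECURSIVE), ("bomb", expansion_bomb())):
        print(label, inspect_xml(doc))
```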
Instructions and a link to the application update are on the Invensys download page.
Any machine running InTouch 2012 R2 or earlier versions suffers from the issue, according to Invensys. Users should install the update using instructions provided in the ReadMe file for the product and component installed. Invensys recommends users:
1. Read the installation instructions provided with the patch.
2. Shut down any of the affected software products.
3. Install the update.
4. Restart the software.