ISSSource White Papers

Posts Tagged ‘Invensys’

Friday, August 21, 2015 @ 05:08 PM gHale

By Gregory Hale
Ernie Rakaczky would just laugh and shrug his shoulders if he heard this, but he truly was a pioneer in the industrial security sector.

I can remember to the day where we were when I broached the subject of starting up a news web site focused on safety and security to Ernie. He was quick to point out where the industry was, where it was headed and who are some of the leaders. His passion for security was unparalleled.

At a user group conference back in the Invensys days after the ISSSource site launched, a few years before Schneider Electric bought the process control giant, Ernie was sitting with a few editors and he was talking about some event that shed more light on why security was so important and you could just see how he was ready to take on the fight of raising awareness throughout the industry. It was a fight he fought for a long time and he kept pushing, knowing how important the battle was. And even after an illness started taking control, he was still making calls and answering emails.

After a big management change at Invensys years ago, he called up one time knowing I had just ended an interview with one of the top executives. Ernie just started off the conversation asking if I had mentioned to the exec the importance of cyber security in the industry. He was always fighting the battle.

Ernie also talked about how the IT world needed to work with OT and his work with the IT companies like McAfee (know Intel Security) helped get both genres involved in the game to help end users remain secure, whether they knew they had to or not.

Security industry Pioneer, Ernie Rakaczky.

Security industry Pioneer, Ernie Rakaczky.

He truly was a security evangelist in the days at Invensys and throughout the industry when security was a foreign subject. He knew, however, it was going to be top of mind and an important factor for all users moving forward.

In the work world, you meet people, but you are always thinking about getting the job done. Deadlines, deals, innovating, whatever the task at hand, and the people aspect often ends up forgotten. That is wrong and everyone needs to understand there are some quality people that help run businesses and they make an impact on our lives every day.

Ernie Rakaczky died Wednesday after a long illness, but his legacy in the industry will continue on forever.

Ernie Rakaczky: Job well done.

Wednesday, October 16, 2013 @ 10:10 AM gHale

By Gregory Hale
Whether it is maintenance, operations or engineering on the plant floor, there is a business angle missing for most manufacturers that would help add true value to the bottom line.

Yes, the technical aspects are all accounted for, but how about real business metrics that can help solidify the end goal, which is to make, and grow, a profit.

Invensys: Security Awareness on Rise
Invensys Deals for HMI Provider
Invensys: Compliance and Security
Invensys: Safety Pays
Invensys: Foxboro Evo Integrates Safety

“Whenever an engineer or operator or maintenance worker makes a decision, it either creates wealth or destroys wealth,” said Peter Martin, Ph.D, vice president, business value solutions, for the Software and Industrial Automation division of Invensys said during his talk Tuesday at Invensys Software Conference and Tech Support Symposium in Dallas, TX. “We have an island mentality, we specialize so much, we can’t talk to each other. We have a huge level of talent and we don’t use it.

That island mentality exists and part of the problem is everyone needs to bridge the gap and be able to work together. Technology is there, but that can also cause the schism.

“We can’t use technology as an excuse,” Martin said. “The islands of technology exist because we created it. Maintenance and operators have no incentive to work together.”

Often times the maintenance folks work toward maximizing availability, while operators maximize utilization. That means the goals sometimes clash and that can lead to different results.

Martin said life in the plant was much different in the 70s through the 90s where all everyone worried about was just keeping the plant running. From the 90s to the early 2000s, it was about optimizing the plant. From 2010 on it is all about optimizing the business.

“If you can’t prove you created value,” Martin said, “you haven’t created value.” That means manufacturers have to get down to the basics and understand what they are there for. They are making a product, so the company and make a profit. That also means they have to learn to measure business values and metrics in real time.

After all, Martin said, “if you can’t measure something, you can’t control it.” That saying usually applies to process control, but it also works for the business environment.

“We used to work in an environment where costs were stable,” Martin said. “The speed of business has changed from being highly stable to real time.”

One case in point, Martin said, was the cost of electricity. That cost used to be stable and was not highly variable. Now, however, the cost can change as quickly as every 5 minutes, he said.

There are four drivers hitting manufacturers they need to address:
• Globalization
• Market dynamics
• Aging industrial environment
• Increasing regulatory pressures

While manufacturers have the process aspect down where they know production has various costs associated with it like energy and materials to make the product.

But from the business perspective there are dynamic performance measures that flow down into strategic indicators that can lead to key performance indicators for manufacturing or real time accounting measures on the business side.

The catch is no one views the accounting measures on a daily or weekly basis. With variables such as electricity changing on a daily basis, how can a manufacturer get all the costs under control? The answer is to find a way to measure them on a daily basis.

The CFO is dealing with financial measurement but also needs to look at real time performance measures and then activity based management which can give him or her a good indication of how the business is operating on a daily basis.

Understanding how the manufacturing enterprise is running on a daily basis from a production standpoint and a business standpoint is not a pipe dream, it can be a reality.

“We have to break those islands down,” Martin said. “We need the right measures to drive improvement.”

Tuesday, October 15, 2013 @ 06:10 PM gHale

By Gregory Hale
Levels of cyber security awareness just keep increasing throughout the industry.

“From 2006 when I first started at Invensys people were talking about firewalls and how that made them secure,” Doug Clifton said Tuesday during the Invensys Software Conference and Tech Support Symposium in Dallas, TX. “From 2006 to today you can just see the increase in awareness. The thought process is changing to thinking about installing applications.”

Invensys Deals for HMI Provider
Invensys: Compliance and Security
Invensys: Safety Pays
Invensys: Information in Context
Invensys: Foxboro Evo Integrates Safety

With all the big attacks in the news like Stuxnet, Night Dragon and Shamoon, security awareness obviously has grown with security professionals, but the good news is it has also risen with the rank and file workers on the plant floor.

“You are hearing about security more than just at work,” said Clifton, director of Invensys Operations Management’s Critical Infrastructure Security Practice. “Just yesterday, my kids’ school sent home a note about cyber security. So, it is all around us. Awareness is there.”

“When I started, security was all about being an insurance policy. Today we can also make the network performance much better. The goal is to protect the network from various things – even themselves.”

There are companies that talk about security compliance and some that talk about tactical solutions, but Clifton said they should be somewhere in between where they are compliant to best practices and standards.

As the awareness increases, some people will talk about doing a penetration test to attack a system to find weaknesses. But Clifton talks about doing a vulnerability assessment.

“We want to get the basics introduced,” he said. “After a while we may get to the point of doing a penetration test, but we are not there yet. We want to bring in best practices. We don’t want to focus on the big monster of NIST standards. We want to deal with the basics on how you can protect yourself without breaking the bank. We find we have clients that are not sure what they have that needs protecting.”

He talked about one case where he went into a manufacturer and they told him they were not sure why they needed security at all. They were a small company that was producing a simple product. As it turned out they were making a good bit of revenue off a new type of coating that would ensure their customers would only have to apply it once a year instead of the usual twice a year. That, they said, would save their customers time and money. Clifton then told them, wouldn’t you want to ensure your intellectual property – in this case an industry leading product – would stay in your possession and not fall into the hands of a competitor. That is when they understood why then needed a security program.

“Securing intellectual property is pretty fundamental along with safety of personnel. Not enough people give credence to security intellectual property.”

Yes awareness is on the increase, but often times Clifton and his team have to go into a user and just sit down and have a conversation on their objectives.

Security will mean there will be changes, and it will not be business as usual. The main goal is to not add in levels of complexity. We want to take it and make it more robust and create an environment that is not impactful to their work.

“Going from zero to secure is a pretty big step,” he said. “There are intermittent goals along the way. It is a journey. The further along they are in the journey, the better the questions they ask.”

Thursday, October 10, 2013 @ 04:10 PM gHale

Invensys created an update that mitigates the improper input validation vulnerability in the Wonderware InTouch human-machine interface (HMI), according to a report on ICS-CERT.

Independent researchers Timur Yunusov, Alexey Osipov, and Ilya Karpov of the Positive Technologies Research Team discovered the vulnerability in the Wonderware InTouch application. The Positive Technologies Research Team tested the update to validate that it resolves the vulnerability.

Alstom Patches Software Vulnerability
Additional Patches for Rockwell
Philips Fixes Buffer Overflow
Bug in Siemens SCALANCE X-200

The following Invensys Wonderware products suffer from the version: InTouch HMI 2012 R2 and all previous versions.

Successful exploitation of this vulnerability could allow an attacker to affect the confidentiality and availability of the Invensys Wonderware InTouch.

Invensys is a global technology company that works with industrial, commercial, rail operators, and appliance operators, while operating in over 180 countries. Invensys develops software, systems, and equipment that enable users to monitor, automate, and control their processes.

The Invensys Wonderware InTouch HMI works across several sectors including critical manufacturing, energy, food and agriculture, chemical, and water and wastewater.

Wonderware InTouch HMI allows access to local resources (files and internal resources) via unsafe parsing of XML external entities. By using specially crafted XML files, an attacker can cause Wonderware InTouch HMI to send the contents of local or remote resources to the attacker’s server or cause a denial of service of the system.

CVE-2012-4709is the number assigned to this vulnerability, which has a CVSS v2 base score of 6.3.

This vulnerability is not remotely exploitable and needs user interaction for any kind of exploit. The exploit triggers when a local user runs the vulnerable application and loads the malformed XML files.

No known public exploits specifically target this vulnerability and an attacker with a low skill would be able to exploit this vulnerability.

Instructions and a link to the application update are on the Invensys download page.

Any machine running InTouch 2012 R2 or earlier versions suffers from the issue, according to Invensys. Users should install the update using instructions provided in the ReadMe file for the product and component installed. Invensys recommends users:
1. Read the installation instructions provided with the patch.
2. Shut down any of the affected software products.
3. Install the update.
4. Restart the software.

Tuesday, September 24, 2013 @ 02:09 PM gHale

Automation industry giant, Invensys, dealt for HMI and embedded device software provider, InduSoft.

Headquartered in Austin, Texas, and founded in 1997, InduSoft has over 250,000 HMI software licenses with more than 700 users worldwide, primarily industrial computer manufacturers and machine and system builders, who embed InduSoft’s software into their products.

Invensys: Compliance and Security
Invensys: Safety Pays
Invensys: Merger with Schneider on Track
Invensys: Information in Context
Invensys: Foxboro Evo Integrates Safety

“The acquisition of InduSoft represents the continuing execution of our strategy to strengthen our portfolio through inorganic means, enabling us to target additional segments across our portfolio,” said Ravi Gopinath, president of Invensys’ software business.

The acquisition strengthens and broadens Invensys’ software solutions portfolio, especially in the embedded HMI segment, Gopinath said.

“Combined with Invensys’ existing software offerings, our capabilities and expertise in the OEM and machine-building segments allow us to provide a broader, end-to-end HMI, SCADA and MES solution to our customers,” said Marcia Gadbois, president of InduSoft. “Together, our software tools will make it easier for them to integrate their information and automation systems.”

“With InduSoft we can now offer everything from basic embedded HMI devices to manufacturing operations, asset management and ERP integration,” said Norm Thorlakson, vice president, HMI and supervisory software and solutions, Invensys. “Wonderware users will now be able buy industrial devices, machines and computers with InduSoft software, while companies that are using InduSoft software will be able to expand their solutions with Wonderware supervisory, historian and manufacturing operations management software.”

InduSoft will continue with its existing executive team. Terms of the deal were not immediately available.

Meanwhile, Invensys’ $5.2 billion pending merger with Schneider Electric is still on for a closing either by the end of this year or early next year, said Invensys President and Chief Executive Mike Caliel at the Foxboro & Triconex Global Client Conference ‘13 in San Antonio, TX, earlier this month.

“Schneider made an offer and the Invensys board will recommend the takeover,” Caliel said. “Hopefully, the deal will close by the end of the year or early next year.”

Wednesday, September 18, 2013 @ 12:09 PM gHale

By Gregory Hale
Todd Mortensen II used to be an IT professional, but not any more.

At least that is what his bosses told him as he was learning and working as a senior network specialist at PNM’s coal-fired San Juan Generating Station in Albuquerque, NM.

Invensys: Safety Pays
Invensys: Merger with Schneider on Track
Invensys: Information in Context
Invensys: Foxboro Evo Integrates Safety

That was all part of the learning process he talked about during his discussion on “Lessons Learned when Compliance, Cyber Security and a Control System Mix,” during the Foxboro & Triconex Global Client Conference ’13 in San Antonio, TX last week.

“You can hire IT people. It is all right, we don’t bite,” Mortensen said. “We understand controls much better. You just need to make sure they get the right training. I was an IT guy, but I am told I am not IT any more.”

PNM serves 498,700 electricity customers statewide and also sells electricity on the wholesale market and is New Mexico’s largest electricity provider.

As a part of meeting compliance rules and maintaining a secure platform, Mortensen talked about some of what the company is working with, like a multiple mesh unit; 8.4.3 upgraded to 8.7 of mesh secure; NERC CIP v3 compliant, prepping for v5; individual operating accounts; event monitoring, whitelisting/malware software prevention; off the shelf thin clients; McAfee EPO; patching programs and Information Protection Procedures (IPP) for USB drives.

When dealing with compliance issues, Mortensen said he worked with his supplier and they had some helpful items like their documents site and a security enhancement guide among other items. Yes, they need secure products, but they also needed a plan.

“Secure products will not make you compliant,” said Doug Clifton, director of Critical Infrastructure and Security Practice (CISP) at Invensys. “There are other things that you have to do.”

“Cyber security regulations will not go away,” Mortensen said. “Whenever you do cyber security you will need a lot of time, money and resources.” In addition, he said, “you will need backing from the executive level all the way to the back line.”

While that works, sometimes there just is not a ton of experience found in plants dealing with how to work with standards, so Mortensen said there is no need to work in a vacuum.

“You can always use outside firms that have the experience working with these standards,” he said. “You need to be ahead of the game.”

One of the keys, though, is to train these outside contractors in how your company works and deals with various issues because in the end, “you are responsible for your compliance and your cyber security.”

Here are some tips Mortensen suggested when working with contractors:
• Ensure you lead
• Have people that can look at their own work and see if it is done correctly
• See if they have experience with standards and rules that you have to comply with
• Ensure they have experience securing systems like yours

Mortensen did say NERC CIP compliance forced his company to ensure a secure environment.

“Compliance can be a stepping stone to security, but it is not security,” he said.

Wednesday, September 11, 2013 @ 09:09 AM gHale

By Gregory Hale
The process safety mindset is changing to where users now understand safety can really add benefit to the bottom line.

If a company is truly smart about safety and focuses on what they have to do, remain vigilant and is a top tier organization, they should realize a five percent gain in productivity, said Steve Elliott, director of Triconex product management during his Tuesday talk at the Foxboro & Triconex Global Client Conference ’13 in San Antonio, TX.

Invensys: Merger with Schneider on Track
Invensys: Information in Context
Invensys: Foxboro Evo Integrates Safety
Security Comm Schism with Execs

In addition, he said, a company employing a solid safety program could see a three percent reduction in production costs, five percent reduction in maintenance costs, 20 percent reduction in insurance and a one percent reduction in capital budget. Those statistics come from the Center for Chemical Process Safety.

While numbers show what a company could gain, Elliott said accidents are still happening.

“Process safety incidents are not decreasing at the same rate as occupational safety,” he said. “We are starting to see more visibility of process safety in the market.”

One of the issues, however is not about technology, but who is using it.

“We focus on technology all the time. You can have the best technology in the world, but if you don’t use is properly, it is not going to help you at all.”

Through advances in technology, users today are getting a flash flood of information and they can end up paralyzed with data overload. That is why the goal now is to “give more contextual information to give more information to the right people at the right time.”

While Triconex is celebrating its 30th year, Elliott said “when you look at the last 30 years, quite a few things all around us have changed, but the core technology of Triconex system still remains.”

Part of that technology allowed for sharing of information to ensure a system stays on track and everyone understands the risk. But understanding that risk starts at the beginning, not when a process is running.

“You need to know and understand the risks when the system is in design mode,” he said. “Use that information to start getting a view of the risks a user has to manage.”

Basis of safety design:
• Continuously safety reliable production
• Fewer personnel to manage and maintain SIS operations
• Extend SIS lifecycle
• Faster SIS startup cycle
• Lower network infrastructure and maintenance
• Low total cost of ownership

You can’t have a discussion about safety without talking about security and Elliott said it is important to secure the hardware for the safety integrated system (SIS) and engineering workstations.

“It is a must harden the engineering workstations and not just the safety systems themselves. The goal is highly secure safety hardware and software.”

The trend right now in safety is to focus on integrated but independent safety system. That is part of the discussion with Invensys’ new launch of Foxboro Evo automation control system, which integrates safety.

While the new system integrates safety, Elliott said Triconex will produce safety systems as standalone systems as they have for years, or they will produce an integrated system.

“Integrated systems goes back to the 1990s,” Elliott said. “Triconex was a node on the Foxboro and Honeywell systems. So, integrated is not really new.”

When it comes to choosing a safety system, Elliott said it is really up to the user. “There is no right and no wrong. We have one customer that uses separate safety system upstream and the same customer uses an integrated system downstream.”

Tuesday, September 10, 2013 @ 07:09 PM gHale

By Gregory Hale
One of the big questions going into the Foxboro & Triconex Global Client Conference ‘13 here in San Antonio is talk about Invensys’ $5.2 billion pending merger with Schneider Electric.

“There has been a lot of talk about this out in the industry and I just want to set the record straight. Schneider made an offer and the Invensys board will recommend the takeover,” said Invensys President and Chief Executive Mike Caliel. “Hopefully, the deal will close by the end of the year or early next year.”

Invensys: Information in Context
Invensys: Foxboro Evo Integrates Safety
Security Comm Schism with Execs
IT Report: Security Still Lacking

He then said by law, there is quite a bit he cannot say. Right now they are two separate companies and they are operating as such, however, the synergies between the two show great potential to go to market from the discrete and processes angles.

While the discussion of Schneider’s history of takeovers is suspect, Invensys leaders are saying they are seeing very good signs of what the combined company will be able to do.

While a full integration of the two companies can take by estimates 18 months to two years, the thought is for end users, business should pretty much remain the same for a period of time.

Invensys even showed a video from Jean-Pascal Tricoire, Schneider’s chief executive, who said he was happy to learn about the new Evo system and is looking forward to moving forward with Invensys.

Tuesday, September 10, 2013 @ 07:09 PM gHale

By Gregory Hale
Information is coming at automation professionals at greater levels than ever before and believe it or not it could lead to indecision or bad decisions. That indecision can end up leading to greater potential for a safety incident.

That is why the greater the information, that data needs to come across with a higher degree of context so engineers, operators and maintenance workers can make proper decisions in real time, said Mike Caliel, president and chief executive of Invensys during his keynote address at the Foxboro & Triconex Global Client Conference ’13 in San Antonio, TX.

Invensys: Foxboro Evo Integrates Safety
Security Comm Schism with Execs
IT Report: Security Still Lacking
Cyber Alert: Attackers in Driver’s Seat

“Systems today provide exponentially a higher level of data than ever and that may not be helping, Caliel said. “Information overload is becoming more prevalent.”

People, he said, will want to make a decision, but without seeing that data on proper context, workers may end up being slowing in moving or not moving at all and that can lead to problems.

That is where the new Foxboro Evo system comes into play. Invensys launched the system at the conference and it is their next step to giving more context and value to manufacturing automation users.

“We believe the speed of business technology will continue to increase,” said Peter Martin, Invensys vice president business value solutions who also spoke during the opening session at the conference. “We believe safety and cyber security will continue to be in demand. With fewer people working in industrial plants, each person will need to work with increased productivity.

Through a video message, Jean-Pascal Tricoire, Schneider’s chief executive, said he was happy to learn about the new Evo system and is looking forward to moving forward with Invensys.

Tuesday, September 10, 2013 @ 04:09 PM gHale

By Gregory Hale
Invensys released its next-generation process automation system called Foxboro Evo, which is integrating safety into the control system.

The system has advanced tools and applications and a cyber secure hardware platform, and it integrates the company’s Triconex safety system.

Security Comm Schism with Execs
IT Report: Security Still Lacking
Cyber Alert: Attackers in Driver’s Seat
Biggest Security Threat: Employees

“This new system can help eliminate barriers to success,” said Gary Freburger, president of Invensys’ systems business during his keynote address at the Foxboro & Triconex Global Client Conference ’13 in San Antonio, TX. “This changes every function within the operation. It can reduce risk, reduce costs and reduce time.”

The Foxboro Evo process automation system comes from Foxboro I/A Series and Triconex technology. The one thing everyone at the conference went to great lengths to say is this system is, and will be, compatible with existing Foxboro systems already out there. So, when they need to, legacy systems can migrate up to the Evo system in step-change fashion.

This new system comes out with the global automation environment continuing to evolve into a cohesive unit with the enterprise.

“We have seen complexity increase with collaboration all over the world, and we think that will intensify,” Freburger said. “We know we have a changing workforce with young engineers coming in and older ones leaving and this system will allow workers to have to opportunity to make decisions quickly.”

The Foxboro Evo system includes a high-speed controller, field device management tools, a maintenance response center, an enterprise historian, 1-n redundancy and cyber security hardening.

One of the benefits Invensys is touting is safety and security workers should gain from the integrating control and safety, which enables sharing of operational information while keeping the safety system functionally isolated. The other bonus was talk about the levels of security that go into place before any product hits the users’ hands.

“We recognize (users) have a set of challenges and one of them is a more formal way to report safety issues. We are committed to make safety more visible,” Freburger said.

But in the end, since users do not jump from system to system easily. It takes years if not decades to make changes. That is why Freburger said this is one way to future proof the investment in a system.
“We will always make sure there is a path to the new technology,” he said. “We will never leave anyone behind.”

Archived Entries