Posts Tagged ‘Invensys’
Thursday, May 9, 2013 @ 12:05 PM gHale
Invensys created an update that mitigates multiple vulnerabilities that impact the Invensys Wonderware Information Server (WIS) software, according to a report on ICS-CERT.
Researchers Timur Yunusov, Alexey Osipov, and Ilya Karpov of the Positive Technologies Research Team, who found the vulnerabilities, tested the update and validated that it fixes the remotely exploitable issues.
Exploitation of these vulnerabilities could impact systems deployed in the critical manufacturing, energy, food and beverage, chemical, and water and wastewater sectors.
The following Invensys WIS versions suffer from the issue: WIS 4.0 SP1SP1 and 4.5 – Portal, and WIS 5.0 – Portal.
Successful exploitation of these vulnerabilities could allow an attacker to execute remote code, disclose information, or perform session credential hijacking of WIS.
Invensys works with industrial, commercial, rail operators, and appliance operators in over 180 countries. Invensys develops software, systems, and equipment that enable users to monitor, automate, and control their processes.
The Invensys WIS software sees use in the critical manufacturing, energy, food and beverage, chemical, and water and wastewater industries.
WIS provides industrial information content including process graphics, trends, and reports on a single Web page. WIS Web clients allow access to real-time dashboards, predesigned reports of industrial activities, and provide analysis or write back capabilities to the process.
One of the vulnerabilities enables an attacker to inject client-side script into Web pages viewed by other users or bypass client-side security mechanisms imposed by modern Web browsers. This vulnerability, if exploited, could allow arbitrary code execution and may require social engineering to exploit.
CVE-2013-0688 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
Another vulnerability could allow an attacker to perform database operations unintended by the Web application designer and, in some instances, can lead to total compromise of the database server. This vulnerability, if exploited, could allow arbitrary code execution.
CVE-2013-0684 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
WIS allows access to local resources (files and internal resources) via unsafe parsing of XML external entities. By using specially crafted XML files, an attacker can cause WIS to send the contents of local or remote resources to the attacker’s server or cause a denial of service (DoS) of the system.
CVE-2013-0686 is the number assigned to this vulnerability, which has a CVSS v2 base score of 6.3.
WIS does not properly restrict the size or amount of resources requested, allowing the attacker to consume more resources than intended. This vulnerability, if exploited, could allow remote code execution and DoS.
CVE-2013-0685 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
To date, there are no public exploits that specifically target these vulnerabilities, and an attacker with medium skill would be able to exploit them.
Invensys has developed an update to the WIS software that mitigates these vulnerabilities. The update is available from the Invensys download page.
Invensys said users running any machine with one or more of the products listed should apply the patch. No other components of the WIS installed products have an issue. Users should install the update using instructions provided in the ReadMe file for the product and component they are installing. Invensys recommended that users set the security level in their Internet browser to “Medium – High” to minimize the risks presented by these vulnerabilities.
Friday, March 22, 2013 @ 06:03 PM gHale
Invensys has a patch for a vulnerability that impacts the Wonderware Win-XML Exporter, according to a report on ICS-CERT.
Independent researchers Timur Yunusov, Alexey Osipov, and Ilya Karpov of the Positive Technologies Research Team discovered an improper input validation vulnerability in the Win-XML Exporter. The Positive Technologies Research Team validated that the patch fixes the vulnerability.
Exploitation of this vulnerability could impact systems deployed in the critical manufacturing, energy, food and beverage, chemical, and water and wastewater sectors.
Win-XML Exporter Version 1522, 148, 0, 0, and possibly earlier versions suffer from the issue.
Successful exploitation of this vulnerability could allow an attacker to affect the confidentiality and availability of the Wonderware Win-XML Exporter.
Invensys develops software, systems, and equipment that enable users to monitor, automate, and control their processes. The Invensys Wonderware Win-XML Exporter sees use in industries worldwide, including critical manufacturing, energy, food and beverage, chemical, and water and wastewater.
The Wonderware Win-XML Exporter converts interface windows from InTouch HMI projects and displays them in Internet Explorer with the help of Wonderware Information Server.
Wonderware Win-XML Exporter allows access to local resources (files and internal resources) via unsafe parsing of XML external entities. By using specially crafted XML files, an attacker can cause Wonderware Win-XML Exporter to send the contents of local or remote resources to the attacker’s server or cause a denial of service of the system.
CVE-2012-4710 is the number assigned to this vulnerability, which has a CVSS v2 base score of 6.3.
This vulnerability is not exploitable remotely and cannot suffer exploitation without user interaction. The exploit triggers when a local user runs the vulnerable application and loads the malformed XML files.
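The trigger described above, a crafted XML file that declares external entities and is then loaded by the application, can be screened for before the file reaches a vulnerable parser; the same check applies to the WIS issue (CVE-2013-0686). The following is an added example, not Invensys code and not part of the ICS-CERT report; the function names, the quarantine policy and the sample documents are constructed for illustration.

```python
import xml.parsers.expat as expat


class _PrologDone(Exception):
    """Raised at the root element to stop parsing before any content."""


def screen_xml(data):
    """Return a list of (kind, name, system_id) findings for the XML prolog.

    An empty list means the document declares no DTD and no entities.
    """
    findings = []
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # system_id is set when the DOCTYPE points at an external DTD subset.
        findings.append(("doctype", name, system_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        # External entities carry a system identifier; internal ones a value.
        kind = "external-entity" if system_id is not None else "internal-entity"
        if is_param:
            kind = "parameter-" + kind
        findings.append((kind, name, system_id))

    def on_root(name, attrs):
        # Declarations can only appear before the root element, so stop here.
        # Entity references in the document body are never reached.
        raise _PrologDone()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_root
    # No ExternalEntityRefHandler is installed: nothing is fetched or opened.
    try:
        parser.Parse(data, True)
    except _PrologDone:
        pass
    except expat.ExpatError as exc:
        findings.append(("malformed", str(exc), None))
    return findings


def verdict(data):
    """Policy assumed here: any DTD, entity or parse error means quarantine."""
    return "quarantine" if screen_xml(data) else "load"


# Constructed sample documents (not taken from any Invensys product).
CLEAN = b'<?xml version="1.0"?><window name="Main"><tag>Level</tag></window>'
WITH_EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE window [<!ENTITY xxe SYSTEM "file:///EXAMPLE-LOCAL-FILE">]>'
    b'<window>&xxe;</window>'
)
WITH_EXTERNAL_DTD = (
    b'<!DOCTYPE window SYSTEM "http://dtd.example.invalid/w.dtd"><window/>'
)

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN),
                       ("external entity", WITH_EXTERNAL_ENTITY),
                       ("external DTD", WITH_EXTERNAL_DTD)]:
        print(label, verdict(doc), screen_xml(doc))
```

The findings list doubles as a log record: the system identifier shows which local or remote resource the file was trying to reference.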
No known public exploits specifically target this vulnerability. An attacker with medium skill would be able to exploit this vulnerability.
Instructions and a link to the update are on the Invensys download page. Invensys said any machine running one or more of the products listed should download the patch. No other components of the Wonderware installed products suffer from the problem. Users should install the update using instructions provided in the ReadMe file for the product and component installed.
Invensys recommends users:
• Read the installation instructions provided with the patch
• Shut down any of the affected software products
• Install the update
• Restart the software
Friday, December 14, 2012 @ 06:12 PM gHale
Mitigations are available for a vulnerability that impacts Siemens ProcessSuite and Invensys Wonderware InTouch products, according to a report on ICS-CERT.
Mitigations are available for an insecure password storage vulnerability in Siemens ProcessSuite and Invensys Wonderware InTouch applications.
On one hand, Siemens said ProcessSuite is an outdated system and they cannot issue an update to match current security requirements. Instead the company recommends upgrading to a more recent human-machine interface (HMI).
On the other hand, Invensys recommends using Windows integrated security rather than the InTouch security subsystem, but has created a new patch to mitigate this vulnerability.
Successful exploitation of this vulnerability, discovered by researcher Seth Bromberger of NCI Security, LLC and independent researcher Slade Griffin, can allow an attacker to log in to the system as a privileged user and take over the application.
All versions of Siemens ProcessSuite suffer from the issue. Siemens said ProcessSuite was phased out in 2005 and completely discontinued in 2010. Customers using SIMATIC PCS7 / APACS+ OS are not affected.
The following Invensys Wonderware InTouch versions suffer from the issue: Wonderware InTouch 2012 R2 and previous. Wonderware applications that use Windows Integrated security or ArchestrA security do not have the problem.
An attacker with read permissions to the password file can decrypt it and obtain all usernames and passwords, allowing them to log on as a privileged user and take over the application.
ProcessSuite is a part of a Distributed Control System “APACS+” from Moore Products Inc., which Siemens acquired in 2000. Siemens ProcessSuite is based on Wonderware InTouch V7.11 and uses similar authentication mechanisms. Siemens no longer supports ProcessSuite.
ProcessSuite is used across several sectors including manufacturing, oil and gas, chemical, and others. Siemens estimates that these products are used primarily in the United States and Canada.
InTouch is an HMI created by Invensys Wonderware used for designing, building, deploying, and maintaining applications for manufacturing and infrastructure operations.
The affected software stores user management information, including passwords, in a reversible format in the file “Ps_security.ini”. An attacker with read permissions to this local file can obtain the passwords, log in as a privileged user, and potentially affect the availability, integrity, and confidentiality of the system. CVE-2012-4693 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.
An attacker would need local access to the password file to be able to exploit this vulnerability. An attacker with low skill would be able to exploit this vulnerability.
Wednesday, October 17, 2012 @ 07:10 AM gHale
By Gregory Hale
Knowledge leads to total protection.
That protection stems from effective, efficient and timely sharing of critical knowledge. “A vulnerability is shared in real time,” said Chris Blask, founder and chief executive of ICS Cybersecurity and chair of the ICS-ISAC during his session Tuesday at the Industrial Control Systems Joint Working Group (ICSJWG) meeting in Denver, CO.
“It is possible to gather all the details and then put it in context and share with other centers,” Blask said. “It allows the vendors to address issues. It allows asset owners to understand everything.”
Gathering critical information and sharing that with others in the proper context is the goal behind the Industrial Control System-Information Sharing and Analysis Center (ICS-ISAC).
“You need to aggregate the data and have actionable information,” said Gib Sorebo, chief cyber security technologist and assistant vice president at SAIC. “You need to get to the point where people take action on something before something happens.”
ICS-ISAC will provide automated cross-industry alerting and threat communications among critical infrastructure companies.
While individual critical infrastructure areas have their own information-sharing efforts, the ICS-ISAC will increase communications horizontally, across industries, Blask said.
This is a private-sector counterpart to the government-run ICS-CERT. “ICS-ISAC serves a purpose unmet in the community,” Sorebo said.
“This provides information in a way to show how you can use the information,” Sorebo said. “This isn’t letting people figure it out for themselves.”
In short, ICS-ISAC is all about getting information in the hands of end users so they can understand a threat.
“Being able to respond quickly when you find something is appealing,” said Paul Forney, chief technologist at Invensys Operations Management’s R&D security team.
Today, there is a time lag before people find out about a vulnerability.
“You don’t know about the vulnerability and you don’t know how to react,” he said. “Why couldn’t there be more information available much closer to the incident?”
Monday, September 17, 2012 @ 04:09 PM gHale
Chief of Intelligence and Analysis for the Control Systems Security Program at the U.S. Department of Homeland Security will give the keynote at the OPC Technology Summit 2012 in Orlando, FL.
The OPC Technology Summit 2012, held at the Renaissance Orlando at SeaWorld Oct. 16-18, is where industry experts will come together to learn and share the latest information including best practices, use-cases and technology solutions built on the OPC Unified Architecture.
At this event it is possible to learn, network and exchange ideas on how OPC UA solutions can drive business benefits to your company.
And when it comes to security, Sanaz (Sunny) Browarny, Chief of Intelligence and Analysis for the Control Systems Security Program at the U.S. Department of Homeland Security, addresses control system security risks, including impacts and details on the malicious actors whose intent it is to disrupt and destroy control systems in critical infrastructures for the U.S.
In addition, officials from ABB, Rockwell Automation, Siemens and Yokogawa will outline their companies’ OPC UA adoption strategies for data and information integration.
Also, Beckhoff, BP Exploration, Elster, Invensys, SAP and Schlumberger, among others, outline what they see as the key benefits of OPC UA for improving Operations and Information Excellence within manufacturing and infrastructure domains.
Thursday, August 16, 2012 @ 04:08 PM gHale
By Gregory Hale
With just over 17,000 alarms a day in some cases, and 3 to 8 percent of production lost a year as a result of poor alarm management, it is no surprise alarm management is taking off as a strategy.
The thing is there is no one solution that will solve the problem of alarms. “There is no single piece of technology,” said Diego Izarra, alarm management project lead for Invensys Operations Management during a session at the 2012 North America Invensys Foxboro User Group in Boston Thursday. “There is no single approach to alarm management. You don’t want the operator not keeping up with alarms where they miss an important incident.”
“Alarm management is a process,” said Rob Brooks, process control manager for the chemical division at PPG. “It is constant working. The hope is to sit down and talk it over because it is not going away.”
When you get down to it, alarm management ends up being a vital cog in the safety wheel at any plant. One operator misses an important alarm because he is inundated, and that ends up being a potential safety incident. The converse is also true: if that operator has a clear deck where he can quickly define what an important alarm is and what is not as pressing, he can alert the proper plant personnel of an issue and that will avert a potential crisis.
Gerry Seguin is a senior automation specialist at the mining company Vale and he had a huge alarm management problem. Among their issues was a boatload of alarms going off in its furnace units every day.
“We had over 17,000 alarms going off in one day,” he said. “We had alarms for everything.” Just think about the lost productivity, the trips, shutdowns and outages.
They brought in their alarm management integration team and worked toward finding a way to eliminate the massive amount of alarms.
The end result was the furnace daily alarms went from over 17,000 a day to 66 and the hourly average went from 740 alarms an hour to 28.
“There is still plenty of room to go for improvement,” Seguin said.
Suncor Energy’s Mike Mastrogiacomo needed to improve their alarm management strategy at its 135,000 barrel per day refinery in Montreal.
To get it started they went with a study to understand the tasks they had to accomplish to get a good handle on their alarm management. “That allowed us to put some context behind our alarm management,” Mastrogiacomo said.
They were averaging 3 alarms every 10 minutes and Mastrogiacomo said their goal was to cut that number in half. Their first step was to develop an alarm management philosophy. “That was critical,” he said. “It is a living document; not static.”
Part of that philosophy is to understand and share rules and responsibilities and talk about the management of change among other issues.
After undergoing a series of implementation phases like communicating the plan and philosophy with everyone at the company and then executing on the plan, Suncor was able to almost cut the average in half to 1.8 alarms every 10 minutes and Mastrogiacomo said they will get it down to 1 alarm every 10 minutes.
While it may seem a daunting task, it is possible to reduce alarms to the point of solid management, which means the plant will reduce the amount of unplanned downtime, which means higher productivity and more potential profits.
“There are little things you can do to eliminate alarms easily,” Mastrogiacomo said.
“Getting your alarms to be the right ones will improve results easily,” Izarra said.
Alarm management is not a one-man operation; there needs to be all types of people working to accomplish the goal.
“The key is having someone cracking the whip,” Seguin said.
Wednesday, August 15, 2012 @ 12:08 PM gHale
By Gregory Hale
Process control is going virtual.
That is because Invensys Operations Management extended its virtualization offerings to thin clients and the Foxboro I/A Series distributed control system. Invensys’ virtualization initially focused on the Microsoft Hyper-V and VMware platforms within its software product lines.
The goal is to help users reduce implementation costs; reduce risks; shorten project schedules; improve scheduling integrity; strengthen the ability to respond to project changes; and improve global collaboration.
“With the typical project implementation taking between 6 to 18 months, when we have an implementation via virtual machines it means we can push back some hardware devices so they are not outdated when the system starts up,” said Grant Le Sueur, brand director at Invensys Operations Management during a meeting unveiling the launch at the 2012 North America Invensys Foxboro User Group meeting in Boston. “That means we can introduce hardware closer to implementation.”
With virtualization, there is a three-point strategy, Le Sueur said. It all focuses on decoupling: Decoupling engineering process from geography; decoupling software from hardware and decoupling I/O installation from design.
Virtualizing a control solution can reduce implementation costs, cut project risks, improve scheduling and enhance change agility throughout the project lifecycle. It can also shorten the implementation process, and improve collaboration.
Invensys has a new range of servers qualified as an optimized virtual machine-hosting appliance; a new range of solid-state operator client terminals; thin client management software; a USB modular alarm annunciator keyboard; virtual machine-hosting software; recommendations on cyber-security best practices; guest operating system licenses; and support for Invensys’ control and safety offerings that can operate specifically within approved virtualized architectures. All of these end up managed within standard product-lifecycle management policies.
Since virtual machines are accessible worldwide via terminal services, global teams are able to work on the projects around the clock.
Wednesday, August 15, 2012 @ 11:08 AM gHale
By Gregory Hale
Cultivating a solid, workable relationship with the IT department was just one of the tasks Salt River Project’s Mike Hull had to deal with when he implemented a security plan at his coal-fired plant.
“The relationship started off as an adversarial process,” Hull said, during a cyber security session at the 2012 North America Invensys Foxboro User Group meeting in Boston Wednesday. “They came in and wanted to take over. We knew it had to be a partnership. After a while they realized there were more things they did well and there were things we did well. The relationship evolved and it worked out real well.”
That was one of the issues that came to pass during the implementation of the security plan, but a chunk of other issues ended up averted because Hull sat down with his integrator and worked out a plan of attack for the implementation.
“We spent a lot of time working on the front end going over a long term plan,” the computer controls supervisor said.
All that work up front paid off in the end and now Hull’s plan is a template for the other Salt River Project plants looking to meet NERC-CIP compliance requirements.
Meeting compliance is one of the major reasons why manufacturers, mainly power companies, start up a security program, said Doug Clifton, director of Invensys Operations Management’s Critical Infrastructure Security Practice.
“We look at what is important for the community,” Clifton said. “I don’t sell FUD, fear, uncertainty and doubt. You have to look at security from a network perspective. You can have a firewall and switch, but if you don’t look at it from a network perspective, you miss out on features.”
Clifton mentioned six benefits of a solid cyber security plan:
• Regulatory compliance
• Reducing environmental and financial risk
• Increase plant effectiveness
• Connect plant to enterprise
• Reduce downtime
• Increase network performance
In the end, a security solution is all about ensuring continued uptime and eliminating as much unplanned downtime as possible.
“Security should not be a point solution,” Clifton said. “You need a roadmap to keep your money machine up and running. You need to keep making your product.”
Tuesday, August 14, 2012 @ 05:08 PM gHale
By Gregory Hale
Change is inherent in today’s manufacturing environment. Yes, some technology may be long in the tooth, but change is inevitable and a modernization plan will help companies move forward.
Changing technology: The Purdue model was the state of the art in the 80s, the MES convergence was in the 90s and it was enterprise convergence in the 2000s.
“The speed of business is changing,” said Rick Morse, vice president for the Control and Safety Solutions business of Invensys Operations Management during the product roadmap discussion during the 2012 North America Invensys Foxboro User Group conference in Boston Tuesday. “With automation advances, what used to take 50 people to do years ago can now be done by one person.”
That is what Invensys’ modernization program is all about, embracing change to gain more perspective and stronger productivity from people and technology.
“There used to be manual labor and we replaced that with PLCs and DCS’s and now we are changing to a new era. We are going to decision support automation,” Morse said. “We are going to tie all the technology together and put it into context. That means we change to a knowledge worker from a manual worker.”
“The whole game will change as we go to a whole new perspective on what we can help you do,” he said. “The speed of business and the speed of money are getting closer together.”
With modernization, “We are reinventing from the inside out.”