Posts Tagged ‘Invensys’
Tuesday, October 15, 2013 @ 06:10 PM gHale
By Gregory Hale
Levels of cyber security awareness just keep increasing throughout the industry.
“From 2006 when I first started at Invensys people were talking about firewalls and how that made them secure,” Doug Clifton said Tuesday during the Invensys Software Conference and Tech Support Symposium in Dallas, TX. “From 2006 to today you can just see the increase in awareness. The thought process is changing to thinking about installing applications.”
With all the big attacks in the news like Stuxnet, Night Dragon and Shamoon, security awareness obviously has grown with security professionals, but the good news is it has also risen with the rank and file workers on the plant floor.
“You are hearing about security more than just at work,” said Clifton, director of Invensys Operations Management’s Critical Infrastructure Security Practice. “Just yesterday, my kids’ school sent home a note about cyber security. So, it is all around us. Awareness is there.”
“When I started, security was all about being an insurance policy. Today we can also make the network performance much better. The goal is to protect the network from various things – even themselves.”
There are companies that talk about security compliance and some that talk about tactical solutions, but Clifton said they should be somewhere in between where they are compliant to best practices and standards.
As the awareness increases, some people will talk about doing a penetration test to attack a system to find weaknesses. But Clifton talks about doing a vulnerability assessment.
“We want to get the basics introduced,” he said. “After a while we may get to the point of doing a penetration test, but we are not there yet. We want to bring in best practices. We don’t want to focus on the big monster of NIST standards. We want to deal with the basics on how you can protect yourself without breaking the bank. We find we have clients that are not sure what they have that needs protecting.”
He talked about one case where he went into a manufacturer and they told him they were not sure why they needed security at all. They were a small company that was producing a simple product. As it turned out, they were making a good bit of revenue off a new type of coating that would ensure their customers would only have to apply it once a year instead of the usual twice a year. That, they said, would save their customers time and money. Clifton then asked them: wouldn’t you want to ensure your intellectual property – in this case an industry-leading product – would stay in your possession and not fall into the hands of a competitor? That is when they understood why they needed a security program.
“Securing intellectual property is pretty fundamental along with safety of personnel. Not enough people give credence to securing intellectual property.”
Yes, awareness is on the increase, but oftentimes Clifton and his team have to go in to a user and just sit down and have a conversation about their objectives.
Security will mean there will be changes, and it will not be business as usual. The main goal is to not add in levels of complexity. We want to take it and make it more robust and create an environment that is not impactful to their work.
“Going from zero to secure is a pretty big step,” he said. “There are intermittent goals along the way. It is a journey. The further along they are in the journey, the better the questions they ask.”
Thursday, October 10, 2013 @ 04:10 PM gHale
Invensys created an update that mitigates the improper input validation vulnerability in the Wonderware InTouch human-machine interface (HMI), according to a report on ICS-CERT.
Independent researchers Timur Yunusov, Alexey Osipov, and Ilya Karpov of the Positive Technologies Research Team discovered the vulnerability in the Wonderware InTouch application. The Positive Technologies Research Team tested the update to validate that it resolves the vulnerability.
The following Invensys Wonderware products suffer from the vulnerability: InTouch HMI 2012 R2 and all previous versions.
Successful exploitation of this vulnerability could allow an attacker to affect the confidentiality and availability of the Invensys Wonderware InTouch.
Invensys is a global technology company that works with industrial, commercial, rail operators, and appliance operators, while operating in over 180 countries. Invensys develops software, systems, and equipment that enable users to monitor, automate, and control their processes.
The Invensys Wonderware InTouch HMI works across several sectors including critical manufacturing, energy, food and agriculture, chemical, and water and wastewater.
Wonderware InTouch HMI allows access to local resources (files and internal resources) via unsafe parsing of XML external entities. By using specially crafted XML files, an attacker can cause Wonderware InTouch HMI to send the contents of local or remote resources to the attacker’s server or cause a denial of service of the system.
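As an added illustration (not code from ICS-CERT, Invensys or the researchers), the following pre-load audit flags the DTD constructs behind this class of flaw, external entities for disclosure and nested entities for denial of service, in an XML file before an operator opens it. It uses Python's expat bindings without fetching any external resource; the sample documents and element names are constructed and do not reflect the InTouch file format.

```python
import xml.parsers.expat as expat

def audit_xml(data: bytes) -> list:
    """Report DTD constructs that enable XXE; external content is never fetched."""
    findings = []
    parser = expat.ParserCreate()
    # Never load an external DTD subset or expand parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id or public_id:
            findings.append(f"external DTD subset -> {system_id or public_id}")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "parameter" if is_param else "general"
        if system_id or public_id:
            # Entity body would be read from a file or URL: disclosure risk.
            findings.append(f"external {kind} entity '{name}' -> {system_id or public_id}")
        elif value and "&" in value:
            # Entity built from other entities: expansion (DoS) risk. Heuristic.
            findings.append(f"nested {kind} entity '{name}'")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # No ExternalEntityRefHandler is set, so expat skips external references.
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        findings.append(f"not well-formed: {exc}")
    return findings

# Constructed samples; element names are illustrative, not the InTouch schema.
CLEAN = b'<?xml version="1.0"?><window name="Main"><tag>Pump01</tag></window>'
EXTERNAL = b"""<?xml version="1.0"?>
<!DOCTYPE window [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/resource"> ]>
<window name="Main"><tag>&ext;</tag></window>"""
NESTED = b"""<?xml version="1.0"?>
<!DOCTYPE window [ <!ENTITY a "x"> <!ENTITY b "&a;&a;"> ]>
<window name="Main"><tag>Pump01</tag></window>"""

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("external", EXTERNAL), ("nested", NESTED)):
        print(label, audit_xml(doc))
```

An empty result means the file declares no external or nested entities; any finding is a reason to quarantine the file rather than load it on an unpatched system.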
CVE-2012-4709 is the number assigned to this vulnerability, which has a CVSS v2 base score of 6.3.
This vulnerability is not remotely exploitable and needs user interaction for any kind of exploit. The exploit triggers when a local user runs the vulnerable application and loads the malformed XML files.
No known public exploits specifically target this vulnerability, but an attacker with low skill would be able to exploit it.
Instructions and a link to the application update are on the Invensys download page.
Any machine running InTouch 2012 R2 or earlier versions suffers from the issue, according to Invensys. Users should install the update using instructions provided in the ReadMe file for the product and component installed. Invensys recommends users:
1. Read the installation instructions provided with the patch.
2. Shut down any of the affected software products.
3. Install the update.
4. Restart the software.
Wednesday, September 11, 2013 @ 09:09 AM gHale
By Gregory Hale
The process safety mindset is changing to where users now understand safety can really add benefit to the bottom line.
If a company is truly smart about safety, focuses on what it has to do, remains vigilant and is a top tier organization, it should realize a five percent gain in productivity, said Steve Elliott, director of Triconex product management, during his Tuesday talk at the Foxboro & Triconex Global Client Conference ’13 in San Antonio, TX.
In addition, he said, a company employing a solid safety program could see a three percent reduction in production costs, five percent reduction in maintenance costs, 20 percent reduction in insurance and a one percent reduction in capital budget. Those statistics come from the Center for Chemical Process Safety.
While numbers show what a company could gain, Elliott said accidents are still happening.
“Process safety incidents are not decreasing at the same rate as occupational safety,” he said. “We are starting to see more visibility of process safety in the market.”
One of the issues, however, is not about technology, but who is using it.
“We focus on technology all the time. You can have the best technology in the world, but if you don’t use it properly, it is not going to help you at all.”
Through advances in technology, users today are getting a flash flood of information and they can end up paralyzed with data overload. That is why the goal now is to “give more contextual information to give more information to the right people at the right time.”
While Triconex is celebrating its 30th year, Elliott said “when you look at the last 30 years, quite a few things all around us have changed, but the core technology of Triconex system still remains.”
Part of that technology allowed for sharing of information to ensure a system stays on track and everyone understands the risk. But understanding that risk starts at the beginning, not when a process is running.
“You need to know and understand the risks when the system is in design mode,” he said. “Use that information to start getting a view of the risks a user has to manage.”
Basis of safety design:
• Continuously safety reliable production
• Fewer personnel to manage and maintain SIS operations
• Extend SIS lifecycle
• Faster SIS startup cycle
• Lower network infrastructure and maintenance
• Low total cost of ownership
You can’t have a discussion about safety without talking about security and Elliott said it is important to secure the hardware for the safety integrated system (SIS) and engineering workstations.
“It is a must to harden the engineering workstations and not just the safety systems themselves. The goal is highly secure safety hardware and software.”
The trend right now in safety is to focus on an integrated but independent safety system. That is part of the discussion with Invensys’ new launch of the Foxboro Evo automation control system, which integrates safety.
While the new system integrates safety, Elliott said Triconex will produce safety systems as standalone systems as they have for years, or they will produce an integrated system.
“Integrated systems go back to the 1990s,” Elliott said. “Triconex was a node on the Foxboro and Honeywell systems. So, integrated is not really new.”
When it comes to choosing a safety system, Elliott said it is really up to the user. “There is no right and no wrong. We have one customer that uses separate safety system upstream and the same customer uses an integrated system downstream.”
Tuesday, September 10, 2013 @ 07:09 PM gHale
By Gregory Hale
One of the big questions going into the Foxboro & Triconex Global Client Conference ’13 here in San Antonio concerns Invensys’ $5.2 billion pending merger with Schneider Electric.
“There has been a lot of talk about this out in the industry and I just want to set the record straight. Schneider made an offer and the Invensys board will recommend the takeover,” said Invensys President and Chief Executive Mike Caliel. “Hopefully, the deal will close by the end of the year or early next year.”
He then said that, by law, there is quite a bit he cannot say. Right now they are two separate companies and they are operating as such; however, the synergies between the two show great potential to go to market from the discrete and process angles.
While the discussion of Schneider’s history of takeovers is suspect, Invensys leaders are saying they are seeing very good signs of what the combined company will be able to do.
While a full integration of the two companies can take by estimates 18 months to two years, the thought is for end users, business should pretty much remain the same for a period of time.
Invensys even showed a video from Jean-Pascal Tricoire, Schneider’s chief executive, who said he was happy to learn about the new Evo system and is looking forward to moving forward with Invensys.
Tuesday, September 10, 2013 @ 07:09 PM gHale
By Gregory Hale
Information is coming at automation professionals at greater levels than ever before and believe it or not it could lead to indecision or bad decisions. That indecision can end up leading to greater potential for a safety incident.
That is why, as the volume of information grows, that data needs to come across with a higher degree of context so engineers, operators and maintenance workers can make proper decisions in real time, said Mike Caliel, president and chief executive of Invensys, during his keynote address at the Foxboro & Triconex Global Client Conference ’13 in San Antonio, TX.
“Systems today provide exponentially a higher level of data than ever and that may not be helping,” Caliel said. “Information overload is becoming more prevalent.”
People, he said, will want to make a decision, but without seeing that data in proper context, workers may end up being slow to move or not moving at all, and that can lead to problems.
That is where the new Foxboro Evo system comes into play. Invensys launched the system at the conference and it is their next step to giving more context and value to manufacturing automation users.
“We believe the speed of business technology will continue to increase,” said Peter Martin, Invensys vice president business value solutions, who also spoke during the opening session at the conference. “We believe safety and cyber security will continue to be in demand. With fewer people working in industrial plants, each person will need to work with increased productivity.”
Through a video message, Jean-Pascal Tricoire, Schneider’s chief executive, said he was happy to learn about the new Evo system and is looking forward to moving forward with Invensys.
Tuesday, September 10, 2013 @ 04:09 PM gHale
By Gregory Hale
Invensys released its next-generation process automation system called Foxboro Evo, which is integrating safety into the control system.
The system has advanced tools and applications and a cyber secure hardware platform, and it integrates the company’s Triconex safety system.
“This new system can help eliminate barriers to success,” said Gary Freburger, president of Invensys’ systems business during his keynote address at the Foxboro & Triconex Global Client Conference ’13 in San Antonio, TX. “This changes every function within the operation. It can reduce risk, reduce costs and reduce time.”
The Foxboro Evo process automation system comes from Foxboro I/A Series and Triconex technology. The one thing everyone at the conference went to great lengths to say is this system is, and will be, compatible with existing Foxboro systems already out there. So, when they need to, legacy systems can migrate up to the Evo system in step-change fashion.
This new system comes out with the global automation environment continuing to evolve into a cohesive unit with the enterprise.
“We have seen complexity increase with collaboration all over the world, and we think that will intensify,” Freburger said. “We know we have a changing workforce with young engineers coming in and older ones leaving and this system will allow workers to have the opportunity to make decisions quickly.”
The Foxboro Evo system includes a high-speed controller, field device management tools, a maintenance response center, an enterprise historian, 1-n redundancy and cyber security hardening.
One of the benefits Invensys is touting is the safety and security workers should gain from integrating control and safety, which enables sharing of operational information while keeping the safety system functionally isolated. The other bonus was talk about the levels of security that go into place before any product hits the users’ hands.
“We recognize (users) have a set of challenges and one of them is a more formal way to report safety issues. We are committed to make safety more visible,” Freburger said.
But in the end, users do not jump from system to system easily. It takes years, if not decades, to make changes. That is why Freburger said this is one way to future-proof the investment in a system.
“We will always make sure there is a path to the new technology,” he said. “We will never leave anyone behind.”
Thursday, July 18, 2013 @ 05:07 PM gHale
Knowledge is king and sometimes manufacturers are totally lacking in any understanding of how poor their security posture really is.
Along those lines, Invensys has a new cyber security assessment service to help users understand the risks that might impact the safety and reliability of their operations.
The assessment is a key part of any security best practice program, getting the ball rolling in learning how the user can help ensure critical infrastructure protection and compliance with corporate, industry and/or government mandates.
Performed on-site, the control system assessment provides a baseline of the user’s current security position, and it can be the starting point to develop a strategy to meet the challenges of reducing and managing security risks.
The assessment, which includes the following service elements, allows Invensys to develop a unique and customized approach to addressing security issues:
1. Site and system assessment: A site review and system-specific vulnerabilities. The results of the assessment end up in a report highlighting critical assets, vulnerabilities and risks.
2. Compliance assessment: It addresses compliance status by reviewing operations and processes against required corporate compliance standards.
3. Establish security baseline: This allows a user to gauge progress against current status and operating models for security.
• Comprehensive approach is the vital first step in determining security requirements
• Baseline and benchmark the security of critical assets
• Appropriate and applicable industry standards, government regulations and mandates
• Identification and assessment of the risks that could impact control system operation
• Gap analysis highlights and recommends mitigation necessary to improve security
• Assess policies, procedures and technical measures
• Vendor-neutral and applicable to all control systems and their interconnections