ISSSource White Papers

Posts Tagged ‘productivity’

Monday, June 29, 2015 @ 09:06 AM gHale

Wireless can Provide Safety for Users, while also Giving a Big Boost to Productivity

By Gregory Hale
Productivity and safety are emerging as the key pillars of any control application enterprise, and when wireless is added to the mix, the potential gains are off the charts.

Industrial wireless communication solutions allow for highly flexible, efficient, robust, reliable, safe and secure automation.

Wireless is suitable for indoor and outdoor applications under extremely harsh conditions. In the manufacturing automation environment, the applications are limitless — from cranes to automated guided vehicle systems to uses in the field of remote control/remote maintenance.

Wireless allows for safer operations where it can reduce human exposure to a hazardous environment, especially when the prior alternative was to have someone stand in a danger zone near a crane, or in a remote area. Also, more frequent measurements and early detection of issues can help reduce, or even prevent incidents or accidents. There is also safety in enhancing operational effectiveness where operators can quickly diagnose and troubleshoot plant operations and support predictive maintenance programs by monitoring facility assets. Additionally, it is possible to identify costly problems that can lead to an unsafe condition or even excess use of energy or raw materials.

In short, greater access to monitoring and control information gives engineers and operators better visibility and ultimately better decision-making power when it comes to industrial environments such as plants, factories, and refineries.

“The market is becoming more and more open to the use of wirelessly enabled devices to enable safety in industrial automation,” said Scott Lordo, vice president technology wireless automation and control solutions at Laird.

Safety, Productivity Possibilities
Safety strategies only make sense when looking at all the cynical possibilities. When everything is running as planned it is smooth sailing, but when Murphy’s Law hits, things go sideways quickly.

“If implemented and managed properly, safety critical wireless control improves productivity when controlling machines,” said Lordo. “Our productivity improvements result from ensuring the operator is positioned to better monitor processes effectively, efficiently and safely.”

One case in point is a power plant coal loading process. The operator works via remote control on the bulldozers used to push the coal in the pit heading to the furnace. There are times, though, where there is a potential for collapse and the operator in the dozer could be at risk. With wireless remote control, the operator can ‘get off to the side of the pile.’ “While asset safety is economically critical — human safety is paramount.”

Additionally, in an overhead crane situation, instead of having the operator stretching as far as he can, he is able to remain safe. With remote control, the operator can get 100 feet away so they are far removed from the swinging load and the risk.

“All of those trends are heading toward productivity and safety and wirelessly-enabled control systems have met those expectations,” Lordo said. “It is this (Internet of Things) IoT space with the whole data collection and aggregation that turns that into information and action. By the time the control system is in place we are connected to the machine, we are connected to the human that is operating it, and we can gather all threat information and as we understand the user’s environment and what they do. We help them turn that data into information so they know what actions they need to take to make their operations safer or more productive.”

Wireless: What to Look for
Here are some advantages and what to look for in wireless:

  • Productivity. Wireless can improve productivity, including safety, which Lordo said is an element of productivity. “Protecting workers and operators and doing the work more effectively and efficiently.” Make sure whoever you work with has the ability to complete the RF survey and study and design of the RF infrastructure to ensure reliable, repeatable coverage. These systems have to shut down quickly and they are always in communication. The importance of a robust RF infrastructure cannot be overstated; otherwise the system is always stopping and you lose your productivity.
  • Work with somebody who can hand over their machine and then quickly get back a fully converted electrified remote control. Being able to understand the machine and what is needed to be installed and implemented in order for it to be able to remote control is another critical element. Being able to interface with the machine is a critical element.
  • Training. Fully implementing operator training. How they would think about doing the job differently based on having this capability.
  • Actionable data. There are incidents that occur out there, you get the human view of what occurred with different perspectives from those people involved. But now you can get the view from the vehicle of what happened. That should corroborate with at least one of the stories you get. You can listen to the story you get and match it with the data you have.

Real-time data keeps operators safe and productive during the action, but also it can act as a teaching tool to learn how to become more productive in the future.

“We designed our own safety critical PLC, that then goes onto the machine and interfaces to the machine and into the machine and can (remotely) enact commands from the operator to make the machine do what the operator wants it to do for that particular movement,” Lordo said. “While we are doing that, we are also collecting the data associated with those duties and storing it. We then bring it back to a hosted database and send a web-based user interface back to the users showing productivity reports. This way we can show what actions they need to take to do things better or to mitigate something. The people we work with are very busy and they need to be able to take action quickly and take care of their day job.”

Mining a Solution
Buried deep below the ground under the blazing Nevada sun, Barrick Goldstrike’s Paul Smith knew remote control was the only safe way to handle the Meikle-Rodeo ore mine in Elko, NV. The large block of gold and silver ore is highly fractured, so safety is the primary concern. To say miners work under a huge safety risk is quite an understatement.

“We had to plan on portable radio remote controls (PRRCs) because there was no way we could mine down there without them,” said Smith, general supervisor, at Barrick Goldstrike. “You didn’t want to put any operators at risk in the event of a rock fall or cave-in, and with the kind of fractured ground we were dealing with, those were definite and serious possibilities. Mine workers who operate load haul dumps (LHDs) could easily be at risk.”

In this case, the remote controller keeps the operator protected in potentially dangerous situations by enabling him to stand much further away from the machine. It also allows for more aggressive digging since the LHD can continue its progression into the rock much deeper than it would with the operator on the machine. Since workers are not in the area, just machines, they are able to remove more material before shoring up the walls.

These wireless units enable operators to control industrial equipment from a safe distance away from heavy machinery, hazardous materials, or dangerous environments and elevate the standard for worker safety and productivity. Whether it is a mine, rail yard or a refinery, the information and reporting capabilities help executives, managers, and maintenance departments increase productivity, safety, and profitability in their daily operation.

In the safety critical world, people are familiar with safety integrity level (SIL) ratings and in their minds they tend to associate that with wired only implementation, but that is not the case. There are going to be some wireless SIL certifications.

“That would be one element; SIL 3 certified with wireless control,” Lordo said. “You can achieve that with untethered devices.”

It only makes sense. Safety gains, along with a boost in productivity via wireless, bring more opportunities for manufacturers to gain in communication and to grow.

Tuesday, April 14, 2015 @ 04:04 PM gHale

By Frank Marcus
There is no doubt the industrial Internet holds great promise for improving efficiency, productivity, and most importantly, human safety. However, the level of network connectedness required to gain these benefits makes operational systems security more essential than ever, especially in Oil and Gas and other energy sectors.

While critical infrastructure security is already recognized by regulators and compliance leads (see NERC CIP regulations), there are further opportunities to truly strengthen an industrial facility’s security posture. Here are some of the key points I shared with Oil and Gas executives at a GE conference in Florence last month. These points are the result of my experience and current role in performing security assessments across industrial facilities worldwide, from wind farms to oil rigs.


What most companies don’t realize is simply having the right view into different types of information can speed your ability to fix common problems. Think about traveling on a city’s subway system as a good analogy. Of course, you need the basic information like which stop is closest to the address you’re visiting, and what subway line goes there. However, there are additional details that could vastly change how quickly and efficiently you arrive, such as which trains are local and which are express. One might pass right by the stop you need. Yet another level of information – real-time schedule data – might tell you which lines end up affected by delays, helping you determine another way to travel altogether.

The same thing can be said of the path to secure critical infrastructure – it can be seamless and fast, as long as you have the right perspectives and information.

Along those lines, the most obvious example is companies only monitoring IT protocols, thus missing the depth and richness OT protocol visibility can provide. Indicators of compromise specific to control systems (such as unexpected control set point changes, logic updates, and administrative settings like date/time) are only available to systems capable of understanding how control systems communicate, and most importantly, with the context to interpret what those signals mean.

Many organizations have not prepared adequately for critical infrastructure and operational technology (OT) risks. It is a delicate balancing act between automating and interconnecting formerly closed systems and mitigating risks. Implementing critical infrastructure security into existing operations is essentially helping organizations to effect change – changing their People, Process and Technology to meet security requirements that were not there when the operation was originally commissioned. Companies can approach security methodically, focusing on three primary areas: visibility into their security posture; building security into workflows; and hiring and training qualified OT personnel.

To better illustrate the People, Process, Technology approach, I’ll share the type of efforts we completed for a Major Oil Producer to benchmark their security practices relative to a new international standard specific to OT Security.

General awareness training was available to various employee types, which helped the organization then appoint personnel responsible for security implementation and risk management. Why is the People component so critical?

Consider an oil spill or another kind of physical accident. Generally speaking, most employees in the Oil and Gas sector know how to successfully respond to handle such a situation. The same cannot be said about cyber security issues. Not everybody recognizes a Phishing attack email or knows how to deal with suppliers who want to use USB sticks to transfer configuration information. And even if they do, chances are things will change the next month due to new viruses or breaches.

Starting with education across a spectrum of workers will increase how quickly and how well you can handle the new information and risks prevalent across more connected industrial facilities.

A cyber incident response program helps define clear roles and responsibilities, offering personnel a robust mechanism for effectively containing threats as they occur. Today, the Major Oil Producer regularly conducts risk assessments to understand their security posture as it relates to the evolving threat landscape. In addition, a process is in place to help those newly educated employees act on what they see and monitor.

While companies think about technology in terms of what to buy, operational facilities answer another question – how to secure and manage legacy systems with long operational lifespans. The goal here is to develop technical requirements to adopt security technology compatible with their legacy equipment and process workflows. We determined how they should evaluate technology to find the right fit for their systems. In some cases, this means an upgrade is the most efficient path. But, as our subway analogy explained, with all of the assessment information at hand, sometimes the path is to supplement workstation patching with additional compensating controls for vulnerabilities in the controls equipment proper.

This company is now well down the path of establishing a “Culture of Security,” analogous to the Culture of Safety that drives the everyday behavior of those working in the field and managing physical risk. Also, the organization understands the trade-offs they need to make between securing existing operations and replacing outdated equipment with new solutions that have the ability to support modern security requirements.

New perspectives into information, and working across People, Process and Technology, have delivered an actionable framework to mitigate risks as the producer further connects to more systems, workers, and vendors.
Frank Marcus is the director security technology at Wurldtech. He is responsible for product security architecture. He is an industrial control security analyst for brownfield and greenfield applications primarily in oil and gas, power and water, factory automation, and ICS-specific vulnerability research. Wurldtech is an independent subsidiary of GE, which acquired the company in 2014.

Tuesday, February 24, 2015 @ 03:02 PM gHale

By Nate Kube
The Industrial Internet holds so much promise for oil and gas and other energy sectors: Increased human safety, efficiency, productivity. At the same time, the network connectedness required to reap these benefits makes operational systems security more important than ever.

Imagine that while reading this, your chief executive interrupts you with an urgent question: Is your organization protected against Regen, a just disclosed industrial controls vulnerability?


For many companies we consult with, this type of industrial cyber risk question cannot be easily answered. While their CFOs may review daily reports for IT security risks, they have nothing in place to handle the realities of critical infrastructure and operational technology (OT) risks.

Moving forward, companies will need to balance between these opposing forces. On the one hand, the desire to automate and interconnect will push for opening up systems that have been closed for decades. On the other hand, leaders will need to understand and responsibly mitigate related risks. As we have seen while performing OT security assessments and certifications worldwide, organizations need help to address several operational realities first, including:

  • Visibility into security posture – Considering the massive number of controls systems and vintages of operational equipment, it’s difficult for a manufacturing plant or wind farm to see operational-specific network traffic. (This is partially what makes it impossible to respond to the chief executive’s valid question in the example above.) Adding more sensors and connected equipment will only make this situation more acute.
  • Workflows – Closed off, isolated processes (such as shutting down a turbine engine) used to be the norm, but today, business and technical drivers are forcing more open workflows. Plant managers and compliance directors will need to build security into workflows, to assure commands are authenticated first, as an obvious example.
  • People qualified in operational technology (OT) security – Achieving a good balance between the promise of the Industrial Internet and the operational challenges of securing it will depend on who can see the nuances of industrial security risk. IT perspectives will not suffice to address OT risks. Few companies have considered who can design and implement the steps needed to address the unique threats facing critical infrastructure. Nor have they considered who will accurately monitor dynamic threat landscapes and implement updates as attack vectors evolve.

This may seem an overwhelming set of tasks, but there is hope. A pragmatic starting point is having the vital information to make correct risk assessments. Are you looking at how your operational equipment connects and communicates, for example, or only seeing IT protocol traffic? Do the technologies, processes, and people responsible for watching that communication know how and where to look if something suspicious is detected?

Believing they have security visibility is the most common misperception I see across the energy sector. In the majority of cases, only IT risk is addressed at operational facilities today.

Current Information
If you think about how we use driving information like Google or Yahoo maps, it helps to understand just how insufficient the current security posture information really is. If you are driving in a foreign city, for example, one map version might show you existing roads and interstates. Yet another map might highlight and recommend the best routes based on real-time traffic, latest road conditions, and accidents.

Which map would you rather have to plan your trip?

Similarly, many power plants and oil refineries today are relying on that first map when it comes to protecting their operations. Worse, they are unaware there could be other, more effective maps to guide them. And worse still, they believe their current information is everything they need to be secure.

Vital information is just one part of balancing the promise of the industrial Internet with risk. In follow-on columns, we will share insights from recent customer case studies to pinpoint three areas you can act upon to lead your operations securely into a more interconnected world.

Wurldtech's Nate Kube.


Nate Kube founded Wurldtech Security Technologies in 2006 and as the company’s Chief Technology Officer, is responsible for strategic alliances, technology and thought leadership. Kube has created an extensive Intellectual Property portfolio and has filed numerous authored patents in formal test methods and critical systems protection. Wurldtech is an independent subsidiary of GE, which acquired the company in 2014.

Monday, April 28, 2014 @ 02:04 PM gHale

As cyber attacks get more sophisticated, costly and abundant, there is a continuing need to elevate security awareness to the same level as safety – ensuring not only a safe, but also a secure manufacturing environment, while increasing productivity, uptime and profitability.

While security awareness is slowly growing, it suffers from an identity crisis at manufacturing facilities across the globe. Big, small or anything in between, there is a general lack of understanding for security best practices.

Just look at some of the facts: Reported cyber attacks have grown by 600 percent since 2010. 600 percent. On top of that, the industry is losing around $400 billion a year in cyber attacks. There is no doubt cyber attacks are the most common and most costly attacks in industrial control systems.

It is easy to get lost in the enormity of a security solution, but it doesn’t have to be that way. Yes, there are answers and it starts with technology. But technology ends up being a solid tool. In the end, people wield the power. That means security culture must be on a par with safety to effectively protect against cyber attacks.

Join Honeywell Process Solutions’ Director of Cyber Security Solutions and Technology, Eric Knapp and ISSSource May 15 at 2 p.m. eastern time for a webinar that focuses on how to get security awareness on the same level as safety.

In the webcast we will discuss:
• Quickly Evolving Needs of Security Compared to Safety
• Proactive Security Approach
• Driving Awareness and Implementation of Security Measures
• Standards and Government Legislation is Slow in Development

Register here for Security Awareness: A Matter of Safety.

Wednesday, December 5, 2012 @ 07:12 PM gHale

Editor’s Note: This is an excerpt from the Practical SCADA Security blog at Tofino Security.
By Eric Byres
Industry needs to quickly come to terms with the bring your own device (BYOD) trend if we are ever going to make our plant floors secure.

Let’s start with mobile devices, especially personal mobile devices, showing up on the plant floor. Never going to happen you say? Don’t be so sure.


First, a definition. The topic of personal mobile devices is referred to in the corporate IT world as “Bring Your Own Device” or BYOD. If you haven’t heard of BYOD, Wikipedia defines it as: “Bring your own device (BYOD) is a business policy of employees bringing personally owned mobile devices to their place of work and using those devices to access privileged company resources.”

A common example is using your personal iPhone to access your company’s email system. And as I will explain later, the iPhone is only the tip of the iceberg. The whole BYOD phenomenon is a major concern throughout the corporate world.

An iceberg is a good metaphor for the onslaught of this technology. When dealing with an iceberg, pushing against it or ignoring it generally aren’t effective options. It is bigger than you are and will go where it wants. The best you can do is to try to manage it.

Most IT departments are beginning to accept the inevitability of BYOD. According to one study, the majority of companies surveyed said they are now adapting their IT infrastructure to accommodate employees’ personal devices, rather than restricting employee use of personal devices.

What about the plant floor? Will tablets soon be standard equipment in the refinery? Or will they be banned from moving outside the corporate office?

When engineers are asked to identify their unfulfilled industrial networking desires, the number 1 item is: “Connecting to the factory with a smart phone”.

I have discussed in the past that in any war between security and productivity, security will lose. The situation is no different here. Smart phones are coming to the plant floor. The only question is “Will we adapt to this new world in a secure way or will it be another source of insecurity”?

One option for the mobile device question is to just ban them outright. There are cases when this might be appropriate (explosive environments for example), but generally outright bans rarely work the way people want them to. One of the reasons is we have a tendency to see technology only in terms of what is available today or what is popular. This results in narrow definitions of a specific technology that lets other technologies slip through. For example, an iPhone is clearly a mobile device, but what about a personal USB keyboard or mouse that an employee brings in, perhaps for health reasons?

Sometimes a “mobile device” isn’t even a device at all. Consider a CD that contains a Stuxnet-infected S7 ladder logic file. Or an automated forklift that moves from site to site. At the extreme end, many people know we have been working with Boeing for the past few years – they have large mobile devices called 787s. What is important to remember is mobile devices can range from a CD with what appears to be an innocent document file, to the obvious iPhone, right up to entire mobile platforms.

The only way to address this range of evolving “mobile” technology is to use the Zone and Conduit concepts promoted in the ISA/IEC 62443 standards. Properly done, zone and conduit security can result in operational requirements that define a security process, rather than proscriptive requirements like “Mobile Devices should not be used on the plant floor.” Restricting devices seems simple and comforting, but since this is so narrow, restrictive and inflexible, it encourages inventive staff to find ways around the rules so they can do their job.

Recently I talked to a customer with a very innovative way to manage Wi-Fi-capable mobile devices on his factory floor. Instead of banning wireless technologies (something that is hard to enforce if you have a lot of contractors), he actually installed Wi-Fi access points throughout the manufacturing areas. Then he routed all the access points into a “Captive Portal” – one of those locked down web pages you run into in hotels and airports.

This Captive Portal strategy had multiple benefits – first he immediately had a record of who was trying to use Wi-Fi in his factory. Second, by forcing all employees and contractors to log in, he could track exactly what they were doing and when. Then, based on each user’s log-in credentials, he could restrict network access to specific systems in his factory. For example, a contractor working on the Finishing Line could be restricted to only seeing the Finishing Line PLCs. And finally, by using deep packet inspection, he could force the contractors into a view-only mode by blocking all PLC write and programming commands.
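The per-login restriction and view-only inspection described above can be sketched as a small decision function; this is an added example, not code from the customer or from Tofino Security. It assumes the PLCs speak Modbus/TCP (the post names no protocol), and the session record, user names and 192.0.2.x addresses are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Standard Modbus function codes that only read process data. Anything else
# (writes, diagnostics, vendor programming functions) is denied in view-only mode.
READ_ONLY_FUNCTIONS = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}


@dataclass(frozen=True)
class PortalSession:
    """Hypothetical record created when a user logs in to the captive portal."""
    user: str
    allowed_plcs: frozenset  # PLC addresses this login may reach
    view_only: bool


@dataclass(frozen=True)
class Verdict:
    allow: bool
    reason: str


def build_request(transaction_id, unit_id, function_code, payload=b""):
    """Build a Modbus/TCP request: 7-byte MBAP header, function code, payload."""
    length = 2 + len(payload)  # unit id + function code + payload
    header = struct.pack(">HHHBB", transaction_id, 0, length, unit_id, function_code)
    return header + payload


def parse_request(frame):
    """Return (unit_id, function_code), or None if the frame is malformed."""
    if len(frame) < 8:
        return None
    _tid, protocol_id, length, unit_id, function_code = struct.unpack(">HHHBB", frame[:8])
    # The length field counts every byte after itself; a mismatch means the
    # frame is truncated or padded, so it is rejected rather than guessed at.
    if protocol_id != 0 or length != len(frame) - 6:
        return None
    return unit_id, function_code


def inspect(session, dst_ip, frame, audit_log):
    """Decide whether one request from a logged-in user may reach a PLC."""
    if dst_ip not in session.allowed_plcs:
        verdict = Verdict(False, "destination PLC is outside this user's zone")
    else:
        parsed = parse_request(frame)
        if parsed is None:
            verdict = Verdict(False, "malformed Modbus/TCP frame")
        elif session.view_only and parsed[1] not in READ_ONLY_FUNCTIONS:
            verdict = Verdict(
                False,
                "function 0x%02X is not a read; blocked in view-only mode" % parsed[1],
            )
        else:
            verdict = Verdict(True, "permitted")
    if not verdict.allow:
        # Every denial is tied to the portal login, giving the record of who
        # tried what that the captive portal approach is meant to provide.
        audit_log.append((session.user, dst_ip, verdict.reason))
    return verdict


def demo():
    """Run constructed traffic for a Finishing Line contractor through the filter."""
    finishing_plc, other_line_plc = "192.0.2.11", "192.0.2.50"  # constructed addresses
    contractor = PortalSession("contractor-01", frozenset({finishing_plc}), view_only=True)
    read_regs = build_request(1, 1, 0x03, struct.pack(">HH", 0, 10))
    write_reg = build_request(2, 1, 0x06, struct.pack(">HH", 16, 500))
    write_many = build_request(3, 1, 0x10, struct.pack(">HHBH", 0, 1, 2, 500))
    audit_log = []
    results = [
        inspect(contractor, finishing_plc, read_regs, audit_log),       # read: allowed
        inspect(contractor, finishing_plc, write_reg, audit_log),       # single write: blocked
        inspect(contractor, finishing_plc, write_many, audit_log),      # multi write: blocked
        inspect(contractor, other_line_plc, read_regs, audit_log),      # wrong zone: blocked
        inspect(contractor, finishing_plc, read_regs[:9], audit_log),   # truncated: blocked
    ]
    return results, audit_log


if __name__ == "__main__":
    verdicts, log = demo()
    for verdict in verdicts:
        print("ALLOW" if verdict.allow else "DENY ", verdict.reason)
    print(len(log), "denials recorded")
```

The filter allows a fixed set of read functions and denies everything else, so a function code it has never seen is blocked by default rather than passed.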

Information technologies are changing constantly. Trying to manage them with proscriptive rules is a hopeless task, because we can never keep up. Instead we need to work from general principles. For example, the definition of mobile device can expand from specific technologies (such as cell phones) to a definition based on their general functionality. For example, one proposed definition is “non-fixed location digital information storage or processing devices”. That covers basically anything that can contain an electronic 1 or a 0 and isn’t bolted down.

Once we have our definitions set, we can move onto determining what actions we want to manage. The example with the captive portal showed how all Wi-Fi devices (rather than subsets like laptop or iPad) can be managed in a uniform manner. If we stick to those principles, I believe we can have mobile devices and security at the same time.

Eric Byres is vice president and chief technology officer at Tofino Security. Click here to read the full version of the Practical SCADA Security blog and to download the white paper.

Tuesday, November 6, 2012 @ 11:11 PM gHale

By Gregory Hale
Safety is job one for a manufacturer, but it can also be a growth driver through risk leadership.

“Every 15 seconds one employee dies around the world in some type of work related accident,” said Cal Beyer, vice president and head of manufacturing of customer industry segments at Zurich North America during his keynote address Tuesday at Rockwell Automation’s Safety Automation Forum in Philadelphia. “We have an opportunity as safety leaders to have an impact and make industrial automation safer.”


That is why Beyer said safety, insurance and risk management can lead the way for a company.

“The ability to learn faster than your competitors may be your only competitive advantage,” he said. “Risk leadership is when we can leverage risk to make a profit.”

Mark Eitzman, safety market development manager at Rockwell Automation, couldn’t agree more.

“Without profitability a business will not exist,” Eitzman said in his preamble to the keynote address. “What is the place of safety? Is safety seen as a balancing act or is a contributor to the health and security of the business?”

While Beyer’s business is insurance, he knows what a company needs to do to leverage all its assets – and that means safety. That is why he kept talking about how to create that competitive advantage. He also added a company’s reputation is “an intangible benefit that helps your company. Safety can truly be the source of competitive advantage because it can reduce the total cost of goods and the total cost of risk. It can impact image and reputation.”

To create a sustainable competitive advantage, Beyer said a company has to:
• Become or remain an employer of choice
• Experience less voluntary employee attrition
• Retain existing customer base
• Attract new customers
• Expand market share
• Enhance the ability to forge strategic partnerships and alliances
• Differentiate from competitors

He also listed the top common causes of supply chain disruption: Accidents, production problems, labor, natural disasters, sabotage/terrorism, financial loss, demand variability, physical

“Accidents are number one and we have the opportunity to have an impact to make our organizations safe and have a competitive advantage.”

“That is why the critical questions you need to ask: Is safety a source of competitive advantage? How does your company measure safety? Are you practicing risk management or luck management?” Beyer asked.

Safety, in the end, always comes down to culture and to what degree a company has it sewn into its very fabric of being.

“How do you know safety is embedded into your workers hearts and minds and embedded into the culture of your company?” Beyer asked.

It does seem safety is growing in the minds of companies as, globally, frequency rates of injuries are decreasing. However, worker injury does remain the leading line of insurance in the U.S.

“Safety performance gaps are where accidents occur,” he said. “It is the difference between what is expected of us and what is accepted by company leadership.”

To make the business case for change, Beyer gave the following steps:
• Align safety focus with productivity and profitability results
• Dual focus: Loss minimization and profit maximization
• Shift to leading indicators to focus on prevention-based activities
• Calculate total cost of accidents and Total Cost of Risk
• Apportion premium and charge-back loss costs to operating units (departments/divisions)
• Fund for preventive and corrective actions from corporate budget (costly to have accidents, not to prevent them)
• Promote and incentivize through bonus managers & supervisors based upon both safety and production performance

Tuesday, August 28, 2012 @ 12:08 PM gHale

Vital New Approach to a Defense in Depth Security Program

By Gregory Hale
It wasn’t that long ago deep within eastern Tennessee’s Anderson and Roane counties, the Department of Energy’s Oak Ridge National Laboratory (ORNL) fell victim to a hack attack where several megabytes of data ended up stolen.

That 2011 attack started when multiple Lab employees clicked on a link in a phishing email disguised to look like benefits information from the human resources department. Hackers were aware of a Zero Day vulnerability in the Lab’s Internet Explorer browser software and they knew just how to take advantage of it.

Lab workers became aware of the intrusion on April 11 and that started them on a frenetic hunt to find a way to stop the attack. By April 15, Lab management came to the ultimate decision: Unplug the Internet. No connection in or out. The attack stopped; so did any hope of using the Internet for the next two weeks.

Work continued at the lab — home to nuclear, chemical and biotechnology research centers — but any kind of communication or interaction or connection to outside sources was gone. Productivity was lost for a two-week period.

To win and gain an advantage today, manufacturing and process businesses must adapt quickly to change. Time to make decisions and take action is more compact. That makes timely distribution of reliable information vital. In today’s business climate, data needs to go out to operations, engineering and management in the proper context. That all means manufacturers must increase accessibility to the system and, while exchanging business and process information is necessary, it does open the door to intrusions.

That is why a solid defense in depth security program is essential for manufacturers, including antivirus, blacklisting, firewalls and whitelisting to name a few. Security ends up being a process of working with and creating continuously-evolving strategies to fend off attackers, who always find new ways to steal information, data, money or whatever they can get their digital hands on.

Whitelisting to Rescue
One of the newer ways to fend off would-be attackers is to create an application whitelisting program.

The goal of application whitelisting for an industrial control system is to prevent unauthorized applications from running, enforce a list of approved applications, include an administration tool that allows for adjustment to the whitelist, and monitor and report attempts to violate the policy.

“If you look at the basic premise of application whitelisting, it is turning patching upside down,” said Rick Kaun, global business manager Industrial IT Solutions at Honeywell Process Solutions. “I use the analogy of being in a night club. As long as you don’t cause trouble, you are allowed in. That means the bad guys can get in and you don’t find out about it until they are causing trouble. Once I know about you, I put a picture of you at the front door and the bouncer does not let you in next time. That is what antivirus is. Whitelisting is the other. Three couples come to your house for dinner. It is a very expected list. You know what to do.”

Antivirus used to be a great tool that could stop an attack cold. The stated goal of antivirus, or blacklisting, is to keep all the bad players out of the system by defining a list of file formats the antivirus mechanism does not allow. Plug in the software and watch it do its magic. Antivirus these days is a staple for a security solution, but it cannot work alone anymore. With new versions of malware hitting the cyber street every day, antivirus just can’t keep up. New variants pop up that can totally evade any detection.

Just in the first quarter this year alone, malware had its biggest increase in more than four years, according to a report from security software provider, McAfee. The number of samples taken was at 83 million, according to McAfee’s quarterly security report. Fake antivirus programs declined in popularity, but software with faked security signatures, rootkits and password-stealing Trojans rose. McAfee counted 200,000 new examples of password-stealing Trojan horses. That is in just one quarter.

Tandem Effort
As a part of a defense in depth posture, manufacturers need whitelisting to play off antivirus.

“They have to work together,” said Mike Baldi, chief cyber security architect for Honeywell Process Solutions. “Our recommendation for industrial control systems is for them to work together. The technologies are not designed to know about each other so they need to be configured to work together otherwise they can conflict. We have seen that scenario. We do feel it is the best protection for a system to have antivirus and whitelisting installed.”

“I don’t think anyone can just stand up with just one,” Kaun said. “A lot of people are standing up with just blacklisting today because whitelisting is such a challenge, but you really shouldn’t put all your eggs in one basket.”

The two technologies need to work together to act as a back up or there could be a problem.

“I can give an example of how they couldn’t work together,” Baldi said. “Both technologies intercept system operations when you open a file. If you have two applications trying to open the same file at the same time, you can get into system contention problems and they could actually cause one or the other applications to fail. For example, whitelisting runs at the kernel mode so it could block antivirus from doing its job. Antivirus could encounter errors because whitelisting was using a file as it was being opened. So, the two applications have to be aware of each other. There is also some scanning that is done by antivirus that needs to be accounted for and whitelisting needs to allow that.”

The perception that whitelisting is complex has always been one of the reasons manufacturers shied away from implementing a program.

“When it comes to process control, I think whitelisting is very well-suited and incredibly challenging,” Kaun said. “The reason why it is incredibly challenging is we are talking legacy control systems. Putting tools in there and locking things down, especially when there are people that don’t understand what their equipment does, if you are using dynamic port ranges for example, how do we actually capture that? That is the challenge.”

Static Bonus
One benefit, though, is the process control environment is relatively static when it comes to software programs. Software is not constantly changing.

“I think the wonderfully beneficial advantage is the environment does not change a lot, so when we get it right, the need to continually tweak that allowed list is a lot less than it would be in a dynamic corporate environment,” Kaun said. “I think on the one hand it is very well-suited because we don’t change a lot, but it is challenging because we have some interesting legacy stuff out there.”

“I can give you a good example of how whitelisting would or would not protect a system,” Baldi said. “A common mode of attack is to replace one of your system files with a version that has malware embedded in it and when you run that utility you also enable the malware which does damage to your system. For instance they could replace the notepad system and when you run notepad you are actually enabling the malware. That kind of attack will be prevented in whitelisting because with your system whitelisted it will not allow a different version of notepad to run.”

The catch, Baldi said, is if the allowed software has a vulnerability embedded in it.

“If there is a Zero Day vulnerability in the existing version that you have whitelisted of notepad on your system, whitelisting will allow that version to run and the attackers can take advantage of that vulnerability,” he said. “Only the version you have whitelisted will run, but if you whitelisted a Zero Day vulnerability, whitelisting will not protect you against that.”

“That is why you need hand-in-hand antivirus and whitelisting,” said Shawn Gold, global solutions leader, industrial IT solutions at Honeywell Process Solutions. “The antivirus should pick up that version of notepad that has a virus in it.”
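The notepad scenario above can be modeled in a few lines. This is an added example, not code from the article or from any vendor's product; it assumes the allowlist identifies executables by SHA-256 hash (one common approach; the article does not say which method the products use), and the class name, verdict strings and file contents are constructed for illustration.

```python
"""Hash-based application allowlist: a minimal model (constructed example)."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Allowlist:
    def __init__(self):
        self.entries = {}      # real path -> approved SHA-256
        self.violations = []   # (path, verdict) records for reporting

    def build(self, root):
        """Baseline step: approve every file currently under root."""
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                self.approve(os.path.join(dirpath, name))

    def approve(self, path):
        """Administration step: (re)approve a file after a reviewed change."""
        self.entries[os.path.realpath(path)] = sha256_file(path)

    def check(self, path):
        """Decide whether path may run; record any policy violation."""
        key = os.path.realpath(path)
        expected = self.entries.get(key)
        if expected is None:
            verdict = "deny:not-listed"
        elif sha256_file(path) != expected:
            verdict = "deny:hash-mismatch"
        else:
            # The check proves identity only. An approved binary that
            # contains an unpatched flaw still gets "allow".
            return "allow"
        self.violations.append((key, verdict))
        return verdict


def demo():
    """Run the article's notepad scenario against constructed files."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        notepad = os.path.join(root, "notepad")
        with open(notepad, "wb") as fh:
            fh.write(b"constructed notepad v1\n")

        wl = Allowlist()
        wl.build(root)
        results["baseline"] = wl.check(notepad)

        # Someone swaps the system file for a modified copy.
        with open(notepad, "ab") as fh:
            fh.write(b"stand-in for embedded malware\n")
        results["replaced"] = wl.check(notepad)

        # A program that was never on the list.
        unknown = os.path.join(root, "unknown_tool")
        with open(unknown, "wb") as fh:
            fh.write(b"constructed unknown binary\n")
        results["unknown"] = wl.check(unknown)

        # A legitimate upgrade also changes the hash, so it is blocked
        # until the list is updated as part of change management.
        with open(notepad, "wb") as fh:
            fh.write(b"constructed notepad v2 (vendor update)\n")
        results["update_before_approve"] = wl.check(notepad)
        wl.approve(notepad)
        results["update_after_approve"] = wl.check(notepad)
        results["violations"] = len(wl.violations)
    return results


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(step, "->", verdict)
```

The same mechanism that blocks the swapped file also blocks an unapproved vendor update, which is why the allowlist has to be maintained alongside every software change.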

System Speed
With the traditional security software on a system, end users often fret over adding any more software, fearing it will slow down the process.

But that often ends up not being a problem.

“That is always one of the biggest concerns we have,” Gold said. “From anything we add to a process control system, where some IT folks may not be as concerned about the loading on a system, we are paranoid. We have very strict rules on how much load a system can have.”

“From a technical side we are extremely concerned about any changes in the load to our systems because it can impact performance in an upset condition when we need the most horsepower,” Baldi said. “Because of that, we have done some exhaustive testing on our largest systems and we have found some scenarios where whitelisting had a significant impact on operations because of the way the operations worked with the files system. We were able to very quickly — once we have tested them and discovered them — tune the whitelisting so it didn’t impact those areas.”

“If properly tuned and managed for your systems, it can have a negligible impact,” Gold said. “But you have to take that due care and attention.”

System Residence
For an industrial control system, whitelisting does not run at the network level, but rather on every individual node you install it on. So every PC running either a Windows or Linux operating system can have whitelisting running on it. The installation on that node protects only that node.

That means for users to get the most benefit out of whitelisting, they need to understand their system and know what is running on it.

“You should be reviewing your cyber security vulnerability and attack vectors on your system on a somewhat regular basis,” Gold said. “When it comes to whitelisting, if you install an update to your system, you will have to update your whitelist as a part of the ongoing maintenance. It depends on how frequently you upgrade your systems. If you are going to install software upgrades once a year, you should be updating your whitelisting as well.”

“The conclusion is whitelisting has to be tightly integrated into your process control solutions,” Baldi said. “If it is tightly integrated it is not an issue, it is not something a casual user will go and pull a whitelist solution off the shelf put it on the system and expect it to work seamlessly, there is a definite tight integration needed there.”

That integration will enable the manufacturer to do what they do best: Make product. As a part of an integrated security package, it will also help keep systems running, which increases productivity and profitability. But whitelisting is not the Lone Ranger; it will need to work in conjunction with other programs and solutions and that will increase a defense in depth posture so attackers can’t get in and steal important information.

“White listing should never be considered a silver bullet,” Gold said. “It’s not a replacement for a customer that has other things like blacklisting/antivirus or what other tools they may have. It is something they should be considering in addition to what they currently have. It does buy them some additional benefits in addition to the added security it does provide.”

Gregory Hale is the Editor and Founder of Industrial Safety and Security Source (

Tuesday, August 28, 2012 @ 12:08 PM gHale

Application Whitelisting can Toughen Up Weakest Link

By Gregory Hale
IT folks were happy at one major U.S. manufacturer a few years ago as they were installing state of the art security technology. “This is the best move for the organization to keep free and clear from any miscreant bug or viruses launched into the network,” they were saying at the time. Just as they neared the end, the crew worked over the weekend to iron out all kinks so they could have it ready first thing Monday morning.

When Monday came, the long-time process control engineering team came in and promptly turned off all the new security measures because it was too different and not the way they always did things.

Human error.

It seems a hacker element left a bunch of malware-riddled USB sticks in a parking lot at Dutch chemical giant DSM. Instead of plugging the discarded drives into a workstation, which would have infected the machine, a DSM worker who found one of the devices handed it in to the IT department.

The IT workers did a quick check and found an unspecified password-stealing keylogger.

System saved.

Technologies like antivirus, firewalls and whitelisting are vital to helping secure any manufacturing automation system, but the human factor is the key ingredient to shepherd any process to ensure continued uptime that will hike productivity and profitability. The catch, though, is that everyone needs to be on the same security page.

“The gray beards are saying ‘unplug it, we don’t need it, who cares. I have been running this plant for 30 years,’ ” said Rick Kaun, global business manager Industrial IT Solutions at Honeywell Process Solutions. “That just isn’t realistic given the business needs for data.”

Arms Around Information Flow
Information, and information flow, is more valuable than ever to organizations. Despite its importance, companies don’t really understand how to effectively manage this valuable resource. An estimated 49 percent of the worth of organizations derives from the information they own, according to the “State of Information Survey” from Symantec Corp.

When asked what would happen if their organization’s information were irrevocably lost with no chance of recovery, survey respondents said they would lose customers (49 percent), damage the brand (47 percent), decrease revenue (41 percent), increase expenses (39 percent) and suffer a tumbling stock price (20 percent).

Protecting against stolen data, information, intellectual property, business market plans, and even money is becoming more complicated and sophisticated. That is why a solid defense in depth strategy for manufacturers, including application whitelisting, is more important than ever.

Complexity, or perceived complexity, of technology is an automatic turn off for users. That has been the problem in the past with whitelisting, but this technology is much too valuable to dismiss with a mere perception. Whitelisting, unlike other security programs, can actually be an application where you put it on the system and forget about it. Just maintain it when you do a security assessment.

The goal of application whitelisting for an industrial control system is to prevent unauthorized applications from running, enforce a list of approved applications, include an administration tool that allows for adjustment to the whitelist, and monitor and report attempts to violate the policy.

“I think whitelisting further enhances the value of a skill set that has the knowledge of process control and IT,” Kaun said.

The initial pushback against whitelisting always seems to fall along the lines of complexity and restrictiveness. But in reality, a manufacturer can make the program as restrictive as it wants and building it can be as easy as following directions.

“You have to build a list,” said Shawn Gold, global solutions leader, industrial IT solutions at Honeywell Process Solutions. “There are tools that come with the whitelisting that has some installation scripts, but you have to build a list of things that are allowed.”

“Basic whitelisting provides protection by creating a list of known good executables that can run on your systems,” said Mike Baldi, chief cyber security architect for Honeywell Process Solutions. “All the application whitelisting systems available provide that functionality, but there are additional features. For example you can choose to protect areas of your registry if you want. You can choose to lock down your USB devices. You can enter rules for the whitelisting to protect against certain memory type attacks. These are above and beyond the basic white listing protection. Everything you configure in the system has a risk that you may lock down some normal operation that is needed to run the system. So you have basic whitelisting that can be restrictive to a certain point or you can continue to lock down the system extremely tight with whitelisting, but you have to be very careful to understand the consequences of locking it down.”

Constant Vigilance
With a slowly recovering economy, the need to keep producing more product these days at a lower cost point is at a premium. That means any unplanned downtime could be devastating to any manufacturer’s bottom line. That is why companies need to avoid dreaded downtime and work with multiple layers of defense and constant user education.

The problem is end users tend to be the most common and hard-to-remediate weak point, and even security researchers struggle to address the problem. “You can’t patch users,” said Greg Conti, associate professor of computer science at West Point, in the Georgia Tech Information Security Center and Georgia Tech Research Institute “Georgia Tech Emerging Cyber Threats Report for 2012.” “And there’s always a human being somewhere behind the security technology.”

One source in that study agreed with Conti, “People are always the most vulnerable part of the IT infrastructure,” he said. “We have so many security layers and defenses, from separating physical control systems from the standard business network, to DMZs, to limiting network protocols that communicate with physical systems, and securing all the primary UIs to the Internet. At the end of the day, there’s a person on the end of all that security that can make decisions that will have an impact.”

Installing application whitelisting presents an upfront learning curve for users, but it is one that can be worth the time and effort.

“Our customers are learning really quickly,” Gold said. “I think the majority expect whitelisting to be more all encompassing and reduce the level of management significantly. It will help, but you have to really be careful about it. The maturity of our customers is increasing, but I do think there are a lot of misconceptions still.”

“The hype about whitelisting is high,” Baldi said. “There has been a lot of publicity. The understanding at the technical level at how involved it is and how tightly it has to be interlaced with your system isn’t there. They hear words that this wonderful technology is available and it is going to increase your security protection, but there hasn’t been a lot of activity so far in applying whitelisting so there is not a lot of practical knowledge with that.”

Human Issue
Fear of complexity is one issue, but there is another Kaun feels has a strong human factor involved.

“It is apathy,” Kaun said. “I think the big vendors last year came up with 4,000 viruses or threats, but internally we came up with about 15,000 threats out there. Your least informed employees are your single biggest threat, so you can have all the technologies in the world, but if someone is holding the door open or handing out passwords then you have a problem.”

“I read one study that said 50 or 60 percent of people on the street said they would give over their favorite password for a free chocolate bar. It’s not whether we have application whitelisting or not; whether we have intrusion detection or not; whether we have a full robust program; whether we have point solutions, it is apathy.”

Users need a solid technology base and a good plan that everyone knows, Kaun said.

“The source of the threat is not as important as when it gets here, and some day it will in some shape or form. How equipped are we to weather that storm, that is the real risk. If you see it as you want to spend how many dollars to make sure al-Qaeda doesn’t hack us, your problem there isn’t budget, it is education and awareness.”

Who takes responsibility and what should a user do often becomes an issue at a plant. Should it be IT, or should the process engineering team take control? At the end of the day, it often becomes an all hands on deck effort.

“Manufacturers are using every tool available to them,” Gold said. “Every combination exists; from the IT group being responsible, to the IT group embedding a person within the process control group, to the process control group being totally responsible and not having anything to do with the IT group.”

“The worst situation is where no one does anything, which is more common than one would expect. Then there is the thinking that we don’t have to do much because we are locking things down with an air gap. Even when air gaps are used in combination with locking down USB ports and not allowing vendors with their laptops to connect to their system, they are missing the critical point on how to mitigate or manage a virus when a path in is eventually compromised. There are various levels of preparedness.”

Patch Threat
Patch management is one more way whitelisting can help users overcome some threat issues.

“Whitelisting can reduce the need to patch, but it will not eliminate the need to patch. It is protecting you from certain vulnerabilities until the opportunity comes to apply the patches,” Baldi said. “It is a tremendous potential benefit as long as the limits of that benefit are realized. There are combinations of technologies and benefits that we call defense in depth that together can significantly reduce the need to patch. What I mean by that is they can allow you to run with known vulnerabilities in your system longer until you can schedule maintenance time to do your patches. That would be your antivirus software, your whitelisting software and a third technology called virtual patching, which is basically intrusion protection from the network out. Those three technologies together can significantly reduce your need to patch and allow you to better manage your patch cycles.”

“A lot of people in the plant environment think along the lines of you set it and forget it,” Kaun said. “Part of the value of whitelisting is it works on that premise. The flip side is when you go to change something, how do we manage that so we don’t turn the whitelisting off? The problem is if anything changes it becomes completely useless. That is the challenge when we apply patches we have to make sure the scrutiny has to be much greater so we don’t break our application whitelisting. So, a very detailed technical analysis and a more thorough change management needs to take place.”

Application whitelisting all comes down to helping eliminate human error so manufacturers can keep their system up and running during a time when sophisticated attacks are on the rise.

“It is about safe reliable expected operation,” Kaun said. “Am I concerned? I am concerned because there is more risk and the clients we serve are increasingly under pressure and hitting downtime.”

“We need to not worry about the noise and just get down to work.”

Gregory Hale is the Editor and Founder of Industrial Safety and Security Source (

Tuesday, June 26, 2012 @ 01:06 PM gHale

By Gregory Hale
In these days of resource challenges, productivity will be the answer on how to get manufacturers to the next level of strong profitability.

“That is one of the most important topics in the business world today,” said Raj Batra, president of Siemens Industry Automation Division during his keynote address today at the 2012 Siemens Automation Summit in Washington, DC.

Contrary to public opinion, manufacturing in the United States grew last year by 4.3 percent and should grow by 5.2 percent this year, Batra said. While that is not a huge number, it is a positive sign the economy is coming out of its deep slump and is moving forward.

One of the reasons for the growth is a concept called reshoring, where manufacturers are not farming out manufacturing to a less costly manufacturing center, but rather bringing manufacturing closer to where they will sell the product.

A few of the reasons for this are the energy costs involved in shipping the product across the globe and also the rise in wages in the manufacturing countries, Batra said.

Also, because manufacturing is more strategic to enterprises, companies are now spending more on innovation. “Manufacturing represents 11% of U.S. GDP but accounts for 70 percent of R&D,” Batra said, citing industry research.

Yet another issue confronting manufacturers is the hunt for resources. Finding oil, water, natural gas, and minerals is not as easy as it used to be, so it costs more to cull them from the earth.

“We are feeling the resource crunch,” Batra said. “There has been a 100 percent increase to bring oil wells online in the past decade. The next 20 years are going to be different.”

What is the answer? Batra said productivity.

If a company can increase its productivity, it can reap more in profitability. Areas to do that include increasing energy efficiency, increasing the efficiency of municipal water operations, and increasing the use of renewable energy.

Increasing productivity is something the industry has talked about for years, and it is really moving in that direction, but that is just one aspect a manufacturer can look at for future growth.

Another area for a manufacturer to understand is what the plant will look like in years to come. That is where Yiannis Dimitratos comes in.

The head of the Corporate Center of Competency in Automation & Process Control in Engineering and Operations for DuPont said during his keynote that manufacturing plants will look quite a bit different in the coming years than they have in the past.

He said it is all about process operability. “That is the key to making desired products in order and on time and to defined quality in a safe, secure and environmentally acceptable way,” Dimitratos said. “The plant of the future will be a totally different place. It will be a smart plant.”

The idea of a virtual plant working within the real plant is coming closer to reality, he said.

“Virtualization can help improve the plant where you are not testing on the real plant, but instead are validating and testing before going live,” Dimitratos said.

Wednesday, April 18, 2012 @ 02:04 PM gHale

By Gregory Hale
A successful safety profile is all about making quality risk assessments and the new ISO machine safety standard that is making the old EN 954-1 standard obsolete does that by increasing a manufacturer’s performance level.

“The standard provides a quantitative approach to risk assessment and safety validation,” said John D’Silva, marketing manager safety at Siemens during a webinar entitled “Transitioning to ISO 13849-1: Changes Required and Helpful Tools.”

“This makes sure that safety is not solely a matter of component reliability, but also relies on common-sense safety principles such as redundancy, diversity and fail-safe behavior. Under this standard, the risk assessment for a given safety function will yield a performance level, this helps eliminate both over- and under-engineering, a costly or risky result of EN954-1’s limitations.”

“The new standard accommodates the advances in technologies and that is the main advantage,” D’Silva said. “Further it corrects deficiencies in EN 954-1.”

ISO 13849-1 Safety of machinery: Safety-related parts of control systems (SRP/CS) provides safety requirements and guidance on the principles for the design and integration of safety for control systems, including the design of software.

It specifies characteristics that include the performance level necessary to carry out safety functions. It applies to SRP/CS regardless of the type of technology and energy in place, whether electrical, hydraulic, pneumatic, mechanical, or others, and for all kinds of machinery.

The new standard addresses the dramatic changes in technology the older standard (EN 954-1) was incapable of handling, in particular, determining the safety of programmable products.

D’Silva, an integrated safety expert at Siemens, gave an outline on software-based tools that assist in achieving compliance to the standards. The tools are SISTEMA (Safety Integrity Software Tool for the Evaluation of Machine Applications) and SET (Safety Evaluation Tool).

The SISTEMA software utility provides developers and testers of safety-related machine controls with comprehensive support in the evaluation of safety via ISO 13849-1. It enables one to model the structure of the safety-related control components based upon the designated architectures, thereby permitting automated calculation of the reliability values with various levels of detail, including the Performance Level (PL). The SISTEMA program is now available.

SET for the IEC 62061 and ISO 13849-1 standards is a TÜV-tested online tool that supports the fast and reliable assessment of your machines’ safety functions. One can realize a standard-compliant report that serves as documentation as a proof of safety.

Safety is becoming even more important today than ever before and the new standard will help users move toward the main functions of safety and that is to protect workers, property and the surrounding area. In addition, there are the needs to reduce cost pressures and maintain productivity. With the push toward globalization, there is an increased need for production and one of the ways to meet that need is to lose the old way of doing things and integrate safety.

It is simple: reducing risk means systems remain running, which means a higher level of productivity and increased profitability. While that sounds simple, getting from Point A to Point B is often fraught with challenges.

The new standard is one area that can help eliminate those challenges.

Key changes incorporated into EN ISO 13849-1 to address deficiencies in the previous standard and accommodate new technologies:
• Addresses the programmable electronic safety devices used increasingly in modern machines.
• Accommodates new technologies now commonly used in safety systems.
• Provides a quantitative approach to risk assessment and safety validation.
• PLs quantify the required and achieved level of safety in probabilistic terms.
• Defines measures for diagnostic capability and common cause failures.
• Increases customer confidence in safety and integrity of their product.
