We mentioned last year about an iPhone app that monitored Omron PLCs called Scadamobile. The new version (1.3) that was approved on iTunes a few days ago, now supports the Ethernet/IP protocol. This app allows the user to read/write tags in the Logix family (CompactLogix and ControlLogix) of Allen Bradley controllers.
Here is a download of the ISA100: Wireless Systems for Industrial Automation Standards Update Webinar presentation. It was part of Lehigh Valley ISA’s January event and was presented by Dick Caro (Certified Automation Professional, Founder and Principal of CMC Associates).
Melissa Hathaway, President of Hathaway Global Strategies, LLC and Senior Advisor at Harvard Kennedy School’s Belfer Center wrote a great article yesterday about the myths of cybersecurity.
In a nutshell …
Myth 1: Consumer protection exists in cyberspace
Myth 2: Firewalls and virus scanners protect my computer and my enterprise
Myth 3: My government has the solution and will protect me
Myth 4: Physical assets are more valuable than information
Myth 5: Laws are keeping pace with technological innovation
I would like to especially call out Myth 2. There seems to be a false sense of security with installing firewalls, intrusion detection systems, virus scanners etc. within enterprise and industry. I have come across many situations within the manufacturing and control systems space where the engineers are totally satisfied with the security of their networks (as they have firewalls and virus scanners in place). However, what they don’t realize is that their network is still vulnerable and open to other forms of security breaches/ problems.
Security within a network is not just about physical implementation and should not be centered around it (which unfortunately a lot of people do). Security within enterprise or/and automation systems should be policy based with physical implementation (like firewalls and virus scanners) being one part of puzzle. No matter how big or small your network is, it is a good practice to have policies in place — you always want to be prepared for eventualities.
“Oops, I didn’t mean to do that!”
Security problems don’t just happen with viruses, it could be as simple as a factory worker accidentally pressing the wrong button, uploading the wrong ladder logic program, accidentally pulling out the wrong network cable from the network switch or accidentally dislodging the power cord.
Securitysearch.com gives a good definition of a “Security policy”:
“…a security policy is a document that states in writing how a company plans to protect the company’s physical and information technology (IT) assets. A security policy is often considered to be a “living document”, meaning that the document is never finished, but is continuously updated as technology and employee requirements change. A company’s security policy may include an acceptable use policy, a description of how the company plans to educate its employees about protecting the company’s assets, an explanation of how security measurements will be carried out and enforced, and a procedure for evaluating the effectiveness of the security policy to ensure that necessary corrections will be made.”
I would like to add to the Myth list –
“Myth 6: My network is 100% secure”
“Myth 7: Hackers always cause network security problems”
There is no such thing as a network being 100% secure. A good secured network is one that has policies/ steps to minimize loss of investment and control breaches/ exploits (purposeful or accidental).
There is also a common perception that network security problems always originate from the outside (from hackers or crackers). Not all security problems are purposeful, they can be accidental too and could originate from within the company. A good security policy accommodates and plans for internal and external occurrences.
To end this off, here are some steps companies should take to protect themselves:
1) Learn and educate yourself — Get a good understanding of the types of security threats you face in your environment
2) Do a risk assessment that reveals the crucial/beneficial areas of your network investment
3) Create policies and procedures that integrate security in accordance to your assessment
4) Integrate/ deploy up to date technical controls
5) Plan for eventualities and how to respond to them
6) Continually update/ revise policies
Of course, I am just scratching the surface here as network security has many facets to it. It does however give you something to think about and is something that can’t be taken lightly.
Do you have other Myths to add? Let us know in the comments area.
This is not new (been out since August), but I thought I would mention it as an eye opener.
Ethernet/IP, the industrial communications protocol that enables communication between machine I/O information systems, factory floor devices and enterprise systems has an open-source software stack. The stack was created and recently released by the Vienna University of Technology’s Automation and Control Institute and written in the C Programming language.
This is great from the standpoint of reducing development costs and cutting the risk of implementation. It may very well be a catalyst for vendor adoption and implementation of (the already popular) Ethernet/IP protocol. I’ll go as far as to say that it may also increase custom development from independent outfits/ system intergrators and internally within the larger industries.
Link to the license and royalty free adapter stack download @ SourceForge
As you may have already heard, the ISA (International Society of Automation) announced last week that it is ending its annual ISA Expo. It will be replaced by “Automation Week”, an event centered around seminars and training rather than trade show booths; held at the Westin Galleria in downtown Houston. Vendors will still be allowed to have booths but will be limited to one 10×10 space each and maximum of 100 vendors.
We did participate in last year’s show and was disappointed with the amount of attendees and the geographics of them. It seemed that the attendees just didn’t have a good mix geographically and were too concentrated — the majority of attendees seemed to be from Texas and the nearby states. The general consensus from those I’ve talked to this year weren’t any different. The event this year drew 8000 attendees, where only 200 registered for the educations programs and there was noticeably less exhibitor booths, a significant drop from the 2008 Expo.
Vendor neutral trade trade shows like ISA Expo seem to be rapidly becoming a thing of the past. Companies are participating more in targeted technology, vendor specific/automation based trade shows (e.g. Rockwell Automation’s Automation Fair). Companies are also leveraging the power of the internet and distribution channels in getting their product announcements out. With several more cost effective ways to announce product releases on the Internet, countless social networking outlets, and limited travel restrictions due to the economy, the lure of traditional trade shows is just not the same as it was. The increasing costs of exhibitor booths, hotel accommodations and the extra costs of booth amenities like electrical outlets, internet, shipping etc. also play apart.
It remains to be seen whether this new format will be embraced (considering the fact that the educational programs this year were poorly attended). The cost/quality of this type of show would be a factor in whether people would fly in for 4 days — ISA would have to make it extremely worth their while. A suggestion has been to move it out of Houston and host it in different states every year. Having it in different states tends to create mixtures of vertical industry focus. I have found that having it in Houston every year tends to shift the focus to the Oil/Gas related industry (for obvious reasons; although not purposely done). It will be good to have a change from that (unintended) focus. Having it in different locations could also play to their advantage as allows them to create a themed approach of the event based on geographical location.
The announcement wasn’t much of a surprise to me, considering the declining participation compared to Expos of previous years and in local ISA chapters too (one in particularly has disbanded in our region). My overall impression is that this announcement was sort of a rushed decision — it seems that they are putting a sudden stop to the Expo without a clear picture/direction of what they are going to do next year.
