Author Archives: Walt Boyes

Extreme Badness from Malware and Design Flaws Impact Industry

Insiderlogo3First, there’s the Triton Exploit

In 2004, Triconex safety expert Robert Adamski told me, “I’m going to share my nightmare with you.” He proceeded to talk about, not a safety issue, but a cyber security issue. He predicted that it would be possible to penetrate a control system and enter the safety instrumented system, the SIS, which is designed to safely shut down a plant in the event of a failure in the process. He explained exactly how his hacker, “Let’s call him Ali al Qaeda,” would be able to do that, and he dared me to tell him it couldn’t happen.

 

Ever since then, I have been talking about Bob Adamski’s nightmare, and nobody has ever been able to tell me it couldn’t happen.

 

The best they could do was to assert, pretty baldly, that it was highly unlikely, that it would require great resources, and would not happen because it would potentially cause extreme damage. Neither Adamski, who passed away a few years ago, nor I ever believed much in that argument, and we’ve been waiting for Bob’s nightmare to come true.

 

Well, now it has. Not quite as badly as Adamski feared, and no plant was destroyed. But an attacker targeted an SIS system, and caused it to shut down the plant.

The best description of what happened, and what the malware can do is in a blog by Heather MacKenzie of Nozomi Networks. You can read the entire blog here. She makes some important points.

 

“The attack reprogrammed a facility’s Safety Instrumented System (SIS) controllers, causing them to enter a failed state, and resulting in an automatic shutdown of the industrial process,” MacKenzie wrote. 

 

The attack is bold and notable,” she said, “because it is the first known industrial control system (ICS) attack that has targeted and impacted not just an ICS, but SIS equipment. Also, the type of SIS attacked is widely used and is commissioned in a consistent way across many industries.”

 

She then makes an important point. “The SIS system that was attacked was a Schneider Electric Triconex Safety Instrumented System (hence the malware moniker “TRITON”, also known as “TRISIS”.)  However, the malware was not designed specifically for Triconex, it was designed because the target organization was using Triconex(emphasis added).”

 

What MacKenzie, and Nozomi Networks’ partner, Fireye, which discovered the exploit, says is that FireEye is moderately confident that the attacker inadvertently shutdown operations while developing the ability to cause physical damage. You can read their reasons for coming to this conclusion, and many other important details about the attack, in the FireEye blog post on TRITON.

 

MacKenzie notes, “ It is the first known malware targeting SIS, and only the fifth malware known to specifically target ICS (after Stuxnet, Havex / Dragonfly, Blackenergy2, and Industroyer / CrashOverride).”

 

It is likely that if the target enterprise had been using another SIS system, the exploit would have targeted that one instead of the Triconex system.

 

Now that the exploit has demonstrated that SIS systems as a class are penetrable and vulnerable, we can expect to see more attacks.

 

“Cassandras” like Joe Weiss, myself, Eric Byres (of Tofino fame) and others have been pointing out for a decade that there is a thought gap between data security, which most cyber security systems are based on, and process safety. You cannot have a secure system unless it is a safe system. You cannot have a safe system unless it is a secure system. We can no longer ignore this fact or Bob Adamski’s nightmare will become all too real.

 

Intel, AMD, and Other Processors Vulnerable

 

If the Triton Exploit weren’t enough, the entire computing world was rocked in December  and early January by the revelation that processors by Intel, ARM, AMD, and even Qualcomm (one of the largest manufacturers of mobile device processors) are vulnerable to a series of vulnerabilities, like Spectre and Meltdown, which leave them open to attack.

 

How this impacts the automation industry is obvious. Since the major automation vendors abandoned making their own chips, almost forty years ago, chipsets by Intel, ARM, AMD and others have been used in everything from sensors to controllers, to the computers that DCS and SCADA systems run on. The computers that serve as cloud servers are not immune either.

 

A report from CNET describes the issue: “Researchers found two major weaknesses in processors that could let attackers read sensitive information that should never leave the CPU, or central processing unit. In both cases, attackers could see data that the processor temporarily makes available outside of the chip.

Here’s why that happens: To make computer processes run faster, a chip will essentially guess what information the computer needs to perform its next function. That’s called speculative execution. As the chip guesses, that sensitive information is momentarily easier to access.”

 

Spectre and Meltdown (which targets cloud servers) can be used on systems that are not patched to prevent it, to permit unauthorized entry into the system. Now, it is in the industrial space that systems will potentially NOT be patched.

 

This is because in many cases, the system cannot be shut down to patch it, or the system is running on an archaic processor. There are thousands of Windows XP systems running in the industrial environment. There are instances of even Windows 3.11 and DOS systems running processes yet today. These systems cannot be patched.

 

Intel and the others state that the flaw has existed for at least twenty years, so all those archaic systems are vulnerable.

 

CNET reports, “Researchers, chipmakers and computer companies all say there are no known examples of hackers using these weaknesses to attack a computer. However, now that the details of the design flaws and how to exploit them are publicly available, the chances of hackers using them are much higher.”

As the Triton Exploit and others have proven, hackers up to and including nation states, have been trying to penetrate Industrial Control Systems for at least a decade and a half already. This just gives them another avenue to exploit. And as the ICS malware exploits we have already seen show, it is not all that difficult to attack a control system that is not adequately defended.

 

Operating system manufacturers like Apple and Microsoft are scrambling to patch their systems so that the exploits cannot be used. But the fact that it exists in nearly all processors means that it will be hanging over us for a long time.

In the meantime, be wary of phishing and other means of achieving entry into your control systems. Be afraid. Be very afraid.

This first appeared in the December 2017 INSIDER. If you like this kind of reporting and analysis, please consider becoming an INSIDER subscriber. Visit http://www.spitzerandboyes.com/insider for more information.

 

A Little Off-Topic: Peter S. Beagle Named SFWA Grand Master

Peter S. Beagle Named SFWA Damon Knight Grand Master
I don’t always write about automation, technology, and manufacturing. I write and edit science fiction, fantasy and alternate history as well. This brings me into contact with a variety of well-known writers, like Larry Niven, the late Jerry Pournelle (who I replaced as a Director of the Heinlein Society) and many others.
I have known Peter Beagle since 1973, when I did the lighting and set design for a play he was performing in at UC Santa Cruz. He is one of my favorite people. A couple of years ago, at Balticon, my wife Joy Ward, who is the interview columnist for Galaxy’s Edge magazine, with some technical assistance from me, conducted a far-ranging interview with Peter, excepts from which were published in the September 2016 issue of Galaxy’s Edge magazine, and a longer version to be published by Shahid Mahmoud sometime this year. We are extremely delighted that Peter has received this very long overdue honor from his peers.
The Science Fiction and Fantasy Writers of America (SFWA) is pleased to announce that Peter S. Beagle has been named the 34th Damon Knight Grand Master for his contributions to the literature of Science Fiction and Fantasy.
The Damon Knight Memorial Grand Master Award is given by SFWA for “lifetime achievement in science fiction and/or fantasy.” Beagle joins the Grand Master ranks alongside such legends as C. J. Cherryh, Anne McCaffrey, Ursula K. LeGuin, Isaac Asimov, Ray Bradbury, and Joe Haldeman. The award will be presented at the 52nd Annual Nebula Awards Weekend in Pittsburgh, PA, May 17-20, 2018.
Beagle may be best known for his novel The Last Unicorn, and has also explored our fascination with the mythical in The Innkeeper’s Song, A Fine and Private Place, and a wide variety of short fiction. Beagle won the Hugo and the Nebula Award for his 2005 novelette “Two Hearts.” He has won the Mythopoeic Award for his novels The Folk of the Air and Tamsin. He was nominated for a Hugo for his adaptation of J.R.R. Tolkien’s The Lord of the Rings for Ralph Bakshi’s animated version and wrote the screenplay for the Star Trek: The Next Generation episode “Sarek.”
SFWA PRESIDENT, CAT RAMBO
Peter Beagle’s work has been the gateway for multitudes of fantasy readers, but also writers as well, including myself. His work shines a light on the human heart and its beauties even when that heart is flawed and wanting, showing how that beauty arises from such imperfect conditions. Beagle unquestionably belongs among the greats, and I count it a privilege to invite him to be the next SFWA Damon Knight Memorial Grand Master.
The Nebula Awards will be presented during the annual SFWA Nebula Conference, which will run from May 17th-20th and feature expert presentations, seminars and panel discussions on the craft and business of writing, SFWA’s annual business meeting, and receptions. On May 20th, a mass autograph session will take place at the Pittsburgh Marriott City Center and is open to the public. For more information on the conference, including a link to register, please visit nebulas.sfwa.org.
The Nebula Awards recognize the best works of science fiction and fantasy published in the United States as selected by members of the Science Fiction and Fantasy Writers of America, membership in which is open to professional science fiction and fantasy authors. The first Nebula Awards were presented in 1966.
In addition to the Nebula Awards, SFWA will present the Bradbury Award for Outstanding Dramatic Presentation, the Andre Norton Award for Outstanding Young Adult Science Fiction or Fantasy Book, the Kate Wilhelm Solstice Award, the Kevin O’Donnell, Jr. Service to SFWA Award, and the Damon Knight Memorial Grand Master Award.

Consolidating Distribution

Insiderlogo3The Ongoing Consolidation Trend in Distribution
E+H Appoints TriNova in Upstate New York and New England

When your editor first began working as a sales engineer in the automation industry, distribution in North America was defined by the Dodge marketing territories.

These were county-by-county (later modified to be zipcode-based) distribution and representation maps, published by the F. W. Dodge Company. Every automation company representation contract used these territories. There was the “Northern California Territory” for example, which included the counties of Western Nevada, but not Clark County (home of Las Vegas and the military bases).

These territories were most often “exclusive” meaning that only one company had distribution rights in that territory for those products.

These territories have become more and more irrelevant. There are several reasons for this.

First, the economics of the small, family-operated, one- or two- person rep firm, or distribution company decayed. It now costs approximately $500 to make a single sales call. The traditional “eight calls a day” sales methodology simply stopped working.

Second, the generational shift left many second- or third- generation rep/distributor owners looking for exit strategies because they didn’t really want to work in the family business, or couldn’t make a living at it any longer.

Third, the better capitalized rep and distributor firms started expansion plans that focused on either buying a small rep or distributor in a new territory or simply bypassing existing distribution and starting up an entirely new enterprise, and soliciting crossover from their existing principals.
Endress+Hauser has been working with this level of consolidation since the early 2000s. At one point, they even purchased a representative firm which was in financial distress, and kept it running. Now, they’ve done it again, in New England and Upstate New York.

Fourth, the explosion of electronic commerce has made other options than buying from a local rep or distributor possible.

TriNova Inc. is a long-time representative and business partner of Endress+Hauser, and is 50 years old as a company. The company is the automation supplier’s Sales Representative and Authorized Service Provider in the southeast and has now expanded its operations in New England and Upstate New York from new offices in Ballston Spa, NY.

The two companies have spent the last three months preparing for a smooth transition by staffing the new office and training personnel. Teams have been established and are ready to provide customers in the new territory dedicated support and services in all markets and industries.

“We are pleased to have the opportunity to expand our partnership with TriNova in the New England and Upstate New York region,” said Chris English, Vice President of Sales, Endress+Hauser.

And, just as this issue is going to press, E+H announced that they were partnering with their rep and service provider in Oklahoma, Vector Controls to put together a consortium to work in the oil field industry, with partnerships with Angus Measurement Services, TechnipFMC and its Authorized Service Provider, Vector Controls. The automation companies will collaborate to bring added value to the oil and gas industry, assisting customers with transition to the digital oilfield. The partnership alignment between the automation companies is to inform and better prepare the oil and gas industry and customers for Industry 4.0. The oil and gas industry has played a pivotal role in the economic transformation of the world. Today the industry can set new parameters and direction through digitalization.

If you liked this content, there’s much more where it came from. This story was originally published in the December 2017 Industrial Automation and Process Control INSIDER. You can subscribe by visiting http://www.spitzerandboyes.com/insider.

Emerson Acquires ProSys Inc.

Emerson Completes Acquisition of ProSys, Inc.

Deal adds new software capabilities to improve plant performance and brings new technologies to Emerson’s Operational Certainty initiative

Emerson (NYSE: EMR) announced on the 17th of January that it has acquired ProSys Inc., a global supplier of software and services that increase production and safety for the chemical, oil and gas, pulp and paper, and refining industries. By building intuitive processes for plant operators, these solutions make everything from everyday operations to responding during abnormal situations easier.

“The staff of ProSys are all friends of long standing and the INSIDER wishes them all well and congratulates them on their success,” said Walt Boyes, editor/publisher of the INSIDER.

“Adding ProSys’ differentiated technologies and expertise allows us to help our customers improve plant performance, safety and profitability by optimizing their human and automation resources,” said Mike Train, executive president, Emerson Automation Solutions. “With ProSys, we can provide innovative control and operator performance capabilities to make control room operators far more effective.”

Executive President Mike Train

ProSys’ portfolio includes solutions that help operators manage alarms critical to plant production and safety, and efficiently handle changing plant states. In addition, ProSys provides modern, high performance and intuitive graphics for better operator communications.

ProSys complements Emerson’s May 2017 acquisition of MYNAH Technologies, which provides dynamic simulation and operator training software. Together, these technologies embed expertise to help operators navigate plant systems safely and efficiently, and prepare customers to accommodate the changing state and age of the industrial workforce.

“Our specialization in software and services that increase operator performance builds on Emerson’s market leadership in automation control systems,” said Dustin Beebe, president and CEO at ProSys. “By working together as one, we can provide even more operational and financial value to customers.” Beebe will join Emerson Automation Solutions as vice president, control and operator performance.

Dustin Beebe will join Emerson as Vice President of control and operator performance

The ProSys software portfolio supports Emerson’s Operational Certainty™ program designed to help industrial companies achieve Top Quartile performance in areas of safety, reliability, and production.
Terms of the acquisition were not disclosed. For more information about ProSys Inc., visit https://www.prosys.com/.

Is Malware the Achilles Heel of the IIoT?

Insiderlogo3Is Malware the Achilles Heel of the IIoT?
By Walt Boyes

(Originally published in the December 2017 Industrial Automation and Process Control INSIDER)

The big appeal of the Industrial Internet of Things is the potential vast increase of meaningful information we could obtain by increasing the sheer number of sensors and the analytical methodologies of Big Data and the latest visualization tools for working with that data. The central axiom of the IIoT is that this information will be used to operate plants and even entire enterprises much more profitably.

There are some obvious problems with this axiom, It is pretty glaring that you have to collect the right information. It doesn’t help to add 100 or 1000 sensors to a process if the values of those sensors aren’t critical information. The problems don’t stop there.

We have pointed out before that the cost of sensors must decrease dramatically be- fore the IIoT can become a reality. I remember hearing a friend from Shell saying that if they needed a measurement, they’d be willing to pay for it. The flip side of that is that if the cost of making those measurements goes down substantially, the impetus for needing the measurement goes up.

But the real issue that IIoT boosters don’t want to talk about is security.
There are two basic schools of thought about IIoT security. One is that nobody would try to penetrate a network through its edge devices. The other is that the problem is so large that it is basically unsolvable, so who cares.

The first school of thought is the same old “security by obscurity” nonsense. Our concepts of cyber security have been formed by network-centric security experts. There have been some lonely security researchers, like Joe Weiss, and others like the INSIDER who have been pointing this bias out for years. And for years, we have noticed a steadily growing number of “security researchers” at Blackhat and other gatherings, who have concentrated their research on network penetration through the sensor network.

The other school of thought is much more pervasive and even more insidious. This claim is the reason that there is always the next patch coming out for software. You can’t solve the problem because there are always smarter black hats.

Somehow, it seems to us, that both schools of thought are missing the point. Which is that if the potential users of the Industrial Internet of Things see that from a cost-benefit viewpoint the potential loss from an attack far outweighs the potential gain from all that beautiful information, adoption of the IIoT will stall.

We are already seeing this in the commercial IoT world. Sales of Nest thermostats and household control systems have stalled. People are concerned. Now, with the latest revelations about inherent design flaws in Intel, AMD, and other processor chips, they are becoming frightened. All they can see to do is to pray that nobody ever attacks them. And we see the same fear in the industrial space.
So, if the IIoT is to be a success, we have to focus on two things. First and foremost, we need to make security inherent in every de- vice and the firmware and software that runs on them, from field sensor to process controller to MES and ERP systems.

And, second, we need to focus on providing the right information at the right time, or there will be no value add with the IIoT.
End users vote with their feet, and their dollars, pounds, euros, pesos and yuan. For all the ballyhooed new IIoT centric plants, there are dozens more built to the old standards, because we are sure that they work, and the perceived risk is less.

Change the risk and the IIoT will grow to its potential.

If you liked this content, and want to see more, visit http://www.spitzerandboyes.com/insider to subscribe.

 

HIMA talks SIS Cyber

Insiderlogo3HIMA, the largest independent safety instrumented system manufacturer, today released this press release:

(Houston, TX, January 11, 2018)

In late 2017 the ICS cybersecurity specialist Dragos announced that a safety controller (SIS) of a HIMA competitor in a process facility in the Middle East had been targeted by a new malware attack and successfully hacked. The SIS was compromised, leading to a shutdown of the facility. The professional execution of the attack again clearly shows that facility operators need to take the subject of cybersecurity very seriously. HIMA, a leading global independent vendor of smart safety solutions for the process industry, therefore offers to provide expert consulting on the subject of cybersecurity in safety-critical systems.

The above-mentioned cyberattack represents a new dimension of cyber threats to critical infrastructure. According to current knowledge, it was specifically planned and designed to target the SIS of a particular manufacturer. This sort of attack on a SIS, the first ever seen worldwide, is very sophisticated and only possible with significant effort.

Dr Alexander Horch, Vice President Research, Development & Product Management at HIMA, comments: “The incident with our competitor should serve as a wake-up call for all of us and further enhance awareness of the subject of cybersecurity in the industry. Work processes and organizational deficiencies are by far the most common areas of vulnerability for successful cyberattacks. System interfaces that remain open during operation and can be used to program the systems concerned, for example, give attackers a potential point of access. We urgently advise facility operators to not rely solely on cyber safe components, but instead to establish a comprehensive security concept for their own facilities.”

To achieve maximum safety and security, it is especially important for facility operators to implement the requirements of the standards for functional safety and automation security (IEC 61511 and IEC 62443) for physical separation between process control systems and safety and security systems.

In addition to providing automation solutions conforming to relevant national and international standards, HIMA supports plant engineers and operators in developing security concepts for the entire life cycle.
“For facility operators it is important to constantly keep an eye on potential forms of manipulation. In this regard, safety-critical applications are fundamentally different from other industrial PLC or office applications. Considerable expertise is necessary to ensure cybersecurity in safety applications. Maintaining and constantly refining security often poses a challenge to facility operators. It is therefore advisable to draw on the services of experienced safety and security experts in order to jointly develop and implement effective concepts”, says Heiko Schween, a security expert at HIMA.

December 2017 INSIDER discusses cyber-badness

Insiderlogo3The December 2017 INSIDER has been released. The cover story, “Extreme Badness from Malware and Design Flaws Impact Industry” discusses the two cyber issues impacting the ICS community that surfaced in late December: the Triton Exploit and Spectre and Meltdown. The INSIDER has been discussing this for years, and your editor and Joe Weiss beat the drum for years at Control magazine. The late Robert Adamski called something like the Triton Exploit “Adamski’s Nightmare.” It has been infecting my dreams since 2004, and I am pleased to pass it along to you. If you aren’t afraid yet, you haven’t been paying attention.

In the Health Watch, NIck Denbow and I look at the state of the Automation Industry through the lens of ABB, and we take a look at Endress+Hauser’s alliances, distribution, and newest product and what it means for Millenials as they become engineers and operators.

Rajabahadur Arcot’s article, “India’s expanding economy and emerging growth opportunities” rounds out the last issue of 2017.

If you’re not a subscriber, visit Become an INSIDER and subscribe. Individual subscriptions are $500 per year…that works out to less than $40 a month for the best news and commentary in the industry. Corporate subscriptions are also available. Contact David Spitzer for details.

 

 

 

Happy Holidays!

Insiderlogo3The staff of the INSIDER and Spitzer and Boyes LLC want to wish you all Happy Holidays, whichever tradition you follow. May your holidays be merry, and may your next year be better than this one. We hope your lives are filled with love and plenty, and your families be happy and secure.

With All Our Best Wishes!

 

 

Schneider Releases Triconex Malware Advisory

Insiderlogo3From the Schneider Electric announcement:
Malware Discovered Affecting Triconex Safety Controllers V1.1 December 14, 2017
Overview
____________________________________________________________________________
Schneider Electric is aware of a directed incident affecting a single customer’s Triconex Tricon safety shutdown system.
____________________________________________________________________________
We are working closely with our customer, independent cybersecurity organizations and ICS- CERT to investigate and mitigate the risks of this type of attack. While evidence suggests this was an isolated incident and not due to a vulnerability in the Triconex system or its program code, we continue to investigate whether there are additional attack vectors. It is important to note that in this instance, the Triconex system responded appropriately, safely shutting down plant operations. No harm was incurred by the customer or the environment.
Triconex user documentation contains detailed security guidelines and recommendations on how to protect Triconex systems from attack. We strongly encourage all our customers to follow these recommendations regarding product use and security, as well as apply and follow industry-recognized cybersecurity best practices at all times to protect their installations:
• Ensure the cybersecurity features in Triconex solutions are always enabled;
• Never leave the front panel key position in the “Program” mode when not actively
configuring the controller;
• And ensure all TriStation terminals, safety controllers and the safety network are isolated
from the rest of the plant communication channels.
Also, review and assess your site’s cyber preparedness. Schneider Electric is a proponent of the NIST Cyber Security Framework and is ready to assist should this be necessary.
The Schneider Electric Product Security Office continues to work with ICS-CERT and will update this advisory as more information becomes available.
Details
The modules of this malware are designed to disrupt Triconex safety controllers, which are used widely in critical infrastructure. The malware requires the keyswitch to be in the “PROGRAM” mode in order to deliver its payload. Among others, the reported malware has the capability to scan and map the industrial control system environment to provide reconnaissance and issue commands directly to Tricon safety controllers.

Walt and Joy in Control- Part Two “Can We Escape Our Fate?”

Greg McMillan continues his interview with Walt Boyes and Joy Ward in the December issue of Control magazine. Here’s the link to the article on the controlglobal.com website:

What can be done to change our fate?

Joy and I would love to hear your thoughts on what we had to say, both in the November issue and the December issue. Comment here, or send me your comments to waltboyes@spitzerandboyes.com. [contact-form-7 404 "Not Found"]