Extreme Badness from Malware and Design Flaws Impact Industry

Insiderlogo3First, there’s the Triton Exploit

In 2004, Triconex safety expert Robert Adamski told me, “I’m going to share my nightmare with you.” He proceeded to talk about, not a safety issue, but a cyber security issue. He predicted that it would be possible to penetrate a control system and enter the safety instrumented system, the SIS, which is designed to safely shut down a plant in the event of a failure in the process. He explained exactly how his hacker, “Let’s call him Ali al Qaeda,” would be able to do that, and he dared me to tell him it couldn’t happen.


Ever since then, I have been talking about Bob Adamski’s nightmare, and nobody has ever been able to tell me it couldn’t happen.


The best they could do was to assert, pretty baldly, that it was highly unlikely, that it would require great resources, and would not happen because it would potentially cause extreme damage. Neither Adamski, who passed away a few years ago, nor I ever believed much in that argument, and we’ve been waiting for Bob’s nightmare to come true.


Well, now it has. Not quite as badly as Adamski feared, and no plant was destroyed. But an attacker targeted an SIS system, and caused it to shut down the plant.

The best description of what happened, and what the malware can do is in a blog by Heather MacKenzie of Nozomi Networks. You can read the entire blog here. She makes some important points.


“The attack reprogrammed a facility’s Safety Instrumented System (SIS) controllers, causing them to enter a failed state, and resulting in an automatic shutdown of the industrial process,” MacKenzie wrote. 


The attack is bold and notable,” she said, “because it is the first known industrial control system (ICS) attack that has targeted and impacted not just an ICS, but SIS equipment. Also, the type of SIS attacked is widely used and is commissioned in a consistent way across many industries.”


She then makes an important point. “The SIS system that was attacked was a Schneider Electric Triconex Safety Instrumented System (hence the malware moniker “TRITON”, also known as “TRISIS”.)  However, the malware was not designed specifically for Triconex, it was designed because the target organization was using Triconex(emphasis added).”


What MacKenzie, and Nozomi Networks’ partner, Fireye, which discovered the exploit, says is that FireEye is moderately confident that the attacker inadvertently shutdown operations while developing the ability to cause physical damage. You can read their reasons for coming to this conclusion, and many other important details about the attack, in the FireEye blog post on TRITON.


MacKenzie notes, “ It is the first known malware targeting SIS, and only the fifth malware known to specifically target ICS (after Stuxnet, Havex / Dragonfly, Blackenergy2, and Industroyer / CrashOverride).”


It is likely that if the target enterprise had been using another SIS system, the exploit would have targeted that one instead of the Triconex system.


Now that the exploit has demonstrated that SIS systems as a class are penetrable and vulnerable, we can expect to see more attacks.


“Cassandras” like Joe Weiss, myself, Eric Byres (of Tofino fame) and others have been pointing out for a decade that there is a thought gap between data security, which most cyber security systems are based on, and process safety. You cannot have a secure system unless it is a safe system. You cannot have a safe system unless it is a secure system. We can no longer ignore this fact or Bob Adamski’s nightmare will become all too real.


Intel, AMD, and Other Processors Vulnerable


If the Triton Exploit weren’t enough, the entire computing world was rocked in December  and early January by the revelation that processors by Intel, ARM, AMD, and even Qualcomm (one of the largest manufacturers of mobile device processors) are vulnerable to a series of vulnerabilities, like Spectre and Meltdown, which leave them open to attack.


How this impacts the automation industry is obvious. Since the major automation vendors abandoned making their own chips, almost forty years ago, chipsets by Intel, ARM, AMD and others have been used in everything from sensors to controllers, to the computers that DCS and SCADA systems run on. The computers that serve as cloud servers are not immune either.


A report from CNET describes the issue: “Researchers found two major weaknesses in processors that could let attackers read sensitive information that should never leave the CPU, or central processing unit. In both cases, attackers could see data that the processor temporarily makes available outside of the chip.

Here’s why that happens: To make computer processes run faster, a chip will essentially guess what information the computer needs to perform its next function. That’s called speculative execution. As the chip guesses, that sensitive information is momentarily easier to access.”


Spectre and Meltdown (which targets cloud servers) can be used on systems that are not patched to prevent it, to permit unauthorized entry into the system. Now, it is in the industrial space that systems will potentially NOT be patched.


This is because in many cases, the system cannot be shut down to patch it, or the system is running on an archaic processor. There are thousands of Windows XP systems running in the industrial environment. There are instances of even Windows 3.11 and DOS systems running processes yet today. These systems cannot be patched.


Intel and the others state that the flaw has existed for at least twenty years, so all those archaic systems are vulnerable.


CNET reports, “Researchers, chipmakers and computer companies all say there are no known examples of hackers using these weaknesses to attack a computer. However, now that the details of the design flaws and how to exploit them are publicly available, the chances of hackers using them are much higher.”

As the Triton Exploit and others have proven, hackers up to and including nation states, have been trying to penetrate Industrial Control Systems for at least a decade and a half already. This just gives them another avenue to exploit. And as the ICS malware exploits we have already seen show, it is not all that difficult to attack a control system that is not adequately defended.


Operating system manufacturers like Apple and Microsoft are scrambling to patch their systems so that the exploits cannot be used. But the fact that it exists in nearly all processors means that it will be hanging over us for a long time.

In the meantime, be wary of phishing and other means of achieving entry into your control systems. Be afraid. Be very afraid.

This first appeared in the December 2017 INSIDER. If you like this kind of reporting and analysis, please consider becoming an INSIDER subscriber. Visit http://www.spitzerandboyes.com/insider for more information.


A Little Off-Topic: Peter S. Beagle Named SFWA Grand Master

Peter S. Beagle Named SFWA Damon Knight Grand Master
I don’t always write about automation, technology, and manufacturing. I write and edit science fiction, fantasy and alternate history as well. This brings me into contact with a variety of well-known writers, like Larry Niven, the late Jerry Pournelle (who I replaced as a Director of the Heinlein Society) and many others.
I have known Peter Beagle since 1973, when I did the lighting and set design for a play he was performing in at UC Santa Cruz. He is one of my favorite people. A couple of years ago, at Balticon, my wife Joy Ward, who is the interview columnist for Galaxy’s Edge magazine, with some technical assistance from me, conducted a far-ranging interview with Peter, excepts from which were published in the September 2016 issue of Galaxy’s Edge magazine, and a longer version to be published by Shahid Mahmoud sometime this year. We are extremely delighted that Peter has received this very long overdue honor from his peers.
The Science Fiction and Fantasy Writers of America (SFWA) is pleased to announce that Peter S. Beagle has been named the 34th Damon Knight Grand Master for his contributions to the literature of Science Fiction and Fantasy.
The Damon Knight Memorial Grand Master Award is given by SFWA for “lifetime achievement in science fiction and/or fantasy.” Beagle joins the Grand Master ranks alongside such legends as C. J. Cherryh, Anne McCaffrey, Ursula K. LeGuin, Isaac Asimov, Ray Bradbury, and Joe Haldeman. The award will be presented at the 52nd Annual Nebula Awards Weekend in Pittsburgh, PA, May 17-20, 2018.
Beagle may be best known for his novel The Last Unicorn, and has also explored our fascination with the mythical in The Innkeeper’s Song, A Fine and Private Place, and a wide variety of short fiction. Beagle won the Hugo and the Nebula Award for his 2005 novelette “Two Hearts.” He has won the Mythopoeic Award for his novels The Folk of the Air and Tamsin. He was nominated for a Hugo for his adaptation of J.R.R. Tolkien’s The Lord of the Rings for Ralph Bakshi’s animated version and wrote the screenplay for the Star Trek: The Next Generation episode “Sarek.”
Peter Beagle’s work has been the gateway for multitudes of fantasy readers, but also writers as well, including myself. His work shines a light on the human heart and its beauties even when that heart is flawed and wanting, showing how that beauty arises from such imperfect conditions. Beagle unquestionably belongs among the greats, and I count it a privilege to invite him to be the next SFWA Damon Knight Memorial Grand Master.
The Nebula Awards will be presented during the annual SFWA Nebula Conference, which will run from May 17th-20th and feature expert presentations, seminars and panel discussions on the craft and business of writing, SFWA’s annual business meeting, and receptions. On May 20th, a mass autograph session will take place at the Pittsburgh Marriott City Center and is open to the public. For more information on the conference, including a link to register, please visit nebulas.sfwa.org.
The Nebula Awards recognize the best works of science fiction and fantasy published in the United States as selected by members of the Science Fiction and Fantasy Writers of America, membership in which is open to professional science fiction and fantasy authors. The first Nebula Awards were presented in 1966.
In addition to the Nebula Awards, SFWA will present the Bradbury Award for Outstanding Dramatic Presentation, the Andre Norton Award for Outstanding Young Adult Science Fiction or Fantasy Book, the Kate Wilhelm Solstice Award, the Kevin O’Donnell, Jr. Service to SFWA Award, and the Damon Knight Memorial Grand Master Award.

Consolidating Distribution

Insiderlogo3The Ongoing Consolidation Trend in Distribution
E+H Appoints TriNova in Upstate New York and New England

When your editor first began working as a sales engineer in the automation industry, distribution in North America was defined by the Dodge marketing territories.

These were county-by-county (later modified to be zipcode-based) distribution and representation maps, published by the F. W. Dodge Company. Every automation company representation contract used these territories. There was the “Northern California Territory” for example, which included the counties of Western Nevada, but not Clark County (home of Las Vegas and the military bases).

These territories were most often “exclusive” meaning that only one company had distribution rights in that territory for those products.

These territories have become more and more irrelevant. There are several reasons for this.

First, the economics of the small, family-operated, one- or two- person rep firm, or distribution company decayed. It now costs approximately $500 to make a single sales call. The traditional “eight calls a day” sales methodology simply stopped working.

Second, the generational shift left many second- or third- generation rep/distributor owners looking for exit strategies because they didn’t really want to work in the family business, or couldn’t make a living at it any longer.

Third, the better capitalized rep and distributor firms started expansion plans that focused on either buying a small rep or distributor in a new territory or simply bypassing existing distribution and starting up an entirely new enterprise, and soliciting crossover from their existing principals.
Endress+Hauser has been working with this level of consolidation since the early 2000s. At one point, they even purchased a representative firm which was in financial distress, and kept it running. Now, they’ve done it again, in New England and Upstate New York.

Fourth, the explosion of electronic commerce has made other options than buying from a local rep or distributor possible.

TriNova Inc. is a long-time representative and business partner of Endress+Hauser, and is 50 years old as a company. The company is the automation supplier’s Sales Representative and Authorized Service Provider in the southeast and has now expanded its operations in New England and Upstate New York from new offices in Ballston Spa, NY.

The two companies have spent the last three months preparing for a smooth transition by staffing the new office and training personnel. Teams have been established and are ready to provide customers in the new territory dedicated support and services in all markets and industries.

“We are pleased to have the opportunity to expand our partnership with TriNova in the New England and Upstate New York region,” said Chris English, Vice President of Sales, Endress+Hauser.

And, just as this issue is going to press, E+H announced that they were partnering with their rep and service provider in Oklahoma, Vector Controls to put together a consortium to work in the oil field industry, with partnerships with Angus Measurement Services, TechnipFMC and its Authorized Service Provider, Vector Controls. The automation companies will collaborate to bring added value to the oil and gas industry, assisting customers with transition to the digital oilfield. The partnership alignment between the automation companies is to inform and better prepare the oil and gas industry and customers for Industry 4.0. The oil and gas industry has played a pivotal role in the economic transformation of the world. Today the industry can set new parameters and direction through digitalization.

If you liked this content, there’s much more where it came from. This story was originally published in the December 2017 Industrial Automation and Process Control INSIDER. You can subscribe by visiting http://www.spitzerandboyes.com/insider.

Emerson Acquires ProSys Inc.

Emerson Completes Acquisition of ProSys, Inc.

Deal adds new software capabilities to improve plant performance and brings new technologies to Emerson’s Operational Certainty initiative

Emerson (NYSE: EMR) announced on the 17th of January that it has acquired ProSys Inc., a global supplier of software and services that increase production and safety for the chemical, oil and gas, pulp and paper, and refining industries. By building intuitive processes for plant operators, these solutions make everything from everyday operations to responding during abnormal situations easier.

“The staff of ProSys are all friends of long standing and the INSIDER wishes them all well and congratulates them on their success,” said Walt Boyes, editor/publisher of the INSIDER.

“Adding ProSys’ differentiated technologies and expertise allows us to help our customers improve plant performance, safety and profitability by optimizing their human and automation resources,” said Mike Train, executive president, Emerson Automation Solutions. “With ProSys, we can provide innovative control and operator performance capabilities to make control room operators far more effective.”

Executive President Mike Train

ProSys’ portfolio includes solutions that help operators manage alarms critical to plant production and safety, and efficiently handle changing plant states. In addition, ProSys provides modern, high performance and intuitive graphics for better operator communications.

ProSys complements Emerson’s May 2017 acquisition of MYNAH Technologies, which provides dynamic simulation and operator training software. Together, these technologies embed expertise to help operators navigate plant systems safely and efficiently, and prepare customers to accommodate the changing state and age of the industrial workforce.

“Our specialization in software and services that increase operator performance builds on Emerson’s market leadership in automation control systems,” said Dustin Beebe, president and CEO at ProSys. “By working together as one, we can provide even more operational and financial value to customers.” Beebe will join Emerson Automation Solutions as vice president, control and operator performance.

Dustin Beebe will join Emerson as Vice President of control and operator performance

The ProSys software portfolio supports Emerson’s Operational Certainty™ program designed to help industrial companies achieve Top Quartile performance in areas of safety, reliability, and production.
Terms of the acquisition were not disclosed. For more information about ProSys Inc., visit https://www.prosys.com/.

Is Malware the Achilles Heel of the IIoT?

Insiderlogo3Is Malware the Achilles Heel of the IIoT?
By Walt Boyes

(Originally published in the December 2017 Industrial Automation and Process Control INSIDER)

The big appeal of the Industrial Internet of Things is the potential vast increase of meaningful information we could obtain by increasing the sheer number of sensors and the analytical methodologies of Big Data and the latest visualization tools for working with that data. The central axiom of the IIoT is that this information will be used to operate plants and even entire enterprises much more profitably.

There are some obvious problems with this axiom, It is pretty glaring that you have to collect the right information. It doesn’t help to add 100 or 1000 sensors to a process if the values of those sensors aren’t critical information. The problems don’t stop there.

We have pointed out before that the cost of sensors must decrease dramatically be- fore the IIoT can become a reality. I remember hearing a friend from Shell saying that if they needed a measurement, they’d be willing to pay for it. The flip side of that is that if the cost of making those measurements goes down substantially, the impetus for needing the measurement goes up.

But the real issue that IIoT boosters don’t want to talk about is security.
There are two basic schools of thought about IIoT security. One is that nobody would try to penetrate a network through its edge devices. The other is that the problem is so large that it is basically unsolvable, so who cares.

The first school of thought is the same old “security by obscurity” nonsense. Our concepts of cyber security have been formed by network-centric security experts. There have been some lonely security researchers, like Joe Weiss, and others like the INSIDER who have been pointing this bias out for years. And for years, we have noticed a steadily growing number of “security researchers” at Blackhat and other gatherings, who have concentrated their research on network penetration through the sensor network.

The other school of thought is much more pervasive and even more insidious. This claim is the reason that there is always the next patch coming out for software. You can’t solve the problem because there are always smarter black hats.

Somehow, it seems to us, that both schools of thought are missing the point. Which is that if the potential users of the Industrial Internet of Things see that from a cost-benefit viewpoint the potential loss from an attack far outweighs the potential gain from all that beautiful information, adoption of the IIoT will stall.

We are already seeing this in the commercial IoT world. Sales of Nest thermostats and household control systems have stalled. People are concerned. Now, with the latest revelations about inherent design flaws in Intel, AMD, and other processor chips, they are becoming frightened. All they can see to do is to pray that nobody ever attacks them. And we see the same fear in the industrial space.
So, if the IIoT is to be a success, we have to focus on two things. First and foremost, we need to make security inherent in every de- vice and the firmware and software that runs on them, from field sensor to process controller to MES and ERP systems.

And, second, we need to focus on providing the right information at the right time, or there will be no value add with the IIoT.
End users vote with their feet, and their dollars, pounds, euros, pesos and yuan. For all the ballyhooed new IIoT centric plants, there are dozens more built to the old standards, because we are sure that they work, and the perceived risk is less.

Change the risk and the IIoT will grow to its potential.

If you liked this content, and want to see more, visit http://www.spitzerandboyes.com/insider to subscribe.


Analog Output Accuracy: The Devil In the Details

Flowmeters typically contain multiple components that introduce error into the flow measurement system. A simple flow measurement system may be comprised of a primary flow element and a transmitter that processes signals from the primary flow element. Sometimes, the primary flow element and transmitter are physically integrated together as one piece, such as in potable water meters. More complicated flow measurement systems may include multiple components such as a flow computer or other electronic components that compensate for process pressure, process temperature, or other parameters.

It should not be forgotten that flow measurement systems are “systems” that measure flow. As an example, consider a hypothetical primary flow element that exhibits no error while the transmitter exhibits 5 percent accuracy. In this exaggerated example, the accuracy of the flow measurement system will be 5 percent. Assuming that the flow measurement error is that of the primary flow element only is an error of omission. Users should constantly be on guard to identify this type of error.

In most flowmeters, the primary flow element and transmitter are integrated electronically. For example, the wetted primary flow elements of Coriolis mass flowmeters, thermal flowmeters, and magnetic flowmeters are virtually useless without transmitters that contain their respective flow measurement algorithms and drivers. Therefore, flowmeter performance typically includes the combination of a primary flow element and a transmitter. Further, the performance of most flowmeters is predicated on the calibrated output that is usually the pulse/frequency output of the transmitter.

However, most process control applications of flowmeters involve the use of an analog output such as 4-20 mA to represent 0-100 percent of the desired flow rate. The analog signal is typically generated using circuits that convert the pulse/frequency signal (or its source) to an analog signal. This conversion introduces a measurement error that is constant throughout the signal range, so it can usually be expressed as a percent of full scale. The error introduced is typically between 0.03 and 0.10 percent of full scale depending upon the quality of the converter. To obtain the measurement accuracy of the analog output, this error is mathematically added to the accuracy of the flowmeter.

The analog output error may seem small, but at low flow rates, this error can become significant and actually dominate measurement accuracy. For example, consider a vortex shedding flowmeter that can operate from 10 to 100 units per minute with 0.75 percent of rate accuracy but has an analog output accuracy of 0.10 percent of full scale. At 10 units per minute, the pulse/frequency output has an accuracy of 0.75 percent of rate, whereas the analog output contributes an additional (0.1*100/10) or 1.00 percent rate error, so the measurement accuracy of the analog output is 1.75 percent of rate.

Most suppliers calibrate the pulse/frequency output. They typically state its accuracy as the performance of the flowmeter. The accuracy of the analog output conversion is often buried in the specifications in the fine print. Sometimes, it is not published and must be requested from the supplier. Sometimes the information is forthcoming, but often suppliers do not understand the question and try to state the analog output resolution (say 1 part in 4096, or 0.02 percent) as the analog output accuracy. After further investigation, many suppliers will admit that they do not know the analog output accuracy — even though most of their customers may use that output exclusively for their flow measurements. They also provide further enlightenment when they say that “no one ever asked for this before”.

The burden of obtaining the best flow measurement possible in a given application does not lie with the supplier — it lies with the user. Do not forget the fine points that may lurk in the details and the errors of omission that may be available for the asking.

This article originally appeared in Flow Control magazine (September 2004) at www.flowcontrolnetwork.com.

HIMA talks SIS Cyber

Insiderlogo3HIMA, the largest independent safety instrumented system manufacturer, today released this press release:

(Houston, TX, January 11, 2018)

In late 2017 the ICS cybersecurity specialist Dragos announced that a safety controller (SIS) of a HIMA competitor in a process facility in the Middle East had been targeted by a new malware attack and successfully hacked. The SIS was compromised, leading to a shutdown of the facility. The professional execution of the attack again clearly shows that facility operators need to take the subject of cybersecurity very seriously. HIMA, a leading global independent vendor of smart safety solutions for the process industry, therefore offers to provide expert consulting on the subject of cybersecurity in safety-critical systems.

The above-mentioned cyberattack represents a new dimension of cyber threats to critical infrastructure. According to current knowledge, it was specifically planned and designed to target the SIS of a particular manufacturer. This sort of attack on a SIS, the first ever seen worldwide, is very sophisticated and only possible with significant effort.

Dr Alexander Horch, Vice President Research, Development & Product Management at HIMA, comments: “The incident with our competitor should serve as a wake-up call for all of us and further enhance awareness of the subject of cybersecurity in the industry. Work processes and organizational deficiencies are by far the most common areas of vulnerability for successful cyberattacks. System interfaces that remain open during operation and can be used to program the systems concerned, for example, give attackers a potential point of access. We urgently advise facility operators to not rely solely on cyber safe components, but instead to establish a comprehensive security concept for their own facilities.”

To achieve maximum safety and security, it is especially important for facility operators to implement the requirements of the standards for functional safety and automation security (IEC 61511 and IEC 62443) for physical separation between process control systems and safety and security systems.

In addition to providing automation solutions conforming to relevant national and international standards, HIMA supports plant engineers and operators in developing security concepts for the entire life cycle.
“For facility operators it is important to constantly keep an eye on potential forms of manipulation. In this regard, safety-critical applications are fundamentally different from other industrial PLC or office applications. Considerable expertise is necessary to ensure cybersecurity in safety applications. Maintaining and constantly refining security often poses a challenge to facility operators. It is therefore advisable to draw on the services of experienced safety and security experts in order to jointly develop and implement effective concepts”, says Heiko Schween, a security expert at HIMA.

December 2017 INSIDER discusses cyber-badness

Insiderlogo3The December 2017 INSIDER has been released. The cover story, “Extreme Badness from Malware and Design Flaws Impact Industry” discusses the two cyber issues impacting the ICS community that surfaced in late December: the Triton Exploit and Spectre and Meltdown. The INSIDER has been discussing this for years, and your editor and Joe Weiss beat the drum for years at Control magazine. The late Robert Adamski called something like the Triton Exploit “Adamski’s Nightmare.” It has been infecting my dreams since 2004, and I am pleased to pass it along to you. If you aren’t afraid yet, you haven’t been paying attention.

In the Health Watch, NIck Denbow and I look at the state of the Automation Industry through the lens of ABB, and we take a look at Endress+Hauser’s alliances, distribution, and newest product and what it means for Millenials as they become engineers and operators.

Rajabahadur Arcot’s article, “India’s expanding economy and emerging growth opportunities” rounds out the last issue of 2017.

If you’re not a subscriber, visit Become an INSIDER and subscribe. Individual subscriptions are $500 per year…that works out to less than $40 a month for the best news and commentary in the industry. Corporate subscriptions are also available. Contact David Spitzer for details.




Relationship Advice: Making the Most of Vendor Partnerships


Getting the most out of vendors is a challenge facing all who are active. There are techniques that you can use whether you are trying to get the best service at the local print shop or detailed information on a flowmeter. You will certainly be able to use your own experience to add to the tactics presented here.

Before you even think about calling the vendor, you need to determine what it is that needs to be done. For example, if a flow measurement is not stable, you may want to observe the effect(s) of putting the control loop in manual.  This ensures that the valve operates smoothly. You may also want to observe other measurements (such as pressures, temperatures, and flows) that affect the flow through the flowmeter. Vendors are trained to do certain things well, but troubleshooting your proprietary process or addressing internal politics is usually not among them. Vendors should know about the equipment that they sell, but even the best will stumble when asked to solve problems outside of their areas of expertise. Further, they potentially risk legal consequences if something should go terribly wrong.

Who should you call once you have determined that contact with the vendor is needed? Try to determine who has the information or who controls the resources that you need and call that person. If you do not know who this is, try to determine who would know who that person is and their contact information. This may be your local representative, but it could be your supervisor or a technician who previously needed similar information from the vendor. For example, significant delays can be avoided by directly contacting the factory person who schedules field technical service instead of leaving a message for your local representative who is only in the office for two hours on Friday and will return the call during the next week.

Understand what the vendor does and does not do. As previously mentioned, vendors should know about the equipment that they sell. Do not expect them to solve all of your problems. They may know a lot about widgets and have extensive related experience, but they sell products and they do not work for you. If you force vendors into the position of solving your problems, they may (reluctantly) do so, but their solution will usually entail the minimum of their effort and the minimum of their cost to successfully sell their product. For example, an instructor related a story about a contactor that had a 10 horsepower motor for installation on a fan that only needed a 3 horsepower motor. The instructor (who taught motor efficiency) knew that the energy consumption of the 10 horsepower motor would be higher and made him install the 3 horsepower motor. Installing the 10 horsepower motor was the easy way out for the contractor because he could “unload” a motor that he would probably not be able to use — and he was not paying the electric bill.

Be sure that you completely and honestly communicate with vendors in a clear straightforward and respectful manner. Vendors are indispensable in solving certain problems, so not acting in this manner today may return to haunt you tomorrow. Given the comments above, there is nothing wrong with respectfully asking a vendor for referrals to find people who might be able to help solve the problem at hand.

As a last resort, carry a stick. Sometimes vendors (like all of us) need a little push. Over the years, I reluctantly called a few supervisors and contacted the factory for information that was not forthcoming locally. There is always the threat of curtailing future sales, but with certain products, this approach can be a double-edged sword.

In summary, vendors are people who should be contacted and used to perform work that supplements your work within their areas of expertise. You and the vendor should work together respectfully, and the vendor should not be asked (or forced) to perform your work.

This article originally appeared in Flow Control magazine (August 2004) at www.flowcontrolnetwork.com.

Happy Holidays!

Insiderlogo3The staff of the INSIDER and Spitzer and Boyes LLC want to wish you all Happy Holidays, whichever tradition you follow. May your holidays be merry, and may your next year be better than this one. We hope your lives are filled with love and plenty, and your families be happy and secure.

With All Our Best Wishes!