Tag Archives: cyber security

Rockwell’s PSUG-The Plant PAx Roadmap

My tweets from Monday afternoon’s roadmap session at PSUG:

Mon, 13:07: Chris Dornan and Jason Wight provide the PlantPAx roadmap— #ROKPSUG

Mon, 13:09: We are members of a secret society called the International Society of Automation #ROKPSUG (why is ISA not a bigge… https://t.co/qVDQhDQLyR

Mon, 13:11: #ROKPSUG Plant PAx 4.5 releases this coming summer.

Mon, 13:13: Kris Dornan begins the deep dive #ROKPSUG https://t.co/uuCPKArFSh

Mon, 13:14: SMART— #ROKPSUG https://t.co/SQ5cONPCoS

Mon, 13:16: New Standard Control Panels #ROKPSUG https://t.co/rLjmKbacHu

Mon, 13:17: Intelligent Packaged Power — #ROKPSUG https://t.co/QOB1PRQ78V

Mon, 13:18: Server consolidation — #ROKPSUG https://t.co/Co9r84LY3e

Mon, 13:21: Redundant PASS server enhancements; DTM support of Ehernet/IP Devices; updated function block diagram editor https://t.co/bSb9BcPg0K

Mon, 13:23: Mod sheet size online — #ROKPSUG https://t.co/VEPoMLEPBh

Mon, 13:24: Productive! https://t.co/gpcCsPiUkX

Mon, 13:27: New productivity tools #rokpsug https://t.co/oCt4pUKbiG

Mon, 13:30: New faceplates; trending integration with alarms; PI Asset framework for process objects — #rokpsug https://t.co/ZcFPISAGQR

Mon, 13:38: More productivity tools— thinmanager integration; mobile alarming interface; updated batch visualization #rokpsug https://t.co/npi1SXaFEQ

Mon, 13:41: Protected— area based security; PRP network support; Redundant communications —#ROKPSUG https://t.co/LhV5C80yPj

Mon, 13:45: And we’ll come fix it for you! #ROKPSUG https://t.co/voCmk9VAQs

Mon, 13:48: “Don’t YOU worry about it! #ROKPSUG https://t.co/pRbxwTC6pC

Mon, 14:10: Rockwell’s new entrant in the I/O sweepstakes. They call it the standard configured panel. #rokpsug https://t.co/ddOdv8yONf

Insiderlogo3 If you like reporting like this, with no advertising and no slant, subscribe to the INSIDER at www.spitzerandboyes.com/insider.

ISA Fires Pat Gouhin, Longtime Executive Director

ISA has announced the firing of Pat Gouhin. I suppose that if you weren’t in the know, this will come as a huge surprise. I heard about it a few days ago and was sworn to secrecy. Now the announcement has been made:

International Society of Automation Plans for New Leadership of Professional Staff
Research Triangle Park, NC (21 August 2017) – The International Society of Automation (ISA) announced today that Executive Director and CEO, Patrick Gouhin, will be stepping down. ISA’s President, Steve Pflantz, announced that a Search Committee will be formed in the immediate future to identify Mr. Gouhin’s successor. The selection and announcement of a new Executive Director are expected to occur in the months ahead. Peggie W. Koon, Ph.D., CEO & Founder of Leading Change, LLC, will serve as Interim Executive Director.

“Pat has been our Executive Director since 2006 and has been a dedicated employee of ISA,” Pflantz said. “Under Pat’s leadership, ISA has progressed on many fronts. We will continue to ensure ISA’s long-term vitality as we continue our commitment to advance the profession of Automation. The Board is committed to the strategy work that has been done thus far and is grateful for Pat’s leadership in bringing us to this point.”

“This is an exciting time in the history of ISA, and I am proud of what we have achieved and the work we are doing,” Gouhin said. “A strong foundation has been laid based on the effort of many passionate volunteer leaders and a wonderfully dedicated staff team that will allow the next Executive Director to hit the ground running.”

During his 11+-year tenure at ISA, Gouhin has overseen many significant milestones in the Society’s history, including the expansion of ISA’s brand family to include the founding of The Automation Federation and the Automation Standards Compliance Institute, and the acquisition of digital media powerhouse Automation.com. The world’s only consensus standard for industrial cybersecurity, IEC 62443, was also developed and expanded under his tenure.

Before joining ISA, Gouhin served as the Chief Operating Officer of the American Institute of Aeronautics and Astronautics (AIAA). He also served as the first Vice President of Operations and Technology Transfer for the National Institute of Aerospace (NIA) at Langley Research Center, a start-up resulting from $69 million government contract award to build a world-class research and education institute.

Interim Executive Director Dr. Koon’s experience and expertise lies in strategy development and execution, leadership coaching, and change management. Dr. Koon is the former Vice President of Audience for the Augusta Chronicle/TAC Media, Morris Communications, LLC. She has over 25 years of experience in IT, process control, and process automation for both discrete and continuous process industries. She was a General Motors Scholar, earning a B.A. degree in Mathematics from Smith College. She also completed 2 years of graduate studies in Industrial and Systems Engineering as a General Motors Graduate Fellow at the Georgia Institute of Technology, and she has a Ph.D. in Management Information Systems from Kennedy Western University.

In addition to her experience managing strategic change, Dr. Koon has also been a member and leader at ISA for more than 20 years. She has held a variety of prominent roles in the Society, including Society President (2014), Chair of the Automation Federation (2015), member of the ISA Executive Board (2016), and Chair of Workforce Development for the Automation Federation (2016).

For additional information, contact ISA Director of Marketing & Communications, Jennifer Halsey, at jenniferhalsey@isa.org.

Shouldn’t We Be A Bit More Concerned? How Do You Feel About The Internet Of Things?

On A Personal Level

The IoT (Internet of Things) and the use of Cloud storage is all the rage. Products which utilize the IoT, like Google’s Nest devices, learn from your actions and make changes accordingly. With the Nest thermostat, you simply adjust it a few times for the temperature you prefer, and the device “learns”and takes over from there. Nest cameras allow you to view the interior or exterior of your home while you are away. Other Nest products provide monitoring of other home related issues such as CO levels. But what are products such as these actually learning and moreover, what are they storing and sharing?

Let’s look at the thermostat first. It learns when you turn your heat/AC up or down, it learns the temperatures you prefer, and it stores that data in the Cloud. While there is no implied consent to share this data when the thermostat is purchased, imagine how valuable that information could be. The Nest thermostat collects and stores information on whether or not it is being installed in a home or business, the location address and zip code, when you come and go, and occupancy and movement within a room. Imagine if that information were available to a tech savvy thief. They would no longer have to case your home or business before a robbery. The thermostat does that for them.

Want to add a Nest cam? Well! That makes life even easier for a would-be home-invasion professional to meet his daily quota. The Nest cam links to other Nest devices Via Nest Works and stores streaming video, as well as a location identifier. You or others whom you give permission, (e.g. a developer with Works) can access the following information at will:

  • View camera or mic status
  • View or change streaming status (turn camera streaming on/off)
  • Device name
  • Where identifier
  • Last online status change
  • Subscription status (enrolled/not enrolled)
  • Links to live camera feed in the Nest app (iOS, Android) or on the web
  • Content related to the last event that triggered a notification, such as sound or motion detected, event start stop times, and links to image and gif files

According to additional information provided on Nest.com, if you have multiple Nest Products interfacing with one another, the products will share information with each other. Sharing can occur locally among connected devices (both Nest and third-party devices), between Nest Products and your mobile devices or applications, or among Nest’s servers. So, if the system is hacked, not only does a tech savvy thief know where you live and when you’re home, there is the potential for them to peruse your home via video cam to locate and ID the possessions in your home that they would like to steal.

Nest freely admits that they will share your information (with your permission) when you choose to connect to third-party products and services through Works. They will also share it with partners, such as insurance companies. Following the “with your permission” statement, however, comes an additional statement that causes me concern. “We may also receive information from our partners and other sources and combine that with the information in your Nest account. For example, in order to offer rewards programs, we might receive information (such as which of our partners offers services where you live) to determine eligibility and efficacy of our programs.” The implication here is that permission is not needed to share information in this instance.

So, now Nest has stored (among other things) your address, your occupancy information, your Wi-Fi network information, your email address, and video of your home, on the Cloud. Nest shares your information (with your consent) if you sign up for programs offered by Nest partners which include energy and insurance companies, as well as with vendors, service providers and technicians who assist with Nest processing and storage. With all that sharing, how secure is the information? Even putting aside the possibility of Cloud hacking, the replication and transmission of the types of personal information Nest collects and stores provide a plethora of chances for information to be purposely or accidentally misused.

Is the previously outlined home theft scenario a potential reality or just a remote possibility? The threat is very real. Otherwise, Nest would have no need to post its “responsible disclosure policy.” The policy asks security researchers who believe they have identified a security vulnerability to contact Nest immediately, and give the company a reasonable amount of time to respond to the information before making the information public. It also asks that the person who discovers the vulnerability not access or modify user data without permission of the Nest customer. If the researcher acts in good faith and does not degrade the performance of Nest services, Nest promises not to take legal action against the person. Now I ask you, how many hackers or cyber thieves are going to notify Google Nest that they have found a way to hack the system? Sure, Google provides a reward for submitting this type of information, but how does that reward compare in value to the ability to case and burgle a multitude of homes with so little effort?

The Bigger (and Scarier) Concern                                                    

While home safety is important, there are larger concerns associated with the IoT. Have you ever heard of Stuxnet? It was the world’s first digital weapon, developed to cause centrifuges to malfunction, delaying the production of enriched uranium (and nuclear weapons) in Iran. Over a five month period it was responsible for the loss of almost a thousand centrifuges, significantly reducing the enriched uranium production at the plant. If you’re interested, the following url (https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet) will take you to a report about Stuxnet and its results. The simple explanation is that using USB hard drives and targeting computers at five outside companies that were linked to the uranium plant, Stuxnet insinuated itself into the plant’s computers and wreaked havoc until it was finally discovered. In this instance, the US and Israel worked together to target Iran. What happens if the target is us?

Is targeting the US a possibility? According to The Global Risks Report 2016, 11th Edition, released in February of this year, cyber attacks are the greatest risk North America faces this year, followed by data theft. The report notes that everything from personal finance to national infrastructure (anything managed via some form of computer network) is vulnerable to attack, and the IoT is making those attacks easier than ever to initiate because of the linkages it promotes. The report points out that as The IoT continues to grow it brings with it some definite benefits, but it also opens the door for issues such as “economic espionage, cybercrime, and even state-sponsored exploits – that are increasingly perpetrated against businesses.”

Not only is cyber attack a possibility, it is a harsh and expensive reality, costing US businesses billions of dollars. In the past year alone we have heard about successful cyber attacks against the OEM, which is responsible, for among other things, maintaining files containing personal information on US government employees who applied for top-secret security clearances (it appears that these were the files targeted), Sony, Anthem and Premera Blue Cross, US natural gas systems, and several other large US corporations and government offices. Fingers have been pointed at both China and North Korea, but one of the issues with cyber attack is that it can be extremely difficult, if not impossible to prove who is responsible for the attack.

One of the latest Cyber attacks to come to light is an attack on a New York Dam by hackers in Iran. The White House is expected to release information concerning this attack in the next few days. According to a March 10, 2016 article by John Bonazzo, a writer for the Observer, the hack of the Bowman Avenue dam occurred in 2013, while the U.S. and Iran were negotiating the recent nuclear deal. The malicious software used, only provided access to back office systems and not the operational services of the dam. We lucked out.

Bonazzo talked with Leo Taddeo, former Special Agent in Charge of the Special Ops/cyber Division of the FBI in NY and current CSO of Cryptzone, concerning the attack. Taddeo told the Observer that “the continuing automation of infrastructure by the Internet of Things was cause for concern in this case” because “the more things are interconnected, the more chances an attacker has to get access to things we care about, including the equipment and infrastructure that keeps us safe,” He continued by saying, “Even though this attack wasn’t successful, it shows we need to be vigilant.”

Smart sensors already exist that among other things, control industrial plant systems and link to each other and to a central hub to provide information that allows companies to monitor and identify potential issues with manufacturing equipment, correcting problems before shut-down is necessary. Several companies are now in the process of developing and introducing products like GE’s Predix, a cloud based industrial internet platform that takes the information these smart sensors and other similar products produce, aggregates it, and stores it via the Cloud. According to the product brief, Predix “is machine-centric, supports heterogeneous data acquisition, storage, management, integration, and access, provides advanced predictive analytics, guides personnel with intuitive user experience, and is delivered securely? [emphasis mine] in the cloud.” It basically takes Big Data and allows it to be used in a meaningful way.

 

But what happens when the system is hacked? I can’t help but believe that if anyone understands the dangers associated with our current path toward total integration of anything and everything on the IoT, it would be Leo Taddeo, and he is definitely concerned. Shouldn’t we be, as well?

I would like to hear your opinions as well as concerns and rebuttals against the inherent dangers presented by the IoT.

PAS spotlights process safety and cyber security at PTC2014 #pauto #PASTech2014

From PAS about the PAS Technical Conference:

Process Safety and Cyber Security to be Key Focus at PTC2014

Industry leaders will share next generation best practices for operational safety and cyber security at PAS Technology Conference 2014 in Houston, May 19-21.

Houston, Texas—May 6, 2014 – PAS Inc. today announced details of the topics to be presented at its PAS Technology Conference (Twitter hashtag #PASTech2014) in Houston, May 19-21. The focus of the conference will be sharing of emerging best practices in process safety and cyber security by industry leaders such as BASF, DOW, ExxonMobil, and Chevron. PAS is a leading provider of automation software for process safety, cyber security, and asset reliability to the power and processing industries worldwide.

“The PAS Technology Conference is a unique forum for sharing safety and security information among companies that are otherwise competitors in the same sector,” said Eddie Habibi, Founder and CEO of PAS. “When it comes to the important topics of protecting people and critical infrastructure, global companies collaborate openly and share their experiences. And they do it here at PTC2014.”

Topics at this year’s conference include how to enable a plant operator to make the right decision at the right time in order to successfully deal with issues from minor production upsets to catastrophic incidents, which can impact personnel safety and the environment. Decision support technologies including alarm management, high performance operator interfaces, control loop performance, integrated operational information, boundary management, and configuration management of highly proprietary industrial control systems– all will be featured at PTC2014.

PAS will unveil cutting-edge new products for safe operations, advanced information visualization, and cyber security management at this conference, as well as key alliances and partnerships.

To register for the conference or for additional information visit www.pas.com/ptc .