01 December 2004
Safe and Secure
Crowds pack in security sessions; automation industry picking up.
While the industry outlook remained optimistic despite jitters on Wall Street stirred by record-breaking oil prices, it was very easy to find the hot-button topic at ISA EXPO 2004 in Houston. All you had to do was look for the standing-room-only crowds in the security technical sessions. They were easy to find.
Officials needed to bring in dozens of extra chairs to seat attendees at a security standards panel discussion organized by Bryan Singer, chair of the ISA-SP99 standards committee focusing on control systems security. Singer said the SP99 committee's membership now totaled 240 individuals from a broad cross section of industries, including international interests.
Singer said the standards committee's goal was to reduce the complexity of implementing standards, provide a common means for vendors and customers to communicate and receive expert guidance, and reduce industry-wide risks.
Most manufacturing security standards that now exist "are of a guidance nature," he said, and not focused on plant control systems' specific needs.
Agencies involved in related standards, besides ISA, include the National Institute of Standards and Technology (NIST), International Electrotechnical Committee (IEC), American National Standards Institute (ANSI), Institute of Electrical and Electronics Engineers (IEEE), International Organization for Standardization (ISO), Chemical Industry Data Exchange (CIDX), regulatory agencies such as the Food and Drug Administration (FDA), and the U.S. Department of Homeland Security.
However, "manufacturing is not adequately covered" by existing standards, which is why SP99 is actively at work and working with groups like CIDX and NIST, Singer said.
ISA-SP99 has completed the first editions of two key ISA technical reports.
The first, ISA-TR99.00.01, Security Technologies for Manufacturing and Control Systems, appeared in publication on 12 March 2004.
The second technical report, ISA-TR99.00.02, Integrating Electronic Security into the Manufacturing and Control Systems Environment, became available on 12 April 2004.
ISA-SP99 will now focus on developing its first ANSI/ISA standard, while at the same time periodically updating the two technical reports to reflect new information and technology updates, Singer said.
Panel member Joe Weiss, of KEMA Consulting Inc., is heading up an IEEE task force for the electrical power industry, which is looking at improving security against cyber attacks. Based on his experience attending various meetings on the subject, "there is still a lot of disagreement" among various standards-making bodies on definitions of terms, he said.
"ISA is basically coming up with a standard for control systems, and then you can take it back to the other industries" for further refinement, Weiss said.
Security issues at the show were not just limited to the standards arena. Suppliers were keeping a sharp eye on the topic. But they also realized all systems are not tamper-proof.
"I think in a year's time to twenty-four months, security will be a given. Right now, people don't know what they don't know," said Mike Caliel, president of Invensys Process Systems. "I don't think people are prepared today."
Mike Bradley, Wonderware president, agreed users are not prepared, adding, "this will take a while to get it fixed."
Industrial cybersecurity expert Eric Byres brought a new twist to who is really hacking into systems in a panel of government and private industry cybernetworking and critical infrastructure specialists at the session entitled, "Automation Systems—An Achilles' Heel to Our Critical Infrastructure."
No longer are the majority of attacks on industrial computer control systems coming from internal sources, Byres said.
Joining Byres for the forum were Dave Sanders of the U.S. Department of Homeland Security, Dave Scheulen of British Petroleum (BP), Elizabeth Rhodenizer of Public Safety and Emergency Preparedness Canada (PSEPC), and Karl Williams of the U.K.'s National Infrastructure Security Coordination Centre (NISCC).
Byres, research faculty in critical infrastructure security at the British Columbia Institute of Technology (BCIT), introduced research numbers that he and Justin Lowe, principal consultant at PA Consulting Group in London, gathered.
Their breakdown of 13 incidents of industrial intrusion between the years 1982 and 2000 shows that incidents were almost evenly split between accidental, internal, and external sources, with only 31% of the events being generated from outside the company. Accidents, inappropriate employee activity, and disgruntled employees accounted for most of the problems.
These statistics correlate well with the numbers expressed by security researchers in the traditional information technology (IT) world at that time. For example, one statistic was widely quoted in 2001: "A study by the FBI and the Computer Security Institute on Cybercrime, released in 2000, found that 71% of security breaches were carried out by insiders."
They then analyzed the same events for the 2001–2003 period. Externally generated incidents accounted for 70% of all events, indicating a change in threat source.
Interestingly, the IT world appears to be experiencing the same shift. For example, Byres quoted a report from Deloitte and Touche:
"Deloitte & Touche's 2003 Global Security Survey, examining 80 Fortune 500 financial companies, finds that 90% of security breaches originate from outside the company, rather than from rogue employees. For as many years as I can remember, internal attacks have always been higher than external," said Simon Owen, Deloitte & Touche partner responsible for technology risk in financial services. "Sixty to 70% used to be internally sourced. But most attacks are now coming from external forces, and that's a marked change."
Why did the threat source change so significantly in such a short period of time?
Byres and Lowe said they have no definite answers, but there are a few possibilities to explain the impact on industrial control systems. First, the emergence of automated worm attacks starting with Code Red on 19 July 2001 means that many of the intrusions have become nondirected and automated. The control system has become just a target of opportunity rather than a target of choice.
Second, Lowe and Byres said, common operating systems (e.g., Windows 2000 or Linux) and applications (e.g., SQL Server) now dominate the human-machine interface (HMI), engineering workstation, and data historian systems. These often come configured more appropriately to business requirements and are vulnerable to a wide variety of common IT attacks and viruses. Issues with applying patches to these critical systems exacerbate the problem.
Finally, the increasing interconnection of critical systems has created interdependencies users haven't been aware of in the past. As the Slammer incident documented by the North American Electric Reliability Council illustrates, Internet incidents can indirectly affect a system that doesn't use the Internet at all. In this case, the power utility used frame relay for its supervisory control and data acquisition (SCADA) network, believing it to be secure. Unfortunately, the frame relay provider utilized a common Asynchronous Transfer Mode (ATM) system throughout its network backbone for a variety of its services, including commercial Internet traffic and the SCADA frame relay traffic. The worm overwhelmed the ATM bandwidth, blocking SCADA traffic to substations.
"All SCADA systems have weaknesses," said InduSoft's Fabio Terezinho. "The only completely secure system is one that doesn't work."
Terezinho, whose presentation was "Is Your Plant Vulnerable to Cyberattack?", spoke before another standing-room-only symposium at the Reliant Center titled "Cyberthreats to Your Automation Systems—Why Worry?"
Donovan Tindill of Matrikon spoke about the increasing rate with which viruses spread, citing some numbers. The Red virus in 2001 infected 24,000 hosts per hour.
The Slammer in 2002 infected 140,000 hosts per hour and infected a nuclear power plant. The Blaster in 2003 moved even faster, and though it did not cause a blackout in the northeast, it certainly encouraged it.
The Sasser virus in 2004 moved faster yet. Likewise, and as a mitigating factor, patches for these virulent maladies develop and become available at a faster rate. A patch for the Sasser appeared within eight days, while back in 2001 it took nearly six months to fix the Red.
"The largest problem is the poor implementation of existing security. Security is not a technical problem, it's a people problem," Tindill said.
During the session, Byres went on to compromise a programmable logic controller (PLC) that he had in the front of the hall running a program of blinking lights. Using a hacker's device called Foundstone that he downloaded from the Internet for free, Byres altered the speed and the direction of the lights, and then he just shut down the PLC altogether.
"This is the state of the Blackhat community's capabilities," Byres said.
The way the Foundstone utility works is that it logs into the machine and peppers it with protocols and checks portals until it finds an open portal and a protocol that works on the device. On the screen, it identifies both.
Another problem is the number of defects per thousand lines of code (KLOC). Byres's studies show 0.6 defects/KLOC. A modern embedded controller has 100 KLOC.
Byres went on to talk about attack tree methodology as applied to analyzing common SCADA protocol for possible security vulnerabilities.
Attack tree analysis works for many companies and has many applications. As to cybersecurity, it breaks down into these steps.
- Create a model of ways one can attack the system.
- Predict how your enemies will attack by comparing their capabilities with your vulnerabilities.
- Evaluate the impact of each attack scenario.
- Determine the level of risk associated with each attack scenario.
- Monitor the system for signs of attack.
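The five steps above can be carried through on a small model. The following is an added example, not material from the session or from Byres's work: the tree, the 1 to 3 skill scale, the 1 to 5 impact scale and the likelihood rule (4 minus the skill needed) are constructed assumptions, with leaf events drawn from incidents this report describes.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Node:
    name: str
    kind: str = "LEAF"   # "LEAF", "OR" (any child suffices), "AND" (all children needed)
    children: tuple = ()
    skill: int = 0       # leaf only: capability an adversary needs, 1 (low) to 3 (high)
    impact: int = 0      # leaf only: consequence if the step succeeds, 1 to 5
    indicator: str = ""  # leaf only: what operations staff would watch for

# Step 1: model the ways the system can be attacked (constructed tree and scores).
TREE = Node("Operators lose control of the PLC", "OR", (
    Node("Worm infects unpatched HMI workstation", skill=1, impact=3,
         indicator="new outbound scanning from the HMI subnet"),
    Node("Unauthorized change to PLC program", "AND", (
        Node("Control network reachable from business LAN", skill=2, impact=2,
             indicator="sessions crossing the business/control boundary"),
        Node("PLC accepts commands on an open port", skill=2, impact=5,
             indicator="port sweeps or unexpected protocol sessions to the PLC"),
    )),
    Node("Shared carrier backbone saturated, SCADA polls blocked", skill=1, impact=4,
         indicator="poll timeouts to substations"),
))

def scenarios(node):
    """Expand the tree into scenarios: tuples of leaves that together reach the root."""
    if node.kind == "LEAF":
        return [(node,)]
    child_sets = [scenarios(child) for child in node.children]
    if node.kind == "OR":
        return [s for sets in child_sets for s in sets]
    # AND: take one scenario from every child and join their leaves.
    return [sum(combo, ()) for combo in product(*child_sets)]

def assess(root, capability):
    """Steps 2-4: drop scenarios beyond the adversary's capability, then score the rest."""
    rows = []
    for leaves in scenarios(root):
        needed = max(leaf.skill for leaf in leaves)
        if needed > capability:          # step 2: capability versus vulnerability
            continue
        impact = max(leaf.impact for leaf in leaves)   # step 3: worst consequence
        likelihood = 4 - needed          # assumption: easier scenarios are likelier
        rows.append({"steps": [leaf.name for leaf in leaves],
                     "impact": impact,
                     "risk": likelihood * impact,      # step 4: risk per scenario
                     "watch": [leaf.indicator for leaf in leaves]})
    return sorted(rows, key=lambda row: row["risk"], reverse=True)

def watchlist(root, capability):
    """Step 5: indicators to monitor, highest-risk scenario first, no duplicates."""
    ordered = []
    for row in assess(root, capability):
        for indicator in row["watch"]:
            if indicator not in ordered:
                ordered.append(indicator)
    return ordered

if __name__ == "__main__":
    for label, capability in (("non-directed worm", 1), ("directed intruder", 2)):
        print(label)
        for row in assess(TREE, capability):
            print(f"  risk {row['risk']:>2}  {' + '.join(row['steps'])}")
        print("  monitor:", "; ".join(watchlist(TREE, capability)))
```

Raising the capability from 1 to 2 brings the two-step PLC scenario into scope, which is the difference between a target of opportunity and a target of choice.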
With the goal to become "proactive" rather than "reactive" to cyberspace security hackers, Microsoft is spurring ongoing meetings and discussions with major industry groups, a company executive said at Tuesday's session.
"You can chase off hackers in a reactive mode, or you can go into a preventive mode and build up a shield. It's better to be proactive," said Don Richardson, director of Microsoft's manufacturing industry unit in Redmond, Wash.
Asked which manufacturing industry segments had paid the most attention to security, Richardson had a quick answer: "The process industry—by far," he said. "Petroleum, chemical, petrochemical companies . . . to them, it's a very real issue." Discrete industries "are probably a little behind."
Richardson said Microsoft has held security-focused meetings in Redmond with CIDX and also with Microsoft's manufacturing user group (MUG). Agendas covered progress in Microsoft's "trustworthy computing" initiative, launched two years ago; details about Service Pack 2, a major security update recently released to Microsoft users; and input from numerous independent software vendors and customers.
Among issues of interest to manufacturers desiring to download a security patch, Richardson said, is "patch management," but they are concerned about downtime that might result from doing that.
"Feedback has been great," Richardson said. "We've learned the need to get past the emotional issues—who do I blame?" In manufacturing, the challenge is to keep systems running, to keep plant operators from seeing implementing security as "a burden," he said.
"There are some [manufacturing] companies that have implemented very successful strategies—they have strict policies in place—not just software security, but for the entire plant," he said. Ideas come from the bottom up, as well as from the top down.
If security was the top issue on the minds of ISA EXPO show goers, then the state of the automation industry was close behind.
"We're optimistic," said Loren Engelstad, an engineering manager with Emerson Process Management at the company's Chanhassen, Minn., plant. Engelstad said he feels that way because Emerson's products "are seeing increased interest by customers."
Barbara Kline, who works with Ethernet products maker GarrettCom, also sees good signs in the North American economy. "We're confident enough that we've just introduced new product and we're developing more for two to six months down the line," she said.
Another show attendee, whose company sells analyzers to the oil refining business, said his firm's sales were up. "We are not seeing a spike in sales due to $50-a-barrel prices. Our spike is because of the sulfur regulations for gasoline and diesel fuels. Business is good!"
EXPO keynoter John Sieg, director of corporate operations for DuPont, said the chemical giant is enjoying 13% annual growth and is exceeding $20 billion a year in sales.
Microsoft and Invensys disclosed that, to date, more than 180 companies have implemented over 300 projects using Wonderware's technology. Richardson underscored his firm is seeing "good momentum" with many of its partners. Mark Davidson, vice president at Wonderware, said his company's orders have tripled in the past year.
Mark Neas, regional general manager for the southern region for Honeywell Process Solutions, said things are really starting to pick up. "Right now, our customers have the money to spend," he said. "Customers that have put off upgrades have found out that now is a 'must' time for them."
"We just got a good-sized project out of Houston for a [gasoline] pipeline," said Adrian Totten from MTS Sensors. "The company has wanted to do [the project] for the past three years, but they finally pushed it through. That's a good sign."
Iconics's Tim Donaldson said his company is continuing to see growth. "Business is going well. We have had double-digit growth for the last four to five years in HMI-SCADA," he said.
Ellen Fussell, Nick Sheble, Jim Strothman, and Gregory Hale contributed to this report.
Jobs 'going down silicon hole'
Delivering a wake-up call to some in the audience who seemed convinced cheap labor overseas was the reason behind U.S. manufacturing job losses, outspoken ISA EXPO 2004 panelists Dick Morley and Jim Pinto were quick to rebut that "myth."
"The reason jobs are going down [in number] is because jobs are going down everywhere," said Morley, speaking at a Pinto-led panel entitled "Debunking the Myths: The Good, the Bad and the Future of Outsourcing."
"Jobs are going down the silicon hole, not the outsourcing hole," Morley said. Best known as the inventor of the programmable logic controller (PLC), Morley is a futurist and venture capitalist who has helped start more than 100 companies in the New Hampshire area, his home base.
Responding to a question, Pinto and Morley produced figures to support their contention that productivity resulting from automation—not outsourcing—was the biggest culprit behind most U.S. manufacturing job losses.
Only 300,000 U.S. job losses—about 15%—resulted from offshore outsourcing, Pinto said.
Morley said he was at a meeting on outsourcing at the Massachusetts Institute of Technology (MIT) also attended by representatives of industry giants GE and IBM, among others. While there, figures showed all industrialized countries are losing manufacturing jobs—including China.
According to the MIT study, about 11% of China's manufacturing jobs have disappeared, he said.
Another panelist, Jim Teegarden, a longtime senior manager at Fisher Controls who cofounded intervention management consulting firm Valpers Performance Partners, Inc., approached outsourcing from what he acknowledged was a "pragmatic" viewpoint.
Teegarden underscored that global sourcing should be "a strategic decision, not a short-term cost savings." Senior management needs to be very involved because of potential risks, he said.
"Employee morale is a key issue," Teegarden stressed. "Global sourcing is not easy. It requires involvement, support, and commitment of senior management."
Keynoter: Find your 'center of competency'
Manufacturers can achieve significant cost savings and productivity gains by creating "Centers of Competency" to identify opportunities, then working with technical managers and engineers to implement them, DuPont's director of corporate operations advised ISA EXPO 2004 attendees during his keynote address.
At DuPont, as a result of Centers of Competency, "we've seen $16 million in savings from 50 improvement projects this year," said John Sieg. "We've seen $40 million in savings since we started the program in 2002," primarily from variable cost reductions from legacy systems, the thirty-year-plus DuPont veteran said.
Challenging other manufacturers to consider creating their own Centers of Competency, Sieg explained how those at DuPont work.
"Centers of Competency identify 'initiatives in waiting,'" Sieg said. Team members learn best practices from societies such as ISA. They conduct a self-assessment effort requiring that they first agree on the current state of a process and automation system. After that, the team interviews managers and engineers, then brainstorms how to improve automation and process control systems.
"We're averaging a 6:1 ratio of benefits versus cost," the keynoter said.
A continually challenging area psychologically, however, he cautioned, is "continuing improvement over time"—after the initial excitement of a major achievement wears off.
Rather than pushing for installation of major new systems, the team is encouraged to "opt for incremental new functionality—and avoid complexity." The DuPont executive, who oversees strategic planning teams, said avoiding complexity was his favorite message.
The keynoter took a moment to praise ISA for developing certification programs enabling automation and control professionals to gain credentials that confirm their knowledge and skills. Two such programs, the Certified Automation Professional (CAP) and Certified Industrial Maintenance Mechanic (CIMM) examinations, were new at ISA EXPO 2004. They join ISA's Certified Control Systems Technician (CCST) examination, which ISA has offered for some time.
Show Product Wrap-up
Phoenix Contact revealed its XANT explosion-proof system, explaining how wireless I/O systems can now be safely installed in the Division 1 area with the new wireless I/O transmitter/receiver system, which features a cast aluminum enclosure designed to house a transmitter and antenna. A receiver and antenna are included loose with the packaged system. The cast aluminum enclosure is impact-resistant to UL requirements and includes an integral wire sealing chamber, eliminating the need for a field-installed poured sealing fitting.
Yokogawa introduced Plant Resource Manager (PRM), asset management software that integrates and manages maintenance information from field instruments, monitors online conditions, and records historical data. PRM enables users to remotely access devices that feature field communication capability, such as Foundation Fieldbus and HART-enabled devices.
Datastick Systems introduced two datastick vibration spectrum analyzers, the VSA-1227 and VSA-1247, PDA-based instruments for vibration analysis displaying fast Fourier transform (FFT) designed for ICP accelerometers. The VSA-1227 provides two analog input channels and the VSA-1247 provides four analog input channels. When combined with the appropriate Datastick software, they become complete PDA-based multipurpose instruments for vibration analysis and analog data acquisition using a variety of ICP sensors.
ProSoft Technology exhibited its flow computers for Allen-Bradley's ControlLogix, SLC and PLC platforms, and Schneider Electric's Quantum processor. These products allow integrated process control and flow computer capabilities in a single-slot, in-rack solution. The modules offer communication flexibility between the flow computer and Modbus devices, which is critical for pump stations and process plants.
3D Instruments, LLC released its newest pressure gauge, the Accu-Switch gauge. This pressure gauge offers a new standard for a mechanical pressure gauge with high/low switch contacts. Users can wire the gold-plated switch contacts directly to electrical circuits to provide operational alarms, or to stop/start a variety of electrical equipment pumps, valves, and motors.
Rittal Corp. revealed its first field-installable NEMA-type 4/4X suiting kit for modular enclosures. The product is cUL and UL approved and offers technicians the ability to expand and adapt to changing application needs (such as field retrofits that might require an additional enclosure) while maintaining NEMA-type 4/4X protection in the same electrical controls lineup.
Servomex introduced its 2200H high-temperature oxygen analyzer for process applications—now with Factory Mutual (FM) and Canadian Standards Association (CSA) approvals in addition to the ATEX Category 2 approval with which it was launched earlier in 2004. This enables customers to use the analyzer in the U.S. and Canada. They can also incorporate it within systems destined for these markets.
Watlow rolled out its new INFOSENSE sensor technology, which instantly improves the accuracy of the company's existing thermocouple and RTD sensors by a minimum of 50%. Sensor characteristics are listed on small tags attached to each sensor.
Beta Calibrators, a unit of Martel Electronics Corp. (Beta), introduced its new BetaGauge 321 dual sensor pressure calibrator, which provides 0.025% FS accuracy on both internal, isolated, and stainless steel pressure sensors. An external pressure module connection supports all BetaPort-P pressure modules for even greater measurement capability.
Virtual Standards, a Moscow-based manufacturer of a new process to improve measurement accuracy, outlined its contribution to metrology—based on proprietary algorithms for setting individual adjustments in measured devices to compensate for probable errors and bring higher accuracy (as much as three to six times improvement) to the measured value.
Micronor presented its MR312 ZapFree rotary encoder, an entirely passive, fiber-optic incremental rotary encoder. There are no integral electronics within the encoder housing, and the all-optical design requires just a single optical fiber connection.
InduSoft introduced an upgrade to its Web Studio product that includes an embedded, easy-to-configure interface to SQL relational databases such as SQL Server, Oracle, MS Access, MySQL, and others—directly from Windows CE devices. Also, new redundancy capabilities protect data and operational integrity by performing an automatic switchover to a backup system in case of primary failure.
Moxa Technologies, Inc. unveiled its EtherDevice EDS-508 series of switches designed for deployment in demanding environments. It's a series of rugged eight-port switches providing 10/100BaseTx Ethernet and 100Fx fiber-optical connections. It also provides intelligent switching services, including multicast filtering service-IGMP snooping, virtual LAN, security, and quality-of-service that helps to deliver the benefits of industry-standard Ethernet from the back office to the factory floor, improving productivity and collaborative information flow while reducing total cost of ownership.
BeldenCDT Electronics Division displayed its specialty cable products for the commercial, industrial, broadcast, and residential markets, announcing the expansion of its line of DataTuff data cable with the addition of one 2-pair and three 4-pair Category 5e cables.
CSA International announced the availability of carbon monoxide (CO) alarms certified to CSA 6.19.01, Residential Carbon Monoxide Alarming Devices. CO alarms that meet this standard will have undergone testing for a designed life span of at least three years and require either an automatic device or a marked replacement date to indicate that they've exceeded the designed life span.
TigerOptics unveiled an advance in moisture measurement for hydride gases, such as ammonia, phosphine, and arsine. MTO is a gas analyzer incorporating cavity ring-down spectroscopy. Based on this breakthrough technology, the MTO-LP-H2O offers moisture detection in milliseconds with absolute accuracy.
WIKA Instrument Corp. unveiled its dampened movement bi-metal thermometer. This engineered solution provides the benefits of a liquid-filled case in a dry configuration and is perfectly suited for environments where severe pulsation or vibration occurs. The silicone-free thermometer eliminates potential leaking case fills and the possibility of cross-contaminating your process.
Z-World rolled out its RCM3360/3370 microprocessor core module additions to the RCM 3300 family line. The RabbitCore microprocessor core modules present a new form of embedded flexibility with removable xD picture cards. Supporting an onboard 16 MB NAND Flash as well as xD picture cards of up to 128 MB, this product is ideal for large data applications requiring low-power operation.
MTS Sensors announced ATEX approval for its MG Series liquid level gauges. The ATEX approval signifies vendors can sell MG Series sensors worldwide as an intrinsically safe device.
Falconeer Technologies displayed its IV Suite statistical process control product, comprising several modules. FALCONEER IV is a performance-monitoring, validation, and predictive fault analysis software suite to make plants smarter, safer, and more profitable.
OPC Foundation confirmed the ongoing development work on its Unified Architecture specification will result in major security, reliability, and interoperability enhancements for existing and next-generation OPC products. OPC technology will become viable in control applications for the first time, allowing easy implementation and management of integrating manufacturing lines with enterprise-level applications.
Spitzer and Boyes, LLC and ISA released another book as part of their co-marketing agreement. The Consumer Guide series is a set of books providing detailed and unbiased information for the most commonly used instruments throughout the world.