Control Network separation from Business Network

I use XP auto update, but critical updates are far from daily. Looking at my Installation History it's about 3 weeks or so, the last was 18 April 2004.
Francis

It really is DAILY. I had a look into 'Start/settings/control panel/add or remove' and found 42 (!) entries with the name Windows XP Hotfix KBnnnnn. The reason I'm asking is with the wide variety of disguises viruses take these days, I was wondering if this is a new one.
Walter


I couldn't find where to do that.
Walter.

turn
crashed.
Start|Settings|Control Panel|System|Automatic Updates tab.
Select "Turn off automatic updating; I want to update my computer manually"
BTW: If your PC is part of an Active Directory domain and you don't have the Automatic Updates tab, ask your System Admin to let you have it back! ;-)
Cameron:-)

Until the day comes when someone inadvertently plugs an infected laptop into the control network or otherwise crosses the two networks . . .
My control system doesn't rely on any MS products (which I think is the best protection against these sorts of thing), but even so, now that digital 'scopes, etc. are coming out running Windows, the Windows exploit of the day can still be a major hassle.
-- Steve

Yes.. that is a problem - and, like all security issues, if someone inside deliberately wants to stuff things up there is not a great deal you can do about it.
One way to *minimise* the chance of this happening is to:
1. Disable DHCP, DNS, WINS (on a Control network you should, anyway)
2. Run a non-"standard" IP address range (i.e. anything other than 192.168.0.x), and
3. Password-protect server shares so that the only people who can get access to anything are those who know what they are doing or have been told what IP settings to use on that network.

Quarantine them.. that's about the only thing that will work.
Cameron:-)

So, in this particular case, there WAS a disturbance AND a significant outage, due to a PREVENTABLE security hole.
Keeping up with difficult realities is the maintenance cost of using control systems based on consumer off-the-shelf hardware and software, in order to reduce up-front costs.
Millions of people check their stock portfolio every day at work; it isn't any more difficult to keep abreast of the latest vulnerabilities.
MS has been working harder lately to develop a patch as soon as a vulnerability is described, but before it is widely published. The Sasser worm appears to have been released AFTER the patch was. The virus writers keep up with the technology; so should the rest of us.
--Gene
Hmmm, I really find it hard to believe/understand how one can mix up plant and process control networks. This is close to suicide... if I only think of how many times plant network was not available, due to worm and virus stuff (and also "selfmade" userfiddling....)
good luck: -Serge-

Serge,
I used to think so too but those times are past. Here is an example: The client is a large refinery. Across the street is a commercial plant supplying us with hydrogen. It is owned and operated by a third party. Our guys want to know immediate pressure, flow, temp and purity of H2 being supplied. Solution -- they put their data on the web, we connect and open the page whenever we need it.
Another example: A natural gas gathering pipeline is supplied from many sources owned by many operators and coming on and off stream more or less at random. Central control wants to know what is going on. The old way was to build your own communications infrastructure. Now everybody within twenty miles of a cell tower connects direct to the internet and the material is gathered onto a web page.
Just like the Joy of Sex overcomes the fear of clap so the joys of open communications overcome the fear of Sasser. Our job now is to reduce the risks.
Walter.

No problem by connecting both networks together, but then it's best to have a router with firewall installed.
Process Control Network Security is another subject....
regards: -Serge-

Kim wrote:

I've been reading this thread with interest, and I have a question:
Has there been any activity in using Linux on the process control side? The Linux freaks (er -- aficionados (er -- users)) would certainly tell you that it has potential for being a robust solution.
--

Tim Wescott
Wescott Design Services

I think AutomationX is still out there somewhere - and I'm sure there are others. "Freshwater Shark" was pushing it pretty hard here not that long ago. ;-)
The biggest hurdle with Linux has nothing at all to do with the robustness of the OS as such and more to do with getting people to support it. The fact that most everyone is familiar with Windows makes it pretty easy for HMI developers to sell software for it..
Linux used to have a bigger edge back when Windoze used to crash all the time - but Win2k and XP are pretty stable now, so Linux doesn't have as much going for it as it used to - but with so many people getting sick of M$, things may well change in the near future...
Cameron:-)
The lack of applications and support for Linux is closely linked to the lack of viruses for Linux. If enough people switch to Linux to attract a proper application and support industry, it will also attract a virus 'industry'.
Or is there some way in which Linux is inherently virus resistant? Historical low attack rates don't mean a thing.
Walter.

I work for a large organization that has an IT department that were still testing the update for the Sasser virus when we were stuck. They would not let us put the update on their network without proper testing. Frustrating as it caused much more trouble than the patch.
The controls network is connected to the main network as the control system is fully integrated into the business network. Having a complete separate control network is not an option as many of the reports we generate communicate to the business systems, i.e. material costs, recipes, bill of materials etc.
The system is connected directly to the business network with no firewall or router and hence this is how the control system was shut down due to the Sasser virus. I am looking into a firewall and/or router but still not sure which is the best way to go.
Kim
On Thu, 06 May 2004 21:03:02 -0700, Tim Wescott


You want both - combined.
Try the SnapGear SME530 from http://www.cyberguard.com/snapgear/datasheets.html or buy a Cisco-pretty-much-anything.
Cameron:-)
I want both combined with some security. Currently they are both combined but I am looking into segregating the control items from the business network but what I'm not sure about is the best method. I need to be able to communicate to the business network and remain secure. Currently our IT department are working on a solution, I just want to ensure that their solution is the best solution.
Thanks all for the responses.
On Fri, 7 May 2004 18:08:20 +1000, "Cameron Dorrough"

Kim wrote:

If you must have the connectivity between the control and the business end of the network then look at segmenting your network with a few firewall routers. Netgear <http://www.netgear.com/> and Cisco Systems <http://www.cisco.com/> do suitable units for the average situation. A few hundred dollars worth of boxes will soon begin to provide better protection.
You will need a firewall-router for your link to the outside world (internet) and a firewall-router for each segment of your network. Keep the control stuff on segments away from the business segments.
It is a good idea to look for segmenting opportunities and closing the holes in the firewalls down to the absolute minimum needed to maintain communicability. Use NAT to hide the details of segment addressing from other segments and the internet.
There is a really excellent book by Cisco called "Internet Routing Architectures". I suggest that the System Architect for your enterprise gets themselves acquainted very soon.
Naturally, all your systems should also run anti-virus measures as well (especially if you are using PCs in the control side).
--
********************************************************************
Paul E. Bennett ....................<email://peb@a...>
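
Added example, not part of Paul's post or anyone else's in the thread: a small Python check that a proposed allow-list between the control and business segments keeps the firewall holes to the minimum, flagging whole-network sources or destinations, wide port ranges, and Windows RPC/SMB ports (Sasser spread over TCP 445) opened into the control segment. The addresses, rule names and the `max_ports` threshold are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumption; the thread gives no addresses).
CONTROL = ipaddress.ip_network("10.20.30.0/24")
# Windows RPC/NetBIOS/SMB TCP ports; Sasser spread over TCP 445.
WORM_PORTS = {135, 139, 445}

# Constructed inter-segment allow rules: (name, source, destination, TCP ports).
RULES = [
    ("reports-to-erp", "10.20.30.15/32", "10.10.5.20/32", "1433"),
    ("file-shares", "10.10.0.0/16", "10.20.30.0/24", "445"),
    ("vendor-any", "0.0.0.0/0", "10.20.30.40/32", "1-65535"),
    ("recipe-pull", "10.20.30.15/32", "10.10.5.21/32", "443"),
]


def port_range(spec):
    """Turn "443" or "1-65535" into a range of port numbers."""
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)


def audit(rules, max_ports=4):
    """Return (rule name, reason) pairs for holes wider than needed."""
    findings = []
    for name, src, dst, ports in rules:
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        if not (s.overlaps(CONTROL) or d.overlaps(CONTROL)):
            continue  # rule does not cross the control-segment boundary
        pr = port_range(ports)
        if s.num_addresses > 1:
            findings.append((name, "source is a whole network, not one host"))
        if d.num_addresses > 1:
            findings.append((name, "destination is a whole network, not one host"))
        if len(pr) > max_ports:
            findings.append((name, "more than %d ports open" % max_ports))
        if d.overlaps(CONTROL) and any(p in pr for p in WORM_PORTS):
            findings.append((name, "opens Windows RPC/SMB ports into control"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(RULES):
        print("%-15s %s" % (name, reason))
```

The two host-to-host rules that carry report and recipe data pass; the share and vendor rules are the ones to narrow or drop.
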
Tim,

I use Linux with custom apps on a few pilot plants in R&D. No virus problems whatsoever.
Besides, there are plenty of free and open source applications for automation and control available. Check out www.linuxincontrol.org and the links therein.
There are industrial grade commercial solutions, too. For example, (and I am not affiliated with them) take a look at www.sixnetio.com..
Andrey
Has anyone worked with osi for Linux?
www.osii.com
The website is pretty lame, lots of flash and press releases, not much meat. But if someone's worked with it, I'd be interested in the impressions.

Interesting stuff! - Sorry, I haven't used it because it is not much use to someone (like me) who spends most of their time outside the EMS/Utilities sector.
The list of supported communication protocols is a good indication of the applicability of a SCADA package - after all, that is basically what a SCADA system is for.
OSII list "Harris/H-series, Boeing, Leeds & Northrup, Landis & Gyr, Westinghouse, and Control Data" - that is not even the full spectrum of EMS out there, but at least it's the major players.
If you have one of those systems in place, I'm sure it's probably pretty good, but in contrast, something like CitectFacilities (www.citect.com), whilst a Windows package and not Linux, is making enormous inroads into the EMS/Utilities markets in Australia and China purely on the strength of their communications and support base.
Cameron:-)

Polytechforum.com is a website by engineers for engineers. It is not affiliated with any of the manufacturers or vendors discussed here. All logos and trade names are the property of their respective owners.