It really is DAILY. I had a look into 'Start/settings/control panel/add or
remove' and found 42 (!) entries with the name Windows XP Hotfix KBnnnnn.
The reason I'm asking is with the wide variety of disguises viruses take
these days, I was wondering if this is a new one.
Start|Settings|Control Panel|System|Automatic Updates tab.
Select "Turn off automatic updating; I want to update my computer manually"
BTW: If your PC is part of an Active Directory domain and you don't have
the Automatic Updates tab, ask your System Admin to let you have it back!
Until the day comes when someone inadvertently plugs an infected laptop
into the control network or otherwise crosses the two networks . . .
My control system doesn't rely on any MS products (which I think is the
best protection against these sorts of thing), but even so, now that
digital 'scopes, etc. are coming out running Windows, the Windows
exploit of the day can still be a major hassle.
Yes.. that is a problem - and, like all security issues, if someone inside
deliberately wants to stuff things up there is not a great deal you can do
One way to *minimise* the chance of this happening is to:
1. Disable DHCP, DNS, WINS (on a Control network you should, anyway)
2. Run a non-"standard" IP address range (ie. anything other than
3. Password-protect server shares
so that the only people who can get access to anything are those who know
what they are doing or have been told what IP settings to use on that
Quarantine them.. that's about the only thing that will work.
So, in this particular case, there WAS a disturbance AND a significant
outage, due to a PREVENTABLE security hole.
Keeping up with difficult realities is the maintenance cost of using
control systems based on consumer off-the-shelf hardware and software,
in order to reduce up-front costs.
Millions of people check their stock portfolio every day at work; it
isn't any more difficult to keep abreast of the latest vulnerabilities.
MS has been working harder lately to develop a patch as soon as a
vulnerability is described, but before it is widely published.
The Sasser worm appears to have been released AFTER the patch was.
The virus writers keep up with the technology; so should the rest of us.
Hmmm, I really find it hard to believe/understand how one can mix up
plant and process control networks.
This is close to suicide...
if I only think of how many times the plant network was not available, due
to worm and virus stuff (and also "selfmade" userfiddling....)
I used to think so too but those times are past. Here is an example: The
client is a large refinery. Across the street is a commercial plant
supplying us with hydrogen. It is owned and operated by a third party. Our
guys want to know immediate pressure, flow, temp and purity of H2 being
supplied. Solution -- they put their data on the web, we connect and open
the page whenever we need it.
Another example: A natural gas gathering pipeline is supplied from many
sources owned by many operators and coming on and off stream more or less at
random. Central control wants to know what is going on. The old way was to
build your own communications infrastructure. Now everybody within twenty
miles of a cell tower connects direct to the internet and the material is
gathered onto a web page.
Just like the Joy of Sex overcomes the fear of clap so the joys of open
communications overcome the fear of Sasser. Our job now is to reduce the
I've been reading this thread with interest, and I have a question:
Has there been any activity in using Linux on the process control side?
The Linux freaks (er -- aficionados (er -- users)) would certainly
tell you that it has potential for being a robust solution.
I think AutomationX is still out there somewhere - and I'm sure there are
others. "Freshwater Shark" was pushing it pretty hard here not that long
The biggest hurdle with Linux has nothing at all to do with the robustness
of the OS as such and more to do with getting people to support it. The
fact that most everyone is familiar with Windows makes it pretty easy for
HMI developers to sell software for it..
Linux used to have a bigger edge back when Windoze used to crash all the
time - but Win2k and XP are pretty stable now, so Linux doesn't have as much
going for it as it used to - but with so many people getting sick of M$,
things may well change in the near future...
The lack of applications and support for Linux is closely linked to the lack
of viruses for Linux. If enough people switch to Linux to attract a proper
application and support industry, it will also attract a virus 'industry'.
Or is there some way in which Linux is inherently virus resistant?
Historical low attack rates don't mean a thing.
I work for a large organization that has an IT department that were
still testing the update for the Sasser virus when we were stuck. They
would not let us put the update on their network without proper
testing. Frustrating, as it caused much more trouble than the patch.
The controls network is connected to the main network as the control
system is fully integrated into the business network. Having a
complete separate control network is not an option as many of the
reports we generate communicate to the business systems, i.e. material
costs, recipes, bill of materials etc.
The system is connected directly to the business network with no
firewall or router, and hence this is how the control system was shut
down due to the Sasser virus. I am looking into a firewall and/or
router but still not sure which is the best way to go.
On Thu, 06 May 2004 21:03:02 -0700, Tim Wescott
I want both combined with some security. Currently they are both
combined but I am looking into segregating the control items from the
business network but what I'm not sure about is the best method. I
need to be able to communicate to the business network and remain
secure. Currently our IT department are working on a solution, I just
want to ensure that their solution is the best solution.
Thanks all for the responses.
On Fri, 7 May 2004 18:08:20 +1000, "Cameron Dorrough"
If you must have the connectivity between the control and the
business end of the network then look at segmenting your network with
a few fire-wall routers. Netgear <http://www.netgear.com/> and Cisco
Systems <http://www.cisco.com/> do suitable units for the average
situation. A few hundred dollars worth of boxes will soon begin to
provide better protection.
You will need a firewall-router for your link to the outside world
(internet) and a firewall-router for each segment of your network.
Keep the control stuff on segments away from the business segments.
It is a good idea to look for segmenting opportunities and closing
the holes in the firewalls down to the absolute minimum needed to
maintain communicability. Use NAT to hide the details of segment
addressing from other segments and the internet.
There is a really excellent book by Cisco called "Internet Routing
Architectures". I suggest that the System Architect for your
enterprise gets themselves acquainted very soon.
Naturally, all your systems should also run anti-virus measures as
well (especially if you are using PCs in the control side).
Paul E. Bennett ....................<email://peb@a...>
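The segmentation advice above (control and business on separate segments behind firewall-routers, holes closed down to the minimum) as an added example that is not part of the thread: a small Python model of a default-deny policy between the two segments, where the subnets, the two pinholes and their port numbers are all assumed for illustration.

```python
import ipaddress
from collections import namedtuple

# Assumed segment layout (constructed for this example, not from the thread):
# the control and business networks are separate subnets, each behind its own
# firewall-router; any address outside both counts as "internet".
SEGMENTS = {
    "control": ipaddress.ip_network("10.20.0.0/24"),
    "business": ipaddress.ip_network("10.10.0.0/24"),
}

# Explicit pinholes as (src segment, dst segment, dst host or "*", dst port, proto).
PINHOLES = [
    ("control", "business", "10.10.0.50", 1433, "tcp"),  # hypothetical reports database
    ("business", "control", "10.20.0.10", 502, "tcp"),   # hypothetical read-only historian
    ("business", "internet", "*", 443, "tcp"),           # office web access
]
Flow = namedtuple("Flow", "src dst dport proto", defaults=["tcp"])  # src initiates

def segment_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "internet"

def evaluate(flow: Flow) -> str:
    """Default-deny: a cross-segment flow passes only if a pinhole matches it."""
    s, d = segment_of(flow.src), segment_of(flow.dst)
    if s == d:
        return "ALLOW"  # traffic inside one segment never crosses the firewall-router
    if "control" in (s, d) and "internet" in (s, d):
        return "DENY"   # the control segment is never exposed to the internet, either way
    for ps, pd, host, port, proto in PINHOLES:
        if (ps, pd, port, proto) == (s, d, flow.dport, flow.proto) and host in ("*", flow.dst):
            return "ALLOW"
    return "DENY"

def audit(flows):
    """Pair each flow with its decision; the DENY lines are what the firewall log would show."""
    return [(evaluate(f), f) for f in flows]

# Constructed sample flows: the two legitimate pinholes, then three the policy blocks.
SAMPLE = [
    Flow("10.20.0.10", "10.10.0.50", 1433),   # control -> reports DB
    Flow("10.10.0.77", "10.20.0.10", 502),    # business -> historian
    Flow("10.10.0.77", "10.20.0.11", 445),    # business -> another control host, unopened port
    Flow("203.0.113.5", "10.20.0.10", 502),   # internet -> control
    Flow("10.20.0.10", "198.51.100.7", 443),  # control -> internet
]
```

Each pinhole is one line a firewall administrator has to justify; anything not listed, including business-side machines reaching into the control segment, is dropped and logged.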
I use Linux with custom apps on a few pilot plants in R&D. No virus problems
Besides, there are plenty of free and open source applications for
automation and control available. Check out www.linuxincontrol.org and
the links therein.
There are industrial grade commercial solutions, too. For example,
(and I am not affiliated with them) take a look at www.sixnetio.com.
Interesting stuff! - Sorry, I haven't used it because it is not much use to
someone (like me) who spends most of their time outside the EMS/Utilities
The list of supported communication protocols is a good indication of the
applicability of a SCADA package - after all, that is basically what a
SCADA system is for.
OSII lists "Harris/H-series, Boeing, Leeds & Northrup, Landis & Gyr,
Westinghouse, and Control Data" - that is not even the full spectrum of EMS
out there, but at least it's the major players.
If you have one of those systems in place, I'm sure it's probably pretty
good, but in contrast, something like CitectFacilities (www.citect.com),
whilst a Windows package and not Linux, is making enormous inroads into the
EMS/Utilities markets in Australia and China purely on the strength of their
communications and support base.