It seems that the control software companies aren't offering Linux or
Unix solutions since they feel there isn't enough market interest to
justify the effort. But then, there isn't much market interest because
*nix based control products aren't commonly available.
I would suspect that if a company were to come out with quality software
which runs under Linux, the interest would be there. The robustness,
scalability and ease of remote management would justify its use over
Windows based systems. Security would also be a plus. While Linux is by
no means immune to remote compromise, it is much more resistant than
Windows has proven to be.
What I have typically seen done in the process industries is to create
separate networks linked by a firewall that blocks all traffic except that
which is explicitly required for the business system interface. Included in
the list of blocked traffic is HTTP, SMTP and POP3 traffic, which eliminated
about 95% of the virus sources out there. We also employ SecurID tokens as
an authentication methodology to gain access to the process control network
segments. What this means is that in addition to having a valid password
you have to be in possession of the SecurID token in order to be
Azimuth Solutions Inc.
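As an added illustration of the firewall policy described in the post above (not part of the original thread and not any poster's code), the following audits an ordered, first-match rule list for an explicit deny-all and for any rule that would let HTTP, SMTP or POP3 cross between the two segments. The subnets, the `Rule` structure and the TCP 5450 flow are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

# Constructed zones and services for illustration; not from the thread.
BUSINESS = ip_network("10.10.0.0/16")
CONTROL = ip_network("192.168.50.0/24")
BLOCKED = {"HTTP": 80, "SMTP": 25, "POP3": 110}

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    port: Optional[int]    # TCP port; None matches any port

DENY_ALL = Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None)

def covers(outer, inner):
    """True if `outer` matches every packet that `inner` matches."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.port in (None, inner.port))

def audit(rules):
    """Audit an ordered, first-match rule list for the zone boundary."""
    findings = []
    if not rules or rules[-1].action != "deny" or not covers(rules[-1], DENY_ALL):
        findings.append("final rule is not an explicit deny-all")
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        # An earlier deny that fully covers this allow makes it unreachable.
        if any(d.action == "deny" and covers(d, r) for d in rules[:i]):
            continue
        s, d = ip_network(r.src), ip_network(r.dst)
        crosses = ((s.overlaps(BUSINESS) and d.overlaps(CONTROL))
                   or (s.overlaps(CONTROL) and d.overlaps(BUSINESS)))
        for name, port in BLOCKED.items():
            if crosses and r.port in (None, port):
                findings.append(f"rule {i}: {name}/{port} may cross {r.src} -> {r.dst}")
    return findings

# Constructed policy: one required flow (hypothetical TCP 5450), then deny-all.
GOOD = [Rule("allow", "10.10.20.5/32", "192.168.50.10/32", 5450), DENY_ALL]
# Constructed weak policy: whole business LAN may reach the control segment.
WEAK = [Rule("allow", "10.10.0.0/16", "192.168.50.0/24", None)]

if __name__ == "__main__":
    print(audit(GOOD), audit(WEAK), sep="\n")
```

An allow rule that is only partly shadowed by an earlier deny is still reported, so the audit errs toward flagging.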
I would agree that a sensibly locked down firewall/router is provided
to provide a degree of separation and manageability. Dual NIC are a
stop-gap or trial/beta solution not best suited for the long haul.
We've previously started out on this as lowest cost (using the
hardware only yardstick !) and found it required more knowledge,
sometimes easy to setup other times difficult. It is also like
software barriers ie very easily forgotten or overridden and not
In addition if you have a control network of any size the patch and
virus management issue is a serious one and we should all take a leaf
out of the IT guys' book for looking after it.
Corporate deployment packages for anti-virus are readily available and
are actually very suitable for control networks, once some basic
research is done. There are lots of leaks and holes inside, perimeter
fencing is NOT enough.
On the Windows OS patch front, there again are very good tools out
there freely available from MS, assuming you can run them somewhere,
which is not an issue. The SUS update server (to be improved further
by WUS I think) is a godsend. Anyone who says it's a hassle or has no
time to update patches needs shot, these tools are great and you can
set up whatever level of automatic/approval you want - look into it.
This covers a range of OS w2k onwards and includes patch management
for SQL as well ! This alone for me justifies upgrading to W2k/XP.
Another gripe/worry I had for years was how the AV/Patches could
co-exist with the myriad of automation packages. These concerns have
not been realised. In fact I am sorry to say that it is actually
automation vendor version upgrades that remain a much more serious
undertaking ! (IMHO)
Something else which has worked nicely is rolling out the AV/SUS solution.
We actually carry a small Vmware W2K image with the AV/SUS which can
be deployed rapidly on any available server/pc and be done very
As for complete separation, this is of course a solution, but doing
this loses out on so many important benefits, there is no need to list
in this thread.
Excellent prose Alistair. Many good
suggestions. However, let me point out a
few things. There have been numerous
cases of people using wireless devices,
such as phones/modems with CDPD, GPRS,
CDMA, etc etc, that have been infected
with malignant code. This can easily
happen when these sorts of devices get
software off the net, from the
manufacturer or elsewhere. The FBI has
several ongoing investigations into
COTS (Commercial Off The Shelf) devices
that have malignant software from the
overseas manufacture. No they are not
going to go public with these stories,
at this time.
Also, if any user inside a network runs
the wrong software, inside of a network
that is connected to the internet, or a
wireless grid, chances are that
malignant software will find its way
into your network. There are solutions,
but, they are not for the faint-at-heart.
First, install and run a good intrusion
detection software package. These sorts
of software monitor the internal network
for issues. They are very complex to
install, collect data, analyze data, and
make modifications to networks, but it
works. Second, if at all possible, use
linux or BSD servers on your control
network. Microsoft has a very long way
to go to even remotely have a secure
Before everyone begins throwing stones
at me, please look at a few web sites,
that may enlighten yourself about real
network security. Oh, and all of those
vendor protocols, are clear text, and
are easier to hack than a loaf of white
bread. The US military is moving to
embedded linux in the battle space for a
variety of reasons, but, security is
first and foremost:
Some sites of enlightenment:
Just to mention a few
Fair enough, but we've got to 'pee with what we've got'
which is the likes of DeltaV/OsiPi/Rockwell/Intellution/non-unix batch
systems.. all Windows based stuff, none of which is going to get
So the diversion off to unix is not really an option, we are looking
at tightening up the obvious holes, push up the security rating and
not get caught out by the likes of the high profile recent worms/etc.
Hopefully, Microsoft continues to tighten up things, over time and
with enough effort and money..... things will get better.
On the telecoms/wireless front there is still great reluctance from a
security point to authorise these technologies and I can see/agree
with the logic, so for now in the process control industrial sector
the wireless LAN/bluetooth/SMS/mobile has not been embraced to a high
degree. We only seem to use this stuff in our home/hotels !
From the extreme security point of view, I thought/read that the
biggest threat was disgruntled employees/control engr/admins,....
another topic I guess.
Network Interface Card. The LAN/network card in your PC with the fat
phone jack and two blinking lights.
You can install more than one, and assign them different IP addresses,
which allows you to communicate with two separate networks, without,
in theory, connecting the two together. Unfortunately, as an earlier
post pointed out, there is software which allows complete and silent
control of the PC it is installed on.
For example, the capabilities of Back Orifice 2000:
HTTP filesystem browsing and transfer, with optional restrictions.
Management of Microsoft Networking file sharing
Direct registry editing
Direct file browsing, transfer, and management
Remote upgrading, installation, and uninstallation
Network redirection of TCP/IP connections
Access console programs such as command shells through Telnet
Multimedia support for audio/video capture, and audio playback
NT registry passwords and Win9x screensaver password dumping
Process control, start, stop, list
Multiple client connections over any medium
GUI message prompts
Proprietary file compression
DNS name resolution
..all offered as a remote server, so that all these features could be
controlled thousands of miles away via the business LAN connection.