waltboyes

More from Emerson Exchange...Rich Merritt reporting

October 4th, 2005 (12:36 pm)

------------------------------
EMERSON ACTS LIKE THE LEADER

Way back, when I worked for Young & Rubicam (the world's largest ad
agency), they stressed one of the most important rules of marketing: "If
you want to be perceived as a leader, ACT like a leader." Methinks John
Berra, president of Emerson Process Management, took the same class.

The pugnacious president came out swinging today, when he delivered the
first keynote address at the Emerson Global Users Exchange. "We have never
been better," he declared to about 1,800 customers. "Although our numbers
are not official until November, I estimate that our 2005 sales are about
$4.2 billion, an increase of $500 million over last year. Our 2005 sales
are tracking toward 13% growth this year. Further, our order rate is up
more than 15%. We are the most financially stable company in the process
control business."

Berra made a few innuendos about control companies that mask their sales
numbers, combine them with other operations, and otherwise do everything
they can to NOT tell you what their annual process control sales are.

"We intend to widen our lead," he said, implying that Emerson was leading
the pack. We don't know for sure if that is true, and we won't know until
we compile our Top 50 in December. But anyone listening to Berra would
certainly think Emerson was the leader. At least Berra was ACTING like the
leader, in the best Y&R tradition.

Another Y&R marketing rule is, "your best customers are your existing
customers," implying that it is easier to sell equipment to current
customers than it is to find and sell new customers. It's the classic 80/20
rule at work.

Berra seems to have learned this lesson too, because he did everything he
could to assure customers that Emerson cares about them, wants to know
their problems, and that they made the correct buying decision.

Berra is a master at this game. From anybody else, it would smell like
marketing schmaltz. From Berra, it sounded sincere.

Another marketing rule is: "It is important to be sincere. Once you learn
to fake that, you got it made!" In Berra's case, I don't think he was
faking it.

Rich

waltboyes

Merritt Loves it When He's Right...more from Emerson Exchange

October 4th, 2005 (12:43 pm)

-------------------------------
I LOVE IT WHEN I AM RIGHT

For years now, I've been writing articles that predict the use of remote
servers, and software that runs from afar. Many people told me that user
companies would never permit plant data to escape their grasp and wind up
(gasp!) in the hands of some vendor. Or, even worse, wind up on a server
for a company that is working for other end users. Or, horror of horrors,
be transmitted over the Internet!

Balderdash to all that. I've been right all along.

I attended a session, "Equipment Monitoring at a Crude Oil Facility," by
Cesar Malpica, process engineer at Petrolera Amerivan in Venezuela, who
described how they were using an AMS asset management system to diagnose
problems in compressors, heaters and boilers.

The kicker is, the AMS system is running on a server in the UK, and the
Amerivan engineers, techs, managers and maintenance folks get access to AMS
screens over the Internet, using a web browser.

The reason the server is in the UK is because that's where Emerson keeps a
staff of engineers and analysts who understand refinery operations and can
diagnose problems from afar. Malpica described how the two companies work
together to solve equipment problems, and it seems to be a sweet deal.

And, for those who say asset management software from a process control
vendor is dedicated to their proprietary hardware only, another
"balderdash" is in order: the process control system at Amerivan is a
Honeywell TDC3000. AMS takes what data it needs from the Honeywell
historian.

Why Amerivan didn't use Honeywell's asset management software to do the
same remains a question. Malpica said they considered other solutions, but
only Emerson had the software and the engineering expertise they needed.

Another question that remains unanswered is: Why don't process control
companies advertise and promote such capabilities? They can all do remote
server applications and, if you ask them, they will tell you so.

Asset management appears to be the hot topic of the day around here. More
on that subject anon.

Rich Merritt

waltboyes

Emerson "introduces" Smart Remote Automation...

October 4th, 2005 (12:46 pm)

EMERSON INTRODUCES SMART REMOTE AUTOMATION, A NEW EXTENSION OF THE PLANTWEB® DIGITAL ARCHITECTURE


Emerson Process Management has introduced something they call Smart Remote Automation, an extension of its PlantWeb® digital architecture that the company says will improve businesses comprised of processes that go well beyond the confines of the typical plant. The Smart Remote technology enables continuous diagnostics to run at remote sites and connect in real-time to centralized operations centers where they allow predictive operations and maintenance, and enable staff to increase site availability and throughput.

The first industry to benefit from this extended architecture will be upstream oil and gas, where production, transportation, and distribution operations can cover hundreds or even thousands of square miles. To maintain these sites has traditionally required many man-hours and miles of driving.

Jon Milliken, president of the Flow Computer division of Emerson Process Management, said, “Smart Remote Automation represents an entire new category of technology that will give our users continuous visibility to the health of their field instrumentation, enabling operation and maintenance that is more proactive and efficient, and increasing up-time of their dispersed facilities.”

“This launch marks the beginning of the end of run-to-fail practices,” Milliken claimed. “Smart Remote Automation embraces our customers’ process instrumentation and equipment, and represents an architecture platform for future additions that we are developing,” continued Milliken. “Throughput and yield should increase.”

Smart Remote Automation provides health of such equipment as pressure, temperature, flow, level transmitters, and control valves. Centralized real-time access to this information may produce a major impact on maintenance and repair budgets, and improvement in uptime.


Technology Enables Smart Remote Automation

Smart Remote Automation relies on HART-based field devices that power PlantWeb with predictive intelligence, and on the ROC800 Remote Operations Controller. Extending the values of this technology to remote sites is made possible by the technology of Emerson’s ROC field server and AMS™ Suite with ROC Polling Service. AMS Suite is the company’s family of software products that convert health status from the intelligent devices into predictive information for use by those running the facility.

ROC Field Server is a new field device that manages communications as it merges low-bandwidth, low-speed field diagnostics communication with high-bandwidth, high-speed Ethernet host communications by prioritizing data packets, caching and bandwidth management, and automatic directory generation.

AMS Suite provides the real-time configuration, calibration, diagnostics, documentation, and the user interface for the smart instrumentation. The suite includes Intelligent Device Manager and Asset Portal software for managing smart instrumentation. ROC Polling Service is software that resides on the AMS Suite and provides the communication and database interfacing between the suite and the ROC800 Remote Operations Controller located at each remote site.

ROC800 Remote Operations Controller is a field-proven measurement and control device that serves as the communication link between the smart instrumentation located at a remote site and the ROC Field Server or ROC Polling Service. It passes data between the smart instrumentation and AMS Suite. The ROC800 communicates to smart instrumentation using HART protocol. The ROC800 supports a variety of communication and networking technologies including both low and high speed wired and wireless.



Emerson Claims Broad Benefits To Be Delivered by Smart Remote Automation

- Improve process availability by using predictive intelligence to help detect and avoid causes of equipment failure that can lead to unplanned downtime.

- Increase maintenance efficiency and effectiveness by detecting and diagnosing potential equipment problems before they become issues that detract from performance.

- Help regulatory compliance and reporting by enabling companies to provide device alert tracking and a detailed audit trail of operations.

- Increase throughput and yield by reducing downtime, and by improving basic and advanced control, reducing variability.

- Improve quality by helping keep instruments and equipment maintained and performing at their best.

waltboyes

Invensys and Process Security

October 4th, 2005 (01:21 pm)

Several Invensys troopers gave interesting discussions on systems security. The most interesting of the Invensys staff was Ernie Rakaczky, whose sermon was about Prevention instead of Reaction to system attacks.

"Everything starts with a site security review," he said, "that addresses your specific needs. This is really a risk assessment."

"Being secure doesn't mean giving up productivity," he went on, "but it does mean that you may have to be more rigid with your processes."

Your security system should be built of multiple layers, in which the judgement call is the risk vs. value assessment. You may want to consider data isolation strategies, building "data DMZs" for data that is critical and susceptible to attack. You may want to seriously consider data warehousing, instead of letting people go directly to the operating control system and pull down data.

"The key concern," Rakaczky said, "is the impact of Day Zero. That's the day the attack first starts."

Day Zero is not addressed by anti-virus; it is not addressed by network detection and monitoring; it is not addressed by patch management-- and this is not a Windows issue. This is true for all OSes.

Invensys, he reported, is security focused, building security from within, in new product development, in existing products, and with new validation and testing methodology. Invensys helps end users in the design phase of projects, in the implementation phase of projects, and, above all, Invensys offers security program management services. (There's that "services" word again...)

Invensys has established a security-focused website: https://ips.csc.invensys.com. On this site are whitepapers, tutorials, links, etc.

Invensys also provides Security Review services, system hardening, and solution implementation.

"We are the industry leaders," Rakaczky boasted. "We were the first DCS supplier to ship our product with integrated anti-virus. We run our vulnerability scans on our own equipment."

Rakaczky implored his audience to get involved with the standards working groups like SP99 and PCSRF and others. "It is exciting to be part of this," he said.

waltboyes

Cyber Impacts on Industrial Control Systems-- Invensys reprises Eric Byres

October 4th, 2005 (01:42 pm)

Byres, who set out a decade ago to make himself the world's leading authority on process control security, and who has put lowly little British Columbia Institute of Technology on the map for politicians, regulators, process control experts, standards bodies, and the entire hacker community, returned for a second straight year to talk turkey about cybersecurity. He brought new data with him, too.

When he started, Byres remembered, it was really about "separating fact from fiction. We needed a realistic assessment of risk; what was urban myth, how urgent was the risk, what vulnerabilities, what threat sources were there, and how serious were the consequences of the threats."

So BCIT created the ISID, the industrial security incident database, which now has tracked over 100 incidents from 17 contributor companies all around the world, and across all industry verticals where process automation systems are used.

The data shows a sharp change in the number of incidents between 2000 and 2001, continuing through 2003 at a very high level, and tailing off slightly through 2005. Byres believes that the number of incidents will never return to pre-2000 levels. He also noted that the nature of the problems shifted radically beginning in 2001.

From 1982 to 2001, accidents accounted for over 58% of incidents, while external threats accounted for 28% and inside jobs accounted for 15%.

But since 2001, external attacks have climbed to 61% of threats, a major increase, while accidents have remained stable at about 32%, and inside jobs drastically declined to 2%, while audits and other incidents rose to 5%.

Why the shift, Byres asks.

"Well, it is not a reporting artifact," he insisted. "We've checked that out thoroughly and it is a real issue."

Byres thinks there are three possibilities:

1. The nature of malware changed in 2001/2002
2. Widespread adoption of TCP/IP and Ethernet technologies
3. SCADA is now on the hacker and public radar since 9/11

What does this mean? The landscape has permanently changed, Byres insists, and companies who are using pre-2001 solutions are in deep danger. Companies need new solutions to these new risks, or "you're throwing money away."

According to Byres, malware has accounted for 2/3 of incidents in recent years. This, he noted, seems to match IT trends. "What has been surprising," he said, "is the high level of sabotage reported, over 13%!"

Worms are the real problem: over 88% of incidents involve a worm. "Slammer" is still the number one problem on the plant floor.

Malware may be the most common threat, but it is not the most expensive. Of the incidents where the cost exceeds $100k, almost 79% are accidents and 21% sabotage, Byres reported.

Where are the attacks coming from? 56% of attacks are remote, with only 2% being physical. Local attacks comprise about 27% of the total, with "other" amounting to about 15%, Byres claims.

Nearly half the problems came "from the business system right through the firewall!" Byres exclaimed. "I am not happy," he continued, "with the state of firewalls."

Even though people have been warned against this practice for years, approximately 17% of attacks actually still come from direct connection to the Internet. This is seen a lot in water SCADA systems, Byres reported.

Byres pointed out that there are many infection vectors, and many "back doors."

New challenges, according to Byres, include the fact that hacking is no longer fun and script kiddies. It is now a business with significant ties to worldwide organized crime.

Targeted worms are now becoming common, and info-spying is becoming the principal goal of hacking. "We might recently have seen a custom process control worm recently," Byres confided. "We're still studying it."

Byres reported on a "grey hat/black hat" convention held very recently called TOORCON7, and quoted from "Talk #16: SCADA Exposed" and noted that this talk revealed a great many vulnerabilities in all the most common SCADA and DCS systems.


____________________________________________________________________________________________________________
A Special Sidebar
From Dale Peterson's SCADA SECURITY blog:

2005-09-28

SCADA Exposed and Other Fare from Toorcon7

I did not attend Toorcon7, but presentation materials were posted over the weekend, including those for SCADA Exposed, an interesting presentation by Mark Grimes. Although much of the background material has been seen at previous venues, this talk provided among the most detailed (if not entirely comprehensive) treatment of SCADA protocol vulnerabilities discussed in a public forum, let alone at a non-industrial security conference. Whether we will continue to see more of this type of research presented at IT security conferences such as BlackHat or Cansecwest, only time will tell.

Two talks on threat vectors that I wish I could have seen were You are the Trojan, which outlined non-traditional (primarily hardware) means of exploitation, and The Web Vector: Exploiting Human and Browser Vulnerabilities, which (among other things) described the use of honey clients to find malicious web sites.

Check them out!

_________________________________________________________________________________________________________________


One of the biggest security challenges in process automation, Byres claims, is DCOM. Someone shouted out from the audience, "DCOM is evil!" Byres seemed to agree, and noted, "DCOM is the foundation for OPC, which makes DCOM a vector now!" Byres continued, "This is a big problem, because OPC is NOT SECURE!" This is a huge issue, he insisted, and must be addressed real soon or it will bloom into big big trouble.

"Companies still don't understand the risk," he said, "and it is very hard to show ROI...and beyond that, most companies do not have an enterprise wide coherent security policy for the corporation."

A recent IEEE report concluded that 80% of all firewall installations in industry have major holes, Byres reported. Out of the 37 firewalls studied, 5 were good. "What 'good' means," Byres elucidated, "is that they had three or less major holes." He continued, "If IT departments have this much trouble, what about the poor, lowly Process Control Network?"

Byres' advice:


* Defense in depth: the bad guys will still get in
* Harden the plant floor
* Best Practices Guides for patch management, domain management and group policies and objects (ACL)
* Quickly find/create a secure DCOM replacement


In addition, Byres notes that there are huge embedded system weaknesses in such devices as PLCs, DCS controllers, RTUs, etc. PLCs fail when scanned, indicating extremely bad TCP/IP implementation; RTUs violate basic TCP standards, and so forth.

We also need, he proclaimed, a complete suite of Quality Assurance testing tools for security so that we can find vulnerabilities before we deploy the software. These tests are required for even a basic level of assurance.

BCIT has developed a software suite called Achilles. Achilles is a GUI-based security test platform to coordinate multiple Linux testing tools. It automates most vulnerability testing.

Concluding, Byres said that a key issue going forward will be how to get the word out safely. "We need to encourage," he said, "companies to share to the database, find a secure method of reporting and reading vulnerability information, and methods to fairly and legitimately get vulnerability information to vendors." He also recommended that the first step in creating standards for industry was to generate 'best practices' and recommendations for how to handle legacy systems. He also called for improvements to the QA standards in the industry.
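
Byres' remarks on traffic coming "from the business system right through the firewall" and on direct Internet connections, together with the "data DMZ" idea from the Invensys talk, can be turned into a ruleset check. The following is an added example, not from the original post or from BCIT: the zone names, port numbers, both rulesets and the three definitions of a "hole" are assumptions constructed for illustration, and the firewall is assumed to be first-match-wins with an implicit default deny.

```python
ZONES = ("internet", "business", "dmz", "pcn")  # assumed zone names; pcn = process control network
OTHER = "other"                                 # stands for every port no rule names explicitly

# Findings the audit reports (assumed definitions of a "hole" for this example).
INTERNET_TO_PCN = "Internet reaches the control network directly"
BUSINESS_TO_PCN = "business network reaches the control network instead of the DMZ"
PCN_TO_INTERNET = "control network can open connections to the Internet"
HOLES = {
    ("internet", "pcn"): INTERNET_TO_PCN,
    ("business", "pcn"): BUSINESS_TO_PCN,
    ("pcn", "internet"): PCN_TO_INTERNET,
}

# Constructed rulesets: (action, source zone, destination zone, port); "any" is a wildcard.
WEAK_RULES = [
    ("allow", "business", "dmz", 443),   # business users read the data copy held in the DMZ
    ("allow", "pcn", "dmz", 1433),       # control network pushes data out to the DMZ
    ("allow", "internet", "any", 80),    # broad rule placed above the deny that follows
    ("deny", "internet", "pcn", "any"),  # meant to protect the PCN, but never sees port 80
    ("allow", "business", "pcn", 135),   # DCOM endpoint mapper straight into the PCN
    ("allow", "pcn", "any", "any"),      # unrestricted outbound from the PCN
]
HARDENED_RULES = [
    ("allow", "business", "dmz", 443),
    ("allow", "pcn", "dmz", 1433),
    ("deny", "any", "any", "any"),
]


def decide(rules, src, dst, port):
    """Return (action, rule index) under first-match-wins; unmatched traffic is denied."""
    for index, (action, r_src, r_dst, r_port) in enumerate(rules):
        if r_src in ("any", src) and r_dst in ("any", dst) and r_port in ("any", port):
            return action, index
    return "deny", None


def audit(rules):
    """Map (rule index, finding) -> set of ports that rule actually lets through."""
    ports = {r[3] for r in rules if r[3] != "any"} | {OTHER}
    findings = {}
    for (src, dst), finding in HOLES.items():
        for port in ports:
            action, index = decide(rules, src, dst, port)
            if action == "allow":
                findings.setdefault((index, finding), set()).add(port)
    return findings


if __name__ == "__main__":
    for (index, finding), ports in sorted(audit(WEAK_RULES).items()):
        print(f"rule {index}: {finding}; ports {sorted(map(str, ports))}")
    print("hardened ruleset findings:", audit(HARDENED_RULES))
```

The deny at index 3 looks protective in a line-by-line reading, which is why the audit evaluates effective first-match behaviour instead of scanning for risky-looking rules.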

waltboyes

Micro Mod and the Katrina/Rita mess

October 4th, 2005 (04:21 pm)

This came from the CSIA eNewsletter:

One of our Associate Members, MicroMod Automation, contacted us with the following information. They had been informed that an estimated 400 Waste Water treatment plants of various sizes have been damaged to some extent. Based on their records some 40% of the controls for these sites were of the 3 x 6 panel board type provided by Bailey / Fisher-Porter. MicroMod took over the production, repair and application support for these products in 2004. If any of our members are called upon to service one of these facilities, you can purchase any replacement hardware directly from them at a substantial discount. Call Frank Fontana of MicroMod at 585-321-9222 for assistance in this matter.

If you know anybody in the water and wastewater business in Texas, Louisiana, Mississippi, and Alabama, please pass this along.

Walt

waltboyes

And from Emerson Exchange....Something REALLY Scary...

October 4th, 2005 (04:52 pm)

WANT TO SEE SOMETHING REALLY SCARY?

Walt's reports about security problems were mirrored here at the Emerson user conference, with several sessions on cybersecurity.

Then it got scary. A bunch of hackers from Idaho National Labs frightened the beejeesus out of about 250 attendees by demonstrating -- live -- how to use a laptop over the Internet to hack through two firewalls, get onto a process control network, read the internals of a device controller, and turn on a pump, all without being detected.

I don't pretend to have understood all the gory details, because they were throwing around words like script kiddies, IDS, DMZ, and ACT scans as if we all knew what they meant. Nevertheless, the results were downright scary, especially because they had a demo control system sitting on the floor in front of the podium, and you could hear the pump when it started up. They also spoofed HMI screens, demonstrating that they could make the operator see anything they wanted him to see. We saw the HMI screen change!

I will try to explain how it worked. They started their attack by sending an email to a user on one of the business computers. The email contained a powerpoint presentation which, when opened, sent innocuous emails back through the router and firewall to the hacker on the laptop. Because the email came OUT of the system, through the firewall and router, this gave the hacker enough information to get back in and "take over" the business PC, right through the router. Once in, they did an ACT scan to identify every node on the business LAN, figured out which node was the firewall protecting the control system, and then spoofed all the other computers into thinking that THEY were the firewall/router. This caused every node on the system to send them security codes, which they used to get through the real router, onto the process control network, and into another workstation. From there, another ACT scan identified all the network devices again. They nosed around until they found one with an embedded web server, and opened it up. Then, through some reverse engineering, they were able to find the internal tables that labeled all the process variables. They then "forced" an output to start the pump.

The demo took only about 15 minutes, obviously because they were just retracing steps and knew exactly where to find what they needed. In real life, it took the hackers three weeks to penetrate the system the first time, mostly because they had to reverse engineer the controller in question. But script kiddies (tools that amateur hackers can find and use) that contain intrusion programs are readily available for Zip files, PowerPoint files, Oracle and a host of other files you get in the mail every day. That means almost anyone can get through your firewalls, including 14-year-old hackers.

Going beyond the business system requires more skill, and reverse engineering the control device takes exceptional skill. But none of this is beyond the ability of a professional, dedicated hacker who is being paid to get into your system. And, once such a hacker does the reverse engineering on a particular device, it might find its way into the hacker community as a script kiddie. It's just going to get worse.

One of the scariest items I learned is that Ethernet is a two-way network, even if you set your Shadow Server up so that it can send but not receive messages. It becomes a two-way network when the sending part asks the receiver, "Did you get that packet?" and the receiver says "Yes." That's two-way communications, and lets a talented hacker get in. Advice we gave a few months ago, which said you should isolate your system from outside networks completely, and let a shadow server deal with business networks and remote users, now appears a bit faulty. The concept is good, said the lab boys, but maybe you want the two computers to communicate by something other than an Ethernet link. Like Sneakernet.

When the session broke for 10 minutes, nary a person left. All wanted to hear the 2nd part, which explained what Emerson was doing to improve security on DeltaV systems.

Rich Merritt

waltboyes

At Emerson Exchange....Rich Merritt reports!

October 4th, 2005 (10:06 pm)

I LOVE TO BE SCHMOOZED

I first learned the value of schmoozing when I was a young punk kid, building automation systems for Process Control Inc. in Columbus, Ohio. We had a sweet little deal with a local manufacturer, wherein we supplied them with PDP-11-based automation systems. We had installed three systems in the plant, and bid on another job with every expectation of winning the bid. We had sign-offs from all the engineers and production people, and were ready to roll.

To our dismay, the job went to IBM. It seems that IBM flew a couple of senior VPs down to Boca Raton for a few days, where they were "entertained." I assume that means golf, deep sea fishing, and all the other attractions in that region. No matter that the IBM solution was 4 times more expensive than ours; what was important was the schmoozing of VPs.

I thought such days were long gone, thanks to the IRS' rules on expense accounts and the down economy.

But then I attended the Emerson User Group meeting, where I find schmoozing has returned. Never mind that Emerson feeds everybody, holds the conference in a really cool place like Orlando, and runs a first-class operation. They have free BOOZE and FOOD in the exhibit hall!

No wonder that the exhibit hall is full of people until 9 pm. It's almost like attending a trade show in Europe, with people wandering around with a glass of Maker's Mark, single-malt scotch, or California wine. Like I said, it's first class all the way. And no wonder that attendance is up.

If ISA wants to grow its trade show, it should bring back booze and food during the show. Today's goody-two-shoes, sanitary version of the once-rowdy (and extremely profitable) ISA show is a pale imitation of those booming shows. Does anyone remember the dancing girls from Esterline-Angus that stopped floor traffic at an ISA Show in the Astrodome? Bringing back booze would be a good start on the road to recovery. Dancing girls would be good, too.

Rich Merritt
