Cybersecurity experts, and especially the media that reports on cybersecurity vulnerabilities, often love to just point fingers at companies. Seldom do they acknowledge a good response. Here is an item I picked up from a security services company, IOActive.
The company announced Jan. 9 that it has uncovered multiple vulnerabilities in Siemens’ SCALANCE X-200 Switch Family. These Ethernet switches are used to connect to Industrial Control Systems (ICS) components like Programmable Logic Controllers (PLCs) and Human Machine Interfaces (HMIs). The switches enable remote diagnostics and simplified configuration through a common web browser.
IOActive senior security consultant Eireann Leverett discovered two vulnerabilities in the switches, both in the web server authentication of the product. The first could allow an attacker to perform administrative operations over the network without authentication, gaining access to critical services. The second could allow an attacker to hijack web sessions over the network without authentication.
“Siemens ProductCERT were professional, courteous, and did not adopt an adversarial attitude when I contacted them about the vulnerabilities. Consequently, we were able to clarify the vulnerabilities quickly, and they produced a patch within three months,” said Eireann Leverett, senior security consultant for IOActive. “I challenge other ICS vendors to match this timeline for security patching in the future.”
As soon as IOActive notified the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) of the vulnerabilities, Siemens ProductCERT wasted little time resolving the issue.
Leverett added, “The speed at which Siemens ProductCERT responded to the notification of these two vulnerabilities is something to be applauded. IOActive has always pushed vendors to respond when they receive notifications on vulnerabilities in their products. Siemens is the perfect example of how companies should respond when addressing these issues.”
Siemens ProductCERT is a team dedicated to accepting and handling security issues and vulnerabilities within the company’s products. It coordinates with external and internal security researchers and works closely with the company’s product teams to develop fixes. ProductCERT publishes the fixes as soon as they have been tested and credits the researchers who discovered the issues. The very existence of this team illustrates Siemens’ serious commitment to handling security issues smoothly and quickly.
Siemens has addressed both issues by providing a firmware update for the affected products.
Opto 22 groov HMI
Industrial automation manufacturer Opto 22 has announced groov Server for Microsoft Windows, a software-based version of its groov product for building, deploying, and viewing simple, effective, and scalable operator interfaces to monitor and control systems and equipment using computers and mobile devices. groov Server for Windows runs on enterprise PCs or servers, and is intended for settings where the IT Department won’t add hardware to the network, but will add software served from a Windows PC. Since groov Server for Windows runs on a PC, it also reduces costs for OEM machine builders who incorporate a PC in their product and need to add mobility options for their HMIs.
Using only a modern web browser, groov securely lets industrial automation end-users, system integrators, machine OEMs, building managers, technicians, or any authorized person quickly build and deploy browser-based interfaces for automation, monitoring, and control applications. Although groov is served from a Windows PC, any computer with a modern web browser can be used to build interfaces. These operator interfaces can then be viewed on almost any computer or mobile device regardless of its manufacturer or operating system, including PCs, tablets, smartphones, and even smart high-definition televisions. groov is intended to augment traditional human-machine interfaces (HMIs) by making important information available at any time and in any location.
groov offers a simple yet flexible environment for developing operator interfaces with zero programming, and requires no per-seat runtime or viewing licenses. Overcoming the biggest challenge in developing for multiple screen sizes and mobile HMIs, groov automatically and gracefully scales all screens, page objects, and gadgets, allowing groov HMIs to be viewed and manipulated from virtually any device of any screen size.
groov uses the latest web standards like HTML5, CSS3, and SVG. And while many competing technologies depend on additional software or browser plug-ins like Flash, Silverlight, or Java to work, groov simplifies deployment by requiring no additional software or plug-ins.
groov Server for Windows runs on a PC or server that you control. All network communication between a web browser and groov is encrypted with secure sockets layer (SSL) over an HTTPS connection. groov does not respond to any other communication methods on any other ports.
groov connects to Opto 22 SNAP PAC automation systems and OptoEMU energy monitoring products over a wired Ethernet network or wireless LAN. Opto 22 recommends using a separate network interface card (NIC) to segment your control systems. Support for the OPC-UA protocol is planned in 2013 and will allow groov to communicate with systems from other manufacturers that offer an OPC-UA server.
Red Lion Graphite HMI Family
Red Lion Controls, a global supplier of communication, monitoring and control products for industrial automation and networking, has released its newest generation of Human Machine Interfaces (HMI) – the Graphite series of advanced operator interface panels. “With all cast-aluminum construction, the Graphite series provides the industry’s first rugged HMI solution to combine a wide range of versatile plug-in modules with protocol conversion, data logging and web-based monitoring and control.”
Red Lion’s Graphite series allows customers to easily connect, monitor and control their process in industries that include manufacturing, oil and gas, and water/wastewater. The series’ range of plug-in modules enables customers to easily create a solution for today, with an option to expand to meet changing business requirements. Further, organizations will realize a reduction in development and commissioning times over traditional systems that use an HMI paired with separate I/O, PLCs and other controllers.
“We have used just about everyone’s HMIs, and Graphite is by far the best in terms of appearance and functionality,” said Pierre de Giorgio, president at BlueBay Automation. “It is the most feature-rich HMI that we have ever used, the graphics and resolution are amazing, and with Red Lion’s Crimson 3.0 software, the move to Graphite is seamless.”
Graphite HMIs are available in eight different models, in sizes ranging from 7” to 15”, with sleek bezels that provide a relatively large display given their overall dimensions. Both the 7” and 10” HMIs are available as sunlight-visible models. Combined with Graphite’s rugged packaging, these models are ideal for harsh outdoor environments.
Offering a built-in web server, Graphite HMIs enable users to monitor and control their application via PCs, tablets or smartphones. SMS text-messaging and email alerts provide early warning of process issues, which helps to avoid costly downtime. In addition, its built-in protocol converter allows programmers to select 13 or more simultaneous protocols from a list of over 250 to seamlessly integrate disparate devices such as PLCs, drives, barcode readers and panel meters.
“The HMI has become the nexus of the machine, and Red Lion’s new Graphite series offers the highest level of protocol support to simplify even the most complex multi-vendor environments,” said Jeff Thornton, director of product management at Red Lion Controls. “By logging performance data and critical events, customers can implement process improvements or perform fault-finding activities.”
The new HMIs are supported by Red Lion’s Crimson 3.0 software, which is included at no extra cost. Crimson 3.0 makes it fast and easy to configure protocols, define data tags, set up sophisticated applications and create an attractive user interface. Designed for ease of use, Crimson allows customers to cost-effectively standardize on one HMI for all of their machines, regardless of the PLC or drive manufacturer used.