Vol 1 Issue 12
September 2019

Stuff You Should Know

In the summer I escape Texas heat to vacation in cool elevations of northern New Mexico. It is a 12-hour drive each way. Fortunately, I have lots of podcasts I can listen to. One of them is "Stuff You Should Know". The hosts Chuck and Josh have recorded over 1,000 shows since 2008, each of which runs about an hour, and they cover a very broad range of subjects. Cruising through the broad expanse of west Texas, I was delighted to listen to their August 17 broadcast covering cyber security for SCADA (Supervisory Control and Data Acquisition) systems entitled "Are We in a Cyberwar?". This was a subject topical to my work and to this newsletter.

Chuck and Josh begin their story in Bellingham WA. On June 10, 1999, there was an explosion at the Olympic Pipeline facility that killed 3 people, injured 8, and resulted in USD 45 million in property damage. Of the 5 causes identified by the National Transportation Safety Board (NTSB), one of them was "performing database development work on the supervisory control and data acquisition system while the system was being used to operate the pipeline, which led to the system's becoming non-responsive at a critical time during pipeline operations." This incident became the subject of the hyperbolic April 9, 2008 article in Wired magazine entitled "Industrial Control Systems Killed Once and Will Again, Experts Warn".

The reason the story begins here is that this incident is recognized by many as the first case of a fatality in which a SCADA system bore some responsibility. Chuck and Josh say that this caused many cyber security experts to become aware that SCADA systems could potentially be used to create disasters.

The next chapter in the story is the 2010 Stuxnet incident. This was a successful effort, likely developed by US and Israel, to infect a SCADA system used in Iran's nuclear program. Stuxnet was able to disrupt the frequency of drives controlling uranium enrichment centrifuges by infecting controllers in the SCADA system, which damaged Iran's nuclear program.

I recommend listening to the rest of the story as told by Chuck and Josh, but I will now take this opportunity to make some corrections that need to be taken into account. I do not expect Chuck and Josh to master every subject on earth, so I was not surprised to find a few problems in their podcast.

* In the podcast they refer to a SCADA system as "SYSTEMS Control and Data Acquisition System". The correct derivation of the acronym is "SUPERVISORY Control and Data Acquisition System". Perhaps a semantic correction, but noticeable for those of us in the business.

* More substantive is the claim that SCADA systems run Microsoft Windows. While this is true, it can lead to the wrong conclusions. In our industry we have SCADA and DCS (Distributed Control Systems). These systems originated with different designs but continue to converge technically. While the computers that provide graphical displays, history, and higher-level functions predominantly run Microsoft, controllers and IO processors don't. The devices close to the field that have logic and control algorithms require a realtime, deterministic operating system. Therefore, they don't run Windows. SCADA began as a combination of a PLC (Programmable Logic Controller) running its proprietary realtime operating system with a PC running a commercial operating system (such as Microsoft DOS or Windows) to provide engineering and operator functions. DCS design began as a proprietary system throughout for larger scale systems where deterministic processing was required at every level. Over time the DCS has migrated from proprietary to commercial (Microsoft) computers with the exception of the field controllers/devices. If we combine SCADA and DCS and refer to them as different types of ICS (Industrial Control Systems), we can say that an ICS is neither wholly Microsoft nor wholly proprietary. It cannot be said that ICS field devices have the same vulnerabilities as a computer running Microsoft.

* The blame on Microsoft is further refuted by the fact that the incident in Bellingham that began this story was not on a Microsoft system. The system at Olympic Pipeline ran on a VAX computer running the VMS operating system from Digital Equipment Company (DEC). In 1984 I began my career in the paper industry working on an ICS using an earlier version of this DEC platform, a PDP-11 machine running the RSX-11M operating system. I can attest to times that we had problems with that ICS, so Microsoft is not a common denominator to every control system malfunction.

* The incident in Bellingham was not a cyber-attack. Chuck and Josh referred to it as a system malfunction. It is not clear that the Olympic Pipeline ICS had any malfunction. It is possible that the user who made online database changes caused the system to be nonresponsive, as suggested by the NTSB report. System failures can happen regardless of a cyber-attack, and some failures are human caused.

* Bellingham illustrated what can happen if an attack on an ICS occurred. Chuck and Josh say that the US is particularly unprepared because we adopted connectivity to the Internet so quickly while cyber security lagged. This suggests that all the threats come from connectivity to the Internet. Wrong! Stuxnet happened in Iran on a system with no outside connectivity. No hacker intruded over an Internet connection. Stuxnet got into that system through a USB drive. It is unclear whether a secret agent inserted it or if USB sticks deliberately dropped in a parking lot ended up being used by someone on site. It is well known that if someone sees a USB lying on the ground, they are likely to pick it up and use it.

* Chuck and Josh say that Stuxnet infected Siemens switches. The infection was in Siemens controllers, not switches.

* The greatest threat to your system is not Internet connectivity. It is serious, but not as likely as some human in your facility. Someone deliberately or accidentally using an infected USB, or someone willfully walking into a room with no locks or security on the doors and taking out their grievances by using your system to cause harm, is statistically a much more likely risk. If you have no policies on who has access to a room, who has login credentials, and how peripherals like USB or laptops can connect, you can lock down your outside connectivity and still be at risk.

* If you still think air-gapping your system (completely disconnecting it from the outside) will make you immune, consider that such a system requires a user to copy files by connecting USBs or laptops. Therefore, you may make your system more vulnerable with an air gap than by having a connected system built for security.

* Chuck and Josh state that SCADA systems are the Achilles heel of our infrastructure because of their cyber vulnerability. Wrong! If you want to weaken your facility, remove the ICS. That is why I call the article by Wired magazine hyperbolic. Nearly every industrial facility in the world has an ICS because it makes us safer, cleaner, and more sustainable. It can always be argued that an ICS should be safer, but not having one would be unsafe.

* Chuck and Josh state that SCADA systems are used in the US, and therefore the US is more vulnerable. Wrong! Industrial facilities worldwide require an ICS for the same reasons as stated above. The US is no more vulnerable because facilities have an ICS.

* Chuck and Josh state that the US is lacking in preparation for cyber war compared to countries like China, Russia, North Korea, and Iran. I see no evidence of this. Iran is less connected than the US, yet Stuxnet got into their disconnected ICS.

* Chuck and Josh didn't know where the term "ping" comes from. Ping is a common way we determine if a computer is connected on a network. The origin is from active sonar used on submarines to send a "ping" through the water to see if the signal reflects off another vessel. If the sub detects the signal bouncing back, it knows there is another vessel nearby.

Despite this long list of corrections, clarifications, and opinions, I am not hating on Chuck and Josh. I will still keep listening and recommending their show.

My recommendation to you is to seriously look at your vulnerability. I may have sounded like I was defending Microsoft, but we all know that hackers target the most popular operating system in the world and there are vulnerabilities there. I have been to a lot of your mills. Many of you have doors wide open to these risks. I also do projects on critical infrastructure for the US Federal government, municipal governments, and private industry and many do not comply with fundamental standards of security or their own policies. Chuck and Josh are correct in stating that the US is very vulnerable, but it is not all due to Microsoft or Internet connectivity, and none of it should be blamed on an ICS. We create our own vulnerability by failure to defend ourselves.

Some of you have recovery boilers. I hope I don't have to remind you that they can be dangerous. Even if you don't have such a dangerous process at your facility, hackers are attracted not just by causing a disaster. They want money and can hold you hostage for ransom. On a recent project I was one of 10 engineers working on a SCADA system that was only going to be in development for just 2 months before being shipped to a site. Many of the engineers needed to remotely connect from their location to do their development, so connectivity was required. The facility that staged the system decided that since the system wouldn't be there very long, they would not put in a firewall. After 6 weeks of work, we were all suddenly taken offline when an intrusion was detected. Someone from somewhere got into our system and started deleting files with a ransom message. We were able to remove connectivity quickly enough to protect the 6 weeks of work that our team had completed. We had to rebuild servers and restore some of our work without having to pay ransom. We were very close to a very costly failure to protect ourselves that could have resulted in a project failure to meet schedule and budget. The lesson is that defense is not optional.

In closing, I want to share the good and the bad.

Bad news: Your production and safety are vulnerable and can be exploited by those seeking to hold you hostage for ransom.

Good news: Podcasts are an enlightening and entertaining way to spend 12 hours in a car.

Pat Dixon is Southwest Region Engineering Manager for Global Process Automation (GPA), a controls system integration firm.   

His LinkedIn profile is https://www.linkedin.com/in/dixonpatrick/.

Metsä Board implements artificial intelligence in quality management

Metsä Board's Kyro mill is to begin using artificial intelligence for quality management on its folding boxboard machine. Supplied by Voith, the software uses measurement results related to the quality properties of and the mill's process data. By combining various process parameters and using statistical models the system can automatically predict quality values and adjust process parameters in real time. This improves the production efficiency of the folding boxboard machine and improves quality consistency.


Metsä Board Product News



There's No Magic Bullet: Learnings on the Road to Industry 4.0

As the world becomes increasingly connected, we are beyond automation and machine learning being disruptors; they are becoming table-stakes technology. On paper, manufacturers across the globe should be transforming old factories and outfitting them for the future of production. But the reality is that converting old factory operations into truly smart factories presents many challenges that can slow down manufacturers' ability to turn the concept of a digital factory into an operational reality.


Ben Nelson, Mark Maas


Why AIoT is Emerging as the Future of Industry 4.0

Two trends that are dominating the technology industry are the Internet of Things (IoT) and Artificial Intelligence (AI). But for industrial automation, these two technologies are much more than the buzzwords or trending topics. The convergence of AI and IoT will redefine the future of industrial automation. It is set to lead the Industry 4.0 revolution. 

IoT and AI are two independent technologies that have a significant impact on multiple industry verticals. While IoT is the digital nervous system, AI becomes the brain that makes decisions which control the overall system. The lethal combination of AI and IoT brings us AIoT - Artificial Intelligence of Things - that delivers intelligent and connected systems that are capable of self-correcting and self-healing themselves.

To appreciate the promise of AIoT, we need to look at the evolution of connected systems.


Janakiram MSV

What Are The Stages In Implementing Big Data In Your IoT Project?

Many IoT projects involve a large number of sensors, which in turn capture a large amount of data that have to be managed, processed and analysed to come to useful conclusions.

These large datasets are, not surprisingly, called big data, which don't necessarily only have to be used in conjunction with IoT projects but in many cases are.

When you start thinking about an IoT-based project and depending on its type and targets, at some point you will have to consider using big data analysis tools.

Furthermore, if you are in a position to work with a large amount of data for analysis, the next thing you will need to consider is which roadmap you should follow.

Below are some guidelines so that you can easily navigate your way around drawing up an IoT-related big data project.

IoT Solutions World Congress

NIST seeks industry feedback as Internet of Things cybersecurity standards take shape

The internet of things covers a wide range of devices, from smart speakers to medical devices, but the National Institute of Standards and Technology is looking to build a common foundation of cybersecurity practices for IoT manufacturers and consumers.

At an IoT workshop at its headquarters in Gaithersburg, Maryland, NIST sought feedback from industry partners on an internal report released in June that focused on next steps for IoT security and privacy. Tuesday's meeting also stemmed from a roadmap the agency released in April that laid out areas where the agency could further advance its work on its cybersecurity framework.

Mary Theofanos, a computer scientist with NIST's Material Measurement Laboratory, said as IoT devices gain mainstream popularity with consumers, fewer users have an understanding of the security implications of those devices.


Jory Heckman

AI and bionic eyes are helping to contain raging wildfires

On a tower in the Brazilian rainforest, a sentinel scans the horizon for the first signs of fire.

Only these eyes aren't human. They don't blink or take breaks, and guided by artificial intelligence they can tell the difference between a dust cloud, an insect swarm and a plume of smoke that demands quick attention. In Brazil, the devices help keep mining giant Vale working, and protect trees for pulp and paper producer Suzano.


Brian K. Sullivan

Coming up next month...
  • Enterprise IoT Needs Orchestration to Survive
  • 20 Surprising IoT Statistics You Don't Already Know
  • 6 Tricks for Lowering Your IIoT Costs
  • and much more

Industree 4.0 is exclusively sponsored by SAP