MsMUG Fall Meeting - PowerPoint PPT Presentation

1 / 76

About This Presentation

Title:

MsMUG Fall Meeting

Description:

Members: Kevin Staggs (Honeywell), Mark Heard (Eastman Chemical), Ernie Rakaczky (Invensys) ... Members: Ernie Rakaczky (Invensys), Dick Oyen (ABB) ... – PowerPoint PPT presentation

Number of Views:83

Avg rating:3.0/5.0

Slides: 77

Provided by: bobmac6

Category:

more less

Transcript and Presenter's Notes

Title: MsMUG Fall Meeting

1
MsMUG Fall Meeting

MSMUG Meeting
ISA Show, Chicago
26 October 2005

2
MsMUG Fall Meeting Agenda

OVERVIEW - Bill Cotter
Security Team - Bob MacDonald
Patch Team - Jim Bauhs
Microsoft - where going and how MsMUG fits in
- Ron Sielinski
OPC Users Servey - Bill Cotter
OPC Foundation - Rashesh Mody
OPC Security Paper - Eric Byres, Matt Franz
QA - panel session
Close - Bill Cotter

3
What is MsMUG

Microsoft Manufacturing User Group
User group devoted to addressing opportunities
when applying Microsoft technology to industrial
applications
Formed in February 1999
250 members
Users
Software suppliers
Microsoft

4
How do you Benefit

Leverage user community, key suppliers
Microsoft to address
Reliable system Better ROI
Security Supporting e-Productivity efforts
Longevity of OS Deferred capital spending
Best Practices Easy to support systems
Training Better leverage of current staff

5
Past Accomplishments

Microsoft Designed for Windows XP recommendation
Best Practices
Recommendations for software licensing
Training skill levels

6
Current Focus

MUGSecure - Bob MacDonald - PCS
- better OS for the Factory
MUGPatch - Jim Bauhs - Cargill
- Improve patch process
MUGOPC - Bill Cotter - 3M
- Improve the OPC products

7
MsMUG Fall Meeting Agenda

OVERVIEW - Bill Cotter
Security Team - Bob MacDonald
Patch Team - Jim Bauhs
Microsoft - where going and how MsMUG fits in
- Ron Sielinski
OPC Users Servey - Bill Cotter
OPC Foundation - Rashesh Mody
OPC Security Paper - Eric Byres, Matt Franz
QA - panel session
Close - Bill Cotter

8
MUGSecure Update

MSMUG Meeting
ISA Show, Chicago
26 October 2005

9
MUGSecure Objective

The MUGSecure Team is focused on increasing
Windows operating system reliability and security
by developing Best Practices for configuring
Windows in a manufacturing environment.

10
Overview of Process

Technical Area Teams develop content for specific
areas (e.g. Group Policy or Services)
Using MS Threats and Countermeasures Guide as
basis for technical areas
Combine Technical Area Team content into single
draft document
MSMUG members review content
Finalize and publish

11
Technical Area Team 1/3

Focus Area Group Policy (Domain level policies,
audit policies, user rights assignment, event
logs, security options, software restrictions)
and Administrative Templates (Windows components,
system, network, printers)
Members Kevin Staggs (Honeywell), Mark Heard
(Eastman Chemical), Ernie Rakaczky (Invensys)
Status Combining recommendations from Honeywell
and Invensys into a single document. Completion
date uncertain.

12
Technical Area Team 2

Focus Area System Services
Members Rashesh Mody (Invensys), Kevin Meyer
(3M), Kevin Staggs (Honeywell), Clayton Coleman
(Invensys)
Status Combining services recommendations from
Honeywell and Invensys into single spreadsheet.
Expected completion within a month.

13
Technical Area Team 4

Focus Area Domain infrastructure, additional
registry settings, additional hardening
procedures
Members Bob Eagle (Goodyear), formerly Rory
James (Chevron Phillips)
Status Draft document of recommendations
complete and posted on MUGSecure web site.

14
Technical Area Team 5

Focus Area Operating system image and
application software management
Members Pat Kennedy (OSISoft)
Status No active work. Will revisit the need
for this after initial Best Practices publication.

15
Technical Area Team 6

Focus Area People issues (roles, skills,
administrative tools)
Members Ernie Rakaczky (Invensys), Dick Oyen
(ABB)
Status Believe that ISA SP-99 already covers
this in sufficient detail. Working to understand
how to cross-reference between Best Practices and
ISA documents

16
MUGSecure Schedule
Technical Area Teams
Develop Draft Best Practices
MSMUG Reviews
Finalize Publish
17
MUGSecure Information

Conference calls first Thursday of each month
from 10-12 US Eastern Time. (currently scheduled
through January)
ARC hosted Collaboration Portalhttp//public.arc
web.com/msmugclick on MUGSecure Home
Contact Bob MacDonald (PG) for more information
(macdonald.rc_at_pg.com)

18
MsMUG Fall Meeting Agenda

OVERVIEW - Bill Cotter
Security Team - Bob MacDonald
Patch Team - Jim Bauhs
Microsoft - where going and how MsMUG fits in
- Ron Sielinski
OPC Users Servey - Bill Cotter
OPC Foundation - Rashesh Mody
OPC Security Paper - Eric Byres, Matt Franz
QA - panel session
Close - Bill Cotter

19
MUGPatch

Team Leader - Jim Bauhs - Cargill
Improve patch process
No Reboot - Erik Goode - Cargill
Find ways to eliminate or minimize reboots
Patch Awareness -Evan Hand - Kraft
Improve communication about patches
Better Tools - Bob Mick - ARC
Find better tools methods of patch mgmt

20
No Reboot

July 2004 Security Summit hosted by Microsoft
Microsoft expressed commitment to the
Manufacturing environment
Progress has been noted
Windows Server 2003 SP1 has been released,
WSUS (Windows Software Update Services) has been
released, it allows new methods of patch
management to reduce reboots during patching.
Cooperative/collaborative relationship between
MSMUG Microsoft
A lot of progress in a short amount of time, and
MSMUG has been one of the voices asking for these
improvements. Microsoft is really listening to
us first.

21
ISV Tools Working Group

Participants
Bob Mick - bmick_at_arcweb.com
John Hopson - John.Hopson_at_wonderware.com

22
ISV Tools Working GroupObjective

Investigate and document the current state of
tools that support patch management on Windows
Defining general requirements for new and
enhanced tools that support good practices as
guidance to software suppliers, including both
Microsoft and ISVs.

23
Success Criteria

Subgroup success will be the development and
publishing of
An agreed to assessment of the current state of
ISV patch management tools
A categorized directory of selected 3rd (4th?)
party patch management tools which may use used
by ISVs. This may need to be updated
periodically
Recommendations for Microsoft and ISVs for
integration of patch management tools

24
Working Group Results

The current State of ISV Patch Management Tools
Recommendations to ISVs
Recommendations to Microsoft

25
Microsoft Patch Management Tools
Preliminary
http//www.microsoft.com/technet/security/topics/p
atchmanagement.mspx
26
Third Party Patch Management Tools

Tools Functions
Inventory systems
Monitory vendors for patches
Monitor sources for vulnerabilities
Monitor for and download patches
Test
Deploy
Monitor patch state

Preliminary
27
Leveraging Member Better Practices

Vendor Management
Coordination

28
Vendor Engagement Approach

Identify key vendors
Engage account management team
Request a single point of contact for security
issues
Identify key requirements
Progress key topics through regular engagements
Regular calls
Account team security workshops

29
Key Issues Vendor Views

Control systems are stand alone and should not be
connected to other systems therefore we dont
need to harden them.
If you do want to connect your systems then
heres how you do it (with no protection)
Anti virus software and patches change the system
configuration and therefore need testing prior to
use
Implementing security is costly whos going to
pay?
Hey this security thing is important and it can
be a business advantage.

30
Key Vendor Topics

Accreditation of anti virus software
Patch accreditation
Incident response
Secure standard architectures
Security testing

31
Anti Virus Software

Starting Position 2002
Most vendors did not recommend the use of anti
virus software
Some accredited occasional versions of some
antivirus packages
Even those vendors were wary about automated
updates
Current Position
All major vendors accredit anti virus for recent
systems
Most vendors provide anti virus guidance
documents
Where we want to be
All control systems with AV software with easy
update mechanisms
Accreditation of other protection systems e.g.
tripwire
Accreditation of system monitoring agents for
remote monitoring

32
Patch Accreditation

Starting position 2002
You cant apply security patches to control
systems
2003
Please raise a support case and we will test
the patch for you
The patch should be tested in around 9 months
(around the time of Blaster and Nachi worms)
Current Situation
Most main vendors now automatically assess and
Microsoft patches
Some vendors have very good patch turn around
times (1-3 days)

33
Key Achievements

All major vendors now accredit anti virus
software
Vendors now accredit patches automatically and
some do this at impressive speeds
It is now possible to patch control systems in
line with IT systems
Some vendors . . .
. . . are engaged in industry bodies and
standards working groups
. . . have undertaken detailed security testing
of systems
. . . are developing standard security
architectures
. . . are starting to harden the lower levels of
control systems

34
Vendor Engagement into the Future Raising the
bar

Automated patch audit and deployment tools
Decrease patching issues
Managing component software vulnerabilities
Integrating security testing into Factory
Acceptance Tests (FATs)
Building security into procurement contracts
Hardening the lower levels of control systems
Securing process control protocols (mainly OPC)
Vulnerability scanning in live environments
Integration of security products into control
systems
Engagement of other vendors

35
Summary

More information is available
There are tangible benefits to work with MSMUG
Plenty of opportunities to join MSMUG

We Need YOU!
36
MsMUG Fall Meeting Agenda

OVERVIEW - Bill Cotter
Security Team - Bob MacDonald
Patch Team - Jim Bauhs
Microsoft - where going and how MsMUG fits in -
Ron Sielinski
OPC Users Servey - Bill Cotter
OPC Foundation - Rashesh Mody
OPC Security Paper - Eric Byres, Matt Franz
QA - panel session
Close - Bill Cotter

37
orgs...
38
MsMUG Fall Meeting Agenda

OVERVIEW - Bill Cotter
Security Team - Bob MacDonald
Patch Team - Jim Bauhs
Microsoft - where going and how MsMUG fits in
- Ron Sielinski
OPC Users Servey - Bill Cotter
OPC Foundation - Rashesh Mody
OPC Security Paper - Eric Byres, Matt Franz
QA - panel session
Close - Bill Cotter

39
MS MUG OPC Users Survey

Thomas J. Burke - OPC Foundation President
William Cotter - MSMUG Chair (OMAC)
Chip Lee - ISA Director Rashesh Mody - OPC
Foundation Chief Architect
ISA Expo Oct 2005

40
Survey Results

Total Responses 157
Majority from Automation, Instrumentation and
Control background
90 are OPC users

41
OPC Functionality
Data Access 97Total Majority under 10 Nodes
42
OPC Interoperability

Interoperability is very important
56 Want Certified Products
32 Dont feel Cerification is needed

43
Survey Main Results

Top 3 issues Robustness, DCOM, Documentation

44
Survey Main Results Q8
45
Survey Main Results Q9
46
MsMUG Fall Meeting Agenda

OVERVIEW - Bill Cotter
Security Team - Bob MacDonald
Patch Team - Jim Bauhs
Microsoft - where going and how MsMUG fits in
- Ron Sielinski
OPC Users Servey - Bill Cotter
OPC Foundation - Rashesh Mody
OPC Security Paper - Eric Byres, Matt Franz
QA - panel session
Close - Bill Cotter

47
OPC Foundation
48
OPC Foundation
49
Security ReliabilityOPC Microsoft
Collaboration

Rashesh Mody
Chief Architect
OPC Foundation

50
Survey Results

Total Responses 157
Majority from Automation, Instrumentation and
Control background
90 are OPC users

51
OPC Functionality
52
OPC Interoperability

Interoperability is very important

53
Users Preference

Top 3 issues DCOM, Robustness, Documentation

54
Recent OPC Activities

Last July, we held a conference at Redmond Campus
jointly with Microsoft
Held Interoperability Conference in Florida and
Germany
Certification process is under review
Net set of Specs in progress
Unified DA, AE and HDA
15 Vendors are working together

55
OPC Unified Architecture Motivation
.NET new Communication architecture
DCOM retires
Internet
OPC-UA
Better Integration (DA, HDA, AE)
More Areas of Application (MES, ERP)
Service Oriented
56
OPC Unified Architecture Key Features

Broad Application Scope
Up to MES and ERP and down to device device
level
Requires Enhanced Reliability, Security,
Transaction Services
Open Communications
State-of-the-art Web technology
Performance, Secure Reliable
Integrated Address Space and Object Model
DA, AE, HDA, Commands, are joined
Rich Information Model
Complex Data Systems Seamless Open Integration

57
Reliability

Subscription Update Features
Keep-alive (heartbeat) messages
Allows clients to detect a failed server or
channel
Sequence Numbers in each update message
Allows client re-sync to obtain missed messages
Decouples callback channel from notification
mechanism, allowing callback channel to be reset
without loss of data
Redundancy Features
Designed for easy (optional) redundancy of both
Clients and Servers
e.g. re-sync request can be sent to a backup
server

58
Security

OPC Unified Architecture Clients present
credentials to OPC Unified Architecture Servers.
OPC Unified Architecture Servers require
authentication and authorization.
Optional message signing and encryption.

59
UA Enable all OPC COM Servers

UA clients can instantly connect to hundreds of
existing OPC COM Servers

UAClient
UAServer Wrapper
COMDA Server
SOAP over
UA
HTTP or TCP
60
UA Enable all OPC COM Clients

Use the UA Client Proxy to connect existing COM
clients to new UA Servers

UAClient Proxy
COMDA Client
UAServer
SOAP over
UA
HTTP or TCP
61
Disable Remote DCOM

Use the UA proxy and wrapper to replace DCOM as
remote communication protocol

UAClient Proxy
COMDA Client
UAServer Wrapper
COMDA Server
SOAP over
UA
HTTP or TCP
62
OPC Specifications

OPC UA Specification in release candidate phase
Demo is presented at OPC Booth
OPC UA will address DCOM replacement, Robustness,
Reliability.
Client and Server Wrapper will be available from
OPC Foundation to vendors
Remove usage of DCOM for network nodes
Timeline 2006

63
Certification

Why?
Reliability, Security, Interoperable,
Maintainable Plug-N-Play
What How
OPC Compliance (self test)
OPC Interoperability Workshops
OPC 3rd Party Certification
OPC Certification Lab

64
Microsoft/OPC Vision ..

End User Driven Architecture
Vendors adoption driven from end-user demands
Service Oriented Approach
Vertical / Horizontal Interoperability with
Platform Language Neutrality / Transparency
Automation Device data/information access
exchange with the enterprise with stops in
between.
Scalability, Relaibility , Security Designed In.

Microsoft/OPC is Dedicated to Interoperability in
Automation (and beyond)
65
Standards/ Collaboration
MIMOSA
OpenOM Joint work by MIMOSA, OPC ISA-95 to
integrate operations and maintenance
information ISA Standards ISA-95
Enterprise/Control System Interface Standard,
Parts 3 4 define MES Functions ISA-99 Control
System Cyber-Security Standard OMAC Open
Modular Architecture Controls group standardizing
packaging machinery interfaces WBF BatchML XML
Schemas based on ISA-88 B2MML XML Schemas based
on ISA-95 OPC DCOM and XML interfaces. New Web
Services Unified Architecture (UA) under
development MIMOSA Asset Mgt and Maintenance
Mgt Schema, Meta Data and Interfaces
OPC
WBF
OMAC
BatchML
ISA
ISA-99
ISA-95
B2MML
OpenOM MFG JWG
66
Interoperability Coexistence
OPC 2.0 Client (Existing) DA, HDA, AE
OPC UA Wrapper
Proxy
UA Client
No DCOM
OPC 2.0 Server (Existing) DA, HDA, AE
OPC UA Wrapper
UA Server
Client Wrapper
67
(No Transcript)
68
MsMUG Fall Meeting Agenda

OVERVIEW - Bill Cotter
Security Team - Bob MacDonald
Patch Team - Jim Bauhs
Microsoft - where going and how MsMUG fits in
- Ron Sielinski
OPC Users Servey - Bill Cotter
OPC Foundation - Rashesh Mody
OPC Security Paper - Eric Byres, Matt Franz
QA - panel session
Close - Bill Cotter

69
OPC Security Good Practices Research

Eric Byres, BCIT
Matthew Franz, Digital Bond

70
Background

Kraft Foods has sponsored a research project to
develop a whitepaper that
Provides overview of security relevant aspects
OPC for end-users
Describes known OPC/DCOM security issues and
vulnerabilities
Defines a set of host and network security best
practices to harden OPC deployments
Focus is end-users not developers!

71
Research Process
Vulnerabilities
R E F A R C H
OPC Security Good Practices
User Concerns
Host Hardening
Host and Network Security Issues
Vendor Guidelines
FW Configuration
3rd Party Apps
OPC Specs
Threats
72
Document Content

Section 1 Introduction Purpose
Section 2 OPC Essentials succinct treatment of
security relevant OPC concepts
Section 3 OPC Exposed on the box (and
(network?) analysis of components to identify
exposures
Section 4 OPC Security Practices menu of
remediation controls to address findings
Section 5 Applied OPC Security practical
application of best practices to common OPC
deployments

73
Survey

It is critical for us to understand how OPC is
deployed in the real world to assess risks
Which OPC functions (types of servers are used)
Concerns about OPC deployment
Windows configuration (OS, Identity DB, etc.)
Network Topology
Perhaps you have already solved the problem!

74
Current vs Future Work?