Title: MsMUG Fall Meeting
Slide 1: MsMUG Fall Meeting
- MSMUG Meeting
- ISA Show, Chicago
- 26 October 2005
Slide 2: MsMUG Fall Meeting Agenda
- OVERVIEW - Bill Cotter
- Security Team - Bob MacDonald
- Patch Team - Jim Bauhs
- Microsoft - where going and how MsMUG fits in - Ron Sielinski
- OPC Users Survey - Bill Cotter
- OPC Foundation - Rashesh Mody
- OPC Security Paper - Eric Byres, Matt Franz
- Q&A - panel session
- Close - Bill Cotter
Slide 3: What is MsMUG
- Microsoft Manufacturing User Group
- User group devoted to addressing opportunities when applying Microsoft technology to industrial applications
- Formed in February 1999
- 250 members
  - Users
  - Software suppliers
  - Microsoft
Slide 4: How do you Benefit
- Leverage user community, key suppliers & Microsoft to address:
  - Reliable system: Better ROI
  - Security: Supporting e-Productivity efforts
  - Longevity of OS: Deferred capital spending
  - Best Practices: Easy to support systems
  - Training: Better leverage of current staff
Slide 5: Past Accomplishments
- Microsoft Designed for Windows XP recommendation
- Best Practices
- Recommendations for software licensing
- Training skill levels
Slide 6: Current Focus
- MUGSecure - Bob MacDonald - PCS
  - Better OS for the Factory
- MUGPatch - Jim Bauhs - Cargill
  - Improve patch process
- MUGOPC - Bill Cotter - 3M
  - Improve the OPC products
Slide 8: MUGSecure Update
- MSMUG Meeting
- ISA Show, Chicago
- 26 October 2005
Slide 9: MUGSecure Objective
- The MUGSecure Team is focused on increasing Windows operating system reliability and security by developing Best Practices for configuring Windows in a manufacturing environment.
Slide 10: Overview of Process
- Technical Area Teams develop content for specific areas (e.g. Group Policy or Services)
- Using MS Threats and Countermeasures Guide as basis for technical areas
- Combine Technical Area Team content into single draft document
- MSMUG members review content
- Finalize and publish
Slide 11: Technical Area Team 1/3
- Focus Area: Group Policy (Domain level policies, audit policies, user rights assignment, event logs, security options, software restrictions) and Administrative Templates (Windows components, system, network, printers)
- Members: Kevin Staggs (Honeywell), Mark Heard (Eastman Chemical), Ernie Rakaczky (Invensys)
- Status: Combining recommendations from Honeywell and Invensys into a single document. Completion date uncertain.
Slide 12: Technical Area Team 2
- Focus Area: System Services
- Members: Rashesh Mody (Invensys), Kevin Meyer (3M), Kevin Staggs (Honeywell), Clayton Coleman (Invensys)
- Status: Combining services recommendations from Honeywell and Invensys into single spreadsheet. Expected completion within a month.
Slide 13: Technical Area Team 4
- Focus Area: Domain infrastructure, additional registry settings, additional hardening procedures
- Members: Bob Eagle (Goodyear), formerly Rory James (Chevron Phillips)
- Status: Draft document of recommendations complete and posted on MUGSecure web site.
Slide 14: Technical Area Team 5
- Focus Area: Operating system image and application software management
- Members: Pat Kennedy (OSISoft)
- Status: No active work. Will revisit the need for this after initial Best Practices publication.
Slide 15: Technical Area Team 6
- Focus Area: People issues (roles, skills, administrative tools)
- Members: Ernie Rakaczky (Invensys), Dick Oyen (ABB)
- Status: Believe that ISA SP-99 already covers this in sufficient detail. Working to understand how to cross-reference between Best Practices and ISA documents.
Slide 16: MUGSecure Schedule
(Schedule chart; phases in order:)
- Technical Area Teams
- Develop Draft Best Practices
- MSMUG Reviews
- Finalize & Publish
Slide 17: MUGSecure Information
- Conference calls first Thursday of each month from 10-12 US Eastern Time (currently scheduled through January)
- ARC hosted Collaboration Portal: http://public.arcweb.com/msmug (click on MUGSecure Home)
- Contact Bob MacDonald (P&G) for more information (macdonald.rc_at_pg.com)
Slide 19: MUGPatch
- Team Leader - Jim Bauhs - Cargill
  - Improve patch process
- No Reboot - Erik Goode - Cargill
  - Find ways to eliminate or minimize reboots
- Patch Awareness - Evan Hand - Kraft
  - Improve communication about patches
- Better Tools - Bob Mick - ARC
  - Find better tools & methods of patch management
Slide 20: No Reboot
- July 2004 Security Summit hosted by Microsoft
  - Microsoft expressed commitment to the Manufacturing environment
- Progress has been noted
  - Windows Server 2003 SP1 has been released
  - WSUS (Windows Software Update Services) has been released; it allows new methods of patch management to reduce reboots during patching
- Cooperative/collaborative relationship between MSMUG & Microsoft
- A lot of progress in a short amount of time, and MSMUG has been one of the voices asking for these improvements. Microsoft is really listening to us first.
Slide 21: ISV Tools Working Group
- Participants
  - Bob Mick - bmick_at_arcweb.com
  - John Hopson - John.Hopson_at_wonderware.com
Slide 22: ISV Tools Working Group Objective
- Investigate and document the current state of tools that support patch management on Windows
- Define general requirements for new and enhanced tools that support good practices as guidance to software suppliers, including both Microsoft and ISVs
Slide 23: Success Criteria
- Subgroup success will be the development and publishing of:
  - An agreed-to assessment of the current state of ISV patch management tools
  - A categorized directory of selected 3rd (4th?) party patch management tools which may be used by ISVs. This may need to be updated periodically
  - Recommendations for Microsoft and ISVs for integration of patch management tools
Slide 24: Working Group Results
- The current State of ISV Patch Management Tools
- Recommendations to ISVs
- Recommendations to Microsoft
Slide 25: Microsoft Patch Management Tools (Preliminary)
- http://www.microsoft.com/technet/security/topics/patchmanagement.mspx
Slide 26: Third Party Patch Management Tools (Preliminary)
- Tool Functions
  - Inventory systems
  - Monitor vendors for patches
  - Monitor sources for vulnerabilities
  - Monitor for and download patches
  - Test
  - Deploy
  - Monitor patch state
Slide 27: Leveraging Member Better Practices
- Vendor Management
- Coordination
Slide 28: Vendor Engagement Approach
- Identify key vendors
- Engage account management team
- Request a single point of contact for security issues
- Identify key requirements
- Progress key topics through regular engagements
  - Regular calls
  - Account team security workshops
Slide 29: Key Issues: Vendor Views
- "Control systems are stand alone and should not be connected to other systems, therefore we don't need to harden them."
- "If you do want to connect your systems, then here's how you do it" (with no protection)
- "Anti virus software and patches change the system configuration and therefore need testing prior to use"
- "Implementing security is costly; who's going to pay?"
- "Hey, this security thing is important and it can be a business advantage."
Slide 30: Key Vendor Topics
- Accreditation of anti virus software
- Patch accreditation
- Incident response
- Secure standard architectures
- Security testing
Slide 31: Anti Virus Software
- Starting Position (2002)
  - Most vendors did not recommend the use of anti virus software
  - Some accredited occasional versions of some antivirus packages
  - Even those vendors were wary about automated updates
- Current Position
  - All major vendors accredit anti virus for recent systems
  - Most vendors provide anti virus guidance documents
- Where we want to be
  - All control systems with AV software with easy update mechanisms
  - Accreditation of other protection systems, e.g. Tripwire
  - Accreditation of system monitoring agents for remote monitoring
Slide 32: Patch Accreditation
- Starting position (2002)
  - "You can't apply security patches to control systems"
- 2003
  - "Please raise a support case and we will test the patch for you"
  - "The patch should be tested in around 9 months" (around the time of the Blaster and Nachi worms)
- Current Situation
  - Most main vendors now automatically assess and accredit Microsoft patches
  - Some vendors have very good patch turn-around times (1-3 days)
Slide 33: Key Achievements
- All major vendors now accredit anti virus software
- Vendors now accredit patches automatically and some do this at impressive speeds
- It is now possible to patch control systems in line with IT systems
- Some vendors . . .
  - . . . are engaged in industry bodies and standards working groups
  - . . . have undertaken detailed security testing of systems
  - . . . are developing standard security architectures
  - . . . are starting to harden the lower levels of control systems
Slide 34: Vendor Engagement into the Future: Raising the Bar
- Automated patch audit and deployment tools
- Decrease patching issues
- Managing component software vulnerabilities
- Integrating security testing into Factory Acceptance Tests (FATs)
- Building security into procurement contracts
- Hardening the lower levels of control systems
- Securing process control protocols (mainly OPC)
- Vulnerability scanning in live environments
- Integration of security products into control systems
- Engagement of other vendors
Slide 35: Summary
- More information is available
- There are tangible benefits to working with MSMUG
- Plenty of opportunities to join MSMUG
- We Need YOU!
Slide 37: orgs...
Slide 39: MS MUG OPC Users Survey
- Thomas J. Burke - OPC Foundation President
- William Cotter - MSMUG Chair (OMAC)
- Chip Lee - ISA Director
- Rashesh Mody - OPC Foundation Chief Architect
- ISA Expo, Oct 2005
Slide 40: Survey Results
- Total Responses: 157
- Majority from Automation, Instrumentation and Control background
- 90 are OPC users
Slide 41: OPC Functionality
- Data Access: 97 (Total)
- Majority under 10 Nodes
Slide 42: OPC Interoperability
- Interoperability is very important
- 56 Want Certified Products
- 32 Don't feel Certification is needed
Slide 43: Survey Main Results
- Top 3 issues: Robustness, DCOM, Documentation
Slide 44: Survey Main Results Q8
Slide 45: Survey Main Results Q9
Slide 47: OPC Foundation
Slide 48: OPC Foundation
Slide 49: Security & Reliability: OPC & Microsoft Collaboration
- Rashesh Mody
- Chief Architect
- OPC Foundation
Slide 50: Survey Results
- Total Responses: 157
- Majority from Automation, Instrumentation and Control background
- 90 are OPC users
Slide 51: OPC Functionality
Slide 52: OPC Interoperability
- Interoperability is very important
Slide 53: Users Preference
- Top 3 issues: DCOM, Robustness, Documentation
Slide 54: Recent OPC Activities
- Last July, we held a conference at Redmond Campus jointly with Microsoft
- Held Interoperability Conference in Florida and Germany
- Certification process is under review
- New set of Specs in progress
  - Unified DA, AE and HDA
  - 15 Vendors are working together
Slide 55: OPC Unified Architecture Motivation
(Diagram; drivers leading to OPC-UA:)
- .NET: new Communication architecture
- DCOM retires
- Internet
- Better Integration (DA, HDA, AE)
- More Areas of Application (MES, ERP)
- Service Oriented
Slide 56: OPC Unified Architecture Key Features
- Broad Application Scope
  - Up to MES and ERP and down to the device level
  - Requires Enhanced Reliability, Security, Transaction Services
- Open Communications
  - State-of-the-art Web technology
  - Performance, Secure & Reliable
- Integrated Address Space and Object Model
  - DA, AE, HDA, Commands are joined
- Rich Information Model
  - Complex Data Systems: Seamless, Open Integration
Slide 57: Reliability
- Subscription Update Features
  - Keep-alive (heartbeat) messages
    - Allow clients to detect a failed server or channel
  - Sequence Numbers in each update message
    - Allow client re-sync to obtain missed messages
    - Decouple the callback channel from the notification mechanism, allowing the callback channel to be reset without loss of data
- Redundancy Features
  - Designed for easy (optional) redundancy of both Clients and Servers
  - e.g. a re-sync request can be sent to a backup server
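The keep-alive and sequence-number mechanics on the Reliability slide, as an added client-side sketch; this is not OPC Foundation code and not part of the original deck. The `Update` message shape, the `SubscriptionMonitor` class and its re-sync bookkeeping are assumptions, and keep-alives are modelled as announcing the next sequence number the server will send without consuming one.

```python
"""Client-side subscription monitor: detects a dead channel from missing
keep-alives and detects missed update messages from sequence-number gaps.
Constructed illustration; message layout and class names are assumptions,
not the OPC UA wire format."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Update:
    seq: int                      # sequence number carried by every update message
    timestamp: float              # client receive time, seconds
    keep_alive: bool = False      # heartbeat carrying no data
    data: Dict[str, float] = field(default_factory=dict)


@dataclass
class SubscriptionMonitor:
    keep_alive_interval: float    # server promises a message at least this often
    max_missed: int = 3           # heartbeats missed before the channel is declared dead
    expected_seq: int = 1
    last_seen: Optional[float] = None
    to_republish: List[int] = field(default_factory=list)  # gaps to re-request
    applied: List[int] = field(default_factory=list)

    def on_message(self, m: Update) -> str:
        """Handle a message arriving on the live notification channel."""
        self.last_seen = m.timestamp
        if m.keep_alive:
            # Assumed model: a keep-alive names the next sequence number the
            # server will send, so a jump here also reveals lost messages.
            if m.seq > self.expected_seq:
                self.to_republish.extend(range(self.expected_seq, m.seq))
                self.expected_seq = m.seq
            return "keep-alive"
        if m.seq < self.expected_seq:
            return "duplicate"        # e.g. redelivered after a channel reset
        if m.seq > self.expected_seq:
            # Missed messages: queue them for a re-sync (republish) request,
            # which can go to the primary or to a redundant backup server.
            self.to_republish.extend(range(self.expected_seq, m.seq))
        self.expected_seq = m.seq + 1
        self.applied.append(m.seq)
        return "applied"

    def on_republished(self, m: Update) -> bool:
        """Apply a message returned by a re-sync request; True if it filled a gap."""
        if m.seq not in self.to_republish:
            return False
        self.to_republish.remove(m.seq)
        self.applied.append(m.seq)
        return True

    def channel_alive(self, now: float) -> bool:
        """False once max_missed keep-alive intervals pass with no message at all."""
        if self.last_seen is None:
            return True               # nothing expected yet
        return now - self.last_seen <= self.max_missed * self.keep_alive_interval
```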
Slide 58: Security
- OPC Unified Architecture Clients present credentials to OPC Unified Architecture Servers.
- OPC Unified Architecture Servers require authentication and authorization.
- Optional message signing and encryption.
Slide 59: UA Enable all OPC COM Servers
- UA clients can instantly connect to hundreds of existing OPC COM Servers
(Diagram: UA Client connects over UA, carried as SOAP over HTTP or TCP, to a UA Server Wrapper in front of a COM DA Server.)
Slide 60: UA Enable all OPC COM Clients
- Use the UA Client Proxy to connect existing COM clients to new UA Servers
(Diagram: COM DA Client talks to a UA Client Proxy, which connects over UA, carried as SOAP over HTTP or TCP, to a UA Server.)
Slide 61: Disable Remote DCOM
- Use the UA proxy and wrapper to replace DCOM as the remote communication protocol
(Diagram: COM DA Client talks to a UA Client Proxy, which connects over UA, carried as SOAP over HTTP or TCP, to a UA Server Wrapper in front of a COM DA Server.)
Slide 62: OPC Specifications
- OPC UA Specification in release candidate phase
- Demo is presented at OPC Booth
- OPC UA will address DCOM replacement, Robustness, Reliability
- Client and Server Wrapper will be available from OPC Foundation to vendors
- Remove usage of DCOM for network nodes
- Timeline: 2006
Slide 63: Certification
- Why?
  - Reliability, Security, Interoperable, Maintainable, Plug-N-Play
- What & How
  - OPC Compliance (self test)
  - OPC Interoperability Workshops
  - OPC 3rd Party Certification
  - OPC Certification Lab
Slide 64: Microsoft/OPC Vision
- End User Driven Architecture
  - Vendor adoption driven from end-user demands
- Service Oriented Approach
  - Vertical / Horizontal Interoperability with Platform & Language Neutrality / Transparency
  - Automation Device data/information access & exchange with the enterprise, with stops in between
  - Scalability, Reliability, Security Designed In
- Microsoft/OPC is Dedicated to Interoperability in Automation (and beyond)
Slide 65: Standards / Collaboration
- OpenOM: Joint work by MIMOSA, OPC & ISA-95 to integrate operations and maintenance information
- ISA Standards
  - ISA-95: Enterprise/Control System Interface Standard; Parts 3 & 4 define MES Functions
  - ISA-99: Control System Cyber-Security Standard
- OMAC: Open Modular Architecture Controls group standardizing packaging machinery interfaces
- WBF
  - BatchML: XML Schemas based on ISA-88
  - B2MML: XML Schemas based on ISA-95
- OPC: DCOM and XML interfaces. New Web Services Unified Architecture (UA) under development
- MIMOSA: Asset Mgt and Maintenance Mgt Schema, Meta Data and Interfaces
(Diagram labels: OPC, WBF, OMAC, BatchML, ISA, ISA-99, ISA-95, B2MML, OpenOM MFG JWG)
Slide 66: Interoperability & Coexistence
(Diagram: an existing OPC 2.0 Client (DA, HDA, AE) behind an OPC UA Proxy / Client Wrapper acts as a UA Client and connects, with no DCOM, to an existing OPC 2.0 Server (DA, HDA, AE) fronted by an OPC UA Wrapper acting as a UA Server.)
Slide 69: OPC Security Good Practices Research
- Eric Byres, BCIT
- Matthew Franz, Digital Bond
Slide 70: Background
- Kraft Foods has sponsored a research project to develop a whitepaper that:
  - Provides an overview of security-relevant aspects of OPC for end-users
  - Describes known OPC/DCOM security issues and vulnerabilities
  - Defines a set of host and network security best practices to harden OPC deployments
- Focus is end-users, not developers!
Slide 71: Research Process
(Diagram: inputs (Vulnerabilities, Threats, User Concerns, Host and Network Security Issues, Vendor Guidelines, 3rd Party Apps, OPC Specs) feed a reference architecture ("REF ARCH"), which produces the OPC Security Good Practices: Host Hardening and FW Configuration.)
Slide 72: Document Content
- Section 1 Introduction: Purpose
- Section 2 OPC Essentials: succinct treatment of security-relevant OPC concepts
- Section 3 OPC Exposed: on-the-box (and network?) analysis of components to identify exposures
- Section 4 OPC Security Practices: menu of remediation controls to address findings
- Section 5 Applied OPC Security: practical application of best practices to common OPC deployments
Slide 73: Survey
- It is critical for us to understand how OPC is deployed in the real world to assess risks
  - Which OPC functions (types of servers) are used
  - Concerns about OPC deployment
  - Windows configuration (OS, Identity DB, etc.)
  - Network Topology
- Perhaps you have already solved the problem!
Slide 74: Current vs Future Work?
- Current work does not include:
  - Development of Complex Solution Testbed
  - Formal Threat Analysis (of OPC or our security architecture)
  - Vulnerability Testing of OPC Client/Servers
  - OPC IDS and IPS (both host and network based) recommendations
  - Evaluation of 3rd Party (i.e. tunneling) products
- What else?
Slide 77: Meetings
- Secure
  - 1st Thursday, 10 AM - 12 PM Eastern
- Patch
  - Ad Hoc
- OPC
  - Ad Hoc, once a quarter - soon
Slide 78: Meetings
- MsMUG
  - Phone - Even Months, 1st Tuesday, 11:00 AM Eastern, 8:00 AM Pacific
  - Face2Face - ARC's Tenth Annual Orlando Forum - February 20-24, 2006
    - Title: Next Generation Manufacturing - Driving Operational Performance through Innovation and Collaboration
Slide 79: Links
- ARC hosted Collaboration Portal: http://public.arcweb.com/msmug
- Mail
  - join-omacmsmugall_at_isa-online.org
- Website
  - http://www.omac.org > Working_Groups > Manufacturing_Infrastructure
Slide 80: Special Thanks
- ISA - Chip Lee
- ARC - Bob Mick
  - Dennis Daniels
- CIM Software - Beau Chaney
  - Mark Spindler
- ??? - David Bauman