MsMUG Fall Meeting - PowerPoint PPT Presentation

Provided by: bobmac6

Title: MsMUG Fall Meeting


1
MsMUG Fall Meeting
  • MSMUG Meeting
  • ISA Show, Chicago
  • 26 October 2005

2
MsMUG Fall Meeting Agenda
  • OVERVIEW - Bill Cotter
  • Security Team - Bob MacDonald
  • Patch Team - Jim Bauhs
  • Microsoft - where going and how MsMUG fits in
    - Ron Sielinski
  • OPC Users Survey - Bill Cotter
  • OPC Foundation - Rashesh Mody
  • OPC Security Paper - Eric Byres, Matt Franz
  • Q&A - panel session
  • Close - Bill Cotter

3
What is MsMUG
  • Microsoft Manufacturing User Group
  • User group devoted to addressing opportunities
    when applying Microsoft technology to industrial
    applications
  • Formed in February 1999
  • 250 members
  • Users
  • Software suppliers
  • Microsoft

4
How do you Benefit
  • Leverage user community, key suppliers &
    Microsoft to address:
  • Reliable system - Better ROI
  • Security - Supporting e-Productivity efforts
  • Longevity of OS - Deferred capital spending
  • Best Practices - Easy to support systems
  • Training - Better leverage of current staff

5
Past Accomplishments
  • Microsoft Designed for Windows XP recommendation
  • Best Practices
  • Recommendations for software licensing
  • Training skill levels

6
Current Focus
  • MUGSecure - Bob MacDonald - PCS
    - better OS for the Factory
  • MUGPatch - Jim Bauhs - Cargill
    - Improve patch process
  • MUGOPC - Bill Cotter - 3M
    - Improve the OPC products

8
MUGSecure Update
  • MSMUG Meeting
  • ISA Show, Chicago
  • 26 October 2005

9
MUGSecure Objective
  • The MUGSecure Team is focused on increasing
    Windows operating system reliability and security
    by developing Best Practices for configuring
    Windows in a manufacturing environment.

10
Overview of Process
  • Technical Area Teams develop content for specific
    areas (e.g. Group Policy or Services)
  • Using MS Threats and Countermeasures Guide as
    basis for technical areas
  • Combine Technical Area Team content into single
    draft document
  • MSMUG members review content
  • Finalize and publish

11
Technical Area Team 1/3
  • Focus Area: Group Policy (Domain level policies,
    audit policies, user rights assignment, event
    logs, security options, software restrictions)
    and Administrative Templates (Windows components,
    system, network, printers)
  • Members: Kevin Staggs (Honeywell), Mark Heard
    (Eastman Chemical), Ernie Rakaczky (Invensys)
  • Status: Combining recommendations from Honeywell
    and Invensys into a single document. Completion
    date uncertain.

12
Technical Area Team 2
  • Focus Area: System Services
  • Members: Rashesh Mody (Invensys), Kevin Meyer
    (3M), Kevin Staggs (Honeywell), Clayton Coleman
    (Invensys)
  • Status: Combining services recommendations from
    Honeywell and Invensys into single spreadsheet.
    Expected completion within a month.

13
Technical Area Team 4
  • Focus Area: Domain infrastructure, additional
    registry settings, additional hardening
    procedures
  • Members: Bob Eagle (Goodyear), formerly Rory
    James (Chevron Phillips)
  • Status: Draft document of recommendations
    complete and posted on MUGSecure web site.

14
Technical Area Team 5
  • Focus Area: Operating system image and
    application software management
  • Members: Pat Kennedy (OSISoft)
  • Status: No active work. Will revisit the need
    for this after initial Best Practices publication.

15
Technical Area Team 6
  • Focus Area: People issues (roles, skills,
    administrative tools)
  • Members: Ernie Rakaczky (Invensys), Dick Oyen
    (ABB)
  • Status: Believe that ISA SP-99 already covers
    this in sufficient detail. Working to understand
    how to cross-reference between Best Practices and
    ISA documents

16
MUGSecure Schedule
Technical Area Teams
Develop Draft Best Practices
MSMUG Reviews
Finalize & Publish
17
MUGSecure Information
  • Conference calls first Thursday of each month
    from 10-12 US Eastern Time. (currently scheduled
    through January)
  • ARC hosted Collaboration Portal:
    http://public.arcweb.com/msmug (click on MUGSecure Home)
  • Contact Bob MacDonald (PG) for more information
    (macdonald.rc_at_pg.com)

19
MUGPatch
  • Team Leader - Jim Bauhs - Cargill
    - Improve patch process
  • No Reboot - Erik Goode - Cargill
    - Find ways to eliminate or minimize reboots
  • Patch Awareness - Evan Hand - Kraft
    - Improve communication about patches
  • Better Tools - Bob Mick - ARC
    - Find better tools & methods of patch mgmt

20
No Reboot
  • July 2004 Security Summit hosted by Microsoft
  • Microsoft expressed commitment to the
    Manufacturing environment
  • Progress has been noted
  • Windows Server 2003 SP1 has been released.
  • WSUS (Windows Software Update Services) has been
    released; it allows new methods of patch
    management to reduce reboots during patching.
  • Cooperative/collaborative relationship between
    MSMUG & Microsoft
  • A lot of progress in a short amount of time, and
    MSMUG has been one of the voices asking for these
    improvements. Microsoft is really listening to
    us first.

21
ISV Tools Working Group
  • Participants
  • Bob Mick - bmick_at_arcweb.com
  • John Hopson - John.Hopson_at_wonderware.com

22
ISV Tools Working Group Objective
  • Investigate and document the current state of
    tools that support patch management on Windows
  • Defining general requirements for new and
    enhanced tools that support good practices as
    guidance to software suppliers, including both
    Microsoft and ISVs.

23
Success Criteria
  • Subgroup success will be the development and
    publishing of
  • An agreed to assessment of the current state of
    ISV patch management tools
  • A categorized directory of selected 3rd (4th?)
    party patch management tools which may be used
    by ISVs. This may need to be updated
    periodically
  • Recommendations for Microsoft and ISVs for
    integration of patch management tools

24
Working Group Results
  • The current State of ISV Patch Management Tools
  • Recommendations to ISVs
  • Recommendations to Microsoft

25
Microsoft Patch Management Tools
Preliminary
http://www.microsoft.com/technet/security/topics/patchmanagement.mspx
26
Third Party Patch Management Tools
  • Tools Functions
  • Inventory systems
  • Monitor vendors for patches
  • Monitor sources for vulnerabilities
  • Monitor for and download patches
  • Test
  • Deploy
  • Monitor patch state

Preliminary
27
Leveraging Member Better Practices
  • Vendor Management
  • Coordination

28
Vendor Engagement Approach
  • Identify key vendors
  • Engage account management team
  • Request a single point of contact for security
    issues
  • Identify key requirements
  • Progress key topics through regular engagements
  • Regular calls
  • Account team security workshops

29
Key Issues Vendor Views
  • Control systems are stand alone and should not be
    connected to other systems therefore we don't
    need to harden them.
  • If you do want to connect your systems then
    here's how you do it (with no protection)
  • Anti virus software and patches change the system
    configuration and therefore need testing prior to
    use
  • Implementing security is costly, who's going to
    pay?
  • Hey this security thing is important and it can
    be a business advantage.

30
Key Vendor Topics
  • Accreditation of anti virus software
  • Patch accreditation
  • Incident response
  • Secure standard architectures
  • Security testing

31
Anti Virus Software
  • Starting Position 2002
  • Most vendors did not recommend the use of anti
    virus software
  • Some accredited occasional versions of some
    antivirus packages
  • Even those vendors were wary about automated
    updates
  • Current Position
  • All major vendors accredit anti virus for recent
    systems
  • Most vendors provide anti virus guidance
    documents
  • Where we want to be
  • All control systems with AV software with easy
    update mechanisms
  • Accreditation of other protection systems e.g.
    tripwire
  • Accreditation of system monitoring agents for
    remote monitoring

32
Patch Accreditation
  • Starting position 2002
  • You can't apply security patches to control
    systems
  • 2003
  • Please raise a support case and we will test
    the patch for you
  • The patch should be tested in around 9 months
    (around the time of Blaster and Nachi worms)
  • Current Situation
  • Most main vendors now automatically assess and
    Microsoft patches
  • Some vendors have very good patch turn around
    times (1-3 days)

33
Key Achievements
  • All major vendors now accredit anti virus
    software
  • Vendors now accredit patches automatically and
    some do this at impressive speeds
  • It is now possible to patch control systems in
    line with IT systems
  • Some vendors . . .
  • . . . are engaged in industry bodies and
    standards working groups
  • . . . have undertaken detailed security testing
    of systems
  • . . . are developing standard security
    architectures
  • . . . are starting to harden the lower levels of
    control systems

34
Vendor Engagement into the Future Raising the
bar
  • Automated patch audit and deployment tools
  • Decrease patching issues
  • Managing component software vulnerabilities
  • Integrating security testing into Factory
    Acceptance Tests (FATs)
  • Building security into procurement contracts
  • Hardening the lower levels of control systems
  • Securing process control protocols (mainly OPC)
  • Vulnerability scanning in live environments
  • Integration of security products into control
    systems
  • Engagement of other vendors

35
Summary
  • More information is available
  • There are tangible benefits to working with MSMUG
  • Plenty of opportunities to join MSMUG

We Need YOU!
37
orgs...
39
MS MUG OPC Users Survey
  • Thomas J. Burke - OPC Foundation President
  • William Cotter - MSMUG Chair (OMAC)
  • Chip Lee - ISA Director
  • Rashesh Mody - OPC Foundation Chief Architect
  • ISA Expo Oct 2005

40
Survey Results
  • Total Responses 157
  • Majority from Automation, Instrumentation and
    Control background
  • 90 are OPC users

41
OPC Functionality
Data Access 97
Total Majority under 10 Nodes
42
OPC Interoperability
  • Interoperability is very important
  • 56 Want Certified Products
  • 32 Don't feel Certification is needed

43
Survey Main Results
  • Top 3 issues: Robustness, DCOM, Documentation

44
Survey Main Results Q8
45
Survey Main Results Q9
47
OPC Foundation
48
OPC Foundation
49
Security & Reliability: OPC & Microsoft
Collaboration
  • Rashesh Mody
  • Chief Architect
  • OPC Foundation

50
Survey Results
  • Total Responses 157
  • Majority from Automation, Instrumentation and
    Control background
  • 90 are OPC users

51
OPC Functionality
52
OPC Interoperability
  • Interoperability is very important

53
Users Preference
  • Top 3 issues: DCOM, Robustness, Documentation

54
Recent OPC Activities
  • Last July, we held a conference at Redmond Campus
    jointly with Microsoft
  • Held Interoperability Conference in Florida and
    Germany
  • Certification process is under review
  • Net set of Specs in progress
  • Unified DA, AE and HDA
  • 15 Vendors are working together

55
OPC Unified Architecture Motivation
.NET new Communication architecture
DCOM retires
Internet
OPC-UA
Better Integration (DA, HDA, AE)
More Areas of Application (MES, ERP)
Service Oriented
56
OPC Unified Architecture Key Features
  • Broad Application Scope
  • Up to MES and ERP and down to device device
    level
  • Requires Enhanced Reliability, Security,
    Transaction Services
  • Open Communications
  • State-of-the-art Web technology
  • Performance, Secure & Reliable
  • Integrated Address Space and Object Model
  • DA, AE, HDA, Commands, are joined
  • Rich Information Model
  • Complex Data Systems Seamless Open Integration

57
Reliability
  • Subscription Update Features
  • Keep-alive (heartbeat) messages
  • Allows clients to detect a failed server or
    channel
  • Sequence Numbers in each update message
  • Allows client re-sync to obtain missed messages
  • Decouples callback channel from notification
    mechanism, allowing callback channel to be reset
    without loss of data
  • Redundancy Features
  • Designed for easy (optional) redundancy of both
    Clients and Servers
  • e.g. re-sync request can be sent to a backup
    server
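
Added example (not part of the original slides and not OPC Foundation code): a small Python model of the subscription features listed on the Reliability slide, showing how a client uses sequence numbers and keep-alives to detect lost updates and re-sync, including against a backup server. The message layout, class names, the 3x keep-alive tolerance and the scenario in demo() are assumptions made for the illustration.

```python
# Added illustration, not OPC UA's wire format or any product's API. Message layout,
# class names, the 3x keep-alive tolerance and the demo scenario are constructed.
class Server:
    def __init__(self, name):
        self.name, self.sent = name, {}  # sent: sequence number -> retained payload

    def publish(self, seq, payload):
        self.sent[seq] = payload
        return {"seq": seq, "payload": payload}

    def keepalive(self):  # heartbeat: last sequence number sent, no data
        return {"seq": max(self.sent, default=0), "payload": None}

    def resync(self, after):  # replay every retained update newer than `after`
        return [{"seq": s, "payload": self.sent[s]} for s in sorted(self.sent) if s > after]


class SubscriptionClient:
    def __init__(self, primary, backup, keepalive_interval=1.0):
        self.servers, self.active = [primary, backup], 0
        self.timeout = 3 * keepalive_interval  # assumed silence tolerated before failover
        self.last_seq, self.last_heard = 0, 0.0
        self.received, self.events = [], []

    def on_message(self, msg, now):
        self.last_heard = now
        is_keepalive = msg["payload"] is None
        expected = self.last_seq if is_keepalive else self.last_seq + 1
        if msg["seq"] > expected:  # sequence gap: one or more updates were lost
            self.events.append(("gap", self.last_seq + 1))
            self._resync()
        if not is_keepalive and msg["seq"] == self.last_seq + 1:
            self._deliver(msg)  # anything at or below last_seq is a duplicate

    def check_channel(self, now):
        if now - self.last_heard <= self.timeout:
            return False
        self.active = 1  # no update or heartbeat in time: treat the channel as failed
        self.events.append(("failover", self.servers[1].name))
        self._resync()  # the re-sync request goes to the backup server
        self.last_heard = now
        return True

    def _resync(self):
        for msg in self.servers[self.active].resync(self.last_seq):
            self._deliver(msg)

    def _deliver(self, msg):
        self.last_seq = msg["seq"]
        self.received.append(msg["payload"])


def demo():
    primary, backup = Server("primary"), Server("backup")
    client = SubscriptionClient(primary, backup)
    mirror = lambda seq, val: (backup.publish(seq, val), primary.publish(seq, val))[1]
    client.on_message(mirror(1, "v1"), now=0.0)
    mirror(2, "v2")                                  # never reaches the client
    client.on_message(mirror(3, "v3"), now=1.0)      # gap exposed by the next update
    mirror(4, "v4")                                  # never reaches the client
    client.on_message(primary.keepalive(), now=2.0)  # gap exposed by the heartbeat
    backup.publish(5, "v5")                          # primary has stopped responding
    client.check_channel(now=6.0)
    return client.received, client.events
```

In the constructed scenario the client ends up with all five values in order even though two updates were dropped and the primary went silent, and its event list records where each gap and the failover were detected.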

58
Security
  • OPC Unified Architecture Clients present
    credentials to OPC Unified Architecture Servers.
  • OPC Unified Architecture Servers require
    authentication and authorization.
  • Optional message signing and encryption.

59
UA Enable all OPC COM Servers
  • UA clients can instantly connect to hundreds of
    existing OPC COM Servers

UAClient
UAServer Wrapper
COMDA Server
SOAP over
UA
HTTP or TCP
60
UA Enable all OPC COM Clients
  • Use the UA Client Proxy to connect existing COM
    clients to new UA Servers

UAClient Proxy
COMDA Client
UAServer
SOAP over
UA
HTTP or TCP
61
Disable Remote DCOM
  • Use the UA proxy and wrapper to replace DCOM as
    remote communication protocol

UAClient Proxy
COMDA Client
UAServer Wrapper
COMDA Server
SOAP over
UA
HTTP or TCP
62
OPC Specifications
  • OPC UA Specification in release candidate phase
  • Demo is presented at OPC Booth
  • OPC UA will address DCOM replacement, Robustness,
    Reliability.
  • Client and Server Wrapper will be available from
    OPC Foundation to vendors
  • Remove usage of DCOM for network nodes
  • Timeline 2006

63
Certification
  • Why?
  • Reliability, Security, Interoperable,
    Maintainable Plug-N-Play
  • What & How
  • OPC Compliance (self test)
  • OPC Interoperability Workshops
  • OPC 3rd Party Certification
  • OPC Certification Lab

64
Microsoft/OPC Vision ..
  • End User Driven Architecture
  • Vendor adoption driven from end-user demands
  • Service Oriented Approach
  • Vertical / Horizontal Interoperability with
    Platform & Language Neutrality / Transparency
  • Automation Device data/information access &
    exchange with the enterprise with stops in
    between.
  • Scalability, Reliability, Security Designed In.

Microsoft/OPC is Dedicated to Interoperability in
Automation (and beyond)
65
Standards/ Collaboration
MIMOSA
  • OpenOM: Joint work by MIMOSA, OPC & ISA-95 to
    integrate operations and maintenance information
  • ISA Standards: ISA-95 Enterprise/Control System
    Interface Standard, Parts 3 & 4 define MES
    Functions; ISA-99 Control System Cyber-Security
    Standard
  • OMAC: Open Modular Architecture Controls group
    standardizing packaging machinery interfaces
  • WBF: BatchML XML Schemas based on ISA-88; B2MML
    XML Schemas based on ISA-95
  • OPC: DCOM and XML interfaces. New Web Services
    Unified Architecture (UA) under development
  • MIMOSA: Asset Mgt and Maintenance Mgt Schema,
    Meta Data and Interfaces
OPC
WBF
OMAC
BatchML
ISA
ISA-99
ISA-95
B2MML
OpenOM MFG JWG
66
Interoperability Coexistence
OPC 2.0 Client (Existing) DA, HDA, AE
OPC UA Wrapper
Proxy
UA Client
No DCOM
OPC 2.0 Server (Existing) DA, HDA, AE
OPC UA Wrapper
UA Server
Client Wrapper
69
OPC Security Good Practices Research
  • Eric Byres, BCIT
  • Matthew Franz, Digital Bond

70
Background
  • Kraft Foods has sponsored a research project to
    develop a whitepaper that
  • Provides overview of security relevant aspects
    of OPC for end-users
  • Describes known OPC/DCOM security issues and
    vulnerabilities
  • Defines a set of host and network security best
    practices to harden OPC deployments
  • Focus is end-users not developers!

71
Research Process
Vulnerabilities
Research
OPC Security Good Practices
User Concerns
Host Hardening
Host and Network Security Issues
Vendor Guidelines
FW Configuration
3rd Party Apps
OPC Specs
Threats
72
Document Content
  • Section 1: Introduction & Purpose
  • Section 2: OPC Essentials - succinct treatment of
    security relevant OPC concepts
  • Section 3: OPC Exposed - on the box (and
    network?) analysis of components to identify
    exposures
  • Section 4: OPC Security Practices - menu of
    remediation controls to address findings
  • Section 5: Applied OPC Security - practical
    application of best practices to common OPC
    deployments

73
Survey
  • It is critical for us to understand how OPC is
    deployed in the real world to assess risks
  • Which OPC functions (types of servers) are used
  • Concerns about OPC deployment
  • Windows configuration (OS, Identity DB, etc.)
  • Network Topology
  • Perhaps you have already solved the problem!

74
Current vs Future Work?
  • Current work does not include
  • Development of Complex Solution Testbed
  • Formal Threat Analysis (of OPC or our security
    architecture)
  • Vulnerability Testing of OPC Client/Servers
  • OPC IDS and IPS (both host and network based)
    recommendations
  • Evaluation of 3rd Party (i.e. tunneling) products
  • What else?

75
MsMUG Fall Meeting Agenda
  • OVERVIEW - Bill Cotter
  • Security Team - Bob MacDonald
  • Patch Team - Jim Bauhs
  • Microsoft - where going and how MsMUG fits in
    - Ron Sielinski
  • OPC Users Survey - Bill Cotter
  • OPC Foundation - Rashesh Mody
  • BCIT Document - Eric Byres
  • Q&A - panel session
  • Close - Bill Cotter

77
Meetings
  • Secure
  • 1st Thursday 10 AM - 12 PM Eastern
  • Patch
  • Ad Hoc
  • OPC
  • Ad Hoc once a quarter - soon

78
Meetings
  • MsMUG
  • Phone - Even Months, 1st Tuesday, 11:00 AM
    Eastern, 8:00 AM Pacific
  • Face2Face: ARC's Tenth Annual Orlando Forum -
    February 20-24, 2006
  • Title: Next Generation Manufacturing
  • Driving Operational Performance through
    Innovation and Collaboration

79
Links
  • ARC hosted Collaboration Portal:
    http://public.arcweb.com/msmug
  • Mail
  • join-omacmsmugall_at_isa-online.org
  • Website
  • http://www.omac.org
  • Working_Groups
  • Manufacturing_Infrastructure

80
Special Thanks
  • ISA - Chip Lee
  • ARC - Bob Mick
  • - Dennis Daniels
  • CIM Software- Beau Chaney
  • - Mark Spindler
  • ??? - David Bauman
