It’s beginning to look a lot like… the North Pole here in western Canada.  It’s currently a balmy -32 C with the wind, and expected to stay that way for the holidays.  It makes strolling the storefronts for those last minute gift items a nippy prospect. Personally I’m looking to avoid frostbite by checking out websites with downloadable gifts.  Downloadable gifts like varied and countless kinds of software, e-books and games give you a list of advantages:  

·       It’s green.  These days, we are all concerned about ways to be eco-minded and downloading means less garbage.

·       It’s instantaneous.  Talk about instant gratification: your purchase arrives seconds after you buy it.

·       …and you don’t have to brave the cold.

So here are a few options for the OPC lovers on your lists:

·       For that Uncle who’s across the global and wants to keep in touch.  OPC Tunneller is the perfect gift for ensuring secure, reliable OPC communications across firewalls and unreliable connections.

·       For the parents who keep calling you for computer troubleshooting.  The OPC Server for Performance Monitor to keep track of all the important factors like memory usage, hard drive space and CPU.  Also a good option for the IT managers or green data center owners on your list.

·       Add the OPC Buffer to keep a running history to share with Gramma or anyone else who needs some OPC history.

·       And the OPC Data Manager just makes a great stocking stuffer for everyone.  Who doesn’t need to share data between different systems?

In case anyone out there is wondering… I’d love to get a copy of the new OPC Server for OMRON.  It would round out my PLC server collection J

I’m off for the holidays and will be back posting early in the new year.  Hope everyone has safe and happy holidays.

The SANS Institute Process Control and SCADA Security Summit 2009 is being held in Florida, Feb 2-3.  It’s being held at a hotel in the heart of the Walt Disney World Resort. I’m not sure if that is a subtle hint that IT Security is the stuff of magic and imagination or that securing process control and SCADA systems is merely a wonderful fantasy…  The dubious relevance of large talking mice to securing critical infrastructure aside, it looks like this years event will be talking a lot about IT security in Power and Utilities.  If you look at the top ten questions for the summit, there are several specifically targeting power and utilities. 

1.    How has the threat to control systems changed during 2008? Who are the new attackers? What kind of damage have they already done? What can they do?

2.    Exactly how do attackers penetrate the defenses that have been established by most control system users?

3.    What are the principal vulnerabilities in control systems and how should they be prioritized for mitigation?

4.    What techniques are the most advanced control systems users implementing to mitigate the threat? How are they training their people? How are they balancing information technology and control systems needs?

5.    How can Utilities gain top management support for major security initiatives?

6.    How can utilities educate their Public Utility Commissions so that investments in cyber security may be included in the rate base.

7.    Which SCADA security research projects have shown useful results? How can asset owners put those findings to work?

8.    Which control system vendors have made the most progress on implementing the new standards for secure configuration of their products?

9.    What innovations has NERC implemented and how can electric utilities and others share in the lessons learned?

10.  What tools have governments developed that makes security of control systems more effective and efficient?

While this is not specifically an OPC event, I would suspect that the whole topic of cyber security, particularly in regards to power utilities would be of interest to many OPC users out there.  There are countless generating companies, municipalities and other utility companies out there using OPC as part of their communication infrastructure.  When looking at securing critical infrastructures, there is a lot of work to be done and more and more noise is being made about this particularly in the US.  (Whether or not the noise in the right kind is open for debate as the folks at Digital Bond point out…)  In either case, it seems plain to me that anything that makes the data communication layer more secure for our Power systems is a good thing.  It may be conducting a systems security audit, implementing OPC Security Gateway to increase the granularity of user access protection or some other OPC security option.

If nothing else the questions posed to the security summit show that someone out there is asking questions and is concerned about the state of control system security.  The concept of including security costs in the rate base might be one answer to my earlier post on the costs of security, and I for one would like to hear some of the answers to the other questions. For anyone attending the conference it would be interesting to hear if OPC is a topic of discussion among the attendees.  Are they concerned about the security of their OPC connectivity?  If so, what are they doing about it?

P.S. As Peter points out, the security summit coordinates nicely with the ARC Advisory Group’s Orlando Forum, so you can hit both events with one trip J

You see news on the dismal economy and news stories on cyber-security pretty much everyday.  It’s not surprising that we are now seeing them tied together in the same article:  Cyber Security: A Hard Sell in Tough Economic Times. At companies hit crunch time on the bottom line, they will be looking at areas to cut.  Since security is already not getting the love it truly deserves, it wouldn’t be surprising to see it on the block.  Companies are already unwilling to talk about what lack of security is costing them.  I think this quote from this article speaks volumes on that topic:

“…government efforts led by the Homeland Security Dept. have been stymied by bureaucratic confusion and an unwillingness by agencies and corporations to share information about cyber break-ins. The commission’s report catalogues incidents afflicting financial institutions, large corporations, and government agencies…”

While most cyber-security discussions talk about financial and communications systems, the most alarming are talks regarding Power Utilities and other infrastructure systems.  Talks like the one from Rick Sergel, President & CEO of NERC at the NARUC Meetings 2008, last July 20, don’t paint a warm and fuzzy picture.   To some people what might be even more alarming is the recent report on cyber-security that basically says the status-quo is not working and calls for more government involvement.

Certainly there are more and more manufacturers that a thinking about the OPC security of their systems.  The most recent release of the MatrikonOPC Security Gateway is quickly becoming a popular choice for many OPC installations.  Also there are more users requesting OPC Servers that natively support security.  And of course the whole topic of Security is always popular when talking about OPC UA.

What about your company? Have you had your cyber-security projects delayed or cancelled due to the recent economic crunch?  For the folks in the USA, is the prospect of increased government involvement having any affect on your business decisions?

Seems like a lot of people enjoyed the previous episodes of OPC Mythbusters, so I decided to let Adam and Jamie have a go at the big myth – “OPC UA – Is it Ready?” This time they get a little help from a couple of guest stars. Enjoy!

(If the clip doesn’t appear try this link)

OPC UA has made great progress in the last year with many concrete products and architectures coming together. Since OPC UA is a set of layer specifications and the core set is solid, then OPC UA is ready to go.  Of course, as with any implementation roll out as ambitious as OPC UA there is still more work to be done if you consider the full scope. Let’s hear from you.  What aspects of OPC UA do you think should get the most focus in the coming year?  Release of the final Access Type specifications? More stringent guidelines on how vendors implement OPC UA security? Adding more features to the SDK? Release of the OPC UA Compliance tools and test cases? Increasing the stability and/or usability of the SDK? Other items?