
    Heads up on a Big Security Issue with WW and Suitelink

    May 18th, 2012

     

    Straight from the Overview on the linked document

    Invensys is aware that a denial of service type vulnerability, including exploit code has been posted on the web against the Wonderware Suitelink service, which is a common component of the System Platform and used to transport value, time and quality of digital I/O information and extensive diagnostics with high throughput between industrial devices, 3rd party and Wonderware products.
    Invensys has confirmed the vulnerability exists for Wonderware products prior to the latest 2012 release and has identified mitigations for other products and prior versions. Please see the affected product list below.

    The 54.0.0.0 and older versions of the SLSSVC Service can be crashed remotely due to a long and unallocatable unicode string when calling the internal _Grow() function. Version 58.0.0.0 and higher is not susceptible to this vulnerability. The SuiteLink version shipped with InTouch 2012 and WAS 2012 is not vulnerable to a crash but will show excessive resource consumption if exploited.
    Invensys is preparing a Security Update that mitigates the identified denial of service vulnerability and can be installed on all supported versions of Wonderware products that use the SuiteLink service. Since this is a common component, Wonderware recommends the installation of this security update on all Wonderware product nodes that use SuiteLink communication.

    To get all the details, follow the link below.

    https://wdnresource.wonderware.com/support/docs/_SecurityBulletins/Security_Bulletin_LFSEC00000038.pdf

    Or, if you are sufficiently paranoid and don’t trust clicking on arbitrary links (good for you), this is the top item on the list when you login to WDN.

    - Andy
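
For anyone sorting nodes against the version thresholds quoted above, here is an added example (not part of the original post or the Invensys bulletin) that groups an inventory of SLSSVC versions and orders the patch queue. The host names, versions and status labels are constructed, and the version strings are assumed to come from whatever asset inventory you already keep.

```python
"""Sort an SLSSVC version inventory by the thresholds quoted in the bulletin overview."""
import csv
import io

VULNERABLE_MAX = (54, 0, 0, 0)       # "54.0.0.0 and older" can be crashed remotely
NOT_SUSCEPTIBLE_MIN = (58, 0, 0, 0)  # "58.0.0.0 and higher is not susceptible"

# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = """\
host,slssvc_version
hmi-01,51.4.0.0
aos-01,54.0.0.0
hist-01,56.2.0.0
eng-01,58.0.0.0
gr-01,58.1.2.0
hmi-02,unknown
"""


def parse_version(text):
    """Return a 4-part version as a tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(version_text):
    """Map one version string to a status label (labels are this example's own)."""
    version = parse_version(version_text)
    if version is None:
        return "unreadable"       # unverified, so never treated as safe
    if version <= VULNERABLE_MAX:
        return "crashable"
    if version >= NOT_SUSCEPTIBLE_MIN:
        return "not-susceptible"
    return "unstated"             # between 54 and 58: the overview gives no verdict


def triage(inventory_csv):
    """Group hosts by status so the patch queue can be ordered."""
    groups = {"crashable": [], "unstated": [], "unreadable": [], "not-susceptible": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        groups[classify(row["slssvc_version"])].append(row["host"])
    return groups


def patch_queue(inventory_csv):
    """Hosts to handle first, most urgent first; unverified nodes are never dropped."""
    groups = triage(inventory_csv)
    return groups["crashable"] + groups["unstated"] + groups["unreadable"]


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:16} {', '.join(hosts) or '-'}")
```

The queue only sets an order: the overview recommends the security update on every node that uses SuiteLink, including those reported here as not susceptible to the crash.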


    Notes on Arrays

    May 10th, 2012

    I just checked the referring searches list & found that someone was looking for how to get an array’s length in IAS.  Well,  here’s my 5 minutes worth of notes on arrays.  All IAS arrays are one based (indexes start at one).  You can refer to a single index (VariableName[#]) or the entire array (VariableName[]).  I’m breaking the rest of the information down into two parts: UDA arrays & local script variable arrays.



    Neat Trick with Graphics Sizing/Spacing

    May 2nd, 2012

    One of the best parts of using Archestra graphics in your application is the ability to freely resize the vector based graphics with no apparent loss in resolution.  The other nice thing is that as you update the size of the graphic in the design tools the graphic follows suit and grows or shrinks as necessary anywhere it is laid down.  This may be fine if you have an item in free space with no connections or other items close by.  This causes a big problem though if you are laying down graphics in tight quarters and can’t afford for things to wiggle around.

    Example:

    Let’s start with a simple pump graphic.


    Then let’s lay it down on a process graphic with process lines connected


    Note on the left hand side that my pump is actually an embedded symbol.

    Now, say we want to go back and add some decoration to this pump.  Maybe a piece of text under the pump.  It’s important to remember that when Archestra looks at the size of the graphic it looks at the extents of all elements.  If you go outside those extents Archestra thinks you want to make the graphic bigger.  As such, when making the graphic bigger, Archestra will expand the graphic in all directions equally from the origin i.e. the middle.  It’s pretty easy to see on this example.


    Note the 2 shifts.  First, the obvious one.  The graphic grew up and down.  The up growth is easy because you see the separation from the blue lines.  The down growth isn’t easy because I don’t have a marker.  Also, note that the graphic grew to the left and right. 

    So how do we fix this problem?  Very simple.  You have to think back to the extents concept.  When you draw your graphic, think about the biggest it could possibly be, including text and other symbol decorations.  Let’s try that with our pump example.


    I’ve gone a little overboard but I’ve basically set up some boundaries.  Now I lay it down on my target graphic, lining up my process lines.


    Now, I go back and add that text I had before.


    Notice that nothing moved around, nothing grew, nothing shrunk.  The reason is that by drawing the box before I laid the graphic down I established the extents or bounds of the graphic.  Now I can do anything I want inside the boundary without changing the “apparent” size.

    The word “apparent” is key to making all this work.  Drawing this ugly rectangle works for design time but would look awful at runtime.  Easy way to handle this.


    Set the Visible Runtime Behavior property to False.  Now, you can see the rectangle during design time but it will disappear during runtime.  Also, if you like you could make the rectangle really really light gray so it’s not distracting during design time.

    Hope this little tidbit helps someone!

    - Andy


    What, No Ops Manage?

    May 1st, 2012

    Going to Ops Manage is without a doubt one of my favorite times of the year.  It’s great to reconnect with old friends and meet new ones.  Well, according to this release it doesn’t look like we’ll see Ops Manage in its old form this year.

    http://iom.invensys.com/EN/eNews/April2012/events.htm

    They reference smaller, more regional events.  This can be good or bad depending on how much Invensys puts into each event.  If they bring a large portion of the Invensys crew to each event that could be good, as you might get more one-on-one time.  On the other hand, if they cut back on who is going to be at each conference it could end up just being a boring vendor fest.

    Wait and see is the attitude we’ll have to take I guess.

    - Andy


    Where Should we Locate our Object Servers?

    April 2nd, 2012

    Of late we’ve been spending some time with customers just getting them up and running.  Part of that process involves the education process around what each type of node does in the grand scheme of things.  Invariably the question always comes up as to where exactly you should locate object servers in the logical and physical network architectures.  What I’m thinking about today is probably more around physical placement.



    Some Random Thoughts on Securing the Environment

    February 22nd, 2012

    Like many others I’ve been following the salacious developments around Cyber Security and our dear SCADA systems.  If you’re involved with any kind of SCADA chances are you have some kind of somewhat valuable target that an outside entity might be interested in either destroying or just messing with.  Maybe it’s nothing more than a building management system controlling the HVAC.  If nothing else they could crank the temperature way up or way down to make people really uncomfortable.  Yes, no harm no foul, but I wouldn’t want to explain to my boss how someone hacked in and took control of the environment.

    So that got me to thinking.  Why, fundamentally, do most environments really suck at being secure?  Is it for lack of desire to be secure or lack of capabilities?  I’ve certainly been in a number of places where the operators “won” and the HMI either had no password or it was posted on a sticky note.  I guess you could say the sticky note method is somewhat “cyber secure”, but terrible nonetheless.  Chances are that password hasn’t been changed in 5 years so it’s really pretty worthless.  Say we get past the desire to be secure and we’ve handed out passwords to the operators and engineers who work on the system.  The next step is the capability of securing the environment.



    Who’s Behind? Who thinks they are Secure?

    February 6th, 2012

     

    I had a recent issue with a customer where their InSQL instance just stopped recording data to disk.  It was reading the data coming in just fine, it just wasn’t getting to disk.  I go through the basics but can’t quite get it to come back.  Place a call to tech support.  Turns out the customer is running InSQL 9.0 Patch 01.  My friendly tech support person quickly informed me that my customer was way out of support. 

    She said she’d be willing to help just a little bit but she couldn’t really do much until I was at least at Patch 02.  Realistically, she said, I needed to be on Version 10 to give me a fighting chance to get adequate support.  Well, this customer is in an FDA regulated environment so upgrade means months and $$$.



    VSphere Support …. It’s here

    January 24th, 2012

     

    Looks like the word is official, VSphere 5.0 is finally officially supported!  Check out the announcement

    https://wdn.wonderware.com/sites/WDN/Lists/Article/Article.aspx?List=10839c88%2D47d4%2D43fb%2D8699%2D1b9ce20313ca&ID=367

    (You’ll need a WDN login to access).  This also includes a link to a really big PDF detailing lots of considerations and detailed instructions on virtualizing your system.  I highly recommend reading it cover to cover.

    A brief summary from a recent communication I had lists the following features that are supported.

    VMOTION
    DRS ( Dynamic resource allocation)
    HA (High Availability)
    DR (Disaster Recovery)
    FT (Fault Tolerance)
    And Snapshots (Although we recommend not using this on production systems)

    Not totally sure about why snapshots aren’t supported.  One speculation is that a VSphere snapshot can stun the VM for a couple seconds.  There was an issue a while back with ESXi 4.1 that caused a 30 second freeze on NFS datastores.  I’ve seen a 2-3 second freeze on my low end iSCSI SAN.

    Either way this is a really big deal on the support front. I know a pretty good list of customers now who went ahead and took the plunge a while back and have yet to experience an issue related to the fact that the system was virtualized.

    A little aside is that I’m going to work on a white paper that goes really deep into the considerations when choosing storage for your environment.  If you’ve ever seen one of my presentations or chatted with me about virtualization I will beat you about the head and shoulders about how critical it is to get your storage right.  If you screw up your servers that’s really easy, and relatively inexpensive, to fix.  If you screw up your storage you’re in for a long expensive process to get it fixed.  Keep an eye out for a white paper on WDN sometime in the future.

    - Andy


    A bump to the top and Scott Whitlock is a BadA**

    December 12th, 2011

    First off, a post to let you know we’re still here and alive.  I’ve been buried on a startup for the last few weeks on nights.  Inspiration is hard to find at 4:30 in the morning in a cave.

    Anyway, a couple things I wanted to get out for our readers’ consumption.

    First, if you aren’t reading Scott Whitlock’s blog over at ContactandCoil.com you are really missing out.  He spans the gamut from hard core PLCs to deep dives in .Net all the way over to garden scale trains.  Anyway, he’s got a really neat idea (at least he wrote it up, don’t know if it’s his idea from scratch) on securing communications to your PLC networks.  The basic idea is that instead of having machines from outside the network actively connect to the PLCs, do it in reverse.  Make the PLC actively connect to something on the other side of a one-way firewall.  Sure there are some limitations to the approach but as a start it’s a really neat idea.

    http://www.contactandcoil.com/automation/industrial-automation/safer-data-collection-from-a-plc/

    Second, got a lengthy comment from Roger Smith at Invensys on an older post that I thought had some great nuggets in it so I’m reposting it here for all to consume.

    I stumbled across it while Googling for something else and saw my friend Howard’s name on a post.  I just HAD to see what he was up to.  After reading Andy’s post, and the responses, I thought I’d chime in on a couple of the topics discussed.

    @Andy: I’m aware of the requirement for DCOM with A2 communications, but never would have thought to check to see if it had been disabled.  Thanks for posting this, I’ll try to remember it for future (re)use.  There’s a long line of people that would love to see DCOM replaced with something more firewall-friendly, like WCF, in a future release.

    @Dan: I’m curious if you are working with Operations 4.0 or newer?  With that version Wonderware updated the MES Client API and middleware to support WCF, in part to get some relief from DCOM heartburn.

    @Howard:
    1) The new virtualization guide is included on the System Platform 2012 installation image, available on the WDN support website.  Most of the content is built around discussion and examples of Hyper-V.  This is likely because it’s a feature of Server 2008 R2 OS, rather than a 3rd party application, and perhaps due in part to Wonderware’s close relationship with Microsoft.
    2) The requirement to disable UAC for Vista and newer OS was introduced with App Server 3.0 and InTouch 10.0 in 2007.  It has been documented in the ReadMe.html file on the installation media for these products ever since.  Perhaps because adoption of Vista and Server 2008 OS was slow, it seems that many users didn’t discover this requirement until working with Windows 7 and Server 2008 R2 more recently.  Unfortunately, like the DCOM issue above, leaving UAC enabled results in a problem where the symptoms don’t necessarily point to the solution.
    3) It was great to see you at OpsManage in Nashville!

    -Roger

    That’s about all for now.  Hopefully once the startups die down David and I will be back in the saddle again.

    - Andy

     


    First Round of Goodies from Ops Manage

    November 17th, 2011

    I’ll apologize in advance for the slightly scattered nature of this post.   This is my brain dump of all the really cool stuff I saw and heard at Ops Manage this year.

    Before I begin, some of these are items that were publicly discussed in canned presentations while others I picked up in conversations with some of the powers that be.  Anything that wasn’t part of a public discussion I’ll mark with ** so don’t go asking around when feature XX might be released, you may get a denial the particular feature ever existed or has been discussed.  Also, the screenshots I’m including are from a beta release so if they change slightly on the production release don’t give me a hard time.

    1) Right out of the gate, support for VSphere 5!  I talked with Rob Kambach for a while about this one.  They have completed a battery of tests and found no issues.  At this point they need to go through a documented/formal testing regimen before they officially announce support.  Look for this somewhere around Q1 of next year.  It also sounds like they are going to support a wide range of features such as HA, Fault Tolerance, Snapshots, etc.  They are actually publishing a 700+ page document on Virtualization and High Availability for System Platform.  Most of it is Hyper-V focused but there’s a lot of good information in it.  I’ve read through parts of it from the beta version and I definitely recommend it.  Also, Brent Humphreys and I were having a discussion a while back about how we’d configure an RMC between machines running in two different datacenters.  We speculated setting up a dedicated VLAN for RMC traffic “should” work.  Well, in this document they address the issue and confirm that VLANs are supported for all node to node communications, including RMC traffic.

    2) Lots of support for new Server 2K8 R2 remote features.  One of the coolest new features in 2K8 R2 is the concept of remote apps.  Think terminal services where the app is running on a remote server, but instead of immersing yourself in a complete remote desktop, you run the app from your local machine.  Just double click an icon and you think the app is running on your local machine.  What’s actually happening is that the app is running back on the server and it’s using something like RDP technology to serve up the graphical portion to your computer and interact with your clicks.  This is really really cool stuff.  Here’s the first link I could find on the Microsoft website about this technology.

    http://technet.microsoft.com/en-us/library/cc730673(WS.10).aspx

    3) Skelta/Workflow is now a first class citizen.  Once you install it, all of your objects will have a workflow tab.  How would I use this?  Say you want a supervisor to be notified every time a HH alarm with a priority < 100 goes off with your analog objects.  You can configure a workflow on your template that sends this notification and waits for the supervisor to acknowledge the alarm before the operator is allowed to acknowledge.  I’m expecting some really really big things from the new workflow engine.

    4) Tons of improvements around E-Signatures.  The biggest one is that you can split out the verifier function.  Before you had no good way to limit who could be a verifier.  That’s why we ended up writing our own prompting object that built in all of these features.  We’ve had secured and verified writes for a while now.


    What we haven’t had is a good way to control who can verify writes.  That has changed with a new operational permission called Verify Writes.


    The idea here is that you would set up one group such as operators for an area and they could do the standard operator things.  Then, you could set up another group for supervisors or foremen and they would have the Can Verify Writes permission.  Now an operator can change a value but they have to get a supervisor to verify it.  An even neater concept is the idea that someone from the quality group can have no privileges at all, except Verify Write.  So now when the operator attempts to say a batch is complete and ready for further processing, the quality person could be there with them and verify the answer, essentially authorizing the action.  The log entries have also been improved.  You know the two people who participated in the transaction.


    What I didn’t see in my release was the detail that it was a verified write.  I do remember, however, seeing this demoed at the conference and it looks like they’ve updated the Description column to include the fact that it was a verified write.

    Another cool thing they’ve done is that it will allow you to enter operator credentials for an operator that isn’t even logged on.  What’s neat about this is if the operator just needs to change something real quick they don’t have to actually log on.

    Supporting all this functionality is the ability to use smart cards.  Smart cards are akin to an access badge but the operator will place the card in some kind of reader on the HMI station.  Then all they have to do is enter a PIN in place of a password.  More secure and faster. I love it.

    Finally, there are a couple of really cool features that are similar so I’ll talk about them together.  They have added script functions in the graphics called SignedWrite() and SignedAlarmAck().  The intent appears to be to allow the designer to give the operator an alternate way to enter/modify data.  Once they have entered/modified data the script calls a signedwrite to attempt to write the new value to the attribute.  What you can do with this, however, is to inject a pre-defined comment or pre-defined list of comments.  Imagine this scenario, an operator finds a cold storage chamber out of spec.  They go to adjust the set point.  When they adjust the set point a signedwrite is fired.  They are presented with a pre-defined list of comments they can select from.  They can’t just enter “Didn’t like current temperature so adjusted”.  They would only have comments like “Added Material to Load”, “Ambient Conditions out of Spec”, “Controller too Variable”, etc.  In regulated industries it is critical that operators don’t get too crazy with their comments on alarms and data entry.  One wrong phrase in a comment could spin off weeks of work trying to explain it away, even if it is the truth.  I think this could be one of the most underrated new features. Wow!

    Here are a couple dummy calls to give you an idea how these are going to work.  See some neat things on the SignedAlarmAck that you like?

    SignedAlarmAck( Alarm_List, Signature_Reqd_for_Range, Min_Priority, Max_Priority, Default_Ack_Comment, Ack_Comment_Is_Editable, TitleBar_Caption, Message_Caption );

    SignedWrite( Attribute, Value, ReasonDescription, Comment_Is_Editable, Comment_Enforcement, Predefined_Comment_List );
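
The checks described in this item (a separate Verify Writes permission, two named people in the log, comments restricted to a pre-defined list) can be modelled in a few lines of plain Python. This is an added illustration, not Wonderware code or its script API: the permission strings, role map, class and function names are hypothetical, and refusing a user who verifies their own write is an assumption the post does not state.

```python
"""Model of a two-person verified write with an enforced comment list."""
from dataclasses import dataclass, field

OPERATE = "operate"              # hypothetical permission name
VERIFY_WRITES = "verify_writes"  # stands in for the post's "Verify Writes"

# Constructed role map following the post: quality staff hold only Verify Writes.
ROLE_PERMISSIONS = {
    "operator": {OPERATE},
    "supervisor": {OPERATE, VERIFY_WRITES},
    "quality": {VERIFY_WRITES},
}

# Pre-defined reasons taken from the post's cold-storage scenario.
ALLOWED_COMMENTS = (
    "Added Material to Load",
    "Ambient Conditions out of Spec",
    "Controller too Variable",
)


class WriteRejected(Exception):
    """Raised when a write fails a permission, identity or comment check."""


@dataclass
class User:
    name: str
    role: str


@dataclass
class Attribute:
    name: str
    value: float
    audit_log: list = field(default_factory=list)


def _denial(operator, verifier, comment):
    """Return the reason a write must be refused, or None if it may proceed."""
    if OPERATE not in ROLE_PERMISSIONS.get(operator.role, set()):
        return "operator lacks write permission"
    if VERIFY_WRITES not in ROLE_PERMISSIONS.get(verifier.role, set()):
        return "verifier lacks Verify Writes permission"
    if operator.name == verifier.name:
        return "verifier must be a second person"  # assumption, see lead-in
    if comment not in ALLOWED_COMMENTS:
        return "comment is not on the pre-defined list"
    return None


def verified_write(attr, new_value, operator, verifier, comment):
    """Apply the write only if every check passes; log the attempt either way."""
    reason = _denial(operator, verifier, comment)
    entry = {
        "attribute": attr.name, "old": attr.value, "new": new_value,
        "operator": operator.name, "verifier": verifier.name,
        # Rejected free text is not copied into the record.
        "comment": comment if comment in ALLOWED_COMMENTS else None,
        "result": reason or "verified write",
    }
    attr.audit_log.append(entry)
    if reason:
        raise WriteRejected(reason)
    attr.value = new_value
    return entry
```

Refused attempts are logged with both names as well, so a pattern of failed verifications is visible in the same record as the successful ones.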

     

    5) Buffered Data.  Where do I begin on this one.  Let me be the first to say I’m still a little confused.  According to the help files here is what they say buffered data is

    The buffered data feature enables efficient accumulation and propagation of VTQ (Value, Time, and Quality) data updates, without foldering and data loss, to data consumers such as objects, alarms, the Historian, and scripts from field devices that support buffering.

    Buffered data is defined as data captured and stored locally on a remote device for later transfer to a supervisory system for processing, analysis, and long-term storage. The Buffer property is input-only.

    Ok, that’s pretty clear.  Seems like this is built for RTUs and the like where the remote unit might accumulate some data and forward it on with quality and timestamps.  Interesting.  Only problem is the demo I saw is 180 degrees from that.  The demos I saw were touting Buffered data as a way to collect data really really fast.  Imagine you have the same value from a PLC and the object is on a 1 second scan. Here is what an overlay of buffered and non-buffered data might look like.


    Here is what I think MAY be going on.  The demos they are showing might be using buffering on the end device to put together an array of values and then forward these values on to IAS, making it appear faster.  However, when I chatted with Rob K. about this he indicated that what was going on was that the data collection was running as fast as it possibly could, “out of band” (my words not his).  Either way this looks like a really neat feature that could be very useful.

    My thoughts on how it could be used?  Two areas.  First, imagine you have a piece of equipment that goes through different modes and in one particular mode it’s critical that you capture detailed information about what the machine looked like during that mode, say a pressure test.  If what I was told was true***, that you could turn buffering on and off at runtime, then you could flip this guy into high speed mode during the pressure test then turn it back off after the pressure test.  Another way I could see using this is for super critical data.  In FDA regulated industries losing data is a huge NO NO.  Only problem is that if we lose network connectivity to our PLC there is nothing we can do to recover from that.  The new Foxboro PAC has some neat new features (that may actually dovetail with this) whereby it will buffer history and alarm data locally until a network connection is re-established.  What about doing that with my Allen Bradley Control Logix?  Maybe it detects a lost heartbeat then goes into buffer mode, maybe capturing a value every minute or some reasonable time frame to save on space.  Once the connection is re-established my object hooks back up, sees there is data in the buffer, processes it, then moves on.  This can even work with alarms too.

    I think I’ve got a lot of reading to do on this one.  I suspect the first group of folks to really figure this out could have a serious leg up from a system resiliency standpoint.

     

    Ok, this installment has gone on long enough, back to struggling with my Silverlight App.

    Next week is Turkey week so I probably won’t put anything out then.  However, the week after I promise another post on some new features, especially the new ShowGraphic() function.

    - Andy