In episode 2 of Control Pub Talk with “Mad” Mike Marston, Mike shows us the EASY IO FG 32 Controller being used in several unique applications. Want to make beer? The powerful FG32 is the control solution of choice for micro brewers in the know. Could you control vending machines with the EASY IO Controller? Watch this video and find out!
Energy Department to Fund Master’s and Doctoral Training in Power Electronics. As part of the Obama Administration’s commitment to accelerating American manufacturing and Energy Secretary Ernest Moniz’s support of STEM education (Science, Technology, Engineering, and Math) to create the next generation of engineers and manufacturers, the Energy Department has announced up to $10 million available to establish one or more graduate-level training programs at colleges and universities for engineers in power electronics. (Read the full funding opportunity announcement for complete details and instructions to apply.)
The training curriculum in power electronics (devices that control or convert electrical energy into usable power) will include cutting-edge wide bandgap semiconductors that can operate at higher temperatures, voltages, and frequencies and are more durable and reliable than their silicon-based counterparts. The five-year traineeship program will begin in the fall 2016 school year and is concentrated on advanced power electronic equipment engineering, design, and manufacturing.
Power engineers play an important part in clean energy technologies and will be in high demand in the growing clean energy economy. These engineers are needed to enable the design, manufacturing, and deployment of advanced new high-efficiency electrical equipment such as motors, inverters, and grid equipment, as well as high-efficiency electrical systems.
The industrial sector consumes over a quarter of the electricity produced in the United States and is projected to increase its use by approximately 30% by 2040. This growth means that America will likely see an increase in job opportunities for power engineers in advanced manufacturing industries and energy intensive industries, including automotive, aerospace, chemical and clean energy. These traineeships aim to help close the potential workforce development gap in the power engineering field.
The Energy Department will competitively select one or more U.S.-based colleges and/or universities with accredited programs in relevant fields to implement master’s and doctoral training programs in power electronic equipment design and engineering. The funding is designated for stipend and tuition support during the first two years of graduate-level power engineering training and is designed to fill the identified workforce needs within industry, national labs, and universities. Read the full funding opportunity announcement for complete details and instructions to apply.
The Office of Energy Efficiency and Renewable Energy accelerates development and deployment of energy efficiency and renewable energy technologies and market-based solutions that strengthen U.S. energy security, environmental quality, and economic vitality. Find out more about power electronics research and development and the Advanced Manufacturing Office.
Are you looking for an easy to use and configure zoning system — that has the capabilities of a much more complex zoning system? We caught up with Angie Jarvis and the team from ProLon at the 2015 CGNA Vendor Showcase and ProLon just might have the answer! Check this video out and see just how easy it is to set up a zoning system. Reach out to your local CGNA controls distributor and try ProLon on your next zoning job.
If you haven’t heard what Shodan is and why we should care, I would suggest you get familiar with it. Shodan has been called the “Google” for the internet of things (IoT). Shodan continually catalogs internet-facing connected devices such as control systems, computers, CRACs, power systems, etc.
Why should we care? Because if you have set up a customer’s system so that it is directly connected to the internet, Shodan has either found it or will find it, and it will put it into its database for the world to see.
I found the site below in the amount of time it took me to type “niagara” in the Shodan search bar and then click the first IP listed. Notice that all the information for this site is listed on the right of the image.
Try It Yourself
The image on the left shows a search I did for Niagara systems. If you want to try it out, I set the image up so that when you click it, it will open Shodan and automatically search for Niagara systems around the world.
Notice who is leading the pack? We are! This is a statistic we DO NOT want to be in the number one position.
This search shows us that as of today (7/28/15), there are 15,948 publicly exposed Niagara instances in the United States. Yours could be one of them.
The image below is the details page for the site shown above. The details page gives you the open ports, the Niagara version, the last time Shodan recorded it on the web (in this example it was yesterday around 10 AM), the internet service provider (ISP), the city and country the site is in and lastly… a map showing the location of the IP! Note that this map is the geolocation of the IP address (typically the ISP’s point of presence), so it is most likely not the physical site.
Does Shodan require you to search by vendor? Nope… You can search by equipment type.
The next search I did was for “Chillers”. The image below shows two of the results from this screen (there were many more than these two), and there is a lot of information that the bad guy could use.
The first system in the image shows that it is a Tracer SC and it is located in the mechanical room. The software version and firmware version are listed. Its BACnet device instance ID is listed. And it shows us the internal IP of the BBMD (the BACnet/IP Broadcast Management Device), which exposes part of the building’s private address space.
The second system in the image is Delta Controls. It is located on the 10th floor, in the boiler room. It too shows the software and firmware versions and its BACnet instance ID. The internal IP of the BBMD is shown as well.
Tracer SC Details
I clicked the details for the Tracer SC system, and the image on the right shows Microsoft IIS running. This is the web server that hosts the user interface.
It is also running ASP.NET. Both have a history of published vulnerabilities, so an internet-facing instance is a target for a hacker, especially if it is not being kept patched.
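As an added example (not part of the original post and not Shodan’s own code), the Python below triages a Shodan-style export for the two kinds of exposure described above: Niagara Fox banners and BACnet device banners. The records are constructed samples; the JSON field names and the banner layouts are assumptions modelled on Shodan’s output, so check them against a real export before relying on the parser. It extracts product and version, flags banners that leak internal addresses or a physical location, notes an exposed IIS/ASP.NET management UI, and answers the question the post raises: are any of the exposed hosts in address ranges you are responsible for?

```python
"""Triage a Shodan-style export of exposed building-automation hosts.

Added example. SAMPLE_EXPORT is constructed; field names (ip_str, port,
org, location, data) and banner layouts are assumptions modelled on
Shodan's JSON output, not copied from a real export.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample records, not real hosts (TEST-NET addresses).
SAMPLE_EXPORT = [
    {"ip_str": "203.0.113.10", "port": 1911, "org": "Example ISP",
     "location": {"country_code": "US", "city": "Denver"},
     "data": "fox a 1 -1 fox hello\n{\nfox.version=s:1.0\n"
             "hostAddress=s:192.168.1.20\napp.name=s:Station\n"
             "app.version=s:3.7.106\nstation.name=s:HQ_AHU\n"
             "brandId=s:tridium\n};\n"},
    {"ip_str": "203.0.113.11", "port": 47808, "org": "Example ISP",
     "location": {"country_code": "US", "city": "Austin"},
     "data": "Instance ID: 1201\nVendor Name: Trane\nModel Name: Tracer SC\n"
             "Firmware: 4.2\nLocation: Mechanical Room\nBBMD: 10.10.5.2\n"},
    {"ip_str": "203.0.113.11", "port": 80, "org": "Example ISP",
     "location": {"country_code": "US", "city": "Austin"},
     "data": "HTTP/1.1 200 OK\nServer: Microsoft-IIS/7.5\n"
             "X-Powered-By: ASP.NET\n\n"},
    {"ip_str": "198.51.100.7", "port": 47808, "org": "Other Telecom",
     "location": {"country_code": "CA", "city": "Toronto"},
     "data": "Instance ID: 77\nVendor Name: Delta Controls\n"
             "Location: 10th floor boiler room\nBBMD: 172.16.4.9\n"},
]

FOX_KV = re.compile(r"^([\w.]+)=s:(.*)$", re.M)        # Fox hello "key=s:value"
BACNET_KV = re.compile(r"^([A-Za-z ]+):\s*(.*)$", re.M)  # "Field: value" lines
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_banner(port, data):
    """Best-effort (product, version, key/value fields) from one banner."""
    if port == 1911 or data.startswith("fox "):
        kv = dict(FOX_KV.findall(data))
        return "Niagara/Fox", kv.get("app.version", "?"), kv
    if port == 47808 or "Instance ID" in data:
        kv = dict(BACNET_KV.findall(data))
        product = kv.get("Model Name") or kv.get("Vendor Name", "BACnet")
        return product, kv.get("Firmware", "?"), kv
    server = re.search(r"^Server:\s*(.*)$", data, re.M)
    if server:
        return "HTTP " + server.group(1), "?", {}
    return "unknown", "?", {}


def leaked_private_ips(kv):
    """RFC 1918 addresses a banner reveals (Fox hostAddress, BACnet BBMD)."""
    found = []
    for value in kv.values():
        for token in IPV4.findall(value):
            try:
                if ipaddress.ip_address(token).is_private:
                    found.append(token)
            except ValueError:
                pass  # not a valid address, ignore
    return found


def triage(records):
    """Group records per public IP and attach findings a defender acts on."""
    hosts = {}
    for rec in records:
        host = hosts.setdefault(rec["ip_str"], {
            "country": rec["location"]["country_code"],
            "org": rec["org"], "services": [], "findings": []})
        product, version, kv = parse_banner(rec["port"], rec["data"])
        host["services"].append((rec["port"], product, version))
        for ip in leaked_private_ips(kv):
            host["findings"].append(f"banner leaks internal address {ip}")
        if "Location" in kv:
            host["findings"].append(f"banner leaks physical location '{kv['Location']}'")
        if "IIS" in rec["data"] or "ASP.NET" in rec["data"]:
            host["findings"].append(
                f"management web UI (IIS/ASP.NET) reachable on port {rec['port']}")
    return hosts


def exposure_by_country(hosts):
    """Count exposed hosts per country code (the 'who leads the pack' view)."""
    return Counter(h["country"] for h in hosts.values())


def mine(hosts, cidrs):
    """Exposed hosts inside the address ranges you are responsible for."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return {ip: h for ip, h in hosts.items()
            if any(ipaddress.ip_address(ip) in n for n in nets)}


if __name__ == "__main__":
    hosts = triage(SAMPLE_EXPORT)
    print("exposed hosts by country:", dict(exposure_by_country(hosts)))
    for ip, h in mine(hosts, ["203.0.113.0/24"]).items():   # your own range
        print(ip, h["org"], h["services"])
        for finding in h["findings"]:
            print("   !", finding)
```

Run it against a real export by loading one JSON object per line in place of SAMPLE_EXPORT and passing your own public netblocks to mine(). Any host it returns is a site you put on the internet that Shodan already lists.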
If you want to try it out yourself, go to https://www.shodan.io.
If you would like more information on Shodan or any of my other posts, email me at email@example.com.
If you haven’t seen these maps, they can be eye-opening. These are real-time and/or near-real-time threat maps that are readily available online.
They cover traffic such as:
- DDoS (distributed denial of service): the intentional paralyzing of a computer network by flooding it with data sent simultaneously from many individual computers
- IDS (intrusion detection systems): network attack detection flow
- VUL (vulnerability scan): vulnerability detection flow
- MAV (mail anti-virus): malware detection flow during a Mail Anti-Virus scan, when new objects appear in an email application
- WAV (web anti-virus): malware detection flow during a Web Anti-Virus scan, when the HTML page of a website opens or a file is downloaded
- OAS (on-access scan): malware detection flow during an On-Access Scan, i.e. when objects are accessed during open, copy, run or save operations
- ODS (on-demand scanner): malware detection flow during an On-Demand Scan, when the user manually selects “Scan for viruses”
- Attack types against (all types not listed):
Various companies touting their cyber security offerings like to throw these up behind them during photo ops. They are impressive, but more importantly they show us the unseen cyber world and the fact that we are under attack.
The list below includes pictures of the sites and the links to view them in real-time.
Live Norse Attack Map – Norse collects and analyzes live threat intelligence from darknets in hundreds of locations in over 40 countries. The attacks shown are based on a small subset of live flows against the Norse honeypot infrastructure, representing actual worldwide cyber attacks by bad actors.
Kaspersky Lab’s CYBERTHREAT Real-Time Map – Kaspersky Lab has launched an interactive cyberthreat map that visualizes cyber security incidents occurring worldwide in real time. The types of threats displayed include malicious objects detected during on-access and on-demand scans, email and web antivirus detections, as well as objects identified by vulnerability and intrusion detection sub-systems.
Digital Attack Map – The Digital Attack Map displays global DDoS activity on any given day. Attacks are displayed as dotted lines, scaled to size, and placed according to the source and destination countries of the attack traffic when known.
Fortinet Threat Map – Remote execution attacks, memory related attacks, remote location attacks, denial of service attacks (DoS), etc.
There are more maps that do some of the same type of tracking as well as track other threats. The list below includes the sites listed in this article as well as others.
(This one must be run in Chrome.)
Young Gun, Rob Allen welcomes the incomparable Roger Rebennack to 7 Minutes in Control. Roger, one of the most knowledgeable experts in access and security systems, shares with Rob the 5 primary reasons building owners and facility managers need to integrate access and security controls to their Building Automation Control Systems now. But that’s not all, if you know Roger, sometimes known as the hardest working, most exciting man in building automation controls, you know that he will not be limited by any obstacles or time restrictions. Seven Minutes? I don’t think so! Be prepared to be educated and entertained by the one and only Roger Rebennack.
Dan Kaufman, head of the Software Innovation Division for DARPA (Defense Advanced Research Projects Agency) was asked a question by Lesley Stahl of 60 Minutes (view 60 Minutes segment) “Can the Internet be fixed? Or do we just have to throw this one out and build a whole new Internet from scratch, with security built in?” His response was “I don’t think the Internet is broken. I think the things we put on the Internet are broken. What we’re doing is we’re putting a lotta devices on it that are unsecure.”
For the controls industry this is a very true statement. However, the human element can and will supersede any measure of security that is put in place. So no matter if every device was replaced on the internet with highly secure, hardened devices, we will find a way to leave ourselves vulnerable.
So what is human patching…?
For the most part we all have varying degrees of understanding about what it means to patch a device, operating system, platform, etc. The basic definition is “…a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs, and improving the usability or performance.“
Human patching is a lot like the definition for devices, operating systems, platforms, etc. It is an updating of our thought processes, our habits, and how we view the security of our systems, replacing bad security habits with good security habits. The problem is that all it takes is one “un-patched” human to take down an entire company’s security measures. Patching “things” is much easier than patching humans, as you can imagine. You can’t just “patch” one person in your organization; you have to “patch” your company’s culture. This takes time.
What needs to be “patched”?
There is a lot of information on the web about changing human behavior as it relates to cyber security. You could spend days researching how to do this, and it could leave you feeling overwhelmed. Like the saying goes, “you can’t eat the entire elephant in one bite”; you can’t patch your human workforce in one day. Okay… I hate to use a cliché, but here goes another one… Go after the low-hanging fruit first. Here are some of the “low-hanging fruit” you probably have in your organization.
- Realize that any data you possess needs to be protected.
- Information that seems harmless on its own can be combined with other details to gain access. So whether the info belongs to the customer, to your organization, or to yourself, lock it down.
- When you are not at your computer, lock it. At the very least, set a short screen-lock timeout that requires your password to unlock.
- Do not use passwords that relate to you, such as birthdays, your spouse, or your children. Social engineers love it when you do.
- Have the lock screen enabled on your smart devices. Enabling a complex passcode is preferred.
- Do not share your usernames and passwords with anyone or have them written down.
- We all have tons of usernames and passwords we must remember in order to do our job. Research and put into action a password manager that encrypts its vault. Most good password managers will require a very strong, complex master password.
- If you are not 100% sure of the origin of an email, delete it.
- Do not open attachments unless you are 100% sure they are safe.
- Turn off “automatically download attachments.”
- Keep your operating system, browser, anti-virus and other critical software up to date with the latest patches and definitions.
- Do not give out personal information over the phone or in an email unless you are 100% sure of who is asking.
- Be suspicious. Social engineers use our trusting nature to get what they need.
The controls industry has become safety aware through company culture. This didn’t happen overnight and cyber aware won’t either. Help create a culture of cyber aware inside your organization. One person in the organization that is cyber aware is not enough. It takes every person realizing they are as much a part of the solution as anyone else.
Young gun, Rob Allen, caught up with “The Godfather” ( yes, he will make you an offer you can’t refuse), Ed Merwin, at the 2015 Realcomm|IBcon conference. What was the offer? Well, here is a hint, the number 4 is involved.
Ed gives Rob an update on Niagara 4 and his take on the conference. Did you know that the JACE 8000 won a DIGI award at this year’s RealComm/IBcon? Well, you do now. Congratulations to Ed and the team at Tridium. Good job Rob!
Neptronic, a leading manufacturer of HVAC products and solutions since 1976, is proud to announce that their game-changing Next Generation VAV and Fan Coil Controllers are available NOW! Huge hardware, software, and network improvements provide better precision, more application versatility, upgrades to BACnet V14, menu-selectable BACnet or Modbus protocols, and context-driven menus. Visit Neptronic today to see more features and benefits of Neptronic’s Next Generation Controllers!
It used to be that if you had a Siemens Building Automation Control System you had to go to the Siemens branch to buy all your replacement parts, including sensors. Although you still have to go back to the Siemens branch or a factory-direct contractor to get your proprietary Siemens Building Automation controllers, you now have the option of buying the communicating wall sensors from independent distributors like the ones in Controls Group North America.
Couple this with the fact that CGNA distributors have been stocking Siemens valves, actuators, non proprietary sensors, Siemens variable frequency drives and energy meters, and you can see that Siemens is empowering their customers with another buying choice for replacement building automation parts.
I like the direction Siemens is going.