23601 honeywell security cs

Upload: malyshav

Post on 08-Apr-2018


  • 8/6/2019 23601 Honeywell Security CS


    Microsoft Visual Studio .NET
    Customer Solution Case Study

    Honeywell Builds Secure Process Knowledge Systems with Microsoft

    Overview
    Country or Region: United States
    Industry: Industrial Automation

    Customer Profile
    Honeywell Process Solutions (HPS) provides products and services to the process automation industry, including cyber security for the company's large industrial and petrochemical customers.

    Business Situation
    HPS realizes the benefits of open technology and recognizes the need to secure automation systems against abnormal situations and nontraditional threats.

    Solution
    HPS committed to continual improvement in the security of its flagship Experion Process Knowledge System (PKS) product and deepened its partnership commitment with Microsoft to joint, trustworthy computing.

    Benefits
    • Improved plant operations
    • Outstanding collaborative support for security
    • Easy migration and integration

    "When we talk with customers, one of the things that differentiates us is that we make security part of the infrastructure of the system. It's pervasive: it's at every level, it's in everything."

    Honeywell Process Solutions (HPS) builds and delivers automation products and services to support a wide range of heavy industries, including refining, chemicals, pharmaceuticals, mining, and energy. The reliability and security of control systems in these industries are critical not only to efficient plant operation and business success, but also to the avoidance of failures and risk mitigation. Honeywell's flagship product, Experion Process Knowledge System (PKS), is a process knowledge system with key components based on advanced Microsoft Windows operating systems and .NET connection software. Working in close collaboration with Microsoft, HPS has pioneered groundbreaking methods of securing Windows-based solutions that improve the decision-making effectiveness of plant operators under normal and abnormal conditions.


    Situation
    Honeywell Process Solutions (HPS), a business unit within Honeywell's Automation and Control business segment, serves a U.S.$15 billion installed-customer base and supplies them with process automation products. Clients depend on HPS for the infrastructure that controls complex production processes involving high temperatures and pressures typically found in production industries such as energy, chemical, and pharmaceutical.

    In recent years, threats against open systems have escalated the need for securing computing infrastructures within production facilities. In 2004, the U.S. Department of Homeland Security advised that refineries and petrochemical plants are to be considered potential terrorism targets. This heightened reality has given momentum to industry and government initiatives aimed at enhancing the security of industrial facilities in ways that meet nontraditional threat scenarios.

    Says Kevin Staggs, Control System Solution Planner at HPS, "Our clients are operating some very sensitive processes. A significant failure can cause a plant to shut down or worse, so everything we do is built around safety and availability. When we talk with customers, one of the things that differentiates us is that we make security part of the infrastructure of the system. It's pervasive: it's at every level, it's in everything."

    Honeywell has long had a reputation for delivering process automation products that exceed the highest standards for safety and security. Its flagship system is the Experion Process Knowledge System (PKS). Experion PKS is designed for operators to monitor and control complex processes. It gathers data from a range of diverse sources, including field sensors, control equipment, and other supervisory systems, then presents this data to the operator through graphical displays. A single point of access to all process information helps improve operator performance and ensure safety.

    Experion PKS comprises a Control Execution Environment (CEE) at the industrial controller level that controls plant processes, using Experion servers and databases to gather and organize information, and Experion stations to provide the human-machine interface (HMI) with the operator. At the industrial controller level, HPS manufactures equipment integrating proprietary, real-time operating systems. Starting in 1996, the server-level software has run on Microsoft Windows operating system platforms. Operator stations run on Windows-based PCs and use Microsoft Internet Explorer technology as a basis for the HMI display. A medium-size implementation might include 15 operator stations and two Experion servers.

    The entire Experion PKS architecture includes many products that securely integrate into a complete performance solution, as shown in Figure 1.

    Honeywell Process Solutions wanted to introduce new features and capabilities into Experion PKS. The goal was to increase the level of information visibility between higher-level business applications and lower-level process control systems to create a truly enterprise-wide knowledge system for manufacturing organizations. Any changes to the HPS process automation software, however, would have to meet two stringent requirements.

    1. All changes must accommodate legacy technology. The industries served by HPS depend on complex systems with life spans of 15 years and longer. "We need to be able to integrate today's technology with controllers that we shipped in 1974," points out Staggs. "We will never leave anybody behind, which creates some very significant challenges."

    2. Safety and security must remain priority one. Increased levels of integration between the realm of business applications and the world of industrial controls might run the risk of creating new susceptibilities and possibilities for failure. Understanding and eliminating such risk remains the utmost concern of HPS when considering any changes to Experion PKS.

    Figure 1. Experion PKS servers and stations in the Experion platform architecture.

    Solution
    The most recent release of Experion PKS, R300, represents the latest step in Honeywell's carefully considered plan to provide greater value to its customers through the inclusion of advanced Microsoft technologies. The Experion server, which first migrated from UNIX to a Windows platform in 1996, now runs on Microsoft Windows Server 2003 operating system and uses Microsoft SQL Server 2000. Some of the Experion applications are built with Microsoft Visual Studio .NET 2003 on the Microsoft .NET Framework version 1.1. Technologies, such as Windows Forms, provide information from both the plant floor and the business enterprise to human operators on Windows XP operating system-based client stations.

    HPS developers use .NET-connected technologies extensively in carefully selected parts of Experion PKS, particularly in its user interface elements and offline configuration tools. "Applications, such as movement automation, blending applications, and business applications, are utilizing .NET," says Andrew Duca, System Architect at HPS. "All our integrated tools used for configuring and engineering a system within our Configuration Studio are based on smart client technology and .NET."

    The user interface provided by the company's own HMIWeb technology is a particularly important component of the Experion PKS system because it is directly tied to the ability of the operator to control processes efficiently. During system implementation, the HMIWeb Display Builder is used to create custom displays showing graphical representations of processes (such as pumps, valves, tanks, and pipes). Animation and scripts can be used to change the visualization of the display when changes occur. This customization of the Internet Explorer-based display can be accomplished by using .NET-connected technologies like Windows Forms.

    HPS has a Premier Independent Software Vendor (ISV) agreement with Microsoft and works closely with Microsoft Partner Services on security topics. In order to deploy secure Windows-based server and workstation products, Experion PKS R300 uses a number of special techniques that include:

    • A series of scripts lock down the file system and registry during the installation of the operating system.

    • A series of local groups are created and the system is locked down based on those groups before any HPS application is even installed on the machine.

    • Experion Server is installed onto a Windows Server 2003 Service Pack 1 (SP1) platform, and the Experion Server firewall feature is, by default, on.

    • A strict separation is enforced between the process control side of the system and the business application side. A client on one side never crosses the boundary to access a server on the other side. Server-to-server interactions across that boundary are carefully limited through protocols that require, for example, special shadow servers.

    • Increasingly, Experion products are moving toward a domain model in which an application must be deployed into a Windows domain, either the business domain or the control domain. Eliminating trust relationships between the domains will compartmentalize risk.

    • Group policy objects are used in Experion deployments. HPS provides its group policy templates (based on provided group policy objects) for its customers to integrate into organizational units. In some cases, HPS scripts the whole process of creating a domain and setting up security.

    The new technologies coming down the road in Windows and .NET will help us accomplish [our] goal through constantly improving collaborative decision-support tools and better
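    The boundary rule in the list above can be checked against observed traffic. The following is an added example, not Honeywell or Microsoft code: it audits constructed flow records against a constructed host inventory, and it assumes (the case study does not spell this out) that a cross-zone flow is acceptable only when neither end is a client and at least one end is a designated shadow server. All host names, zones, roles and ports are hypothetical.

```python
"""Audit flow records against the two-zone boundary rule (added example)."""
from dataclasses import dataclass

# Constructed inventory: host -> (zone, role). Names, zones and roles are
# hypothetical; "shadow" marks a server designated for cross-zone exchange.
INVENTORY = {
    "stn-01":  ("control", "client"),
    "exp-srv": ("control", "server"),
    "exp-shd": ("control", "shadow"),
    "erp-srv": ("business", "server"),
    "erp-pc7": ("business", "client"),
}

# Constructed flow records: (source host, destination host, destination port).
FLOWS = [
    ("stn-01", "exp-srv", 443),    # same zone
    ("erp-pc7", "exp-srv", 443),   # business client -> control server
    ("erp-srv", "exp-srv", 1433),  # server-to-server, no shadow involved
    ("erp-srv", "exp-shd", 1433),  # server-to-server via the shadow server
    ("stn-01", "erp-srv", 80),     # control client -> business server
    ("lab-x", "exp-srv", 3389),    # source missing from the inventory
]


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    port: int
    reason: str


def check_flow(src, dst, port, inventory=INVENTORY):
    """Return a Finding if the flow breaks the boundary rule, else None."""
    if src not in inventory or dst not in inventory:
        # An unclassified host cannot be shown to respect the boundary.
        return Finding(src, dst, port, "unclassified-host")
    (src_zone, src_role), (dst_zone, dst_role) = inventory[src], inventory[dst]
    if src_zone == dst_zone:
        return None
    if "client" in (src_role, dst_role):
        return Finding(src, dst, port, "client-crosses-boundary")
    if "shadow" not in (src_role, dst_role):
        # Assumed reading of the rule: cross-zone server traffic needs a shadow.
        return Finding(src, dst, port, "server-to-server-without-shadow")
    return None


def audit(flows, inventory=INVENTORY):
    """Check every flow and return the violations in input order."""
    findings = (check_flow(s, d, p, inventory) for s, d, p in flows)
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for f in audit(FLOWS):
        print(f"{f.src} -> {f.dst}:{f.port}  {f.reason}")
```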

    Honeywell will continually place an emphasis on Experion PKS security. Future versions will likely be built on an even more compartmentalized model that will eliminate all trust relationships between domains and synchronization between machines. To test the effectiveness of its security measures, Honeywell's white hat teams stage network-based attacks against the Experion servers and stations.

    Benefits
    Safety and environmental protection go beyond regulatory compliance, with constant pressure to safeguard people, assets, and profitability while increasing efficiency. Honeywell Process Solutions uses the power of Windows to extend the role and scope of automation for its customers. Using Microsoft .NET software, Honeywell continues to improve the ability of plant operators to view and comprehend processes in real time, especially under abnormal conditions.

    Improved Plant Operations
    Experion PKS uses Windows operating systems and .NET connection software to help integrate process control information with business information in manufacturing plants. Better visibility into enterprise-wide information increases efficiencies, improves uptime, and reduces plant life-cycle costs for its customers. Not only are the Windows-based servers and workstations securely locked down, but also their advanced ability to gather, store, analyze, and present information to plant operators can actually improve the safety and security of the plant under abnormal conditions. Better information delivered more quickly to the operator can prevent or mitigate catastrophic failures.

    "Windows platforms will enable us to build next-generation operator environments that use best guidance from the Abnormal Situation Management Consortium," remarks Duca. "We are working toward an integrated cockpit that brings exactly the right information to the operators at exactly the right time, without overloading them with too much non-critical information. The new technologies coming down the road in Windows and .NET will help us accomplish that goal through constantly improving collaborative decision-support tools and better display technology."

    Outstanding Collaborative Support for Security
    Honeywell Process Solutions has introduced the latest Windows and .NET technologies into an environment tightly constrained by extreme safety and security requirements. In collaboration with Microsoft, Honeywell's years of experience and Six Sigma methodology have enabled it to pioneer some of the safest and most secure methods in the world for implementing Windows-based systems.

    "Our collaboration on security was a two-way street. The HPS engineers learned about our approach to threat modeling, and they gave us good feedback that we incorporated into our own methodology."

    The Microsoft Partner Services team provides both proactive and reactive support for development and deployment projects by HPS. According to Duca, "The Partner Services team is a virtual extension of our development team."

    The benefits of close collaboration for trustworthy computing are exemplified by the Threat Modeling Workshop Microsoft delivered for the developers and architects at HPS. Microsoft experts shared their internal methodology used to test business application security, then the Microsoft and HPS engineers worked together to determine how threat modeling could best be applied to the HPS systems. "Our collaboration on security was a two-way street," according to Ned Curic, Strategic Security Advisor at Microsoft. "The HPS engineers learned about our approach to threat modeling, and they gave us good feedback that we incorporated into our own methodology."

    Easy Migration and Integration
    Honeywell's customers deploy the latest Experion PKS servers and stations, which are based on Windows Server 2003 and Windows XP, right alongside other systems that have typically been in place for 10 years or more. Everything about these Experion products has been designed to be safe, secure, and compatible with the proven technologies of Honeywell's legacy process control systems.

    Customers in the automation industry do not typically upgrade their systems as often as do other enterprises. Honeywell Process Solutions, therefore, takes tremendous advantage of Microsoft's extended product life-cycle policies to support HPS customers over the long term. HPS helps its customers maintain older systems and augments those systems with new features and capabilities that take advantage of the latest Windows technologies. When it is time to upgrade, the continuity of the Windows platform enables HPS to offer its customers a clear upgrade path from any previous point to the current product.


    Microsoft Visual Studio .NET
    Microsoft Visual Studio .NET is the rapid application development (RAD) tool for building next-generation Web applications and XML-based Web services. Visual Studio .NET empowers developers to rapidly design broad-reach Web applications for any device and any platform. In addition, Visual Studio .NET is fully integrated with the Microsoft .NET Framework, providing support for multiple programming languages and automatically handling many common programming tasks, freeing developers to rapidly create Web applications using their language of choice.

    For more information about Visual Studio .NET, go to:
    msdn.microsoft.com/vstudio

    Acquire Visual Studio .NET:
    msdn.microsoft.com/vstudio/howtobuy

    MSDN Subscriptions:
    msdn.microsoft.com/subscriptions

    Microsoft .NET Framework
    The Microsoft .NET Framework is an integral Windows component for building and running the next generation of applications and XML-based Web services.

    For more information about the .NET Framework, go to:
    msdn.microsoft.com/netframework

    For More Information
    For more information about Microsoft products and services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (877) 568-2495. Customers who are deaf or hard-of-hearing can reach Microsoft text telephone (TTY/TDD) services at (800) 892-5234 in the United States or (905) 568-9641 in Canada. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information using the World Wide Web, go to:
    www.microsoft.com

    For more information about Honeywell Process Solutions products and services, call 1-877-466-3993 or visit the Web site at:
    www.honeywell.com/ps

    © 2006 Microsoft Corporation. All rights reserved. This case study is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, MSDN, the .NET logo, Visual Studio, the Visual Studio logo, Windows, the Windows logo, Windows Server, and Windows Server System are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

    Document published December 2005

    Software and Services
    • Microsoft Windows Server System
    • Microsoft Windows Server 2003
    • Microsoft SQL Server 2000
    • Microsoft Internet Explorer
    • Microsoft Visual Studio .NET 2003
    • Microsoft Windows XP

    Services
    • Microsoft Partner Services

    Technologies
    • Microsoft .NET Framework version 1.1
    • Microsoft Windows Forms

    Partner Solutions
    • Abnormal Situation Management Consortium
    • Experion Process Knowledge System
