23601 honeywell security cs
TRANSCRIPT
-
8/6/2019 23601 Honeywell Security CS
1/7
Microsoft Visual Studio .NETCustomer Solution Case Study
Honeywell Builds Secure ProcessKnowledge Systems with Microsoft
OverviewCountry or Region: United StatesIndustry: Industrial Automation
Customer Profile
Honeywell Process Solutions (HPS)
provides products and services to
the process automation industry,
including cyber security for the
companys large industrial and
petrochemical customers.
Business Situation
HPS realizes the benefits of open
technology and recognizes the need
to secure automation systems
against abnormal situations and
nontraditional threats.
Solution
HPS committed to continual
improvement in the security of its
flagship Experion Process
Knowledge System (PKS) product
and deepened its partnership
commitment with Microsoft to joint,
trustworthy computing.
Benefits
Improved plant operations Outstanding collaborative support
for security
Easy migration and integration
When we talk with customers, one of thethings that differentiates us is that we make
security part of the infrastructure of thesystem. Its pervasive: its at every level, itsin everything.
Honeywell Process Solutions (HPS) builds and delivers
automation products and services to support a wide
range of heavy industries, including refining, chemicals,
pharmaceuticals, mining, and energy. The reliability and
security of control systems in these industries is critical
not only to efficient plant operation and business
success, but also to the avoidance of failures and risk
mitigation. Honeywells flagship product Experion
Process Knowledge System (PKS) is a process
knowledge system with key components based on
advanced Microsoft Windows operating systems
and .NET connection software. Working in close
collaboration with Microsoft, HPS has pioneered
groundbreaking methods of securing Windows-based
solutions that improve the decision-making
effectiveness of plant operators under normal and
abnormal conditions.
-
8/6/2019 23601 Honeywell Security CS
2/7
SituationHoneywell Process Solutions (HPS), a
business unit within Honeywells
Automation and Control business
segment, serves a U.S.$15 billion
installed-customer base and supplies
them with process automation
products. Clients depend on HPS for
the infrastructure that controls
complex production processes
involving high temperatures and
pressures typically found in
production industries such as energy,
chemical, and pharmaceutical.
In recent years, threats against open
systems have escalated the need for
securing computing infrastructures
within production facilities. In 2004,
the U.S. Department of Homeland
Security advised that refineries and
petrochemical plants are to be
considered potential terrorism
targets. This heightened reality has
given momentum to industry andgovernment initiatives aimed at
enhancing the security of industrial
facilities in ways that meet
nontraditional threat scenarios.
Says Kevin Staggs, Control System
Solution Planner at HPS, Our clients
are operating some very sensitive
processes. A significant failure can
cause a plant to shut down or worse,
so everything we do is built around
safety and availability. When we talk
with customers, one of the things thatdifferentiates us is that we make
security part of the infrastructure of
the system. Its pervasive: its at
every level, its in everything.
Honeywell has long had a reputation
for delivering process automation
products that exceed the highest
standards for safety and security. Its
flagship system is the Experion
Process Knowledge System (PKS).
Experion PKS is designed for
operators to monitor and control
complex processes. It gathers data
from a range of diverse sources,
including field sensors, control
equipment, and other supervisory
systems, then presents this data to
the operator through graphical
displays. A single point of access to all
process information helps improve
operator performance and ensure
safety.
Experion PKS comprises a Control
Execution Environment (CEE) at the
industrial controller level that controls
plant processes, using Experion
servers and databases to gather and
organize information, and Experion
stations to provide the human-
machine interface (HMI) with the
operator. At the industrial controller
level, HPS manufactures equipmentintegrating proprietary, real-time
operating systems. Starting in 1996,
the server-level software has run on
Microsoft Windows operating
system platforms. Operator stations
run on Windows-based PCs and use
Microsoft Internet Explorer technology
as a basis for the HMI display. A
medium-size implementation might
include 15 operator stations and two
Experion servers.
The entire Experion PKS architectureincludes many products that securely
integrate into a complete
performance solution, as shown in
Figure 1.
Honeywell Process Solutions wanted
to introduce new features and
capabilities into Experion PKS. The
goal was to increase the level of
-
8/6/2019 23601 Honeywell Security CS
3/7
information visibility between higher-
level business applications and lower-
level process control systems to
create a truly enterprise-wide
knowledge system for manufacturing
organizations. Any changes to the
HPS process automation software,
however, would have to meet two
stringent requirements.
1.All changes must accommodate
legacy technology. The industries
served by HPS depend on complex
systems with life spans of 15 years
and longer. We need to be able to
integrate todays technology with
controllers that we shipped in 1974,
points out Staggs. We will never
leave anybody behind, which creates
some very significant challenges.
2. Safety and security must remain
priority one. Increased levels of
integration between the realm of
business applications and the world of
industrial controls might run the risk
of creating new susceptibilities and
possibilities for failure. Understanding
and eliminating such risk remains the
utmost concern of HPS when
considering any changes to Experion
PKS.
SolutionThe most recent release of Experion
PKS, R300, represents the latest step
in Honeywells carefully considered
Figure 1. Experion PKS servers
and stations in the Experion
platform architecture.
-
8/6/2019 23601 Honeywell Security CS
4/7
plan to provide greater value to its
customers through the inclusion of
advanced Microsoft technologies. The
Experion server, which first migrated
from UNIX to a Windows platform in
1996, now runs on Microsoft Windows
Server 2003 operating system and
uses Microsoft SQL Server 2000.
Some of the Experion applications are
built with Microsoft Visual Studio
.NET 2003 on the Microsoft .NET
Framework version 1.1. Technologies,
such as Windows Forms, provide
information from both the plant floor
and the business enterprise to human
operators on Windows XP operating
systembased client stations.
HPS developers use .NET-connected
technologies extensively in carefully
selected parts of Experion PKS,
particularly in its user interface
elements and offline configuration
tools. Applications, such as
movement automation, blendingapplications, and business
applications, are utilizing .NET, says
Andrew Duca, System Architect at
HPS. All our integrated tools used for
configuring and engineering a system
within our Configuration Studio are
based on smart client technology
and .NET.
The user interface provided by the
companys own HMIWeb technology is
a particularly important component of
the Experion PKS system because it isdirectly tied to the ability of the
operator to control processes
efficiently. During system
implementation, the HMIWeb Display
Builder is used to create custom
displays showing graphical
representations of processes (such as
pumps, valves, tanks, and pipes).
Animation and scripts can be used to
change the visualization of the display
when changes occur. This
customization of Internet Explorer
based display can be accomplished by
using .NET-connected technologies
like Windows Forms.
HPS has a Premier Independent
Software Vendor (ISV) agreement
with Microsoft and works closely with
Microsoft Partner Services on security
topics. In order to deploy secure
Windows-based server and
workstation products, Experion PKS
R300 uses a number of special
techniques that include:
A series of scripts lock down the file
system and registry during the
installation of the operating system.
A series of local groups are created
and the system is locked down
based on those groups before any
HPS application is even installed on
the machine.
Experion Server is installed onto aWindows Server 2003 Service Pack
1 (SP1) platform, and the Experion
Server firewall feature isby
defaulton.
A strict separation is enforced
between the process control side of
the system and the business
application side. A client on one
side never crosses the boundary to
access a server on the other side.
Server-to-server interactions across
that boundary are carefully limited
through protocols that require, forexample, special shadow servers.
Increasingly, Experion products are
moving toward a domain model in
which an application must be
deployed into a Windows domain
either the business domain or the
control domain. Eliminating trust
relationships between the domains
will compartmentalize risk.
The newtechnologies comingdown the road inWindows and .NET
will help usaccomplish [our]goal throughconstantlyimprovingcollaborativedecision-supporttools and better
-
8/6/2019 23601 Honeywell Security CS
5/7
Group policy objects are used in
Experion deployments. HPS
provides its group policy templates
(based on provided group policy
objects) for its customers to
integrate into organizational units.
In some cases, HPS scripts the
whole process of creating a domain
and setting up security.
Honeywell will continually place an
emphasis on Experion PKS security.
Future versions will likely be built on
an even more compartmentalized
model that will eliminate all trust
relationships between domains and
synchronization between machines.
To test the effectiveness of its
security measures, Honeywells
white hat teams stage network-
based attacks against the Experion
servers and stations.
Benefits
Safety and environmental protectiongo beyond regulatory compliance,
with constant pressure to safeguard
people, assets, and profitability while
increasing efficiency. Honeywell
Process Solutions uses the power of
Windows to extend the role and scope
of automation for its customers. Using
Microsoft .NET software, Honeywell
continues to improve the ability of
plant operators to view and
comprehend processes in real time,
especially under abnormal conditions.
Improved Plant Operations
Experion PKS uses Windows operating
systems and .NET connection
software to help integrate process
control information with business
information in manufacturing plants.
Better visibility into enterprise-wide
information increases efficiencies,
improves uptime, and reduces plant
life-cycle costs for its customers. Not
only are the Windows-based servers
and workstations securely locked
down, but also their advanced ability
to gather, store, analyze, and present
information to plant operators can
actually improve the safety and
security of the plant under abnormal
conditions. Better information
delivered more quickly to the
operator can prevent or mitigate
catastrophic failures.
Windows platforms will enable us to
build next-generation operator
environments that use best guidance
from the Abnormal Situation
Management Consortium, remarks
Duca. We are working toward an
integrated cockpit that brings exactly
the right information to the operators
at the exactly the right time, without
overloading them with too much non-
critical information. The new
technologies coming down the road inWindows and .NET will help us
accomplish that goal through
constantly improving collaborative
decision-support tools and better
display technology.
Outstanding Collaborative Support for
Security
Honeywell Process Solutions has
introduced the latest Windows and
.NET technologies into an
environment tightly constrained by
extreme safety and securityrequirements. In collaboration with
Microsoft, Honeywells years of
experience and Six Sigma
methodology have enabled it to
pioneer some of the safest and most
secure methods in the world for
implementing Windows-based
systems.
Our collaborationon security was atwo-way street. TheHPS engineerslearned about ourapproach to threatmodeling, and theygave us goodfeedback that weincorporated intoour ownmethodology.
-
8/6/2019 23601 Honeywell Security CS
6/7
The Microsoft Partner Services team
provides both proactive and reactive
support for development and
deployment projects by HPS.
According to Duca, The Partner
Services team is a virtual extension of
our development team.
The benefits of close collaboration for
trustworthy computing are
exemplified by the Threat Modeling
Workshop Microsoft delivered for the
developers and architects at HPS.
Microsoft experts shared their internal
methodology used to test business
application security, then the
Microsoft and HPS engineers worked
together to determine how threat
modeling could best be applied to the
HPS systems. Our collaboration on
security was a two-way street,
according to Ned Curic, Strategic
Security Advisor at Microsoft. The
HPS engineers learned about our
approach to threat modeling, andthey gave us good feedback that we
incorporated into our own
methodology.
Easy Migration and Integration
Honeywells customers deploy the
latest Experion PKS servers and
stations, which are based on Windows
Server 2003 and Windows XP, right
alongside other systems that have
typically been in place for 10 years or
more. Everything about these
Experion products has been designedto be safe, secure, and compatible
with the proven technologies of
Honeywells legacy process control
systems.
Customers in the automation industry
do not typically upgrade their
systems as often as do other
enterprises. Honeywell Process
Solutions, therefore, takes
tremendous advantage of Microsofts
extended product life-cycle policies to
support HPS customers over the long
term. HPS helps its customers
maintain older systems and augments
those systems with new features and
capabilities that take advantage of
the latest Windows technologies.
When it is time to upgrade, the
continuity of the Windows platform
enables HPS to offer its customers a
clear upgrade path from any previous
point to the current product.
-
8/6/2019 23601 Honeywell Security CS
7/7
Microsoft Visual Studio.NETMicrosoft Visual Studio .NET is the
rapid application development (RAD)
tool for building next-generation Web
applications and XML-based Web
services. Visual Studio .NET empowers
developers to rapidly design broad-
reach Web applications for any device
and any platform. In addition, Visual
Studio .NET is fully integrated with the
Microsoft .NET Framework, providing
support for multiple programming
languages and automatically handling
many common programming tasks,
freeing developers to rapidly create
Web applications using their language
of choice.
For more information about Visual
Studio .NET, go to:
msdn.microsoft.com/vstudio
Acquire Visual Studio .NET:
msdn.microsoft.com/vstudio/howtobuy
MSDN Subscriptions:
msdn.microsoft.com/subscriptions
Microsoft .NET FrameworkThe Microsoft .NET Framework is an
integral Windows component for
building and running the next
generation of applications and XML-
based Web services.
For more information about the .NET
Framework, go to:
msdn.microsoft.com/netframework
For More InformationFor more information about
Microsoft products and services, call
the Microsoft Sales Information
Center at (800) 426-9400. In
Canada, call the Microsoft Canada
Information Centre at (877) 568-
2495. Customers who are deaf or
hard-of-hearing can reach Microsoft
text telephone (TTY/TDD) services
at (800) 892-5234 in the United
States or (905) 568-9641 in Canada.
Outside the 50 United States and
Canada, please contact your local
Microsoft subsidiary. To access
information using the World Wide
Web, go to:www.microsoft.com
For more information about
Honeywell Process Solutions
products and services, call 1-877-
466-3993 or visit the Web site at:
www.honeywell.com/ps
2006 Microsoft Corporation. All rights reserved.This case study is for informational purposes only.MICROSOFT MAKES NO WARRANTIES, EXPRESS ORIMPLIED, IN THIS SUMMARY.Microsoft, MSDN, the .NET logo, Visual Studio, theVisual Studio logo, Windows, the Windows logo,Windows Server, and Windows Server System areeither registered trademarks or trademarks ofMicrosoft Corporation in the United States and/orother countries. All other trademarks are property oftheir respective owners.
Document published December 2005
Software and Services Microsoft Windows Server
System Microsoft Windows Server 2003
Microsoft SQL Server 2000
Microsoft Internet Explorer
Microsoft Visual Studio .NET 2003
Microsoft Windows XP
Services
Microsoft Partner Services
Technologies
Microsoft .NET Framework
version 1.1 Microsoft Windows Forms
Partner Solutions
Abnormal Situation
Management Consortium
Experion Process Knowledge
System
http://msdn.microsoft.com/vstudiohttp://msdn.microsoft.com/vstudio/howtobuyhttp://msdn.microsoft.com/subscriptionshttp://www.microsoft.com/http://www.microsoft.com/http://www.honeywell.com/pshttp://www.microsoft.com/http://www.honeywell.com/pshttp://msdn.microsoft.com/vstudiohttp://msdn.microsoft.com/vstudio/howtobuyhttp://msdn.microsoft.com/subscriptions