When it comes to wiring accessory replacement, a number of questions are often raised regarding the competence of those doing the task as well as the necessary testing required once the job is complete. This technical bulletin, written by Richard Giddings, ECA Technical Manager, addresses these questions and provides some best practice guidance that can be applied equally to both commercial and domestic locations.
Often undertaken by semi-skilled operatives or fully qualified experienced practitioners, wiring accessory replacement is usually viewed as merely a ‘like for like’ change, of something already in service with the simplistic opinion that if somebody can use a screwdriver they should be able to copy a configuration which is already there in front of them.
This is partly true, however further critical questions could arise, for example: what if someone was to
allege receiving an electric shock from the wiring accessory? Or perhaps, what if the wiring accessory was later implicated further in a fire situation?
Consequently, unless basic testing and verification is undertaken as part of the accessory replacement, the person undertaking this seemingly simple task may eventually find themselves in a situation where they are liable and have a case to answer to.
Relying on Standards
BS 7671 is unhelpful in this manner, in that there are no specific regulations regarding what needs to be done when carrying out such work.
Indeed, BS 7671, under what it defines ‘Minor Works’ (together with its associated ‘Minor Electrical Installation Works Certificate’) also falls short with such work, as the BS 7671 definition of ‘Minor Works’ is, ‘work comprising an alteration or addition, that does not include the provision of a new circuit’.
Under these definitions simple wiring accessory/light fitting replacement clearly falls outside the scope of BS 7671 – yet still, the liability remains on the person responsible for the work.
It is worth remembering that under the Electricity at Work Regulations there is a requirement for persons undertaking any electrical work to be competent; be it new circuits, alterations or simple like for like changes.
For this reason, ‘Best Practice’ within the industry would be to undertake basic checks and tests when carrying out the accessory replacement.
By necessity, the person undertaking the work should have sufficient skill, knowledge and experience to carry out simple tests and measurements, considering and checking for example:
- Safely isolate, prove dead and work safely
- Earth fault loop impedance, and
- If the circuit incorporates an RCD, testing in order to ensure it works to manufacturer’s specification.
In order to protect liability, it stands to reason that such test results should be recorded somewhere.
To facilitate this, some operatives or organisations elect to use the BS 7671 Minor Electrical Installation Works Certificate (even though such work is not by definition ‘Minor Works’) – this is good practice.
Alternatively, other companies may have their own methods of recording such results, perhaps for example on their bespoke engineers’ job sheets – this is equally good practice.
If work extends in replacing emergency light luminaries then this should also be recorded in the premises log book. If components, such as batteries are replaced then additional testing 24 hours after initial charging may be required.
It should be remembered, that ‘like for like’ replacement or repair work has never been classed as notifiable work within dwellings under Approved Document P of the Building Regulations – and as such does not need registering or indeed use of a competent person Part P scheme.
Historically Human Machine Interface (HMI) and Supervisory Control and Data Acquisition (SCADA) systems were not included in the scope of the charter for Information Technology (IT). Process engineering or the plant maintenance organization were normally tasked with the responsibility for the SCADA/HMI systems. The responsibility included the selection and management of the computing platform and the industrial control network (ICN). In the many cases, a lone electrician was responsible for the entire system, including the workstation, the ICN and the Programmable Logic Controller (PLC). In this era of SCADA/HMI the ICN was rarely interconnected with the IT enterprise network or the Internet. Remote access was typically done using phone modems connected directly to the SCADA host workstation.
Bringing IT and SCADA in Sync
Two trends in the second half of the 1990’s brought IT and SCADA closer together. The first was the so-called “Y2K scare” that affected all enterprise computing systems. This included computing systems found in production management software such as SCADA and HMI. IT departments included production system in the scope of their audits, looking at production systems to ensure that they were ready to handle the new century date formats.
This alone, did not bring about the integration of production systems with IT architecture. For the most part these systems continued to not be connected to the rest of the corporate IT networks. Given the “air gap” security combined with the unique requirements for managing traffic on the ICN, centralized IT network management tools simply could not be effectively used.
A second trend that coincided with the Y2K focus was the deployment of Enterprise Resource Management (ERP) systems in many organizations. The data demands of the ERP and its uncertain connection to the shop floor meant that either a parallel system had to be deployed or SCADA would become the bridge. As a result, SCADA and other production system like Manufacturing Execution Systems (MES) were used for tracking production and feeding ERP’s shop floor data appetite by connecting to both IT networks and Industrial control networks.
During the past 15 years we have seen continued integration of IT and production systems. SCADA systems are now for the most part connected to the enterprise networks. Remote access is usually provided via VPNs so the SCADA system can be reached from anywhere on the Internet.
There has been some organizational friction in bringing these two very different cultures together. At the top level IT generally looks at their systems as dynamic and have a focus on scalability, performance and cybersecurity. They may be more willing to apply patches and updates, as long as they know they have the ability to roll back to previous configurations if problems occur. The focus of the industrial network is to deliver extremely high reliability and safety. Due to the critical nature of the real-time data, even short term disruptions can impact production rates and the safety of the workers and equipment that rely on it. For this reason, software patches and firmware upgrades are more thoroughly tested before they are applied to production systems.
SCADA’s Place in the Control Center vs. Data Center
Today we have a world in which the systems are more and more under the protection and management of IT and IT practices. This is particularly true for cyber security and virtualization, which is becoming widely adopted. This leads to the question of whether the SCADA host computer should be removed from the control room or the shop floor and moved into the data center.
We were recently asked to provide guidance to a medium-sized organization that was considering this issue. They have a large warehouse, housing materials that must be controlled to strict environmental conditions. In order to automatically maintain the integrity of the environment of the warehouse, they purchased a system from a vendor that uses our SCADA platform for the HMI. The vendor delivered the HMI on a single user workstation connected with an industrial network to several PLCs in the warehouse that controlled the heating and cooling equipment along with other environmental control equipment. The workstation was physically located in a desk located in the warehouse.
Management was concerned that the workstation was exposed to physical damage from normal warehouse material handling activities such as forklift movements. They were also concerned about the time required to respond to either an accident of this sort or even normal maintenance issues with the workstation, given its physical location. For these reasons, the company wanted to move the workstation from the warehouse floor to the enterprise data center.
Newer Protocols Open Up Possibilities
This was possible because the PLC communication was an Internet Protocol (IP), which have generally replaced the older serial protocols in modern ICNs. The IP protocol created the possibility to have a virtual private network (VPN) established from the data center to allow the HMI to connect to the PLCs on the ICN.
In order to provide the warehouse operator access to the Graphical User Interface (GUI) of the HMI, the IT department preferred to use Microsoft Remote Desktop Applications (RDA). RDA is a subset of the widely used Remote Desktop Services (RDS). RDA allows the HMI GUI to appear on the operator’s normal desktop as an icon without having the RDS requirement to overlay the entire desktop. As a standard Microsoft solution, the use of RDS or RDA is transparent Microsoft compliant SCADA software platforms.
The IT department also wanted to host the HMI workstation on a virtual machine (VM) in the data center rather than have it on a dedicated workstation, as was the case when it was in the warehouse. Once again, with a standard Microsoft application, running on a VM is transparent, as designed. The only issue that was out of the ordinary for IT was the need to map a USB port to the host. Use of a USB dongle for licensing is a common practice found in SCADA and HMI platforms, but less common for enterprise software. In this case, it was a simply a mapping of the USB port to the VM hosting the SCADA. A network USB device may be required in more complicated multi-station networks.
Successful Outcome in the Data Center – for Operations, Warehouse and Facilities Managers
The move from the warehouse floor to the data center was judged a success from many perspectives. Some of the many benefits include increased transparency of the technology, tightened cybersecurity and improvement in system reliability including major reduction to disaster recovery estimates. Both IT and the warehouse management organization judged the performance to be equal to what they had when the workstation was located on-site.
The program had another effect. The facilities maintenance team realized they could improve their performance if they had ready access to the environmental monitoring information. Subsequently to roll-out of the virtualized workstation, the maintenance department requested separate and unique access to the SCADA/HMI system.
The project had originally been licensed and configured as standalone system supporting a single user at a time. A new user profile for maintenance could be set up under the existing license and the RDA connection could be shared with the maintenance organization. With the new architecture, anyone using the system installs RDA. After it is installed, it is simply a matter of opening the RDA icon on their desktop, logging into their session and they are in a window that behaves exactly as it did on the dedicated workstation. The downside was when the operations were logged in, the maintenance people would get a “connection refused error” when they tried to log in and vice versa when maintenance was logged in, operations could not access the GUI.
In order to provide for multiple users to access a standalone HMI, it simply needed to be reconfigured to a SCADA system. Some modifications were required to the license and the configuration of the SCADA project. A standalone HMI license can be converted to a multi-user client server SCADA license in most systems with various degrees of difficulty. In this case, it was simply a matter of the exchange of a license file.
There are also configuration changes required to reflect the new users in the system. For example, the configuration to ensure that each user is sharing the same communication channel to the PLC and not impacting the overall level of traffic on the ICN with parallel communications requests.
With these architectural and configuration changes in place, it was now possible to expand the number of concurrent users. The customer considered how many users would need to access the system simultaneously. In this case the answer came back as three. The on-shift operator, the maintenance manager and the plant manager. There are multiple people in the operations and maintenance department, but for sizing the platform, it was decided that it would support a maximum of three users simultaneously.
Virtual machines were provisioned for the additional client workstations supporting the architecture. The VM hosting the SCADA server software was also designated as the license manager. The network license enables the client station VMs to be created on-demand rather than consuming resources during idle times. Client access licenses were acquired from Microsoft for the new RDA sessions required for this project.
The system is now a multiuser system residing in the IT department’s data center. There have been no issues from the warehouse operations end users or the new maintenance department and management end users about performance or accessibility of the system.
Bearing in mind that the environmental controls that are being monitored and applied here do not change rapidly, the migration to the data center was well advised. If any additional latency was introduced by the more complex ICN routing, it was not noticeable. More importantly, the risk to losing the SCADA server from physical damage from a forklift strike was eliminated.
Disaster Recovery Plan
The IT department did call one last time when they were reviewing their overall Disaster Recovery plans. Protection and recovery of historical alarm and event database information was discussed, which they maintain in a Microsoft SQL Server database. Second, consideration was given as to how to best protect the project configuration directory and the platform installation directory. Finally, a review was done of the steps to put it all together into a clear plan of action in the case of an unexpected loss of the server hosting the virtual machines or even the data center itself.
The interesting part of this disaster recovery discussion is that it was done entirely within the comfort zone of the IT professionals that I was talking to. They are used to thinking about minimizing the time required for recovering servers and databases. They know they have to plan to achieve minimal downtime and they know the value of that downtime.
The acceptance of SCADA and HMI in the data center has already occurred. As virtualization becomes the standard deployment of computing in an enterprise setting, we will see continued growth of the percentage of customers choosing this approach. Cybersecurity concerns will also push the SCADA center into the safety of the data center. For most SCADA and many HMI applications of the future, this will likely be the standard deployment strategy.
SELECT, the trade body for Scotland’s electrical sector, is stepping up its campaign to make it a legal requirement for electricians to be regulated by the Scottish Parliament.
It is launching a widespread media campaign to highlight the dangers of using unqualified people to carry out electrical work and to press for official recognition of electricians as a profession.
SELECT will use major Scottish regional newspapers, radio stations across the country and railway station posters to disseminate the message that regulation of the profession is key to increasing safety as well as being wholly justified.
Government statistics have shown that 69% of all accidental fires in Scottish homes are caused by electricity and unqualified workers pose a distinct and continuing threat to safety in Scottish homes.
The campaign, which will run over the spring and summer of 2017, will emphasise the length of training that electricians undertake and the benefits of regulation with a focus on the aspect of safety.
Alan Wilson, SELECT’s head of communications and membership services, said: “Electrical installations are extremely complex and they underpin modern life. Working with electricity cannot be undertaken in a cavalier fashion.
“Every year, fires arising from dangerous electrical installations endanger – and sometimes cost – lives and load costs on to insurance companies and emergency services.
“That is why it is so important that the Scottish Parliament leads the way in ensuring that trades people who go into people’s homes or businesses know how to conduct themselves in a safe and professional manner.”
SELECT will also employ the massive communications firepower of social media sites such as Twitter to further promote its regulation campaign.
SELECT’s aim is the delivery of the highest standards of professionalism and workmanship. It promotes constant improvement to meet this goal. It believes that the industry should ensure basic standards of safety and competence so that any customer can rely on any electrician they may employ.
SELECT has more than 1200 member businesses which operate all across Scotland.
Refrigerant manufacturer says decision will help accelerate transition to lower-GWP gases
Honeywell has announced that it will exit the sale of R404A and R507 in the EU by 2018 in order to meet the deadline set by the EU’s F-gas regulations and in anticipation of severe reductions in quota for the higher-GWP refrigerants. In their place, Honeywell will be offering its low GWP alternatives such as Solstice N40 (R448A) and Genetron Performax LT (R407F).
Julien Soulet, managing director for Honeywell Fluorine Products in Europe, Middle East, Africa and India said: “Given the upcoming targets set by the F-Gas Regulation, customers will soon encounter reduced availability of high-GWP products. We encourage refrigeration customers to work closely with Honeywell’s Authorised Distributors to accelerate the transition to near drop-in replacement products that are available now and fully comply with F-Gas regulations.”
The F-gas regulations include a ban on servicing of larger refrigeration systems containing R404A and other high-GWP regrigerants in 2020.
The company said it is taking this action ’in anticipation of the expected scarcity of high GWP products due to the F-gas Regulation phase-down schedule.’
In a statement, the company said: ”The F-gas Regulation states how much refrigerant can be placed on the European market each year, based on GWP. It requires significant and increasingly larger and faster reductions of the highest-GWP HFCs well ahead of 2020. Due to the large, mandated reduction in quota to be implemented on January 1, 2018, it is expected that an accelerated phase-out of high-GWP products will be required in order to cope with the phase-down timing. This means that customers need to convert now to more environmentally preferable solutions in order to prepare for the scarcity of high-GWP products anticipated in 2018 and to fully meet the F-gas requirements by the end of 2019.”
The manufacturer said the replacement refrigerants can be serviced long-term, beyond any of the F-gas ban dates and are commercially available now.
R448A has a GWP of 1273 and demonstrates 3 per cent lower energy consumption in low-temperature applications such as freezer display cases, and up to 16 percent lower energy consumption in medium-temperature applications such as supermarket supermarket-display cases, the firm said. Solstice N40 can be used in new installations, as well as to retrofit systems currently using R22, R404A and R507 and interim blends.
R407F has a GWP of 1674 and is already being used in over 15,000 supermarkets worldwide, Honeywell added. During a long-term test conducted by Asda, Genetron Performax LT consumed 9 per cent less energy than systems using R407A, and 14 per cent less energy than systems running R404A in medium-temperature. It is specifically designed to replace R404A, R507 and R407A refrigerants, and can be used in retrofits as well as new installations.
Refrigerant manufacturer Chemours has announced price rises of 30% on high GWP refrigerants in Europe – its second big increase in consecutive months.
After announcing increases of 25% on R404A and R507 from April 1, Chemours has today announced a further 30% price rise on these high GWP refrigerants from May 1. The company has also announced further increases of 10% on refrigerants R134a, R410A, R407A and R407C on top of last month’s 20% price hikes.
The increases on R404A and R507, relating to a combined increase of over 62% in just one month, come amidst fears of severe shortages of the higher GWP refrigerants next year.
Other suppliers announced similar increases last month and more are expected.
Under the F-gas phase-down regulations, Europe faces severe cuts in HFC availability next year with cuts of 37% of the baseline 183Mt CO2eq. Refrigerant producers and suppliers, operating under a quota system, are effectively able to place on the market far more low GWP refrigerants than the higher GWP gases.
Chemours maintain that end users need to transition from the high GWP products like R404A to low GWP alternatives in order to enable the EU to achieve the goals outlined in the F-gas regulations.
Aiming for a more empirical understanding of the cybersecurity attacks actually being seen in the wild, Dragos sifted through and analysed mountains of public data. Though attacks are common, there’s no need for panic.
Cybersecurity is an important concern in industrial and utility settings, but it has a tendency to swing to the extremes in attention—too often, it’s either hugely overhyped or it’s ignored as an insignificant risk. Truly, the very real threats to industrial security lie somewhere in the middle of that spectrum, but a quantifiable metric has been elusive.
Dragos, an industrial cybersecurity software and service provider, set out recently to cull through reams of mostly publicly available data to develop a more empirical picture. And what the researchers found is that non-targeted IT infections are very prevalent, with a conservative estimate of about 3,000 unique industrial sites a year being affected. They also found that—though they do tend to get overhyped—targeted intrusions into industrial control systems (ICSs) are not as rare as you might think.
In both cases, though, the solution is: Keep calm and monitor your network security.
“Security in the ICS is very important to safety and reliability, but the power grid isn’t going to just fall over and gas pipelines aren’t going to start exploding over random infections or non-nation-state actors deciding to target them,” writes Robert Lee, Dragos CEO, in a blog explaining the findings of the study, “MIMICS (Malware in Modern ICS).” Even the targeted attacks are not earth-shattering, he continues, adding that “the threats are real, but not life changing, and should be taken seriously with a sound approach to the priorities in industrial environments.”
Targeted vs. non-targeted
Although high-profile stories around Iran’s nuclear industry, the Ukrain’s power utilities or other energy sectors tend to grab clicks and reader attention, they don’t create the necessary changes in behavior that will keep industrial operations safe. This is largely because these stories don’t seem to relate to the day-to-day running of a typical plant.
“There’s a disconnect between a lot of what the hype is and what the folks are seeing. People have heard of Stuxnet or BlackEnergy or Havex, but nobody’s actually seen those in their environments,” says Ben Miller, director of threat operations for Dragos, who undertook the project of identifying, analyzing and extracting lessons learned from the data. “An engineer would read a report on Stuxnet and disregard that as hype because he’s not seeing that.”
All three of the computer attacks Miller mentions were designed to attack industrial control systems. Stuxnet was used to compromise Iran’s uranium enrichment facilities; BlackEnergy is best known for taking out power in parts of the Ukraine by disconnecting substations from the power grid; and Havex, originally targeting the energy sector, moved on to focus on attacks of ICS/SCADA users.
For those industrial manufacturers who think they don’t need to be concerned about these attacks because they are unlikely to be a target, that’s in large part true. But that doesn’t mean they need not be concerned about cybersecurity at all. The dangers still lurk, but are lesser known, much more common malware attacks.
“What are in these environments are traditional opportunistic viruses that are spreading unbeknownst to automation folks,” Miller says. “That’s what they should be concerned about. And it’s actually pretty easy to defend with good practices and cyber hygiene.”
Miller and Lee gave a keynote presentation last week at the SANS ICS Security Summit in Orlando to discuss for the first time some key findings from the MIMICS study. The report was based on public data found at VirusTotal, and was geared toward understanding malware as it relates to ICS.
“We wanted to quantify what is out in the wild,” Miller says. Over the course of just 90 days, the study identified thousands of real-world infections caused by opportunistic viruses and removable media across many ICS vendor programs.
“A lot of what we did see was opportunistic, and likely wouldn’t create an impact,” Miller explains. “But you’d only need to change a variable to have an industrial impact.”
Attacks like BlackEnergy or Stuxnet are still within the realm of possibility, Miller says, but are more of a targeted attack rather than the opportunistic attacks that are happening on a regular basis.
Owned by Google, VirusTotal is a free online service that enables anyone to upload a file to be scanned for viruses, worms, trojans and other malware. “By itself, it’s a good service, but it serves as a malware repository as well,” Miller explains. “I as a researcher can search for a file and see when it was first uploaded or last uploaded.”
And that’s exactly what Miller did, analyzing about 30,000 samples of infected ICS files and installers dating back to 2003. Although Dragos had a premium account with VirusTotal to get access to some of the data Miller analyzed, a lot of information is exposed publicly, he says.
Some of the malware that Miller saw included automated viruses that were spreading to legitimate ICS files. This creates a program path for any ICS vendor, Miller explains, where legitimate files are infected with malware. “This led to 15,000 files being discovered over the last 128 days being infected.”
Another interesting development that Dragos documented was malware that was not tailored to ICS-specific systems, but was themed around it. In a period spanning from 2013 to as recently as last month, Dragos analyzed a spate of files known as a downloader—not necessarily malicious in itself, but opening a backdoor to download additional malicious software—made to look like Siemens control software.
Data on the file makes it look like it’s related to a Siemens programmable logic controller (PLC). “If you’re on your Windows machines and you hover over the icon, it would give you the information—in this case, it’s going to say ‘Siemens Automation, Siemens PLC.’ That’s the kind of theming I describe,” Miller explains. “It will look like nothing happened. But what did happen is it went to a website and got an encrypted file, and was set to download another set of malicious software onto the computer.”
In other words, a bad actor has been attempting to compromise industrial environments by theming its malware to look like Siemens control software, Lee explains. But he also reiterates the contention that there is no reason for alarm, but rather a sound approach to cybersecurity. “As an example, simple supply chain awareness of software would eliminate this attack vector,” he writes. “Identify the digital hash of the software from the vendor, download the software, and check the hash against the known-good before installing it in the industrial environment.”
What might create a bigger cause for concern, actually, is the uploading of files to public databases like VirusTotal.
Some of the information Miller was able to analyze on VirusTotal provided perhaps a bit more insight into the uploading organizations than they might like the public to see. He found a couple PDFs, for example, that were Nuclear Regulatory Commission finding reports that appear to be non-public information. One in particular had facility names, equipment names and findings from the investigation, Miller says.
“Another one was a zip file of a substation maintenance report,” Miller says. “There were AutoCAD drawings, spreadsheets with inspections, sign-offs, names and that kind of thing.”
Miller continues, “I was a bit surprised at how much industrial security folks seem to be using VirusTotal. There are probably safer ways to use VirusTotal.”
Miller recommends using VirusTotal as a data source to perform searches, but not to upload files that might be corrupted. “It’s very safe to search for a file. You can see if anyone has submitted it before and what the report says. You’re not saying you have that file; you’re just searching for it,” Miller explains. “When you start uploading to it, that’s when things can become more interesting. There are some dos and don’ts that haven’t been communicated.”
But if everybody took that advice, I argue, there wouldn’t be anything left in VirusTotal to search for and the site would become useless. “It does make the general security researcher’s job harder,” Miller comments, “but it strengthens the hand of the actual asset owners.”
With close to two decades of experience in cybersecurity, Miller has particular expertise in the electricity sector, having served as associate director of the Electricity Information Sharing and Analysis Center (E-ISAC), which is operated by North American Electric Reliability Corp. (NERC).
The Ukraine power attack grabbed a lot of attention for cybersecurity in the electricity sector. But in fact the sector has been highly engaged for several years, Miller says, with a group of electric company CEOs (the Electricity Subsector Coordinating Council) meeting quarterly with the U.S. Department of Energy (DOE) and White House officials to discuss cybersecurity concerns.
What helps the communication is that those CEOs are generally not competitors, and are used to offering each other assistance as needed. “That has helped the cybersecurity aspect of how things are handled,” Miller says. This is in contrast, for example, to oil majors, which are in a more competitive position. “In that regard, the electricity sector has a leg up. They come to the table much more openly because they don’t have that baggage of competition hanging over them.”
The next phase
Now that Dragos has better empirical data around malware infecting industrial environments, it will continue to cull through findings and report back to industry.
“This was a research project, so we weren’t sure what we would find,” Miller says. “We’re happy with a lot of the results we found, and there are additional findings that we’re working through.”
Dragos plans to operationalize the research, Miller adds, to automate reports back to customers on a regular basis.
“We’re trying to add more nuance to the discussion, to better frame the problem with an understanding of what is being seen in the wild—with numbers behind it,” Miller says.
Security researchers discovered Stuxnet in 2010, and it has since become one of the most well-known malware campaigns in history. The attack was developed to damage programmable logic controllers (PLCs) and supervisory control and data acquisition (SCADA) systems using four zero-day vulnerabilities in Microsoft Windows. What has the cybersecurity community learned from this incident?
SCADA Security Lessons From Stuxnet
Nowadays, not even the most secure plants are isolated from threats. In the case of Stuxnet, the gap between the isolated plant and open infrastructure was bridged by a USB key.
But what does Windows have to do with SCADA? SCADA systems are no longer isolated boxes running on proprietary protocols. Today, they can be accessed by a human/machine interface (HMI), either integrated with the rest of the IT environment or simply using classic IT. Therefore, defending SCADA is about protecting everything that surrounds the system.
Protecting OT to Secure IT
SCADA systems are an important but severely limited part of the IT arsenal required to provide a service. In the case of a nuclear plant, many devices belong to the operational technology (OT) environment, in addition to those that correspond to IT. In fact, cybercriminals often reach IT assets through holes in OT systems. This enables them to easily discover vulnerabilities without the technical know-how or pricey equipment required to make an exploit out of the box.
OT consists of classic IT, SCADA, and many sensors and other devices. For this reason, OT is often included in discussions about the Internet of Things (IoT). The difference is that OT is always managed by someone who is responsible for security. In the case of IoT, there is very little accountability because devices such as smart refrigerators and cameras are often designed and operated by parties that have no stake in security whatsoever.
Learning From History
It is critical to protect your OT to keep cybercriminals from poking through, but don’t forget to protect your IT as well. It’s equally important to secure all IoT devices throughout the design phase. If IT professionals can learn from history, they can prevent a catastrophic incident like Stuxnet from befalling their organizations.
Refrigerant users face new price increases of as much as 30% as Europe transitions away from high GWP HFCs.
The UK’s leading refrigeration wholesaler and one of the world’s main refrigeration manufacturers have both announced large increases in the price of refrigerants from next month. The latest increases follow 20% price hikes by a number of suppliers at the beginning of the year and suggestions that there may be more to come this year.
UK wholesaler Dean & Wood, part of the Beijer Ref group, has announced price increases of 30% on high GWP refrigerants like R404A and R507 and the R22 transitional blend R422D. The new prices, which come into effect on April 1, also include 20% increases on a number of common gases including R134a, R410A and R407C, and so-called interim gases R407A and R407D.
Refrigerant manufacturer Chemours wrote to its customers this month announcing price increases across Europe of 25% on R404A and R507 and 20% rises on the other base HFCs R134a, R410A, R407A and R407C.
At the beginning of the year, refrigerant manufacturer Mexichem announced 20% price rises on R404A and R507 and 15% increases on R134a, R410A and R407C. Supplier National Refrigerants announced similar increases from January 1.
The “perfect storm” of swinging cuts in HFC availability next year and suppliers’ needs to juggle production and import quotas is behind the latest increases. Industry leaders have long urged a rapid transition away from high GWP gases and warned of high price rises and possible scarcity of some gases.
The cap and phase down under the European F-gas regulations is based on CO2 equivalents (CO2e). This means that refrigerant producers and suppliers, operating under a quota system, are effectively able to place on the market far more low GWP refrigerants than the higher GWP gases.
Latest European Commission figures report that the amount of HFC refrigerant placed on the market in 2015 amounted to 168Mt CO2eq – within the baseline cap amount for the year of 183Mt CO2eq. Next year the industry, faced with cuts of 37% of the baseline, must make do on 115Mt CO2eq. This is a significant cut, but industry pundits have further warned that as the refrigerant contained in imported pre-charged equipment is also to be included in that figure for the first time, the cut is more like 44%.
Speaking at the European Eureka 2016 conference at the end of last year, UK consultant Ray Gluckman warned of 2018 having the potential to be “an absolute disaster” and called for more attention and action in the transition away from high GWP refrigerants. At the same event, AREA president Per Jonasson warned that time was running out to switch to lower GWP refrigerants and urged users to take immediate action.
Malware posing as legitimate software for Siemens control gear has apparently infected industrial equipment worldwide over the past four years.
The cyber-nasty is packaged as software to be installed on Siemens programmable logic controllers (PLC), we’re told. At least 10 industrial plants – seven in the US – were found running the infected software, a study by industrial cybersecurity firm Dragos claims.
According to the Maryland-based biz, this particular malware was specifically thrown at industrial control equipment. Exactly what it does, or did, is not explained, although it is described as “crimeware”. Dragos CEO Robert Lee writes:
Starting in 2013, there were submissions from an ICS environment in the US for Siemens programmable logic controller control software. The various anti-virus vendors were flagging it as a false positive initially, and then eventually a basic piece of malware. Upon our inspection, we found … variations of this file and Siemens theme 10 times over the last four years, with the most recent flagging of this malicious software being this month in 2017.
In short, there has been an active infection for the last four years of an adversary attempting to compromise industrial environments by theming their malware to look like Siemens control software. The malware is simply crimeware but has seemingly been effective.
This malware is separate to common-or-garden adware and bank-raiding Trojans that find their way onto PCs. Dragos conservatively estimates that 3,000 industrial sites a year are infected by traditional cyber-pests. These infections were largely opportunistic Trojans – such as Sivis, Ramnit, and Virut – brought in by staff using infected USB sticks.
Dragos revealed its findings during a keynote at the SANS ICS Security Summit in Orlando, Florida.
Edgard Capdevielle, chief exec at industrial control security specialists Nozomi Networks, said: “That ICS themed malware exists is not surprising, but it is concerning. The reality is that ICS networks today face all the same security challenges as every other IT network, but lack similar security options.
“Historically ICS was designed to be completely segregated and confined by physical boundaries. However, each new IP address punches another hole in the metaphorical wall that separates Information Technology (IT) and Operational Technology (OT). Having established IT connectivity, it’s difficult to put the genie back in the bottle and each of these avenues is a potential point of weakness that can be compromised – by hackers burrowing in or malware (such as ransomware) detonating internally and then radiating out.”
Andrew Cooke, head of cyber consulting at Airbus Defence and Space CyberSecurity, added: “Malware is prevalent in a wide range of industrial systems, often spread by an infected USB stick or by unauthorized remote access. But while the majority of malware found in these systems is low level, it can still pose a serious risk for the organizations concerned. Sophisticated attackers often use these methods to gain valuable intelligence about the way that a system is operated, configured and run.”
Refrigerant safe handling register Refcom has created a search facility on its website to allow refrigerant suppliers to check whether customers are properly F-gas certified.
Air conditioning and refrigeration engineers are required to present their F-gas certificate or an ACRIB SKILLcard when purchasing refrigerant. There have been reported incidents of counterfeit certificates and non-compliant plastic cards being used and, while refrigerant suppliers are legally required to ensure anyone buying gas from them is F-gas certified, it has previously been difficult to check whether certification is genuine and up to date.
As a result, Refcom has simplified the process by introducing a search facility on its website that allows suppliers to check customers’ credentials by both company name and/or F-gas certificate number.
Refcom maintains that ensuring the company name and certificate number match is a reliable method of establishing whether an operative is legally allowed to buy refrigerant gas. However, if the supplier finds a problem they are asked to contact the Refcom helpdesk to establish whether the company has chosen not to be publicly listed on the register or if the certificate is invalid.
Refcom was established in 1994 and appointed by the government as a certification body to provide the mandatory registration service for the refrigeration and air conditioning sectors. It now claims to account for more than 80% of company certificates covering the UK refrigerant handling market.
“This is a very important new feature,” said BESA’s senior mechanical engineer Graeme Fox. “Refcom has been pivotal in efforts to drive up professional standards across our industry and ensure we continue to manage the safe handling of F-gases. However, we are not complacent and continually monitor the situation to ensure nothing undermines the rigour and integrity of the F-gas scheme – such as failure to produce valid certification details when buying refrigerants.
“The easiest way for someone to prove their credentials is to show their original certificate or their ACRIB SKILLcard, which is the only legally compliant portable proof of F-gas certification and operator competency,” he added.