HMI computer..best practice

jdbrandt

I'm getting ready to set up a number of Dell-type computers
for use as HMI terminals.

I'm wondering if anyone has any 'best practices' in this area.

Virus protection? (I'm guessing NO, since there's no internet
connection and way to update it.)

Disk set up.

User name(s).

Programs to delete.

Operating system features to enable/disable.

Remote access (RAS)
 
I usually strip out the virus protection on non-networked computers. After that, remove all games and programs such as AOL or MSN. You also may want to set up a logon for the Administrator password with full rights and one for the Operator with limited rights. Make sure that you also have a UPS to protect the computers.
 
I usually strip out the virus protection on non-networked computers
No guarantee that someone will not bring a floppy, USB jump drive or CF card that contains a virus...

I saw once that games were installed on PC based HMIs by operators during first production weekend...
 
The amount of junk manufacturers put on computers nowadays is staggering. It sure would be nice to order a computer with just the OS.

For stand alone computers (those running the HMI), I make sure I have all the OEM’s drivers, wipe the hard drive, and reinstall the OS. I like knowing that everything on that computer is there because I put it there.

For larger systems I like to run the HMI on a server using Terminal Services. This allows me to only have to administer one computer, the server. I tell the customer that they can do whatever they want with the operator’s computers. You can save a lot of money not only in the up-front hardware cost, but also in the ongoing administration cost.

As far as your questions, it really depends on the customer and what kind of system they have. I store the HMI application in a separate directory, generally called SCADA. For user names I use the first letter of the first name and the entire last name like jDoe. As far as programs go I sit down with the customer and discuss what they do and don’t want on the computer, some don’t mind games on the computers others do.
 
I always disable CD / DVD drives + USB ports + floppy in the BIOS to make sure operators do not bring games and stuff on the computer.

Secure BIOS with PW.

Regards

Antoine
 
antoine said:
I always disable CD / DVD drives + USB ports + floppy in the BIOS to make sure operators do not bring games and stuff on the computer.
I saw this situation: an unknown "advanced operator", probably one young man, had reset the BIOS. And, of course, had installed a lot of games. BIOS was protected with PW, administrator said. Locking in BIOS isn't a 100% guarantee against this kind of young man either. Only a big angry boss behind the operator can serve as one.
 
Password will not help, BIOS can be reset within seconds, Windows Administrator password reset can be done as well, so no protection here.
Only good production practices and discipline can help...
 
When you get the system running, back up the hard drive with Norton Ghost or similar program. Then you can start fresh when needed. Also handy when creating a bunch of like computers.
 
That's why it's good to buy a "decoy" computer...in other words, we usually have one or two computers with internet connections and a game or something on them....they end up not messing with the server computers and development computers or operator stations.
 
Also, what are your thoughts about using Norton Ghost to restore everything anytime in just a few minutes?!
This will take care of every possible problem.
 
Resetting BIOS PW is easy if you can access the inside of the box! This can be secured with a lock. I have one "critical" computer, it is located in a closed room, I use a FO modem to connect a screen and mouse in the operator room (NO KEYBOARD)!



Norton GHOST works fine (we use it a lot) BUT it assumes you reinstall the backup on the exact same computer; this may NOT be the case in case of hardware failure of the computer!! So, always keep your installation CD and source software!

Antoine.
 
... I forgot to mention:

After the last computer crash due to illegal games installation, I asked the manager of the plant for a PlayStation and a big television with a DVD reader.

The answer was: no.

... poor me ...
 
Best practices would include using a domain.
Also, for Windows platforms, study up on, and get to seriously know, the applet "GPEDIT.MSC" (type that into the start|run box to browse around it).

Gpedit will allow you to completely lock down a system, based on accounts. Regular users should have no access to system configuration settings, all removable media access should be disallowed (CD/DVD, Floppy, USB Sticks). Also, regular users should have zero access to any network resources, especially the internet.

The group policy editor will let you control just about everything in Windows. It is very powerful, but tough to get started working with.

Of course, you need to have a strong password administrator account.
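
A read-only audit of the lockdown recommended in the posts above (removable media denied by policy, operator logon without administrator rights), added here as an example and not written by any poster in the thread. It assumes Windows PowerShell 5.1 or later, a Windows version that has the Removable Storage Access policy, and a limited local account named `Operator` (hypothetical name).

```powershell
# Added example: read-only audit of an HMI PC against the lockdown described above.
# Assumption: the limited operator logon is a local account named 'Operator'.
$OperatorAccount = 'Operator'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the setting is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function New-Check {
    param([string]$Check, $Value, [bool]$Pass)
    [pscustomobject]@{ Check = $Check; Value = $Value; Pass = $Pass }
}

$results = @()

# Policy "All Removable Storage classes: Deny all access" (set through gpedit.msc:
# Computer Configuration > Administrative Templates > System > Removable Storage Access).
$denyAll = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' 'Deny_All'
$results += New-Check 'Removable storage denied by policy' $denyAll ($denyAll -eq 1)

# USB mass-storage driver start type: 4 = disabled, 3 = loaded on demand.
$usbStor = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
$results += New-Check 'USB mass-storage driver disabled' $usbStor ($usbStor -eq 4)

# The operator account must not be a member of the local Administrators group
# (well-known SID S-1-5-32-544, so the check also works on non-English Windows).
$pattern = '\\' + [regex]::Escape($OperatorAccount) + '$'
$admins  = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue)
$isAdmin = [bool]($admins | Where-Object { $_.Name -match $pattern })
# An empty member list means the query failed, so the check must not pass silently.
$queryOk = $admins.Count -gt 0
$results += New-Check "'$OperatorAccount' is not a local administrator" $isAdmin ($queryOk -and -not $isAdmin)

# Report the checks, then list every administrator for manual review.
$results | Format-Table -AutoSize
$admins | Select-Object Name, ObjectClass | Format-Table -AutoSize
```

The script changes nothing; a failed check points to the setting to fix in the group policy editor or in the local accounts.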
 
