Converting to Panel PCs and Security

NathanA

I'm debating the pros and cons of using Panel PCs instead of AB Panel Views.

My main question is, what is the best way to handle security on a full Windows 10 machine for HMI purposes? Thin clients etc...

Using Advanced HMI or any open source software, is it a good idea or are there pitfalls that I'm not aware of?

I'm just trying to help our process get away from unnecessary costs if possible.

Thanks in Advance.
 
I don't know that a Panel PC would provide any more/less security than an AB Panel View.

I can tell you that we use a lot of Maple Systems HMIs and the security that these units provide is amazing. Whatever you can think of, I do believe it can be done with these units.

I have one location where the end user controls the location by "remote access" and there are 5 users. All 5 users have a different level of access, so each user only sees the objects that have the same security level access. And once any user logs out or the current user times out, the screen will automatically log the user out and revert back to the login page.

Works flawlessly!
 
Malware is a concern for any PC.

We use PCs extensively for HMI (rack-mount, industrial, and panel computers). Security is a concern. We use an antivirus for private networks solution. I currently have to install Windows security patches manually. I have been pushing for a Windows update server on our private control networks much like our AV update server.

There was a big push to patch all the Windows OS some months ago due to a few instances of companies/plants losing production due to malicious software infections on Windows machines.
 
I do think the EZwarePlus is a one time charge of $75.00, but after that, all of the updates are free!

It's been several years since we made the original purchase, so some things may have changed. Just check with them; they are very helpful.
 
In an ideal world, you can apply all the updates to every software package on the PC, with maybe a day of delay to allow for IT to test compatibility with current applications. We all know that ideal doesn't apply to most factory environments.

The best industrial PC security practices I've seen amount to making a standard, known good image, and then doing as much as possible to lock it down and prevent any changes to the system.

Between approaches 2 & 3 below, it makes it hard for viruses/malware to run on the system, and even if they can run, they will have trouble getting anything installed permanently.

1) Don't install anything from scratch on each IPC. Create a standard image, test that it works, and then deploy it on every new IPC you get. Obviously, this only holds true for stations that are identical. You may need multiple images for either multiple PC types or PC uses.

2) If you get an Enterprise/Embedded(/IoT?) version of Windows 10, they come with a feature called the Unified Write Filter. This is a new version (combines a few other things as well) of a feature I've used in Windows 7 called the Enhanced Write Filter. Essentially it intercepts writes to your disks (depending on how you configure it), and writes those to a RAM disk instead. The PC keeps operating as "normal", but no changes are made on the disk. The PC is theoretically in the exact same state every boot.

I've generally seen it where the system partition (C drive) is protected by the write filter, but a D: drive for data is left open. That way you have a place for data logging, etc. Depending on the system, HMI projects may need to be stored on the protected drive to avoid tampering.

3) Antivirus software is good, but it is best in a situation where you don't know what software is supposed to be on the PC, and therefore you have to try to detect known bad things. For industrial environments there is a better approach, called whitelisting. Essentially, instead of a traditional blacklist-based antivirus searching for bad software and trying to prevent it from running or delete it, the whitelisting software takes a snapshot/signature of the known good software, and then doesn't allow anything else to run.

I've had a few customers who have had success with McAfee Application Control as a whitelisting solution.
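The snapshot-and-compare idea from point 3 of the post above, as an added example (not code from any poster and not how McAfee Application Control works internally): a Python script that records SHA-256 hashes of executables on the known-good image and audits a station against them. It only reports drift and does not block execution; the suffix list and sample file names are assumptions constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed scope: file types treated as "code" on the station.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".ps1", ".bat"}

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Map relative path -> SHA-256 for every executable file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES}

def audit(root: Path, manifest: dict) -> dict:
    """Compare a station's current state with the golden-image manifest."""
    current = snapshot(root)
    known_hashes = set(manifest.values())
    return {
        # New path whose content matches nothing in the image: an allowlist would refuse it.
        "unapproved": sorted(p for p, h in current.items()
                             if p not in manifest and h not in known_hashes),
        # Path exists in the image but its bytes changed (tampering or an untracked patch).
        "modified": sorted(p for p, h in current.items()
                           if p in manifest and manifest[p] != h),
        "missing": sorted(p for p in manifest if p not in current),
    }

def demo() -> dict:
    """Constructed sample: build a tiny 'golden image', then introduce drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hmi").mkdir()
        (root / "hmi" / "runtime.exe").write_bytes(b"known good runtime")
        (root / "hmi" / "driver.dll").write_bytes(b"known good driver")
        (root / "hmi" / "log.txt").write_text("data, not code")
        manifest = snapshot(root)                       # taken from the tested image
        (root / "hmi" / "driver.dll").write_bytes(b"altered driver")
        (root / "dropped.exe").write_bytes(b"not in the image")
        (root / "hmi" / "log.txt").write_text("more data")  # data changes are ignored
        return audit(root, manifest)

if __name__ == "__main__":
    print(demo())
```
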
 
I wrote one post that was just general best practices in PC security, but it got long. This post will aim more directly at your situation.

From what I've seen, you can save a ton of money and get a better solution by getting away from AB Panel Views. I have a number of customers switching to Comfort panels from Siemens (and sticking with the Logix PLCs), but there are a ton of other options out there. Siemens is what I know, so there's a bit of sample bias in what my customers are doing.

If you want to go with a full Windows PC, you may have to get a little creative to replace what you had with a like product without increasing cost. Also, as you suggest, security becomes a much bigger issue. Generally an industrial PC + a screen (or an integrated PC/screen combo) costs about the same as a dedicated HMI panel, and then you have to add in software costs. This means you either need a cheaper PC (and potentially lose the industrial hardening) or get a cheaper/free HMI software (this is where things like Adv HMI come into play). However, that choice doesn't affect the security discussion much; in either case the suggestions in my other post would apply.

Another option, as you suggest, is to potentially use a thin client. You would need a server somewhere for the thin clients to connect back to. It will probably need a bunch of virtual machines. Standard features of VM packages like snapshotting will help protect your VM images, potentially booting from a known good point each time. It also greatly simplifies the management of the HMI stations. The downside here is that you also need some beefy (probably redundant) servers to run the HMIs on, plus a bunch of IT knowledge that most controls guys don't get into. If your IT dept will work with you on this, the costs might end up balancing out in your favor.
 
