Old March 17th, 2018, 06:42 PM   #1
NathanA
Member
United States

Join Date: Aug 2017
Location: Arkansas
Posts: 6
Converting to Panel PCs and Security

I'm debating the pros and cons of using Panel PCs instead of AB Panel Views.

My main question is, what is the best way to handle security on a full Windows 10 machine for HMI purposes? Thin clients etc...

Using Advanced HMI or any open source software, is it a good idea or are there pitfalls that I'm not aware of?

I'm just trying to help our process get away from unnecessary costs if possible.

Thanks in Advance.
Old March 17th, 2018, 09:28 PM   #2
damica1
Member
United States

Join Date: Aug 2015
Location: Illinois
Posts: 426
I don't know that a Panel PC would provide any more/less security than AB Panel View.

I can tell you that we use a lot of Maple System HMIs and the security that these units provide is amazing. Whatever you can think of, I do believe it can be done with these units.

I have one location where the end user controls the location by "remote access" and there are 5 users. All 5 users have a different level of access, so each user only sees the objects that have the same security level access. And once any user logs out or the current user times out, the screen will automatically log the user out and revert back to the login page.

Works flawlessly!
__________________
David M. Camp

Marshall Electric / www.mei-tech.com

PLEASE READ: https://www.prlog.org/12642091-marsh...-industry.html

PLEASE READ: https://www.prlog.org/12680572-marij...hold-word.html
Old March 18th, 2018, 12:51 AM   #3
NathanA
Member
United States

Join Date: Aug 2017
Location: Arkansas
Posts: 6
Looks good. Are there any costs with the EZWarePlus Software? Licenses or such?
Old March 19th, 2018, 04:44 AM   #4
iraiam
Member
United States

Join Date: Jul 2011
Location: Right here
Posts: 133
Malware is a concern for any PC.

We use PCs extensively for HMI (rack-mount, industrial, and panel computers). Security is a concern. We use an antivirus for private networks solution. I currently have to install Windows security patches manually. I have been pushing for a Windows update server on our private control networks much like our AV update server.

There was a big push to patch all the Windows OS some months ago due to a few instances of companies/plants losing production due to malicious software infections on Windows machines.
Old March 19th, 2018, 07:01 AM   #5
damica1
Member
United States

Join Date: Aug 2015
Location: Illinois
Posts: 426
I do think the EZwarePlus is a one-time charge of $75.00, but after that, all of the updates are free!

It's been several years since we made the original purchase, so some things may have changed; just check with them, they are very helpful.
Old March 19th, 2018, 11:34 AM   #6
mk42
Member
United States

Join Date: Jun 2013
Location: MI
Posts: 1,812
In an ideal world, you can apply all the updates to every software package on the PC, with maybe a day of delay to allow for IT to test compatibility with current applications. We all know that ideal doesn't apply to most factory environments.

The best industrial PC security practices I've seen amount to making a standard, known good image, and then doing as much as possible to lock it down and prevent any changes to the system.

Between approaches 2 & 3 below, it makes it hard for viruses/malware to run on the system, and even if they can run, they will have trouble getting anything installed permanently.

1) Don't install anything from scratch on each IPC. Create a standard image, test that it works, and then deploy it on every new IPC you get. Obviously, this only holds true for stations that are identical. You may need multiple images for either multiple PC types or PC uses.

2) If you get an Enterprise/Embedded(/IoT?) version of Windows 10, they come with a feature called the Unified Write Filter. This is a new version (combines a few other things as well) of a feature I've used in Windows 7 called the Enhanced Write Filter. Essentially it intercepts writes to your disks (depending on how you configure it), and writes those to a RAM disk instead. The PC keeps operating as "normal", but no changes are made on the disk. The PC is theoretically in the exact same state every boot.

I've generally seen it where the system partition (C drive) is protected by the write filter, but a D: drive for data is left open. That way you have a place for data logging, etc. Depending on the system, HMI projects may need to be stored on the protected drive to avoid tampering.

3) Antivirus software is good, but it is best in a situation where you don't know what software is supposed to be on the PC, and therefore you have to try to detect known bad things. For Industrial environments there is a better approach, called Whitelisting. Essentially, instead of a traditional blacklist based antivirus searching for bad software, and trying to prevent it from running or delete it, the whitelisting software takes a snapshot/signature of the known good software, and then doesn't allow anything else to run.

I've had a few customers who have had success with McAfee Application Control as a whitelisting solution.
  Reply With Quote
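The snapshot-and-compare idea behind points 1 and 3 of the post above, as an added example that is not part of the original thread and not how McAfee Application Control or any other product works: it hashes the executables of a known good image and classifies what it finds on a station. The file types tracked, the directory layout and the verdict names are assumptions, and the script only audits; it does not block execution.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed set of file types treated as "software" for this example.
EXEC_SUFFIXES = {".exe", ".dll", ".bat", ".ps1"}


def snapshot(root: Path) -> dict:
    """Map relative path -> SHA-256 for every executable-type file under root."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES
    }


def audit(baseline: dict, root: Path) -> dict:
    """Classify each executable on a station against the golden-image baseline."""
    known_hashes = set(baseline.values())
    verdicts = {}
    for rel, digest in snapshot(root).items():
        if baseline.get(rel) == digest:
            verdicts[rel] = "allowed"
        elif rel in baseline:
            verdicts[rel] = "modified"  # same path, different content
        elif digest in known_hashes:
            verdicts[rel] = "known-hash-new-path"  # approved binary, copied or moved
        else:
            verdicts[rel] = "unknown"  # never part of the image
    for rel in baseline.keys() - verdicts.keys():
        verdicts[rel] = "missing"
    return verdicts


def demo() -> dict:
    """Constructed sample: a golden image directory and a drifted station."""
    with tempfile.TemporaryDirectory() as tmp:
        golden, station = Path(tmp, "golden"), Path(tmp, "station")
        for d in (golden, station):
            (d / "hmi").mkdir(parents=True)
            (d / "hmi" / "runtime.exe").write_bytes(b"hmi runtime v1")
            (d / "hmi" / "driver.dll").write_bytes(b"plc driver v1")
        (station / "hmi" / "driver.dll").write_bytes(b"plc driver patched")
        (station / "hmi" / "copy.exe").write_bytes(b"hmi runtime v1")
        (station / "tool.exe").write_bytes(b"not in the image")
        (station / "hmi" / "log.txt").write_bytes(b"data, not tracked")
        return audit(snapshot(golden), station)
```

The "known-hash-new-path" verdict marks the case where a purely hash-based allowlist would still let a file run, which is why it is reported separately from "allowed".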
Old March 19th, 2018, 11:46 AM   #7
mk42
Member
United States

Join Date: Jun 2013
Location: MI
Posts: 1,812
Quote:
Originally Posted by NathanA View Post
I'm debating the pros and cons of using Panel PCs instead of AB Panel Views.

My main question is, what is the best way to handle security on a full Windows 10 machine for HMI purposes? Thin clients etc...

Using Advanced HMI or any open source software, is it a good idea or are there pitfalls that I'm not aware of?

I'm just trying to help our process get away from unnecessary costs if possible.

Thanks in Advance.
I wrote one post that was just a general best practices in PC security, but it got long. This post will aim more directly at your situation.

From what I've seen, you can save a ton of money and get a better solution by getting away from AB Panel Views. I have a number of customers switching to Comfort panels from Siemens (and sticking with the Logix PLCs), but there are a ton of other options out there. Siemens is what I know, so there's a bit of sample bias in what my customers are doing.

If you want to go with a full Windows PC, you may have to get a little creative to replace what you had with a like product without increasing cost. Also, as you suggest, security becomes a much bigger issue. Generally an industrial PC + a screen (or an integrated PC/Screen combo) costs about the same as a dedicated HMI panel, and then you have to add in software costs. This means you either need a cheaper PC (and potentially lose the industrial hardening) or get a cheaper/free HMI software (this is where things like Adv HMI come into play). However, that choice doesn't affect the security discussion much; in either case the suggestions in my other post would apply.

Another option, as you suggest, is to potentially use a Thin client. You would need a server somewhere for the thin clients to connect back to. It will probably need a bunch of Virtual Machines. Standard features of VM packages like snapshotting will help protect your VM images, potentially booting from a known good point each time. It also greatly simplifies the management of the HMI stations. The downside here is that you also need some beefy (probably redundant) servers to run the HMIs on, plus a bunch of IT knowledge that most controls guys don't get into. If your IT dept will work with you on this, the costs might end up balancing out in your favor.