I agree, but what you suggest is impractical. Normally the consultant would have specified the requirements, and then chosen from a list of options given. Practically, all of those options would be Windows, because, guess what, it is the industry standard. Practically then, any contractor suggesting a different system would be at a disadvantage because they would be deviating from the de facto standard. Industry has so much momentum that changing from Windows is excessively difficult.
I call bullshit. Engineers often get tested for drugs and you don't last long in the business if found with drugs in your system. Most factories I go to test you and the mines are a heck of a lot worse.
His story is not credible. As an engineer I can tell you that they do do drug checks and spot checks at random and they can detect it going way back. If you are found with drugs in your system you will be removed from site and at minimum be doing a rehabilitation program very quickly. At maximum you will lose your job and be banned from site. Same goes for alcohol, but they normally then just bar you from site until you sober up. I had a friend who did pot once and found himself in a world of trouble when they did a random check on site. This is a world wide thing too. Even here in South Africa it happens like that.
He may be an old earth creationist. Or evolutionary creationist. Perhaps even a deist. To say one is a creationist doesn't mean one believes the YEC heresy... :P
I don't know hey. Given that these things dynamically overclock parts to when there is thermal/power headroom available, I would guess, yes, you would see it using tdp. Most processors under the right load should see tdp or close to it in the right loads. It might be tdp minus 2% or 3%, but close enough. If you have better cooling or a lower ambient, you might run into the power limit, which is generally set close to the rated tdp. But it all depends what your load is.
Power factor is a useless measure anyway. It is just a ratio. A bad power factor at 2W is not as bad as a bad power factor at 200kW. Use Vars instead. A much more useful value to have. Given the math of it I fail to understand why anyone is interested in PF. Source; I have designed PF correction systems (up to about 10MVars).
Well, which is a better target? A nuclear power plant or a water recovery plant for a mine in the middle of nowhere. Set up your security accordingly - lock down the nuclear plant tightly. The water recovery plant can go down for weeks until someone bothers to go fix it and plug any minor issues. Seriously, what's with all the paranoia on /. today?
Ethernet is actually good enough for a number of things if and only if the network is unloaded. Reading values from a Modbus based protection relay for example. The values are not critical and even if the network fails the protection relay will still trip, but they are useful values to have and mean someone doesn't have to keep walking into the substation to look at them. I can think of a number of other such use cases where ethernet/ip is more than good enough. For remote IO, I would use something better, like DeviceNET (RS485, basically). But even then, some remote ethernet IO is also good enough. It depends entirely on your use case. One size does not fit all. I am quite aware of the limitations of ethernet IP, and a lot of systems use the same physical layer as ethernet, but make special hubs (remember those?) mandatory instead of switches. I believe ethercat is one such system if you must know. In general ethernet IP is more than sufficient for any SCADA system (with a few exceptions). Time critical stuff should always be done in the (far more reliable) PLC not the (inherently suspect) SCADA system. But that is standard practice. Mostly. I have seen some horrible systems....
My skillset includes setting up linux security as well as programming PLCs and setting up windows security. I run various OS systems in industrial environments. But it is obvious you have never really worked with these systems? Your ideals are nice, but the real world called and wants to know if you'd like to meet for coffee sometime.
When people buy a machine they buy a machine. They don't think about the password because they bought a machine and they need no password to operate it. The salesman comes in and gives his spiel, and then they buy it. The SI or manufacturer password protects the PLC to protect his "IP" and that is that. It is annoying, yes, but I am more inclined to blame the SI/manufacturer than the customer. The customer's skillset does not include programming the PLC and if the system is made right, it should not have to. That is the point of the entire system - so that the customer does not have to worry about it. That is what sells. That is how it is, and how it works, and it is unlikely to change.
Well, ultimately the customer is going to care more about downtime than about security. Even if security has a nebulous risk (that they have not run into yet) of causing downtime. Where I work, we also remote into systems, sometimes directly over a 3G modem. It is a massive security issue, but the convenience sometimes trumps it. Admittedly you'd have to hack a private APN to get into the system, and then bypass the passwords. It is doable, I am sure, but it would be a lot of effort to go to to get into, say, a water recovery plant in the middle of nowhere.
Most of the PLC software I work with, thankfully, only requires activation once (or in one case not at all). Rockwell's system of software licensing and flashing the blasted PLC every time you need to do something that should be standard actually does them no favors with me. I will not recommend them to clients and I will only use them if the customer specifies that I do. I am much happier with an Omron or Mitsubishi system. Hell, I'll even take Toshiba over their stuff. Not to mention the terrible support I've gotten out of Rockwell. No thank you very much.
Ultimately there is a compromise on these systems between security and convenience. And that is just the way it is.
The top boss normally demands access to the SCADA in a monitoring mode. Or the SQL based reporting system at least, which should have a blame trail logged in it... Normally you don't want anyone but a qualified engineer messing around in a PLC.
"Passwords will be forgotten". I don't recall saying that. Perhaps let me spell it out for you AC. The password may never have been given in the first place. A common despicable tactic by some less scrupulous vendors and SIs.
As for "Linux will fix it", we know about that, and sometimes use it. However, there are other very good reasons for having your control network physically separate apart from security. Network load and response times spring to mind. But then Slashdot's default "throw linux at it and your problems will magically go away" response is hardly surprising.
I have found DeviceNET a pleasure to work with. Omron do it extremely well, and it is very easy to use. It is also sufficiently fast for most applications. My biggest hassle was connecting a Toshiba PLC to an Omron SliceIO system. Once it was working though, it worked exceptionally well. I'd much rather work with DeviceNET than ethercat or any of the other systems.
Ask him about the horror of OPC and DCOM. As a result of those two abominations most people just disable all security and add "Everyone" to all the lists in order to just get the damn thing working in a reasonable amount of time.
You are correct sir. We have never had to connect any PLC to the internet, and we deal with almost all manufacturers. Rockwell's horrible licensing scheme is why we don't use them so much. Other PLC manufacturers give SIs their software cheaply because that sells lots of hardware that way. Not Rockwell. I suppose it is better than Toshiba's "free" software (which I think was last updated in the 90s), but come on, don't Rockwell want to sell hardware? Even the evil Siemens practically fell over themselves trying to sell us their software, with demo versions and SI discounts. And the software from other manufacturers normally lasts more than a year before bombing out. Rockwell are near impossible to deal with for a small SI.
We normally try to get around the security issue (when an air gap is unpractical) by having a separate control network with one PC on both networks. This isn't the best of solutions, but it is probably the most practical we've come up with.
On the other hand, when the SI password protects the PLC so another SI can't get in and fix the system (because the first SI is now out of business), now we can get in and do it without re-engineering the whole system. Sometimes low security has benefits.
90% of the security we implement is air gap. Once someone has physical access to the control panel, you've lost anyway, they could start swapping wires and pulling relays if they wanted. If the system must be on a network, we put it on a physically separate network, with at most one SCADA PC on both (because the client demanded it). Still, you can set up a nice secure(ish) system, and two weeks later the client's IT department has screwed it up completely.
The major catastrophe you're waiting for is actually surprisingly unlikely. Sure a malicious person could cause a lot of damage, but from what I have seen people are more interested in stealing stuff than blowing it up. Why go to all the effort of destroying the mill on the goldmine when you could go to all the effort of smuggling gold out? They'd rather get on the internet to check their facebook, and once they realise the control PC is not on the internet they don't care anymore.
Interestingly some of them are coming out with GPRS/3G/CDMA modems as well in this country, which should also not interfere. Power line carrier can be a little problematic, from the utilities' point of view and 3G seems to work fairly well.
One might suggest you read your previous posts to find where you said what. If a god is interactive, it follows you can establish the correct position through interaction. Your tone appears emotional, which is fine, but not so useful for discussion. You do appear to have a dog in the fight, to use your expression. I see no reason to continue this. The truth of a matter does not depend on its advocates' abilities to defend it. Leave it at that. I intend to.
No worries. I am not defending any particular group or viewpoint. I simply don't discount the possibility because the advocates may be closed minded. The search for truth has little to do with who can debate better.
If you're debating only the Christian god, then you failed reading comprehension. Even so, the false dilemma remains. You are not considering all possibilities. I find your responses emotional, not objective. Therefore I do not see the point in continuing this discussion. Have fun.
Perhaps let me clarify. You seem to be stating that it does not make sense to talk about something we can not fully define, even if we may define parts of it?
So, you're saying nothing can exist which can not be defined by a human being? Sounds a lot like a philosophical position to me. Fair enough, but I see no reason to subscribe to that view.
Because it is the industry standard and they would be fired for suggesting otherwise? Wake up, the world isn't full of perfect ideals.
Nokia? Is that you?
That is actually a very good idea. Sort of what OPC UA is trying to achieve. It is a great pity nobody has implemented it that I can see.
OPC UA promises to fix all of this, but nobody is implementing it...