Category Archives: New Technology

Windows 10 Lean – Microsoft’s essential step (back) to the future?

29 April 2018

The report “Windows 10 Lean: Latest build offers first glimpse of Microsoft’s new cut-down OS” (1), published by Liam Tung on 24 April 2018 at ZDNet, made me really curious.

Why is the industry in desperate need of a cut-down Windows OS? To answer this question we need to dig into the history of computing.

Tandberg TDV 1200 Terminal. Picture credits (2)

In the nineteen sixties and seventies, IT business was largely based on host-based computing. Usually the end-user devices were character-based terminals with very restricted functionality. Business reports or letters were a real challenge on a Tandberg terminal with IBM ISPF. Individual changes to the user interface were usually limited to changing the highlight colors and the function key assignment.

Apollo Domain DN330 Workstation. Picture credits (3)

The introduction of server-based computing in the nineteen seventies was a significant benefit for the end users. Graphics-based workstations, often diskless, opened up new fields of application, e.g. desktop publishing, CAD or CAPE. Here, too, the users had only limited options to customize the user interface or to install applications.

With the introduction of Windows NT AS 3.1 in 1993 everything changed. For the first time an operating system had an easy-to-use graphical user interface, was easy to operate through this GUI, and had easy-to-use built-in peer-to-peer networking capabilities. This was the Wild West for the users.

Unfortunately, very often the Wild West ended up in chaos. With Windows 2000 everything was under control again. Server-based computing was the standard again, peer-to-peer networking capabilities were hardly used.

SAAS, e.g. O365, OneDrive, SharePoint Online, Box for Business or Google’s G Suite, eventually takes us back to host-based computing: The cloud is the new host.

Once the industry has adopted SAAS every interaction with the cloud is based on the HTTPS protocol. SMB and all the client-server and peer-to-peer networking capabilities of Windows are no longer needed. Even for printing the IPP protocol can substitute SMB.

Thus it is time to eliminate these networking capabilities from the OS. And with this, we eliminate all this EternalBlue, EternalRomance, WannaCry and NotPetya stuff because lateral movement depends heavily on the Windows Peer-to-Peer networking capabilities.

Chrome OS is Google’s answer to this trend. Will Microsoft follow with Windows 10 Lean?

From Liam Tung’s report we learn:

“Windows 10 Lean was revealed on Twitter by Windows enthusiast Lucan, who noted the heavily cut-down OS has no wallpaper and is missing apps like Registry Editor and Microsoft Management Console, as well as drivers for CD and DVD drives.”

From my point of view that’s not enough to deal with the IT security challenges the industry faces today.

Have a great week.


  1. Tung L. Windows 10 Lean: Latest build offers first glimpse of Microsoft’s new cut-down OS [Internet]. ZDNet. 2018 [cited 2018 Apr 24]. Available from: https://www.zdnet.com/article/windows-10-lean-latest-build-offers-first-glimpse-of-microsofts-new-cut-down-os/

  2. Picture credits: Telemuseet, Wikipedia, https://digitaltmuseum.no/011025208286/datautstyr

  3. Picture credits: Jim Rees, Wikipedia, https://commons.wikimedia.org/wiki/File:Dn330.jpg


Microsoft announces unbreakable Edge Browser with Windows 10 Fall Creators Update

4 November 2017

On 13 July 2015 Bromium announced a partnership with Microsoft to integrate the Bromium micro-virtualization technology in Windows 10. Two years later, on 23 October 2017, Microsoft announced the Windows 10 Fall Creators Update. With this update, Microsoft enhances System Center Endpoint Protection by many new security functions. The Bromium micro-virtualization technology is integrated in Windows Defender Application Guard (WDAG):

Windows Defender Application Guard makes Microsoft Edge the most secure browser for enterprise by hardware isolating the browser away from your apps, data, network and even Windows itself. WDAG protects your Microsoft Edge browsing sessions so if users encounter malware or hacking attempts while online they won’t impact the rest of your PC.

This sounds very promising! For details see this post published on 23 October 2017 in the Windows Security blog.

Unfortunately, currently only enterprise customers benefit from WDAG. I would appreciate it if Microsoft integrated WDAG as soon as possible into all Windows versions to allow consumers and small businesses to benefit from WDAG as well.

Have a great weekend.

Why is the industry so vulnerable to WannaCry and NotPetya style attacks? Part I

9 July 2017

“Germany’s BSI federal cyber agency said on Friday that the threat posed to German firms by recent cyber attacks launched via a Ukrainian auditing software was greater than expected, and some German firms had seen production halted for over a week.” The report “Germany says cyber threat greater than expected, more firms affected” published in the Reuters Technology News on 7 July 2017 is worth reading.

But the big question is: Why is the industry so vulnerable to WannaCry and NotPetya style attacks?

In my opinion, the main reasons for this are

  • the aging IT infrastructure, and
  • the built-in features of the Windows operating system.

Aging IT infrastructure

SMB Version   Introduced with Version        Year of Release
V1.0          Windows 2000                   2000
              Windows XP / 2003 Server       2001 / 2003
V2.0          Windows Vista / 2008 Server    2007 / 2008
              Windows 7 / 2008 Server R2     2009
V3.0          Windows 8 / 2012 Server        2012
              Windows 10 / 2016 Server       2015 / 2016

Table 1: SMB Versions

The source of today’s problems, SMB V1.0, was introduced with Windows 2000. With the end of the extended support for Windows XP on 8 April 2014, and Windows 2003 Server on 14 July 2015, Windows XP/2003 Server became a big security issue.

Nevertheless, systems with XP or Windows 2003 Server are still operated in data centers and industrial networks. Since these systems must exchange data with other Windows-based systems, SMB V1.0 cannot simply be switched off. Even Windows systems which support SMB V2.0 or higher must allow SMB V1.0 for data exchange with older versions.
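Before SMB V1.0 can be switched off on a file server, the operator needs to know which clients still depend on it. The following PowerShell script is an added example (not from the post) of that check: it turns on the SMB1 access audit, lists the clients seen negotiating SMB1 from live sessions and from the audit log, and disables SMB1 only when the list is empty. It assumes an elevated PowerShell on Windows 8.1 / Server 2012 R2 or later and that audit event 3000 carries the text “Client Address: …”.

```powershell
# Added example (not from the post): find the XP-era MES or maintenance
# PCs still talking SMB1 before switching the protocol off on this server.
# Assumes an elevated PowerShell on Windows 8.1 / Server 2012 R2 or later.

function Enable-Smb1Audit {
    # Log every SMB1 session setup (event 3000 in Microsoft-Windows-SMBServer/Audit)
    # without changing what the server accepts.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1Clients {
    param([int]$Days = 7)
    # Live sessions negotiated below dialect 2.0 are SMB1.
    $live = Get-SmbSession |
            Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
            Select-Object -ExpandProperty ClientComputerName
    # Historic SMB1 connections recorded by the audit log. The client address
    # is parsed from the event text (assumed format: "Client Address: x").
    $filter = @{ LogName   = 'Microsoft-Windows-SMBServer/Audit'
                 Id        = 3000
                 StartTime = (Get-Date).AddDays(-$Days) }
    $logged = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
              ForEach-Object {
                  if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
              }
    @($live) + @($logged) | Where-Object { $_ } | Sort-Object -Unique
}

function Disable-Smb1IfUnused {
    param([int]$Days = 7)
    $clients = Get-Smb1Clients -Days $Days
    if ($clients) {
        # Keep SMB1 until these hosts are migrated; the list is the migration backlog.
        Write-Warning "SMB1 still used by: $($clients -join ', ')"
        return $clients
    }
    # No SMB1 client seen in the audit window: stop serving it and remove the component
    # (on Windows Server use: Remove-WindowsFeature FS-SMB1).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Output 'SMB1 disabled; no client used it in the audit window.'
}

# Typical use: run Enable-Smb1Audit once, then Disable-Smb1IfUnused -Days 7
# a week later, after the audit log has had time to capture the real traffic.
```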

The big question is: Why does it take so long to shut down Windows XP/2003 Server? The answer is easy: Software and hardware manufacturers have not sufficiently cared about the software life cycle, at least in the past. Let me illustrate this with an example.

A package unit in the healthcare industry is a large machine with lots of built-in computers. Since package units are very expensive, they are operated for many years and extensively changed to support new products. With this, a package unit delivered in 2008 with embedded Windows XP control units may still be in use 24 hours a day in 2017.

The hardware of the computers is designed to control a high-speed packaging process. To ensure sustained high operational quality the manufacturer often allows neither the installation of anti-malware software nor service packs for the OS, not to mention the upgrade to newer versions of the Windows OS.

Since the MES (Manufacturing Execution System) copies files to and from the packaging unit through file shares on the embedded Windows XP control stations, the MES must communicate through the SMB V1.0 protocol. The same is true for computers used in remote maintenance. With this, a single Windows XP machine reduces the security level of an entire network.

The big challenge is to design maintenance-friendly industrial computer systems: An exchange of hardware and software components, which are near End-of-Life or which have reached technical limits, must be easily possible. This requires a change in the design of software in industry. In addition, hardware should be dimensioned such that basic security features like anti-malware protection could be operated.

Manufacturers were often not aware of the software lifecycle and its impact on cyber security and integrity of product and production in the past. A change is desperately needed, in particular with regards to the increased use of IIoT devices.

Have a great week.

IIoT is killing ISA 95!?

12 February 2017

At the end of his great post ‘IIoT is killing ISA 95 !! …a.k.a. the operators that talked to the CEO’, Antonio Buendia, Head of Manufacturing Process Control at Novartis, asks 3 questions:

“What do you think?

(1) Do you think that ISA 95 is dead, and we are going to have a series of devices each of them talking to each other? And those devices will be able to digest and process the information by themselves?

(2) Do you think that the IIoT will bring enhanced communication capabilities, but we still need to establish a hierarchy, a set of common rules for orchestration, but a new model has to be created?

(3) Or do you think that ISA 95, with some minor tweaks, is still the model of reference for the IIoT?”
There is no simple answer to this question. In my opinion the answer depends strongly on the issues one is going to solve with IIoT devices.

Even in the age of IIoT, ISA 95 will still be a reference model in production. Let me be quite clear: For just the execution of a manufacturing order the ISA 95 model will fit more or less well even in the age of the IIoT.

For other production related issues the ISA model may possibly not fit. Let me make this clear with an example:

For the execution of a huge production order it would be helpful to know in advance the likelihood of equipment breakdowns during the execution time. IIoT devices like smart pumps or smart valves are able to gather operational data. This data can be used for the prediction of the remaining run time of the devices. If the remaining run times of all devices are known, it is easy to predict whether a production order can be executed without major delays.

This is one possible added value we create from IIoT devices. Currently only a few manufacturers are collecting these data. The Industrie 4.0 concept goes far beyond the local collection and analysis of operational data. If the data is sent to the equipment manufacturer for further analysis, we can create more value from the data because the device vendor may correlate the data with the data from thousands of similar devices. With this, remaining run times can be estimated more accurately.

From my point of view, it is not necessary that an individual device contacts the vendor’s database to get details about its remaining run time. It is enough if the device management system does this job. I don’t think that the ERP system must be involved in this communication, at least during this analysis phase.

With this, my answer is: ISA 95 is still a reference model for manufacturing in the age of IIoT. But we have to develop other models or extend the ISA 95 model if we are going to turn the capabilities of the IIoT into EBIT.

Have a good week.

Unsecured IIoT devices in untrusted networks

28 January 2017

I am currently reviewing a draft of the German Federal Office for Information Security (BSI) about Operational and Control Technology. The goal of the paper is to define suitable requirements for IT security in OT.

IIoT devices, e.g. modern sensors like the Schneider Electric PowerLogic ION7650 power meter, offer many communication options, including an optional Ethernet port:

Schneider Electric PowerLogic ION7650 communication options

With the Ethernet port activated the power meter behaves like a standard web server which provides standard internet communication options for access, e.g. ftp via port 21, http via ports 80, 81 and 443.

The BSI paper introduces the concept of ‘required connections’ to communication partners outside the production network. This concept is based on the idea that production networks are isolated from a company’s office network as well as from the internet through security devices. The number of required connections, e.g. a connection from the ERP system to the Manufacturing Execution System (MES), should be kept as low as possible. In addition, required connections and the related communication endpoints must be specially protected to prevent misuse.

Lots of the PowerLogic ION7650 power meters are not operated in a production network. They are directly attached to the internet through an internet router, thus directly attackable by all internet users.

With this, each power meter creates its own production network, and every connection becomes a required connection. The major difference to the classic production network is that the power meter is far short of the protection capabilities a classic production network provides.

Thus, special attention has to be paid to the secure configuration of the devices and the attached internet routers during commissioning. Unfortunately, neither the service personnel setting up the device nor the operators seem to be aware of the dangers which result from these limited protection options, because lots of unsecured devices are directly attached to the internet.

It is not very likely that a single compromised power meter has an impact on the national power grid. But if an attacker is able to compromise hundreds or thousands of devices …

The BSI paper provides a comprehensive set of technical and organizational measures to OT organizations to deal effectively with IT security issues in production environments.

Nevertheless, I recommend that operators review the configuration of their devices and secure them. Besides financial loss due to malfunctions, unsecured devices can be hijacked and included in botnets.

Have a good weekend.

O2 not hacked – O2 customers victims of cybercrime

6 August 2016

On 26 July, The Register reported that “Hackers have gained access to customer data on UK telco O2 – and put it up for sale on the dark web.” The BBC Victoria Derbyshire Programme and Graham Cluley brought similar reports.

All reports made clear that O2 has not been hacked. BBC reports that “The data was almost certainly obtained by using usernames and passwords first stolen from gaming website XSplit three years ago to log onto O2 accounts. When the login details matched, the hackers could access O2 customer data in a process known as ‘credential stuffing’.”

Poor user habits, like recycling usernames and passwords, are indeed a major problem. But in my opinion many service providers are at least co-responsible because they do not sufficiently protect their customers’ account details.

Many service providers still have not enforced Two-Factor Authentication (TFA), although this technology is easy to implement and to use, in particular for high-tech businesses like O2. Even if account details are stolen, the likelihood of cyber-crime is dramatically reduced because the cyber-criminals have no access to the second factor.

From my point of view it is time that the regulatory authorities finally do their job and protect the citizens and businesses from cyber-crime. We need a European regulation which makes the use of TFA compulsory for all service providers. Unfortunately, this will not have any impact on the O2 customers because of the Brexit …

Have a good weekend.