Top 10 Portable Apps for SCADA System Integrator

Those who lived through the DOS and Windows 3.11 era will not have forgotten the good old days when a program could simply be copied around without worrying about an installation file, although the struggle then was squeezing files onto fragile floppy disks. Now we have memory sticks and USB thumb drives that can carry gigabytes of data, but most programs nowadays require an installation with many dependencies on Windows system files or on files in other directories, which makes them no longer portable.

Thanks to PortableApps.com we can now enjoy similar portability again, this time on large-capacity storage. It’s extremely useful for System Integrators, as they need to work across different systems. The beauty of PortableApps is that you can add any well-written application to the portable app directory. Alternatively, there is a simpler option, Portable Start Menu. Below are 10 applications, in alphabetical order, that are very useful when working at site.

  1. 7zip
    Is there any need for other file compression software? 7zip produces faster and smaller compression, especially in the 7zip format.
  2. Free Download Manager
    The Internet connection at site might be weak, so you may need a sophisticated download tool to fight for every byte of bandwidth. Free Download Manager is not packaged in PortableApps, but you can easily create a portable copy by opening the File menu and selecting Create Portable Version.

  3. Free File Sync
    Free File Sync is a very fast and efficient tool for synchronizing two directories, for backup or merging purposes. Although Free File Sync is not packaged in PortableApps, you can simply copy the whole directory from Program Files onto your portable disk and then uninstall it from your system.
  4. Mozilla Thunderbird
    An S.I. should be conservative and defensive, which is why Thunderbird is the choice. Generally, a desktop mail client provides a means to view the mail archive while offline, which is a likely condition at site. It is also an efficient way to send and receive mail over a poor Internet connection.
  5. Mozilla Firefox
    When there is any need or chance to use an Internet browser to search for information in limited time at site, you will want a browser with the settings you are used to. And you don’t want to leave any personal information behind.
    Other than Firefox, there are two other popular portable browsers that came later, namely Google Chrome and Opera.
  6. Notepad Plus Plus
    We are not aware of any better text editor, especially for engineering purposes.
  7. Libre Office
    Useful whenever you need to open a spreadsheet for calculation, or if your company’s service report is written in ODT format. Note that Libre Office is the successor of Open Office; you can simply regard it as the upgraded version of Open Office.
  8. Team Viewer
    This requires no further explanation.
  9. WinDirStat
    Over time, the database system at site very often runs into hard disk space constraints because of large temporary files that were copied or installed onto it during the project execution stage. It can be tricky to find out whether they were installed or stored by another system integrator. WinDirStat comes to the rescue by helping to find which directories contain files that occupy precious space unnecessarily.
  10. WinMerge
    WinMerge is not just for programmers; many engineering programs’ configuration requires text files to be edited, and WinMerge is an extremely useful tool for identifying the differences between files or even directories.

If you have ever checked an application’s version from “Support Information” in the Add or Remove Programs applet (or the Version column in the Programs and Features applet in Vista or above), you may have noticed that some applications (including IntegraXor) display a version number there that does not match the one in their binaries. This is because Windows fetches the version from the application installer. If the installer reports a different version from the one compiled into the binaries or, worse, does not report a version at all, you see a mismatch.

IntegraXor binaries and installer are developed using Visual Studio. The binaries’ version string is in MM.NN.BB.RR (major.minor.build.revision) format, while the Installer project only allows a version string in MM.NN.BB (major.minor.build) format. This caused the version mismatch between the IntegraXor “About Box” and the “Add or Remove Programs” applet.

A versioning scheme is not as simple as incrementing numbers; quite a few aspects have to be considered to keep it systematic and consistent. To ensure the About Box version matches the Support Information pop-up, we will now use a version string in MM.NN.BBBR.0 (major.minor.build+revision.0) format, where BBB is used for stable releases and R for beta numbering. A stable release will always have a trailing zero for R, and a beta release will have an incremental number counted from the last stable release.

For example:
3.60.4011.0 -> beta
3.60.4012.0 -> beta
3.60.4013.0 -> beta
3.60.4020.0 -> stable
3.60.4021.0 -> beta
3.60.4022.0 -> beta
3.60.4030.0 -> stable
… …

  1. + Added SQL Database Authentication with Read/Write level control.
  2. ^ Tag Watch List can be saved across sessions.
  3. ^ Server stability improvement.
  4. * Debugging message in status output window will be hidden when debug mode is turned off.

Project Editor Database Configuration

Every database can have its own read and write level settings, which are associated with the User level/privilege setting. Note that the default level for both read and write is nil, which means no security; this is to preserve compatibility with previously developed projects. Users must manually enter a higher security level as per project requirement.

SQL Authentication Vulnerability

IntegraXor 3.6.4000.5 adds Read and Write level columns to the database table, which allow the user to configure a security level for each individual database entry. Now only users with a security level higher than or equal to the read level can browse trend and alarm data, and only users with a security level higher than or equal to the write level can acknowledge alarms. The credit for finding this vulnerability goes to the Security Researcher from Virtual Security Research who reported it to ICS-CERT on 22nd December 2010.
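
The read/write level rule described above, including the nil default, modelled as an added example (not IntegraXor's own code). The database names, user levels and action names are constructed, and treating an unauthenticated request as having no level is an assumption.

```javascript
// Added illustration, not IntegraXor source. Database names, levels and
// action names are constructed for this example.
const READ_ACTIONS = new Set(["browse_trend", "browse_alarm"]);
const WRITE_ACTIONS = new Set(["ack_alarm"]);

// null stands for the "nil" default level described in the text.
const databases = [
  { name: "legacy_plant", readLevel: null, writeLevel: null }, // upgraded project, defaults untouched
  { name: "boiler_house", readLevel: 2, writeLevel: 5 },
  { name: "water_intake", readLevel: 3, writeLevel: null }, // write level never filled in
];

// Map an action to the level column that governs it; unknown actions fail closed.
function requiredLevel(db, action) {
  if (READ_ACTIONS.has(action)) return db.readLevel;
  if (WRITE_ACTIONS.has(action)) return db.writeLevel;
  throw new Error("unknown action: " + action);
}

// userLevel is a number, or null for an unauthenticated request (assumption).
function isAllowed(userLevel, db, action) {
  const required = requiredLevel(db, action);
  if (required === null) return true;   // nil level: no security, anyone passes
  if (userLevel === null) return false; // a level is required but none was presented
  return userLevel >= required;         // "higher than or equal to"
}

// Configuration audit: list every database operation still left at nil.
function auditNilLevels(dbs) {
  const findings = [];
  for (const db of dbs) {
    if (db.readLevel === null) findings.push(db.name + ": read level is nil");
    if (db.writeLevel === null) findings.push(db.name + ": write level is nil");
  }
  return findings;
}

for (const line of auditNilLevels(databases)) console.log("UNPROTECTED " + line);
```

Running the audit over a project after upgrading shows which entries still rely on the compatibility default and need a level entered by hand.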

Along with this SQL authentication feature, we have also fitted in the improvement made to the Watch List: the Watch Window can now save a user-defined list across sessions. There is also a server stability improvement. Lastly, debugging messages in the status output are hidden when debug mode is turned off.

Summary of Event
  • 22-Dec-2010: ICS CERT Contacted IntegraXor support team. Technical report for the vulnerability is received.
  • 27-Dec-2010: IntegraXor development team acknowledged the vulnerability.
  • 11-Jan-2011: Security fix is issued as official release for general download.
  • 11-Jan-2011: Public announcement is made by IntegraXor support team.

Crossing into 2011 seems to be quite challenging for the IntegraXor team in handling security issues. However, we are very glad that several security researchers are helping us find security vulnerabilities and even helping us verify the patched release once a loophole is fixed. We wish to thank them, and also Kevin, Kathy & Bryan from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), who have been very helpful and responsible in verifying and coordinating.

In fact, it was our original idea to invite white hat hackers to find any vulnerability in IntegraXor SCADA, as we don’t believe in security through obscurity. Now that so many excellent security researchers have come by, we truly welcome them, and we are very pleased that we could respond and patch the vulnerability within a very short time frame. Thanks go to the development team, who carefully designed a well-structured architecture that can be easily improved and maintained.

SCADA Vulnerability Alerts

Having said and done that, we do not always respond fast to security issues that we judge not severe, especially vulnerabilities that require the physical presence of the attacker. Some security issues will also take us longer to fix when they involve a different GUI design, as we care a lot about user friendliness. We are also concerned about compatibility impact, as we wish to ensure that previously developed projects can be easily upgraded to the latest release, so that attackers will not be interested in developing malware targeting older versions of IntegraXor.

We wish to thank everyone again for making IntegraXor Web SCADA more secure than ever.

Further to our earlier security note about buffer overflow, the publication seems to have drawn more interest from security researchers: the Industrial Control System Cyber Emergency Team (ICS-CERT) has contacted us again, this time about a Directory Traversal attack. This vulnerability can be exploited by an attacker to download files from the SCADA server. Attack by deleting files is not possible, but we still took immediate action to patch this security issue in our latest official release, 3.6.4000.1. It can be obtained from our download link at http://www.integraxor.com/download/igsetup.msi. We urge our users, especially those who open their SCADA to Internet access, to upgrade to this latest version. In the meantime, please move any sensitive or confidential files away from the said SCADA server.
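
The defensive check that closes this class of bug in a file-serving web server, as an added example (not IntegraXor's code or its actual fix). The web root and request paths are constructed; `path.win32` is used because the server in question runs on Windows.

```javascript
// Added illustration, not IntegraXor source. WEB_ROOT and every request path
// below are constructed for this example.
const path = require("node:path");

const WEB_ROOT = "C:\\ecava\\demo\\www"; // hypothetical project web folder

// Map a raw URL path to a file under `root`, or refuse it.
function resolveRequestPath(rawUrlPath, root = WEB_ROOT) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawUrlPath); // decode exactly once
  } catch (e) {
    return { ok: false, reason: "malformed percent-encoding" };
  }
  if (decoded.includes("\0")) {
    return { ok: false, reason: "NUL byte in path" };
  }
  // Drop leading separators so the request is always relative to the root.
  const relative = decoded.replace(/^[\\/]+/, "");

  // Canonicalise first, then compare: ".." segments, mixed separators and
  // drive letters are all resolved before the containment test.
  const base = path.win32.resolve(root);
  const target = path.win32.resolve(base, relative);

  // Windows paths are case-insensitive; the trailing separator keeps a
  // sibling folder such as "www-old" from matching the "www" prefix.
  const b = base.toLowerCase();
  const t = target.toLowerCase();
  if (t !== b && !t.startsWith(b + "\\")) {
    return { ok: false, reason: "outside web root" };
  }
  return { ok: true, file: target };
}

// Constructed requests: one legitimate, the rest should be refused.
const samples = [
  "/graph/main.svg",
  "/..%5C..%5Cbackup%5Cconfig.txt",
  "/../www-old/report.txt",
  "/D:/other/file.txt",
  "/%E0%A4%A",
];
for (const s of samples) {
  const r = resolveRequestPath(s);
  console.log(s, "=>", r.ok ? r.file : "REFUSED (" + r.reason + ")");
}
```

Refusals are worth logging with the client address: repeated "outside web root" results from one source are a simple detection signal for probing.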

We take this opportunity to wish everyone Merry Christmas and Happy New Year!

Summary of Event
  • 22-Dec-2010: ICS CERT Contacted IntegraXor support team.
  • 22-Dec-2010: Technical report for the vulnerability is received.
  • 22-Dec-2010: Security fix is issued as official release for general download.
  • 24-Dec-2010: Public announcement is made by IntegraXor support team.
  • 24-Dec-2010: Security researcher Luigi Auriemma confirmed the vulnerability issue has been fixed.

  1. + Added the long-awaited innovative report module, allowing one-time layout configuration for both display and printout in one go.
  2. + Added setSql() and getSql() for more convenient database interactions.
  3. + Added table import/export function for faster data entry work.
  4. + Added OPC server into standard release.
  5. ^ PE save tables based on proper dependency order.
  6. ^ PE file view auto refresh.
  7. ^ PE text editor supports code folding for html and script files.
  8. ^ PE fix problem opening projects from MRU when there is 1 or more table already opened.
  9. ^ Server GUI port monitor splitter pane is now resizable.
  10. ^ Support system tags as alarm and script trigger.
  11. ^ Server script won’t cause stack overflow when the script calls itself.
  12. ^ Improved comm. establishment for OPC driver connection.
  13. ^ Improved system stability.
  14. * Driver treats connection as disconnected only if timeout.
  15. * Fixed various PE project saving bugs.
  16. * Fixed alarm task bugs.

3 steps report creation

A Simple Report Layout with Automated Archiving Interface Buttons

Earlier this October, the Industrial Control System Cyber Emergency Team (ICS-CERT), managed and operated by the United States Department of Homeland Security Control Systems Security Program, received a report from an independent security researcher of a vulnerability in IntegraXor. ICS-CERT works in coordination with US-CERT, with a focus on control systems cyber security. Below are the contact details for additional information.
US CERT Contact Info

The independent security researcher, Jeremy Brown, has indicated that previous versions (before 3.5.3900.10) of IntegraXor have a security vulnerability whereby an attacker may exploit the system on the SCADA server machine by using malware, badware or any type of virus that specifically targets IntegraXor. The IntegraXor development team immediately acknowledged and fixed the loophole, and the patched version has been released as “igsetup-3.5.3900.10.msi” and thereafter. Note that this security vulnerability has no impact on the client machine or Internet access.

As part of the procedure, we are making this public announcement on this vulnerability; however, before that we requested a grace period from ICS-CERT and the security researcher to announce this vulnerability by the end of 2010, so that our existing registered users can upgrade their previous versions accordingly. We urge our existing registered users who are still using any version earlier than 3.5.3900.10 to download the latest version from our download page and migrate their existing projects to the latest version ASAP, so that their SCADA systems will not be exposed to this vulnerability. Meanwhile, please ensure that the SCADA machine is protected by an anti-virus system updated with the latest virus pattern. We are truly sorry for the inconvenience caused and will support our users in migrating old projects to the current version of IntegraXor. Please contact [email protected] for any support issue.

Summary of Event
  • 06-Oct-2010: ICS CERT Contacted IntegraXor support team.
  • 07-Oct-2010: Technical report for the vulnerability is received.
  • 08-Oct-2010: Security fix is issued as Release Candidate for inspection.
  • 14-Oct-2010: Security fix is issued as official release for general download.
  • 15-Oct-2010: Security researcher confirmed the vulnerability issue has been fixed. Grace period of two months before public announcement is started.
  • 15-Dec-2010: Public announcement is made by IntegraXor support team.

It has been quite a while that we have held IntegraXor users to working on Inkscape 0.46. Finally our SAGE developer Teow has managed to spend some time migrating SAGE to the latest version, Inkscape 0.48.

Spray is not the only feature added in the Inkscape 0.48 release; there is a lot more to discover. But if you think you already have enough tools to draw a SCADA mimic, you will still be able to enjoy more stability. Anyhow, as we have discovered, many users do not use Inkscape SAGE just for SCADA, so just download this latest version of Inkscape and start spraying some snowflakes now!

Season's Greetings

Credits:

Snowflakes drawn by: molumen.
Snowman drawn by: TheresaKnott.

S.I. engineers need to be conservative; below are some best practices.

  1. Backup and Write Changelog

    Needless to say, creating backups is a very basic survival skill in project life. You should create a backup not only before leaving site, but also upon arrival, before making any changes, and whenever the work reaches a stage, even if there is still more to go. Create a “version.txt” or “changelog.txt” in your project directory. Name your backup file with the date: YYYYMMDD-HHMM.zip.

  2. Proper Naming and Documentation

    This sounds so easy, yet so few people do it right. Proper naming is needed in all aspects, from tag names, file names, directory names and project names to everything else. To understand proper naming, look at some keywords in bad naming examples: “new”, “old”, “latest”, “test”. These descriptions are only relevant for a few days; after that they become confusing.

    Additional project documentation is not “allowed” in most conditions, so you need to create tag names in a descriptive manner. Add descriptions wherever possible, as if you were explaining the system flow to a colleague; whoever takes over will appreciate it. And you will love it when you need to revisit the site 3~4 years later.

  3. Restrict Operator Access

    A plant operator’s working life can be boring at times, especially on the night shift. A SCADA system sitting idle can be very tempting to use as a game console or movie player, or to print some documents, since a SCADA system is normally equipped with a report printer. We don’t really mind them leaving the SCADA system running in the background; what we dislike is them inserting a USB drive infected with malware or any type of virus into the system and messing up the SCADA before the end of the warranty period.

    Running the SCADA with a fullscreen mimic will not work; you will need some time to acquire the skill to restrict operator access. Learn How To Use the Group Policy Editor to Manage Local Computer Policy in Windows XP.

  4. Install Antivirus Software

    No project budget? “Proven antivirus protection for free? that’s what I need.” Microsoft has released free antivirus software, Security Essentials. The S.I. engineer should install it and at least update it with the latest virus pattern before shipping the system to site. The project development and commissioning stages are when the system is exposed to the most threats; this is when you need the protection most.

    Most of the time the end user may not want to connect the server to the Internet, to avoid any misuse. As such, the antivirus software may no longer be up to date after a while. However, this is still better than nothing, and very likely it is recent enough to last for one year and block most threats. You don’t want to receive a call during the warranty period because a virus or malware is slowing down the system or hogging the network.

  5. Backup Disk Image

    Backing up data and restricting user access do not guarantee that the system will not become corrupted. Reinstalling the OS, patching security fixes and setting up programs, tools and databases are tedious, time consuming and no fun at all, and you can’t be sure that you or your colleague can restore the system to its original working state after being away from the site for a year or more.

    To ensure the original working condition can be restored, you will need to save the drive partition image; this is the best way to put things back exactly as they were left. This Taiwanese-made tool is our favorite: Clonezilla. Be aware, however, that it is a Linux-based program and you may need some time to learn it. Otherwise, go for a commercial package.

  6. Split System and Data Partition

    It is always good to store the Operating System and Program Files separately from Data Files. Data Files can be stored in a separate partition or simply on another disk, so that when the operating system becomes corrupted or behaves strangely, S.I. engineers can simply restore the System partition without worrying about the data. It is normally more convenient to do this split before rather than after a problem has occurred. For instance, you can easily restore a previously backed-up drive partition image into the System partition without overwriting the accumulated data.

    A newly purchased PC does not normally come split into two partitions in advance, so you will need a good tool to “Make your life easy!” Check out EASEUS Partition Master.

  7. Avoid Changes at Site

    The rule of thumb is “If it doesn’t break, don’t fix it.” This may sound as if the S.I. engineer is incapable of handling the work. However, the fact is that humans make mistakes, especially in a rush, under pressure, in an unfamiliar working environment, at a noisy site and so on.

    Any change, minor or major, must be tested for functionality. For instance, if you change a report layout, even just a title, print it before you leave. Who knows whether you accidentally disturbed the structure of the report and broke the entire report generation?

    If the customer does not mind paying for you to stand by and monitor for one more day at site, do it. Otherwise, try to convince your boss to let you check in to a hotel and stay until check-out time. Staying one more night is normally cheaper than traveling back to site. Prepare yourself with a book, video or anything else to fill your time, such as preparing your claim form. This gives the operator more buffer to test-run the system after your site service. Give the control room a call before you check out of the hotel; they will appreciate it. And because you know you will be eating your own dog food, this will force you to do an extremely careful job while you are at site.

  8. Use Remote Access Program

    If the site has an Internet connection, train the site operator to start up TeamViewer. Otherwise, spend a little budget to install a modem at site, so you can call the operator to plug in the phone line and then dial in to check what’s going on. This is far cheaper than traveling to site.

  9. Don’t trust site personnel completely

    When you have to talk to an operator, either at site or over the phone, use your own judgment. Use the system event log to track what has happened. You can’t expect an operator who has messed up the system to tell you the truth. Firstly, s(he) doesn’t want to be scolded by the boss; secondly, they don’t want to void the warranty.

    And when you have to ask questions, especially over the phone, make sure you ask open questions. Don’t ask “can you see the button on the top right corner?”; a better question is “What can you see on the top right corner?”. If the operator answers “a Blue Tank”, then you know he could be on the wrong screen.

  10. Stick Name Card on Site PC

    Do not try to avoid calls from customers; that is like avoiding facing the problem, if any. What a good engineer should do is stick his/her business name card onto the site PC to be very accessible to the customer. This is a simple, good marketing channel, and you will gain a good reputation by doing it. And the best way to keep the customer from calling you about problems is to do a good job.

Disclaimer: None of the listed methods or tools is associated with or warranted by ECAVA or IntegraXor. You take full responsibility for using any of them.

256 colors are not necessarily required in most cases. Enter a 6-digit (256bit) color code and check the outcome in 3 digits (16bit). If the difference is acceptable, you can save 3 characters every time a color is used.

Below are steps to create IntegraXor database in Microsoft SQL Server Express 2008, replace “project_id” with desired name in the steps:

  1. Create a folder for database storage, for instance “c:\ecava\database\project_id”.
  2. Execute the following script in SQL Server Management Studio to create the database:

    USE [master]
    GO
    CREATE DATABASE [project_id] ON PRIMARY
    ( NAME = N'project_id', FILENAME = N'C:\Ecava\Database\project_id\project_id.mdf' , SIZE = 266240KB , MAXSIZE = UNLIMITED, FILEGROWTH = 1024KB )
    LOG ON
    ( NAME = N'project_id_log', FILENAME = N'C:\Ecava\Database\project_id\project_id.ldf' , SIZE = 219264KB , MAXSIZE = 2048GB , FILEGROWTH = 10%)
    COLLATE SQL_Latin1_General_CP1_CI_AS
    GO

  3. Lastly execute the following script to create the needed tables:

    -----------------------------------------------------------------------
    -- table
    -----------------------------------------------------------------------

    --drop table alarm;
    CREATE TABLE alarm (
    time_stamp datetime NOT NULL,
    event_id int NOT NULL,
    tag_id int NOT NULL,
    tag_name varchar(64),
    group_name varchar(64),
    description varchar(255),
    state int,
    data_type int,
    nvalue float,
    old_nvalue float,
    svalue varchar(255),
    old_svalue varchar(255),
    [message] varchar(255),
    inactive_timestamp datetime,
    ack_timestamp datetime,
    ack_user varchar(64),
    constraint alarm_pk PRIMARY KEY (time_stamp, event_id, tag_id)
    );

    CREATE INDEX all_alarm ON alarm (state, ack_timestamp);
    CREATE INDEX updated_alarm ON alarm (state, ack_timestamp, time_stamp, inactive_timestamp);
    create index purge_alarm on alarm (time_stamp);

    --drop table audit;
    CREATE TABLE audit (
    time_stamp datetime NOT NULL,
    event_id int NOT NULL,
    tag_id int NOT NULL,
    tag_name varchar(64),
    group_name varchar(64),
    description varchar(255),
    state int,
    data_type int,
    nvalue float,
    old_nvalue float,
    svalue varchar(255),
    old_svalue varchar(255),
    [message] varchar(255),
    inactive_timestamp datetime,
    ack_timestamp datetime,
    ack_user varchar(64),
    constraint audit_pk PRIMARY KEY (time_stamp, event_id, tag_id)
    );

    CREATE INDEX all_audit ON audit (state, ack_timestamp);
    CREATE INDEX updated_audit ON audit (state, ack_timestamp, time_stamp, inactive_timestamp);
    create index purge_audit on audit (time_stamp);

    --drop table [log];
    CREATE TABLE [log] (
    time_stamp datetime NOT NULL,
    tag_name varchar(64) NOT NULL,
    tag_id int,
    state int,
    data_type int,
    nvalue float,
    svalue varchar(255),
    unit varchar(16),
    constraint log_pk PRIMARY KEY (time_stamp, tag_name)
    );

    CREATE INDEX trend ON [log] (nvalue, state, time_stamp, tag_name);
    create index purge_log on [log] (time_stamp);

    --drop table persistence;
    CREATE TABLE persistence (
    time_stamp datetime NOT NULL,
    tag_name varchar(64) NOT NULL,
    tag_id int,
    state int,
    data_type int,
    nvalue float,
    svalue varchar(255),
    unit varchar(16),
    constraint persistence_pk PRIMARY KEY (time_stamp, tag_name)
    );

    CREATE INDEX tag_name ON persistence (tag_name);

    --drop table userdata;
    CREATE TABLE userdata (
    [name] varchar(128) NOT NULL,
    data_type int,
    nvalue float,
    svalue text,
    constraint userdata_pk PRIMARY KEY ([name])
    );
    CREATE INDEX UDIndex ON [userdata] ([name]);

  • Updated front-end Alarm Viewer for faster loading over slow Internet connection.
  • Updated minor section of documentation.
  • Fixed stability issue for specific add-in module.

Recently we found that Firefox has changed the type of object of a function. Below is the test code:

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>FX function status test</title>
</head>
<body>
    <script type="text/javascript">
        function hello() {
            this.hello = "hello";
            this.world = "world";
            this.status = "status";
 
            var txt = this.constructor;
            txt += this.hello + " " + this.world + " " + this.status;
            document.getElementsByTagName('body')[0].innerHTML = txt;
        }
        hello();
    </script>
</body>
</html>

This test attempts to show what type of constructor the function ‘hello’ has in the browser, along with the properties ‘hello’, ‘world’ and ‘status’. As the screenshot shows, different browsers treat the function object differently, especially Firefox. The latest Firefox (in this case, version 4 beta 6) treats it as an Object, but previous versions of Firefox (3.6.3 or older) treated it as an object Window. Note that ‘status’ is missing from Firefox’s output compared to other browsers. This means Firefox prohibits the use of “status” as a property name. A property named “status” can only be used when it is in a Javascript class.

result in various browsers

On the other hand, one foolproof practice is to convert a function object into a new Javascript class like below:

function myFunc() {
    if (!(this instanceof Object)) {
        return new myFunc();
    }
 
    this.hello = "hello";
    this.world = "world";
    this.status = "status";
    return this;
}


This code will fail since Firefox 3.6.8+ updated its instance to Object (as shown in the screenshot). As a result, developers need to remove this interlocking code as it’s no longer useful; the workaround is to call it as a new function class when using it.
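
A guard that tests against the function's own type keeps working when the calling object is an Object, so properties such as `status` never land on the window. This is an added example, not code from the original post; `TagLabel`, `pageGuard` and `makeFakeWindow` are hypothetical names, and the fake window is a constructed stand-in for the browser's global object so the comparison runs outside a browser.

```javascript
// Added illustration, not code from the original post.

// Guard as written in the post: any Object passes it, so when `this` is the
// window the function writes its properties straight onto the window.
function pageGuard() {
  if (!(this instanceof Object)) {
    return new pageGuard();
  }
  this.hello = "hello";
  this.world = "world";
  this.status = "status";
  return this;
}

// Guard against the function's own type: only a real instance passes, so a
// plain call always falls through to `new`.
function TagLabel() {
  if (!(this instanceof TagLabel)) {
    return new TagLabel();
  }
  this.hello = "hello";
  this.world = "world";
  this.status = "status";
}

// Constructed stand-in for a browser window with its built-in status property.
function makeFakeWindow() {
  return { status: "" };
}

// Call both functions the way a plain call would bind `this` to the window.
function compareGuards() {
  const w1 = makeFakeWindow();
  const r1 = pageGuard.call(w1);
  const w2 = makeFakeWindow();
  const r2 = TagLabel.call(w2);
  return {
    pageGuardWroteToWindow: r1 === w1 && w1.status === "status",
    tagLabelLeftWindowAlone: r2 !== w2 && w2.status === "" && !("hello" in w2),
    tagLabelStatus: r2.status,
  };
}

console.log(compareGuards());
```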

  • Added find and replace.
  • Added always on top option.
  • Added email output support, which allows alarm to be sent via email.
  • Added Modbus driver string data type support and fixed ASCII mode bug.
  • Added interval timer support, configured via Timer table.
  • Added tooltip help for each column header in all table grid.
  • Added configuration for all drivers within PE.
  • Added: right-clicking a grid row header while no row is selected selects the entire row.
  • Added reloading persist tag upon database reconnect when tag not in memory.
  • Added web server retry during startup.
  • Removed millisecond support for schedule timer (replaced by new Interval Timer).
  • Removed or hid lengthy alarm statuses.
  • Fixed opc driver async configuration mixed up.
  • Fixed opc driver async mode reading.
  • Fixed timer issue with millisecond only contain a single number.
  • Fixed PE crash when trying to retrieve OPC servers list.
  • Fixed printer output issue.
  • Fixed front-end user login issue.
  • Fixed unnecessary alarm logging during project startup.
  • Improved OPC server DCOM setting not removed after OPC server is closed.
  • Improved OPC server does not overwrite existing DCOM setting if the setting already exist.
  • Improved output task so it shall close faster if printer output is invalid.