Most manufacturing and mining operations could not operate without the scada systems that are responsible for the most complex and sensitive parts of their production processes. While on-line hacking is always a threat (the Stuxnet virus of 2010), in-house threats are also present as is the operation of systems by unqualified or unauthorised personnel. Lonmin decided to take steps to mitigate these risks.
Project goals
* Ensure 100% success rate when authorised users log into the InTouch software.
* Users must not be able to bypass the security by logging in as someone else.
* Eliminate the need for usernames and passwords which users often swap with one another leading to potentially dangerous situations such as unauthorised access to various functions.
* Provide an auditable trail of who used what and when.
* Simplify the log-in process by replacing the password with a fingerprint template. This would also eliminate the need for resetting passwords and unlocking accounts.
Challenges
In Windows XP, Windows Server 2003, and earlier versions of the Windows operating system, services and applications run in the same session as that started by the first user who logged onto the console. This session is called Session 0. With the release of Windows 7, Microsoft implemented changes to isolate services from user applications, making it harder for malicious software to run with elevated privileges. Doing this made Windows a much more secure operating system.
“This, however, meant that we could not implement the Biometrix intelligence as a standard Windows service as was requested, as it would simply not talk to InTouch,” says Eduan Marais, MES application development analyst at Lonmin. “So I developed the solution in a Windows forms application, but ran it as if it was a service. It starts as a minimised task in the taskbar that cannot be closed, so it is practically invisible, but we still had the luxury of interfacing with InTouch and communicating with users via dialogues if necessary.”
Wonderware allows communication via DDE. However, DDE is not available to Visual Studio 2010 anymore. An external driver was found on the Internet, called nDDE, which was incorporated into the solution to enable DDE communication between InTouch and the fingerprint reader.
“Since the fingerprint reader does not require a password, we had a problem as InTouch uses a username and password for ID authentication,” says Marais. “A management decision was taken to standardise on the password. This made sense because users no longer had the option to log in via the normal InTouch login screen, making personal passwords meaningless. And so the password was reset to be the same for all users.”
A username is saved to a fingerprint template on enrolment. Once the user uses the fingerprint reader to log into the application, the username associated with the fingerprint is returned, together with the standardised password. This is passed to InTouch via nDDE followed by the normal ID authentication procedure to log the user onto InTouch. This all happens in a few milliseconds.
Implementation
From development to implementation on the first workstation took two months. The administrators were then trained and users once the fingerprints had been captured, they were able to continue operations as normal.
The fingerprint software decrypts the user’s fingerprint and verifies it against the database to return the matching username. It returns an error if the authentication fails and anyone monitoring remotely can be made aware of the fact.
“The application monitors the fingerprint reader continuously and once a finger is detected, the software does the rest,” explains Marais. “It is important to note that the integration was done in such a way that no other systems had to change. Proper research saved us a lot of time, as we did not fall into the traps that exist with this type of implementation. This project also highlighted the fact that IT and production can work together to implement a solution that is useful to both.”
Benefits
* Software savings – by developing the application in-house, savings of around R1000 per workstation as well as the elimination of yearly licence fees were realised.
* Faster log-ins – no more typographical errors causing locked accounts. Forgotten usernames and passwords are also no longer an issue.
* Proper identification of users – Since users can no longer use one another’s passwords, it is now possible to know with certainty who was actually logged in and when. This is also important when tracing the root cause of a problem, since it is now possible to talk to the people who were involved at the time.
* Less administrative work – since usernames and passwords are no longer used, administrators do not have the tedious task of resetting passwords and unlocking accounts due to finger trouble.
For more information contact Jaco Markwat, Invensys Operations Management, +27 (0)11 607 8100, [email protected], www.iom.invensys.co.za
© Technews Publishing (Pty) Ltd | All Rights Reserved