Security CERT Global


SEC Automation: Choosing the Right Systems Integrator for your Automation Project


Many automation system projects run into problems in the late phases of the overall project schedule, when “unforeseen revelations” disrupt the careful planning of the various disciplines. Project stakeholders must account for the systems integration effort and scope in the overall project plan early in the process and treat it as a major project item.

Key criteria for selecting and evaluating your systems integrators:

  • Registered Professional Engineering Firm
  • Registered Professional Engineers

Affiliation with:

  • International Standards Association (ISA)
  • American Society of Mechanical Engineers (ASME)
  • Institute of Electrical and Electronics Engineers (IEEE)
  • Control System Integration Association (CSIA)
  • National Fire Protection Association (NFPA)
  • American Society of Heating, Refrigeration, and Air-conditioning Engineers (ASHRAE)
  • American Society of Plumbing Engineers (ASPE)
  • Institute of Validation Technology (IVT)
  • Project Management Institute (PMI)
  • National Society of Professional Engineers (NSPE)

Facilities and capabilities:

  • Controls and testing facilities: DCS, PLC and programming test bench, field measurement instruments
  • Computerized Drafting and Design Capabilities: Plant 4D industrial workgroup software, 3D modeling, Trane Trace, Crane Piping Analysis, AutoCAD, Microstation, MS Project, Genesis and other CADD programs
  • Preferred systems integrator status with the “[vendors named according to the organization's needs]”; experience with the applicable vendors' DCS/PLC architectures and with other DCS/PLC architectures

A typical submittal from an Automation System Integrator may include:

Corporate Overview

  • Company Overview
  • Areas of Expertise
  • Industries Served
  • Qualifications and Capabilities
  • Details of Key Team Members
  • Project Management & Project Execution

Overview

  • Services (project planning, design, etc.)
  • Process Engineering Services
  • Facilities Overview and Experience
  • Automation and Control Engineering Services with Experience
  • Process System Experience

Specification for selection of a System Integrator

General

The Process Automation and Control Company (PACC), also known as the systems integrator, shall be responsible for the final design and assembly of the control system. The system shall be designed to provide the control capabilities and functions indicated and implied by the drawings, control strategy and specifications, including the applicable electrical sections of the Organization's Master Specifications document, and to provide trouble-free operation with minimum maintenance. The system shall readily enable manual operation of all functions in the event of a component or control system failure.

The PACC scope of supply includes this section, the applicable electrical sections of the specifications, Variable Frequency Drives, and other system- and network-related sections.

Process Automation and Control Company (PACC)

The PACC shall be a single business entity located within (X) miles of the job site (local or national, based on your needs). All necessary engineering, programming, fabrication, service, and training shall be performed by the PACC, with no aspect of the project subcontracted to, developed by, or obtained from any person(s) or company outside the PACC.

The PACC shall be an authorized Systems Integrator for the “[named vendors applicable to the Owner's system]”, with documented experience in the design, assembly, testing, installation, commissioning and service of control systems for municipal water and wastewater facilities (or the applicable industry) of the same scale and complexity as this job, under its present company name, for at least (X) years.

In addition, at least one Microsoft Certified Professional Systems Engineer shall be on staff. All PACC employees assigned key roles on this project shall have a minimum of (X) years of related experience.

All HMI, PLC, DCS, RTU, MCC and control panels associated with the project and provided by the PACC shall be calibrated, commissioned and tested using system simulation equipment prior to delivery to the customer. The PACC shall carry General Liability Insurance and Professional Liability (Errors and Omissions) Insurance.

Fabrication

The PACC shall maintain an in-house panel fabrication facility certified by Underwriters Laboratories (UL 508 and UL 913) and Electrical Testing Laboratories (ETL).

All panels shall be laid out in a logical and functional order, with maintenance-friendly organization and permanent interior labels for easy recognition.

Fabrication personnel shall be skilled in their areas of expertise, with a minimum of ten (10) years of experience.

Service

The PACC shall maintain a service department supervised by a full-time Service Manager and staffed with dedicated, full-time, factory-trained field service personnel available 24 hours a day, 7 days a week. Field service capabilities shall include start-up services and on-site programming for DCS, PLC and operator interface (HMI) systems. The PACC shall also provide emergency control system repair, troubleshooting, testing, remote assistance via modem for quick diagnosis and repair, preventive maintenance and calibration service, documentation (O&M and drawings) maintenance, and system-wide training covering all related field instruments.

Warranty

The PACC shall perform the repairs, replacements, modifications and adjustments required to eliminate any defects in design or workmanship identified within the one-year warranty period. The PACC shall begin such work within 24 hours of notification by the Owner or Engineer and shall complete it within 48 hours of notification. Should the PACC fail to complete the work within this period, the Owner may proceed to complete the work, and in that event the PACC and its surety shall be liable for all reasonable costs incurred by the Owner.

Acceptable PACCs

The Process Automation and Control Company (PACC) shall be selected by the General Contractor from the following pre-approved acceptable companies:

[Pre-approved systems integrators listed here]

No equal is accepted unless modified by addendum, as required below for pre-approval. The Owner reserves the right, at its sole discretion, to reject any and all proposal submissions for an alternate PACC. The Contractor, sub-contractor, or submitted non-pre-approved PACC shall not be entitled to an extension of time or to any claim for damages because of extra and unanticipated costs, hindrances, delays or complications caused by or resulting from the Owner not approving the PACC for whatever reason.

PACCs not listed under acceptable PACCs

A PACC not listed under acceptable PACCs will require strict specification compliance, with no exceptions, and must be pre-approved by the Owner prior to bid. A submission packet from a PACC requesting pre-approval will include a copy of this and the above specification section with PACC notations as follows:

Each paragraph requires the PACC's initials in the right column, indicating specification compliance. Any area of non-compliance will be circled and explained. The following supplemental information should be attached to this document:

  • A list of a minimum of five (5) similar projects in size, complexity, and value completed within the last three (3) years, including for each system:
      • Names of the PACC employees involved
      • Detailed description and drawings
      • Cost
      • Names and telephone numbers of the owner's site individuals involved in its operation and maintenance
  • A company profile and description of the ownership and organization, including resumes of principals and key employees who will be working directly in the engineering, assembly, testing and commissioning of the system for this project.

Indicate who will be responsible for integrating the following parts of the project:

  • Project management
  • Human machine interface (HMI)
  • SCADA design
  • Telemetry design
  • DCS programming
  • PLC/RTU programming
  • Control system connectivity
  • Start-up
  • Training

A “Letter of Assurance” to the Owner will be included, stating that the employee responsible for his/her respective part of the project will remain the same individual throughout the duration of the project.
