Microsoft Visual Studio .

NET
Customer Solution Case Study

Honeywell Builds Secure Process

Knowledge Systems with Microsoft

Overview “When we talk with customers, one of the

Country or Region: United States
Industry: Industrial Automation things that differentiates us is that we make
security part of the infrastructure of the
Customer Profile
Honeywell Process Solutions (HPS) system. It’s pervasive: it’s at every level, it’s
provides products and services to in everything.”
the process automation industry,
including cyber security for the Kevin Staggs, Control System Solution Planner, Honeywell Process Solutions
company’s large industrial and
Honeywell Process Solutions (HPS) builds and delivers
petrochemical customers. automation products and services to support a wide
Business Situation
range of heavy industries, including refining, chemicals,
HPS realizes the benefits of open pharmaceuticals, mining, and energy. The reliability and
technology and recognizes the need
to secure automation systems
security of control systems in these industries is critical
against abnormal situations and not only to efficient plant operation and business
nontraditional threats.
success, but also to the avoidance of failures and risk
Solution mitigation. Honeywell’s flagship product Experion®
HPS committed to continual
improvement in the security of its
Process Knowledge System (PKS) is a process
flagship Experion® Process knowledge system with key components based on
Knowledge System (PKS) product
and deepened its partnership
advanced Microsoft® Windows® operating systems
commitment with Microsoft to joint, and .NET connection software. Working in close
trustworthy computing.
collaboration with Microsoft, HPS has pioneered
Benefits groundbreaking methods of securing Windows-based
 Improved plant operations
 Outstanding collaborative support
solutions that improve the decision-making
for security effectiveness of plant operators under normal and
 Easy migration and integration
abnormal conditions.
Situation
Honeywell Process Solutions (HPS), a
business unit within Honeywell’s
Automation and Control business
segment, serves a U.S.$15 billion
installed-customer base and supplies
them with process automation
products. Clients depend on HPS for
the infrastructure that controls
complex production processes
involving high temperatures and
pressures typically found in
production industries such as energy,
chemical, and pharmaceutical.
In recent years, threats against open
systems have escalated the need for
securing computing infrastructures
within production facilities. In 2004,
the U.S. Department of Homeland
Security advised that refineries and
petrochemical plants are to be
considered potential terrorism
targets. This heightened reality has
given momentum to industry and
government initiatives aimed at
enhancing the security of industrial
facilities in ways that meet
nontraditional threat scenarios.
Says Kevin Staggs, Control System
Solution Planner at HPS, “Our clients
are operating some very sensitive
processes. A significant failure can
cause a plant to shut down or worse,
so everything we do is built around
safety and availability. When we talk
with customers, one of the things that
differentiates us is that we make
security part of the infrastructure of
the system. It’s pervasive: it’s at
every level, it’s in everything.”
Honeywell has long had a reputation
for delivering process automation
products that exceed the highest
standards for safety and security. Its
flagship system is the Experion®
Process Knowledge System (PKS).
Experion PKS is designed for
operators to monitor and control
complex processes. It gathers data
from a range of diverse sources,
including field sensors, control
equipment, and other supervisory
systems, then presents this data to
the operator through graphical
displays. A single point of access to all
process information helps improve
operator performance and ensure
safety.
Experion PKS comprises a Control
Execution Environment (CEE) at the
industrial controller level that controls
plant processes, using Experion
servers and databases to gather and
organize information, and Experion
stations to provide the human-
machine interface (HMI) with the
operator. At the industrial controller
level, HPS manufactures equipment
integrating proprietary, real-time
operating systems. Starting in 1996,
the server-level software has run on
Microsoft® Windows® operating
system platforms. Operator stations
run on Windows-based PCs and use
Microsoft Internet Explorer technology
as a basis for the HMI display. A
medium-size implementation might
include 15 operator stations and two
Experion servers.
The entire Experion PKS architecture
includes many products that securely
integrate into a complete
performance solution, as shown in
Figure 1.
Honeywell Process Solutions wanted
to introduce new features and
capabilities into Experion PKS. The
goal was to increase the level of
Figure 1. Experion PKS servers
and stations in the Experion
platform architecture.
information visibility between higher-
level business applications and lower-
level process control systems to
create a truly enterprise-wide
knowledge system for manufacturing
organizations. Any changes to the
HPS process automation software,
however, would have to meet two
stringent requirements.
1. All changes must accommodate
legacy technology. The industries
served by HPS depend on complex
systems with life spans of 15 years
and longer. “We need to be able to
integrate today’s technology with
controllers that we shipped in 1974,”
points out Staggs. “We will never
leave anybody behind, which creates
some very significant challenges.”
2. Safety and security must remain
priority one. Increased levels of
integration between the realm of
business applications and the world of
industrial controls might run the risk
of creating new susceptibilities and
possibilities for failure. Understanding
and eliminating such risk remains the
utmost concern of HPS when
considering any changes to Experion
PKS.
Solution
The most recent release of Experion
PKS, R300, represents the latest step
in Honeywell’s carefully considered
 plan to provide greater value to its
customers through the inclusion of
advanced Microsoft technologies. The
Experion server, which first migrated
from UNIX to a Windows platform in
1996, now runs on Microsoft Windows
Server™ 2003 operating system and
uses Microsoft SQL Server™ 2000.
Some of the Experion applications are
built with Microsoft Visual Studio®
.NET 2003 on the Microsoft .NET
Framework version 1.1. Technologies,
such as Windows Forms, provide
information from both the plant floor
and the business enterprise to human
operators on Windows XP operating
system–based client stations.
HPS developers use .NET-connected
technologies extensively in carefully
selected parts of Experion PKS,
particularly in its user interface
elements and offline configuration
tools. “Applications, such as
movement automation, blending
applications, and business
applications, are utilizing .NET,” says
Andrew Duca, System Architect at
HPS. “All our integrated tools used for
configuring and engineering a system
within our Configuration Studio are
“The new based on smart client technology
technologies coming and .NET.”
down the road in The user interface provided by the
Windows and .NET company’s own HMIWeb technology is
a particularly important component of
will help us the Experion PKS system because it is
accomplish [our] directly tied to the ability of the
operator to control processes
goal through efficiently. During system
constantly implementation, the HMIWeb Display
Builder is used to create custom
improving displays showing graphical
collaborative representations of processes (such as
pumps, valves, tanks, and pipes).
decision-support Animation and scripts can be used to
tools and better
change the visualization of the display
when changes occur. This
customization of Internet Explorer–
based display can be accomplished by
using .NET-connected technologies
like Windows Forms.
HPS has a Premier Independent
Software Vendor (ISV) agreement
with Microsoft and works closely with
Microsoft Partner Services on security
topics. In order to deploy secure
Windows-based server and
workstation products, Experion PKS
R300 uses a number of special
techniques that include:
 A series of scripts lock down the file
system and registry during the
installation of the operating system.
A series of local groups are created
and the system is locked down
based on those groups before any
HPS application is even installed on
the machine.
 Experion Server is installed onto a
Windows Server 2003 Service Pack
1 (SP1) platform, and the Experion
Server firewall feature is—by
default—on.
 A strict separation is enforced
between the process control side of
the system and the business
application side. A client on one
side never crosses the boundary to
access a server on the other side.
Server-to-server interactions across
that boundary are carefully limited
through protocols that require, for
example, special shadow servers.
 Increasingly, Experion products are
moving toward a domain model in
which an application must be
deployed into a Windows domain—
either the business domain or the
control domain. Eliminating trust
relationships between the domains
will compartmentalize risk.
“Our collaboration
 Group policy objects are used in
Experion deployments. HPS
onprovides
security
its groupwas a
policy templates
two-way street. The
(based on provided group policy
objects) for its customers to
HPS engineers
integrate into organizational units.
learned about our
In some cases, HPS scripts the
whole process of creating a domain
approach
and setting up to threat
security.
modeling, and they
Honeywell will continually place an
gave
emphasisus goodPKS security.
on Experion
feedback that we
Future versions will likely be built on
an even more compartmentalized
incorporated
model that will eliminateinto
all trust
our own
relationships between domains and
synchronization between machines.
methodology.”
To test the effectiveness of its
security measures, Honeywell’s
“white hat” teams stage network-
based attacks against the Experion
servers and stations.
Benefits
Safety and environmental protection
go beyond regulatory compliance,
with constant pressure to safeguard
people, assets, and profitability while
increasing efficiency. Honeywell
Process Solutions uses the power of
Windows to extend the role and scope
of automation for its customers. Using
Microsoft .NET software, Honeywell
continues to improve the ability of
plant operators to view and
comprehend processes in real time,
especially under abnormal conditions.
Improved Plant Operations
Experion PKS uses Windows operating
systems and .NET connection
software to help integrate process
control information with business
information in manufacturing plants.
Better visibility into enterprise-wide
information increases efficiencies,
improves uptime, and reduces plant
life-cycle costs for its customers. Not
only are the Windows-based servers
and workstations securely locked
down, but also their advanced ability
to gather, store, analyze, and present
information to plant operators can
actually improve the safety and
security of the plant under abnormal
conditions. Better information
delivered more quickly to the
operator can prevent or mitigate
catastrophic failures.
“Windows platforms will enable us to
build next-generation operator
environments that use best guidance
from the Abnormal Situation
Management Consortium,” remarks
Duca. “We are working toward an
integrated cockpit that brings exactly
the right information to the operators
at the exactly the right time, without
overloading them with too much non-
critical information. The new
technologies coming down the road in
Windows and .NET will help us
accomplish that goal through
constantly improving collaborative
decision-support tools and better
display technology.”
Outstanding Collaborative Support for
Security
Honeywell Process Solutions has
introduced the latest Windows and
.NET technologies into an
environment tightly constrained by
extreme safety and security
requirements. In collaboration with
Microsoft, Honeywell’s years of
experience and Six Sigma
methodology have enabled it to
pioneer some of the safest and most
secure methods in the world for
implementing Windows-based
systems.
The Microsoft Partner Services team Solutions, therefore, takes
provides both proactive and reactive tremendous advantage of Microsoft’s
support for development and extended product life-cycle policies to
deployment projects by HPS. support HPS customers over the long
According to Duca, “The Partner term. HPS helps its customers
Services team is a virtual extension of maintain older systems and augments
our development team.” those systems with new features and
capabilities that take advantage of
The benefits of close collaboration for the latest Windows technologies.
trustworthy computing are When it is time to upgrade, the
exemplified by the Threat Modeling continuity of the Windows platform
Workshop Microsoft delivered for the enables HPS to offer its customers a
developers and architects at HPS. clear upgrade path from any previous
Microsoft experts shared their internal point to the current product.
methodology used to test business
application security, then the
Microsoft and HPS engineers worked
together to determine how threat
modeling could best be applied to the
HPS systems. “Our collaboration on
security was a two-way street,”
according to Ned Curic, Strategic
Security Advisor at Microsoft. “The
HPS engineers learned about our
approach to threat modeling, and
they gave us good feedback that we
incorporated into our own
methodology.”

Easy Migration and Integration

Honeywell’s customers deploy the
latest Experion PKS servers and
stations, which are based on Windows
Server 2003 and Windows XP, right
alongside other systems that have
typically been in place for 10 years or
more. Everything about these
Experion products has been designed
to be safe, secure, and compatible
with the proven technologies of
Honeywell’s legacy process control
systems.

Customers in the automation industry

do not typically upgrade their
systems as often as do other
enterprises. Honeywell Process
For More Information
For more information about
Microsoft products and services, call
the Microsoft Sales Information
Center at (800) 426-9400. In
Canada, call the Microsoft Canada
Information Centre at (877) 568-
2495. Customers who are deaf or
hard-of-hearing can reach Microsoft
text telephone (TTY/TDD) services
at (800) 892-5234 in the United
States or (905) 568-9641 in Canada.
Outside the 50 United States and
Canada, please contact your local
Microsoft subsidiary. To access
information using the World Wide
Web, go to: www.microsoft.com
For more information about
Honeywell Process Solutions
products and services, call 1-877-
466-3993 or visit the Web site at:
www.honeywell.com/ps
© 2006 Microsoft Corporation. All rights reserved.
This case study is for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR
IMPLIED, IN THIS SUMMARY.
Microsoft, MSDN, the .NET logo, Visual Studio, the
Visual Studio logo, Windows, the Windows logo,
Windows Server, and Windows Server System are
either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or
other countries. All other trademarks are property of
their respective owners.
Document published December 2005
Microsoft Visual Studio Microsoft .NET Framework
.NET The Microsoft .NET Framework is an
Microsoft Visual Studio .NET is the integral Windows component for
rapid application development (RAD) building and running the next
tool for building next-generation Web generation of applications and XML-
applications and XML-based Web based Web services.
services. Visual Studio .NET empowers
developers to rapidly design broad- For more information about the .NET
reach Web applications for any device Framework, go to:
and any platform. In addition, Visual msdn.microsoft.com/netframework
Studio .NET is fully integrated with the
Microsoft .NET Framework, providing
support for multiple programming
languages and automatically handling
many common programming tasks,
freeing developers to rapidly create
Web applications using their language
of choice.
For more information about Visual
Studio .NET, go to:
msdn.microsoft.com/vstudio
Acquire Visual Studio .NET:
msdn.microsoft.com/vstudio/howtobuy
MSDN® Subscriptions:
msdn.microsoft.com/subscriptions
Software and Services  Technologies
 Microsoft Windows Server − Microsoft .NET Framework
System™ version 1.1
− Microsoft Windows Server 2003 − Microsoft Windows Forms
− Microsoft SQL Server 2000  Partner Solutions
 Microsoft Internet Explorer − Abnormal Situation
 Microsoft Visual Studio .NET 2003 Management® Consortium
 Microsoft Windows XP − Experion Process Knowledge
 Services System
− Microsoft Partner Services