I&C Exercise 1 - Event Monitoring

Scenario

In this exercise you will investigate abnormal behavior on an Engineering Work Station (EWS). As you investigate, you will also determine steps to mitigate this behavior. This exercise targets the EWS running within an Instrumentation & Control (I&C) environment.


Objective

This exercise will teach some of the basic tools available for performing investigations and audits on a Windows computer. You will learn skills in this exercise that will be used during the remainder of the lab exercises.


Exercise Steps & Questions

Step 1 - Log onto the EWS and Start TIA

Log on to the EWS using the following credentials:

  • Username: iaea
  • Password: iaea

After logging on to the EWS, start the Siemens Totally Integrated Automation (TIA) Portal by double-clicking the TIA Portal V13 icon on the Desktop of the EWS.

tia-desktop-icon

Step 2 - Open the TIA Project

Open the process by selecting IAEA_PROCESS in the Open Project window and then clicking the Open button.

tia-open-project

Step 3 - Connect to the PLC

Click the Online & Diagnostics tab on the left side of the TIA screen. Wait a moment for the screen to update, and then double-click on the PLC_1 icon found in the center of the screen.

tia-plc_1-open

The display should change to the screen below. This screen displays the online status of EWS/PLC communications. The EWS is now receiving real-time values from the PLC.

tia-plc_1-online

Notice that all the Input/Output (I/O) tags on the right of the screen have green checkmarks by them. This means that the EWS is properly connected to the PLC and receiving real-time values.

Step 4 - Simulate the HMI

Start a local runtime Human Machine Interface (HMI) screen on the EWS. Select Portal view (lower left corner of the window), and at the main menu of the TIA Portal, click the Visualization tab on the left side of the screen. Wait a moment for the screen to update and then select the Simulate Device button. Select the Simulate Runtime bullet on the right side of the screen, then press the Simulate runtime button. It will take a minute to start the simulation runtime and generate the HMI display.

tia-simulate-process

Interact with the process by clicking on the various buttons found on the HMI screen. You can do this on either the EWS runtime or directly on the HMI touch screen panel.

Questions

Step 5 - Run I&C Exercise 1

Open the Firefox browser and click on the Automated Lab Exercise bookmark. The Automated Lab Exercise Web Server is located at http://192.168.0.200. Click the Continue button and then click the Instrumentation & Control icon link. Click on the I&C Exercise 1 icon link. While watching the EWS screen, press the Run Exercise button. Do not log back into the EWS until the next step!

Question

Step 6 - Log back into the EWS

Log back into the EWS using the same credentials as before – username ‘iaea’ and password ‘iaea’.

Question

Hint: You can check the running processes on the computer using the Task Manager. This will display the running processes and applications along with information about who started each process. You can start the Task Manager by right-clicking the taskbar and selecting Start Task Manager or by pressing [Ctrl + Shift + Esc].

Step 7 - Review Event Logs

On the EWS, review the event log information by building a Microsoft Management Console (MMC):

  1. Press the [Windows Key + R], and run the following command: mmc.exe. When asked if you want to allow the program to make changes to this computer, click Yes.

run-mmc

  2. Add a Snap-in to view the Windows Logging information. Do this by clicking File, Add/Remove Snap-In… or pressing [Ctrl+M].

  3. In the list of Available snap-ins, select Event Viewer and click the Add button in the middle of the dialogue.

mmc-snap-ins

  4. When the Select Computer dialogue opens, ensure the Local Computer radio-button is selected and then click OK.

mmc-select-computer

  5. Now click the OK button to close the Add/Remove Snap-ins dialogue box.

  6. The MMC console will now have the Event Viewer (Local) available in the Console Root. Expand the Event Viewer tree and determine what information is available. Note: Some Windows Event Logs require Administrator permissions. If you are having difficulty at this time, please notify your instructor.

mmc-event-viewer-local

Questions

mmc-logon-information

Step 8 - Review Windows Firewall Logs

On the EWS, add the Windows Firewall Snap-in to your MMC Console by performing the same steps you used to add the Windows Event Logs: click File, Add/Remove Snap-In… and then select and add the Windows Firewall snap-in.

mmc-logon-information

Question

Step 9 - Disable Firewall Rules

Disable the Remote Desktop (TCP-In) rule in the Windows Firewall Inbound Rules. Right-click on the rule and select Disable Rule.

mmc-disable-fw-rule

Question

Additional Exercise

Alternatively, Remote Desktop can be enabled or disabled in the Control Panel. Open the Control Panel and type System in the search bar in the top right corner. Now click on the item to Allow remote access to your computer. Here you can disable or modify settings that govern Remote Desktop Access.

control-panel-remote-access
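
The review and mitigation in Steps 7 to 9 can also be scripted from an elevated PowerShell prompt on the EWS. The following is an added example, not part of the original exercise: it lists successful Remote Desktop logons from the Security log, then shows and disables the firewall rule named in Step 9. The 8-hour look-back window and the focus on Remote Desktop logons (event ID 4624 with logon type 10) are assumptions made for this example.

```powershell
# Added example: run from an elevated PowerShell prompt (the Security log
# requires Administrator rights, as noted in Step 7).

# Assumption: an 8-hour look-back window covers the lab session.
$since = (Get-Date).AddHours(-8)

# Security log, event ID 4624 = "An account was successfully logged on".
# Get-WinEvent reports an error if no events match the filter.
$logons = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $since
}

$remote = foreach ($e in $logons) {
    # Flatten the <EventData> name/value pairs of the event into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    # Logon type 10 = RemoteInteractive (Remote Desktop / Terminal Services).
    if ($data['LogonType'] -eq '10') {
        New-Object PSObject -Property @{
            Time    = $e.TimeCreated
            Account = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Source  = $data['IpAddress']   # address the session came from
        }
    }
}

# Who logged on over Remote Desktop, when, and from which address.
$remote | Sort-Object Time | Format-Table Time, Account, Source -AutoSize

# Step 9 from the command line: show the inbound rule, disable it,
# then show it again to confirm that "Enabled" now reads "No".
netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)"
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=no
netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)"
```

Compare the Time and Source columns with the moment your own session on the EWS was interrupted in Step 5.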
