Developers: IBM
Last Release Date: 2020/06/18
Technology: EAM
2020: Fix for a vulnerability that allows access to enterprise networks
A vulnerability in the IBM Maximo Asset Management system, discovered by Positive Technologies experts Arseny Sharoglazov and Andrey Medovy, can make it easier for attackers to penetrate the internal networks of large companies. This CMMS-class system is used to manage the maintenance and repair of production assets in pharmaceutical, oil and gas, automotive, space and railway companies, at airports, at nuclear power stations and in other sectors. Positive Technologies announced this on June 18, 2020.
The vulnerability, CVE-2020-4529, found in versions 7.6.0 and 7.6.1 of IBM Maximo Asset Management, is a server-side request forgery (SSRF) issue with a high severity rating (7.3 on the CVSS scale). It can allow an authenticated attacker with low privileges to send illegitimate requests from the system in order to scan the network or to develop other attacks.
"IBM Maximo Asset Management is used at large, systemically important enterprises, and vulnerabilities in it can attract APT groups that want to gain access to the internal network," says Arseny Sharoglazov. "The attacker can have low privileges: for example, a storekeeper who connects to the system remotely and enters items into the database; or his workstation, infected with a virus, can act as the source of the threat. The IBM Maximo web interfaces are, as a rule, accessible from all of the company's warehouses, and warehouses can be located in different regions and even in different countries. If this hypothetical storekeeper is connected through a correctly configured VPN, his access to the corporate network is limited, for example, to this system and mail. The vulnerability we detected makes it possible to overcome this restriction and reach other systems, where one can try to obtain, for example, remote code execution and, as the attack develops, access to all systems, drawings, accounting documents and the APCS network. Employees can sometimes also connect to IBM Maximo directly from the Internet, without a VPN, using simple passwords, which simplifies the attack."
The vulnerability also affects the specialized industry solutions Maximo for Aviation, Maximo for Life Sciences, Maximo for Nuclear Power, Maximo for Oil and Gas, Maximo for Transportation and Maximo for Utilities, as well as the products SmartCloud Control Desk, IBM Control Desk and Tivoli Integration Composer.
To eliminate the vulnerability, IBM Maximo Asset Management and the solutions and products connected with it must be updated to the latest version. Positive Technologies experts recommend using application-level firewalls (for example, PT Application Firewall) to protect against attacks through web vulnerabilities, carrying out penetration testing regularly, and providing access to internal-use systems only with certificates or through a VPN. In addition, automated security analysis and standards compliance systems, in particular MaxPatrol 8, help reveal web vulnerabilities in infrastructure in a timely manner.
2015: IBM Maximo Asset Management
As of 2015, IBM Maximo Asset Management is one of the platforms for end-to-end asset management systems. Systems built on it address a broad range of tasks in making property ownership more efficient over its whole lifecycle, namely: recording and analyzing real estate operating indicators, cutting the cost of maintaining and repairing equipment and units, and ensuring the continuity of maintenance and repair of operated facilities.
2010: Key functions of the Maximo suite
According to information from 2010, the Maximo system is aimed at supporting the full range of an enterprise's assets throughout their operational lifecycle and ties asset management to the overall business strategy, addressing the following main objectives:
- increasing capital productivity;
- reducing the cost of acquiring and using assets;
- making better-founded decisions about assets;
- raising the level of services provided;
- ensuring compliance with the requirements of regulatory authorities;
- improving staff productivity;
- improving business flexibility;
- reducing the total cost of ownership of assets.
In software terms it is implemented as the Maximo Enterprise Suite package, consisting of six key subsystems that make it possible to successfully manage available assets (including production facilities, buildings and structures, and vehicles), work, purchasing, services, warehouses and contracts in pursuit of the company's main business objectives.
This specialized product allows the director, the chief engineer, the staff of the asset repair and maintenance service, and the staff of all other divisions involved in asset management, repair and maintenance processes to perform their functions more effectively, reducing the enterprise's asset maintenance and repair overheads.
Using the system makes it possible to see all of the enterprise's assets from the inside, to see how your equipment and main systems are functioning, and to see where and how costs can be minimized, what is hindering profit growth, and how productivity can be increased. You will be able to quickly obtain consolidated information from the most remote divisions of the organization and, if necessary, drill down to the level of the asset, spare parts and materials, investigating and analyzing the business and finding ways and opportunities to improve it and to deal with existing problems.
Thanks to the MAXIMO system, the transparency of your business with respect to capital assets increases, i.e. the business becomes more manageable.
At the same time, MAXIMO does not require radical changes or a reorganization of the business and does not replace other specialized applications in use at the enterprise (accounting, personnel and so forth). These applications can use information that comes from MAXIMO. MAXIMO extends their functionality, coexisting peacefully with them and fulfilling its purpose: increasing the manageability of assets.
A distinguishing feature of the MAXIMO system is that it increases the manageability of the enterprise's assets while reducing the cost of servicing them. In this regard, MAXIMO makes it possible to do the following:
From the point of view of the head of the enterprise:
Make correct and timely decisions: about decommissioning unprofitable assets, acquiring new assets, the need to upgrade and reconstruct existing assets, the need to optimize MRO costs, etc.
Heads of many enterprises want to make well-founded decisions on taking a particular asset out of operation because it is unprofitable for the enterprise. Without all the information on the real status of assets at hand, it is difficult to identify problematic, unprofitable assets and to make decisions on upgrading or liquidating them.
Thanks to the MAXIMO system, heads of enterprises can receive information, both as reports and in real time, on the following:
- What assets are available, and where are they?
- What are their status, cost and importance to the business?
- What processes and transactions are carried out with assets throughout the lifecycle?
- What are the maintenance and repair overheads for assets?
- Who is responsible for each MRO process for each asset type?
- When do fixed assets need major repair or replacement?
- How well do existing MRO processes meet business objectives and market demands?
- etc.
In addition, MAXIMO makes it possible to apply modern methods of accounting for and writing off the costs of repairing and servicing the enterprise's assets. Costs are written off "selectively" for each asset of the enterprise, which makes the process completely transparent and justified and allows cost statistics to be kept for each asset.
From the point of view of the head of the asset maintenance and repair service, the chief engineer and the chief technologist:
Control and coordinate the execution of equipment maintenance and repair work.
When controlling and coordinating repair and maintenance work on the enterprise's assets, it is extremely important for managers to obtain the information they need with the required accuracy and on time. If information support for managers is poorly organized, situations can arise in which decisions have to be made almost "blindly", based on incomplete or late information.
MAXIMO makes it possible to monitor, in real time, the execution of planned and unplanned work on maintaining and repairing the enterprise's assets, to control costs and to make decisions quickly, coordinating the work of the relevant service.
From the point of view of the staff of the asset maintenance and repair service:
Carry out high-quality work planning simply and conveniently.
MAXIMO considerably simplifies the planning of preventive maintenance and repair work on assets, providing the person doing the work with all the necessary information and tools.
Two main objectives are thus achieved: the cost of work planning falls, and the quality of planning rises.
For a long time it was held that the ratio of scheduled to unscheduled repairs should not go beyond 90% to 10%. If this ratio was broken and unscheduled repairs increased, the scheduled maintenance plan was reviewed. In today's world of competition for advantage, it is important for enterprises to reduce the level of unscheduled repairs as far as possible, ideally to 0%, which is achieved by improving the quality of work planning.
In addition, with high-quality work planning, repair services are not left idle because required materials or personnel are missing, which in turn reduces costs.
It can be argued that the higher the quality of planning for preventive repairs and scheduled maintenance, the fewer asset breakdowns occur and the more downtime and hardware failures are reduced.
Respond quickly when problems or failures arise in the operation of the enterprise's assets.
A responsible person is assigned to each asset in the MAXIMO system. If a problem arises with an asset of the enterprise, information about it is immediately passed to the responsible person and to the support specialist who can resolve (fix) the problem. The response time to an incident is thus considerably reduced, and asset downtime decreases.
Simplify interaction and information transfer with other services that support the equipment maintenance and repair process: accounting, the finance division, the personnel department, the logistics department, the economic department, etc.
From the point of view of the finance division:
Obtain correct data and correctly processed financial documents from the places where business transactions are carried out in a timely manner, which considerably reduces the workload of the enterprise's finance and accounting division and, accordingly, reduces the cost of restoring and reissuing documents.
From the point of view of the economic department:
Implement effective accounting of all costs of repairing and servicing the enterprise's assets, which makes costs "transparent" and available for analysis from any angle. Obtain correct data in a timely manner for budgeting for a future period, which increases the quality of the budget and reduces the labor involved in drawing it up.
From the point of view of the logistics service:
Obtain information and actual data (statistics on breakdowns, failures and servicing difficulties) about the quality of goods and equipment purchased from suppliers, information on suppliers' fulfillment of their obligations, data on repairs carried out under warranty, etc.
To avoid situations in which the supply service, for lack of the necessary information, buys materials or tools of unsuitable quality, or buys them from a supplier that is negligent about its obligations to support the goods, it is convenient to have at hand all information on the quality of a specific supplier's goods and of the services it provides.
MAXIMO makes it possible to quickly obtain information on suppliers and, based on an analysis of this information, to make decisions on concluding contracts with them. The system thus protects the supply service staff against concluding unprofitable deals and reduces maintenance overheads through the use of reliable materials, components and tools.
Obtain information in a timely manner on the materials needed for asset maintenance and repair work.
Using MAXIMO, the logistics service staff have access to information about planned activities and about which materials and tools will be needed in the near future. This information makes it possible to plan the work of the supply service competently (avoiding all-hands emergencies and haste), to order the necessary materials and tools from suitable suppliers, and to ensure they are in the enterprise's warehouse by the appointed date.
This reduces costs by eliminating downtime in repair work spent waiting for the necessary materials.
Optimize warehouse stocks.
Often a large quantity of materials and spare parts that have long gone unused in equipment maintenance and repair is stored in the enterprise's warehouses. Storing such surpluses in the enterprise's warehouses can lead to a significant increase in costs.
MAXIMO makes it possible to optimize stocks of spare parts and materials so that they are available by the time scheduled or unscheduled repairs are carried out, but do not accumulate in warehouses and lie there as "dead weight".
Reduce the purchase prices of materials and spare parts by using a centralized purchasing service and consolidating orders into larger batches.
From the point of view of the safety engineer:
Reduce the risk of safety regulations not being followed during hazardous work.
MAXIMO makes it possible to inform those carrying out hazardous work of the safety regulations and the necessary protective equipment. This function of the system removes excess workload from the safety engineer and reduces the likelihood of a threat to human life and health.
2006
In the fall of 2006, IBM acquired the public company MRO Software, a well-known supplier of consulting services and software for service and asset management. Its clients include many of the world's largest enterprises, which use MRO solutions to effectively manage the purchasing, storage and decommissioning of assets (production equipment, installations, vehicles, software and IT hardware) in various industries, such as manufacturing, utilities, power, pharmaceuticals and communications.
MRO Software is one of the veterans of the computer industry. It was founded in 1968 (initially under the name PSDI), and since then its headquarters has been located in Bedford (Massachusetts, USA). Its key product is Maximo, a software system for managing strategic assets and services that can be used together with various ERP systems. Maximo works with various databases, including Oracle, Microsoft SQL Server and IBM DB2. The latest version, Maximo 6 (also known as MXES), is implemented on the J2EE platform as an SOA solution (a Web-centric version of this software first appeared in the previous version, Maximo 5).
During 2007, IBM completed the integration of the acquired software into its software family. The product, under the name IBM Maximo, is now developed as part of the IBM Tivoli software line.
- General catalog of IBM Maximo solutions (545KB)
- IBM Maximo technologies for increasing the flexibility of IT infrastructure and business (473KB)
- Asset and service management for smart transport operations (443KB)
- IBM services for implementing solutions based on IBM Maximo (271KB)
- Effective configuration management of complex assets (518KB)
- IT asset management processes using Tivoli Asset Management for IT: training based on an example of real IT processes (12.27MB)