Linked In Facebook Twitter YouTube PUMC Blog Subscribe (203) 743-6741

Monthly Archives: October 2019


Linkageless control technology makes boiler rooms more efficient and easier to operate 

In order to cut boiler room costs and solve end-user headaches, many boiler professionals are making the move to “linkageless” control systems. A linkageless system uses a burner with individual servos to control fuel and air ratios, and this in turn provides more savings to the end user. Some of the biggest benefits of linkageless systems include:

1)      Higher efficiency: O2 levels may fluctuate but will always return to position of highest fuel and electrical efficiency. In addition, turndown is often improved resulting in less cycling of the burner.

2)      Monitoring and communication: The system communicates via Modbus and reports on all functions. The main module monitors the positions of all fuel- and air-control devices. Any positioning error shuts the burner down safely.

3)      Automatic adjustments for ambient air and fuel changes: Linkage systems can cause major problems for technicians. Once all the linkage is set, the ambient air density may change, throwing the system off. In addition, instead of system readjustment every time there is a fuel switch, the positions of all servos are programmed and independent. This means that the system adjusts automatically to fuel/air ratio changes as well as fuel changes.

The new FlexFit system is an innovation in linkageless technology now being offered by Preferred Utilities Manufacturing Corporation. The FlexFit solution offers a less costly, less time-consuming retrofit to modern linkageless controls in the boiler room. Leveraging the industry-leading BMU (Burner Mate Universal) platform, the FlexFit can be used in new installations or be easily retrofitted into existing jackshaft control panels that use supported common flame safe guards. This solution is half the price of the BMU (with the same benefits), and a trained technical can install the FlexFit in one day.

Fuel savings are accomplished with parallel positioning combustion control with optional oxygen trim. Electricity savings are provided by the ability to control a Variable Speed Drive for the FD Fan. In addition to flame safeguard and combustion control, the FlexFit also includes optional draft control.

The FlexFit communicates to Building Automation Systems by Modbus or optional Ethernet. And because it is microprocessor-based and pre-engineered, the FlexFit is an economical alternative to more expensive PLC-based boiler controllers. The parts are in stock for immediate delivery and require no programming.

This is a control solution that delivers benefits for all members of your team. Owners will see savings through electrical and fuel efficiency, and they’ll have tighter control of boiler room functions. Managers will be able to get ahead of emergencies before they happen, and technicians will enjoy easy installation, in-and-out maintenance, and local support.

With a flexible design that is more affordable, more accessible, and more accurate, FlexFit is the retrofit solution you’ve been waiting for.

About Preferred Utilities Manufacturing Corporation:

Preferred Utilities Manufacturing Corporation is an engineering-based manufacturer of products for commercial, institutional, industrial and nuclear power facilities. Our products include fuel oil handling systems and components, boiler instrumentation and controllers, high quality burners, and nuclear power plant outage reduction tools and component parts. Continuous research and development are applied to our existing products and help us to lead the industry with new and innovative power plant solutions. Our manufacturing, engineering, and administrative headquarters is located in Danbury, Connecticut, and regional sales and service offices are located throughout the United States.


Luke Amory

  • YOU are at risk and have a responsibility to keep your online identities secure.
  • Use a password manager like Lastpass or 1Password.
  • Use multi-factor authentication hardware keys like a YubiKey or a Google Titan Key. Check twofactorauth.org for supported services.


Passwords– we all use them, we all loathe them, and they often fail us when we trust them to keep us secure. Everyday technology is becoming a more integral part of our lives but what largely hasn’t changed is the use of passwords as our primary method of securing our access to that technology. A password is a secret piece of information shared between a user and a computer or service that is used to identify whether a certain interaction is authentic. Because a password is just a piece of information, anyone who can obtain that piece of information is able to impersonate authentic interactions on the user’s behalf. This is often the greatest downfall of systems that rely exclusively on password protection. In 2018 alone there were more than an estimated 446 Million records exposed in data-breaches around the world (Identity Theft Resource Center (ITRC), 2018.) The data from these attacks often contains username and password credentials.

Thankfully, in the last decade most organizations now store passwords in a secure hash rather than storing the password itself. This means that even when a password data is exposed in a breach, an attacker needs to take a few more steps to reveal the user passwords. The secure hash used to store passwords is “non-reversible,” meaning you cannot undo the hash and derive the password. This means that the only way an attacker can learn your password is by repeatedly guessing inputs to the hash function until the output of the secure hash function matches that of the password contained in the data-breach.

Using modern computing technology, a well-equipped attacker can calculate these secure hash functions at a rate of approximately 100 Billion per second. As threats to our online security grow, it is imperative that we all take measures to secure our online accounts and Identities. What is a “great” password, though?

Each place we go to seems to have their own opinion and it feels like every time we create a password; we endure this process:

  • Password: bohemian TOO WEAK: MUST CONTAIN MIXED CASE
  • Password: BohemianRhapsody1975 ERROR: MUST BE LESS THAN 18 CHARACTERS
  • Password: Boh3m1anRhapsody TOO WEAK: MUST CONTAIN A SYMBOL
  • Password: Boh3m1@nRh@psody ERROR: WAIT! NOT THAT SYMBOL, TRY AGAIN
  • Password: Boh3m1anRhap$ody ACCEPTED

At the end of this process, what are we left with? A password that is difficult to remember. So, what do we do? We write it on a sticky-note and stuff it under our keyboard and hope the IT person doesn’t come scold us. Or, we commit the password to memory and end up reusing it everywhere, exposing ourselves to more risk.

The worst part is that this password isn’t even very secure.

Threats to your Online Security

There are many ways to strengthen a password. The key is to find a balance between something that is secure and something that is easy to remember. To identify what strengthening techniques work best, we need to look at the threats to your password’s security. Attackers are very resourceful and can range in capabilities from an individual to a nation state with literal armies and virtually unlimited resources. The best defense tool anyone can have is to avoid being targeted all together.

The ratio of capable attackers and vulnerable individuals makes it generally unlikely that unless you are a public figure, CEO, political activist, or enjoy Facebook flame wars; you will never become the victim of a targeted attack. That being said, there is a good chance that you will be compromised by a more indiscriminate attack that compromises many accounts at once like a data breach detailed above. These attacks can be largely mitigated by taking a few steps to better secure your online identities.

The first step in increasing the security of any online account is increasing the length of your passwords. By increasing the length of your password, you are making it more difficult for an attacker to preform what is known as a “brute force attack.” A brute force attack is when an attacker will hash every possible combination of characters up to a certain length. This process becomes exponentially more difficult as the password length increases. For example, if you are using a simple password that is 8 characters long, a resourceful attacker can try every combination in about 3 seconds. If you just increase the length of that password to 12 characters it will take 2 weeks to crack. In the same way adding mixed case, numbers and symbols will also make brute forcing much more difficult. A simple password with only lower-case letters has a character set of only 26. A good complex password that includes mixed case, numbers, and standard keyboard symbols has a character set of 95. Using the same example above, if we instead use a complex password with a character set of 95 at a length of 8, the brute forcing process takes 19 Hours and a length of 12 takes 174 Thousand Years!

Generally, rather than trying every combination of every letter number and symbol, an attacker will perform what is called a “dictionary attack.” A dictionary attack will leverage a combination of previously exposed passwords and common words against the secure hashes. Just as increasing the length and character size exponentially increased the search space; using a dictionary exponentially reduces the search space and therefore the time it takes to crack a hash. Once the available dictionary elements have been exhausted, attackers will start permutating the dictionary with rulesets. These rulesets contain everything from simple substitutions like replacing ‘e’ with ‘3’ and more advanced rules for appending important dates, sports terms, and other regional vernacular to greater increase the likelihood of a successful crack. A resourceful attacker with a good dictionary and ruleset can crack around 70% of real-world passwords in a little under 15 seconds. The reason for this speed is that we all seem to use similar features in our passwords. Many seemingly secure passwords cracked with this method look something like: ‘Yellowstone987!’ and even though an attacker would be still calculating brute force hashes against this password until long after the heat-death of the sun; this password is still extremely vulnerable to dictionary attacks.

This seems to draw from the way we make our passwords. We start out with the intent of using ‘Yellowstone’ as our password and once a website or service presents us with rules for our password; we generally append some numbers and a symbol. Attackers are so successful because they tune their dictionaries and rulesets to account for this common behavior. For this reason, a new recommendation for creating ‘Great’ passwords needs to be inherently crack-resistant otherwise attackers can adjust their dictionaries and rulesets to combat the new method. An even more successful strategy that attacker uses is what is known as Phishing.

At one point or another we have all received an email with questionable intent, coaxing us into opening a file or click some embedded link. Attackers will craft these messages to either contain a webform disguised as your email provider’s login page or a file with a hidden program designed to exploit an unpatched vulnerability in your computer. Sometimes attackers can gather enough information about a single target that they are able to tailor the content of these messages to increase the likelihood of a successful attack. Some strategies can include impersonating a superior in your organization with an urgent request or masquerading as a vendor looking for immediate payment on their latest delivery. Targeted attacks such as these are known as Spear Phishing. In the event that an attacker is able to compromise your email account they gain foothold into your network of email correspondents and they can immediately launch many more spear phishing campaigns against your colleagues, customers, and vendors.

The main takeaway from this is that no matter how “great” your password is you will always be vulnerable to attacks like these unless you use other methods of authentication in conjunction with your “great” password. Once an attacker gets a hold of your password via brute-force, dictionary, or phishing attack, they will immediately begin what is called a Credential Stuffing Attack. More likely than not most of us reuse the same password in many places. Attackers know this and if they are able to get a hold of something like the login for your car insurance account they will attempt to use or “Stuff” that same username and password anywhere they can think of. I.e. Facebook, Email Accounts, Banking Accounts. Unfortunately, these attacks are another extremely successful way for attackers to compromise your accounts. It is for this reason that it is so important to use unique passwords for every account you have.


Now that we know what the threats are, how can we defend ourselves? To start let’s review the guidelines that help defend against the attacks detailed above. Use a Long Password Long Passwords increase the time it takes for an attacker to brute force or dictionary attack your password by exponentially increasing the number of possible combinations an attacker needs to guess before correctly guessing your password. Use a Complex Password with Numbers and Special Characters Complex Passwords with large character sets further increase the search space an attacker needs to guess through before they can guess your password; making it less vulnerable to dictionary. Avoid Passwords with Predictable Patterns Patterns like appending numbers and characters to the end of your passwords or replacing ‘I’ with ‘1’ do not add much security to your password and make it easy for an attacker to permutate these types of suffixes and substitutions. With these above rules in mind a great memorable password strategy is to string four common words together. XKCD, a STEM oriented comic explains it well:

To improve on this strategy, try to use uncommon words or words from other languages to increase the difficulty of a literal dictionary attack against your password. When adding numbers and symbols to a password like this avoid the space between words and rather insert in the middle of words without substituting an existing character. This password strategy is great, but it doesn’t help with these other guidelines that improve your security:

  • Change Your Password Frequently (Every 12 Months) Because data breaches often go undetected, changing your password on a regular basis reduces the likelihood that your password has been exposed by decreasing the amount of time an attacker can spend guessing your password.
  • Use Multiple Factors of Authentication Adding a second or multiple factors of authentication significantly reduces the effectiveness of phishing campaigns and drastically improves your security overall.
  • Use a Unique Password for Every Account By using unique passwords in many places, you will be protected from a compromise of one account permeating to the rest of your online identities.

It is easy to know these guidelines; it is another challenge to implement them in your online life. These rules do not scale well and as soon as you accumulate more than a few accounts, changing and storing many long and complex passwords pushes the limits of the human memory and discipline. These rules are just not practical. Without augmentation, even the most devoted individuals will have problems with these guidelines.

Thankfully, there are many tools that have been developed to help users manage their passwords. These password managers allow you to save all your account usernames and passwords in a single location that can be securely accessed on your computer or mobile device. In addition to saving your passwords, credit cards, and other sensitive notes, password managers can run as an extension to your web browser. This extension can automatically populate usernames and passwords fields with either your own passwords or passwords that are generated with a random series of letters numbers and symbols that make it impossible for a successful dictionary attack.

Overall these password managers mitigate all the attacks detailed above and drastically improve your online security. Lastpass & 1Password are both very full featured password managers that are well integrated with many mobile and desktop operating systems. Though a password manager greatly improves your defense against phishing attacks, it does not outright prevent them. Multi-Factor Authentication solves largely solves this by requiring users to provide more than one piece of information to assert their identity.

Traditionally, services will only require one factor of authentication, typically a password. A password would fall into the category of “something you know” which, as detailed above, can be a flawed system if used improperly. Other categories can include “Something you are” which covers biometrics like your fingerprint and iris. “Somewhere you are” is the process of observing locations of users to identify abnormalities. “Something you do” consists of monitoring your behavior and actions in comparison to previous interactions to identify impersonation. “Something you have” relies on your existing access to a device or service that can assert your identity such as an ID card, a cellphone with a rolling security key, or a physical hardware security key such as a YubiKey or a Google Titan Key. Not all sites support Multiple factors of Authentication. To check which services support Multi-Factor Authentication go to twofactorauth.org Google has produced some research on securing accounts with different types of Multi-Factor authentication.

As shown above hardware security keys and mobile push notifications are by far the most effective method for preventing account takeovers. These methods are largely immune to compromise from a remote attacker. Mobile Push notifications and hardware security keys can be simple and effective, but they are largely absent from many services portfolios as they are complicated for each service to implement correctly. There are other solutions such as storing rolling security keys in an app like Google Authenticator or Authy but this process is clunky and these are much more vulnerable to phishing attacks. SMS notifications are good enough for most people but can be vulnerable to targeted attacks that allow for SIM card spoofing and SMS network compromise. In summary, securing ourselves online is a responsibility that we all share. Making yourself more secure can be easy if you use a password manager and, when you can’t, use a more informed strategy for creating passwords like the one detailed above. For sensitive accounts like your email and financial services, implement some form of Multi-Factor authentication. If you feel that you may become the victim of a targeted attack, consider consulting a personal security professional.

Identity Theft Resource Center (ITRC). (2018). 2018 End of Year Data Breach Report. San Diego, CA: Identity Theft Resource Center (ITRC). Retrieved from https://www.idtheftcenter.org/wp-content/uploads/2019/02/ITRC_2018-End-of-Year-Aftermath_FINAL_V2_combinedWEB.pdf
Kurt, T., & Angelika, M. (2019). New research: How effective is basic account hygiene at preventing hijacking. Mountain View, CA: Google Security Blog.
Randall, M. (2019). Password Strength. Retrieved from XKCD: https://xkcd.com/936/


Pressure atomization depends on the oil pressure inside the nozzle tip to spray a fine mist of oil, very similar to a Windex spray bottle. The micronized oil droplets are flung into the burner head, where they are thoroughly mixed with the combustion air and ignited. As mentioned above, the pressure at the oil nozzle is the key factor in the atomization process; therefore, your oil pump and pressure regulator are the key components in this system. The pump needs to be able to meet the gallons per hour (gph) requirement for the burner/boiler to meet their load capacity. The pressure regulator is set in accordance to the firing rate which is normally between 100-300 (psi). The turndown ratio for a pressure atomizing burner is normally only 3:1 or 4:1.

However, Preferred has just designed and shipped our first high turndown, 6:1 guaranteed, pressure atomized API-AF burners.

These API-AF burners are UL listed for No. 2 oil firing, utilizing pressure atomization. We demonstrated a turndown of 8:1 on pressure atomized oil firing to the UL inspector, extending the normal turndown ratio which is usually only 3:1 or 4:1



Background: In the past, using anti siphon valves between the day tank and a generator has been discouraged due to the low vacuum capability of generator pumps. A generator fuel oil pump may only be able to pull 5 in. Hg. In addition, there is a filter installed between the day tank and the generator pump that takes a 2-3” Hg pressure drop. This means that only 2” Hg could be available to open an anti-siphon valve, which poses a problem for most designs. Engineers have addressed the need to prevent siphoning from a day tank by installing a solenoid valve that opens when the generator pump turns on. However, this solenoid needs to be wired and is dependent on the controls functioning properly.

Solution: Now, Preferred has a better solution! We now have an anti-siphon valve that will open with only 2” Hg of suction available, and it is designed for application between the day tank and the generator pump. In addition, this Low Vacuum Anti Siphon Valve is UL Listed. For diesel handling components, it is important to ensure the valves one is purchasing are listed by a an agency such as UL as it ensures compliance to a standard and that the product has been independently evaluated. This Low Vacuum Anti Siphon Valve is available in ½” up to 2” NPT.


Experts from Preferred Utilities help them identify their problem, and then get it solved.

The Block Island School in Rhode Island has been considering some major upgrades in 2019, and although they’ve hit a couple of snags along the way, Preferred Utilities Manufacturing was able to help them solve a heating oil problem that threatened to stymie their whole project.

Back in March, school staff discovered a troubling heating oil spill that needed addressing. The heating fuel spilled out of a vent pipe to the school’s roof and then onto the ground below, near the playground behind the school’s south wing.

In a recent article in the Block Island Times, Sam Bird (the town’s facilities manager) said that it was not an easy diagnosis. The culprit, he and the representatives from Preferred realized, was a check valve in the fuel supply piping that did not open to send the oil back to the main tank after an electronic control unit failed. 

“The valve had not opened, or had not had a reason to open, for years,” Bird said. With the valve stuck shut, the pump still going, and the return line closed off, the oil had nowhere else to go except out the roof vent. After a few minutes, the valve opened and the fuel flowed back to its tank, and no more oil spilled from the vent. To fix it, Preferred recommended that the school replace the electronic controls on the pumps and valves that supply fuel oil to the heating system. The new system will bypass the day tanks with new piping to create a closed system, preventing the same kind of spill from recurring

After the installation, Preferred will return to start the new fuel supply system and train town or school personnel to operate it.

In addition to addressing this fuel oil problem, the school’s operations staff also had the site tested for asbestos, and the results were negative. So they are good to go with their eagerly awaited renovation project!

Preferred is happy to have the opportunity to work with schools like the Block Island School to help them solve pressing issues in their physical plants. With winter weather looming, is your school or college looking at spending too much on heating?

Call us, and we’ll look for ways to increase your efficiency and save you money!


October is National Cyber Security Awareness Month. According to a study by the University of Maryland, there is a hacking attempt every 39 seconds. And, the average cost of a data breach in 2020 will exceed $150 million.

We live in a connected world. These connections allow for a pace of commerce and communication previously unimaginable.

As everything becomes more connected, threats to the cyber security of commercial facilities and industrial equipment grow every day.

Traditionally, when working with operationally sensitive equipment such as HMI/SCADA Systems, the established practice has been to “Air-Gap” your equipment and prevent any access from the outside world. Globalization, regulations, & advanced data analysis techniques have made this practice obsolete and costly to your bottom line. Plants that choose to be “Air-Gapped” lose out on new innovations that allow for increased oversight and efficiency optimization to plant systems.

Now, you can connect to your facility and equipment from anywhere without compromising the security of your operations.

The Preferred Cloud Remote Monitoring Platform offers three levels of encrypted, secure, and continuous analytics on your equipment, while recommending cost saving and preventative maintenance options to reduce downtime and emergency service.