Transparent cybersecurity

Aug. 10, 2011
Protect plant-floor data without limiting industrial network access.

In brief:

  • A steel plant that used a server to interconnect its PLCs with its automation system enjoyed more intensive interconnectivity when it installed QMOS, a software system specially developed for steel operations, that could also integrate its MES and SCADA systems.
  • Having as many as 40,000 to 50,000 I/O points can help improve troubleshooting capabilities because operators can track down the problem to the minutest detail. This makes it possible to trend any variable to determine if the cause was human error or an equipment problem.
  • Operations are separated into two domains: the plant floor/process side, which has the PLCs and historian, and the corporate side, which has the ERP. Sophisticated software delivers data that both corporate and the process people use.

Fire and water don’t play well together. Firefighters will tap a hydrant to battle a blaze. By the same token, if you want to boil water to evaporation, there’s nothing like a hot flame. As eternal combatants, fire and water thwart one another endlessly.

Much like a waterfall, data cascades through an organization, spilling from the plant floor and pooling where it’s needed, whether that’s the maintenance staff or the executive boardroom. But, as any IT director worth his bandwidth will tell you, that data needs to be protected and the network needs to be secure. Some still argue that multiple firewalls are the only surefire way to ward off cyber-infiltration, but how do you keep the data flowing?

Cyber protection

The challenge for manufacturers and IT staff is to evaluate and identify the points of vulnerability in production operations and to understand the security tools and technologies available to help minimize those vulnerabilities. Mike Miclot, vice president at Belden’s industrial solutions division, and Jeff Cody, industrial Ethernet technical support engineer for Hirschmann, a Belden brand, recommend looking at industrial networking firewalls and routers, security appliances, virtual private networks (VPNs), authentication and encryption devices. When they’re properly applied and installed, these mechanisms and techniques can provide the security required for directly connecting either the network or individual production devices to the Internet, corporate or remote offices, remote production facilities, or other areas in which secure industrial network communications are needed.

Firewalls and firewall/routers: Firewalls come in many types, and some are transparent products that operate right out of the box. These plug-and-play devices can be installed anywhere on the network without the need to configure or reconfigure end devices. No changes to network settings (IP addresses, subnet masks and default gateways) are required and networks don’t have to be divided into separate IP subnets. Firewall/routers are combination devices that combine both firewall and routing functionalities. They excel at protecting the industrial network edge — the points of vulnerability where the industrial network meets the corporate network or the Internet. These devices can segment networks, be used as a gateway and enable safe Internet access. Firewall functions include isolating critical devices from threat sources, separating the network into security zones, restricting communications between zones and protecting controllers from known vulnerabilities.

Security appliances: These are another type of in-line hardware that gives a single device or group of devices real-time protection from undesirable traffic. The newest types offer zone-level security, including deep packet inspection for groups of PLCs, a distributed control system (DCS), remote terminal units (RTUs) and human-machine interfaces (HMIs) and their industry-specific protocols. These devices typically are easier to install than many other security products and can be installed on a live network with no special training, preconfiguration or system downtime. With a properly installed security appliance and management software, users can view the status of the entire system on a single screen that provides real-time information about non-conforming events in the network.

VPNs, authentication and encryption: Secure communications can be extended beyond the network’s edge, local security cell or device level using remote user authentication or VPN connections. Most firewalls support VPN connections using Secure Sockets Layer (SSL), pre-shared key (PSK) or X.509 certificates to provide encrypted access across intermediate or inherently untrustworthy networks, such as the Internet. Additional secured communications can be established using user authentication and user-specific firewall rule bases. As mentioned previously, the firewall itself might be used on a network’s edge between the enterprise and plant floor or duplicate production cells, or it can act as a gateway to the Internet.

For example, a VPN should produce secure tunnels of communication over untrustworthy networks, including the Internet or corporate business network. It should be easy to deploy, test and manage and should provide ways to build preconfigured installation files to help ensure that security isn’t compromised by configuration errors. In addition, it should support industrial automation devices and protocols, be industrially hardened and be able to be combined with other equipment to build a comprehensive and effective security solution.

Putting it all together: Selecting devices to secure the industrial communications network is only part of the challenge. Installing the right equipment properly in the right place also is essential. Different products are designed for different purposes. For example, a security appliance protects at the device level and has no routing or network segmentation capabilities. If the plant staff needs to link to the Internet to connect to its main corporate office, a firewall would be a better choice. Because systems vary so widely, specifics are difficult to prescribe. That’s why it’s important for each plant to understand its own network vulnerabilities and take the time required to research and select appropriate solutions. In general, when implementing an industrial network security system, it’s important to ask and answer several key questions. Does the device or system provide scalable security functionality? Is it easy to integrate into the existing architecture? Is it easy to install, operate and maintain? Does it support redundancy mechanisms? If these goals are met, you’re well on your way to effective cybersecurity.

Steeling fire

Gerdau Ameristeel (www.gerdauameristeel.com), a mini-mill steel producer and steel recycler in North America with an annual manufacturing capacity of more than 10 million metric tons of mill-finished steel products, has 11 mini mills running a manufacturing execution system (MES) called QMOS. While QMOS oversees the management of information to the company’s ERP system, it relies heavily on KEPServerEX communication technology and OPC server from Kepware Technologies (www.kepware.com) to manage myriad diverse PLCs distributed throughout the mills.

“We have a variety of different PLCs — just about every platform out there, Siemens, Allen-Bradley, GE,” says Jason Magill, application architect at Gerdau Ameristeel. “We’re trying to become more standardized, but each mini-mill has its own sets of PLCs. The great advantage of using KEPServerEX is that its drivers are able to connect to all the PLCs, regardless of their individual specifications.”

The company’s Jacksonville, Florida, mill has two major operations — the melt shop and rolling mill. Other locations have a shredder, which takes large objects such as cars and other large pieces of metal and shreds them down to be melted in the furnace at the melt shop. The average car contains approximately 1 ton of steel, and the Jacksonville operation is melting and rolling about 90 cars/hr or up to 750,000 cars/yr.

While the Jacksonville plant originally was using the Kepware technology to tie GE PLCs to a PC-based automation system, it expanded its use when QMOS was launched because of the Kepware technology’s interoperability with the plant’s MES and SCADA, along with the PLCs, explains Jarrod Parrotta, improvement facilitator at the Jacksonville plant. “When QMOS came into play,” says Parrotta, “we replaced everything with Kepware.”

The Jacksonville rolling mill operation is monitoring approximately 13,000 I/O points, and the melt shop has another 10,000 being acquired from smart devices via KEPServerEX, and the plant is only about halfway to where it wants to be. “Our target is somewhere between 40,000 to 50,000 I/O points,” says Parrotta.

The plant has four Wonderware terminal servers — two in the rolling mill and two in the melt shop. In the future, Wonderware’s FactoryFocus will be used on the corporate network to provide executives with a more granular view of specific operational information. Process data are collected, and staff can link data from multiple OPC data sources. “With the current system configuration, I will never have to let anyone through the firewall,” reveals Parrotta. “Using the two servers across the firewall allows me to provide a security control feature and limit the amount of traffic on the process network.”

But the I/O points improve troubleshooting capabilities. “If operators have issues, they can literally track down the problem to the minutest detail,” says Parrotta. “They can technically re-create anything the operator did via Wonderware or pushbutton interfaces. We can trend just about anything and find out if it was a human error or whether it was, for example, a sensor that failed. As long as we have every I/O logged, we can troubleshoot anything.”

QMOS receives a schedule from the ERP system and covers the management of the planning, scheduling and production in the rolling mill and the melt shop. It manages the process from receiving customer orders and creating production schedules, as well as managing the demand for the steel, up to the production of the billets and the bundling, packaging and shipment of semi-finished or finished products to customers.

“QMOS figures out which ingredients are needed for the products,” explains Parrotta. “Recipes for those orders reside in both QMOS and Wonderware. QMOS is keeping track of each step in the process. It’s tracking all of the operational parameters that are critical, for example, amps, pressures, kilowatt-hours, time start/stop. All this is tracked inside the QMOS MES system. We’re pulling data out of the Oracle database on the opposite end within certain parameters and we’re sending those to the KEPServerEX to manage the tags to the PLC. In this way, the operators don’t have to manually do it, which eliminates the possibility of human errors.”

In the Jacksonville plant, Kepware provides the connectivity between the PLCs, QMOS, Wonderware and integrated IBA historian. Operations are separated into two domains, the plant floor/process side and the corporate side. The ERP resides on the corporate domain, while Wonderware, the PLCs and historian reside on the process domain. QMOS and Kepware straddle the process and corporate sides because QMOS, via Kepware’s communication, delivers data that both corporate and the process people use.

“We also use Kepware’s LinkMaster to deliver tags from the melt shop to corporate and to the rolling mill in order to generate some of the plant energy readings such as gas and electric,” says Parrotta. “LinkMaster enables us to transfer data to and from the melt shop to corporate and back to the rolling mill or in any data configuration we need.” The data then goes to the IBA historian for a complete plant utility report. The historian adds tags together, calculates the values and delivers a comprehensive report.
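
The two-domain split and the "two servers across the firewall" arrangement described above can be audited against firewall flow records. The following is an added example, not code from the article or from any vendor named in it; the subnets, server addresses, port and flow records are all constructed for illustration.

```python
import ipaddress

# Constructed addressing plan; the article gives no addresses or ports.
ZONES = {
    "process": ipaddress.ip_network("10.10.0.0/16"),    # PLCs, HMI servers, historian
    "corporate": ipaddress.ip_network("10.20.0.0/16"),  # ERP, office clients
}
# The only pair allowed to talk across the firewall: one server on each side.
CROSS_ZONE_PAIRS = {frozenset({"10.10.1.10", "10.20.1.10"})}
CROSS_ZONE_PORTS = {4840}  # hypothetical data-exchange port

def zone_of(addr):
    """Return the zone name containing addr, or None if it is in no known zone."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), None)

def check_flow(src, dst, dport):
    """Return None if the flow fits the two-domain model, else a reason string."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "endpoint outside the known zones"
    if src_zone == dst_zone:
        return None  # traffic inside one domain never crosses the firewall
    if frozenset({src, dst}) not in CROSS_ZONE_PAIRS:
        return f"direct {src_zone}->{dst_zone} flow bypasses the server pair"
    if dport not in CROSS_ZONE_PORTS:
        return f"server pair using unexpected port {dport}"
    return None

def audit(flows):
    """Return (src, dst, dport, reason) for every flow that violates the model."""
    results = []
    for src, dst, dport in flows:
        reason = check_flow(src, dst, dport)
        if reason:
            results.append((src, dst, dport, reason))
    return results

# Constructed flow records (src, dst, destination port), e.g. from firewall logs.
SAMPLE_FLOWS = [
    ("10.20.1.10", "10.10.1.10", 4840),   # corporate-side server -> process-side server
    ("10.10.2.40", "10.10.1.10", 502),    # PLC traffic inside the process domain
    ("10.20.5.23", "10.10.2.40", 502),    # office client straight to a PLC
    ("10.20.1.10", "10.10.1.10", 3389),   # allowed pair, wrong service
    ("192.168.7.7", "10.10.1.10", 4840),  # unknown source
]

if __name__ == "__main__":
    for violation in audit(SAMPLE_FLOWS):
        print(violation)
```

Run against the constructed sample, the audit reports the last three flows: the office client reaching a PLC directly, the server pair on an unexpected port, and the source that belongs to neither domain.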

Is it safe?

“The interconnection of the enterprise and industrial Ethernet using common, standards-based communications protocols has brought measurable advantages to industrial companies,” says Mike Miclot, vice president at Belden’s industrial solutions division (www.belden.com). “For many, seamless interoperability and real-time information flow from the shop floor to the front office has become a reality and helped reduce costs and drive increased efficiency and productivity.”

Organizations with multiple locations can operate on a common networking system, connecting internal departments with personnel in the field. However, the evolution of Ethernet from the enterprise to the plant floor isn’t without challenges for industrial plants. Sharing a common networking platform can open vulnerabilities that put manufacturing operations at greater risk for inadvertent and deliberate network intrusion, explains Jeff Cody, industrial Ethernet technical support engineer for Hirschmann, a Belden brand. In fact, as automated production and the instrumentation systems that connect and control equipment and operations have grown increasingly complex, cybersecurity vulnerabilities also have increased.

“The security mechanisms and controls that protect enterprise networks are insufficient for industrial networks,” explains Cody. “Although the two might use similar equipment and protocols, they have different characteristics and performance criteria and can be affected in dramatically different ways by the same type of events. Enterprise networks supporting front- and back-office activities typically can withstand periodic network outages ranging from a few minutes to a couple of hours, with no lasting damage. Firewalls and proxy servers protect them from external threats, and operating system patches and security software usually are effective in keeping them safe from viruses and malware.”

But industrial networks are a different stream altogether. “They have a more specialized nature, with environments ranging from climate-controlled clean rooms to harsh and sometimes hazardous operating conditions,” says Miclot. “In addition, industrial operations typically involve deterministic control networks with strict timing constraints rather than intermittent traffic. In this data-intensive environment, outages are intolerable. Any disruption is too long and can lead to waste or contamination of raw or in-process materials or goods. It also might mean an entire process needs to be restarted from the beginning. Further, production machines rarely can be secured with a software patch, anti-virus system or intrusion protection mechanism.”

Another cybersecurity consideration is how the industrial network links to the corporate network, warns Cody. “Some are directly connected on the same enterprise domain,” he says. “Others consist of segmented networks connected by routers or virtual local area networks. Still others remain completely isolated while sharing common resources over the Internet. Too often, however, security measures and controls on the plant side simply mirror the mechanisms implemented on the corporate side and are inadequate to address the specialized requirements of the industrial network.”