IT in Manufacturing


Sharing data in the unified enterprise

December 2012 IT in Manufacturing

Ideally, manufacturing and mining enterprises are unified entities with business goals and priorities, which can only be realised through the efficiency and performance of their operational or wealth-creating processes. History bears ample witness to the foolishness of trying to divorce business from operational systems. So, when it comes to sharing information, it is clear that transparency is the key.

But transparency is vulnerable to risks and threats from both inside and outside the enterprise, which makes the provision of information to those who need it more challenging than ever – especially when considering the different needs of process control and enterprise networks.

Deon van Aardt, MD Invensys Wonderware Southern Africa.
Deon van Aardt, MD Invensys Wonderware Southern Africa.

Control system industry LAN security recommendations

The best practice recommendation for an industrial control system (ICS) is to separate the process control from the enterprise network, mainly because the nature of traffic on these two is different:

* Internet access, FTP, e-mail and remote access will typically be permitted on the enterprise network but not on the process control network.

* Rigorous change control procedures for network equipment, configuration and software changes may not be in place on the enterprise network.

* If process control network traffic is carried on the enterprise network, it could be intercepted. By having separate networks, security and performance problems on the enterprise network should not be able to affect the process control network.

However, practical considerations often mean that a connection is required between the networks. This connection is a significant security risk and careful consideration should be given to its design.

If the networks must be connected, it is strongly recommended that only a single connection is allowed and that the connection be through a firewall, or better yet, an active intrusion prevention (IPS) appliance. It is also important to establish a demilitarised zone (DMZ) for any data warehouse or data warehouse proxy (recommended for a very secure configuration).

A DMZ is a separate network segment that connects directly to the firewall. Servers containing data from the process control system, which need to be accessed from the enterprise network, are placed on this network segment. Only these systems should be accessible from the enterprise network. With any external connections, the minimum access should be permitted through the firewall. Only the ports required for specific communication should be opened to the external environment.

Network firewalls

These are devices or systems that control the flow of traffic between networks employing differing security approaches. In most modern applications, firewalls and firewall environments are discussed in the context of Internet connectivity and the TCP/IP protocol suite.

Firewalls can be applied to network environments that have nothing to do with Internet connectivity. For example, many corporate enterprise networks use firewalls to restrict connectivity to and from internal networks servicing more sensitive functions such as those found in the accounting or personnel departments.

In an ICS environment, firewalls are most often deployed between the ICS domain and the corporate LAN. Properly configured, they can greatly restrict undesired access to and from control system host computers and controllers, thereby improving security. They can also potentially improve a control system’s responsiveness by removing non-essential traffic from the network.

Once the firewall is in place, the next problem is determining exactly what traffic should be allowed. Configuring the firewall to deny all except for pinholes absolutely required for business is every company’s basic premise, but the reality is much more complex. Exactly what does ‘absolutely required for business’ mean and what are the security consequences of allowing those pinholes?

DMZ network

Implementing an intermediate DMZ network is an acceptable approach to enabling communications between a process control network and a business domain network. The DMZ should be connected to the firewall so that specific (restricted) communication can take place only between the enterprise network and the DMZ and between the process control network and the DMZ so that the enterprise and process networks cannot communicate directly with one another. Data warehouse proxies are usually placed in this environment.

Defining the secure process control environment

Looking at what the control system is (what it does, what its intrinsic value is and what its requirements are), we can easily see that traditional IT security techniques imposed on the system impede operability and functionality. The cumulative effect is that continual problems arise in keeping the control system running reliably.

Standard IT security techniques and strategies are not only minimally effective, but can be reckless and dangerous when applied to control systems. This is because IT practitioners apply standard techniques and strategies in the production environment.

The machine functionality between a standard IT business network and a control system network is virtually 180° in opposition. Elements of the two network types look virtually identical, (machine hardware also looks identical when viewing from a high level), but that is where the similarity ends.

The functionality and operation between the two network types are different and not directly or desirably compatible without appropriate security and/or proxy interfaces.

When implementing security for the control system environment, the following should be determined:

* What the total environment accomplishes.

* How it accomplishes the tasks it is assigned.

* What might be done to protect the system, while assisting or improving system and process efficiency?

Defining the layered security model

Industry guidance and policies state that machines have to be buried in layers of security, and this statement is essentially correct. However, implementing traditional security guidance policies in a control system environment is difficult and ultimately counterproductive.

Current industry guidance shows several areas of high security with lessened security requirements in areas that might break the functionality of the system. This guidance is highly fragmented and completely discounts the operation of tile process control or scada system functionality in favour of a belief about what might be secure.

Additionally, there is one outstanding problem with this approach that makes it almost completely and uniformly undesirable and it is that control system networks are seldom laid out so neatly. Normally, parts of a control system may reside in a remote location across a sub-domain, an unsecured WAN or an Internet connection, which leaves it more vulnerable to attack and infection.

Therefore, a systemic approach should be used when reviewing process control networks and scada system environments. The ArchestrA secure architecture reference recommends layered security through multiple firewalls to multiple functional blocks as required. We can no longer look at individual machines needing a particular security profile without it affecting the entire enterprise. To accomplish adding security to such an environment, it is necessary to apply security as experts recommend, but with an additional requirement: only one point of ingress/egress to/from the control system.

Conclusion

Information is an enterprise-wide necessity which follows natural tiers of granularity. And so it makes sense to separate the real-time world of the production floor from the transactional environment of business processes because they each have their own and very different network and access needs. Today, we know a great deal about the structuring of firewalls and DMZs in such a way as to provide effective security while allowing the unimpeded flow of bidirectional information for effective decision support at all levels of the organisation.

For more information contact Jaco Markwat, Invensys Operations Management, +27 (0)11 607 8100, [email protected], www.iom.invensys.co.za





Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Overcoming the bottling industry’s fragmented visibility
Schneider Electric South Africa IT in Manufacturing Electrical Power & Protection
Beverage bottling facilities are among manufacturing’s most energy-intensive environments, yet many still operate without granular insight into where that energy goes. Rezolia Muller-Potluri of Schneider Electric explains how tiered metering architecture and advanced

Read more...
Advancing intelligent apparel manufacturing with industrial AI and humanoid robotics
IT in Manufacturing
Jack Technology, a global maker of industrial sewing equipment, has chosen Siemens software and engineering tools to bring artificial intelligence and humanoid robots into apparel production, aiming to shorten development cycles and lift manufacturing efficiency.

Read more...
New chiller line for high-density AI data centres
Schneider Electric South Africa IT in Manufacturing
Schneider Electric has launched the Uniflair XCA, a new series of air-cooled and free-cooling chillers designed for artificial intelligence-driven, high-density liquid-cooled data centres.

Read more...
Turning system integrators into trusted technology partners
Schneider Electric South Africa IT in Manufacturing System Integration & Control Systems Design
Schneider Electric’s Alliance Partner Programme is repositioning system integrators from hardware suppliers into lifecycle-value partners. Oriel Soupen explains the competency framework, certification model and real-world results that are already helping African system integrators win higher-value, longer-term engagements.

Read more...
Why renewable projects need integrated protection and control
IT in Manufacturing
Fragmented secondary plant integration in renewable energy projects causes costly delays during commissioning. ACTOM Protection and Control’s Secondary Plant Integration solution consolidates all secondary systems under a single engineering framework, reducing risk and accelerating grid

Read more...
When digital twins move from concept to critical tool
IT in Manufacturing System Integration & Control Systems Design Maintenance, Test & Measurement, Calibration
Digital twins are moving out of the lab and onto the mine, the factory floor and the transport network where they predict failures before they happen. Amritesh Anand looks at where they earn their keep, the data and integration work behind them, and the security questions every organisation should ask before switching one on.

Read more...
How a digital foundation can overcome the LNG trilemma
Schneider Electric South Africa IT in Manufacturing SCADA/HMI
The LNG sector is racing to add capacity, but without a digital backbone, growth creates complexity rather than capability. Christophe Begat of Schneider Electric explains how connecting data, systems and analytics across the LNG value chain can resolve the trilemma of secure supply, lower emissions and tighter costs.

Read more...
Decarbonisation is reshaping mining strategy in Africa
Schneider Electric South Africa IT in Manufacturing Electrical Power & Protection
Mining companies across Africa are embedding decarbonisation into operational strategy, driven by investor, regulatory and customer pressure to reduce emissions while improving resilience.

Read more...
Siemens and HighByte partner to scale industrial AI
Siemens South Africa IT in Manufacturing Fieldbus & Industrial Networking
Siemens is expanding its Industrial Edge ecosystem through a partnership with HighByte, enabling customers to connect, contextualise and transform data from operational technology and information technology sources to build AI models and applications at scale.

Read more...
Africa on the edge of a digital future
Schneider Electric South Africa IT in Manufacturing
Edge computing promises lower latency, stronger reliability and real-time responsiveness across Africa, yet its rollout keeps colliding with one stubborn obstacle, power. Steven Santini explores how renewable microgrids, smart energy management and the right partnerships could turn the continent’s energy gap into its biggest edge opportunity.

Read more...









While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd | All Rights Reserved