
Keeping your cool during a firewall installation

InTech, Apr 2005 by James, Nigel, Stocke, Stephen

This historian implementation required three firewalls, one DMZ, two remote links, and lots of network savvy.

The expansion of real-time process management (RPM) systems, or historians, brings in new issues of network attack and threats as control systems pass data out on the corporate intranet.

There is a growing threat of network intrusion, especially with malicious hackers, terrorists, and viruses.

In response to this concern, the automation industry has focused on setting standards on manufacturing and control systems security to combat cyber threats. ISA - The Instrumentation, Systems, and Automation Society has now issued two technical reports on this topic:

* ANSI/ISA-TR99.00.01-2004, Security Technologies for Manufacturing and Control Systems

* ANSI/ISA-TR99.00.02-2004, Integrating Electronic Security into the Manufacturing and Control Systems Environment

Avers the first of these two documents, "The need for protecting manufacturing and control systems computer environments has grown significantly over the last few years. The combination of open systems; an increase in joint ventures, alliance partners, and outsourced services; growth in intelligent manufacturing equipment; increased connectivity to other equipment/software; enhanced external connectivity; along with rapidly increasing incidents of network intrusion, more intelligent hackers, and malicious software, all lead to increased threats and probability of attack. As these threats and vulnerabilities increase, so does the need for protection of manufacturing and control systems."

Far-flung points of data

With hundreds of oil platforms in the Gulf of Mexico, the oil and gas industry is an important part of the area's economy. Similar to chemical manufacturing facilities, most have base control systems and some have ongoing archiving of historical data.

As companies become more global and the technology becomes more pervasive, enterprise-wide historians are key to making better decisions faster.

The case study company we reference here wished to integrate all process data from multiple platforms in the Gulf of Mexico and Caribbean into a single secure system, with the data available in the corporate office in Houston. Security of the data and system setup was a critical success factor of this project.

Specific details of the installation are:

* Corporate RPM server at client offices in Houston with capacity for 150,000 points

* Web portal in Houston for data trending, reports, key performance indicators (KPIs), and the like

* Local RPM servers at each production facility/interest

* Robust, secure data synchronization with Houston with minimal lag (less than one minute)

* Automatic recovery of data after network outages

* Gulf of Mexico platform (1,000 points)

* Caribbean platform (10,000 points)

* Easy administration of RPM servers at remote sites with no client presence

The solution was a Wonderware HMI (human machine interface), and the team opted for OSIsoft PI Data Historian for the RPM based on its installed base of oil and gas platforms and the client's head-to-head feature and cost comparison of several historian platforms.

The solution includes the RPM server on the platform and an additional server in the corporate office that will also gather the data from RPM servers on individual assets in North America.

This platform required three firewalls to protect the data communication to the corporate RPM server. These firewalls were required due to the platform having a joint venture partner, and the corporate networks of the two partners required firewalls at the interface.

In addition to the facility acceptance test (FAT), additional communications tests took place at the operating company's corporate offices in Houston to verify the configuration of the firewalls at the network interface. This testing proved invaluable in validating the network configuration before commissioning activities on the platform commenced.

Logistical design issues

To get the data into the Houston office, there were several logistical design issues to cover. The data from the first platforms was to come from a non-operated asset in the Gulf of Mexico. This would entail using line-of-sight microwave technology, which has an inherent bandwidth issue. The data then had to be transmitted to and shared with a co-owner of the platforms while maintaining security on the confidential items. Four key issues came up during analysis of the project for which we needed solutions:

* Data integrity

* Bandwidth of wide area network (WAN) link

* Network security

* Remote management

Many platforms in today's commercial environment host multiple companies and alliances. This creates confidentiality issues, as the non-operating partner does not have personnel on the asset on a full-time basis. This also adds complexity to the issues of data integrity and reliability. Being 100 miles offshore requires data to flow back via low-bandwidth line-of-sight microwave, which adds a layer of complexity.

The aforementioned ISA technical reports help us to find best practice approaches to solving these issues.

 
