Centralized Control System Architecture

Transcription

1 Centralized Control System Architecture Standards Certification Education & Training Publishing Conferences & Exhibits Speakers: Hassan Ajami, PE CAP Anil Gosine 2016 ISA Water / Wastewater and Automatic Controls Symposium August 2-4, 2016 Orlando, Florida, USA

2 Presenter Hassan Ajami, PE CAP General Manager at Process Control & Instrumentation (PCI) He has over 16 years of experience in the Water/Wastewater industry Specialty is Control System design and integration Licensed Professional Engineer (PE) Certified Automation Professional (CAP) MS in Industrial Engineering, BS in Chemical Eng. Aug 2-4, 2016 Orlando, Florida, USA 2

3 Presenter Anil Gosine Anil Gosine has been involved in the Water/Wastewater industry for over 10 years. He has worked in the Chemical and Oil & Gas industries previously. Program Manager at the Detroit Water & Sewerage Department (DWSD) Manages the Department Wide Control Systems Aug 2-4, 2016 Orlando, Florida, USA 3

4 Presentation Outline Background Why? - Then vs Now Why? Realize the Benefits Why? - Security Following the Standards System Architectures Making Connections Parts & Pieces Additional Features Additional Options Summary Aug 2-4, 2016 Orlando, Florida, USA 4

5 Background How much to centralize or de-centralize a control system has been a long debated topic There are 2 aspects to this the control itself and the I/O systems Disparate systems cause headaches Maintenance On-Site access to facilities Limited remote possibilities Security No central user database Manual synchronization of user accounts and passwords Automation Industry is evolving Centralized Architecture Aug 2-4, 2016 Orlando, Florida, USA 5

6 Why? - Then vs. Now Independent Islands Local security configuration Limited tie-in to other islands Higher maintenance requirements Everyone wants to do more with less Connected Architecture Central security configuration All facilities connected WAN Remote predictive maintenance becomes a more economical option Aug 2-4, 2016 Orlando, Florida, USA 6

7 Why? Realize the benefits Integration of geographically distributed assets through centralized control: Improves responding to supply and demand fluctuations Reduces costs of operations Allows for process efficiencies Ability to perform data gathering and audit report generation from a centralized area helps manage costs related to regulatory requirements Control software management is simpler Aug 2-4, 2016 Orlando, Florida, USA 7

8 Why? - Security With the close coupling of IT and control system environments, security risks now cascade from corporate networks into control system networks. Historically, poor security protocols, rarely done patch management and lack of threat protection for control systems did not appear to have our critical infrastructure at risk. Today, these security failures cannot be tolerated and the management and acute awareness of risks need to be centrally managed. Holistic view of the entire system is now required. Aug 2-4, 2016 Orlando, Florida, USA 8

9 Following the Standards NIST ICS Security Guide ISA Security Standards Cybersecurity policy Network segmentation Patch, password, configuration management Intrusion Detection and Prevention (IDPS) Access Control Direct and Remote Wireless and VPNs Assessments Training to be Secure Aug 2-4, 2016 Orlando, Florida, USA 9

10 System Architectures Old Way Workstation Workstation Controllers Field Devices Controllers Field Devices New Way Workstation 3 rd Party Devices WAN Router Firewall Firewall Router Controllers Field Devices Security Center Domain Server Aug 2-4, 2016 Orlando, Florida, USA 10

11 Making Connections Unidirectional gateways Physical separation of your system Firewall Configured protection of your network from the external environments Routers Segment the network Do not mix systems on the same flat network VPNs Build separate logical networks for systems Logically isolated from others Data transfer Plan for handling data to/from other systems Aug 2-4, 2016 Orlando, Florida, USA 11

12 Parts & Pieces Firewalls - devices configured to monitor and control network traffic, implementing security policies limiting access to internal systems Well known network equipment Remote Access Points - points of entry to the control network used to perform remote maintenance or operations and configuration activities Managed switches and routers - route traffic through to different network segments in a LAN and provide connectivity to WAN and long-distance communications networks System logs VPN settings Port security settings Aug 2-4, 2016 Orlando, Florida, USA 12

13 Parts & Pieces Intrusion Detection and Prevention Systems Updates Patch management system Access Control Accounts and Passwords Physical security To be effective with Centralization, the architecture must encompass every link in the chain from external points of entry down to control logic and critical data required for safe and reliable operations. Aug 2-4, 2016 Orlando, Florida, USA 13

14 Additional Features A centralized control platform minimizes complexity with a unified software platform and network. Automation and controls architecture should help decrease the time and effort required to build and commission a system. Centralized technology can be advantageous when designed to run faster and more powerful control algorithms than is typically possible with many distributed small controllers. Aug 2-4, 2016 Orlando, Florida, USA 14

15 Additional Options High-Security Firewall One-Way Data-Diode Application Security Full White-Listing Aug 2-4, 2016 Orlando, Florida, USA 15

16 Summary Strong and enforced security policies and procedures are key. Change Management is vital. Keep your systems up to date Best Practices for implementing new technologies ICS-CERT and ISA can guide you Regularly assess your system - annually Find the hidden gaps Use industry standard hardware Detect, isolate and block the attack before it happens Aug 2-4, 2016 Orlando, Florida, USA 16

17 Questions For additional information, contact us: Hassan Ajami Anil Gosine Aug 2-4, 2016 Orlando, Florida, USA 17