Page 23: of Offshore Engineer Magazine (May/Jun 2013)

22 24

Security failover of the primary PLC proces- sor to the backup processer would not impact control communications, and that the security appliances in turn would maintain security func- tionality, regardless of the switcho- ver state of the PLCs.

In total, 12 security appliances were used on the platform. All were loaded with a frewall-loadable security module. The central man- agement platform, which manages all of the security appliances from a central location, was installed on a server in the facility.

Challenges and Outcomes

As with many IT devices deployed

Simplifed network diagram.

into an automation environment, a challenge during the project was the these layers. ment strategy, making the confgura- perception that frewalls make the

The frst step was to install an IT tion of multiple security appliances job of operations and maintenance frewall to protect the entire plat- effcient. more diffcult. Initially staff had a n form. However, this would do little Users can install automation-spe- “knee jerk” reaction to blame the to defend against problems such cifc, loadable security modules as frewalls any time there were net- as worms introduced via laptops needed. work problems. With a thorough test- n or USB drives. So the automation The solution is simple to install ing regime, however, it was shown and business networks were next and maintain by operations and that the proper protocols were en- separated using managed switches maintenance staff. abled to accommodate all operations.

and frewalls. Demilitarized zones The cyber security solution has

Design and Installation (DMZ) were there to protect the now been in operation for fve years. process control system from the The PLCs at Level 1 in the process The result has been increased reli-

Internet and the business network. control network (PCN), as well as ability and availability of the plat-

After careful review of available switchgear and various packaged form. A virus outbreak (introduced security products, the engineering process units, were protected with by a contractor) was contained by team selected an industrial security security appliances loaded with a the separation strategy. The project solution for the control system fre- SCADA specifc frewall module. is widely seen as a good example of walls. The reasons for this decision Only the necessary operating pro- how a well-designed security solu- included: tocols were allowed through the tion can actually reduce costs and n The security appliances can be frewalls, determined by a data improve productivity on offshore

DIN rail mounted, the standard for exchange strategy. platforms. offshore industrial cabinets. Reliability of the system was a core The security appliances are rated requirement. Redundant security Eric Byres is a leading expert in the n for Class 1, Division 2 hazardous appliances were installed in front of feld of critical infrastructure securi- areas (important on offshore facili- redundant Allen-Bradley PLCs. The ty. He is CTO and VP Engineering at ties). security appliances were then con- Tofno Security, a Belden brand. His The system uses a central manage- fgured and tested to assure that the email is [email protected] n oedigital.com May 2013 | OE 25 0513OER_Byres col2_b.indd 25 4/22/13 3:31 PM