Page 34: of Offshore Engineer Magazine (Sep/Oct 2014)

Read this page in Pdf, Flash or Html5 edition of Sep/Oct 2014 Offshore Engineer Magazine

Offshore Engineer Magazine, page 33, Sep 2014

Offshore Engineer Magazine, page 34, Sep 2014

Offshore Engineer Magazine, page 35, Sep 2014

FPSO “They could write a password on a sticky note and leave it lying around, or they’ll make their password too easy.” Or

Business network people assume the wireless networks are segregated. “They get bored out there, so they plug in their USB sticks and download

Wireless access point web sites for personal use or charge their phone,” Speake said. “They aren’t necessarily making phone calls but maybe listen-

CCTV

CCTV screenVoIP phones cameras ing to music, and you don’t know what’s on the phone.” While

IT ?rewall

CCTV Domain I/O I/O TerminalHistorianData most oil platforms have a separate line accessing the internet servermanagercontroller/serversservers serverAnalysis ?le server (DMZ) servers that might not be available for the control room. “But they’ll

Compressor SCADA

HMI HMI clients printer Server rack fnd ways,” Speake said. “They might hook up a separate wire-

Redundant control network less hub off of their personal laptop and connect to it from the

MCS control room.”

RTU

HMI PDU

The key to isolating traffc is to think about radio frequency (RF) protection and include only what is really needed. “The

Industrial

Primary/ Primary/

PCs Pump PLCs

Compressor Dehydrator backup backup onshore link should only be used for things that are absolutely

PLC PLC process PLCssafety PLCs

Generator Generator

Modem

Process Safety #1 #2 Platform Process Safety necessary, Gilsinn said. “Email is necessary, but web surfng racks Pump motors

I/O rack I/O rack switchgearswitchgear MCC I/O rack I/O rack should be limited. The actual process communication should

Typical junction boxGenerator switchgearSubsea cabinet PLC cabinet have a higher priority,” he said. “You should control network

Security appliances loaded with a SCADA-specifc frewall fow going through your wireless link, since it’s your sole link module protect PLCs, switchgear, and packaged process units.

from corporate to the outside world.” So while you can never eliminate web traffc, you can limit it in terms of the bandwidth because it allows an authenticated user to perform a known set it uses.

of authorized actions,” Gilsinn said. Whitelisting works along

Standards as an anchor the lines of known programs can pass through, but if the soft- ware is not on the accepted list, then it ends right there. That Knowing which standard to use with offshore wireless technol- compares to blacklisting which lets users pinpoint the source ogy isn’t so easy because such a variety of groups developed of the virus after it’s happened. Until a blacklisting tool knows independently and represent different industries and needs. about a virus, it can’t block it. Some choices include IEEE 802.11 WiFi for use in wireless local area networks (WLANS) or Zigbee or Bluetooth stan-

Segregation keeps network clear dards for personal area network systems are intended for

With the potential for malware or viruses intruding on the short-range communication. Yet, as the automation industry network, even accidentally, operators need to make sure their is moving to IP-based technologies, some experts are now networks remain segregated so operators on the rig can access opting for standards that allow more system fexibility. ANSI/ the web, communicate with family on Skype, and rest assured ISA-100.11a-2011, Wireless systems for industrial automation: all that activity is segregated from the control network, said Process control and related applications, “has tried to go a lot

Graham Speake, principal systems architect at Yokogawa. With farther than WirelessHART,” Czubba said. “It’s object orien- the use of more sophisticated technology and frewalls, random tated and designed to support a lot more functionality, such checks sometimes occur to make sure nothing unusual is get- as Foundation Fieldbus, which sees use more offshore than ting into the network. But because of limited manpower and the onshore. Plus the standard has a high performance and reliabil- rigs’ remoteness, these checks don’t occur on a regular basis, ity factor.”

Speake said. Think of the offshore platform, with its several “One great element about ISA-100 is it allows system fexibil- areas of operation as akin to your house with its several rooms, ity and is aligned to IP networking, Amidi said. “A distributed

Schaffer said. “Once someone gets inside your house, maybe system allows you to have a central hub from which you can get through an open window in the kitchen, they have unfettered all your data and manage transmitters.” access to other rooms in your house because you don’t put up The standard also allows vendors with big data packets, such signifcant barriers in between your rooms.“You want to layer as vibration, to use proprietary protocols without having to your protection and compartmentalize your network so a com- make changes, Amidi said. They can use the tunneling features promise of one area does not immediately impact other areas,” of ISA100.

Advanced encryption standards (AES) let you protect data

Schaffer said. “That way you are mitigating your damage, kind in fight. “AES-256 tells you how big the key is to encrypt of like having locked doors between the rooms of your house, or and decrypt the data. It’s pretty much unhackable,” Schaffer at least a Rottweiler.” said. “The 802.11 Internet protocol (IP) standard will sup-

Stupid human tricks port radios as a way to authenticate. But some of the other

While attacks and malicious intrusions are a concern in wire- industrial protocols, such as Bluetooth, which can be used less communications, out on the rig itself, malicious intent isn’t in industrial settings, have weak or nonexistent authentica- quite as problematic. “You’re probably less susceptible to the tion,” Schaffer said. “You can follow the standards and have hacker coming in across the network because it’s diffcult to a secure system or insecure system based on the choices you make. The standard doesn’t demand you use AES-256 breach the short bandwidth in the middle of the ocean,” Speake encryption. If you choose not to do that, you’re still fol- said, but it’s easy for people to accidentally cause a problem. It’s lowing the standards, but you’ve severely weakened your kind of like David Letterman’s segment on stupid human tricks, security.” In such a diverse world of standards for wireless

Gilsinn said.

September 2014 | OE oedigital.com 36 034_0914_FPSO2_OER Avoiding.indd 36 8/21/14 2:48 PM