PI in an IT security Context

PI in an IT security Context

Marc WeinbergMarc WeinbergProcess Engineering Process Engineering

ATOFINA ATOFINA Research – Feluy (B)Research – Feluy (B)

Email Email marc.weinbergmarc.weinberg@atofina.com@atofina.com

Marc SoucheMarc SoucheATOFINA DCTIATOFINA DCTI

Atofina Technical Center Lyon (F)Atofina Technical Center Lyon (F)

Email: marc.souche@atofina.comEmail: marc.souche@atofina.com

Ref MS/ II n° 22/03Rev 0Ref MS/ II n° 22/03Rev 0

TOAFINAELF GROUPTOAFINAELF GROUP

• World’s 5th largest oil company.

• Active in more than 120 countries, organized in over 900 consolidated companies.

• With more than 122000 Employees.

• Structured in 3 branches

– Upstream : Exploration & Production, trading Gas & Electricity

– Refining and Marketing

– Chemistry

ATOFINAATOFINA

• Chemical branch of the group.

• World’s 6th largest chemical company

• With more than 70000 employees more than half of the human resources of the TotalFinaElf Group. (11000 in the US)

Key activities:

• Base chemicals and Polymers: Olefins, Aromatics, Polyethylene, Polypropylene, Styrene, Polystyrene, Elastomers, Chlorochemicals and Solvents, VCM, PVC and Downstream, Fertilizers.

• Intermediates and Performance Polymers: Acrylics, PMMA, Fluorochemicals and Peroxides, Thiochemicals and fine Chemicals Performance Products, Additives, Engineering Polymers, Formaldehyde resins, Agrochemicals.

• Specialties: Rubber-based products (Hutchinson - Mapa Spontex), Adhesives (Bostik Findley), Resins including Photocure Resins (Cray Valley, Sartomer, Cook Composites Polymers), and Electroplating (Atotech).

Corporate Technology Group (CTG)Corporate Technology Group (CTG)

• Part of the STRATEGY & RISK ASSESSMENT directionPart of the STRATEGY & RISK ASSESSMENT direction• The CTG is a Network of technologists of all three The CTG is a Network of technologists of all three

branches of TotalFinaElf.branches of TotalFinaElf.

• Missions :Missions :

• Promote free access to the Group’s technical competencies and help Promote free access to the Group’s technical competencies and help maintain the teams’ technical know-how.maintain the teams’ technical know-how.

• Raise the Group’s technological level by pooling experiences and by Raise the Group’s technological level by pooling experiences and by formal and informal transfer of information relating to know-how. formal and informal transfer of information relating to know-how.

• Promote optimization of the Group’s technological resources and exploit Promote optimization of the Group’s technological resources and exploit the Group’s leverage due to size when negotiating with suppliers.the Group’s leverage due to size when negotiating with suppliers.

• Coordinate action with industry and equipment standards organizations.Coordinate action with industry and equipment standards organizations.• Anticipate the Group’s future technology needs.Anticipate the Group’s future technology needs.• Monitor external technology changes and keep pace with them when Monitor external technology changes and keep pace with them when

appropriate.appropriate.• Manage key technical suppliers relation ship ( for ex OSISOFT,…)Manage key technical suppliers relation ship ( for ex OSISOFT,…)

PI within TOTALFINAELFPI within TOTALFINAELF

• Over 100 systems installed from refineries to small fine chemical sites

• ATOFINA (hosting most of the PI servers) has a dedicated PI global support team.

• Yearly internal PI User meetings in Europe and US

• Internal Training sessions

• Corporate founding to develop internal PI tools, to test and evaluate new PI features

• Used on all levels of the company… from APC DATABASE to IT network monitoring

TFE & “Cyber” SecurityTFE & “Cyber” Security

•Standard IT security is today addressed in Standard IT security is today addressed in almost all industriesalmost all industries

•Process IT security adds a new dimension Process IT security adds a new dimension to the security: A SAFETY DIMENSIONto the security: A SAFETY DIMENSION

POTENTIAL PHYSICAL HARM POTENTIAL PHYSICAL HARM

TO PEOPLE TO PEOPLE

AND AND ENVIRONMNETENVIRONMNET

TFE & “Cyber” SecurityTFE & “Cyber” Security

•The CTG has launched a working group to The CTG has launched a working group to address the problem on Group leveladdress the problem on Group level

•Primary Objectives: Primary Objectives: • Remove any danger for action on plant Remove any danger for action on plant

operation from outside (Internet, operation from outside (Internet, Intranet , Corporate LAN).Intranet , Corporate LAN).

• Guarantee System Availability and Guarantee System Availability and System integrity System integrity

•Secondary Objective Secondary Objective • Improve confidentiality on informationImprove confidentiality on information

TFE & “Cyber” SecurityTFE & “Cyber” Security

Background•Yesterday:Yesterday:

• Control systems used proprietary hard and software which gave the system a certain immunity against external attacks.

• Systems were stand alone applications with (almost) no connections to the external world.

•Today:Today:

• Cost reduction pushed all suppliers on relying more and more on standard hard and software in process control and process control related applications:

• TCP/IP; Windows NT W2K; wiring and connectors; network structure and elements (hubs, switches, …)

• Increased demand for information exchange (ERP (SAP), LIMS, RTPDB, ASSET Management) pushed supplier to deliver open solutions, often resulting in weakened security.

TFE & “Cyber” SecurityTFE & “Cyber” Security

Our project Goals:

• Establish the interconnection requirements of the sites.

• Study a tailor-made solution for the interconnection of an IT network with a process control network (compatibility with vendor specifications).

• Run one some pilot sites (set-up, functional and intrusion test).

• Define a ‘low cost’ standard solution which gives a minimal certified and tested solution affordable for all sites.

• Define an implementation guideline for those interconnections.

• Define a corporate standard for the security of process control systems.

• Roll out the standard solution

A Global PictureA Global Picture

Corporate WAN

Remote Site LAN

Process Control LAN

Proprietary Control Network

P r o c e s sController

SDPROLIANT 1850R

Application ServerFixed IP

PrinterFixed IP

Process Firewall

RouterApplication Server

Fixed IPProcess Maintenance

DHCPProcess Maintenance

fixed IP

ACE Server

P r o c e s sController

²

Supplier MaintenanceSystem

SD

P70

SD

DESKPRO

Operator Control StationFixed IP

SD

P70

SD

DESKPRO

Engineering StationFixed IP

Remote UserInternet

Router

Modem Pool

Corporate Firewall

Remote User

²

Supplier MaintenanceSystem

PhoneOperator

Wireless PC

Wireless LAN

Wireless Bridge

Site LAN

RouterUser Workstation

Fixed IPUser Workstation

DHCPClient/Server Application

Fixed IPPrinter Server

Fixed IP

TFE corporate process IT security standardTFE corporate process IT security standard

• Today we have defined a corporate Today we have defined a corporate security standard for process IT.security standard for process IT.

• Implementation phase is rapidly Implementation phase is rapidly ongoing.ongoing.

• Effects on own personnel and on Effects on own personnel and on subcontractor staff (remote subcontractor staff (remote maintenance).maintenance).

• Among effects on all interconnections Among effects on all interconnections between ‘office’ IT and process IT there between ‘office’ IT and process IT there are also important drawback on how to are also important drawback on how to structure, install and locate a PI server structure, install and locate a PI server in a (our) secure environment. in a (our) secure environment.

PI & IT security PI & IT security

• Where to put a PI Server ??Where to put a PI Server ??

• If it is a server for data consultation : If it is a server for data consultation : office side.office side.

• VPN between PI server and Firewall.VPN between PI server and Firewall.

• Use dedicated PI interface on process Use dedicated PI interface on process side.side.

• APC PI Servers or PI Servers with DCS APC PI Servers or PI Servers with DCS write capability on process side. Data write capability on process side. Data transfer to ‘Office IT’ with PItoPI on transfer to ‘Office IT’ with PItoPI on separate PC.separate PC.

PI & IT security PI & IT security

• What to installWhat to install

• On Process PI servers or interfaces On Process PI servers or interfaces on process side : nothingon process side : nothing

• On Office PI Servers:On Office PI Servers:

• Securemote client (VPN) with Securemote client (VPN) with preshared secret.preshared secret.

• Service to start tunnel Service to start tunnel automatically (with no operator automatically (with no operator interaction)interaction)

PI Servers in a secure environmentPI Servers in a secure environment

• Recommended OSISOFT Recommended OSISOFT scheme witch was used scheme witch was used primirlallyprimirlally

• The danger is the The danger is the vulnerability of the vulnerability of the Windows PI Server.Windows PI Server.

• Once someone has Once someone has access to the PI server, access to the PI server, he has physical access to he has physical access to the Process Net and the Process Net and through the PI interface through the PI interface to the Control Net.to the Control Net.

• Potentially dangerous if Potentially dangerous if the PI server has write the PI server has write capability. (Erroneous or capability. (Erroneous or malicious change of a tag malicious change of a tag configuration)configuration)

SD

PROLIANT 1200

DLT

SD

DESKPRO

IT Net

Process NET

PI Server

PI Interfaceand/or

DCS Gateway

ControlNET

PI Servers in a secure environmentPI Servers in a secure environment

• One possibility is to put One possibility is to put the PI server behind a the PI server behind a Firewall.Firewall.

• Access can then be given Access can then be given on an IP address base on an IP address base and PI-Port filtering.and PI-Port filtering.

• Disadvantages are:Disadvantages are:

• AAccess list difficult to ccess list difficult to manage if there is a manage if there is a large number of users.large number of users.

• Problems of selectivity Problems of selectivity in DHCP environments.in DHCP environments.

• Impossibility of Server Impossibility of Server management (Tivoli, ..) management (Tivoli, ..) in integrated in integrated environments.environments.

• Danger if the server has Danger if the server has write capability.write capability.

SD

PROLIANT 1200

DLT

SD

DESKPRO

IT Net

Process NET

PI Server

PI Interfaceand/or

DCS Gateway

ControlNET

Firewall

PI Servers in a secure environmentPI Servers in a secure environment

• Standard set up for read Standard set up for read only PI Servesonly PI Serves

• Process section is Process section is protected through protected through Firewall and VPN tunnel Firewall and VPN tunnel (Port filtering)(Port filtering)

• Interface runs in read-Interface runs in read-only mode.only mode.

• Access to the interface is Access to the interface is only possible from the PI only possible from the PI Server through the PI-Server through the PI-Port.Port.

SD

PROLIANT 1200

DLT

SD

DESKPRO

IT Net

PI Server

PI Interfaceand

DCS Gateway

VPN Tunnel

Process NET

PI Servers in a secure environmentPI Servers in a secure environment

• Standard set-up for Standard set-up for systems with APC PI systems with APC PI Servers (having R/W Servers (having R/W access).access).

• Data is gathered on the Data is gathered on the APC PI Server.APC PI Server.

• Data in transferred to the Data in transferred to the “Office” PI Server “Office” PI Server through a PItoPI through a PItoPI interface.interface.

• The PItoPI interface runs The PItoPI interface runs on a separate machine. on a separate machine.

• The “Office” PI Server The “Office” PI Server has only access to the has only access to the PItoPI interface (VPN + PI PItoPI interface (VPN + PI port). This eliminates port). This eliminates rebound possibilities. rebound possibilities.

SD

PROLIANT 1200

DLT

SD

DESKPRO

IT Net

PI Server

PI Interfaceand

DCS Gateway

VPN Tunnel

Firewall

Process NET

SD

PROLIANT 1200

DLT

PI to PISD

DESKPRO

APC - PI ServerWith write to DCS

PI Servers in a secure environmentPI Servers in a secure environment

• Future set-up for a Future set-up for a “office” PI Server with “office” PI Server with write access.write access.

• A special write interface A special write interface (internal development), (internal development), isolated from the IT Net, isolated from the IT Net, reads write data from the reads write data from the “office” PI Server.“office” PI Server.

• Then it writes the data to Then it writes the data to DCS via OPC.DCS via OPC.

• Tag list is handled as an Tag list is handled as an encrypted local encrypted local configuration file which configuration file which can be managed by DCS can be managed by DCS administrator (if different administrator (if different from PI administrator)from PI administrator)

• This interface can also This interface can also run on the PI-interface run on the PI-interface node.node.

SD

PROLIANT 1200

DLT

SD

DESKPRO

IT Net

PI Server

PI Interfaceand

DCS Gateway

VPN TunnelFirewall

Universal CustomWrite interface

SD

DESKPRO

Read specific point list(text file) from PI via PIAPI

A) Write to DCS viaOPC.

B) Write to other ProcessPI server via PI API

Can run on the Interfaceor the process PI Server

SD

PROLIANT 1200

DLT

Process PI Server (ieDetaV) with RO

interface

Wishes for PI security Wishes for PI security

• Interfaces : improve the yes /no Interfaces : improve the yes /no mechanism for writing to DCS’s. mechanism for writing to DCS’s. (possibility to filter DCS tag reference for (possibility to filter DCS tag reference for writing). This would eliminate the special writing). This would eliminate the special interface described beforeinterface described before

• Use Strong Authentication for PI Use Strong Authentication for PI administratorsadministrators

• Have access to the firewall table Have access to the firewall table remotely and securely as it is possible remotely and securely as it is possible now with PI trust tablenow with PI trust table

• Increase PI buffer size because PI server Increase PI buffer size because PI server not directly on the DCS networknot directly on the DCS network

PI in an IT security context.PI in an IT security context.