Interested in linking to "Come together "?
You may use the Headline, Deck, Byline and URL of this article on your Web site. To link to this article, select and copy the HTML code below and paste it on your own Web site.
It had to happen eventually. Driven by potential efficiencies and savings, the evolution from point-to-point hardwiring to twisted-pair fieldbuses and onward to Ethernet, Internet and wireless keeps pushing inexorably outward to seek links and integrate with other networks. At the same time, progressively more sophisticated components, starting with relays and solenoids, followed by PLCs and board-level PCs, and on to Ethernet gateways and switches, continually reshapes plant-floor networks to become more similar to their corporate/environmental/information technology (IT)-governed counterparts.
However, there are just a few more wrinkles to work out.
There are two typical scenarios that demonstrate how plant-floor and corporate-IT networks are becoming more integrated. First, more plant-floor components of all types are being built with Internet Protocol (IP) addresses and other capabilities for linking to other networks, which put them under the jurisdiction of corporate IT departments and managers. Second, some corporate/physical backbones, especially Ethernet-enabled networks, occasionally are extending a few lines beyond their usual deployment, and reaching down to monitor some production functions, rather than replicating another Ethernet network just for the plant floor.
Both of these examples show how formerly separate networks are overlapping, and taking the first steps to overall integration. However, to gain the benefits and minimize the risks of network unification and simplification, users must teach their plant-floor engineers and IT staffs to cooperate, implement some essential security infrastructures, and train these staffs to use and maintain them.
“Before 9/11, security meant I was concerned about keeping valuable tools from walking out of the plant,” says Bill Lessig, plant manager at Honeywell Specialty Materials’ 1,900-acre facility in Geismar, La., which recently integrated its process control and physical security systems. “Now, my security concerns have shifted to thinking about threats from external sources, assuring business continuity, minimizing impacts in the event of an attack, and making sure the surrounding community is safe."
As your network links grow, your problems grow. “Everyone is running into these same issues,” says Bob Huba, DeltaV System Security product manager at Emerson Process Management. “The tendency is to think of requests for links to plant networks and their data as just another IT job, but there’s often a lack of knowledge between the corporate local area network (LAN) and physical control of manufacturing assets. IT departments like to lay their procedures onto plants, but they need to grasp the differences between the process control system and the business level. Each side is listening and learning the other’s issues, but it’s still a little painful.”
Huba reports one of Emerson’s chemical plant customers recently outsourced its IT management internationally, and then found its process controllers couldn’t talk to its network devices through its HMI when their firewall was disabled remotely. He says several misconfigured switches were slowing the network, but it took a week to get through the IT firm’s management layers to secure the required passwords and permissions. Huba adds that another client had a network router that kept failing and refusing to pass data, and that an investigation revealed that a remote IT person was reconfiguring it repeatedly to meet corporate standards from which the router was supposed to be exempt.
Job Descriptions Merging
“In energy management, for instance, most facilities previously had monolithic systems separated by job title for power, HVAC, lighting, elevators, security, and life/fire safety, and each had its own PCs and interfaces,” says Barry Haaser, senior director of Echelon’s LonWorks infrastructure business. "Software changed these industries, and allowed device functions to increase and reliance on separate PCs to decrease. We’ve ended up with peer-to-peer networks that can talk to each other like they do on the plant-floor, and we now have whole buildings that are programmable and driven by software. The true benefit of this is that we can instruct these systems, for example, to lower temperature 2 ºC in occupied area at times when electrical costs are twice normal.”
In fact, Shaoguan Iron and Steel Group recently implemented a LonWorks network to more accurately measure and manage energy consumption in real-time at its 10-square-kilometer plant, and reduced its operating costs 10%. Now, data from the plant’s energy and control devices is integrated with its manufacturing execution system (MES) to help it identify best-case use scenarios for energy consumption and production. Located in Guangdong, Shaoguan produces 5 million tons of steel per year.
“In China, energy can be a third of a steel plant’s overall operating costs,” says Jianmel Huang, Shaoguan’s IT director. “Echelon’s technology gave us the ability to create an infrastructure that helps us quickly deploy a scalable system, and achieve our energy and operating goals.”
Ironically, while plant-floor networks typically provide application data to the overall enterprise, sometimes the corporate network can directly aid the plant process, too. Jason Urso, Honeywell Process Solution’s product marketing manager, adds that video surveillance has long been a part of the physical security infrastructure at many facilities, but network integration often is giving video a new dual role in aiding process control.
“Because physical security devices are already in the process control setting, these cameras also can be used to check for leaks, vibration damage, and other adverse situations,” says Urso. “Data sharing technology also enables users to examine streaming video with algorithms that can note differences such as changes in thermography.”
Gospel Accorsding to Geismar
To protect chemical plants and refineries from potential attacks and other incidents, Honeywell Process Solutions is offering other companies the program it recently used to integrate security and process control at its Geismar specialty materials plant, near New Orleans. Honeywell developed and implemented a multi-layered security system that integrates its Experion PKS process control system and its Electronic Building Integrator (EBI) cyber, electronic and physical site security systems over its common distributed server architecture, and these links reportedly allow faster, more efficient responses to any adverse events. Developed and implemented over 16 months and at a cost of $3 million, this multi-layered security system reportedly takes a holistic approach, and integrates process control, automation and security systems to reduce risk and increase safety preparedness.
|FIGURE 1: BIG MUDDY MONITORING|
A radar antenna and cameras monitor the Mississippi river near Honeywell Specialty Materials’ dock in Geismar, La., as part of the 1,900-acre facility’s layered security program.
The Geismar plant is located on the Mississippi River (See Figure 1), and the site is occupied by Honeywell and four other companies. Honeywell employs approximately 275 people at the site, with another 85 contractors on site at any given time. Counting the other companies’ staffs, headcount at the site is more than 1,000 people. As host, Honeywell is responsible for the perimeter security of the entire site, as well as the security of its own facility. Honeywell produces several chemical products at Geismar, including hydrofluoric acid, fluorocarbon refrigerants and Alcon resin.
“The goal at Geismar, like other chemical facilities, was to enhance safety and security to match the increased risk levels of the plant,” says Lessig. “As a chemical manufacturer and as a process control, security and building controls supplier, Honeywell was in a unique position to take a look at securing the site in an innovative way.”
The program’s current capabilities and benefits include:
“Having the security system totally integrated with process control is what makes this project best in class” adds Lessig. “If there’s ever an incident on site, everyone (security and process employees) knows about the incident in real time. We’re now able to get the right information out to the right people quickly, and go into action immediately. This reduces risk, enhancing not only security, but safety."
Urso adds that Geismar will combine its wireless components and a third-party ultrawideband (UWB) radio frequency identification (RFID) technology to pinpoint precise locations of individuals at the plant by the end of 2007. The facility’s current ID card swipe system only documents last-known locations.
“The biggest trend and challenge now is linking process control with business systems, so users can have a fully linked supply chain,” says Urso. “This is where two worlds that used to be in isolation now need to securely exchange information. This can help a refinery reconfigure itself sooner and with less labor to, for example, better handle a ship full of a certain type of crude oil, and allow it to better respond to market dynamics.”
Despite the apparent ease and advantages of simply opening connections between plant-floor and corporate networks, experienced users warn that these links must only occur through well-defined, thoroughly tested, and maintained firewalls, demilitarized zones (DMZs), or virtual private networks (VPNs). However, as network integration causes potential connections to multiply, it becomes harder to enforce these security directives, even though they’re needed more than ever. Likewise, performing a thorough network inventory, data blueprint, and risk assessment becomes an even more crucial starting point.
Brad Hegrat, Rockwell Automation’s senior network and security engineer, suggests that users employ:
Hegrat adds that firewalls are more secure because they filter all data through one point, but routers and switches are less secure because they usually have multiple network connections. “One of our customers that makes heavy equipment in the Midwest had a virtual local area network (VLAN) with several access points, and last summer the Zotob worm virus found a hole in it,” says Hegrat. “This event brought down production for seven hours at dozen of plants, and cost millions of dollars in lost production time.” They had to scrub this virus the old-fashioned way and manually restore thousands of devices across the U.S.
“Today, intelligent firewalls can monitor network traffic, respond to network-based events like this by logically disconnecting themselves, and separating corporate/external networks from production,” says Hegrat.
To further help users safely integrate control and corporate networks, Bennet Levine, Contemporary Controls’ R&D manager, advises them to implement:
“Ethernet requires a little more awareness because it’s too flexible to some extent,” says Levine. “If you’re not careful, you easily can access an office network from the plant or vice-versa, and potentially flood the other with unwanted data.” To prevent these problems, Contemporary Controls supplies EIS8-100T and UL 864-rated Ethernet switches to segregate and direct network traffic.
In fact, system integrator ATS Automation recently used EIS8-100T switches to help implement an integrated Alerton distributed digital control (DDC) system at the new, combined 42-story Washington Mutual (WaMu) Bank and Seattle Art Museum. ATS senior sales engineer Pete Segall says this application shows how plant and corporate networks can be successfully integrated because it combines:
|FIGURE 2: SWITCHES COMBINE CONTROL|
Two Ethernet switches are physically connected to an Alerton BACnet/Ethernet smoke control network to jointly run day-to-day HVAC, alarm-based smoke handling, and other equipment at the 42-story WaMu Bank and Seattle Art Museum.
Segall reports that two EIS8-100T switches helped ATS develop an integrated control that could jointly monitor and control HVAC, smoke, and other combined smoke-and-HVAC equipment both daily and on an alarm-event basis. “Pure smoke control systems don’t function on a day-to-day basis, but HVAC and combined systems do,” adds Segall.
The two Ethernet switches were physically connected to the Alerton BACnet/Ethernet smoke control network via Cat 5 cabling, so precise, required DDC logic routines could be carried out (See Figure 2). One switch is located in the central fire control room, and the other is in a telecom room on WaMu’s second floor. In addition, one switch is used as a gateway between the non-smoke control Global DDC logic boards and the building management system’s computer and user interface.
“Ten years ago, this kind of integration would have been extremely difficult because there were no open protocols, and we would have had to write proprietary system drivers to translate between the fire, control and security protocols,” says Segall. “Open protocols such as BACnet and Modbus make all of this easier, and having a single point of connection between the several hundred Ethernet devices in our dedicated HVAC and fire network and WaMu’s overall corporate network gives us secure flexibility.”
Whatever technical methods are used to integrate industrial and business networks, everyone agrees none will be secure without plant and IT cooperation, jointly developed security policies, and training.
Jay Hardison, plant superintendent for Colorado Springs Utilities (CSU), says the utility has been using EtherNet/IP for its corporate backbone, and Profibus and DeviceNet for its plant-floor water/wastewater treatment plants for several years, and recently added Rockwell Software Maintenance Automation Control Center (RSMACC). RSMACC adds required security and offers supplemental authentication, auditing, archiving, and verification.
|FIGURE 3: SPRINGS IN COLORADO|
|Northern Water Reclamation facility combines EtherNet/IP, Profibus, DeviceNet, and maintenance automation software at its water/wastewater treatment plant.|
Hardison explains that CSU is integrating its networks into an overall historical database, which it will use to drive its Maximo work management system and preventive, run-time-based maintenance program. He adds that subsequent reading and diagnostics will let CSU run its plant on a more unmanned basis using a VPN, and increase capacity to handle the 3,000 taps it’s added annually for the past several years without adding manpower.
“We’re able to do this because we have a good working relationship and a common vision with out IT department, “ says Hardison. “Our IT people participate on the plant-floor, learn about our controls, and even go to control conferences. Meanwhile, they’ve educated us about Ethernet, switches, routers, and firewalls. We usually meet twice each month to talk about security and how to marry different plant and business-level applications. If we had an adversarial relationship with IT, we’d never have been able to do what we’ve done.”
Primary methods for ensuring effective integrated network security should include:
Source: Honeywell Process Solutions
In its “Process Control Network—Reference Architecture” whitepaper, Invensys Process Systems recommends segmenting process control networks into four major security zones, including Internet, data center, plant network, and control network, as well as several supplementary sub-zones as needed. Each zone is separated by a firewall. Secure network design dictates that the perimeter firewall comes from a different manufacturer to provide maximum resistance to penetration. This one firewall might be a pair of high availability units in a fail-over mode. For networks that require real-time or near real-time communications to the process control network, it’s recommended that at a minimum this device be a high-availability or redundant unit.
The network is divided into the following major zones and sub-zones:
Field I/O—Communications in this zone typically are direct hardwired communications between the I/O devices and their controllers. Security is accomplished by physical security means.
Controls Network—This zone has the highest level of security and carries process control device communications. Traffic on this network segment must be limited to only the process control network traffic as it is very sensitive to the volume of traffic and protocols used.
Plant Network—Carries general business network traffic such as messaging, ERP, file and print sharing, and Internet browsing, etc. This zone might span multiple locations across a wide area network. Traffic from this zone may not directly access the Control Network Zone.
Data Center—This could be one or multiple zones that exist at the corporate data center.
Internet—This zone consists of the unprotected public Internet.
Sub-Zones—Added sub-zones may be implemented to provide an extra level of control. These commonly are implemented as DMZs on the firewall. Typical uses of these sub-zones are:
ControlDesign.com is the only multimedia source dedicated to the controls, instrumentation, and automation information needs of industrial machine builders, those original equipment manufacturers (OEMs) that build the machines that make industry work.