Chapter 49
49.1 Integration of Control and Information Systems
49.2 Standards and Enabling Technologies
49.3 Architecture
49.4 Data Objects
49.5 Object Linking
49.6 Open Process Control
49.7 OPC and the Internet
49.8 Openness and Security
49.9 Information and Control Security
49.10 Information Security Management
49.11 Firewalls
49.12 Demilitarised Zones
49.13 Malware Summary
49.14 Anti-Virus Software
49.15 Comments
An open system is one that is based on widely used industrial standards. This covers programming languages, operating systems, display technologies and communications networks. There are three principal issues involved in systems being open: access, inter-operability and security. An open system provides unrestricted access, from anywhere in the system, to data for information and display purposes. Inter-operability features include:

• Portability of application software, i.e. software developed for one system capable of being run on another
• Scalability of hardware, i.e. the ability to migrate to a different, more powerful, processor without having to rewrite any software
• Ability to mix and match hardware and software from different suppliers

Open systems are the antithesis of the monolithic ICS and early DCS systems, as described in Chapter 38, which were based on proprietary operating systems and networks. It was difficult enough to connect one system up to another from the same supplier, let alone from a different supplier. The porting of software and the introduction of new processors was simply out of the question.

49.1 Integration of Control and Information Systems

The ability to merge and manipulate real-time data from control systems with cost, quality and scheduling data from information systems enables operators and managers to make timely decisions about processes and production. There is an inexorable blurring of the boundaries between traditional so-called islands of automation, leading to integration of control and information systems. A variety of commercial pressures on both end-users and control system suppliers are reinforcing this move towards open systems. For example:
352 49 Open Systems
• Access to on-line control data enables performance against increasingly stringent environmental and safety regulations to be monitored more effectively.
• Advanced control and optimisation techniques are commonly used to maximise profits. These techniques are information rich and require access to data about costs and production requirements.
• Responsiveness to market demands requires flexibility in processing to meet rapidly changing production requirements. Thus control schedules need to take operational constraints into account.
• Flatter management structures mean that responsibility for decision making is pushed down to the lowest levels practicable. This is only possible if appropriate information is readily accessible at all levels.
• The advent of intelligent instrumentation provides much more control data than hitherto. Also, data related to instrument performance is available, for which there is a requirement for integration with maintenance planning.
• Control system hardware is increasingly becoming a commodity product. To retain profitability, system suppliers are shifting towards the provision of advanced control techniques and the integration of control functions with MIS and CIM capabilities.
• The end-user's investment in application software may well be the most valuable part of a control system as it represents the intellectual output of some of its best engineers. The use of standard operating systems, languages and protocols enables portability, if not yet between manufacturers then at least between systems from the same supplier.
• Industrial quality control system hardware has to be rugged for plant and control room use. Office equipment, such as PCs and workstations, is relatively cheap. There are real cost benefits from being able to mix industrial and commercial equipment in the same system. This is only possible if they work to the same communications standards and protocols.
• The cost of developing quality system software is such that suppliers are entering into third party agreements rather than develop it themselves. Thus graphics packages, relational databases, etc. are supplied as part of a system. This is only feasible with a common platform.

49.2 Standards and Enabling Technologies

A necessary prerequisite for open systems is the existence of common standards, whether they are of an industry de facto nature or produced by a standards authority such as IEC or IEEE. Standards take a long time to develop which, in part, explains why open systems have taken so long to come about. This is largely because the issues are complex and it is often difficult to reach genuine agreement between end-users and suppliers, and between different countries. Choices have to be made between differing practices and technologies and invariably there are conflicting interests. Nevertheless, a set of common standards has emerged and others are coming to fruition. The enabling technologies of particular note are:

• Operating systems: Windows 2003/XP, UNIX, Linux
• Languages: C++, Visual Basic, Java, SQL, IEC 61131, DDL, etc.
• Networks: Ethernet (IEEE 802.3), token bus (IEEE 802.4), fieldbus (IEC 61158), etc.
• Data access: OLE (ActiveX), OPC, etc.
• Data structures: ISA S95 and IEC 61512

49.3 Architecture

The impact of open systems is to flatten the architecture of control systems into two domains, control and information, as depicted in Figure 38.11. Elements at the control level are connected to a highway which is typically token bus. If the highway is proprietary and/or non-standard, gateways are required to provide compatibility between them. Gateways also enable serial links to intelligent instruments and to HART, Profibus and/or fieldbus devices.

The information domain is invariably based on Ethernet using TCP/IP, as described in Chapter 40, which is the de facto multivendor network. This enables any required combination of NT or UNIX based workstations, X-Windows terminals, computers and file servers to be used.

When all the elements of a system have a common standard real-time operating system and common communications and display standards, data can be accessed and displayed at all levels: operator displays at management levels and management displays at operator level, subject to access control as appropriate. Likewise, data held in relational databases can be accessed by client-server techniques at all levels.

An important development is the evolution of operator control stations (OCS) based on a ruggedised form of workstation which provides operators and engineers with a single point of access to both control and plant-wide information. Thus a single workstation doubles up as a human interface for system development and as an operator's control program (OCP) for control purposes.

It is essential in handling information in the control domain that the systems are:

• Robust in the sense that the operating systems do not crash
• Deterministic in that events are guaranteed to take place on time
• Permanent in the sense that critical software cannot be corrupted
• Reliable and able to support redundancy if necessary
• Secure from faults in the information system
• Tolerant of operator errors
• Resistant to unauthorised external access

49.4 Data Objects

The use of data objects is only meaningful in the context of distributed databases within an open system in which the objects are globally accessible. There are various advantages in using data objects:

• Applications can access data in the form of objects by name only, typically a tag or block number, without reference to precise data addresses.
• The data object exists as a single point within the system, thereby ensuring that the data accessed is up-to-date, complete and consistent.
• A standard application program interface (API) can be readily defined and provided to third parties so that their applications and devices can be seamlessly integrated.
• Structured query language (SQL) extensions can be defined to access data objects within a client-server architecture which can connect smoothly and reside securely within larger, enterprise wide, proprietary relational databases.

49.5 Object Linking

Object linking and embedding (OLE) is a published Microsoft standard for connecting applications in a Windows environment. It provides dynamic real-time links with databases and networks for process control using standard interfaces. Using OLE concepts, applications can be developed with a standard interface to other applications developed to the same standard, thereby offering true software inter-operability. This is depicted in Figures 49.1 and 49.2 which contrast bespoke customised interfaces with OLE based ones.

[Figures 49.1 and 49.2: bespoke customised interfaces versus OLE based interfaces between Application X and Application Y]
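The tag-by-name access of Section 49.4 and the "subject to access control as appropriate" of Section 49.3 can be made concrete in a few dozen lines. The following is an added example written for this chapter, not code from the book or from any supplier's OPC product: a small in-memory tag server in which clients address data objects by tag name only, the server holds the single authoritative copy, every read and write is checked against the caller's role and written to an audit trail, and writes are range-checked before they could reach the plant. The tag names, register addresses, roles and engineering limits are assumptions.

```python
"""Tag-addressed data objects with role-based access control and audit.

Added example, not from the book: tags, addresses, roles and limits are assumed.
"""
from dataclasses import dataclass


@dataclass
class DataObject:
    tag: str
    address: int          # underlying register address; never exposed to clients
    kind: str             # "measurement" or "setpoint"
    value: float
    units: str
    limits: tuple         # (low, high) engineering range accepted for writes


@dataclass(frozen=True)
class Principal:
    name: str
    role: str


class AccessDenied(PermissionError):
    pass


class TagServer:
    """Single authoritative copy of every data object, reachable by tag name only."""

    # Assumed roles -> (kinds that may be read, kinds that may be written).
    # Management and the historian only read; only operators change setpoints;
    # nobody outside the control system writes measurements.
    PERMISSIONS = {
        "operator":   ({"measurement", "setpoint"}, {"setpoint"}),
        "management": ({"measurement", "setpoint"}, set()),
        "historian":  ({"measurement"}, set()),
    }

    def __init__(self):
        self._objects = {}
        self.audit = []   # (who, op, tag, outcome)

    def define(self, tag, address, kind, value, units, limits):
        self._objects[tag] = DataObject(tag, address, kind, value, units, limits)

    def _authorise(self, who, tag, op):
        obj = self._objects.get(tag)
        if obj is None:
            self.audit.append((who.name, op, tag, "unknown tag"))
            raise KeyError(f"unknown tag {tag}")
        readable, writable = self.PERMISSIONS.get(who.role, (set(), set()))
        allowed = obj.kind in (readable if op == "read" else writable)
        self.audit.append((who.name, op, tag, "ok" if allowed else "denied"))
        if not allowed:
            raise AccessDenied(f"{who.name} ({who.role}) may not {op} {tag}")
        return obj

    def read(self, who, tag):
        """Return the object's public fields; the address stays inside the server."""
        obj = self._authorise(who, tag, "read")
        return {"tag": obj.tag, "value": obj.value, "units": obj.units}

    def write(self, who, tag, value):
        obj = self._authorise(who, tag, "write")
        low, high = obj.limits
        if not low <= value <= high:
            self.audit.append((who.name, "write", tag, "rejected: out of range"))
            raise ValueError(f"{value} is outside {low}..{high} {obj.units} for {tag}")
        obj.value = float(value)
        return obj.value


def build_server():
    """Constructed plant: one temperature loop, its setpoint and a flow measurement."""
    srv = TagServer()
    srv.define("TIC101.PV", 40001, "measurement", 78.4, "degC", (0.0, 200.0))
    srv.define("TIC101.SP", 40002, "setpoint", 80.0, "degC", (20.0, 120.0))
    srv.define("FI102.PV", 40003, "measurement", 12.7, "m3/h", (0.0, 50.0))
    return srv


def run_demo():
    """Exercise the access rules; returns the outcomes so they can be checked."""
    srv = build_server()
    operator = Principal("alice", "operator")
    manager = Principal("bob", "management")
    historian = Principal("hist01", "historian")
    outcomes = {}
    outcomes["operator_read"] = srv.read(operator, "TIC101.PV")["value"]
    outcomes["operator_write"] = srv.write(operator, "TIC101.SP", 85.0)
    for label, action in [
        ("manager_write", lambda: srv.write(manager, "TIC101.SP", 85.0)),
        ("historian_read_sp", lambda: srv.read(historian, "TIC101.SP")),
        ("operator_write_out_of_range", lambda: srv.write(operator, "TIC101.SP", 500.0)),
    ]:
        try:
            action()
            outcomes[label] = "allowed"
        except (AccessDenied, ValueError) as exc:
            outcomes[label] = type(exc).__name__
    outcomes["manager_read_sp"] = srv.read(manager, "TIC101.SP")["value"]
    return outcomes, srv.audit


if __name__ == "__main__":
    results, audit = run_demo()
    for key, value in results.items():
        print(f"{key}: {value}")
    for entry in audit:
        print("audit:", entry)
```

The point a practitioner should take from it is that the "single point" the text describes is also the single place where policy can be enforced: because no client ever holds an address, the server can deny, range-check and log every access without the clients cooperating.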
An important extension to OPC is the development of OPC-DX which acts as a software gateway. Each device with an OPC-DX interface has both a client and a server part. The client part consumes data from other devices for use by its application (read) and the server part produces data from its device for other applications (write). Connection of devices using DX interfaces is done by means of a configuration tool from a library of device types using drag and drop techniques.

OPC-DX is of particular significance in the context of intelligent instrumentation. Networking of field devices has resulted in a number of widely accepted fieldbus protocols such as HART and Profibus, as explained in Chapter 50, resulting in the need for multiple bespoke gateways to establish effective communication with third party devices. DX offers the prospect of becoming the de facto API for communication with and between fieldbus function blocks.

49.7 OPC and the Internet

Increasingly process control systems are being connected to the internet. This might seem to be a bizarre thing to do, given the security issues described in the following section, but there are good reasons for doing so. For example, under certain safety or operability related circumstances, it may be appropriate for a control system to alert key personnel to a situation by automatically generating an e-mail. Sometimes, suppliers have access via the internet to control systems that they have supplied for diagnostic and maintenance purposes. Internet connections are increasingly used to abstract information from a control system into other applications, such as SPC packages. Access is often provided over the internet to data within the control system for management purposes.

For internet applications, information is presented using the hypertext markup language (HTML). HTML is a markup language largely concerned with display format: it describes how content is to be laid out and does not separate the data from its presentation, so it does not support re-usability of data. For example, if the same data is to be displayed and printed, two separate pages must be created with different format instructions for screen and printer.

An important extension to OPC is therefore the extensible markup language (XML), whose markup describes the structure and meaning of the data rather than its presentation, so that data can be distinguished from formatting instructions and reused. OPC XML (the OPC XML-DA specification) carries identifiable packets of process data over the internet as web service messages. XML is a web service technology, and control system suppliers are starting to incorporate XML based interfaces to distribute process and other data across TCP/IP networks.

49.8 Openness and Security

The Achilles heel of openness is security. The essential problem is that the more open a system becomes the more vulnerable it is to unauthorised access. This is especially so when MIS and (even) control systems are connected up to intranets and the internet. There are various dangers which may be categorised as follows:

• Inadvertent. For example, persons using the internet to legitimately access data within an MIS, or functions within a control system, may inadvertently corrupt data or introduce a virus. A summary of virus types is provided in Section 49.13.
• Mischief. Hacking is a well known phenomenon for which tools and training are readily available. Hackers are often motivated by the challenge and satisfaction of breaking into a system rather than by the damage they can cause. However, a breach in security is damaging in itself because, when revealed, usually by a message left by the hacker, there is uncertainty as to what damage may have been caused.
• Spying. Use of the internet, by hacking or otherwise, provides access to data in a company's MIS. Data such as recipes and production schedules can potentially give a competitor significant commercial advantage.
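The separation of data from presentation that Section 49.7 credits to XML is easiest to see with one packet rendered twice. The following is an added example for this chapter, not code from the book or the OPC Foundation: it encodes a handful of process values as an XML document, parses it back with a receiver that refuses any element, quality code or value outside the shape it expects (the check an open interface needs before it trusts a packet that arrived over the internet), and then renders the same records once for a screen and once for a printed report. The element names are assumptions and do not follow the OPC XML-DA schema; the sample values are constructed.

```python
"""One XML packet of process data, parsed strictly and rendered two ways.

Added example, not the book's or the OPC Foundation's code: the element names
are assumed and do not follow the OPC XML-DA schema.
"""
import xml.etree.ElementTree as ET

# Vocabulary the receiver is prepared to accept; anything else is rejected.
ALLOWED_ELEMENTS = {"ProcessData", "Item", "Value", "Quality", "Timestamp"}
ALLOWED_QUALITY = {"Good", "Uncertain", "Bad"}


def build_packet(items):
    """Encode (tag, value, quality, iso_timestamp) tuples as one XML document."""
    root = ET.Element("ProcessData")
    for tag, value, quality, stamp in items:
        item = ET.SubElement(root, "Item", name=tag)
        ET.SubElement(item, "Value").text = repr(float(value))
        ET.SubElement(item, "Quality").text = quality
        ET.SubElement(item, "Timestamp").text = stamp
    return ET.tostring(root, encoding="unicode")


def parse_packet(xml_text):
    """Parse a packet into records, refusing anything outside the expected shape.

    xml.etree does not resolve external entities, but for packets from untrusted
    hosts a hardened parser such as defusedxml should replace ET.fromstring.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "ProcessData":
        raise ValueError(f"unexpected root element <{root.tag}>")
    for element in root.iter():
        if element.tag not in ALLOWED_ELEMENTS:
            raise ValueError(f"unexpected element <{element.tag}>")
    records = []
    for item in root.findall("Item"):
        name = item.get("name")
        if not name:
            raise ValueError("Item without a name attribute")
        quality = item.findtext("Quality", default="")
        if quality not in ALLOWED_QUALITY:
            raise ValueError(f"{name}: bad quality {quality!r}")
        records.append({
            "tag": name,
            "value": float(item.findtext("Value", default="")),  # ValueError if not numeric
            "quality": quality,
            "timestamp": item.findtext("Timestamp", default=""),
        })
    return records


def is_rejected(xml_text):
    """True if the receiver refuses the packet."""
    try:
        parse_packet(xml_text)
    except (ValueError, ET.ParseError):
        return True
    return False


def render_screen(records):
    """Fixed-width lines for an operator display."""
    return [f"{r['tag']:<10} {r['value']:>8.2f} [{r['quality']}]" for r in records]


def render_printer(records):
    """Comma-separated rows for a printed or archived report: same data, other format."""
    return ["tag,value,quality,timestamp"] + [
        f"{r['tag']},{r['value']},{r['quality']},{r['timestamp']}" for r in records
    ]


# Constructed sample, not plant data.
SAMPLE = [
    ("TIC101.PV", 78.4, "Good", "2024-01-01T08:00:00Z"),
    ("FI102.PV", 12.7, "Uncertain", "2024-01-01T08:00:00Z"),
]


def round_trip(items=SAMPLE):
    packet = build_packet(items)
    records = parse_packet(packet)
    return packet, records, render_screen(records), render_printer(records)


if __name__ == "__main__":
    packet, records, screen, printer = round_trip()
    print(packet)
    print("\n".join(screen))
    print("\n".join(printer))
```

Both renderers work from the parsed records, never from the XML text, which is what makes the data reusable; the strict parser is where the openness of the interface is paid for.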
• A variety of physical security measures be put in place. Typical examples are drive locks, tamper proof casings, intruder alarms, access control systems, CCTV, etc.
• Control system activity be monitored to indicate the health of the system. This involves monitoring network activity and the time taken for specific tasks against baselines for normal operation.

3. Establish response capabilities.
The objective is to establish procedures for monitoring, evaluating and taking appropriate action in response to security events. Good practice entails:
• Forming a computer emergency response team (CERT) to respond to suspected security incidents. Responses may include increased vigilance, isolation of control systems and application of patches.
• Ensuring that appropriate security response and business continuity plans are in place for the control systems, and that the plans are maintained, rehearsed and tested.
• Establishing an early warning system to notify appropriate personnel of security alerts and incidents, and ensuring that all such warnings are formally recorded and reviewed.

4. Improve awareness and skills.
The objective is to increase process control security awareness throughout the organisation and to ensure that all personnel have the appropriate knowledge and skills to fulfil their role. Good practice requires that:
• Management understands the business implications of the security risk to control systems and therefore commits to the management of the risk and provision of tools and training.
• IT personnel understand the differences between the security of control systems and IT security in general. For example, control system operations cannot be suspended whilst patches are installed or reboots made to enable upgrades.
• Control engineers develop IT security skills and commit to system security procedures.
• Links be established between IT personnel and control teams to build working relations, share skills and facilitate knowledge transfer.

5. Manage third party risks.
The objective is to ensure that all security risks from suppliers, contractors and other third parties are managed. Good practice requires that:
• All third parties that have legitimate access to the system be identified.
• The basis of third party access be detailed contractually at the procurement stage, defining the terms of the connection and prompt notification of vulnerabilities.
• Third parties agree to be bound by the end-user's security regime.
• System suppliers agree to provide anti-virus protection, security support and patches, and agree to system hardening procedures.
• Other third parties be prevented from having access to the control systems until their equipment, systems and software are proven not to be a security risk.
• There be regular security audits and reviews of third party access.

6. Engage projects.
The objective is to ensure that any project that may impact on control system security is identified and that, early in the project's life cycle, appropriate security measures are included in its design and specification. Good practice involves:
• Identifying all projects and developments that could potentially have an impact on the control system's security.
• Ensuring that a named individual has responsibility for security risk management throughout the project life cycle.
• Addressing security issues in the URS and DFS documentation and subsequent contracts, and ensuring that security policies are adhered to.
• Carrying out security reviews and testing security at key points in the control system's development cycle.
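The monitoring bullet above, comparing network activity and task times "against baselines for normal operation", is the one technical step in this list, and it is worth showing how such a baseline is built so that it is not thrown off by a single odd sample. The following is an added example for this chapter, not from the book or the NISCC guide: it learns a median and median absolute deviation (MAD) for a controller's scan-cycle time and for the packet rate on its highway from a window of normal operation, then flags live samples that sit more than a chosen number of robust standard deviations away. The learning window, the live samples and the five-sigma threshold are all constructed or assumed.

```python
"""Baseline monitoring of control-system activity.

Added example, not from the book or the NISCC guide: the learning window and the
live samples are constructed, and the 5-sigma threshold is an assumed tuning.
"""
import statistics


def baseline(samples):
    """Median and median absolute deviation (MAD) of the learning window.

    Robust statistics are used so that one odd sample in the learning window
    does not stretch the baseline the way a mean and standard deviation would.
    """
    med = statistics.median(samples)
    mad = statistics.median(abs(x - med) for x in samples)
    return med, mad


def deviations(samples, med, mad, threshold=5.0):
    """Samples whose robust z-score exceeds the threshold, as (index, value, z).

    1.4826 * MAD estimates the standard deviation for normally distributed data;
    the floor stops a perfectly constant window from dividing by zero.
    """
    scale = max(1.4826 * mad, 1e-9)
    flagged = []
    for i, x in enumerate(samples):
        z = (x - med) / scale
        if abs(z) > threshold:
            flagged.append((i, x, round(z, 1)))
    return flagged


# Constructed learning window: twenty one-minute samples from normal operation.
NORMAL_SCAN_MS = [50.1, 49.8, 50.3, 50.0, 49.9, 50.2, 50.0, 50.1, 49.7, 50.0,
                  50.2, 49.9, 50.1, 50.0, 50.3, 49.8, 50.0, 50.1, 49.9, 50.0]
NORMAL_PPS = [410, 405, 415, 398, 402, 412, 407, 409, 401, 404,
              411, 406, 399, 403, 408, 410, 402, 405, 407, 404]

# Constructed live window: the controller's scan cycle stretches while traffic
# on the highway jumps, the pattern a scanning host or a runaway client leaves.
LIVE_SCAN_MS = [50.0, 50.2, 49.9, 50.1, 71.4, 69.8, 70.2, 50.0]
LIVE_PPS = [406, 404, 409, 403, 1850, 1920, 1875, 410]

METRICS = {
    "scan_time_ms": (NORMAL_SCAN_MS, LIVE_SCAN_MS),
    "packets_per_s": (NORMAL_PPS, LIVE_PPS),
}


def monitor(metrics, threshold=5.0):
    """metrics: name -> (learning window, live window). Returns alert lines per metric."""
    alerts = {}
    for name, (learning, live) in metrics.items():
        med, mad = baseline(learning)
        alerts[name] = [
            f"{name}: sample {i} = {x} is {z} robust sigma from baseline {med}"
            for i, x, z in deviations(live, med, mad, threshold)
        ]
    return alerts


if __name__ == "__main__":
    for name, lines in monitor(METRICS).items():
        print(f"{name}: {len(lines)} alert(s)")
        for line in lines:
            print("  " + line)
```

Scan time and packet rate are monitored separately because either can move on its own; a slowed scan with normal traffic points at the controller, a traffic surge with a normal scan points at the network. In service the learning window would be refreshed from periods the operators confirm were normal, never from a window that already contains an alert.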
49.11 Firewalls 359
this approach, known as dynamic packet filtering, is due to the fact that the rules can be made conditional. For example: a packet will only be accepted for a particular destination if it was received in response to a specific request for a certain type of data sent to a particular source address.

Stateful firewalls offer a high level of security, good performance and transparency to users. However, they are more expensive and, because of their complexity, can be less secure than packet filters if not administered by competent personnel.

3. Proxy firewalls. These work at the application layer of the OSI model as described in Chapter 40. The packets are opened, processed according to ACL rules, reassembled, and forwarded to the intended target device. The firewall is typically designed to handle a variety of protocols, through the one device, and then forward the messages to individual host computers for servicing. Thus, instead of connecting directly to an external server, the client connects to the proxy firewall which in turn initiates a connection to the requested external server.

Proxy firewalls can provide significant additional security functionality. For example, ACLs can be used to require users or systems to provide additional levels of authentication before access is granted. Also, rules can be created that are protocol specific. For example, a proxy firewall can be used to block all inbound HTTP messages that contain scripts whereas, by contrast, a filter based firewall could block all HTTP messages, or none, but not a subset.

Whilst proxy firewalls offer a high level of security, they do have a significant impact on network performance. Furthermore, most proxy firewalls only support common internet protocols, such as the file (FTP), hypertext (HTTP) and simple mail (SMTP) transfer protocols. Thus messages based upon control protocols such as the common industrial protocol (CIP) and Modbus/TCP, etc., will still require the firewall to process the messages by filter or stateful means. The current position is that most firewalls on the market use a combined stateful and application proxy approach.

4. Deep packet inspection (DPI). A DPI firewall offers deeper filtering into the application layer than the traditional proxy firewall, without performing a full proxy on the TCP connection. For example, DPI firewalls can inspect simple object access protocol (SOAP) objects in XML on web connections and enforce policy on what objects are allowed through the firewall. This firewall market is still in development.

Firewall suppliers usually offer other services besides their basic message handling functionality. Such services may comprise intrusion detection, deployment of anti-virus software, authentication services, secure encrypted "tunnels" and network address translation. These additional services obviously increase the cost and complexity and reduce the performance of the system. However, making good use of them can significantly improve the overall security of the control system.

49.12 Demilitarised Zones

There are various architectures available for deploying a firewall between an IT network and a control system. These configurations involve routers and switches, multiple ports, single and multiple firewalls, and demilitarised zones (DMZ). Of these, on the grounds of security, manageability and scalability, the DMZ configurations are overwhelmingly the most effective. One common DMZ configuration is depicted in Figure 49.4.

This configuration requires that the firewall has three or more ports. Thus one port is used to interface with the control system, a second with the IT network, a third to an intermediate local area network referred to as a process information network (PIN) and possibly a fourth to either a wireless local area network (WLAN) or remote and third party access systems.

[Fig. 49.4 Demilitarised zone with single firewall (elements: Ethernet, FW, DMZ/PIN with HM, AM and FS2, GW1, OCS, PC2, Highway)]
[Fig. 49.5 Demilitarised zone with twin firewalls (elements: Ethernet, FW1, DMZ/PIN with HM, AM and FS2, FW2, GW1, OCS, PC2, Highway)]

Common servers such as history (HM) and application (AM) modules would typically be located on the PIN and remote users would have legitimate access to them via the internet and the firewall. Likewise, for updating and/or application purposes, the control system has access to these modules via the gateway and firewall. By locating the HM and AM modules inside the DMZ, no direct communication channels are required between the IT network and the control system: each effectively ends in the DMZ. The objective of ACL design is to maintain a clear separation between the IT network and the control system.

The primary security risk with this particular architecture is that if one of the modules inside the DMZ is compromised, it can be used to launch an attack on the control network. This risk is obviously reduced by hardening the devices on the PIN and by actively keeping the firewall itself up to date.

An alternative DMZ configuration, which uses a pair of firewalls between the IT network and the control system, is depicted in Figure 49.5. Again, common servers such as the HM and AM are located on a PIN within the DMZ. The first firewall FW1 provides security at the IT network interface and the second firewall FW2 secures the interface with the process control network. An attractive feature of the twin firewall approach to DMZ is that it allows both IT and control groups to have clearly separated device responsibility since each can independently manage its own firewall. The principal disadvantage of the twin firewall approach is increased cost and management complexity.

If firewalls from different suppliers are used then the diversity of design provides enhanced security. Indeed, the obvious direction for the control industry to evolve is for gateway design and firewall functionality to become integrated within the same physical unit.

An extension to the concept of diverse firewalls is the use of disjoint protocols across the DMZ. Thus, for example, if Ethernet is used for the IT network it is explicitly not allowed between the DMZ and the control network. Likewise, if token bus is used for the highway, then it is explicitly not allowed between the DMZ and the IT network.

Once the firewall architecture is fixed, the main focus of effort is in determining what traffic to allow through the firewalls. The NISCC (2005) guide provides detailed guidance on recommended practice for the design of ACL rule sets and on the management of firewalls.

49.13 Malware Summary

Malware is the generic term that refers to viruses, trojans, worms, etc. A virus is a program, or macro, that is capable of attaching itself to files and replicating itself repeatedly, typically without the user's knowledge or permission. Some viruses attach to
files such that when the file is executed so too is the virus. Other viruses sit in a computer's memory and infect files as they are created, opened, edited, copied, etc. They may display symptoms and/or cause damage, but neither symptoms nor damage are essential in the definition of a virus: a non-damaging virus is still a virus.

Viruses spread from computer to computer via network connections, via shared storage media such as file servers and via portable storage media such as compact discs and USB sticks. By far the most common form of infection is by viruses attached to e-mails. The effects of virus infection are various and include:

• Just leaving a simple screen message
• Accessing e-mail address books, replicating messages to every address, and overloading the network
• Deleting and/or corrupting files

date such as Friday 13th. When the event occurs, the virus activates and does its damage.
6. Stealth. This type hides itself by feeding anti-virus software a clean image of infected files or boot sectors. For example, the size of an infected file would be returned as the size of the file without its virus.
7. Trojan. This is a malicious program that pretends to be benign and causes an application to behave in an unpredictable way. Strictly speaking, a Trojan is not a virus because it does not replicate.
8. Worm. This is a parasitic program which replicates but, unlike a virus, does not infect other programs or files. It can replicate itself on the same computer or send copies to other computers via a network, typically as an e-mail attachment.
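The firewall types of Section 49.11 (packet filter, stateful, DPI) and the three-zone DMZ of Section 49.12 can be exercised together in code. What follows is an added example written for this chapter, not from the book, the NISCC guide or any firewall vendor: a toy firewall that applies a stateless zone ACL in which IT and control traffic both terminate in the DMZ, tracks connections so that only replies to a request it saw are accepted (the conditional rule the stateful passage describes), and performs deep packet inspection on Modbus/TCP, parsing the MBAP header and refusing write function codes heading into the control network, the per-message subset that the text says a plain filter cannot express. It also shows what a stateless filter does with a forged reply. The zone addressing, the rule set and the Modbus write policy are assumptions; the traffic is constructed.

```python
"""Toy firewall engine for the IT / DMZ (PIN) / control layout of Fig. 49.4.

Added example, not from the book, the NISCC guide or any vendor: the zone
addressing, the rule set and the Modbus write policy are assumptions.
"""
import ipaddress
import struct
from dataclasses import dataclass

# Assumed addressing for the three zones served by the single firewall.
ZONES = {
    "IT": ipaddress.ip_network("10.1.0.0/16"),
    "DMZ": ipaddress.ip_network("10.2.0.0/24"),      # the PIN, holding HM and AM
    "CONTROL": ipaddress.ip_network("10.3.0.0/24"),  # behind the gateway GW1
}

# Stateless ACL: (from zone, to zone, destination port) -> permitted.
# IT never reaches CONTROL directly; both sides terminate in the DMZ.
ACL = {
    ("IT", "DMZ", 80): True,          # management browsers read the history module
    ("DMZ", "CONTROL", 502): True,    # application module polls controllers (Modbus/TCP)
}

MODBUS_WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}   # write coil / register function codes


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "UNKNOWN")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int            # server-side port, for replies too
    syn: bool = False     # first packet of a client's TCP connection
    reply: bool = False   # flows from the server back to the client
    payload: bytes = b""


def modbus_adu(function_code, data, transaction_id=1, unit_id=1):
    """Modbus/TCP ADU: MBAP header (tid, protocol 0, length, unit) then the PDU."""
    pdu = bytes([function_code]) + data
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def inspect_modbus(payload, dst_zone):
    """DPI: parse the MBAP header and refuse write functions heading into CONTROL."""
    if len(payload) < 8:
        return "DROP (truncated Modbus ADU)"
    _tid, protocol, length, _unit = struct.unpack(">HHHB", payload[:7])
    if protocol != 0 or length != len(payload) - 6:
        return "DROP (malformed MBAP header)"
    function_code = payload[7]
    if function_code in MODBUS_WRITE_FUNCTIONS and dst_zone == "CONTROL":
        return f"DROP (Modbus write fc={function_code} into CONTROL)"
    return None


class Firewall:
    def __init__(self, stateful=True, dpi=True):
        self.stateful = stateful
        self.dpi = dpi
        self.connections = set()   # (client, server, port) seen opening with a SYN

    def decide(self, pkt):
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        if pkt.reply:
            if self.stateful:
                # Only replies to connections this firewall saw the client open.
                ok = (pkt.dst, pkt.src, pkt.dport) in self.connections
            else:
                # A plain packet filter can only ask whether the reverse direction is allowed.
                ok = ACL.get((dst_zone, src_zone, pkt.dport), False)
            return "ACCEPT" if ok else "DROP (unsolicited reply)"
        if not ACL.get((src_zone, dst_zone, pkt.dport), False):
            return f"DROP (no rule {src_zone}->{dst_zone}:{pkt.dport})"
        if self.stateful:
            if pkt.syn:
                self.connections.add((pkt.src, pkt.dst, pkt.dport))
            elif (pkt.src, pkt.dst, pkt.dport) not in self.connections:
                return "DROP (mid-stream packet without handshake)"
        if self.dpi and pkt.dport == 502 and pkt.payload:
            verdict = inspect_modbus(pkt.payload, dst_zone)
            if verdict:
                return verdict
        return "ACCEPT"


def run_demo(stateful=True):
    """Constructed traffic through the firewall; returns the verdicts in order."""
    fw = Firewall(stateful=stateful)
    pc, am, plc, rogue = "10.1.5.5", "10.2.0.20", "10.3.0.10", "10.3.0.99"
    traffic = [
        Packet(pc, plc, 502, syn=True),                                    # IT straight to a PLC
        Packet(am, plc, 502, syn=True),                                    # AM opens to the PLC
        Packet(am, plc, 502, payload=modbus_adu(3, b"\x00\x00\x00\x0a")),  # read holding registers
        Packet(am, plc, 502, payload=modbus_adu(6, b"\x00\x01\xff\xff")),  # write single register
        Packet(plc, am, 502, reply=True),                                  # genuine reply
        Packet(rogue, am, 502, reply=True),                                # forged "reply" from CONTROL
    ]
    return [fw.decide(p) for p in traffic]


if __name__ == "__main__":
    for mode in (True, False):
        print("stateful" if mode else "stateless", run_demo(mode))
```

Run stateless, the forged reply from 10.3.0.99 is accepted because the reverse direction DMZ to CONTROL on port 502 is permitted; run stateful, it is dropped because no client on the PIN ever opened a connection to that host. The Modbus write is dropped in both modes, which is the protection the text wants when a module inside the DMZ has been compromised: even a trusted PIN host is confined to reads across the control boundary.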