Presentation is loading. Please wait.

Presentation is loading. Please wait.

PI in an IT security Context Marc Weinberg Process Engineering ATOFINA Research – Feluy (B) Marc Souche ATOFINA DCTI Atofina.

Published byJessica Johnston Modified over 9 years ago

Similar presentations

Presentation on theme: "PI in an IT security Context Marc Weinberg Process Engineering ATOFINA Research – Feluy (B) Marc Souche ATOFINA DCTI Atofina."— Presentation transcript:

1 PI in an IT security Context Marc Weinberg Process Engineering ATOFINA Research – Feluy (B) Email marc.weinberg@atofina.com Marc Souche ATOFINA DCTI Atofina Technical Center Lyon (F) Email: marc.souche@atofina.com Ref MS/ II n° 22/03Rev 0

2 TOAFINAELF GROUP World’s 5th largest oil company. Active in more than 120 countries, organized in over 900 consolidated companies. With more than 122000 Employees. Structured in 3 branches –Upstream : Exploration & Production, trading Gas & Electricity –Refining and Marketing –Chemistry

3 ATOFINA Chemical branch of the group. World’s 6 th largest chemical company With more than 70000 employees more than half of the human resources of the TotalFinaElf Group. (11000 in the US) Key activities: Base chemicals and Polymers: Olefins, Aromatics, Polyethylene, Polypropylene, Styrene, Polystyrene, Elastomers, Chlorochemicals and Solvents, VCM, PVC and Downstream, Fertilizers. Intermediates and Performance Polymers: Acrylics, PMMA, Fluorochemicals and Peroxides, Thiochemicals and fine Chemicals Performance Products, Additives, Engineering Polymers, Formaldehyde resins, Agrochemicals. Specialties: Rubber-based products (Hutchinson - Mapa Spontex), Adhesives (Bostik Findley), Resins including Photocure Resins (Cray Valley, Sartomer, Cook Composites Polymers), and Electroplating (Atotech).

4 Corporate Technology Group (CTG) Part of the STRATEGY & RISK ASSESSMENT directionPart of the STRATEGY & RISK ASSESSMENT direction The CTG is a Network of technologists of all three branches of TotalFinaElf.The CTG is a Network of technologists of all three branches of TotalFinaElf. Missions :Missions : Promote free access to the Group’s technical competencies and help maintain the teams’ technical know-how.Promote free access to the Group’s technical competencies and help maintain the teams’ technical know-how. Raise the Group’s technological level by pooling experiences and by formal and informal transfer of information relating to know-how.Raise the Group’s technological level by pooling experiences and by formal and informal transfer of information relating to know-how. Promote optimization of the Group’s technological resources and exploit the Group’s leverage due to size when negotiating with suppliers.Promote optimization of the Group’s technological resources and exploit the Group’s leverage due to size when negotiating with suppliers. Coordinate action with industry and equipment standards organizations.Coordinate action with industry and equipment standards organizations. Anticipate the Group’s future technology needs.Anticipate the Group’s future technology needs. Monitor external technology changes and keep pace with them when appropriate.Monitor external technology changes and keep pace with them when appropriate. Manage key technical suppliers relation ship ( for ex OSISOFT,…)Manage key technical suppliers relation ship ( for ex OSISOFT,…)

5 PI within TOTALFINAELF Over 100 systems installed from refineries to small fine chemical sites ATOFINA (hosting most of the PI servers) has a dedicated PI global support team. Yearly internal PI User meetings in Europe and US Internal Training sessions Corporate founding to develop internal PI tools, to test and evaluate new PI features Used on all levels of the company… from APC DATABASE to IT network monitoring

6 TFE & “Cyber” Security Standard IT security is today addressed in almost all industriesStandard IT security is today addressed in almost all industries Process IT security adds a new dimension to the security: A SAFETY DIMENSIONProcess IT security adds a new dimension to the security: A SAFETY DIMENSION POTENTIAL PHYSICAL HARM TO PEOPLE TO PEOPLE AND ENVIRONMNET AND ENVIRONMNET

7 TFE & “Cyber” Security The CTG has launched a working group to address the problem on Group levelThe CTG has launched a working group to address the problem on Group level Primary Objectives:Primary Objectives: Remove any danger for action on plant operation from outside (Internet, Intranet, Corporate LAN).Remove any danger for action on plant operation from outside (Internet, Intranet, Corporate LAN). Guarantee System Availability and System integrityGuarantee System Availability and System integrity Secondary ObjectiveSecondary Objective Improve confidentiality on informationImprove confidentiality on information

8 TFE & “Cyber” Security Background Yesterday:Yesterday: Control systems used proprietary hard and software which gave the system a certain immunity against external attacks. Systems were stand alone applications with (almost) no connections to the external world. Today:Today: Cost reduction pushed all suppliers on relying more and more on standard hard and software in process control and process control related applications: TCP/IP; Windows NT W2K; wiring and connectors; network structure and elements (hubs, switches, …) Increased demand for information exchange (ERP (SAP), LIMS, RTPDB, ASSET Management) pushed supplier to deliver open solutions, often resulting in weakened security.

9 TFE & “Cyber” Security Our project  Goals: Establish the interconnection requirements of the sites. Study a tailor-made solution for the interconnection of an IT network with a process control network (compatibility with vendor specifications). Run one some pilot sites (set-up, functional and intrusion test). Define a ‘low cost’ standard solution which gives a minimal certified and tested solution affordable for all sites. Define an implementation guideline for those interconnections. Define a corporate standard for the security of process control systems. Roll out the standard solution

10 A Global Picture

11 TFE corporate process IT security standard Today we have defined a corporate security standard for process IT.Today we have defined a corporate security standard for process IT. Implementation phase is rapidly ongoing.Implementation phase is rapidly ongoing. Effects on own personnel and on subcontractor staff (remote maintenance).Effects on own personnel and on subcontractor staff (remote maintenance). Among effects on all interconnections between ‘office’ IT and process IT there are also important drawback on how to structure, install and locate a PI server in a (our) secure environment.Among effects on all interconnections between ‘office’ IT and process IT there are also important drawback on how to structure, install and locate a PI server in a (our) secure environment.

12 PI & IT security Where to put a PI Server ??Where to put a PI Server ?? If it is a server for data consultation : office side.If it is a server for data consultation : office side. VPN between PI server and Firewall.VPN between PI server and Firewall. Use dedicated PI interface on process side.Use dedicated PI interface on process side. APC PI Servers or PI Servers with DCS write capability on process side. Data transfer to ‘Office IT’ with PItoPI on separate PC.APC PI Servers or PI Servers with DCS write capability on process side. Data transfer to ‘Office IT’ with PItoPI on separate PC.

13 PI & IT security What to installWhat to install On Process PI servers or interfaces on process side : nothingOn Process PI servers or interfaces on process side : nothing On Office PI Servers:On Office PI Servers: Securemote client (VPN) with preshared secret.Securemote client (VPN) with preshared secret. Service to start tunnel automatically (with no operator interaction)Service to start tunnel automatically (with no operator interaction)

14 PI Servers in a secure environment Recommended OSISOFT scheme witch was used primirlallyRecommended OSISOFT scheme witch was used primirlally The danger is the vulnerability of the Windows PI Server.The danger is the vulnerability of the Windows PI Server. Once someone has access to the PI server, he has physical access to the Process Net and through the PI interface to the Control Net.Once someone has access to the PI server, he has physical access to the Process Net and through the PI interface to the Control Net. Potentially dangerous if the PI server has write capability. (Erroneous or malicious change of a tag configuration)Potentially dangerous if the PI server has write capability. (Erroneous or malicious change of a tag configuration)

15 PI Servers in a secure environment One possibility is to put the PI server behind a Firewall.One possibility is to put the PI server behind a Firewall. Access can then be given on an IP address base and PI- Port filtering.Access can then be given on an IP address base and PI- Port filtering. Disadvantages are:Disadvantages are: A ccess list difficult to manage if there is a large number of users.A ccess list difficult to manage if there is a large number of users. Problems of selectivity in DHCP environments.Problems of selectivity in DHCP environments. Impossibility of Server management (Tivoli,..) in integrated environments.Impossibility of Server management (Tivoli,..) in integrated environments. Danger if the server has write capability.Danger if the server has write capability.

16 PI Servers in a secure environment Standard set up for read only PI ServesStandard set up for read only PI Serves Process section is protected through Firewall and VPN tunnel (Port filtering)Process section is protected through Firewall and VPN tunnel (Port filtering) Interface runs in read-only mode.Interface runs in read-only mode. Access to the interface is only possible from the PI Server through the PI-Port.Access to the interface is only possible from the PI Server through the PI-Port.

17 PI Servers in a secure environment Standard set-up for systems with APC PI Servers (having R/W access).Standard set-up for systems with APC PI Servers (having R/W access). Data is gathered on the APC PI Server.Data is gathered on the APC PI Server. Data in transferred to the “Office” PI Server through a PItoPI interface.Data in transferred to the “Office” PI Server through a PItoPI interface. The PItoPI interface runs on a separate machine.The PItoPI interface runs on a separate machine. The “Office” PI Server has only access to the PItoPI interface (VPN + PI port). This eliminates rebound possibilities.The “Office” PI Server has only access to the PItoPI interface (VPN + PI port). This eliminates rebound possibilities.

18 PI Servers in a secure environment Future set-up for a “office” PI Server with write access.Future set-up for a “office” PI Server with write access. A special write interface (internal development), isolated from the IT Net, reads write data from the “office” PI Server.A special write interface (internal development), isolated from the IT Net, reads write data from the “office” PI Server. Then it writes the data to DCS via OPC.Then it writes the data to DCS via OPC. Tag list is handled as an encrypted local configuration file which can be managed by DCS administrator (if different from PI administrator)Tag list is handled as an encrypted local configuration file which can be managed by DCS administrator (if different from PI administrator) This interface can also run on the PI-interface node.This interface can also run on the PI-interface node.

19 Wishes for PI security Interfaces : improve the yes /no mechanism for writing to DCS’s. (possibility to filter DCS tag reference for writing). This would eliminate the special interface described beforeInterfaces : improve the yes /no mechanism for writing to DCS’s. (possibility to filter DCS tag reference for writing). This would eliminate the special interface described before Use Strong Authentication for PI administratorsUse Strong Authentication for PI administrators Have access to the firewall table remotely and securely as it is possible now with PI trust tableHave access to the firewall table remotely and securely as it is possible now with PI trust table Increase PI buffer size because PI server not directly on the DCS networkIncrease PI buffer size because PI server not directly on the DCS network

20 PI in an IT security context.

Download ppt "PI in an IT security Context Marc Weinberg Process Engineering ATOFINA Research – Feluy (B) Marc Souche ATOFINA DCTI Atofina."

Similar presentations

Secure Mobile IP Communication

Secure Mobile IP Communication
© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.

© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
Secure Computing Network

Secure Computing Network
Network and Server Basics. 6/1/20152 Learning Objectives After viewing this presentation, you will be able to: Understand the benefits of a client/server.

Network and Server Basics. 6/1/20152 Learning Objectives After viewing this presentation, you will be able to: Understand the benefits of a client/server.
Firewall Configuration Strategies

Firewall Configuration Strategies
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Information Security in Real Business

Information Security in Real Business
Beth Johnson April 27, 1998. What is a Firewall Firewall mechanisms are used to control internet access An organization places a firewall at each external.

Beth Johnson April 27, What is a Firewall Firewall mechanisms are used to control internet access An organization places a firewall at each external.
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.

Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.
Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study

Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study
Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.

Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.
Improving Customer Satisfaction Through Advances in Remote Management Technology Greg Michel Product Manager Quintum Technologies Inc.

Improving Customer Satisfaction Through Advances in Remote Management Technology Greg Michel Product Manager Quintum Technologies Inc.
Copyright Microsoft Corp. 2006 Ramnish Singh IT Advisor Microsoft Corporation Secure Remote Access Challenges, Choices, Best Practices.

Copyright Microsoft Corp Ramnish Singh IT Advisor Microsoft Corporation Secure Remote Access Challenges, Choices, Best Practices.
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.
MCTS GUIDE TO MICROSOFT WINDOWS 7 Chapter 14 Remote Access.

MCTS GUIDE TO MICROSOFT WINDOWS 7 Chapter 14 Remote Access.
Basel Accord IITRANSITIONSERVICES Business Integration Support FCM Management Limited Paris New York Toronto.

Basel Accord IITRANSITIONSERVICES Business Integration Support FCM Management Limited Paris New York Toronto.

Similar presentations

Ads by Google