KapStone’s Cyber Security Initiative Presented by
KapStone’s Cyber Security Initiative
Presented by James Wardlaw
KapStone Paper & Packaging Co.

© Copyright 2013 OSIsoft, LLC.

Agenda
• About KapStone Paper & Packaging
• Pre-security project network architecture
• Reasons for upgrading
• New cyber security scheme
• Benefits of the project

About KapStone Paper & Packaging
Capacity: 2.7 Million Tons
Paper Mills – 4
Saw mill – 1
Converting Plants – 22

Pre-Security Project Architecture
[Network diagram. Labels: Pulp/Utilities PI #3; Power House; 15 K Tags; PI Clients; DCS/PLC; Environmental; Pulp Mill; Woodyard; PI #2; 1K Tags; Water/Wastewater; DCS/PLC; PI #1 Paper Machines; DCS/PLC/Gauging Systems; Paper Machines; 15 K Tags]

Pros and Cons of this network
Pros
• Easy device configuration (plug & play)
• Simple network, simple troubleshooting
Cons
• Weak security – everything on IT network
• Any network disruption caused data loss, no redundancy

Shortfalls of this PI System
Cons
• 3 PI Systems to maintain
• No buffering due to lack of resources on old control systems
• Comm faults resulted in PI data loss

3 Goals for Improvement
2-year schedule
• Consolidation/Maintainability
• Improved Reliability
• Improved Security

Resources Applied
• The Rockwell security audit
  – Control systems, PI and network
• OSIsoft cyber security expert, Bryan Owen
• OSIsoft field service, Dennis Hui
• IT Network Administrator
• Process Control Engineers

Consolidation 1
[Network diagram. Labels: Pulp/Utilities PI #3; Power House; 15 K Tags; PI Clients; DCS/PLC; Environmental; Pulp Mill; Woodyard; PI #2; 1K Tags; Water/Wastewater; DCS/PLC; PI #1 Paper Machines; DCS/PLC/Gauging Systems; Paper Machines; 15 K Tags]

Consolidation 2 - PI2010
[Network diagram. Labels: PI #2; Power House; New MS Clustered Server with Disk Array; Utilities/Pulp/Environmental; PI Clients; DCS/PLC/BatchFL/OPC/RDBMSI; Pulp Mill; Water/Wastewater; PI #1 Paper Machines; DCS/PLC/Gauging Systems; Paper Machines]

Reliability
Imperative to improve data reliability to Mill Systems and Business Systems
Alternatives considered
• Microsoft Cluster
• PI High Availability
  – PI 2012 HA does not support MS cluster

Security Requirements
• Isolate process network from Business utilizing DMZ
• Restrict access to process network
• This is what funded the project

Pattern 1: DMZ PI System
[Architecture diagram. Labels: DMZ; Control Network; Protected Domain; PI Interface; PI ProcessBook; PI Datalink; Corporate Domain; TCP 5450 5457 5459; PI ProcessBook; PI Datalink; Web Server; PI Coresight; PI Notifications; PI Webparts]

Pattern 2: PI High Availability
[Architecture diagram. Labels: DMZ; Control Network; Corporate Domain; Protected Domain; PI Interface; PI ProcessBook; PI DataLink; PI ProcessBook; PI DataLink; Web Server; PI Coresight; PI Notifications; PI Webparts; TCP 5450 5457 5459]

Final KapStone Configuration
[Architecture diagram. Labels: Control Network; Corporate Domain; DMZ; Protected Domain; GE/Proficy Server; TCP 5450; PI Interface; TCP 5450 5457 5459; HA 5450; PI ProcessBook; PI DataLink; PI ProcessBook; PI DataLink; Remote Desktop Gateway]
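
Added example (not part of the original slides): one way to audit a firewall rule list against the DMZ pattern described in the Security Requirements and configuration slides. The zone names, the rule tuple layout, the sample rules and the policy itself (both sides may reach the DMZ only on TCP 5450, 5457 and 5459, and nothing passes directly between corporate and control) are assumptions made for illustration.

```python
# Added example: audit zone-to-zone firewall rules against a DMZ policy.
# Zone names, rule layout and the policy below are assumptions, not KapStone's
# actual configuration. Only the three TCP port numbers come from the slides.
PI_PORTS = {5450, 5457, 5459}

# Assumed policy: corporate and control hosts may open connections into the
# DMZ on the PI ports only. Every other cross-zone flow is a finding.
ALLOWED = {
    ("corporate", "dmz"): PI_PORTS,
    ("control", "dmz"): PI_PORTS,
}

def audit(rules):
    """Return (rule, reason) for every permit rule that violates the policy."""
    findings = []
    for rule in rules:
        src, dst, proto, port, action = rule
        if action != "permit" or src == dst:
            continue  # deny rules and intra-zone rules are out of scope here
        if {src, dst} == {"corporate", "control"}:
            findings.append((rule, "bypasses DMZ"))
        elif (src, dst) not in ALLOWED:
            findings.append((rule, "flow direction not in policy"))
        elif proto != "tcp" or port not in ALLOWED[(src, dst)]:
            findings.append((rule, "port/protocol not in policy"))
    return findings

# Constructed sample rule set: (source zone, destination zone, proto, port, action)
SAMPLE_RULES = [
    ("corporate", "dmz", "tcp", 5450, "permit"),      # client to PI Server
    ("control", "dmz", "tcp", 5450, "permit"),        # PI Interface to PI Server
    ("corporate", "dmz", "tcp", 445, "permit"),       # file sharing into the DMZ
    ("corporate", "control", "tcp", 5450, "permit"),  # direct path around the DMZ
    ("dmz", "control", "tcp", 5450, "permit"),        # DMZ-initiated flow into control
    ("corporate", "control", "any", "any", "deny"),   # explicit deny, ignored
]

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(f"{reason}: {rule}")
```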

Advantages of new architecture
• Much more robust security for process network
• Ability to isolate control network from business network without affecting operations

Advantages of PI High Availability
• Patch & maintain PI Server at will
• Plant floor can connect to both servers for improved availability
• Built-in disaster recovery

KapStone Security & Reliability
PI 2012 HA, 40k Tags, 2 Collective Servers with SAN
• Improve security of control network
  – Reconfigured network and added DMZ
  – Reduced maintenance cost
  – Best practice security
• Improve data reliability
  – Added PI High Availability
  – All Interfaces now use Buffering
  – Reliable data for Business Systems

James Wardlaw
Process Engineer / IT Analyst
KapStone Paper and Packaging Corporation