KapStone’s Cyber Security Initiative Presented by

Transcription

KapStone’s Cyber Security Initiative Presented by
KapStone’s
Cyber Security
Initiative
Presented by James Wardlaw
KapStone Paper & Packaging Co.
© C o p yr i g h t 2 0 1 3 O S I s o f t , L L C .
Agenda
•
•
•
•
•
About KapStone Paper & Packaging
Pre-security project network architecture
Reasons for upgrading
New cyber security scheme
Benefits of the project
© C o p yr i g h t 2 0 1 3 O S I s o f t , L L C .
2
About KapStone Paper & Packaging
Capacity:
2.7 Million Tons
Paper Mills – 4
Saw mill – 1
Converting Plants – 22
© C o p yr i g h t 2 0 1 3 O S I s o f t , L L C .
3
Pre-Security Project Architecture
Pulp/Utilities
PI #3
Power
House
15 K Tags
PI Clients
`
DCS/PLC
Environmental
Pulp Mill
Woodyard
PI #2
1K Tags
`
Water/
Wastewater
DCS/PLC
PI #1
Paper
Machines
`
DCS/PLC/Gauging
Systems
Paper Machines
15 K Tags
© C o p yr i g h t 2 0 1 3 O S I s o f t , L L C .
4
Pro’s and Con’s of this network
Pro’s
Con’s
Easy device configuration (plug & play)
Weak security – everything on IT
network
Simple network, simple troubleshooting
Any network disruption caused data
loss, no redundancy
© C o p yr i g h t 2 0 1 3 O S I s o f t , L L C .
5
Shortfalls of this PI System
Con’s
3 PI Systems to maintain
No buffering due to lack of resources on
old control systems
Comm faults resulted in PI data loss
© C o p yr i g h t 2 0 1 3 O S I s o f t , L L C .
6
3 Goals for Improvement
2-year schedule
• Consolidation/Maintainability
• Improved Reliability
• Improved Security
© C o p yr i g h t 2 0 1 3 O S I s o f t , L L C .
7
Resources Applied
• The Rockwell security audit
– Control systems, PI and network
•
•
•
•
OSIsoft cyber security expert, Bryan Owen
OSIsoft field service, Dennis Hui
IT Network Administrator
Process Control Engineers
© C o p yr i g h t 2 0 1 3 O S I s o f t , L L C .
8
Consolidation 1
Pulp/Utilities
PI #3
Power
House
15 K Tags
PI Clients
`
DCS/PLC
Environmental
Pulp Mill
Woodyard
PI #2
1K Tags
`
Water/
Wastewater
DCS/PLC
PI #1
Paper
Machines
`
DCS/PLC/Gauging
Systems
Paper Machines
15 K Tags
© C o p yr i g h t 2 0 1 3 O S I s o f t , L L C .
9
Consolidation 2- PI2010
PI #2
Power
House
New MS
Clustered Server
with Disk Array
Utilities/Pulp/Environmental
PI Clients
`
DCS/PLC/BatchFL/OPC/RDBMSI
Pulp Mill
Water/
Wastewater
PI #1
Paper
Machines
`
DCS/PLC/Gauging
Systems
Paper Machines
© C o p yr i g h t 2 0 1 3 O S I s o f t , L L C .
10
Reliability
Imperative to improve data reliability to Mill
Systems and Business Systems
Alternatives considered
• Microsoft Cluster
• PI High Availability
– PI 2012 HA does not support MS cluster
© C o p yr i g h t 2 0 1 3 O S I s o f t , L L C .
11
Security
Requirements
• Isolate process network from Business utilizing
DMZ
• Restrict access to process network
• This is what funded the project
© C o p yr i g h t 2 0 1 3 O S I s o f t , L L C .
12
Pattern 1: DMZ PI System
DMZ
Control Network
Protected
Domain
PI Interface
PI ProcessBook
PI Datalink
Corporate Domain
TCP
5450
5457
5459
PI ProcessBook
PI Datalink
Web Server
PI Coresight
PI Notifications
PI Webparts
© C o p yr i g h t 2 0 1 3 O S I s o f t , L L C .
13
Pattern 2: PI High Availability
DMZ
Control Network
Corporate Domain
Protected
Domain
PI – Interface
PI ProcessBook
PI DataLink
PI ProcessBook
PI DataLink
Web Server
PI Coresight
PI Notifications
PI Webparts
TCP
5450
5457
5459
© C o p yr i g h t 2 0 1 3 O S I s o f t , L L C .
Final KapStone Configuration
Control Network
Corporate Domain
DMZ
Protected
Domain
GE/Proficy Server
TCP
5450
PI Interface
TCP
5450
5457
5459
HA
5450
PI ProcessBook
PI DataLink
PI ProcessBook
PI DataLink
Remote
Desktop
Gateway
© C o p yr i g h t 2 0 1 3 O S I s o f t , L L C .
Advantages of new architecture
• Much more robust security for process network
• Ability to isolate control network from business
network without affecting operations
© C o p yr i g h t 2 0 1 3 O S I s o f t , L L C .
16
Advantages of PI High Availability
• Patch & maintain PI Server at will
• Plant floor can connect to both servers for
improved availability
• Built-in disaster recovery
© C o p yr i g h t 2 0 1 3 O S I s o f t , L L C .
17
KapStone Security & Reliability
PI 2012 HA
40k Tags
2 Collective Servers with SAN
•
•
Improve security of control
network
•
Reconfigured network and
added DMZ
•
Reduced maintenance cost
•
Best practice security
Improve data reliability
•
Added PI High Availability
•
•
All Interfaces now use
Buffering
Reliable data for Business
Systems
© C o p yr i g h t 2 0 1 3 O S I s o f t , L L C .
20
James Wardlaw
[email protected]
Process Engineer / IT Analyst
KapStone Paper and Packaging Corporation
© C o p yr i g h t 2 0 1 3 O S I s o f t , L L C .
21
Brought to you by
© C o p yr i g h t 2 0 1 3 O S I s o f t , L L C .