Optimizing and Securing an Industrial DCS with VMware

Global Process Automation deploys a new DCS using VMware to create a secure and robust operating environment for operators and engineers.

by Doug Clarkin
Global Process Automation

Introduction

Distributed Control Systems have been used in manufacturing processes since the 1970s. Originally these were isolated systems that ran on proprietary hardware by companies such as Honeywell, Bailey, and Fischer. The 1980s added intelligence and the first signs of truly distributed systems began to pop up. It was in the 1990s that there was a movement to use commercial off-the-shelf components and traditional IT standards such as Ethernet networks. The last decade has seen the proliferation of a more standard IT network in the realm of industrial control systems. Windows servers and workstations running DCS software applications are now the norm. Networks are now interconnected with corporate systems and data is readily available outside of the manufacturing facilities.

The next step in the evolution of these systems appears to be virtualization. VMware has emerged as the clear leader in virtualization technology. The benefits of a virtualized environment are numerous. These systems are reliable and robust, two of the most important factors in the 24/7 environment of manufacturing, and they are ushering in a new era of technology.

Virtualization also offers more flexibility in how systems are secured. An often-overlooked area of industrial systems, security has been brought to the forefront with the release of the first-ever major computer worm targeted at an industrial system, Stuxnet. Stuxnet was crafted to specifically target and attack the Siemens Supervisory Control And Data Acquisition (SCADA) systems and infect the systems' Programmable Logic Controllers (PLCs). This computer worm brought to life something security analysts had warned about for years, but until now was only a hypothetical threat.

Global Process Automation is at the forefront of bridging the gap between process control and information technology. We are experts across the spectrum of automation applications including process control, data historian, production and environmental reporting, process modeling, steady state and dynamic simulation, and process optimization. In addition, we staff a team of information technology experts who have worked extensively within the process control environments of some of the largest manufacturers in the world. This paper will highlight the real-life process of planning, designing, and optimizing VMware on an industrial DCS.

ABOUT

This document covers a real-life system implementation of the ABB 800xA Process Portal A system in a large paper mill facility. System names and network information have been changed for security purposes.

PLAN

The plan was to upgrade an older version of the ABB system software and to replace hardware that was nearing its end of life. We had been using VMware virtualization technologies in other areas of the mill operations such as data historians, web servers, and Active Directory servers. We decided to continue down this path and completely virtualize the operational area covered by the software upgrade. The main hurdles we anticipated were getting buy-in from the operators, getting data from the older MOD300 control systems, and implementing the new system with a minimal amount of downtime. The plan was to perform the installation during the mill's annual outage.

We decided to go with thin clients for operator stations because of the harsh environment often encountered in a paper mill. We wanted to choose a thin client with no moving parts. In the past, we found that video cards, fans, and hard drives of traditional thick clients were not lasting as long as expected due to heat, dirt, and vibration. Our biggest requirement hurdle was screen resolution. Many of the operators use a quad screen setup with each monitor running at a resolution of 1920x1200. We were unable to find a zero client (no traditional operating system) that could meet this requirement and ended up selecting a thin client with a small Linux operating system.

Servers were virtualized because of the increased efficiency of moving to a virtual environment. The ABB software being used requires a number of different application servers. When installed on traditional server hardware these systems are extremely underutilized. By pooling hardware resources together within VMware we are able to use much more of the system's resources. In addition, we would be able to make critical system servers fault tolerant using VMware HA.

Traditionally the mill production environment network had been very static and segmented. This provided for a simple way to manage and segregate network areas. It became apparent that systems were becoming more meshed and access to different areas was becoming a more common request among mill personnel. By implementing virtual local area networks (VLANs) we would be able to overcome the limitation of the physically separate networks and reduce the number of physical switches on the mill floor.

DESIGN

Figure 1: Design Overview

The basic layout consists of two or more physical ESXi hosts. We used redundant blade server enclosures with adequate processor and memory specs and fiber channel storage devices. Every server that was needed for the DCS was installed as a Windows 2008 virtual server. Servers were broken up into pairs and installed on resources in such a way that the system was load balanced and fault tolerant. This setup would allow us to survive any single hardware failure without interrupting the normal operation of the plant area.

We established two VMware View servers, one to work as a replica of the other. Most of the operator stations around the mill have at least two machines to work from. Often these machines are running a quad monitor setup giving the operators eight screens to display graphics and trends. We decided to separate each pair of machines into two groups. Each group connected to a separate physical network, a separate VLAN, and each routed to a unique View server (each View server also ran DHCP as well as a thin client management application). We used the tag functionality of VMware View to segregate which pools a given View server would allow access to. This allowed us to further separate the virtual machines into groups. This essentially gave us two separate systems running side by side, but allowed us to manage them through one View Server Connection Group.

We wanted to provide access to clients from the process network and we decided to implement a View Security Server. Running as a virtual machine on the same ESXi hosts, this box sits on the DMZ of the network firewall and provides access to any client within the View servers. This feature provided much needed access to managers and other corporate personnel while still ensuring the security and integrity of the process system.

Another design element we considered was ease of deployment when putting new thin client hardware into service or replacing failed hardware. Our thin client vendor supplied us with a management application to handle this. Once we configured our thin client images, we captured those on an FTP server that was accessible to the thin clients. We then created a rule that would push our custom image out anytime a new machine was discovered on the network. This allowed us to empower the people onsite to replace hardware anytime they had a problem without needing to configure any parameters. It would work right out of the box.

OPTIMIZE

The cost of implementing any new system needs to be offset by gains in at least some of the areas of performance, functionality, and reliability. We needed to be able to prove that going to thin client hardware with virtual machines in place of physical servers was going to meet these criteria. We felt that we could show the gains in functionality and reliability on paper, but we had to prove that there would be increased performance.

We decided to go with VMware's PCoIP display protocol for our communications between thin clients and View servers. Using this setup, with adequate bandwidth, we were able to provide the operators with a desktop-like experience that many were unable to distinguish from using a traditional desktop computer. We followed VMware's recommendations for optimizing the Windows 7 virtual machines, which included turning off ports in the BIOS, changing performance settings, and turning off all of the extra features that are not being used.

One of the main areas that provided a performance boost was the speed at which the DCS application servers were able to communicate. By having all of the servers virtualized onto just a couple of hosts, servers were no longer communicating over a standard Ethernet network. Application servers were communicating within the virtual distributed switches provided by VMware. This allowed for faster graphics loading and quicker refreshes of dynamic data. The operators were now getting more timely information and able to change between various displays with faster refresh time. This was a significant performance increase for the operation of the mill.

Alarm and event monitoring is greatly simplified when moving to virtual servers. VMware provides a number of ways to monitor and notify based on the performance of your virtual machines. This allows network administrators to ensure adequate resources are available to the virtual machines and to keep an eye out for runaway processes or memory leaks.

CONCLUSION

VMware is ushering in a new era in how enterprises handle their IT infrastructure. Distributed Control Systems and industrial facilities are typically behind the curve when it comes to adopting new technologies, but there is a very real benefit to those companies that make the investment to get up to speed. Security is becoming more of a concern in the increasingly connected nature of plant systems. VMware provides a real path towards providing a secure environment while maintaining a high level of usability and performance.
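
The tag-based segregation described under DESIGN holds only while every pool carries exactly one group's tag, because View's restricted-entitlement matching lets any View server broker a pool that has no tag at all. The audit below is an added example, not part of the original paper or of VMware's tooling; the server names, pool names and tags are constructed for illustration.

```python
"""Audit View pool tags against a two-group, one-server-per-group design."""

# Constructed inventory: server names, pool names and tags are hypothetical.
SERVERS = {"view-a": {"group-a"}, "view-b": {"group-b"}}
POOLS = {
    "ops-console-a": {"group-a"},
    "ops-console-b": {"group-b"},
    "eng-workstation": set(),                    # tag never assigned
    "shift-supervisor": {"group-a", "group-b"},  # tagged for both groups
    "legacy-hmi": {"group-c"},                   # stale or mistyped tag
}


def can_broker(server_tags, pool_tags):
    """Restricted-entitlement match: an untagged pool is open to every
    server; a tagged pool needs at least one tag shared with the server."""
    if not pool_tags:
        return True
    return bool(server_tags & pool_tags)


def brokers_for(pool_tags, servers):
    """Names of the View servers that would allow access to this pool."""
    return sorted(n for n, tags in servers.items() if can_broker(tags, pool_tags))


def audit(servers, pools):
    """Return {pool: finding} for every pool not pinned to exactly one server."""
    findings = {}
    for name, tags in pools.items():
        reach = brokers_for(tags, servers)
        if not tags:
            findings[name] = "untagged: reachable through every View server"
        elif not reach:
            findings[name] = "unreachable: no View server carries a matching tag"
        elif len(reach) > 1:
            findings[name] = "shared: reachable through " + ", ".join(reach)
    return findings


if __name__ == "__main__":
    for pool, finding in audit(SERVERS, POOLS).items():
        print(f"{pool}: {finding}")
```

Run against an export of the real pool and server tags, an empty result means each pool is reachable through exactly one View server, which is the property the two-group layout relies on.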