IP is improving cyber security for remote assets
Authored by David Bell, Consulting Solutions Architect, Cisco
From oil well heads drilled into Arctic tundra to pumping stations far beyond the walls of water treatment plants, Internet Protocol (IP) technology is driving down the cost and complexity of monitoring remote operations while increasing critical data flows and improving cyber security.
IP creates a single, streamlined platform upon which to deliver all the services necessary to operate satellite assets. That’s a significant leap forward from the conventional approach of multiple segmented systems.
Consider this: automation controls, physical security and surveillance systems have each, in the past, required multiple, often proprietary, networks and configurations to deliver their data to central control centers. Such diversity drives up operating expenses, including the high cost of maintaining disparate services and cross-training staff on the intricacies of mismatched technologies.
Contrast this with IP: a single, unified, wired and wireless networking platform, with integrated cyber security, that easily interconnects different types of devices and streamlines data delivery and control. This only scratches the surface of the benefits that can be gained.
IP’s “always on” connections provide the ability to collect far greater quantities of data. More data provides the opportunity to perform more analytics, and more analytics means faster, more intelligent decisions to manage, monitor and maintain remote assets. This really is the “Internet of Everything” in action.
However, with this surge of data comes the need for careful planning and engineering to ensure that each remote service receives the appropriate level of network access and priority. If the network can’t differentiate the types of traffic coming from the asset and manage them based on priority, then all the data will potentially be fighting over the network uplinks.
The best systems are also tailored to the security needs of the remote asset, from both the physical and the cyber security perspective.
STREAMLINED WASTEWATER MANAGEMENT
Good planning equals good network design. Early engagement of network and automation vendors will help ensure companies with remote assets have the right services with the correct capabilities.
A case in point: Early engagement was key in the recent deployment of converged platforms for water/wastewater treatment centers in the UK and Netherlands. Each treatment center required a number of different remote outstations, depending on the size of their geographical reach.
Each outstation had remote telemetry units collecting various data about the localized treatment process, such as the pH, turbidity and water flow rates.
Information from these outstations is critical to helping water utility operators manage their hydrological models. The more data they have, the more information they can feed into these models to improve the efficiency of the algorithms that help balance supply of treated water and ensure capacity to treat wastewater. Getting this right drives down operating costs and reduces the risk of expensive fines from releasing untreated water into rivers, streams and seas.
For example, if heavy rain falls in one region, process operators know the system will receive an influx into the treatment systems there. The operators can then adjust their processes to ensure capacity is available or to divert untreated water into storage reservoirs.
In the past, limited data from this telemetry would have been delivered to the central control center via an automation network, with separate networks for video surveillance, swipe-card entry systems and other onsite security.
Today, outstations are connected using a single IP network infrastructure that carries all data from the automation equipment, closed-circuit television and physical security devices as well as normal office traffic, such as e-mail and IP telephony.
This is possible because of technologies such as quality of service (QoS), Application Visibility and Control (AVC) and bandwidth management. These technologies are built into the IP network devices and accomplish the critical task of delivering network data according to the needs of each specific application. If issues arise that cause network congestion, QoS and AVC ensure that the most critical automation control traffic is delivered first, and that other business and security traffic is delivered in order of its criticality.
For example, non-essential closed-circuit video from the outstation could be classed as low priority traffic, closed-circuit video for process monitoring would have a higher level of priority and automation control traffic would be the highest priority.
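The three-tier prioritization just described, expressed as a Cisco IOS modular QoS (MQC) policy. This is an added illustration, not configuration taken from the deployment the article describes; the class names, DSCP markings, bandwidth percentages and interface name are assumptions.

```text
! Added example: classify outstation traffic and serve automation control first
! on a congested uplink. Markings are assumed: cs6 = automation control,
! af41 = process-monitoring CCTV, af11 = non-essential CCTV.
class-map match-any AUTOMATION-CONTROL
 match dscp cs6
class-map match-any CCTV-PROCESS
 match dscp af41
class-map match-any CCTV-NONESSENTIAL
 match dscp af11

policy-map OUTSTATION-UPLINK
 ! Low-latency queue: always dequeued first, but policed to 20% so that a
 ! misbehaving or compromised device cannot starve every other class.
 class AUTOMATION-CONTROL
  priority percent 20
 ! Guaranteed minimum share under congestion; may use more when the link is idle.
 class CCTV-PROCESS
  bandwidth percent 30
 ! Smallest guaranteed share: the first traffic squeezed when the uplink is full.
 class CCTV-NONESSENTIAL
  bandwidth percent 5
 ! Remaining office traffic shares what is left (in practice IP telephony would
 ! get its own small priority class rather than sitting here).
 class class-default
  fair-queue

! Apply outbound on the WAN uplink; the interface name is a placeholder.
interface GigabitEthernet0/0/0
 service-policy output OUTSTATION-UPLINK
```

Verify the policy is doing what you expect with `show policy-map interface GigabitEthernet0/0/0`, which reports per-class offered, conforming and dropped packets under load.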
IN-DEPTH NETWORK SECURITY
Oil well heads and drilling pads tend to be located in remote locations, including some of the hottest and coldest places on the planet. These assets may be far from the nearest human outpost; however, they are still targeted by people who want to gain unauthorized access to the IP network supporting them.
The first lines of defense are simple: physically securing remote assets with fences and putting the automation and network devices into locked enclosures and cabinets. It may also be appropriate to provide closed-circuit surveillance and associated video analytics to detect intrusions. However, how should the network be secured from a “cyber” standpoint? If somebody successfully bypasses these physical barriers, they can plug into the network. How do you protect against that threat?
Some of the simplest safeguards come down to the capabilities built into the network access switch; more advanced technologies can then be layered on top to provide the “Defense-in-Depth” approach that presents multiple barriers to cyber attackers.
Managed switches have basic built-in security capabilities to limit the number and types of devices that can be connected, some with the ability to prevent the connection of unauthorized devices.
Firewalls can restrict traffic flows between certain devices but have no understanding of “who” may be using those devices. Adding modern security technologies such as Identity Services enables the connected device, the user of the device and their associated traffic to be profiled. This enables the creation of company-wide policies that determine who should have what level of network access, regardless of where they physically connect to the network, whether wirelessly at company headquarters or plugged in with a cable while out maintaining a remote asset. In another example, if a company employee logs onto a company laptop and accesses the network, they could be given unrestricted access. However, if a contractor is logged onto the very same laptop, they could be restricted to accessing just the automation devices and servers they support.
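The two layers described above (the switch’s built-in device limits, then identity-based access control) as a Cisco IOS switch configuration. This is an added example, not configuration from the article’s deployments; the interface names, VLAN number, RADIUS server address and shared secret are placeholders, and the per-user policy (employee versus contractor) is assumed to be returned by the policy server as a VLAN or downloadable ACL.

```text
! Added example. Layer 1: built-in port security limits an outstation RTU port
! to the first MAC address it learns and shuts the port if any other device
! is plugged in. BPDU guard also drops any unexpected switch on the port.
interface GigabitEthernet1/0/3
 description RTU-outstation-port
 switchport mode access
 switchport access vlan 110
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable

! Layer 2: identity-based access. Whoever connects is authenticated against a
! RADIUS policy server (802.1X for managed laptops, MAC Authentication Bypass
! for cameras and RTUs that cannot run a supplicant). The server returns the
! authorization for that session, so a contractor logged onto the same laptop
! receives a narrower policy than an employee. Address and key are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius server ISE-PRIMARY
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET

! Port used by maintenance staff; nothing passes until RADIUS authorizes it.
interface GigabitEthernet1/0/4
 description maintenance-laptop-port
 switchport mode access
 authentication port-control auto
 authentication order dot1x mab
 authentication host-mode single-host
 dot1x pae authenticator
 mab
```

`show port-security interface GigabitEthernet1/0/3` and `show authentication sessions interface GigabitEthernet1/0/4` confirm, respectively, the learned MAC address and violation count, and which identity was authorized and what policy it received.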
Other technologies, such as Intrusion Prevention and Detection, can continuously scan and monitor the traffic crossing a network. These can delve deep into network packets, providing a view into how the network and automation protocols are behaving. If something abnormal occurs within the automation protocol, whether unintentional or malicious, alerts can be generated, giving operators early visibility of potential issues. If the alerts relate to remote assets, operators can bring up the closed-circuit video cameras, see what’s happening on that site and then respond appropriately to limit the spread of any problems.
REMOTE ASSETS DON’T SEEM SO REMOTE ANYMORE
More and more process and automation managers are looking for the infrastructure and technologies that will help them better monitor and operate their satellite assets. Many of these managers have already begun the migration toward IP tools, devices and services that can help them create a single, streamlined communications platform. This move is driving down the cost and complexity of monitoring remote assets, while increasing critical data flows and improving cyber security. As a result, remote assets are becoming nearly as easy to manage as local assets.