Owl Computing Technologies, Inc.: Owl OPC Server Transfer Service (OSTS)
DESCRIPTION
The Owl OPC Server Transfer Service (OSTS) application replicates an OPC client in a secure environment. In the one-way transfer architecture of the Owl Perimeter Defense Solution (OPDS), OSTS reads and transmits OPC data across the process control perimeter. The data is made available to OPC clients in the business network.
• Interoperable with FactoryTalk, RSLinx, and RSView32
• OPC Foundation certified
TRANSCRIPT
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
PUBLIC INFORMATION
OPC Server Transfer Service (OSTS) Owl Computing Technologies Datadiode in the Connected Enterprise
Owl Comprehensive Perimeter Defense
Deployment at SABIC/SAFCO
Presented by:
Owl Computing Technologies, Inc.
June 2014
Agenda
• Brief Owl Introduction
• The Business Issue
• Typical Customer Progression
• SABIC/SAFCO Use Case
• Overview of Booth Demonstration
Owl Computing Technologies, Inc.
US Owned & Operated, Owl Product Suite, 1200+ Security Solutions Deployed
US Owned and Operated, Owl Product Suite, 1500+ Security Solutions Deployed
• US-based controlled supply chain
• US-based R&D, manufacturing, sales and service
• Over 13 years in business
• Rockwell Automation Encompass™ Partner since 2013
• Owl Perimeter Defense Solution: one-way transfer systems; configuration management and life cycle support
• Nuclear, Fossil, and Hydro Generation; Oil & Gas and Mining Industries
• US National Intelligence Community; Department of Defense; Telecommunications
• European and Asian Ministries of Defense

Business Issue
Network security is a component of the plant’s reliability.
Typical Vulnerable Two-way Network Connection
• Two-way connections between the plant and business networks
• Network connection supports business efficiency
• Networks are vulnerable to cyber attack
Easiest Network Security Separation
• Disconnection ensures plant safety from external threats
• Disconnection impedes business efficiency
• Need to strike a balance between security and efficiency
Isolate Plant Network with Data Flows
• Security maintains “disconnected” plant network
• Information flows to support efficiency
• Better security permits OT and IT to coexist
Network Security Separation
• Security maintains a “disconnected” network
• Information flows to support business and plant efficiency
• Best security permits OT and IT efficiency
About Saudi Arabian Fertilizer Company (SAFCO)
A division of SABIC, Saudi Basic Industries Corporation, a diversified manufacturing company, active in chemicals and intermediates, industrial polymers, fertilizers, and metals.
Produces, processes, manufactures, and markets the principal fertilizers for the local and international market.
Production and manufacturing of Ammonia, Urea, Melamine, and Sulfuric Acid.
Overview
Review of the Owl Perimeter Defense Solution around the SAFCO Process Control Network to enable secure export of data to the Business Network.
• Attack Cause & Effect
• Challenges and Solutions
• Next Generation Cybersecurity
• SABIC/SAFCO Installation
• Benefits and Summary
Cause: Cyber attack
Effect: Industrial Middle East unplugged from the Internet
Cyber attacks on the industry's infrastructure are projected to result in damages costing nearly $2 billion by 2018.1
“Isolation works; it is an effective way of protecting critical infrastructure from attacks of this level of sophistication.”2
Source:
1. http://www.upi.com/Business_News/Energy-Resources/2013/11/20/Persian-Gulf-oil-industry-vulnerable-to-cyberattacks/UPI-40101384970243/
2. Martin Libicki, Senior Management Scientist, Rand Corporation. http://www.rigzone.com/news/oil_gas/a/121596/Middle_East_Attacks_Highlight_Cybersecurity_Threat_for_OG_Industry#sthash.GgZXMMp4.dpuf
AFTER ATTACK: NETWORK DISCONNECTION WAS THE INITIAL DEFENSE. DISCONNECTING IMPEDED EFFICIENT OPERATIONS.
SAFCO Challenge and Owl Solution
Business Problem: Ensure network security with network domain separations
Owl Solution: Cybersecurity defense needed to maintain Plant and Business network domain separation
Business Problem: Restore business continuity by allowing data flows to resume
Owl Solution: Replicate DCS and OPC data to business unit historians
Business Problem: Limit unauthorized access to plant network from outside the plant
Owl Solution: Install hardware enforced data diode technology to enforce one-way data flows
SABIC/SAFCO Original Architecture
Process Flow:
1. DCS Plant Network to run the plant
2. Network security provided by traditional software firewall
3. Business access to plant data
4. Firewall disconnected after attack for increased security
Owl Next Generation Cybersecurity
Data Diode: An appliance or device that creates a one-way communication link to ensure that data travels securely in only one direction.
Diagram: Plant Process Network Center | Network Boundary Separation | Business Network Center
SABIC/SAFCO OPDS Installation
SABIC New System (plant side):
• DCS Station 153 (OPC DA), DCS Station 261 (OPC DA), DCS Station 363 (OPC DA, A&E)
• DCOM connections from the DCS stations to the OwlOPC BLUE Home Node
• TCP/IP from the OwlOPC BLUE Home Node to the OwlOPC BLUE Remote Node
• UDP from the OwlOPC BLUE Remote Node into the one-way data diode
Process Flow:
1. Collect OPC data on Plant Network
2. Collect using either DCOM or Tunneling
3. Route OPC data to one-way data diode
4. Diode sends data out of Plant Network
Oversees and manages all the operations associated with seven LNG trains, two sales gas production facilities, helium production facilities, and major shipping contracts and global commercial partnerships.
SABIC/SAFCO OPDS Installation (business side)
Process Flow:
1. One-way diode allows data into Business Network
2. Route data to OPC Servers
3. Tunneling avoids DCOM issues
4. OPC Servers are an exact replica
5. Allow OPC compliant connections to use data
SABIC/SAFCO OSIsoft® PI System
Plant side:
• DCS Station 153 (OPC DA), DCS Station 261 (OPC DA), DCS Station 363 (OPC DA, A&E)
• DCOM from the DCS stations to the OwlOPC BLUE Home Node; TCP/IP to the OwlOPC BLUE Remote Node; UDP into the diode
Business side:
• UDP out of the diode to the OwlOPC RED Home Node; TCP/IP from the OwlOPC RED Home Node to each OwlOPC RED remote server
• OwlOPC RED Remote DA Server (153), OwlOPC RED Remote A&E Server (363), OwlOPC RED Remote DA Server (363), OwlOPC RED Remote DA Server (261), OwlOPC RED Remote DA Server
• OSI PI Historian
Process Flow:
1. OPC server presents OPC Data
2. Data moved to OSI PI Historian
3. OSI PI OPC Interface collects OPC data
4. Tunneling avoids DCOM Issues
Benefits
Restored business continuity by allowing data flows to resume
• OPC data sent to OSIsoft® PI Historian
• OPC Foundation DA and A&E certified for compliance and easy installation
• Owl tunneling technology avoids DCOM issues
• OPC Servers are precisely replicated
Ensured network security with network domain separation
• Owl DualDiode enforces Plant and Business Network domain separation
Enforced no access to plant network from outside the plant
• DualDiode is hardware enforced one-way data flows out
• No access or data flows into the plant network of any kind
Generic Network Diagram
Data Source: Rockwell FactoryTalk Applications and Devices
Owl DualDiode
Data Destination: OSIsoft PI Historians, OPC Historians
OPC-DA/UA for data transport
• First network security vendor in Rockwell Automation PartnerNetwork™
• Encompass™ Product Partner since 2013
• Rockwell Automation FactoryTalk interoperability with RSLinx and RSView32 source applications
• Owl Perimeter Defense Solution (OPDS) provides plant network isolation and mitigates cyber attacks
• OPC Compliant
OPDS and Rockwell Automation FactoryTalk
The Owl Perimeter Defense Solution (OPDS) is interoperable with Rockwell Automation FactoryTalk and OPC-compliant applications. Owl DualDiode Technology™, a proprietary data diode, is optimally constructed to complement Rockwell Automation solutions and secure automated industrial control systems.
Architecture Diagram: Rockwell Automation One-way Architecture
Rockwell Automation Demonstration
Send Side Platform: Rockwell PLC; RSLinx Classic; Owl OPC Client; RSView32; Windows Platform
OPDS100-D: DualDiode Technology™; Owl OPC Channel Protocol on both sides of the diode
Receive Side Platform: Owl OPC Server; RSView32; Windows Platform
Remote Monitoring
SABIC/SAFCO business needs solved with Owl products
• The security breach created an urgent need to secure the plant and business operations
• Cybersecurity risks and challenges were effectively solved
• Business continuity and data flows were re-established
• Scalable architecture deployed that replicates to other sites easily
• Provides a new level of cybersecurity and risk mitigation previously unavailable
Thank You
Owl Computing Technologies, Inc.
203.894.9342
Owl Computing Technologies
38A Grove Street, Suite 101
Ridgefield, CT 06877
www.owlcti.com
Toll Free: 866-695-3387
Phone: +1 203-894-9342
Fax: +1 203-894-1297
www.rsteched.com
Questions? Thank you.