Protecting Industrial Control Systems from Cyberattack

By Owl Computing Technologies

The Security Landscape

As operations and critical infrastructure components become increasingly digitized, the threat to these structures moves from physical threats and attacks to cyber assaults. This means that your electronic perimeter is now as – if not more – important as the physical fence you have around your facility. But there’s a critical problem.

When you have a physical gate, fence, or barrier, your facility is isolated from the outside world. There are actual gatekeepers controlling the flow into and out of your plant, which impedes movement speed but nevertheless moves everything where it needs to be.

With a cyber system, this is much more difficult. What if, as happened in the Middle East in August 2012, you’re struck by a cyberattack that compromises your perimeter security? Your digital “gatekeepers” have a weakness, and you’re forced to go on lockdown to prevent hackers from accessing critical control systems. The problem that results from this “lockdown” approach is the prevention of necessary information from leaving the control network, creating significant operational inefficiencies. To regain the operating efficiencies and
mitigate cyberattacks, data needs to flow in a secure manner between authorized networks.

Addressing this challenge is Owl Computing Technologies’® suite of cybersecurity solutions based on its proprietary DualDiode Technology™ architecture for securing OPC, OSIsoft PI Enterprise and many other control systems. To see the effectiveness of the Owl solutions, let’s take a look at an application in one of the more volatile regions and industries in the world: the Middle East and petrochemicals.

The Security Challenge

In August of 2012, a number of heavy industry locations in the Middle East suffered a serious cyberattack. Many of the plants in the region unplugged from their corporate networks and isolated their process control networks from their business networks to reduce their vulnerability to cyberattacks. Saudi Arabia Fertilizer Company (SAFCO), an affiliate to Saudi Basic Industries Corporation (SABIC), also proceeded to isolate its plant network to minimize its cyberattack risk exposure.

This forced isolation and network lockdown was a challenge for SAFCO, as it needed to move process data safely and efficiently from applications on the plant control system network to the business network in order to operate.

The Security Solution

To restore business continuity SAFCO installed the Owl Perimeter Defense Solution (OPDS). The OPDS is a one-way data diode transfer solution, to support the secure transfer of industrial control information, using OPC-DA and OPC A&E to the corporate network into the OSIsoft PI and Yokogawa® Historians.

To this end, the first step was the installation of the OPDS network isolation security product at the customer site to protect the process control network from cyberattack. Next, Owl OPC Server Transfer Service (OSTS™) application software was installed to provide efficient and robust transfer of the required OPC data from the process control network to the corporate network. OSTS extracts data from various customer OPC servers on the process network. The OPC data is then transferred across the OPDS network boundary isolation product. The Owl
OSTS software creates an OPC server on the customer business network making the data available to corporate applications as necessary. Owl’s OSTS software solution utilizes the OSIsoft OPC Client connector to extract the data from the Owl created OPC server and places the data into an OSIsoft PI historian. In doing so, the Owl OSTS software solution interoperates with the PI historian, OSI OPC Connector, and ProcessBook™.

As a result of this implementation, high priority data is now flowing from the SAFCO plant network applications to the OSIsoft PI system historian located on the SAFCO business network. Similarly, Yokogawa’s OPC Historian connects to the Owl OPC Server in the business network. In this manner, the Yokogawa Historian also collects the OPC data into the Yokogawa Historian in the business network.

The Security Impact

The plant network is no longer subject to compromise from a cyberattack originating from the business or outside networks. Engineers and business management have immediate access to both real-time OPC data and historical data from the OSIsoft PI historian located on the business network, which had been unavailable following the forced disconnect. SAFCO no longer had to physically perform data examination and queries from within the plant
perimeter, thus reinstating the operational efficiencies lost as a result of the plant network isolation.

Owl Computing Technologies’ DualDiode™ solutions have been implemented successfully for government, military, and critical infrastructure entities around the world. The SAFCO installation is the first time a live implementation of the Owl DualDiode Technology with the OPC certified DA/AE software was deployed in Saudi Arabia. As a hub to the petrochemical industry that has become so crucial to business operations and society in general, this was a very important milestone to improve cybersecurity best practices for SABIC and its affiliates.

Owl Perimeter Defense solutions ensure that the right defense barrier against cyberattacks has been deployed in the most critical situations, eliminating threats to network infrastructure. As critical systems continue to be digitized, an effective electronic perimeter is more important than ever.