Security segmentation protection using Innominate mGuard firewalls.

Innominate mGuard firewall installation

ZF Sachs, an international automotive supplier for drive and chassis components headquartered in Schweinfurt in Germany, has permanently improved the security of its industrial networks by introducing a decentralized security architecture with industrial firewalls.

The requirement for stronger security in the production plants was primarily because of virus problems in the office network. Compared to the manageable risk of an office computer infection, the risk potential for production facilities was considered to be significantly higher. In order to minimize the risk of possible disturbances or even production downtimes through faulty accesses or malware, ZF Sachs decided to implement additional security precautions.

Decentralized security philosophy

The task of the new security architecture was to protect the production plants from both undesirable external and internal accesses and limit the spread of infiltrating virus attacks.

Sealing off the office network from the production network was considered to be the most suitable strategy; this was carried out with a large central firewall and a structured security architecture (defense in depth), with which critical individual systems could also be safeguarded. The control and filtering of network traffic through firewalls took on a key role. Better organized and distributed protection, greater flexibility for a typical industrial network design and lower investment and operating costs all argued in favor of a decentralized architecture with firewalls. Segmentation through VLAN-compatible switches into logically separated segments was evaluated and rejected, as virtual LANs were considered too difficult to control from a security point of view.

The automation technology and machine maintenance departments were responsible for the implementation, in coordination with the IT department. Along with the use of virus scanners in the production area, the most important measure became the segmentation of the production network into small and manageable machine networks. The assignment was conducted spatially based on building zones with additional Profinet components for individual installations. A total of 40 decentralized machine networks were implemented and each of these subnetworks was secured by an mGuard firewall from Phoenix Contact and Innominate.

“We evaluated different firewall security products under two main criteria. Industrial suitability with an extended temperature range was particularly important to us. We also needed a solution that could be integrated – as flexibly as possible and with a low level of complexity – into our automation component environment,” says Asmund Hey, head of automation technology for ZF Sachs technical services, in explaining the choice of the mGuard security solution.

Setting up decentralized firewalls

The implementation of the decentralized security architecture was based on the network structure plan. This describes the individual network segments and contains specifications concerning which device is attached to which port, as well as which IP addresses, MAC addresses, firmware version and product designations are given.

“To ensure that the decentralized architecture with 40 individual machine networks did not lead to greater configuration and operative effort, we first developed a basic set of common firewall rules for all subnetworks as an overriding control. The implementation was relatively simple,” reports Asmund Hey. For the rollout, the master parameters were read out from a memory chip upon start-up and applied to the subnetwork. This meant that most of the requirements were already covered. Only individual rules had to be added for special cases, e.g. for controller access to office server shares.

A three-month introductory and learning phase followed start-up, allowing any missing accesses or ports to be included. “During this phase, we realized how important a careful network architecture plan is. The more time invested here, the smaller the correction effort will be later. We also discovered the advantages of central device management,” says Asmund Hey, listing the most important experiences gained during the start-up.

Automation technology requirements

Various requirements need to be taken into account when setting up the decentralized security architecture. The production facility with Profinet components needed to be sealed off from disturbances coming from the network. The “8HP” (a torque converter for 8-gear automatic transmissions) requires TCP/IP communication at the level of the Profinet protocols. In the process, a large number of IP addresses had to be managed, and a clear segmentation and sealing-off were necessary for the field bus components. Because the real-time response behavior of the components is specified with a jitter of less than a microsecond, they had to be consistently sealed off in their own network to prevent disturbances such as typical broadcast traffic. A dedicated network segment was therefore reserved for the 8HP. A further requirement was 1:1 NAT (network address translation) for DNC (distributed numerical control) machines. This concerned the software for the distribution of the DNC programs, which runs in the office network. Since the mGuard components support 1:1 NAT, no adjustments to the internal address space of the machines were necessary for that software.

Setting up port forwarding was a further important requirement, as central databases located in the plant stations had to be reachable from outside the segment. Strict outgoing rules were also necessary. The spatial separation of plants leads to a distribution of the software and process data, which must then be merged again centrally on a server. Access to the central server is enabled through rules in the central firewalls, while any other uncontrolled access is prevented.
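The policy described above (one base rule set inherited by every machine network, per-segment exceptions such as controller access to an office share, 1:1 NAT for the DNC machines, port forwarding for a plant-station database, and strict outgoing rules with default deny) can be modelled to check what a given flow would be allowed to do before it is rolled out. The following Python model is an added example, not ZF Sachs' or Innominate's configuration and not the mGuard rule syntax; every address, port, host name and segment number in it is constructed.

```python
"""Policy model for segmented machine networks (added example; all values constructed).

Every segment firewall inherits one common base rule set, may add segment-specific
exceptions, and applies 1:1 NAT or port forwarding before the filter sees a packet,
which is the order a real NAT-capable firewall uses (translate, then filter)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "in": office -> machine network, "out": machine network -> office
    src: IPv4Network
    dst: IPv4Network
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port
    comment: str = ""

    def matches(self, direction, src, dst, proto, dport):
        return (self.direction == direction and src in self.src and dst in self.dst
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


ANY = ip_network("0.0.0.0/0")
OFFICE = ip_network("10.0.0.0/16")           # constructed office network
CENTRAL_SERVER = ip_network("10.0.5.20/32")  # constructed process-data merge server
DNC_SERVER = ip_network("10.0.5.30/32")      # constructed DNC program distribution host
MACHINES = ip_network("192.168.0.0/24")      # identical internal address space in every segment

# Common base rule set shared by all segments: explicit allows, strict outgoing, default deny.
BASE_RULES = [
    Rule("allow", "in", DNC_SERVER, MACHINES, "tcp", None, "DNC distribution via 1:1 NAT"),
    Rule("allow", "in", OFFICE, ip_network("192.168.0.20/32"), "tcp", 1433,
         "central database on plant station (published by port forwarding)"),
    Rule("allow", "out", MACHINES, CENTRAL_SERVER, "tcp", 445, "process data merge on central server"),
    Rule("deny", "out", MACHINES, ANY, "any", None, "strict outgoing: nothing else leaves the segment"),
]


@dataclass
class SegmentFirewall:
    name: str
    external_ip: IPv4Address
    extra_rules: list = field(default_factory=list)         # segment-specific exceptions
    nat_external: Optional[IPv4Network] = None              # 1:1 NAT: this external net <-> MACHINES
    port_forwards: dict = field(default_factory=dict)       # (proto, ext_port) -> (internal ip, port)

    def translate_inbound(self, dst, proto, dport):
        """Apply 1:1 NAT or port forwarding to the destination before filtering."""
        if self.nat_external is not None and dst in self.nat_external:
            # 1:1 NAT keeps the host part: 10.40.7.15 -> 192.168.0.15
            offset = int(dst) - int(self.nat_external.network_address)
            return MACHINES.network_address + offset, dport
        if dst == self.external_ip and (proto, dport) in self.port_forwards:
            return self.port_forwards[(proto, dport)]
        return dst, dport

    def decide(self, direction, src, dst, proto, dport):
        src, dst = ip_address(src), ip_address(dst)
        if direction == "in":
            dst, dport = self.translate_inbound(dst, proto, dport)
        # Segment exceptions first, then the inherited base set, then default deny.
        for rule in (*self.extra_rules, *BASE_RULES):
            if rule.matches(direction, src, dst, proto, dport):
                return rule.action, rule.comment
        return "deny", "default deny"


# Constructed segment 07: DNC machines behind 1:1 NAT, a forwarded database port, one special case.
SEGMENT_07 = SegmentFirewall(
    name="machine-net-07", external_ip=ip_address("10.40.107.1"),
    nat_external=ip_network("10.40.7.0/24"),
    port_forwards={("tcp", 1433): (ip_address("192.168.0.20"), 1433)},
    extra_rules=[Rule("allow", "out", ip_network("192.168.0.10/32"), ip_network("10.0.5.40/32"),
                      "tcp", 445, "special case: controller access to office server share")],
)
# Constructed segment 12: base rules only.
SEGMENT_12 = SegmentFirewall(name="machine-net-12", external_ip=ip_address("10.40.112.1"))

CHECKS = [  # constructed flows: (firewall, direction, src, dst, proto, dport)
    (SEGMENT_07, "in", "10.0.5.30", "10.40.7.15", "tcp", 8000),     # DNC server -> machine via 1:1 NAT
    (SEGMENT_07, "in", "10.0.3.7", "10.40.7.15", "tcp", 8000),      # arbitrary office host -> machine
    (SEGMENT_07, "in", "10.0.3.7", "10.40.107.1", "tcp", 1433),     # office client -> forwarded database
    (SEGMENT_07, "out", "192.168.0.10", "10.0.5.40", "tcp", 445),   # segment-specific share access
    (SEGMENT_12, "out", "192.168.0.10", "10.0.5.40", "tcp", 445),   # same flow without the exception
    (SEGMENT_12, "out", "192.168.0.11", "10.0.5.20", "tcp", 445),   # process data upload
    (SEGMENT_12, "out", "192.168.0.11", "203.0.113.9", "tcp", 80),  # anything else outbound
]


def run_checks():
    """Evaluate every constructed flow; returns (segment, packet, action, reason) tuples."""
    return [(fw.name, tuple(pkt), *fw.decide(*pkt)) for fw, *pkt in CHECKS]


if __name__ == "__main__":
    for name, pkt, action, why in run_checks():
        print(f"{name}: {pkt} -> {action} ({why})")
```

Rule order matters: the segment's own exceptions are consulted before the shared base set, so a special case can open exactly one flow without loosening the base set that the other segments inherit, and the explicit final outbound deny plus the default deny make any flow not listed fail closed.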

Decentralized firewalls have increased security

The mGuard security solution has been used at ZF Sachs for two years now. The decentralized firewalls in new plants or in plants with Profinet components are now equipped to protect against disturbances. “The decentralized networks run smoothly. There is nothing that halts the automation technology and operation continues largely without maintenance. We also successfully protected several older machines without virus protection from disturbances and attacks. Thanks to the segmentation, any virus brought in by a technician has not been able to spread into the network,” says Asmund Hey in summing up his experiences. He has a useful point of comparison, as the virus problem continues to be present in the office area and in old machines without firewall protection. Asmund Hey emphasizes that a secure production flow is also guaranteed when other network components fail: in that case, the firewall protects the plants from disruptive broadcasts or malformed packets.

“The experiences we’ve had with the launch, operation and the security standard attained through the decentralized firewalls have all been very good. This is probably also due to the excellent support provided by Innominate. The response times are short, and if we have ideas or improvement suggestions, these are normally included in one of the next versions,” says Asmund Hey in describing the collaboration.

Further improvements are planned

One of the extensions under way now is setting up a central administration for the decentralized machine networks. Goals include standardization to the largest extent possible, uniform configuration and an easier administration of the networks. To this end, the Innominate Device Manager (IDM) is being introduced, which provides the status information of all administered components for a central monitoring. Finished configurations or updates can be transferred from the IDM to the decentralized firewalls. And a high degree of automation for the configuration of individual devices can be obtained through its template and inheritance technology.

Another project is related to the use of mGuards for remote maintenance. Both the plant manufacturer and the internal test equipment design department require remote maintenance access. The employees at ZF Sachs have longstanding experience with remote maintenance. With the new security architecture placing the machines behind the firewall, however, a new solution needs to be found that is aligned with the altered security rules. Secure remote access via VPNs is therefore a highly interesting additional benefit provided by the mGuard protection.

About ZF Sachs

As the driveline and chassis components division of ZF Friedrichshafen AG, ZF Sachs AG is headquartered in Schweinfurt / Germany and employs a staff of 16,500 workers around the world. For more than 100 years, ZF Sachs has been a renowned partner of the automotive industry. Its products are not only used with traditional applications in cars, commercial vehicles, rail, construction and agricultural technology, but also in motorsports.


UK’s WWEM expo partners with SWIG

WWEM 2012, the Water Wastewater & Environmental Monitoring event (Telford, 7/8th November 2012) has announced a partnership with SWIG to help accelerate the sharing of knowledge between academia and industry at this year’s event.

SWIG (Sensors for Water Interest Group) is a not for profit information exchange and networking group with a diverse UK-wide membership drawn from the water and process industries, sensor manufacturers and their distributors, academic institutions involved in sensor research, regulatory bodies and consultants working in the field of water management.

SWIG focuses on the use of sensor and associated technologies for measurement and control in water and wastewater treatment processes and infrastructure, as well as in natural environments and waters.

SWIG Programme Manager Linda Smith says: “WWEM 2012 will be a great opportunity for everyone involved with water quality and flow to come together and exchange ideas during an event that will be entirely focused on testing and monitoring. We therefore welcome this opportunity to encourage collaboration between parties interested in research, development and sensor deployment, and we anticipate strong participation from our members.”

WWEM 2012 organiser Marcus Pattison says he is “delighted with SWIG’s involvement because partnerships will be a central theme for this year’s event.”

Further information is available at www.wwem.uk.com and www.swig.org.uk  

ARC says Wonderware HMI has largest global market share

Invensys Operations Management is reported to have achieved the #1 market share position as a global provider of human machine interface (HMI) software and services in a recent ARC Advisory Group market study. The report affirms the market share-leading position of the company’s Wonderware InTouch and ArchestrA System Platform software products for use in HMI, supervisory and SCADA applications. 

As the first major HMI software offering to begin running on Microsoft Windows more than 20 years ago, the company’s Wonderware brand has been synonymous with continuous innovation and ease of use. Over this long history, the ARC Advisory Group’s HMI software and services study has consistently listed the Wonderware brand as one of the top market share leaders. In the 2011 ARC report, which covers the 2010 calendar year, Invensys Operations Management outpaced market growth to gain the #1 position in market share, increasing its percentage lead over its nearest competitor.

“We are thrilled to see the results of our accelerated focus on the HMI market, and we sincerely appreciate the recognition we have received from the ARC report. As a primary source of market data and analysis, their findings greatly validate the customer acceptance we are gaining,” said Rashesh Mody, senior vice president of software and advanced applications for Invensys Operations Management. “It should be noted, as well, that unlike other vendors, this is all organic growth as Invensys has not acquired any other HMI companies in recent history. In all, we remain committed to the HMI and supervisory control market, and our customers tell us that we provide the most scalable, open and extensible platform for HMI, ranging from offerings that fit OEM / machine builders all the way to full enterprise control visualisation. Our active installed base for HMI is approaching 700,000 licenses, and for more than two decades, many of our customers have upgraded and migrated their applications to take advantage of new capabilities with just a few simple mouse clicks. We are proud that our offerings continue to address three key efficiencies—engineering, IT and operations—that help our customers empower their people and achieve real-time operational excellence.”

The ARC report said in part that to further its real-time enterprise control strategy, Invensys has released several extensible HMI components for supervisory and SCADA users, as well as a number of industry-focused solutions, including ArchestrA Workflow, that enable systems designers to implement prototypes and real-world applications. These and a number of other key aspects of the ArchestrA technology architecture differentiate Invensys Operations Management. The ability to configure a complete level-2 (control visualisation) and level-3 (production visualisation) solution with a single namespace means that intercommunication is intrinsic and integration with higher-level systems is simplified. And because they are open and extensible, the company’s external systems can be rapidly integrated into practically any other application.

According to Craig Resnick, research director for ARC Advisory Group and author of the recent study, “Invensys Operations Management has a multi-faceted strategy to enhance its market position, as well as to further its InFusion enterprise control system concept. The company continues to update its Wonderware InTouch and ArchestrA System Platform product lines and is placing strategic emphasis on the SCADA and geo-SCADA arena, which is reflected in the functionality delivered by the latest release of its software products.”

“By being object-oriented, ArchestrA System Platform enables end users to pilot applications, and due to the scalability of its architecture, they can grow these pilots into large-scale implementations with minimal re-engineering. Managing standards and change is also inherent to the architecture, so an HMI software application, or even just an element of the application, can be changed once and rolled out to multiple end users, helping end users achieve real-time business optimisation,” Resnick said.

Werum PAS-X goes live in Indian pharma plant

The pharmaceutical major, Dr. Reddy’s Laboratories Ltd, is the first Indian company to improve its manufacturing processes by installing an electronic PAS-X Manufacturing Execution System (MES). Dr. Reddy’s opted for Werum’s MES PAS-X to help enhance the quality and compliance and to optimize the efficiency and productivity of its pharmaceutical shop floor processes, and the system has recently gone live with the first implementation phase of the MES system.

Implementing PAS-X forms part of Dr. Reddy’s expansion strategy. The first step, now successfully completed, involved installing PAS-X at one of the company’s FDA and MHRA approved production facilities at Bachupally in Hyderabad.

In its first step, the PAS-X handles and controls the Warehouse Management System, such as receiving, sampling and storing of materials. It also carries out Weighing & Dispensing and Equipment Management operations.

Using mobile terminals, PAS-X coordinates the barcode-controlled process for material tracking and tracing of containers as they travel from the warehouse to the dispensing area. An automated interface allows PAS-X to communicate directly with Dr. Reddy’s ERP (SAP).

The project is being carried out by a team of experienced experts at Werum’s Asia Support Centre with Dr. Reddy’s Internal Core Team.

Sensonics turbine protection systems in China

Machine monitoring and protection specialists Sensonics have recently completed a project for the Chongqing steel company in China. The contract for the supply and installation of Sentry G3 Protection Monitors and Proximity Probes was successfully completed in conjunction with Sensonics Shanghai based partners, Star Royal Industry & Engineering Co Ltd.

The four new systems provide online monitoring and shutdown protection of a new turbine installation delivered through the Chinese based OEM Qingdao turbine.  Commenting on the project, Joe Chin, the Managing Director of Star Royal said, “The Sentry G3 concept of a universal platform to cover all machine measurements and protection functions is very good and we are pleased to see the installations functioning reliably,” he confirmed: “The Sentry G3 installation went smoothly and the system has now been up and running for over 8 months.  The reliability of the system has been excellent and the end user is very happy with the system performance and the user-friendly features”.

Two of the systems are installed in the combined cycle power plant where waste heat from the blast furnace is utilised to drive two 25MW thermal recovery turbines manufactured by Hangzhou Steam Turbine (HTC). The other two G3 racks are installed on Qingdao turbine machines which form part of the Coke Dry Quenching Technology used at the plant.  This advanced closed system circulates gas to extract energy from the spent fuel which in turn is used to generate steam to drive the turbines.

The turbine supervisory system consists of: 8 channels of shaft relative vibration (X and Y position on 4 sleeve bearings), 2 channels of thrust position at the HP end of the turbine, 2 channels of rotor to case differential expansion and 2 channels of turbine speed measurement. Standard 8mm (2.5mm range) diameter proximity probes were utilised for the vibration measurements and for the differential expansion points. Sensonics PRD08 disk probes were used to provide 8mm of differential expansion range against a shaft collar.

Extended range probes were implemented at the thrust position locations to allow for easy calibration. These 4mm range probes in an 8mm diameter package are unique to Sensonics and are ideal for measurement ranges that push close to 2mm, but still need to allow for a minimum gap set-up as well as any possible float. The complete measurement chain is contained within a single Sentry G3 3Ux19” rack system. This also includes spare slots for up to 8 additional channels to be added at a later date if required, (absolute bearing vibration measurement may be added in the future). 

Only one type of Sentry G3 module is required to cover all the measurement modes and each channel has the capacity to be programmed to any of the required turbine supervisory regimes.  This not only permits efficient usage of hardware (note that the first module in the rack is programmed for two channels of thrust position and two channels of speed) but also minimises the required spares holding.  The hot swappable modules can be replaced online and the previous settings are simply uploaded through the user interface software.

The Sentry G3 system offers an integral LCD display on the module with several display modes; this obviates the requirement for additional hardware and the need for a separate panel-mounted LCD for local viewing of readings and events. Through the G3 display, each measured channel (value and alarm status) can be rapidly understood, while further analysis of dynamic channels can also be performed through the inherent FFT (vibration frequency analysis) facility available for each channel. An event log in each module permits the recall of up to 100 events to enable the user to determine past performance and capture fleeting channel alarms. Regarding the FFT facility, the site engineer commented, “This is the first time I have seen and utilised such a tool within this type of monitoring system and it’s proved to be very useful with the Sentry G3 diagnostics.”

The completion of the Chongqing project is another example of continued success for Sensonics in the Far East and underlines their commitment to developing the most effective solutions for vibration, position and speed monitoring for critical machine condition monitoring applications.

Metso valves and control systems for major containerboard project in Poland

Metso has received an important automation order for the new Stora Enso Narew Sp.zo.o containerboard production line at Ostroleka in Poland. The production line will produce 455,000 tonnes of light-weighted testliner per year. The EUR 285 million investment project is scheduled to be completed in the first quarter of 2013.

Metso’s delivery scope includes the MetsoDNA Automation System, the Process Info Management System, the latest Web Inspection technology – integrated with high speed Web Break Analysis system, control and on/off-valves as well as consistency transmitters and other field instruments. The main shipments will take place during the third quarter of 2012.

“We are very pleased about this extensive automation order and privileged to continue working with the professional Stora Enso Narew team after the successful power plant project implementation,” says Ari Pinjamaa, Regional Vice President, Metso.

Honeywell Experion enables remote operation of Statoil Valemon

Honeywell has been selected by Statoil, the international energy company headquartered in Norway, to deploy its Experion Process Knowledge System (PKS) and Honeywell Distributed System Architecture (DSA) at Statoil’s Valemon platform in the North Sea. The DSA will allow Honeywell to integrate Experion with Statoil’s existing Kvitebjørn platform to enable remote command of the facility, aiming to reduce overall costs and lower the risks associated with resource recovery.

The Valemon field is located 160 kilometres west of the Norwegian coast and is one of Statoil’s largest development projects. The site contains recoverable reserves of 26 billion cubic metres of gas and five million cubic metres of condensate, which equates to over 1 percent of Norway’s gas reserves.

Honeywell’s Integrated Control and Safety System (ICSS) means work can be continuously controlled and the safety of subsea and topside operations monitored without the need for personnel on site. The entire operation can be operated remotely from the existing Kvitebjørn platform. Honeywell’s technology reduces the investments needed to achieve the goal of an unmanned platform as minor additional equipment and minimum engineering is required. The DSA will minimize production costs and increase safety for Statoil personnel, as well as reduce the risk of otherwise duplicated ICSS databases becoming inconsistent over time.

Guantak Park, purchasing manager, Samsung Heavy Industries, said: “We selected Honeywell because of the ability of their Process Knowledge System to seamlessly integrate with existing technology. The proven robustness and functionality of Experion PKS gives us the ability to source solutions to maximise productivity safely and at low cost, and will positively impact our competitive position.”

Orhan Genis, vice president, sales, Honeywell Process Solutions, EMEA, commented: “The use of Honeywell DSA and PKS technologies at Valemon demonstrates the industry’s recent step forward in resource recovery. The ability to work remotely is opening up the possibility of extracting large untapped reserves in locations, such as the deep North Sea, that were previously too difficult, distant or dangerous to reach, while also helping to drive down costs and increase efficiency.”

With production planned to begin in 2014, the gas extracted from the Valemon field will be sent via existing pipelines to supply European gas consumers. Samsung Heavy Industries is acting as the Engineering, Procurement and Construction (EPC) contractor for the project.