Today's chemical plants increasingly rely on digital communications, not only for control at the field level but throughout the automation system and beyond. Such communications can provide tighter and better control of the process and enable increased integration between automation and business systems. Fortunately, a number of parallel activities are underway to make this integration effective, safe and secure.
Figure 1, which is similar to the model used by the ISA-95 committee, shows the various layers of a typical facility. This article will specifically examine safety and security for Levels 0 and 1, the field layers of the automation system. Levels 2 and above mostly include computer systems similar to those found in the IT or office environment, and they generally use the same forms of security, with the added requirement of high reliability and increased redundancy compared with what's expected in the Level 4 business system.
Figure 1. Most chemical plants use an architecture that contains five layers.
Each layer of the system is protected from the others by the use of firewalls, at least for the Ethernet-based communications systems. Fortunately, to date there haven't been any documented attempts to compromise the Level 0 fieldbus networks. Therefore, the only concern here is keeping the network safe and reliable.
Reliability is paramount in automation systems. This means they must be safe, secure, fault tolerant and easy to maintain. Control engineers are familiar with designing systems to be reliable and easy to maintain, usually through redundancy and through specifications that result in industrially hardened equipment that can operate in the presence of hazardous and corrosive gases across broad temperature ranges (typically -40°F to 180°F). What they're not as familiar with is digital communications: fieldbus and Ethernet. Let's start at the bottom with Level 0 fieldbus communications.
Fieldbus systems have built-in features to ensure the reliability and integrity of the communications. However, because they involve networks rather than single wire pairs, such systems require a variety of new tools. Both handheld maintenance units and continuous fieldbus-network analyzers are now available to help check the health of a system.
The field-level diagnostic tools monitor parameters unique to the relatively harsh environment in which the networks reside. Typical parameters include:
Voltage. There must be sufficient energy to power the field devices and ensure that the signals are detectable above background/environmental noise that may be induced on the cables.
Average and peak noise. These indicate that the system is being affected by external noise sources such as EMI (electromagnetic interference), RFI (radio frequency interference) and crosstalk between cables.
Short circuits. When these network faults occur, they will lead to the loss of one or more signals. Continuous monitoring will help in troubleshooting what may appear to be random failures by one or more devices.
Device retransmissions. An increase in how often signals aren't getting through on the network often provides the first sign of impending larger problems.
Number of devices recognized on the bus. This confirms that all devices are connected to the network, and tracking it over time shows whether devices tend to drop off and then reconnect, which helps pin down the reason, whether a faulty device or some other electrical problem.
A handheld diagnostic tool can help while a problem is happening. Continuous diagnostic systems capture the information on an ongoing basis and also provide a record of how the system changes over time. This is even more important than knowing what's happening at a single point in time, because it can indicate when a possible failure is imminent.
Fortunately these tools are now available for a variety of fieldbus networks.
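The following is an added example, not code from the article or from any analyzer vendor, of the kind of continuous health monitor the paragraphs above describe: it evaluates each analyzer interval against the five parameters listed (voltage, peak noise, retransmissions judged as a trend against a rolling baseline rather than a fixed count, and a device census that reports both drop-offs and reconnects). The voltage and noise limits, the alert names and the sample series are all assumed or constructed for illustration.

```python
from collections import deque, namedtuple

# Assumed limits for a hypothetical segment; real values come from the bus spec and device data sheets.
MIN_BUS_VOLTAGE = 9.0    # V: below this, devices brown out and drop off the bus
MAX_PEAK_NOISE = 0.075   # V: induced EMI/RFI/crosstalk riding on the signal
RETRANS_FACTOR = 2.0     # alarm when retransmissions exceed 2x the recent baseline

# One analyzer interval: time (s), bus voltage (V), peak noise (V), retransmissions
# counted in the interval, and the frozenset of device addresses that answered.
Sample = namedtuple("Sample", "t voltage peak_noise retransmissions devices")

class SegmentMonitor:
    def __init__(self, expected):
        self.expected = frozenset(expected)  # devices that must always be present
        self.history = deque(maxlen=5)       # recent retransmission counts
        self.last_devices = None             # census from the previous sample
    def check(self, s):  # returns (time, kind, detail) alerts and updates trend state
        alerts = []
        if s.voltage < MIN_BUS_VOLTAGE:
            alerts.append((s.t, "low_voltage", f"{s.voltage:.1f} V"))
        if s.peak_noise > MAX_PEAK_NOISE:
            alerts.append((s.t, "high_noise", f"{s.peak_noise * 1000:.0f} mV"))
        # Retransmissions are judged against a rolling baseline (once 3 samples exist), not a
        # fixed count: the rise itself is the early warning that precedes device loss.
        if len(self.history) >= 3:
            base = sum(self.history) / len(self.history)
            if s.retransmissions > max(1.0, base) * RETRANS_FACTOR:
                alerts.append((s.t, "retrans_spike", f"{s.retransmissions} vs baseline {base:.1f}"))
        self.history.append(s.retransmissions)
        # Device census: log disappearances and returns so drop/reconnect cycles are visible.
        missing = self.expected - s.devices
        if missing:
            alerts.append((s.t, "device_missing", str(sorted(missing))))
        if self.last_devices is not None:
            returned = (s.devices - self.last_devices) & self.expected
            if returned:
                alerts.append((s.t, "device_reconnected", str(sorted(returned))))
        self.last_devices = s.devices
        return alerts

def analyze(samples, expected):
    mon = SegmentMonitor(expected)  # one monitor keeps the trend state across the series
    return [a for s in samples for a in mon.check(s)]

# Constructed series: healthy segment, rising noise and retransmissions, then a voltage sag
# during which device 4 drops off the bus and later reconnects.
EXPECTED = frozenset({1, 2, 3, 4})
SAMPLES = [Sample(0, 12.0, 0.020, 1, EXPECTED), Sample(10, 11.9, 0.020, 1, EXPECTED),
           Sample(20, 11.8, 0.030, 2, EXPECTED), Sample(30, 11.7, 0.030, 2, EXPECTED),
           Sample(40, 11.6, 0.090, 9, EXPECTED), Sample(50, 8.5, 0.090, 12, frozenset({1, 2, 3})),
           Sample(60, 11.8, 0.030, 2, EXPECTED)]
```

Run over the constructed series, `analyze(SAMPLES, EXPECTED)` raises nothing for the first four intervals, then reports the noise and retransmission rise at t=40 before the voltage sag and device loss at t=50, which is the early warning the article is after.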
In the past, most control systems used proprietary protocols, which as a side effect afforded a measure of security. Today, though, automation vendors have largely switched to open systems, which are much more susceptible to attack.
For instance, connectivity, especially at Levels 2 and 3, now generally involves OPC. This software-based tool for connecting across protocols and systems presently relies heavily on Windows COM and DCOM. One of the security challenges associated with this is that it's very difficult to secure the multiple ports that must be opened and closed as part of the communications. Fortunately, there are some options. Proprietary solutions use various forms of tunneling, similar to creating a Virtual Private Network (VPN) between the client and the server, but this is done differently by each manufacturer. A second option being groomed by the OPC Foundation is OPC UA (Unified Architecture), which included security considerations during its development. The OPC UA specifications are nearing completion and developers are now preparing the appropriate code, so expect the initial production releases of this version around the end of the year and demonstrations at ISA this fall. Interoperability testing should begin in early 2008.
Most fieldbus protocols now have gateways to convert their field-level signals to an Ethernet-based system, normally at Level 1; as a result, they are susceptible to being compromised in the same way as the office environment, which is also based on Ethernet. Now almost all the protocols are open and supported by not-for-profit organizations, and many of their details can be found on the Internet. For example, the most widely used protocol, Modbus, is available from www.modbus.org without the need for any form of registration. Therefore, as in the office environment, the solution in the automation arena is now defense in depth.