What are the essential and critical systems in refinery plants, for its production safety and consistency? Generally, the process control system includes Safety Instrumented Systems (SIS), Distributed Control Systems (DCS) and SCADA systems.
Process control system consists of field layer and process layer, also all network connected to the company layer system.
The signals of a DCS are usually over ten thousand. For those large-scale comprehensive refinery plants with annual production of ten million tons of refined oil and one million tons of ethylene, the signals are even more than one hundred thousand. The terminals and network nodes in the system are up to nearly 1,000, and the connection between the field layer and the process control layer is almost a hundred. Additionally, the interaction among the systems such as SIS, SCADA system and DSC system even increase the intersystem network connection, makes it more complex to cybersecurity protection of each system.
Emerson is one of the key OEMs of DCS in refinery industry. They apply traditional commercial firewalls to protect the boundary of control system to application servers and NTP servers.
As main Safety Instrumented Systems (SIS) manufacturers, Honeywell and Schneider provide refinery industry complete automation systems to ensure production safety, so as to prevent accidents and reduce corresponding impacts and losses. Though the Modbus protocols that run at device layer are relatively closed, they are still connected to the process layer through application services, and less consideration of related cybersecurity risks.
In that case, AVCOMM EdgeFirewalls provide boundary isolation for field layer and process layer, also prevent the risks spread from different system to others. AVCOMM has experiences of working with Emerson, Honeywell, and Schneider, Siemens in different systems.
While ensuring cybersecurity is the responsibility of owners themselves. A relatively stable triangular structure is to adopt the automatic equipment manufacturers' control systems, as well as professional, third-party industrial cybersecurity solutions.
AVCOMM OT Cybersecurity Solution Protects both Network and Application
When comes the protection of industrial cybersecurity, the Network Layer and the Application Layer shall be highly concerned. At Application Layer of industrial control system runs the dedicated industrial protocols from automation OEMs.
Traditional firewalls are proficient at providing protection for Internet access and services, such as DDoS, ARP attacks, and malicious code DAT; while in industrial control systems, the defense mechanism of Internet vulnerability is incomplete because they do not understand the industrial systems and protocols.
AVCOMM can provide both protection for TCP/IP protocol family through ACL strategy at Network layer, and large variety of industrial application protocols resolution at the Application layer, which include:
OPC：Most popular industrial application
S7 and Profinet：Siemens
Modbus TCP：Schneider and many other OEMs
Ethernet/IP CIP：Allan Bradley
IEC 104：Smart Grids
Whitelist Strategy and Perpetual License
Different from the information security priority queue of Confidentiality-Integrity-Availability, Industrial control system place Availability as its highest priority because Industrial control system focus on precise real-time performance, any delay or unavailability may cause safety issue and asset losses.
Since communicating devices of control systems are assured and responding to new joiners or infrequent requests are not often. In this case, the whitelist protection strategy is more adaptable than the blacklist. For protecting the access control and industrial application protocols, the whitelist strategy is more effective and can better solidate the system operation.
Perpetual License is also suitable for industrial control system and its users. The period of return on investment (ROI) of industrial control systems generally takes several years or even longer. Providing users with one time investment and creating sustainable returns is more appropriate to users' expectation and concern. Since it is unnecessary to update the virus DAT or updating for vulnerability frequently, whitelist strategy can be free of subscriptions which is also the advanced feature of Perpetual License.
AVCOMM Provides Consultant, Implementation and Turnkey Basis
AVCOMM offers four hours complimentary cybersecurity consultant to refinery plant owners regarding to existing control system and network. The more understanding of the current system assets, the more effective plan could be drawn.
As the central cybersecurity platform, AVCOMM EdgeCommander provides three Working Modes to generate and apply the Whitelists. In Learning Mode, Whitelists is generated by learning the running systems, instead of creating and editing of each policy.
AVCOMM also provide turnkey project that based on different requests of the owners. Started by assisting owners to analyze their industrial control systems and assets, AVCOMM suggests OT cybersecurity investments by phases. The crucial risks should be prevented in advance. Also, the awareness and practice of OT cyber are built as the project pushed forwards.