“Because physical security devices are already in the process control setting, these cameras also can be used to check for leaks, vibration damage, and other adverse situations,” says Urso. “Data sharing technology also enables users to examine streaming video with algorithms that can note differences such as changes in thermography.”
Gospel According to Geismar
To protect chemical plants and refineries from potential attacks and other incidents, Honeywell Process Solutions is offering other companies the program it recently used to integrate security and process control at its Geismar specialty materials plant, near New Orleans. Honeywell developed and implemented a multi-layered security system that integrates its Experion PKS process control system and its Electronic Building Integrator (EBI) cyber, electronic and physical site security systems over its common distributed server architecture, and these links reportedly allow faster, more efficient responses to any adverse events. Developed and implemented over 16 months and at a cost of $3 million, this multi-layered security system reportedly takes a holistic approach, and integrates process control, automation and security systems to reduce risk and increase safety preparedness.
FIGURE 1: BIG MUDDY MONITORING
A radar antenna and cameras monitor the Mississippi river near Honeywell Specialty Materials’ dock in Geismar, La., as part of the 1,900-acre facility’s layered security program.
The Geismar plant is located on the Mississippi River (See Figure 1), and the site is occupied by Honeywell and four other companies. Honeywell employs approximately 275 people at the site, with another 85 contractors on site at any given time. Counting the other companies’ staffs, headcount at the site is more than 1,000 people. As host, Honeywell is responsible for the perimeter security of the entire site, as well as the security of its own facility. Honeywell produces several chemical products at Geismar, including hydrofluoric acid, fluorocarbon refrigerants and Alcon resin.
“The goal at Geismar, like other chemical facilities, was to enhance safety and security to match the increased risk levels of the plant,” says Lessig. “As a chemical manufacturer and as a process control, security and building controls supplier, Honeywell was in a unique position to take a look at securing the site in an innovative way.”
The program’s current capabilities and benefits include:
- Identify and control who enters and exits the facility
- Track movements of building occupants and assets
- Control access to restricted areas
- Track and locate equipment, products, and other resources
- Track the location of personnel on site in the event of an incident
- Integrate control and security systems for greater speed and efficiency
- Protect process automation networks and systems from cyber threats
- Integrate vital waterway and dock monitoring through a radar system
- Respond proactively to alarms and events
- Share data to generate cost savings
“Having the security system totally integrated with process control is what makes this project best in class,” adds Lessig. “If there’s ever an incident on site, everyone (security and process employees) knows about the incident in real time. We’re now able to get the right information out to the right people quickly, and go into action immediately. This reduces risk, enhancing not only security, but safety.”
Urso adds that Geismar will combine its wireless components and a third-party ultrawideband (UWB) radio frequency identification (RFID) technology to pinpoint precise locations of individuals at the plant by the end of 2007. The facility’s current ID card swipe system only documents last-known locations.
“The biggest trend and challenge now is linking process control with business systems, so users can have a fully linked supply chain,” says Urso. “This is where two worlds that used to be in isolation now need to securely exchange information. This can help a refinery reconfigure itself sooner and with less labor to, for example, better handle a ship full of a certain type of crude oil, and allow it to better respond to market dynamics.”
Despite the apparent ease and advantages of simply opening connections between plant-floor and corporate networks, experienced users warn that these links must only occur through well-defined, thoroughly tested, and maintained firewalls, demilitarized zones (DMZs), or virtual private networks (VPNs). However, as network integration causes potential connections to multiply, it becomes harder to enforce these security directives, even though they’re needed more than ever. Likewise, performing a thorough network inventory, data blueprint, and risk assessment becomes an even more crucial starting point.
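The requirement above, that plant-floor and corporate networks exchange traffic only through a firewalled DMZ, can be checked against a network inventory once one exists. The following is an added example, not code from the article or from any vendor named in it; the zone address ranges and the flow records are constructed for illustration.

```python
import ipaddress

# Assumed address plan (constructed; not taken from the article).
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("10.30.0.0/16"),
}

# Constructed flow inventory: (source, destination, dest port, description).
FLOWS = [
    ("10.10.4.21", "10.20.0.15", 443, "ERP reads reports from DMZ historian mirror"),
    ("10.30.1.10", "10.20.0.15", 1433, "plant historian replicates to DMZ mirror"),
    ("10.10.7.88", "10.30.2.40", 3389, "engineer remote desktop straight to HMI"),
    ("10.30.2.41", "10.10.0.5", 25, "alarm gateway mails corporate SMTP directly"),
    ("10.30.1.10", "10.30.2.40", 502, "historian polls controller"),
    ("192.168.9.9", "10.30.2.40", 502, "host missing from the inventory"),
]

def zone_of(addr):
    """Map an IP address to its zone name, or 'unknown' if uninventoried."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"

def audit(flows):
    """Return flows that violate the 'only through the DMZ' rule.

    BYPASSES_DMZ: corporate and control zones talk directly, either direction.
    UNINVENTORIED: an endpoint is in no known zone, so the inventory is incomplete.
    """
    findings = []
    for src, dst, port, note in flows:
        pair = {zone_of(src), zone_of(dst)}
        if "unknown" in pair:
            findings.append(("UNINVENTORIED", src, dst, port, note))
        elif pair == {"corporate", "control"}:
            findings.append(("BYPASSES_DMZ", src, dst, port, note))
    return findings

if __name__ == "__main__":
    for finding in audit(FLOWS):
        print(*finding, sep=" | ")
```

Flows that stay inside one zone or terminate in the DMZ pass; the two direct corporate-to-control links and the uninventoried host are reported.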
Brad Hegrat, Rockwell Automation’s senior network and security engineer, suggests that users employ:
- Stateful packet inspection (SPI) firewalls and/or deep packet inspection (DPI) firewalls that check if data is bound for the correct destination address, and that it comes from the proper source address.
- Packet-filtered firewalls, which also allow or deny communication based on IP addresses, but are quicker than SPI and DPI methods.
- Application gateway or proxy firewalls, which sever connections at the proxy level, and then use that proxy to serve the data when asked. These devices are used for corporate web traffic, and they’re the most secure, but also the slowest.
Hegrat adds that firewalls are more secure because they filter all data through one point, but routers and switches are less secure because they usually have multiple network connections. “One of our customers that makes heavy equipment in the Midwest had a virtual local area network (VLAN) with several access points, and last summer the Zotob worm virus found a hole in it,” says Hegrat. “This event brought down production for seven hours at dozen of plants, and cost millions of dollars in lost production time.” They had to scrub this virus the old-fashioned way and manually restore thousands of devices across the U.S.