Defending Your Plant

Securing the Perimeter Just Isn't Enough. You Have to Have Inside Defense Too


The Active-Beaconing RFID tag from GAO RFID is an ideal solution. It transmits its ID every two seconds and can be read from 98 ft, so anyone carrying an item with the tag can be detected by any RFID monitor. It also has an anti-tampering feature that sends an alarm if anyone tries to dislodge it. Similar RFID tags are available from a host of vendors.
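The monitoring side of such a beaconing tag can be sketched as follows. This is an added example, not vendor code: the read format, the tamper flag on each read and the three-missed-beacons tolerance are assumptions, and only the two-second interval comes from the article.

```python
from dataclasses import dataclass

BEACON_INTERVAL_S = 2.0     # from the article: the tag transmits its ID every two seconds
MISSED_BEACONS_ALLOWED = 3  # assumption: tolerate a few lost transmissions before alarming

@dataclass
class Read:
    t: float       # seconds since the start of the capture
    tag_id: str
    tamper: bool   # assumption: the tag's tamper alarm arrives as a flag on the read

def find_alarms(reads, expected_tags, now):
    """Return sorted (time, tag_id, reason) alarms for tamper flags and silent tags."""
    limit = BEACON_INTERVAL_S * MISSED_BEACONS_ALLOWED
    alarms, last_seen = [], {}
    for r in sorted(reads, key=lambda r: r.t):
        prev = last_seen.get(r.tag_id)
        # A gap between two reads longer than the limit means the tagged item
        # was out of range of every monitor (or shielded) for a while.
        if prev is not None and r.t - prev > limit:
            alarms.append((prev + limit, r.tag_id, "silent"))
        if r.tamper:
            alarms.append((r.t, r.tag_id, "tamper"))
        last_seen[r.tag_id] = r.t
    # Tags in the inventory that have stopped beaconing, or never started.
    for tag in expected_tags:
        seen = last_seen.get(tag, 0.0)
        if now - seen > limit:
            alarms.append((seen + limit, tag, "silent"))
    return sorted(alarms)

def sample_reads():
    """Constructed sample data: three tags over a 20-second capture."""
    reads = [Read(float(t), "TAG-A", False) for t in range(0, 21, 2)]  # healthy
    reads += [Read(float(t), "TAG-B", False) for t in (0, 2, 4)]
    reads += [Read(6.0, "TAG-B", True)]             # dislodged, then goes quiet
    reads += [Read(float(t), "TAG-C", False) for t in (0, 2, 12, 14, 16, 18, 20)]
    return reads

if __name__ == "__main__":
    for alarm in find_alarms(sample_reads(), ["TAG-A", "TAG-B", "TAG-C"], now=20.0):
        print(alarm)
```

The silence check matters as much as the tamper flag: a tag that is shielded or carried out of range raises no tamper alarm, so the monitor has to treat missing beacons as an event in their own right.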

Of course, if your plant has remote areas, you might have the same problem as Duke Energy did. Duke Energy in North Carolina was being plagued with copper theft at its substations and construction sites. Standard video monitoring was ineffective because of the distances involved. It was too expensive to transmit live images long distances over wire, so Duke tried to use cameras and recorders. All Duke’s security got for its troubles were hours of videos of intruders and crimes committed the previous day, but not sufficient evidence to prosecute the thieves.

Duke Energy installed Videofied, a wireless security system that reports video alarms over a cell-phone network. When an intruder trips a motion sensor, the night vision camera takes a 10-second video and sends it to Duke’s monitoring station. Once security personnel see what is happening, they call the police. Now, instead of just having videos of crimes, Duke Energy has videos of police arriving on the scene and arresting thieves carrying armloads of copper.

The Big Picture

Enabling a single point of viewing for the entire enterprise could be the next trend, says Hesh Kagan, Managing Consultant, Enterprise Architecture and Integration, at Invensys Process Systems (IPS). “Merging physical security and control system monitoring enables users at control stations not only to see who is near their systems at hand and far away, but also to monitor process anomalies, such as steam emissions, leaks and excess vibrations,” says Kagan.

IPS and its partner, Industrial Video & Control Company (IVC), are integrating access and perimeter monitoring systems with plant control systems. IPS consultants develop fully integrated solutions based on a secure wireless infrastructure that includes video. IPS defines policies and procedures for managing available wireless bandwidth to enable multi-purpose integration of video monitoring, while IVC installs cameras at strategic locations to carry out the plans.


Camera images from all over this water treatment plant in Nevada can be viewed on the plant’s HMI/SCADA system.

“Operators at workstations can also control the viewing angle and zoom on these cameras, so they can get a really clear picture of what is going on with their systems,” says IVC president Norman Fast. “This is valuable whether the systems are in a room down the hall or coming from a remote, hazardous location miles away. This saves time, money and surely improves safety.”

An IVC installation at the Simi Valley Water Works in Simi Valley, Calif. (Figure 2), is an IPS-based video system that is used for both security and monitoring operations. It accommodates access control, security and SCADA, with additional cameras (Figure 3) added as needed to monitor key locations. Operation of all this is managed by IVC video management software, which includes an alarm server that listens for and parses alarm messages from access control systems, perimeter security devices, motion detectors and the SCADA system.

Honeywell, Invensys and other control system vendors, working with video suppliers like IVC, have successfully integrated video monitoring with HMI/SCADA systems, so operators at process control systems, building management systems and security systems can watch and record what is happening in and around the plant. Unlike the closed-circuit TV systems of the past, these new video monitoring systems integrate directly into the plant’s existing wired or wireless industrial networks.

Apprion Inc. has created an integrated video, voice over Internet protocol (VoIP) and data backbone called ION that integrates these new video monitoring systems directly into the plant’s existing wired or wireless industrial networks. Not only can operators see intruders, they can watch over the entire plant.

Rich Merritt is a Control contributing editor.

Securing the Control Room

One of the key targets for bad guys is the control system. If they know what they are doing, they can overflow a tank, blow up a batch reactor, steal information from your system or otherwise wreak havoc. You should physically protect your control system from an internal assault by visitors, vendors or disgruntled employees.

Several years ago, a process control engineer explained to me the security procedures his company followed when installing control systems in areas of the world where plants are vulnerable to sabotage. He explained that control and equipment rooms—because they are clean and air-conditioned—are favorite gathering places for employees.

Many control rooms are “trophy rooms,” he said, where management brings visitors to show off their ultra-modern displays, wall panels, wide-screen TV monitors and so on. In both cases, visitors and workers will sit at HMI displays and play with the keys and displays. To ensure that no one can change the control system either intentionally or unintentionally, this process control engineer recommends securing everything from the hardware controllers to HMIs in the control room:

  • Put locked bars over the controller faceplates so no one can manually change settings.
  • Lock the cabinet containing the controllers.
  • Lock the room containing the cabinets.
  • Control access to the building containing the controller room.
  • Put the main control room on a different floor or in a different building.
  • Control access to the main control room.
  • Make sure that the HMIs in the main control room can only monitor the system, not change controller settings.
  • Put HMIs that can change controller settings in a different locked room.
  • Protect those HMIs with user names and passwords, so only a very few authorized people can change control settings.

While these may seem excessive for a domestic plant, such Draconian procedures make it very difficult for anyone to gain access to critical control equipment. Modern technology even makes it possible to move the actual control room hundreds or even thousands of miles away from the plant. At the very least, all the plant’s data, configurations, historians and software should be backed up—perhaps at a secure data center in Marion, Iowa.

Security at Geismer, Part 2: The Inside Job

The Honeywell Geismer plant in Geismer, La., follows a structured, layered approach to plant security that involves procedures and hardware to:

  • Identify and control who enters and exits a facility.
  • Track movement of building occupants and assets.
  • Control access to restricted areas with ID cards.
  • Track and locate equipment, products and other resources.
  • Track the location of personnel on the site.
  • Integrate security and control systems.

Assets are tracked with RFID tags. The system monitors mobile physical assets continuously throughout the facility. This helps reduce theft and loss of intellectual property and decreases lease and capital expenditures by continuously tracking the real-time location and utilization rates of high-value equipment. The solution also increases process uptime and helps to improve regulatory compliance by ensuring that equipment can be located for scheduled maintenance or recalibration.

Security cameras inside the facility watch the comings and goings of people on the site.

Since Honeywell's building and process control systems share the same distributed server architecture, the company was able to integrate physical and cyber security tightly with control systems.

