Sept 16, 2021

Migrating a distributed control system (DCS): upgrading the operational infrastructure

  1. In a previous blog article, we discussed the main steps in a phased migration of a distributed control system (DCS), which are:

    • Phase 1 – Operational infrastructure and human-machine interfaces (HMIs)
    • Phase 2 – Migration of industrial controllers, I/O and control programs

    In this article, we discuss the first aspect of Phase 1 in greater detail, i.e., upgrading the operational infrastructure.

    To start, a modern DCS relies on an array of systems that can look like IT systems but are tailored specifically to be used in OT infrastructure. The following systems must be in place for the solution to be viable:

    • Physical: fibre optics, copper, wireless, etc.
    • Routing and switching: switches, routers and firewalls
    • Servers: applications, databases, etc.

    An architecture that meets specific project needs is fundamental. It must clearly define the roles of the users, machines and servers needed for solution implementation, while meeting the highest standards in cybersecurity, redundancy and resiliency. The architecture must permit clear segregation of information technology (IT) and operational technology (OT), and establish methods for the required exchange of information between the two.

    As we described earlier, just adding switches or other network devices to connect various pieces of equipment to your industrial network is not enough to mitigate the possible cybersecurity risks. You need to have a work plan that is defined by the system architecture. Regardless of the size of your operational infrastructure, it is a good idea to segregate it into different sectors to clarify the purpose and area of responsibility of every piece of equipment in use:

    Corporate network (IT)

    • Already exists, under IT team responsibility

    - Contains all systems that meet the company’s needs

    - Notably includes the corporate data historian


    Industrial DMZ (iDMZ – IT/OT)

    • Generally needs to be defined
    • Contains all systems of exchange required for adequate operation of the underlying industrial network

      - Dedicated Windows Server Update Services (WSUS)

      - Antivirus signature services

      - Secure file transfer

      - Industrial network back-up system

      - Intermediate data historians

      - Industrial network asset tracking system: SolarWinds, WhatsUp Gold, etc.

    Industrial network (OT)

    • Generally needs to be defined
    • Contains all industrial systems necessary for production

      - Operations consoles

      - Industrial controllers

      - Main industrial network backup system
  2. With two distinct and physically separated network sectors, direct connection between the systems can be avoided. An infrastructure like this makes it possible to exchange information between the two systems using the iDMZ in a controlled and secure manner. With this type of solution, in the worst-case scenario, security breaches will have minimal impacts limited to specific sectors.

    It’s also wise to segregate the industrial network using virtual local area networks (VLANs), regardless of the number of devices making up the network. Again, a well-planned architecture with clearly defined roles can respond to new needs in the network. In addition, the impact on all equipment is minimized when network anomalies or cyberthreats occur, including:

    • Poor network configuration, duplicate IPs, etc.
    • General broadcast or multicast problems
    • Viruses, worms and advanced persistent threats (APTs)

    Depending on the cybersecurity policies in place, equipment can be segregated according to its purpose, its main communication protocol or other technical considerations. For example:

    By type of equipment

    • Industrial controllers (PLC, DCS, remote I/O)
    • Data servers
    • Operations consoles
    • Management consoles: iDRAC, iLO or IPMI

    By type of protocol

    • Industrial – EtherNet/IP, Modbus/TCP, PROFINET, etc.
    • Management – SSH, HTTPS, SFTP, etc.
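
    As an added illustration (not part of the original article), the sketch below audits observed network flows against the zone and VLAN model described above: no direct IT/OT flow, industrial protocols confined to the controller VLAN, and only management protocols reaching the management VLAN. The subnets, segment names, port-to-protocol mapping and sample flows are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumption, not from the article):
# segment name -> (zone, subnet). OT is split into VLANs by equipment type.
SEGMENTS = {
    "IT-corporate":   ("IT",   "10.10.0.0/16"),
    "iDMZ":           ("iDMZ", "10.20.0.0/24"),
    "OT-controllers": ("OT",   "10.30.10.0/24"),
    "OT-servers":     ("OT",   "10.30.20.0/24"),
    "OT-consoles":    ("OT",   "10.30.30.0/24"),
    "OT-management":  ("OT",   "10.30.99.0/24"),  # iDRAC / iLO / IPMI
}
INDUSTRIAL = {502: "Modbus/TCP", 44818: "EtherNet/IP"}
MANAGEMENT = {22: "SSH/SFTP", 443: "HTTPS"}

def locate(ip):
    """Return (segment, zone) for an address, or ('unknown', 'unknown')."""
    addr = ipaddress.ip_address(ip)
    for name, (zone, cidr) in SEGMENTS.items():
        if addr in ipaddress.ip_network(cidr):
            return name, zone
    return "unknown", "unknown"

def audit_flow(src, dst, port):
    """Return the list of segmentation findings for one observed flow."""
    (s_seg, s_zone), (d_seg, d_zone) = locate(src), locate(dst)
    findings = []
    if "unknown" in (s_zone, d_zone):
        findings.append("address outside the documented plan")
    if {s_zone, d_zone} == {"IT", "OT"}:
        findings.append("direct IT/OT flow bypasses the iDMZ")
    if port in INDUSTRIAL and (s_zone != "OT" or d_seg != "OT-controllers"):
        findings.append(f"{INDUSTRIAL[port]} outside the controller VLAN path")
    if d_seg == "OT-management" and port not in MANAGEMENT:
        findings.append("non-management protocol sent to the management VLAN")
    return findings

# Constructed sample flows: (source, destination, destination port).
FLOWS = [
    ("10.10.5.20", "10.20.0.15", 443),    # IT -> iDMZ historian
    ("10.30.30.4", "10.30.10.7", 44818),  # console -> controller
    ("10.10.5.20", "10.30.10.7", 502),    # IT straight to a controller
    ("10.30.30.4", "10.30.99.2", 502),    # Modbus to a management console
    ("192.168.1.50", "10.30.10.7", 502),  # unplanned address
]

def audit(flows=FLOWS):
    """Map each flow with at least one finding to its findings."""
    return {f: r for f in flows if (r := audit_flow(*f))}
```

    Calling audit() on flow records exported from a firewall or switch, mapped to the same three-field tuples, lists every flow that breaks the documented segmentation.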
  3. Along with installation of the industrial network, careful attention must be paid to the data servers that are to be deployed. With recent advances in microelectronics, the availability of system resources (CPU computing power, RAM, disk space and network connectivity) for a single server can easily exceed what is necessary for a given application. To avoid wasting system resources and increase density in the IT server installations, various virtualization technologies have come into being.

    At the heart of the technology is a hypervisor, which acts as a conductor orchestrating the simultaneous installation and running of several operating systems on the same server, which then become virtual machines. The operating system for each virtual machine is not the server owner, but is in a sense a tenant in the server and must use the resources assigned to it through the hypervisor that behaves like a landlord.

  4. The advent of virtualization technologies is just as useful in an industrial context as it is in the IT world. Applications can be added smoothly and easily without the need for installing new physical servers. The hypervisor provides an abstraction layer over the underlying equipment and makes it possible to transfer a virtual machine to a new server in a way that is entirely transparent to the operating system. Virtualization thus minimizes dependency on hardware components and facilitates long-term support of the OT environment.

  5. To learn more about IT/OT solutions for industrial environments, please contact our team.

This content is for general information purposes only. All rights reserved ©BBA
