Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved. PUBLIC INFORMATION OPC Server Transfer Service (OSTS) Owl Computing Technologies Datadiode in the Connected Enterprise

Owl Computing Technologies, Inc.: Owl OPC Server Transfer Service (OSTS)

DESCRIPTION

The Owl OPC Server Transfer Service (OSTS) application replicates an OPC client in a secure environment. In the one-way transfer architecture of the Owl Perimeter Defense Solution (OPDS), OSTS reads and transmits OPC data across the process control perimeter. The data is made available to OPC clients in the business network.

• Interoperable with FactoryTalk, RSLinx, and RSView32
• OPC Foundation certified

Owl Comprehensive Perimeter Defense Deployment at SABIC/SAFCO

Presented by: Owl Computing Technologies, Inc.

June 2014

Agenda

• Brief Owl Introduction
• The Business Issue
• Typical Customer Progression
• SABIC/SAFCO Use Case
• Overview of Booth Demonstration

Owl Computing Technologies, Inc.

US Owned & Operated Product Suite 1200+ Security Solutions Deployed
US Owned and Operated Owl Product Suite 1500+ Security Solutions Deployed

• US-based controlled supply chain
• US-based R&D, manufacturing, sales and service
• Over 13 years in business
• Rockwell Automation Encompass™ Partner since 2013

• Owl Perimeter Defense Solution
• One-way transfer systems
• Configuration management and life cycle support

• Nuclear, Fossil, and Hydro Generation
• Oil & Gas and Mining Industries
• US National Intelligence Community
• Department of Defense
• Telecommunications
• European and Asian Ministries of Defense

Business Issue

Network security is a component of the plant’s reliability.

Typical Vulnerable Two-way Network Connection

• Two-way connections between the plant and business networks
• Network connection supports business efficiency
• Networks are vulnerable to cyber attack

Easiest Network Security Separation

• Disconnection ensures plant safety from external threats
• Disconnection impedes business efficiency
• Need to strike a balance between security and efficiency

Isolate Plant Network with Data Flows

• Security maintains “disconnected” plant network
• Information flows to support efficiency
• Better security permits OT and IT to coexist

Network Security Separation

• Security maintains a “disconnected” network
• Information flows to support business and plant efficiency
• Best security permits OT and IT efficiency

About Saudi Arabian Fertilizer Company (SAFCO)

• A division of SABIC, Saudi Basic Industries Corporation, a diversified manufacturing company, active in chemicals and intermediates, industrial polymers, fertilizers, and metals.
• Produces, processes, manufactures, and markets the principal fertilizers for the local and international market
• Production and manufacturing of Ammonia, Urea, Melamine, and Sulfuric Acid

Overview

Review of the Owl Perimeter Defense Solution around the SAFCO Process Control Network to enable secure export of data to the Business Network.

• Attack Cause & Effect
• Challenges and Solutions
• Next Generation Cybersecurity
• SABIC/SAFCO Installation
• Benefits and Summary

Cause: Cyber attack
Effect: Industrial Middle East unplugged from the Internet

Cyber attacks on the industry's infrastructure are projected to result in damages costing nearly $2 billion by 2018. [1]

“Isolation works; it is an effective way of protecting critical infrastructure from attacks of this level of sophistication.” [2]

Source:

1. http://www.upi.com/Business_News/Energy-Resources/2013/11/20/Persian-Gulf-oil-industry-vulnerable-to-cyberattacks/UPI-40101384970243/

2. Martin Libicki, Senior Management Scientist, Rand Corporation. http://www.rigzone.com/news/oil_gas/a/121596/Middle_East_Attacks_Highlight_Cybersecurity_Threat_for_OG_Industry#sthash.GgZXMMp4.dpuf

AFTER ATTACK: NETWORK DISCONNECTION WAS THE INITIAL DEFENSE.

DISCONNECTING IMPEDED EFFICIENT OPERATIONS.

SAFCO Challenge / Owl Solution

Business Problem: Ensure network security with network domain separations
Owl Solution: Cybersecurity defense needed to maintain Plant and Business network domain separation

Business Problem: Restore business continuity by allowing data flows to resume
Owl Solution: Replicate DCS and OPC data to business unit historians

Business Problem: Limit unauthorized access to plant network from outside the plant
Owl Solution: Install hardware enforced data diode technology to enforce one-way data flows

SABIC/SAFCO Original Architecture

Process Flow

1. DCS Plant Network to run the plant
2. Network security provided by traditional software firewall
3. Business access to plant data
4. Firewall disconnected after attack for increased security

Owl Next Generation Cybersecurity

Data Diode: An appliance or device that creates a one-way communication link to ensure that data travels securely in only one direction.

[Diagram labels: Plant Process Network Center; Business Network Center; Network Boundary Separation]

SABIC/SAFCO OPDS Installation

[Diagram: SABIC New System. Labels: DCS Station 153 (OPC DA); DCS Station 261 (OPC DA); DCS Station 363 (OPC DA, A&E); OwlOPC BLUE Home Node; OwlOPC BLUE Remote Node; links labeled DCOM, TCP/IP, UDP]

Process Flow:

1. Collect OPC data on Plant Network
2. Collect using either DCOM or Tunneling
3. Route OPC data to one-way data diode
4. Diode sends data out of Plant Network

SABIC/SAFCO OPDS Installation

Oversees and manages all the operations associated with seven LNG trains, two sales gas production facilities, helium production facilities, and major shipping contracts and global commercial partnerships

Process Flow:

1. One-way diode allows data into Business Network
2. Route data to OPC Servers
3. Tunneling avoids DCOM issues
4. OPC Servers are an exact replica
5. Allow OPC compliant connections to use data

[Diagram labels: DCS Station 153 (OPC DA); DCS Station 261 (OPC DA); DCS Station 363 (OPC DA, A&E); OwlOPC BLUE Home Node; OwlOPC BLUE Remote Node; OwlOPC RED Home Node; OwlOPC RED Remote DA Server (153); OwlOPC RED Remote DA Server (261); OwlOPC RED Remote DA Server (363); OwlOPC RED Remote A&E Server (363); OwlOPC RED Remote DA Server; Historian; OSI PI Historian; links labeled DCOM, TCP/IP, UDP]

SABIC/SAFCO OSIsoft® PI System

Process Flow:

1. OPC server presents OPC Data
2. Data moved to OSI PI Historian
3. OSI PI OPC Interface collects OPC data
4. Tunneling avoids DCOM Issues

Benefits

Restored business continuity by allowing data flows to resume
• OPC data sent to OSIsoft® PI Historian
• OPC Foundation DA and A&E certified for compliance and easy installation
• Owl tunneling technology avoids DCOM issues
• OPC Servers are precisely replicated

Ensured network security with network domain separation
• Owl DualDiode enforces Plant and Business Network domain separation

Enforced no access to plant network from outside the plant
• DualDiode is hardware enforced one-way data flows out
• No access or data flows into the plant network of any kind

Generic Network Diagram

[Diagram labels: Owl DualDiode; OPC-DA/UA for data transport]

Data Source: Rockwell FactoryTalk Applications and Devices

Data Destination: OSIsoft PI Historians, OPC Historians

• First network security vendor in Rockwell Automation PartnerNetwork™
• Encompass™ Product Partner since 2013
• Rockwell Automation FactoryTalk interoperability with RSLinx and RSView32 source applications
• Owl Perimeter Defense Solution (OPDS) provides plant network isolation and mitigates cyber-attack
• OPC Compliant

OPDS and Rockwell Automation FactoryTalk Architecture Diagram

Rockwell Automation One-way Architecture

The Owl Perimeter Defense Solution (OPDS) is interoperable with Rockwell Automation FactoryTalk and OPC-compliant applications. Owl DualDiode Technology™, a proprietary data diode, is optimally constructed to complement Rockwell Automation solutions and secure automated industrial control systems.

SABIC/SAFCO business needs solved with Owl products

• Security breach called for urgent need to secure the plant and business operations
• Cybersecurity risks and challenges were effectively solved
• Business continuity and data flows were re-established
• Scalable architecture deployed that replicates to other sites easily
• Provides a new level of cybersecurity and risk mitigation previously unavailable

Thank You

Owl Computing Technologies, Inc.
38A Grove Street, Suite 101
Ridgefield, CT 06877
www.owlcti.com
Toll Free: 866-695-3387
Phone: +1 203-894-9342
Fax: +1 203-894-1297

Questions? THANK YOU