Home / Industries / Pulp and Paper / Sample Project

Process Control Network (PCN) and Plant Data Network (PDN) Security Review

Universal Dynamics was engaged to conduct a network security review for an overseas electric power utility company. There had been a number of ongoing process automation and modernization programs employing the intranet/internet technology at the customer’s generation and power transmission distribution facilities. The growth of the network traffic and expansion of the physical network infrastructure with a mixture of state-of-the-art and legacy installations created challenges in the implementation and enforcement of security measures. The security objectives were system/data integrity, availability and confidentiality. 

The customer has a corporate security policy in place developed by an IT consultant with primary focus on corporate IS operation issues. However, security requirements for real-time process control networks and plant information systems have unique operation constraints and priorities. Security issues in a process control network environment are quite different from the corporate IS perspective and are not usually well addressed with the same level of details as IS issues. The customer also discovered that it is very difficult to find external technical resources with expertise in both process control and IT background who understands the practical issues of an operating plant. The project team involved in the security review not only has to have the technical knowledge on the equipment and technology employed in the process control network environment and process operation. They also need to have the IT knowledge in the latest computer network protocols and communication technology in order to appreciate the system’s security vulnerability and personnel safety related issues.

The Universal Dynamics team was selected by the customer based on the team’s diversified technological field of expertise in process control, power utilities and computer networking. The scope of review included the following major areas:

• Data Transport & Telecom Network fibre optic rings, microwave links
• Firewall, router management
• Non-destructive internal and external penetration tests
• SCADA, RTU systems
• Wireless control, remote signaling communication systems
• Turnkey, proprietary network subsystems – energy management, environmental monitoring, turbine controls
• Network communications with business partners and suppliers.
• Corporate network backbone infrastructure.
• Corporate security policy versus world best practice BS 7799

With the full cooperation of the customer’s system owners, the Universal Dynamics security review team was able to conduct analysis of each system and submit reports and presentations to the customer’s management on budget and on schedule. The customer was satisfied with the results of the review to the fact that not only existing weaknesses that can be mitigated immediately were identified for further actions, but more importantly we came up with ideas and creative concepts to manage their security issues more effectively in order to meet their long team growth objectives. The Universal Dynamics project team consisted of a total of six engineers and systems analysts for a duration of eight weeks with half of the time spent on site. It was a worthwhile learning experience for both the customer and the UD project team with the awareness that managing security is both an art and science in a very dynamic environment and the building of technical counter measures is only a small part of the whole picture.

A security review exercise will help the customer to become more familiar with his/her system’s security characteristics and requirement in order to properly configure the most effective and appropriate protection necessary to improve system/data integrity, availability and confidentiality.