Customer Solution Case Study
/ / Honeywell Builds Secure Process Knowledge Systems with Microsoft Technology
Overview
Country or Region: United States
Industry: Industrial Automation
Customer Profile
Honeywell Process Solutions (HPS) provides products and services to the process automation industry, including cyber security for the company’s large industrial and petrochemical customers.
Business Situation
HPS realizes the benefits of open technology and recognizes the need to secure automation systems against abnormal situations and nontraditional threats.
Solution
HPS committed to continual improvement in the security of its flagship Experion® Process Knowledge System (PKS) product and deepened its partnership commitment with Microsoft to joint, trustworthy computing.
Benefits
n Improved plant operations
n Outstanding collaborative support for security
n Easy migration and integration / “When we talk with customers, one of the things that differentiates us is that we make security part of the infrastructure of the system. It’s pervasive: it’s at every level, it’s in everything.”
Kevin Staggs, Control System Solution Planner, Honeywell Process Solutions
Honeywell Process Solutions (HPS) builds and delivers automation products and services to support a wide range of heavy industries, including refining, chemicals, pharmaceuticals, mining, and energy. The reliability and security of control systems in these industries is critical not only to efficient plant operation and business success, but also to the avoidance of failures and risk mitigation. Honeywell’s flagship product Experion® Process Knowledge System (PKS) is a process knowledge system with key components based on advanced Microsoft® Windows® operating systems and .NET connection software. Working in close collaboration with Microsoft, HPS has pioneered groundbreaking methods of securing Windows-based solutions that improve the decision-making effectiveness of plant operators under normal and abnormal conditions.
Situation
Honeywell Process Solutions (HPS), a business unit within Honeywell’s Automation and Control business segment, serves a U.S.$15 billion installed-customer base and supplies them with process automation products. Clients depend on HPS for the infrastructure that controls complex production processes involving high temperatures and pressures typically found in production industries such as energy, chemical, and pharmaceutical.
In recent years, threats against open systems have escalated the need for securing computing infrastructures within production facilities. In 2004, the U.S. Department of Homeland Security advised that refineries and petrochemical plants are to be considered potential terrorism targets. This heightened reality has given momentum to industry and government initiatives aimed at enhancing the security of industrial facilities in ways that meet nontraditional threat scenarios.
Says Kevin Staggs, Control System Solution Planner at HPS, “Our clients are operating some very sensitive processes. A significant failure can cause a plant to shut down or worse, so everything we do is built around safety and availability. When we talk with customers, one of the things that differentiates us is that we make security part of the infrastructure of the system. It’s pervasive: it’s at every level, it’s in everything.”
Honeywell has long had a reputation for delivering process automation products that exceed the highest standards for safety and security. Its flagship system is the Experion® Process Knowledge System (PKS). Experion PKS is designed for operators to monitor and control complex processes. It gathers data from a range of diverse sources, including field sensors, control equipment, and other supervisory systems, then presents this data to the operator through graphical displays. A single point of access to all process information helps improve operator performance and ensure safety.
Experion PKS comprises a Control Execution Environment (CEE) at the industrial controller level that controls plant processes, using Experion servers and databases to gather and organize information, and Experion stations to provide the human-machine interface (HMI) with the operator. At the industrial controller level, HPS manufactures equipment integrating proprietary, real-time operating systems. Starting in 1996, the server-level software has run on Microsoft® Windows® operating system platforms. Operator stations run on Windows-based PCs and use Microsoft Internet Explorer technology as a basis for the HMI display. A medium-size implementation might include 15 operator stations and two Experion servers.
The entire Experion PKS architecture includes many products that securely integrate into a complete performance solution, as shown in Figure1.
Honeywell Process Solutions wanted to introduce new features and capabilities into Experion PKS. The goal was to increase the level of information visibility between higher-level business applications and lower-level process control systems to create a truly enterprise-wide knowledge system for manufacturing organizations. Any changes to the HPS process automation software, however, would have to meet two stringent requirements.
1. All changes must accommodate legacy technology. The industries served by HPS depend on complex systems with life spans of 15 years and longer. “We need to be able to integrate today’s technology with controllers that we shipped in 1974,” points out Staggs. “We will never leave anybody behind, which creates some very significant challenges.”
2. Safety and security must remain priority one. Increased levels of integration between the realm of business applications and the world of industrial controls might run the risk of creating new susceptibilities and possibilities for failure. Understanding and eliminating such risk remains the utmost concern of HPS when considering any changes to Experion PKS.
Solution
The most recent release of Experion PKS, R300, represents the latest step in Honeywell’s carefully considered plan to provide greater value to its customers through the inclusion of advanced Microsoft technologies. The Experion server, which first migrated from UNIX to a Windows platform in 1996, now runs on Microsoft Windows Server™ 2003 operating system and uses Microsoft SQL Server™ 2000. Some of the Experion applications are built with Microsoft Visual Studio® .NET 2003 on the Microsoft .NET Framework version 1.1. Technologies, such as Windows Forms, provide information from both the plant floor and the business enterprise to human operators on Windows XP operating system–based client stations.
HPS developers use .NET-connected technologies extensively in carefully selected parts of Experion PKS, particularly in its user interface elements and offline configuration tools. “Applications, such as movement automation, blending applications, and business applications, are utilizing .NET,” says Andrew Duca, System Architect at HPS. “All our integrated tools used for configuring and engineering a system within our Configuration Studio are based on smart client technology and .NET.”
The user interface provided by the company’s own HMIWeb technology is a particularly important component of the Experion PKS system because it is directly tied to the ability of the operator to control processes efficiently. During system implementation, the HMIWeb Display Builder is used to create custom displays showing graphical representations of processes (such as pumps, valves, tanks, and pipes). Animation and scripts can be used to change the visualization of the display when changes occur. This customization of Internet Explorer–based display can be accomplished by using .NET-connected technologies like Windows Forms.
HPS has a Premier Independent Software Vendor (ISV) agreement with Microsoft and works closely with Microsoft Partner Services on security topics. In order to deploy secure Windows-based server and workstation products, Experion PKS R300 uses a number of special techniques that include:
n A series of scripts lock down the file system and registry during the installation of the operating system. A series of local groups are created and the system is locked down based on those groups before any HPS application is even installed on the machine.
n Experion Server is installed onto a Windows Server 2003 Service Pack 1 (SP1) platform, and the Experion Server firewall feature is—by default—on.
n A strict separation is enforced between the process control side of the system and the business application side. A client on one side never crosses the boundary to access a server on the other side. Server-to-server interactions across that boundary are carefully limited through protocols that require, for example, special shadow servers.
n Increasingly, Experion products are moving toward a domain model in which an application must be deployed into a Windows domain—either the business domain or the control domain. Eliminating trust relationships between the domains will compartmentalize risk.
n Group policy objects are used in Experion deployments. HPS provides its group policy templates (based on provided group policy objects) for its customers to integrate into organizational units. In some cases, HPS scripts the whole process of creating a domain and setting up security.
Honeywell will continually place an emphasis on Experion PKS security. Future versions will likely be built on an even more compartmentalized model that will eliminate all trust relationships between domains and synchronization between machines. To test the effectiveness of its security measures, Honeywell’s “white hat” teams stage network-based attacks against the Experion servers and stations.
Benefits
Safety and environmental protection go beyond regulatory compliance, with constant pressure to safeguard people, assets, and profitability while increasing efficiency. Honeywell Process Solutions uses the power of Windows to extend the role and scope of automation for its customers. Using Microsoft .NET software, Honeywell continues to improve the ability of plant operators to view and comprehend processes in real time, especially under abnormal conditions.
Improved Plant Operations
Experion PKS uses Windows operating systems and .NET connection software to help integrate process control information with business information in manufacturing plants. Better visibility into enterprise-wide information increases efficiencies, improves uptime, and reduces plant life-cycle costs for its customers. Not only are the Windows-based servers and workstations securely locked down, but also their advanced ability to gather, store, analyze, and present information to plant operators can actually improve the safety and security of the plant under abnormal conditions. Better information delivered more quickly to the operator can prevent or mitigate catastrophic failures.
“Windows platforms will enable us to build next-generation operator environments that use best guidance from the Abnormal Situation Management Consortium,” remarks Duca. “We are working toward an integrated cockpit that brings exactly the right information to the operators at the exactly the right time, without overloading them with too much non-critical information. The new technologies coming down the road in Windows and .NET will help us accomplish that goal through constantly improving collaborative decision-support tools and better display technology.”
Outstanding Collaborative Support for Security
Honeywell Process Solutions has introduced the latest Windows and .NET technologies into an environment tightly constrained by extreme safety and security requirements. In collaboration with Microsoft, Honeywell’s years of experience and Six Sigma methodology have enabled it to pioneer some of the safest and most secure methods in the world for implementing Windows-based systems.
The Microsoft Partner Services team provides both proactive and reactive support for development and deployment projects by HPS. According to Duca, “The Partner Services team is a virtual extension of our development team.”
The benefits of close collaboration for trustworthy computing are exemplified by the Threat Modeling Workshop Microsoft delivered for the developers and architects at HPS. Microsoft experts shared their internal methodology used to test business application security, then the Microsoft and HPS engineers worked together to determine how threat modeling could best be applied to the HPS systems. “Our collaboration on security was a two-way street,” according to Ned Curic, Strategic Security Advisor at Microsoft. “The HPS engineers learned about our approach to threat modeling, and they gave us good feedback that we incorporated into our own methodology.”
Easy Migration and Integration
Honeywell’s customers deploy the latest Experion PKS servers and stations, which are based on Windows Server 2003 and Windows XP, right alongside other systems that have typically been in place for 10 years or more. Everything about these Experion products has been designed to be safe, secure, and compatible with the proven technologies of Honeywell’s legacy process control systems.
Customers in the automation industry do not typically upgrade their systems as often as do other enterprises. Honeywell Process Solutions, therefore, takes tremendous advantage of Microsoft’s extended product life-cycle policies to support HPS customers over the long term. HPS helps its customers maintain older systems and augments those systems with new features and capabilities that take advantage of the latest Windows technologies. When it is time to upgrade, the continuity of the Windows platform enables HPS to offer its customers a clear upgrade path from any previous point to the current product.
Microsoft Visual Studio .NET
Microsoft Visual Studio .NET is the rapid application development (RAD) tool for building next-generation Web applications and XML-based Web services. Visual Studio .NET empowers developers to rapidly design broad-reach Web applications for any device and any platform. In addition, Visual Studio .NET is fully integrated with the Microsoft .NET Framework, providing support for multiple programming languages and automatically handling many common programming tasks, freeing developers to rapidly create Web applications using their language of choice.
For more information about Visual Studio .NET, go to:
msdn.microsoft.com/vstudio
Acquire Visual Studio .NET:
msdn.microsoft.com/vstudio/howtobuy
MSDN® Subscriptions:
msdn.microsoft.com/subscriptions
Microsoft .NET Framework
The Microsoft .NET Framework is an integral Windows component for building and running the next generation of applications and XML-based Web services.
For more information about the .NET Framework, go to:
msdn.microsoft.com/netframework