Overcoming Cybersecurity Challenges on the Journey Toward Virtualization and Centralization

Mar 27, 2024 | Control & Safety Systems, Event

At the 2024 Emerson Exchange Conference in Düsseldorf, Germany, Saudi Aramco’s Abdulmohsen Alahmed and Reenad Almutairi presented Cybersecurity Challenges: The Journey Toward Virtualization and Centralization. Here is their session abstract:

With the dynamic nature of cybersecurity and the expansion of ICS systems, the need to have a centralized and virtualized cybersecurity system becomes crucial. In this talk, we will showcase an oil and gas facility’s journey to deploy virtualized central cybersecurity systems for Emerson DCS and SCADA, in addition to benefits, challenges faced and corresponding Emerson solutions. This system architecture redesign was part of upgrade projects at an Aramco facility. The main drivers of the upgrade project were obsolescence, newly mandated cybersecurity requirements, loss of Emerson support for the old version, and new features added in the new versions.

They opened by highlighting the need to upgrade their distributed control system (DCS) and SCADA systems because of obsolescence, cybersecurity compliance, vendor support, and the new features available.

The concept of virtualizing and centralizing cybersecurity management is not new in IT, and it has been applied on the OT side for a while. Full adoption is a journey, especially for brownfield sites. In the case of this project, they started in the middle of that journey.

The initial architecture considerations included:

  • Partial virtualization
  • Duplicate solutions
  • Control System servers used for other services
  • Missing cybersecurity requirements
  • Space limitations

This starting point added to the number of duplicate solutions, complicated administration and maintenance activities, and increased cybersecurity risk, not to mention the added cost of all of it.

Here was the process they followed to address the cybersecurity challenges in their journey to virtualization and centralization.

The chosen approach was to virtualize all new systems and implement centralized cybersecurity management where applicable, except for the DCS, which is part of the 2024 plan. The objective was to enhance network security by modifying the architecture and adding network protection controls, and to sequence the execution plan.

They sequenced the changes beginning with some of the SCADA systems, then a DCS with thin clients and operating systems, followed by the other SCADA systems. Each phase had a different scope and requirements.

The cybersecurity requirements were challenging.

  • Cybersecurity requirements are getting more and more complex and costly
  • Centralize and virtualize cybersecurity systems to meet requirements and future expansions (scalability). Where possible, partial enhancement is better than none
  • Patch management, for example, still involves a manual process
  • Limited expertise when it comes to cybersecurity solutions and the virtualization environment
  • Improper configuration of the virtual environment and cybersecurity solutions leads to increased risk and a false sense of security; training is needed

Another challenge was the different licensing requirements for the various systems and software, and how a virtualized environment affects licensing. It is something to plan for in advance. Another challenge is network segmentation:

  • Redesign the network architecture to align with cybersecurity and virtualization objectives
  • Due to time and shutdown restrictions, the scope of changes was limited
  • Limit one-to-many and many-to-many communication
  • Firewalls, VLANs, etc.
  • Field network threat: add a firewall between the field network and SCADA
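One way to make the "limit one-to-many and many-to-many communication" objective checkable rather than aspirational is to review the allow rules on the field/SCADA boundary firewall mechanically. The script below is an added illustration, not code from the presentation or from Emerson; the rule set, zone names and addresses are constructed, and the rule format is a generic zone-to-zone table rather than any specific firewall vendor's syntax. It classifies each allow rule between the zones of concern by the size of its source and destination ranges and flags anything broader than host-to-host, as well as rules that open every port.

```python
"""Review a constructed field/SCADA boundary firewall policy for broad flows.

Added example with hypothetical data; it does not reflect the facility's
actual rules. Only the Python standard library is used.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src: str      # CIDR; /32 means a single host
    dst: str      # CIDR; /32 means a single host
    proto: str    # "tcp", "udp" or "any"
    port: str     # e.g. "502" for Modbus/TCP, or "any"
    action: str   # "allow" or "deny"


# Constructed sample policy (not real addresses or devices).
RULES = [
    Rule("field-plc-to-scada-modbus", "field", "scada",
         "10.10.1.21/32", "10.20.0.5/32", "tcp", "502", "allow"),
    Rule("field-to-scada-any", "field", "scada",
         "10.10.1.0/24", "10.20.0.0/24", "tcp", "any", "allow"),
    Rule("scada-hist-to-plcs", "scada", "field",
         "10.20.0.5/32", "10.10.1.0/24", "tcp", "502", "allow"),
    Rule("eng-to-dcs", "engineering", "dcs",
         "10.30.0.0/24", "10.40.0.0/24", "any", "any", "allow"),
    Rule("default-deny", "field", "scada",
         "0.0.0.0/0", "0.0.0.0/0", "any", "any", "deny"),
]

# Zone pairs whose allow rules are reviewed, in both directions.
ZONE_PAIRS_OF_CONCERN = {("field", "scada"), ("scada", "field")}


def classify(rule: Rule) -> str:
    """Describe the flow shape from the number of source/destination hosts."""
    src_hosts = ip_network(rule.src, strict=False).num_addresses
    dst_hosts = ip_network(rule.dst, strict=False).num_addresses
    if src_hosts == 1 and dst_hosts == 1:
        return "one-to-one"
    if src_hosts == 1:
        return "one-to-many"
    if dst_hosts == 1:
        return "many-to-one"
    return "many-to-many"


def review(rules, zone_pairs=ZONE_PAIRS_OF_CONCERN):
    """Return (rule name, issue) findings for allow rules crossing the zones.

    Host-to-host rules on a specific port pass; wider ranges or 'any' port
    are reported so they can be justified or tightened before deployment.
    """
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        if (rule.src_zone, rule.dst_zone) not in zone_pairs:
            continue
        shape = classify(rule)
        if shape != "one-to-one":
            findings.append((rule.name, f"{shape} flow between "
                                        f"{rule.src_zone} and {rule.dst_zone}"))
        if rule.port == "any":
            findings.append((rule.name, "allows every port"))
    return findings


def has_default_deny(rules, src_zone, dst_zone) -> bool:
    """True if the last rule for the zone pair denies all remaining traffic."""
    pair_rules = [r for r in rules
                  if (r.src_zone, r.dst_zone) == (src_zone, dst_zone)]
    if not pair_rules:
        return False
    last = pair_rules[-1]
    return (last.action == "deny" and last.port == "any"
            and classify(last) == "many-to-many")


if __name__ == "__main__":
    for name, issue in review(RULES):
        print(f"{name}: {issue}")
    print("field->scada default deny:", has_default_deny(RULES, "field", "scada"))
```

Run against the constructed policy, the broad subnet-to-subnet rule is reported twice (for its shape and for its open port), the historian-to-all-PLCs rule once, and the host-to-host Modbus rule not at all; the engineering/DCS rule is skipped because that zone pair is outside the review scope. The same check can be run on a proposed rule set before FAT so that the segmentation goal is verified rather than assumed.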

From an operational impact perspective:

  • Issues not caught during FAT testing may still arise on site in the actual plant setup
  • Deploy gradually, even if tested at FAT
  • Offline activities: upgrading the OS and firmware, replacing switches, deploying firewalls (for example, the SCADA field firewall)
  • Application whitelisting tool

The projects had a tight shutdown schedule and material delays, since they took place during the COVID era. Due to the delays in material delivery and the tight schedule, the project was completed in two phases (software, then hardware), using temporary hardware to avoid impacting the plant shutdown schedule. Rigorous planning and testing are essential to overcome cybersecurity challenges, but tight schedules sometimes hamper this planning.

From a performance perspective, properly setting the network interface parameters for the virtualization environment is very important, as is uninstalling unneeded third-party applications where possible. It is important to test and properly configure cybersecurity settings prior to mass deployment. For some systems, establishing a performance baseline first makes it possible to see how the cybersecurity settings affect performance.

The more vendor software and systems involved, the more challenging your cybersecurity hardening journey will be since each security and network solution is different. Ongoing support from suppliers, especially during the first year, is recommended to develop internal cybersecurity skills for maintenance and support.

Here is a summary of their learnings and benefits attained:

  • Savings in hardware cost, power, and space thanks to the reduction in assets from virtualization
  • Enables a scalable architecture for future expansions
  • Enables cost savings for future upgrades
  • The upgrade happened in two phases: phase one was the software upgrade only, and phase two was the hardware replacement. This allowed the upgrade to fit in the allocated shutdown window and avoided a separate shutdown for the upgrade.
  • Enables flexibility to add machines in future expansions to meet changing cybersecurity requirements, because virtualization technology is employed.
  • Planning in the design phase is crucial; handling complexity and cost then is much simpler and more straightforward than doing it at a later stage

The more time that goes into the planning phase, the smoother the project execution phase should go.