About the customer and prerequisites
In peacetime, it would be unlikely that we would agree to name the customer, especially when the country has been at war for more than a year and the terrorist country continues to hunt for Ukrainian critical infrastructure and leading industrial sites. And this applies not only to physical destruction, but also covers a number of other risks, among which one of the leading places is occupied by information and cyber attacks.
Therefore, when we mention the customer, we can determine that he belongs to critical infrastructure facilities and protects the energy independence of Ukraine. The project covered four production units at a distance of 30 to 130 km from the company’s headquarters.
Project uniqueness
- The duration of production shutdown during implementation was 0 minutes.
- The architecture is a five-tier Purdue model.
- The number of Integrator employees involved in the project is more than 70 people.
- The number of customer employees involved in the project is less than 10 people.
The prerequisites for the project were primarily based on the consistent development of the customer’s innovation and technical maturity. An important contribution was made by corporate recommendations to reduce the risks of information loss and production interruption in the event of cyberattacks and incidents. In particular, it is worth mentioning the Resolution of the Cabinet of Ministers of Ukraine No. 518 dated June 19, 2019 “On Approval of the General Requirements for Cyber Security of Critical Infrastructure Facilities”, which defines the organisational, methodological, technical and technological conditions for organising cyber security of such facilities. In particular, technological innovations were pushed by the system of interactions that had been built over the years, which required audit and systematisation in accordance with the new agreed architecture, and the requirement for documentary standards would help unify systems when building new facilities.
Solution composition
The primary task of the Integrator team was to ensure access control and control of changes to Automated Process Control Systems. The second priority was to protect the Automated Process Control Systems from cyber threats, and to detect and prevent equipment failures in a timely manner. As a result, in order to achieve the priority tasks, it was necessary to modernise the basic industrial infrastructure, build a resilient cybersecurity system and implement proactive protection mechanisms using systems for collecting and analysing event logs, detecting anomalies and cybersecurity incidents. Another stage was the development of a secure and controlled demilitarised zone for data exchange between industrial and IT networks. It was also important to ensure the autonomy of each production unit in the event of a compromise or failure of a particular production unit. The ultimate goal was to ensure full integration and compatibility of the built solution with the mechanisms, software and hardware complexes of existing systems, which was also implemented during the project.
Manufacturers involved in the integration:
Results:
- Local area network
The project included the configuration and implementation of an industrial network infrastructure based on the fault-tolerant Resilient Ethernet Protocol (REP) in conjunction with Spanning-Tree Protocol (STP). It also includes the implementation of DMVPN (IPSEC) technology, and even a backup channel for 3G/4G telemetry networks. To ensure the security of the industrial network components, in accordance with their interaction with each other, the existing productive technological network was divided into a multi-level Purdue model. A new IP addressing plan was developed taking into account the new network design. Multi-vendor inspection and traffic filtering between the tiers was implemented at each facility. The DMZ design was implemented based on Microsoft’s service architecture.
Cisco Prime Infrastructure was used to implement a centralised system for monitoring and managing network devices.
- One-way data transmission by DataDiode
The Waterfall Unidirectional Security Gateway solution used in the implementation is unique because it provides a high level of security due to the physical separation of network segments. This class of solutions is used specifically to solve the problems of secure exchange between segments of industrial and corporate networks at critical infrastructure facilities, such as nuclear power plants, industrial sites, oil production and refineries, etc. The implemented solution is necessary for secure OPC Data Access data exchange between three production sites and the customer’s head office, protecting technological networks from external threats.
- Modernisation of engineering infrastructure
The scope of work to modernise the engineering infrastructure included auditing existing communication lines and creating new data transmission channels to fully duplicate critical production units, as well as ensuring that backup channels are set up automatically. The communication lines were labelled in accordance with the new IP addressing plan. The main and backup power supply for existing and new equipment was provided, as well as maximum utilisation of the existing infrastructure.
- Protection against malware
The use of a Next Generation Antivirus solution allowed us to implement a centralised malware protection system for technological equipment, including production servers, engineering machines and control panels for technological devices.
- Data storage
During the project, a centralised data backup and recovery system was implemented based on target recovery levels for critical process control systems in accordance with RTO\RPO requirements that meet the customer’s business criteria.
- Remote access
A remote desktop service was deployed in the production units and a logical structure and topology of sites for the network environment was implemented. Remote access security was ensured through the implementation of workstation and server management policies and an access matrix to information resources. Among other things, DNS, certification, NTP, and Terminal server technical solutions were implemented to provide remote access for employees and contractors.
- Incident monitoring
To monitor incidents and attack vectors, a unified centralised system for collecting, analysing and storing event logs from all components of the IT infrastructure – network equipment, security subsystems, servers and workstations – based on Trellix’s SIEM solution was implemented.
Conclusions
Valentyn Herasymovych, Project Manager of IT-Integrator: “Our team was able to implement this complex and multi-layered project, which covered the implementation of almost all parts of the customer’s infrastructure, from engineering to high-powered cybersecurity systems. Despite the outbreak of a full-scale enemy invasion of the country, we successfully completed all deliveries, installation, commissioning of equipment, staff training and post-implementation support. Moreover, we were able to establish standards that can be applied to other facilities in the future, continuing the path of productive digitalisation of the customer’s processes.”
Nadiia Omelchenko, Vice President of IT-Integrator, said: “We have successfully implemented the first project in Ukraine of an information security system for Automated Process Control Systems using secure unidirectional network devices – Data Diodes. The approach and security technology developed in this way can now be implemented and quickly scaled up for all critical infrastructure facilities and enterprises in strategic industries, which guarantees 100% physical protection of such facilities’ information systems from incoming cyberattacks.”
