[Figure: network configuration diagram. Recoverable labels: L3SW as a core router; Domain Controller (Active Directory); Anti-Virus Server; WSUS Server; Backup & Recovery Server; Network Management Server; PRM, FAST/Tools, STARDOM and ISER servers and clients; Plant-A; SCADA Zone; DCS Zone; Safety PCN; SCADA PCN; DCS PCN (Process Control Network); EHIS (Emergency HIS); HISENG; Level 2]
number of devices are involved or they are distributed in a wide area, AV servers must be introduced. Whether to choose AV servers or a manual update by the EPS service is finally decided depending on discussions with customers considering the number and locations of target devices and the running cost of the AV servers.

connected directly to the Internet.

The Level-3.5 AV server pulls the information from the Level-4 AV server or pulls it directly from the vendor site via the Internet. The Level-3 AV server pulls the same information from the Level-3.5 AV server and distributes it to each workstation and server.
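The tiered pull chain described above, checked against a server inventory. This is an added example, not part of the original paper; the host names, the `endpoint` label and the inventory format are assumptions made for illustration.

```python
from collections import namedtuple

INTERNET = "vendor-site"  # the AV vendor site reached via the Internet

# Permitted source level per tier, taken from the text. "endpoint" is a label
# assumed here for the workstations and servers fed by the Level-3 AV server.
ALLOWED_UPSTREAM = {
    "3.5": {"4", INTERNET},
    "3": {"3.5"},
    "endpoint": {"3"},
}

# level is "4", "3.5", "3" or "endpoint"; upstream is a node name or INTERNET
Node = namedtuple("Node", "name level upstream")

def audit_update_paths(nodes):
    """Return sorted (node, reason) findings; an empty list means compliant."""
    by_name = {n.name: n for n in nodes}
    findings = []
    for n in nodes:
        if n.level == "4":
            continue  # Level 4 is out of scope for the control-system network
        if n.upstream == INTERNET:
            src = INTERNET
        elif n.upstream in by_name:
            src = by_name[n.upstream].level
        else:
            findings.append((n.name, f"unknown upstream {n.upstream}"))
            continue
        if src not in ALLOWED_UPSTREAM.get(n.level, set()):
            findings.append((n.name, f"level {n.level} pulls from {src}"))
    return sorted(findings)

def chain(nodes, name):
    """Follow upstream links from `name`; raise ValueError on a loop."""
    by_name = {n.name: n for n in nodes}
    path = [name]
    while path[-1] in by_name:
        nxt = by_name[path[-1]].upstream
        if nxt in path:
            raise ValueError(f"update loop via {nxt}")
        path.append(nxt)
    return path

# Constructed inventory: host names are hypothetical.
SAMPLE = [
    Node("av-l4", "4", INTERNET), Node("av-dmz", "3.5", "av-l4"),
    Node("av-pcn", "3", "av-dmz"), Node("his01", "endpoint", "av-pcn"),
    Node("av-pcn2", "3", "av-l4"),        # Level 3 bypassing the Level-3.5 server
    Node("eng01", "endpoint", INTERNET),  # endpoint pulling from the Internet
]
```

Running `audit_update_paths(SAMPLE)` reports the two hosts that skip a tier, and `chain(SAMPLE, "his01")` lists every hop a pattern file takes before it reaches that workstation.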
The EPS service offers a means in which service engineers manually apply MS patches for each client. As an additional means, this paper introduces an integrated

[Figure annotations, anti-virus updates. Labels: DMZ network; Level 3. Step 3: The AV server on PCN obtains information on pattern files, virus search engines and patches from the AV server on the DMZ network.]

[Figure annotations, MS patch distribution. Level 4 (Out-Of-Scope), step 1: The upper level WSUS server on the office domain network obtains all MS patches for software in use from the Microsoft Update site via the Internet. Level 3, step 3: The WSUS management server obtains only required MS patches from the WSUS server on the DMZ network. Only required MS patches authorized by the administrator are maintained.]

System Hardening

● Disable autoruns
● Disable NetBIOS over TCP/IP
● Set audit policies
● Disable removable media access
improving the efficiency of engineering and plant operation. In this network configuration, even if the DCS is infected with viruses, the SIS must not be affected. Thus, Yokogawa is offering engineering in which a SIS is connected with a DCS network via protective devices such as a firewall.

SECURITY TRAINING

For implementing security countermeasures for control systems, engineers need to apply security solutions based on information system technology on the premise of a good understanding of the control system itself and availability and safety of the plant.

For this purpose, Yokogawa provides its control system engineers with training that enables them to understand the security system based on the best practices and suitable for control systems, and enables them to perform actual engineering.

The training consists of the following three steps. Engineers who have passed the qualifying examination after the course are enrolled and treated as Yokogawa security-certified engineers.

● Total system architecture
● Advanced module for each security solution
● Practical module for each security solution

In 2013, the global industrial cyber security professional (GICSP) certification program was established. The GICSP is a professional qualification for security staff in critical infrastructures and one of the certifications awarded by Global Information Assurance Certification (GIAC), a certification organization that provides many other certification programs in the fields related to cyber security. The GICSP certification requires comprehensive knowledge not only on the design and implementation of security countermeasure systems but also on the entire lifecycle from the initial stage of developing security policies and introduction plans to emergency procedures on incidents during actual operation.

Regarding the GICSP as important, Yokogawa has developed a dedicated training module for engineers to acquire this qualification and started the training at each global office to promote companywide acquisition of this qualification.

CONCLUSION

This paper has introduced Yokogawa’s security concept for control systems and related engineering. Regarding security countermeasures, Yokogawa studied those in general information systems, selected solutions best suited for control systems, and formulated their architecture, implementation and operation as best practices. Control systems for critical infrastructures must be protected from cyber-attacks. Yokogawa provides proper security engineering based on the best practices to reduce security risks, and will continue to support secure and stable operation of plants.

* CENTUM, ExaQuantum, STARDOM, Vnet/IP, Prosafe, PRM, FAST/TOOLS, Exasmoc and Exarqe are either trademarks or registered trademarks of Yokogawa Electric Corporation.
* All other company names and product names mentioned in this paper are either trademarks or registered trademarks of their respective holders.