1

Industrial Control System Virtualization

Chris HughesIACS Infrastructure

ArchitectFreeport-McMoRan Copper & Gold

www.fcx.com

S4x14January 14th, 2014

Increased redundancy

Decreased recovery time following a failure

Hardware refresh is simpler

System upgrades / rollbacks are easier

OS / system patching are simpler – allows for a “golden image” that can be easily patched

Deployment of additional servers/services is quicker

2

ICS Virtualization Benefits

Virtualization for Industrial Control Systems

Can the same benefits that traditional IT receives be realized?

The simple answer? It Depends…

3

ICS Virtualization

When dealing with ICS and virtualization, there are a few questions that need to be asked:

Will the vendor support it?

Are we ready culturally?

Is it technically feasible?

Is it economically feasible?

4

ICS Virtualization

Challenges for Adoption:

◦ Vendor Support Proprietary hardware? Legacy technology constraints?

◦ Cultural – IT / Control System Staff / Plant Management Virtualization not often fully understood Can be seen as “all eggs in one basket” Training – sufficient skills exist? Support – ICS Staff, MIS or a combination? Fear of the unknown or IT takeover…

5

ICS Virtualization

Challenges for Adoption:

◦ Technical Feasibility Some vendors still use proprietary hardware

Can be internal server cards or external communication/support devices: Fieldbus cards (Modbus, MB+, Profibus, etc.) Ethernet devices Other devices/restrictions?

◦ Economic Feasibility Initial deployment costs can be high Hidden costs?

Training Network infrastructure

Costs typically overridden by advantages gained

6

ICS Virtualization

Assuming we’ve made it past the first 4 questions, what does ICS virtualization look

like?

7

ICS Virtualization

Design Considerations

◦ Virtual Infrastructure Recommend clusters with common storage pool Recommend 2 clusters in separate locations Eliminates “all eggs in one basket”

◦ Plant LAN / Process Control Network Redundancy is the primary consideration – work to eliminate

daisy-chaining and other topology issues Existing networks may be restricted to 100Mb/s or less -

virtualization requires at least 1Gb/s – preferable 10Gb/s to avoid storage or other bottlenecks

Often times, plant network upgrades and virtualization go hand-in-hand

8

ICS Virtualization

ICS Virtualization – An Approach:

◦ Select an IT industry standard platform, ex. Cisco/NetApp Flexpod using VMware

◦ Develop virtualization standards specific to ICS Hardware Software Testing/Deployment strategy Administration Maintenance / Life-cycle Management

9

ICS Virtualization

10

ICS VirtualizationExample Deployment Scenario:

The deployment scenario:

◦ Provides for full redundancy, above and beyond clustering within each individual environment

◦ Allows ICS redundancy to be split: Between plant and secondary location if

desired/needed Primary servers in plant and secondary servers in 2nd

location

◦ Highly Scalable - Allows for easy expansion

11

ICS Virtualization

Implementation Challenges/Caveats:

◦ Deployment: If possible – stand up virtual infrastructure in parallel

to existing system – allow sufficient time and testing prior to cutover

Ensure redundancy is fully tested/verified – within virtual infrastructure and network

Look for ICS specific catches:

12

ICS Virtualization

13

ICS Virtualization

Host 1

Host 2

Host 3

Host 4

PRIBU

VMware DRS ClusterExample ICS Caveat

• Single Cluster

• Primary & Backup HMI Servers On Same Host

• Host Failure

• Both Servers Down

• Operations Blinded

14

ICS Virtualization

Host 1

Host 2

Host 3

Host 4

PRI

BU

VMware DRS Cluster

“Primary” DRS Group

“Backup” DRS Group

• Single Cluster

• Cluster Divided into Groups

• Host Failure

• Backup HMI Server Still Available

• Primary HMI Server Moves To New Host

• Operations Is OK

◦ Cutover:

Proper planning is the key! A staged approach is best…

Be prepared as any issues, related or not, will be pinned to the virtual infrastructure…

15

ICS Virtualization

Questions?

16