Case study Energy

Designing a safety critical IP network

Designing and implementing a secure and resilient network for critical site systems

Vopak run a 24/7 operation at their terminals, and the most critical pieces of infrastructure they own are the systems which allow them to transfer product between ships, storage tanks and trucks. Waterstons were asked to design and implement a new network solution to improve security and resiliency for these critical site systems.

The challenge

Vopak run a 24/7 operation at their terminals, and the most critical pieces of infrastructure they own are the systems which allow them to transfer product between ships, storage tanks and trucks.

Waterstons were asked to design and implement a solution to improve security and resiliency for Vopak’s critical site systems. Historically these systems, collectively known as SCADA, (Supervisory Control And Data Acquisition) have been implemented with their own separate physical communication lines and protocols; however, as Ethernet and IP have become more pervasive these systems are more frequently being found using a shared IP network for communication.

Vopak’s systems are no exception, having grown organically to the point that the vast majority utilise the IP network.

As the security of these systems is paramount to Vopak, Waterstons were asked to implement a solution which would improve the security of their SCADA systems, adhering to the latest Vopak corporate and industry standards.

Implementation

As their trusted IT partner, Waterstons have a proven track record of successful project delivery at Vopak, in addition to a clear understanding of the complexity of working in such a safety critical environment.

Waterstons initially carried out a high level design exercise. This highlighted four key implementation phases which would provide Vopak with full security and resiliency to their critical systems. These include introducing improved fibre connectivity at London and Teesside to improve resilience for critical site systems, and the provision of a disaster recovery (DR) server room at each site to ensure continued operations in the event of issues in the primary facility.

Waterstons re-architected the network to allow for segregation between different categories of device, maximising security; for example a device connected to the wireless network is segregated from critical business systems. Communication between different types of device can be controlled so that only legitimate business traffic is allowed.

As the work involved changes to the underlying network topologies, disruption was necessary and unavoidable; it was planned, managed, and understood in co-ordination with Vopak. This ensured that terminal operations could continue with the minimum amount of downtime.

Defining the security policy for the network was particularly challenging. It was essential that key devices were able to communicate, maintaining safe and efficient operations, while unnecessary communications were prevented. Waterstons used network monitoring tools, combined with logging and analysis methods, to determine how devices were communicating and whether or not the communication was relevant to the business. From this analysis a security policy was designed and implemented.

As the network infrastructure at Vopak is business critical, the implementation ensured resiliency at key points in the network by eliminating single points of failure and implementing active/standby clusters where applicable. This allows one device to fail without negatively impacting the business.

The benefits

Vopak now has secure and resilient network infrastructure at both London and Teesside. Downtime during implementation was minimised.

  • Device segregation with stringent restrictions protect all areas of the network, with a particular focus on business critical systems.
  • The implementation was designed to be compliant with the Vopak corporate and latest industry standards. Waterstons
    worked within these parameters to deliver a solution suitable at both global and local levels.
  • The solution was designed so that it can be split across additional physical locations as future project phases. This will allow the site to survive the total loss of the main server room in a disaster recovery scenario.
  • Management and monitoring has been improved to allow Vopak to see historical and live traffic analysis, and trending. Logging also shows when traffic is blocked by any of the firewalls. This lets Vopak plan for future capacity requirements and anticipate threats to the environment.
The bulk storage market is an extremely volatile one, with regular changing demands from both customers and regulators. Waterstons used their knowledge of Vopak and this sector to design a robust, resilient and secure network which will scale easily as our business requirements change
Richard Betts UK IT Manager