Type of Engagement: project
Timeframe: 04/14 – 11/14
Value Range: >1m
Description of Engagement
Segregating control networks from the Enterprise network became a new requirement at this tier 1 mining company as a consequence of new Security & Networking corporate requirements established in the recently issued Group Level Documents GLD.048.01 Information Management – Security Technical Specifications, and of the accountability of the Information Services team described in GLD.001 Organisation Design.
Type of Deliverable
Vantaz has analysis, design and implementation experience in segregating the PCN and Business networks to make the Industrial Network secure, fit for purpose and compliant with GLD. We follow a risk-based approach to streamline the application landscape in business and PCN networks.
From a technical standpoint, the initial situation at this tier 1 mining company was characterized by several existing issues with respect to control network segregation:
- PCN solutions' security, capacity and availability levels were not being met despite the over-assignment of technical and technological resources.
- Management of Industrial Network Operational Technology (PCN) systems and applications required access to the corporate Enterprise network, as many PCN systems were running on 1Desktop computers
- Enterprise Services definitions and “One” corporate initiatives (1SAP, 1Desktop) lacked the security elements required to protect control networks
After analysing the issues described, a framework was developed to identify all the elements required to define a Core Network Model, which allowed:
- Unification, within a common environment, of all services required by all Business Units demanding access to control systems and other core network services in this tier 1 mining company.
- Central administration and use of economies of scale to provide IS services
- Increased Security, Availability and Standardisation levels within control areas of the Industrial Network Operational Technology team (DCS in the tier 1 mining company).
The specification focused on:
- Design based on all-class industry standards such as ISA 95 & ISA 99.
- Platform for Common services under a unique core domain (ESCCORE)
- Industrial Network Operational Technology teams from different operational units all integrated under the same platform
- Security and independence under the DCS specific requirements.
- Flexibility, integration ability and scalability
- IS Services standardisation
The common services platform was developed on a Security Model that enabled all business, PCN and technical components to integrate through ISA standards.
To help the client develop a Security Model for PCN Segregation, Vantaz delivered the following at different project stages, using the Small Project Management Framework as the client requested:
- Stakeholder analysis
- Local change impact assessments and completing follow up actions
- Requirements gathering and analysis
- Basic / high-level Discovery.
- Project Initiation document (PI).
- Conceptual Solution and IT Alternatives.
- High-level ROM development.
- Set KPIs, as per business and Sponsor requirements.
- Identify customer expectations.
- Project Scope of Work Document (SOW)
- Impact and Risk Analysis.
- Cost Estimating Document, detailed ROM development.
- Scope the segregation and remediation actions to align to business needs.
- Plan schedule and WBS built.
- Architecture Design and Technology Frame of the IT solution.
- Development of Basic Engineering.
- Development of Detailed Engineering.
- Recruitment and team management
- Request for Proposal support and Assistance to select a Provider.
- Lead the KOM meeting and its topics, acting as moderator.
- PMO set up for the project.
- Business and Technical Change management
- Communication and training plan and implementation
- Risk Assessment Workshop with tier 1 mining company’s method. (Using GLD).
- Standard project plan, tracking and status reporting (including weekly status).
- Budget control
- Risk issues assumptions and dependency logs
- Vendor / 3rd party relation, procurement, stakeholder management and RACI development.
- Conflict management and resolution in the field. RCA when needed.
- Direct contact with client and LSP to schedule implementation date and time.
- IT Assistance over SAT (Site Attendant Testing).
- Ensure and define all the facility specific requirements (HVAC, energy, racking space and best practices).
- Relation and Services Request to IBM (LSP).
- Commercial contract impact assessment and negotiations
- QA of key design elements recommended by technology partners (from RFP).
- Project control, resource induction, travel, logistics arrangement, procurement planning.
- Hand over the corresponding documentation and execution plans to Support.
- Development and review of As-Built Documents (Network and DataCenter).
- Debrief customer survey and benchmarking within the tier 1 mining company.
- Close-out meeting with lessons-learned workshop.
After the Hand Over to Operation of the PCN Security Model, the production plants began an Integration Process to this new segregation standard. This was perfectly aligned in time with the upgrade of the Control Systems, which took place with planned operational outages.
The following operations sites / plants were integrated with Vantaz support and assistance. Vantaz delivered a PM, Design and Technical Assistance service in order to ensure that the standards and best practices were in place for the integration.
- Oxide / Sulphide – Date 2011, Upgrade to Industrial 800xA 4.0.
- Laguna Seca – Date 2012, Upgrade to Industrial 800xA 5.1.
- Desalinator – Date 2012, Upgrade to Industrial 800xA 4.0.
- Los Colorados – Date 2013, Upgrade to Industrial 800xA 5.1.
- Filter & Port – Date 2014, Upgrade to Industrial 800xA 5.1.
- Oxide / Sulphide – Date 2014, Virtualization and Upgrade to Industrial 800xA 5.1.
- Desalinator – Date 2014, Upgrade to Industrial 800xA 5.1.
- ECT Pipeline – Date 214, IT Guidance and Definitions for Integration.
- OGP1 Concentrator – Date 214, IT Guidance and Definitions for Integration.
The Security Model for CORE Network Segregation is current and standard for the tier 1 mining company, operating and delivering custom benefits to PCN related sites.
The solution was implemented on the Mine Site, in the ER16a Communication Room, where the new segregation layer was deployed with an infrastructure of Firewalls, distribution/access Switches and a robust VMware farm to host decentralized IT services for the sites mentioned that will eventually be integrated.
Vantaz provided detailed Engineering for the design of the complete solution, covering network layout, systems and infrastructure, to fit the technology frame of the tier 1 mining company at the desired performance and availability (HA was an important focus on the technical side). Procurement support was also delivered in each case to ensure a compatibility matrix, life-cycle renewal and synchronism with the planned chart, as per customer expectations.
A new Microsoft Domain called ESCCORE.local was created specifically for the PCN environment, with a set of primary and local Domain Controllers on each site, so that replication of objects could occur with a security layout for each user. Systems were organized and arranged for integration into the Domain by creating new Organisational Units (OU), one for each Control / Expert System, so segregation at this level was also taken into account. This new Domain had no Trust Relationship with the AMERICAS Enterprise Domain, so objects, groups and GPO policies were independent for the PCN environment.
Vantaz produced the design and solution for this new Domain, working with Microsoft and with the primary vendor for Control Systems, so that the vendor could arrange and prepare this change from the Factory stage of each Upgrade project. Change management for this technical dependency was therefore controlled early, with Vantaz participating in FAT and SAT testing and advising the DCS and IS customer at all times.
Vantaz also advised the Local Service Provider on the Firewall Rules and on the business definition of what the Access List should allow or deny, considering IT services, data collection or Remote Access for post-implementation support, so that the path from Restricted Connect to the LAN, the Firewall and the PCN was controlled throughout.
Our knowledge and long experience of company standards and practices allowed us to provide integral solutions for PCN requirements using IT as a facilitator, at both Group Level and Business level. This solution is currently a success case for IS Management, creating a dedicated standard for the tier 1 mining company’s Network Security Model for PCN Segregation.