Wireless networks can save money and speed turnarounds
Today refineries and other process plants have to run as close to 100% of the time as possible in order to maximize their capital assets, and downtime must be minimized. Of course things eventually do wear out, so periodic shutdowns for maintenance and improvements will always be necessary. The challenge is to make them as short and productive as possible. This article will discuss ways to use today’s wireless technology to maximize efficiency, minimize downtime, and leverage existing resources, especially during shutdowns.
One of the biggest burdens during any plant shutdown that involves changes to control equipment is doing loop checks prior to restart. It’s vital to make sure a valve does not open when told to close, and vice versa, which makes this a critical-path item that translates directly into dollars. The process is burdensome because it requires two people: a worker in the field with a portable radio to watch each valve to make sure it responds correctly when commanded, and a control room operator to send signals to the valve and watch the display to see what happens.
Enter the mobile worker
The wireless worker or mobile worker concept has spread into many businesses, in many cases with workers using their own mobile devices, including laptops, smartphones, tablets, and so on. The trend is seen most often among so-called “road warriors,” who want to keep contact with their companies while traveling, or at least try for the ultimate in telecommuting, and use Wi-Fi hotspots, email, or whatever to maintain contact. They can place orders, track their time, and exchange information with clients.
It would be very helpful to allow plant workers to do the same thing so they could, in effect, take the control room into the field. Using a wireless connection, the mobile worker would be able to not only view a control room display but actually assume the role of an operator, using a remote asset management client with access to such maintenance procedures as calibration, configuration, diagnostics, troubleshooting, and device documentation (Fig. 1). The worker would have access to all the records, documentation, and loop narratives for each device.
Having the ability to take the control room out in the field is a tremendous asset in terms of freeing the people in the control room to do other things. Crews working in the plant do not have to tie up everybody’s time with just mindlessly stroking a valve; they can go out and do it and see it at the same time.
Applying the mobile worker concept to a process plant means equipping the field worker with a portable device that connects wirelessly, generally via wireless Ethernet, to the control room and gives that worker direct access to the control system display, but with the reliability and security of a wired connection. The equipment used is provided by the company, not the individual, and can be a tablet or other handheld device, typically a hardened laptop or tablet computer (Fig. 2). This is a considerable advance over previous remote DCS client methods that used intranet or Internet connections and required the mobile worker to plug into a plant local area network.
The system can also be set up to allow a control room operator to see what the worker in the field sees. This can even extend to video, if the field worker has the equipment to do it. Such a system can also be used for personnel and asset tracking, which is useful for safety, and for safety mustering. If a person doesn’t move within a certain time (perhaps having fallen or been overcome in some way), the system could set off an alarm.
This can pay for itself in the first or second turnaround. And the good news is, many plants already have wireless systems installed, so no new communications infrastructure would be required. And even if such a system is not in place, the investment is moderate compared to a refinery being down for an extra day.
Installing a mobile worker system
Trying to connect a field worker using the same networking techniques that a traveling salesman uses to contact the office is a recipe for failure. If a road warrior loses contact with his or her base, it is an inconvenience but does not stop all work. If a field worker controlling loops in a process plant loses communication, even for a few minutes, everything can grind to a halt. Security is another issue. Wireless security is probably not a top concern for the average road warrior, but it is vital in a process plant.
Most plants have two types of networks: a wireless field network and a wireless plant network (WPN), each with unique technical requirements. They are frequently used together, with the WPN carrying the field network traffic (which has a very small bandwidth requirement) as highest-priority traffic (Fig. 3).
Wireless field networks
A wireless field network is used for process applications such as measurement, sensing, control, and diagnostics. It connects field devices at ISA95 level 0, generally in a self-organizing mesh configuration, using message forwarding and communicating to higher levels via a gateway. Messages are generally short. Such systems are often deployed without an extensive site survey.
The field network most likely to be found in plants considering the use of mobile workers is WirelessHART as defined by IEC 62591, with radios compliant with IEEE 802.15.4. There are other protocols that offer similar capabilities. Components of the field network include wireless field devices, gateways that connect to the host via a high-speed backbone or other existing plant network, and a network manager, which may be integrated into the gateway, host application, or process automation controller.
WirelessHART supports the full range of process monitoring and control applications, including equipment and process monitoring, environmental monitoring, energy management, regulatory compliance, asset management, predictive maintenance, advanced diagnostics, and closed loop control.
Wireless plant networks
WPNs are often implemented using Wi-Fi (IEEE 802.11-2007) and are used for applications like video, mobile worker, location tracking, video over wireless, field data backhaul, and control network bridging, each with its own characteristics and requirements. Messages can be much longer than those of a wireless field network, and may include such traffic as streaming video.
It’s important to note that WPNs use a set of protocols that were developed by the IT community, not industrial networking designers with knowledge of process plant operations.
A professional site assessment is critical to the successful implementation of a WPN. This generally requires engineers to visit the plant to conduct an RF FEED (radio frequency front-end engineering design), determine access point locations, and collect other on-site information. This is followed by system architecture design; based on the site survey result and the plant’s requirements, engineers design the overall system architecture, including the network infrastructure and the appropriate applications. This is followed by the network design and planning process, which creates a detailed network infrastructure. The last step is physical network installation management and system commissioning.
Keeping wireless systems secure
A frequent question raised when wireless networks are discussed is, what about security? Can’t someone outside the plant monitor the signals and gather intelligence on plant activities, production rates, and so on? And what about hacking? If an intruder can get into the system to monitor it, can’t he also make changes? What if someone changes setpoints to cause a shutdown or even a catastrophe?
That’s where modern security comes in. Wireless field networks and WPNs are different: field networks use mesh architecture that is generally considered secure thanks to a series of critical features:
- Channel hopping on top of the standard direct-sequence spread spectrum. This makes the system inherently resistant to jamming attacks.
- AES-128 encryption (NIST/IEEE compliant) for all communications within the device mesh network and the gateway. At this point AES-128 can be considered secure against all expected attacks.
- Individual device session keys to ensure end-to-end message authenticity, data integrity, receipt validation, and secrecy through data encryption. This makes eavesdropping almost impossible.
- Hop-by-hop CRC (cyclical redundancy check) and MIC (message integrity code) calculations to ensure message authentication and verification as to source and receiver of communications. This blocks man-in-the-middle (backdoor) attacks.
- Devices must have a join key pre-configured on the device. This can be either a common join key per WFN, or optionally an individual join key per device. This prevents replay (or delay) attacks.
- White listing with individual join keys gives each device explicit permission to join the network through the gateway/network manager by means of an ACL entry, which also includes the device’s globally unique HART address.
In general, although an unauthorized person might be able to detect that wireless communication exists on a wireless field network, he would be unable to gain access, eavesdrop, or otherwise disrupt the device-level network.
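The join-key and white-listing checks in the list above can be modeled in a few lines. This is an added sketch, not code from the article or from any WirelessHART product. It assumes a truncated HMAC-SHA256 as a stand-in for the protocol's AES-128-based MIC and a hypothetical per-device join counter for replay rejection, and the addresses and keys are constructed.

```python
import hashlib
import hmac

MIC_LEN = 4  # bytes; assumed length for this sketch


class JoinGate:
    """Simplified gateway/network-manager join check (not the IEC 62591 wire format)."""

    def __init__(self, acl):
        # acl: device address (hex string) -> that device's individual join key
        self.acl = dict(acl)
        self.last_counter = {}  # highest join counter accepted per device

    @staticmethod
    def mic(join_key, address, counter, payload):
        # Stand-in MIC: truncated HMAC-SHA256, so only the stdlib is needed.
        msg = bytes.fromhex(address) + counter.to_bytes(4, "big") + payload
        return hmac.new(join_key, msg, hashlib.sha256).digest()[:MIC_LEN]

    def admit(self, address, counter, payload, mic):
        key = self.acl.get(address)
        if key is None:
            return "reject: address not in ACL"
        expected = self.mic(key, address, counter, payload)
        if not hmac.compare_digest(expected, mic):  # constant-time compare
            return "reject: MIC mismatch"
        if counter <= self.last_counter.get(address, -1):
            return "reject: stale counter (replay)"
        self.last_counter[address] = counter
        return "admit"


def demo():
    # Constructed addresses and keys, for illustration only.
    key_a, key_b = b"A" * 16, b"B" * 16
    gate = JoinGate({"00aa000001": key_a, "00aa000002": key_b})
    req = (1, b"join-request")
    good = JoinGate.mic(key_a, "00aa000001", *req)
    wrong_key = JoinGate.mic(key_a, "00aa000002", *req)
    stale_mic = JoinGate.mic(key_a, "00aa000001", 2, b"join-request")
    return [
        gate.admit("00aa000001", *req, good),       # listed device, own key
        gate.admit("00aa000001", *req, good),       # same frame resent later
        gate.admit("00aa000001", 2, b"join-requesT", stale_mic),  # payload altered
        gate.admit("00aa000002", *req, wrong_key),  # listed address, another key
        gate.admit("00aa000003", *req, good),       # address never white-listed
    ]
```

With an individual join key per device, a key recovered from one transmitter is useless for any other ACL entry, which is the practical argument for choosing that option over a common join key.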
While the WirelessHART field network is itself secure, the host gateway by which it connects to the host may use a wired connection or a WPN. For a gateway connected to the host via Ethernet (particularly if the gateway is in an unsecured location), the best choice is to install a firewall in a secure location on the plant side of the wire. For a gateway connected via a WPN, there are additional considerations.
Security for WPNs
WPNs generally use Wi-Fi (IEEE 802.11-2007) and are more vulnerable to attack than are wireless field networks. There are plenty of warnings and horror stories about Wi-Fi networks being hacked, and in fact it wasn’t long after Wi-Fi first appeared that wardriving—traveling about with a laptop, PDA, or smartphone, often connected to a homemade high gain antenna, in an effort to find unsecured Wi-Fi networks—became popular. There are multiple types of threat vectors by which the ill-intentioned can attack a WPN, including rogue access points, ad-hoc wireless bridges, man-in-the-middle (e.g., evil twin, honey pot app, MAC spoofing, etc.) attacks, denial of service (DoS) attacks, jamming (also considered DoS), reconnaissance, and cracking.
Securing against these threats requires both administrative and technical measures. Administrative measures include managing identities, such as assigning and terminating privileges as each employee’s situation changes, along with authentication, authorization, and accounting. Authentication ensures that a person is who he or she claims to be. It can be done using a shared secret arrangement or the IEEE 802.1X extensible authentication protocol (EAP). Authorization determines what a person is allowed to do, and accounting monitors what each person does and when, including attempts to perform unauthorized actions.
Technical measures include a wireless intrusion prevention system (wIPS), a wireless control system (WCS), and a firewall (Fig. 4). A wIPS is a system to monitor the wireless network and the RF signals in the open air. Its purpose is to detect suspicious clients or access points.
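The core comparison a wIPS makes, observed beacons against an inventory of authorized access points, looks like this in outline. This is an added example, not code from the article or from any wIPS product. The SSID, BSSIDs, channels and the `Beacon` record are constructed for illustration.

```python
from collections import namedtuple

Beacon = namedtuple("Beacon", "ssid bssid channel security mode")

# Constructed inventory of authorized plant APs: BSSID -> (SSID, channel, security)
AUTHORIZED = {
    "02:00:00:00:00:01": ("PLANT-WPN", 1, "WPA2-Enterprise"),
    "02:00:00:00:00:02": ("PLANT-WPN", 6, "WPA2-Enterprise"),
}
PLANT_SSIDS = {ssid for ssid, _, _ in AUTHORIZED.values()}


def classify(b):
    """Return a list of findings for one observed beacon (empty if clean)."""
    findings = []
    if b.mode == "adhoc":
        findings.append("ad-hoc network")
    known = AUTHORIZED.get(b.bssid.lower())
    if known is None:
        if b.ssid in PLANT_SSIDS:
            findings.append("evil twin: plant SSID from unlisted BSSID")
        else:
            findings.append("unlisted access point")
    else:
        ssid, channel, security = known
        if (b.ssid, b.security) != (ssid, security):
            findings.append("listed BSSID with unexpected SSID or security")
        if b.channel != channel:
            findings.append("listed BSSID on unexpected channel")
    return findings


def scan(beacons):
    """Return {bssid: findings} for every beacon that needs attention."""
    return {b.bssid: f for b in beacons if (f := classify(b))}


# Constructed observations from one monitoring sweep.
SAMPLE = [
    Beacon("PLANT-WPN", "02:00:00:00:00:01", 1, "WPA2-Enterprise", "infra"),
    Beacon("PLANT-WPN", "02:00:00:00:00:99", 1, "Open", "infra"),
    Beacon("PLANT-WPN", "02:00:00:00:00:02", 11, "WPA2-Enterprise", "infra"),
    Beacon("laptop-share", "02:00:00:00:00:77", 6, "Open", "adhoc"),
]
```

A listed BSSID that turns up on the wrong channel or with different security settings is worth the same attention as an unlisted one, because a copied MAC address passes a simple BSSID check.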
The WCS is the graphical tool that lets network managers design, configure, control, and monitor the entire enterprise wireless network from a single location, simplifying operations. It oversees a series of WLAN controllers. This software provides network management, including diagnostics and troubleshooting tools, to keep the network running smoothly.
A firewall should be installed at each network level to serve as a belt-and-suspenders measure to ensure only traffic meant for each network level is routed through. The table summarizes common plant network threats and strategies to mitigate them.
Table 1: Threats and mitigations
It is not difficult to secure a WPN, yet unsecured installations certainly exist. In a presentation at Emerson’s 2012 Global Users Exchange, Neil Peterson, Emerson’s wireless plant solution marketing manager, suggested the main reasons for unsecured networks are human factors, poorly formulated policy (or none at all), poor configuration, bad assumptions, lack of understanding of the problem, and failure to stay up-to-date. “The latest encryption algorithm,” Peterson points out, “cannot make up for poor business processes.”
Wireless networks, at both field level and plant level, can have multiple benefits. Wireless field networks allow field devices to be installed in places where wired devices could not be economically justified, or in some cases installed at all. Wireless plant networks make it possible to speed up plant restarts, and give field operators the ability to perform actions that previously could be done only in the control room. They also allow for personnel tracking and much more. But to make such a network worthwhile it must be installed with care, and with close attention to security.
Steve Elwart, PE, PhD, is director of systems engineering, Ergon Refining, Inc., and he thanks Neil Peterson for contributions to this article.
For more on wireless security, see “Emerson Wireless Security: WirelessHART and Wi-Fi Security”
- Wireless networks can allow operators to perform control-room functions anywhere in the plant
- In a plant context, there is usually more than one kind of wireless network to cover all needed functionalities
- Wireless networks can provide a major cyber attack surface if not deployed with sufficient thought to security