In the PI infrastructure, is it possible to use Waterfall instead of a firewall?
I'm assuming you're referring to the unidirectional data diode device from Waterfall Solutions? I don't have any direct experience using the Waterfall security device, but have previously spoken with one of the guys that used to work for the company. Their unidirectional device apparently directly supports the PI system as well as major industrial protocols like OPC, Modbus, etc. While I believe that this is a compatible option for use within your PI system infrastructure, you should do your research to make sure it's an appropriate fit for your environment.
Bryan Owen might have some more knowledge about the usage of Waterfall within the PI system security model.
If John is correct and you are referring to data diode devices from Waterfall Solutions, they are an OSIsoft partner and they can be used with OSIsoft products. However, it is important to understand the inherent limitations of their use with certain products/applications.
See KB01099 - Data Diodes for some more information.
Hope this helps,
Yes, I would say so, in most cases. The Waterfall product is essentially a PI-to-PI interface with a physical one-way connection between the two networks.
Yes, we've implemented a Waterfall unidirectional gateway solution to separate the operations network from the enterprise network to protect plant control systems. The plant uses a Citect SCADA system and the two networks connect using a PI-to-PI interface. If you have a strict budget, it's worth noting this setup means you will need two tags for every data point you want to monitor - one for the operations side and one for the enterprise side.
Edited to add: Take a look at this NIST Cybersecurity Practice Guide, Special Publication 1800-7: "Situational Awareness for Electric Utilities". This describes the proof-of-concept project that led to the full implementation I now work with at UMCP, including the PI system and Waterfall installations and connection.
Consult with your OSIsoft regional representative - usually the "forwarding" PI server on the protected side of the data diode can be licensed differently because it basically just forwards data and therefore doesn't do all of the functions of a normal PI server.
That's very interesting, Steve. I will have to check up on that. Thanks for the info!
Kelsey, nice info, and thanks for sharing with the community. Could you please also highlight whether there are any specific OSIsoft licenses required to transfer data across the data diode, maybe a PI Ancillary Server License, PI to PI Interface License, PI PSA License, etc.?
Thank you in advance.