Network topology advice

cardosocea

Hello Gents,

I have a dilemma at work that I'm trying to weigh and decide on that I'd like some help with.

In other places I worked, our PLCs were all connected in an optical ring configuration, then separately the SCADA units would all be connected in another optical ring configuration, and both these along with the Data server, clock server and external network (for remote support and monitoring) connected to a CISCO router.

This to me made sense as the only thing the CISCO router would affect was the possibility of the SCADA to retrieve historical data from the History Station.

I have now arrived at my new place of work and my predecessor decided to have the network without structure (all machines connect to a couple of switches linked through copper), and what I don't understand is that third party PLCs (that are critical to the process) are separated by a router.

I could understand if the third party devices were computers, but they're just PLCs and having another device that can fail in the loop is definitely not something I like seeing.

What is your opinion? Do you guys separate PLC systems from vendors with a router or do you keep all of them together in the same network and use the router to separate and manage traffic between networks and devices?
 
First, the ideal solution is not always what is done. Not all solutions are the result of actually designing the needed solution.

Second, it really depends on the needs. The more secure it needs to be, the more hw there will be between the outside world and the last level device.

Ideally I would like:

1. Own fully separated network for field devices
2. Own fw separated networks for different parts of the plant (plant network segments) for scada etc. needs.
3. DMZ for all those server requirements attached to nw2
4. "office" network connected through fw to dmz.

Now, redundancy needs (optical rings, double the devices etc.) are derived from the need and cost of such solutions. All plants have their own needs and the cost that can be justified.

Security needs should be derived from risk assessment; not all plants need tight security that makes it hard to penetrate even for NSA. That must also be taken into account with the cost the security brings.

There really is no hat that fits all heads.

You say that you have been accustomed to some solution. But the real question is why such a solution has been done. Same goes for your current plant. Why have some devices been separated with a router? Maybe it was the easiest way to give them their own private network...
 
Thanks for the reply.

The solution I'm used to is derived from the high cost and impact of losing communications between machines (there were around 8 machines linked together by network that needed comms between each other to have the system work). For this reason, having a router dividing a network of PLCs was not a good idea.
Having the router separating SCADA from PLCs from support networks did make sense in terms of security.

Although now, I have a router separating two PLC networks and they require comms between each other to have a fully functioning system. For this reason, I don't see the need of a router separating these networks. I'm also not sure what kind of delay the router will add to the comms and whether it is stable or not.
 
A properly configured route should have negligible impact on communications.
Probably a ms or 2, assuming the network hardware isn't operating > ~90% load.

That said, I agree w/ having as few points of failure between devices that need to communicate where possible.
 
4. "office" network connected through fw to dmz.

This should be the constant with every facility. Protect your controls network from the enterprise side (IT sees it the other way around).

How the controls network is configured will be different everywhere depending on reliability needs, up front design consideration, and even the knowledge of your predecessor.
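
An added example, not part of the thread: a small Python model of the two trade-offs discussed above, namely which single device failure cuts two PLC networks off from each other, and how many firewalls sit between the office network and the field devices. The node names, the links, and the firewall placed in front of the field network are all assumptions constructed for illustration.

```python
from collections import deque

# Constructed topology loosely following the four-tier list in the thread.
# Every node name and link here is an assumption, not a real plant layout.
LINKS = [
    ("office", "fw_office"), ("fw_office", "dmz"),
    ("dmz", "fw_plant"), ("fw_plant", "scada"),
    ("scada", "fw_field"), ("fw_field", "plc_net_a"),
    ("plc_net_a", "router"), ("router", "plc_net_b"),
]
FIREWALLS = {"fw_office", "fw_plant", "fw_field"}

def build(links):
    """Undirected adjacency map from a list of (a, b) links."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def reachable(graph, src, dst, removed=frozenset()):
    """Breadth-first search that treats `removed` devices as failed."""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in graph[node] - seen - removed:
            seen.add(nxt)
            queue.append(nxt)
    return False

def single_points_of_failure(graph, src, dst):
    """Devices whose loss alone disconnects src from dst."""
    return sorted(n for n in graph
                  if n not in (src, dst) and not reachable(graph, src, dst, {n}))

def min_firewalls(graph, src, dst, firewalls):
    """Fewest firewalls on any path from src to dst (0-1 BFS); None if no path."""
    dist, queue = {src: 0}, deque([src])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            cost = dist[node] + (nxt in firewalls)
            if cost < dist.get(nxt, float("inf")):
                dist[nxt] = cost
                (queue.append if nxt in firewalls else queue.appendleft)(nxt)
    return dist.get(dst)
```

Re-running `min_firewalls` after adding a dual-homed link such as `("office", "scada")` shows how one shortcut collapses the layering, which is the kind of drift worth checking for in an unstructured network.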
 
