Control Networks (anyone on my side?)

Hi All,

As most control engineers would state, keep off our control netwok if you are on the business network.

But what if you are a control engineer who is miles away from the control site, and your only way of quick troubleshooting is accessing the PLC or SCADA via the business network?

I am one is such a position, I have for the past few months been taking advantage of a control system that linked to a business network, hence I have modified mimics, downloaded PLC code. Created reports from live data, All from the office, hundreds of miles away.

From then, other control engineers from work have wanted my head to be cut off.

I still want to be able to gain access to the control network, would a dial in server be a possible solution, or any way of ensuring that only an authorised person can access or connect to the control PC's? Including any pings to the PLC's.

Help needed! We are in year 2006, there must be a way of securely sharing the networks.

I agree they should be kept as seperate as possible for the sake of reliability and plant operations.

In a plant I helped build a few years ago, the entire control network was isolated, but the data historian PC and the main programming PC's were equipped with a secondary NIC card to provide connection to the plant LAN. Access was of course firewalled and password protected.

This allowed remote access to the required machines but kept traffic off the control network. We also had modems installed for dial-up access.

I believe this was one of the best layouts I've seen. A couple years ago, at a different facility I saw a problem where we were losing barcode uploads conveniently on Friday afternoons. We traced it back to our Scada Engineer doing massive weekly backups over the network and slowing it down so much that our barcode scanner couldn't upload in time and rejected product.

Why not install a router/firewall/VPN device between the control network and the business network? Basically treat the control network like any other LAN and treat the business network like its the public internet.

This would mean that traffic on the business network would never hit the control network, but that devices on the control network could initiate communications with devices on the business network if needed.

If someone on the business network needs to initiate communications with a device on the control network then that person must first establish a VPN connection to the control network.

Seems pretty simple to me...

-EDIT-

If you are away from the office, but have access to the business network (probably via a VPN) then you should be able to connect to the control network via a VPN connection inside of the 'normal' VPN connection.

marksji said:

Why not install a router/firewall/VPN device between the control network and the business network?

Click to expand...

That's what we do, works very well and at the same time keeps each networks traffic off of the other network

Thanks for the replies

Hi Guys,

Thanks a lot for the replies, I am now putting together a list of items required and an implementation strategy. I have no doubt there will be a buy for implementing such a system.

Thanks,