PLC network security

Christoff84

This might be a little off-topic, but I figure if anyone knows the answer, this forum will.

Currently I have 4 DH+ networks in my plant, which go back to 2 DHRIO cards in a Clx chassis. There is also an ENBT card in the chassis. The ENBT card is connected to our company ethernet system.

My question is, has anyone heard of, or even know if it is possible to hack into the corporate network via the DH+ networks? The reason I ask is that I am being told I must segregate the PLCs from the main network (not a bad idea anyway) but we have a SCADA system that needs to collect data from the PLCs as well as be on the main network to send e-mail/generate reports to network drives.

It seems to me that the DH+ network is like any other external device and I would doubt that it could be used to steal data or corrupt the network.
 
Even if possible, who would have access to your internal DH+ Network that would want to hack into your company's office network?

Seems more logical that someone would try to use the ethernet to disrupt your PLCs (which... I wouldn't worry about), not the other way around.

If it's a real worry from your IT guys, just put padlocks on the PLC cabinets (of course, leaving the disconnects operational)? No access to the PLCs from unauthorized personnel = no worries.
 
Corporate IT people (computer geeks) are a paranoid bunch. They get E-mails every hour from all the companies selling anti-virus and firewall programs. Naturally these marketing gurus paint a grim picture. "If you don't buy or upgrade to our product, you will be attacked by the latest xyz virus".

I am convinced that 95% of this scare is promotional hype. The other 5% is anti-virus software programmers moonlighting at night to create job security. In their position, I might do the same to ensure continuing employment.
 
Separating corporate IT networks from production control networks does have its benefits.

We have our HMIs dual-NIC'd so that one NIC can be on the production control LAN, and the other on the corporate LAN. This will keep the IT folks happy for their issues like security updates, network separation, etc.

Down side is for programming terminals. You would either have dual NICs or a bridge of some sort.
 
This is not directly related to your DH+, but is a PLC security issue that I never thought about until I came across this recently.

I do work for multiple plants of the same company and their networks are all tied together through a corporate network. A machine with RSLogix gateway on the PC was transferred from one plant to the other. While helping get the machine running in the new plant, I noticed the gateway was showing a whole list of other RSLogix gateway PCs. Out of curiosity I checked to see if it was carry over from when it was in the other plant or if the connections could be used through the corporate network. Sure enough I was able to get online with a PLC in a plant 2 states away and they would never know it was happening.

To prevent anyone from getting any ideas, I deleted the gateways from the list, but when I went back a few weeks later they were back on there.
If someone that knew a little about RSLogix wanted to sabotage the other plant, they could do it and have virtually no way of being caught.

The moral of this story is: If you use RSLogix gateway on a plant network, don't forget about the access it has from external networks.
 
Access via the corporate network also presents another issue that there is a lot of printer traffic, internet streaming traffic, etc. When you have a private process control network, the bandwidth is better without all of the other collisions.

In addition, if you set up your network appropriately, security issues are reduced - be sure to have standards and appropriate design.

There are also password features on PLCs (at least AB). If you are even more security paranoid, you could utilize an application such as RSMACC (now FTAssetSecurity) which would audit your PLCs and determine if there was a change. Once again, if set up, you could determine who and what the change was.
 
One straightforward way to separate your production and corporate networks is to use two 1756-ENBT modules. One connects to the Production network and allows you access to your DH+ controllers and other controllers on the Production network. The other connects to the Corporate network and allows their visualization and database software to access the controllers.

Another common and very inexpensive approach is to equip your SCADA computer with two NIC cards, one connected to each network.

In answer to your first question: DH+ only carries A-B controller commands. Nobody with a DH+ card in their computer is going to be able to perform PC-based services like logon or file transfer on your Ethernet network.
 
