Plant Networking Help

I currently have well over 300 plc's and associated I/O and other automation hardware in our plant

We have a little of almost everything but about 85% is Rockwell Automation.

The bulk of the rockwell stuff is on data highway. We have 2 data highway netwoks maxed out and many devices not networked at all.

We also have abot 7 nodes on 1 ethernet network.

All of this is maintained by using a couple desktops and laptops in the maintenance shop. The problem is none of these computers are on our plant network because it does not want the pc's that are connected to the automation to be on the network because of security.

It is difficult to maintain this equipment in this manner. I would like to get some kind of connection to the network to save programs and to maybe have some version control software and software liscense control. Right now we are always moving dongles arounf and activations around to get the work done.

I am looking for some secure network examples,tips,ideas,etc to have these functions and not put ethernet ip multicast traffic on our corporate/global network. I am trying to convert to all clogix and ethernet ip with distributed i/o on ethernet ip.

our IT Dept here is very worried about security network crashes,etc. And they are very difficult to deal with and not open to many ideas so i need some idea i can put on paper and show them how it would be secure.

Problem is my networking skills are very simple i have seen people do this with dual nic's on all the pc's connected to the plant floor network but how secure is that?

You could create your own Automation VLAN that would be very secure.

The easiest way is to build your own network, create an IP mapping scheme for your automation network and have at it.

Then equip your desktops with a second ethernet card, so one is configured for your office network the other is configured for the automation network.

Laptops, ask if you can get wireless in your maintenance shop for office network access and keep your wired port setup for the automation network. You could also consider docking stations that take another ethernet card, so when docked that card is for the office network, the built in is for the automation network. I'm not sure how many docks out there can take another ethernet card, I know older dell D docks could do this.

I do plan on building our own network.

When using the 2 nic idea exactly how secure is this? can anyone expand?

From my mind the main downside to the 2 nic solution is that we would be locked into using these computers only and since we now have factory talk activation it would be nice to setup an activation server and using any pc on the network but maybe this is not possible and still have the security and isolation.

As far as laptops we have begun to scan all prints and manuals and all techs have a laptop to do workorders ,parts,pm,and to get maintenance documents off the network and we have other laptops for programming. It would be nice to combine this.

The tech laptops are currently using wifi to access the company network

This is definately do-able. I'm not into IT, but I have worked at plants that have the infrstructure needed.

I believe it's VLANs and Managed Switches that solve the issues, even allowing secure remote access via the Internet.

our IT Dept here is very worried about security network crashes,etc. And they are very difficult to deal with and not open to many ideas so i need some idea i can put on paper and show them how it would be secure.

Click to expand...

Isn't that their job ?

Look at Real VNC

There is currently another thread about Real VNC. You might find it a low cost tool to help manage your different brands of PLC's etc. I too recommend you create your own network.

Tell your IT department to do their job.. it can be done using managed switches. You can use a certain subnet for your PLC network completly seperate from your company network.. Dual Nics would be fine as long as you dont bridge them

If your plant employed the S95 model, that would provide you with redundancy as well as a "production" lan seperated (can be virtually) from the "outside". Once an "attack" comes on the network, a "bridge" can be lifted that will isolate the production lan from the outside world.

plc noob said:

I am looking for some secure network examples,tips,ideas,etc to have these functions and not put ethernet ip multicast traffic on our corporate/global network. I am trying to convert to all clogix and ethernet ip with distributed i/o on ethernet ip.

our IT Dept here is very worried about security network crashes,etc. And they are very difficult to deal with and not open to many ideas so i need some idea i can put on paper and show them how it would be secure.

Click to expand...

Your IT department is putting up a smoke screen. There are six dozen ways to skin that cat.

Using any of several technologies and protocols combinations, you can set up the network infrastructure with the appropriate isolation, network security, traffic management, traffic direction, inter-network communication, etc., etc.

However, with that said, it will require a significant amount of network engineering, and probably some capital expense to build. More than can be accomplished here.

IMO you will need to find someone to work with that can help you build a network design and business plan/value proposition that you can escalate up through the IT department.