Is anybody using 802.11 (WiFi) for Ethernet linking?

I'm curious if anybody is using 802.11b or 11g to link their plcs and/or OITs in their plants. I've seen alot of activity in the proprietary spread spectrum Ethernet radio area. They're mostly touted as a means to link devices wirelessly and avoid the security concerns of using an "open" wireless technology like 802.11 that D-link, Linksys and others sell at Best Buy. Theory is "If you can't understand the wireless protocol, you probably aren't gonna try and hack it." There is some truth to that logic.

However, it's hard to avoid the attractive pricing of some of the WiFi stuff out there. With WEP and the new WPA encryption, security seems less of a concern, as long as it's properly applied.

I'd like to know how everybody out there is dealing with this issue. I work in the water and wastewater field and AWWA (American Waterworks Association) and WEF (Water Environment Federation) have done an excellent job of scaring the bejesus out of everybody with security concerns at the treatment plants. I'm not convinced that there are people out there actively looking to mess with the return sludge pumps. It's prudent to be cautious, but I think it's gone a little overboard.

Tim

Today I connected wireless access point on AB PLC5/05 network it work nice.
The problem is it stop to work after about 60 foot.
The manufacture wrote that it suppose to work 300 foot.
I put D-Link unit and I still have a same problem.
I treid it at home and still have short distance.
When it will work I will wary about security.
I made line for recycle cars oil filters for company who dealing with all the mass of Batteries Biological wast and industrial wast.
The smell is not somthing you would like to smell.
All the environment are polluted.
When I comming there I try to short my staieng as I can.The smell is stick to my car my tools my computer and my clothes.
I made some drainage sites so I can understand the environment of your work.

There are a few things I'd be concerned with:

D-Link is not industrial equipment. What do code books say about that? The stuff may work fine for 10 years, but then again... Would it be wiser to find something designed for the application? What about reliability, temperature range, flame safety? You may be looking at some future headaches.

As far as security goes... Someone should need the proper programming software in order to mess with your system. WiFi might seem less secure because it's floating out there in the air. Can the guy in the parking lot really access the network? How much harder is it to connect to the PLC directly and upload? Since the guy needs RSLinx, DirectSoft, or whatever to connect; is he more likely a hacker looking to screw things up or one of your competators looking for info? What risks are you willing to take? You can SEE the guy standing there with the laptop plugged into the PLC. But, you should be able to log him if he connects to the ethernet, too.

I'd shy away from WiFi or radio if I thought I couldn't afford to LOSE the link. I don't think I'd be as concerned about the risk of always having a live air-wave connection. But, it depends on the potential for mischief, of course.

AK

I agree on the reliability issue. The consumer grade equipment has a high failure rate. I would not propose it for anything other than OIT or possibly view-only SCADA workstation links. I'm just curious as to what the experience of others has been.

Judging from the lack of responses, I assume one of three things here:

1) Nobody's done much of this.
2) Nobody cares
3) I've stepped into the grey area of nobody wanting to discuss anything to do with their own plant security issues on a public internet forum.

If 1), I'm surprised
If 2), I'm astonished
If 3), I understand perfectly and apologize for asking.

Tim:

It seems to me that option #1 is the most likely reason.

I am in a similar crunch these days. No, we don't have to reach hundreds of feet away to communicate with some remote station. Our custom-built machines are installed in our company plants in several locations - mostly US and Mexico. Regardless of the location, this is still the corporate network (everything is behind the firewall), so my group is truly blessed with the possibility to be able to access our controls stuff directly via Ethernet. We love it and we have been using it to our advantage, troubleshooting and fixing problems remotely, avoiding trips and so on. All we need is a single network drop per machine.

However, most of our plants went wireless. As a matter of fact, there is not a single PC on the production floor that has the good old RJ-45 cable plugged in. There is no drops. Period.

Of course, it is the IT department who developed the system. They are aware of the existence of workstations, desktops and laptops. They are not aware of anything else. Of course, data security was one of the primary concerns (rightfully so). The system is quite mighty and quite secure. It uses Cisco wireless access points installed throughout the plant and Cisco wirelss cards in the PCs: PCI bus for desktops, PC-Card (formerly known as PCMCIA) for laptops. This stuff supports a security scheme the name of which escapes my memory at the moment, however the basic idea is not something new. Unlike D-Links and Linksyses, where one can enable a fixed security key used to encrypt the data, this system generates a key based on user login data (and, possibly, something else) and keeps changing those keys dynamically using some secret algorythm or whatever. I don't know if anybody can hack this - everything is possible, but this must be really hard...

The point though is this: in order to support this security standard, there must be a user who logs on and off. Cisco does not have a bridging device that is wireless on one end and wired on the other. Their access points are expensive - 7 to 8 times more than a Netgear from your local Best Buy. We do not know at the moment of any other manufacturer who produces an inexpensive wireless bridge capable of supporting all this security stuff. IT department is strongly opposing to setting even a small segment of the corporate network to lower (static-key) security standard - after all, it is their a** to keeep the company data protected.

We are in limbo. There is no solution at this time my group is aware of. We have to wait for something to come up.

I carry a LinkSys WAP with me so I can go online with my PLCs at my customer sites. It works great for development and troubleshooting (the machines aren't within sight of the PLCs in most cases).

So far, only one customer of mine has said "no" to a WAP due to security concerns. They hadn't had problems in the past, but they stand by their policy, so I drag around an ethernet cable and plug in wherever I can, which works ok too.

I even have one customer who uses a WAP in conjuction with a maintenance HMI on a laptop so they can control any part of the machine remotely. At first, it seems that wireless would propose some safety issues, but actually it turned out safer than ever before because the GUI provides much more machine feedback than a remote PB panel ever could.

Akreel's points are well taken. Because the technology is relatively new, and has sped past the ability of industrial standards to keep up, I would not personally recommend a WAP to a customer. I use my own for my use only. As for the customer who uses one with the laptop, I made it clear that the "correct" way would be to install numerous ethernet drops to plug into, but that a WAP would work as well as long as they purchased it and was responsible for it.

At present I am trying to hook up a WAP to the control logix ehernet in the plant to allow to troubleshoot on a notebook right at the worksite, not 50 metres away. I am having trouble with the wireless and the LAN network conflicting in linx, but when I get it sorted I will post back here. Regards Alan

We have a number of AGV's that use wireless to communicate minor stuff like, oh, when to run and when to stop.

Sometimes, due to an error (I would have to look it up), it forgets to stop. Very exciting when this happens. Very, very, exciting. Especially since the conveyor that it would otherwise mate to already has (and it hasn't).

The unbelievable part is that the-company-who-shall-remain-nameless-whom-we-bought-this-junk-from absolutely forbids the use of their AGVs without a working gyro (so we have to walk an AGV out by hand when it dies, extremely slow) but it's ok to run the stupid thing without reliable stop/start control.


As for security, just following the home network advice will go a long ways towards making your system much more secure (not that this is a recommendation).

The problem is that your network then becomes no better than its (worst) administrator. And if that happens to be your average PLC jockey (especially me), you're in a world of hurt.

Here's some easy reading:

http://arstechnica.com/paedia/w/wireless-security-howto/home-802.11b-1.html
http://www.secwiz.com/Default.aspx?tabid=24


And Cisco has had its troubles lately...
http://news.com.com/2100-7351_3-5113232.html?tag=nefd_top

You could look into Kerberos and ssh (not without their own problems).
http://web.mit.edu/kerberos/www/
http://www.ssh.com/


Anyways, I wouldn't recommend it for control. And I'd rather be right at the panel where the action is when it comes time to program the beast.


John

I'd get that AGV company in to look at that before someone gets hurt. Our AGV system is set up to stop the vehicle if the radio modem link is gone. And speaking of radio modems, our system is quite large and has two master radios that communicate with the slaves on the vehicles. This would seem to be quite better than wireless ethernet. I haven't researched it too much, but from what I understand, the company that makes the radio modems this system uses also has one that mounts in an SLC chassis.

Wireless on the PLC doesn't make as much sense as wireless nodes for mobile users. The PLC isn't likely to go anywhere, you might as well hard-wire a connection and get an industrial switch with galvanic isolation and all the other good stuff (fiber?). Then, you can put a wireless base in the office area of a facilty for your engineers/technicians to connect through.

I've been through some training on industrial ethernet devices. You can do plenty of cool things with plain-old copper and fiber. I really don't know what will happen with WiFi. Considering the fact that there are already Bluetooth (look up "bluesnarfing") hackers out there... At least copper lines give you limited access points and the ability to put in firewalls and such; not that I've ever seen a network that was truly protected against anyone but the people who NEEDED to have access.

AK

We installed Spread Spectrum communications in our AGV's

John,

We recently installed new spread spectrum wireless communications on our AGV Systems. We have been experiencing problems where are communications our interfering with our vehicle electronics. Sounds like we may have the same unmentioned Vendor!

AGV Guy

we'd made a similar connection between two plc's using two access points about a year ago. access points are connected to ethernet port of plc's. they communicate wireless with ieee 802.11.

Couple of days ago, on of the access points stopped working(RIP). So i bought the same brand same model Access Point [DWL2100AP]. firmware versions of two devices were not same. so , i could not manage to work them together , although i had the configurations files for bıth APs.

Anyway, the machine was an important one and there was no time. So i decided to buy another couple of APs of another brand. I quicky configured the new devices and they worked. I thought the problem was solved , but i was wrong the technicians keep on calling me because the communication does not work properly. They say the communication breaks down 2-3 times a day.D-link never did the same malfunction. I advised them to connect UPS for APs. But it did not solve the problem. Possible cause of the malfunction is EM interference. Wish i could work D-links.

In this site, we had to use wi-fi , because one of the PLC's is on the turning table. This macnihe produces a part of car seats for Ford.

Is there any other idea for the reason of communication breaks?