Controllogix networking and security

dcplc (Member, joined Jan 2014, Cornwall, 2 posts)
Hi,

I'm involved with implementing a ControlLogix-based system for a customer using a single ControlLogix on a process Ethernet network with a number of Flex I/O devices and a Rockwell 2100 MCC with E1+ devices. This is controlling a process plant the customer is installing in one of their customer's sites.

Thing is they need to exchange a couple of points of data from their system with their customer's PLC (also ControlLogix) which is running their plant. Neither needs to write data, just read from each other. My suggestion was to run discrete signals (all 4-20mA) between the two as it is only 5 signals, and it could be easily provided by spare capacity on a Flex I/O unit.

However, their customer wants to connect the two systems via Ethernet in order to share data. I'm not keen on this due to the security and potential network issues this raises.

Anybody got any suggestions on how best to implement this? I want to prevent network problems / virus issues, etc., on one side impacting on the other, and there is the concern that their customer might be accessing their system (there are some intellectual property issues with my customer's process).
 
To avoid IP theft, password your PLC.

To avoid network issues at either end, install dedicated ENBTs in each rack specific for the purpose, making them physically isolated from the primary networks.
 
Yeah, have considered putting in a dedicated ENBT at each end; it cuts out HTTP traffic but still allows CIP traffic across the backplane so each PLC can read tags on the other. Thing is I need to restrict this to certain tags only. Customer doesn't want their customer to see what is happening in their process. Also concerned about any other CIP traffic (faulty devices, DoS virus) causing problems with PLCs at either end. My customer's plant is a 5 million USD plant and the other PLC system sits on a control network for a paper machine. Screwing up either plant for any length of time would be expensive!

Both systems are connected to management networks, both have SCADA PCs on the process network, and the management networks are internet-connected to allow remote access. Have got a firewall on the ADSL coming into my customer's management network, and the link to the process network is either through a **** router for me, or via a dual-NIC data collector PC sitting on both networks for my customer's engineers to access using Linx.

Have looked into a suitable firewall to sit between the two PLCs. It will need to be selective on what CIP messages are passed and which are blocked. Having trouble finding what I need, so if anyone has any experience please let me know!

Passwords on Logix 5000 would be good in terms of protecting access. Just needs careful management I guess, as both myself and my customer's engineers will have access.
 
Logix has data access controls per tag - see http://literature.rockwellautomation.com/idc/groups/literature/documents/pm/1756-pm004_-en-p.pdf
Not sure if this will do what you want - might make those tags unavailable to all clients, perhaps you just want to restrict to specific clients.

The Tofino guys (part of Belden/Hirschmann) have deep-packet inspection firewalls for EtherNet/IP explicit messaging available now. Schneider Electric has it - not sure who else markets this feature. I haven't tried this yet (I have used the ModbusTCP device) but would expect your request to be common - restrict tags to specific clients - so I would think it would do it.
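The kind of check a CIP deep-packet-inspection firewall has to make for the requirement in this thread (a given client may read a few named tags, nothing else, and never write), written out as an added example in Python. This is not code from the original posts or from any vendor product. It assumes the EtherNet/IP encapsulation and any Unconnected Send wrapper have already been stripped, so the input is the bare Message Router request; the client IPs and tag names in the allowlist and the sample requests are constructed for the example.

```python
"""
Toy policy check for Logix explicit messaging (added example).

Parses a CIP Message Router request carrying a Logix "Read Tag"
(service 0x4C) or "Write Tag" (service 0x4D), pulls the tag name out
of the request path (ANSI extended symbol segment, type 0x91), and
allows the request only if the client IP is on the allowlist for that
exact tag. Writes are denied outright, matching the thread's
requirement that neither side writes to the other.

Assumption: the encapsulation header and Unconnected Send wrapper are
already removed; the input starts at the service code.
"""
import struct

SVC_READ_TAG = 0x4C
SVC_WRITE_TAG = 0x4D
SEG_ANSI_SYMBOL = 0x91

# Constructed allowlist: client IP -> tags it may read (hypothetical names).
POLICY = {
    "192.168.10.20": {"Flow_Out_SP", "Tank_Level"},
}


def parse_request(payload: bytes):
    """Return (service, [symbolic names]) from a Message Router request.

    Any path segment other than an ANSI symbol raises ValueError, so
    class/instance paths (e.g. to the identity object) are rejected
    rather than silently allowed."""
    if len(payload) < 2:
        raise ValueError("short request")
    service = payload[0]
    path_words = payload[1]                 # request path size in 16-bit words
    path = payload[2:2 + 2 * path_words]
    if len(path) != 2 * path_words:
        raise ValueError("truncated request path")
    names = []
    i = 0
    while i < len(path):
        seg = path[i]
        if seg != SEG_ANSI_SYMBOL:
            raise ValueError(f"unsupported path segment 0x{seg:02x}")
        n = path[i + 1]
        name = path[i + 2:i + 2 + n]
        if len(name) != n:
            raise ValueError("truncated symbol segment")
        names.append(name.decode("ascii"))
        i += 2 + n + (n % 2)                # pad byte keeps segments word-aligned
    return service, names


def decide(client_ip: str, payload: bytes):
    """Return (allowed, reason) for one request from client_ip."""
    try:
        service, names = parse_request(payload)
    except (ValueError, UnicodeDecodeError) as e:
        return False, f"malformed: {e}"
    if service == SVC_WRITE_TAG:
        return False, "writes are never allowed"
    if service != SVC_READ_TAG:
        return False, f"service 0x{service:02x} not allowed"
    if not names:
        return False, "no tag in path"
    tag = names[0]                          # base tag; member names follow it
    if tag not in POLICY.get(client_ip, set()):
        return False, f"{client_ip} may not read {tag}"
    return True, f"{client_ip} reads {'.'.join(names)}"


def build_request(service: int, tag: str, elements: int = 1) -> bytes:
    """Build a Read/Write Tag request with one symbolic segment (for tests)."""
    name = tag.encode("ascii")
    seg = bytes([SEG_ANSI_SYMBOL, len(name)]) + name
    if len(name) % 2:
        seg += b"\x00"                      # pad to a whole word
    return bytes([service, len(seg) // 2]) + seg + struct.pack("<H", elements)


if __name__ == "__main__":
    for ip, req in [
        ("192.168.10.20", build_request(SVC_READ_TAG, "Tank_Level")),
        ("192.168.10.20", build_request(SVC_READ_TAG, "Recipe_Ratio")),
        ("192.168.10.20", build_request(SVC_WRITE_TAG, "Tank_Level")),
        ("192.168.10.99", build_request(SVC_READ_TAG, "Tank_Level")),
        ("192.168.10.20", b"\x4c"),
    ]:
        print(decide(ip, req))
```

A real firewall must also track Forward Open requests for connected (produced/consumed) traffic and the Unconnected Send wrapper that carries requests through a 1756-ENBT to the controller; the allowlist-by-tag-and-client logic above is the part that answers the question in the thread.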
 
Dedicated Ethernet network for PLC-PLC communications isn't anything new. You can use produced/consumed tags to limit what tags are accessed/read, and finally any specific code can be locked down via security without the need for passwords. So, you can grant access to 80% of the logic that someone may need to maintain, and lock out the remaining 20% that is specific to the process.
 
