Network Security

daithi1979

Member | Join Date: Sep 2011 | Location: Limerick | Posts: 11
Hi All,

I am in the middle of connecting some machinery to our company LAN for data acquisition via FactoryTalk Historian. I am running into some issues with IT, who are reluctant to give static IPs and allow the equipment to be connected to the network, referencing viruses such as Stuxnet.

To try and persuade them to allow connection I have said that I will install a separate NIC on the machines and essentially create a VLAN with an internal and external network. So the HMI running Windows will not be directly connected to the external (company) network.

My question to you is, does this VLAN solution make sense, or is there a better solution when connecting PLCs to a company network that will deliver added security?

Can a virus jump from one NIC to the other?

Appreciate any help.

Dave.
 
Your mileage may vary, and your IT department may just be "We Must Be In Total Control Of Everything Connected To Us" as many are.

My solution is several fold...
For EtherNet/IP controls / drives networks, I put a separate Ethernet card in for I/O and drives communications, on a local private network (192.168.1.xxx). Then I put in a completely separate Ethernet card for communications upstream to the plant. All of the machines are linked to a higher-level machine network, which ultimately should have the Historian on it. Then there is a router/switch that provides a single point of connection up to the corporate IT department.

They can do whatever they want on their side of the single connection router, and have absolutely no rights or authority on the machine side.

VLANs can work, but that still leaves huge holes for Corporate IT to completely and randomly screw up machine operations, as they typically don't care about anything except what they feel they need to play with at the moment.

And, a targeted virus can do just about anything it is written to do.
 
Thanks for the reply.

Same approach I am proposing I guess.

Are you aware of any other solutions, managed switch at machine level etc.? Would be interested to know if this is the most robust solution available.

Thanks Again,
Dave.
 
Any solution that allows IT to touch ANYTHING on the machine side is bad. You need to do an analysis to determine the degree of badness you are willing to put up with.
 
daithi1979,

If the existing network is, let's say, 100.100.100.xxx
and your proposed network is 192.168.32.xxx, and the two cannot see or connect to each other at all, you may have a leg to stand on.

We have 2 networks here: corporate and plant.
The 2 could see each other and someone on the corp. side brought in a virus and it went everywhere on both networks.

Now the corp side cannot see the plant since it has internet access.

regards,
james
 
You should probably have them recommend a solution. In my experience with Nazi-like IT departments, no solution you propose will be good enough.
 
Granted, it is now in the wild and a lot of unscrupulous individuals have access to it. But keep in mind that it took a nation-state to develop Stuxnet. Are you doing something that would draw that kind of attention? Stuxnet is kind of a bad example in this case anyway. One of its more brilliant aspects was its manipulation of the human condition to spread. Nothing your IT guys are talking about would stop that.

As rdrast said, in the end you need to decide what level of risk you are willing to bear versus the level of pain it will cause to mitigate that risk. Be careful of seeing ghosts.

Keith
 
IT departments are a PITA, but this stuff is important to be honest.

So the machine running FT is already on the corporate LAN?

The second NIC is not a bad idea, as keeping a separate network means the FT machine needs to become compromised for an attacker to gain access to the control network. (Assuming you have no other external access points.)

You can go a step further and add a transparent firewall between the FT terminal and the control network, and limit access to specific MAC addresses on required ports only. Just make sure that this practice is documented, as it can be very confusing if someone changes the PC and now the comms don't work!

I don't know how big your company is but they should really have a corporate policy on Cybersecurity that defines the requirements for this sort of thing. IT, management and engineering all need to be involved in the development of such a policy. It's a big job but well worth it so that there are no arguments like this when the IT manager changes etc.
 
I agree, them trying to use Stuxnet as the reasoning is poor. They clearly don't understand that situation. But, perhaps your company is making stuff that is extremely dangerous or has a lot of priceless IP. But if you're just making chocolate milk o_O

I would add a hardware firewall solution as well, I know something like this has been recommended in the past. I've never used it but have considered it.

https://www.tofinosecurity.com/products/tofino-xenon-security-appliance

I would like to think that an IT company understands that the business needs to be successful and it's their job to ensure people can do their jobs and continue to make the company productive while keeping it secure. They should have suggestions and be working with you to find an acceptable solution.
 
First let's determine what you need. Then let's determine why you need it.

You say you want to connect to the corporate LAN but why? Why do you need to do that?

Are you planning to have a historian or other data collection? Maybe it's best for that to reside on the machine network if only people who have access to the machine network need it, such as maintenance and Engineering.

The best solution is to have a fully separate network for the machine network, meaning separate switch, separate media such as copper Ethernet or fiber or a serial network, and then connect to the corporate LAN only if it's needed and only at one point, with a firewall on both sides.

Things like Historians, recipe servers, etc. that need access from both sides should sit in a DMZ with a firewall on the corporate end and on the machine network, controlling and allowing only the specific traffic that is needed into and out of the DMZ.

Maybe you only need traffic flow in one direction, such as from the machine network to a historian, and that's it; then use a specific firewall rule to allow flow in one direction, or use a data diode http://www.owlcti.com/products/products_hardware.html but for traffic that does not require an acknowledgement.

On the machine side you need to use a firewall that's geared for manufacturing equipment and is industrial protocol aware.

You also want to avoid Internet access on the machine network if you care about security, and you will be best served to not use common ports for any data being exchanged across the 2 networks for security purposes.

Put some careful thought into what you really need, why you need it and the best method to implement it. Just slinging something together is a recipe for getting hacked. Script kiddies love industrial control systems now because the security is so poor and the targets are so easy to find due to poor implementations.

I have done corporate IT for many years as well as engineering and your IT dept is likely just being careful with technology they don't fully understand and control and if something goes wrong it's their arse on the line.

This can be done in a safe and secure manner that gives you the functions you need, but it's not as simple as just adding a second NIC, and to your question, yes, a virus can cross a NIC. If traffic flows via routing, NAT, VLANs or any other method, the virus can flow also.

To have a good result it will require some research and learning from both those managing the machine network and corporate IT. Put yourself in their shoes and them in your shoes.

These things can be battles and can get heated from time to time, but I think at the end of the day it comes from everyone just trying to do a good job and not mess up and lose their job. When you get hacked people get fired, innocent or not.
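As an added example that is not from the thread or any of the posters, here is what the "only the specific traffic that is needed" rule for the machine-side firewall of that DMZ layout looks like as an nftables ruleset. All addresses, interface names and the historian port (5450) are constructed placeholders; the corporate-side firewall would carry a mirror-image ruleset facing the other way.

```nft
# Added example: machine-side firewall between the machine network and the DMZ.
# Constructed addressing (not from the thread):
#   machine network  192.168.1.0/24   on eth1
#   DMZ              192.168.32.0/24  on eth0, historian collector at 192.168.32.10
# Assumed: the historian listens on TCP 5450 (placeholder, pick a non-default port).
flush ruleset

table inet machine_edge {
    chain forward {
        # Default deny in both directions; every allow below is explicit.
        type filter hook forward priority 0; policy drop;

        # Replies to connections already allowed. Needed even for a
        # "one direction" TCP flow: the historian must ACK what the PLCs send.
        # A true data diode avoids this, but only for protocols with no ACK.
        ct state established,related accept
        ct state invalid drop

        # Machine network -> historian, one destination, one port, and only
        # connections that the machine side opens (ct state new from eth1).
        iifname "eth1" oifname "eth0" \
            ip saddr 192.168.1.0/24 ip daddr 192.168.32.10 \
            tcp dport 5450 ct state new accept

        # Deliberately no rule for eth0 -> eth1 with ct state new: nothing in
        # the DMZ or behind it may open a connection toward the PLCs.
        # Everything else falls to the drop policy; log it so attempts are visible.
        limit rate 10/minute log prefix "machine_edge drop: "
    }

    chain input {
        # The firewall itself accepts management only from the machine network.
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        iifname "eth1" ip saddr 192.168.1.0/24 tcp dport 22 accept
    }
}
```

Load it with `nft -f <file>` after a dry run with `nft -c -f <file>`; the `log` line feeds the kernel log, which is where a blocked connection attempt from the DMZ toward the machine network would show up.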
 


My friend here in post # 9 has provided you an excellent choice in the Tofino firewall. I have used those many times and been well pleased with them.

For anyone interested here are some other options I have used in the past and in the order of how I like them.

Also, depending on how critical your process is, you may need a machine-based firewall like the Tofino and then a core firewall on the machine network, which is where I really like Palo Alto.


https://www.paloaltonetworks.com/solutions/industry/scada-and-industrial-control.html

https://www.tofinosecurity.com/products/Tofino-Firewall-LSM

http://ab.rockwellautomation.com/Networks-and-Communications/Stratix-5900-Services-Router

https://www.securecrossing.com/

https://www.phoenixcontact.com/onli..._p-03-09/3bd0489c-fcd0-4c5f-84e6-8d02e094bbcb

http://www.schneider-electric.us/en/product-range/1106-connexium-industrial-firewalls/
 
What would be the objection to a NAT box?
Solves the issue without a new card.... IT can see "their" address, which the NAT will politely translate to look at the PLC.
 