Password Protect Network

careed_25 (Member; joined Jul 2007; KY; 57 posts)
First of all, I am not an IT guy, so some of the following might not be dead on, but hopefully you can get the gist of my need. I am in charge of the PLCs and HMIs at an underground coal mine that is one of several mines owned by a parent company. With that comes multiple networks and multiple technicians and engineers accessing each network.

Here is what happened the other day: an engineer testing a starting box at a remote office had a controller with a loaded program in it that happened to be the program that was in a starting box in service underground here at my mine. He thought he was totally disconnected from all networks, except the switch that resides in the starting box, which had only his laptop, PLC and PanelView on it. He connected to what he thought was the PLC in front of him, but in turn, without knowing, his wireless had connected, and this allowed him to go through a couple of routers and end up changing the IP address of the PLC underground here, which is 100 miles away from where he was working. Luckily that was all he did, and he didn't try to download a new program, or it would have shut down the belts for 2 units. In the end I had to go underground and reset the IP address so we could access it outside on Studio SE as well as Logix 5000. I realize it was an accident and he thought he was disconnected from all networks, but something bad could have resulted.

I contacted our IT guys and told them about the incident, and they said there really isn't an easy way to password protect my underground network due to the amount of people who might need to access it remotely and the tasks required to manage it. Like I said, we have a corporate network with locations in Oklahoma, Kentucky, Indiana, Illinois and West Virginia, as well as underground networks in about 10 different mines spread over the above-mentioned states. I don't want to have to password protect all processors simply due to the fact that others may need to access them at some point for troubleshooting.

What I am looking for is a way to use existing Windows user IDs and passwords to gain access to my underground network. Or some way to put up a popup window saying "you are accessing a controller on a network, are you sure you want to make these changes?" Long story short, I need a way to block my network without using the IT guys with their routers and whatnot. I know they could do something; they just don't want to spend the time on it. Any suggestions? And remember, I am not an IT guy. I know how to do the bare minimum to manage PLCs and HMIs on an Ethernet network. These are all Allen-Bradley PLCs and HMIs, by the way. Maybe someone knows of a security tool or software that would be useful to me.
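The "are you sure" prompt the post asks for can be approximated on the engineer's own laptop, before any vendor tool is opened, by checking two things: whether the target address is actually on a directly attached subnet (or would be routed through a gateway, possibly to another site), and whether any interface other than the bench link is up (in the incident the wireless adapter had silently joined the corporate WLAN). The following is an added example for this thread, not code from the original post or from Rockwell; the interface list and all addresses are constructed sample data, and on a real laptop the list would be filled from `ipconfig` or `ip addr`.

```python
"""Pre-flight check before opening a PLC connection.

Added example for this thread; it is not code from the original post or from
any vendor. Interface addresses are passed in explicitly (constructed sample
data below) so the logic runs offline; on a real laptop you would fill the list
from `ipconfig` (Windows) or `ip addr` (Linux).
"""
import ipaddress
from typing import Callable, Iterable, List


def unexpected_interfaces(interfaces: Iterable[str], bench_subnet: str) -> List[str]:
    """Interfaces that are up but not on the bench subnet.

    In the incident the wireless adapter had silently joined the corporate
    WLAN while the engineer believed only the bench switch was connected.
    """
    bench = ipaddress.ip_network(bench_subnet)
    return [i for i in interfaces if ipaddress.ip_interface(i).network != bench]


def classify_target(target: str, interfaces: Iterable[str]) -> str:
    """'local' if target sits on a directly attached subnet, else 'routed'."""
    addr = ipaddress.ip_address(target)
    for iface in interfaces:
        if addr in ipaddress.ip_interface(iface).network:
            return "local"
    return "routed"


def preflight(target: str, interfaces: Iterable[str], bench_subnet: str,
              confirm: Callable[[str], str] = input) -> bool:
    """Return True only if it is safe (or explicitly confirmed) to connect.

    A routed target, or any extra uplink, forces the engineer to retype the
    target address; a wrong or empty answer aborts.
    """
    problems = []
    if classify_target(target, interfaces) == "routed":
        problems.append(f"{target} is not on any directly attached subnet; "
                        "the session would be routed, possibly to another site")
    extra = unexpected_interfaces(interfaces, bench_subnet)
    if extra:
        problems.append("active interfaces outside the bench subnet: " + ", ".join(extra))
    if not problems:
        return True
    prompt = ("WARNING:\n  " + "\n  ".join(problems) +
              "\nRetype the target address to continue, or press Enter to abort: ")
    return confirm(prompt).strip() == target


if __name__ == "__main__":
    # Constructed data: laptop on the bench switch only -> no prompt, True.
    print(preflight("192.168.1.20", ["192.168.1.10/24"], "192.168.1.0/24"))
    # Constructed data: wireless also up and the target is a routed address;
    # the confirm callback answers with nothing, so the connection is refused.
    print(preflight("10.17.3.21", ["192.168.1.10/24", "10.40.7.55/24"],
                    "192.168.1.0/24", confirm=lambda _: ""))
```

This is only a stopgap on the client side. It cannot tell a bench PLC from a remote PLC that happens to carry the same address on an identically numbered subnet, and it does nothing if the engineer uses a different laptop; only segmentation at the routers, as the reply below the post describes, prevents the cross-site path from existing at all.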
 
You need to elevate this issue above IT! In addition to being "accident prone", you have serious security vulnerabilities that could lead to significant company loss, and possibly injury or property damage. You have NO security and no auditing for accountability, even between physical sites! It is your responsibility to present the situation to management in terms they understand. What would they do if a malicious programmer "plays" with a live PLC from another site? Or an engineer inadvertently replaces one program with another? They alone can accept the risk of operating in such a manner. I doubt that anyone would in these terms.

To answer your direct question - there are ways of authenticating network access based on your Windows domain credentials, but this isn't simple and is more in IT's lane anyway.

The biggest problems I see are:
1. The open routed network between everyone. The critical equipment, multiple sites, engineers that may not know what they're doing, and #2 exacerbate this problem.
2. All the PLCs without passwords

To address #1: In your case (multiple sites) it might make sense to only allow nodes to communicate with their own network/subnet, and the Internet via request if you'd like. Communication between corporate networks should be "opened up" as necessary. That way you could only access a SCADA system or PLC from where you need to. This really shouldn't be hard to implement if the network was reasonably well designed. They could use access control lists (ACLs) on routers, firewalls or security devices, NAT (like home routers), and so on. You can isolate critical network segments or password protect critical devices.

For #2 - it's better practice to use passwords, but if you choose to accept the risk based on how you operate - so be it.

Bottom line - it's not hard to separate the networks or engineer an appropriate solution. However, this needs to be a supported policy decision, endorsed by management, that gets implemented by IT (and you). I doubt there's a viable quick fix from your position. There are stopgaps that could significantly mitigate risk. The most important thing is that you all get on the same page in recognizing the situation. This should transcend petty department rivalries.
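To make item #1 concrete, here is an added example (not from the reply above and not any vendor's code) that models the per-site rule it describes: engineering hosts may talk EtherNet/IP to the PLCs at their own site, named corporate hosts are opened up by exception, and anything else aimed at a control subnet is denied and logged. The same policy is then rendered as a Cisco IOS extended ACL. All site names, subnets and hosts are constructed for illustration; the ports are the standard EtherNet/IP ones (TCP 44818 for explicit messaging such as programming and downloads, UDP 2222 for implicit I/O).

```python
"""Per-site isolation policy for EtherNet/IP, plus a Cisco IOS ACL rendering.

Added example for this thread; not code from the reply or from any vendor.
Site names, subnets and hosts are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Standard EtherNet/IP ports used by Logix controllers, RSLinx and HMIs:
# TCP 44818 for explicit messaging (programming, uploads/downloads),
# UDP 2222 for implicit (I/O) messaging.
ENIP_PORTS = {("tcp", 44818), ("udp", 2222)}


@dataclass(frozen=True)
class Site:
    engineering: ipaddress.IPv4Network  # laptops / engineering workstations
    control: ipaddress.IPv4Network      # PLCs, PanelViews, drives


@dataclass(frozen=True)
class Allowance:
    """A deliberate cross-site opening ("opened up as necessary")."""
    src: ipaddress.IPv4Network
    site: str
    proto: str
    port: int


SITES: Dict[str, Site] = {  # constructed addresses
    "mine_ky": Site(ipaddress.ip_network("10.17.1.0/24"),
                    ipaddress.ip_network("10.17.3.0/24")),
    "mine_il": Site(ipaddress.ip_network("10.23.1.0/24"),
                    ipaddress.ip_network("10.23.3.0/24")),
}

ALLOWANCES: List[Allowance] = [
    # Constructed corporate SCADA host may poll the KY PLCs, explicit messaging only.
    Allowance(ipaddress.ip_network("10.5.5.10/32"), "mine_ky", "tcp", 44818),
]


def site_of_control(dst: ipaddress.IPv4Address) -> Optional[str]:
    """Name of the site whose control subnet contains dst, if any."""
    for name, site in SITES.items():
        if dst in site.control:
            return name
    return None


def is_allowed(src: str, dst: str, proto: str, port: int) -> bool:
    """Decide one flow. Only flows into a control subnet are restricted."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    target = site_of_control(d)
    if target is None:
        return True                      # not a control subnet: out of scope
    if (proto, port) not in ENIP_PORTS:
        return False                     # nothing but EtherNet/IP reaches PLCs
    site = SITES[target]
    if s in site.engineering or s in site.control:
        return True                      # same-site engineering or PLC-to-PLC
    return any(s in a.src and a.site == target
               and (a.proto, a.port) == (proto, port) for a in ALLOWANCES)


def _wc(net: ipaddress.IPv4Network) -> str:
    """IOS 'address wildcard' notation, e.g. 10.17.3.0 0.0.0.255."""
    return f"{net.network_address} {net.hostmask}"


def render_ios_acl(site_name: str) -> List[str]:
    """Same policy as is_allowed(), as a Cisco IOS extended ACL for one site."""
    site = SITES[site_name]
    lines = [f"ip access-list extended PROTECT-{site_name.upper()}"]
    for proto, port in sorted(ENIP_PORTS):
        lines.append(f" permit {proto} {_wc(site.engineering)} {_wc(site.control)} eq {port}")
        lines.append(f" permit {proto} {_wc(site.control)} {_wc(site.control)} eq {port}")
    for a in ALLOWANCES:
        if a.site == site_name:
            lines.append(f" permit {a.proto} {_wc(a.src)} {_wc(site.control)} eq {a.port}")
    lines.append(f" deny ip any {_wc(site.control)} log")   # logged: the audit trail
    lines.append(" permit ip any any")                       # leave other traffic alone
    return lines


if __name__ == "__main__":
    # The incident: a remote-office laptop (constructed 10.40.7.55) reaching a KY PLC.
    print(is_allowed("10.40.7.55", "10.17.3.21", "tcp", 44818))   # False
    print("\n".join(render_ios_acl("mine_ky")))
```

Where the ACL is applied depends on the topology; the assumption here is inbound on the router interface that carries traffic from the corporate WAN and other sites into the mine, so the mine's own engineering subnet never passes through it. The `log` keyword on the deny line is what turns the next accidental cross-site connection attempt into a syslog entry with the source address, which is the accountability the reply says is currently missing. If something else must stay reachable on the control subnet (a PLC's web page, a historian collector), add it as a further explicit permit rather than loosening the deny.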

