IT Dept vs Engineering

I work in the engineering group at a facility where we have complete control over our computers and network on the production line. Our network is isolated from the outside world and the workstations are only used to run RSView, nothing else.

For some reason, our corporate IT dept is eager to connect up to our plant network and install antivirus and IT management software among other things.

I am not happy about the idea especially since the people driving this have no knowledge of control systems. The head IT guy actually asked me what a PLC was. I fear that eventually we will have no control and will have to go through IT to change anything. Does anyone here have any experience with this issue?

start reading here ...

FIGHT this idea! ...

Someone said it on these forums.


Ask the IT guy if he wants to take responsibility when production goes down.

We have a service contract with a crematorium who are run by the local council.

The council have made it their policy that their IT department are the only people who can do anything with PCs (apart from their intended use), they've also made it policy to upgrade every PC owned by the council to the latest Dell model, running XP and connected to the council's intranet.

Each of the 4 cremators at the crematorium has its own PLC connected to its own PC used solely as an HMI running on WIN95, left alone they'll probably carry on running for another 10 years - clean environment, not used for anything else, etc.

Now the council has to pay for 4 new PCs, 4 new licences for the XP version of the HMI software, and pay us to configure the new HMI software and ensure everything works OK. On top of that the new PCs will be prone to virus attacks, crashes and whatever through the intranet.

Why!!!!!!

And people wonder why local taxes increase by double the inflation rate year on year.

As well as the thread that Ron has linked to, there is also this one.....


Click Here

Paul

You've got me wound up with this one!

Fight it (IT) tooth and nail.

Why is it, as control engineers we have to go through apprenticeships, years of toil, self-teaching, night school, hard learnt lessons, burning midnight oil, etc. before we're even remotely appreciated.
Some spotty faced kid comes fresh from college with an IT qualification under his arm and the organisation thinks he's the dog's b******s and pays him accordingly?

Rick Densing said:

Ask the IT guy if he wants to take responsibility when production goes down.

Click to expand...

Couldn't have said it any better than this. Also tell him that his home phone number will have to be accessible to the production and mainenance staff for those 2am calls.

You made me realize just how lucky I am to be working on the project that I am.

We're building a huge HMI application on a network that will span two facities and a SCADA system. Of course, everyone has their ideas as to how the network should be made secure. I think the major resaon that we're not having IT headaches is because the person in charge of IT and network security was also a controls engineer at one time.

Don't let the IT department touch your machine.

AK

how about a “put-up-or-shut-up” type demonstration? ...



basic idea: show the bo$$man a working computer and demonstrate how you’re able to make connections to the various types of PLCs in your plant ... be sure to include issues like changing RSLinx drivers, etc. ... make a checklist and cover it all ...



then ceremoniously hand the working computer over to the IT guys ...



tell them that when they’re finished putting their computer-geek voodoo on it, to bring it back and you’ll go through the same “let’s-see-it-work” type demonstration as before ... of course you’ll be using your own mere-mortal privileges - and NOT theirs ...



see if your bo$$man will join you in demanding this type of acceptance test on one sample computer - before everything starts getting crazy ...



as my old drill sergeant used to say:

Life is like a giant clipboard filled with little problems. You’ve got your column - and I’ve got mine. My main objective today is to transfer as many problems as possible out of MY column - and over into YOUR column.

Click to expand...

make sure that the IT guys know exactly what the problem is going to look like at 3:00 o’clock in the morning ... and that the problem is going to be located squarely in THEIR column ...



maybe then they’ll just go away and leave you alone ... good luck ... and please keep us posted on how this turns out ... we’re all looking for a “silver bullet” in this particular area ...

I have been burnt by this situation before so my comments are written with some agitation.

The company was bought out and my department’s computers were now being taken care of by an IT guy. The IT guy felt it necessary to not give adim rights to anyone in engineering, so we could not load new PLC software onto our computers, we had to get IT to do it. Why does a senior controls engineer need to get permission from a IT guy to do a job?? Anyways, I sent my head programmer out to a site 2 hours away, he uploaded a program made some changes then download the program back to the PLC, the PC crashed leaving the PLC dead. Of course with no admin rights the programmer was SOL, what a mess. I can’t even begin to think of what it cost in downtime!



So here is my suggestion, get full admin rights to the new PC’s and network since engineering is only people who can keep the plant running, if they are unwilling to give that to you throw the dollars/hour it cost when you are down and explain you are now paying two people to solve problems ie, an engineer and an IT guy. Make sure you CYA and blame every problem on them, even stuff outside there scope like leaks in a pipe, a pump failure, the company car not starting, your lawn mover not working whatever. They will eventually give in.



Some IT guys are good and down to earth, some stink worse then a sewage plant.

In my case I need the IT network for Remote Operation, therefore I have to co-exist with IT. We are creating a VLAN to seperate us from the rest of the network.
Just wait until SOX (Sarbanes & Oxley) comes to the process PC part of your organization, it's going to get uglier.

IT will be the first against the wall come the revolution...

Keep them off your systems, the last time an IT Idiot came near my laptop ,he removed my second ethernet card and the cable that connects it to the plant network and then told me my laptop would work much better now as all it's problems were being caused by having two connections to the same network.

At this point I informed him the second ethernet card actually connect to the plant network , ( and thanks for unplugging that it was monitoring the plant at the time, bang goes 2 hrs of data)and not the factory network ,and as for curing all the problems with my laptop ,I've had no problems with my laptop since I stopped IT going near it , we were however having problems with our desktop machine next to it (Since IT installed a thin client network now it takes 15 mins to log on instead of the 30 seconds it used to take that's IT progress for you ).

As I type this I can no longer print anything as IT are working on the print server (and have been all ****ing day) it worked much better when the printer just plugged into the back of the computer but no that's not good enough for IT they have to connect it to it's own server so it's better (IT speak for we can do it so it must be better) so now even though my printer is switch on at the end of my desk I still cant print .

Imagine the above scenario on your plant substituting some of your production equipment for the printer Scary Ehhh......

Shoot them now it'll save time in the long run

Two words x 2:

Process Validation

.DLL Hell

Production Isn't As Important as SAFETY...

Not knowing the application, is there any chance a corrupted PC/ HMI could effect safety of the personell?

The line I use to anyone interested in sticking their nose into dictating how I implement control is, "Are you going to show up at the operator's wake so I can introduce you to the widow and kids as being the one responsible for his untimely demise?" Though the system is probably designed hardware safe so this could not possibly happen, most IT/ managers/ suits/ etc. haven't a clue of this and quickly back down from their request.

Before allowing the network to be attached, at least perform a Risk Assessment to see what the implications are and be sure to play the Devil's Advocate.

I saw an article somewhere in the last week (can't locate it right now) of a demonstration at a control's group user meeting where a white hat hacker took remote control of of an actual process, including the HMI, through a "secure network" and proceeded to write one set of data on the HMI display while sending different commands to the PLC. His comment was "It's not a question of whether can it be done, it's more like how hard is it to do and do you want to be completely stealthy about it." The comment was made in the article about how most of the attendees jaws were wide open in disbelief.

Thanks for the input guys. Honestly I think the only reasons IT wants control of the process network is to satisify their own egos. I think they look at as it is territory to conquer and make their own.

At this point they are claiming that engineering will continue to have admin rights. The problem is that they will also have admin rights. I hate to think what could happen if they decide to push out a patch or make a change to a screen saver without telling us. Of course they said they will put a "policy" into place that they must notify engineering and schedule any changes. I believe once they have their foot in the door things will only get worse until we have no control over anything running Windows.

The production downtime, responsibility and safety aspects seem like the best ammo to fight this. I showed the IT guy our HMI screens and his reply was that he was completely surprised it was so complex. I then offered to show him the PLC's (since he didn't know what a PLC was) but he wasn't interested and took off to bs with his buddys about IT ****.