Limiting remote access to network

basleigh (Member, joined Jun 2010, UK, 3 posts)
I am after some advice.
My employer's PLC network is separate from the corporate IT network.
Our main PLC system is AB, ranging from ML/SLC/CL/Logix5000.
The factory has increased in size from a single plant to several.
I have recently started to network previously non-networked devices, putting in HP ProCurve network switches. (My background is primarily electrical but I am starting to learn networking slowly, so be gentle.)
To provide OEMs with remote access through the separate IT network & firewall to the plant AB network, the company is using **** as the preferred vehicle for the external remote access.
My issue is security of my plant network: an OEM who has **** access to his own panel, which in turn is part of my plant network, can then see all other SLC/CLs in that IP range.
Is there a way to limit how far his remote access can see? For example, if his project incorporates 2 PLCs and they are in series with a dedicated port on one of the HP managed switches, can I stop his access into my domain past this port, but still allow full access from inside the plant network?
Look forward to any advice.
Thanks

Well, yes there are ways.

The best way would be to isolate those machines from the rest of your process network. Since that's probably not ideal, you could re-IP everything on the OEM panels to a different range than the rest of your process gear and put it on its own VLAN. Use an ACL to block that VLAN from accessing any of your others as needed.

I assume you are using "e w o n" devices. Isn't there built-in functionality to allow access based on user? I would ask "e w o n" about that.

Thanks for your replies.
I don't think I can re-IP as our centrally based disaster recovery software may not work, although I can look into that.
Also, for the " E W O N " units I don't have any connection details from the original installation by the OEMs. I have thought about fitting some kind of Stratix unit with NAT in it, but wondered if I could do it at the HP switch. (Sounds expensive & probably won't do it.)
I have a few ideas but not enough knowledge about IT to back them up, so I figured I'd ask before I break something learning. :)

One of my customers uses Cisco AnyConnect which allows them to set up what they call partner connections. When I connect to their network remotely I am only able to see IP addresses that are included in my partner connection set up. It sounds like you need something like this.

Well, you would allow your backup servers access to the isolated VLAN through ACLs.

Other thing you could do, if the OEM gear is on its own switch, is just throw a firewall between that switch and the rest of your network.
Set up the rules to allow only what needs to talk in (backup, data collection perhaps) and block most of what's inside from talking out.
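As an added illustration of the VLAN-plus-ACL design suggested in the two replies above (this is not code from the thread or from HP), the script below models an OEM VLAN ACL in ProCurve-style ACE syntax and checks it against sample flows. The addresses, the VLAN numbers and the ACE wording are constructed assumptions; check the exact syntax against the switch's own manual before pasting anything into a config.

```python
"""Model the OEM-VLAN ACL and confirm which flows it permits."""
import ipaddress

# Constructed addressing: process gear stays on VLAN 10 (10.10.0.0/16),
# the OEM panel and its two PLCs are re-IP'd onto VLAN 20 (10.20.0.0/24).
BACKUP_SERVER = "10.10.0.50"   # disaster-recovery host that must still reach VLAN 20

# Ordered ACEs in ProCurve-like syntax, applied inbound on the OEM VLAN so
# "source" is always the OEM side. First match wins; implicit deny at the end.
# Rule 10 must come BEFORE rule 20, otherwise the backup server is blocked too.
OEM_VLAN_IN = [
    "10 permit ip 10.20.0.0/24 host 10.10.0.50",   # OEM gear may answer the backup server
    "20 deny   ip 10.20.0.0/24 10.10.0.0/16",      # block the rest of the plant network
    "30 permit ip any any",                        # OEM-to-OEM, VPN concentrator, etc.
]


def _parse_target(tokens):
    """Consume one address spec ('any', 'host A.B.C.D' or 'A.B.C.D/len')."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(t, strict=False)


def parse_ace(line):
    """'seq action proto src dst' -> (seq, action, src_net, dst_net)."""
    tokens = line.split()
    seq, action = int(tokens[0]), tokens[1]          # tokens[2] is the protocol ('ip')
    rest = tokens[3:]
    src = _parse_target(rest)
    dst = _parse_target(rest)
    return seq, action, src, dst


def evaluate(acl, src_ip, dst_ip):
    """Return 'permit' or 'deny' for one packet using first-match semantics."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _seq, action, src_net, dst_net in sorted(parse_ace(a) for a in acl):
        if s in src_net and d in dst_net:
            return action
    return "deny"  # implicit deny when nothing matched


if __name__ == "__main__":
    # Switch ACLs are stateless: a plant engineer who opens a session INTO VLAN 20
    # needs the return path permitted as well (or a stateful firewall, as the post
    # suggests), otherwise rule 20 silently drops the replies.
    print(evaluate(OEM_VLAN_IN, "10.20.0.10", "10.10.0.20"))  # deny: other plant PLC
    print(evaluate(OEM_VLAN_IN, "10.20.0.10", BACKUP_SERVER))  # permit: backup server
```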
 
I have a HMI that is accessible immediately from our VPN. On the HMI I have a hidden, password-protected button that toggles a bit in serial-connected PLC. The bit energizes a timer. The /TT bit of the timer is tied to an output that supplies power to a network switch that bridges the plant network and the VPN connection. To make things even more secure, I located the network switch in a ceiling cavity.

The PLC that closes the bridge is not connected to the Ethernet network and the HMI does not have serial pass-through capability.

The timer defaults to 3600 seconds, but I can extend the time using a numeric entry triggered by another hidden, password-protected button on the HMI.

You should be able to adopt a similar security scheme using multiple network switches so vendors can access their PLCs only.
 