Security Issues Between PLC Networks

All, we have been given a proposed plan, but would be interested to know your views on potential security issues or otherwise.

There are 2 production sites, side by side. Site A is the Main producer and is a customer of Site B (Site B provides raw materials for Site A)

Each has its own Industrial Ethernet Network all with Rockwell ControlLogix PLCs.

Currently Site A gets a daily email update from Site B of raw materials delivered the previous day to use as comparison data for consumption.

Site A management wishes to get live data from Site B as to tank levels and flows between the sites, rather than wait on the daily email.

Proposal put forward is to add a new Ethernet Card to the main Site B CLX PLC, with an IP address from Site A's main Industrial Network, and cabled direct to a PLC on Site A's premises.

Site B will then give Site A a list of CLX Tags containing all the data they require and Site A intend to either read that using a MSG instruction from one of Site A's PLCs, or read directly from Site B's PLC using Site A's Rockwell Transaction Manager.

All clear as mud?

Are there any potential security issues in connecting the networks in this way, such as can Site A see all of Site B's PLCs or vice-versa?
Could Site A personnel connect to the Site B PLC and access/alter the PLC code therein, or could Site B people connect to any of Site A's PLCs and access/alter their PLC code?
If these are possible, is there a way of blocking such access capability?

Site A and Site B are different companies. Assume that there is capability of accessing the networks of both sites via external VPN links covered by firewall rules and involving corporate IT...

I would be interested in your viewpoints here.
Also if there are possible alternative ways of gathering the same information?

Thanks in advance
 
Site A and Site B are different companies.

At one time had something similar and I think a lot of companies in the automotive industries have the same thing going on as part of the six sigma "just in time" practices ... but if I owned one of the two I would not want them linked, just for the fact if anything ever goes wrong (virus on the network) they will be blaming the other

Since I dont think it would be a lot of data wonder if there is another way of sending it (IoT) ?
 
Thanks geniusintrainimg,

We talked about how we could do this, and the proposal seems do-able, but concerned about locking down the site networks. Subject to someone unplugging a network cable between the sites and accessing the other, and uploading the code and changing operations.
I know there is the possibility of CPU security/password protection, and Ken's favourite - put the key in run mode and take away the key....

There is also a way of splitting the signals of some devices and taking 4-20mA to both PLCs.

Not sure of any other way to send the information.

Still trying to evaluate this one at the moment.
 
That thought scares me, especially if they are different companies.

I would be concerned with the thought that if they have access to those tags, what other tags would they have access to? I'm admittedly not much of a Logix guy, but in most PLCs I've seen you have access to ALL of the data in the PLC if you have access to any of it. I've also heard that the logix comm modules allow you to route through them. Sounds like a cool feature normally, but could that allow access to the whole plant? Can it be turned off?

I would be looking at a solution that involves you pushing data to them or a server, vs a solution where they come and get the data from you. OPC UA could make a lot of sense, or possibly sending via Open Socket comms. There are a lot of protocol gateways that exist, you might be able to find one that can be EIP on both sides. There also might be a specific comm card (probably third party) to do limited comms.

If all they want is a display, then sczot's suggestion of a web page or (monitor only) SCADA page intended for their viewing could make sense as well.
 
I recommend you take at a look at the "Purdue" ICS security level model.

The way I see it, there are some data that need to be exchanged and that's fine. But the data need to travel to a higher-level stage before going back down again. You also need to see if the data can stay at the high level, like the enterprise level or local supervisory level.

The model helps you to de-murk the thinking around implementing security.
 
John, once you 'bridge' the two systems via 1756-ENB(2, 3)Ts, any online copy of RSL5K/Studio5K will be able to access the 'other' side, whether or not the Ethernet bridges are present within the projects' I/O trees. Obviously, if the ENB(2, 3)Ts are not part of the Logix projects, it will take some 'digging' to find out the IP address of the corresponding bridge; however, since there will be Explicit Messaging implemented between the two controllers, this cannot be kept 'secret'.

I'd suggest the usage of an OPC Server (such as RSLinx Classic) running on a 'neutral zone' PC (not belonging to any of the two systems' networking), however, connected to both using a Layer 2 Managed Ethernet switch. The OPC Server machine access could be made 'secure' via Windows and LAN access credentials; the OPC Server will transfer relevant data from one system's CPU to the other's HMI/SCADA and vice-versa (if needed).

This scenario could supply data to both systems, however, it will be impervious to mainstream automation software running on community usage machines.
 
I'd suggest the usage of an OPC Server (such as RSLinx Classic) running on a 'neutral zone' PC (not belonging to any of the two systems' networking), however, connected to both using a Layer 2 Managed Ethernet switch. The OPC Server machine access could be made 'secure' via Windows and LAN access credentials; the OPC Server will transfer relevant data from one system's CPU to the other's HMI/SCADA and vice-versa (if needed).

I like this idea, but I'd step this up a notch and call for a firewall/security device instead of a layer 2 switch.

Firewall is connected to Plant A, Plant B, and the server. The server is set up as a DMZ, where no data goes directly from A to B. The firewall allows only specific traffic (OPC UA) requests from Plant A to the OPC UA Server. The OPC UA server is only configured with the tags you want the other plant to have access to. The only access allowed from the server to Plant B is to grab the specific PLC it is grabbing the tag data from.

This ties back to the Purdue Model comment to some extent as well.
 
Isn't there a way to block the Ethernet card to only allow certain functions and therefore disable programming through it?
I was going to say that other brands can protect the PLC with a password... but that's too fancy for AB.

Would splitting the level signal (supposing it's 4-20mA) into a remote IO that would plug into your plant's PLC not be acceptable?

Considering that the tanks are unlikely to have fast changing levels (from my experience), you could instead consider a protocol converter that would block the programming access something like EthernetIP to Modbus and vice-versa, which is similar to what dmargineau mentioned.

A firewall on that connection could work depending on which ports RS Studio needs and the actual PLC uses for communication.

Lastly... how is the email generated? Is it a PLC function? Is it the SCADA? And therefore could there be a trigger for it?
 
Data Concentrator PLC

How about a "Data Concentrator" PLC. We do this regularly between production sites and HQ.

The production line PLCs have logic that messages all kinds and large amounts of data to a standalone "Data Concentrator" PLC; the data concentrator has logic in it to perform any calculations, filtering, etc. Consumers of the data can connect to the Data Concentrator and do whatever without affecting the production line in any way.

This is a simplified description, but there are multiple network cards in the DC and it's on a separate VLAN; it's not a simple set up. I think the idea is that anyone from outside the plant that crosses the DMZ only has access to the DC data.
 
Thanks Guys,

Did not think it would be that simple....too much depending on trust between 2 companies, with various software subcontractors too...
I think all parties will need to go back to the drawing board if they want to pursue an Ethernet connection.

The tank levels are all on a devicenet network back to Site B's CLX PLC, but the flows are generated via flowmeters on an Ethernet Connection back to Site B's PLC.


cardosocea -
The email is not auto-generated, as far as I know (not been told).

onwards and upwards......
 
MQTT would be easy and cost effective to implement, something you might want to check into.

MQTT could be useful as part of a solution, but the actual protocol for the data only provides about 10% of the overall solution. The bigger issue is network isolation, and selecting an ethernet card (or some combination of gateway/firewall/server) that allows for the data to get out without other traffic getting in, or someone having access to the PLC.

In this situation, MQTT by itself wouldn't provide any real benefits over OPC UA, older OPC DA, EIP MSG commands, plain ol' TCP messages, etc.
 
While the two networks are isolated and only used for the automation system, you can place a routing device between them without losing security, and the IPs of one network will be accessible from the other side.

The router can be a level 3 switch or a computer with two ethernet interfaces, preferably with linux.

A theoretically experienced system administrator would know how to configure it without problems.
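The DMZ layout proposed earlier in the thread (firewall between Plant A, Plant B and an OPC UA server, with no direct A-to-B path) and the Linux box with multiple interfaces suggested in the last reply can be the same device. The following nftables ruleset is an added example, not configuration from any poster or from Rockwell; interface names, subnets, the server address and the Site B PLC address are assumed for illustration.

```nft
# Added example: Linux router with three interfaces acting as the DMZ firewall.
# Assumed addressing (constructed, not from the thread):
#   eth0 = Plant A network 10.1.0.0/24
#   eth1 = DMZ, OPC UA server at 10.9.0.10
#   eth2 = Plant B network 10.2.0.0/24, Site B CLX PLC at 10.2.0.50
# Apply with:  nft -f dmz.nft   (forwarding needs net.ipv4.ip_forward=1)
flush ruleset

table inet dmz {
    chain forward {
        # Default deny: a plain router would forward everything, which is
        # exactly what exposes every PLC on both sides.
        type filter hook forward priority 0; policy drop;

        # Replies for connections that were already permitted below
        ct state established,related accept

        # Plant A may only open OPC UA (TCP 4840) to the DMZ server
        iifname "eth0" oifname "eth1" \
            ip saddr 10.1.0.0/24 ip daddr 10.9.0.10 \
            tcp dport 4840 ct state new accept

        # The DMZ server may only poll the one Site B PLC over
        # EtherNet/IP explicit messaging (TCP 44818); nothing else
        # reaches Plant B, and Plant B hosts cannot initiate anything
        iifname "eth1" oifname "eth2" \
            ip saddr 10.9.0.10 ip daddr 10.2.0.50 \
            tcp dport 44818 ct state new accept

        # Everything else, including any direct A<->B traffic, is logged
        # and dropped so attempts show up in the firewall's log
        log prefix "dmz-drop: " drop
    }
}
```

Note that TCP 44818 carries both MSG-instruction reads and Studio 5000 upload/download sessions, so a port filter alone cannot separate "read tags" from "change the program"; what protects the PLC here is that only the DMZ server, which holds no programming software, is allowed to reach it at all.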
 
