Security Issues Between PLC Networks

Depending on how much data you want to transfer and how close the properties actually are, one secure method would be to put a remote rack on the edge of your property and have them hard-wire inputs/outputs into your remote rack from their PLC/remote rack.
 
How about a PanelView HMI with the data you want from site B shown on a basic page, then publish it through ViewPoint.
Use a NAT to allow site A's corporate network to bridge across to site B's HMI and access the ViewPoint page as read only.
 
Modbus

Consider adding Prosoft ModbusTCP cards in each PLC rack. You can then map only tags of interest across the link. I don't think it's possible to reach the backplane through the Modbus link, effectively isolating the 2 systems.
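As an added example (not code from any poster and not ProSoft's firmware), the following Python shows what "map only tags of interest" means at the protocol level: it parses Modbus/TCP frames (MBAP header plus PDU) and enforces an allow-list that permits only Read Holding Registers on a configured register window, rejecting writes, diagnostics, other unit IDs and malformed frames. The unit ID, register window and sample frames are constructed for illustration.

```python
import struct

# Modbus function codes used below
FC_READ_HOLDING = 0x03
FC_WRITE_SINGLE_REG = 0x06
FC_WRITE_MULTI_REGS = 0x10
FC_DIAGNOSTICS = 0x08

# Constructed allow-list: only reads of holding registers 100..115 (16 "tags of interest")
ALLOWED = {
    "unit_ids": {1},
    "read_fcs": {FC_READ_HOLDING},
    "reg_start": 100,
    "reg_end": 116,  # exclusive
}


class ModbusError(ValueError):
    pass


def parse_mbap(frame: bytes) -> dict:
    """Parse the MBAP header and PDU of a Modbus/TCP request frame."""
    if len(frame) < 8:
        raise ModbusError("frame too short")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ModbusError("bad protocol id")
    # 'length' counts the unit id plus the PDU, i.e. everything after byte 6
    if length != len(frame) - 6:
        raise ModbusError("length field does not match frame length")
    if length > 254:  # 260-byte ADU maximum from the Modbus/TCP spec
        raise ModbusError("length exceeds ADU maximum")
    return {"tid": tid, "unit": uid, "fc": frame[7], "data": frame[8:]}


def check_request(frame: bytes) -> tuple:
    """Return (allowed, reason) for a request arriving from the other site."""
    try:
        req = parse_mbap(frame)
    except ModbusError as e:
        return False, f"malformed: {e}"
    if req["unit"] not in ALLOWED["unit_ids"]:
        return False, f"unit id {req['unit']} not allowed"
    fc = req["fc"]
    if fc & 0x80:
        return False, "exception bit set on a request"
    if fc not in ALLOWED["read_fcs"]:
        return False, f"function code 0x{fc:02x} not allowed (writes/diagnostics blocked)"
    if len(req["data"]) != 4:
        return False, "bad PDU length for FC 03"
    start, qty = struct.unpack(">HH", req["data"])
    if not 1 <= qty <= 125:
        return False, f"quantity {qty} outside spec range"
    if start < ALLOWED["reg_start"] or start + qty > ALLOWED["reg_end"]:
        return False, f"registers {start}..{start + qty - 1} outside mapped window"
    return True, "ok"


def build_request(tid: int, unit: int, fc: int, payload: bytes) -> bytes:
    """Build a Modbus/TCP request frame (used only to construct samples)."""
    pdu = bytes([fc]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic, not captured from a real link
SAMPLES = {
    "read_mapped":     build_request(1, 1, FC_READ_HOLDING, struct.pack(">HH", 100, 16)),
    "read_beyond_map": build_request(2, 1, FC_READ_HOLDING, struct.pack(">HH", 100, 17)),
    "write_single":    build_request(3, 1, FC_WRITE_SINGLE_REG, struct.pack(">HH", 100, 1)),
    "diag_restart":    build_request(4, 1, FC_DIAGNOSTICS, struct.pack(">HH", 0x0001, 0xFF00)),
    "wrong_unit":      build_request(5, 2, FC_READ_HOLDING, struct.pack(">HH", 100, 1)),
    "truncated":       build_request(6, 1, FC_READ_HOLDING, struct.pack(">HH", 100, 1))[:9],
}


def run_samples() -> dict:
    return {name: check_request(frame) for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_samples().items():
        print(f"{name:16s} {'ALLOW' if ok else 'DENY '} {why}")
```

The point of the check is the same as a mapping card's: the far side can only see the registers you chose to expose, and nothing it sends can turn into a write, a diagnostic restart, or a message addressed to another unit behind the gateway.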
 
Consider adding Prosoft ModbusTCP cards in each PLC rack. You can then map only tags of interest across the link. I don't think it's possible to reach the backplane through the Modbus link, effectively isolating the 2 systems.


Surprised it took that long.
 
Thanks all for the suggestions

Am considering using DH+/RIO cards in both systems, as I have spare cards plus they are still on our Rockwell spares list. Ran a test system in our man cave, seems ok....

That would make the link between sites a DH+ network, which, as far as I can see, could make an isolation path.

Meantime we have asked IT about firewalls....could be a long wait.....o_O
 
Large corporate networks scare me.

I was at a plant that had a successful line, and so it was to be duplicated in Shanghai. They sent the PLC and HMI code, all the mechanical and electrical drawings over to the plant there.

Many months later, for no particular reason, a motor on our line started up, even though no one was anywhere near an HMI. As you can probably guess, the Shanghai plant duplicated the system, but didn't change all the IP addresses. From 7000 miles away, commands from their HMI were getting routed to our PLC, through the business network.
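The failure above is detectable if you have connection records for the plant network. The following Python is an added example (not from the poster, and not tied to any particular product): it runs over constructed Zeek-style connection records and flags any session that talks an industrial protocol (EtherNet/IP explicit on TCP/44818, implicit I/O on UDP/2222, Modbus/TCP on 502) to one of your PLCs from an address outside the OT subnet. The subnet, PLC addresses and log lines are all made up for the example.

```python
import ipaddress
from collections import Counter

# Industrial protocol ports this check cares about, keyed by (proto, dport)
OT_PORTS = {
    ("tcp", 44818): "EtherNet/IP explicit messaging",
    ("udp", 2222): "EtherNet/IP implicit I/O",
    ("tcp", 502): "Modbus/TCP",
}

# Constructed: the plant's OT subnet and the PLCs living in it
OT_NET = ipaddress.ip_network("10.20.30.0/24")
PLCS = {ipaddress.ip_address("10.20.30.10"), ipaddress.ip_address("10.20.30.11")}

# Constructed connection records (ts, src, dst, proto, dport); not real captures.
# 10.20.30.50 is the local HMI; 172.16.8.21 and 192.168.1.77 are off-site addresses
# reachable only because the OT subnet is routed from the business network.
CONN_LOG = """\
1700000001.1 10.20.30.50 10.20.30.10 tcp 44818
1700000002.3 10.20.30.50 10.20.30.11 udp 2222
1700000003.0 10.20.30.50 10.20.30.10 tcp 502
1700000010.7 172.16.8.21 10.20.30.10 tcp 44818
1700000011.2 172.16.8.21 10.20.30.10 udp 2222
1700000012.9 192.168.1.77 10.20.30.10 tcp 44818
1700000013.4 10.20.30.50 8.8.8.8 udp 53
"""


def parse_conn(line: str) -> dict:
    """Parse one whitespace-separated connection record."""
    ts, src, dst, proto, dport = line.split()
    return {
        "ts": float(ts),
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto,
        "dport": int(dport),
    }


def find_foreign_ot_sessions(log_text: str) -> list:
    """Return records where a non-OT address speaks an industrial protocol to a PLC."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_conn(line)
        key = (rec["proto"], rec["dport"])
        if key not in OT_PORTS:
            continue  # not an industrial protocol
        if rec["dst"] not in PLCS:
            continue  # not aimed at one of our controllers
        if rec["src"] in OT_NET:
            continue  # local HMI/engineering traffic is expected
        rec["protocol"] = OT_PORTS[key]
        hits.append(rec)
    return hits


def summarize(hits: list) -> dict:
    """Count sessions per (foreign source, PLC) pair; the list to hand to IT to trace the route."""
    return dict(Counter((str(h["src"]), str(h["dst"])) for h in hits))


if __name__ == "__main__":
    for h in find_foreign_ot_sessions(CONN_LOG):
        print(f"{h['ts']:.1f} {h['src']} -> {h['dst']} {h['protocol']}")
    print(summarize(find_foreign_ot_sessions(CONN_LOG)))
```

Two addresses from outside the plant subnet show up talking EtherNet/IP to the PLC, which is exactly the symptom the story describes; with a firewall in place the same rule becomes a deny, and the hits become the evidence that the route should never have existed.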
 
Consider adding Prosoft ModbusTCP cards in each PLC rack. You can then map only tags of interest across the link. I don't think it's possible to reach the backplane through the Modbus link, effectively isolating the 2 systems.


This is exactly what I was going to suggest, and is what I currently use, as then each company can control what they send and don't send to the other company.
 
Large corporate networks scare me.

I was at a plant that had a successful line, and so it was to be duplicated in Shanghai. They sent the PLC and HMI code, all the mechanical and electrical drawings over to the plant there.

Many months later, for no particular reason, a motor on our line started up, even though no one was anywhere near an HMI. As you can probably guess, the Shanghai plant duplicated the system, but didn't change all the IP addresses. From 7000 miles away, commands from their HMI were getting routed to our PLC, through the business network.

I've heard of similar on a VM, very scary!
 
I have solved this earlier by serial communication: find a PLC on each side that has a serial port, add 2 serial-to-Ethernet converters, and you are linked and very safe :)
 
Large corporate networks scare me.

I was at a plant that had a successful line, and so it was to be duplicated in Shanghai. They sent the PLC and HMI code, all the mechanical and electrical drawings over to the plant there.

Many months later, for no particular reason, a motor on our line started up, even though no one was anywhere near an HMI. As you can probably guess, the Shanghai plant duplicated the system, but didn't change all the IP addresses. From 7000 miles away, commands from their HMI were getting routed to our PLC, through the business network.


I haven't seen it that bad, but we have seen similar. We recommend customers do not add anything to our machine network, instead treat it like you would the electric wires in your dish washer at home: you do not open it up and connect cables through to random devices in your house.



Some customers just add the machine network to their own factory and/or office network. We have seen a hard-to-track failure where we found out that part of the machine not responding as expected was caused by a duplicate IP address: the other device with the same IP address was an office telephone.
 
you do not open it up and connect cables through to random devices in your house.
o_O Are you sure that is right?

I seem to recall being able to put in a routing table in the DH+ configuration using RSLinx, allowing someone to drill down and access the rest of the network. A bit obscure, but doable.

The only company to company data I have seen is either up at the web services level (restful API) or telemetry + hardwired signals.

How many signals are we talking? You could set up a remote rack "company B data transfer" with EN3T, IB16, OB16, IF8, OF16 etc.
Have another rack called "company A data transfer" with EN3T, OB16, IB16, OF8, IF16 etc.
Connect one ENBT to company B's plant network and one to company A's network. Wire the IB16 to the OF16 and so on.
Leave a couple of spare signals because there is always "can we get this too?"
You might need a fibre switch, but it is nice and clean and easy to follow and hard to "woops".
 
I haven't done this myself but I believe this would be achievable using a ProSoft ICX35 4G LTE gateway at each site.

https://youtu.be/YDr4yfUbJZQ

This would still keep both site networks isolated whilst allowing data exchange between the two ProSoft gateways.

I'm thinking you could probably achieve a similar setup using a couple of eW@N Flexys exchanging data through the eW@N T@lk2M cloud gateway as well.
 
Open a "Cloud" account.
Send the customer's data to the "Cloud" account.
Add customer to Cloud account, so they can see data.

You can also get messaging software to send reports on a scheduled basis.

I see you want to send live data.
Site A = 1 PC running an HMI with ONLY data tags for Site B.
Grant Site B personnel access to that PC via a wireless VPN?
 