ETHERNET. Process network vs office network.

[DamianInRochester]

Also ...... Anyone using E_W_O_N? That sounds like a good single point of contact.

 

[The Plc Kid]

I have some **** units and also Tofino units. The talk 2 M service is nice on the ****.

I have used the **** and tofino together in many cases.

The **** is good for machine builders/OEM's that wish to provide in warranty and after warranty remote support.

 

[The Plc Kid]

All the stars above are supposed to be E_W_O_N.

Don't know why this is blocked.

 

[The Plc Kid]

IMO any connections to the corporate network should be in a DMZ and on a seperate VLAN in the automation network with just the necessary connections.

I use 2 VLAN's in our DMZ 1 is for data collection and the other is for remote management services when I need to help bubba troubleshoot and I am at home or school.

 

[DamianInRochester]

Yes, I knew E_W_O_N was a four letter word, but not in that fashion. Bit of a head scratcher.

 

[curlyandshemp]

Yes, I knew E_W_O_N was a four letter word, but not in that fashion. Bit of a head scratcher.

Must be some male enhancement product out there that has those letters, perhaps that's why the filtering.

 

[JesperMP]

PS. Also they ask the possibility to change IP addresses of devices from the SCADA. The CPUs, we use, are from SIEMENS and they only this year have announced some new CPUs with feature to change IP from program, and OPs also are from SIEMENS and there are no chances to change from runtime.

It is possible to change the PLC CPU IP at runtime. But I havent heard the same possibility about the HMIs. And the connection between the HMI and PLC will be a problem. You can change the connection IPs during runtime, but I think there will be issues. Generally Siemens HMIs are not designed with dynamically changing IPs in mind.

Here is some ammunition to the argument that mixing office and plant networks is a very bad idea:

Until recently, serial fieldbuses such as Profibus and Devicenet were the only possibility for distributing i/o. Today ethernet-based fieldbuses such as Profinet, Ethenet/IP and Ethercat are rapidly replacing the older serial fieldbuses. Sooner rather than later, the serial fieldbuses will not be used apart from legacy projects.
The entry of the ethernet based fieldbuses means several things in case the fieldbus must be integrated into other LANs:
1. Absolutely no dynamic IP adressing. (*)
2. For the network part that spans the fieldbus part, the network components must fulfill additional requirements. Profinet: Ertec switches. Ethernet/IP: IGMP snooping.
3. The ethernet based fieldbuses have their own diagnostics systems, whose functionality require that the topology is setup in the fieldbus software - not in the IT departments regimen. If the topology is not managed by the fieldbus software, then there will be no fieldbus diagnostics, which will be a major deficiency.

*: I read somthing about that Ethernet/IP can have dynamic IP adressing, but that it requires that power is cycled, not a realistic scenario in many cases.

 

[JesperMP]

Here is another argument, one that cannot be overruled, at least in the EU.

All electronic equipment used in an industrial environment must conform to these two standards:
EN 61000-6-2 (immunity aginst noise)
EN 61000-6-4 (limit to amount of radiated noise).

The point is that office-grade equipment does not meet these requirements, as they must meet another CE standard (may emit less noise, but is also less tolerant to noise).

So if your IT department want to connect the office-LAN together with the plant-LAN, all the equipment must meet BOTH standards !

 

[FLAengineer]

IT vs. SCADA networks

Some more ammunition:
A. If you are running a process on the SCADA network that is time-critical, or with very short scan or update times, mixing in all the traffic on an IT network (web browsing, file downloading, backup operations, ect.) could affect the timing of the SCADA part.
B. Updates/patching. If you have a PC HMI SCADA client on the SCADA network, and IT forces a patch or a new anti-virus engine to the PC, it has a chance of causing the HMI software to crash.
C. See section 3.1 "Comparing ICS and IT Systems" of the docuement "Guide to Industrial Control Systems Security", June 2011 by NIST (US National Institute of Standards and Technology) Computer Security Division at:
http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf

 

[wimpiesplc]

So if your IT department want to connect the office-LAN together with the plant-LAN, all the equipment must meet BOTH standards !

I'm not sure about that, the office-LAN does not have to be in the industrial environment. then only that one line connecting them both has to meet the standards.

 

[JesperMP]

I'm not sure about that, the office-LAN does not have to be in the industrial environment. then only that one line connecting them both has to meet the standards.

If they are electrically connected together, then noise from one piece of equipment can spill over into the other piece of equipment.
So to my opnion, at least the two pieces of equipment that directly connect to each other must be fulfil both standards, not just the cable between them.

 

[wimpiesplc]

mhh, not really convinced yet. but then again I'm not that familiar with those regulations.
In our production environment we use a fiber network between the production lines (and also the office net) and in the lines go with ethernet to the different plc/hmi/whatever is needed. So that would solve our connection problem then.
But as I think of it we also use the office network in the same environment for other purposes so are probably not up to standard...

 

[Tom Jenkins]

Talk to the CFO or comptroller, or at least copy him on your correspondence with the IT weenie. Some points that will ring his chimes:

1) Latency on an office network means everybody gets another sip of coffee. Latency on the control network means everybody in the shop may get to make a full production run of scrap. The same applies if the network locks up.

2) A bug or virus can be transferred over the office network, or even an inadvertent message, that could lock up the PLCs. See above regardin a run of scrap.

3) If someone hacks into the office network and gets into the PLCs, the results could be, literally, a fatal accident. If the IT weenie questions this, ask him how the Iranian centrfuge operations are going!