Networking two PLCs on different LANs

Posted by marcius (Member, Klaipeda, joined Apr 2007, 137 posts)
Hello,

Need some help.

Let's say we have

LAN1: PLC1, PLC2
LAN2: PLC3

PLC1 is accessing data on PLC2; now PLC3 needs to access PLC2 data too, but without LAN1 devices having access to LAN2 devices.
LAN1 and LAN2 belong to two different companies. The LAN2 owner needs to read data from PLC2, but they don't want the LAN1 owner to have access to their network.
Is this possible to achieve? How?

Thanks for suggestions.
 
It can be done a number of ways, but I would not say they would not have access to their network, because to communicate they must be connected in some fashion.

You need controlled access. You need to get a plan in place first.

Where are the 2 companies? How far apart are they?

How will they connect? Who will initiate the connection? Who will receive the connection?

What security measures are needed?

A VPN between the 2 companies could be put in place with data diodes on each end so both parties have peace of mind.

Maybe a mediator like you? Do you work directly for either company or are you a contractor/consultant? You could set up a data collector that you control to read and write to each other. The data collector would talk to both companies, but they would not talk directly to each other.

There are a hundred ways to skin this cat. You will have to define your needs in a more granular and detailed way before you find your final solution.
 
The PLC Kid had some good solutions, though I've never been sure what a data diode is, unless it's a fancy name for firewall.

Another way to do this would be to add an additional network card to your PLC rack, if your PLC type allows it. This would allow PLC1 and PLC2 to share LAN 1, and PLC2 and PLC3 to share LAN 2.
 
The PLC Kid had some good solutions, though I've never been sure what a data diode is, unless it's a fancy name for firewall.

Another way to do this would be to add an additional network card to your PLC rack, if your PLC type allows it. This would allow PLC1 and PLC2 to share LAN 1, and PLC2 and PLC3 to share LAN 2.

A data diode is a pure hardware firewall. It can't be configured to allow traffic in the wrong direction. The only config is to specify the traffic you want to flow, but the flow direction is fixed in hardware.

I like these http://www.owlcti.com/products/products_hardware.html
 
It can be done a number of ways, but I would not say they would not have access to their network, because to communicate they must be connected in some fashion.

You need controlled access. You need to get a plan in place first.
Where are the 2 companies? How far apart are they?
One site is a CHP plant in a factory and the other is a medium-voltage substation.
Distance is ~200 m.

How will they connect? Who will initiate the connection? Who will receive the connection?
There is a fiber cable between the locations.
The connection should be constant; the utility PLC should be the master and the PLC located at the CHP plant should be the slave.

What security measures are needed?
The utility needs some signals/measurements from the CHP plant, but they don't like the idea that someone from outside will have access to their SCADA.

I'm wondering if a simple (or not) router with proper configuration could do the job?
 
A router can work, but just a router does not give much security. If it's a firewall also, that will be better. But firewalls can be hacked and configs can be messed up by various methods.

Data diodes ensure directional flow without these issues. You may want to implement 1 or more of these solutions depending on how sensitive the utility is about their network, and that would depend on what else is on their end of the network and what security measures are in place.

As I said, there are 100 ways to skin this cat. It just depends on your needs and how critical your network and its assets are. I can't answer that for you; the utility will have to decide what is acceptable risk.
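For the "router with proper configuration" option discussed above, here is what a minimal stateful ruleset looks like on a Linux box routing between the two LANs, written so that only the utility PLC (master) may open a connection to the CHP PLC (slave) and nothing on the CHP side can initiate toward the utility. This is an added example, not from any poster in this thread; the interface names, the addresses and the choice of Modbus TCP (port 502) as the polling protocol are assumptions.

```nft
# Added example (not from the thread). Assumed: eth_chp faces LAN1 (CHP plant),
# eth_util faces the fiber link to LAN2 (utility). Addresses are constructed.
define PLC2     = 192.168.10.20   # CHP PLC being read (slave)
define UTIL_PLC = 192.168.20.10   # utility PLC doing the polling (master)

table inet plc_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to an already-accepted poll may flow back; nothing else returns.
        ct state established,related accept

        # The only connection that may be opened: utility PLC -> PLC2, Modbus TCP.
        iifname "eth_util" oifname "eth_chp" \
            ip saddr $UTIL_PLC ip daddr $PLC2 tcp dport 502 \
            ct state new accept

        # Anything originating on the CHP side toward the utility is logged and
        # dropped, so LAN1 devices can never initiate into LAN2.
        iifname "eth_chp" oifname "eth_util" \
            log prefix "chp-to-util-drop " drop
    }
}
```

Load it with `nft -f`; note that the rule only fixes the direction of connection setup, so Modbus writes from the utility remain possible on that connection, and a read-only requirement still has to be enforced on the PLC itself or by a protocol-aware proxy such as the data collector suggested above.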
 
Use some cheap serial-to-fiber modems and use the serial ports on each processor to establish the comms. I am assuming of course that these PLCs have serial ports that are available for use. Doing it this way will limit the network access for both sides and ensure that only the data needed is accessed. But everyone is right, there are a million ways to do this and be safe or wide open, so be careful in your method.
 
A data diode is a pure hardware firewall. It can't be configured to allow traffic in the wrong direction. The only config is to specify the traffic you want to flow, but the flow direction is fixed in hardware.

I like these http://www.owlcti.com/products/products_hardware.html

I looked at the website; it seems like an intriguing product. The data sheet that really explained it for me was this one. I understood about passing data/files one way only, but most protocols require an acknowledgement. They handle this by, essentially, introducing a man-in-the-middle type of situation. Device A has a connection with one side of the diode, and Device B has a connection with the other side of the diode. It acts as a proxy instead of a network device.

Looks like a great solution for when you have a defined data set that needs to be transferred. Does it defeat the purpose to have one diode going one way and one going the other, passing only allowed data in each direction, while two devices still have true communication? I don't see many projects where true security paranoia is needed; usually I'm lucky to convince them to implement passwords.

A little off topic, but I've been meaning to ask about these for a while.
 
Huh, those data diodes seem interesting. Would it work for AB EtherNet/IP?

Another solution is to use a gateway from Prosoft or Anybus.
 