Security of Industrial Networks

February 16, 2021


Recently I attended CCNA Security Quad Training by Cisco. We continue to look for opportunities to excel in industrial automation solutions. Security for SCADA and PLC systems is always a concern. It might seem that isolating the industrial network from the internet with “no physical connection” would be as safe as possible, but an air gap is not absolute: open Ethernet ports, USB drives, CDs, and similar media still have to be controlled. In recent years we have also all faced a new issue, as industrial control software manufacturers push for “internet” connectivity. Firewall appliances have been essential in providing secure network solutions.

What about the health of the industrial network? Many solutions keep the network healthy by physically isolating subnets. As an example, if a PLC is connected to a SCADA computer and a number of VFDs via Ethernet, it is good practice to add a second Ethernet card in the PLC dedicated to the VFDs. The same applies to other critical I/O, and it is mandatory for a Profinet implementation.

Connecting those independent subnets to the common network for troubleshooting, online configuration, etc., can be problematic: many times you would have to work through the PLC program or connect directly to a local switch. In many cases we write logic in the PLC to act as a traffic manager and make that interface available, but that approach is limited by the capabilities of some of the Ethernet network devices.

The answer with today’s technology lies in the use of VLANs and routers. Routers connect networks together and switches connect users and devices. On Cisco switches, also available as industrial products from Rockwell, VLAN support is standard. Each VLAN is configured as a separate subnet, which allows the network to be segmented.

This can work as an advantage for control systems. In the examples above, a switch can allow only specific traffic between the VLANs, which improves data transfer times and allows management of devices on all subnets without exposing I/O control or other critical control traffic to unnecessary traffic. Additionally, by using VLANs and even a single router, the industrial Ethernet solution gains a means of managing traffic between the industrial network and an office, or corporate, network.
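Added example, not taken from this article or from Cisco documentation: a Cisco IOS-style sketch of the three-VLAN layout described above, with hypothetical VLAN numbers, addresses, interface names and ACL name. It assumes a Layer 3 switch and EtherNet/IP explicit messaging (TCP 44818) between the SCADA host and the PLC.

```cisco
! Assumed topology (constructed for this example):
!   VLAN 10 SCADA : HMI/SCADA hosts, engineering workstation 10.10.10.50
!   VLAN 20 PLC   : PLC primary Ethernet port 10.10.20.5
!   VLAN 30 IO    : VFDs and critical I/O; the PLC's second Ethernet card lives here
vlan 10
 name SCADA
vlan 20
 name PLC
vlan 30
 name IO
!
ip routing
!
! Access ports: each device is pinned to its own VLAN
interface GigabitEthernet1/0/1
 description SCADA-server
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet1/0/2
 description PLC-port-1
 switchport mode access
 switchport access vlan 20
interface GigabitEthernet1/0/3
 description VFD-1
 switchport mode access
 switchport access vlan 30
!
! One routed interface per VLAN; the ACL filters traffic entering from SCADA hosts
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group SCADA-OUTBOUND in
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
interface Vlan30
 ip address 10.10.30.1 255.255.255.0
!
! Allow SCADA -> PLC only on EtherNet/IP explicit messaging (TCP 44818),
! and let only the engineering workstation reach the I/O VLAN for drive
! configuration. Everything else toward PLC or I/O is denied and logged.
ip access-list extended SCADA-OUTBOUND
 permit tcp 10.10.10.0 0.0.0.255 host 10.10.20.5 eq 44818
 permit ip host 10.10.10.50 10.10.30.0 0.0.0.255
 deny   ip any 10.10.30.0 0.0.0.255 log
 deny   ip any 10.10.20.0 0.0.0.255 log
 permit ip 10.10.10.0 0.0.0.255 any
```

Traffic between the PLC's second card and the VFDs stays inside VLAN 30 and never crosses the routed interface, so the I/O subnet keeps the isolation the second Ethernet card was added for, while the logged denies give a detection point for unexpected attempts to reach it.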
