Experts say there are ways to handle those concerns, and that there are concerns you may never have thought of.
“When you connect your plant floor network to the office network, of course, you’re concerned about who should have access to the plant floor,” notes Jeremy Bryant, industrial networking specialist, Siemens Automation and Motion Division, Norcross, Ga. “Fortunately, there are ways to provide the needed security. For instance, you can use industrial firewall devices, which can simply be configured to control who is allowed to come in and out.”
This, he says, is the same proven technology used on the business level, simply in an industrial form factor. “You can not only control who can come in and out, but also where they can go on your network. You can get as strict as you want.”
Switches can be used to control unwanted broadcast traffic, says Bryant, “but make sure your switch has the proper functionality to handle multicast messaging. It’s not all that complex. You just have to make sure you have the right kind of switch.”
“There are ways to handle broadcast traffic with firewalls and routers,” agrees David Bauman, technical director for OMAC, the Open Modular Architecture Control Users Group, but he stresses the need to be diligent about effectively segregating the plant floor from the office. “Many control systems, especially legacy systems, don’t have the level of security that you typically get in your PC-type systems. Be aware that when you hook a controller up to Ethernet, it doesn’t necessarily have the level of options about creating user accounts and passwords and that type of thing, which you expect in an office system.”
Dave Chappell, OMAC Make2Pack chairman and head of Compete Manufacturing Automation Associates LLC, in West Chester, Ohio, notes that virtual local area networks (VLANs) can work very well in protecting plant floor systems if they are correctly implemented and maintained. But for him, that’s a big if. “If the switch that contains the virtual LAN configuration fails, you take it out and replace it with another, but you must also replace that configuration. We have seen instances where that did not get successfully done, and it took months to figure out why problems were starting to occur in the application on the factory floor. These sorts of problems are not necessarily obvious. They may be incredibly intermittent, very tough to pin down, and that’s one of the dangers of relying on a configured network—unless you have the proper safeguards in place for its maintenance.”
Chappell says he prefers to segregate the plant floor network with separate physical devices. “It costs a little more, but it is much more robust on the maintenance side, and the cost of those devices is negligible compared to the cost of interrupted production that occurs when you are trying to figure out intermittent and non-obvious disruptions to your network that have the appearance of a logic flaw in an application. The owners of the applications generally are not the same people who would have replaced the switch, and there often is a significant time between the replacement of the switch and problems becoming evident.”
Another mechanism that Chappell favors is the use of non-routable IP addresses for factory-floor equipment, that is, addresses that are never passed through a router but exist only within the factory-floor network. “There are differing views on this. The IT (information technology) organization wants everything to be routable and accessible from their corporate central data point. However, once you make something exposed to the network and people find they can get to it, oftentimes they will—excessively.”
Chappell cites an instance he observed where a manager discovered how to access factory floor data with his Excel program, and slowed processors to a crawl while doing it. “Again, this can create disruptions that are not easy to diagnose. Your packaging operator may say ‘I don’t know why, but every second Tuesday, the machine jams,’ and that turns out to be the day a particular manager runs all of his reports, sucking data out of the equipment at such a rate that it overloads. Diagnosing these things can be very difficult, so rather than creating environments where these sorts of things can occur, I prefer to put the production systems in a protected environment that is more manageable.”
