Securing network security

Industrial network security is increasingly focusing on networks as they continue to evolve beyond their historical isolation. Networks are making themselves and their data accessible via Ethernet TCP/IP, IT-related systems, and/or the Internet, and are facing the inherent vulnerabilities of these technologies.


Industrial network security is increasingly focusing on networks as they continue to evolve beyond their historical isolation. Networks are making themselves and their data accessible via Ethernet TCP/IP, IT-related systems, and/or the Internet, and are facing the inherent vulnerabilities of these technologies. The question is how can users access their networks remotely without exposing themselves to unauthorized intrusions?

To begin improving security, managers, control engineers and system administrators must first think of their network as a whole, and become aware of their company-wide infrastructures. It's useful to literally sketch out the entire network; take an inventory of everything connected to the network; and then ask "Is this network linked to a company intranet or to the Internet?" and "Is the network completely hardwired or are there wireless components?" Next, managers should check what security measures are presently available, and make sure they're enabled and operating.

Routers rule

Undoubtedly the most important tool for increasing security is having a router/firewall between local networks and larger systems, especially those tied to the Internet. While switches operate at the data link layer (layer 2), routers generally operate at the network layer (layer 3) with most routers handling TCP/IP messages. A router/firewall matches private Internet addresses with data requests, allowing through only specified messages. Very few unauthorized messages get through routers.

Another security question is: "Will the highly repeatable communications on the plant floor be able to handle corporate-level data transfer sizes and bandwidth? To manage these communications, many users employ switches with broadcast storm control capabilities, which block broadcasts from overly noisy ports.

Also, these switches assign slightly different bandwidths for accessing each port on a network. This ensures that each device gets only the messages it's supposed to receive.

VLANs vital

Beyond basic routing, some users implement virtual local area networks (VLANs) between their plant-floor networks and office systems. Located in the switches' hardware, VLANs block unauthorized messages between network ports.

In fact, two VLANs overlapping to a specific degree can share data if, for example, a device on the factory floor also sits on the corporate VLAN. This exposes only one device to potential vulnerabilities, and leaves other devices protected.

Yet another option is to simply install an additional router between two locations, which can be dedicated solely to sending data between them. This security strategy doesn't mask addresses, but it too allows only specific traffic between plant-floor addresses and office addresses. This method is similar to a VLAN, but instead uses the added router to do its job.

Check connected PCs

Back on the infrastructure side, network managers must also be cautious about what devices might be using up available bandwidth on the plant-floor. Ethernet switches are designed to be very inviting, and someone plugging into an available RJ-45 port can potentially hinder or damage manufacturing processes with unauthorized or untested network traffic.

So, besides checking the security of one's own network, managers also must be careful about the protocols used on PCs and laptops that may connect to switches on their plant-floor network. Managers can test new software or devices by running a plant-floor network in safe mode or by setting up small test networks.

Bennet Levine, R&D manager Contemporary Controls,

Locking in security to-do list

Think of network as a whole, and sketch it out—literally

Inventory what network is connected to—Internet? Wireless?

Check for existing security features, and make sure they're enabled

Install router switch/firewall between plant-floor network and other networks

Enable router's broadcast storm control capability

Use virtual local area networks (VLANs) to block unauthorized messages between ports

Overlap two VLANs to allow specific data sharing

Use additional dedicated router to allow only authorized traffic between two networks

Test PCs and laptops plugging into plant-floor network

No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Motor specification guidelines; Understanding multivariable control; Improving a safety instrumented system; 2017 Engineers' Choice Award Winners
Selecting the best controller from several viewpoints; System integrator advice for the IIoT; TSN and real-time Ethernet; Questions to ask when selecting a VFD; Action items for an aging PLC/DCS
Robot advances in connectivity, collaboration, and programming; Advanced process control; Industrial wireless developments; Multiplatform system integration
Motion control advances and solutions can help with machine control, automated control on assembly lines, integration of robotics and automation, and machine safety.
This article collection contains several articles on the Industrial Internet of Things (IIoT) and how it is transforming manufacturing.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Future of oil and gas projects; Reservoir models; The importance of SCADA to oil and gas
Big Data and bigger solutions; Tablet technologies; SCADA developments
SCADA at the junction, Managing risk through maintenance, Moving at the speed of data
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
click me