Overcoming network obfuscation

Some simple design guidelines and a little planning ahead can result in more straightforward communication system architecture.

By Karl Schrader October 29, 2012

Within the field of manufacturing automation, we face hurdles unique to the ways industrial control systems communicate. This often leads to piecemeal approaches to communication architecture development and installation. With a careful approach, legacy communication systems can be converted to higher performing systems, capable of providing connectivity without sacrificing security.

With the ever growing need for real-time data related to manufacturing, two of the largest concerns are accessibility and security. While these two requirements, at first glance, appear to be at odds with each other, cues can be taken from existing IT technologies which can lead to successful communication architectures.

Hurdles

In many cases (especially in discrete manufacturing) there will exist many independent networks, resident on individual machines or production lines. In a case where these independent networks are not configured to be compatible with each other, additional care will need to be taken and production downtime may be required to allow for reconfiguration of devices on the network.

With control systems, each device or control system will require proprietary software to implement the configuration changes required for the network. Knowledge and training on these individual pieces of software and hardware are required to ensure all communication configuration changes will not affect the performance of the devices on the networks.

It is important to evaluate the network you are joining to ensure the new components fit properly into the existing network architecture. Often times, the introduction of new or replacement control systems cannot be completed without integrating into these existing (sometimes legacy) systems. These systems range in complexity and performance from simple unmanaged switches and a handful of devices, to large distributed networks employing various network management protocols. It is not uncommon to find architectures that have evolved over time, employing components from various vendors and a host of layers.

In systems where no IT direction is provided by the manufacturing facility, connectivity to the production line can become obfuscated. While this obfuscation itself can provide security through difficulty of discovery, it often creates complexities in accessing the communication networks for systems and individuals requiring access. Overly complex systems can also create instabilities in connectivity, reducing the consistency of information flow to and from the production lines.

Solutions

Several security and communications companies are focusing more on the unique needs of industrial production. Several methodologies are being put forth, but ultimately it is up to the control systems engineers and IT staff to implement the right technologies for a given facility(s).

There are a few basic performance criteria that need to be considered to ensure the proper technologies are implemented.  These are not listed in order of importance.

• Throughput per segment
• Fault tolerance
• Accessibility
• User authorization/licensing
• Remote connectivity/routing
• Segmentation
• Diagnostic coverage
• Network protocol requirements
• Software patching
• Antivirus coverage
• Expandability
• Physical environment
• Power requirements, and
• On-site support requirements.

Through the application of appropriate network architecture features, a balanced approach to network architecture can be achieved. The proper planning of such systems can reduce downtime, improve control system performance, and reduce support costs for manufacturing facilities. 

Any opportunity to ease the learning curve of understanding a network architecture should be taken. Many vendors are now providing solutions which can integrate into domain structures, providing single-point management of user authorization, as well as many other security features of a network. Many tools are now available to provide visual representations and point-and-click management for network appliances.

Secure networks do not necessarily need to be complex networks. Try to avoid creating multiple access paths between networks and don’t construct tiers of networks where they are not necessary. Avoid appliances which do not integrate user management with a domain structure, as this typically leads to simplified security, leaving vulnerabilities to intrusion either accidental or malicious. Try to stay with a single family of appliances as this will shorten the learning curve for IT personnel.

In the end, there is no magic-bullet solution for architectural design of networks. Common sense plays a large role as well as familiarity with the components. Calculations will need to be made on the front end, with an eye to expandability and reliability. Communication networks are no longer simple structures with simple components. Robust communication solutions require careful planning, which will ultimately provide more simplified and higher performing results.

This post was written by Karl Schrader. Karl is a senior engineer at MAVERICK Technologies, a leading system integrator providing industrial automation, operational support and control systems engineering services in the manufacturing and process industries. MAVERICK delivers expertise and consulting in a wide variety of areas including industrial automation controls, distributed control systems, manufacturing execution systems, operational strategy, and business process optimization. The company provides a full range of automation and controls services – ranging from PID controller tuning and HMI programming to serving as a main automation contractor. Additionally MAVERICK offers industrial and technical staffing services, placing on-site automation, instrumentation and controls engineers.