Today is...
Saturday, December 20, 2014
Welcome to Control.com, the global online
community of automation professionals.
Advertisement
Featured Video...
Featured Video
A quick introduction to EtherCAT for motion control and I/O...
Advertisement
Our Advertisers
Help keep our servers running...
Patronize our advertisers!
Visit our Post Archive
Networking PLC network to company network
Tips wanted on the best way to network PLC network to company network

Hi,

I would like to connect our PLC TCP/IP network to our company network so that I can monitor/backup PLC programs from my office. At the moment the compant has 3 SCADA PC's running XP Pro that have 2 network cards 1 for the PLC network and the other for the company network. Is it possible to set up XP Pro to act as router so that I don't have to buy a switch. If I have to go down the switch option does it have to be an industrial ethernet switch?

One thing I am worried about is the security of the PLC network. Should I have a sepearte firewall for the PLC network so that only PC's in my office have access to it?
Any help/tips you could give me would be gratefully appreciated. Thanks in advance.

By Anonymous on 21 May, 2005 - 1:52 pm

Hi,

Security wise i would not recommend connecting your PLC network to your company one. If you have to monitor it remotely setup a secure terminal server and firewall to only allow your company IP range.

By Jonas Berge on 23 May, 2005 - 6:41 pm

I agree. To learn about the measures you would need to take to do it, take a look at chapter 10 of the book "Software for Automation: Architecture, Integration, and Security". Preview, see contents, and buy online:
http://www.isa.org/autosoftware

Jonas Berge
SMAR
===========
jberge@smar.com.sg
www.smar.com
Learn fieldbus and Ethernet at your own pace: www.isa.org/fieldbuses
Learn OPC and automation software at your own pace: www.isa.org/autosoftware

If you have an old pc, check out the following site http://www.freesco.org/

I am running this on out network to acheive the same outcome that your are after. Security wise it will definately keey the prying eyes out of your PLC /Scada network.

P.S I also have our FREESCO Box running of a compact flash card, this work a treat..

Regards Matthew

By Jiri Baum on 22 May, 2005 - 2:33 pm

Hello RM,
Yeah, I definitely would recommend a firewall, but it won't fit into the layout as you described it; it should go between the office and PLC networks, but you already have multiple machines straddling that!

The firewall machine should probably use a different operating system, so that it's not susceptible to the same viruses as the rest of the office network... As well as the usual firewall settings (ports, IPs), I would also recommend rate-limiting, so that it won't flood your PLC network no matter what. (For instance, if a badly-written worm is scanning the network for hosts to infect...) Some firewalls can also filter based on Modbus command, so if you're using Modbus, you might want to restrict it to the read and status commands, and disallow write commands. That depends on your application.

Jiri
--
Jiri Baum <jiri@baum.com.au> http://www.csse.monash.edu.au/~jirib
MAT LinuxPLC project --- http://mat.sf.net --- Machine Automation Tools

By Gustavo A. Valero P. on 23 May, 2005 - 11:22 pm

I think your options are these:

1) As you want... you could convert your PC to a router but, it's not possible using Windows XP, you must use Windows NT/2000/2003 instead. Later, configure RRAS option later and create/set some ACLs on the server.

The ACLs will act as your firewall very well. All this can take you some time!

2) Separate your networks by using different IP ranges (e.g. 192.168.x.x for PLCs network and/or 192.168.y.y for company network) and use a Switch for each network (to avoid collisions/traffic).

In this case, no PCs from company network will gain access in any way to PLCs network (and vice versa) due to there is no a gateway/router able to communicate/link both networks.

3) To use the other options that other users have given you.

I hope it helps.

Saludos.

Gustavo A. Valero P.
BIConsulting C.A.
Valencia - Venezuela
gustavo.valero@biconsulting.com

you can use an off-the-shelf router (Linksys, Netgear, etc.). give it a static IP address for the WAN/company network side, and make the LAN side participate in the PLC network (disable the DHCP server, and assign static IP addresses to the PLCs, or use BOOTP).

set the admin password in the router to something other than the default.

set up port forwarding in the router to for each PLC. check the default TCP port number for each, and modify the programming software interface to use different port numbers for each PLC, and forward these ports to the PLC IP addresses.

everyone will tell you that security is a big deal, but i've had my servers, workstations, and laptops sitting behind a $30 Netgear router at home for the last 10 years... never been hacked, infected, wormed, etc.

cpantusa@magnumengineering.com