Control Network separation from Business Network

All,
Following this week with the Sasser virus we had to shut our plant down as our process control workstations, Rockwell's RSView32 and RSViewSE terminals, were infected. Currently all the PLC's at my plant and RSView terminals are connected on the same network as the business network. The RSView terminals are connected no differently from a normal desktop PC network connection. Following the downtime caused this week by this virus I have been asked to separate the two networks. However, there are some applications that need to access the business network, such as SQL queries. I am no IT expert and want to know if there is a way of somehow adding additional security to the network so these terminals are separated from normal network traffic but certain applications are still allowed to pass through the network?
Thanks,
Kim
snipped-for-privacy@austarent.com.au
Hello,

Double firewalling with explicit port management. Everything else should be disabled.
Andrey
We put the PC's, PLC's, barcode scanners and other devices on their own physical network. Any PC's that need access to the "business network" are equipped with a second NIC. The addressing schemes of the two networks are completely different (we use 192.168.x.x for the process control network).


The problem is that this still leaves your control network open to virus attack and other nasties by being able to "tunnel" from one NIC to the other using an infected PC as a gateway.
I would never recommend that anyone physically connect a control network to a business network, especially not an Internet-connected one, although if you must do so, use a Cisco (or similar) router with a hardware firewall and lock it down real tight...
The best option is still to keep the networks physically separate. If you need SQL and other connections to the business side, set up a dedicated point-to-point comms link (eg. high-speed RS232, ISDN, or E1) to do it. It's *far* better to be safe than sorry..
JMHO, Cameron:-)
On Thu, 6 May 2004 10:03:16 +1000, "Cameron Dorrough"

I don't claim to be the world's greatest expert on this, but it's my understanding that, unless the PC with the dual NICs is specifically set up to forward packets from one NIC to the other, it is physically impossible for anything to cross between them. Another way of looking at it is, one NIC doesn't even know the other one exists. It would seem to me that this is even better than a router (which could be compromised by someone who knew or could crack the password).
If I'm wrong on this, I would appreciate someone enlightening me.


I'm no expert either, but I can readily imagine that if the PC with the two NICs gets infected, then the virus has two possible ways to travel...
Proper routers (with hardware firewall, and the rest of it) usually don't run Windows OS and so are pretty difficult to "infect". There are so many Windows PC's around the world plugged straight into the Internet that no schoolkid in his right mind would waste his time writing a virus that targets one particular brand/model router and nothing else.
Hacking (cracking passwords) is a different issue again.. and yet another very good reason for physical segregation.
Cameron:-)
I still have a question, and I am researching and learning much about routers and firewalls. If I have two computers connected to each other through a router and firewall with permissions granted for their communication, let's say one of them gets infected with a virus; the other PC will also be infected as the communication path is open. Am I correct in assuming this?
On Thu, 6 May 2004 14:39:01 +1000, "Cameron Dorrough"


Consider a simplified network:
Host A, Control Network | firewall | "Buffer" network | firewall | Business network, Host B | firewall | Internet
Suppose, also, that the only destination TCP/IP port on which a connection between hosts A and B is possible is 502 (openmodbus). Then, even if host B is infected, there will be no communication means that would propagate the virus/worm to host A except the allowed port 502. This doesn't preclude infection/exploit if the software running on this port is buggy. However, generic exploits targeting operating system vulnerabilities are more common than those targeting specific control software. It is quite desirable to disable port 502 as well as other unused ports on the firewall between the Internet and the business network. Any technical security measures should not be considered as a panacea for viruses and other types of disruption. Just think of a situation when an employee plugs a laptop into the control network and establishes a dial-up connection elsewhere, or simply brings a CD with an infected game to play on the DCS host computer.
Andrey
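As an added example, not part of the thread: a small Python model of the stateful, default-deny allowlist Andrey describes, which also answers Kim's earlier question about two hosts with an open path. It opens only the TCP 502 rule from the post plus an assumed TCP 1433 rule for the SQL queries Kim needs; the addresses and sample packets are constructed.

```python
from collections import namedtuple
# Constructed addresses: host A on the control network, host B on the business side.
HOST_A, HOST_B = "10.10.1.5", "172.16.4.20"
Packet = namedtuple("Packet", "src sport dst dport proto flags")

# Connections the control-side firewall may open: (src, dst, proto, dport).
# TCP 502 (Modbus) lets B poll A as in the post; TCP 1433 (SQL Server) is an
# assumed rule for the SQL queries Kim needs. Everything else is default-deny.
ALLOW_NEW = {
    (HOST_B, HOST_A, "tcp", 502),
    (HOST_A, HOST_B, "tcp", 1433),
}

class Firewall:
    def __init__(self, allow_new):
        self.allow_new = allow_new
        self.conns = set()  # (client, cport, server, sport) of accepted flows

    def decide(self, pkt):
        """Return 'ACCEPT' or 'DROP' for one packet, tracking accepted flows."""
        if pkt.proto != "tcp":
            return "DROP"  # nothing but TCP is ever allowed through
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            # New connection: only an explicit allowlist entry may open one.
            if (pkt.src, pkt.dst, pkt.proto, pkt.dport) in self.allow_new:
                self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "ACCEPT"
            return "DROP"
        # Mid-connection packet: accept only if it belongs to an accepted flow,
        # in either direction. A stray ACK with no prior SYN is dropped.
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ACCEPT" if fwd in self.conns or rev in self.conns else "DROP"

def run_scenarios():
    """Feed constructed sample traffic through the filter; returns {label: verdict}."""
    fw = Firewall(ALLOW_NEW)
    samples = [
        ("modbus_poll", Packet(HOST_B, 40001, HOST_A, 502, "tcp", {"SYN"})),
        ("modbus_reply", Packet(HOST_A, 502, HOST_B, 40001, "tcp", {"SYN", "ACK"})),
        ("sql_query", Packet(HOST_A, 50010, HOST_B, 1433, "tcp", {"SYN"})),
        ("worm_scan", Packet(HOST_B, 3310, HOST_A, 445, "tcp", {"SYN"})),  # Sasser spread over TCP 445
        ("stray_ack", Packet(HOST_B, 3311, HOST_A, 502, "tcp", {"ACK"})),
        ("udp_probe", Packet(HOST_B, 3312, HOST_A, 502, "udp", set())),
    ]
    return {label: fw.decide(pkt) for label, pkt in samples}

if __name__ == "__main__":
    for label, verdict in run_scenarios().items():
        print(f"{label:13s} {verdict}")
```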
Martin wrote:

Yo Martin,
you are DEAD_WRONG. When windoz machines get hacked, the perps can do whatever they want with windoz.

The best thing is to use a firewall (or two) that is DIFFERENT from the firewall technology used by your MIS dept on the Internet/WAN side of your operation. Otherwise hackers, once inside, know exactly how to get past your defenses if you use identical firewall technology.

YEP, I always recommend a separate network for machines. In fact, when I design and build networks for machines, no stupid human stuff, like DNS, is used. Machines do not need DNS, humans use DNS. DNS is a HUGE security hole on ALL Microsoft networks, and even many unix based networks.
Martin,
From what I understand you install two network cards into a PC, one connected to a business network and the other connected to the process controls network. Does this still leave the network open to virus threats if infected? How is this better than a router?

Yes, it leaves it open to a virus and, no, it's no better than a router. I didn't fully understand that before reading this thread.
The reason we put two NICS in is to isolate the traffic on the two networks from one another - much the same as a router does but cheaper (one less piece of hardware).
But, if a virus comes in on either network, it's going to be able to propagate on to the "other" network. Anti-virus software is probably the best thing to fight that with.

Kim wrote:

The point is that this PC with two NIC's in it should be set up only as a Firewall and Router and nothing else. For a business setting you may as well buy firewall router boxes unless you happen to be overflowing at the ears with unwanted PC's and NIC's.
Go read up on networking topologies and routing strategies in the book I recommended a few posts back.
--
********************************************************************
Paul E. Bennett ....................<email://peb@a...>
Kim wrote:

Cisco and Netgear (and probably a number of others) do Routers that, when configured properly, may have helped to prevent the spread of the virus to the whole network (mainly by limiting the portals traffic to specified users only).
--
********************************************************************
Paul E. Bennett ....................<email://peb@a...>

Microsoft issued the patch for the hole exploited by Sasser on 12-April. While I agree with all of the other replies that the networks should be physically separated, it is also your (and Rockwell's) responsibility to be proactive at installing these patches on any system using a vulnerable operating system.
--Gene

With due respect, this fails to acknowledge the difficult reality of keeping up with these unpredictable patches on a 24 hours/day process control environment where a significant disturbance can cost millions of dollars and any significant outage is unthinkable.
This raises a concern. I have been getting notices from MS on a daily basis lately (XP). Are these really valid or is this some new kind of scam? If they are valid, how can my segregated control network keep up since we won't be on the 'net? And if there is a safe way of keeping up, how do I KNOW this won't cause a system crash? If it happened immediately and we staged the updates of the units, this wouldn't be so bad, but what if it were a delayed crash?
This is getting kind of scary.
Walter.


It's a scam.
The bottom line is that, if your network is not connected to the internet in any way, then you are unlikely to have the security issues these "patches" fix - and indeed sometimes installing these patches can actually *cause* problems.
Short of installing the usual Service Packs for system stability, you should not need to touch your Control PCs.
"If It Works, Don't Fix It!" still holds true...
Cameron:-)
Sorry, I wasn't clear. My home PC gets daily MS updates. Is that a scam?
If not, how can I keep a control, non-connected PC updated? Not all of these patches are virus related. You can't keep skipping them forever. How can you keep a control PC up-to-date?
Walter.


You have allowed Windows Update to run as a service. It checks in with the mothership in Redmond periodically looking for updates. You can configure W/U to simply inform you of updates, rather than going ahead and installing them without asking.
Any patch is available for download from the MS web site. It helps to know the "KB", or Knowledge Base, number for the patch you want. Download necessary patches on a web-connected machine, burn them to a CD-R, and walk them over to the unconnected PC.
--Gene

Walter, the daily updates from MS (the "Windows Update" thingy) are mostly security patches and have little to do with reliable operation of the PC. If you have a specific problem fixed by a patch you can install that one as a fix, but otherwise if your Control PC is not connected to the Internet and working happily you should not need them.
Every so often (on a roughly yearly basis with XP) M$ release "Service Packs" which contain all the major bugfixes they've found - and these are the only "patches" you need to keep your PC "up-to-date".
The best reason *not* to install these "patches" on a Control PC is that the HMI software you are likely running has not been tested with these updates - only with the Service Packs - so it is quite possible to stuff your Control PC just trying to keep it "up to date". (Hey, you don't install new HMI software every day do you?)
You should be running the latest Service Packs, but you don't need the updates. If they find a major bug that will crash your PC, M$ will release another Service Pack containing all the required patches.
The first thing I do (even with the computers here in the office) is turn off the Windows Update features from the XP Control Panel. That way, at least I have some control over what was loaded the instant the PC crashed.
Hope this helps, Cameron:-)

Polytechforum.com is a website by engineers for engineers. It is not affiliated with any of manufacturers or vendors discussed here. All logos and trade names are the property of their respective owners.