Control Network separation from Business Network

All,

Following this week with the Sasser virus we had to shut our plant down as our process control workstations, Rockwell's RSView32 and RSViewSE terminals, were infected. Currently all the PLC's at my plant and RSView terminals are connected on the same network as the business network. The RSView terminals are connected no differently from a normal desktop PC network connection. Following the downtime caused this week by this virus I have been asked to separate the two networks. However there are some applications that need to access the business network, such as SQL queries. I am no IT expert and want to know if there is a way of somehow adding additional security to the network so these terminals are separated from normal network traffic but certain applications are still allowed to pass through the network?

Thanks,

Kim

snipped-for-privacy@austarent.com.au

Reply to
Kim

Double firewalling with explicit port management. Everything else should be disabled.

Andrey

Reply to
Andrew Romanenko

We put the PC's, PLC's, barcode scanners and other devices on their own physical network. Any PC's that need access to the "business network" are equipped with a second NIC. The addressing schemes of the two networks are completely different (we use 192.168.x.x for the process control network).

Reply to
Martin

Cisco and Netgear (and probably a number of others) do Routers that, when configured properly, may have helped to prevent the spread of the virus to the whole network (mainly by limiting the portals traffic to specified users only).

Reply to
Paul E. Bennett

The problem is that this still leaves your control network open to virus attack and other nasties by being able to "tunnel" from one NIC to the other using an infected PC as a gateway.

I would never recommend that anyone physically connect a control network to a business network, especially not an Internet-connected one, although if you must do so, use a Cisco (or similar) router with a hardware firewall and lock it down real tight...

The best option is still to keep the networks physically separate. If you need SQL and other connections to the business side, set up a dedicated point-to-point comms link (eg. high-speed RS232, ISDN, or E1) to do it. It's *far* better to be safe than sorry..

JMHO, Cameron:-)

Reply to
Cameron Dorrough

I don't claim to be the world's greatest expert on this but it's my understanding that, unless the PC with the dual NICs is specifically set up to forward packets from one NIC to the other, it is physically impossible for anything to cross between them. Another way of looking at it is, one NIC doesn't even know the other one exists. It would seem to me that this is even better than a router (which could be compromised by someone who knew or could crack the password).

If I'm wrong on this, I would appreciate someone enlightening me.

Reply to
Martin

Microsoft issued the patch for the hole exploited by Sasser on 12-April. While I agree with all of the other replies that the networks should be physically separated, it is also your (and Rockwell's) responsibility to be proactive at installing these patches on any system using a vulnerable operating system.

--Gene

Reply to
Gene S. Berkowitz

I'm no expert either, but I can readily imagine that if the PC with the two NICs gets infected, then the virus has two possible ways to travel...

Proper routers (with hardware firewall, and the rest of it) usually don't run Windows OS and so are pretty difficult to "infect". There are so many Windows PC's around the world plugged straight into the Internet that no schoolkid in his right mind would waste his time writing a virus that targets one particular brand/model router and nothing else.

Hacking (cracking passwords) is a different issue again.. and yet another very good reason for physical segregation.

Cameron:-)

Reply to
Cameron Dorrough

With due respect, this fails to acknowledge the difficult reality of keeping up with these unpredictable patches on a 24 hours/day process control environment where a significant disturbance can cost millions of dollars and any significant outage is unthinkable.

Reply to
bruce varley

This raises a concern. I have been getting notices from MS on a daily basis lately (XP). Are these really valid or is this some new kind of scam? If they are valid, how can my segregated control network keep up since we won't be on the 'net? And if there is a safe way of keeping up, how do I KNOW this won't cause a system crash? If it happened immediately and we staged the updates of the units, this wouldn't be so bad, but what if it were a delayed crash?

This is getting kind of scary.

Walter.

Reply to
Walter Driedger

It's a scam.

The bottom line is that, if your network is not connected to the internet in any way, then you are unlikely to have the security issues these "patches" fix - and indeed sometimes installing these patches can actually *cause* problems.

Short of installing the usual Service Packs for system stability, you should not need to touch your Control PCs.

"If It Works, Don't Fix It!" still holds true...

Cameron:-)

Reply to
Cameron Dorrough

Sorry, I wasn't clear. My home PC gets daily MS updates. Is that a scam?

If not, how can I keep a control, non-connected PC updated? Not all of these patches are virus related. You can't keep skipping them forever. How can you keep a control PC up-to-date?

Walter.

Reply to
Walter Driedger

I've been reading this thread with interest, and I have a question:

Has there been any activity in using Linux on the process control side? The Linux freaks (er -- aficionados (er -- users)) would certainly tell you that it has potential for being a robust solution.

Reply to
Tim Wescott

You have allowed Windows Update to run as a service. It checks in with the mothership in Redmond periodically looking for updates. You can configure W/U to simply inform you of updates, rather than going ahead and installing them without asking.

Any patch is available for download from the MS web site. It helps to know the "KB", or Knowledge Base, number for the patch you want. Download necessary patches on a web-connected machine, burn them to a CD-R, and walk them over to the unconnected PC.

--Gene

Reply to
Gene S. Berkowitz

Walter, the daily updates from MS (the "Windows Update" thingy) are mostly security patches and have little to do with reliable operation of the PC. If you have a specific problem fixed by a patch you can install that one as a fix, but otherwise if your Control PC is not connected to the Internet and working happily you should not need them.

Every so often (on a roughly yearly basis with XP) M$ release "Service Packs" which contain all the major bugfixes they've found - and these are the only "patches" you need to keep your PC "up-to-date".

The best reason *not* to install these "patches" on a Control PC is that the HMI software you are likely running has not been tested with these updates - only with the Service Packs - so it is quite possible to stuff your Control PC just trying to keep it "up to date". (Hey, you don't install new HMI software every day do you?)

You should be running the latest Service Packs, but you don't need the updates. If they find a major bug that will crash your PC, M$ will release another Service Pack containing all the required patches.

The first thing I do (even with the computers here in the office) is turn off the Windows Update features from the XP Control Panel. That way, at least I have some control over what was loaded the instant the PC crashed.

Hope this helps, Cameron:-)

Reply to
Cameron Dorrough

So, in this particular case, there WAS a disturbance AND a significant outage, due to a PREVENTABLE security hole.

Keeping up with difficult realities is the maintenance cost of using control systems based on consumer off-the-shelf hardware and software, in order to reduce up-front costs.

Millions of people check their stock portfolio every day at work; it isn't any more difficult to keep abreast of the latest vulnerabilities.

MS has been working harder lately to develop a patch as soon as a vulnerability is described, but before it is widely published. The Sasser worm appears to have been released AFTER the patch was. The virus writers keep up with the technology; so should the rest of us.

--Gene

Reply to
Gene S. Berkowitz

I think AutomationX is still out there somewhere - and I'm sure there are others. "Freshwater Shark" was pushing it pretty hard here not that long ago. ;-)

The biggest hurdle with Linux has nothing at all to do with the robustness of the OS as such and more to do with getting people to support it. The fact that most everyone is familiar with Windows makes it pretty easy for HMI developers to sell software for it..

Linux used to have a bigger edge back when Windoze used to crash all the time - but Win2k and XP are pretty stable now, so Linux doesn't have as much going for it as it used to - but with so many people getting sick of M$, things may well change in the near future...

Cameron:-)

Reply to
Cameron Dorrough

Hmmm, I really find it hard to believe/understand how one can mix up plant and process control networks. This is close to suicide... if I only think of how many times the plant network was not available, due to worm and virus stuff (and also "self-made" user fiddling....)

good luck:

-Serge-

Reply to
Serge Simon

I work for a large organization that has an IT department that was still testing the update for the Sasser virus when we were stuck. They would not let us put the update on their network without proper testing. Frustrating, as it caused much more trouble than the patch.

The controls network is connected to the main network as the control system is fully integrated into the business network. Having a completely separate control network is not an option as many of the reports we generate communicate to the business systems, i.e. material costs, recipes, bill of materials etc.

The system is connected directly to the business network with no firewall or router, and hence this is how the control system was shut down by the Sasser virus. I am looking into a firewall and/or router but am still not sure which is the best way to go.

Kim

Reply to
Kim
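Andrey's "explicit port management, everything else disabled" and Kim's requirement that only the SQL reports cross the boundary can be expressed as an allow-list firewall policy. The ruleset below is an added example for a firewall placed between the two networks, not code from this thread or from any of the products mentioned; the addresses, the single reporting HMI and the SQL Server port 1433 are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: allow-list policy on a firewall sitting between the
# control network and the business network. Addresses are assumptions,
# picked to match the thread (192.168.x.x on the control side).
flush ruleset

define CONTROL_NET   = 192.168.10.0/24   # assumed: PLCs and RSView HMIs
define HMI_REPORTING = 192.168.10.21     # assumed: the one HMI that runs the SQL reports
define SQL_SERVER    = 10.1.5.40         # assumed: business-side SQL Server

table inet plant_edge {
    chain forward {
        # default policy: everything not explicitly allowed is dropped
        type filter hook forward priority 0; policy drop;

        # replies to connections the control side opened are allowed back
        ct state established,related accept

        # the only business-side service reachable from the control side:
        # SQL Server (TCP 1433), and only from the reporting HMI
        ip saddr $HMI_REPORTING ip daddr $SQL_SERVER tcp dport 1433 ct state new accept

        # nothing on the business network may open a connection into the
        # control network (this is the path a worm on a desktop PC would take)
        ip daddr $CONTROL_NET ct state new log prefix "plant_edge inbound drop: " drop

        # log what the control side tries and is refused, so any new
        # application that genuinely needs a port shows up in the logs
        ip saddr $CONTROL_NET log prefix "plant_edge outbound drop: " drop
    }
}
```

Every extra application that later needs to cross the boundary gets its own one-line accept rule naming source, destination and port; the two log rules tell you which ones are being asked for before anything is opened up.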

You want both - combined.

Try the SnapGear SME530 from

formatting link
buy a Cisco-pretty-much-anything.

Cameron:-)

Reply to
Cameron Dorrough
