Control Network separation from Business Network

I use XP auto update, but critical updates are far from daily. Looking at my Installation History it's about 3 weeks or so, the last was 18 April 2004. Francis

Reply to
Francis

I use Linux with custom apps on a few pilot plants in R&D. No virus problems whatsoever.

Besides, there are plenty of free and open source applications for automation and control available. Check out

formatting link
and the links therein.

There are industrial grade commercial solutions, too. For example, (and I am not affiliated with them) take a look at

formatting link

Andrey

Reply to
Andrey Romanenko

Until the day comes when someone inadvertently plugs an infected laptop into the control network or otherwise crosses the two networks . . .

My control system doesn't rely on any MS products (which I think is the best protection against these sorts of thing), but even so, now that digital 'scopes, etc. are coming out running Windows, the Windows exploit of the day can still be a major hassle.

-- Steve

Reply to
despammed

If you must have the connectivity between the control and the business end of the network then look at segmenting your network with a few firewall routers. Netgear and Cisco Systems do suitable units for the average situation. A few hundred dollars worth of boxes will soon begin to provide better protection.

You will need a firewall-router for your link to the outside world (internet) and a firewall-router for each segment of your network. Keep the control stuff on segments away from the business segments.

It is a good idea to look for segmenting opportunities and closing the holes in the firewalls down to the absolute minimum needed to maintain communicability. Use NAT to hide the details of segment addressing from other segments and the internet.

There is a really excellent book by Cisco called "Internet Routing Architectures". I suggest that the System Architect for your enterprise gets themselves acquainted very soon.

Naturally, all your systems should also run anti-virus measures as well (especially if you are using PCs on the control side).

Reply to
Paul E. Bennett

I couldn't find where to do that.

Walter.

Reply to
Walter Driedger

It really is DAILY. I had a look into 'Start/settings/control panel/add or remove' and found 42 (!) entries with the name Windows XP Hotfix KBnnnnn. The reason I'm asking is with the wide variety of disguises viruses take these days, I was wondering if this is a new one.

Walter

Reply to
Walter Driedger

The lack of applications and support for Linux is closely linked to the lack of viruses for Linux. If enough people switch to Linux to attract a proper application and support industry, it will also attract a virus 'industry'.

Or is there some way in which Linux is inherently virus resistant? Historical low attack rates don't mean a thing.

Walter.

Reply to
Walter Driedger

Serge,

I used to think so too but those times are past. Here is an example: The client is a large refinery. Across the street is a commercial plant supplying us with hydrogen. It is owned and operated by a third party. Our guys want to know immediate pressure, flow, temp and purity of H2 being supplied. Solution -- they put their data on the web, we connect and open the page whenever we need it.

Another example: A natural gas gathering pipeline is supplied from many sources owned by many operators and coming on and off stream more or less at random. Central control wants to know what is going on. The old way was to build your own communications infrastructure. Now everybody within twenty miles of a cell tower connects direct to the internet and the material is gathered onto a web page.

Just like the Joy of Sex overcomes the fear of clap so the joys of open communications overcome the fear of Sasser. Our job now is to reduce the risks.

Walter.

Reply to
Walter Driedger

No problem connecting both networks together, but then it's best to have a router with firewall installed.

Process Control Network Security is another subject....

regards:

-Serge-

Reply to
Serge Simon

What I have typically seen done in the process industries is to create separate networks linked by a firewall that blocks all traffic except that which is explicitly required for the business system interface. Included in the list of blocked traffic is HTTP, SMTP and POP3 traffic, which eliminates about 95% of the virus sources out there. We also employ SecurID tokens as an authentication methodology to gain access to the process control network segments. What this means is that in addition to having a valid password you have to be in possession of the SecurID token in order to be authenticated.

Best Regards,

Greg Potter

Azimuth Solutions Inc.

Tel: 403.288.7513

Fax: 403.288.7532

Cell: 403.510.8667

Email: snipped-for-privacy@azimuth-solutions.ab.ca

Reply to
Greg Potter
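A way to write down the split Paul and Greg describe above (segments linked by a firewall that passes only the explicitly required business interface, with HTTP, SMTP and POP3 dropped) as a first-match policy you can evaluate and audit. This is an added example in Python, not code from anyone in this thread; the address plan, the historian hosts and the TCP 1433 port are constructed assumptions, and return traffic for the allowed flow is assumed to be handled by the firewall's stateful tracking.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed address plan (an assumption of this example): business LAN
# 10.10.0.0/16, control segment 172.20.5.0/24 (not 192.168.0.x), and one sanctioned
# flow, the business historian mirror 10.10.8.20 pulling from the control historian 172.20.5.10.
BUSINESS, CONTROL, ANY = (ip_network(n) for n in ("10.10.0.0/16", "172.20.5.0/24", "0.0.0.0/0"))

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    note: str

# First-match policy for the firewall between the segments: one explicit allow for
# the business interface, the web/mail ports the post names, then a catch-all deny
# so anything unlisted is dropped in either direction.
POLICY = [
    Rule("allow", ip_network("10.10.8.20/32"), ip_network("172.20.5.10/32"), "tcp", 1433,
         "historian replication: the explicitly required business interface"),
    Rule("deny", BUSINESS, CONTROL, "tcp", 80, "HTTP blocked"),
    Rule("deny", BUSINESS, CONTROL, "tcp", 25, "SMTP blocked"),
    Rule("deny", BUSINESS, CONTROL, "tcp", 110, "POP3 blocked"),
    Rule("deny", ANY, ANY, "any", None, "default deny"),
]

def decide(src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Evaluate one flow against POLICY; return (action, note) of the first match."""
    s, d = ip_address(src), ip_address(dst)
    for r in POLICY:
        if (s in r.src and d in r.dst and r.proto in ("any", proto)
                and (r.dport is None or r.dport == dport)):
            return r.action, r.note
    return "deny", "implicit default deny"

def audit(flows: List[Tuple[str, str, str, int]]) -> List[Tuple[tuple, str]]:
    """Return each dropped flow with its rule; catch-all hits show what is trying to cross."""
    return [(f, note) for f in flows for action, note in [decide(*f)] if action == "deny"]

# Constructed sample traffic: one sanctioned pull and three that must not cross.
SAMPLE_FLOWS = [
    ("10.10.8.20", "172.20.5.10", "tcp", 1433),  # sanctioned historian pull
    ("10.10.3.7", "172.20.5.10", "tcp", 80),     # browsing to a control-side web page
    ("10.10.3.7", "172.20.5.25", "tcp", 25),     # mail from the business LAN
    ("10.10.8.20", "172.20.5.10", "tcp", 445),   # SMB from the sanctioned host: not listed
]
```

Running `audit(SAMPLE_FLOWS)` drops everything except the historian pull; the SMB attempt from the otherwise sanctioned host lands on the catch-all, which is exactly the kind of entry worth reviewing.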

I would agree that a sensibly locked-down firewall/router should be provided to give a degree of separation and manageability. Dual NICs are a stop-gap or trial/beta solution not best suited for the long haul. We've previously started out on this as lowest cost (using the hardware-only yardstick!) and found it required more knowledge, sometimes easy to set up, other times difficult. It is also like software barriers, i.e. very easily forgotten or overridden and not re-activated.

In addition, if you have a control network of any size the patch and virus management issue is a serious one and we should all take a leaf out of the IT guys' book for looking after it.

Corporate deployment packages for anti-virus are readily available and are actually very suitable for control networks, once some basic research is done. There are lots of leaks and holes inside, perimeter fencing is NOT enough.

On the Windows OS patch front, there again are very good tools out there freely available from MS, assuming you can run them somewhere, which is not an issue. The SUS update server (to be improved further by WUS I think) is a godsend. Anyone who says it's a hassle or has no time to update patches needs shot; these tools are great and you can set up whatever level of automatic/approval you want - look into it. This covers a range of OS w2k onwards and includes patch management for SQL as well! This alone for me justifies upgrading to W2k/XP.

Another gripe/worry I had for years was how the AV/Patches could co-exist with the myriad of automation packages. These concerns have not been realised. In fact I am sorry to say that it is actually automation vendor version upgrades that remain a much more serious undertaking! (IMHO)

Something else which has worked nicely is rolling out the AV/SUS solution. We actually carry a small VMware W2K image with the AV/SUS which can be deployed rapidly on any available server/PC and be done very quickly.

As for complete separation, this is of course a solution, but doing this loses out on so many important benefits, there is no need to list in this thread.

Alistair.

Reply to
aross

Start|Settings|Control Panel|System|Automatic Updates tab.

Select "Turn off automatic updating; I want to update my computer manually"

BTW: If your PC is part of an Active Directory domain and you don't have the Automatic Updates tab, ask your System Admin to let you have it back! ;-)

Cameron:-)

Reply to
Cameron Dorrough

Yes.. that is a problem - and, like all security issues, if someone inside deliberately wants to stuff things up there is not a great deal you can do about it.

One way to *minimise* the chance of this happening is to:

  1. Disable DHCP, DNS, WINS (on a Control network you should, anyway)
  2. Run a non-"standard" IP address range (ie. anything other than 192.168.0.x) and
  3. Password-protect server shares so that the only people who can get access to anything are those who know what they are doing or have been told what IP settings to use on that network.

Quarantine them.. that's about the only thing that will work.

Cameron:-)

Reply to
Cameron Dorrough

Yo Martin,

you are DEAD_WRONG. When windoz machines get hacked, the perps can do whatever they want with windoz

The best thing is to use a firewall (or two) that is DIFFERENT from the firewall technology used by your MIS dept on the internet/WAN side of your operation. Otherwise hackers, once inside, know exactly how to get past your defenses, if you use identical firewall technology.

YEP, I always recommend a separate network for machines. In fact when I design and build networks for machines, no stupid human stuff, like DNS, is used. Machines do not need DNS, humans use DNS. DNS is a HUGE security hole, on ALL Microsoft networks, and even many unix based networks.

Reply to
James

Excellent prose Alistair. Many good suggestions. However, let me point out a few things. There have been numerous cases of people using wireless devices, such as phones/modems with CDPD, GPRS, CDMA, etc etc, that have been infected with malignant code. This can easily happen when these sorts of devices get software off the net, from the manufacturer or elsewhere. The FBI has several ongoing investigations into COTS (Commercial Off The Shelf) devices that have malignant software from the overseas manufacturer. No they are not going to go public with these stories, at this time.

Also, if any user inside a network runs the wrong software, inside of a network that is connected to the internet, or a wireless grid, chances are that malignant software will find its way into your network. There are solutions, but they are not for the faint-at-heart.

First, install and run a good intrusion detection software package. These sorts of software monitor the internal network for issues. They are very complex to install, collect data, analyze data, and make modifications to networks, but it works. Second, if at all possible, use linux or BSD servers on your control network. Microsoft has a very long way to go to even remotely have a secure server.

Before everyone begins throwing stones at me, please look at a few web sites that may enlighten you about real network security. Oh, and all of those vendor protocols are clear text, and are easier to hack than a loaf of white bread. The US military is moving to embedded linux in the battle space for a variety of reasons, but security is first and foremost.

Some sites of enlightenment:

formatting link

Just to mention a few

James

Reply to
James

Dual NIC. What does NIC stand for, Network Information Centre?? Is this a firewall or router or both?

Kim

Reply to
Kim

Fair enough, but we've got to 'pee with what we've got', which is the likes of DeltaV/OsiPi/Rockwell/Intellution/non-unix batch systems.. all Windows based stuff, none of which is going to get replaced.

So the diversion off to unix is not really an option, we are looking at tightening up the obvious holes, push up the security rating and not get caught out by the likes of the high profile recent worms/etc.

Hopefully, microsoft continues to tighten up things, over time and with enough effort and money..... things will get better.

On the telecoms/wireless front there is still great reluctance from a security point to authorise these technologies and I can see/agree with the logic, so for now in the process control industrial sector the wireless LAN/bluetooth/SMS/mobile has not been embraced to a high degree. We only seem to use this stuff in our home/hotels !

From the extreme security point of view, I thought/read that the biggest threat was disgruntled employees/control engr/admins,.... another topic I guess.

Regards Alistair.

Reply to
aross

> Dual NIC. What does NIC stand for Network Information Centre?? Is this

NIC = Network Interface Card

It's simply the socket

Reply to
Martin

It seems that the control software companies aren't offering Linux or Unix solutions since they feel there isn't enough market interest to justify the effort. But then, there isn't much market interest because *nix based control products aren't commonly available.

I would suspect that if a company were to come out with quality software which runs under Linux, the interest would be there. The robustness, scalability and ease of remote management would justify its use over Windows based systems. Security would also be a plus. While Linux is by no means immune to remote compromise, it is much more resistant than Windows has proven to be.

Reply to
despammed

Not correct. DKI's "AutomationX" is one that has a large customer base world-wide (and currently increasing) and there are others if you take the time to look.

I would guess that the Linux control developers out there might be insulted by your "quality software" comment.

The interest is there - but as I stated earlier, the support is not.

Cameron:-)

Reply to
Cameron Dorrough
