Control Network separation from Business Network

Hm. Looks interesting. Especially since I'd like to 'retire' to Australia and China and such...
But, it's microsoft-based, and I'm solidly a linux/gnu/unix partisan. As
is most of this shop, so I think I'll not bring this one up...8)
---------------------------

It seems that the control software companies aren't offering Linux or Unix solutions since they feel there isn't enough market interest to justify the effort. But then, there isn't much market interest because *nix based control products aren't commonly available.
I would suspect that if a company were to come out with quality software which runs under Linux, the interest would be there. The robustness, scalability and ease of remote management would justify its use over Windows based systems. Security would also be a plus. While Linux is by no means immune to remote compromise, it is much more resistant than Windows has proven to be.
--
Steve



wrote:

Not correct. DKI's "AutomationX" is one that has a large customer base world-wide (and currently increasing) and there are others if you take the time to look.

I would guess that the Linux control developers out there might be insulted by your "quality software" comment.
The interest is there - but as I stated earlier, the support is not.
Cameron:-)
What I have typically seen done in the process industries is to create separate networks linked by a firewall that blocks all traffic except that which is explicitly required for the business system interface. Included in the list of blocked traffic is HTTP, SMTP and POP3 traffic, which eliminated about 95% of the virus sources out there. We also employ SecurID tokens as an authentication methodology to gain access to the process control network segments. What this means is that in addition to having a valid password you have to be in possession of the SecurID token in order to be authenticated.
Best Regards,
Greg Potter
Azimuth Solutions Inc.
Tel: 403.288.7513
Fax: 403.288.7532
Cell: 403.510.8667
Email: snipped-for-privacy@azimuth-solutions.ab.ca
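The design Greg describes is an allowlist at the business/control boundary: nothing crosses unless a rule names it, and the named exceptions are only the business-system interface flows. The following is an added example, not code from the thread or any product; the addresses, the historian host and the port 1433 interface rule are constructed assumptions used to show how a default-deny policy classifies sample flows.

```python
"""Default-deny policy between a business LAN and a process-control segment.

Added example, not code from the thread. All hosts, ports and flows below
are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

BUSINESS_LAN = ip_network("10.10.0.0/16")   # assumed business network
CONTROL_LAN = ip_network("10.200.0.0/24")   # assumed control segment
HISTORIAN = ip_address("10.200.0.5")        # assumed historian in the control LAN
BIZ_CLIENT = ip_address("10.10.5.20")       # assumed business-side interface host

# The only flows the business/control interface needs: an explicit allowlist.
# HTTP, SMTP, POP3, file sharing and anything else not listed fall through to deny.
ALLOW = [
    # (src host, dst host, proto, dst port, description)
    (BIZ_CLIENT, HISTORIAN, "tcp", 1433, "historian data pull (assumed port)"),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def crosses_boundary(flow: Flow) -> bool:
    """True when the flow passes between the business and control segments."""
    s, d = ip_address(flow.src), ip_address(flow.dst)
    return (s in BUSINESS_LAN and d in CONTROL_LAN) or (s in CONTROL_LAN and d in BUSINESS_LAN)


def decide(flow: Flow) -> str:
    """Return 'allow' or 'deny' for a new connection seen at the boundary firewall."""
    if not crosses_boundary(flow):
        return "allow"  # traffic inside one segment never reaches this firewall
    s, d = ip_address(flow.src), ip_address(flow.dst)
    for src, dst, proto, dport, _desc in ALLOW:
        if s == src and d == dst and flow.proto == proto and flow.dport == dport:
            return "allow"
    return "deny"  # default deny: no explicit rule, no traffic


# Constructed sample flows: one required interface flow plus typical virus vectors.
SAMPLE_FLOWS = [
    Flow("10.10.5.20", "10.200.0.5", "tcp", 1433),  # required interface -> allow
    Flow("10.10.7.3", "10.200.0.5", "tcp", 80),     # HTTP from a business desktop -> deny
    Flow("10.10.5.20", "10.200.0.9", "tcp", 25),    # SMTP into the control LAN -> deny
    Flow("10.200.0.5", "10.10.5.20", "tcp", 110),   # POP3 initiated from control -> deny
    Flow("10.200.0.5", "10.200.0.7", "tcp", 502),   # stays inside the control LAN -> allow
]


def audit(flows=SAMPLE_FLOWS):
    """Classify each flow; returns (flow, verdict) pairs for review."""
    return [(f, decide(f)) for f in flows]


if __name__ == "__main__":
    for f, verdict in audit():
        print(f"{verdict:5} {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

Note that the interface flow is allowed only from the one named business host to the one named control host; a second business machine using the same port still hits the default deny.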

I would agree that a sensibly locked down firewall/router is provided to provide a degree of separation and manageability. Dual NICs are a stop-gap or trial/beta solution not best suited for the long haul. We've previously started out on this as lowest cost (using the hardware-only yardstick!) and found it required more knowledge, sometimes easy to set up, other times difficult. It is also like software barriers, i.e. very easily forgotten or overridden and not re-activated.
In addition, if you have a control network of any size the patch and virus management issue is a serious one and we should all take a leaf out of the IT guys' book for looking after it.
Corporate deployment packages for anti-virus are readily available and are actually very suitable for control networks, once some basic research is done. There are lots of leaks and holes inside; perimeter fencing is NOT enough.
On the Windows OS patch front, there again are very good tools out there freely available from MS, assuming you can run them somewhere, which is not an issue. The SUS update server (to be improved further by WUS I think) is a godsend. Anyone who says it's a hassle or has no time to update patches needs shot; these tools are great and you can set up whatever level of automatic/approval you want - look into it. This covers a range of OS W2k onwards and includes patch management for SQL as well! This alone for me justifies upgrading to W2k/XP.
Another gripe/worry I had for years was how the AV/patches could co-exist with the myriad of automation packages. These concerns have not been realised. In fact I am sorry to say that it is actually automation vendor version upgrades that remain a much more serious undertaking! (IMHO)
Something else which has worked nicely is rolling out the AV/SUS solution. We actually carry a small VMware W2K image with the AV/SUS which can be deployed rapidly on any available server/PC and be done very quickly.
As for complete separation, this is of course a solution, but doing this loses out on so many important benefits; there is no need to list them in this thread.
Alistair.
aross wrote:

Excellent prose Alistair. Many good suggestions. However, let me point out a few things. There have been numerous cases of people using wireless devices, such as phones/modems with CDPD, GPRS, CDMA, etc etc, that have been infected with malignant code. This can easily happen when these sorts of devices get software off the net, from the manufacturer or elsewhere. The FBI has several ongoing investigations into COTS (Commercial Off The Shelf) devices that have malignant software from the overseas manufacturer. No, they are not going to go public with these stories, at this time.
Also, if any user inside a network runs the wrong software, inside of a network that is connected to the internet, or a wireless grid, chances are that malignant software will find its way into your network. There are solutions, but they are not for the faint-at-heart.
First, install and run a good intrusion detection software package. These sorts of software monitor the internal network for issues. They are very complex to install, collect data, analyze data, and make modifications to networks, but it works. Second, if at all possible, use Linux or BSD servers on your control network. Microsoft has a very long way to go to even remotely have a secure server.
Before everyone begins throwing stones at me, please look at a few web sites that may enlighten you about real network security. Oh, and all of those vendor protocols are clear text, and are easier to hack than a loaf of white bread. The US military is moving to embedded Linux in the battle space for a variety of reasons, but security is first and foremost:
Some sites of enlightenment: http://news.bbc.co.uk/1/hi/sci/tech/437967.stm www.nsa.gov/selinux http://openmosix.sourceforge.net/ http://airsnort.shmoo.com/ http://www.distributed.net/ http://www.phrack.org/ http://defcon.org/
Just to mention a few
James
Fair enough, but we've got to 'pee with what we've got', which is the likes of DeltaV/OSI PI/Rockwell/Intellution/non-Unix batch systems... all Windows based stuff, none of which is going to get replaced.
So the diversion off to Unix is not really an option; we are looking at tightening up the obvious holes, pushing up the security rating and not getting caught out by the likes of the high profile recent worms/etc.
Hopefully, Microsoft continues to tighten up things; over time and with enough effort and money..... things will get better.
On the telecoms/wireless front there is still great reluctance from a security point to authorise these technologies and I can see/agree with the logic, so for now in the process control industrial sector the wireless LAN/bluetooth/SMS/mobile has not been embraced to a high degree. We only seem to use this stuff in our home/hotels !
From the extreme security point of view, I thought/read that the biggest threat was disgruntled employees/control engr/admins,.... another topic I guess.
Regards Alistair.

Dual NIC. What does NIC stand for? Network Information Centre? Is this a firewall or router or both?
Kim
On 9 May 2004 14:36:09 -0700, snipped-for-privacy@hotmail.com (aross) wrote:

NIC = Network Interface Card
It's simply the socket on the back of the computer where the ethernet cable plugs in.

@austarnet.com.au says...

Network Interface Card. The LAN/network card in your PC with the fat phone jack and two blinking lights.
You can install more than one, and assign them different IP addresses, which allows you to communicate with two separate networks, without, in theory, connecting the two together. Unfortunately, as an earlier post pointed out, there is software which allows complete and silent control of the PC it is installed on.
For example, the capabilities of Back Orifice 2000:
Keystroke logging
HTTP filesystem browsing and transfer, with optional restrictions
Management of Microsoft Networking file sharing
Direct registry editing
Direct file browsing, transfer, and management
Plugin extensibility
Remote upgrading, installation, and uninstallation
Network redirection of TCP/IP connections
Access console programs such as command shells through Telnet
Multimedia support for audio/video capture, and audio playback
NT registry passwords and Win9x screensaver password dumping
Process control, start, stop, list
Multiple client connections over any medium
GUI message prompts
Proprietary file compression
Remote reboot
DNS name resolution
...all offered as a remote server, so that all these features could be controlled thousands of miles away via the business LAN connection.
--Gene

Polytechforum.com is a website by engineers for engineers. It is not affiliated with any of manufacturers or vendors discussed here. All logos and trade names are the property of their respective owners.