Control Network separation from Business Network

Network Interface Card. The LAN/network card in your PC with the fat phone jack and two blinking lights.

You can install more than one, and assign them different IP addresses, which allows you to communicate with two separate networks, without, in theory, connecting the two together. Unfortunately, as an earlier post pointed out, there is software which allows complete and silent control of the PC it is installed on.

For example, the capabilities of Back Orifice 2000:

Keystroke logging
HTTP filesystem browsing and transfer, with optional restrictions
Management of Microsoft Networking file sharing
Direct registry editing
Direct file browsing, transfer, and management
Plugin extensibility
Remote upgrading, installation, and uninstallation
Network redirection of TCP/IP connections
Access console programs such as command shells through Telnet
Multimedia support for audio/video capture, and audio playback
NT registry passwords and Win9x screensaver password dumping
Process control, start, stop, list
Multiple client connections over any medium
GUI message prompts
Proprietary file compression
Remote reboot
DNS name resolution

...all offered as a remote server, so that all these features could be controlled thousands of miles away via the business LAN connection.

--Gene

Reply to
Gene S. Berkowitz

has anyone worked with osi for linux?

formatting link

the website is pretty lame, lots of flash and press releases, not much meat. But if someone's worked with it, I'd be interested in the impressions

Reply to
joeblow

Interesting stuff! - Sorry, I haven't used it because it is not much use to someone (like me) who spends most of their time outside the EMS/Utilities sector.

The list of supported communication protocols is a good indication of the applicability of a SCADA package - after all, that is basically what a SCADA system is for.

OSII lists "Harris/H-series, Boeing, Leeds & Northrup, Landis & Gyr, Westinghouse, and Control Data" - that is not even the full spectrum of EMS out there, but at least it's the major players.

If you have one of those systems in place, I'm sure it's probably pretty good, but in contrast, something like CitectFacilities

formatting link
whilst a Windows package and not Linux, is making enormous inroads into the EMS/Utilities markets in Australia and China purely on the strength of their communications and support base.

Cameron:-)

Reply to
Cameron Dorrough

hm. looks interesting. Especially since I'd like to 'retire' to Australia and China and such...

But, it's Microsoft-based, and I'm solidly a linux/gnu/unix partisan. As is most of this shop, so I think I'll not bring this one up...8)

---------------------------

Reply to
joeblow

Martin,

From what I understand you install two network cards into a PC, one connected to a business network and the other connected to the process controls network. Does this still leave the network open to virus threats if infected? How is this better than a router?

Reply to
Kim

A question I still have, and I am researching and learning much about routers and firewalls: if I have two computers connected to each other through a router and firewall with permissions granted for their communication, and let's say one of them gets infected with a virus, the other PC will also be infected as the communication path is open. Am I correct in assuming this?

Reply to
Kim

I want both combined with some security. Currently they are both combined, but I am looking into segregating the control items from the business network, and what I'm not sure about is the best method. I need to be able to communicate to the business network and remain secure. Currently our IT department are working on a solution; I just want to ensure that their solution is the best solution.

Thanks all for the responses.

Reply to
Kim

Consider a simplified network:

Host A, Control Network | firewall | "Buffer" network | firewall | Business network, Host B | firewall | Internet

Suppose, also, that the only destination TCP/IP port on which a connection between hosts A and B is possible is 502 (openmodbus). Then, even if host B is infected, there will be no communication means that would propagate the virus/worm to host A except the allowed port 502. This doesn't preclude infection/exploit if the software running on this port is buggy. However, generic exploits targeting operating system vulnerabilities are more common than those targeting specific control software. It is quite desirable to disable port 502 as well as other unused ports on the firewall between the Internet and the business network. Any technical security measures should not be considered as a panacea for viruses and other types of disruption. Just think of a situation when an employee plugs a laptop into the control network and establishes a dial-up connection elsewhere, or simply brings a CD with an infected game to play on the DCS host computer.

Andrey

Reply to
Andrey Romanenko
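The segmented topology in Andrey's post, as an added example that is not from the thread: a small Python model of the three firewalls with default-deny rule sets, showing that only TCP 502 from the business side can reach the control host and that the same port stays closed from the Internet. Zone names, rule contents and the sample connections are constructed for the illustration; this models policy, it is not a firewall.

```python
# Added example: a model of the segmented topology described above
# (Control | FW1 | Buffer | FW2 | Business | FW3 | Internet), checking which
# new connection attempts would be admitted end to end. Zone names, rules and
# sample connections are constructed for this illustration.
from dataclasses import dataclass

ZONES = ["control", "buffer", "business", "internet"]  # left to right
# FIREWALLS[i] sits between ZONES[i] and ZONES[i + 1].
# A rule is (source zone, destination zone, protocol, destination port).
# Every firewall denies anything that matches none of its rules.
FIREWALLS = [
    # FW1 between control and buffer: only Modbus/TCP from the business side
    [("business", "control", "tcp", 502)],
    # FW2 between buffer and business: the same single hole, same direction
    [("business", "control", "tcp", 502)],
    # FW3 between business and internet: outbound web only, nothing inbound
    [("business", "internet", "tcp", 80), ("business", "internet", "tcp", 443)],
]

@dataclass(frozen=True)
class Conn:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int

def firewalls_on_path(src_zone, dst_zone):
    """Indices of the firewalls a new connection must cross, in travel order."""
    s, d = ZONES.index(src_zone), ZONES.index(dst_zone)
    return list(range(s, d)) if s < d else list(range(s - 1, d - 1, -1))

def permitted(conn):
    """True only if every firewall on the path has a rule admitting the connection."""
    if conn.src_zone == conn.dst_zone:
        return True  # same segment: no firewall in the way (the flat-network case)
    for i in firewalls_on_path(conn.src_zone, conn.dst_zone):
        if not any(r == (conn.src_zone, conn.dst_zone, conn.proto, conn.dst_port)
                   for r in FIREWALLS[i]):
            return False
    return True

def exposure(dst_zone):
    """Which (src_zone, port) pairs from other zones can still open a connection to dst_zone."""
    ports = {r[3] for fw in FIREWALLS for r in fw}
    return sorted((z, p) for z in ZONES if z != dst_zone
                  for p in ports if permitted(Conn(z, dst_zone, "tcp", p)))

if __name__ == "__main__":
    print(exposure("control"))  # expected: [('business', 502)]
```

The exposure() check is the part worth keeping around: re-run it after every rule change so that the remaining path to the control host is always a single, known port rather than whatever the last edit left open.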

Yes, it leaves it open to a virus and, no, it's no better than a router. I didn't fully understand that before reading this thread.

The reason we put two NICs in is to isolate the traffic on the two networks from one another - much the same as a router does but cheaper (one less piece of hardware).

But, if a virus comes >Martin,

Reply to
Martin

The point is that this PC with two NICs in it should be set up only as a Firewall and Router and nothing else. For a business setting you may as well buy firewall router boxes unless you happen to be overflowing at the ears with unwanted PCs and NICs.

Go read up on networking topologies and routing strategies in the book I recommended a few posts back.

Reply to
Paul E. Bennett

PolyTech Forum website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.