Designing Secure Networks for Industrial Control
Abstract
With the evolution of data communications in process control, network problems have taken on new importance to process engineers. The data connections from DCS and PLC systems to the plant network are vital to production, yet can be an invitation to problems. This paper looks at several real-life network disasters and discusses strategies for avoiding them. Solutions, including the use of packet filter firewalls and VLANs (Virtual Local Area Networks), are discussed. A case history from a pulp and paper mill illustrates how a firewall can be implemented to protect process systems from business users.

I. THE NEED FOR NETWORK PROTECTION

Over the past ten years the process control field has seen a significant increase in the use of computer networks to transfer information from the plant floor to supervisory and business computer systems. For example, most industrial plants are now using networked process historian servers and expert systems servers to allow business users to access real-time data from the DCS and PLC systems. There are also many other possible business/process interfaces, such as using remote X-Windows sessions from the DCS, or direct file transfer from PLCs to users' spreadsheets. Regardless of the method, each involves a network connection between the process and the business systems.

At the same time, there has been an explosion in the use of Ethernet and TCP/IP in industry for both process control and business networks. Most distributed control systems (DCS) now use Ethernet networking as a critical component of their system architecture, rather than the traditional proprietary industrial networks such as Data Highway or Modbus. Thus networks are increasingly Ethernet-based for both business and process systems. The issue is that problems on the business network can be passed on to the process network through the business/process interface, and this can seriously impact production.
Protecting the process system from external network problems is the focus of this paper.

II. EXAMPLES OF NETWORK PROBLEMS IMPACTING PRODUCTION

Many network designers divide the problems that can befall a process network into two general categories: accidental and deliberate. Accidental problems are typically caused by cabling and configuration errors or by user inexperience. Deliberate problems are those caused by individuals with malicious intent, such as disgruntled employees or network hackers. It has been our experience that accidental errors far outnumber the deliberate errors experienced in industrial environments, but both should be addressed. Below we will look at a few examples of each type of error and how these errors have impacted process operations in North America.

Noise or Bad Packets: The most common network problem is the propagation of noise or bad packets through a plant network. For example, in February of 1996, a West Coast pulp and paper mill lost use of its entire business network as a result of a faulty network card in a workstation. Due to grounding problems, the network card started generating 1000 runt packets per second on the network (runts are packets that are so short they violate Ethernet rules). The network repeaters simply transmitted the packets to every section of the mill network, flooding the network and preventing any network activity. Fortunately mill production was not affected, due to some limited network protection already in place.

IP Address Duplication: As noted earlier, TCP/IP has become the most popular network protocol for industrial networks in the past five years. One of the requirements of TCP/IP is that every network device must have a unique IP network address. This address can either be manually entered into a computer's configuration or a central Dynamic Host Configuration Protocol (DHCP) server can automatically assign it. Either way, this number must be unique or problems will occur.
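As an added illustration (not from the paper), a passive monitor can flag the two faults described above, a runt flood and a duplicated IP address, from captured Ethernet frames. The sketch assumes frames are captured without the 4-byte FCS; the alarm threshold, MAC addresses and IP addresses are hypothetical, and the sample capture is constructed.

```python
import struct
from collections import Counter

MIN_FRAME_NO_FCS = 60        # 64-byte Ethernet minimum minus the 4-byte FCS (assumed stripped)
ETHERTYPE_ARP = 0x0806
RUNT_ALARM_PER_SEC = 100     # hypothetical alarm threshold
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def analyze(frames):
    """frames: iterable of (timestamp_seconds, raw_bytes).
    Returns ({second: runt_count over threshold}, [(ip, first_mac, other_mac)])."""
    runts, bindings, conflicts = Counter(), {}, []
    for ts, raw in frames:
        if len(raw) < MIN_FRAME_NO_FCS:
            runts[int(ts)] += 1          # count runts per one-second bucket
            continue                     # too short to trust its contents
        if struct.unpack("!H", raw[12:14])[0] != ETHERTYPE_ARP:
            continue
        htype, ptype, hlen, plen, _op, sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, raw[14:42])
        # Only Ethernet/IPv4 ARP; skip ARP probes, which claim no sender address
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or spa == bytes(4):
            continue
        ip, mac = ".".join(map(str, spa)), sha.hex(":")
        first = bindings.setdefault(ip, mac)   # remember the first MAC seen for this IP
        if first != mac and (ip, first, mac) not in conflicts:
            conflicts.append((ip, first, mac))
    floods = {sec: n for sec, n in runts.items() if n >= RUNT_ALARM_PER_SEC}
    return floods, conflicts

def arp_frame(src_mac, src_ip, dst_ip):
    """Build a broadcast ARP request, zero-padded to the minimum frame size."""
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1, src_mac, src_ip, bytes(6), dst_ip)
    return (eth + arp).ljust(MIN_FRAME_NO_FCS, b"\x00")

# Constructed sample: a controller and a printer both claim 192.0.2.10,
# then a faulty card emits 1000 twenty-byte runts within one second.
CONTROLLER = bytes.fromhex("020000000001")
PRINTER = bytes.fromhex("020000000002")
SHARED_IP, PEER_IP = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1])
SAMPLE = ([(1.0, arp_frame(CONTROLLER, SHARED_IP, PEER_IP)),
           (2.0, arp_frame(PRINTER, SHARED_IP, PEER_IP))]
          + [(5.0 + i / 1000, b"\xaa" * 20) for i in range(1000)])

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A device that is legitimately re-addressed or replaced also shows up as a conflict here, so each hit needs checking against the plant's address records.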
An example of this problem occurred in July of 1996 at the same paper mill as the previous example. Approximately one year prior, the mill had upgraded the profile controller on the #1 Paper Machine. This system used Ethernet and TCP/IP to communicate between the scanners and the main controller. It was also connected to the main mill network through a bridge so that profile information could be accessed by business applications. Some time after the installation, a network printer in another area of the mill was accidentally given the same IP address as the controller. Initially this did not cause difficulties, but shortly after a routine maintenance shutdown, the scanners started directing their data to the printer rather than to the controller. As a result, the paper machine could not be started for over six hours.

Broadcast Storms: Broadcast packets are messages that are directed to all the computers on a network rather than to a specific device. They may be generated by network servers advertising their services or by computers trying to locate other devices on the network. They are an important part of a properly functioning network and, in small quantities, have no negative impact. In large quantities (what is referred to as a Broadcast Storm) broadcast packets can stop normal network operations. Each packet is perfectly valid on an individual basis, but demands that all network devices devote some CPU resources to interpreting it. Many common computers simply become overwhelmed if they receive too many broadcast packets in a short time span [1]. Two years ago a Saskatchewan industrial facility lost communications to the operator consoles on a steam plant DCS. The problem was believed to be caused by an incorrectly configured Windows 95 workstation in another mill area that generated high levels of broadcast packets.
The DCS had to be removed from the mill network and remains disconnected to this day, preventing process data from being transferred to the business systems.

Deliberate Intrusion: Fortunately, deliberate intrusion of process control networks has been rare to date. However, as more mills attach to either the Internet or the corporate wide area network (WAN), the chances of being hacked are growing. Typically a hacker will attach to the mill network and attempt to locate possible
Publication date: 2002