Technological Advances, Better Designs Protect Networks

May 11, 2011
While standards bodies continue to devise new concepts, technology providers are also coming up with new ways to prevent this type of unexpected downtime. Some features can be built into servers and nodes.

Software is constantly being upgraded to close openings and react to new threats, and network designers come up with new twists on architectural schemes. For example, breaking industrial networks into a number of small subnets limits potential damage if something hits the network.

Some features are built into basic networking architectures, as is the case with some of the real-time versions of Ethernet. When developers added determinism to EtherCAT, they also opted to prevent unauthorized data packets from causing problems.

“EtherCAT slave devices, by default, will destroy any non-EtherCAT frames they encounter, so injected non-EtherCAT frames in the local fieldbus network will not make their way back to the master controller as valid Ethernet frames,” says Joey Stubbs, North American representative for the EtherCAT Technology Group of Volente, Texas. EtherCAT frames are denoted by the EtherType of 0x88a4 in the frame header, he explained.
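The EtherType check described above can also be applied by a passive monitor on a fieldbus segment. The following is an added example, not code from the article or from the EtherCAT Technology Group: it flags every captured frame whose EtherType is not 0x88a4. The function names, the sample frames and the choice to skip a single 802.1Q VLAN tag are assumptions made for illustration.

```python
import struct

ETHERTYPE_ETHERCAT = 0x88A4   # EtherType quoted in the article
ETHERTYPE_VLAN = 0x8100       # IEEE 802.1Q tag (assumption: one tag is skipped)

def ethertype(frame: bytes):
    """Return the EtherType of a raw Ethernet II frame, or None if truncated."""
    if len(frame) < 14:
        return None
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            return None
        (etype,) = struct.unpack_from("!H", frame, 16)
    return etype

def audit_segment(frames):
    """Return (index, source MAC, reason) for every frame that is not EtherCAT."""
    findings = []
    for i, frame in enumerate(frames):
        etype = ethertype(frame)
        if etype == ETHERTYPE_ETHERCAT:
            continue
        src = frame[6:12].hex(":") if len(frame) >= 12 else "unknown"
        reason = "truncated frame" if etype is None else f"EtherType 0x{etype:04x}"
        findings.append((i, src, reason))
    return findings

def _frame(src, etype, payload=b"\x00" * 46, vlan=None):
    """Build a constructed test frame with a broadcast destination."""
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan) if vlan is not None else b""
    return b"\xff" * 6 + bytes.fromhex(src) + tag + struct.pack("!H", etype) + payload

# Constructed sample capture, not real traffic.
SAMPLE = [
    _frame("020000000001", 0x88A4),           # EtherCAT frame
    _frame("020000000099", 0x0800),           # IPv4 frame on the fieldbus
    _frame("020000000001", 0x88A4, vlan=5),   # VLAN-tagged EtherCAT frame
    _frame("020000000099", 0x0806),           # ARP frame
    b"\xff" * 6 + b"\x02\x00\x00",            # truncated frame
]

if __name__ == "__main__":
    for idx, src, reason in audit_segment(SAMPLE):
        print(f"frame {idx}: src={src} {reason}")
```

Any finding on a segment that should carry only EtherCAT traffic points to a device or cable that does not belong there, which is worth an alert even though the slaves discard such frames.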

When networks are being installed or upgraded, most observers say that’s a good time to reexamine firewalls and other protective equipment. Firewalls play a critical role in isolating industrial networks without destroying the front-office compatibility that’s a big attraction for Ethernet.

With firewalls and other equipment, plant managers must always be looking at ways to improve their protective schemes. “As we get the technology to build more secure networks, we want to put more safeguards into the infrastructure, especially for end points that can’t protect themselves,” says Brad Hegrat, senior principal security consultant for Rockwell Automation.

Another popular concept is to limit communications between devices. Most devices in a plant only need to communicate with a handful of other devices. Reducing connectivity so that these nodes can’t talk to any unauthorized equipment will eliminate many potential problems. “If devices on one level don’t need to talk to those on another level, don’t let them communicate,” Hegrat adds.

Security analysts also suggest breaking an industrial network into smaller segments that are isolated by firewalls. Controlling access between devices can be very effective. “We like the principle of least routes, which only provides the account credentials needed to perform a job function, and only provides network access to devices for the purpose of fulfilling their specific job functions,” Hegrat says.

May 2011, Related Feature – Doing All You Can to be Cyber Secure?
To read the feature article, visit
http://www.automationworld.com/feature-8782
