Electric Automation Forum
Started by gautom bose, 07-28-2014 04:38 AM

Should SCADA PC, HMI, PLC, DCS be on the same existing IT NETWORK

Should SCADA PC(s), HMI(s), PLC(s), DCS be on the same existing IT NETWORK, which is used for Office Business? Does it make sense to hang all devices on one Network and make them members of One Domain?

Please give your thoughts and share your experiences.
#2 Sarah Tapscott, 07-23-2014 06:45 AM
If possible no! For network security it is best to at least have a DMZ between the office network and the factory network if there is a requirement for the 2 parts to communicate with each other (e.g. for the ability to view data / reports etc. from the SCADA system). This assists both the engineers using the SCADA system to be able to maintain their own system and allocate their IP addresses as required, with the office IT department being able to deal with their side independently too. The use of NAT will allow the permitted areas to communicate with each other!
#3 René Swagerman (B Eng), 07-23-2014 09:06 AM
I agree with Sarah.
It is getting more difficult to have no connection at all between Office and Factory with the increasing demand for vertical integration and information exchange. But you need a well protected and monitored single connection and not put them together in one big system.

There are real threats on industrial systems; Stuxnet comes to mind, just because it was found and the media attention about it. But it is likely there are a lot more, and there is a bigger focus on creating new attacks on industrial systems. All they needed was a USB stick to be plugged into a system connected to the sealed-off production network to attack down to field level. And let's face it, in the office network USB sticks from anywhere get plugged in all the time. There is the Bring Your Own Device trend, devices connected to open Wifi hotspots are connected to the office network again without proper security checks etc. etc.
Securing the office network is a bit of a nightmare, but damages can be relatively limited. If you connect this security nightmare to the production core of your company, you are asking for trouble and will probably get it too.

There is a lot of work to be done in securing factory networks, but merging them with the office network is not the way to go in my opinion. And that's only security; you have the whole bandwidth, real-time communication, interference issue. People watching livestreams of the World Cup in the office and your production stops etc. etc. So from a security standpoint, don't; for lots of other different reasons, don't.
#4 Paul Bennett IEng MIET, 07-23-2014 11:40 AM
Absolutely not. You should at least segment the network into the different zones with suitable firewalling routers in between each segment. Even the wifi routers should be on separate segments. Partitioning assists in containing the spread of adverse activities. Even the plant-side networks should be segmented into separate activity cells.
#5 Diego Rodrigues Ferreira, 07-23-2014 02:00 PM
Isolate physically, if you can, but never use the same logical network without the proper sanitations as Paul remarks.

Isolate them with VLANs, firewalled subnetworks or even VPNs (for the viewer applications). Depending on the size of plant and polling rate you shall probably have a redundant network between SCADA servers and RTUs. These should be dedicated.

You can start to consider using the same infrastructure from SCADA to Viewers/Controllers with proper logical isolation.
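The office / DMZ / plant split that Sarah, Paul and Diego describe (a default-deny firewall between zones, a DMZ holding the only server the office may reach, and the plant side cut into separate cells), as an added example that is not code from the forum, from any poster or from any vendor. It is a Python model of the zone-and-conduit policy: every zone prefix, port and flow-log line in it is a constructed assumption. `is_allowed` evaluates one connection against the allow-list, `render_nftables` prints a firewall chain of that shape for review (it loads nothing), and `audit` runs the same conduit list over a few constructed flow records to flag the connections a flat shared network would carry without comment.

```python
"""Zone/conduit model for the office / DMZ / plant split discussed above.

Added example, not code from the forum or from any vendor; every address,
zone name and port below is a constructed assumption for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption): one prefix per zone, with the
# plant side further split into cells as Paul suggests.
ZONES = {
    "office": ipaddress.ip_network("10.10.0.0/16"),
    "dmz":    ipaddress.ip_network("10.20.0.0/24"),   # historian / report server
    "scada":  ipaddress.ip_network("10.30.0.0/24"),   # SCADA servers and HMIs
    "cell_a": ipaddress.ip_network("10.31.0.0/24"),   # PLCs / RTUs, cell A
    "cell_b": ipaddress.ip_network("10.32.0.0/24"),   # PLCs / RTUs, cell B
}


@dataclass(frozen=True)
class Conduit:
    """One explicitly permitted flow between two zones."""
    src: str
    dst: str
    proto: str
    dport: int


# Allow-list of conduits; anything not listed is denied, including
# office -> scada, office -> cell_* and cell_a <-> cell_b.
POLICY = (
    Conduit("office", "dmz", "tcp", 443),    # office views reports on the DMZ server
    Conduit("dmz", "scada", "tcp", 4840),    # DMZ server pulls data over OPC UA
    Conduit("scada", "cell_a", "tcp", 502),  # SCADA polls cell A PLCs (Modbus/TCP)
    Conduit("scada", "cell_b", "tcp", 502),  # SCADA polls cell B PLCs (Modbus/TCP)
)


def zone_of(ip: str):
    """Return the zone name containing ip, or None if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Default-deny check of one new connection against the conduit list."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False                      # unknown address: never permitted
    if src == dst:
        return True                       # traffic inside one zone is not filtered here
    return Conduit(src, dst, proto.lower(), dport) in POLICY


def render_nftables(policy=POLICY) -> str:
    """Emit an nftables forward chain implementing the conduit list.

    Return traffic for accepted connections rides on conntrack state, so only
    the initiating direction needs a rule. The text is for review; it is not
    loaded anywhere by this script.
    """
    lines = [
        "table inet plant_fw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for c in policy:
        lines.append(
            f"    ip saddr {ZONES[c.src]} ip daddr {ZONES[c.dst]} "
            f"{c.proto} dport {c.dport} accept"
        )
    lines += ['    log prefix "plant_fw drop: " drop', "  }", "}"]
    return "\n".join(lines)


def audit(flow_lines):
    """Flag connections in a (constructed) flow log that violate the policy.

    Each line is 'src=A dst=B proto=P dport=N'; returns the offending lines.
    """
    violations = []
    for line in flow_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if not is_allowed(fields["src"], fields["dst"], fields["proto"], int(fields["dport"])):
            violations.append(line)
    return violations


# Constructed sample flow log (assumption): two legitimate flows and two that
# a flat office/plant network would silently permit.
SAMPLE_FLOWS = [
    "src=10.10.4.2 dst=10.20.0.10 proto=tcp dport=443",   # office -> DMZ reports
    "src=10.30.0.5 dst=10.31.0.9 proto=tcp dport=502",    # SCADA -> cell A PLC
    "src=10.10.4.2 dst=10.31.0.9 proto=tcp dport=502",    # office PC talking Modbus to a PLC
    "src=10.31.0.9 dst=10.32.0.3 proto=tcp dport=502",    # cell A PLC reaching into cell B
]

if __name__ == "__main__":
    print(render_nftables())
    for v in audit(SAMPLE_FLOWS):
        print("VIOLATION:", v)
```

The point of keeping the policy as a data structure is that the same allow-list drives both the enforcement rules and the detection pass: when the office and the cells share one flat network, the last two sample flows are indistinguishable from normal traffic, whereas with zones defined they are violations the moment they appear in a flow log. Note that the DMZ initiates connections into the SCADA zone, never into the office; the office only ever reaches the DMZ, which is what makes the DMZ a cut-out rather than a pass-through.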