GarrettCom Ethernet Networks and Web Management manual

Page 4

As Ethernet has expanded into outlying industrial facilities, two types of network structures emerge: Local and Remote. The Local Ethernet structure is within the walls of a single facility which can be closely watched, with the only serious security risk being from disgruntled employees or persons who have penetrated the physical security of the plant. Access to data running across this type of Local Ethernet network can be protected by segregating it with VLANs (Virtual Local Area Networks). VLANs can be configured to restrict points of access from the outside world and can employ password protection to provide authorization, authentication, and access control tethered to the Ethernet network itself. Telnet managed by the switch can be used for remote login to the switch manager software.
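The paragraph above relies on VLAN segregation to keep plant traffic apart and to limit which ports can reach the switch's management interface. The following Python script, added here as an illustration and not taken from the GarrettCom manual or any GarrettCom product, shows the mechanism a switch applies to enforce that: it parses the 802.1Q tag from raw Ethernet frames, assigns untagged frames the port's PVID, drops frames whose VLAN the ingress port is not permitted to carry, and computes the egress ports. It also includes an audit that lists every port carrying the management VLAN so an administrator can confirm that only the intended access points can see management traffic (relevant because Telnet, mentioned above for remote login, sends the password in cleartext to every port on that VLAN). The port names, VLAN numbers and frames are constructed sample data.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # 802.1Q VLAN tag
ETHERTYPE_IPV4 = 0x0800

# Constructed port table (hypothetical names, not a GarrettCom configuration).
#   pvid   : VLAN assigned to untagged frames arriving on the port
#   allowed: VLAN IDs the port may carry in either direction
PORTS = {
    "plc1":         {"pvid": 10, "allowed": {10}},
    "hmi":          {"pvid": 10, "allowed": {10}},
    "mgmt_console": {"pvid": 99, "allowed": {99}},
    "uplink":       {"pvid": 1,  "allowed": {10, 20, 99}},  # trunk to the next switch
}
MGMT_VLAN = 99


def build_frame(dst, src, payload=b"", vid=None, prio=0, ethertype=ETHERTYPE_IPV4):
    """Build a raw Ethernet frame, inserting an 802.1Q tag when vid is given."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        tci = (prio << 13) | (vid & 0x0FFF)          # PCP (3 bits) | DEI | VID (12 bits)
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, VLAN ID (None if untagged), priority, ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, prio, offset = None, None, 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        prio, vid, offset = tci >> 13, tci & 0x0FFF, 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vid": vid,
            "prio": prio, "ethertype": ethertype, "payload": frame[offset:]}


def switch_frame(ingress_port, frame, ports=PORTS):
    """Ingress VLAN filtering: ("forward", [egress ports]) or ("drop", reason)."""
    cfg = ports[ingress_port]
    info = parse_frame(frame)
    vid = info["vid"] if info["vid"] is not None else cfg["pvid"]
    if vid not in cfg["allowed"]:
        # A tag the port is not configured for is discarded at ingress, so a
        # device on the plant VLAN cannot inject frames into the management VLAN.
        return ("drop", f"VLAN {vid} not permitted on {ingress_port}")
    egress = sorted(p for p, c in ports.items() if p != ingress_port and vid in c["allowed"])
    return ("forward", egress)


def ports_carrying(vid, ports=PORTS):
    """All ports configured to carry the given VLAN."""
    return sorted(p for p, c in ports.items() if vid in c["allowed"])


def audit_vlan_exposure(vid, approved_ports, ports=PORTS):
    """Ports that carry `vid` but are not on the approved access-point list."""
    return sorted(set(ports_carrying(vid, ports)) - set(approved_ports))


if __name__ == "__main__":
    bcast, plc = "ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55"
    print(switch_frame("plc1", build_frame(bcast, plc, b"poll")))            # plant VLAN
    print(switch_frame("plc1", build_frame(bcast, plc, b"x", vid=MGMT_VLAN)))  # dropped
    print(switch_frame("uplink", build_frame(bcast, plc, b"x", vid=MGMT_VLAN)))
    print("management VLAN exposed on:", audit_vlan_exposure(MGMT_VLAN, ["mgmt_console", "uplink"]))
```

The audit is the part worth running against a real port table: any port listed that is not a deliberate management access point widens the set of places from which a cleartext Telnet login can be observed or attempted.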

However, Ethernet’s benefits to industrial applications run far beyond such restricted local applications. Much Ethernet connectivity is deployed beyond a single plant, and local-only networks would limit the ability to manage, monitor and collect data from remote operations. Ethernet, using fiber cabling for distance, noise immunity and security, is deployed throughout widely distributed industrial applications. Interconnecting multiple water treatment plants or power substations within a metropolitan area are typical examples.

Remote industrial Ethernet implementations are very popular applications for monitoring (the Data Acquisition (DA) part of SCADA). They are typically closed systems, which require in-facility access points for information review, as opposed to casual Internet access from the home or from the remote laptop of a maintenance supervisor. Within the closed system, remote monitoring may be possible, eliminating many routine maintenance visits to unmanned outlying operations, with a concomitant reduction in costs. It is also easier to identify potential problems and dispatch maintenance or repair teams promptly – often avoiding downtime or managing outages.

The only security risk in a closed system is a physical breach of the network, and even in the case of such an event, password protection goes a long way to providing data security. The downside is the lost opportunity for efficiencies and savings because of the limits placed on management and control of industrial operations from afar.

Management Supervision and Control – the SC part of SCADA – of remote sites over Ethernet has traditionally been used less often simply because of concerns regarding security. If these concerns can


[Table-of-contents image] GarrettCom, Inc., 47823 Westinghouse Drive, Fremont, CA

Contents:
  Introduction
  Security Overview
  Ethernet Security - The Switch Vendor’s Opportunity
  Industrial Security Initiatives
  Ethernet Security Standards Beyond the Switch
  References
  Brief Overview of SP99 and PCSRF
  Appendix A: security vulnerabilities addressed by this technology; typical deployment; known issues and weaknesses; assessment of use in the manufacturing and control system environment
  Appendix B: Security Standards in Use in Ethernet Installations - SNMP; SSL - Secure Socket Layer; MAC Addressing; TLS - Transport Layer Security; Remote Security