Protect control networks from office network problems

Industrial Networking, Control Design
07/05/2006

Three techniques—overlapped VLANs, rate limiting, and port security—can help safeguard control networks from problems with office networks or equipment such as Windows PCs.

 

 

	PROTECTING PLANT NETWORKS
	Overtapped VLANs, rate limiting, and port security can help protect control networks from problems with office networks.

Bennet Levine, R&D manager at Contemporary Controls, says an overlapped VLAN is a special type of virtual local area network (VLAN) provided by managed switches, which can allow one or multiple devices to have access to more than one VLAN. “That is, one or several devices can exist in multiple VLANs,” says Levine. “All other communications between the VLANs is blocked. For example, such an arrangement can allow a SCADA system to be shared between the office network VLAN and the control network VLAN, while blocking all other access between these VLANs. This enables SCADA communication with control network devices, and allows office network devices to determine the control network status, while protecting the rest of the control network from office network problems.”

Rate limiting is a managed-switch feature that can limit the bandwidth consumed by devices connected to specific ports of the switch. Users can specify a maximum bandwidth for each port of the switch. This can be used, for example, to limit the level of traffic sent to a sensitive piece of equipment. Another use of this feature is to limit traffic sent to the control network from the office network. “In this way excessive traffic problems created by the office network, such as broadcast or directed-message storms, can be controlled by rate limiting,” explains Levine. “It’s recommended that rate limiting be used on all switch ports that connect to any Windows PCs. Rate limiting can also control the level of multicast messages.”

Port security can be used to control which devices can communicate through specific ports of a managed switch. This can determine which office network devices can communicate with the control network. For example, port security can be used to only allow the plant manager and the engineering manager to have access to the control network from their computers on the office network.