
Come together

Integration of plant-floor, building, physical security, and enterprise networks means more chances for unauthorized access and more need for intelligent security, cooperation, and training.

03/09/2007


Hegrat adds that firewalls are more secure because they filter all data through one point, while routers and switches are less secure because they usually have multiple network connections. “One of our customers that makes heavy equipment in the Midwest had a virtual local area network (VLAN) with several access points, and last summer the Zotob worm virus found a hole in it,” says Hegrat. “This event brought down production for seven hours at a dozen plants, and cost millions of dollars in lost production time.” They had to scrub this virus the old-fashioned way and manually restore thousands of devices across the U.S.

“Today, intelligent firewalls can monitor network traffic, respond to network-based events like this by logically disconnecting themselves, and separating corporate/external networks from production,” says Hegrat.

To further help users safely integrate control and corporate networks, Bennet Levine, Contemporary Controls’ R&D manager, advises them to implement:

  • Rate limiting, which sets an adjustable ceiling on the maximum bandwidth each port on their network devices may carry.
  • Port locking that only allows certain media access control (MAC) addresses to be carried through on specific ports. This enables blocking of all but the one or two PCs that the user wants the network to be able to access.
  • Overlapped VLANs that isolate corporate and plant-floor networks by allowing only one device to sit on each side, and then sharing data through it. This is similar to a DMZ strategy.
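The following is an added illustration of the two per-port controls in the list above, not Contemporary Controls' firmware or any real switch CLI: port locking as a MAC allow-list and rate limiting as a token bucket capped at the port's bandwidth ceiling. The port configuration and the frames it evaluates are constructed for the example.

```python
# Added illustration (not Contemporary Controls' firmware or any real switch CLI) of the two
# per-port controls described above: port locking as a MAC allow-list and rate limiting as a
# token bucket capped at the port's bandwidth ceiling. All frames below are constructed.
class PortPolicy:
    def __init__(self, allowed_macs, ceiling_bps):
        self.allowed_macs = frozenset(m.lower() for m in allowed_macs)  # port locking
        self.ceiling_bps = ceiling_bps       # rate limit: bytes per second
        self.tokens = float(ceiling_bps)     # bucket starts full (one second of credit)
        self.last_t = 0.0

def check_frame(policy, t, src_mac, size):
    """Return 'forward' or a drop reason for one frame seen on the port at time t (seconds)."""
    # Port locking first: a foreign MAC is dropped before it consumes any bandwidth credit.
    if src_mac.lower() not in policy.allowed_macs:
        return "drop:unknown-mac"
    # Rate limiting: refill credit for the elapsed interval, never beyond one second's worth.
    policy.tokens = min(policy.ceiling_bps,
                        policy.tokens + (t - policy.last_t) * policy.ceiling_bps)
    policy.last_t = t
    if size > policy.tokens:
        return "drop:rate-limit"
    policy.tokens -= size
    return "forward"

def run(policy, frames):
    """frames: (timestamp_s, src_mac, size_bytes). Returns per-frame decisions and counts."""
    decisions = [check_frame(policy, t, mac, size) for t, mac, size in frames]
    counts = {}
    for d in decisions:
        counts[d] = counts.get(d, 0) + 1
    return decisions, counts

def make_plant_port():
    # Hypothetical locked port: one PLC allowed, 1500 B/s ceiling (tiny, to make the burst visible).
    return PortPolicy(allowed_macs=["00:11:22:33:44:55"], ceiling_bps=1500)

SAMPLE_FRAMES = [  # constructed traffic on that port
    (0.0, "00:11:22:33:44:55", 1000),  # PLC frame, fits the full bucket
    (0.1, "00:11:22:33:44:55", 1000),  # burst: only 150 B refilled since -> rate-limited
    (0.2, "de:ad:be:ef:00:01", 64),    # office PC plugged into the plant port -> locked out
    (1.2, "00:11:22:33:44:55", 1000),  # after a pause the bucket has recovered
]

if __name__ == "__main__":
    for frame, decision in zip(SAMPLE_FRAMES, run(make_plant_port(), SAMPLE_FRAMES)[0]):
        print(frame, "->", decision)
```

The drop reasons double as the events a plant or IT team would want logged: a foreign MAC on a locked port is the "office PC plugged into the plant" case Levine warns about.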

“Ethernet requires a little more awareness because it’s too flexible to some extent,” says Levine. “If you’re not careful, you easily can access an office network from the plant or vice-versa, and potentially flood the other with unwanted data.” To prevent these problems, Contemporary Controls supplies EIS8-100T and UL 864-rated Ethernet switches to segregate and direct network traffic.

In fact, system integrator ATS Automation recently used EIS8-100T switches to help implement an integrated Alerton distributed digital control (DDC) system at the new, combined 42-story Washington Mutual (WaMu) Bank and Seattle Art Museum. ATS senior sales engineer Pete Segall says this application shows how plant and corporate networks can be successfully integrated because it combines:

  • HVAC and smoke control;
  • Automatic transfer switches, emergency generators, and power monitoring for WaMu via Modbus;
  • Variable frequency drives (VFDs) and lighting controls via BACnet Ethernet integration; and
  • EST fire alarms via a field server driver.
Figure 2: Switches Combine Control (Alerton BACnet/Ethernet Control Network)

Two Ethernet switches are physically connected to an Alerton BACnet/Ethernet smoke control network to jointly run day-to-day HVAC, alarm-based smoke handling, and other equipment at the 42-story WaMu Bank and Seattle Art Museum.

Segall reports that two EIS8-100T switches helped ATS develop an integrated control that could jointly monitor and control HVAC, smoke, and other combined smoke-and-HVAC equipment both daily and on an alarm-event basis. “Pure smoke control systems don’t function on a day-to-day basis, but HVAC and combined systems do,” adds Segall.

The two Ethernet switches were physically connected to the Alerton BACnet/Ethernet smoke control network via Cat 5 cabling, so the required DDC logic routines could be carried out precisely (see Figure 2). One switch is located in the central fire control room, and the other is in a telecom room on WaMu’s second floor. In addition, one switch is used as a gateway between the non-smoke-control Global DDC logic boards and the building management system’s computer and user interface.

“Ten years ago, this kind of integration would have been extremely difficult because there were no open protocols, and we would have had to write proprietary system drivers to translate between the fire, control and security protocols,” says Segall. “Open protocols such as BACnet and Modbus make all of this easier, and having a single point of connection between the several hundred Ethernet devices in our dedicated HVAC and fire network and WaMu’s overall corporate network gives us secure flexibility.”

Cooperation Culture
Whatever technical methods are used to integrate industrial and business networks, everyone agrees none will be secure without plant and IT cooperation, jointly developed security policies, and training.

Jay Hardison, plant superintendent for Colorado Springs Utilities (CSU), says the utility has been using EtherNet/IP for its corporate backbone, and Profibus and DeviceNet for its plant-floor water/wastewater treatment plants for several years, and recently added Rockwell Software Maintenance Automation Control Center (RSMACC). RSMACC adds required security and offers supplemental authentication, auditing, archiving, and verification.

Figure 3: Springs in Colorado
Colorado Springs Utilities’ Northern Water Reclamation facility combines EtherNet/IP, Profibus, DeviceNet, and maintenance automation software at its water/wastewater treatment plant.

ControlGlobal.com is exclusively dedicated to the global process automation market. We report on developing industry trends, illustrate successful industry applications, and update the basic skills and knowledge base that provide the profession's foundation.