“Today, intelligent firewalls can monitor network traffic, respond to network-based events like this by logically disconnecting themselves, and separating corporate/external networks from production,” says Hegrat.
To further help users safely integrate control and corporate networks, Bennet Levine, Contemporary Controls’ R&D manager, advises them to implement:
- Rate limiting to predetermine an adjustable ceiling for the maximum bandwidth on the ports on their network devices.
- Port locking that only allows frames from specific media access control (MAC) addresses to enter on a given port. This blocks every device except the one or two PCs the user wants that port to admit to the network.
- Overlapped VLANs that isolate corporate and plant-floor networks by allowing only one device to sit on each side, and then sharing data through it. This is similar to a DMZ strategy.
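The three controls above are easiest to reason about as ingress rules on a switch port. The following toy model is an added example, not Contemporary Controls' firmware or any vendor's configuration syntax: it applies port locking (a MAC allow list), rate limiting (a token bucket in bytes per second) and VLAN membership to constructed frames, and it places one shared "gateway" device in both the corporate and plant VLANs so that the two sides can exchange data only through it. All MAC addresses, port names and numbers are made up for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed MAC addresses for the demo; not taken from any real deployment.
GW_MAC = "02:00:00:00:00:10"      # the single shared device placed in both VLANs
CORP_PC = "02:00:00:00:00:20"
PLC_MAC = "02:00:00:00:00:30"
ROGUE_MAC = "02:00:00:00:00:99"   # unapproved device plugged into the plant port
BROADCAST = "ff:ff:ff:ff:ff:ff"
CORP_VLAN, PLANT_VLAN = 10, 20


@dataclass
class Frame:
    ingress: str   # switch port the frame arrives on
    src_mac: str
    dst_mac: str
    vlan: int
    size: int      # bytes
    t: float       # arrival time in seconds; frames are fed in time order


@dataclass
class Port:
    vlans: frozenset                          # VLANs this port carries
    allowed_macs: Optional[frozenset] = None  # port locking; None = unlocked
    rate_limit_bps: Optional[float] = None    # ingress ceiling, bytes per second
    burst: int = 1500                         # token-bucket depth, bytes
    tokens: float = field(init=False)
    last_t: float = field(default=0.0, init=False)

    def __post_init__(self):
        self.tokens = float(self.burst)

    def ingress_check(self, frame: Frame) -> Optional[str]:
        """Return a drop reason, or None if the frame may enter the switch."""
        if frame.vlan not in self.vlans:
            return "vlan-not-on-port"
        if self.allowed_macs is not None and frame.src_mac not in self.allowed_macs:
            return "mac-locked"
        if self.rate_limit_bps is not None:
            # Token bucket: refill at the configured rate, capped at the burst size.
            refill = (frame.t - self.last_t) * self.rate_limit_bps
            self.tokens = min(self.burst, self.tokens + refill)
            self.last_t = frame.t
            if frame.size > self.tokens:
                return "rate-limited"
            self.tokens -= frame.size
        return None


class Switch:
    def __init__(self, ports: dict):
        self.ports = ports
        self.fdb = {}  # (vlan, mac) -> port, learned from accepted frames only

    def handle(self, frame: Frame) -> str:
        reason = self.ports[frame.ingress].ingress_check(frame)
        if reason:
            return "drop:" + reason
        self.fdb[(frame.vlan, frame.src_mac)] = frame.ingress
        egress = self.fdb.get((frame.vlan, frame.dst_mac))
        if egress is None:
            # Unknown destination: flood, but only to ports that carry this VLAN.
            targets = sorted(p for p, cfg in self.ports.items()
                             if p != frame.ingress and frame.vlan in cfg.vlans)
            return "flood:" + ",".join(targets)
        return "forward:" + egress


def build_switch() -> Switch:
    return Switch({
        # Corporate side: rate-limited to 10 kB/s so a flood cannot saturate the link.
        "corp1": Port(vlans=frozenset({CORP_VLAN}), rate_limit_bps=10_000),
        # Plant side: locked to the one PLC that is supposed to be there.
        "plant1": Port(vlans=frozenset({PLANT_VLAN}), allowed_macs=frozenset({PLC_MAC})),
        # The overlapped VLANs meet only at this port (DMZ-style shared device).
        "gateway": Port(vlans=frozenset({CORP_VLAN, PLANT_VLAN})),
    })


def run_demo() -> list:
    sw = build_switch()
    frames = [
        Frame("gateway", GW_MAC, BROADCAST, CORP_VLAN, 64, 0.0),   # gateway seen on corp VLAN
        Frame("gateway", GW_MAC, BROADCAST, PLANT_VLAN, 64, 0.0),  # gateway seen on plant VLAN
        Frame("corp1", CORP_PC, GW_MAC, CORP_VLAN, 1500, 0.0),     # normal corp -> gateway
        Frame("corp1", CORP_PC, PLC_MAC, PLANT_VLAN, 64, 0.01),    # corp PC tries plant VLAN
        Frame("corp1", CORP_PC, GW_MAC, CORP_VLAN, 1500, 0.02),    # too soon: bucket empty
        Frame("corp1", CORP_PC, GW_MAC, CORP_VLAN, 1500, 1.0),     # bucket refilled
        Frame("plant1", ROGUE_MAC, GW_MAC, PLANT_VLAN, 64, 1.0),   # unapproved MAC on plant port
        Frame("plant1", PLC_MAC, GW_MAC, PLANT_VLAN, 64, 1.0),     # the locked-in PLC
    ]
    return [sw.handle(f) for f in frames]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The VLAN check runs before the rate limiter, so a frame tagged for the wrong VLAN is dropped without consuming the port's bandwidth budget; the forwarding table is keyed per VLAN, so even a MAC learned on the corporate side is never used to reach a plant-side port directly.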
“Ethernet requires a little more awareness because it’s too flexible to some extent,” says Levine. “If you’re not careful, you easily can access an office network from the plant or vice-versa, and potentially flood the other with unwanted data.” To prevent these problems, Contemporary Controls supplies EIS8-100T and UL 864-rated Ethernet switches to segregate and direct network traffic.
In fact, system integrator ATS Automation recently used EIS8-100T switches to help implement an integrated Alerton distributed digital control (DDC) system at the new, combined 42-story Washington Mutual (WaMu) Bank and Seattle Art Museum. ATS senior sales engineer Pete Segall says this application shows how plant and corporate networks can be successfully integrated because it combines:
- HVAC and smoke control;
- Automatic transfer switches, emergency generators, and power monitoring for WaMu via Modbus;
- Variable frequency drives (VFDs) and lighting controls via BACnet Ethernet integration; and
- EST fire alarms via a field server driver.
FIGURE 2: SWITCHES COMBINE CONTROL
Two Ethernet switches are physically connected to an Alerton BACnet/Ethernet smoke control network to jointly run day-to-day HVAC, alarm-based smoke handling, and other equipment at the 42-story WaMu Bank and Seattle Art Museum.
Segall reports that two EIS8-100T switches helped ATS develop an integrated control that could jointly monitor and control HVAC, smoke, and other combined smoke-and-HVAC equipment both daily and on an alarm-event basis. “Pure smoke control systems don’t function on a day-to-day basis, but HVAC and combined systems do,” adds Segall.
The two Ethernet switches were physically connected to the Alerton BACnet/Ethernet smoke control network via Cat 5 cabling, so precise, required DDC logic routines could be carried out (See Figure 2). One switch is located in the central fire control room, and the other is in a telecom room on WaMu’s second floor. In addition, one switch is used as a gateway between the non-smoke control Global DDC logic boards and the building management system’s computer and user interface.
“Ten years ago, this kind of integration would have been extremely difficult because there were no open protocols, and we would have had to write proprietary system drivers to translate between the fire, control and security protocols,” says Segall. “Open protocols such as BACnet and Modbus make all of this easier, and having a single point of connection between the several hundred Ethernet devices in our dedicated HVAC and fire network and WaMu’s overall corporate network gives us secure flexibility.”
Whatever technical methods are used to integrate industrial and business networks, everyone agrees none will be secure without plant and IT cooperation, jointly developed security policies, and training.
Jay Hardison, plant superintendent for Colorado Springs Utilities (CSU), says the utility has been using EtherNet/IP for its corporate backbone, and Profibus and DeviceNet for its plant-floor water/wastewater treatment plants for several years, and recently added Rockwell Software Maintenance Automation Control Center (RSMACC). RSMACC adds required security and offers supplemental authentication, auditing, archiving, and verification.
FIGURE 3: SPRINGS IN COLORADO
Northern Water Reclamation facility combines EtherNet/IP, Profibus, DeviceNet, and maintenance automation software at its water/wastewater treatment plant.
Hardison explains that CSU is integrating its networks into an overall historical database, which it will use to drive its Maximo work management system and preventive, run-time-based maintenance program. He adds that subsequent reading and diagnostics will let CSU run its plant on a more unmanned basis using a VPN, and increase capacity to handle the 3,000 taps it’s added annually for the past several years without adding manpower.
“We’re able to do this because we have a good working relationship and a common vision with our IT department,” says Hardison. “Our IT people participate on the plant floor, learn about our controls, and even go to control conferences. Meanwhile, they’ve educated us about Ethernet, switches, routers, and firewalls. We usually meet twice each month to talk about security and how to marry different plant and business-level applications. If we had an adversarial relationship with IT, we’d never have been able to do what we’ve done.”