The need to isolate control systems from corporate networks

The November/December 2012 issue of ISA's Intech magazine has an article "Selecting temperature measurement and control systems". The article states: "Network connectivity ties everything together. The goal of any DAS (data acquisition system) is to deliver sensor data for reporting and analysis. The ubiquitous Ethernet interface is a DAS requirement, connecting the DAS to the plant network and into the PC world. Multiple protocols are typically available, such as FTP for file transfer, Modbus TCP and Ethernet/IP, web browsing, email messaging, and OPC server support. When standard industry protocols are supported by the data acquisition equipment, data can be seamlessly exchanged with virtually any other control or computing system in the enterprise."

The article demonstrates the perceived value of control system information. The data can be shared, but needs to be done in a secure manner. There are several avenues that can be explored:
- Isolating the DAS from the control system network
- Implementing ISA99 Zones and Conduits recommendations
- Implementing one-way data diodes from the DAS to the corporate networks
- Implementing the latest OPC security recommendations for either OPC Classic or OPC UA
- Removing FTP, web services, and email messaging from the DAS and implementing those functions on a system isolated from the control network

Joe Weiss