Factory owners are terrified of their machines getting infected by the IT network, or the IT network getting infected by the OT network. To prevent this from happening, strict conditions must be met for connected machines.
As a machine builder, you have an important role in securely connecting a machine in the factory network. Therefore you have to know what decisions and settings could reduce potential security risks.
Network architecture in a factory
A factory has multiple networks. The Information Technology (IT) network includes all computers, Wi-Fi, MES and ERP systems. The Operational Technology (OT) network includes all machines and the SCADA system to monitor those machines. Machines themselves consist of industrial components like the PLC, HMI and robots which are connected in a local ‘machine network’. When allowed, the networks are connected to the public internet.
When the IT, OT, and machine network are not properly separated and secured, intruders entering one network can easily penetrate into the other networks and infect the whole factory system. This constitutes a major security risk, as everything is interconnected.
Separating networks with a router
A router is made to separate two networks from each other and to enable secure communication between both. As a machine builder, you are responsible for the segmentation of your machines. In order to safely separate them from other networks, you must install a router. However, a number of things must be clearly aligned with your customer before the router can be configured correctly.
Defining the required machine communication
Configuring the router is critical since it opens or restricts access to other networks. You have to discuss with your customer which internal and external communication is needed to integrate your machine into the factory and have the right access to monitor or troubleshoot your machines. It is best to discuss this in an early stage in the process so all parties can prepare.
These are the most used forms of network connections:
- MES system
A MES system is an information system that connects, monitors and controls complex manufacturing systems and data flows on the factory floor. The MES system can be connected to the SCADA system to get access to data from all machinery or can directly communicate with PLCs. - SCADA system
When the factory is using a SCADA system, the operator can monitor all machines and their status. The SCADA then communicates with the PLC system to inform about its status and alarm states. - Cloud connection
For remote service purposes or data analyses in an IIoT platform, the machine needs to communicate over a public internet connection to transmit data. This can be either directly from the router (over 4G) or via the factory's internet connection.
Once you both agree on the wishes and restrictions, you can think of the right configuration in the router and firewall.
Limit connection options to what is strictly necessary
Depending on the communication form needed for your machine, you can configure the router and firewalls to grant access to certain networks. You also have to think about what IP address you are going to use.
Strict firewall settings
A modern router has a certain form of firewall in which you can allow or disallow certain connections. Some routers have additional services running to allow certain incoming connections, for example VPN. It’s important to configure the firewall settings as strictly as possible, so only the necessary connections are allowed. Decide on the following:
- Ports: which ports should you open in the OT and IT network and in the firewall to allow connection?
- Protocol: what kind of traffic is coming in and out? Do you need HTTP or MQTT?
- IP address: where is traffic going? From the machine to the SCADA system or from the cloud to the machine?
You can set up firewall rules using all three properties. For example: only HTTP traffic from IP address X via port Y is allowed. This way you explicitly grant access for certain connections.
Choose a fixed IP address
Each network consists of a range of IP addresses. When using a dynamic IP address for the machine, the IP address might change which could obstruct communication from other systems. Therefore, a fixed IP address in the router for your machine is recommended when other systems need to communicate with each other as well.