Byres saw a Midwest food plant network go down because a technician thought he was programming an off-line, test-programmable controller (PLC), but was actually affecting a plant PLC, shutting down the line. In a bakery, the IT staff conducted a port-scanning test, not realizing the test pings also hit 20 PLCs, shutting down the entire plant for a day and costing a million dollars in lost production.
Virtual private networks (VPNs) coupled with firewalls are often seen as a panacea for network ills. Providing a secure connection, VPNs help ensure a technician is connected to the right equipment, but they don’t necessarily prevent human error, nor do they stop the propagation of viruses.
VPN systems designed for the office and IT staff are not appropriate for industrial use on two counts, says Byres. First, when VPNs are used in conjunction with PLCs and other automation equipment, they physically must be able to withstand harsh plant floor environments. Second, VPNs-especially servers-have been notoriously difficult to configure for control engineers who are not necessarily network security experts. Improperly configured VPNs and firewalls provide a false sense of security, but according to Byres, industrial firewalls and VPNs have been designed with control engineers in mind, often providing simple drag-and-drop configuration while checking for security faux pas.
While secure VPN technology can make networks safer, plant engineers still need to know the identities of their network users and what they’re doing, especially when extranets are used by suppliers and customers. “An analogy I like to use,” says Byres, “is that we build these complex networks, and we don’t always know who’s on them. If they were steam pipes, we’d be very sure who’s plugged into them.”