Segmenting control and automation networks from the business network

Plant facilities, from the smallest to the largest, should keep their business networks separate from the automation or control networks on the production floor. ControlDesign writes about a common and frightening scenario of what can happen when plant networks are not segmented correctly.

Keep Controls Network Separate From Business Network

ControlDesign.com
July 10, 2010

All is quiet at a sprawling and highly automated production facility. Production lines are running smoothly, there have been no unexpected machine shutdowns, measurements are trending close to setpoints, and processes are in control. It's a good day.

At this particular facility, controllers—PLCs in this case—and graphical control stations are distributed everywhere, communicating with each other via an extensive and modern controls network, built using Ethernet, ControlNet and DeviceNet. Production uses this network to remotely monitor and adjust processes. One control room operator can control hundreds of machines located throughout this giant building remotely. Maintenance uses this network to access controllers remotely in order to troubleshoot and diagnose machine and production line issues.

The Ethernet portion of the controls network shares the same commercial-grade network switches and switch-to-switch cables as the business network, but controls-network traffic is isolated virtually from the business-network traffic using VLANs. With this shared network hardware configuration, most of the controller-to-controller communication and most of the controller-to-graphics-station communication are routed through the same Ethernet network switches that service office computers and servers and printers. Only controllers and graphics stations that are in close proximity to each other do not use the shared network hardware. These close neighbors typically use ControlNet to talk directly to each other.
