Strategies for secure automation, Ethernet networks

Ethernet networks provide plants with an open environment that connects local and remote plant devices with management tools, but open networks come at a cost: security. Several strategies can foster openness while promoting safety and cyber security.


The introduction of Ethernet to the plant floor provides an open architecture, connecting plant devices and management tools from most anywhere. But there is a trade-off: network security.

Control Engineering - HMI - networking security

Ethernet networks function much like home Web connections, relying on the Internet to operate properly. Plants must take steps to protect connected automation systems from the same threats that face personal computers, such as hackers, worms, and Trojans.

To overcome these challenges, the plant environment should employ the same cyber security tools that its IT counterparts use. Such tactics must maintain network security while allowing local and remote authenticated access. Doing so enables even faraway administrators to handle tasks such as configuration and diagnostics, initialization of nodes, and gaining access to on-board Web and FTP servers.

Finding balance between openness and security, the following strategies can help create an automation environment that can communicate with other networks and be managed locally and remotely while, at the same time, remaining safe and secure.

First line of defense: Firewalls

Firewalls—one of the oldest cyber security tools—are still a crucial piece of the network puzzle. A firewall sits between the internal and external networks, ensuring only legitimate traffic passes between them.

In an industrial environment, firewalls protect cells that often include several Ethernet-attached automation devices, such as Industrial PCs and PLCs. To protect them, companies can install one security module with one Ethernet connection that traffics between the automation and larger networks according to the firewall rules established for the device.

To ensure all traffic is legitimate, stateful packet inspection firewalls protect the network using pre-determined filter rules. For example, if an internal node sends data to an external target device, the firewall will dynamically allow the response packet for a limited period. After the time window has expired, the firewall will block the traffic again.


Network address translation (NAT) is an automation security technology that is implemented in devices rather than the network. NAT hides the device’s IP address on the internal network from those on external networks. Instead, it presents a generic public IP address to external-facing nodes, translating that address to the established internal network address.

More complicated yet, network address and port translation (NAPT) further encrypts NAT by adding a port number. Only one IP address is presented to public networks. Behind that, packets are addressed to particular devices by adding port numbers. A NAPT table, typically residing on a router, maps private IP address ports to the public IP address ports.

If a device from the external network wants to send a packet to an internal device, it uses the security device’s public address with a specified port as the destination. This IP address is then translated by the router to the assigned private IP address and its appropriate port. The source address in the data packet’s IP header remains unchanged. But since the sending address is in a different subnet than the receiving address, responses must go through the router, which forwards it to the external device, protecting the internal device’s actual IP address from public view.

Building secure tunnels with VPNs

Virtual private networks (VPNs) are another way to secure networks. A VPN is an encrypted tunnel formed by security devices at each end of the connection. To connect with one another, the remote devices generate digital certificates that act as identification. The certificates also permit the devices to share encrypted data over the established network.

In a VPN environment, security modules use digital certificates to create VPNs with two basic configurations: bridging and routing.

Bridging mode enables devices to communicate securely in a flat network—one in which all devices are directly connected to one another. This configuration can be advantageous when the connections are physically distant or when data must pass through an unsecure network section. Bridging is often used for communication types that cannot be routed and that may not necessarily be in the same subnet.

Routing mode creates a VPN between devices on separate subnets. Much like NAPT, the router, operating at Layer 3 of the open systems interconnection (OSI) model, sends packets to the appropriate destination address. The packet travels over an encrypted VPN tunnel, making the communications secure even over a public network such as the Internet.

Sample cases

These security tools can be configured to plant-specific environments, taking both open access and security into account. Here are some examples in practice:

User-specific firewall: When automation contractors, for example, are away from the plant, user-specific firewall rules can enable remote access, allowing for administration and troubleshooting. By establishing different levels of authorization, plant managers can also use the firewall to establish device-specific access for remote users, limiting users only to the device for which they are authorized.

To connect to the module’s IP address, the contractor creates a username and password and logs in under those credentials. According to established permissions, the network will be available for a specific amount of time before the connection is lost. The user can renew the connection at any time according to the plant’s firewall rules.

Site-to-site VPN: If a company has a central site and a number of satellite facilities, a site-to-site VPN might be more appropriate. A site-to-site VPN is a secure encrypted connection between two sites that, depending on configuration, allows users at each site to access resources at another.

This setup requires a module at each location to create the encrypted VPN tunnel. A firewall can also be used to provide access control, enabling access to certain users but not to others.

Point-to-point VPN: A point-to-point VPN allows users access to plant devices from any Internet connection. This could be advantageous for working-from-home administrators who must troubleshoot a device, for example.

This setup requires a module at the target location and security client software, which runs on the administrator’s laptop or desktop. The client allows the administrator to establish an encrypted VPN connection with any site that has the module. With the proper permissions, the administrator can log in to whatever device is necessary.

Multipoint VPN connections: If administrators are responsible for more than one site, plants can establish a central module that connects each of the remote sites over a VPN. Instead of establishing many individual VPN connections, the administrator can then piggyback the connection from the central module.

This can benefit service engineers, for example, who spend much of their time traveling. With one connection to the central site, they can now easily and securely access any other site as needed, saving valuable time in the process.

-Tim Pitterling, product marketing manager, Siemens Industry Sector. Edited by Jordan M. Schultz, CFE Media, Control Engineering, jschultz(at)

No comments
The Top Plant program honors outstanding manufacturing facilities in North America. View the 2013 Top Plant.
The Product of the Year program recognizes products newly released in the manufacturing industries.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
The true cost of lubrication: Three keys to consider when evaluating oils; Plant Engineering Lubrication Guide; 11 ways to protect bearing assets; Is lubrication part of your KPIs?
Contract maintenance: 5 ways to keep things humming while keeping an eye on costs; Pneumatic systems; Energy monitoring; The sixth 'S' is safety
Transport your data: Supply chain information critical to operational excellence; High-voltage faults; Portable cooling; Safety automation isn't automatic
Case Study Database

Case Study Database

Get more exposure for your case study by uploading it to the Plant Engineering case study database, where end-users can identify relevant solutions and explore what the experts are doing to effectively implement a variety of technology and productivity related projects.

These case studies provide examples of how knowledgeable solution providers have used technology, processes and people to create effective and successful implementations in real-world situations. Case studies can be completed by filling out a simple online form where you can outline the project title, abstract, and full story in 1500 words or less; upload photos, videos and a logo.

Click here to visit the Case Study Database and upload your case study.

Maintaining low data center PUE; Using eco mode in UPS systems; Commissioning electrical and power systems; Exploring dc power distribution alternatives
Synchronizing industrial Ethernet networks; Selecting protocol conversion gateways; Integrating HMIs with PLCs and PACs
Why manufacturers need to see energy in a different light: Current approaches to energy management yield quick savings, but leave plant managers searching for ways of improving on those early gains.

Annual Salary Survey

Participate in the 2013 Salary Survey

In a year when manufacturing continued to lead the economic rebound, it makes sense that plant manager bonuses rebounded. Plant Engineering’s annual Salary Survey shows both wages and bonuses rose in 2012 after a retreat the year before.

Average salary across all job titles for plant floor management rose 3.5% to $95,446, and bonus compensation jumped to $15,162, a 4.2% increase from the 2010 level and double the 2011 total, which showed a sharp drop in bonus.

2012 Salary Survey Analysis

2012 Salary Survey Results

Maintenance and reliability tips and best practices from the maintenance and reliability coaches at Allied Reliability Group.
The One Voice for Manufacturing blog reports on federal public policy issues impacting the manufacturing sector. One Voice is a joint effort by the National Tooling and Machining...
The Society for Maintenance and Reliability Professionals an organization devoted...
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.
Maintenance is not optional in manufacturing. It’s a profit center, driving productivity and uptime while reducing overall repair costs.
The Lachance on CMMS blog is about current maintenance topics. Blogger Paul Lachance is president and chief technology officer for Smartware Group.