Strategies for secure automation, Ethernet networks

Ethernet networks provide plants with an open environment that connects local and remote plant devices with management tools, but open networks come at a cost: security. Several strategies can foster openness while promoting safety and cyber security.


The introduction of Ethernet to the plant floor provides an open architecture, connecting plant devices and management tools from most anywhere. But there is a trade-off: network security.


Ethernet networks function much like home Web connections, relying on the Internet to operate properly. Plants must take steps to protect connected automation systems from the same threats that face personal computers, such as hackers, worms, and Trojans.

To overcome these challenges, the plant environment should employ the same cyber security tools that its IT counterparts use. Such tactics must maintain network security while allowing local and remote authenticated access. Doing so enables even faraway administrators to handle tasks such as configuration and diagnostics, initialization of nodes, and gaining access to on-board Web and FTP servers.

The following strategies balance openness and security, helping create an automation environment that can communicate with other networks and be managed locally and remotely while remaining safe and secure.

First line of defense: Firewalls

Firewalls—one of the oldest cyber security tools—are still a crucial piece of the network puzzle. A firewall sits between the internal and external networks, ensuring only legitimate traffic passes between them.

In an industrial environment, firewalls protect cells that often include several Ethernet-attached automation devices, such as industrial PCs and PLCs. To protect them, companies can install one security module with one Ethernet connection that passes traffic between the automation network and the larger network according to the firewall rules established for the device.

To ensure all traffic is legitimate, stateful packet inspection firewalls protect the network using pre-determined filter rules. For example, if an internal node sends data to an external target device, the firewall will dynamically allow the response packet for a limited period. After the time window has expired, the firewall will block the traffic again.
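The dynamic allow-then-expire behaviour described above is easiest to see in code. The following is an added illustration written for this page, not code from the article or from any vendor's security module: a toy stateful filter with static outbound rules and a connection table whose entries lapse after a fixed window. The subnet, addresses, ports and the 30-second window are constructed values.

```python
# Added illustration of stateful packet inspection; not code from the article or
# from any vendor product. Addresses, ports and the 30-second window are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    sport: int    # source port
    dst: str      # destination IP address
    dport: int    # destination port
    proto: str = "tcp"


class StatefulFirewall:
    """Static outbound rules plus a dynamic table that admits replies for a limited time."""

    INTERNAL_PREFIX = "192.168.10."  # assumed automation-cell subnet

    def __init__(self, reply_window=30.0):
        self.reply_window = reply_window
        self.outbound_rules = set()  # (external_ip, port) pairs internal nodes may reach
        self.state = {}              # reverse-flow key -> expiry time in seconds

    def allow_outbound(self, dst, dport):
        self.outbound_rules.add((dst, dport))

    def _is_internal(self, ip):
        return ip.startswith(self.INTERNAL_PREFIX)

    def filter(self, pkt, now):
        """Return True if the packet may pass at time `now` (seconds)."""
        # Drop dynamic entries whose window has expired.
        self.state = {k: exp for k, exp in self.state.items() if exp > now}

        if self._is_internal(pkt.src) and not self._is_internal(pkt.dst):
            # Outbound: only the pre-determined rules apply ...
            if (pkt.dst, pkt.dport) not in self.outbound_rules:
                return False
            # ... and the matching reply is admitted for reply_window seconds.
            reply_key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            self.state[reply_key] = now + self.reply_window
            return True

        if not self._is_internal(pkt.src) and self._is_internal(pkt.dst):
            # Inbound: pass only if an internal node solicited it recently.
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.state:
                self.state[key] = now + self.reply_window  # refresh the window
                return True
            return False

        return False  # anything else is outside this toy's scope


def demo():
    """Constructed traffic: an internal node polls an external web server, then the window lapses."""
    fw = StatefulFirewall(reply_window=30.0)
    fw.allow_outbound("203.0.113.5", 80)
    request = Packet("192.168.10.20", 51000, "203.0.113.5", 80)
    reply = Packet("203.0.113.5", 80, "192.168.10.20", 51000)
    unsolicited = Packet("198.51.100.7", 4444, "192.168.10.20", 80)
    return [
        fw.filter(request, now=0.0),       # True: matches an outbound rule
        fw.filter(reply, now=10.0),        # True: solicited, inside the window
        fw.filter(reply, now=45.0),        # False: window (refreshed to 40 s) has expired
        fw.filter(unsolicited, now=50.0),  # False: no internal node asked for it
    ]


if __name__ == "__main__":
    print(demo())
```

The point to notice is that the inbound decision never consults a static "allow port 80 in" rule; it consults only the state the outbound packet created, and that state disappears on its own once the window closes.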


Network address translation (NAT) is an automation security technology that is implemented in devices rather than the network. NAT hides the device’s IP address on the internal network from those on external networks. Instead, it presents a generic public IP address to external-facing nodes, translating that address to the established internal network address.

More complicated yet, network address and port translation (NAPT) extends NAT by adding a port number. Only one IP address is presented to public networks. Behind that, packets are addressed to particular devices by their port numbers. A NAPT table, typically residing on a router, maps private IP address and port pairs to ports of the public IP address.

If a device from the external network wants to send a packet to an internal device, it uses the security device’s public address with a specified port as the destination. This IP address is then translated by the router to the assigned private IP address and its appropriate port. The source address in the data packet’s IP header remains unchanged. But since the sending address is in a different subnet than the receiving address, responses must go through the router, which forwards them to the external device, protecting the internal device’s actual IP address from public view.
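To make the two translation directions concrete, here is an added example of a NAPT table written for this page; it is not code from the article or from any router vendor. It rewrites the source of outbound packets to the single public address, rewrites the destination of replies back to the private address and port, drops inbound packets for which no mapping exists, and supports a pre-assigned (static) mapping for the inbound case the paragraph describes. The public address, private subnet and port numbers are constructed.

```python
# Added illustration of a NAPT table; not code from the article or from any
# vendor router. The public address, private subnet and port numbers are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NAPTRouter:
    """Maps (private IP, private port) pairs onto ports of one public IP address."""

    def __init__(self, public_ip, first_public_port=40000):
        self.public_ip = public_ip
        self.next_port = first_public_port
        self.out_map = {}  # (private_ip, private_port) -> public_port
        self.in_map = {}   # public_port -> (private_ip, private_port)

    def add_static_mapping(self, public_port, private_ip, private_port):
        """Pre-assigned port so an external party can reach one chosen internal device."""
        self.in_map[public_port] = (private_ip, private_port)
        self.out_map[(private_ip, private_port)] = public_port

    def translate_outbound(self, pkt):
        """Rewrite the source so only the public address is visible outside."""
        key = (pkt.src, pkt.sport)
        if key not in self.out_map:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return Packet(self.public_ip, self.out_map[key], pkt.dst, pkt.dport)

    def translate_inbound(self, pkt):
        """Rewrite the destination to the private address; None means the packet is dropped."""
        if pkt.dst != self.public_ip or pkt.dport not in self.in_map:
            return None  # no mapping: the packet never reaches the cell
        private_ip, private_port = self.in_map[pkt.dport]
        return Packet(pkt.src, pkt.sport, private_ip, private_port)


def demo():
    """Constructed exchange: one outbound connection, its reply, a stray packet, a static forward."""
    router = NAPTRouter("198.51.100.1")
    # An internal node opens a connection to an external server.
    out = router.translate_outbound(Packet("192.168.10.20", 5000, "203.0.113.5", 80))
    # The server replies to the public address and port it saw; the source stays unchanged.
    back = router.translate_inbound(Packet("203.0.113.5", 80, "198.51.100.1", out.sport))
    # A packet to a public port nobody mapped is dropped.
    stray = router.translate_inbound(Packet("203.0.113.9", 9, "198.51.100.1", 40001))
    # A pre-assigned port lets an external host reach one internal device.
    router.add_static_mapping(8080, "192.168.10.30", 80)
    fwd = router.translate_inbound(Packet("203.0.113.5", 6000, "198.51.100.1", 8080))
    return {"out": out, "back": back, "stray": stray, "fwd": fwd}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, pkt)
```

Note that `translate_inbound` leaves `src` and `sport` untouched, matching the paragraph's statement that the source address in the IP header remains unchanged; only the destination side of the packet is rewritten.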

Building secure tunnels with VPNs

Virtual private networks (VPNs) are another way to secure networks. A VPN is an encrypted tunnel formed by security devices at each end of the connection. To connect with one another, the remote devices generate digital certificates that act as identification. The certificates also permit the devices to share encrypted data over the established network.

In a VPN environment, security modules use digital certificates to create VPNs with two basic configurations: bridging and routing.

Bridging mode enables devices to communicate securely in a flat network—one in which all devices are directly connected to one another. This configuration can be advantageous when the connections are physically distant or when data must pass through an unsecure network section. Bridging is often used for communication types that cannot be routed and that may not necessarily be in the same subnet.

Routing mode creates a VPN between devices on separate subnets. Much like NAPT, the router, operating at Layer 3 of the open systems interconnection (OSI) model, sends packets to the appropriate destination address. The packet travels over an encrypted VPN tunnel, making the communications secure even over a public network such as the Internet.

Sample cases

These security tools can be configured to plant-specific environments, taking both open access and security into account. Here are some examples in practice:

User-specific firewall: When automation contractors, for example, are away from the plant, user-specific firewall rules can enable remote access, allowing for administration and troubleshooting. By establishing different levels of authorization, plant managers can also use the firewall to establish device-specific access for remote users, limiting users only to the device for which they are authorized.

To connect to the module’s IP address, the contractor creates a username and password and logs in under those credentials. According to established permissions, the network will be available for a specific amount of time before the connection is lost. The user can renew the connection at any time according to the plant’s firewall rules.
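The user-specific firewall just described combines three checks: the credentials, a session that lapses after a set time and can be renewed while still live, and a per-user list of devices the user may reach. The block below is an added example written for this page, not code from the article or from any vendor module, that implements those three checks. Password hashing with PBKDF2 and constant-time comparison are the editor's choices; the user name, device addresses and the 600-second session length are constructed.

```python
# Added illustration of user-specific, time-limited remote access; not code from the
# article or from any vendor module. Password hashing (PBKDF2) is the editor's choice;
# user names, device addresses and the session length are constructed.
import hashlib
import hmac
import os


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


class RemoteAccessController:
    """Per-user device allowlist plus sessions that lapse and can be renewed."""

    def __init__(self):
        self.users = {}     # username -> (salt, digest, allowed device IPs, session ttl)
        self.sessions = {}  # username -> expiry time in seconds

    def add_user(self, username, password, allowed_devices, session_ttl):
        salt, digest = hash_password(password)
        self.users[username] = (salt, digest, frozenset(allowed_devices), session_ttl)

    def login(self, username, password, now):
        """Open a session of session_ttl seconds if the credentials check out."""
        rec = self.users.get(username)
        if rec is None:
            return False
        salt, digest, _, ttl = rec
        _, candidate = hash_password(password, salt)
        if not hmac.compare_digest(candidate, digest):  # constant-time comparison
            return False
        self.sessions[username] = now + ttl
        return True

    def renew(self, username, now):
        """Extend a session only while it is still live; a lapsed one needs a fresh login."""
        if self.sessions.get(username, 0) <= now:
            return False
        self.sessions[username] = now + self.users[username][3]
        return True

    def permits(self, username, device_ip, now):
        """Firewall decision: live session AND device on this user's list."""
        if self.sessions.get(username, 0) <= now:
            return False
        return device_ip in self.users[username][2]


def demo():
    """Constructed contractor session: one authorised device, 600-second window."""
    ac = RemoteAccessController()
    ac.add_user("contractor", "correct horse", ["192.168.10.20"], session_ttl=600)
    return [
        ac.login("contractor", "wrong", now=0),               # False: bad password
        ac.login("contractor", "correct horse", now=0),       # True: session until t=600
        ac.permits("contractor", "192.168.10.20", now=100),   # True: authorised device
        ac.permits("contractor", "192.168.10.21", now=100),   # False: not on this user's list
        ac.permits("contractor", "192.168.10.20", now=700),   # False: session lapsed
        ac.renew("contractor", now=700),                      # False: must log in again
        ac.login("contractor", "correct horse", now=700),     # True: session until t=1300
        ac.renew("contractor", now=1000),                     # True: extended to t=1600
        ac.permits("contractor", "192.168.10.20", now=1500),  # True
    ]


if __name__ == "__main__":
    print(demo())
```

Time is passed in explicitly rather than read from the clock so the expiry behaviour can be exercised deterministically; a real module would substitute its own clock and persist the session table.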

Site-to-site VPN: If a company has a central site and a number of satellite facilities, a site-to-site VPN might be more appropriate. A site-to-site VPN is a secure encrypted connection between two sites that, depending on configuration, allows users at each site to access resources at another.

This setup requires a module at each location to create the encrypted VPN tunnel. A firewall can also be used to provide access control, enabling access to certain users but not to others.

Point-to-point VPN: A point-to-point VPN allows users access to plant devices from any Internet connection. This could be advantageous for working-from-home administrators who must troubleshoot a device, for example.

This setup requires a module at the target location and security client software, which runs on the administrator’s laptop or desktop. The client allows the administrator to establish an encrypted VPN connection with any site that has the module. With the proper permissions, the administrator can log in to whatever device is necessary.

Multipoint VPN connections: If administrators are responsible for more than one site, plants can establish a central module that connects each of the remote sites over a VPN. Instead of establishing many individual VPN connections, the administrator can then piggyback the connection from the central module.

This can benefit service engineers, for example, who spend much of their time traveling. With one connection to the central site, they can now easily and securely access any other site as needed, saving valuable time in the process.

-Tim Pitterling, product marketing manager, Siemens Industry Sector. Edited by Jordan M. Schultz, CFE Media, Control Engineering.
