Secure Local Networks
The majority of installations we have been involved in have had a secure local network for the production line, connected to the internet or corporate network only through a gateway computer using TLS/SSL encryption. The connections between production devices, the gateway, and the processing and analytics services in the cloud or on the corporate network must therefore provide Confidentiality, Integrity and Availability (CIA).
A system that follows the CIA principles provides:
Confidentiality – the ability to hide information from those who are not authorized to view it. Encryption must be used to ensure confidentiality, so that data read off the wire is useless without the key.
Integrity – ensures that the data received is an accurate representation of the data transmitted from the source. A plain cryptographic hash only detects accidental corruption; an attacker who can rewrite the data can simply recompute the hash. Against tampering, integrity requires a keyed construct such as an HMAC or a digital signature, both of which TLS provides.
Availability – ensures that the data can be accessed by authorized viewers whenever it is needed; in a production network this means the gateway and devices stay reachable even when the internet or corporate link is down. Separately from CIA, devices must also authenticate: they should use cryptographic certificates to prove who they are, because encryption to an unverified peer protects neither confidentiality nor integrity.
The benefit of this is that the reliability of the production line does not depend on the internet or corporate network connection. It also has a security benefit: each machine's network connection needs to meet a lower security standard, because none of the machines is directly reachable from the internet. This only holds if the gateway does not route or bridge traffic between its two networks, so that all external access is forced through the gateway's own hardened services.
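The integrity point above is easy to get wrong in practice, so here is an added example (not code from the original article) showing the difference between an unkeyed hash and a keyed HMAC on a constructed station reading. The reading format, field names and the 32-byte shared key are assumptions for illustration; in a real deployment the key would be provisioned to device and gateway out of band, or the whole exchange would simply run inside TLS, which does this for you.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample: a test result a station might report to the gateway (hypothetical format).
SAMPLE_READING = {"station": "Functional Test Station", "serial": "SN-0001", "result": "FAIL"}


def encode(reading: dict) -> bytes:
    """Canonical encoding so that sender and receiver hash exactly the same bytes."""
    return json.dumps(reading, sort_keys=True, separators=(",", ":")).encode()


def plain_digest(reading: dict) -> str:
    """Unkeyed SHA-256. Anyone, including an attacker, can compute this."""
    return hashlib.sha256(encode(reading)).hexdigest()


def keyed_tag(key: bytes, reading: dict) -> str:
    """HMAC-SHA256 under a key shared by device and gateway. Needs the key to compute."""
    return hmac.new(key, encode(reading), hashlib.sha256).hexdigest()


def verify_plain(reading: dict, digest: str) -> bool:
    return hmac.compare_digest(plain_digest(reading), digest)


def verify_keyed(key: bytes, reading: dict, tag: str) -> bool:
    # compare_digest runs in constant time, so the comparison leaks nothing about the tag.
    return hmac.compare_digest(keyed_tag(key, reading), tag)


def corrupt(reading: dict) -> dict:
    """Accidental damage in transit: a field arrives truncated."""
    return dict(reading, serial=reading["serial"][:-1])


def forge(reading: dict) -> dict:
    """Deliberate tampering: an on-path attacker turns a failed test into a pass."""
    return dict(reading, result="PASS")


def demonstrate(key: bytes) -> dict:
    """Runs the four cases and returns which check caught what."""
    sent = SAMPLE_READING
    digest, tag = plain_digest(sent), keyed_tag(key, sent)

    damaged = corrupt(sent)
    forged = forge(sent)
    # The attacker can recompute the unkeyed hash for the forged message...
    forged_digest = plain_digest(forged)
    # ...but without the key the best they can do is replay the old tag or guess a key.
    forged_tag_guess = keyed_tag(secrets.token_bytes(32), forged)

    return {
        "honest_passes_hmac": verify_keyed(key, sent, tag),
        "corruption_caught_by_hash": not verify_plain(damaged, digest),
        "forgery_passes_hash": verify_plain(forged, forged_digest),
        "forgery_caught_by_hmac": not verify_keyed(key, forged, tag)
        and not verify_keyed(key, forged, forged_tag_guess),
    }


if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)  # provisioned to device and gateway out of band
    for case, outcome in demonstrate(shared_key).items():
        print(f"{case}: {outcome}")
```

The hash catches the truncated field but waves the forged result through, because the attacker recomputed it; the HMAC rejects the forgery because the attacker cannot produce a valid tag without the key. Note the canonical JSON encoding: if sender and receiver serialise the same reading differently, even honest data fails verification.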
Configuring Networks
Custom machinery may use industrial protocols such as Modbus or OPC to connect to the Gateway. These protocols typically carry little or no authentication or encryption of their own (Modbus/TCP, for example, has no authentication at all), which is why they must stay on the isolated local network. Securing the link from the Gateway to the Cloud / Corporate Network is therefore the main focus of secure local networks.
When configuring a network like this, the Gateway Hub computer needs two network interfaces: one for the local network, with a fixed IP address, and a second for the connection to the internet or corporate network, carrying TLS / SSL encrypted connections.
Every device and machine in the production line should then be connected to the local network with a fixed IP address. An example is shown below:
| Machine Name | Device Type | Local IP Address |
|---|---|---|
| Gateway Hub | Windows PC | 192.168.0.90 |
| CNC Machining Station | PLC > Windows PC HMI | 192.168.0.95 |
| Sub Assembly Station | Windows PC | 192.168.0.100 |
| Sub Assembly Inspection | Smart Camera | 192.168.0.105 |
| Assembly Station | Windows PC | 192.168.0.110 |
| Functional Test Station | PLC > Windows PC HMI | 192.168.0.115 |
Using this network configuration, the Gateway PC communicates with the wider factory network, e.g. to acquire production order data, while the local network is used to guide and manage the production process.
Additionally, a local production database can be installed on the Gateway PC to store local production data. The Gateway PC should also poll each production device to check its status, confirming that it is reachable at its fixed address and capable of performing production operations.
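As an added example (not code from the original article), the following Python script implements the status poll described above against the fixed-IP inventory from the table. The probe port is an assumption: 502 is the standard Modbus/TCP port and is used here only as a reachability check, not as a Modbus client. The loopback helpers at the end exist so the script can be exercised without the real machines.

```python
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Optional, Tuple

# Device inventory from the table above. The port is an assumption for illustration:
# 502 is the standard Modbus/TCP port and is used here purely as a reachability probe.
DEVICES: Dict[str, Tuple[str, int]] = {
    "CNC Machining Station": ("192.168.0.95", 502),
    "Sub Assembly Station": ("192.168.0.100", 502),
    "Sub Assembly Inspection": ("192.168.0.105", 502),
    "Assembly Station": ("192.168.0.110", 502),
    "Functional Test Station": ("192.168.0.115", 502),
}


def probe(host: str, port: int, timeout: float = 1.0) -> str:
    """TCP reachability check with a hard timeout so one dead device cannot stall the poll loop.

    Returns "up" when the handshake completes, "down" when the host refuses (port closed or
    host unreachable), "timeout" when nothing answers at all.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "up"
    except socket.timeout:  # subclass of OSError, so it must be caught first
        return "timeout"
    except OSError:
        return "down"


def poll_all(devices: Dict[str, Tuple[str, int]], timeout: float = 1.0) -> Dict[str, str]:
    """Probes every device in parallel; the whole sweep takes about one timeout, not one per device."""
    with ThreadPoolExecutor(max_workers=max(1, len(devices))) as pool:
        futures = {name: pool.submit(probe, host, port, timeout)
                   for name, (host, port) in devices.items()}
        return {name: future.result() for name, future in futures.items()}


def ready_for_production(status: Dict[str, str]) -> bool:
    """The line is ready only when every polled device answered."""
    return bool(status) and all(state == "up" for state in status.values())


def is_known_device(addr: str, devices: Dict[str, Tuple[str, int]] = DEVICES) -> Optional[str]:
    """Maps a source address to an inventory entry, or None for anything outside the fixed-IP plan.

    An address allowlist only catches misconfiguration and casual intruders; an attacker already
    on the local network can spoof an address, which is why the network itself stays isolated.
    """
    for name, (host, _port) in devices.items():
        if host == addr:
            return name
    return None


# --- helpers so the example can be exercised offline on the loopback interface ---

def start_listener() -> socket.socket:
    """Stands in for a reachable device: a listening socket on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def unused_port() -> int:
    """Finds a loopback port nobody listens on, standing in for a device that is switched off."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    live = start_listener()
    try:
        sample = {"live device": live.getsockname()[:2],
                  "dead device": ("127.0.0.1", unused_port())}
        status = poll_all(sample)
        print(status, "ready:", ready_for_production(status))
    finally:
        live.close()
    # On the gateway itself, call poll_all(DEVICES) on a schedule instead.
```

Two details matter operationally: the per-probe timeout keeps a powered-off station from blocking the whole sweep, and probing in parallel keeps the poll interval short enough to be useful as a readiness check rather than a post-mortem.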
Distributed Devices
Local networks are not an option when production equipment is located in remote locations. In this case, the only option is to connect machines and devices directly to the internet. This requires more stringent security procedures on the machine connection, to reduce the risk of attack on production equipment.
In this case, an encrypted and mutually authenticated connection from the device to the hub is required, as distributed devices are exposed to attack from outside the organization: the hub must verify the device's certificate and the device must verify the hub's, so that neither a rogue device nor an impostor hub can join the exchange.
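Both the Gateway-to-Cloud link from the first part of this guide and the device-to-hub link just described come down to the same TLS configuration, so here is one added example (not code from the original article) covering both sides in Python's standard `ssl` module. The certificate and CA file paths are hypothetical parameters supplied by the caller; the `policy_violations` check exists because the most common real-world weakening is a developer disabling verification to make a certificate error go away.

```python
import socket
import ssl
from typing import List, Optional


def device_client_context(hub_ca_file: Optional[str] = None,
                          device_cert_file: Optional[str] = None,
                          device_key_file: Optional[str] = None) -> ssl.SSLContext:
    """Context a remote device (or the Gateway PC) uses to reach the hub / cloud service.

    hub_ca_file: PEM of the private CA that issued the hub certificate (hypothetical path supplied
    by the caller); when omitted, the OS trust store is used for a hub behind a public certificate.
    device_cert_file / device_key_file: the device's own certificate and key for mutual TLS.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no TLS 1.0/1.1, no SSL
    ctx.check_hostname = True                       # the cert must name the hub we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED             # an unverifiable hub is an impostor
    if hub_ca_file:
        ctx.load_verify_locations(cafile=hub_ca_file)  # trust only our CA, not every public one
    else:
        ctx.load_default_certs()
    if device_cert_file:
        ctx.load_cert_chain(device_cert_file, device_key_file)
    return ctx


def hub_server_context(hub_cert_file: str, hub_key_file: str, device_ca_file: str) -> ssl.SSLContext:
    """Context the hub uses to accept devices; every device must present a cert from our device CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED             # mutual TLS: no certificate, no connection
    ctx.load_cert_chain(hub_cert_file, hub_key_file)
    ctx.load_verify_locations(cafile=device_ca_file)
    return ctx


def policy_violations(ctx: ssl.SSLContext, server_side: bool = False) -> List[str]:
    """Audit check to run on any context before use; returns the reasons it is not acceptable."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("minimum TLS version not pinned to 1.2 or higher")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("peer certificate not required")
    if not server_side and not ctx.check_hostname:
        problems.append("hostname verification disabled")
    return problems


def weakened_context() -> ssl.SSLContext:
    """The common 'make the error go away' misconfiguration: encrypted, but to anyone who answers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect_to_hub(host: str, port: int, ctx: ssl.SSLContext, timeout: float = 5.0) -> ssl.SSLSocket:
    """Dials the hub and completes the handshake; raises ssl.SSLError if verification fails."""
    problems = policy_violations(ctx)
    if problems:
        raise ValueError("refusing to use a weakened TLS context: " + "; ".join(problems))
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("hardened client:", policy_violations(device_client_context()) or "ok")
    print("weakened client:", policy_violations(weakened_context()))
```

Pinning a private CA with `load_verify_locations` is what turns "encrypted" into "encrypted to our hub": with only the public trust store, any certificate a public CA would issue for a look-alike name is accepted. On the hub side, `CERT_REQUIRED` is what makes the certificate a device identity rather than an optional extra; hub code should then read the verified certificate's subject to decide which device it is talking to, rather than trusting anything in the payload.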
Building a secure, reliable network is a key foundation of all Industry 4.0 solutions and should not be overlooked.
Read the next part of the guide: Part 2 – Connecting Devices Throughout Your Factory