Network security for APC implementation (PKS Experion)

B. E Duto

We are going to implement APC through OPC in the plant; there is hot discussion between the DCS group and the APC group about the network implications. The DCS group insisted on putting the APC inside the DMZ, while the APC group said it should be outside the DMZ and inside the control domain.

The reason is the possible virus attack, since sometimes during APC model updates and modification someone might use USB memory in the APC server. Of course we could put an end to this use, but to put off the hot discussion we need a very solid reason.

Looking at the Honeywell PKS Experion document, there is layer 3, named advanced control network. Is it the place for this APC application?

The Honeywell PKS document also mentions layer 3.5 (DMZ), named Advanced Enterprise application. Could it be the place?

We are trying to put in many protections, including a firewall and DMZ, and also antivirus on the control side as well as in the DMZ.

Has anyone had such experience before?

Thank you in advance
 
Andrey Romanenko

Hello,

First of all, I would suggest trying to eliminate or at least mitigate the risk of someone bringing a virus on a pen disk. It does not really matter whether the APC server is on the control network or in a DMZ. Since you are implementing APC, it means this control approach makes economic sense at your site and not using it (because of a disruption caused by a virus or else) should have a negative economic impact.

Regarding the networking, if the APC server is located in the control network, it is more likely that the DCS part might get infected. However, do not forget that to be able to use OPC DA in different networks and across a firewall, you will likely have to open up DCOM or use OPC tunneling products. In the former case, you make it easier for viruses to spread.

We have a nonlinear MPC system that runs under Linux and so Windows viruses stand no chance there. In order to address the OPC problem, we can configure it to use a different communication protocol, such as Modbus TCP. Please contact me if you need further information or help. Thank you.

Best Regards,
Andrey Romanenko
andrey(at)ciengis.com
Ciengis - Advanced Process Control and Optimization
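
An added example, not part of any post in this thread and not Honeywell or Ciengis code: a small audit of constructed firewall rule sets for an APC server in the DMZ reaching an OPC server on the control network, comparing how many TCP ports each approach mentioned above (opened DCOM, an OPC tunnel, Modbus TCP) leaves reachable. The zone names, the tunnel port and the `WIDE_RANGE` threshold are assumptions; 135, 49152-65535 and 502 are the standard RPC endpoint mapper, default Windows dynamic RPC range and Modbus TCP ports.

```python
from dataclasses import dataclass

RPC_ENDPOINT_MAPPER = 135  # TCP port every DCOM connection starts on
WIDE_RANGE = 100           # assumption: flag any rule opening more ports than this

@dataclass(frozen=True)
class Rule:
    src: str   # source zone (zone names are hypothetical)
    dst: str   # destination zone
    lo: int    # first allowed TCP port
    hi: int    # last allowed TCP port
    note: str = ""

# Constructed rule sets for an APC server in the DMZ talking to an OPC server
# on the control network.
DCOM_OPEN = [
    Rule("dmz", "control", 135, 135, "RPC endpoint mapper"),
    Rule("dmz", "control", 49152, 65535, "default Windows dynamic RPC range"),
]
TUNNEL = [Rule("dmz", "control", 5000, 5000, "OPC tunnel (placeholder port)")]
MODBUS = [Rule("dmz", "control", 502, 502, "Modbus TCP")]

def exposed_ports(rules, src="dmz", dst="control"):
    """Number of distinct TCP ports on dst that src is allowed to reach."""
    ports = set()
    for r in rules:
        if (r.src, r.dst) == (src, dst):
            ports.update(range(r.lo, r.hi + 1))
    return len(ports)

def audit(rules, src="dmz", dst="control"):
    """Return (finding, rule) pairs for rules that widen the conduit."""
    findings = []
    for r in rules:
        if (r.src, r.dst) != (src, dst):
            continue
        if r.lo <= RPC_ENDPOINT_MAPPER <= r.hi:
            findings.append(("rpc-endpoint-mapper", r))
        if r.hi - r.lo + 1 > WIDE_RANGE:
            findings.append(("wide-port-range", r))
    return findings

if __name__ == "__main__":
    for name, rules in [("DCOM", DCOM_OPEN), ("tunnel", TUNNEL), ("Modbus", MODBUS)]:
        print(f"{name}: {exposed_ports(rules)} port(s) reachable from the DMZ")
        for finding, rule in audit(rules):
            print(f"  {finding}: {rule.lo}-{rule.hi} ({rule.note})")
```

Restricting the DCOM dynamic range on the OPC server and mirroring that narrower range in the firewall rule shrinks the first figure accordingly.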
 
Put the APC in the DMZ of your firewall. The reason is perfect isolation.

For the OPC connectivity across the firewall, Honeywell has well-tested guidelines and procedures regarding firewall configurations.

I think you can trust Honeywell and go ahead as they say.

For the sake of information, which APC are you implementing?

Good luck!
 