The risks and benefits of Combining Control and Business LANs


Thread Starter

Robert Antonishen

I am trying to get some feedback from other Control System users/providers. What is your opinion on interconnecting or not interconnecting Control System LANs with Business LANs? From a control point of view I personally would like to see them physically separated for security of the Control System, with routers/firewalls to connect to the business LAN for Database/SQL type applications. Does anyone have experience with combining the two? Either using the same physical network with different protocols, domains and/or sub-nets?
On a similar note, what about having business applications on the same workstation as the HMI software for the Control System? Is it reasonable to claim two separate boxes are required and that business software should not co-exist on the HMI box?
Thanks in advance for any comments.

Robert Antonishen
P&C Engineer/Specialist
Project Management Division
Ontario Power Generation Inc.

Bob Dannenfelser

Ethernet LANs as Factory Floor Networks are growing rapidly and many (most) people I speak with believe it will take over (if not already there) as the Network-of-Choice. BUT...there is the assumption that ONLY automation equipment is using that network for exchange of manufacturing/production data. Start putting the joke-of-the-day, company newsletters, etc. on that same network and your production efficiency will quickly become the joke of the day! Keep those networks separate, but connected, so that production data can be exchanged with IS people and equipment.
Regarding having business apps on the same PC as the HMI, my feeling is, on the HMI SERVER: NO, never; if you talk about an HMI CLIENT: maybe, depending on the interaction required from the HMI user on that node. But any PC that is acting as the CONTROL window into my process should not be cluttered up with anything else.
That is my humble opinion!
Bob Dannenfelser
Advent Electric

Mike Boudreaux

This is a good topic. I have been going back and forth with the IT people in my organization on this one. I would like to see the business LAN separated from the control system LAN by a router. A router is supposed to keep broadcast traffic on the plant network from flooding the process network hub, and can also be configured to block specific network protocols and source and destination addresses, as a means of security. I have not had any luck convincing my network administrators that this is necessary.
I have several Intellution FIX nodes connected to our DCS through a network interface. The Ethernet network is connected directly to our plant LAN, and I haven’t had any problems as a result of this. We don’t use sub-nets, and the FIX machines are part of our regular domain for printer sharing and security. No ill effects have resulted from this configuration, and it has made NetDDE and other connections easier to set up.
As for your question about business applications - the HMI machines should only have applications installed on them that are recommended (and tested) by the control software vendor. Doing otherwise may be possible, but can also get you into trouble because of conflicts. I would not recommend mixing the two on the same machine unless you have a spare box to test it out on first.
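The router/firewall placement asked about in the opening post, and the address- and protocol-level blocking Mike describes, are easy to reason about with a small model. What follows is an added example written for this page, not code from the thread or from any poster: a toy first-match, default-deny policy for a router sitting between a business LAN, a control LAN and a small DMZ that holds the SQL/historian replica. All subnets, hosts, ports and sample flows are hypothetical and constructed for the example. It shows three things a real router or firewall in that position does: it does not forward broadcasts, it never sees traffic that stays inside one subnet, and it drops anything not explicitly permitted.

```python
"""Toy model of a router/firewall between a business LAN, a control LAN and
a DMZ.  Added example, not code from the thread; addressing is hypothetical."""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import NamedTuple, Optional

# Hypothetical addressing for the example (assumption, not from the thread).
BUSINESS = ip_network("10.1.0.0/16")    # office/business LAN
CONTROL = ip_network("10.20.0.0/24")    # control system LAN (HMI nodes, DCS gateway)
DMZ = ip_network("10.30.0.0/28")        # small DMZ holding the SQL/historian replica
HISTORIAN = ip_network("10.30.0.10/32") # the one DMZ host business apps may query
ZONES = (BUSINESS, CONTROL, DMZ)


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port, None for icmp


class Rule(NamedTuple):
    name: str
    action: str                  # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in self.src
                and ip_address(f.dst) in self.dst
                and self.proto in (None, f.proto)
                and self.dport in (None, f.dport))


# First-match rule table.  Only the SQL replica in the DMZ is reachable from
# the business LAN; nothing from the business LAN or the DMZ may initiate
# into the control LAN.  Everything not listed falls through to default deny.
RULES = [
    Rule("biz->historian-sql", "allow", BUSINESS, HISTORIAN, "tcp", 1433),
    Rule("ctl->historian-sql", "allow", CONTROL, HISTORIAN, "tcp", 1433),
    Rule("biz->control-any", "deny", BUSINESS, CONTROL),
    Rule("dmz->control-any", "deny", DMZ, CONTROL),
]


def zone_of(addr: str) -> Optional[IPv4Network]:
    """Return the zone a host belongs to, or None if it is in no known subnet."""
    a = ip_address(addr)
    for net in ZONES:
        if a in net:
            return net
    return None


def is_broadcast(addr: str) -> bool:
    """Limited broadcast or the directed broadcast of any known zone."""
    a = ip_address(addr)
    return a == ip_address("255.255.255.255") or any(a == z.broadcast_address for z in ZONES)


def evaluate(f: Flow) -> tuple:
    """Return (verdict, reason) for the initiating packet of a flow.

    Verdicts: "allow", "deny", or "local" for traffic the router never sees
    because source and destination share a subnet.
    """
    if is_broadcast(f.dst):
        return ("deny", "broadcast-not-forwarded")   # routers stop broadcast domains
    src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
    if src_zone is None or dst_zone is None:
        return ("deny", "unknown-zone")               # spoofed or unrouted address
    if src_zone == dst_zone:
        return ("local", "same-subnet-not-routed")    # switched, never reaches the router
    for rule in RULES:
        if rule.matches(f):
            return (rule.action, rule.name)
    return ("deny", "default-deny")


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("10.1.5.20", "10.30.0.10", "tcp", 1433),   # office SQL client -> DMZ replica
    Flow("10.1.5.20", "10.20.0.5", "tcp", 1433),    # office client straight at a DCS node
    Flow("10.1.5.20", "10.20.0.255", "udp", 137),   # NetBIOS name query to control broadcast
    Flow("10.1.5.20", "10.30.0.10", "tcp", 445),    # SMB to the replica: not in the table
    Flow("10.20.0.5", "10.20.0.7", "tcp", 502),     # HMI to PLC on the control LAN itself
    Flow("10.20.0.5", "10.30.0.10", "tcp", 1433),   # HMI pushing data to the replica
    Flow("10.20.0.5", "10.1.5.20", "tcp", 80),      # control node browsing the office LAN
]


def run_samples() -> list:
    """Evaluate every constructed sample flow; used by the demo and the test."""
    return [(f, *evaluate(f)) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for f, verdict, reason in run_samples():
        print(f"{f.src:>12} -> {f.dst:<14} {f.proto}/{f.dport!s:<5} {verdict:<5} ({reason})")
```

Two caveats a practitioner would add before copying this layout onto real equipment. The model judges only the initiating direction; a real firewall needs stateful handling so that replies to the allowed SQL sessions get back, without opening the reverse direction for new connections. And name, file and NetDDE-style sharing that rides on NetBIOS/SMB is simply absent from the table, so it is dropped by default; if such sharing across the boundary is wanted, it has to be an explicit, narrowly scoped allow rule, which is exactly the decision the separation forces you to make.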

Anthony Kerstens

Security is a problem. Especially when all one has to do is download a password utility from one of the many hacker sites.
The other problem is traffic. With business networks, especially with network based internet access, fax and printer services, traffic is barely predictable. This is not desirable for control systems.
As for the co-existence of business software with HMI’s, this has a major problem: DLL versions. Apps such as word processors may be compiled with newer versions of C++ or VB and install newer DLL’s into the system that might cause problems for lesser up-to-date HMI’s.
Anthony Kerstens P.Eng.

Here are some of the problems I have run into regarding connecting factory LANs to office LANs.

Our company has the policy that anything attached to the "network" has to conform to a certain set of standards that were developed with Lotus Notes, Microsoft Office product, and other business software users in mind.

In no instance has anyone at corporate IT even considered that such a thing as a plant automation LAN exists, therefore, the policies developed simply frustrate the attempt to connect to the office LAN to the point that we find it impossible to carry out at this time.

Some of the policies we have for connection to the office LAN are as follows:

1. All computers must be on a 3 year lease.
2. All computers must be running the currently sanctioned operating system and network software. This can and has changed frequently.

As a Control Engineer, I am responsible for the control equipment that enables us to manufacture our end product. I have had much trouble in the past when using different versions of the same HMI software, much less changing operating systems and/or machines when the lease runs out.

My time is much more valuable to the company when used to install new equipment to enable us to manufacture new products, and to make existing processes better.

I'm sure many companies have similar policies, and as such, there are many obstacles to overcome until IT departments realize that there is a world outside the server room, and that that world is much different from the one they know or are comfortable in.