Sharing data in the unified enterprise
December 2012, IT in Manufacturing

Ideally, manufacturing and mining enterprises are unified entities with business goals and priorities, which can only be realised through the efficiency and performance of their operational or wealth-creating processes. History bears ample witness to the foolishness of trying to divorce business from operational systems. So, when it comes to sharing information, it is clear that transparency is the key.

But transparency is vulnerable to risks and threats from both inside and outside the enterprise, which makes the provision of information to those who need it more challenging than ever – especially when considering the different needs of process control and enterprise networks.

Deon van Aardt, MD Invensys Wonderware Southern Africa.

Control system industry LAN security recommendations

The best practice recommendation for an industrial control system (ICS) is to separate the process control from the enterprise network, mainly because the nature of traffic on these two is different:

* Internet access, FTP, e-mail and remote access will typically be permitted on the enterprise network but not on the process control network.

* Rigorous change control procedures for network equipment, configuration and software changes may not be in place on the enterprise network.

* If process control network traffic is carried on the enterprise network, it could be intercepted. By having separate networks, security and performance problems on the enterprise network should not be able to affect the process control network.

However, practical considerations often mean that a connection is required between the networks. This connection is a significant security risk and careful consideration should be given to its design.

If the networks must be connected, it is strongly recommended that only a single connection is allowed and that the connection be made through a firewall, or better yet, an intrusion prevention system (IPS) appliance. It is also important to establish a demilitarised zone (DMZ) for any data warehouse or data warehouse proxy (recommended for a very secure configuration).

A DMZ is a separate network segment that connects directly to the firewall. Servers containing data from the process control system, which need to be accessed from the enterprise network, are placed on this network segment. Only these systems should be accessible from the enterprise network. With any external connections, the minimum access should be permitted through the firewall. Only the ports required for specific communication should be opened to the external environment.

Network firewalls

These are devices or systems that control the flow of traffic between networks employing differing security approaches. In most modern applications, firewalls and firewall environments are discussed in the context of Internet connectivity and the TCP/IP protocol suite.

Firewalls can be applied to network environments that have nothing to do with Internet connectivity. For example, many corporate enterprise networks use firewalls to restrict connectivity to and from internal networks servicing more sensitive functions such as those found in the accounting or personnel departments.

In an ICS environment, firewalls are most often deployed between the ICS domain and the corporate LAN. Properly configured, they can greatly restrict undesired access to and from control system host computers and controllers, thereby improving security. They can also potentially improve a control system’s responsiveness by removing non-essential traffic from the network.

Once the firewall is in place, the next problem is determining exactly what traffic should be allowed. Configuring the firewall to deny all except for pinholes absolutely required for business is every company’s basic premise, but the reality is much more complex. Exactly what does ‘absolutely required for business’ mean and what are the security consequences of allowing those pinholes?

DMZ network

Implementing an intermediate DMZ network is an acceptable approach to enabling communications between a process control network and a business domain network. The DMZ should be connected to the firewall so that specific (restricted) communication can take place only between the enterprise network and the DMZ and between the process control network and the DMZ so that the enterprise and process networks cannot communicate directly with one another. Data warehouse proxies are usually placed in this environment.
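The three-zone layout described above (enterprise network, DMZ, process control network, with a single firewall that denies everything except the pinholes absolutely required for business) can be written down as an explicit allow-list and checked mechanically. The Python below is an added example and is not code from the article or from any Invensys/Wonderware product: it models the zones, evaluates candidate flows against a deny-by-default policy, checks that every pinhole terminates in the DMZ (so that the enterprise and process networks never talk directly), and renders the result as an nftables forward chain. The zone address ranges, interface names, DMZ hosts, ports and the nftables rendering are all constructed assumptions for illustration.

```python
"""Deny-by-default enterprise / DMZ / process-control firewall policy model.

Added example, not from the article. All addresses, interface names, hosts,
ports and purposes below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones behind a single firewall (the one point of ingress/egress).
ZONES = {
    "enterprise": ip_network("10.1.0.0/16"),
    "dmz": ip_network("10.2.0.0/24"),
    "pcn": ip_network("192.168.10.0/24"),   # process control network
}

# Constructed firewall interface names, one per zone.
IFACES = {"enterprise": "ent0", "dmz": "dmz0", "pcn": "pcn0"}


@dataclass(frozen=True)
class Pinhole:
    """One explicitly permitted flow: a single DMZ host, one protocol, one port."""
    src_zone: str
    dst_zone: str
    dst_host: str      # a single server in dst_zone, never a whole zone
    proto: str         # "tcp" or "udp"
    dport: int
    purpose: str       # the business reason the pinhole exists


# Only flows that terminate in the DMZ are listed. Enterprise <-> PCN is never
# listed, so the default-deny policy blocks it without a separate rule.
PINHOLES = [
    Pinhole("enterprise", "dmz", "10.2.0.10", "tcp", 1433, "reporting clients query historian replica"),
    Pinhole("pcn", "dmz", "10.2.0.10", "tcp", 1433, "historian pushes data to DMZ replica"),
    Pinhole("pcn", "dmz", "10.2.0.20", "udp", 123, "time sync from DMZ NTP server"),
]


def zone_of(addr):
    """Return the zone name containing addr, or None if it is in no zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(src, dst, proto, dport, pinholes=PINHOLES):
    """Return (verdict, reason). Anything not matched by a pinhole is denied."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return ("deny", "address outside any known zone")
    if sz == dz:
        return ("n/a", "intra-zone traffic does not cross the firewall")
    for p in pinholes:
        if (p.src_zone, p.dst_zone, p.proto, p.dport) == (sz, dz, proto, dport) \
                and ip_address(dst) == ip_address(p.dst_host):
            return ("allow", p.purpose)
    return ("deny", f"no pinhole for {sz}->{dz} {proto}/{dport}")


def validate_policy(pinholes=PINHOLES):
    """Structural checks on the allow-list; returns a list of problems (empty = ok).

    Every pinhole must have the DMZ on one end, and each dst_host must really
    sit in the zone the pinhole claims, so a typo cannot open a direct path.
    """
    problems = []
    for p in pinholes:
        if "dmz" not in (p.src_zone, p.dst_zone):
            problems.append(f"{p.purpose}: does not terminate in the DMZ")
        if zone_of(p.dst_host) != p.dst_zone:
            problems.append(f"{p.purpose}: host {p.dst_host} is not in zone {p.dst_zone}")
    return problems


def render_nftables(pinholes=PINHOLES):
    """Render the pinholes as an nftables forward chain with 'policy drop'."""
    lines = [
        "table inet ics_fw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for p in pinholes:
        lines.append(
            f'    iifname "{IFACES[p.src_zone]}" oifname "{IFACES[p.dst_zone]}" '
            f'ip daddr {p.dst_host} {p.proto} dport {p.dport} accept comment "{p.purpose}"'
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for flow in [("10.1.5.5", "10.2.0.10", "tcp", 1433),     # enterprise -> DMZ historian
                 ("10.1.5.5", "192.168.10.7", "tcp", 502),   # enterprise -> PCN directly
                 ("192.168.10.7", "10.2.0.10", "tcp", 1433)]:  # PCN -> DMZ historian
        print(flow, "->", evaluate(*flow))
    print("policy problems:", validate_policy() or "none")
    print(render_nftables())
```

Running the module shows the enterprise-to-DMZ and PCN-to-DMZ flows allowed for exactly the listed port and host, and any enterprise-to-PCN flow denied with no rule needed for it; `validate_policy` is the check to run before each firewall change so that a pinhole bypassing the DMZ is rejected at review time rather than discovered in production.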

Defining the secure process control environment

Looking at what the control system is (what it does, what its intrinsic value is and what its requirements are), we can easily see that traditional IT security techniques imposed on the system impede operability and functionality. The cumulative effect is that continual problems arise in keeping the control system running reliably.

Standard IT security techniques and strategies are not only minimally effective, but can be reckless and dangerous when applied to control systems. This is because IT practitioners tend to apply the same standard techniques and strategies, unmodified, in the production environment.

The machine functionality between a standard IT business network and a control system network is virtually 180° in opposition. Elements of the two network types look virtually identical, (machine hardware also looks identical when viewing from a high level), but that is where the similarity ends.

The functionality and operation between the two network types are different and not directly or desirably compatible without appropriate security and/or proxy interfaces.

When implementing security for the control system environment, the following should be determined:

* What the total environment accomplishes.

* How it accomplishes the tasks it is assigned.

* What might be done to protect the system while assisting or improving system and process efficiency.

Defining the layered security model

Industry guidance and policies state that machines have to be buried in layers of security, and this statement is essentially correct. However, implementing traditional security guidance policies in a control system environment is difficult and ultimately counterproductive.

Current industry guidance shows several areas of high security with lessened security requirements in areas where security might break the functionality of the system. This guidance is highly fragmented and completely discounts the operation of the process control or scada system functionality in favour of a belief about what might be secure.

Additionally, there is one outstanding problem with this approach that makes it almost completely and uniformly undesirable: control system networks are seldom laid out so neatly. Normally, parts of a control system may reside in a remote location across a sub-domain, an unsecured WAN or an Internet connection, which leaves them more vulnerable to attack and infection.

Therefore, a systemic approach should be used when reviewing process control networks and scada system environments. The ArchestrA secure architecture reference recommends layered security through multiple firewalls to multiple functional blocks as required. We can no longer look at individual machines needing a particular security profile without it affecting the entire enterprise. To accomplish adding security to such an environment, it is necessary to apply security as experts recommend, but with an additional requirement: only one point of ingress/egress to/from the control system.


Information is an enterprise-wide necessity which follows natural tiers of granularity. And so it makes sense to separate the real-time world of the production floor from the transactional environment of business processes because they each have their own and very different network and access needs. Today, we know a great deal about the structuring of firewalls and DMZs in such a way as to provide effective security while allowing the unimpeded flow of bidirectional information for effective decision support at all levels of the organisation.

For more information contact Jaco Markwat, Invensys Operations Management, +27 (0)11 607 8100.

Supplied By: IS³ - Industry Software, Solutions & Support
Tel: +27 11 607 8100
Fax: +27 11 607 8478


Technews Publishing (Pty) Ltd
Copyright © Technews Publishing (Pty) Ltd. All rights reserved.