
Cyber Security in process automation

It had always been the case that process automation systems were not allowed to go online. This was secure, and because the process automation system was there to control the process, there was no need for it to go online. But the current way of doing business is changing this concept more and more. A modern plant manager wants to be able to see some key metrics on his phone wherever he goes. And so begins a quest for cyber security and for ways to make data available, but only to the people you want to have it.

The internal network theory

It is very easy to configure a site-local WLAN that spans the site premises and therefore does not allow users to use the data connection outside of their working area. This is quite secure because you know there is no direct connection to the internet, and therefore you are not at risk. People who would like to use the easy access to the process automation system have to be on site, and only when they have come through those physical barriers are they able to connect digitally.

But this is often not the way people would like to consume this service. Once employees have access to the data they need on their smartphone, at work and in meetings, within a couple of months the question will come up: why can we not see the data from anywhere? And this is often where the problems start. Now we will have to either ignore the people asking for the data, or give them access through the internet.

The internet connection

So in today’s world we cannot stop the internet connection to the process control system. Even service engineers need these connections to offer remote support, and people want to see key metrics from home, which means that an internet connection is no longer a nice-to-have. But how do we secure these dangerous connections to our data and production environment?

It is easy enough to just install a firewall and make all the requests go through this firewall. As a first step in considering how and where to connect the internet to a process control system, a firewall is not optional. But which firewall do we select? And can we just plug it in to the engineering system? The simple answer is: do not just plug it in. Think about the layout of your network, and optimize the network for an internet connection first. We will show you how.

HPE MSR 936W Router/Firewall

HPE MSR 3012 Router/Firewall

Preparing the network

To make sure the data and operation of the system are secure, the main process control system network and the internet should not be connected. It is always a good idea to separate the control system and the access layer through a data representation computer system and a network access server. This would mean that the process control system gives access to a central computer that can read the data and represent it. This computer would be in a separate network, or VLAN, together with a network access computer. The network access computer is the computer that all users coming in through the internet have to log in to.

When you set up a firewall with a VPN connection that terminates at a central network access server, you can feel really secure. Even if someone were to break into the network from the internet, they would be restricted by the VLAN to the two PCs that can only show data. This way no data can be stolen or corrupted.

So the system is safe and secure, and if someone tries to ransom your data, you can remove the virtual access server and restore the backup. This makes sure you will be back online in a couple of minutes without the risk of losing data. Because the data is physically on a server in a network that is not accessible to the remote user, it cannot be ransomed, changed or corrupted.
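The layout above only holds if the firewall rule set really restricts traffic to those few flows. The following is an added example, not part of the original article or any iAUTOMATION tooling: a small audit that flags permit rules opening a path outside the described design. All addresses, zone names and the rule format are constructed assumptions, and the check ignores rule ordering, so it reports every permit that could open a forbidden flow.

```python
import ipaddress as ip

# Constructed zones for the layout described above (all addresses are assumptions).
ZONES = {
    "vpn_clients":   ip.ip_network("10.99.0.0/24"),   # remote users after VPN login
    "access_server": ip.ip_network("10.20.0.10/32"),  # network access server (access VLAN)
    "data_server":   ip.ip_network("10.20.0.20/32"),  # data representation computer (access VLAN)
    "pcs":           ip.ip_network("10.10.0.0/16"),   # process control system network
}

# Zone-to-zone flows the design allows; every other flow should be denied.
ALLOWED = {
    ("vpn_clients", "access_server"),   # remote users log in to the access server
    ("access_server", "data_server"),   # access server views the represented data
    ("pcs", "data_server"),             # assumption: the control system hands data over
}

def zones_for(cidr):
    """Names of all zones a rule address range touches, plus 'outside' for the rest."""
    net = ip.ip_network(cidr)
    names = [name for name, zone in ZONES.items() if net.overlaps(zone)]
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        names.append("outside")         # range also covers addresses in no known zone
    return names

def audit(rules):
    """Return (rule_index, src_zone, dst_zone) for each permit outside ALLOWED."""
    findings = []
    for index, (action, src, dst) in enumerate(rules):
        if action != "permit":
            continue
        for s in zones_for(src):
            for d in zones_for(dst):
                if s != d and (s, d) not in ALLOWED:
                    findings.append((index, s, d))
    return findings

# Constructed sample rule set: (action, source CIDR, destination CIDR).
SAMPLE_RULES = [
    ("permit", "10.99.0.0/24", "10.20.0.10/32"),
    ("permit", "10.20.0.10/32", "10.20.0.20/32"),
    ("permit", "10.10.0.0/16", "10.20.0.20/32"),
    ("permit", "10.99.0.0/24", "10.10.5.0/24"),   # shortcut from VPN straight into the PCS
    ("deny",   "0.0.0.0/0",    "0.0.0.0/0"),
]

if __name__ == "__main__":
    for index, s, d in audit(SAMPLE_RULES):
        print(f"rule {index}: permits {s} -> {d}, which the design does not allow")
```

Running it on the sample flags rule 3, the kind of "temporary" remote-support shortcut that quietly removes the separation between the access VLAN and the control network.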


iAUTOMATION is an automation specialist that focuses on industrial automation, ICT and the links between these two fields. With many years of experience in the industrial automation and ICT world, iAUTOMATION is a mature partner you can rely on.

iAUTOMATION delivers complete projects for the industrial automation world, with a specialty in PCS 7 consultancy and engineering. We are also familiar with other systems, which iAUTOMATION can implement as well.

With knowledge of virtualization, networks, domains and ICT management, iAUTOMATION is also a very suitable partner for all your ICT questions and projects. We will always support you in your projects with great enthusiasm and knowledge, and we try to take the burden off our customers by approaching your project proactively and positively.

    About the author

    Dennis is Technical Director at iAUTOMATION, where he is responsible for all the technical queries and technical solutions that iAUTOMATION provides. Dennis also helps customers and the iAUTOMATION consultants with the technical side of projects and designs. Dennis has a lot of experience with process control systems and IT infrastructure, which is why his experience is key in projects that include both these areas of expertise, like MES, virtualization and process automation projects.
