When Florence, Ariz., upgraded the SCADA system for its water-distribution operations, system integrator Ripple Industries helped it replace some wireless links with in-ground cabling, gathered all its I/Os onto their own Ethernet network with managed switches, and used separate NICs where possible. Source: Town of Florence

Security isn’t a side dish

Feb. 20, 2025
System integrator Ripple Industries shows how it revamped the SCADA system for water-distribution in Florence, Ariz.

Even though many wireless standards like Wi-Fi’s IEEE 802.11 have built-in security and encryption, the growing number of other wireless methods mixed in alongside them can bring more risk and concern, especially as antennas and access points move into closer proximity with one another and with potential intruders. Fortunately, more useful protections are also emerging, and applying them logically gives users their best chance of staying safe.

For instance, when Florence, Ariz., decided to upgrade the SCADA system for its water-distribution operations in 2023-24, it chose to deploy Apple’s industrial-grade servers because they’re reportedly less vulnerable. This residential water district sources mainly from a series of 350- to 800-foot deep wells, and its managers understandably wanted to isolate and protect the network monitoring and managing them. They also planned to use Inductive Automation’s web-based SCADA software on their new servers, and wanted to add a heavy-duty, wireless, microwave-backhaul network.


Florence enlisted local system integrator Ripple Industries to assist with the upgrade because it previously helped the district revamp its wastewater plant’s radios and Allen-Bradley SLC 5/05 PLCs. This facility’s headworks and filtering area consists of three sequential batch reactors (SBR) and one digester, which treat about 2 million gallons of water per day, and rely on 2,000-2,500 I/O points controlled by 10 PLCs. The plant’s aerobic and anaerobic digesters, clarification tanks, sludge disinfection and drying and effluent-decanting systems use additional PLCs.

“Florence may be a small town, but size doesn’t matter when it comes to being vulnerable to cyber-intrusions and incidents. Plus, it’s growing quickly, and wanted to secure its networks against the types of attacks we’ve all seen in the media,” says Jeromy Peterson, president and owner of Ripple, an end-to-end system integrator, also in Florence, and a member of the Control System Integrators Association (CSIA). “Many of the town’s water/wastewater networks and I/O were already isolated, but it also replaced some wireless links with in-ground cabling, gathered all its I/Os onto their own Ethernet network with managed switches, and used separate network interface cards (NIC) where possible.”

NICs help secure the I/Os

To further manage its segregated I/Os, Florence’s water-distribution network was also expanded with Rockwell Automation’s CompactLogix PLCs and 1768 ENBT network modules, so the I/Os never have to touch or interact directly with any external networks. In this case, CompactLogix is used as a communications backplane, which still lets Ethernet-based I/Os talk to a PLC, but makes sure they address only the controller for which they’re intended.

“By nature and design, Ethernet-based I/O is universally accessible. While this is incredibly convenient, it can also increase security risks—especially given that unsecured network applications are common. At Florence, we mitigated these risks by isolating all I/O networks with 1768 networking modules,” explains Peterson.

“Over time, communication protocols steadily evolved toward faster and more open data structures, such as the shift from RS232 to Data Highway Plus. When Ethernet arrived in the controls world, it was revolutionary—you could plug in anywhere and access any device on the network. One way to reduce the associated risks is to separate and isolate networks across the ControlLogix backplanes. While this isn’t a silver bullet for security, it does add another layer of protection. It’s not the same as whitelisting or using a data diode strategy, but it serves as an important first step.”


Likewise, Peterson reports the water utility also maintains secure, remote access to its operations via separate NICs installed in PCs that sit on the other side of the firewall from its servers. This prevents the SCADA system running Ignition from ever connecting to the business network, and gives external PCs and users remote data only through an authorized link. The first firewall in this system is a software-based one that protects the server in its interactions with the remote PC, while the remote PC uses a hardware firewall for protection from the rest of the world. This lets users regulate traffic between the server and the remote PC, and between the PC and the larger, mainstream Internet.

“In this situation, the remote PC functions like a managed Ethernet switch, which could be hacked and attacked, but the firewall between it and the server is the protection point,” adds Peterson. “This is an old-school method that can eliminate a lot of convenience. However, if a firewall is the only protection, then an unauthorized smart phone might be able to access the VPN and log on, so users must still fight to keep their firewalls secure. We want to say that only this authorized list of users can access the remote PC, and say that only this PC can use this particular network to work with the servers. We could get rid of this remote PC, and let users go right to the servers, which would allow more, new capabilities. However, we only need a few, basic functions, and we only want to grant limited access for the one or two operators that need it.”
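The two-layer remote-access design described above, traced as a small allowlist policy so the defense-in-depth effect is visible. This is an added example, not the town's or Ripple's configuration; the addresses, the VPN pool, the remote-desktop port (3389) on the remote PC and the Ignition gateway port (8088) are assumptions for illustration.

```python
"""Model of the Florence-style remote-access path: a hardware firewall in
front of a dual-NIC remote PC, and a software (host) firewall on the SCADA
server that only answers that PC. All addresses below are constructed."""
import ipaddress
from dataclasses import dataclass

VPN_POOL = ipaddress.ip_network("10.8.0.0/24")          # assumed VPN address pool
AUTHORIZED_OPERATORS = {ipaddress.ip_address("10.8.0.10"),
                        ipaddress.ip_address("10.8.0.11")}  # the "one or two operators"
REMOTE_PC_BUSINESS_NIC = ipaddress.ip_address("10.8.0.2")   # NIC facing the VPN/business side
REMOTE_PC_SCADA_NIC = ipaddress.ip_address("192.168.50.2")  # NIC facing the server network
SCADA_SERVER = ipaddress.ip_address("192.168.50.10")
REMOTE_DESKTOP_PORT = 3389       # assumed: how operators reach the remote PC
IGNITION_GATEWAY_PORT = 8088     # Ignition's default gateway HTTP port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def hardware_firewall(flow: Flow) -> bool:
    """Perimeter rules in front of the remote PC: only listed operators arriving
    from the VPN pool, only to the PC's business-side NIC, only remote desktop."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    return (src in VPN_POOL and src in AUTHORIZED_OPERATORS
            and dst == REMOTE_PC_BUSINESS_NIC and flow.dport == REMOTE_DESKTOP_PORT)


def server_host_firewall(flow: Flow) -> bool:
    """Software firewall on the SCADA server: the only permitted client is the
    remote PC's SCADA-side NIC, and only for the Ignition gateway port."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    return src == REMOTE_PC_SCADA_NIC and dst == SCADA_SERVER and flow.dport == IGNITION_GATEWAY_PORT


def direct_to_server(src_ip: str, dport: int = IGNITION_GATEWAY_PORT) -> bool:
    """Anything that tries the server without going through the remote PC,
    e.g. a host on the business network, is judged by the host firewall alone."""
    return server_host_firewall(Flow(src_ip, str(SCADA_SERVER), dport))


def reaches_scada(operator_ip: str, dport: int = IGNITION_GATEWAY_PORT) -> str:
    """Trace operator -> hardware firewall -> remote PC -> host firewall -> server.
    The remote PC does not route between its NICs, so the second hop always
    originates from its SCADA-side NIC, never from the operator's own address."""
    if not hardware_firewall(Flow(operator_ip, str(REMOTE_PC_BUSINESS_NIC), REMOTE_DESKTOP_PORT)):
        return "blocked at hardware firewall"
    if not server_host_firewall(Flow(str(REMOTE_PC_SCADA_NIC), str(SCADA_SERVER), dport)):
        return "blocked at server host firewall"
    return "allowed"
```

The unauthorized phone on the VPN from Peterson's scenario is the `10.8.0.77` case: it fails the operator allowlist, and even a host that somehow passed the perimeter could only reach the Ignition port, and only from the remote PC's own NIC.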

About the Author

Jim Montague | Executive Editor

Jim Montague is executive editor of Control. 
