Continue to Site

Eng-Tips is the largest engineering community on the Internet

Intelligent Work Forums for Engineering Professionals

  • Congratulations KootK on being selected by the Eng-Tips community for having the most helpful posts in the forums last week. Way to Go!

Using Ethernet hubs in an ATC system 2

Status
Not open for further replies.

Benj107

Mechanical
Apr 13, 2019
15

I have a project where the IT department disallows field-installed Ethernet hubs for communication between devices on the automatic temperature control (ATC) system.

Instead, they insist on a dedicated cable from a switch in a room that is under the control of the IT department to each Ethernet drop for any ATC device.

This is expensive and requires more of the same for future changes in the ATC system.

The problem will worsen as more devices are manufactured to communicate via BACnet/IP.

The IT department already restricts the ATC traffic to a VLAN.

I have to believe network technology in the year 2020 has progressed beyond this antiquated policy that prohibits contractor-installed Ethernet hubs in the ATC system.

If so, it seems to me that the IT “experts” don’t understand their expensive toys and/or they are not willing to put forth the effort needed to prevent hackers from accessing other parts of the network via the VLAN.

Have others encountered and overcome this inflexible and behind-the-times policy when expanding an ATC system?

What hardware and/or training of IT staff is needed to overcome this obstacle to providing flexible, economical ATC systems?
 
Replies continue below

Recommended for you

Seems to me that you are asking for an arbitrary decision yourself. How critical is it to protect this information and to prevent intrusions from outsiders. Every day we learn of a new way people are breaking into wifi systems. A hard connection eliminates a truckload of possible intrusions.

If you must argue this, then you need to prove that the expense of the cabling is higher than the probability of intrusion multiplied by the potential cost of such an intrusion. If such an intrusion results in access to all your intranets, then you've got a hard row to hoe.

Large companies and countries are having difficulty maintaining security around data and networks. Not sure why you think your IT guys are lazy, given that there are people who spend 24/7 working on ways to cripple networks.

TTFN (ta ta for now)
I can do absolutely anything. I'm an expert! faq731-376 forum1529 Entire Forum list
 
so, as a point of reference:


Yes, this is 2020 and these articles were posted TODAY, and the world is a very scary place; I doubt that any individual IT department is going to be able to stop a dedicated and relentless attacker. We're a $5B company and our IT department has locked down everything in sight, and there are still tons of ways of infiltrating our networks.

TTFN (ta ta for now)
I can do absolutely anything. I'm an expert! faq731-376 forum1529 Entire Forum list
 
A system (operating system or network) that is as vulnerable as we hear about on the news has a fundamental flaw in its design. A system that accepts many signals sacrifices security by design.

For as much money as the IT industry has thrown at it and given the number of allegedly smart people working on secure connections between local computers, it is disappointing that people seem so ready to make excuses for those who so often act contrary to their sympathizers' interests.

See:
Forget about legacy support for protocols from 50 years ago. Allow one way in. Watch it carefully. Disable the connection if something unexpected happens.
 
I recommend remedial viewing of "hacker" presentations on these topics as found on, for example, the CCC.de conferences. One need only to watch a few of such ~40m presentations to begin to see the topic in an entirely different light.

It's like having someone that denies the existence of powered flight, and then taking them to an military airshow.

Once you see, you'll understand.

It'll take some digging to find the ones of most interest to you, but worth the effort.

 
Watch it carefully. Disable the connection if something unexpected happens.

You don't know what you don't know. You can limit your interface to RS-232 and see how productive you are. Nevertheless, RS-232 is absurdly secure, since it can only be point to point.

My company moves terabytes of data around their intranet every day; it would be nearly impossible to catch every illicit exfiltration of data and would certainly be impossible to support on RS-232. The only safe system is air-gapped, and even those can be compromised.

TTFN (ta ta for now)
I can do absolutely anything. I'm an expert! faq731-376 forum1529 Entire Forum list
 

I don't want to move terabytes of data. I want one point of connection between an ATC head end and one VLAN that makes connections only to a few controllers from the same manufacture -- with Ethernet hubs that allow those controllers to talk to end devices.

IRstuff made my point: limit what can travel to/from the switch and making a secure connection to the larger network becomes doable.

When enabling a hundred protocols over thousands of ports for a throughput of terabytes, don't be surprised when there are holes to be exploited.

Missing from the quote of my previous post: "Forget about legacy support for protocols from 50 years ago."

Ask Microsoft how easy it is to kill backward-compatibility. In one move, they abandoned support for all the 16-bit software that had been developed over prior decades.

 
I doubt you can even buy a new Ethernet hub in 2020. They stopped making those years ago.
Ethernet hubs are not secure and will broadcast all packets to all connected devices causing lots of network congestion.
An Ethernet switch uses the host's MAC address to send the packets only to the correct devices.
I don't see any major security issues with using field installed network switches. However if one fails then you will lose all devices connected to it and it could be harder for the IT guys to troubleshoot.


abc_rgthhb.png
 
Benj107 said:
If so, it seems to me that the IT “experts” don’t understand their expensive toys and/or they are not willing to put forth the effort needed to prevent hackers from accessing other parts of the network via the VLAN.
Without putting too sharp a point on the stick, it seems to me that installer "experts" incorrectly feel they are experts in IT. It is a near impossibility to guarantee you're not adding another attack vector to the system when placing a WAP (of any sort) onto a LAN. Security research is one of my main fields, and to think what you're asking for is without major risk is naive, at best. Hardwired is safer by orders of magnitude.

Dan - Owner
Footwell%20Animation%20Tiny.gif
 
Some might nitpick at the terminology, but the wanted functionality is available here -- inexpensively:


NETGEAR 5-Port Fast Ethernet 10/100 Unmanaged Switch (FS105NA)
Price: $21.99​

I don't (necessarily) want a wireless connection.

Apologists for IT staffs who don't want to deliver keep moving the goal posts.

If a smart connection to the network through a switch, firewall, and an intervening PC (if necessary) can't communicate to another dedicated device over a virtual network (which is already supposed to be completely separated from all other traffic on the network) without making the supposed IT experts shake in their boots over what might come through the connection, then there is something seriously and fundamentally wrong with the multi-billion dollar IT industry.

IRstuff pegged it in his first response: I think the obstructionists involved in my situation are lazy and/or incompetent. If rebooting won't fix it, they are at a loss for what to do. They do what Microsoft tells them to do.

And notice how good Microsoft is at security. They have institutionalized the expectation that security holes are impossible to plug:
Patch Tuesday is an unofficial term used to refer to when Microsoft regularly releases software patches for its software products. It is widely referred to in this way by the industry. Microsoft formalized Patch Tuesday in October 2003.

... in 2003!

That is 16+ years of admitting defeat -- and/or not trying hard enough to actually fix things -- or creating job security for those who have convinced others that it can't be done.

An entire generation has grown up with the expectation that "it's too hard to do."

In 2020, some of us expect better from the wannabe experts who dictate to us what will and won't be allowed on a "personal" computer -- or over a virtual network ... because security.
 

Thank you, JG2828, for the voice of sanity:

I don't see any major security issues with using field installed network switches.

Far too many people seem to perceive of IT types as exalted wizards who speak ex cathedra when they invoke the S-word. Security is to be valued above motherhood, and anything an IT type says about security is to be believed without question.

Others have found the S-word being used to blow smoke when an IT type wanted to do something else (and easier) instead.
 
Well, you've made up your mind, both on what you think should be allowed as well as the dim view you obviously share about "IT professionals" (however you wish to define that term). Easy to do when you're not the one saying "I told you so" (and having to clean up the major breach afterwards) because clear warnings from those professionals were ignored. Not much else to do here, I'm out...

Dan - Owner
Footwell%20Animation%20Tiny.gif
 
I don't think the original poster is referring to wireless, at least I never seen that mentioned in his original post. I think the IT guys are more worried about having a switch, in an unsecured room, for anyone? to access. However, if someone wants too, they simply unplug the ATC device the cable is plugged into and use it. So, it really doesn't make a lot of sense to me. If they are using managed switches, there is lots you can do to lock down the switch (turn ports off, use MAC address authentication, etc.). If they are using unmanaged switches, that is a different story.
 
We've worked with very expensive famous brand Ethernet switches where the device management and settings were, by design, only available through an old fashioned serial port (only connected when setting up). Once such a switch is safely located in a secure room, the "exposed surface" gets very close to zero. No device Management IP addresses or ports.

Of course, someone can still attack the client device on the factory floor (perhaps with a hijacked bulldozer), but that's not really a concern to the IT department.

Their precautions are perfectly sensible.

It's disappointing that the IT department are unable to explain all this very clearly to those they work with. Clear communication isn't always a strong point in IT, but sometimes it's because of the sheer complexity of their domain. It's like, 'Go away and study Network Security for several years, and then we'll talk.'


 
Whether the connections are in a secured room or on the production floor, the risks are virtually the same...the one cable is always exposed whether the switch is in the locked room or on the floor. If the switch is set-up right, I don't see any more risk, other than more ports available to try to penetrate. Again, if the switch is setup right, there is no more risk. I wouldn't let the contractor install them though. I would want to set them up.
 
A lot of places have gone to the private network (industrial controls) and public network (IT network). IT people do not maintain the private network but is maintained by the maint team for the machines or whatever is in the building. This is very true today since every controls house is basically went to Ethernet devices and for the industrial protocol.

Industrial protocol (private network) in past was devicenet, controlnet, ASI, remote IO, profibus, etc....

If you can convince the IT group on this concept, it might make your life easier.

In past you never had IT demanding to access other industrial protocols. So why would it be different when its the industrial protocol?
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor