What is a Captive Portal?


I’ve written many times about how every industry and every specialty has terms that everyone involved knows but are a mystery to the rest of us. “Au gratin” comes to mind. It’s used in the culinary world to mean sprinkled with breadcrumbs and cheese. They use that term because people like me would rather order chicken au gratin off a menu than chicken sprinkled with breadcrumbs and cheese. Au gratin just sounds tastier.

In automation, there’s a term we haven’t used much in the past, but on today’s everything-connected factory floor it should be used more often. That term is Captive Portal. It’s a term most of us are unfamiliar with, even though we’ve used Captive Portals regularly.

A Captive Portal is simply an interface that requires a user to log in: a web page, displayed in your browser, that a new user sees before being connected to a wired or wireless network. A Captive Portal is commonly used in hotels and fast-food restaurants. Some of you probably remember the early days of public Wi-Fi connectivity, when it was common to have to log in to a Captive Portal and pay for internet service at McDonald’s, Starbucks, and other places. That’s still true today in most hotels. You have to log in to the Captive Portal and provide your room number to have access to the hotel’s Wi-Fi service.

And that’s the purpose of it on the factory floor. A Captive Portal is used when a manufacturer wants to ensure that the users accessing a control network are authorized to access it. It keeps unauthorized users out of the network. Alan the accountant, whose brother-in-law showed him how to write a PLC program, shouldn’t have access to the PLC or the control system.

The question, of course, becomes “Who is authorized?” The vast majority of manufacturing systems use a Microsoft Domain Controller to authenticate users. In some systems, the Captive Portal can be connected to the Domain Controller, and a user can use the same password to access the control system that is used to access the company’s network. In other cases, some security appliances maintain a local database that the Captive Portal uses to authorize user access to the control system.

A local database is particularly important if you are going to let a vendor access the control system. If you control the security appliance, you won’t have to go to IT or anyone else to provide access to your vendor. You can just edit the authorization list to add the vendor and then remove them after the task is completed.

If you are going to do that though, you will also want to know that this outside vendor is doing what you want them to do and nothing else. The vendor tuning up the welding system should have no reason to be accessing the web page for the ABB drive system or accessing the data table of the PLC. To control specifically what that vendor can do, you need not only the Captive Portal, but a Deep Packet Inspection (DPI) engine in that security appliance to prevent access to anything other than the welding controller.
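To make the two ideas above concrete, here is an added illustration (not Dynics code and not a description of how ICS-Defender is implemented) of a local authorization database behind a Captive Portal, with a per-user access policy of the kind a DPI engine would enforce. The account names, host names, client addresses and the "read"/"write"/"http" operation labels are all constructed for the example. The vendor account is given a time-limited login and is allowed to reach only the welding controller; any attempt to reach the drive's web page or the PLC's data table is refused.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Set

# Policy: destination host -> set of operations the user may perform there.
Policy = Dict[str, Set[str]]


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2 so the local database never stores a clear-text password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    policy: Policy                       # what this user may touch once logged in
    expires: Optional[datetime] = None   # None = no expiry (e.g. permanent staff)


class LocalAuthDB:
    """Local user list of the kind a security appliance keeps for vendor accounts."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def add_user(self, username: str, password: str, policy: Policy,
                 valid_for: Optional[timedelta] = None,
                 now: Optional[datetime] = None) -> None:
        salt, digest = hash_password(password)
        start = now or datetime.now()
        expires = start + valid_for if valid_for else None
        self._accounts[username] = Account(username, salt, digest, policy, expires)

    def remove_user(self, username: str) -> None:
        # Removing the vendor when the job is done is as simple as this.
        self._accounts.pop(username, None)

    def authenticate(self, username: str, password: str,
                     now: Optional[datetime] = None) -> Optional[Account]:
        acct = self._accounts.get(username)
        if acct is None:
            return None
        _, digest = hash_password(password, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            return None
        if acct.expires is not None and (now or datetime.now()) >= acct.expires:
            return None  # account has lapsed: treat exactly like a bad password
        return acct


class CaptivePortal:
    """Tracks which client addresses have passed the login page and what they may do."""

    def __init__(self, db: LocalAuthDB) -> None:
        self.db = db
        self.sessions: Dict[str, Account] = {}   # client address -> logged-in account

    def login(self, client: str, username: str, password: str,
              now: Optional[datetime] = None) -> bool:
        acct = self.db.authenticate(username, password, now)
        if acct is None:
            return False
        self.sessions[client] = acct
        return True

    def permit(self, client: str, dest_host: str, operation: str) -> bool:
        """Decision a DPI engine would make for each message from `client`."""
        acct = self.sessions.get(client)
        if acct is None:
            return False   # not logged in: the only page they get is the portal
        return operation in acct.policy.get(dest_host, set())


def demo() -> Dict[str, bool]:
    """Constructed scenario: a welding vendor gets 8 hours of access to one controller."""
    t0 = datetime(2024, 1, 1, 8, 0)
    db = LocalAuthDB()
    db.add_user("vendor_weld", "correct horse", {"welder-01": {"read", "write"}},
                valid_for=timedelta(hours=8), now=t0)
    portal = CaptivePortal(db)
    return {
        "blocked_before_login": not portal.permit("10.0.0.5", "welder-01", "read"),
        "wrong_password_rejected": not portal.login("10.0.0.5", "vendor_weld", "nope", now=t0),
        "login_ok": portal.login("10.0.0.5", "vendor_weld", "correct horse", now=t0),
        "welder_allowed": portal.permit("10.0.0.5", "welder-01", "write"),
        "drive_webpage_blocked": not portal.permit("10.0.0.5", "abb-drive-01", "http"),
        "plc_table_blocked": not portal.permit("10.0.0.5", "plc-01", "read"),
        "expired_login_rejected": not portal.login("10.0.0.6", "vendor_weld", "correct horse",
                                                  now=t0 + timedelta(hours=9)),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAIL'}")
```

The point of the layering is that the login (authentication) and the per-destination policy (authorization) are separate decisions: a valid vendor password gets the vendor past the portal but still buys nothing beyond the hosts and operations on that user's list, and an expiry on the account means forgetting to remove it does not leave the door open.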

ICS-Defender from Dynics is a security appliance with all these features. Unlike a lot of industrial security devices that are simply IT devices marketed for industrial use, the ICS-Defender is built from the ground up to meet the needs of an industrial control network, not a general IT network. ICS-Defender is a cybersecurity appliance built by control engineers for control engineers.

The Dynics ICS-Defender is a multifunctional security appliance for control systems, available with three licenses:

ICS-Defender NAT/RA is the entry-level product providing Network Address Translation, Remote Access using a VPN, and Captive Portal.

ICS-Defender LITE/DPI provides everything in the NAT/RA product plus an EtherNet/IP (CIP) Deep Packet Inspection (DPI) engine to restrict specific CIP messages from accessing EtherNet/IP devices.

ICS-Defender PRO provides everything in the LITE/DPI license plus scheduled access by user, multiple WAN support, NTP, DHCP, DNS, IGMP, application whitelisting, and more.

More information is available by calling 800-249-1612, emailing solutions@rtautomation.com, or by visiting our website.