gateway icon  PRODUCT SELECTOR:

Connect Your:

To:

RTA's Blog

Network Address Translation: What You Don’t Know Can Hurt You!

Posted on by John S Rinaldi
22
Jun

There is little in automation that is used more often and is less difficult to implement than NAT (Network Address Translation). A NAT makes a device in a control network available to applications outside the control network.

NATs are important because many control engineers construct a production system from a number of identical machines with identical Ethernet sub-networks. The device addresses are identical on every subnet. That’s not a problem unless you want to expose data from one of those devices on the main network. In that case, you‘ll need to translate the internal address on the subnet to some other address accessible on the main network.

You can find any number of devices that can do this translation (NAT). You can get a really inexpensive switch that supports NAT, and you can get a big, complicated managed switch that supports NAT. There are an almost infinite number of options, but almost every implementation has one fatal flaw: it’s insecure.

The problem with the vast majority of these devices is that there is no limitation on who can use that external NAT address. On the diagram below, anyone on the company network (BLUE) can access the PLC using address 10.10.5.50. A team member looking for some fun, a rogue employee looking to do some damage, or, in the worst case, an attacker, can easily see that NAT address in network traffic and then use it to do anything they want with your PLC.

In the following diagram, the maintenance application is using 10.10.5.50 to reading values from a ControlLogix PLC using something like RTA’s EtherNet/IP Tag Client. But since messages to 10.10.5.50 are on the network, anyone can detect that address and easily determine it’s a PLC. With that information, anyone on the network can access the PLC and read values, write values, or worse.

NAT blog chart 1

The ICS-Defender NAT/RA solves this problem by providing a secure, single-entry point to a control network for remote (or local) users. With the Defender, you can add firewall rules to control who can access the end device and, with its Deep Packet inspection engine, limit the access they have to what you have authorized.

For more information, contact one of our application engineers at sales@rtautomation.com or call 262-436-9292.

Avatar photo
John S Rinaldi

John Rinaldi is Chief Strategist, Business Development Manager and CEO of Real Time Automation (RTA). After escaping from Marquette University with a degree in Electrical Engineering, John worked in various jobs in the Automation Industry before once again fleeing back into the comfortable halls of academia. At the University of Connecticut, he once again talked his way into a degree, this time in Computer Science (MS CS). John is a recognized expert in industrial networks and the author of six books: Modbus: The Everyman’s Guide to Modbus, OPC UA – Unified Architecture: The Everyman’s Guide to OPC UA, EtherNet/IP: The Everyman’s Guide to EtherNet/IP, The Smart Product Manager’s Guide to Industrial Automation Connectivity, The Smart Product Manager’s Guide to Connectivity in the Packaging Industry, and his latest, The Everyman’s Guide to Properly Architecting Ethernet/IP Networks.