Network Address Translation: What You Don’t Know Can Hurt You!

There is little in automation that is used more often and is less difficult to implement than NAT (Network Address Translation). A NAT makes a device in a control network available to applications outside the control network.

NATs are important because many control engineers construct a production system from a number of identical machines with identical Ethernet sub-networks. The device addresses are identical on every subnet. That’s not a problem unless you want to expose data from one of those devices on the main network. In that case, you’ll need to translate the internal address on the subnet to some other address accessible on the main network.

You can find any number of devices that can do this translation (NAT). You can get a really inexpensive switch that supports NAT, and you can get a big, complicated managed switch that supports NAT. There is an almost infinite number of options, but almost every implementation has one fatal flaw: it’s insecure.

The problem with the vast majority of these devices is that there is no limitation on who can use that external NAT address. In the diagram below, anyone on the company network (BLUE) can access the PLC using address 10.10.5.50. A team member looking for some fun, a rogue employee looking to do some damage, or, in the worst case, an attacker can easily see that NAT address in network traffic and then use it to do anything they want with your PLC.

In the following diagram, the maintenance application is using 10.10.5.50 to read values from a ControlLogix PLC using something like RTA’s EtherNet/IP Tag Client. But since messages to 10.10.5.50 are on the network, anyone can detect that address and easily determine it’s a PLC. With that information, anyone on the network can access the PLC and read values, write values, or worse.

[Diagram: NAT blog chart 1]

The ICS-Defender NAT/RA solves this problem by providing a secure, single entry point to a control network for remote (or local) users. With the Defender, you can add firewall rules to control who can access the end device and, with its Deep Packet Inspection engine, limit the access they have to what you have authorized.
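To make the difference concrete, here is an added Python model of a 1:1 NAT in front of a PLC, first with no source restriction and then with a rule that only admits the maintenance host. It is example code written for this post, not RTA’s code or the ICS-Defender’s configuration; 10.10.5.50 is the NAT address from the post, while the PLC’s internal address 192.168.1.10, the maintenance host 10.10.5.20 and TCP port 44818 (EtherNet/IP explicit messaging) are assumptions.

```python
"""Model of a 1:1 NAT in front of a PLC: unrestricted versus source-filtered.

Constructed example. 10.10.5.50 is the NAT address from the post; the PLC's
internal address 192.168.1.10, the maintenance host 10.10.5.20 and TCP 44818
(EtherNet/IP explicit messaging) are assumptions made for this model."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    source: IPv4Network   # who may use the NAT address
    dport: int            # and for which TCP service

@dataclass
class NatMapping:
    external: IPv4Address
    internal: IPv4Address
    rules: list = field(default_factory=list)  # empty = anyone may use the NAT

    def permits(self, src: IPv4Address, dport: int) -> bool:
        if not self.rules:          # the "fatal flaw": no limit on who may use it
            return True
        return any(src in r.source and dport == r.dport for r in self.rules)

class NatGateway:
    def __init__(self, mappings):
        self.by_external = {m.external: m for m in mappings}
        self.denied = []            # audit trail; forward this to syslog/SIEM

    def forward(self, src: str, dst: str, dport: int):
        """Return (inner_ip, port) if the packet is translated, else None."""
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        mapping = self.by_external.get(dst_ip)
        if mapping is None:
            return None             # not a NAT address this gateway publishes
        if not mapping.permits(src_ip, dport):
            self.denied.append(f"DENY {src_ip} -> {dst_ip}:{dport} (PLC {mapping.internal})")
            return None
        return str(mapping.internal), dport

PLC_NAT, PLC_INTERNAL = ip_address("10.10.5.50"), ip_address("192.168.1.10")

def unrestricted_gateway() -> NatGateway:
    """Plain 1:1 NAT: every host on the company network reaches the PLC."""
    return NatGateway([NatMapping(PLC_NAT, PLC_INTERNAL)])

def restricted_gateway() -> NatGateway:
    """Same NAT, but only the maintenance host, and only for EtherNet/IP."""
    rule = Rule(ip_network("10.10.5.20/32"), 44818)
    return NatGateway([NatMapping(PLC_NAT, PLC_INTERNAL, [rule])])
```

A port-level rule like this cannot tell a tag read from a tag write on the same EtherNet/IP session; that is what the deep packet inspection layer mentioned above adds on top of the firewall rule.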

For more information, contact one of our application engineers at sales@rtautomation.com or call 262-436-9292.