In many of these articles, I’ve discussed the differences between IT and OT. They both use Ethernet, but that doesn’t mean that you should design them the same way, use the same monitoring tools and monitor the same diagnostics – and you definitely shouldn’t use the same security appliances.
IT operates enterprise networks like a utility, providing resources and services to an ever-changing set of customers with constantly changing service requirements. While IT end users are constantly coming and going, with changing needs and resource requirements, the infrastructure is typically composed of a small set of common components and common software. IT manages Microsoft Windows computers, Cisco switches, routers and firewalls, and the like.
The OT world is quite the opposite. Factory floor control networks are not only quite different from each other but are highly integrated with a specific manufacturing machine or production process. These much more static networks are composed of a very diverse infrastructure of controllers, actuators, and sensors developed by a broad base of vendors. In this more static but yet more diverse world, control engineers build custom networks with semi-open application layers (EtherNet/IP, PROFINET IO and Modbus TCP) that must meet specific operating requirements dictated by the product being manufactured.
Varying kinds of traffic
|Fixed set of traffic|
|Many different devices|
No remote management
Many different standards
|Operates as a utility|
Integrated into production
OT designs control networks in a fashion that is anathema to IT people. For example, OT people like consistency and uniformity across production lines. Identical product lines, for example, should use identical control programs and identical control networks. With three sorting machines, each with a bunch of I/O, some motors, and a display, it is much more efficient to use the same control program across all three machines. And you can only do that if the I/O devices all have the same addresses.
This kind of device organization drives an IT person nuts, but it is common for those of us in manufacturing. What’s important to control engineers in implementing device networking like this is to keep the EtherNet/IP (or PROFINET IO or Modbus TCP) control program in the PLC exactly the same on all three lines. The overriding objective is to make sure that the three machines operate identically and using the same control program with an identical network is how to do that.
In IT, every device needs to have access to the entire network and the internet. That’s not true in OT, so we can get away with reusing a subnet configuration in different places around the network.
But when we need to make data available, like energy data in the motor drive to some other application on the network, we use Network Address Translation (NAT). Network Address Translation (NAT) is one way of solving this problem. NAT devices “translate” one IP Address into a different IP address. A NAT device like ICS Defender NAT/RA can make the internal address of 192.168.100.100 available on the enterprise network using an enterprise-wide address.
For more information on the ICS Defender line of security appliances, visit security appliances on the RTA website.