I. Thou shalt place high priority on security, for hackers lurketh, thieves stealeth and employees bungleth
A Wi-Fi-enabled computer can connect to multiple networks at the same time. Your employees can give a hacker a pathway into your internal network simply by powering up a laptop. Imagine the mess an eco-terrorist could make if he didn’t like the look of your smokestack.
Even your well-intentioned employees can bring a network down, simply by blundering around in areas they shouldn’t. Don’t take chances with network security.
Most wireless systems employ industry-standard WEP (Wired Equivalent Privacy). A hacker can get around it within a few hours. Look into more powerful standards like Extensible Authentication Protocol and Tunneled Extensible Authentication Protocol.
Never assume that your industrial Ethernet products have built-in security features. At the very least, you should use inspection-type firewalls (such as packet filters) to control any access that is based on IP source address, destination address, and port number.
Don’t just talk about changing your passwords a regular basis. Do it. And don’t make them easy to guess.
Consumer plug and play devices can flood your network with traffic in a "broadcast storm" as they try to self-configure or advertise their presence to every other node on the network. Faulty devices can vomit zillions of “runts”, or abnormally short Ethernet frames. Using switches instead of hubs will take care of those problems.
Duplicate IP addresses can deactivate devices that otherwise appear to be perfectly functional.
II. Thou shalt document thine installation, so that even Homer Simpson mayest discern the system whither thou goest; for to write the IP address on your hand or your forehead shall not be deemed sufficient
Document your installation. When devices need to be replaced it needs to happen quickly. Things you need to know and document for every device:
- Replacement part numbers.
- IP addresses.
- Subnet masks.
- Gateway addresses.
- Menu settings of devices like Serial Servers, data collectors, routers and configurable switches.
- Functions like DHCP enabled/disabled, static vs. dynamic IP addresses.
III. Thou shalt execute a definite plan for assigning and re-assigning IP addresses, from the very opening of the box to the inheritance of future generations
There is no standardized way to set IP addresses in automation, but don’t just wing it. Have a plan in place.
- Whether you use DHCP or set IP addresses manually, IP assignments should be semi-permanent.
- Understand the client software IP address requirements as they relate to the hardware devices in a client/server application. Note that in a PLC-style control system, the PLC is a client and all of the I/O devices are servers, which is the exact opposite of the arrangement in an office LAN.
- Documentation should clearly indicate the mechanism by which the IP address of a replacement device should be set.
- You should cooperate with your IT department in choosing IP addresses so that conflicts do not arise in the future.