Legacy Network Migration Using Siemens SCALANCE S615

Project Summary

This month, we are reviewing a recent cybersecurity project at a manufacturing customer. The customer approached Patti Engineering saying that their IT department had identified a concern that their legacy factory floor network was deemed a red level (severe) threat because the PLCs and other floor-level devices were exposed to vulnerabilities in the current network architecture. These threats could infiltrate the corporate network where competitive information resides. The project’s goal was to improve network security while causing minimal downtime during installation.

The controls network consists of approximately 4000 devices, with roughly 100 PLCs on the plant floor. The pre-migration layout was a typical zone layout. To minimize downtime, the chosen solution was to insert Siemens SCALANCE S615 security modules. The new architecture allowed for the continued use of legacy devices that are unable to comply with the corporate security standards, isolating them on a separate network layer.

The S615s were installed over each PLC network. This allowed each PLC network to stay intact, and we did not have to change all of the IPs. Only NAT the IP Addresses that need to talk out, which requires only IPs on layer 1 for those devices, and included the PLCs, HMIs, and peripherals. We included firewall rules, which only allow our approved “whitelisted” traffic to pass through.

There were many benefits to choosing this implementation strategy to upgrade the network security. We were able to migrate the legacy network into the corporate network with zero downtime within the customer’s production schedule. During implementation, we greatly reduced the number of IPs used on Layer 1 of the corporate network, only requiring enough virtual IPs for devices that needed to talk out. Additional security was added by creating a bridge between the two separate networks, with the firewall in between only allowing “whitelisted” traffic between the networks. We were also able to keep unwanted IT traffic out of the controls network with the firewall.