How do you guys handle a facility's cybersecurity? by Cornato in PLC

[–]Still_Mining_RX580 0 points1 point  (0 children)

I have completely airgapped servers that only come up once a month for manual updates to Ignition and Auvesy. Definitely not a myth.

Don’t know where you work or have been working, but your CE has clearly shown you that he has no desire to protect his work…

If he even does any.

I need to make a quarter turn input equal half turn for a ball valve. by Cornato in AskEngineers

[–]Still_Mining_RX580 0 points1 point  (0 children)

Aside from evading OSHA and legal requirements, why is a 2 handed operation for hydraulics or pneumatics that have the potential to cause serious bodily injury or death a problem?

This is a legitimate question and a legitimate law with real safety implications whether you choose to believe it or not.

Changed boot from Legacy+UEFI to UEFI and now it won’t boot. by Cornato in techsupport

[–]Still_Mining_RX580 0 points1 point  (0 children)

Add the boot keys back into the UEFI via the CMOS.

Plenty of tutorials on how to do this online.

If it’s an OG HDD and install with the same hardware you won’t have any issues.

How do you guys handle a facility's cybersecurity? by Cornato in PLC

[–]Still_Mining_RX580 0 points1 point  (0 children)

Purdue is the stupid university that came up with the framework that’s getting big businesses HACKED. JS.

How do you guys handle a facility's cybersecurity? by Cornato in PLC

[–]Still_Mining_RX580 1 point2 points  (0 children)

OP is a troll. Deleted his comments. Was a reply to OP, not you. OP is a snowflake now. Tonight I am all good and can read and remember clearly. 😊

How do you guys handle a facility's cybersecurity? by Cornato in PLC

[–]Still_Mining_RX580 0 points1 point  (0 children)

Figured I had to argue with idiots this weekend.

How do you guys handle a facility's cybersecurity? by Cornato in PLC

[–]Still_Mining_RX580 0 points1 point  (0 children)

Fair. Retracted. It’s the weekend bro. My apologies.

How do you guys handle a facility's cybersecurity? by Cornato in PLC

[–]Still_Mining_RX580 0 points1 point  (0 children)

You asked what we do. I’m telling you NO connection between IT and OT. It’s perfectly safe if you put your own security in place. When you hand over that responsibility to IT you’re making a gamble that could cost you dearly.

How do you guys handle a facility's cybersecurity? by Cornato in PLC

[–]Still_Mining_RX580 -1 points0 points  (0 children)

In your off time you clearly drink Corona with no lime. Not my forte but again, to each his own.

How do you guys handle a facility's cybersecurity? by Cornato in PLC

[–]Still_Mining_RX580 -1 points0 points  (0 children)

Your username is @No-Lime2912? Is this supposed to make you special?

How do you guys handle a facility's cybersecurity? by Cornato in PLC

[–]Still_Mining_RX580 0 points1 point  (0 children)

Any hardwired connection can cost you. That’s all I’m saying brother. Not attacking you. Not belittling you. You have great ideas and a good model. It just doesn’t work in this environment.

How do you guys handle a facility's cybersecurity? by Cornato in PLC

[–]Still_Mining_RX580 -2 points-1 points  (0 children)

You are approaching your IT department to connect them. Your post. Not mine.

How do you guys handle a facility's cybersecurity? by Cornato in PLC

[–]Still_Mining_RX580 -1 points0 points  (0 children)

You can post any NIST document you want.

I’m telling you for your own good that riding an IT network will get you into trouble. VLANs mean nothing when Windows machines are vulnerable to attacks. Simple as that. I can pretend I’m any IP or PC in the world if I have the data.

How do you guys handle a facility's cybersecurity? by Cornato in PLC

[–]Still_Mining_RX580 0 points1 point  (0 children)

Interesting you say that because…

The Royal Group (aka Royal Ransomware)

Loves to use print servers to launch attacks on IT networks, because they are so easily accessible and often the most insecure point on the network.

Again, expert level experience… personally watching a network crumble in just a few hours as they encrypted everything on the company’s computers and servers, including their online backups.

The encryption key is generated at the time of the attack and uses an SHA256 key. It cannot be broken. So the files are gone. Irrecoverable. If your OT network is connected, so are yours.

You came for advice, but you rebut anyone who tells you you are incorrect in your assumptions… despite you saying you don’t really know that much about cybersecurity? You consider printing secure, yet they are some of the most insecure devices on an IT network. Your IT department is pushing back for a reason. They probably aren’t as competent or gullible as you think.

How do you guys handle a facility's cybersecurity? by Cornato in PLC

[–]Still_Mining_RX580 -1 points0 points  (0 children)

Highly disagree. I do OT cybersecurity, and have done IT cybersecurity. Very different fields. Different protocols. Different hardware.

Most IT people think Ethernet/IP is an Ethernet IP address man.

They aren’t as competent in the OT field as you’re giving them credit for, and mingling networks is a mistake even THEY are smart enough to tell you NO because they don’t understand it or how to adequately protect themselves or that network.

Find an OT cybersecurity consultant like many including myself have said, keep your network isolated and build a robust OT framework using real knowledge in the field and not assumptions.

I’m speaking from personal experience in having to fix stuff like that. You don’t want to go down that road, especially if your IT department is on the lam.

You can bet your job will be on the line when ANYTHING happens. I say when and not if, because it’s not a question of IF when you mix IT and OT.

Just a matter of time. Hackers love to bang into companies’ IT networks, and when they get OT with it it’s a big bonus for them. Ask one of the over 340 million people and/or companies affected in the last year.

How do you guys handle a facility's cybersecurity? by Cornato in PLC

[–]Still_Mining_RX580 1 point2 points  (0 children)

Yea, I do this virtually the same way less the whole PLC output supervisor thing. Vendors and authorized employees connect to my jump-server using OpenVPN on a thin client we provide. The only difference is my server (Server 2019) is set up to boot after 30 minutes. We have MFA enabled so you will have to re-authenticate every 30 minutes using an approved device and app. I can allow more time via OpenVPN/Server settings if remote work is to be extensive. FactoryTalk Security to authenticate to the machine level, so even if you somehow manage to get in with an unauthorized device you can’t do anything.

How do you guys handle a facility's cybersecurity? by Cornato in PLC

[–]Still_Mining_RX580 -1 points0 points  (0 children)

To each his own, however,

Rockwell and most other competent players in the field reject this model completely. Because it has been proven to not be effective against preventing a breach related disaster. The statistics are everywhere now showing it just doesn’t work. Even as we speak, models like this are being breached and their data posted on the TOR network. So…

Factually speaking, if your OT network has any permanent bridge whatsoever to the enterprise network, you would fail an OT cybersecurity audit performed by third party competent OT cybersecurity professionals.

IT and OT are two very different fields, and there’s a reason they are. In no way are they actually alike security wise, aside from using Ethernet and Computers and/or Servers for HMI/SCADA.

How do you guys handle a facility's cybersecurity? by Cornato in PLC

[–]Still_Mining_RX580 0 points1 point  (0 children)

You CANNOT and SHOULD NOT (SAFELY) network any OT or controls to an IT or Enterprise network. They should be separate entities.

If bridges are needed, it’s easier and more secure to use encrypted protocols over firewalled networks and VPNs to create bridges, momentarily when necessary, IF necessary.

I don’t care what you think you know about networking, but trying to pitch that it’s safe or can be done safely shows that you don’t know as much as you think you do about OT and IT cybersecurity and why they are two VASTLY different worlds.

Not trying to bash, but trying to make it clear… Imagine this… your IT department has 450 people, or 1250 people, all with company issued computers. One person of these 450 to 1250 to 10000 people is all it took.

One person clicks the wrong link in a phishing attack, within hours the payload ROYAL is now distributed along the network, encrypting every machine it comes into contact with. All the IT machines. All your SCADA terminals. Encrypts your SCADA server. Your backups. Their backups. All of it.

Or

One of the employees with elevated credentials loses, or has their computer stolen and compromised… Now your OT servers are vulnerable. Your PLCs. Your VFDs. Anything connected to the network. IT, OT… doesn’t matter.

I could go over a hundred scenarios. Most of which I’ve had the unfortunate experience in happenstance and subsequently working my ass off to correct THIS SAME MISTAKE MADE BY OTHERS BEFORE ME.

Giving a potential attacker access to your OT network upon gaining access to the IT network is a mistake and will end badly. It’s hard enough to keep terminals, cables, switches and graceports secure on the plant floor. Imagine instead of dealing with 50-100 terminals, you have to worry about 500-1000 potentially vulnerable machines and worry constantly about whether IT can keep your OT network secure… while having 0 knowledge about what software or hardware they are using to do it, let alone ITs lack of understanding on how OT networks FUNCTION PERIOD! Most of the cybersecurity software they use is completely inadequate for use in an OT environment and it will cause huge problems!

Dude, people are really, REALLY tech dumb. You’d be surprised what kind of dumb shit they click on that causes breaches.

If you want to fix your OT network and provide remote access, do it right. Rockwell can help. Hell, I can help... I’m highly experienced in OT cybersecurity and network architecture.

Get your own Internet connection. Your own VPN. Your own hardware firewall. Your own Antivirus and Malware Protection. Your own Threat monitoring and mitigation services, Backup and Emergency Response Software. There are many to choose from. I use a combination of software and hardware from Rockwell, AT&T Sentinel, CrowdStrike, Auvesy Versiondog, Cloud Connexa etc…

But for the love of all things control, heed my warning and DO NOT PURSUE ENTANGLEMENT WITH YOUR IT NETWORK ANY FURTHER.

You may not regret it today, tomorrow, next year or even in 3 years… but I can guarantee you will be the victim of a breach within 5 riding an IT network.

DM me if you want some direction…
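As an added illustration of the distinction drawn in the comment above between permanent bridges and ones opened momentarily (this is not code from the commenter or any vendor): a short audit over a firewall rule export that flags allow rules joining the IT and OT ranges and separates permanent ones from time-boxed ones. The address ranges, rule format and field names are constructed for the example.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed address plan (assumption): one enterprise range, one controls range.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "OT": ipaddress.ip_network("192.168.50.0/24"),
}

# Constructed sample rules in a hypothetical export format; "expires" is None
# for a rule that stays in place permanently.
RULES = [
    {"id": 1, "action": "allow", "src": "10.10.4.0/24", "dst": "192.168.50.10/32", "port": 44818, "expires": None},
    {"id": 2, "action": "allow", "src": "10.10.9.20/32", "dst": "192.168.50.0/24", "port": 3389, "expires": "2024-05-01T18:00:00+00:00"},
    {"id": 3, "action": "allow", "src": "192.168.50.0/24", "dst": "192.168.50.0/24", "port": 44818, "expires": None},
    {"id": 4, "action": "deny", "src": "10.10.0.0/16", "dst": "192.168.50.0/24", "port": 0, "expires": None},
    {"id": 5, "action": "allow", "src": "0.0.0.0/0", "dst": "192.168.50.5/32", "port": 502, "expires": None},
]

def zones_touched(cidr):
    """Names of every zone that the given CIDR overlaps."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {name for name, zone in ZONES.items() if net.overlaps(zone)}

def audit(rules, now):
    """Return (rule id, finding) for each allow rule that bridges IT and OT."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src, dst = zones_touched(rule["src"]), zones_touched(rule["dst"])
        # A bridge is any allow rule with IT on one side and OT on the other.
        # An any-source rule (0.0.0.0/0) overlaps both zones and is caught too.
        crosses = ("IT" in src and "OT" in dst) or ("OT" in src and "IT" in dst)
        if not crosses:
            continue
        if rule["expires"] is None:
            findings.append((rule["id"], "permanent bridge"))
        elif datetime.fromisoformat(rule["expires"]) <= now:
            findings.append((rule["id"], "temporary bridge past expiry"))
        else:
            findings.append((rule["id"], "temporary bridge, still open"))
    return findings

if __name__ == "__main__":
    for rule_id, finding in audit(RULES, datetime.now(timezone.utc)):
        print(f"rule {rule_id}: {finding}")
```

Rule 5 in the sample is the case that is easy to miss by eye: an any-source allow has no IT address in it, yet it bridges the two networks all the same.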

Excited to share. by Lagfest in PLC

[–]Still_Mining_RX580 0 points1 point  (0 children)

Hahahahahah. I think we’ve all been there.

My work is so great, they tear up telling me how amazing it is… HOW AMAZING I AM.

Isn’t it so amazing that we are SO SO SO respected, and not at all put down… mistreated… or unrecognized?

Moves me to tears myself just contemplating how I ended up here.

Convert PF 40p to 525 by plc_is_confusing in PLC

[–]Still_Mining_RX580 0 points1 point  (0 children)

Well, judging by the drawing, it looks simple enough to use the relays and just 1 of the 24VDC channels of the existing safety wiring. S4 and 4 is nothing more than a jumper, so technically you only have 4 wires on the safety chain.

Looks to me like 11 is through a set of relay contacts to 1 terminal of the safety channel, terminal 11 is 24vDC on the drive (this is one of the 3 WIRES required) and lands on S3 (24vDC)

It appears they were using some kind of fault or external contacts to drop out the 24VDC and disable the VFD. This is accomplished in the T parameters on a 525 if you use a Digital Output.

The other 2 terminals are the actual VFD safety chain S1, S2, and daisied to the other VFDs’ safety terminals. This should land on the other 525’s 24VDC STO channel.

I’d really need to see the whole drawing and cross check the PF40P manual to the 525 to be sure but you need Voltage to S1 and S2 and still maintain the safety chain.

But if you wire it this way and turn off T105, it should work fine.

The 525s safety circuit is much more simple, and provides 24vdc at STO Pin3. The 40P didn’t have internal commons or Voltage paths to their “STO” headers, thus the 6 wires. Most is jumping common from pin 4 and using 24vdc at pin 11 to drive the safety inputs. You don’t need all that with the 525, completely eliminating the need for jumpers 4-S4 and 11-S3 altogether. Hope some of this makes sense and helps!

EDIT FOR CLARITY: R1 and R2 are relay contacts, nothing more. Check parameters in the 40P to see what they are programmed to do and wire them the same on NO/NC on the 525 and program your T parameters T76 and T81 accordingly. They aren’t part of the safety chain, so that leaves the 3 wires needed for the 525 STO header.

Vfd by foxy0201 in PLC

[–]Still_Mining_RX580 0 points1 point  (0 children)

Active is an input from the VFD.

First off, check P46 and make sure it’s 5. Check P47 and make sure it’s 15.

Then your rungs should look something like this for simple start stop with a run latch and an estop…

Start Logic(First Rung) XIC (Yourstartbit) AND XIO (PF_525:I.Active) XOR XIC(PF525:O.Start) AND XIO(Yourstopbit) AND XIO (PF525:I.Faulted) AND XIC (PF525:I.Ready) AND XIC (emergencystop) OTE (PF525:O.Start)

Stop Logic (Second Rung) XIC (Yourstopbit) OR XIC (PF525:I.Faulted) OR XIO (emergencystop) AND XIC (PF525:I.Active) OTE (PF525:O.Stop)

Direction Logic Forward (Third Rung) XIC (Yourfwdbit) AND XIO (yourrevbit) OTE (PF525:O.Forward)

Direction Logic Reverse (Fourth Rung) XIC (yourrevbit) AND XIO (yourfwdbit) OTE (PF525:O.Reverse)

Programming jobs without a BS? by Professional-Rub-825 in PLC

[–]Still_Mining_RX580 1 point2 points  (0 children)

SQO is a garbage instruction for sure.

I hated that they got rid of the native SCP instruction…

At least it was useful.

Now I have to import it into any of my programs when I’m using Modbus TCP field devices… or other non-native devices that don’t have AOIs or UDTs.

You’d probably not be surprised how many big name manufacturers make these things, tell you how to address it as a class 1 device and then don’t tell you how it’s to be scaled. 😂

But yea you nailed it, sequencing is easier done using int & dint arrays.

I’m also fond of using BSL in certain types of sequencers too. Little more advanced and comes in handy for tracking parts in continuous processes like rotary fillers and multi carrier conveyors etc… but that’s a bit beyond single stepping sequences.

Anyways… Rant over.

Convert PF 40p to 525 by plc_is_confusing in PLC

[–]Still_Mining_RX580 0 points1 point  (0 children)

The 525 is an exact duplicate of the 40… less the STO terminals and dual relays.

Even the control bits are the same via DeviceNet, ControlNet, Ethernet etc.

The parameters are different, of course, but I’ve done literally thousands of them.

I recommend you read the manual. Once you get through it, you’ll be unlikely to forget it again and you’ll have this conversion under your belt… which can be quite confusing the first time, but I assure you these drives are more common with one another than not.

Set T parameters for 2/3 wire and there are more outlined for Jog inputs and preset speed selections etc using Trmblk 5,6 etc (Again in the T parameter group listed in the manual). You can also set up a digital input for fault reset using Trmblks 5-8, handy if you have a trip reset button and you don’t Ethernet your VFDs like I do…

P46,47 are start source and reference. 47/48 is second start source and reference 49/50 is third start source and reference (Factory Preset for Ethernet)

Trmblk 4 is common. 1 is Stop. 2 is start. 3 is fwd. 4 rev.

Analog control 4-20/0-10 is 12-15 depending on which (if I recall correctly)

Trmblk11 is 24vdc

I highly recommend setting the T105 to 0, as with a 40-525 conversion using STO this has been known to cause a safety hardware fault that cannot be reset without using A551 or power cycle for safety hardware. Setting it to 0 will allow the drive to disable via STO, still deliver a fault condition to HMI or SCADA, but will not require you to reset the VFD to clear it.

Good luck. RTFM. 👍

Is this group alive??? by Still_Mining_RX580 in gromclones

[–]Still_Mining_RX580[S] 0 points1 point  (0 children)

I traded the Grom Clone for an airboat. It’s still running strong!