Live data security considerations


There are several features and strategies that you can use to get live data without compromising on the security of your DCS system.

DBDOC is read-only

DBDOC has been designed so that remote users cannot use it to make changes to your DCS system.

Getting data from the process network to the business network

Many DCS systems are isolated on a process network that cannot communicate with the outside world. However, there are strategies that you can use to get live data to the business network so that you can monitor your plant without having to connect to the process network.

  • Relay mode. You can set up a relay CIUMon on the business network and configure the firewall so that only this relay CIUMon is allowed to communicate with the process network.
  • Intermediate LAN. To add even more security, you can create an intermediate LAN that can communicate with both the business network and the process network. Then, you can set up one relay CIUMon on the intermediate LAN and a second relay CIUMon on the business network. Using this strategy, there is no direct communication between the business network and the process network.
  • Collector mode. You can set up a relay CIUMon in collector mode. In this mode, the relay CIUMon will not initiate any communication with the upstream CIUMon; instead, it waits for the upstream CIUMon to ask it for requests.
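
Each of the three strategies above implies a property you can check in the firewall's allow list. The following is an added example, not DBDOC code or configuration: the zone subnets, host addresses and the `audit` helper are constructed for illustration, and "upstream" is assumed to mean the CIUMon nearer the process network.

```python
import ipaddress

# Constructed zones: placeholder subnets, not DBDOC defaults.
ZONES = {"process": "10.10.0.0/24", "intermediate": "10.20.0.0/24",
         "business": "10.30.0.0/24"}
DEPTH = {"process": 0, "intermediate": 1, "business": 2}  # distance from the DCS

def zone_of(net):
    """Name of the zone that fully contains net, or None if it spans zones."""
    n = ipaddress.ip_network(net)
    for name, cidr in ZONES.items():
        if n.subnet_of(ipaddress.ip_network(cidr)):
            return name
    return None

def audit(rules, relays, intermediate_lan=False, collector=False):
    """rules: (initiator, responder) pairs the firewall allows.
    relays: addresses of relay CIUMon hosts (hypothetical). Returns findings."""
    relay_nets = {ipaddress.ip_network(r) for r in relays}
    findings = []
    for src, dst in rules:
        s, d = zone_of(src), zone_of(dst)
        if s is None or d is None:
            findings.append(f"{src} -> {dst}: endpoint not inside a single zone")
            continue
        if s == d:
            continue  # traffic inside one zone does not cross the firewall
        if "process" in (s, d):
            outside = dst if s == "process" else src
            if ipaddress.ip_network(outside) not in relay_nets:
                findings.append(f"{src} -> {dst}: non-relay host reaches process network")
            if intermediate_lan and "business" in (s, d):
                findings.append(f"{src} -> {dst}: bypasses the intermediate LAN")
        if collector and DEPTH[d] < DEPTH[s]:
            findings.append(f"{src} -> {dst}: initiated toward process side in collector mode")
    return findings

# Constructed allow lists, one per strategy described above.
RELAY_OK = [("10.30.0.5", "10.10.0.2")]
TOO_BROAD = [("10.30.0.0/24", "10.10.0.0/24")]
TWO_HOP = [("10.30.0.5", "10.20.0.5"), ("10.20.0.5", "10.10.0.2")]
COLLECTOR_OK = [("10.10.0.2", "10.30.0.5")]

if __name__ == "__main__":
    print(audit(RELAY_OK, ["10.30.0.5"]))
    print(audit(TOO_BROAD, ["10.30.0.5"]))
    print(audit(TWO_HOP + RELAY_OK, ["10.30.0.5", "10.20.0.5"], intermediate_lan=True))
    print(audit(RELAY_OK, ["10.30.0.5"], collector=True))
```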

Can DBDOC work through a "data diode" where nothing can be sent from the business network to the process network?

Unfortunately, there is no way for DBDOC to work without any communication at all to the CIUMon that communicates with the CIU. DBDOC is designed so that you can get data for any block in your system, so CIUMon needs to know which blocks to request at any given time. Most systems have many thousands of blocks, so trying to request data for every block and then broadcast that data to the business network would not be viable.

Some historian systems do work with a data diode, but this is because they are configured to get data only for certain blocks which are defined and set up ahead of time. This approach would not work in DBDOC.