
MODBUS TCP Communications Across Level 2.5 Network/Firewall/DMZ

Hello,

I have a system that follows the recommended network architecture: Level 4 Network -> Corporate Firewall -> Level 3 DMZ -> Emerson Smart Firewall -> Level 2.5 Network -> DeltaV Workstations.

A 3rd party system exists on the L4 network that needs to communicate with DeltaV for SCADA control of a few devices. The catch is that the 3rd party system only communicates via MODBUS TCP, it has no capability for OPC. It is also a MODBUS master.

I have been trying to determine the best method to use when connecting the systems. I have come up with a few options but I don't really like any of them:

  1. Kepware Server: Use Kepware as the MODBUS slave to OPC converter. Then I would use OPC Mirror on the existing OPC server to complete the connection.
    1. Install in the DMZ
    2. Install in the L2.5 Network
    3. I'm not a fan of adding a server for communications; it is just one more server to manage as it provides a nice attack surface.
  2. A hardware device, such as a Red Lion. This device is capable of being a simple MODBUS Slave to OPC converter. Then I would use OPC Mirror on the existing OPC server to complete the connection.
    1. Install in the DMZ
    2. Install in the L2.5 Network
    3. I like this a little better, but it's not really an integrated solution in my mind.
  3. Connect a dedicated VIM to the L2.5 Network
    1. Don't shoot me; it was just a thought!
    2. Could this be legitimate?
    3. I have no desire to connect the VIM network to the L2.5 network.
  4. ???

Thank you,

Dave

1 Reply

  • I think option 1 is the best among the 3. You can install the Kepware server on the application station where the OPC Mirror will be installed but make sure that the application station hardware has the capacity to handle the additional load. Take note if the Kepware version is compatible with the OS of the application station.

    Not sure if you may also need an additional NIC to connect to the MODBUS TCP.

    Hope this helps.

    Regards,
    Neil Castro