VLAN som separationsmetod för industriella styrsystemsnät

Authors:

  • Arne Vidström
  • Tommy Gustafsson

Publish date: 2015-06-23

Report number: FOI-R--4070--SE

Pages: 15

Written in: Swedish

Keywords:

  • VLAN
  • SCADA
  • security
  • industrial control systems
  • switches

Abstract

Industrial control systems are sometimes separated from administrative networks by the utilization of VLAN (Virtual Local Area Network) technology. This way it is possible to have one physical network with two logically separated parts. There is however a potential risk if the separation between the logical networks is not sufficiently robust. At present there is a difference of opinion about using VLANs as a security technology. Central to our study was the question of exactly how robust the separation between VLANs really is. We were unable to unveil any actual risks of leakage between correctly configured VLANs. However, it should be pointed out that a correct configuration is of uttermost importance for this result. In addition, some switch models turned out to have quirks that are highly important to be aware of. Finally it should also be pointed out that at least in theory, the highest level of security is reached through physical separation of networks. It follows that physical separation should be used instead of VLAN separation whenever a maximum level of security is desired.

Share page on social media