VLAN as a method of isolation for industrial control system networks
Publish date: 2015-06-23
Report number: FOI-R--4070--SE
Pages: 15
Written in: Swedish
Keywords:
- VLAN
- SCADA
- security
- industrial control systems
- switches
Abstract
Industrial control systems are sometimes separated from administrative networks by means of VLAN (Virtual Local Area Network) technology. This way it is possible to have one physical network with two logically separated parts. There is, however, a potential risk if the separation between the logical networks is not sufficiently robust. At present there is a difference of opinion about whether VLANs should be used as a security technology. Central to our study was the question of exactly how robust the separation between VLANs really is. We were unable to uncover any actual risk of leakage between correctly configured VLANs. However, it should be pointed out that a correct configuration is of utmost importance for this result. In addition, some switch models turned out to have quirks that are highly important to be aware of. Finally, it should also be pointed out that, at least in theory, the highest level of security is reached through physical separation of networks. It follows that physical separation should be used instead of VLAN separation whenever a maximum level of security is desired.
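The abstract's point that correct configuration is decisive for VLAN separation is easiest to act on as a configuration check. The script below is an added example and is not part of the FOI report; it audits a Cisco-IOS-style switch configuration for the trunk and access-port settings that are commonly recommended for VLAN separation (explicit port mode, trunk negotiation disabled, restricted allowed VLANs, a dedicated unused native VLAN, no live ports in VLAN 1). The two configurations embedded in it (`WEAK_CONFIG`, `HARDENED_CONFIG`) are constructed for illustration, the port names and VLAN numbers are invented, and the assumed defaults (native VLAN 1, trunk negotiation on, no explicit port mode) reflect typical IOS behaviour rather than any switch model examined in the report.

```python
"""Audit a Cisco-IOS-style switch config for VLAN-separation weaknesses.

Added example; not code from the FOI report. The checks encode general
VLAN hardening practice, not findings about any particular switch model.
"""
import re
from dataclasses import dataclass


@dataclass
class Interface:
    name: str
    mode: str = "dynamic"      # assumed IOS default: no explicit access/trunk mode
    access_vlan: int = 1       # assumed IOS default access VLAN
    native_vlan: int = 1       # assumed IOS default native (untagged) VLAN on trunks
    allowed_vlans: str = "all" # assumed IOS default: trunk carries every VLAN
    negotiate: bool = True     # trunk negotiation on until 'switchport nonegotiate'
    shutdown: bool = False


def parse_config(text):
    """Return (list of Interface, tag_native flag) from an IOS-style config."""
    interfaces, current, tag_native = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = Interface(name=line.split(None, 1)[1])
            interfaces.append(current)
            continue
        if line == "vlan dot1q tag native":   # global: tag the native VLAN too
            tag_native = True
            continue
        if current is None:
            continue
        if m := re.fullmatch(r"switchport mode (access|trunk)", line):
            current.mode = m.group(1)
        elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
            current.access_vlan = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            current.native_vlan = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk allowed vlan (\S+)", line):
            current.allowed_vlans = m.group(1)
        elif line == "switchport nonegotiate":
            current.negotiate = False
        elif line == "shutdown":
            current.shutdown = True
    return interfaces, tag_native


def audit(interfaces, tag_native):
    """Return a list of (interface name, finding) for live ports."""
    findings = []
    live = [i for i in interfaces if not i.shutdown]
    access_vlans = {i.access_vlan for i in live if i.mode == "access"}
    for i in live:
        if i.mode == "dynamic":
            findings.append((i.name, "no explicit port mode; port may negotiate a trunk"))
        elif i.mode == "trunk":
            if i.negotiate:
                findings.append((i.name, "trunk negotiation (DTP) enabled; add 'switchport nonegotiate'"))
            if i.allowed_vlans == "all":
                findings.append((i.name, "trunk carries all VLANs; restrict with 'switchport trunk allowed vlan'"))
            if i.native_vlan in access_vlans and not tag_native:
                findings.append((i.name, f"native VLAN {i.native_vlan} is untagged and also used by access ports"))
        elif i.access_vlan == 1:
            findings.append((i.name, "access port left in default VLAN 1"))
    return findings


def audit_text(text):
    return audit(*parse_config(text))


# Constructed sample: one physical switch, ICS and office traffic on the same trunk.
WEAK_CONFIG = """
interface GigabitEthernet0/1
 description uplink to core
 switchport mode trunk
!
interface GigabitEthernet0/2
 description ICS PLC
 switchport mode access
 switchport access vlan 1
!
interface GigabitEthernet0/3
 description spare
"""

# Constructed sample: same ports with the settings the audit expects.
HARDENED_CONFIG = """
vlan dot1q tag native
!
interface GigabitEthernet0/1
 description uplink to core
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description ICS PLC
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/3
 description spare
 switchport mode access
 switchport access vlan 999
 shutdown
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for name, msg in audit_text(cfg) or [("-", "no findings")]:
            print(f"  {name}: {msg}")
```

The audit deliberately treats a shut-down port as out of scope and treats a globally tagged native VLAN (`vlan dot1q tag native`) as resolving the native-VLAN finding; both are judgement calls that a site may want to tighten. Point it at a real `show running-config` export only after confirming the platform's defaults match the assumptions in the dataclass.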