To be or not to be DNS in OT

Imagine yourself swimming in a clear ocean, spotting different fish, colorful plants and other animals. Everything feels relaxed and seems peaceful. Or is it?

Let's think a little about the need for dynamic naming to reach OT devices over local networks.

Dynamic naming for devices generally brings flexibility and makes devices easier to manage. Using a Fully Qualified Domain Name (FQDN) on a device requires a connection to the Domain Name System (DNS). During startup the device registers its IP address with the DNS server, which then holds records mapping hostnames to IP addresses.

When someone tries to reach the device by its name, a query is first sent to the DNS server, which replies with the IP address of that device.

So having an FQDN for a device makes it easier to maintain connectivity when the device's IP address needs to change, e.g. a device that moves between locations or networks now and then.

The DNS server's best buddy is the Dynamic Host Configuration Protocol server (DHCP server). DHCP servers maintain and distribute IP addresses (and various other settings) across different networks when a new device requests an address. DHCP then tells DNS that there is a new device with a given IP.

Usually companies have only one DNS instance/namespace. This namespace then holds records for both IT and OT devices, which keeps things easy and costs reasonable.

Opening the DNS to OT

In companies where production networks are managed by traditional IT, the same services and principles are usually used for both OT and IT devices.

This means that the same processes, services and technologies are used for all connected devices. Networks connected to IT hardware then get the full set of services from IT: DNS, DHCP, NTP, firewalling, update servers, monitoring, proxies, etc.

The sharks can smell the blood

Let's imagine that you connect an operator PC to the network. You use DHCP with a static IP and an FQDN.

As soon as the computer boots up, it starts looking for time and application update services. It sends tens or even hundreds of requests towards the gateway and the internet. The computer is now registered and visible in those services.

Our operator station is now happily connected to the network. The operating system shows everything green and everything is reachable. The operating system is living its cozy life with no sense of danger.

Meanwhile in IT, the company is being infiltrated by malware that takes up residence in one of the printers (C2C). From there it starts to sniff around and look for possible weak points to spread to and attack, like a shark looking for prey in the ocean. Despite the firewall, the malware finds the DNS server, looks through the name tables and starts sending queries to the discovered clients. All the vulnerable OT devices are in that same address space.

The sharks have picked up the scent of blood.

Conclusions

Dynamic naming and DNS are not usually needed in OT environments. In a bigger DCS system where AD integration is also needed, a dedicated AD and DNS makes sense. In discrete industry it does not.

DNS, used the right way, helps to identify potential malware or other data breaches that automatically try to call home to the internet.
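As an added illustration of that last point, and of the name-table enumeration described in the shark section above, the script below is example code written for this post and not from the original article. It scans BIND-style DNS query log lines (constructed inline) and flags three patterns a defender running a shared IT/OT namespace would want to see: an OT host resolving a name outside the internal zone (a possible call-home), a zone transfer request against the internal zone, and a single client resolving many distinct internal hostnames (someone walking the name tables). The OT subnet 192.168.10.0/24, the internal zone example.local, the log line layout and the threshold of five names are all assumptions.

```python
"""Flag DNS query patterns that matter in a flat IT/OT namespace.

Added example for this post, not the article's own code. Assumptions:
BIND-style query log lines (constructed below), OT hosts in
192.168.10.0/24, internal zone 'example.local'.
"""
import ipaddress
import re
from collections import defaultdict

OT_NETS = [ipaddress.ip_network("192.168.10.0/24")]  # assumed OT address space
INTERNAL_ZONE = "example.local"                      # assumed internal namespace
ENUM_THRESHOLD = 5  # assumed: distinct internal names from one client before flagging

# Matches the "client IP#port (name): query: name IN TYPE" part of a BIND-style line.
LOG_RE = re.compile(
    r"client (?P<ip>\d+\.\d+\.\d+\.\d+)#\d+ \((?P<name>[^)]+)\): query: \S+ IN (?P<qtype>\S+)"
)

# Constructed sample log: an IT workstation, an OT HMI and an IT printer.
SAMPLE_LOG = [
    "12-Mar-2025 08:00:01.001 client 10.0.1.15#40001 (www.example.com): query: www.example.com IN A + (10.0.0.53)",
    "12-Mar-2025 08:00:02.010 client 192.168.10.21#50210 (hmi-01.example.local): query: hmi-01.example.local IN A + (10.0.0.53)",
    "12-Mar-2025 08:00:02.500 client 192.168.10.21#50211 (updates.vendor-example.com): query: updates.vendor-example.com IN A + (10.0.0.53)",
    "12-Mar-2025 08:01:10.001 client 10.0.5.40#33001 (plc-01.example.local): query: plc-01.example.local IN A + (10.0.0.53)",
    "12-Mar-2025 08:01:10.002 client 10.0.5.40#33002 (plc-02.example.local): query: plc-02.example.local IN A + (10.0.0.53)",
    "12-Mar-2025 08:01:10.003 client 10.0.5.40#33003 (plc-03.example.local): query: plc-03.example.local IN A + (10.0.0.53)",
    "12-Mar-2025 08:01:10.004 client 10.0.5.40#33004 (plc-04.example.local): query: plc-04.example.local IN A + (10.0.0.53)",
    "12-Mar-2025 08:01:10.005 client 10.0.5.40#33005 (plc-05.example.local): query: plc-05.example.local IN A + (10.0.0.53)",
    "12-Mar-2025 08:01:11.000 client 10.0.5.40#33006 (example.local): query: example.local IN AXFR -T (10.0.0.53)",
]


def parse_line(line):
    """Return {'ip', 'name', 'qtype'} for a query line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "name": m.group("name").rstrip(".").lower(),
        "qtype": m.group("qtype").upper(),
    }


def is_ot_host(ip):
    """True when the client address falls inside an assumed OT subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_NETS)


def is_internal(name):
    """True when the queried name is the internal zone or lies beneath it."""
    return name == INTERNAL_ZONE or name.endswith("." + INTERNAL_ZONE)


def analyse(lines):
    """Return (finding, client_ip, detail) tuples in the order they are detected."""
    findings = []
    names_per_client = defaultdict(set)
    for line in lines:
        q = parse_line(line)
        if q is None:
            continue
        if q["qtype"] == "AXFR":
            # A whole-zone copy request: the name table the malware was after.
            findings.append(("zone_transfer", q["ip"], q["name"]))
            continue
        if is_ot_host(q["ip"]) and not is_internal(q["name"]):
            # OT hosts have no business resolving names outside the plant zone.
            findings.append(("ot_external_lookup", q["ip"], q["name"]))
        if is_internal(q["name"]):
            names_per_client[q["ip"]].add(q["name"])
    for ip, names in names_per_client.items():
        if len(names) >= ENUM_THRESHOLD:
            findings.append(("name_enumeration", ip, f"{len(names)} internal names"))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

The IT workstation resolving an external name is deliberately not flagged: in a shared namespace the useful signal is an OT address doing so, which is why the check keys on the client subnet rather than on the name alone. In a real deployment the OT subnets and the zone name would come from the site's address plan, and the log lines from the DNS server's query log.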

Otherwise I don't personally see a lot of benefit in having DNS in production.

DHCP is also a luxury that doesn't make sense in statically configured IP networks. In the worst case DHCP is opened to a fieldbus network, where it messes up the automation configuration.

How about you? Do you like to swim with the sharks?
