We have two networks to connect for Modbus TCP using a router/firewall.

One is GE's PDH (192...) for the controllers to act as a slave.

The other is a Telvent RTU residing on our Energy Management network that has strict guidelines and multiple layers of approval before the slightest change can be made due to NERC. Changes in that gateway are almost out of the question.

So we NAT'd the GE's IP addresses to the Energy Management network so the RTU can send the requests to an IP on it's network. We had to add a default gateway in the GE controllers so they could respond and pings work.

However, the controllers do not seem to respond to the requests at all. Do the GE controllers have default Modbus TCP security so that they will only respond to an IP address that is on the GE network? I know the translation is normally done the other way for GE netorks (The RTU would be nat'd to the GE network)

For instance GE is a 192.201.x.x something but the requests are coming from 172.x.x.x something. Thanks... just wanting to rule that out.

 

I know this is an old post, but I just had to comment....

More than likely, your IT and NERC Compliance folks did exactly what they were supposed to do, and restricted traffic from entering or leaving the Energy Management network per NERC CIP-005, despite your best efforts to circumvent those protections.

I hope that you haven't plugged your GE devices, firewall, or router into the Energy Management network switches, and given them IP addresses on that network. Cause, well, that's likely a high level finding per NERC CIP rules, and the fines for a willful violation are a pretty big deal.

Follow the NERC process, submit a request to your compliance folks for a firewall change, and stop trying to short cut the security and regulations.

Mike Toecker, PE