Plantwide Benefits of EtherNet/IP Seminar Billingham 09.07.2014

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.

Industrial IoT in ActionPhil George – Solution Architect


Ethernet

SQL

Cloud

BIG DATA

Virtualization

MobilitySocial Media







PodcastChatroom

Inflection Point

“an event that changes the way we think and act” Andy Grove, Intel Co-founder

Infotainment

Sidebar

GeekLandline

Speed Dating

App

Buzzword

WidgetWebinar

Cyber grieving

ping

Blog

hashtag

BFF

LOL

phishing

Flash drive

Tagging

firewall

JPG

Flat screen

informationalize TweetGoogle

Unfriend

Wiki

IM

Cloud


SECURE

Connected Enterprise

Unprecedented

ValueDisruptive

Technologies

Faster Time-to-Market

Lower Total Cost of Ownership

Improved Asset Utilization

Enterprise Risk Management

INF

LE

CT

ION

Now!

$

Cloud

Ethernet

Mobility

Big Data

Business Analytics


$Faster Time

to Market

Improved Asset

Utilization

Enterprise Risk

Management

Lower Total Cost of

Ownership


Will exceed 7.6 billion

More than 70 million annually will cross into the middle class

Middle class adding $8 trillion to consumer spend

Global POPULATIONtrends (2020)

11

Source: McKinsey


EMERGING MARKET CONSUMERISM RESOURCE PRODUCTIVITY

INVESTMENT

Increased Demand on Industrial Production

$1T

Source: McKinsey

150%More Energy

More Water30% 100%

More Vehicles

GLOBAL POPULATION TRENDS

INCREASE DEMAND FOR

Manufacturing

80%More Steel

Resources

Infrastructure

12

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved. 13

Supply

Chain

Optimized for Rapid Value Creation Supply Chain Integration

Collaborative, Demand Driven

Compliant and Sustainable

AGILITY

PRODUCTIVITY

Enterprise

Distribution

Center

Smart Grid

Customers

COMPANY CONFIDENTIAL

THE CONNECTED ENTERPRISE

SUSTAINABILITY


Customer Demand

Industrial Processes Supply Chain

INDUSTRIALInternet of Things

Raw data > Contextualized Data >

Business System

14

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.Actuators Intelligent Motor Control Terminals Audio VideoSensors


Enterprise

InfrastructureAutomation

Infrastructure

One Common Environment

CONVENTIONAL: SEPARATE IT & AUTOMATION FUTURE: UNIFIED INFRASTRUCTURE

TRANSFORMATIONINTEGRATED CONTROL AND INFORMATION

16

ENABLER Common Secure Ethernet Infrastructure


2011 2012

# of ReCoats reduced due to real-time alerts

Oven temperatures accessed real-time

$302k/yr Eliminated by Contract Dispatch

Allows all to access EPA data

Visibility into loss of production faults lead to root cause identification

@ PAINT LAB

KENTUCKY FACILITY


Fundamentals of Ethernet/IP

Designing the Physical Layer

Industrial & IT Network Convergence

Ethernet/IP Product Selection

Securing Automation Networks

Plant-wide Benefits of Ethernet/IP

18

Agenda

www.rockwellautomation.com

Follow ROKAutomation on Facebook & Twitter.Connect with us on LinkedIn.


www.rockwellautomation.com/connectedenterprise

Fundamentals of EthernetIP OSI and CIP.pptx

Fundamentals of EthernetIP OSI and CIP.pptx

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

EtherNet/IP OverviewBenefits of EtherNet/IP Seminar Series

Copyright © 2013 Rockwell Automation, Inc. All rights reserved. 2

Industrial Networks NeedsLong Term Trends

Open network

Converged network technologies (information sharing, common design)

Better asset utilization - lean initiatives (training, support, and inventory)

Future ready – to maximize investments and minimize risks


Industrial Applications ConvergenceIndustrial Network Trends

3

InformationI/O

DriveControl

SafetyApplications

ProcessPower

Control

Multi-discipline Industrial Network Convergence

HighAvailability

EnergyManagement

Controller

Drive Network

Safety Network

I/O Network

Plant/Site Network

Disparate Network Technology

Safety I/O

Single IndustrialNetwork Technology

Camera

Controller

VFDDrive

HMI

I/OPlant/Site

Instrumentation


EtherNet/IP is the global leader: 5M+ nodes sold, 300+ vendors, 1000s product lines

Control System Engineer Enable future-ready, high performance Use an established, widely accepted

network technology supported by leading industry vendors

IT Network Engineer Use standard Ethernet and TCP/IP Utilize common network

infrastructure assets & tools

System Integrator Enable seamless plant-wide /

site-wide information sharing Converge industrial and non-

industrial traffic

Equipment Builder Enable convergence-ready

solutions Use a single multi-discipline

control and information platform

EtherNet/IP - One Standard Industrial Network Technology For….

4


EtherNet/IP: “IP” - Industrial ProtocolSingle Industrial Network Technology

ODVA Supported by global industry leaders such as Cisco Systems®,

Omron®, Schneider Electric®, Bosch Rexroth AG®,

Endress+Hauser and Rockwell Automation

Conformance & Performance Testing

Standard IEEE 802.3 - standard Ethernet, Precision Time Protocol (IEEE-1588)

IETF - Internet Engineering Task Force, standard Internet Protocol (IP)

ODVA - Common Industrial Protocol (CIP)

IEC - International Electrotechnical Commission – IEC 61158

IT Friendly and Future-Ready (Sustainable)

Multi-discipline control and information platform

Established - products, applications and vendors

www.odva.org

http://www.odva.org/


OSI 7-Layer Reference ModelSingle Industrial Network Technology

6

Application

Presentation

Session

Transport

Network

Data Link

Physical

Layer 7

Layer 6

Layer 5

Layer 4

Layer 3

Layer 2

Layer 1

Network Services to User App

Encryption/Other processing

Manage Multiple Applications

Reliable End-to-End DeliveryError Correction

Packet Delivery, Routing

Framing of Data, Error Checking

Signal type to transmit bits,pin-outs, cable type

CIPIEC 61158

IETF TCP/UDP

IETF IP

IEEE802.3/802.1

TIA - 1005

Routers

Switches

Cabling

Layer Name Layer No. Function Examples

What makes EtherNet/IP industrial?

Physical Layer

Hardening

Infrastructure Device

Hardening

Common Application

Layer Protocol

5-Layer TCP/IP Model

CIPIEC 61158

Open Systems Interconnection


OSI Reference ModelProtocol Stack

7

Application

Presentation

Session

Transport

Network

Data Link

Physical

Layer 7

Layer 6

Layer 5

Layer 4

Layer 3

Layer 2

Layer 1 TIA - 1005

Layer NameLayer No. Function

CIP

ApplicationLayers

Data TransportLayers

IETF TCP/UDP

IETF IP

IEEE802.3/802.1


OSI Reference ModelOpen Systems Interconnection

8

Application

Presentation

Session

Transport

Network

Layer 7

Layer 6

Layer 5

Layer 4

Layer 3

Vendor Specific

Vendor Specific

Layer NameLayer No. Function

Data Link

Physical

Layer 2

Layer 1

IEEE802.3/802.1

TIA - 1005

Limits Portability and Routability,

may require additional assets

to forward information throughout

the plant-wide / site-wide architecture


OSI Reference ModelOpen Systems Interconnection

9

Vendor Specific

Vendor Specific

Function

Vendor Specific

TIA - 1005

Non standard Ethernet,

will require additional assets

to connect into

the plant-wide / site-wide architecture

Application

Presentation

Session

Transport

Network

Layer 7

Layer 6

Layer 5

Layer 4

Layer 3

Layer NameLayer No.

Data Link

Physical

Layer 2

Layer 1


OSI Reference ModelNetwork Independent

10

Layer 7

Layer 4

Layer 3

Layer 2

Layer 1

Layer No.

NetworkIndependent


Industrial Applications ConvergenceIndustrial Network Trends

11

Safety I/O

Single IndustrialNetwork TechnologyCamera

Controller

VFDDrive

HMI

I/OPlant/Site

Instrumentation

Multiple Network Technologies

Topology Limits

Physical Segmentation

Data Duplication

Multiple 1 Network Technologies

Topology Limits

Physical Segmentation Options

Data Duplication

Disparate Network Technology


The Alternative“Islands of Automation”

12


Micro Data Center

Racks

Patching

Cable Management

Copper/Fiber

Collaboration of PartnersNetwork Technology Convergence

13

Logical FrameworkPhysical Framework

Noise Mitigation

Control Panel

Network Zone

Catalyst 3750StackWise

Switch Stack

Gbps Linkfor Failover Detection

Firewall(Active)

Firewall(Standby)

MCC

Levels 0–2

HMI

Cell/Area Zone #1Redundant Star TopologyFlex Links Resiliency

Cell/Area Zone #3Bus/Star Topology

Cell/Area Zones

IndustrialDemilitarized Zone

(IDMZ)

Enterprise ZoneLevels 4 and 5

Rockwell AutomationStratix 8000

Layer 2 Access Switch

CiscoASA 5500

Industrial Zone Site Operations and Control

Level 3

Remote AccessServer

Catalyst6500/4500

Phone

Controller

Camera

Safety Controller

RobotSoft

Starter

Cell/Area Zone #2Ring TopologyResilient Ethernet Protocol (REP)

I/O

Plant Firewall: Inter-zone traffic segmentation ACLs, IPS and IDS VPN Services Portal and Terminal Server

proxy

Physical or Virtualized Servers• Patch Management• Remote Gateway Services• Application Mirror• AV Server

Physical or Virtualized Servers• FactoryTalk Application Servers & Services Platform• Network Services – e.g. DNS, AD, DHCP, AAA• Remote Access Server (RAS)• Call Manager• Storage Array

Wide Area Network (WAN)Physical or Virtualized Servers• ERP, Email, Call Manager• Active Directory (AD)• AAA – Radius

EnterpriseWAN

SafetyI/O

ServoDrive

Instrumentation

Copper, Fiber,

Wireless Testers

Network Discovery

Protocol Statistics

Network Discovery

Protocol Statistics

Common Toolsets


Enterprise

InfrastructureAutomation

Infrastructure

One Common

Environment

CONVENTIONAL: SEPARATE IT &

AUTOMATION

FUTURE: UNIFIED INFRASTRUCTURE

TRANSFORMATIONINTEGRATED CONTROL AND INFORMATION

14

ENABLER Common Secure Ethernet Infrastructure


Industrial Networks Summary

Open networks are in demand Broad availability of products, applications and vendor support for Industrial Automation

Network standards for coexistence and interoperability of industrial automation devices

Convergence of network technologies Reduce the number of disparate networks in an operation and create seamless

information sharing throughout the plant-wide / site-wide architecture

Use of common network design, deployment and troubleshooting tools across the plant-

wide / site-wide architecture; avoid special tools for each application

Better asset utilization to support lean initiatives Common network infrastructure assets, while accounting for environmental requirements

Reduce training, support, and inventory for different networking technologies

Future-ready – maximizing investments and minimizing risks Support new technologies and features without a network forklift upgrade

Reduce Risk Simplify Design Speed Deployment


A new ‘go-to’ resource for educational, technical and

thought leadership information about industrial

communications

Standard Internet Protocol (IP) for

Industrial Applications

Coalition of like-minded companies

www.industrialip.org

http://www.industrialip.org/


Agenda Plant-wide Benefits of Ethernet/IP

17

Fundamentals of Ethernet/IP

Designing the Physical Layer

Industrial & IT Network Convergence

Ethernet/IP Product Selection

Securing Automation Networks


www.rockwellautomation.com

Follow ROKAutomation on Facebook & Twitter.Connect with us on LinkedIn.

EtherNet/IP OverviewBenefits of EtherNet/IP Seminar Series

Will your Physical Layer perform?

Plantwide EtherNet/IP Ecosystem Design and Deployment

Panduit’s Distributor Partner

Vision: Unified Physical Infrastructure

Office: Data Center Solution

Building: Connected Buildings Solution

Manufacturing:Industrial Automation Solution

Critical Manufacturing Assets are at Risk!

• Downtime

• Security lapses

• Performance degradation

3

Installation pitfalls

3. This makes it impossible to manage, maintain and troubleshoot

2. No matter the hardware, shoddy cable installation

will result in a poor network

1. Proper cable installation is critical

Importance of the Physical Layer

“A significant portion of network

downtime, approx. 80%, is attributed

to Physical Layer Connections.” Sage Research

Designing the Physical Layer for Ethernet/IP

What do Physical Layer Reference Architecture based best practices look like?

Physical Layer Design Considerations

• Design and implement arobust physical layer

• Environment Classification - MICE

• More than cable

– Connectors

– Patch panels

– Cable management

– Grounding, Bonding and Shielding(noise mitigation)

• Standard Physical Media

– Wired vs. Wireless

– Copper vs. Fiber

– UTP vs. STP

– Singlemode vs. Multimode

– SFP – LC vs. SC

• Standard Topology Choices

– Switch-Level & Device-Level

Cable Selection

ENET-WP007

LAN Troubleshooting Guide

Industrial Ethernet Physical

Infrastructure Reference

Architecture Design Guide

ODVA Guide

7

http://www.flukenetworks.com/fnet/en-us/search/searchresult.htm?mode=ShowAll&query=frontline

http://www.panduit.com/Solutions/IndustrialAutomation/index.htm

http://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00148R0_EtherNetIP_Media_Planning_and_Installation_Manual.pdf

8

Rockwell/Cisco RA

Logical

De-Militarized Zone (DMZ)

Enterprise Zone (EZ)

De-Militarized Zone (DMZ)

Manufacturing Zone

Manufacturing Zone

Cell/Area Zone

FIREWALL(ACTIVE)

FIREWALL(STANDBY)

GE Link for Failover Detection

Windows 2003 Servers• Remote Desktop

Connection• VNC• PCAnywhere

LAYER 3 ROUTER

LAYER 3 ROUTER

LAYER 3 SWITCHLAYER 3

SWITCH

Automation Apps• Historian• Data Distribution• Asset Security• Engineering Applications• Databases

Network Services• DNS, DHCP, Syslog Server• Network & Security Management

(Redundant Star Topology) (Ring Topology) (Bus/Star Topology)

http://www.ab.com/drives/powerflex/images/PowerFlex4/Pflex4_0000.jpg


http://www.automationwestburnebc.com/ranews.htm


http://www.ioselect.com/ioSelect/Products - microPLCs.htm












Enterprise Zone

FIREWALL(ACTIVE)

FIREWALL(STANDBY)

(Ring Topology) (Bus/Star Topology)

LAYER 3 ROUTER

LAYER 3 ROUTER

LAYER 3 SWITCHLAYER 3

SWITCH











Reference IN-SolutionIN-Frastructure

IN-Route

IN-Panel

HM

I

CTR

LR

DR

IVE

DIS

T i/

O

IN-Field

Enterprise Zone

FWA FWB

DMZ

IN-Room

L3R L3R

L3S L3SPaS

DB

Manufacturing Zone

Cell/Area Zones

Physical

L2S

L2S

L2S

L2S

Panduit Industrial Automation 5 Core Solutions

IN-ROOMTM

Control Room, Data Center,

Telco Closet

IN-PANELTM

Control Panels, Electrical

Panels and MCC

IN-FIELDTM

On the Machine, In the

Process Area, or Outdoors

IN-FRASTRUCTURETM

Power Distribution, Lighting,

HVAC Security, Safety

IN-ROUTETM

Industrial Pathways, Network

Zone Enclosures

Simplify with validated building blocksPhysical Layer Design Considerations

Micro Data Center

Zone Enclosures

Control Panel Solutions

Micro Data Center – IN-Room Solution

Enterprise/OfficePatchfield used to uplink switch

to level 4 & 5 Enterprise

Server PatchingCross connect between production

servers and switch

Firewall and DMZLogical buffer zone between theEnterprise and Manufacturing

Manufacturing ZonePatchfield used to connect layer 3 switch to layer 2 switches used on

plant floor

IN-ROOMTM

Physical Network Security

• Keyed solutions for copper and fiber

• USB Type A, B Ports• Lock-in, Blockout products

secure connections

IN-ROOMTM

IN-ROUTETM

IN-PANELTM

IN-FIELDTM

Micro Data Center Simplification - Organize, Secure, and Standardize

Challenges: • Disorganized • Network performance issues• Frequent moves, adds & changes

Solutions: • Structured approach• Media selection/security • Visual identification

BEFORE AFTER

Micro Data Center SolutionsPhysical Layer Design Considerations

15IN-ROOMTM

IN-Route - Getting from “Point A” to “Point B”

Built-In Failure Points

IN-ROUTETM

17Environmental Focus – M.I.C.E.

Office Industrial

Increased Environmental Severity

TIA/EIA

1005

Electromagnetic

Climatic

Chemical

Ingress• Water• Dust

Mechanical• Shock• Vibration

E1

C1

I1

M1

E2

C2

I2

M2

E3

C3

I3

M3

You can’t choose components without knowing the Environment

19IN-Route - Zone Cabling Methods

TR

Centralized Cabling – Home runs from each node back to the tele-communication room.

TR

Z

Z

Z

Zone Cabling – Provides for Reduced home-run wiring, easy moves / adds / changes and reduced size of tele-communication room

IN-ROUTETM

Pathways

• Overhead cable tray routing system

• Designed to route and manage copper, fiber optic, or power cables

IN-ROUTETM

Fiber PathwaysIN-ROUTETM

Dielectric Conduited Fiber Cable (DCF)22

KEY BENEFIT:

Easier to install fiber cable

(eliminates conduit & grounding) with rugged, crush resistant construction

SOLUTION COMPONENTS1. 12 part numbers.

• Fiber Counts: 2, 4, 8, & 12

• Fiber Types: OS1/OS2, OM1, OM2

2. Compatible with OptiCam connectors

IN-ROUTETM

Zone Enclosures – Pre-configured

Best way to structure manufacturing network

•Leverages Cisco/RA recommended architecture for best network performance

•Built for capability of rapid network expansion

•Touch-safe for Facility IT access

•Significantly reduces lead time to deploy

23IN-ROUTETM

Zone Enclosures – Optimized for StratixPhysical Layer Design Considerations

• Pre-configured, Pre-tested for Stratix 8300, 8000 and 5700 switches

• Safe, Secure, Thermally tested

• Save time/cost/risk:

– IT/controls convergence point

– Machine Builders

IN-ROUTETM

Robust, Secure, Future-Ready Network Distribution

Challenges: • Scalability issues• Diagnostics & troubleshooting• Evolving cable mgmt

Solutions: • Zone enclosure• Media selection & security• Cable routing

BEFORE AFTER

IN-Route: Network Distribution SimplificationPhysical Layer Design Considerations

25IN-ROUTETM

IN-Panel - Understanding the Problem

There are several market trends that are exerting pressure on the design and architecture of a Control Panel.

– Space Optimization

– Terminations

– Network Cabling

– Noise Mitigation

– Safety/Security

IN-PANELTM

EtherNet in the Control Panel

• Additional requirements and solutions are required with the addition of EtherNet into the Control Panel.

IN-PANELTM

Planning for networking in the panel

• What are common networking challenges in the panel?

– Overall concerns• Diagnostics/troubleshooting

• Maintenance

• Future system upgrades

– Performance in potentially high noise environment

• Zoned layouts

• Shielding

– Finding panel space for new components

Clean Noisy Very Noisy

N

IN-PANELTM

Noise Mitigation DemoIN-PANELTM

Panduit Confidential Information - not for Distribution

Polymer Coated Fiber (PCF) Cable, LC Connector, Termination Tool Kit

KEY BENEFITS: Ease of field termination (CRIMP, CLEAVE AND LEAVE), Performance, Noise Immunity

SOLUTION COMPONENTS

1. Polymer Coated Fiber (PCF) cable (zip cord and break-out cables)

2. Field-attached LC connector for 50/200/230µm & 62.5/200/230µm PCF fiber

3. Field termination tool kit

IN-PANELTM

IN-FIELDTM

Terminating Fiber Using PCF Crimp-On Connectors

No-Voiceover

IN-PANELTM

IN-FIELDTM

• Maximizes panel space utilization• Easier to design for future system upgrades• Provide up to 30% space savings

Panduit PanelMax™ Offering:

Space Optimization Increases Design FlexibilityPhysical Layer Design Considerations

Corner Wiring Duct

Utilizes space typically unusable in

enclosure corner

DIN Rail Wiring DuctUses enclosure depth to save

panel footprint space ;improve component access

Shielded Wiring DuctMitigates EMI noise to reduce

wire separation distance

Shielded Wiring Duct

Conventional

Wiring Duct

DesignFlexibility

All of these products contribute to cost savings

IN-PANELTM

Panduit Network Solutions for the Control PanelPhysical Layer Design Considerations

• Optimized solutions for Machine Builder Stratix 5700 deployments

DIN Rail Mount AdapterModular DIN rail mounting for

Copper or Fiber connectivity

Patch PanelFacilitate testing, and future Moves, Adds and Changes

Fiber, Cat6 Patch CordsPerformance guaranteed

Insert product photo

IN-PANELTM

http://www.panduit.com/Support/Search/index.htm?Nao=5&D=fiber patch cord&Ntx=mode matchallpartial&Dx=mode matchallpartial&Ntk=All&Nty=1&sid=1336405F4E11&Ne=1&Ntt=fiber patch cord&N=5000001+3005866&recName=F6E10A-10AM1

http://www.panduit.com/Support/Search/index.htm?Nao=5&D=fiber patch cord&Ntx=mode matchallpartial&Dx=mode matchallpartial&Ntk=All&Nty=1&sid=1336405F4E11&Ne=1&Ntt=fiber patch cord&N=5000001+3005866&recName=F6E10A-10AM1

IN-Panel: Optimized with PartnersPhysical Layer Design Considerations

• Leverage power of EtherNet/IP and eco-system partners

– Panduit Fiber, Patching, Noise Mitigation, Space Optimization, Grounding/Bonding

– RA Stratix 5700 for machine builder

– RA 1585 patch cords

– Test with Fluke Networks

• EtherNet/IP connects to Zone Enclosures and Micro Data Center for convergence aligned with Cisco/RA CPwE

IN-PANELTM

IN-Field Challenges

• High MICE levels

– Vibration

– Chemical

– Temperature

– Wash down

• Wire management rated for environment

• Food safety

ON Machine or Process areas

IN-FIELDTM

IN-Field Solutions: Manage and Protect

• Harsh rated cable management

and identification

• Abrasion protection

• Grounding/Bonding

Metal detectable wire management for Food industry

IN-FIELDTM

IN-Frastructure: Challenges

• Facility Grounding/Bonding, Power

• Costs of safety incidences

• Lockout/Tagout implementation

IN-FRASTRUCTURETM

http://www.google.com/imgres?imgurl=http://www.uwec.edu/jolhm/EH3/Group2/Pictures/lightning.jpg&imgrefurl=http://www.uwec.edu/jolhm/EH3/Group2/background.html&usg=__K8cJNdxJHdBXiVTtyKl2Qsqyb7o=&h=600&w=800&sz=69&hl=en&start=3&um=1&itbs=1&tbnid=Z7FUmpMkVF71UM:&tbnh=107&tbnw=143&prev=/images?q=lightning&um=1&hl=en&sa=G&tbs=isch:1

http://www.google.com/imgres?imgurl=http://www.uwec.edu/jolhm/EH3/Group2/Pictures/lightning.jpg&imgrefurl=http://www.uwec.edu/jolhm/EH3/Group2/background.html&usg=__K8cJNdxJHdBXiVTtyKl2Qsqyb7o=&h=600&w=800&sz=69&hl=en&start=3&um=1&itbs=1&tbnid=Z7FUmpMkVF71UM:&tbnh=107&tbnw=143&prev=/images?q=lightning&um=1&hl=en&sa=G&tbs=isch:1

http://ohshub.com/wp-content/uploads/2009/11/arc_flash.jpg

http://ohshub.com/wp-content/uploads/2009/11/arc_flash.jpg

IN-Frastructure: Solutions

• Grounding/Bonding components and solutions

• Safety labels and signage

• Lockout/Tagout systems

IN-FRASTRUCTURETM

http://www.google.com/imgres?imgurl=http://www.premierautoworkers.com/images/warning-potential-arc-flash.jpg&imgrefurl=http://www.premierautoworkers.com/arc-flash.htm&usg=__0NeoeK7sweJFEQSnzxgQnm6gmL4=&h=344&w=462&sz=36&hl=en&start=2&itbs=1&tbnid=XC3oP6SecUxgwM:&tbnh=95&tbnw=128&prev=/images?q=arc+flash+safety&hl=en&sa=G&gbv=2&tbs=isch:1

http://www.google.com/imgres?imgurl=http://www.premierautoworkers.com/images/warning-potential-arc-flash.jpg&imgrefurl=http://www.premierautoworkers.com/arc-flash.htm&usg=__0NeoeK7sweJFEQSnzxgQnm6gmL4=&h=344&w=462&sz=36&hl=en&start=2&itbs=1&tbnid=XC3oP6SecUxgwM:&tbnh=95&tbnw=128&prev=/images?q=arc+flash+safety&hl=en&sa=G&gbv=2&tbs=isch:1

SM

Application Guides

Network Security

SM

Control Panel Layout Whitepaper

• Best practices = reduced call backs, problems..greater solution sales

SM

http://www.industrial-ip.org

41

http://www.industrial-ip.org/

SM

Design your system using cost effective and easy to

troubleshoot Network Architectures

Micro Data Center Zone Enclosure Control Panel Solutions

Easy Building Block Approach

SM

43

Industry Level Thought Leadership

Enterprise

Functional

Design

Environmental

Requirements

(M.I.C.E.)

Logical Level

Shared

Architecture

Physical Level

Plant Floor

Design

All wrapped up in a 450 page, “How To” manual with contributions from Fluke and Rockwell Automation, on designing and installing the physical infrastructure for an Industrial Ethernet Network

Panduit: Physical Infrastructure Reference Architecture

SM

Design/Spec ToolsPhysical Layer Design Considerations

Design Micro Data Centers in Visio and paste BOM into Proposalworks!

SM

45Plant Floor - “Macro Architecture” summary

MICE 1-1-1-1

MICE 3-2-3-3

MICE 3-1-2-3

MICE 1-1-1-3

MICE 3-3-3-3

MICE 2-1-3-2

MICE 2-2-2-1

SM

5/1/2014

Fiber Optic Application Best Practices for EtherNet/IP

SM

Agenda

Saving Time/Cost with Fiber

Fiber Selection

Physical Infrastructure for Fiber Deployments

SM

Agenda


Fiber Selection


SM

• Industrial Networks Must take into consideration the physical challenges of the facilities environment.

• Location, routing and equipment choices should be based on the complete understanding of cause and effect conditions.

• Environmental Focus

– M.I.C.E. (TIA-1005)

Industrial Networks Live in the Real World

Sensor

Drive

I/O

Plant Ethernet

Controller

Switch

Ethernet

SM

Fiber that Fits Both the Environment and the ApplicationFiber is now being used in all areas of an Industrial Network Deployment

SM

Converged Ethernet

Manufacturing Network Model

Corporate Network

Sensors and otherInput/Output Devices

Motors, DrivesActuators

SupervisoryControl

Robotics

Back-Office Mainframes andServers (ERP, MES, etc.)

OfficeApplications,Internetworking,Data Servers,Storage

Human MachineInterface (HMI)

Controller

• Fiber is completely noise immune

• Fiber can be used in high M.I.C.E. environments

• Fiber can be rated for indoor, outdoor and transition spaces

• Armored Fiber (available in both metallic and all-dielectric) reduces the need for, and installations costs of, innerduct and conduits

• Smaller footprint of cables (one fiber cable vs. bundle copper (UTP))

• Reliability and speed of installation reduces the total cost of ownership

Benefits of Fiber in an Industrial Space

SM

Key Elements of a Successful EtherNet/IP Network Design

• Understanding application and functional requirements

• Developing a logical framework (roadmap)

• Developing a physical framework

• Determining security requirements and partnering with IT

• Using technology and industry standards, reference models and reference architectures


Switch Stack

FactoryTalk Application Servers View Historian AssetCentre, Transaction Manager

FactoryTalk Services Platform Directory Security/Audit

Data Servers

Gbps Linkfor Failover Detection

Firewall(Active)

Firewall(Standby)

I/O

Levels 0–2

HMI

Cell/Area Zone #1Redundant Star TopologyFlex Links Resiliency

Cell/Area Zone #3Bus/Star Topology

Cell/Area Zones

Demilitarized Zone (DMZ)


Rockwell AutomationStratix 8000


CiscoASA 5500

Industrial Zone Site Operations and Control

Level 3

Remote AccessServer

Catalyst6500/4500

ERP, Email,

Wide Area Network

(WAN)

Network Services DNS, DHCP, syslog server Network and security mgmt

Drive

Controller

HMI

I/O

Controller

Drive

Controller

Drive

HMI

Cell/Area Zone #2Ring TopologyResilient Ethernet Protocol (REP)

I/OI/O

Patch ManagementRemote Gateway ServicesApplication MirrorAV Server Plant Firewall:

Inter-zone traffic segmentation ACLs, IPS and IDS VPN Services Portal and Terminal Server proxy

SM

Agenda


Fiber Selection


SM

Selecting the Right Fiber Requires

Knowing the Application Environment.

…

…

…

Knowing the Distance Requirements.

Knowing the Equipment you are connecting to.

SM

Let’s take a sample application and go thru it step-by-step.

Knowing the Capability of Your Equipment

The Equipment – The first step in choosing the right fiber is to look at the capability of your equipment.

• Look at the specifications of the equipment to determine the speed of the connections

• The Fiber you choose should at least be able to handle the fastest mode of the existing system

SM

SFP Stands for “Small Form Pluggable”

Module


The Stratix is a good switch to use as an example because it has both Uplink ports andData ports running at different speeds.

• The uplink port speed is determined by the use of copper or fiber. If it’s fiber the configuration of the “SFP” module determines the speed of the system.

SM


The Stratix is a good switch to use as an example because it has both Uplink ports andData ports running at different speeds.


Module


Module

SM

Understanding Your Expansion or Upgrade Path

The following is an example list of specifications for the fiber-optic SFP module connections. It’s IMPORTANT that each port must match the wave-length specifications on the other end of the cable, and for reliable communication, the cable must not exceed the rated maximum cable length.

SFP ModuleType

Cat. No. Wavelength(nm)

Fiber Type Core Size/CladdingSize (micron)

ModalBandwidth(MHz/km)(1)

Cable Distance

100BASE-FX 1783-SFP100FX

1310 MMF 50/12562.5/125

500500

2 km (6562 ft)2 km (6562 ft)

100BASE-LX 1783-SFP100LX

1310 SMF G.6522 10 km (32,810 ft)

1000BASE-SX 1783-SFP1GSX

850 MMF 62.5/12562.5/12550/12550/125

160200400500

220 m (722 ft)275 m (902 ft))500 m (1640 ft)550 m (1804 ft)

1000BASE-LX/LH

1783-SFP1GLX

1310 SMF G.6522 10 km (32,810 ft)

(1) Modal bandwidth applies only to multimode fiber. * Information comes from Stratix Users Manual

SM

Answers Always Lead to More Questions

The Equipment – The result of our equipment investigation is that we learned:

• The max speed for the uplink is 1GBase-T

• The max speed for the data port is 100Base-T

• There are several choices for SFP modulesthat can support both Single and Multimode.

“Is there an existing system of fiber, and what core size is being used?”

The next question:

Core size? ….yes, Core size?

SM

What Makes Up a Fiber Cable?

The Cable – There are two classes of Fiber in use today:• Single Mode – Long Distance Fiber, more expensive technology

• Multi Mode – Shorter Distance, more cost effective for inside plant use.

• To understand the differences between core sizes, and why they matter, you need to know what makes up a fiber cable.

SM

How Big is the Fiber, (relatively)?

9

230µm

All sizes expressed In Microns

50

62.5

125µm

200µm

Cladding

Core

Buffer

Core size will tell you the OMx of

the Fiber

SM

Single Mode Fiber


9µm

125µm

SM

Multi-Mode Fiber (50 and 62.5 micron)

50

62.5

125


SM

Polymer Coated Multi-mode Fiber (PCF)


23050

62.5 200

SM

What Do the OM Ratings Mean?

If you see OM in the Fiber grade it always means Multi-Mode. – The US Adopted a Grading System Invented By ISO, The International Standards

Organization in Geneva, Switzerland. The “Optical Multimode” Rating System

• “OM 1” --- 62.5 Micron (Mostly legacy systems)

• “OM 2” --- 50 Micron (plain vanilla variety)

• “OM 3” --- 50 Micron (Laser optimized to work with VCELS)

• “OM 4” --- 50 micron (Extended Bandwidth – Further refined to reduce pulse spreading and enable longer distances)

And just like with Copper Categories –A bigger number means better cable!

SM

What Do the OS Ratings Mean?

• If you see OS in the Fiber grade it always means Single-Mode.

• “OS 1” --- 9 Micron (Used with wavelengths of 1310 nm)

• “OS 2” --- 9 Micron (Used with wavelengths of 1550 nm)

Why does the core size make such a difference in Fiber performance?

• OS (single-mode) vs. OM (multi-mode).

Think of it like the difference between a rifle shot and a shotgun blast.

SM

A Fabry-Perot LASER

A Cheap, Slow LED

Singlemode – more efficient – goes FURTHER

Multimode – less efficient – doesn’t go as far

Example of Single-mode vs. Multi-mode

SM

• Some of the photons (light particles) go straight, some ricochet around the

outside, the further they travel the closer the leading edge from one pulse

gets to the trailing edge of the one before it.

• Eventually you can’t tell one pulse from another.

A Cheap Slow LED

Light Pulse Spreading (“Modal Dispersion”)The Enemy of Throughput

SM

What?

You can only go so far with a given grade of multimode fiber before light

pulses begin to overlap

The Further You Go, the Worse it Gets.

Hey, I

sent a

“1”

SM

ANSI/TIA-568-C.0 (D.3) Optical fiber cabling supportable distances table.

• Table 7 - lists maximum supportable distances and maximum channel attenuation for applications using optical fiber cabling

• The table is based on the minimum performance requirements of 62.5/125 µm, 50/125 µm, 850 nm laser-optimized 50/125 µm, and single-mode fiber established by ANSI/TIA-568-C.3

How the OM/OS Ratings Equate to Distance

SM

Remember the MICE Table?

Where you put the fiber, “The Environment”, determines the type of fiber you choose.

SM

• Indoor Opti-Core Fiber Distribution

• Indoor Opti-Core Interlocking Armor

• Indoor Industrial-Net (PCF) Polymer Clad Fiber

• Indoor Dielectric Conduited Fiber (DCF)

Applications for “Indoor” Fiber

Used when you have sufficient

protection for the fiber

Used when the fiber has to

protect itself

**NEW** Electrician Friendly crimp on connector for direct connect

node to node

**NEW** All the benefits of an armored fiber

without the metal. Use in area suspected of unequal

potential grounds

SM

Applications for “Indoor-Outdoor” Fiber

• Indoor/Outdoor Opti-Core All-Dielectric Fiber Cable

• Indoor/Outdoor Opti-Core Gel-Free Fiber Interlocking Aluminum Armored Cable

Used to transition from indoor to

outdoor in a protected area, tray

or conduit.

Used to transition from indoor to outdoor yet still

protect the cable from harsh mechanical

conditions

SM

Applications for “Outdoor” Fiber

• Opti-Core Gel-Free Fiber Optic Outside Plant All-Dielectric Cable

• Opti-Core Gel-Free Fiber Optic Outside Plant Armored Cable

Allows installation using loose tube

cable methods for aerial and duct

applications

Allows installation using loose tube cable methods for aerial, duct and direct

burial applications

SM

One Last Thought When Choosing a Fiber Type – Choosing the Connector

Traditional Puck and Polish type Connectors (5-7min.)

OptiCam Factory Polished Connectors

(2 - 3min.)

Industrial Strip & Crimp no-Polish Required Fiber

Connectors(aprox 1 min.)

SM

Choosing the Connector

OptiCam Connector

PCF Connector

SM

Agenda


Fiber Selection


SM

Choosing the Right Fiber Type For the Application Can Save Big $$$ in Materials and Labour

SM

Links From Field Switches to Control Rooms Should Support Higher Speeds and Greater Volume

SM

Electrician Friendly Fiber Can be Used to Install Long Distance Bus Systems

SM

Fiber Optic Infrastructure PlanningPhysical Layer Design Considerations

81 81

New joint application guide

Increase the integrity and availability of EtherNet/IP networks with fiber solutions from trusted partners!

Physical infrastructure

Integrated Architecture, Stratix Switches, ETAPs, more

Higher level switches

Fiber Guide

ENET-TD003

http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td003_-en-e.pdf



SM

Easy to follow Fiber best practices!Physical Layer Design Considerations

• Partner validated application guide

82

SM

Summary

Fiber Selection



Understanding the Environment and the Application

Knowing how to determine equipment and system requirements

Choosing the proper network design for application

SM

Thank You !

PCF

To Test is to Know.

How Good is your Layer 1 Infrastructure?

Fluke Networks @ Routeco plc: July 2014

A company

2Company Confidential

Enterprise Network Test Solutions ForDatacom Installers, Network Engineers

• Market leader in copper and fiber cable certification and testing

– Copper test solutions

– Fiber test solutions

– Wireless solutions

• Market leader in troubleshooting and portable

management

– Portable network test and analysis

– Wireless LAN troubleshooting and management

– Deep Packet Analysis and Capture

• Fluke Networks Solutions

– OptiView XG Network Analyzer tablet

– DTX CableAnalyzer

– Network Time Machine

– MicroScanner, NetTool, LinkRunner


So, Why Bother Testing?

• Confidence for your client.

• Assurance for yourself

• Evidence for a Cabling system Warranty

• Avoids potentially expensive delays in commissioning

• Uncovers ‘environmental’ issues

• Provides for future upgrades.

• End result of testing is Documentation!

• The Documentation provides for all above.


What’s the big deal? It’s cable, right?

• Right!

– You’ve used the best components (like building a Formula 1 car)

– Followed all the installation rules and guidance…


What you have, is a link from A to B….

A

B


Reference Points for Testing: Industry Standards….

• As for almost every other part of a major project, the

cabling industry has recognised, defined and understood

standards:

– EIA/TIA 568C.2 (American, contains the standards for Cat5e,

Cat6 and Cat6A and for MM and SM fibre installations)

– ISO 11801 (International, contains approximate equivalents

Class D, Class E and Class Ea, plus Class F and fibre)

– EN 10573 (European Norm, equivalent to ISO 11801.)

– Application-specific standards:

– TIA1005 (Industrial Ethernet-specific)

– 100MB/s Ethernet / 1GB/s Ethernet

– 40GB/s Ethernet (fibre only)


These standards require us to:

• Test (and Pass) a specified range of parameters, save the

result and provide documentation.


Permanent Link or Channel Test?

• Permanent Link: Patch panel to wall

outlet including max 1 Cross-connect.

• Channel: Permanent Link plus 1

additional patch panel, and user patch

cords. Maximum 4 connectors.

• Which standard? To be decided by

negotiation with your client as part of

contract.

• Which test model? Default to

Permanent Link. Channel is end-user

test.


Additional Considerations

• Is the cable Shielded or Unshielded?

– What type of shield is it? S/UTP or FTP or SSTP?

• Will the application include Power over Ethernet?

– PoE has a separate and specific set of specifications.

• Does the client or the warranty provider or the hardware

manufacturer have specific additional requirements?

– Balance measurements may be required.


The end result: 100% compliant documentation of the infrastructure


Power over Ethernet (PoE-specific test)

• New test limits with specific tests for PoE optimisation.

• New Shield Integrity test finds shield errors/damage.


What About the Fails?

• Real Diagnostics for complex NEXT and Return Loss Fails


Let’s talk about fibre…..


Enterprise Fiber: Growing Exponentially• 1.5 Billion new internet-connected

devices by 2015 (Intel)

• 57% annual growth in Enterprise

fiber ports: 2011 - 2015 (Dell’Oro,

2011)

• In 2015, the equivalent of every

movie ever made will transit IP

networks, every 5 minutes (Cisco

Systems)


Enterprise Fiber: Growing Exponentially

• 24% annual growth in storage

spending for cloud computing

(IDC)

• 54% growth in 10Gbps+ fiber LAN

transceivers (Finisar)

• One-hop fabrics replacing

traditional switch architecture in

datacentres


Four Steps to Determining Fibre link Performance

1. Inspect it - Clean it - Inspect it again

2. Polarity check

3. Performance Test

4. Extra Data and Troubleshooting


Inspect it – Clean it – Inspect it again.

• ALL end-faces have to be

clean and undamaged!

• Inspecting the fibre end-

faces is part of the BASIC

test regime according to

IEC 14763-3

• Cleaning the end-faces

each and every time is not

an option….it’s mandatory!

“Any connecting hardware adapters used

together with all connector end-faces on the test cords

comprising the cabling interface adapter, and the cabling

under test shall be cleaned according to the instructions

provided by the manufacturer of the connectors.

Cleaning shall be repeated every time a test cord is

connected to the cabling or component under test.”


What you can’t see CAN hurt your test result!

• Dirt migrates from a dirty to a clean connector


Check Polarity

• Visual Fault Locator (Laser light-pen)

• Uses high intensity visible light source

• Quick and Easy to use

• Relatively low cost

• Provides a go/no-go indication

• Can help find sources of loss.


Fibre Performance Certification

• Standards-based Two-Tier Testing (TIA TSB-140)

• Tier 1: OLTS (Optical Loss Test Set)

– Encircled Flux Compliance Required.

– Power Meter and Light Source with built-in

length measurement.

– Losses and lengths conform to industry

standards• Most closely simulates active system

– Verify polarity using OLTS

• Tier 2: Tier 1 plus OTDR trace

– Evidence that cable is installed without

degrading events (e.g. bends, connectors,

splices)


Loss/Length CertificationTest two fibers (a transmit/receive pair)

• Each fiber at two wavelengths

– Measure optical length

– Compute power budget and display Pass or Fail

– Standards-based Tier 1 certification• 2 power measurements in each direction, plus length

– Comprehensive Go/No-go result


Tier 2: Where fibre diagnostics reside.

• Tier 2: Tier 1 plus OTDR trace

– Evidence that cable is installed

without degrading events (e.g.

bends, connectors, splices)


A new type of OTDR Result that almost everyone can understand

• Alternative trace

presentation of link

topology

• Reduce need for OTDR

expertise

• Icons designate the type

of fiber event

• One-tap gives access to

all event details


Back to the Documentation:


IMPORTANT part of the fibre condition…


OTDR Traces are not for everyone…

EventMap provides an easily understood pictorial representation

of the fibre link, for many the end of ‘trace-psychosis’.


Every ‘PASS’ report includes a Compliant Network Standards List…


Thank you

CMS Wrap Up - November 2012.pptx

CMS Wrap Up - November 2012.pptx


Industrial and IT Network ConvergenceEthernet/IP Enables Convergence

Name – Mike Loughran

Title – Solution Architect

Date – 29th April 2014

Copyright © 2012 Rockwell Automation, Inc. All rights reserved.COMPANY CONFIDENTIAL - Internal Use Only

Emerging Technologies in OperationsAll the BUZZ…

The Internet of Things (IoT)Intelligent devices start to communicate with each other


What does it all mean?

3

Big Data

Large amounts of information is available to

manage the supply chain & complex processes

Cloud Computing & Virtualization

Speed up deployment of production, add flexibility,

reduce capital investments & increase access

across global operations

Increase longevity, reliability & provide disaster

recovery

Mobility & BYOD (Bring Your Own Device)

Improve maintainability, uptime, asset longevity,

safety and cost control

Driven Largely by Information Technology

Most of it is buried on the

production floor in

historians or other

databases

Centers around Information

Technology (IT) more than

Operations/Production

management

Technicians, Supervisors,

Operators are all mobile

during their typical work day


Why are Emerging Technologies soImportant?

4

Automated adaptable processes & decisions


Why are Emerging Technologies so Important?

Empowers companies to grow faster, produce

better products and serve customers more

effectively

It connects a workforce, analyzes data and

allows for continuous improvements

Companies can leverage technological

advances as a competitive advantage and

must constantly seek newer, faster and better

technologies to improve their business

5

Early-adopters typically acknowledge the risk that comes with new technology

Keeping abreast of new developments is an ongoing job with

both risks and rewards


Industrial Network ConvergenceIndustrial Network Trends

6

EtherNet/IP – Enabling & Driving

Multi-discipline Industrial Network Convergence

Process Control

Discrete Control

Information TechnologyIntelligent Motor Control


The Value in Bringing the Information Together

7

Control Systems

HMIs

Production

SchedulingAlarms/Events

Other Database Systems

Computerized Maintenance Management Systems

Performan

ce

Quality

Systems

Data Historians

Laboratory Information

ManagementSystems

You need a network technology that is STANDARD,

PROVEN and MORE than an FIELDBUS!

You need robust Infrastructure Solutions to deliver the

information fast, reliably and securely!


From Production to the Enterprise -Rockwell Automation & Cisco Alliance

8

Common Technology View Single system architecture, using open, industry

standard networking technologies – EtherNet/IP

Delivering Converged Plantwide Ethernet

(CPwE) Architectures for manufacturing and

industrial environments Best pathway to Operations/IT network convergence

with detailed design and implementation guidance

Joint Product and Solution Collaboration Creating an ideal networking environment for both IT

and controls professionals.

People and Process Optimization Education and services to facilitate Manufacturing and

IT convergence

Rockwell Automation and Cisco present the most valuable resource in the industry for deploying a converged network infrastructure

Leadership in IT and Plant Operations


Risks and threats to networked systems

Security risks increase potential for disruption to

System uptime and Safe operation and a loss of IP

Unintended

employee actions

Theft

Unauthorized actions

by employees

Unauthorized

access

Denial of

Service

Application of

Security patches

Unauthorized

remote access

Natural or Man-made

disasters

Sabotage

Worms and

viruses

BusinessRisk

INFORMATION

OPERATIONS


A Vendor’s Perspective

Control System lifecycles are long (20+ years)

Products will have vulnerabilities

Security is a team sport

Vendors & Customers

IT & Engineering

Pick your teams (point don’t go it alone)

REMEMBER: Human beings are imperfect

Control System safety & security are closely linked

Control System security manages variables

Managing the security variables enhances uptime

10UPTIME = PROFITABILITY


Our Approach to Industrial Security

Layered Security Model

Shield potential targets behind multiple levels of protection to reduce security risks

Defense in Depth

Use multiple security countermeasures to protect integrity of components or systems

Openness

Consideration for participation of a variety of vendors in our security solutions

Flexibility

Able to accommodate a customer’s needs, including policies & procedures

Consistency

Solutions that align with Government directives and Standards Bodies

A secure application depends on multiple layers of protection.

Industrial security must be implemented as a system.

ApplicationApplication

ComputerComputer

Device Device

PhysicalPhysical

NetworkNetwork

ApplicationApplication

ComputerComputer

Device Device

PhysicalPhysical

NetworkNetwork

11

http://images.google.com/imgres?imgurl=http://upload.wikimedia.org/wikipedia/commons/thumb/4/4c/US_Department_of_Homeland_Security_Seal.svg/360px-US_Department_of_Homeland_Security_Seal.svg.png&imgrefurl=http://commons.wikimedia.org/wiki/Image:US_Department_of_Homeland_Security_Seal.svg&h=359&w=360&sz=82&hl=en&start=1&usg=__g68ZxZ1Czwnbm-C8k0D2deynJXk=&tbnid=fqr03iu-bFLMmM:&tbnh=121&tbnw=121&prev=/images?q=department+of+homeland+security&gbv=2&hl=en



Evolving Global Standards

12

• Building Blocks •

ISA S99 and IEC 62443• Asset Owners • Vendors • Industry Consortia •

NIST 800 NERC-CIPISO 27002 RFC 2196

ISA Security Compliance Institute (ISCI)

Achilles™

Exida.com LLC

Achilles™ test platform

Wurldtech

BronzeSilver

Gold

© rockwell automation

Wurld

tech

L-1L-2

L-3

WIB

IndependentReq’s & Certifications

SAL 1SAL 2

SAL 3

WIB 2.0

OD

VA

Confrm

Test

http://www.isasecure.org/Home.aspx

http://www.isasecure.org/Home.aspx

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&docid=dLMVh_xsMwWvXM&tbnid=kQznUZyRpSFO7M:&ved=0CAUQjRw&url=http://www.mrplc.com/kb/index.php?print=89&ei=b_ZGUYr7F-HWygHxnoGABA&bvm=bv.43828540,d.aWc&psig=AFQjCNGsCOBMAF4cCzX_bssmdhRVocDuMw&ust=1363691498106922

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&docid=dLMVh_xsMwWvXM&tbnid=kQznUZyRpSFO7M:&ved=0CAUQjRw&url=http://www.mrplc.com/kb/index.php?print=89&ei=b_ZGUYr7F-HWygHxnoGABA&bvm=bv.43828540,d.aWc&psig=AFQjCNGsCOBMAF4cCzX_bssmdhRVocDuMw&ust=1363691498106922

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&docid=ZCfksqaWg0SkRM&tbnid=bhnKbh43laQu5M:&ved=0CAUQjRw&url=http://www.securecrossing.com/about/associations/&ei=yvZGUcatEIWMyQGpr4CQAw&bvm=bv.43828540,d.aWc&psig=AFQjCNHQbb7rDHZhNDxwCnwaw84SyCthJQ&ust=1363691584075660

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&docid=ZCfksqaWg0SkRM&tbnid=bhnKbh43laQu5M:&ved=0CAUQjRw&url=http://www.securecrossing.com/about/associations/&ei=yvZGUcatEIWMyQGpr4CQAw&bvm=bv.43828540,d.aWc&psig=AFQjCNHQbb7rDHZhNDxwCnwaw84SyCthJQ&ust=1363691584075660


Design for Security approach

Specifications Audits & Gaps

Enhance &

Improve

Resiliency & Robustness13


Additional MaterialEducational - Cisco and Rockwell Automation Alliance

Education Series Webcasts

What every IT professional should know about Plant-Floor Networking

What every Plant-Floor Engineer should know about working with IT

Industrial Ethernet: Introduction to Resiliency Fundamentals of Secure Remote Access

for Plant-Floor Applications and Data Securing Architectures and Applications

for Network Convergence IT-Ready EtherNet/IP Solutions

Available Online

http://www.ab.com/networks/architectures.html



Additional MaterialSimplify Design - Rockwell Automation

Networks Website: http://www.ab.com/networks/

EtherNet/IP Toolkit:

http://www.rockwellautomation.com/rockwellautomation/products-

technologies/integrated-architecture/tools/overview.page#/tab4

Ethernet Tools

http://www.ab.com/networks/

http://www.rockwellautomation.com/rockwellautomation/products-technologies/integrated-architecture/tools/overview.page

../IET/Ethernet Tools


Additional MaterialSimplify Design - Cisco and Rockwell Automation Alliance

Websites


Design Guides

Converged plant-wide Ethernet (CPwE)

Application Guides

Fiber Optic Infrastructure Application Guide

Education Series


Whitepapers

Top 10 Recommendations for plant-wide

EtherNet/IP Deployments

Securing Manufacturing Computer and Controller

Assets

Production Software within Manufacturing

Reference Architectures

Achieving Secure Remote Access to Plant-Floor


http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td001_-en-p.pdf



http://literature.rockwellautomation.com/idc/groups/literature/documents/wp/enet-wp022_-en-e.pdf





Additional MaterialSimplify Design - Collaboration

Plant-wide EtherNet/IP Ecosystem Partners Website

Fiber Optic Infrastructure Application Guide

ENET-TD003

http://www.ethernetippartners.net/





Additional MaterialSimplify Design and Speed Deployment - Panduit Corp

Panduit Corp. Website:

http://www.panduit.com/

Industrial Automation Solutions:

Industrial Automation Product Systems Brochure Industrial Communication Solutions – Interactive Roadmap

http://www.panduit.com/

http://www.panduit.com/stellent/groups/marketing-corp/documents/brochures/cmscont_038270.pdf

http://www.panduit.com/Solutions/IndustrialAutomation/098750


Additional MaterialSpeed Deployment - Fluke Networks

Fluke Networks Websites

www.flukenetworks.com www.flukenetworks.com\industrial www.flukenetworks.com\knowledgebase

http://www.flukenetworks.com/

http://www.flukenetworks.com/industrial

http://www.flukenetworks.com/knowledgebase


Reduce design timeProcurement Specifications on-line

http://www.rockwellautomation.com/rockwellautomation/industries/procurement-

specifications/overview.page?

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.Rev 5058-CO900E

PUBLIC INFORMATION

Questions?

Copyright © 2012 Rockwell Automation, Inc. All rights reserved.Rev 5058-CO900C

A family of high performance

Industrial Ethernet switches ideal

for the end user and equipment

builder

Stratix Ethernet Switch Family

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.PUBLIC INFORMATION

Stratix Portfolio Overview

• Security• Productivity• Safe Operations

• Remote Access• Time to Market• Protecting IP

Routers and switches for: Enabling security to new or existing

architectures

Applications for simple to complex networks

Monitoring and controlling distributed

devices

Plant floor and enterprise integration

Stratix 8000/8300Layer 2, Layer 3

Stratix 2000Unmanaged

Stratix 6000Layer 2

Stratix ETAPs

Stratix 5700Layer 2

Stratix 5100Wireless AP/WGB Stratix 5900

Security Appliance


Family of industrial Ethernet switches that are:• Optimized for configuration, monitoring, security and maintenance• Modular and scalable• Designed for simple to complex Ethernet applications

• IT-ready and IT-friendly solutions• Simplified integration of machine systems in infrastructure• Integrated Architecture programming tools and features• Secure remote access for improved productivity and OEE

• Connected or isolated machine and Process control applications• Plant floor and enterprise integration• Distributed network devices that need to be monitored and controlled

24

The Stratix Family Overview

Integrating your enterprise and manufacturing environments

Overview

Key Benefits

Applications


PUBLIC INFORMATION

Stratix 2000 Unmanaged SwitchesRefresh & Product Line Expansion


Stratix 2000 Unmanaged Switches Overview

Low cost solutions designed for isolated control

networks

Recommended for Micro 850 & Micro 820

applications

Unmanaged switches are not recommended for

safety or motion applications

Simple “Plug & Play”

Automatically negotiates speed and duplex settings

(no configuration required)

Automatically detects cross-over cable

Expanded operating temperature from -20ºC to

70ºC to meet a wider variety of application

needs for most catalog numbers

Exception: 1783-US5T & 1783-US8T range 0 to

60ºC


PUBLIC INFORMATION

Stratix 6000 Fixed Managed Switches

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.PUBLIC INFORMATION Copy

right

28

Stratix 6000™ Managed Switches

Fixed port managed switch

4 port or 8 port versions with optional fiber optic uplink (SFP)

Control system integrated

CIP communications for:

Diagnostics (tags)

Configuration (RSLogix 5000)

Security

DHCP persistence for automatic end device IP address assignment

Unauthorized User Identification

Traffic Level Monitor with Alarms

FactoryTalk View Faceplates

Integrated Tightly Into The Integrated Architecture


PUBLIC INFORMATION

Stratix 5700Industrial Managed Switches


The Stratix 5700Layer 2 Managed Switches with Cisco Technology

Premiere Integration to the Integrated Architecture

CIP interface Studio 5000 AOP

ControlLogix tags

FactoryTalk View faceplates

Built with Cisco technology (IOS)

Common feature set with Stratix 8x00

Common IT development tools (CLI, CNA, DM, CiscoWorks)

Simple to Deploy & Maintain

Easy integration Default configurations

Common Smartports

DHCP per port IP addressing

Easy maintenance Secure Digital card for configuration backup

Diagnostics & network management tools

Compact & Scalable

Best of Rockwell Automation & Cisco in a compact size


Stratix 5700 Configurations

3 base platforms offering 20 configurations

6, 10 & 20 port base units 6 copper & 4 copper + 2 SFP slots

8 copper + 2 combo*

16 copper + 2 combo* + 2 SFP slots

2 Gig port option

SFP slots support multi & single mode fiber

Wide variety of SFPs available

Compatible with other Cisco SFPs

Advanced feature set to address:

EtherNet/IP applications

Security

Resiliency & Redundancy

Two software packages to choose from

Lite & Full versions

Conformal coating option for harsh environments *Combo ports can be either copper or SFP

Ideal for simple to complex applications

Copyright © 2012 Rockwell Automation, Inc. All rights reserved.Rev 5058-CO900C

Stratix 8000 / 8300Industrial Managed Switches

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.PUBLIC INFORMATION Copyright © 2011 Rockwell Automation, Inc. All rights reserved.

Stratix 8000/8300 - Modular Design

Base Module(6-port or 10-port)

Extension Module A (8-port Copper)

Extension Module B (8-port Fiber)

Data Ports10/100 Copper

Dual Purpose Uplink Ports10/100/1000 Copper or SFP

8 Extended Data Ports10/100 Copper

8 Extended Data Ports100 Fixed Fiber

SFP Fiber Transceiver100M and 1GMultimode and Singlemode

33

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.PUBLIC INFORMATION (Confi

dential

Stratix 8300 layer 3 Managed Switch

Layer 3 Routing Capabilities

Dynamic Routing Protocols such as RIP, EIGRP

and OSPF


PUBLIC INFORMATION

Stratix 5900Industrial Services Router


The Stratix 5900 Security Appliance

Premiere Routing & Security Services

Firewall

Virtual Private Network (VPN)

Network Address Translation (NAT)

1GE WAN, 4 FE LAN, 1 Serial Port

Built with Cisco technology (IOS)

Common features of Stratix Switch

Common IT development tools (CLI, CNA, DM, CiscoWorks, CCP)

Ruggedized with Extended Temp, Shock & Vib

Compact Size with Din Rail Mount

Best of Rockwell & Cisco in a compact size


PUBLIC INFORMATION

Embedded Switch Technology

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.PUBLIC INFORMATION 383838

Embedded Switch Technology

Embedded Switch Technology enables LINEAR and RING topologies on EtherNet/IP

Network traffic is managed to ensure timely delivery of critical data (QoS, IGMP

supported)

Open standard (ODVA) allows 3rd party suppliers to develop compatible products

Linear

• Linear Ethernet segments greatly extend the length of the application

• No need to run cables from each device back to a centralized switch

Device-Level Ring (DLR)

• Single fault tolerant network provides resiliency

• Device level ring requires no additional hardware to implement

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.PUBLIC INFORMATION 39(Confidential – For Internal Use Only) Copyright © 2009 Rockwell Automation, Inc. All rights reserved. 39Copyright © 2008 Rockwell Automation, Inc. All rights reserved. 39

1783-ETAP

• The 1783-ETAP is a standalone device that allows devices (that do not support the Embedded Switch Technology) to join a linear or a DLR network.

• Other product features:- Capable of being a Ring Supervisor in a Device Level Ring

- Managed switch functions to help manage traffic on the network (i.e.: IGMP and QoS)

- Fiber versions available in the future for long distance applications

Device Port – used for connecting single-port Ethernet device

Network Ports (2) – used for connecting to neighboring devices to form a linear or a ring network


DLR Enabled Products

1756-ENT2R, Point, Flex, ArmorPoint, ETAP, CompactLogix, 193-DNENCATR, 1747-AENTR, ArmorBlock, ArmorStart

Copy

right

40


PUBLIC INFORMATION

Stratix 5100Wireless Access Point


Stratix Wireless Access Points

Product

Access Point / Work Group Bridge

Autonomous

Leveraging the latest 802.11N WiFi

technology

MIMO, Packet Aggregation & Spatial

Multiplexing• Higher performance

2.4GHz and 5Ghz radios• Flexibility and segmentation

Support for VLAN, QoS and RADIUS

Segmentation, priority handling and

authorization

Backward compliant to 802.11a/b/g

CIP enabled

Logix for system diagnostics

Profile & tags

Value Provides real-time performance

for mission critical applications Eliminates wire & cabling to

reducing installation costs Enables mobility and portability to

people and devices Seamless integration within a

Cisco wireless network


Typical Configurations

Cell/Area Zone #3 Cell/Area Zone #4

FactoryTalk Applications and Services

Ring Topology

Cell/Area Zone #1 Cell/Area Zone #2

Manufacturing Zone

8000 ManagedLayer 2 Switch

ETAP - Embedded Layer 2 SwitchRing Topology

Enterprise ZoneEnterprise

Network

6000 ManagedLayer 2 SwitchStar Topology

Embedded Layer 2 Switch Linear

Topology

Mobile User

Lightweight AP (LWAP)

AP as WorkgroupBridge (WGB)

ERP, Email, Wide Area Network (WAN)

5100802.11n – Dual Band

Access point

8300 Managed Layer 3 Switch

5900 Industrial Services Router


Stratix Family Quick Reference


Stratix Family Quick Reference


Thank you!

To learn more visit:

www.ab.com/networks

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1Cisco Confidential© 2010 Cisco and/or its affiliates. All rights reserved. 1

Invisible Cost to Visible Value

Rob PriceHead of Technical Strategy

Partner & Commercial Team

[email protected]

April 2014

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

“I cannot imagine a life without…”

Source: BITKOM – Bundesverband Informationswirtschaft, Telekommunikation und neue Medien e.V., 2010

% of 14 – 29 year olds


Source: BITKOM – Bundesverband Informationswirtschaft, Telekommunikation und neue Medien

• A mobile phone: 97%




• The 2 photos on the right are of St Peters Square during the announcement of the election of last 2 Popes

• In just 8 years mobile devices have become ubiquitous. Everyone carries the internet in their pocket



• The Internet: 84%





• A car: 64%





• My current partner: 43%





http://www.google.co.uk/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&uact=8&ved=0CAQQjRw&url=http://www.tomsguide.com/us/google-glass,news-17711.html&ei=cgZZU4DEA4avO_PvgBg&bvm=bv.65397613,d.ZWU&psig=AFQjCNHDQoh6K2vTVHS3NmWszsQ3pqNLTQ&ust=1398429682090876

http://www.google.co.uk/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&uact=8&ved=0CAQQjRw&url=http://www.tomsguide.com/us/google-glass,news-17711.html&ei=cgZZU4DEA4avO_PvgBg&bvm=bv.65397613,d.ZWU&psig=AFQjCNHDQoh6K2vTVHS3NmWszsQ3pqNLTQ&ust=1398429682090876

http://www.google.co.uk/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&uact=8&docid=5S0PHxaq2CglsM&tbnid=4rdgoVNHOefptM:&ved=0CAUQjRw&url=http://bonjourlife.com/gnomio-smart-watch-for-windows-phone/&ei=qAZZU6WSIojOtQb1-4C4BA&bvm=bv.65397613,d.ZWU&psig=AFQjCNFjN6pCpkmve5qsg_s-vmvxBSPwAQ&ust=1398429715063736

http://www.google.co.uk/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&uact=8&docid=5S0PHxaq2CglsM&tbnid=4rdgoVNHOefptM:&ved=0CAUQjRw&url=http://bonjourlife.com/gnomio-smart-watch-for-windows-phone/&ei=qAZZU6WSIojOtQb1-4C4BA&bvm=bv.65397613,d.ZWU&psig=AFQjCNFjN6pCpkmve5qsg_s-vmvxBSPwAQ&ust=1398429715063736


Digital Band-Aids

Smart Pill Bottle CapsAsthma inhalers

'Electronic Skin' Patches Monitor

Health Wirelessly





• Will gather 14 ExaBytes of data per day !!

• Will store over 1 PetaByte per day

• Transmit

• Store

• Analyse

*

*1 ExaByte = 1,000,000,000,000,000,000 Bytes

It took until 2004 for internet traffic to pass

1 Exabyte per month

http://www.google.co.uk/url?sa=i&source=images&cd=&cad=rja&docid=FSlS8RqBq4n30M&tbnid=w3PPKNwD2tcLjM:&ved=0CAgQjRwwAA&url=http://www.theaustralian.com.au/news/health-science/australia-must-wait-to-find-out-if-it-has-won-the-rights-to-host-the-square-kilometre-array-radio-telescope/story-e6frg8y6-1226319423772&ei=0at8UvXzIYHcswbpkoHgAQ&psig=AFQjCNFFKANqYlIJaT3PtO_ARYAdvuDbAg&ust=1383988561603680

http://www.google.co.uk/url?sa=i&source=images&cd=&cad=rja&docid=FSlS8RqBq4n30M&tbnid=w3PPKNwD2tcLjM:&ved=0CAgQjRwwAA&url=http://www.theaustralian.com.au/news/health-science/australia-must-wait-to-find-out-if-it-has-won-the-rights-to-host-the-square-kilometre-array-radio-telescope/story-e6frg8y6-1226319423772&ei=0at8UvXzIYHcswbpkoHgAQ&psig=AFQjCNFFKANqYlIJaT3PtO_ARYAdvuDbAg&ust=1383988561603680

//upload.wikimedia.org/wikipedia/commons/1/15/SKA_cores_big.jpg

//upload.wikimedia.org/wikipedia/commons/1/15/SKA_cores_big.jpg


XaaS

http://www.google.co.uk/url?sa=i&rct=j&q=cloud+computing+images&source=images&cd=&cad=rja&docid=KaJbuS_VgYvdRM&tbnid=b5OBxmAIcrf96M:&ved=0CAUQjRw&url=http://www.blog.qarea.com/cloud-computing/core-features-of-cloud-computing-strategy/&ei=0bd3UeKaJ8vTPNn-gPAG&bvm=bv.45580626,d.ZWU&psig=AFQjCNEqY-1p6s7ohyMQYWZhImumL37ECA&ust=1366886656752104

http://www.google.co.uk/url?sa=i&rct=j&q=cloud+computing+images&source=images&cd=&cad=rja&docid=KaJbuS_VgYvdRM&tbnid=b5OBxmAIcrf96M:&ved=0CAUQjRw&url=http://www.blog.qarea.com/cloud-computing/core-features-of-cloud-computing-strategy/&ei=0bd3UeKaJ8vTPNn-gPAG&bvm=bv.45580626,d.ZWU&psig=AFQjCNEqY-1p6s7ohyMQYWZhImumL37ECA&ust=1366886656752104


Thank you.

Control Network Security & Secure Remote Access

Guy Denis [email protected]

Rockwell Automation Alliance Manager Europe

29th April 2014


3% Wireless System

7% VPN Connection

7% Dial-up Modem

7% Telco Network

10% Trusted Third-Party Connection

(Includes Infected Laptops)

17% Internet Directly

49% Via Corporate WAN and

Business Network

Source of IndustrialSecurity IncidentsSource: BCIT (2009)

Average Cost of Manufacturing Downtime = $210,000 per HourSource: Infonetics (2005)


includes infected laptops

and is growing

from Eric Byres, BCIT


A breakdown of Stuxnet

http://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html

Ralph Langner

German Control systems security

consultant

F-Secure wrap-up on Stuxnet

http://www.youtube.com/watch?v=gFzadFI7sco

http://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html





• Fragile TCP/IP Stacks – NMAP, Ping Sweep lockup

• Little or no device level authentication

• Poor network design – daisy chains, hubs

• Windows based IA servers – patching, legacy OS

• Unnecessary services running – FTP, HTTP

• Open environment, no port security, no physical security of switch, Ethernet ports

• Limited auditing and monitoring of access to IA devices

• Unauthorised use of HMI, IA systems for browsing, music/movie downloads

• Lack of IT expertise in IA networks, many blind spots

Defense in Depth Approach


• Physical Security – limit physical access to authorized personnel: areas, control panels, devices, cabling, and control room – escort and track visitors

• Network Hardening – infrastructure framework – e.g. firewalls with intrusion detection and intrusion prevention systems (IDS/IPS), and integrated protection of networking equipment such as switches and routers

• End-point Hardening – patch management, antivirus software as well as removal of unused applications, protocols, and services

• Application Security – authentication, authorization, and audit software

• Device Hardening – change management and restrictive access

Defensein Depth

Computer

Device

Physical

Network

Application




• Security is not a bolt-on component

• Comprehensive Network Security Model for Defense-in-Depth

• Industrial Security Policy

• DMZ Implementation

• Design Remote Partner Access Policy, with robust & secure implementation


• Comprehensive information here:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

Secure Network Architectures for Industrial Control Systems


Panduit/RA Physical Layer Reference Architectures Design

Guide June ‘09

PSL-DCPL

PSL-DCJB


Real–Time Control

Fast Convergence

Traffic Segmentation and Management

Ease of Use

Site Operations and Control

Multi-Service Networks

Network and Security Management

Routing

Application and Data share

Access Control

Threat Protection

Gbps Link for Failover Detection

Firewall(Active)

Firewall(Standby)

SCADA Application

and Services Servers

Cisco

ASA 5500

Cisco

Catalyst Switch

Network Services

Cisco Catalyst

6500/4500

Cisco Cat. 3750X

StackWiseSwitch Stack

Patch Management, Terminal Services, Application Mirrors,

AV Servers

Cell/Area #1(Redundant Star

Topology)

Drive

Controller

HMI Distributed I/O

Controller

DriveDrive

HMI

Distributed I/O

HMI

Cell/Area #2(Ring Topology)

Cell/Area #3(Linear Topology)

IE3000/3010/2000


Controller

Enterprise/IT Integration

Collaboration

Wireless

Application Optimization

Cell/Area Zone

Levels 0–2

Layer 2 Access

Manufacturing Zone

Level 3

Distribution and Core

Demilitarized Zone

(DMZ) Firewalls

Enterprise Network

Levels 4–5

Web Apps DNS FTP

Internet


Defend the Industrial Edge

• Firewalling and remote access at levels 0-2 (L2 Transparent Mode) with Industrial IPS/IDS

• Use IT-Approved Access and Authentication

VPN for secure remote access

Enterprise Access and Authentication servers (e.g Active Directory, Radius, etc.)

• ICS Protocols Stay Home

• Control the Application

Remote Access (Terminal) Server

Application level security

• No direct traffic through the firewall

• Only one path in and out of industrial - the firewalls

DMZ and Secure Remote Access Guiding Principals

EnterpriseWAN

EnterpriseData Centre

IPSEC

VPN

SSL

VPN

Levels 0–2Cell/Area Zones


Manufacturing Zone Site Manufacturing

Operations and ControlLevel 3

Internet



1

Level 5

Level 4

Level 3

Level 2

Level 1

Level 0

Terminal Services

Patch Management

AV Server

Application Mirror

Web Services Operations

Application Server

Enterprise Network

Site Business Planning and Logistics NetworkE-Mail, Intranet, etc.

SCADAApp

Server

SCADADirectory

Engineering Workstation

Domain Controller

SCADAClient

Operator Interface

SCADAClient

Engineering Workstation

Operator Interface

Batch Control

Discrete Control

Drive Control

Continuous

Process Control

Safety Control

Sensors Drives Actuators Robots

Enterprise Zone

DMZ

Process ControlDomain

ProcessControlNetwork

WebE-Mail

CIP

Firewall

Firewall

Site Manufacturing Operations and Control

Area Supervisory Control

Basic Control

ProcessPurd

ue R

efe

rence M

odel, I

SA

-95

Industr

ial S

ecurity

Sta

ndard

IS

A-9

9


• All network traffic from either side of the DMZ terminates in the DMZ; network traffic does not directly traverse the DMZ

• Application Data Mirror

• No primary services are permanentlyhoused in the DMZ

• DMZ shall not permanentlyhouse data

• No control traffic into the DMZ

• Be prepared to “turn-off” accessvia the firewall

No Direct Traffic

EnterpriseSecurity

Zone

IndustrialSecurity

Zone

Disconnect Point

Disconnect Point

DMZReplicated Services


1.Firewall Services (Segmentation, Isolation)

2.Application Services (Behavior Enforcement, Application

Intelligence and Awareness, Gateway Capabilities)

3.Logging and Historical Services (Traffic, Event histories)

4.Encryption and Data Integrity Services (remote access, and

secure channels for data transfer)

5. IPS/IDS Services (deep packet inspection – Sourcefire and

Wurldtech Industrial Signatures

1.Malware Detection and Filtering (deep packet and URL

inspection


I want to allow guests into the

network

I need to allow/deny iPADs in

my network (BYOD)

I want to allow only authorized

users access to my network

I need a scalable way of

authorizing users or devices in

the network

I need to ensure my endpoints

don’t become a threat vector

How can I set my firewall

policies based on identity

instead of IP addresses?

Guest Lifecycle

Management

Profiling Services

Posture Services

Authentication and

Authorization

Security Group Access

Management

Identity-based Firewall

Cisco

ISE


VPN

VDI

WSA

IPS

ASA-CX

ASA

ISE

Level 5

Level 4

Level 3

Level 2

Level 1

Level 0

Level

3½

Enterprise Zone

DMZ

PCD /

Manufacturing Zone

PCN /

Cell / Area Zone

1783-SR

Secure Remote Access


De

fen

se

in

De

pth

Se

cu

rity

te

ch

no

logie

s a

pp

lied

Authentication, Authorization and Accounting

Access Control Lists (ACLs)

Secure Browsing (HTTPS)

Intrusion Protection and Detection

Remote Terminal Session

Application Security

VLANs

Remote Engineers and Partners

Plant Floor Applications and Data


Typical Functions of Secure Routing Platform

© 2014 Cisco and/or its affiliates. All rights reserved.

NAT connecting machines with overlapping address space

Machine#1

Machine#2

Stra x5900 Stra x5900

192.168.1.0/24 192.168.1.0/24(overlapingaddressspace)

NAT NAT


Zone-based Policy Firewall (ZFW)

ZFW1

zoneTRUSTED zoneUNTRUSTED

Int 1

Int 3

Zone-Policy

OUTBOUND

INTERNET

Client1 Server

Int 4

Int 2

Client2

§ Zone: set of interfaces that share a certain “trust level”

§ Policies define rules between zones

ZFWpoliciesareUnidirec onal:Source>>Des na on


Virtual Private Networks (VPNs)


1783-SR/ISR819 Software Features - Security

Secure Connectivity:

• Secure Sockets Layer (SSL) VPN for secure remote

access

• Hardware-accelerated DES, 3DES, AES 128, AES 192,

and AES 256

• Public-key-infrastructure (PKI) support

• 20 IPsec tunnels

• Cisco Easy VPN Client and Server

• Network Address Translation (NAT) transparency

• Dynamic Multipoint VPN (DMVPN)

• Tunnel-less Group Encrypted Transport VPN

• IPsec stateful failover

• VRF-aware IPsec

• IPsec over IPv6

• Adaptive control technology

• Session Initiation Protocol (SIP) application layer

gateway

Cisco IOS Firewall:

• Zone-Based Policy Firewall

• VRF-aware stateful inspection routing firewall

• Stateful inspection transparent firewall

• Advanced application inspection and control

• Secure HTTP (HTTPS), FTP, and Telnet Authentication

Proxy

• Dynamic and static port security

• Firewall stateful failover

• VRF-aware firewallContent Filtering:

• Subscription-based content filtering with Trend Micro

• Support for Websense and SmartFilter

• Cisco IOS Software black and white lists

Integrated Threat Control:

• Intrusion prevention system (IPS)

• Control Plane Policing

• Flexible Packet Matching

• Network foundation protection

These Features Allow:Highly SecureHighly Flexible Scaleable Remote Access SolutionsConfigurable via Web GUI WizardsFor Small to Medium Sized Deployments


WAN

Plant EngineerSkid Builder

System Integrator

Remote Site

WANRouter

Plant Site

WANRouter

• Stand-alone Remote Industrial Application

Example: remote site

Requirements

Connection out from the Plant, direct access

Little to no IT support, little to no alignment with Industrial Automation and Control System security standards

Potential Solution

IPSecVPN, DMVPN,FlexVPN – ASA5515 and/or ISR819

1783-SR/819 ISR

IPSec

X many


• No VPN client needs to be installed on remote client

• Access to internal network through one point entry

• Uses a standard web browser, platform independent: Internet Explorer, Firefox

• Can access web applications http, https, Common Internet File Sharing (CIFS), File Transfer Protocol (FTP)

• Client-Server Plug-ins for Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), Secure Shell (SSH) access, Telnet and Citrix

• VPN appliance gives web-based look and feel for the application access (customizable) through content rewrite process


Levels 0–2Cell/Area Zones




Manufacturing Zone Site ManufacturingOperations and ControlLevel 3

Internet


EnterpriseWAN

EnterpriseData Center

Gbps Link Failover

Detection

Firewall(Active)

Firewall(Standby)

Patch ManagementTerminal ServicesApplication MirrorAV Server

CiscoASA 5500

Remote Access Server• RSLogix 5000• FactoryTalk View Studio

Catalyst6500/4500

Remote Engineeror Partner

EnterpriseConnectedEngineer

Enterprise EdgeFirewall

HTTPS

Cisco VPN Client

Remote Desktop Protocol (RDP)


Switch Stack

EtherNet/IP

I PS

EC

VPN

SS

LVP

N

FactoryTalk Application Servers

• View

• Historian

• AssetCentre

• Transaction Manager

FactoryTalk Services Platform

• Directory

• Security/Audit

Data Servers

1. Remote engineer or partner establishes VPN to corporate network; access is restricted to IP address of plant DMZ firewall

2. Portal on plant firewall enables access to IACS data, files and applications

– Intrusion protection system (IPS) on plant firewall detects and protects against attacks from remote host

3. Firewall proxies a client session to remote access server

4. Access to applications on remote access server is restricted to specified plant floor IACS resources through IACSapplication security


1. Identify all connections to SCADA networks

2. Disconnect unnecessary connections to the SCADA network

3. Evaluate and strengthen the security of any remaining connections to the SCADA network

4. Harden SCADA networks by removing or disabling unnecessary services

5. Do not rely on proprietary protocols to protect your system

6. Implement the security features provided by device and system vendors

7. Establish strong controls over any medium that is used as a backdoor into the SCADA network

8. Implement internal and external intrusion detection systems and establish 24-hour-a-day

incident monitoring

9. Perform technical audits of SCADA devices and networks, and any other connected

networks, to identify security concerns

10. Conduct physical security surveys and assess all remote sites connected to the

SCADA network to evaluate their security

11. Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios

12. Clearly define cyber security roles, responsibilities, and authorities for managers,

system administrators, and users

13. Document network architecture and identify systems that serve critical functions

or contain sensitive information that require additional levels of protection

14. Establish a rigorous, ongoing risk management process

15. Establish a network protection strategy based on the principle of defense-in-depth

16. Clearly identify cyber security requirements

17. Establish effective configuration management processes

18. Conduct routine self-assessments

19. Establish system backups and disaster recovery plans

20. Senior organizational leadership should establish expectations for cyber security

performance and hold individuals accountable for their performance

21. Establish policies and conduct training to minimize the likelihood that organizational

personnel will inadvertently disclose sensitive information regarding SCADA system

design, operations, or security controls

21 Steps to securing a SCADA network

http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf

http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf


www.shodanhq.com

http://www.shodanhq.com/

Date post:	04-Dec-2014
Category:	Engineering
Upload:	routecomarketing
View:	370 times
Download:	0 times