Date posted: 04-Dec-2014
Category: Engineering
Uploaded by: routecomarketing
Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.
Industrial IoT in Action
Phil George – Solution Architect
Technology trends: Ethernet, SQL, Cloud, Big Data, Virtualization, Mobility, Social Media
Inflection Point
“an event that changes the way we think and act” – Andy Grove, Intel co-founder
Word cloud: Podcast, Chatroom, Infotainment, Sidebar, Geek, Landline, Speed Dating, App, Buzzword, Widget, Webinar, Cyber grieving, ping, Blog, hashtag, BFF, LOL, phishing, Flash drive, Tagging, firewall, JPG, Flat screen, informationalize, Tweet, Google, Unfriend, Wiki, IM, Cloud
The Secure Connected Enterprise
Disruptive technologies (Cloud, Ethernet, Mobility, Big Data, Business Analytics) create unprecedented value. Inflection point: Now!
Business outcomes ($):
• Faster time-to-market
• Lower total cost of ownership
• Improved asset utilization
• Enterprise risk management
Global population trends (2020)
• Population will exceed 7.6 billion
• More than 70 million people annually will cross into the middle class
• The middle class adds $8 trillion to consumer spend
Source: McKinsey
Global population trends increase demand for manufacturing, resources and infrastructure
Emerging-market consumerism, resource productivity and investment ($1T) increase demand on industrial production:
• 150% more energy
• 30% more water
• 100% more vehicles
• 80% more steel
Source: McKinsey
The Connected Enterprise
Supply chain integration, optimized for rapid value creation: collaborative, demand driven, compliant and sustainable. Spans the enterprise, distribution center, smart grid and customers.
Outcomes: agility, productivity, sustainability.
The Industrial Internet of Things
Customer demand, industrial processes and the supply chain feed the business system: raw data > contextualized data > business system.
Connected devices: sensors, actuators, intelligent motor control, terminals, audio, video.
Transformation: Integrated Control and Information
Conventional: separate IT and automation infrastructures. Future: a unified infrastructure, one common environment.
Enabler: a common, secure Ethernet infrastructure.
Case example: paint lab, Kentucky facility (2011–2012)
• Number of re-coats reduced due to real-time alerts
• Oven temperatures accessed in real time
• $302k/yr eliminated by contract dispatch
• Allows all to access EPA data
• Visibility into loss-of-production faults leads to root cause identification
Agenda
• Fundamentals of EtherNet/IP
• Designing the Physical Layer
• Industrial & IT Network Convergence
• EtherNet/IP Product Selection
• Securing Automation Networks
• Plant-wide Benefits of EtherNet/IP
www.rockwellautomation.com
www.rockwellautomation.com/connectedenterprise
Follow ROKAutomation on Facebook & Twitter. Connect with us on LinkedIn.

EtherNet/IP Overview – Benefits of EtherNet/IP Seminar Series
Industrial Network Needs – Long-Term Trends
• Open network
• Converged network technologies (information sharing, common design)
• Better asset utilization – lean initiatives (training, support and inventory)
• Future ready – to maximize investments and minimize risks
Industrial Network Trends – Industrial Applications Convergence
[Figure: disparate network technologies (controller, drive network, safety network, I/O network, plant/site network) converging onto a single industrial network technology that carries I/O, drive control, safety, process, power control, information, high availability and energy management; devices shown: camera, controller, VFD drive, HMI, I/O, plant/site, safety I/O, instrumentation.]
EtherNet/IP is the global leader: 5M+ nodes sold, 300+ vendors, 1000s of product lines
EtherNet/IP – one standard industrial network technology for:
• Control system engineer: enable future-ready, high performance; use an established, widely accepted network technology supported by leading industry vendors
• IT network engineer: use standard Ethernet and TCP/IP; utilize common network infrastructure assets and tools
• System integrator: enable seamless plant-wide / site-wide information sharing; converge industrial and non-industrial traffic
• Equipment builder: enable convergence-ready solutions; use a single multi-discipline control and information platform
EtherNet/IP: “IP” = Industrial Protocol – Single Industrial Network Technology
• ODVA: supported by global industry leaders such as Cisco Systems®, Omron®, Schneider Electric®, Bosch Rexroth AG®, Endress+Hauser and Rockwell Automation; conformance and performance testing (www.odva.org)
• Standards: IEEE 802.3 standard Ethernet and Precision Time Protocol (IEEE 1588); IETF (Internet Engineering Task Force) standard Internet Protocol (IP); ODVA Common Industrial Protocol (CIP); IEC (International Electrotechnical Commission) IEC 61158
• IT friendly and future-ready (sustainable)
• Multi-discipline control and information platform
• Established products, applications and vendors
OSI 7-Layer Reference Model (Open Systems Interconnection) – Single Industrial Network Technology

Layer  Name          Function                                        EtherNet/IP / examples
7      Application   Network services to user application            CIP (IEC 61158)
6      Presentation  Encryption / other processing                   CIP (IEC 61158)
5      Session       Manage multiple applications                    CIP (IEC 61158)
4      Transport     Reliable end-to-end delivery, error correction  IETF TCP/UDP
3      Network       Packet delivery, routing                        IETF IP – routers
2      Data Link     Framing of data, error checking                 IEEE 802.3/802.1 – switches
1      Physical      Signal type to transmit bits, pin-outs, cable   TIA-1005 – cabling

The 5-layer TCP/IP model collapses layers 5–7 into one application layer; that is where CIP (IEC 61158) sits.
What makes EtherNet/IP industrial? Physical layer hardening, infrastructure device hardening, and a common application layer protocol (CIP, IEC 61158).
OSI Reference Model – Protocol Stack
CIP occupies the application layers (7 Application, 6 Presentation, 5 Session). The data transport layers are standard: 4 Transport – IETF TCP/UDP; 3 Network – IETF IP; 2 Data Link – IEEE 802.3/802.1; 1 Physical – TIA-1005.
OSI Reference Model – Vendor-Specific Upper Layers
Layers 7–3 (Application, Presentation, Session, Transport, Network) vendor specific; layer 2 IEEE 802.3/802.1; layer 1 TIA-1005. A vendor-specific network and transport over standard Ethernet limits portability and routability and may require additional assets to forward information throughout the plant-wide / site-wide architecture.
OSI Reference Model – Vendor-Specific Stack
Layers 7–2 vendor specific; only layer 1 (Physical, TIA-1005) is standard. This is non-standard Ethernet, which will require additional assets to connect into the plant-wide / site-wide architecture.
OSI Reference Model – Network Independent
CIP at layer 7 is network independent: it is defined separately from the layer 1–4 transport beneath it.
Industrial Network Trends – Industrial Applications Convergence
Disparate network technology: multiple network technologies, topology limits, physical segmentation, data duplication. Single industrial network technology: one network technology, with topology and physical segmentation options, for camera, controller, VFD drive, HMI, I/O, plant/site, safety I/O and instrumentation.
The alternative: “Islands of Automation”.
Collaboration of Partners – Network Technology Convergence
Logical framework (Cisco/RA Converged Plantwide Ethernet reference architecture):
• Enterprise Zone (Levels 4 and 5): Enterprise WAN; physical or virtualized servers – ERP, email, Call Manager, Active Directory (AD), AAA (RADIUS).
• Industrial Demilitarized Zone (IDMZ): plant firewalls (active/standby Cisco ASA 5500 with a Gbps link for failover detection) providing inter-zone traffic segmentation ACLs, IPS and IDS, VPN services, and portal and terminal server proxy; physical or virtualized servers – patch management, remote gateway services, application mirror, AV server.
• Industrial Zone – Site Operations and Control (Level 3): Catalyst 6500/4500 and Catalyst 3750 StackWise switch stack; physical or virtualized servers – FactoryTalk application servers and services platform, network services (DNS, AD, DHCP, AAA), remote access server (RAS), Call Manager, storage array.
• Cell/Area Zones (Levels 0–2): Rockwell Automation Stratix 8000 layer 2 access switches; Zone #1 redundant star topology with Flex Links resiliency, Zone #2 ring topology with Resilient Ethernet Protocol (REP), Zone #3 bus/star topology; devices – controller, safety controller, HMI, I/O, safety I/O, servo drive, soft starter, MCC, robot, instrumentation, camera, phone.
Physical framework: micro data center (racks, patching, cable management, copper/fiber), network zone enclosures, control panel (noise mitigation).
Common toolsets: copper, fiber and wireless testers; network discovery; protocol statistics.
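The zone model above is what the plant firewall's inter-zone ACLs have to enforce. The following is an added example, not code from the slides or from the CPwE guide: a small policy check that flags two classes of flow the architecture forbids, a session that spans the IDMZ instead of terminating on a DMZ broker (terminal server proxy, application mirror, patch or AV server), and EtherNet/IP (CIP) traffic leaving the industrial side. The zone names are taken from the slide; the CIP port numbers (TCP 44818 explicit messaging, UDP 2222 implicit I/O) are well-known values not stated on the page, and the sample flows are constructed.

```python
"""Flow check against a CPwE-style zone model (added example, not from the slides).

Zones follow the reference architecture above: Cell/Area Zone (Levels 0-2),
Industrial Zone (Level 3), Industrial DMZ, Enterprise Zone (Levels 4-5).
EtherNet/IP port numbers are well-known values not stated on the slide;
the sample flows at the bottom are constructed for illustration.
"""
from dataclasses import dataclass

# Zones ordered from the plant floor outward; the IDMZ sits between the
# Industrial Zone and the Enterprise Zone.
ZONE_ORDER = ["cell_area", "industrial", "idmz", "enterprise"]
IDMZ = ZONE_ORDER.index("idmz")

# Zones in which EtherNet/IP (CIP) sessions are expected to start and end.
CIP_ZONES = {"cell_area", "industrial"}
# TCP 44818: CIP explicit messaging; UDP 2222: CIP implicit (I/O) messaging.
CIP_PORTS = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int


def traverses_idmz(flow):
    """True if the flow passes *through* the IDMZ instead of terminating in it.

    CPwE allows no session to span the IDMZ: an enterprise client talks to
    a DMZ broker (terminal server proxy, application mirror, patch or AV
    server), and the broker opens its own session into the Industrial Zone.
    """
    lo, hi = sorted((ZONE_ORDER.index(flow.src_zone),
                     ZONE_ORDER.index(flow.dst_zone)))
    return lo < IDMZ < hi


def cip_leaves_plant(flow):
    """True if CIP traffic would enter or leave the industrial side."""
    if (flow.proto.lower(), flow.dst_port) not in CIP_PORTS:
        return False
    return not {flow.src_zone, flow.dst_zone} <= CIP_ZONES


def violations(flow):
    """Policy violations for one flow; an empty list means the flow is allowed."""
    problems = []
    if traverses_idmz(flow):
        problems.append("spans the IDMZ; sessions must terminate on a DMZ broker")
    if cip_leaves_plant(flow):
        problems.append("CIP must stay within the Industrial and Cell/Area zones")
    return problems


def audit(flows):
    """Map each flow to its violations, for review of a proposed rule set."""
    return {flow: violations(flow) for flow in flows}


# Constructed sample flows (not taken from any real rule set).
SAMPLE_FLOWS = [
    Flow("enterprise", "idmz", "tcp", 3389),        # RDP to the DMZ terminal server
    Flow("idmz", "industrial", "tcp", 3389),        # terminal server on to the RAS
    Flow("enterprise", "industrial", "tcp", 3389),  # direct RDP across the IDMZ
    Flow("enterprise", "cell_area", "tcp", 44818),  # CIP from corporate to a controller
    Flow("industrial", "cell_area", "udp", 2222),   # implicit I/O inside the plant
]

if __name__ == "__main__":
    for flow, problems in audit(SAMPLE_FLOWS).items():
        verdict = "ALLOW" if not problems else "DENY: " + "; ".join(problems)
        print(f"{flow.src_zone:>10} -> {flow.dst_zone:<10} "
              f"{flow.proto}/{flow.dst_port}  {verdict}")
```

Running the module prints one verdict per sample flow; the two-hop path enterprise → IDMZ → industrial passes while the direct enterprise → industrial session and any CIP flow to or from the enterprise side are denied. The check is deliberately about zone pairs rather than addresses, which is the level at which the CPwE design states its rule.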
Industrial Networks Summary
• Open networks are in demand: broad availability of products, applications and vendor support for industrial automation; network standards for coexistence and interoperability of industrial automation devices.
• Convergence of network technologies: reduce the number of disparate networks in an operation and create seamless information sharing throughout the plant-wide / site-wide architecture; use common network design, deployment and troubleshooting tools across the plant-wide / site-wide architecture and avoid special tools for each application.
• Better asset utilization to support lean initiatives: common network infrastructure assets, while accounting for environmental requirements; reduce training, support and inventory for different networking technologies.
• Future-ready – maximizing investments and minimizing risks: support new technologies and features without a network forklift upgrade.
Reduce risk. Simplify design. Speed deployment.
www.industrialip.org – standard Internet Protocol (IP) for industrial applications: a coalition of like-minded companies and a new ‘go-to’ resource for educational, technical and thought-leadership information about industrial communications.
Will Your Physical Layer Perform? Plantwide EtherNet/IP Ecosystem Design and Deployment
Panduit’s Distributor Partner
Vision: Unified Physical Infrastructure – Office: data center solution; Building: connected buildings solution; Manufacturing: industrial automation solution.
Critical manufacturing assets are at risk!
• Downtime
• Security lapses
• Performance degradation
Importance of the Physical Layer – installation pitfalls
1. Proper cable installation is critical.
2. No matter the hardware, shoddy cable installation will result in a poor network.
3. This makes it impossible to manage, maintain and troubleshoot.
“A significant portion of network downtime, approx. 80%, is attributed to Physical Layer Connections.” – Sage Research
Designing the Physical Layer for EtherNet/IP
What do Physical Layer Reference Architecture based best practices look like?
Physical Layer Design Considerations
• Design and implement a robust physical layer
• Environment classification – MICE
• More than cable: connectors, patch panels, cable management, grounding, bonding and shielding (noise mitigation)
• Standard physical media: wired vs. wireless; copper vs. fiber; UTP vs. STP; singlemode vs. multimode; SFP – LC vs. SC
• Standard topology choices: switch-level and device-level
References: Cable Selection (ENET-WP007); LAN Troubleshooting Guide; Industrial Ethernet Physical Infrastructure Reference Architecture Design Guide; ODVA Guide; Rockwell/Cisco reference architecture.
Logical reference architecture: Enterprise Zone (EZ) – De-Militarized Zone (DMZ) – Manufacturing Zone – Cell/Area Zones (redundant star, ring and bus/star topologies). Firewalls active/standby with a GE link for failover detection; layer 3 routers and layer 3 switches; Windows 2003 servers in the DMZ hosting Remote Desktop Connection, VNC and PCAnywhere; automation apps (historian, data distribution, asset security, engineering applications, databases); network services (DNS, DHCP, syslog server, network and security management).
Physical reference architecture: IN-Room (firewalls FWA/FWB, DMZ, layer 3 routers L3R and layer 3 switches L3S, PaS and DB servers), IN-Route, IN-Panel (HMI, controller, drive, distributed I/O), IN-Field and IN-Frastructure; layer 2 switches (L2S) in the Cell/Area Zones.
Panduit Industrial Automation – 5 Core Solutions
• IN-ROOM™: control room, data center, telco closet
• IN-PANEL™: control panels, electrical panels and MCC
• IN-FIELD™: on the machine, in the process area, or outdoors
• IN-FRASTRUCTURE™: power distribution, lighting, HVAC, security, safety
• IN-ROUTE™: industrial pathways, network zone enclosures
Physical Layer Design Considerations – simplify with validated building blocks: micro data center, zone enclosures, control panel solutions.
Micro Data Center – IN-Room Solution
• Enterprise/office patchfield used to uplink the switch to the Level 4 & 5 Enterprise
• Server patching: cross-connect between production servers and switch
• Firewall and DMZ: logical buffer zone between the Enterprise and Manufacturing zones
• Manufacturing Zone patchfield used to connect the layer 3 switch to the layer 2 switches on the plant floor
IN-ROOM™ Physical Network Security
• Keyed solutions for copper and fiber
• USB Type A and Type B ports: lock-in and blockout products secure connections
Micro Data Center Simplification – Organize, Secure and Standardize
Challenges: disorganized; network performance issues; frequent moves, adds and changes.
Solutions: structured approach; media selection/security; visual identification (before/after).
IN-Route – getting from “Point A” to “Point B” without built-in failure points.
Environmental Focus – M.I.C.E. (TIA/EIA-1005)
Environmental severity increases from office (level 1) to industrial (level 3) in each of four dimensions:
  Mechanical (shock, vibration): M1, M2, M3
  Ingress (water, dust): I1, I2, I3
  Climatic/Chemical: C1, C2, C3
  Electromagnetic: E1, E2, E3
You can’t choose components without knowing the environment.
IN-Route – Zone Cabling Methods
• Centralized cabling: home runs from each node back to the telecommunication room (TR).
• Zone cabling: zone enclosures (Z) between the TR and the nodes provide reduced home-run wiring, easy moves/adds/changes and a smaller telecommunication room.
IN-ROUTE™ Pathways
• Overhead cable tray routing system
• Designed to route and manage copper, fiber optic or power cables
Fiber pathways – Dielectric Conduited Fiber Cable (DCF)
Key benefit: easier to install fiber cable (eliminates conduit and grounding) with rugged, crush-resistant construction.
Solution components: 12 part numbers – fiber counts 2, 4, 8 and 12; fiber types OS1/OS2, OM1, OM2; compatible with OptiCam connectors.
IN-ROUTE™ Zone Enclosures – Pre-configured
The best way to structure a manufacturing network:
• Leverages the Cisco/RA recommended architecture for best network performance
• Built for rapid network expansion
• Touch-safe for facility IT access
• Significantly reduces lead time to deploy
Zone Enclosures – Optimized for Stratix
• Pre-configured and pre-tested for Stratix 8300, 8000 and 5700 switches
• Safe, secure, thermally tested
• Save time, cost and risk: IT/controls convergence point; machine builders
IN-Route: Network Distribution Simplification – robust, secure, future-ready network distribution
Challenges: scalability issues; diagnostics and troubleshooting; evolving cable management.
Solutions: zone enclosure; media selection and security; cable routing (before/after).
IN-PANEL™ – Understanding the Problem
Several market trends are exerting pressure on the design and architecture of a control panel: space optimization, terminations, network cabling, noise mitigation, safety/security.
Ethernet in the Control Panel: additional requirements and solutions arise with the addition of Ethernet into the control panel.
Planning for networking in the panel – common challenges:
• Overall concerns: diagnostics/troubleshooting, maintenance, future system upgrades
• Performance in a potentially high-noise environment: zoned layouts (clean / noisy / very noisy), shielding
• Finding panel space for new components
Noise Mitigation Demo
Polymer Coated Fiber (PCF) Cable, LC Connector, Termination Tool Kit (IN-PANEL™ / IN-FIELD™)
Key benefits: ease of field termination (crimp, cleave and leave), performance, noise immunity.
Solution components:
1. Polymer Coated Fiber (PCF) cable (zip cord and break-out cables)
2. Field-attached LC connector for 50/200/230 µm and 62.5/200/230 µm PCF fiber
3. Field termination tool kit
Video: Terminating Fiber Using PCF Crimp-On Connectors (no voiceover)
Physical Layer Design Considerations – Space Optimization Increases Design Flexibility
Panduit PanelMax™ offering: maximizes panel space utilization; easier to design for future system upgrades; provides up to 30% space savings.
• Corner wiring duct: utilizes space typically unusable in the enclosure corner
• DIN rail wiring duct: uses enclosure depth to save panel footprint space and improve component access
• Shielded wiring duct: mitigates EMI noise to reduce wire separation distance compared with conventional wiring duct
All of these products contribute to cost savings.
Panduit Network Solutions for the Control Panel – optimized solutions for machine builder Stratix 5700 deployments
• DIN rail mount adapter: modular DIN rail mounting for copper or fiber connectivity
• Patch panel: facilitates testing and future moves, adds and changes
• Fiber and Cat6 patch cords: performance guaranteed
IN-Panel: Optimized with Partners
• Leverage the power of EtherNet/IP and ecosystem partners: Panduit fiber, patching, noise mitigation, space optimization, grounding/bonding; RA Stratix 5700 for machine builders; RA 1585 patch cords; test with Fluke Networks
• EtherNet/IP connects to zone enclosures and the micro data center for convergence aligned with the Cisco/RA CPwE architecture
IN-FIELD™ Challenges (on machine or in process areas)
• High MICE levels: vibration, chemical, temperature, wash-down
• Wire management rated for the environment
• Food safety
IN-Field Solutions: Manage and Protect
• Harsh-rated cable management and identification
• Abrasion protection
• Grounding/bonding
• Metal-detectable wire management for the food industry
IN-FRASTRUCTURE™ Challenges
• Facility grounding/bonding, power
• Costs of safety incidents
• Lockout/tagout implementation
IN-Frastructure Solutions
• Grounding/bonding components and solutions
• Safety labels and signage
• Lockout/tagout systems
Application guides: Network Security; Control Panel Layout whitepaper. Best practices mean reduced call-backs, fewer problems and greater solution sales.
Design your system using cost-effective and easy-to-troubleshoot network architectures: micro data center, zone enclosure and control panel solutions – an easy building-block approach.
Industry-level thought leadership – Panduit: Physical Infrastructure Reference Architecture
• Enterprise: functional design
• Logical level: shared architecture
• Physical level: plant floor design
• Environmental requirements (M.I.C.E.)
All wrapped up in a 450-page “how to” manual, with contributions from Fluke and Rockwell Automation, on designing and installing the physical infrastructure for an industrial Ethernet network.
Design/spec tools: design micro data centers in Visio and paste the BOM into ProposalWorks.
Plant floor “macro architecture” summary – example MICE ratings by location: 1-1-1-1, 3-2-3-3, 3-1-2-3, 1-1-1-3, 3-3-3-3, 2-1-3-2, 2-2-2-1.
5/1/2014
Fiber Optic Application Best Practices for EtherNet/IP
Agenda
• Saving Time/Cost with Fiber
• Fiber Selection
• Physical Infrastructure for Fiber Deployments
Industrial Networks Live in the Real World
• Industrial networks must take into consideration the physical challenges of the facility environment.
• Location, routing and equipment choices should be based on a complete understanding of cause-and-effect conditions.
• Environmental focus: M.I.C.E. (TIA-1005)
[Figure: sensor, drive and I/O connected through a switch to the controller and the plant Ethernet.]
Fiber that Fits Both the Environment and the Application
Fiber is now being used in all areas of an industrial network deployment: in the converged manufacturing network model it runs from the corporate network (back-office mainframes and servers such as ERP and MES; office applications, internetworking, data servers, storage) down through supervisory control, HMI, controllers, robotics, motors, drives and actuators to sensors and other input/output devices.
Benefits of Fiber in an Industrial Space
• Fiber is immune to electromagnetic noise (EMI)
• Fiber can be used in high M.I.C.E. environments
• Fiber can be rated for indoor, outdoor and transition spaces
• Armored fiber (available in both metallic and all-dielectric) reduces the need for, and installation costs of, innerduct and conduit
• Smaller cable footprint (one fiber cable vs. a bundle of copper UTP)
• Reliability and speed of installation reduce the total cost of ownership
Key Elements of a Successful EtherNet/IP Network Design
• Understanding application and functional requirements
• Developing a logical framework (roadmap)
• Developing a physical framework
• Determining security requirements and partnering with IT
• Using technology and industry standards, reference models and reference architectures
Selecting the right fiber requires …
• Knowing the application environment
• Knowing the distance requirements
• Knowing the equipment you are connecting to
Let’s take a sample application and go through it step by step.
Knowing the Capability of Your Equipment
The equipment – the first step in choosing the right fiber is to look at the capability of your equipment.
• Look at the specifications of the equipment to determine the speed of the connections
• The fiber you choose should at least be able to handle the fastest mode of the existing system
The Stratix is a good switch to use as an example because it has both uplink ports and data ports running at different speeds.
• The uplink port speed is determined by the use of copper or fiber. If it’s fiber, the configuration of the SFP module determines the speed of the system.
SFP stands for Small Form-factor Pluggable (module).
Understanding Your Expansion or Upgrade Path
The following is an example list of specifications for the fiber-optic SFP module connections. It is important that each port match the wavelength specifications on the other end of the cable, and, for reliable communication, the cable must not exceed the rated maximum cable length.

SFP module type   Cat. No.        Wavelength  Fiber type  Core/cladding (µm)  Modal bandwidth (MHz·km)(1)  Cable distance
100BASE-FX        1783-SFP100FX   1310 nm     MMF         50/125              500                          2 km (6562 ft)
                                                          62.5/125            500                          2 km (6562 ft)
100BASE-LX        1783-SFP100LX   1310 nm     SMF         G.652               –                            10 km (32,810 ft)
1000BASE-SX       1783-SFP1GSX    850 nm      MMF         62.5/125            160                          220 m (722 ft)
                                                          62.5/125            200                          275 m (902 ft)
                                                          50/125              400                          500 m (1640 ft)
                                                          50/125              500                          550 m (1804 ft)
1000BASE-LX/LH    1783-SFP1GLX    1310 nm     SMF         G.652               –                            10 km (32,810 ft)

(1) Modal bandwidth applies only to multimode fiber. Information comes from the Stratix user manual.
Answers Always Lead to More Questions
The equipment – the result of our equipment investigation is that we learned:
• The maximum speed for the uplink is 1 Gbps (1000BASE-T on copper)
• The maximum speed for the data ports is 100 Mbps (100BASE-T)
• There are several choices of SFP modules that support both single-mode and multimode fiber
The next question: “Is there an existing system of fiber, and what core size is being used?”
Core size? …yes, core size.
What Makes Up a Fiber Cable?
The cable – there are two classes of fiber in use today:
• Single-mode – long-distance fiber, more expensive technology
• Multimode – shorter distance, more cost-effective for inside-plant use
To understand the differences between core sizes, and why they matter, you need to know what makes up a fiber cable: core, cladding and buffer (all sizes in microns).
• Single-mode fiber: 9 µm core, 125 µm cladding
• Multimode fiber: 50 µm or 62.5 µm core, 125 µm cladding
• Polymer coated multimode fiber (PCF): 50 µm or 62.5 µm core, 200 µm cladding, 230 µm buffer
Core size will tell you the OMx grade of the fiber.
What Do the OM Ratings Mean?
If you see OM in the fiber grade it always means multimode. The US adopted the “Optical Multimode” grading system defined by ISO, the International Organization for Standardization in Geneva, Switzerland.
• OM1 – 62.5 µm core (mostly legacy systems)
• OM2 – 50 µm core (plain vanilla variety)
• OM3 – 50 µm core (laser optimized to work with VCSELs)
• OM4 – 50 µm core (extended bandwidth – further refined to reduce pulse spreading and enable longer distances)
As with copper categories, a bigger number means better cable.
What Do the OS Ratings Mean?
• If you see OS in the fiber grade it always means single-mode.
• OS1 – 9 µm core, tight-buffered construction for indoor use (attenuation specified at 1.0 dB/km)
• OS2 – 9 µm core, loose-tube construction for outdoor use (attenuation specified at 0.4 dB/km)
Both OS grades are specified at the 1310 nm and 1550 nm windows; the grade describes the cable construction and loss, not a wavelength.
Why does the core size make such a difference in fiber performance? OS (single-mode) vs. OM (multimode): think of it like the difference between a rifle shot and a shotgun blast.
Example of Single-mode vs. Multimode
• Single-mode – driven by a Fabry-Perot laser – more efficient – goes further
• Multimode – driven by a cheap, slow LED – less efficient – doesn’t go as far
Light Pulse Spreading (“Modal Dispersion”) – The Enemy of Throughput
• Some of the photons (light particles) go straight, some ricochet around the outside; the further they travel, the closer the leading edge of one pulse gets to the trailing edge of the one before it.
• Eventually you can’t tell one pulse from another.
The further you go, the worse it gets: you can only go so far with a given grade of multimode fiber before light pulses begin to overlap.
How the OM/OS Ratings Equate to Distance
ANSI/TIA-568-C.0 (D.3), optical fiber cabling supportable distances table:
• Table 7 lists maximum supportable distances and maximum channel attenuation for applications using optical fiber cabling
• The table is based on the minimum performance requirements of 62.5/125 µm, 50/125 µm, 850 nm laser-optimized 50/125 µm, and single-mode fiber established by ANSI/TIA-568-C.3
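The two rules the SFP table above states (both ends must match, and the run must stay within the rated reach for that fiber's modal bandwidth) are exactly what the modal-dispersion discussion predicts: a lower-bandwidth multimode grade runs out of distance sooner on the same module. The following is an added example, not code from the slides or from the Stratix user manual: it encodes the slide's table as data and checks a proposed link against it, and lists which fiber grades would reach a given distance. The table values are transcribed from the slide; the link parameters are constructed.

```python
"""Check a fiber link against the Stratix SFP ratings tabulated above
(added example, not from the slides). Table values are transcribed from
the slide; the sample links are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# reach_m is keyed by (core/cladding or ITU fiber grade, modal bandwidth in
# MHz*km). Modal bandwidth only applies to multimode fiber, so the key is
# None for the single-mode (G.652) rows.
SFP_TABLE = {
    "1783-SFP100FX": {
        "standard": "100BASE-FX", "nm": 1310, "mode": "MMF",
        "reach_m": {("50/125", 500): 2000, ("62.5/125", 500): 2000},
    },
    "1783-SFP100LX": {
        "standard": "100BASE-LX", "nm": 1310, "mode": "SMF",
        "reach_m": {("G.652", None): 10000},
    },
    "1783-SFP1GSX": {
        "standard": "1000BASE-SX", "nm": 850, "mode": "MMF",
        "reach_m": {("62.5/125", 160): 220, ("62.5/125", 200): 275,
                    ("50/125", 400): 500, ("50/125", 500): 550},
    },
    "1783-SFP1GLX": {
        "standard": "1000BASE-LX/LH", "nm": 1310, "mode": "SMF",
        "reach_m": {("G.652", None): 10000},
    },
}


@dataclass(frozen=True)
class Fiber:
    core: str                 # "50/125", "62.5/125" or "G.652"
    modal_bw: Optional[int]   # MHz*km; None for single-mode
    length_m: float


def _describe(fiber):
    bw = "single-mode" if fiber.modal_bw is None else f"{fiber.modal_bw} MHz*km"
    return f"{fiber.core} ({bw})"


def check_link(sfp_a, sfp_b, fiber):
    """Return the reasons a link is outside the table's ratings (empty = OK).

    Rule 1: both ends must run the same standard at the same wavelength
    and fiber mode. Rule 2: the run must not exceed the rated reach for the
    fiber type and modal bandwidth actually installed.
    """
    a, b = SFP_TABLE[sfp_a], SFP_TABLE[sfp_b]
    problems = []
    if (a["standard"], a["nm"], a["mode"]) != (b["standard"], b["nm"], b["mode"]):
        problems.append(
            f"{sfp_a} ({a['standard']}, {a['nm']} nm {a['mode']}) does not match "
            f"{sfp_b} ({b['standard']}, {b['nm']} nm {b['mode']})")
        return problems  # a speed/wavelength mismatch will not link at all
    reach = a["reach_m"].get((fiber.core, fiber.modal_bw))
    if reach is None:
        problems.append(f"{_describe(fiber)} is not rated for {a['standard']}")
    elif fiber.length_m > reach:
        problems.append(f"{fiber.length_m:g} m exceeds the {reach} m rating "
                        f"for {_describe(fiber)} on {a['standard']}")
    return problems


def rated_fibers(sfp, length_m):
    """Fiber types from the table that reach length_m on the given SFP,
    ordered by core size then modal bandwidth."""
    options = [(core, bw) for (core, bw), reach in SFP_TABLE[sfp]["reach_m"].items()
               if reach >= length_m]
    return sorted(options, key=lambda opt: (opt[0], opt[1] or 0))


if __name__ == "__main__":
    # Constructed sample: a 300 m uplink between two Stratix SFP ports.
    run = Fiber("62.5/125", 160, 300)          # legacy OM1-class fiber
    print(check_link("1783-SFP1GSX", "1783-SFP1GSX", run))
    print(rated_fibers("1783-SFP1GSX", 300))   # what would reach 300 m at 1 Gbps
```

Run on the constructed 300 m link, the check reports that OM1-class 62.5/125 fiber at 160 MHz·km is rated only to 220 m on 1000BASE-SX, and `rated_fibers` shows that either 50/125 grade in the table would reach. Pairing an SX module with an LX/LH module, or single-mode fiber with an SX module, is rejected before any distance arithmetic because the table has no row for it.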
Remember the MICE table? Where you put the fiber, “the environment”, determines the type of fiber you choose.
Applications for “Indoor” Fiber
• Indoor Opti-Core Fiber Distribution – used when you have sufficient protection for the fiber
• Indoor Opti-Core Interlocking Armor – used when the fiber has to protect itself
• Indoor Industrial-Net (PCF) Polymer Clad Fiber – NEW: electrician-friendly crimp-on connector for direct node-to-node connection
• Indoor Dielectric Conduited Fiber (DCF) – NEW: all the benefits of an armored fiber without the metal; use in areas with suspected unequal ground potentials
Applications for “Indoor-Outdoor” Fiber
• Indoor/Outdoor Opti-Core All-Dielectric Fiber Cable – used to transition from indoor to outdoor in a protected area, tray or conduit
• Indoor/Outdoor Opti-Core Gel-Free Fiber Interlocking Aluminum Armored Cable – used to transition from indoor to outdoor yet still protect the cable from harsh mechanical conditions
Applications for “Outdoor” Fiber
• Opti-Core Gel-Free Fiber Optic Outside Plant All-Dielectric Cable – allows installation using loose tube cable methods for aerial and duct applications
• Opti-Core Gel-Free Fiber Optic Outside Plant Armored Cable – allows installation using loose tube cable methods for aerial, duct and direct burial applications
One Last Thought When Choosing a Fiber Type – Choosing the Connector
• Traditional puck-and-polish type connectors (5–7 min.)
• OptiCam factory-polished connectors (2–3 min.)
• Industrial strip-and-crimp, no-polish-required fiber connectors (approx. 1 min.)
Choosing the Connector
• OptiCam Connector
• PCF Connector
Agenda
Saving Time/Cost with Fiber
Fiber Selection
Physical Infrastructure for Fiber Deployments
Choosing the Right Fiber Type for the Application Can Save Big $$$ in Materials and Labour
Links From Field Switches to Control Rooms Should Support Higher Speeds and Greater Volume
Electrician-Friendly Fiber Can Be Used to Install Long-Distance Bus Systems
Fiber Optic Infrastructure Planning: Physical Layer Design Considerations
New joint application guide
Increase the integrity and availability of EtherNet/IP networks with fiber solutions from trusted partners!
• Physical infrastructure
• Integrated Architecture, Stratix Switches, ETAPs, more
• Higher level switches
Fiber Guide ENET-TD003
Easy to follow Fiber best practices! Physical Layer Design Considerations
• Partner validated application guide
Summary
Fiber Selection
Physical Infrastructure for Fiber Deployments
Saving Time/Cost with Fiber
Understanding the Environment and the Application
Knowing how to determine equipment and system requirements
Choosing the proper network design for application
Thank You!
To Test is to Know.
How Good is your Layer 1 Infrastructure?
Fluke Networks @ Routeco plc: July 2014
Company Confidential
Enterprise Network Test Solutions for Datacom Installers, Network Engineers
• Market leader in copper and fiber cable certification and testing
– Copper test solutions
– Fiber test solutions
– Wireless solutions
• Market leader in troubleshooting and portable
management
– Portable network test and analysis
– Wireless LAN troubleshooting and management
– Deep Packet Analysis and Capture
• Fluke Networks Solutions
– OptiView XG Network Analyzer tablet
– DTX CableAnalyzer
– Network Time Machine
– MicroScanner, NetTool, LinkRunner
So, Why Bother Testing?
• Confidence for your client.
• Assurance for yourself
• Evidence for a Cabling system Warranty
• Avoids potentially expensive delays in commissioning
• Uncovers ‘environmental’ issues
• Provides for future upgrades.
• End result of testing is Documentation!
• The Documentation provides for all above.
What’s the big deal? It’s cable, right?
• Right!
– You’ve used the best components (like building a Formula 1 car)
– Followed all the installation rules and guidance…
What you have, is a link from A to B….
Reference Points for Testing: Industry Standards….
• As for almost every other part of a major project, the
cabling industry has recognised, defined and understood
standards:
– EIA/TIA 568C.2 (American, contains the standards for Cat5e,
Cat6 and Cat6A and for MM and SM fibre installations)
– ISO 11801 (International, contains approximate equivalents
Class D, Class E and Class Ea, plus Class F and fibre)
– EN 10573 (European Norm, equivalent to ISO 11801.)
– Application-specific standards:
– TIA1005 (Industrial Ethernet-specific)
– 100MB/s Ethernet / 1GB/s Ethernet
– 40GB/s Ethernet (fibre only)
These standards require us to:
• Test (and Pass) a specified range of parameters, save the
result and provide documentation.
Permanent Link or Channel Test?
• Permanent Link: Patch panel to wall outlet including max 1 cross-connect.
• Channel: Permanent Link plus 1 additional patch panel, and user patch cords. Maximum 4 connectors.
• Which standard? To be decided by negotiation with your client as part of contract.
• Which test model? Default to Permanent Link. Channel is end-user test.
Additional Considerations
• Is the cable Shielded or Unshielded?
– What type of shield is it? S/UTP or FTP or SSTP?
• Will the application include Power over Ethernet?
– PoE has a separate and specific set of specifications.
• Does the client or the warranty provider or the hardware
manufacturer have specific additional requirements?
– Balance measurements may be required.
The end result: 100% compliant documentation of the infrastructure
Power over Ethernet (PoE-specific test)
• New test limits with specific tests for PoE optimisation.
• New Shield Integrity test finds shield errors/damage.
What About the Fails?
• Real Diagnostics for complex NEXT and Return Loss Fails
Let’s talk about fibre…..
Enterprise Fiber: Growing Exponentially
• 1.5 Billion new internet-connected devices by 2015 (Intel)
• 57% annual growth in Enterprise fiber ports: 2011 - 2015 (Dell’Oro, 2011)
• In 2015, the equivalent of every movie ever made will transit IP networks, every 5 minutes (Cisco Systems)
Enterprise Fiber: Growing Exponentially
• 24% annual growth in storage spending for cloud computing (IDC)
• 54% growth in 10Gbps+ fiber LAN transceivers (Finisar)
• One-hop fabrics replacing traditional switch architecture in datacentres
Four Steps to Determining Fibre link Performance
1. Inspect it - Clean it - Inspect it again
2. Polarity check
3. Performance Test
4. Extra Data and Troubleshooting
Inspect it – Clean it – Inspect it again.
• ALL end-faces have to be clean and undamaged!
• Inspecting the fibre end-faces is part of the BASIC test regime according to IEC 14763-3
• Cleaning the end-faces each and every time is not an option….it’s mandatory!
“Any connecting hardware adapters used together with all connector end-faces on the test cords comprising the cabling interface adapter, and the cabling under test shall be cleaned according to the instructions provided by the manufacturer of the connectors. Cleaning shall be repeated every time a test cord is connected to the cabling or component under test.”
What you can’t see CAN hurt your test result!
• Dirt migrates from a dirty to a clean connector
Check Polarity
• Visual Fault Locator (Laser light-pen)
• Uses high intensity visible light source
• Quick and Easy to use
• Relatively low cost
• Provides a go/no-go indication
• Can help find sources of loss.
Fibre Performance Certification
• Standards-based Two-Tier Testing (TIA TSB-140)
• Tier 1: OLTS (Optical Loss Test Set)
– Encircled Flux Compliance Required.
– Power Meter and Light Source with built-in length measurement.
– Losses and lengths conform to industry standards
– Most closely simulates active system
– Verify polarity using OLTS
• Tier 2: Tier 1 plus OTDR trace
– Evidence that cable is installed without degrading events (e.g. bends, connectors, splices)
Loss/Length Certification
• Test two fibers (a transmit/receive pair)
• Each fiber at two wavelengths
– Measure optical length
– Compute power budget and display Pass or Fail
– Standards-based Tier 1 certification
– 2 power measurements in each direction, plus length
– Comprehensive Go/No-go result
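As an added worked example (not code from the presentation or from Fluke Networks), the Tier 1 pass/fail computation described above in Python: a loss allowance is built per wavelength from the measured length and the connector and splice counts, and the worse of the two measured directions is compared against it. The attenuation, connector and splice reference values are assumed from TIA-568-C.3 as I recall them (verify against the edition you certify to); the link and the readings are constructed.

```python
"""Tier 1 (OLTS) loss/length certification check, in the style of the
TIA-568-C.3 link attenuation allowance.

Added example, not code from the presentation. The reference values
below are the TIA-568-C.3 figures as I recall them (assumption: verify
against the edition you certify to): mated connector pair 0.75 dB,
splice 0.3 dB, multimode 3.5 dB/km at 850 nm and 1.5 dB/km at 1300 nm,
single-mode inside plant 1.0 dB/km and outside plant 0.5 dB/km.
"""
from dataclasses import dataclass

CONNECTOR_PAIR_LOSS_DB = 0.75
SPLICE_LOSS_DB = 0.3
# dB/km attenuation coefficient per fiber type and test wavelength (nm)
ATTENUATION_DB_PER_KM = {
    "multimode": {850: 3.5, 1300: 1.5},
    "singlemode-inside-plant": {1310: 1.0, 1550: 1.0},
    "singlemode-outside-plant": {1310: 0.5, 1550: 0.5},
}


@dataclass
class FiberLink:
    fiber_type: str
    length_m: float       # optical length measured by the OLTS
    connector_pairs: int  # mated connector pairs inside the link under test
    splices: int


def loss_allowance_db(link: FiberLink, wavelength_nm: int) -> float:
    """Maximum permitted link loss at one wavelength."""
    coeff = ATTENUATION_DB_PER_KM[link.fiber_type][wavelength_nm]
    return (link.length_m / 1000.0 * coeff
            + link.connector_pairs * CONNECTOR_PAIR_LOSS_DB
            + link.splices * SPLICE_LOSS_DB)


def certify(link: FiberLink, readings: dict) -> tuple:
    """readings: {wavelength_nm: {"A->B": loss_db, "B->A": loss_db}}.

    Both wavelengths of the fiber type must be present (the OLTS tests
    each fiber at two wavelengths) and the worse of the two directions
    must be within the allowance at every wavelength.
    Returns (passed, per_wavelength_report).
    """
    required = set(ATTENUATION_DB_PER_KM[link.fiber_type])
    missing = required - set(readings)
    if missing:
        raise ValueError(f"missing wavelength(s): {sorted(missing)}")
    report = []
    passed = True
    for wl in sorted(readings):
        allowance = loss_allowance_db(link, wl)
        worst = max(readings[wl].values())
        ok = worst <= allowance
        passed = passed and ok
        report.append({
            "wavelength_nm": wl,
            "allowance_db": round(allowance, 2),
            "worst_loss_db": worst,
            "margin_db": round(allowance - worst, 2),
            "pass": ok,
        })
    return passed, report


if __name__ == "__main__":
    # constructed link: 300 m of laser-optimized 50/125 multimode,
    # one mated connector pair at each end, no splices
    link = FiberLink("multimode", 300, connector_pairs=2, splices=0)
    ok, rep = certify(link, {850: {"A->B": 1.2, "B->A": 1.3},
                             1300: {"A->B": 0.9, "B->A": 1.0}})
    print("PASS" if ok else "FAIL", rep)
```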
Tier 2: Where fibre diagnostics reside.
• Tier 2: Tier 1 plus OTDR trace
– Evidence that cable is installed without degrading events (e.g. bends, connectors, splices)
A new type of OTDR Result that almost everyone can understand
• Alternative trace presentation of link topology
• Reduce need for OTDR expertise
• Icons designate the type of fiber event
• One-tap gives access to all event details
Back to the Documentation:
IMPORTANT part of the fibre condition…
OTDR Traces are not for everyone…
EventMap provides an easily understood pictorial representation of the fibre link, for many the end of ‘trace-psychosis’.
Every ‘PASS’ report includes a Compliant Network Standards List…
Copyright © 2012 Rockwell Automation, Inc. All rights reserved.
Industrial and IT Network Convergence: Ethernet/IP Enables Convergence
Name – Mike Loughran
Title – Solution Architect
Date – 29th April 2014
Emerging Technologies in Operations: All the BUZZ…
The Internet of Things (IoT): Intelligent devices start to communicate with each other
What does it all mean?
Big Data
Large amounts of information is available to manage the supply chain & complex processes. Most of it is buried on the production floor in historians or other databases.
Cloud Computing & Virtualization
Speed up deployment of production, add flexibility, reduce capital investments & increase access across global operations. Increase longevity, reliability & provide disaster recovery. Centers around Information Technology (IT) more than Operations/Production management.
Mobility & BYOD (Bring Your Own Device)
Improve maintainability, uptime, asset longevity, safety and cost control. Technicians, Supervisors, Operators are all mobile during their typical work day.
Driven Largely by Information Technology
Why are Emerging Technologies so Important?
Automated adaptable processes & decisions
Empowers companies to grow faster, produce better products and serve customers more effectively
It connects a workforce, analyzes data and allows for continuous improvements
Companies can leverage technological advances as a competitive advantage and must constantly seek newer, faster and better technologies to improve their business
Early-adopters typically acknowledge the risk that comes with new technology
Keeping abreast of new developments is an ongoing job with both risks and rewards
Industrial Network Convergence: Industrial Network Trends
EtherNet/IP – Enabling & Driving Multi-discipline Industrial Network Convergence
• Process Control
• Discrete Control
• Information Technology
• Intelligent Motor Control
The Value in Bringing the Information Together
• Control Systems
• HMIs
• Production Scheduling
• Alarms/Events
• Other Database Systems
• Computerized Maintenance Management Systems
• Performance
• Quality Systems
• Data Historians
• Laboratory Information Management Systems
You need a network technology that is STANDARD, PROVEN and MORE than a FIELDBUS!
You need robust Infrastructure Solutions to deliver the information fast, reliably and securely!
From Production to the Enterprise - Rockwell Automation & Cisco Alliance
• Common Technology View: Single system architecture, using open, industry standard networking technologies – EtherNet/IP
• Delivering Converged Plantwide Ethernet (CPwE) Architectures for manufacturing and industrial environments: Best pathway to Operations/IT network convergence with detailed design and implementation guidance
• Joint Product and Solution Collaboration: Creating an ideal networking environment for both IT and controls professionals.
• People and Process Optimization: Education and services to facilitate Manufacturing and IT convergence
Rockwell Automation and Cisco present the most valuable resource in the industry for deploying a converged network infrastructure
Leadership in IT and Plant Operations
Risks and threats to networked systems
Security risks increase potential for disruption to system uptime and safe operation and a loss of IP
• Unintended employee actions
• Theft
• Unauthorized actions by employees
• Unauthorized access
• Denial of Service
• Application of security patches
• Unauthorized remote access
• Natural or man-made disasters
• Sabotage
• Worms and viruses
Business Risk: INFORMATION and OPERATIONS
A Vendor’s Perspective
• Control System lifecycles are long (20+ years)
• Products will have vulnerabilities
• Security is a team sport: Vendors & Customers, IT & Engineering
• Pick your teams (point: don’t go it alone)
• REMEMBER: Human beings are imperfect
• Control System safety & security are closely linked
• Control System security manages variables
• Managing the security variables enhances uptime
UPTIME = PROFITABILITY
Our Approach to Industrial Security
• Layered Security Model – Shield potential targets behind multiple levels of protection to reduce security risks
• Defense in Depth – Use multiple security countermeasures to protect integrity of components or systems
• Openness – Consideration for participation of a variety of vendors in our security solutions
• Flexibility – Able to accommodate a customer’s needs, including policies & procedures
• Consistency – Solutions that align with Government directives and Standards Bodies
A secure application depends on multiple layers of protection. Industrial security must be implemented as a system.
Layers: Physical, Network, Computer, Application, Device
Evolving Global Standards
• Building Blocks: ISA S99 and IEC 62443
• Asset Owners, Vendors, Industry Consortia: NIST 800, NERC-CIP, ISO 27002, RFC 2196
• Independent Requirements & Certifications: ISA Security Compliance Institute (ISCI); Achilles™ test platform (Wurldtech); Exida.com LLC; WIB 2.0
[Figure residue: certification tiers Bronze/Silver/Gold, Achilles levels L-1/L-2/L-3, security assurance levels SAL 1/SAL 2/SAL 3]
Design for Security approach
Specifications → Audits & Gaps → Enhance & Improve → Resiliency & Robustness
Additional Material: Educational - Cisco and Rockwell Automation Alliance
Education Series Webcasts
• What every IT professional should know about Plant-Floor Networking
• What every Plant-Floor Engineer should know about working with IT
• Industrial Ethernet: Introduction to Resiliency
• Fundamentals of Secure Remote Access for Plant-Floor Applications and Data
• Securing Architectures and Applications for Network Convergence
• IT-Ready EtherNet/IP Solutions
Available Online
http://www.ab.com/networks/architectures.html
Additional Material: Simplify Design - Rockwell Automation
Networks Website: http://www.ab.com/networks/
EtherNet/IP Toolkit: http://www.rockwellautomation.com/rockwellautomation/products-technologies/integrated-architecture/tools/overview.page#/tab4
Ethernet Tools
Additional Material: Simplify Design - Cisco and Rockwell Automation Alliance
Websites: http://www.ab.com/networks/architectures.html
Design Guides: Converged plant-wide Ethernet (CPwE)
Application Guides: Fiber Optic Infrastructure Application Guide
Education Series: http://www.ab.com/networks/architectures.html
Whitepapers:
• Top 10 Recommendations for plant-wide EtherNet/IP Deployments
• Securing Manufacturing Computer and Controller Assets
• Production Software within Manufacturing Reference Architectures
• Achieving Secure Remote Access to Plant-Floor
Additional Material: Simplify Design - Collaboration
Plant-wide EtherNet/IP Ecosystem Partners Website
Fiber Optic Infrastructure Application Guide ENET-TD003
Additional Material: Simplify Design and Speed Deployment - Panduit Corp
Panduit Corp. Website: http://www.panduit.com/
Industrial Automation Solutions:
• Industrial Automation Product Systems Brochure
• Industrial Communication Solutions – Interactive Roadmap
Additional Material: Speed Deployment - Fluke Networks
Fluke Networks Websites: www.flukenetworks.com www.flukenetworks.com\industrial www.flukenetworks.com\knowledgebase
Reduce design time: Procurement Specifications on-line
http://www.rockwellautomation.com/rockwellautomation/industries/procurement-specifications/overview.page?
Questions?
Stratix Ethernet Switch Family
A family of high performance Industrial Ethernet switches ideal for the end user and equipment builder
Stratix Portfolio Overview
• Security • Productivity • Safe Operations
• Remote Access • Time to Market • Protecting IP
Routers and switches for:
• Enabling security to new or existing architectures
• Applications for simple to complex networks
• Monitoring and controlling distributed devices
• Plant floor and enterprise integration
Products:
• Stratix 8000/8300 – Layer 2, Layer 3
• Stratix 2000 – Unmanaged
• Stratix 6000 – Layer 2
• Stratix ETAPs
• Stratix 5700 – Layer 2
• Stratix 5100 – Wireless AP/WGB
• Stratix 5900 – Security Appliance
The Stratix Family Overview
Integrating your enterprise and manufacturing environments
Overview
Family of industrial Ethernet switches that are:
• Optimized for configuration, monitoring, security and maintenance
• Modular and scalable
• Designed for simple to complex Ethernet applications
Key Benefits
• IT-ready and IT-friendly solutions
• Simplified integration of machine systems in infrastructure
• Integrated Architecture programming tools and features
• Secure remote access for improved productivity and OEE
Applications
• Connected or isolated machine and Process control applications
• Plant floor and enterprise integration
• Distributed network devices that need to be monitored and controlled
Stratix 2000 Unmanaged Switches: Refresh & Product Line Expansion
Stratix 2000 Unmanaged Switches Overview
• Low cost solutions designed for isolated control networks
• Recommended for Micro 850 & Micro 820 applications
• Unmanaged switches are not recommended for safety or motion applications
• Simple “Plug & Play”
– Automatically negotiates speed and duplex settings (no configuration required)
– Automatically detects cross-over cable
• Expanded operating temperature from -20ºC to 70ºC to meet a wider variety of application needs for most catalog numbers
– Exception: 1783-US5T & 1783-US8T range 0 to 60ºC
Stratix 6000 Fixed Managed Switches
Stratix 6000™ Managed Switches
• Fixed port managed switch
• 4 port or 8 port versions with optional fiber optic uplink (SFP)
• Control system integrated
– CIP communications for: Diagnostics (tags), Configuration (RSLogix 5000), Security
• DHCP persistence for automatic end device IP address assignment
• Unauthorized User Identification
• Traffic Level Monitor with Alarms
• FactoryTalk View Faceplates
Integrated Tightly Into The Integrated Architecture
Stratix 5700 Industrial Managed Switches
The Stratix 5700: Layer 2 Managed Switches with Cisco Technology
Premiere Integration to the Integrated Architecture
• CIP interface, Studio 5000 AOP
• ControlLogix tags
• FactoryTalk View faceplates
Built with Cisco technology (IOS)
• Common feature set with Stratix 8x00
• Common IT development tools (CLI, CNA, DM, CiscoWorks)
Simple to Deploy & Maintain
• Easy integration: Default configurations, Common Smartports, DHCP per port IP addressing
• Easy maintenance: Secure Digital card for configuration backup, Diagnostics & network management tools
Compact & Scalable
• Best of Rockwell Automation & Cisco in a compact size
Stratix 5700 Configurations
• 3 base platforms offering 20 configurations
• 6, 10 & 20 port base units
– 6 copper, or 4 copper + 2 SFP slots
– 8 copper + 2 combo*
– 16 copper + 2 combo* + 2 SFP slots
• 2 Gig port option
• SFP slots support multi & single mode fiber
– Wide variety of SFPs available
– Compatible with other Cisco SFPs
• Advanced feature set to address: EtherNet/IP applications, Security, Resiliency & Redundancy
• Two software packages to choose from: Lite & Full versions
• Conformal coating option for harsh environments
• Ideal for simple to complex applications
*Combo ports can be either copper or SFP
Stratix 8000 / 8300 Industrial Managed Switches
Stratix 8000/8300 - Modular Design
• Base Module (6-port or 10-port): Data Ports 10/100 Copper; Dual Purpose Uplink Ports 10/100/1000 Copper or SFP
• Extension Module A (8-port Copper): 8 Extended Data Ports 10/100 Copper
• Extension Module B (8-port Fiber): 8 Extended Data Ports 100 Fixed Fiber
• SFP Fiber Transceiver: 100M and 1G, Multimode and Singlemode
Stratix 8300 Layer 3 Managed Switch
• Layer 3 Routing Capabilities
• Dynamic Routing Protocols such as RIP, EIGRP and OSPF
Stratix 5900 Industrial Services Router
The Stratix 5900 Security Appliance
Premiere Routing & Security Services
• Firewall
• Virtual Private Network (VPN)
• Network Address Translation (NAT)
• 1GE WAN, 4 FE LAN, 1 Serial Port
Built with Cisco technology (IOS)
• Common features of Stratix Switch
• Common IT development tools (CLI, CNA, DM, CiscoWorks, CCP)
Ruggedized with Extended Temp, Shock & Vib
• Compact Size with Din Rail Mount
• Best of Rockwell & Cisco in a compact size
Embedded Switch Technology
Embedded Switch Technology
• Embedded Switch Technology enables LINEAR and RING topologies on EtherNet/IP
• Network traffic is managed to ensure timely delivery of critical data (QoS, IGMP supported)
• Open standard (ODVA) allows 3rd party suppliers to develop compatible products
Linear
• Linear Ethernet segments greatly extend the length of the application
• No need to run cables from each device back to a centralized switch
Device-Level Ring (DLR)
• Single fault tolerant network provides resiliency
• Device level ring requires no additional hardware to implement
1783-ETAP
• The 1783-ETAP is a standalone device that allows devices (that do not support the Embedded Switch Technology) to join a linear or a DLR network.
• Other product features:
- Capable of being a Ring Supervisor in a Device Level Ring
- Managed switch functions to help manage traffic on the network (i.e.: IGMP and QoS)
- Fiber versions available in the future for long distance applications
• Device Port – used for connecting single-port Ethernet device
• Network Ports (2) – used for connecting to neighboring devices to form a linear or a ring network
DLR Enabled Products
1756-ENT2R, Point, Flex, ArmorPoint, ETAP, CompactLogix, 193-DNENCATR, 1747-AENTR, ArmorBlock, ArmorStart
Stratix 5100 Wireless Access Point
Stratix Wireless Access Points
Product
• Access Point / Work Group Bridge
• Autonomous
• Leveraging the latest 802.11N WiFi technology
– MIMO, Packet Aggregation & Spatial Multiplexing: higher performance
– 2.4GHz and 5Ghz radios: flexibility and segmentation
• Support for VLAN, QoS and RADIUS
– Segmentation, priority handling and authorization
• Backward compliant to 802.11a/b/g
• CIP enabled
– Logix for system diagnostics
– Profile & tags
Value
• Provides real-time performance for mission critical applications
• Eliminates wire & cabling to reduce installation costs
• Enables mobility and portability to people and devices
• Seamless integration within a Cisco wireless network
Typical Configurations
[Diagram residue: plant-wide architecture showing the Enterprise Zone (Enterprise Network; ERP, Email, Wide Area Network (WAN)), the Manufacturing Zone (FactoryTalk Applications and Services) and Cell/Area Zones #1–#4. Components shown: 8000 Managed Layer 2 Switch (Ring Topology); ETAP – Embedded Layer 2 Switch (Ring Topology); 6000 Managed Layer 2 Switch (Star Topology); Embedded Layer 2 Switch (Linear Topology); Mobile User; Lightweight AP (LWAP); AP as Workgroup Bridge (WGB); 5100 802.11n Dual Band Access Point; 8300 Managed Layer 3 Switch; 5900 Industrial Services Router]
Stratix Family Quick Reference
Thank you!
To learn more visit:
www.ab.com/networks
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Invisible Cost to Visible Value
Rob Price, Head of Technical Strategy
Partner & Commercial Team
April 2014
“I cannot imagine a life without…”
% of 14 – 29 year olds
Source: BITKOM – Bundesverband Informationswirtschaft, Telekommunikation und neue Medien e.V., 2010
• A mobile phone: 97%
• The Internet: 84%
• A car: 64%
• My current partner: 43%
• The 2 photos on the right are of St Peters Square during the announcement of the election of the last 2 Popes
• In just 8 years mobile devices have become ubiquitous. Everyone carries the internet in their pocket
Digital Band-Aids
Smart Pill Bottle Caps, Asthma inhalers
'Electronic Skin' Patches Monitor Health Wirelessly
• Will gather 14 ExaBytes* of data per day !!
• Will store over 1 PetaByte per day
• Transmit • Store • Analyse
*1 ExaByte = 1,000,000,000,000,000,000 Bytes
It took until 2004 for internet traffic to pass 1 Exabyte per month
XaaS
Thank you.
Control Network Security & Secure Remote Access
Guy Denis [email protected]
Rockwell Automation Alliance Manager Europe
29th April 2014
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Source of Industrial Security Incidents (Source: BCIT (2009))
• 3% Wireless System
• 7% VPN Connection
• 7% Dial-up Modem
• 7% Telco Network
• 10% Trusted Third-Party Connection (Includes Infected Laptops)
• 17% Internet Directly
• 49% Via Corporate WAN and Business Network
Average Cost of Manufacturing Downtime = $210,000 per Hour (Source: Infonetics (2005))
“includes infected laptops and is growing” – from Eric Byres, BCIT
A breakdown of Stuxnet
Ralph Langner, German control systems security consultant: http://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html
F-Secure wrap-up on Stuxnet: http://www.youtube.com/watch?v=gFzadFI7sco
• Fragile TCP/IP Stacks – NMAP, Ping Sweep lockup
• Little or no device level authentication
• Poor network design – daisy chains, hubs
• Windows based IA servers – patching, legacy OS
• Unnecessary services running – FTP, HTTP
• Open environment, no port security, no physical security of switch, Ethernet ports
• Limited auditing and monitoring of access to IA devices
• Unauthorised use of HMI, IA systems for browsing, music/movie downloads
• Lack of IT expertise in IA networks, many blind spots
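The last two weaknesses in the list (no port security, limited auditing of access to IA devices) are the ones a monitoring rule set can close cheaply. As an added example (not code from the presentation, Cisco or Rockwell Automation), a small detector run over constructed Cisco IOS-style syslog lines: it flags port-security violations, bursts of failed logins from one source, management logins over cleartext telnet, and configuration changes from hosts outside an engineering allowlist. The hostnames, addresses, timestamps and the allowlist are all constructed, and the exact message layouts are an assumption to check against your own devices' output.

```python
"""Detection rules for Cisco IOS-style syslog from plant-floor switches.

Added example, not from the presentation. Every log line below is
constructed for the example (the device name, addresses and MAC are
made up); the %FACILITY-SEVERITY-MNEMONIC layout follows the IOS
convention but is an assumption to verify against real device output.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Apr 29 10:01:02 stratix-cell1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.5.23] [localport: 23] [Reason: Login Authentication Failed] at 10:01:02 UTC Tue Apr 29 2014
Apr 29 10:01:09 stratix-cell1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.5.23] [localport: 23] [Reason: Login Authentication Failed] at 10:01:09 UTC Tue Apr 29 2014
Apr 29 10:01:15 stratix-cell1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.1.5.23] [localport: 23] [Reason: Login Authentication Failed] at 10:01:15 UTC Tue Apr 29 2014
Apr 29 10:03:40 stratix-cell1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet1/4.
Apr 29 10:05:12 stratix-cell1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: eng1] [Source: 10.1.9.10] [localport: 22] at 10:05:12 UTC Tue Apr 29 2014
Apr 29 10:06:30 stratix-cell1 %SYS-5-CONFIG_I: Configured from console by eng1 on vty0 (10.1.9.10)
Apr 29 10:08:01 stratix-cell1 %SYS-5-CONFIG_I: Configured from console by admin on vty1 (10.1.5.23)
"""

MSG_RE = re.compile(r"%(?P<facility>[A-Z_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)")
FIELD_RE = re.compile(r"\[(\w+): ([^\]]+)\]")          # "[user: admin]" style fields
PSECURE_RE = re.compile(r"MAC address (\S+) on port (\S+?)\.?$")
CONFIG_RE = re.compile(r"by (\S+) on (\S+) \(([\d.]+)\)")


def parse_line(line):
    """Split one syslog line into facility/severity/mnemonic plus bracketed fields."""
    m = MSG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["severity"] = int(ev["severity"])
    # "Mon DD HH:MM:SS" prefix; the year is absent, which is fine for ordering within one capture
    ev["ts"] = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    ev.update(FIELD_RE.findall(ev["msg"]))
    return ev


def detect(log_text, allowed_mgmt_hosts, fail_threshold=3, window_s=120):
    """Return alerts for: port-security violations, bursts of failed logins
    from one source, logins over cleartext telnet (localport 23), and
    configuration changes from hosts outside the engineering allowlist."""
    alerts = []
    failures = defaultdict(list)   # source ip -> timestamps of recent failed logins
    telnet_sources = set()         # report cleartext management once per source
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["mnemonic"] == "PSECURE_VIOLATION":
            m = PSECURE_RE.search(ev["msg"])
            if m:
                alerts.append({"kind": "port_security_violation",
                               "port": m.group(2), "mac": m.group(1)})
        elif ev["mnemonic"] in ("LOGIN_FAILED", "LOGIN_SUCCESS"):
            src = ev.get("Source")
            if ev.get("localport") == "23" and src not in telnet_sources:
                telnet_sources.add(src)
                alerts.append({"kind": "cleartext_telnet_login", "source": src})
            if ev["mnemonic"] == "LOGIN_FAILED":
                # keep only failures inside the sliding window, then add this one
                recent = [t for t in failures[src]
                          if (ev["ts"] - t).total_seconds() <= window_s]
                recent.append(ev["ts"])
                failures[src] = recent
                if len(recent) == fail_threshold:   # fire once when the threshold is crossed
                    alerts.append({"kind": "login_brute_force",
                                   "source": src, "count": len(recent)})
        elif ev["mnemonic"] == "CONFIG_I":
            m = CONFIG_RE.search(ev["msg"])
            if m and m.group(3) not in allowed_mgmt_hosts:
                alerts.append({"kind": "config_change_from_unexpected_host",
                               "user": m.group(1), "source": m.group(3)})
    return alerts


if __name__ == "__main__":
    # constructed allowlist: the one engineering workstation permitted to change config
    for alert in detect(SAMPLE_LOG, {"10.1.9.10"}):
        print(alert)
```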
Defense in Depth Approach
• Physical Security – limit physical access to authorized personnel: areas, control panels, devices, cabling, and control room – escort and track visitors
• Network Hardening – infrastructure framework – e.g. firewalls with intrusion detection and intrusion prevention systems (IDS/IPS), and integrated protection of networking equipment such as switches and routers
• End-point Hardening – patch management, antivirus software as well as removal of unused applications, protocols, and services
• Application Security – authentication, authorization, and audit software
• Device Hardening – change management and restrictive access
Figure: Defense in Depth layers – Physical, Network, Computer, Application, Device
• Security is not a bolt-on component
• Comprehensive Network Security Model for Defense-in-Depth
• Industrial Security Policy
• DMZ Implementation
• Design Remote Partner Access Policy, with robust & secure implementation
• Comprehensive information: Secure Network Architectures for Industrial Control Systems, http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
Panduit/RA Physical Layer Reference Architectures Design Guide, June ’09 (PSL-DCPL, PSL-DCJB)
Figure: Converged Plantwide Ethernet reference architecture (labels recovered from the diagram)
• Cell/Area Zone, Levels 0–2, Layer 2 access: IE3000/3010/2000 Layer 2 access switches; Cell/Area #1 (redundant star topology), Cell/Area #2 (ring topology), Cell/Area #3 (linear topology); controllers, drives, HMIs, distributed I/O. Requirements: real-time control, fast convergence, traffic segmentation and management, ease of use.
• Manufacturing Zone, Level 3, distribution and core: Cisco Catalyst 6500/4500 and Cisco Catalyst 3750X StackWise switch stack; site operations and control, SCADA application and services servers, network services. Requirements: multi-service networks, network and security management, routing.
• Demilitarized Zone (DMZ) firewalls: Cisco ASA 5500 firewall pair (active/standby) with a Gbps link for failover detection; patch management, terminal services, application mirrors, AV servers. Requirements: application and data share, access control, threat protection.
• Enterprise Network, Levels 4–5: enterprise/IT integration, collaboration, wireless, application optimization; web apps, DNS, FTP; Internet.
Defend the Industrial Edge
• Firewalling and remote access at Levels 0–2 (Layer 2 transparent mode) with industrial IPS/IDS
• Use IT-approved access and authentication
– VPN for secure remote access
– Enterprise access and authentication servers (e.g. Active Directory, RADIUS, etc.)
• ICS protocols stay home
• Control the application
– Remote access (terminal) server
– Application-level security
• No direct traffic through the firewall
• Only one path in and out of industrial: the firewalls
DMZ and Secure Remote Access Guiding Principles
Figure: Enterprise WAN and Enterprise Data Centre reach the Enterprise Zone (Levels 4 and 5) and the Internet; IPsec VPN and SSL VPN connections; Demilitarized Zone (DMZ); Manufacturing Zone (Site Manufacturing Operations and Control, Level 3); Cell/Area Zones (Levels 0–2).
Figure: Purdue Reference Model (ISA-95) with ISA-99 Industrial Security Standard zones (labels recovered from the diagram)
• Enterprise Zone: Level 5, Enterprise Network; Level 4, Site Business Planning and Logistics Network (e-mail, intranet, etc.)
• DMZ (between two firewalls; web/e-mail traffic at the upper firewall, CIP at the lower): terminal services, patch management, AV server, application mirror, web services operations, application server
• Process Control Domain, Level 3, Site Manufacturing Operations and Control: SCADA application server, SCADA directory, engineering workstation, domain controller
• Process Control Network, Level 2, Area Supervisory Control: SCADA clients, operator interfaces, engineering workstation
• Level 1, Basic Control: batch control, discrete control, drive control, continuous process control, safety control
• Level 0, Process: sensors, drives, actuators, robots
• All network traffic from either side of the DMZ terminates in the DMZ; network traffic does not directly traverse the DMZ
• Application data mirror
• No primary services are permanently housed in the DMZ
• DMZ shall not permanently house data
• No control traffic into the DMZ
• Be prepared to “turn off” access via the firewall
Figure: Enterprise Security Zone and Industrial Security Zone separated by the DMZ (replicated services), with a disconnect point on each side; no direct traffic between the zones.
1. Firewall services (segmentation, isolation)
2. Application services (behavior enforcement, application intelligence and awareness, gateway capabilities)
3. Logging and historical services (traffic, event histories)
4. Encryption and data integrity services (remote access, and secure channels for data transfer)
5. IPS/IDS services (deep packet inspection: Sourcefire and Wurldtech industrial signatures)
6. Malware detection and filtering (deep packet and URL inspection)
• I want to allow guests into the network
• I need to allow/deny iPads in my network (BYOD)
• I want to allow only authorized users access to my network
• I need a scalable way of authorizing users or devices in the network
• I need to ensure my endpoints don’t become a threat vector
• How can I set my firewall policies based on identity instead of IP addresses?
Cisco ISE services: guest lifecycle management, profiling services, posture services, authentication and authorization, security group access management, identity-based firewall
Figure: 1783-SR Secure Remote Access mapped to the zones – Enterprise Zone (Levels 4–5), DMZ (Level 3½), PCD/Manufacturing Zone (Level 3), PCN/Cell/Area Zone (Levels 0–2); Cisco components shown: VPN, VDI, WSA, IPS, ASA-CX, ASA, ISE.
Defense in Depth: security technologies applied between remote engineers and partners and plant floor applications and data
• Authentication, Authorization and Accounting
• Access Control Lists (ACLs)
• Secure Browsing (HTTPS)
• Intrusion Protection and Detection
• Remote Terminal Session
• Application Security
• VLANs
Typical Functions of Secure Routing Platform
© 2014 Cisco and/or its affiliates. All rights reserved.
NAT connecting machines with overlapping address space
Figure: Machine #1 and Machine #2 both use 192.168.1.0/24 (overlapping address space); a Stratix 5900 in front of each machine performs NAT.
Zone-based Policy Firewall (ZFW)
Figure: ZFW1 with interfaces Int 1–4; zone TRUSTED (Client1, Client2) and zone UNTRUSTED (Server, Internet); zone-policy OUTBOUND applied from TRUSTED to UNTRUSTED.
• Zone: set of interfaces that share a certain “trust level”
• Policies define rules between zones
• ZFW policies are unidirectional: source >> destination
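The unidirectional zone-pair model described above, applied to the DMZ guiding principles listed earlier (traffic terminates in the DMZ, no control traffic into it), as an added Python example; it is not code from the slides or from Cisco IOS. Zone names, ports and flows are constructed for illustration; 44818/tcp and 2222/udp are the standard EtherNet/IP (CIP) ports.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# EtherNet/IP explicit (TCP 44818) and implicit I/O (UDP 2222) messaging: "control traffic"
CIP_PORTS = {("tcp", 44818), ("udp", 2222)}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


@dataclass
class ZoneFirewall:
    """Zones group interfaces; policy attaches to a (source, destination) zone pair."""
    pairs: Dict[Tuple[str, str], List[Tuple[str, int]]] = field(default_factory=dict)

    def permit(self, src: str, dst: str, proto: str, dport: int) -> None:
        self.pairs.setdefault((src, dst), []).append((proto, dport))

    def decide(self, f: Flow) -> str:
        if f.src_zone == f.dst_zone:
            return "pass"       # traffic within one zone is not subject to zone-pair policy
        rules = self.pairs.get((f.src_zone, f.dst_zone))
        if rules is None:
            return "drop"       # no zone pair defined in this direction: implicit drop
        return "inspect" if (f.proto, f.dport) in rules else "drop"


def build_dmz_policy() -> ZoneFirewall:
    """Constructed zone pairs following the DMZ guiding principles (ports are examples)."""
    fw = ZoneFirewall()
    fw.permit("ENTERPRISE", "DMZ", "tcp", 3389)   # terminal services replicated in the DMZ
    fw.permit("ENTERPRISE", "DMZ", "tcp", 443)    # application mirror / web services
    fw.permit("INDUSTRIAL", "DMZ", "tcp", 1433)   # historian pushes data up to the mirror
    fw.permit("DMZ", "INDUSTRIAL", "tcp", 443)    # patch / AV distribution down from the DMZ
    return fw                                     # deliberately no ENTERPRISE<->INDUSTRIAL pair


def violations(fw: ZoneFirewall) -> List[str]:
    """Audit a policy: no zone pair that crosses the DMZ directly, no CIP into the DMZ."""
    found = []
    for (src, dst), rules in fw.pairs.items():
        if {src, dst} == {"ENTERPRISE", "INDUSTRIAL"}:
            found.append(f"direct zone pair {src}->{dst} bypasses the DMZ")
        if dst == "DMZ" and CIP_PORTS & set(rules):
            found.append(f"control traffic permitted {src}->DMZ")
    return found
```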
Virtual Private Networks (VPNs)
1783-SR/ISR819 Software Features - Security
Secure Connectivity:
• Secure Sockets Layer (SSL) VPN for secure remote access
• Hardware-accelerated DES, 3DES, AES 128, AES 192, and AES 256
• Public-key-infrastructure (PKI) support
• 20 IPsec tunnels
• Cisco Easy VPN Client and Server
• Network Address Translation (NAT) transparency
• Dynamic Multipoint VPN (DMVPN)
• Tunnel-less Group Encrypted Transport VPN
• IPsec stateful failover
• VRF-aware IPsec
• IPsec over IPv6
• Adaptive control technology
• Session Initiation Protocol (SIP) application layer gateway
Cisco IOS Firewall:
• Zone-Based Policy Firewall
• VRF-aware stateful inspection routing firewall
• Stateful inspection transparent firewall
• Advanced application inspection and control
• Secure HTTP (HTTPS), FTP, and Telnet Authentication Proxy
• Dynamic and static port security
• Firewall stateful failover
• VRF-aware firewall
Content Filtering:
• Subscription-based content filtering with Trend Micro
• Support for Websense and SmartFilter
• Cisco IOS Software black and white lists
Integrated Threat Control:
• Intrusion prevention system (IPS)
• Control Plane Policing
• Flexible Packet Matching
• Network foundation protection
These features allow highly secure, highly flexible, scalable remote access solutions, configurable via web GUI wizards, for small to medium sized deployments.
• Stand-alone Remote Industrial Application. Example: remote site
Figure: plant engineer, skid builder and system integrator at a remote site connect across the WAN through a remote site WAN router and a plant site WAN router; a 1783-SR/819 ISR at the remote end carries IPsec to the plant, repeated for many remote sites.
Requirements:
• Connection out from the plant, direct access
• Little to no IT support, little to no alignment with Industrial Automation and Control System security standards
Potential Solution:
• IPsec VPN, DMVPN, FlexVPN – ASA 5515 and/or ISR 819
• No VPN client needs to be installed on the remote client
• Access to the internal network through one point of entry
• Uses a standard web browser, platform independent: Internet Explorer, Firefox
• Can access web applications over HTTP and HTTPS, Common Internet File System (CIFS), File Transfer Protocol (FTP)
• Client-server plug-ins for Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), Secure Shell (SSH) access, Telnet and Citrix
• The VPN appliance gives a web-based look and feel for application access (customizable) through a content rewrite process
Figure: Secure remote access architecture (labels recovered from the diagram). A remote engineer or partner and an enterprise-connected engineer reach the Enterprise Zone (Levels 4 and 5; Enterprise WAN, Enterprise Data Center, Internet) through the enterprise edge firewall using the Cisco VPN client, IPsec VPN or SSL VPN over HTTPS. The Demilitarized Zone (DMZ) holds the Cisco ASA 5500 firewalls (active/standby, Gbps link for failover detection), Catalyst 6500/4500, patch management, terminal services, application mirror, AV server and the remote access server (RSLogix 5000, FactoryTalk View Studio) reached over Remote Desktop Protocol (RDP). The Manufacturing Zone (Site Manufacturing Operations and Control, Level 3) holds the Catalyst 3750 StackWise switch stack, FactoryTalk application servers (View, Historian, AssetCentre, Transaction Manager), FactoryTalk Services Platform (Directory, Security/Audit) and data servers; the Cell/Area Zones (Levels 0–2) use EtherNet/IP.
1. Remote engineer or partner establishes a VPN to the corporate network; access is restricted to the IP address of the plant DMZ firewall
2. Portal on the plant firewall enables access to IACS data, files and applications
– Intrusion protection system (IPS) on the plant firewall detects and protects against attacks from the remote host
3. Firewall proxies a client session to the remote access server
4. Access to applications on the remote access server is restricted to specified plant floor IACS resources through IACS application security
21 Steps to securing a SCADA network
http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf
1. Identify all connections to SCADA networks
2. Disconnect unnecessary connections to the SCADA network
3. Evaluate and strengthen the security of any remaining connections to the SCADA network
4. Harden SCADA networks by removing or disabling unnecessary services
5. Do not rely on proprietary protocols to protect your system
6. Implement the security features provided by device and system vendors
7. Establish strong controls over any medium that is used as a backdoor into the SCADA network
8. Implement internal and external intrusion detection systems and establish 24-hour-a-day incident monitoring
9. Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns
10. Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security
11. Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios
12. Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and users
13. Document network architecture and identify systems that serve critical functions or contain sensitive information that require additional levels of protection
14. Establish a rigorous, ongoing risk management process
15. Establish a network protection strategy based on the principle of defense-in-depth
16. Clearly identify cyber security requirements
17. Establish effective configuration management processes
18. Conduct routine self-assessments
19. Establish system backups and disaster recovery plans
20. Senior organizational leadership should establish expectations for cyber security performance and hold individuals accountable for their performance
21. Establish policies and conduct training to minimize the likelihood that organizational personnel will inadvertently disclose sensitive information regarding SCADA system design, operations, or security controls
www.shodanhq.com