PUBLIC
Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 1
T83 - Identity and Mobility in Converged Plantwide Ethernet (CPwE) Architectures
Introduction
This presentation is an overview of the joint solutions from Cisco Systems and Rockwell Automation:
• Deploying Identity Services within a Converged Plantwide Ethernet Architecture Design and Implementation Guide: ENET-TD008
• Deploying Wireless LAN Technology within a CPwE Architecture Design and Implementation Guide: ENET-TD006
• Location Based Services within a Converged Plantwide Ethernet Architecture Whitepaper: ENET-WP012
Agenda
• IoT Security Overview
• Identity Services in CPwE
• Application Use Cases
• Additional Resources
Customer IoT Security Concerns
• Legacy OT “things”: visibility of what’s out there
• Device access restrictions
• Controlling device communications
• Device connectivity and autonomous conditions
• Simplifying IT/OT management for a unified view
IoT Threat Defense Priorities (diagram)
• Visibility & Analysis: Umbrella, Stealthwatch, ISE / TrustSec, Cognitive Threat Analytics
• Segmentation: NGFW, ISE / TrustSec, Cognitive Threat Analytics
• Remote Access: AnyConnect
• Security Services: Risk Assessment, Secure Operations, Incident Response
Cisco IoT Threat Defense Components
Visibility & Analysis
• ISE - Profile devices
• Stealthwatch - Visibility of data and traffic
• Umbrella - Visibility and blocking of malicious traffic
• CTA - Threat analytics to assess threat
Segmented Access Control
• FP NGFW - Segment IT and OT environments
• TrustSec - Segment OT devices in the IT network
• CTA & ISE - Quarantine dangerous devices
• Switches – Dynamic segmentation enforcement
Secure Remote Access
• AnyConnect - Secure connection into OT network
• AnyConnect - Prevent threat into OT environment
IoT Security Services
• Risk assessment for baseline
• Deployment and migration
• Incident response service for breach situations
Convergence of IT and OT
Before: rigid silos between IT and OT
IT
• Helps protect IT assets
• Confidentiality, Integrity, Availability
• Data, Voice, Video
• Network authentication
• Threat detection
OT
• Operations uptime / Safety
• High Availability, Integrity, Confidentiality
• Control protocols / Motion
• Physical access
• Process anomalies
Cyber security IT/OT convergence
• Security risk assessment
• Asset visibility across IT/OT
• Segmented access control
• Evolving security regulations
• Remote access
Cisco Identity Services Engine (ISE): Delivering Visibility, Context, and Control to Secure Network Access
NETWORK / USER CONTEXT: Who, What, Where, When, How
DEVICE PROFILING FEED SERVICE
REDUCE NETWORK UNKNOWNS AND APPLY THE RIGHT LEVEL OF SECURE ACCESS CONSISTENTLY ACROSS WIRED, WIRELESS and VPN
Access types: Employee access, Contractor + Vendor, Guest access
Secure Access: Consolidating Access for Employees / Contractors / Vendors
• Who? Employee, Attacker, Guest
• What? Personal device, Company asset
• How? Wired, Wireless, VPN
• Where? @ Plant 1, Zone 2; Headquarters
• When? Weekends (8:00 a.m. – 5:00 p.m.) PST
Distributed ISE in CPwE Architecture (network diagram)
Zones shown: Enterprise Zone (Levels 4–5) with Enterprise External DMZ / Firewall and Cloud; Industrial Demilitarized Zone (IDMZ) with firewalls and Remote Access Server; Industrial Zone (Levels 0–3, plant-wide network) with core switches, distribution switches and Level 3 Site Operations (control room); Cell/Area Zones (Levels 0–2) in linear/bus/star topology and in a Device Level Ring (DLR) topology, each with access switches and an industrial firewall (IFW).
Wireless shown: Autonomous Wireless LAN (AP with 5 GHz SSID, workgroup bridge (WGB)) and Unified Wireless LAN (LWAP with 2.4 GHz SSID, Wireless LAN Controller (WLC)).
Devices shown: controller, safety controller, safety I/O, I/O, drive, servo drive, soft starter, robot, instrumentation and HMI.
Identity components shown: ISE PAN / MnT, ISE PSNs and MDM server.
Distributed ISE roles: PAN – Policy Administration Node; MnT – Monitoring Node; PSN – Policy Service Node; MDM – Mobile Device Management.
Mobile Device Policies
• Limited Access: access exclusively for corporate-issued devices. Authentication / authorization: user credentials, device certificate, whitelist.
• Enhanced Access: access for corporate-issued and personal devices (BYOD); on-boarding process, self-registration. Authentication / authorization: user credentials, device certificate, device type, whitelist.
• Advanced Access: access for corporate-issued and personal devices (BYOD); posture of the device through third-party Mobile Device Managers (MDMs).
• Location Based Services: additional authorization based on device location; access to Industrial Zone only when on site.
Limited Access
• Corporate devices have pre-installed digital certificates
• ISE grants access to the network based on the device’s certificate and the whitelist
• Devices can further be provided access according to the AD group
• Devices can be denied access if:
  • Missing / invalid certificate
  • User in the wrong group
  • User account disabled
  • Not a part of the whitelist
  • Device type / OS is not allowed (profiling)
Enhanced Access (BYOD)
• Personal devices are on-boarded using a self-registration portal to receive digital certificates
• The personal devices are provided different access levels based on authentication and authorization rules
• Devices can be denied access if:
  • Missing / invalid certificate
  • User in the wrong group
  • User account disabled
  • Not a part of the whitelist / not registered
  • Device type / OS is not allowed (profiling)
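The Limited and Enhanced Access rules above can be exercised as a small policy evaluator. The following block is an added illustration, not code from this deck, from Rockwell Automation or from Cisco ISE: it applies the same deny conditions (certificate, AD group, account state, whitelist or BYOD registration, profiling result) to constructed endpoint records and, on success, returns the authorization result as a VLAN and dACL name, which is what ISE would hand back to the switch or WLC in RADIUS attributes. The group names, VLAN ids, dACL names, MAC addresses and profile strings are invented placeholders.

```python
"""ISE-style authorization for the Limited and Enhanced Access policies.

Added illustration; not code from this deck, from Rockwell Automation or from
Cisco ISE. ISE evaluates these conditions on a live RADIUS/EAP session; here
they run on a small constructed endpoint record so each deny reason on the
slides can be exercised offline. Group names, VLAN ids, dACL names, MACs and
profile strings are invented placeholders.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Constructed policy data (placeholders, not a real deployment).
WHITELIST = {"00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"}       # corporate MAC whitelist
ALLOWED_PROFILES = {"Windows10-Workstation", "Apple-iPad", "Android"}
GROUP_RESULT = {                                               # AD group -> authorization result
    "CPwE-Maintenance": {"vlan": 110, "dacl": "PERMIT_MAINT"},
    "CPwE-Operators":   {"vlan": 120, "dacl": "PERMIT_OPS_HMI"},
}
TODAY = date(2018, 6, 1)                                       # constructed evaluation date


@dataclass
class Endpoint:
    mac: str
    user: str
    ad_group: Optional[str]
    account_enabled: bool
    cert_subject: Optional[str]        # None = no certificate presented
    cert_not_after: Optional[date]
    cert_issuer_trusted: bool          # chains to the corporate PKI
    profile: str                       # ISE profiling result
    corporate_issued: bool
    byod_registered: bool = False      # set by the self-registration portal


@dataclass
class Decision:
    permit: bool
    reasons: List[str] = field(default_factory=list)
    vlan: Optional[int] = None
    dacl: Optional[str] = None


def authorize(ep: Endpoint, level: str, today: date = TODAY) -> Decision:
    """Access decision for policy level 'limited' or 'enhanced'."""
    reasons: List[str] = []
    # Certificate present, trusted and unexpired (what EAP-TLS would verify)
    if (ep.cert_subject is None or not ep.cert_issuer_trusted
            or (ep.cert_not_after is not None and ep.cert_not_after < today)):
        reasons.append("missing / invalid certificate")
    # Account state and AD group membership
    if not ep.account_enabled:
        reasons.append("user account disabled")
    if ep.ad_group not in GROUP_RESULT:
        reasons.append("user in the wrong group")
    # Whitelist: Limited admits whitelisted corporate devices only;
    # Enhanced also admits personal devices that completed self-registration
    if level == "limited":
        if not ep.corporate_issued or ep.mac not in WHITELIST:
            reasons.append("not a part of the whitelist")
    elif level == "enhanced":
        if ep.mac not in WHITELIST and not ep.byod_registered:
            reasons.append("not a part of the whitelist / not registered")
    else:
        raise ValueError(f"unknown policy level {level!r}")
    # Profiling result
    if ep.profile not in ALLOWED_PROFILES:
        reasons.append("device type / OS is not allowed (profiling)")
    if reasons:
        return Decision(False, reasons)
    result = GROUP_RESULT[ep.ad_group]
    return Decision(True, [], result["vlan"], result["dacl"])


# Constructed endpoints
CORPORATE_LAPTOP = Endpoint("00:11:22:33:44:55", "jdoe", "CPwE-Maintenance", True,
                            "CN=corp-laptop-17", date(2026, 1, 1), True,
                            "Windows10-Workstation", corporate_issued=True)
PERSONAL_TABLET = Endpoint("de:ad:be:ef:00:01", "asmith", "CPwE-Operators", True,
                           "CN=asmith-ipad", date(2026, 6, 1), True,
                           "Apple-iPad", corporate_issued=False, byod_registered=True)
EXPIRED_CERT = Endpoint("aa:bb:cc:dd:ee:01", "rlee", "CPwE-Maintenance", True,
                        "CN=corp-laptop-03", date(2017, 1, 1), True,
                        "Windows10-Workstation", corporate_issued=True)

if __name__ == "__main__":
    for ep in (CORPORATE_LAPTOP, PERSONAL_TABLET, EXPIRED_CERT):
        for level in ("limited", "enhanced"):
            d = authorize(ep, level)
            print(f"{ep.user:7} {level:9} permit={d.permit} vlan={d.vlan} dacl={d.dacl} {d.reasons}")
```

Running the block shows the registered personal tablet being refused under Limited Access (whitelist only) and admitted under Enhanced Access, while the expired corporate certificate is refused under both; every deny carries the list of reasons rather than the first one found, which is the view an operator wants in the ISE live log.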
Advanced Access – MDM Posture
• In addition to the Enhanced Access use case, a Mobile Device Manager (MDM) is used to manage and secure mobile endpoints
• The integration between ISE and MDMs is through a REST API
• ISE queries the MDM for additional compliance and posture attributes:
  • OS version / patches
  • Approved software
  • Malware detection / removal
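To show how the MDM posture attributes listed above turn into an access decision, here is an added example that is not code from this deck, from Cisco ISE or from any MDM vendor. The slide only states that ISE queries the MDM over a REST API; the JSON body, field names, policy thresholds, bundle ids and MAC addresses below are invented placeholders standing in for whatever a given MDM returns, and the REST call itself is replaced by a lookup into constructed responses.

```python
"""MDM posture check for the Advanced Access use case.

Added example; not code from the deck, from Cisco ISE or from an MDM vendor.
The REST exchange is simulated with constructed JSON bodies; the attribute
names and the thresholds in POSTURE_POLICY are invented placeholders.
"""
import json
from typing import Dict, List, Tuple

# Constructed posture policy: minimum OS per platform, approved apps, patch window.
POSTURE_POLICY = {
    "min_os": {"iOS": (11, 4), "Android": (8, 0)},
    "approved_apps": {"com.example.ftviewpoint", "com.example.ft-teamone"},
    "max_patch_age_days": 30,
}

# Constructed bodies standing in for the MDM's REST responses, keyed by MAC.
FAKE_MDM_API: Dict[str, str] = {
    "de:ad:be:ef:00:01": json.dumps({
        "platform": "iOS", "os_version": "12.1",
        "days_since_last_patch": 12,
        "installed_apps": ["com.example.ftviewpoint"],
        "malware_detected": False, "mdm_enrolled": True,
    }),
    "de:ad:be:ef:00:02": json.dumps({
        "platform": "Android", "os_version": "7.1.2",
        "days_since_last_patch": 95,
        "installed_apps": ["com.example.ft-teamone", "com.example.flashlight-free"],
        "malware_detected": True, "mdm_enrolled": True,
    }),
}


def query_mdm(mac: str) -> dict:
    """Stand-in for the ISE -> MDM REST call; returns the parsed JSON body."""
    body = FAKE_MDM_API.get(mac)
    if body is None:
        return {"mdm_enrolled": False}       # MDM has never seen this device
    return json.loads(body)


def parse_version(v: str) -> Tuple[int, ...]:
    """'7.1.2' -> (7, 1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def evaluate_posture(attrs: dict, policy: dict = POSTURE_POLICY) -> Tuple[bool, List[str]]:
    """Return (compliant, findings) from the three attribute groups on the slide."""
    findings: List[str] = []
    if not attrs.get("mdm_enrolled", False):
        return False, ["device not enrolled in MDM"]
    # OS version / patches
    min_os = policy["min_os"].get(attrs["platform"])
    if min_os is None:
        findings.append(f"platform {attrs['platform']} not permitted")
    elif parse_version(attrs["os_version"]) < min_os:
        findings.append(f"OS {attrs['os_version']} below minimum")
    if attrs["days_since_last_patch"] > policy["max_patch_age_days"]:
        findings.append("patches out of date")
    # Approved software: anything outside the approved set is a finding
    unapproved = sorted(set(attrs["installed_apps"]) - policy["approved_apps"])
    if unapproved:
        findings.append("unapproved software: " + ", ".join(unapproved))
    # Malware detection / removal
    if attrs["malware_detected"]:
        findings.append("malware detected")
    return (not findings), findings


def advanced_access(mac: str, network_authorized: bool) -> str:
    """Advanced Access = Enhanced Access result AND MDM compliance."""
    if not network_authorized:
        return "deny"
    compliant, _ = evaluate_posture(query_mdm(mac))
    return "permit" if compliant else "deny"


if __name__ == "__main__":
    for mac in ("de:ad:be:ef:00:01", "de:ad:be:ef:00:02", "00:00:00:00:00:00"):
        print(mac, evaluate_posture(query_mdm(mac)))
```

The point of parsing the version into a tuple is the usual one: a string comparison would rank "7.1.2" above "12.1", and a posture rule written that way silently admits the out-of-date device.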
Location Based Services (LBS) Architecture (diagram)
• Open ecosystem
• Scalable infrastructure
• Track any Wi-Fi device or tag
• Chokepoint integration
• Single pane of glass for cockpit dashboard
Layers shown: Device (Wi-Fi client or tag, chokepoint); Wireless Infrastructure (access points, Wireless LAN Controller, Mobility Services Engine); Applications and Management (Cisco Prime™ Network, Cisco® Identity Services Engine (ISE), Cisco Kinetic, partner applications); enterprise network.
Location Based Services (diagram: Wireless LAN Controllers (WLC), Cisco Prime, Mobility Service Engine, NMSP, LWAPs and an associated client)
• Integration of MSE (Mobility Service Engine) with ISE for location-based authorization
• MSE is managed by Prime Infrastructure for configuration, maps creation, and WLC assignment
• MSE communicates with the WLC using the NMSP protocol
• WLC sends Received Signal Strength Indication (RSSI) and other data from APs for connected clients
• MSE calculates the client’s location
• Devices have access if the user is authorized and located in range
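The chain on this slide (APs report RSSI to the WLC, the MSE turns the RSSI set into a position, ISE grants access only when the user is authorized and the position is in range) can be run end to end on constructed numbers. The block below is an added example, not code from this deck or from Cisco MSE/ISE, whose real algorithms and maps are not described here: it uses a textbook log-distance path-loss model to turn RSSI into range and a Gauss-Newton least-squares fit for the position, then a point-in-polygon test for the "on site" check. The AP coordinates, path-loss constants and zone polygon are invented.

```python
"""RSSI-based client location and in-range authorization.

Added example, not code from the deck or from Cisco MSE/ISE. Uses a
log-distance path-loss model and 2-D Gauss-Newton trilateration; AP map,
radio constants and the Industrial Zone polygon are constructed values.
"""
import math
from typing import Dict, List, Optional, Tuple

Point = Tuple[float, float]

# Constructed radio model: reference RSSI at 1 m and path-loss exponent.
RSSI_AT_1M = -40.0
PATH_LOSS_N = 2.5

# Constructed AP map (metres) and the Industrial Zone floor polygon.
AP_POSITIONS: Dict[str, Point] = {
    "ap-line1": (0.0, 0.0), "ap-line2": (30.0, 0.0),
    "ap-line3": (0.0, 30.0), "ap-line4": (30.0, 30.0),
}
INDUSTRIAL_ZONE: List[Point] = [(0.0, 0.0), (30.0, 0.0), (30.0, 30.0), (0.0, 30.0)]


def rssi_to_distance(rssi: float) -> float:
    """Invert the log-distance model rssi = P0 - 10 n log10(d)."""
    return 10 ** ((RSSI_AT_1M - rssi) / (10 * PATH_LOSS_N))


def distance_to_rssi(d: float) -> float:
    """Forward model; used only to construct sample measurements."""
    return RSSI_AT_1M - 10 * PATH_LOSS_N * math.log10(d)


def locate(rssi_by_ap: Dict[str, float], iters: int = 25) -> Optional[Point]:
    """Least-squares position from >= 3 AP RSSI reports (Gauss-Newton in 2-D)."""
    aps = [(AP_POSITIONS[n], rssi_to_distance(r))
           for n, r in rssi_by_ap.items() if n in AP_POSITIONS]
    if len(aps) < 3:
        return None                      # under-determined: no fix, like an MSE with too few APs
    x = sum(p[0] for p, _ in aps) / len(aps)   # start at the centroid of the reporting APs
    y = sum(p[1] for p, _ in aps) / len(aps)
    for _ in range(iters):
        # Accumulate the normal equations (J^T J) step = -J^T r for a 2x2 system
        a11 = a12 = a22 = b1 = b2 = 0.0
        for (ax, ay), d in aps:
            dx, dy = x - ax, y - ay
            norm = max(math.hypot(dx, dy), 1e-9)
            r = norm - d                             # range residual
            jx, jy = dx / norm, dy / norm            # d(norm)/dx, d(norm)/dy
            a11 += jx * jx; a12 += jx * jy; a22 += jy * jy
            b1 -= jx * r; b2 -= jy * r
        det = a11 * a22 - a12 * a12
        if abs(det) < 1e-12:
            break
        sx = (b1 * a22 - a12 * b2) / det             # Cramer's rule
        sy = (a11 * b2 - a12 * b1) / det
        x, y = x + sx, y + sy
        if math.hypot(sx, sy) < 1e-6:
            break
    return (x, y)


def in_zone(p: Point, poly: List[Point]) -> bool:
    """Ray-casting point-in-polygon test."""
    (px, py), inside = p, False
    for i in range(len(poly)):
        (x1, y1), (x2, y2) = poly[i], poly[(i + 1) % len(poly)]
        if (y1 > py) != (y2 > py):
            x_cross = x1 + (py - y1) * (x2 - x1) / (y2 - y1)
            if px < x_cross:
                inside = not inside
    return inside


def location_authorized(user_authorized: bool, rssi_by_ap: Dict[str, float]) -> bool:
    """Slide rule: access only if the user is authorized AND located in range."""
    if not user_authorized:
        return False
    fix = locate(rssi_by_ap)
    return fix is not None and in_zone(fix, INDUSTRIAL_ZONE)


def measurements_for(true_pos: Point) -> Dict[str, float]:
    """Construct the RSSI set the WLC would forward for a client at true_pos."""
    return {n: distance_to_rssi(math.hypot(true_pos[0] - p[0], true_pos[1] - p[1]))
            for n, p in AP_POSITIONS.items()}


if __name__ == "__main__":
    for pos in ((8.0, 12.0), (40.0, 40.0)):
        m = measurements_for(pos)
        print(pos, "->", locate(m), "authorized:", location_authorized(True, m))
```

Two things the numbers make visible: with fewer than three reporting APs there is no fix at all, which is one reason the later Hyperlocation slide insists on dense AP placement, and the zone check is only as good as the map polygon, so an inaccurate floor plan turns into an authorization error.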
Location Based Services: Hyperlocation
Modular components. What is Hyperlocation?
• Indoor Wi-Fi client location solution
• Accuracy of ≈ ±1–3 meters (50% confidence) vs. RSSI ≈ ±5–7 m
• Data RSSI & Angle of Arrival (AoA) vs. probe RSSI
• No client application needed
• Clients MUST be associated to the access point
• Requires dense AP placement and accurate maps
Identity Services in CPwE: Employee / Vendor Wireless Access – Industrial Zone (network diagram)
Elements shown: Enterprise Zone (Levels 4–5) with Enterprise External DMZ / Firewall and Cloud; Industrial Demilitarized Zone (IDMZ) firewalls; Industrial Zone (Levels 0–3, plant-wide network) with core switches, distribution switch and Level 3 Site Operations (control room); Cell/Area Zone (Levels 0–2) with controller, industrial firewall (IFW) and LWAP; WLCs, ISE PSN, ISE PAN / MnT, AD / PKI and MDM server. The client associates to SSID Maintenance and receives a dACL.
• Access based on AD group and/or certificate
• Dynamic Access Control List (dACL) and VLAN
Identity Services in CPwE: Employee Wireless Access – Enterprise Zone (network diagram)
Elements shown: Enterprise Zone (Levels 4–5) with Enterprise External DMZ / Firewall and Cloud; Industrial Demilitarized Zone (IDMZ) firewalls; Industrial Zone (Levels 0–3, plant-wide network) with core switches, distribution switch and Level 3 Site Operations (control room); Cell/Area Zone (Levels 0–2) with controller, industrial firewall (IFW) and LWAP; WLCs, ISE PSN, ISE PAN / MnT, AD / PKI and MDM server. The client associates to SSID Corporate and receives a dACL.
• Access based on AD group and/or certificate
• Dynamic Access Control List (dACL) and VLAN
• Secure tunnel to Enterprise
Identity Services in CPwE: Vendor / Guest Wireless Access – Guest DMZ (network diagram)
Elements shown: Enterprise Zone (Levels 4–5) with Enterprise External DMZ / Firewall and Cloud; Industrial Demilitarized Zone (IDMZ) firewalls; Industrial Zone (Levels 0–3, plant-wide network) with core switches, distribution switch and Level 3 Site Operations (control room); Cell/Area Zone (Levels 0–2) with controller, industrial firewall (IFW) and LWAP; WLCs, ISE PSN, ISE PAN / MnT, AD / PKI and MDM server. The client associates to SSID Guest and receives a dACL.
• Access based on AD group and/or certificate
• Dynamic Access Control List (dACL) and VLAN
• Secure tunnel to Guest DMZ
Identity Services in CPwE: Employee / Vendor Wireless Access – Autonomous WLAN (network diagram)
Elements shown: Enterprise Zone (Levels 4–5) with Enterprise External DMZ / Firewall and Cloud; Industrial Demilitarized Zone (IDMZ) firewalls; Industrial Zone (Levels 0–3, plant-wide network) with core switches, distribution switch and Level 3 Site Operations (control room); Cell/Area Zone (Levels 0–2) with controller, industrial firewall (IFW) and LWAP; RADIUS server (ex.: Cisco ISE, Microsoft NPS) and AD / PKI. SSID Maintenance is mapped to ACL1 and SSID OEM to ACL2.
• Access based on AD group and/or certificate
• Static ACL and VLAN
• More secure than WPA2-PSK
Identity Services in CPwE: Employee / Vendor Wired Access – Cell/Area Zone (network diagram)
Elements shown: Enterprise Zone (Levels 4–5) with Enterprise External DMZ / Firewall and Cloud; Industrial Demilitarized Zone (IDMZ) firewalls and Remote Access Server (RAS); Industrial Zone (Levels 0–3, plant-wide network) with core switches, distribution switch and Level 3 Site Operations (control room); Cell/Area Zone (Levels 0–2) with controller, industrial firewall (IFW) and LWAP; WLCs, ISE PSN, ISE PAN / MnT, AD and MDM server. The wired client receives a dACL.
• Access based on AD group and/or certificate
• Dynamic Access Control List (dACL) and VLAN
Mobile HMI – Plant Personnel (diagram: Enterprise Zone, Industrial Demilitarized Zone (IDMZ), Industrial Zone with Level 3 Site Operations and Cell/Area Zone; Cisco ISE, WLC, LWAP, IFW; FactoryTalk® servers, RDP server and HMI terminal)
Clients shown: FactoryTalk® View SE client, FactoryTalk® ViewPoint client, FactoryTalk® Batch Mobile, thin client (RDP), VNC client
1. User connects to Industrial SSID, dynamic ACL / VLAN is applied
2. Access to the FactoryTalk® servers and RDP server in Site Operations
3. Access to the HMI Terminal in Cell/Area Zone
• FactoryTalk® Security: application-level security to complement network security
• Restrict read-write access: dedicated on-premise devices, no cellular access
Mobile Analytics – Plant Personnel (diagram: Enterprise Zone, Industrial Demilitarized Zone (IDMZ), Industrial Zone with Level 3 Site Operations and Cell/Area Zone; Cisco ISE, WLC, LWAP, IFW; FactoryTalk® VantagePoint® server, FactoryTalk® Analytics for Devices, FactoryTalk® VantagePoint® client, analytics user, Internet and FactoryTalk® Cloud)
1. User connects to Industrial SSID, dynamic ACL / VLAN is applied
2. Access to FactoryTalk® VantagePoint® server in Site Operations
3. Access to the FactoryTalk® Analytics for Devices (“Shelby”)
4. Access to the FactoryTalk® Cloud analytics – web traffic must be inspected and/or proxied
ThinManager® Software for Mobile Devices (diagram: Enterprise Zone, Industrial Demilitarized Zone (IDMZ), Industrial Zone with Level 3 Site Operations and Cell/Area Zone; Cisco ISE, WLC, anchor WLC, LWAP, IFW, reverse web proxy; ThinManager® server, ThinManager® clients, RDP server, HMI terminal and IP camera)
1. User connects to Industrial SSID, dynamic ACL / VLAN is applied
2. Access to ThinManager® server in Site Operations
3. RDP content (for example, FactoryTalk® View SE application)
4. VNC server content (for example, HMI terminal)
5. Video streaming from IP camera
Right content to the right person at the right place with location-based mobility.
Mobile HMI – Corporate User (diagram: Enterprise Zone, Industrial Demilitarized Zone (IDMZ), Industrial Zone with Level 3 Site Operations and Cell/Area Zone; Cisco ISE, WLC, anchor WLC, LWAP, IFW, reverse web proxy; FactoryTalk® ViewPoint server and FactoryTalk® ViewPoint client)
1. User connects to Corporate SSID, secure tunnel to Enterprise WLC
2. Access to FactoryTalk® ViewPoint server via reverse web proxy
Mobile Analytics – Corporate User (diagram: Enterprise Zone, Industrial Demilitarized Zone (IDMZ), Industrial Zone with Level 3 Site Operations and Cell/Area Zone; Cisco ISE, WLC, anchor WLC, LWAP, IFW, reverse web proxy; FactoryTalk® VantagePoint® server (Enterprise), FactoryTalk® VantagePoint® server (Industrial), FactoryTalk® VantagePoint® client, analytics user, Internet and FactoryTalk® Cloud)
1. User connects to Corporate SSID, secure tunnel to Enterprise WLC
2. Access to FactoryTalk® VantagePoint® server (Enterprise)
3. Access to FactoryTalk® VantagePoint® server (Industrial) via reverse web proxy
4. Access to the FactoryTalk® Cloud analytics – web traffic must be inspected and/or proxied
FactoryTalk® TeamONE™ – the App for Productivity
FactoryTalk® TeamONE™ – Isolated IACS Network (diagram: Industrial Zone Network, IDMZ, Enterprise Zone Network, FactoryTalk® Cloud)
Diagnostic modules: Connect, Device Health, Trend, Alarms, Shelby Action Cards (future)
Collaboration modules: Chat, Incident, Pinboard / Teamboard, Knowledgebase, team join / switch, app updates
FactoryTalk® TeamONE™ – Converged Network (diagram: Industrial Zone Network, IDMZ with cloud traffic inspection and proxy, Enterprise Zone Network, FactoryTalk® Cloud)
Diagnostic modules: Connect, Device Health, Trend, Alarms, Shelby Action Cards (future)
Collaboration modules: Chat, Incident, Pinboard / Teamboard, Knowledgebase, team join / switch, app updates
FactoryTalk® TeamONE™ – Diagnostic Modules (diagram: Enterprise Zone, Industrial Demilitarized Zone (IDMZ), Industrial Zone with Level 3 Site Operations and Cell/Area Zone; Cisco ISE, WLC, LWAP, IFW; FactoryTalk® Alarms & Events server, FactoryTalk® Analytics for Devices, FactoryTalk® TeamONE™ users, Internet and FactoryTalk® Cloud)
1. Client connects to Industrial SSID, dynamic ACL / VLAN is applied
2. Access to devices in Cell/Area Zone for diagnostics
3. Access to the FactoryTalk® Alarms & Events server
4. Access to the FactoryTalk® Analytics for Devices
FactoryTalk® TeamONE™ – Collaboration Modules (diagram: Enterprise Zone, Industrial Demilitarized Zone (IDMZ), Industrial Zone with Level 3 Site Operations and Cell/Area Zone; Cisco ISE, WLC, anchor WLC, LWAP, IFW; FactoryTalk® Analytics for Devices, FactoryTalk® TeamONE™ users, Internet and FactoryTalk® Cloud)
Two scenarios:
1, 2. User connects to Industrial SSID, direct access to FactoryTalk® Cloud through IDMZ
3, 4. User connects to Corporate SSID and Enterprise WLC via the tunnel (no access to Industrial Zone)
Cloud traffic must be inspected and/or proxied
Conclusion
• Define your company security policies and understand risks
• Holistic Defense-in-Depth security for the Connected Enterprise
• Identity Services for secure personnel access – wired, wireless & remote
• IoT threat defense enables Visibility, Segmentation, Remote access and Security services
Complete A Survey
Please take a moment to complete the brief session survey on our mobile app and let us know how we’re doing!
Download the ROKTechED app and login:
Username: Last name
Password: Email address used to register
Locate the session in the “Schedule” icon
Click on the “Survey” icon in the lower right corner of the session details
Complete survey & submit
Thank you!
Additional Material: Network Architecture Icon Key
• Layer 2 Access Link (EtherNet/IP Device Connectivity)
• Layer 2 Interswitch Link / 802.1Q Trunk
• Layer 3 Link
• Layer 2 Access Switch, Catalyst 2960
• Multi-Layer Switch - Layer 2 and Layer 3, Stratix® 8300, Stratix® 5700, Stratix® 5400, Stratix® 5410
• Layer 3 Router, Stratix® 5900
• Autonomous Wireless Access Point (AP), Stratix® 5100 as Autonomous AP
• Layer 2 IES with NAT, Stratix® 5700, Stratix® 5400 (NAT)
• Layer 2 IES with NAT and Connected Routing, Stratix® 5700, Stratix® 5400 (NAT - CR)
• Layer 3 Distribution Switch Stack, Catalyst 3750-X, Catalyst 3850
• Layer 3 Core Switch, Catalyst 4500, 4500-X, 6500, 6800
• Layer 3 Core Switch with Virtual Switching System (VSS), Catalyst 4500-X, 6500, 6800
• Firewall, Adaptive Security Appliance (ASA) 55xx
• Wireless workgroup bridge (WGB), Stratix® 5100 as workgroup bridge (WGB)
• Unified Wireless Lightweight Access Point (LWAP), Catalyst 3602E LWAP
• Unified Wireless LAN Controller (WLC), Cisco 5508 WLC
• Unified Computing System (UCS), UCS-C series
• Identity Services Engine (ISE) for Authentication, ISE - PAN/PSN/MnT
• Layer 2 Access, Industrial Ethernet Switch (IES), Stratix® 2500, Stratix® 5700, Stratix® 5400, Stratix® 8000 (IES)
• Layer 3 Router with Zone-based Firewall, Stratix® 5900
• Industrial Firewall, Stratix® 5950 (IFW)
Additional Material
ODVA website: http://www.odva.org/
• EtherNet/IP: https://www.odva.org/Technology-Standards/EtherNet-IP/Overview
• Securing EtherNet/IP Networks
• EtherNet/IP Network Infrastructure Guide: https://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00035R0_Infrastructure_Guide.pdf
• Common Industrial Protocol (CIP™): https://www.odva.org/Technology-Standards/Common-Industrial-Protocol-CIP/Overview
• The Family of CIP™ Networks: https://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00123R1_Common-Industrial_Protocol_and_Family_of_CIP_Networks.pdf
• CIP Security: https://www.odva.org/Technology-Standards/Common-Industrial-Protocol-CIP/CIP-Security
Additional Material: CPwE Architectures - Cisco and Rockwell Automation®
CPwE website overview documents:
• Alliance Profile
• Top 10 Recommendations for plant-wide EtherNet/IP Deployments
• Design Considerations for Securing Industrial Automation and Control System Networks
Additional Material: CPwE Architectures - Cisco and Rockwell Automation®
Topic | Design Guide | Whitepaper
Design Considerations for Securing IACS Networks | — | ENET-WP031A-EN-P
Converged Plantwide Ethernet – Baseline Document | ENET-TD001E-EN-P | —
Resilient Ethernet Protocol in a CPwE Architecture | ENET-TD005B-EN-P | ENET-WP033A-EN-P
Deploying 802.11 Wireless LAN Technology within a CPwE Architecture | ENET-TD006A-EN-P | ENET-WP034A-EN-P
Deploying Identity Services within a CPwE Architecture | ENET-TD008A-EN-P | ENET-WP037A-EN-P
Securely Traversing IACS Data Across the Industrial Demilitarized Zone (IDMZ) | ENET-TD009A-EN-P | ENET-WP038A-EN-P
Deploying Network Address Translation within a CPwE Architecture | ENET-TD007A-EN-P | ENET-WP036A-EN-P
Migrating Legacy IACS Networks to a CPwE Architecture | ENET-TD011A-EN-P | ENET-WP040A-EN-P
Deploying A Resilient Converged Plantwide Ethernet Architecture | ENET-TD010A-EN-P | ENET-WP039B-EN-P
Site-to-site VPN to a CPwE Architecture | ENET-TD012A-EN-P | —
Deploying Industrial Firewalls within a CPwE Architecture | ENET-TD002A-EN-P | ENET-WP011B-EN-P
Deploying Device Level Ring within a CPwE Architecture | ENET-TD015A-EN-P | ENET-WP016A-EN-P
Additional Material
• Ethernet Design Considerations Reference Manual, ENET-RM002C-EN-P: EtherNet/IP overview, Ethernet infrastructure components, EtherNet/IP protocol
• EtherNet/IP IntelliCENTER® Reference Manual (MCC-RM001)
• The OEM Guide to Networking, ENET-RM001A-EN-P: intended to help OEMs understand relevant technologies, networking capabilities and other considerations that could impact them as they develop EtherNet/IP solutions for the machines, skids or equipment they build
• Segmentation Methods Within the Cell/Area Zone, ENET-AT004B-EN-E
Additional Material
Integrated Architecture® Builder (IAB)
• Updates and additions to better reflect CPwE structure, hierarchy and best practices
• Improved Switch Wizard for distribution (for example, Stratix® 5410) and access (for example, Stratix® 5700)
• Easier to create a large EtherNet/IP network with many topologies
• CIP™ traffic is measured per segment, not just controller scanner and adapter centric
EtherNet/IP Capacity Tool
Popular Configuration Drawings (PCDs)
• Updates and additions to better reflect CPwE recent enhancements
Training Resources: Education - Industrial IoT / Industrial IT (Bridging OT-IT)
• A ‘go-to’ resource for training and educational information on standard Internet Protocol (IP), security, wireless and other emerging technologies for industrial applications
• Led by Cisco, Panduit, and Rockwell Automation
• Receive monthly e-newsletters with articles and videos on the latest trends
• Scenario-based training on topics such as: logical topologies, protocols, switching, routing, wireless and physical cabling
Network Design eLearning course available at promotional price for TechEd Attendees! Earn PDHs by signing up today at www.industrial-ip.org with code “EVENTS2017”
Training Resources: Education - Industrial IoT / Industrial IT (Bridging OT-IT)
Four eLearning courses cover key aspects of implementing networked industrial control systems. The 20–30 minute interactive, scenario-based courses cover automation controls and physical infrastructure considerations.
Training Resources: Education - Industrial IoT / Industrial IT (Bridging OT-IT)
• Courses 1 and 2: Designing for the Cell/Area Zone – Design secure, robust, future-ready networks for cells, machines, skids and other functional units by implementing reference architectures and standard IP
• Course 3: Designing for the Industrial Zone – Learn design principles on line integration, high-availability networks and wireless architectures to optimize plant networks
• Course 4: IT/OT Integration – Understand how to effectively converge a smart manufacturing facility with IT and OT stakeholders
Topics: EtherNet/IP, Topologies, Security, Wireless
Training Resources: Training and Certification – Industrial IoT / Industrial IT (Bridging OT-IT)
• Cisco Industrial Networking Specialist Training and Certification
  – Classroom training: Managing Industrial Networks with Cisco Networking Technologies (IMINS)
  – Exam: 200–401 IMINS
  – CPwE Design Considerations and Best Practices
• CCNA Industrial Training and Certification
  – Classroom training: Managing Industrial Networks for Manufacturing with Cisco Technologies (IMINS2)
  – Exam: 200–601 IMINS2
  – CPwE Design Considerations and Best Practices
Training Resources: Training and Certification – Industrial IoT / Industrial IT (Bridging OT-IT)
Industrial Networking Specialist
• Module 1: Industrial Networking Solutions and Products
• Module 2: Industrial Network Documentation and Deployment Considerations
• Module 3: Installing Industrial Network Switches, Routers, and Cabling
• Module 4: Deploying Industrial Ethernet Devices
• Module 5: Maintaining Industrial Ethernet Networks
• Module 6: Troubleshooting Industrial Ethernet Networks
CCNA Industrial
• Module 1: Industrial Networking Concepts and Components
• Module 2: General Troubleshooting Issues
• Module 3: EtherNet/IP
• Module 4: Troubleshooting EtherNet/IP
• Module 5: PROFINET
• Module 6: Configuring PROFINET
• Module 7: Troubleshooting PROFINET
• Module 8: Exploring Security Concerns
• Module 9: 802.11 Industrial Ethernet Wireless Networking
Training Resources: Rockwell Automation - Webinars
Industrial Automation Webinars / On-Demand Webinars:
Introduction to Building a Robust, Secure and Future-ready Network Infrastructure
Increase Business Agility by Converging Manufacturing and Business Systems
The Power of Building a Secure Network Infrastructure
Design Considerations for Building a Secure Network Infrastructure
Training Resources: Cisco Training & Certifications
Cisco Certification Track: ICND1, ICND2
www.rockwellautomation.com
Thank You!