Arun Siddeswaran, Sr. Manager, IoT Solutions
Frank Baro, Sr. Solution Architect, Customer Experience
BRKIOT-2108
Connected Factory Architecture Theory and Practice
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
• Connected Factory Architecture
  • Cisco Reference Architecture
  • Factory Network
  • Factory Wireless
  • Factory Security
• Connected Factory in Practice
  • Achieving Business Outcomes
  • Factory Security
  • Enabling Analytics
  • Factory Wireless – AGV Roaming
• Conclusion
Market pressures are putting productivity and profitability for industrial operations at risk

Connected Factory Reference Architectures
CPwE, a holistic blueprint for reliable and secure digital transformation
Built on Industry Standards
Purdue / IEC 62443 Reference Model

Diagram: the Purdue levels mapped onto the CPwE security zones, with a firewall on each side of the Industrial DMZ.
• Enterprise Security Zone
  • Level 5 – Enterprise Network
  • Level 4 – Site Business Planning and Logistics Network (E-Mail, Intranet, etc.)
• Industrial DMZ (a firewall toward each zone): Remote Gateway Services, Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server
• Industrial Zone
  • Level 3 – Site Operations and Control: FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Remote Access Server
  • Cell/Area Zone
    • Level 2 – Area Supervisory Control: FactoryTalk Client, Operator Interface, Engineering Workstation
    • Level 1 – Basic Control: Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control
    • Level 0 – Process: Sensors, Drives, Actuators, Robots
Converged Plantwide Ethernet (CPwE) Reference Architecture

Diagram: the plant-wide reference architecture, top to bottom.
• Enterprise Zone (Levels 4-5)
  • Internet behind an External DMZ / Firewall; access switches and core
  • Data Center – virtualized servers: ERP and business systems; email and web services; security services – Active Directory (AD), Identity Services (AAA); network services – DNS, DHCP; Call Manager
  • Enterprise Identity Services; Cisco Kinetic (IoT platform)
  • Wide Area Network (WAN)
• Industrial Demilitarized Zone (IDMZ)
  • Plant firewalls (ASA 5500), active/standby: inter-zone traffic segmentation; ACLs, IPS and IDS; VPN services; portal and Remote Desktop Services proxy
  • Physical or virtualized servers: Patch Management, AV Server, Application Mirror, Remote Desktop Gateway Server
• Industrial Zone (Levels 0-3, plant-wide network)
  • Level 3 – Site Operations (control room): physical or virtualized servers – FactoryTalk Application Servers and Services Platform; network and security services – IND, DNS, AD, DHCP, Identity Services (AAA), MSE; storage array; Industrial Network Director; Stealthwatch; Identity Services; active and standby Wireless LAN Controller (WLC); core switches and IE 5K distribution switch stack
  • Cell/Area Zones (Levels 0-2; lines, machines, skids, equipment) on Industrial Ethernet access switches (IE-1K, IE2K, IE3X, IE4K), each with an industrial firewall (IFW) at its edge, in three topology variants:
    • Redundant star topology – Flex Links resiliency – unified wireless LAN
    • Linear/bus/star topology – autonomous wireless LAN
    • Ring topology – unified wireless LAN
  • Wireless: lightweight access points (LWAP) with 5 GHz and 2.4 GHz SSIDs; IW3700 workgroup bridges (WGB) connecting machines
  • Devices: HMI, controller, safety controller, I/O, safety I/O, drive, servo drive, soft starter, robot, camera, phone
#CLUS
Connected Factory - Designed for Digital
Manufacturing
10
BRKIOT 2108
Factory Network
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
#CLUS
Cell/Area Zone Overview
Cell/Area Zone - Functional Area of a Production Facility.
Considerations include:
• Environmental constraints
• Range of device intelligence
• Time-sensitive applications

Diagram: two Cell/Area Zones hanging off a Layer 3 distribution switch (IE5K), each built from Layer 2 access switches (IE2K / IE3X / IE4K).
• Layer 2 interswitch uplink – VLAN trunk, Layer 2 resiliency
• Layer 2 access link – single VLAN assigned to the port
• Devices by level: Level 2 – HMI; Level 1 – controller; Level 0 – device (drive/VFD, distributed I/O)
• Media and connectors
Typical Cell/Area Zone Traffic Flows

Diagram: flows between controllers, HMIs, drives, an engineering laptop and network management across two Cell/Area Zones, the Manufacturing Zone (IE5K distribution) and the IDMZ.

CIP Explicit – informational control and administration
• Intra- and inter-Cell/Area Zone traffic flow
• Non-critical administrative or data traffic using TCP
• ~1500 bytes, infrequent
• Period above 500 ms

CIP Implicit – producer/consumer
• >80% local to the Cell/Area Zone
• Cyclical I/O traffic, UDP unicast and multicast
• <500 bytes, frequent
• Period 0.5 to tens of ms, typically 20 ms
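The profile above is what a network or security engineer would use to sanity-check flow records exported from the Cell/Area Zone switches. The following is an added example, not code from the session or from Cisco: it classifies constructed flow records as CIP implicit or explicit, checks each against the size and period profile on the slide, and computes how much of each cell's implicit I/O stays inside the cell against the >80% expectation. The port numbers are the ODVA-registered EtherNet/IP ports (TCP 44818 for explicit messaging, UDP 2222 for implicit I/O), which the slide itself does not list, and the cell subnet plan is an assumption.

```python
"""Classify EtherNet/IP (CIP) flows seen in a Cell/Area Zone and check them
against the profile on the slide: implicit I/O is UDP, small, cyclic and mostly
local to the zone; explicit messaging is TCP, large and infrequent.

Added example for this page, not code from the session or from Cisco. The flow
records and the cell subnet plan are constructed. The port numbers are the
ODVA-registered EtherNet/IP ports, which the slide does not list.
"""
import ipaddress
from collections import defaultdict

EXPLICIT_PORT = 44818   # EtherNet/IP encapsulation: CIP explicit (Class 3) messaging
IMPLICIT_PORT = 2222    # CIP implicit (Class 1) cyclic I/O

# Constructed subnet plan: one /24 per Cell/Area Zone; anything else is
# Level 3 site operations or beyond.
CELLS = {"cell-A": "10.17.10.0/24", "cell-B": "10.17.20.0/24"}

# Constructed flow records: src, dst, transport, destination port, bytes per
# packet, send period in ms, packet count over the capture window.
SAMPLE_FLOWS = [
    dict(src="10.17.10.11", dst="10.17.10.20", proto="udp", dport=2222, bytes=120, period_ms=20, packets=5000),
    dict(src="10.17.10.11", dst="10.17.10.21", proto="udp", dport=2222, bytes=96, period_ms=10, packets=10000),
    dict(src="10.17.10.11", dst="10.17.20.30", proto="udp", dport=2222, bytes=200, period_ms=20, packets=4000),
    dict(src="10.17.20.30", dst="10.17.20.31", proto="udp", dport=2222, bytes=80, period_ms=20, packets=3000),
    dict(src="10.17.30.5", dst="10.17.10.11", proto="tcp", dport=44818, bytes=1400, period_ms=2000, packets=40),
    dict(src="10.17.10.11", dst="10.17.10.20", proto="tcp", dport=44818, bytes=1500, period_ms=50, packets=900),
]


def classify_flow(flow):
    """'implicit' (UDP 2222), 'explicit' (TCP 44818) or 'other'."""
    if flow["proto"] == "udp" and flow["dport"] == IMPLICIT_PORT:
        return "implicit"
    if flow["proto"] == "tcp" and flow["dport"] == EXPLICIT_PORT:
        return "explicit"
    return "other"


def cell_of(ip, cells=CELLS):
    """Name of the Cell/Area Zone containing ip, or 'site' for everything else."""
    addr = ipaddress.ip_address(ip)
    for name, net in cells.items():
        if addr in ipaddress.ip_network(net):
            return name
    return "site"


def implicit_locality(flows, cells=CELLS):
    """Per source cell: fraction of implicit I/O packets whose destination is in
    the same cell. The slide expects more than 80% of implicit traffic to stay local."""
    total, local = defaultdict(int), defaultdict(int)
    for f in flows:
        if classify_flow(f) != "implicit":
            continue
        src_cell, dst_cell = cell_of(f["src"], cells), cell_of(f["dst"], cells)
        total[src_cell] += f["packets"]
        if src_cell == dst_cell:
            local[src_cell] += f["packets"]
    return {c: local[c] / total[c] for c in total}


def audit_flows(flows, cells=CELLS, min_local=0.80):
    """Findings: flows that do not fit their class's profile, and cells whose
    implicit I/O is not mostly local (I/O connections crossing the distribution
    switch, where convergence and QoS are harder to guarantee)."""
    findings = []
    for f in flows:
        kind = classify_flow(f)
        desc = f"{f['src']}->{f['dst']} {f['proto']}/{f['dport']}"
        if kind == "implicit" and f["bytes"] >= 500:
            findings.append(f"{desc}: implicit I/O with {f['bytes']} B packets (expected <500 B)")
        if kind == "explicit" and f["period_ms"] < 500:
            findings.append(f"{desc}: explicit messaging every {f['period_ms']} ms (expected >500 ms)")
    for cell, ratio in sorted(implicit_locality(flows, cells).items()):
        if ratio < min_local:
            findings.append(f"{cell}: only {ratio:.0%} of implicit I/O stays local (target >{min_local:.0%})")
    return findings


if __name__ == "__main__":
    for line in audit_flows(SAMPLE_FLOWS):
        print(line)
```

On the constructed records this reports the TCP 44818 flow being polled every 50 ms (explicit messaging at I/O rates, usually an HMI or data collector configured too aggressively) and cell-A, where one I/O connection to a device in cell-B pulls the local share down to 79%.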
Benefits of Managed Infrastructure

Managed switches
• Benefits: loop prevention and resiliency; security services; management services (multicast and DHCP per port); diagnostic information; segmentation services (VLANs); prioritization services (QoS)
• Considerations: more expensive; require some level of support and configuration to start up

Unmanaged switches
• Benefits: inexpensive; simple to set up
• Considerations: no loop prevention or resiliency; no security services; no diagnostic information; no segmentation or prioritization services; difficult to troubleshoot, no management services
Industrial Network Topologies
Cell/Area Zone Topology Options

Linear, Ring and Redundant Star are compared on: cabling requirements; ease of configuration; implementation costs; bandwidth; redundancy and convergence; disruption during network upgrade; readiness for network convergence.
Overall network TCO and performance: Linear – worst; Ring – OK; Redundant Star – best.

Diagram: three Cell/Area Zones (controllers, drives, distributed I/O, HMI) off an IE5K distribution switch with IE2K / IE3X / IE4K access switches.
• Star/Bus Linear (shown with a Cisco Catalyst 2955 access switch)
• Redundant Star – Flex Links, EtherChannel
• Ring – Resilient Ethernet Protocol (REP)
Performance Requirements
Industrial Automation & Control System Applications
Source: ARC Advisory Group

Function | Comm. technology | Period | Applications | Industries
Process Automation – information integration, slower process automation | .Net, DCOM, TCP/IP | 1 second or longer | Pumps, compressors, mixers; monitoring of temperature, pressure, flow | Oil & gas, chemicals, energy, water, utilities
Factory Automation – discrete automation (time-critical) | Industrial protocols, CIP, Profinet | 1 ms to 100 ms | Material handling, filling, labeling, palletizing, packaging; welding, stamping, cutting, metal forming, soldering, sorting | Auto, food and bev, electrical assembly, semiconductor, metals, pharmaceutical
Multi-axis Motion Control (loss-critical) | Hardware and software solutions, e.g. CIP Motion, PTP | 100 µs to 10 ms | Life/equipment safety; synchronization of multiple axes: printing presses, wire drawing, web making, picking and placing | Subset of discrete automation
Network Resiliency Protocols
Selection is Application Driven

Each protocol is compared on mixed-vendor support, topology (ring or redundant star), Layer 2 vs. Layer 3, and network convergence tier: Process and Information (>250 ms), Time Critical (50-100 ms), Loss Critical (<0~10 ms).
• STP (802.1D)
• RSTP (802.1w)
• MSTP (802.1s)
• PVST+
• REP
• EtherChannel (LACP 802.3ad)
• MRP (IEC 62439-2)*
• Flex Links
• PRP/HSR (IEC 62439)*
• DLR (IEC & ODVA)
• StackWise
• HSRP (Layer 3 gateway redundancy)
• VRRP (IETF RFC 3768, Layer 3 gateway redundancy)
* Not part of CPwE
Industrial IoT Networking Portfolio
• Industrial switching: IE 1K, 2K, 3K, 4K, 5K, CGS, 3x00
• Low-power wide-area wireless: LoRaWAN, IXM Gateway
• IoT gateways: 819-MNA, IR807, IR809, IR829, IR1101
• Industrial routing: ASR 902U/903U/920U, CGR 1000, CGR 2000
• Cisco Resilient Mesh: IR500, DevNet
• Industrial wireless: AP1552, IW3702
• Management & automation: Field Network Director, Industrial Network Director
• Industrial security: ISA 3000
• Embedded IoT: ESS, ESR
• Edge computing: IOx, IC 3000
Industrial Ethernet Switch Characteristics

Feature | Cisco Industrial Ethernet (IE) | Typical non-industrial Ethernet switch
Form factor / mounting options | DIN rail, panel and rack mount | Rack mount
Interface options | Port density 6-28 | High port density
PoE density / max power | Port density 6-28 | High port density
Power supply options | AC and DC; DC input voltage range 10 to 300 V | AC and DC; DC input voltage range 36 to 72 V
Converged access (wired plus wireless) | No | Yes, mobility agent and mobility controller
Environmental design (fanless vs. fans; operating temperature range; Ingress Protection (IP) rating; industry certifications) | Fanless (no moving parts); -40 °C to +60 °C; IP30 (models up to IP67); hardened for vibration, shock, surge and noise immunity | Fans; -5 °C to +45 °C; IP not specified (IP20 or less); enterprise-class certifications
"Swap Drive" – removable flash | Yes | No
Dying gasp – upon loss of input power | Yes | No
Alarm ports | Yes | No
Deterministic Ethernet – IEEE 802.1 TSN | Yes – supported by IE 4000 and IE 5000 | No
Industrial protocols – management | EtherNet/IP CIP, PROFINET, Modbus TCP | Not available
Industrial protocols – high availability | REP, MRP, Flex Links, PRP, HSR | REP (slower convergence time), Flex Links
Smart-port macros | IE smart-port macros (qty 32): QoS policies, IED, PTP, CIP, HMI, etc.; enterprise macros (qty 6): global, desktop, phone, switch, router, wireless | No IE smart-port macros; enterprise macros (qty 6): global, desktop, phone, switch, router, wireless
Device Manager | Ease-of-use on-device web server for device management | On-device web server for device management
Network management | Industrial Network Director (IND); Prime Infrastructure / DNA-C | Prime Infrastructure / DNA-C
Typical boot time | 30 sec – 2 min 20 sec | 5 min (single switch)
L2 and L3 images | Yes, same hardware | Yes, same hardware
Precise timing (IEEE 1588 PTP; IEEE C37.238-2011 Power Profile) | Yes; IEEE 1588 including Power Profile level of accuracy (50 ns per hop); option for GPS and IRIG-B on IE 5000, including grandmaster with Stratum 3E on-board oscillator | No
Factory Network: Layer 2 NAT
Challenge - Ethernet Growing Pains
• Ethernet networks continue to grow:
  • Each machine adds another 5 - 50 EtherNet/IP enabled devices
  • Every line adds another 250 - 1,000 EtherNet/IP enabled devices
How do I connect all these machines into a plant network to gain the advantages?
Solution - Layer 2 Network Address Translation (NAT)
One-to-one (1:1) NAT

Diagram: a NAT-enabled device sits between the outside (plant) subnet, e.g. 10.0.0.x, and the inside (machine) subnet, e.g. 192.168.1.x.
• Many outside IP addresses: one per inside device that needs to be reachable from the outside subnet
• Many inside IP addresses: one per connected device
Why use Layer 2 NAT?
• Helps simplify integration of IP address mapping from machine-level IP addresses to the plant network
• Allows machine builders to develop standard machines and eliminates the need for unique IP addressing and code modifications
• Allows end users to more easily integrate machines into their larger plant network without extensive coordination with machine builders
• Provides better maintainability at the machines, as they remain standard
• Allows reuse of IP addresses, so more devices can be connected from a limited address pool
A single device acts as an agent between the plant (outside) network and the machine (inside) network.
Layer 3 vs Layer 2 NAT

Layer 3 NAT
• Typically a software implementation
• NAT device acts as the default gateway (router) for the devices on the inside network
• NAT device intercepts traffic, performs translation, and routes the traffic
• Translations are handled by the NAT CPU
• Translation performance is directly tied to the loading of the NAT CPU

Layer 2 NAT
• Hardware-based implementation
• NAT device does not act as a router; it uses two translation tables – inside to outside and outside to inside
• Performance is at wire speed regardless of switch loading
• Supports multiple VLANs through the NAT boundary, enhancing segmentation flexibility (communication between VLANs still requires a separate Layer 3 device)
Layer 2 NAT Design Scenarios
Single-Cell, Single VLAN per Switch

Diagram: a machine (inside address 192.168.1.10) behind an IE2K / IE4K access switch performing NAT, trunked on VLAN10 to an IE 5K distribution switch; the line controller 10.10.10.30 sits on the outside VLAN10.

Inside-to-outside NAT table
Inside | Outside
192.168.1.10 | 10.10.10.10

Outside-to-inside NAT table
Outside | Inside
10.10.10.30 | 192.168.1.30
Layer 2 NAT Design Scenarios Cont.
Multi-Cell, Single VLAN per Switch

Diagram: Machine 1 and Machine 2 each use the same inside addresses (192.168.1.3, .4 and .7) behind their own IE2K / IE4K access switch performing NAT; Machine 1 is exposed on VLAN10, Machine 2 on VLAN20. The IE 5K distribution switch also carries VLAN30 (10.10.30.x) with the work station 10.10.30.10 and the line controller 10.10.30.12.

Machine 1 NAT table
Inside | Outside
192.168.1.3 | 10.10.10.3
192.168.1.4 | 10.10.10.4
192.168.1.7 | 10.10.10.7

Machine 2 NAT table
Inside | Outside
192.168.1.3 | 10.10.20.3
192.168.1.4 | 10.10.20.4
192.168.1.7 | 10.10.20.7
Layer 2 NAT Design Scenarios Cont.
Multi-Cell, Single Switch, Multi-VLAN

Diagram: three machines, each reusing the inside addresses 192.168.1.x (.2, .3, .4, .7), connect to one IE2K / IE4K access switch that runs multiple NAT instances, one per VLAN (VLAN10, VLAN20, VLAN30), toward the IE 5K distribution switch. VLAN40 (10.10.40.x) carries the work station 10.10.40.10 and the line controller 10.10.40.12.

Machine 1 NAT table (VLAN10)
Inside | Outside
192.168.1.3 | 10.10.10.3
192.168.1.4 | 10.10.10.4
192.168.1.7 | 10.10.10.7

Machine 2 NAT table (VLAN20)
Inside | Outside
192.168.1.3 | 10.10.20.3
192.168.1.4 | 10.10.20.4
192.168.1.7 | 10.10.20.7

Machine 3 NAT table (VLAN30)
Inside | Outside
192.168.1.3 | 10.10.30.3
192.168.1.4 | 10.10.30.4
192.168.1.7 | 10.10.30.7

Multiple instances of NAT, one per VLAN
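The three scenarios share one mechanism: a per-VLAN NAT instance with an inside-to-outside table for the machine's exposed devices and an outside-to-inside table for the plant hosts the machine needs to reach. The following added example (not code from the session or from Cisco) models those two tables, translates frames in both directions, and checks a plant-wide address plan for the mistake the per-VLAN design is meant to prevent: a cloned standard machine exposed on the same outside VLAN with the same outside block. The line-controller alias 192.168.1.30 inside every machine is an assumption; the other addresses follow the slides. Two caveats the slides imply but do not state: the NAT instance only rewrites addresses, so reachability between outside VLANs remains the Layer 3 distribution switch's job, and NAT is not a security boundary, because every device listed in the inside-to-outside table is reachable from the plant network.

```python
"""Simulate the two translation tables of a Layer 2 NAT instance and check a
plant-wide address plan for duplicate outside addresses on one VLAN.

Added example for this page, not code from the session or from Cisco. The
addresses follow the slides' scenarios (inside 192.168.1.x, outside 10.10.x.y);
the line-controller alias used inside each machine is a constructed choice.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class L2NatInstance:
    name: str
    outside_vlan: int
    inside_to_outside: dict   # machine device address -> address exposed on the plant VLAN
    outside_to_inside: dict   # plant address -> alias the machine uses to reach it

    def egress(self, src, dst):
        """Machine -> plant. Returns (src, dst) after translation, or None when
        either address has no table entry (the frame is not forwarded)."""
        alias_to_plant = {alias: plant for plant, alias in self.outside_to_inside.items()}
        if src not in self.inside_to_outside or dst not in alias_to_plant:
            return None
        return self.inside_to_outside[src], alias_to_plant[dst]

    def ingress(self, src, dst):
        """Plant -> machine. The outside source becomes its inside alias and the
        exposed outside destination becomes the real machine address."""
        exposed_to_inside = {plant: dev for dev, plant in self.inside_to_outside.items()}
        if src not in self.outside_to_inside or dst not in exposed_to_inside:
            return None
        return self.outside_to_inside[src], exposed_to_inside[dst]


def outside_conflicts(instances):
    """Outside addresses claimed by more than one NAT instance on the same VLAN.
    Returns a sorted list of (vlan, address, [instance names])."""
    claims = defaultdict(list)
    for inst in instances:
        for plant_addr in inst.inside_to_outside.values():
            claims[(inst.outside_vlan, plant_addr)].append(inst.name)
    return sorted((vlan, addr, names) for (vlan, addr), names in claims.items() if len(names) > 1)


LINE_CONTROLLER = "10.10.30.12"          # line controller from the multi-cell scenario
LINE_CONTROLLER_ALIAS = "192.168.1.30"   # constructed: the same alias inside every machine


def standard_machine(name, vlan, outside_prefix):
    """The machine builder's standard machine: fixed inside addresses .3/.4/.7,
    exposed under an outside /24 prefix chosen by the end user."""
    return L2NatInstance(
        name=name,
        outside_vlan=vlan,
        inside_to_outside={f"192.168.1.{h}": f"{outside_prefix}.{h}" for h in (3, 4, 7)},
        outside_to_inside={LINE_CONTROLLER: LINE_CONTROLLER_ALIAS},
    )


MACHINE_1 = standard_machine("machine-1", 10, "10.10.10")
MACHINE_2 = standard_machine("machine-2", 20, "10.10.20")
# An integrator cloned machine 1 onto VLAN10 without assigning a new outside block.
MACHINE_1_CLONE = standard_machine("machine-1-clone", 10, "10.10.10")


if __name__ == "__main__":
    print(MACHINE_1.egress("192.168.1.3", LINE_CONTROLLER_ALIAS))
    print(MACHINE_1.ingress(LINE_CONTROLLER, "10.10.10.3"))
    print(outside_conflicts([MACHINE_1, MACHINE_2, MACHINE_1_CLONE]))
```

Machine 1 and Machine 2 coexist because their identical inside addresses are exposed under different outside blocks on different VLANs; the clone collides on all three exposed addresses, which is exactly the check to run before a standard machine is plugged into a new cell.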
Factory Network: Network Management for OT
Current Challenges

IND target users in Operations, plus the IT staff supporting OT:
• Line operator / technician – day-to-day operation of the control system
• Control systems / design engineer – designs and maintains the automation and control system
• Plant / facility manager – plant/facility uptime is top of mind
• IT staff supporting OT (IT, or a person with hybrid IT and OT talents) – network experts who lack tools that provide network visibility in an operations context
Cisco Industrial Network Director
Network Management, Simplified & Automated
• Network troubleshooting with automation context
• Improved industrial asset visibility
• APIs for integration with automation systems
• Plug-and-Play for zero-touch switch commissioning
• Native industrial protocol support
• Plug-and-Play Day-0 configuration
• Dashboard for monitoring system health, metrics, and traffic statistics
• Alarm management with real-time alerts of network events
Cisco Plug and Play
Zero-Touch Commissioning and Replacement
• Pre-provision configuration and software for automated network commissioning
• Help ensure consistent network design and security policy
• Swap hardware when a switch fails and recover with automated configuration and software image replacement

Diagram: the PnP agent on the Cisco Industrial Ethernet switch speaks the PnP protocol to the PnP server in Cisco Industrial Network Director, which delivers the switch configuration (XML) and the software image.
Open protocol based on XMPP and HTTP with a publicly available schema
Plug and Play Implementation on IND
Simplify and Automate with Plug and Play
• Lightweight – can run on a laptop
• Workflow tailored for industrial use cases such as machine builders
• Profiles can be exported across instances for multi-party provisioning scenarios
• Technicians commissioning switches do not need to understand networking
Experts pre-define configuration through templates; profiles are exported between IND instances; technicians commission switches on site with a laptop.
Feature Highlights
• Real-time monitoring of system health, metrics, and traffic statistics
• CIP, PROFINET, Modbus, BACnet industrial device discovery
• Dynamic topology of industrial and network assets
• Optimized alarm management with real-time network alerts
• Detailed audit trails to track adds, moves, and changes
• Group-based dashboard for summary of system status
• Rich APIs for rapid integration with industrial applications
• Plug-and-Play (PnP) server for zero-touch switch commissioning
Factory Wireless
Wireless Overview
Benefits of industrial wireless network
• Connection to hard-to-reach and restricted areas
• Integration of machines / skids
• Remote diagnostics
• Intelligent assets
• Lower installation and operational costs
• Cabling reduction, elimination of cable failures
• Equipment mobility
• New and more efficient machine designs
Wireless Overview
Benefits of industrial wireless network
• Workforce mobility improves effectiveness
  • Operators can trend and write back from a mobile device when they step away from the machine
  • Engineering and maintenance can see and react to system alarms and production data from anywhere, at any time
  • Industrial IT provides secure infrastructure and multi-platform support
• Equipment wireless
  • IEEE 802.11 wireless connectivity for critical Industrial Automation and Control System (IACS) applications
• Asset tracking
  • Track assets to optimize cost and for safety
Wireless Overview
Challenges of wireless communication
• Half-duplex shared medium:
  • Only one radio can transmit on a particular wireless channel at a time
  • A radio cannot transmit and receive at the same time on the same channel
• Higher latency, jitter and packet loss compared to wired Ethernet
• Media contention, collisions and interference
  • Can be minimized but not eliminated
Diagram: two IW3702 radios (AP and WGB) sharing one channel.
Wireless Overview
Challenges of wireless communication
• Wireless coverage area cannot be precisely defined
  • Site survey is required
• Spectrum sharing and security concerns
• Signal quality may change over time
  • Interference sources and obstructions
  • Unauthorized transmissions
Wireless advantages outweigh the challenges when:
• The WLAN is designed and maintained properly
• It is used for appropriate applications
Factory Wireless: Equipment to Equipment
Wireless Overview
Wireless Client Types
• Workgroup Bridge (WGB) – an external adapter (wireless bridge); the main method of connecting industrial devices
• Embedded wireless adapter
Diagram: an AP serving a bridge and two WGBs; AP/WGB platform: IW3702.
Equipment to Equipment – Use Cases
Wireless Mobility Types
• Static equipment
  • Permanent location
  • Wire replacement for hard-to-reach places
  • Examples: process control, condition monitoring, standalone OEM machines
Diagram: a WGB (IW3702) on the machine associated to one AP on an IE2K / IE3X / IE4K access switch.
Equipment to Equipment – Use Cases
Wireless Mobility Types
• Nomadic equipment
  • Stays in place while operating
  • Moves to a new location in the shutdown state
  • Examples: process skids, storage tanks, reactors, portable manufacturing equipment
Diagram: a WGB that re-associates to a different AP after being moved; APs on IE2K / IE3X / IE4K access switches; AP/WGB platform: IW3702.
Equipment to Equipment – Use Cases
Wireless Mobility Types
• Mobile equipment (no roaming)
  • Changes position while operating
  • Remains connected to the same AP
  • Examples: rotary platforms, manufacturing machines with tracks, overhead cranes with small spans
Diagram: a moving WGB staying within one AP's cell; AP on an IE2K / IE3X / IE4K access switch; AP/WGB platform: IW3702.
Equipment to Equipment – Use Cases
Wireless Mobility Types
• Mobile equipment (fast roaming)
  • Connects to multiple APs while operating
  • Does not drop application connections
  • Examples: AGVs, ASRS, overhead cranes, train cars, entertainment ride vehicles
Site survey and architecture selection are critical.
Diagram: a WGB roaming between several APs on IE2K / IE3X / IE4K access switches; AP/WGB platform: IW3702.
Unified WLAN Architecture
Overview

Diagram: a Wireless LAN Controller (WLC), with Identity Services Engine (ISE) for authentication, manages lightweight access points (LWAP) on IE2K / IE3X / IE4K access switches; SSID1 and SSID2 on 5 GHz serve WGBs (including a roaming WGB), SSID3 on 2.4 GHz serves other clients; AP/WGB platform: IW3702.
Wireless Access: Asset Tracking
Location Based Asset Tracking

Asset utilization
• Track supplies in transit
• Inventory accuracy of receivables
• Retrieve misplaced components, subassemblies, etc.
• Locate missing tools, test harnesses, etc.
• Vehicle location for smarter dispatch

Material flow efficiency
• Wireless restocking trigger
• Choke point recording
• The right supplies get to the right place
• In-line rework
• Bar code replacement

Business value
• Production throughput increase
• Improved equipment utilization
• Reduced scrap
• Labor efficiency
• "82% improvement in retrieval time results in increased throughput, and 'on time delivery' was improved 13%" – Ops Manager, Semiconductor
Real Time Location Services (RTLS) Architecture
• Open ecosystem
• Scalable infrastructure
• Leverage common wireless infrastructure
• Track any Wi-Fi device or tag
• Chokepoint integration
• Single pane of glass for cockpit dashboard

Diagram, bottom to top: devices and chokepoints; wireless infrastructure (access points, Wireless LAN Controller, Mobility Services Engine); enterprise network; applications and management (Cisco Identity Services Engine (ISE) / Cisco Prime Network, business intelligence, partner applications).
Wireless Access: Recommendations
Application Recommendations
Choosing an Appropriate Application

IACS traffic type | CIP standard | Use with wireless | Considerations
Supervisory information and diagnostics, peer-to-peer messaging | CIP Class 3 (HMI), CIP Class 3 (MSG) | Yes | Need to control bandwidth if combined with CIP Class 1 standard and safety traffic
Peer-to-peer control, I/O control | CIP Class 1 produced/consumed, distributed I/O | Yes | Application should tolerate occasional high latency, jitter and dropped packets; packet rate restrictions
Safety control | CIP Safety | Yes | Fast safety reaction times may not be supported
Time synchronization | CIP Sync | Application dependent | Accuracy and reliability can be optimized in specific configurations
Motion control | Integrated Motion on the EtherNet/IP network (direct drive control) | No | Not feasible due to higher latency and jitter and limited CIP Sync accuracy
WLAN Recommendations
Radio Spectrum
• 5 GHz frequency band is recommended
• Regulations vary by country
  • Need spectrum survey and monitoring
• Avoid DFS (Dynamic Frequency Selection) channels
  • Weather / military radars cause disruption of service in DFS channels
  • If DFS channels are used, RF survey and monitoring are required
• Reserve a channel exclusively for the application, if possible

5 GHz channels (20 MHz wide), country examples*
Country | No DFS | DFS
U.S., Canada, Australia | 9 | 12
Europe | 4 | 15
China | 5 | 0
* Regulations change over time

Wireless spectrum management policy is critical!
WLAN Recommendations
Site Survey
• Do not rely on predictive software results; test at the location
• RF spectrum survey:
  • Monitoring for interference and existing traffic
  • Extended period throughout the site
• Active survey:
  • Verify performance, not just coverage
  • Verify cell overlap for roaming (if needed)
  • Stricter criteria than enterprise WLAN:
    • RSSI -67 dBm, SNR 25 dB – acceptable for EtherNet/IP
    • RSSI -73 dBm (6 dB lower, about one quarter of the received power in mW), SNR 19 dB – can associate and pass data, but poor EtherNet/IP performance
WLAN Recommendations
Site Survey
• Survey conditions should match the production environment
  • Wireless hardware, RF channels, transmit power
  • Installed equipment, moving obstacles
  • Installation restrictions, WGB placement
• Complete walk-through of the coverage area
• Site survey helps to select or validate antenna type and placement
• Changes in the environment may require a follow-up survey
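The survey criteria above are easy to apply by hand at one point and easy to get wrong across a whole walk-through, especially on a roaming path where every position needs more than one AP above threshold. The following added example (not code from the session or from Cisco) grades constructed active-survey readings with the slide's two RSSI/SNR tiers, shows why -73 dBm is a quarter of the power at -67 dBm, and flags roaming positions without cell overlap. The measurement points, AP names and the rule that a roaming position needs two APs at the acceptable tier are assumptions.

```python
"""Grade active-survey measurements against the stricter EtherNet/IP criteria
on the slide (RSSI -67 dBm / SNR 25 dB acceptable; -73 dBm / 19 dB associates
but performs poorly) and check roaming cell overlap along a path.

Added example for this page, not code from the session or from Cisco. The
measurement points, AP names and the two-AP overlap rule for roaming
positions are constructed assumptions.
"""
ACCEPT_RSSI, ACCEPT_SNR = -67, 25      # acceptable for EtherNet/IP (slide)
MARGINAL_RSSI, MARGINAL_SNR = -73, 19  # associates, poor EtherNet/IP performance (slide)


def dbm_to_mw(dbm):
    """Convert a power level in dBm to milliwatts."""
    return 10 ** (dbm / 10)


def grade_signal(rssi_dbm, snr_db):
    """'acceptable', 'marginal' or 'unusable' for EtherNet/IP over 802.11.
    Both RSSI and SNR must meet a tier: a strong but noisy signal is not enough."""
    if rssi_dbm >= ACCEPT_RSSI and snr_db >= ACCEPT_SNR:
        return "acceptable"
    if rssi_dbm >= MARGINAL_RSSI and snr_db >= MARGINAL_SNR:
        return "marginal"
    return "unusable"


def survey_point(location, readings, roaming=False, min_overlap=2):
    """Grade one survey position. readings maps AP name -> (RSSI dBm, SNR dB).
    Roaming positions additionally need min_overlap APs at the acceptable tier,
    otherwise the WGB has nothing good to roam to."""
    grades = {ap: grade_signal(*r) for ap, r in readings.items()}
    best_ap = max(readings, key=lambda ap: readings[ap][0])
    verdict = grades[best_ap]
    acceptable_aps = sorted(ap for ap, g in grades.items() if g == "acceptable")
    if roaming and verdict != "unusable" and len(acceptable_aps) < min_overlap:
        verdict = "no-roaming-overlap"
    return {"location": location, "best_ap": best_ap, "verdict": verdict,
            "acceptable_aps": acceptable_aps}


# Constructed readings from a walk-through along an AGV path and three fixed skids.
SAMPLE_POINTS = [
    ("AGV path P1", {"AP1": (-62, 30), "AP2": (-70, 22)}, True),
    ("AGV path P2", {"AP1": (-65, 27), "AP2": (-66, 26)}, True),
    ("skid S1", {"AP2": (-73, 19)}, False),
    ("skid S2", {"AP2": (-85, 6)}, False),
    ("skid S3", {"AP3": (-60, 18)}, False),   # strong signal, but a high noise floor
]


def run_survey(points=SAMPLE_POINTS):
    """Grade every survey position; returns one verdict dict per point."""
    return [survey_point(loc, readings, roaming) for loc, readings, roaming in points]


if __name__ == "__main__":
    ratio = dbm_to_mw(-73) / dbm_to_mw(-67)
    print(f"-73 dBm carries {ratio:.2f} of the power at -67 dBm")
    for result in run_survey():
        print(result)
```

P1 is covered well by one AP but has no second AP at the acceptable tier, so an AGV passing through would roam late or onto a poor cell; S3 shows why SNR is graded separately from RSSI, since a -60 dBm signal with 18 dB of SNR is still unusable for EtherNet/IP under these criteria.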
Factory Security: IDMZ
Controlling Access to the Industrial Zone
IEC 62443 - Industrial Network Security

Diagram: logical model of the Industrial Automation and Control System (IACS), the same Purdue levels and zones as the reference model above, annotated with where protocols live: Web and E-Mail in the Enterprise Security Zone, CIP in the Industrial Security Zone; a firewall on each side of the Industrial DMZ.
• Enterprise Security Zone: Level 5 – Enterprise Network; Level 4 – Site Business Planning and Logistics Network (E-Mail, Intranet, etc.)
• Industrial DMZ: Remote Gateway Services, Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server
• Industrial Security Zone: Level 3 – Site Operations and Control (Application Server, Directory, Engineering Workstation, Remote Access Server); Cell/Area Zone – Level 2 Area Supervisory Control (Client, Operator Interface, Engineering Workstation), Level 1 Basic Control (Batch, Discrete, Drive, Continuous Process and Safety Control), Level 0 Process (Sensors, Drives, Actuators, Robots)
Converged multi-discipline industrial network
No direct traffic flow between the Enterprise and Industrial Zone
Industrial Demilitarized Zone (IDMZ)
Controlling Access to the Industrial Zone

Diagram: the Enterprise Security Zone and the Industrial Security Zone each ask whether the other is trusted or untrusted; neither talks to the other directly, and the Industrial DMZ is the trusted broker between them.
Industrial Demilitarized Zone (IDMZ)
Best practices
• All network traffic from either side of the IDMZ terminates in the IDMZ; network traffic does not directly traverse the IDMZ
• Only path between zones
• No common protocols in each logical firewall
• No control traffic into the IDMZ; CIP stays home
• No primary services are permanently housed in the IDMZ
• The IDMZ shall not permanently house data
• Application data mirror to move data into and out of the Industrial Zone
• Limit outbound connections from the IDMZ
• Be prepared to "turn off" access via the firewall

Diagram: the IDMZ with replicated services between the Enterprise Security Zone and the Industrial Security Zone (no direct traffic between them, each asking whether the other is trusted), and a disconnect point at each firewall.
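Most of these best practices can be checked mechanically against the firewall rule base before a change window, which is how they survive contact with the next "temporary" rule. The following added example (not code from the session or from Cisco) audits a constructed, simplified rule set for the four checks that map directly onto firewall rules: no direct Enterprise to Industrial path, no CIP into or out of the IDMZ, no protocol permitted through both logical firewalls, and outbound connections from the IDMZ limited to an explicit allow-list. The rule format, zone names and sample rules are assumptions; the CIP ports are the ODVA-registered EtherNet/IP ports (TCP/UDP 44818, UDP 2222), which the slide does not list.

```python
"""Audit an IDMZ firewall rule set against the best practices on the slide:
no direct Enterprise<->Industrial path, no CIP into or out of the IDMZ,
no protocol permitted through both logical firewalls, and outbound
connections from the IDMZ limited to an explicit allow-list.

Added example for this page, not code from the session or from Cisco. The
rule format and sample rules are constructed; the CIP ports are the
ODVA-registered EtherNet/IP ports, which the slide does not list.
"""
from dataclasses import dataclass
from typing import Optional

CIP_PORTS = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}


@dataclass(frozen=True)
class Rule:
    src: str             # zone: enterprise / idmz / industrial / any
    dst: str             # zone
    proto: str           # tcp / udp / any
    port: Optional[int]  # destination port, None for any
    action: str          # permit / deny

    def __str__(self):
        return f"{self.action} {self.src}->{self.dst} {self.proto}/{self.port}"


def audit_idmz_policy(rules, allowed_idmz_outbound):
    """Return a list of findings. allowed_idmz_outbound is the set of
    (dst zone, proto, port) that IDMZ services are permitted to initiate."""
    findings = []
    enterprise_side, industrial_side = set(), set()   # protocols on each logical firewall
    for r in rules:
        if r.action != "permit":
            continue
        zones = {r.src, r.dst}
        if zones == {"enterprise", "industrial"}:
            findings.append(f"{r}: traffic must terminate in the IDMZ, direct path not allowed")
            continue
        if (r.proto, r.port) in CIP_PORTS and "idmz" in zones:
            findings.append(f"{r}: CIP stays home, no control traffic into or out of the IDMZ")
        if r.src == "idmz" and (r.dst, r.proto, r.port) not in allowed_idmz_outbound:
            findings.append(f"{r}: outbound connection from the IDMZ not on the allow-list")
        if "enterprise" in zones:
            enterprise_side.add((r.proto, r.port))
        if "industrial" in zones:
            industrial_side.add((r.proto, r.port))
    for proto, port in sorted(enterprise_side & industrial_side):
        findings.append(f"{proto}/{port} permitted on both logical firewalls; the IDMZ broker should change protocol")
    return findings


# Constructed allow-list: the only connections IDMZ services may initiate.
ALLOWED_IDMZ_OUTBOUND = {
    ("industrial", "tcp", 3389),   # Remote Desktop Gateway -> remote access server
    ("enterprise", "tcp", 8530),   # patch management pulls from the enterprise update server
}

# Constructed rule set; the three permits marked BAD violate the best practices.
SAMPLE_RULES = [
    Rule("enterprise", "idmz", "tcp", 443, "permit"),          # engineers and plant manager to RD Gateway / web proxy
    Rule("idmz", "industrial", "tcp", 3389, "permit"),         # RD Gateway to the remote access server
    Rule("industrial", "idmz", "tcp", 1433, "permit"),         # application mirror replication
    Rule("idmz", "enterprise", "tcp", 8530, "permit"),         # patch management upstream
    Rule("enterprise", "industrial", "tcp", 44818, "permit"),  # BAD: direct CIP from the enterprise
    Rule("enterprise", "idmz", "tcp", 3389, "permit"),         # BAD: RDP on both sides of the IDMZ
    Rule("idmz", "industrial", "udp", 2222, "permit"),         # BAD: CIP I/O originating in the IDMZ
    Rule("any", "any", "any", None, "deny"),
]


if __name__ == "__main__":
    for finding in audit_idmz_policy(SAMPLE_RULES, ALLOWED_IDMZ_OUTBOUND):
        print(finding)
```

The "common protocol" check is the one most often missed: with RDP permitted on both sides, a compromised Remote Desktop Gateway is a straight relay into the Industrial Zone, whereas HTTPS on the enterprise side and RDP on the industrial side forces every session through the broker's own authentication. The same audit against the first four rules plus the final deny returns no findings.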
IDMZ – Replicated Data and Services

Diagram: the plant architecture with the IDMZ firewalls (active/standby) inspecting traffic at both boundaries.
• Enterprise Zone (Levels 4-5): physical or virtualized servers – ERP, email; Active Directory (AD), AAA – RADIUS; Call Manager; enterprise WLC and ISE; Wide Area Network (WAN); the engineer (remote access) and the plant manager (web reports) sit here
• Industrial Demilitarized Zone (IDMZ): physical or virtualized servers – Patch Management, AV Server, Application Mirror, Remote Desktop Gateway Server; web proxy
• Industrial Zone (Levels 0-3): Level 3 Site Operations – physical or virtualized servers (FactoryTalk Application Servers & Services; network services, e.g. DNS, AD, DHCP, AAA; Call Manager; storage array), Remote Access Server, VantagePoint, core switches, distribution switch, WLC (active/standby), ISE; Cell/Area Zones (Levels 0-2) – PACs, drive, I/O, MCC, FactoryTalk Client, LWAP and WGB on IE2K / IE3X / IE4K access switches
Policy shown on the diagram:
• Permit secure remote access to industrial assets: engineer → Remote Desktop Gateway (IDMZ) → Remote Access Server (Industrial Zone)
• Permit data from the Industrial Zone to enterprise stakeholders: VantagePoint web reports → web proxy (IDMZ) → plant manager
• Block untrusted access to the Industrial Zone
• Block untrusted access to the Enterprise Zone
Factory Security: Industrial Firewall – ISA 3000
Industrial Firewall – ISA 3000
Architecture & Management software

On board the ISA 3000 hardware:
• Adaptive Security Appliance (ASA) – firewall, ACL, NAT & VPN
• FirePOWER – IPS, application & threat control
Centralized management:
• Cisco Security Manager (CSM) – firewall
• FireSIGHT Management Center – FirePOWER
Local management:
• Adaptive Security Device Manager (ASDM) – firewall & FirePOWER management
Industrial Firewall – ISA 3000
Architecture Positioning

Diagram: the plant architecture from the Internet and the enterprise External DMZ / Firewall, through the Enterprise Zone (Levels 4-5) and the Industrial Demilitarized Zone (IDMZ: Patch Management, AV Server, Application Mirror, Remote Desktop Gateway Server), into the Industrial Zone (Levels 0-3): Level 3 Site Operations with core switches, distribution switch stack, active/standby Wireless LAN Controller (WLC) and Authentication, Authorization and Accounting (AAA); Level 2 Area Supervisory Control (FactoryTalk Client); Level 1 controllers; Level 0 process (drive, soft starter, MCC, I/O, WGB on the 5 GHz and 2.4 GHz SSIDs of a LWAP). The ISA 3000 industrial firewall sits inside the Industrial Zone, in front of the controller cell.
IDMZ firewalls create a security boundary between the Enterprise and Industrial Zone.
Factory Security: OT Intent-based Security for Industrial Networks
Cisco Identity Services Engine (ISE): Delivering Visibility, Context, and Control to Secure Network Access
[Diagram: ISE combines network/user context (who, what, where, when, how) with the device profiling feed service]
Goal: reduce network unknowns and apply the right level of secure access consistently across wired, wireless and VPN, for employee access, contractor + vendor access (e.g. RBAC) and guest access.
Secure Access: Consolidating access for employees, contractors and vendors
Context used for the access decision:
• Who? Employee, attacker, guest
• What? Personal device, company asset
• Where? Plant 1, zone 2; headquarters
• When? Weekends (8:00am – 5:00pm) PST
• How? Wired, wireless, VPN
Operational challenges due to IT-OT dependency
Visibility: enforcing security in the process network requires the security systems to have visibility of plant-floor assets, together with the context of their observed behaviors.
Intent: maintaining that enforcement effectively requires dynamic security policy application triggered by OT intent, without depending on IT for day-to-day operations.
Defining security policies without visibility is complex
[Diagram: security platforms recognize enterprise assets (camera, printer, laptop, phone) but see only unknowns ("?") among industrial assets]
Operational challenges due to IT-OT dependency
[Diagram: one centralized IT team serving the enterprise, with OT teams distributed across Plant-1, Plant-2 … Plant-n]
• Centralized IT team; OT distributed across plants
• OT engineers make adds, moves, and changes to the control system for day-to-day operations
• Dependency on the centralized IT team to modify security policies
IoT Threat Defense
[Diagram: IND (OT platform) provides visibility; ISE (IT platform) carries intent; context is exchanged over pxGrid; enforcement reaches IE switching (SGT, dACL), the NGFW (SXP) and Stealthwatch (pxGrid quarantine)]
Visibility in Industrial Networks: Security starts with Visibility
Industrial Network Director (IND): discovers industrial assets using the CIP, PROFINET, Modbus and BACnet protocols, and visualizes connectivity between automation and networking assets.
IND shares industrial asset identity with ISE over pxGrid; this visibility, combined with context, becomes a force-multiplier for security.
Context enhances security. The context ISE holds for one endpoint, as shown on the slide:
• Who: Bob
• What: Rockwell PLC
• When: 11:00 AM EST on April 10th
• Where: Extrusion, Zone-2, Cell-1
• How: Wired access
• Vulnerability: CVSS score of 6
• Threat: None
• Compliance: Yes
Industrial Asset Visibility with IND
IND asset inventory attributes published to ISE over pxGrid (the ISE profiler attributes): iotIpAddress, iotMacAddress, iotName, iotVendor, iotProductId, iotSerialNumber, iotDeviceType, iotSwRevision, iotHwRevision, iotProtocol, iotConnectedLinks, iotCustomAttributes
ISE profiling rules can be based on attributes such as make, model, serial number and device type instead of just the IP address.
Custom attributes allow IND to signal higher-order information that is common to a group of assets.
OT user intent driven policy updates: Putting OT in the driver's seat
[Diagram: the OT user tags assets as "Cell-1" in the IND topology UI; IND sends a pxGrid update; in ISE the pxGrid attribute "Cell-1" matches profiling policy-X and triggers authorization policy-Y, which assigns an SGT, dACL or VLAN]
OT personnel use the IND UI to express intent; the pxGrid update results in an automatic policy update.
IT manages ISE. OT uses IND to express intent that influences the IT-owned security policy.
Use Case #1 - Cell Segmentation
[Diagram: OT user and IT user; MES and ISE at Level 3; the Cell-1 and Cell-2 assets at Levels 0-2; IND sends context to ISE over pxGrid (steps 1-4 below)]
Segmentation Requirement
• Segment the industrial network
• OT users have the ability to classify the assets into segments
Security Policy Pre-Staging
• IT and OT decide on the segmentation policy
• IT configures ISE with Secure Group Tags (SGT) and a TrustSec policy to match rules
Workflow during Asset Classification
1. OT user selects assets and groups them in IND as Cell-1 and Cell-2
2. OT user assigns a tag to C2-PLC
3. IND sends OT user intent and asset details to ISE over pxGrid
4. Profiling policy match in ISE results in TrustSec policy distribution
Resulting TrustSec matrix (source SGT → destination SGT):
SGT 33 → SGT 33 ✓, SGT 100 ✓, SGT 200 ✓
SGT 100 → SGT 33 ✓, SGT 100 ✓, SGT 200 ✘
SGT 200 → SGT 33 ✓, SGT 100 ✘, SGT 200 ✓
Use Case #2 - On-Demand Remote Access
[Diagram: an OEM user connects with AnyConnect through the ASA in the DMZ; ISE, IND and the IT/OT users sit at Level 3; the target asset is at Levels 0-2; SGT 777 is carried to the ASA over SXP and RDP is then allowed (steps 1-3 below)]
AnyConnect checks security posture, establishes the VPN and collects application telemetry; the user session is tracked in ISE along with the SGT role.
Remote Access Requirement
• Only a specific asset in the machine must be accessible
• No dependency on IT
Security Policy Pre-Staging
1. IT user pre-defines profiling rules in ISE to match custom attributes
2. IT user pre-defines SGT firewall rules in the ASA to allow remote access
Workflow during Maintenance Window
1. During machine maintenance, the OT user changes the asset attribute tag in IND, which denotes the intent to allow remote access
2. IND sends OT user intent and asset details to ISE over pxGrid, which results in asset reauthorization
3. ISE distributes the new TrustSec policy to the firewall and access switches to enable remote access
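The attribute → profiling → authorization → TrustSec chain of Use Cases #1 and #2, carried through as a small simulation. This is an added example, not IND or ISE code; the attribute names are those from the IND slide, while the rule names, SGT numbers, IP addresses and the firewall rule are constructed assumptions.

```python
"""Simulation of the pxGrid-driven TrustSec workflow from the slides above.
IND publishes asset attributes; ISE profiling rules match on them; an
authorization policy maps the profile to an SGT; the SGACL matrix and an
SGT-aware firewall rule then decide what may talk to what."""

# Constructed asset inventory keyed by iotIpAddress (attribute names from the
# IND slide; every value is made up for this example).
ASSETS = {
    "10.10.1.20": {"iotName": "C1-PLC", "iotVendor": "Rockwell Automation",
                   "iotDeviceType": "Controller", "iotProtocol": "CIP",
                   "iotCustomAttributes": {"Cell": "Cell-1"}},
    "10.10.2.20": {"iotName": "C2-PLC", "iotVendor": "Rockwell Automation",
                   "iotDeviceType": "Controller", "iotProtocol": "CIP",
                   "iotCustomAttributes": {"Cell": "Cell-2"}},
    "10.10.3.5": {"iotName": "MES-01", "iotVendor": "n/a",
                  "iotDeviceType": "Server", "iotProtocol": "n/a",
                  "iotCustomAttributes": {"Role": "MES"}},
}


def custom(attrs, key):
    """Read one IND custom attribute (None when the asset does not carry it)."""
    return attrs.get("iotCustomAttributes", {}).get(key)


# ISE profiling policies ("policy-X" on the slide), evaluated top-down.
PROFILING_RULES = [
    ("Maintenance-Window", lambda a: custom(a, "RemoteAccess") == "true"),
    ("Cell-1-Assets", lambda a: custom(a, "Cell") == "Cell-1"),
    ("Cell-2-Assets", lambda a: custom(a, "Cell") == "Cell-2"),
    ("Level3-MES", lambda a: custom(a, "Role") == "MES"),
]

# ISE authorization policy ("policy-Y"): profile -> SGT. The first matching
# profile wins, so the maintenance tag overrides the cell tag while it is set.
AUTHZ_SGT = {"Maintenance-Window": 777, "Cell-1-Assets": 100,
             "Cell-2-Assets": 200, "Level3-MES": 33}
UNKNOWN_SGT = 0

# TrustSec SGACL matrix of Use Case #1: source SGT -> permitted destination SGTs.
# Level 3 (SGT 33) reaches both cells; each cell reaches Level 3 and itself only.
SGACL = {
    33: {33, 100, 200, 777},
    100: {33, 100},
    200: {33, 200},
    777: {33, 777},
}

# SGT firewall rule pre-staged on the ASA for Use Case #2 (constructed): RDP
# from an AnyConnect session tagged 777 to an asset that currently carries 777.
SGFW_RULES = {(777, 777, "tcp", 3389)}


def profile(attrs):
    """All profiling policies the pxGrid attributes match, in policy order."""
    return [name for name, pred in PROFILING_RULES if pred(attrs)]


def authorize(attrs):
    """SGT assigned by the first matching profile (UNKNOWN_SGT when none match)."""
    matches = profile(attrs)
    return AUTHZ_SGT[matches[0]] if matches else UNKNOWN_SGT


def sgacl_permit(src_sgt, dst_sgt):
    """Switch-side enforcement: permit only what the matrix lists."""
    return dst_sgt in SGACL.get(src_sgt, set())


def sgfw_permit(src_sgt, dst_sgt, proto, port):
    """Firewall-side enforcement for sessions that cross the IDMZ."""
    return (src_sgt, dst_sgt, proto, port) in SGFW_RULES


def tag_asset(ip, key, value):
    """OT user sets a custom attribute in IND; IND publishes the change over
    pxGrid and ISE re-authorizes the endpoint. Returns the SGT now in force."""
    ASSETS[ip]["iotCustomAttributes"][key] = value
    return authorize(ASSETS[ip])


if __name__ == "__main__":
    for ip, a in ASSETS.items():
        print(ip, a["iotName"], "->", profile(a), "SGT", authorize(a))
```

Note how setting and clearing the `RemoteAccess` attribute is the only OT action needed: the SGT, the matrix and the firewall rule were all pre-staged by IT.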
Use Case #3 - Flow Based Anomaly Detection
[Diagram: Cell-1 and Cell-2 at Levels 0-2; OT user, IT user, ISE, IND and Stealthwatch at Level 3; NetFlow from the switches feeds Stealthwatch, IND host groups and ISE context enrich it, and Stealthwatch sends the quarantine request to ISE, which issues a CoA (steps 1-4 below)]
Requirement
• Group assets into communication trust zones and detect anomalous traffic behavior
• Easily detect the source of an anomaly
Security Policy Pre-Staging
• Assets grouped in IND by the OT user automatically create Host Groups in Stealthwatch
• IT defines alarms in Stealthwatch for Host Group zone-map violations
• IT configures policies in ISE to quarantine devices on violations
Workflow
1. A compromised camera in Cell-2 initiates a port scan
2. Stealthwatch raises a Recon alarm and a zone-map violation alarm
3. Stealthwatch sends a quarantine request to ISE
4. ISE moves the camera's access port to an isolated VLAN to quarantine it
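The Use Case #3 detection logic run over constructed flow records, as an added example that is not Stealthwatch or ISE code; the host group names, addresses, the recon threshold and the quarantine condition (a recon alarm and a zone-map violation from the same host) are assumptions of the example.

```python
"""Flow-based anomaly detection in the shape of Use Case #3: host groups
mirror the IND cell grouping, a zone map says which groups may talk, a
recon check counts distinct destination ports per source, and a host that
trips both checks becomes a quarantine request for ISE."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since start of capture
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


# Host groups as IND would export them to Stealthwatch (constructed).
HOST_GROUPS = {
    "Cell-1": {"10.10.1.20", "10.10.1.30"},
    "Cell-2": {"10.10.2.20", "10.10.2.40"},   # .40 is the IP camera
    "Level3": {"10.10.3.5"},
}
# Zone map: permitted (source group, destination group) pairs. Intra-cell and
# cell <-> Level 3 traffic is expected; cell-to-cell traffic is not.
ZONE_MAP = {("Cell-1", "Cell-1"), ("Cell-2", "Cell-2"),
            ("Cell-1", "Level3"), ("Level3", "Cell-1"),
            ("Cell-2", "Level3"), ("Level3", "Cell-2")}
RECON_PORTS = 15      # distinct destination ports from one source ...
RECON_WINDOW = 60.0   # ... within this many seconds raises a Recon alarm

# Constructed capture: three normal flows, then the camera in Cell-2 probing
# 20 ports on the Cell-1 PLC over 20 seconds.
SAMPLE_FLOWS = [
    Flow(0.0, "10.10.1.20", "10.10.3.5", "tcp", 44818, 1200),  # PLC -> MES
    Flow(1.0, "10.10.3.5", "10.10.2.20", "tcp", 44818, 900),   # MES -> C2-PLC
    Flow(2.0, "10.10.2.40", "10.10.3.5", "tcp", 554, 50000),   # camera RTSP up
] + [Flow(10.0 + i, "10.10.2.40", "10.10.1.20", "tcp", p, 60)
     for i, p in enumerate(range(20, 40))]


def group_of(ip: str) -> Optional[str]:
    for name, members in HOST_GROUPS.items():
        if ip in members:
            return name
    return None


def zone_violations(flows):
    """One alarm per flow between groups the zone map does not permit."""
    alarms = []
    for f in flows:
        pair = (group_of(f.src), group_of(f.dst))
        if None not in pair and pair not in ZONE_MAP:
            alarms.append(("ZoneMapViolation", f.src, f.dst))
    return alarms


def recon_alarms(flows):
    """Sliding-window count of distinct destination ports per source host;
    at most one alarm per source, reporting the port count that tripped it."""
    alarms = []
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda x: x.ts):
        by_src[f.src].append(f)
    for src, fl in by_src.items():
        for i, first in enumerate(fl):
            ports = {g.dport for g in fl[i:] if g.ts - first.ts <= RECON_WINDOW}
            if len(ports) >= RECON_PORTS:
                alarms.append(("Recon", src, len(ports)))
                break
    return alarms


def quarantine_requests(flows):
    """Hosts that raised both a Recon alarm and a zone-map violation are sent
    to ISE, which would answer with a CoA moving the access port to the
    isolated VLAN. Returns sorted (ip, host group) pairs."""
    recon = {a[1] for a in recon_alarms(flows)}
    zone = {a[1] for a in zone_violations(flows)}
    return sorted((ip, group_of(ip)) for ip in recon & zone)


if __name__ == "__main__":
    print(recon_alarms(SAMPLE_FLOWS))
    print(len(zone_violations(SAMPLE_FLOWS)), "zone-map violations")
    print("quarantine:", quarantine_requests(SAMPLE_FLOWS))
```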
Industrial Network Security Framework: CPwE - Holistic Defense-in-Depth
[Diagram: the CPwE reference architecture. Enterprise Zone (Levels 4-5) with Enterprise Identity Services and the external DMZ/firewall to the Internet; Industrial Demilitarized Zone (IDMZ) with physical or virtualized servers for Patch Management, AV Server, Application Mirror and Remote Desktop Gateway Server; Industrial Zone (Levels 0-3) with core switches, a distribution switch stack, active/standby Wireless LAN Controller (WLC), LWAPs with 2.4 GHz and 5 GHz WGB SSIDs, an industrial firewall (IFW), IE2K / IE3X / IE4K access switches, Level 3 Site Operations, Level 2 Area Supervisory Control with FactoryTalk Client, Level 1 controllers, drives, MCC, soft starter and I/O, and Level 0 Process]
Ownership is layered: Control System Engineers; Control System Engineers in collaboration with IT Network Engineers (Industrial IT); IT Security Architects in collaboration with Control Systems Engineers.
Connected Factory in Practice: Achieving Business Outcomes
Drivers for the Connected Factory
• Becoming an insight-driven manufacturer
  • Have the ability to accurately track machine utilization (e.g. OEE)
  • Facilitate the use of advanced sensor technologies and enable predictive maintenance
• Continuously innovating products, services, and relationships
  • Create connected environments inclusive of partners (internal and external ones)
• Becoming agile while maintaining control of the business
  • We want new operational and business models
Connected Factory - Achieving Business Outcomes
"The right information to the right place at the right time…securely"
[Diagram: three layers, Devices (sensors, robots, supply chain tracking, personal devices), Networks (automation network, management network, collaboration network (IT)) and Applications, tied together by a unified network management layer (deployment + service management) and a unified application layer (any device - any application). Application examples: production automation, energy, voice, video, inventory management, quality control, cost management, workforce enablement, building management, facilities management, SCADA, industrial access & control, manufacturing execution systems, enterprise resource planning, reports, analytics, collaboration, Internet, safety, security, real-time location services, product enhancement. Outcomes: reduce costs (optimize operations), increase revenues (more capabilities), meet responsibilities (environmental, safety, regulatory)]
Industry 4.0
[Diagram: technology progress from 18th century steam, to 20th century mass production, to robots in the 70's, to today's digitization/cyber-physical systems and smart devices]
• Cyber-physical systems monitor physical processes, create a virtual copy ("Digital Twin") of the physical world, and make decentralized decisions
• Cyber-physical systems communicate and cooperate with each other and with humans in real time
• Internal and cross-organizational services are offered and used by participants of the value chain
• Includes "soft" topics like work/life balance
IoT, IIoT, Industrie 4.0 and the Connected Factory
[Diagram: the Connected Factory at the intersection of IoT, IIoT and Industrie 4.0]
Connected Factory in Practice: Factory Security
Cyber Attacks Continue…
• One of the latest: the Norsk Hydro cyber attack cost it nearly $52M in the first quarter of 2019
Hope is NOT a Strategy
• 40 percent of manufacturing companies ended up affected by cyber incidents in the past 12 months
• 38 percent of those that felt the effects indicated cyber breaches resulted in damages in excess of $1 million
Source: www.isssource.com
Manufacturing is the most targeted category…and small to medium manufacturers are the most targeted.
Industry 4.0 Driving the Connected Factory
[Diagram: plant-wide systems (receiving, material handling, processing, batching/blending, packaging, shipping, control room, utilities) connected north-south and east-west with enterprise-wide systems (corporate headquarters, OEM, supplier, other plant, customer); the network must connect, collect, and protect & detect]
Lower Total Cost of Ownership | Faster Time to Market | Better Asset Optimization | Broader Risk Management
Security is NOT a Product but a Process
Where do I begin? NIST Cybersecurity Framework – Manufacturing Profile: People, Process and Technology
NIST Framework Core Functions and Categories (People, Process and Technology)
IDENTIFY (know what you have and how critical it is to your organization): Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
PROTECT (secure what you have): Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
DETECT (spot threats quickly): Anomalies and Events; Security Continuous Monitoring; Detection Processes
RESPOND (take action immediately): Response Planning; Communications; Analysis; Mitigation; Improvements
RECOVER (restore operations): Recovery Planning; Improvements; Communications
Technology Doesn't Cover Everything
[Table: the NIST framework functions and categories above, each marked "Applies" under the People, Process and Technology columns to which it applies]
Only half of the framework's categories are addressed by technology. This highlights the importance of both People and Process in cybersecurity.
Assess the Threats and Vulnerabilities: Targeted or Not
[Diagram: enterprise network; IDMZ with web server, app server and historian; supervisory network with SCADA, database, historian and HMI; control system network with PLCs; a remote facility and field network with PLCs reached over VPN; cloud systems on the Internet; the threats that enter at each point are annotated]
Threats shown on the diagram:
• Threats through remote access
• Threats from infected HMIs or PLCs
• Threats from unauthorized control
• Threats from cloud services and the Internet
• Uncontrolled access
• Exfiltration attacks
Entry points and weaknesses:
• Asset discovery and inventory
• Employee carelessness
• Employee (and former employee) sabotage
• Internet
• Phishing email
• Infected CD
• Infected PDF file
• Infected memory stick
• A printer
Core cybersecurity principle: "that which is not visible cannot be protected".
Develop the Transformation
Current state: flat and open IACS network infrastructure; security through obscurity.
Future state: structured and hardened IACS network infrastructure.
Strategic Factory Security Approach: Phased Factory Security Maturity
Phase 1 - Secure Network Environment: Factory (OT) architecture; IDMZ (IT – OT separation); secure remote access to OT; OT network segmentation
Phase 2 - Advanced Industrial Security: OT identity-based network (ISE); OT dedicated security appliances at major demarcation points; OT network security monitoring
Phase 3 - Enhance Protections: secure visibility & control; convergence of IT and OT network security; cyber-security overlays; content
Factory Security
Challenge: the need to connect machines from the factory floor for visibility while the current posture is "security by obscurity"; the need to protect IT from OT and OT from IT.
Solution: factory cyber security assessment; Industrial DMZ; defense-in-depth framework.
Business outcomes: reduced downtime; protected brand reputation; minimized cyber theft; increased visibility to the factory floor; reduced risk.
Protecting IoT and OT devices
• Detect malicious behavior
• No endpoint agents
• Segmentation
Securing the Environment: Why Segmentation?
• Segment infrastructure – protect inbound and outbound communications and the segments from each other; segmentation helps manage attacks
• Scalable software-defined segmentation – separate systems and users based on role and policy, reducing security complexity
• Identity-based access – restrict connections to known systems and devices
• Profiling IoT – evaluate and determine characteristics and posture to see if a device is misbehaving
Map out IDMZ Traffic Flow
• Requirements for the network services and application data flow
• Applications and protocols may have to be allowed
• Certain network services may be allowed to communicate directly, while ICS applications use IDMZ assets to exchange data.
IDMZ Implementation - Current State (Connected Factory - Holistic Defense-in-Depth)
[Diagram: a flat factory network behind the enterprise external DMZ/firewall to the Internet, with a distribution switch stack (Layer 3) and Layer 2 access down to the controllers, MCC, soft starter and I/O at Levels 0-1]
• Implement the Purdue model with level segmentation via a firewall with routing controls
  – Proper configuration and maintenance of firewalls and ACLs
• Build and commission a DMZ at Level 3.5 for IT services, agents, patch management etc.
IDMZ Implementation - Interim (Connected Factory - Holistic Defense-in-Depth)
[Diagram: the Enterprise Zone (Levels 4-5) with Enterprise Identity Services and the external DMZ/firewall, with a new IDMZ and Industrial Zone (Levels 0-3) core switches added alongside the existing distribution switch stack and Layer 2 / Layer 3 boundaries]
• Build the new IDMZ and the factory core
IDMZ Implementation - Access Migration (Connected Factory - Holistic Defense-in-Depth)
[Diagram: as the interim state, with the factory floor access/distribution switches now attached to the new core]
• Migrate the access/distribution factory floor switches to the new core
• Add static routes on the enterprise core to the factory floor subnets and redistribute them into the enterprise IGP
• IDMZ firewall: permit any/any and log
IDMZ Implementation - Server Migration (Connected Factory - Holistic Defense-in-Depth)
[Diagram: the final state, with Level 3 Site Operations in the Industrial Zone and the physical or virtualized servers (Patch Management, AV Server, Application Mirror, Remote Desktop Gateway Server) placed in the IDMZ]
• Migrate servers into their proper zones
• IDMZ firewall: build the policy and enforce it
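One way to turn the "permit any/any and log" phase into the enforced policy of the final step, following the traffic-flow mapping rule that ICS applications exchange data through IDMZ assets while only agreed services cross directly. This is an added example rather than anything from the slides or a Cisco tool: the zone subnets, the directly-allowed services and the log lines are constructed, and the emitted rules are a generic pseudo-policy, not ASA syntax.

```python
"""Classify flows logged during the permit-any phase into candidate IDMZ
permits and flows that need review because they cross Enterprise <->
Industrial directly instead of through an IDMZ broker."""
import ipaddress
import re
from collections import Counter

# Constructed zone plan.
ZONES = {
    "Enterprise": [ipaddress.ip_network("10.0.0.0/16")],
    "IDMZ": [ipaddress.ip_network("10.50.0.0/24")],
    "Industrial": [ipaddress.ip_network("10.10.0.0/16")],
}
# Services the IT and OT teams agreed may cross directly (constructed): NTP, DNS.
DIRECT_ALLOWED = {("udp", 123), ("udp", 53)}

# Constructed log lines in a generic "src dst proto dport" form; a real firewall
# syslog would be parsed the same way with a different regular expression.
SAMPLE_LOG = """\
2019-06-10T08:01:02 flow src=10.0.5.21 dst=10.50.0.10 proto=tcp dport=3389
2019-06-10T08:01:05 flow src=10.50.0.10 dst=10.10.1.30 proto=tcp dport=3389
2019-06-10T08:02:11 flow src=10.10.1.20 dst=10.50.0.20 proto=tcp dport=8443
2019-06-10T08:02:40 flow src=10.0.7.9 dst=10.10.1.20 proto=tcp dport=44818
2019-06-10T08:03:00 flow src=10.10.1.20 dst=10.0.1.1 proto=udp dport=123
2019-06-10T08:03:30 flow src=10.0.5.21 dst=10.50.0.10 proto=tcp dport=3389
"""
LINE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in n for n in nets):
            return zone
    return "Unknown"


def parse_flows(log: str):
    """Yield (src_zone, dst_zone, proto, dport, src, dst) per log line."""
    for m in LINE.finditer(log):
        src, dst, proto, dport = m.groups()
        yield zone_of(src), zone_of(dst), proto, int(dport), src, dst


def classify(log: str):
    """Return (permits, review). permits counts (src_zone, dst_zone, proto,
    dport) tuples that conform to the IDMZ model; review lists the direct
    Enterprise <-> Industrial flows that must be brokered or justified."""
    permits, review = Counter(), []
    for sz, dz, proto, dport, src, dst in parse_flows(log):
        direct = {sz, dz} == {"Enterprise", "Industrial"}
        if direct and (proto, dport) not in DIRECT_ALLOWED:
            review.append((src, dst, proto, dport))
        else:
            permits[(sz, dz, proto, dport)] += 1
    return permits, review


def draft_policy(log: str) -> list:
    """Render the conforming flows as ordered allow rules with an explicit
    logged deny at the end, the shape the IDMZ firewall takes when it moves
    from 'permit any/any and log' to 'build policy and enforce'."""
    permits, _ = classify(log)
    rules = [f"permit {proto} zone {sz} -> zone {dz} port {dport}  # seen {n}x"
             for (sz, dz, proto, dport), n in sorted(permits.items())]
    rules.append("deny any -> any log")
    return rules


if __name__ == "__main__":
    print("\n".join(draft_policy(SAMPLE_LOG)))
    print("needs review:", classify(SAMPLE_LOG)[1])
```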
Protect Critical Infrastructure: Through Network Segmentation – Zone Definition
How TrustSec Simplifies Network Segmentation
Traditional segmentation: security policy based on topology; high cost and complex maintenance. The factory network access layer carries a machine VLAN, a machine data VLAN, an employee data VLAN, a supplier VLAN, a guest VLAN, a BYOD VLAN and a non-compliant quarantine VLAN, and every VLAN brings addressing, a DHCP scope, redundancy, routing, static ACLs and VACLs at the aggregation layer.
TrustSec: use the existing topology and automate security policy to reduce OpEx. ISE provisions tags (Employee Tag, Supplier Tag, Non-Compliant Tag, machine tags) centrally: no VLAN change, no topology change, central policy provisioning, micro/macro segmentation, with policy enforced at the access layer, the IDMZ firewall/switch and the IDC servers.
Extensible - Scalable Segmentation: Easily Separate Devices and Data Using the Network
• Utilize a controller to support group design: get up and running quickly
• Assign role-based groups: assign business-based groupings to provide consistent policy and access independent of network topology (e.g. SGT_Contractor for Guest 1-4, SGT_Employee for Employee 1-4, SGT_Factory Floor)
• Establish context-aware groups: leverage attributes such as location and device type to define group assignments (e.g. SGT_ERP for ERP 1-2, SGT_Cell for Conveyor system 1 and 2 with their temperature devices and IP cameras)
Factory Device Segmentation – Example (Software-Defined Segmentation - TrustSec)
[Diagram: factory backbone switches SW 1 and SW 2 enforcing SGACLs, a factory firewall, and a data center behind the DC firewall holding the historian, ISE, MES server and engineering workstation; a vendor/contractor connects at the access layer]
• TrustSec policy (SGACL) is configured and provisioned by ISE
• The switch automatically downloads from ISE only the policies for the devices connected to it
• Traffic is filtered even within the same VLAN
SGACL policy matrix rows and columns: SF Operator, SF Development, Vendor/Contractor, SF Device (Shop Floor Device)
Factory Data Access Control using TrustSec (Software-Defined Segmentation - TrustSec)
[Diagram: the same topology; ISE authorizes each endpoint with a security group and the factory firewall (SGFW) applies the ASA firewall policy for access to the MES server, historian and engineering workstation]
Authorization with Security Group, two examples:
• OS type: Windows XP Embedded; user: Frank; AD group: Shop Floor; device group: Eng Workstation → Security Group = Shop Flr Device
• OS type: Windows 8.1; user: contractor123@acme.com; AD group: None; device group: BYOD Laptop → Security Group = Contractor
Access privilege is then defined per security group in the ASA firewall policy (source groups such as SF Operator and SF Device; destinations such as MES Server, Historian and Eng Work Stn).
Monitoring & Analysis: Why Visibility
• Communication in both IT and OT: monitor infrastructure communications; identify and alert on abnormal traffic flows
• Threat intelligence: knowledge of existing attacks and communication vectors
• Intrusion prevention: block attacks, exploitation and intelligence gathering
You have already made a lot of investment in network and security …yet threats are getting through.
Have you been compromised? How and when would you know?
Effective security depends on total visibility
[Diagram: datacenter, manufacturing, enterprise and IoT devices all feeding one view]
• KNOW every host: identify every asset on the network
• SEE every conversation: set policies based on hosts as well as applications; model policies before enforcing them
• Understand what is NORMAL
• Be alerted to CHANGE
• Respond to THREATS quickly
Security Analytics with Stealthwatch
• Data collection: rich telemetry from the existing network infrastructure
• Global threat intelligence (powered by Talos): intelligence on global threat campaigns mapped to local alarms for faster mitigation
• Behavioral modeling: behavioral analysis of every activity within the network to pinpoint anomalies
• Multilayered machine learning: a combination of supervised and unsupervised techniques to convict advanced threats with high fidelity
• Encrypted Traffic Analytics: malware detection without any decryption, using enhanced telemetry from the new Cisco devices
Introduction into Data and Analytics: Insight Driven Operations
Data in Manufacturing - Two Distinct Viewpoints
• "Manufacturing has always had Big Data. We have been collecting data with historians and MES systems for decades."
• "Manufacturing is an untapped market for Big Data. There is lots of data, lots of different types of data, and hardly any of it is being used for analysis today."
[Diagram: data from PLCs and I/O passes through the Ethernet switch with edge compute (Cisco Kinetic), which adds context and a quality flag, on to Big Data analytics, where selected data has modeling and logic applied]
Data Opportunities and Challenges in Manufacturing
Opportunities
• Improve quality and increase throughput
• Better insights into the root causes of manufacturing issues
• Reduce machine failure and downtime
Challenges
• The extreme composition of the data requires new approaches, infrastructure, and tools
• Data scientists or business analysts required
• Little time for refining data models, massaging analytical tools, and teasing out insight
• Need simple, intuitive analytical tools and dashboards
• Lack of expertise to derive algorithms for predictive models
"Can an analytics system answer questions we didn't know to ask?"
• Data and analytics can bring together structured, time-series and unstructured data
• Artificial intelligence (AI) based analytics on top of these are the solutions answering unasked questions, driving real and unexpected value
[Diagram: a 2x2 matrix of Data (conventional vs. Big Data) against Analytics (conventional vs. machine learning); the quadrants read "old answers to old questions", "new answers to old questions" (for Big Data alone and for machine learning alone) and "new answers to new questions" for Big Data combined with machine learning]
Data Driving Decision Making – Analytics
[Diagram: streaming data flows through MEASURE → ANALYZE → DECIDE → ACT]
Analytics Maturity – Data into Action
[Diagram: analytics maturity from descriptive (what happened?) to diagnostic (why did it happen?) to predictive (what will happen?) to prescriptive (what should I do?); the early stages are decision support, with human input required for the decision and the action, and the later stages move toward decision automation]
Data analytics applied to factory equipment and sensors can bring operational efficiencies and cost savings to manufacturing processes.
Data and Decision Time within the Purdue Model
Level 5 - Planning: decision time months/years; network: enterprise
Level 4 - Business systems: decision time days/weeks; network: enterprise
Level 3 - Manufacturing operation management: decision time seconds/minutes/hours; network: plant/enterprise
Level 2 - Equipment and process control: decision time sub-second; network: plant
Level 1 - Sensors, instrumentation, and data collection: decision time sub-second; network: plant
Level 0 - Production assets
Compute placement: Cisco Kinetic spans the edge (IE switches with IOx), fog, enterprise and cloud.
Data Driving Design and Digital Twin – Analytics
[Diagram: streaming data links the physical and digital worlds through DESIGN → SIMULATE & OPTIMIZE → PRODUCE → REACT]
Manufacturing Data Examples
• Data is characterized by huge data sets with varied data types, which can be classified as structured, real-time structured, or unstructured
Real-time structured data: sensors (vibration, pressure, value, and acoustics), relays; RFID; direct from PLCs, motors and drives; direct from motion controllers, robot arms; manufacturing historians (time-series data structure)
Unstructured data: operator shift reports; machine logs; error logs; texts; vision images; audio/video; manufacturing collaboration social platforms
Structured data: RDBMS databases; NoSQL; enterprise data warehouse; files stored on manufacturing PCs; spreadsheets
Data Types and Sizes
• Manufacturing generates massive data files
• This limits the ability to store, analyze, and extract useful information from them using conventional methods
• It is extremely hard even to visualize the information in large data sets from various sources
Data type | Data size (per week) | Examples
Machine parameters and error logs | ~5 GB per machine | Used to monitor machine performance: dispense height, placement (x,y,z), belt speed, flow rate, over temperature, laser power, etc.
Machine events | ~10 GB per machine | Used to measure process time: start dispense, end dispense, start setup, and end setup
Defect images from vision equipment | ~50 GB per unit or 750 GB per lot | Used to identify root cause of failure modes, defect commonality, defect mapping
What problems are we solving for customers?
Environmental sensing (business outcomes): plant hazard awareness; pollution; security; safety; compliance
Remote visibility (business outcomes): condition monitoring; preventive & predictive maintenance; asset health; cost avoidance; reliability
Efficiency through process automation (business outcomes): cost reduction; efficiency; consistency; increased up time; faster and more accurate decisions
Key Takeaways
• The power of big data technology stems from the ability to merge and correlate these data set types to create business value through newfound insights.
• New big data technology allows manufacturers to aggregate and centralize various types of data in a cost-effective, scalable manner.
• Process variability drives a real business need for manufacturers to turn to a big data solution based on a scalable platform that can grow with their businesses and manufacturing requirements.
• Machine data is strongly correlated to yield, quality, and output, thereby providing valuable information to proactively detect processes that are getting out of control.
Factory Wireless: Autonomous Guided Vehicle (AGV) Roaming
Factory Wireless
Use Cases
• Wireless tooling
• Monitoring hard-to-reach and restricted areas
• PLCs and automated guided vehicles (AGVs)
Key Enabling IW3702 Features
• Seamless roaming at low to moderate speeds
• Supports prioritized PROFINET traffic for industrial applications
• PRP (Parallel Redundancy Protocol) over wireless for high resilience
Factory Wireless WGB Roaming Evolution
Basic WGB roaming (low to moderate speed):
• Limited scanning of channels
Fast WGB roaming (high speed):
• 802.11v BSS Fast Transition on the WGB
• RSSI smoothing filter
• Optimized rate-shifting algorithm
PRP enhanced roaming (highest speed):
• PRP over wireless
• Dual radios enable always-best-connected
• Roaming coordination prevents two radios from roaming at the same time
Parallel Redundancy Protocol (PRP) over Wireless
• Wireless network without PRP: each data transmission goes through a single radio path, so RF interference or a hand-off results in packet loss.
• PRP-enabled wireless network: a PRP RedBox at each end sends every data frame over two redundant radio paths, giving zero recovery time in the event of a temporary failure on one path.
PRP is defined in the International Standard IEC 62439-3 and designed to provide hitless redundancy (zero recovery time after failures) in networks.
PRP over Wireless Redundancy Options
Dual WGBs, dual radios (WLC 8.4)
• Two WGBs, each on a 5 GHz radio; an external PRP switch acts as the RedBox (redundancy box) and performs the packet duplication / duplicate discard function
• Application examples: industrial automation and AGV applications
Single WGB, dual radios (WLC 8.5)
• One WGB using its 2.4 GHz and 5 GHz radios acts as the RedBox (redundancy box) and performs the packet duplication / duplicate discard function
• Application examples: autonomous vehicles, straddle carriers and other mission-critical applications
Roaming Coordination
(Figure: WGB1 on Gi0/1 and WGB2 on Gi0/2 linked by a direct wired connection or through a switch, with subinterface Gi1.51 in VLAN 51 on each WGB carrying the coordination signalling; WGB1 associates to AP1 and WGB2 to AP2. For the single-WGB option the figure shows one WGB with its 5 GHz and 2.4 GHz radios.)
• A WGB sends an indication to the other WGB when it wants to start a roam.
• If the other WGB also needs to roam, it waits 100 ms by default (configurable).
• Once the roam event on the first WGB is complete, or the timeout expires, the other WGB is free to roam.
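The PRP duplicate/discard behaviour and the roaming hold-off described above, as an added example that is not part of the Cisco presentation or of the IW3702 firmware: a Python model of a sending RedBox that appends the IEC 62439-3 Redundancy Control Trailer (16-bit sequence number, 4-bit LAN id, 12-bit LSDU size, 0x88FB suffix) and sends each frame on LAN_A and LAN_B, a receiving RedBox that forwards the first copy and discards the second, and the coordination rule that makes a second radio wait for the first roam to finish or for the hold timer to expire. The frame payloads, the 100-frame scenario, the 64-entry discard window and the roam durations are constructed assumptions; LSDU size is modelled as payload plus trailer, a simplification. One caveat a practitioner should keep in mind: the trailer is unauthenticated and the discard decision rests on the sequence number alone, so PRP is a resilience mechanism and the two SSIDs still need their own 802.11 security.

```python
import collections
import struct

PRP_SUFFIX = 0x88FB          # trailer marker defined by IEC 62439-3
LAN_A, LAN_B = 0xA, 0xB      # 4-bit LAN identifiers carried in the RCT


def add_rct(payload: bytes, seq: int, lan_id: int) -> bytes:
    """Sending RedBox: append the 6-byte Redundancy Control Trailer
    (16-bit sequence number | 4-bit LAN id + 12-bit LSDU size | 16-bit suffix).
    The LSDU is modelled as payload + RCT, a simplification of the standard."""
    lsdu_size = (len(payload) + 6) & 0x0FFF
    return payload + struct.pack(">HHH", seq & 0xFFFF,
                                 (lan_id << 12) | lsdu_size, PRP_SUFFIX)


def parse_rct(frame: bytes):
    """Return (payload, seq, lan_id), or None when the trailer is missing or
    its size field disagrees with the frame (treated as a non-PRP frame)."""
    if len(frame) < 6:
        return None
    seq, lan_size, suffix = struct.unpack(">HHH", frame[-6:])
    if suffix != PRP_SUFFIX or (lan_size & 0x0FFF) != (len(frame) & 0x0FFF):
        return None
    return frame[:-6], seq, lan_size >> 12


class DuplicateDiscard:
    """Receiving RedBox: forward the first copy of a sequence number, drop the
    second. The discard window is implementation-defined; 64 is an assumption.
    Nothing here is authenticated: the decision rests on the sequence number."""

    def __init__(self, window: int = 64):
        self.window = window
        self.seen = collections.OrderedDict()   # seq -> LAN that delivered it first
        self.delivered = []
        self.discarded = 0

    def receive(self, frame: bytes) -> bool:
        parsed = parse_rct(frame)
        if parsed is None:
            return False
        payload, seq, lan_id = parsed
        if seq in self.seen:
            self.discarded += 1                   # duplicate from the other LAN
            return False
        self.seen[seq] = lan_id
        if len(self.seen) > self.window:
            self.seen.popitem(last=False)         # forget the oldest entry
        self.delivered.append(payload)
        return True


def coordinate_roams(requests, hold_ms=100):
    """Roaming coordination as on the slide: a radio that wants to roam while
    the other is mid-roam waits until that roam completes or hold_ms expires.
    requests: [(lan_id, wanted_start_ms, duration_ms)]; returns {lan_id: (start, end)}."""
    schedule, busy_until = {}, -1
    for lan_id, start, duration in sorted(requests, key=lambda r: r[1]):
        if start < busy_until:
            start = min(busy_until, start + hold_ms)
        schedule[lan_id] = (start, start + duration)
        busy_until = max(busy_until, start + duration)
    return schedule


def simulate(n_frames, roams, hold_ms=100, coordinated=True):
    """Send one frame per millisecond on both LANs; a frame sent while its LAN
    is roaming is lost on that LAN. Returns (frames delivered, duplicates discarded)."""
    if coordinated:
        outages = coordinate_roams(roams, hold_ms)
    else:
        outages = {lan: (start, start + dur) for lan, start, dur in roams}
    rx = DuplicateDiscard()
    for t in range(n_frames):
        payload = b"PROFINET-cyclic-%04d" % t        # constructed sample payload
        for lan in (LAN_A, LAN_B):
            start, end = outages.get(lan, (-1, -1))
            if start <= t < end:
                continue                              # lost in the hand-off on this path
            rx.receive(add_rct(payload, t, lan))
    return len(rx.delivered), rx.discarded


# Constructed scenario: LAN_A roams at t=10 for 30 ms, LAN_B wants to roam at t=20.
ROAMS = [(LAN_A, 10, 30), (LAN_B, 20, 30)]

if __name__ == "__main__":
    print("uncoordinated:", simulate(100, ROAMS, coordinated=False))  # (80, 60)
    print("hold 100 ms  :", simulate(100, ROAMS, hold_ms=100))       # (100, 40)
    print("hold 10 ms   :", simulate(100, ROAMS, hold_ms=10))        # (90, 50)
```

Run as-is and the three lines show the point of the slide: with overlapping roams and no coordination 20 of 100 frames are lost on both paths; with the default 100 ms hold the second radio waits for the first roam to finish and nothing is lost; with a hold timer shorter than the roam the second radio gives up waiting and the outages overlap again, so the hold time has to be sized against the measured roam duration.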
Sample Topology for Dual WGBs PRP Function
(Figure: infrastructure side with WLC, aggregate switch, PRP switch, AP1 serving SSID A (LAN_A) and AP2 serving SSID B (LAN_B), both on 5 GHz; mobile client side with WGB1, WGB2, a PRP switch and the client. Client VLAN 800, LAN_A VLAN 801, LAN_B VLAN 802; each data frame is carried on both VLAN 801 and VLAN 802 between the two PRP switches.)
• Infrastructure side
  • An aggregate switch on the infrastructure side carries the duplicated packets
  • APs in FlexConnect mode
  • The APs transmit/receive the redundant data traffic over different SSIDs, tagged with different VLANs
• Mobile client side
  • Each WGB associates to a different SSID and sits in a different VLAN
• Roaming coordination
  • The WGBs are connected to provide the roaming coordination function, preventing both WGBs from roaming at the same time
Sample Topology for Single WGB PRP Function
(Figure: infrastructure side with WLC, aggregate switch, PRP switch, AP1 serving SSID A (LAN_A) and AP2 serving SSID B (LAN_B); mobile client side with a single WGB, a PRP switch and the client. The WGB uses one 2.4 GHz and one 5 GHz radio, each associated to one of the two SSIDs. Client VLAN 800, LAN_A VLAN 801, LAN_B VLAN 802; each data frame is carried on both VLAN 801 and VLAN 802.)
• Infrastructure side
  • An aggregate switch on the infrastructure side carries the duplicated packets
  • APs in FlexConnect mode
  • The APs transmit/receive the redundant data traffic over different SSIDs, tagged with different VLANs
• Mobile client side
  • The WGB's two radios associate to different SSIDs and sit in different VLANs
• Roaming coordination
  • The two radios of the WGB are coordinated so that they do not roam at the same time
Accelerate time to value with Cisco Validated Designs and Cisco CX solutions
• Cisco Validated Designs (new and updated versions): validated blueprints for industry solutions
• Lifecycle Solutions: fixed SKUs built on CVDs; lab validation, field pilots and edge services; simplify adoption with services from pilots to scale
• Solution Support: on-demand expertise for complex problems
Conclusion: Measure Twice, Cut Once
• Connected Factory reference architectures: simplified design, quicker deployment and reduced risk in deploying new technology to achieve business outcomes
• Factory Network: secure, scalable and resilient network infrastructure
• Factory Wireless: enables mobility, secure personnel access, equipment-to-equipment communication and asset tracking
• Factory Security: defense-in-depth security for multiple layers of threat detection and prevention
For your reference: Recommended Resources
• Websites
  • Design Zone Industry Solutions: https://www.cisco.com/c/en/us/solutions/enterprise/design-zone-industry-solutions/index.html
• Reference Architectures
Questions?
Use Cisco Webex Teams to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space
Webex Teams will be moderated by the speaker until June 16, 2019.
Cisco Webex Teams: cs.co/ciscolivebot#
Complete your online session evaluation
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.
Continue your education
• Related sessions
• Walk-in labs
• Demos in the Cisco campus
• Meet the engineer 1:1 meetings
Wireless Cisco education offerings
• Designing, Deploying, Troubleshooting and Securing Cisco Wireless Enterprise Networks (CCNP® Wireless): professional-level instructor-led trainings that prepare candidates to conduct site surveys and to implement, configure and support APs and controllers in converged enterprise networks. Focused on 802.11 and related technologies to design, deploy, troubleshoot and secure wireless infrastructure. The courses also cover Cisco Mobility Services Engine, Prime Infrastructure and wireless security.
• Implementing Cisco Unified Wireless Network Essential (CCNA® Wireless): prepares candidates to design, install, configure, monitor and conduct basic troubleshooting tasks on a Cisco WLAN in enterprise installations.
• Deploying Basic Cisco Wireless LANs (WDBWL) v1.2: understanding of Cisco Unified Wireless Networking for enterprise deployment scenarios. Covers the basics of how to install, configure, operate and maintain a wireless network, both as an add-on to an existing wireless LAN (WLAN) and as a new Cisco Unified Wireless Networking solution.
• Deploying Advanced Cisco Wireless LANs (WDAWL) v1.2: provides the knowledge and skills to plan, install, configure, troubleshoot, monitor and maintain advanced Cisco wireless LAN solutions such as QoS, “salt and pepper” mobility, high-density deployments and outdoor mesh deployments in an enterprise customer environment.
• Deploying Cisco Connected Mobile Experiences (WCMX) v2.0: prepares professionals to use the Cisco Unified Wireless Network to configure, administer, manage, troubleshoot and optimize utilization of mobile content while gaining meaningful client analytics.
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth
Cybersecurity Cisco education offerings
• Understanding Cisco Cybersecurity Fundamentals (SECFND) (CCNA® Cyber Ops): provides an understanding of cybersecurity's basic principles, foundational knowledge and core skills needed as a base for more advanced cybersecurity material and skills.
• Implementing Cisco Cybersecurity Operations (SECOPS) (CCNA® Cyber Ops): prepares candidates to begin a career within a Security Operations Center (SOC), working with cybersecurity analysts at the associate level.
• Cisco Security Product Training Courses: official deep-dive, hands-on product training on Cisco's latest security products, including NGFW, ASA, NGIPS, AMP, Identity Services Engine, Email and Web Security Appliances, and more.
For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth
Internet of Things (IoT) Cisco education offerings
• Managing Industrial Networks for Manufacturing (IMINS2) (CCNA® Industrial): an associate-level instructor-led, lab-based training that focuses on common industrial application protocols, security, wireless and troubleshooting, designed to prepare you for the CCNA Industrial certification.
• Managing Industrial Networks with Cisco Networking Technologies (IMINS) (Cisco Industrial Networking Specialist): an instructor-led, lab-based training that addresses the foundational skills needed to manage and administer networked industrial control systems for today's connected plants and enterprises. It helps prepare plant administrators, control system engineers and traditional network engineers for the Cisco Industrial Networking Specialist certification.
• Control Systems Fundamentals for Industrial Networking (ICINS) (pre-learning for IMINS, IMINS2 training and certifications): for IT and network engineers, provides an introduction to industry IoT verticals, the automation environment and an overview of industrial control networks (e-learning).
• Networking Fundamentals for Industrial Control Systems (INICS) (pre-learning for IMINS, IMINS2 training and certifications): for industrial engineers and control system technicians, covers basic IP and networking concepts and an introductory overview of automation industry protocols.
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth
Data and Analytics Cisco education offerings
• ANDMB (Data Management, Architecture and Applications): provides hands-on training with a technical mix of application, compute, storage and networking topics concerning the deployment of big data clusters.
• ANDMA (Advanced Data Management, Architecture and Applications): covers major architecture design to cater to different application, data center or deployment requirements. Provides architectural designs and advanced hands-on training on scaling a cluster to thousands of nodes and managing it, data life-cycle management with HDFS tiered storage, and different approaches to multi-tenant Hadoop cluster deployments with OpenStack.
Data and Analytics training page: http://www.cisco.com/c/en/us/training-events/resources/learning-services/technology/data-analytics.html
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth
Cybersecurity Cisco education offerings
• CCIE Security 5.0 (CCIE® Security)
• CCNP® Security:
  • Implementing Cisco Edge Network Security Solutions (SENSS): configure Cisco perimeter edge security solutions utilizing Cisco switches, Cisco routers and Cisco Adaptive Security Appliance (ASA) firewalls.
  • Implementing Cisco Threat Control Solutions (SITCS) v1.5: implement Cisco's Next Generation Firewall (NGFW), FirePOWER NGIPS (Next Generation IPS) and Cisco AMP (Advanced Malware Protection), as well as Web Security, Email Security and Cloud Web Security.
  • Implementing Cisco Secure Access Solutions (SISAS): deploy Cisco's Identity Services Engine and 802.1X secure network access.
  • Implementing Cisco Secure Mobility Solutions (SIMOS): protect data traversing a public or shared infrastructure such as the Internet by implementing and maintaining Cisco VPN solutions.
• Implementing Cisco Network Security (IINS 3.0) (CCNA® Security): focuses on the design, implementation and monitoring of a comprehensive security policy, using Cisco IOS security features.
For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth
Digital Business Transformation Cisco education offerings
For Technology Sellers:
• Adopting the Cisco Business Architecture Approach (Cisco Business Architecture Analyst): builds skills to discover and address technology needs using a business-focused, consultative sales approach, broadly applicable and targeted to prepare for the digital transformation journey that is demanded across the business world.
• Applying Cisco Business Architecture Techniques (Cisco Business Architecture Specialist): provides tools and skills training to prepare the learner to use a business-led approach to technology solution sales and deployments. This continues the journey begun with Adopting the Cisco Business Architecture Approach above.
• Mastering the Cisco Business Architecture Discipline (Cisco Business Architecture Practitioner): builds skills and proven, real-world techniques to prepare for a business architect leadership role in the sales and deployment of transformative technology solutions.
• Cisco Customer Success Manager Specialist (Cisco Certified Customer Success Manager): prepares for the crucial role that drives adoption and enablement, ensuring that customers achieve their expected business outcomes, and reduces churn / increases renewals for services and subscription-based products.
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth
Thank you
#CLUS
#CLUS

More Related Content

Similar to BRKIOT-2108.pdf

Cisco Connect Toronto 2018 sd-wan - delivering intent-based networking to t...
Cisco Connect Toronto 2018   sd-wan - delivering intent-based networking to t...Cisco Connect Toronto 2018   sd-wan - delivering intent-based networking to t...
Cisco Connect Toronto 2018 sd-wan - delivering intent-based networking to t...Cisco Canada
 
從INTEL技術談網路卡
從INTEL技術談網路卡從INTEL技術談網路卡
從INTEL技術談網路卡zman
 
eIoT-tech-intro-for-paris-hackathon
eIoT-tech-intro-for-paris-hackathoneIoT-tech-intro-for-paris-hackathon
eIoT-tech-intro-for-paris-hackathonCisco DevNet
 
TechWiseTV Workshop: Cisco Catalyst 9800 Series Wireless Controller
TechWiseTV Workshop: Cisco Catalyst 9800 Series Wireless ControllerTechWiseTV Workshop: Cisco Catalyst 9800 Series Wireless Controller
TechWiseTV Workshop: Cisco Catalyst 9800 Series Wireless ControllerRobb Boyd
 
teltonika-networks-use-case-catalog-v1.2.pdf
teltonika-networks-use-case-catalog-v1.2.pdfteltonika-networks-use-case-catalog-v1.2.pdf
teltonika-networks-use-case-catalog-v1.2.pdfitsamihaland
 
6TiSCH + RPL @ Telecom Bretagne 2014
6TiSCH + RPL @ Telecom Bretagne 20146TiSCH + RPL @ Telecom Bretagne 2014
6TiSCH + RPL @ Telecom Bretagne 2014Pascal Thubert
 
Cisco Connect 2018 Thailand - Software defined access a transformational appr...
Cisco Connect 2018 Thailand - Software defined access a transformational appr...Cisco Connect 2018 Thailand - Software defined access a transformational appr...
Cisco Connect 2018 Thailand - Software defined access a transformational appr...NetworkCollaborators
 
Cisco connect winnipeg 2018 gain insight and programmability with cisco dc ...
Cisco connect winnipeg 2018   gain insight and programmability with cisco dc ...Cisco connect winnipeg 2018   gain insight and programmability with cisco dc ...
Cisco connect winnipeg 2018 gain insight and programmability with cisco dc ...Cisco Canada
 
2015 02 antaira quarterly webinar optimizing a robust automation network
2015 02 antaira quarterly webinar optimizing a robust automation network2015 02 antaira quarterly webinar optimizing a robust automation network
2015 02 antaira quarterly webinar optimizing a robust automation networkJose Juan Santiago Gomez
 
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
Cisco Connect Toronto 2018   the intelligent network with cisco merakiCisco Connect Toronto 2018   the intelligent network with cisco meraki
Cisco Connect Toronto 2018 the intelligent network with cisco merakiCisco Canada
 
Cisco Connect Ottawa 2018 the intelligent network with Cisco Meraki
Cisco Connect Ottawa 2018 the intelligent network with Cisco MerakiCisco Connect Ottawa 2018 the intelligent network with Cisco Meraki
Cisco Connect Ottawa 2018 the intelligent network with Cisco MerakiCisco Canada
 
Zero Trust for Private 5G and Edge
Zero Trust for Private 5G and EdgeZero Trust for Private 5G and Edge
Zero Trust for Private 5G and EdgeRebekah Rodriguez
 
CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 4
CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 4CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 4
CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 4Waqas Ahmed Nawaz
 
Internet of Things - structured approach to the physical plant network - Rock...
Internet of Things - structured approach to the physical plant network - Rock...Internet of Things - structured approach to the physical plant network - Rock...
Internet of Things - structured approach to the physical plant network - Rock...Carotek
 
Unified industrial wireless networks (cisco)
Unified industrial wireless networks (cisco)Unified industrial wireless networks (cisco)
Unified industrial wireless networks (cisco)Luis Atencio
 

Similar to BRKIOT-2108.pdf (20)

s2000nano
s2000nanos2000nano
s2000nano
 
Smart Networks for the Industrial Internet of Things
Smart Networks for the Industrial Internet of ThingsSmart Networks for the Industrial Internet of Things
Smart Networks for the Industrial Internet of Things
 
Cisco Connect Toronto 2018 sd-wan - delivering intent-based networking to t...
Cisco Connect Toronto 2018   sd-wan - delivering intent-based networking to t...Cisco Connect Toronto 2018   sd-wan - delivering intent-based networking to t...
Cisco Connect Toronto 2018 sd-wan - delivering intent-based networking to t...
 
從INTEL技術談網路卡
從INTEL技術談網路卡從INTEL技術談網路卡
從INTEL技術談網路卡
 
eIoT-tech-intro-for-paris-hackathon
eIoT-tech-intro-for-paris-hackathoneIoT-tech-intro-for-paris-hackathon
eIoT-tech-intro-for-paris-hackathon
 
Sa*ple
Sa*pleSa*ple
Sa*ple
 
TechWiseTV Workshop: Cisco Catalyst 9800 Series Wireless Controller
TechWiseTV Workshop: Cisco Catalyst 9800 Series Wireless ControllerTechWiseTV Workshop: Cisco Catalyst 9800 Series Wireless Controller
TechWiseTV Workshop: Cisco Catalyst 9800 Series Wireless Controller
 
teltonika-networks-use-case-catalog-v1.2.pdf
teltonika-networks-use-case-catalog-v1.2.pdfteltonika-networks-use-case-catalog-v1.2.pdf
teltonika-networks-use-case-catalog-v1.2.pdf
 
6TiSCH + RPL @ Telecom Bretagne 2014
6TiSCH + RPL @ Telecom Bretagne 20146TiSCH + RPL @ Telecom Bretagne 2014
6TiSCH + RPL @ Telecom Bretagne 2014
 
Cisco Connect 2018 Thailand - Software defined access a transformational appr...
Cisco Connect 2018 Thailand - Software defined access a transformational appr...Cisco Connect 2018 Thailand - Software defined access a transformational appr...
Cisco Connect 2018 Thailand - Software defined access a transformational appr...
 
Cisco connect winnipeg 2018 gain insight and programmability with cisco dc ...
Cisco connect winnipeg 2018   gain insight and programmability with cisco dc ...Cisco connect winnipeg 2018   gain insight and programmability with cisco dc ...
Cisco connect winnipeg 2018 gain insight and programmability with cisco dc ...
 
2015 02 antaira quarterly webinar optimizing a robust automation network
2015 02 antaira quarterly webinar optimizing a robust automation network2015 02 antaira quarterly webinar optimizing a robust automation network
2015 02 antaira quarterly webinar optimizing a robust automation network
 
SD ADN.v.1.02
SD ADN.v.1.02SD ADN.v.1.02
SD ADN.v.1.02
 
CyberSecurity Best Practices for the IIoT
CyberSecurity Best Practices for the IIoTCyberSecurity Best Practices for the IIoT
CyberSecurity Best Practices for the IIoT
 
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
Cisco Connect Toronto 2018   the intelligent network with cisco merakiCisco Connect Toronto 2018   the intelligent network with cisco meraki
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
 
Cisco Connect Ottawa 2018 the intelligent network with Cisco Meraki
Cisco Connect Ottawa 2018 the intelligent network with Cisco MerakiCisco Connect Ottawa 2018 the intelligent network with Cisco Meraki
Cisco Connect Ottawa 2018 the intelligent network with Cisco Meraki
 
Zero Trust for Private 5G and Edge
Zero Trust for Private 5G and EdgeZero Trust for Private 5G and Edge
Zero Trust for Private 5G and Edge
 
CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 4
CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 4CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 4
CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 4
 
Internet of Things - structured approach to the physical plant network - Rock...
Internet of Things - structured approach to the physical plant network - Rock...Internet of Things - structured approach to the physical plant network - Rock...
Internet of Things - structured approach to the physical plant network - Rock...
 
Unified industrial wireless networks (cisco)
Unified industrial wireless networks (cisco)Unified industrial wireless networks (cisco)
Unified industrial wireless networks (cisco)
 

Recently uploaded

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfOverkill Security
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 

Recently uploaded (20)

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

BRKIOT-2108.pdf

  • 2. BRKIOT 2108: Connected Factory Architecture, Theory and Practice. Arun Siddeswaran, Sr. Manager, IoT Solutions; Frank Baro, Sr. Solution Architect, Customer Experience. #CLUS
  • 3. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public #CLUS Source: http://photographyblogger.net
  • 4. Agenda
    • Connected Factory Architecture
    • Cisco Reference Architecture
    • Factory Network
    • Factory Wireless
    • Factory Security
    • Connected Factory in Practice
    • Achieving Business Outcomes
    • Factory Security
    • Enabling Analytics
    • Factory Wireless – AGV Roaming
    • Conclusion
  • 5. Market pressures are putting productivity and profitability for industrial operations at risk
  • 7. CPwE, a holistic blueprint for reliable and secure digital transformation
  • 8. Built on Industry Standards: Purdue / IEC 62443 Reference Model
    • Enterprise Security Zone. Level 5: Enterprise Network. Level 4: Site Business Planning and Logistics Network (E-Mail, Intranet, etc.)
    • Industrial DMZ, between two firewalls: Remote Gateway Services, Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server
    • Industrial Zone. Level 3, Site Operations and Control: FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Remote Access Server
    • Cell/Area Zone. Level 2, Area Supervisory Control: FactoryTalk Client, Operator Interface, Engineering Workstation
    • Cell/Area Zone. Level 1, Basic Control: Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control
    • Cell/Area Zone. Level 0, Process: Sensors, Drives, Actuators, Robots
  • 9. Converged Plantwide Ethernet (CPwE) Reference Architecture (architecture diagram; labels recovered from the figure)
    • Enterprise Zone, Levels 4-5: Data Center with virtualized servers (ERP and business systems; email and web services; security services: Active Directory (AD), Identity Services (AAA); network services: DNS, DHCP; Call Manager); Enterprise Identity Services; access switches and core; external DMZ / firewall to the Internet; Wide Area Network (WAN).
    • Industrial Demilitarized Zone (IDMZ): plant firewalls (ASA 5500, active/standby) providing inter-zone traffic segmentation, ACLs, IPS and IDS, VPN services, and portal and Remote Desktop Services proxy; physical or virtualized servers for patch management, AV server, application mirror and Remote Desktop Gateway server.
    • Industrial Zone, Levels 0-3 (plant-wide network). Level 3, Site Operations (control room): physical or virtualized servers (FactoryTalk Application Servers and Services Platform; network and security services: IND, DNS, AD, DHCP, Identity Services (AAA), MSE; storage array); Industrial Network Director; Stealthwatch; Cisco Kinetic (IoT platform); Identity Services; IE 5K distribution switch stack; active and standby Wireless LAN Controllers (WLC); industrial firewalls (IFW).
    • Cell/Area Zones, Levels 0-2 (lines, machines, skids, equipment): redundant star topology with Flex Links resiliency and unified wireless LAN; linear/bus/star topology with autonomous wireless LAN; ring topology with unified wireless LAN. Industrial Ethernet switches (IE-1K, IE2K, IE3X / IE4K), controllers, safety controllers, HMIs, I/O, safety I/O, drives, servo drives, soft starters, robots, cameras, phones; IW3700 workgroup bridges (WGB) and lightweight APs (LWAP) on 5 GHz and 2.4 GHz SSIDs.
  • 10. Connected Factory - Designed for Digital Manufacturing
  • 12. Cell/Area Zone Overview. Cell/Area Zone: a functional area of a production facility. Considerations include:
    • Environmental constraints
    • Range of device intelligence
    • Time-sensitive applications
    (Diagram: a Layer 3 distribution switch (IE5K) with Layer 2 access switches (IE2K / IE3X / IE4K) connecting Level 2 HMIs, Level 1 controllers and Level 0 devices such as VFDs and distributed I/O. Layer 2 inter-switch uplinks are VLAN trunks with Layer 2 resiliency; Layer 2 access links carry a single VLAN assigned to the port.)
  • 13. Typical Cell/Area Zone Traffic Flows
    • CIP Explicit (informational control and administration): intra- and inter-cell/area zone traffic flow; non-critical administrative or data traffic using TCP; ~1500 bytes, infrequent; above 500 ms.
    • CIP Implicit (producer and consumer): >80% local; cyclical I/O traffic, UDP unicast and multicast; <500 bytes, frequent; 0.5 to 10s of ms, typically 20 ms.
    (Diagram: engineering laptop and network management in the Manufacturing Zone behind the IDMZ; HMIs, controllers and drives on IE2K / IE3X / IE4K access switches under an IE5K distribution switch.)
  • 14. Benefits of Managed Infrastructure
    • Managed switches. Benefits: loop prevention and resiliency; security services; management services (multicast and DHCP per port); diagnostic information; segmentation services (VLANs); prioritization services (QoS). Considerations: more expensive; require some level of support and configuration to start up.
    • Unmanaged switches. Benefits: inexpensive; simple to set up. Considerations: no loop prevention or resiliency; no security services; no diagnostic information; no segmentation or prioritization services; difficult to troubleshoot, no management services.
  • 15. Industrial Network Topologies. Cell/Area Zone topology options: Linear, Ring, Redundant Star. Rated worst / OK / best (ratings shown graphically on the slide) on: cabling requirements; ease of configuration; implementation costs; bandwidth; redundancy and convergence; disruption during network upgrade; readiness for network convergence; overall network TCO and performance.
    (Diagrams: Star/Bus Linear, an IE5K distribution switch with access switches (Cisco Catalyst 2955) chained in a line; Redundant Star, Flex Links or EtherChannel uplinks from each IE2K / IE3X / IE4K access switch to the IE5K distribution switch; Ring, Resilient Ethernet Protocol (REP) across the access switches. Each Cell/Area Zone contains controllers, drives, distributed I/O and an HMI.)
  • 16. Performance Requirements: Industrial Automation & Control System Applications (Source: ARC Advisory Group). Columns: Function, Comm. Technology, Period, Applications, Industries.
    • Process Automation (information integration, slower process automation): .NET, DCOM, TCP/IP; 1 second or longer; pumps, compressors, mixers; monitoring of temperature, pressure, flow; oil & gas, chemicals, energy, water.
    • Discrete Automation (time-critical factory automation; loss critical): industrial protocols, CIP, PROFINET; 1 ms to 100 ms; material handling, filling, labeling, palletizing, packaging; welding, stamping, cutting, metal forming, soldering, sorting; auto, food and beverage, electrical assembly, semiconductor, metals, pharmaceutical.
    • Multi-axis Motion Control (loss critical): hardware and software solutions, e.g. CIP Motion, PTP; 100 µs to 10 ms; life/equipment safety, synchronization of multiple axes: printing presses, wire drawing, web making, picking and placing; utilities, subset of discrete automation.
  • 17. Network Resiliency Protocols: selection is application driven. Protocols compared: STP (802.1D), RSTP (802.1w), MSTP (802.1s), PVST+, REP, EtherChannel (LACP 802.3ad), MRP (IEC 62439-2)*, Flex Links, PRP/HSR (IEC 62439)*, DLR (IEC & ODVA), StackWise, HSRP, VRRP (IETF RFC 3768). Attributes (marked graphically on the slide): mixed vendor; ring; redundant star; network convergence >250 ms, 50-100 ms, <0~10 ms; Layer 3; Layer 2. Application classes: Process and Information, Time Critical, Loss Critical. * Not part of CPwE.
  • 18. Industrial IoT Networking Portfolio
    • Industrial Switching: IE 1K, 2K, 3K, 4K, 5K, CGS, 3x00
    • Low Power Wide Area Wireless: LoRaWAN IXM Gateway
    • IoT Gateways: 819-MNA, IR807, IR809, IR829, IR1101
    • Industrial Routing: ASR 902U/903U/920U, CGR 1000, CGR 2000
    • Cisco Resilient Mesh: IR500, DevNet
    • Industrial Wireless: AP1552, IW3702
    • Management & Automation: Field Network Director, Industrial Network Director
    • Industrial Security: ISA 3000
    • Embedded IoT: ESS, ESR
    • Edge Computing: IOx, IC 3000
  • 19. Industrial Ethernet Switch Characteristics (Cisco Industrial Ethernet (IE) | typical non-industrial Ethernet switch)
    • Form factor / mounting options: DIN rail, panel and rack mount | rack mount
    • Interface options: port density 6-28 | high port density
    • PoE density / max power: port density 6-28 | high port density
    • Power supply options: AC and DC, DC input voltage range 10 to 300 V | AC and DC, DC input voltage range 36 to 72 V
    • Converged access (wired plus wireless): no | yes, mobility agent and mobility controller
    • Environmental design (fanless vs. fans; operating temperature range; Ingress Protection (IP) rating; industry certifications): fanless (no moving parts), -40 °C to +60 °C, IP30 (models up to IP67), hardened for vibration, shock, surge and noise immunity | fans, -5 °C to +45 °C, IP XX (not specified, IP20 or less), enterprise-class certifications
    • "Swap Drive" removable flash: yes | no
    • Dying gasp upon loss of input power: yes | no
    • Alarm ports: yes | no
    • Deterministic Ethernet, IEEE 802.1 TSN: yes, supported by IE 4000 and 5000 | no
  • 20. Industrial Ethernet Switch Characteristics (cont.) (Cisco Industrial Ethernet (IE) | typical non-industrial Ethernet switch)
    • Industrial protocols, management: EtherNet/IP CIP, PROFINET, Modbus TCP | not available
    • Industrial protocols, high availability: REP, MRP, Flex Links, PRP, HSR | REP (slower convergence time), Flex Links
    • Smart-port macros: IE smart-port macros (qty 32): QoS policies, IED, PTP, CIP, HMI etc.; enterprise macros (qty 6): global, desktop, phone, switch, router, wireless | no IE smart-port macros; enterprise macros (qty 6): global, desktop, phone, switch, router, wireless
    • Device Manager: easy-to-use on-device web server for device management | on-device web server for device management
    • Network management: Industrial Network Director (IND), Prime Infrastructure / DNA-C | Prime Infrastructure / DNA-C
    • Typical boot time: 30 sec to 2 min 20 sec | 5 min (single switch)
    • L2 and L3 images: yes, same hardware | yes, same hardware
    • Precise timing, IEEE 1588 PTP and IEEE C37.238-2011 (Power Profile): yes, IEEE 1588 including Power Profile level of accuracy (50 ns per hop); option for GPS and IRIG-B on IE 5000, including Grand Master with Stratum 3E on-board oscillator | no
  • 22. Challenge - Ethernet Growing Pains. Ethernet networks continue to grow:
    • Each machine adds another 5 - 50 EtherNet/IP enabled devices
    • Every line adds another 250 - 1,000 EtherNet/IP enabled devices
    How do I connect all these machines into a plant network to gain the advantages?
  • 23. Solution - Layer 2 Network Address Translation (NAT): one-to-one (1:1) NAT. A NAT-enabled device sits between the outside subnet (e.g. 10.0.0.x) and the inside subnet (e.g. 192.168.1.x): many inside IP addresses (one per connected device) map to many outside IP addresses (one per device that needs to be accessible from the outside subnet).
  • 24. Why use Layer 2 NAT? It allows a single device to act as an agent between the Plant (Outside) network and the Machine (Inside) network.
    • Helps simplify integration of IP address mapping from machine-level IP addresses to the plant network
    • Allows machine builders to develop standard machines and eliminates the need for unique IP addressing and code modifications
    • Allows end users to more easily integrate machines into their larger plant network without extensive coordination with machine builders
    • Provides better maintainability at the machines, as they remain standard
    • Allows reuse of IP addresses, allowing more connected devices in a limited address pool
  • 25. Layer 3 vs Layer 2 NAT
    • Layer 3: typically a software implementation; the NAT device acts as the default gateway (router) for the devices on the inside network; the NAT device intercepts traffic, performs translation, and routes traffic; translations are handled by the NAT CPU, so translation performance is directly tied to the loading of the NAT CPU.
    • Layer 2: hardware-based implementation; the NAT device does not act as a router and uses two translation tables, inside-to-outside and outside-to-inside; performance is at wire speed regardless of switch loading; supports multiple VLANs through the NAT boundary, enhancing segmentation flexibility (communication between VLANs requires a separate Layer 3 device).
  • 26. Layer 2 NAT Design Scenarios: Single-Cell, Single VLAN per Switch. The machine's inside address 192.168.1.10 (VLAN10, inside) is reached from the outside as 10.10.10.10; the Line Controller at 10.10.10.30 (VLAN10, outside, reached over a trunk to the IE 5K distribution switch) appears inside the machine as 192.168.1.30. NAT runs on the IE2K / IE4K access switch.
    • Inside-to-outside NAT table: inside 192.168.1.10 → outside 10.10.10.10
    • Outside-to-inside NAT table: outside 10.10.10.30 → inside 192.168.1.30
  • 27. Layer 2 NAT Design Scenarios (cont.): Multi-Cell, Single VLAN per Switch. Machine 1 and Machine 2 each use inside addresses 192.168.1.x (hosts .3, .4, .7) behind their own IE2K / IE4K access switch running NAT; the outside network on the IE 5K distribution switch carries VLAN10, VLAN20 and VLAN30, with the Work Station (10.10.30.10) and Line Controller (10.10.30.12) on 10.10.30.x.
    • Machine 1 NAT table (inside → outside): 192.168.1.3 → 10.10.10.3; 192.168.1.4 → 10.10.10.4; 192.168.1.7 → 10.10.10.7
    • Machine 2 NAT table (inside → outside): 192.168.1.3 → 10.10.20.3; 192.168.1.4 → 10.10.20.4; 192.168.1.7 → 10.10.20.7
  • 28. Layer 2 NAT Design Scenarios (cont.): Multi-Cell, Single Switch, Multi-VLAN. Three machines, each with inside addresses 192.168.1.x (hosts .3, .4, .7), share one NAT boundary with multiple instances of NAT, one per VLAN (VLAN10, VLAN20, VLAN30); outside, VLAN40 (10.10.40.x) carries the Work Station (10.10.40.10) and Line Controller (10.10.40.12) on the IE 5K distribution switch.
    • Machine 1 NAT table (inside → outside): 192.168.1.3 → 10.10.10.3; 192.168.1.4 → 10.10.10.4; 192.168.1.7 → 10.10.10.7
    • Machine 2 NAT table (inside → outside): 192.168.1.3 → 10.10.20.3; 192.168.1.4 → 10.10.20.4; 192.168.1.7 → 10.10.20.7
    • Machine 3 NAT table (inside → outside): 192.168.1.3 → 10.10.30.3; 192.168.1.4 → 10.10.30.4; 192.168.1.7 → 10.10.30.7
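The two-table model behind slides 25 to 28, as an added example (not Cisco code or switch configuration): it models the inside-to-outside and outside-to-inside tables of a Layer 2 NAT instance, translates a frame in each direction, and checks a multi-cell plan for outside addresses published twice. Addresses are the ones on the slides; names such as machine_instance() and outside_conflicts() are this example's own.

```python
"""Model of the two translation tables behind a Layer 2 NAT instance
(added example; not Cisco code or IOS configuration)."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class L2NatInstance:
    """One NAT instance, i.e. one machine (one VLAN) at the NAT boundary."""
    name: str
    # inside host -> address it is published under on the plant (outside) network
    inside_to_outside: dict[IPv4Address, IPv4Address] = field(default_factory=dict)
    # plant host -> address the machine sees it under on the inside network
    outside_to_inside: dict[IPv4Address, IPv4Address] = field(default_factory=dict)

    def add_inside(self, inside: str, outside: str) -> None:
        self.inside_to_outside[IPv4Address(inside)] = IPv4Address(outside)

    def add_outside(self, outside: str, inside: str) -> None:
        self.outside_to_inside[IPv4Address(outside)] = IPv4Address(inside)

    def translate(self, src: str, dst: str, direction: str) -> tuple[str, str] | None:
        """Rewrite the (src, dst) pair of one frame crossing the NAT boundary.

        'egress'  = machine -> plant: src via the inside table, dst via the inverse
                    of the outside table (the machine addressed the plant host by
                    its inside alias).
        'ingress' = plant -> machine: src via the outside table, dst via the
                    inverse of the inside table.
        Returns None when either address has no entry: Layer 2 NAT is not a
        router, so an untranslatable frame is simply not carried across.
        """
        s, d = IPv4Address(src), IPv4Address(dst)
        if direction == "egress":
            src_map = self.inside_to_outside
            dst_map = {v: k for k, v in self.outside_to_inside.items()}
        elif direction == "ingress":
            src_map = self.outside_to_inside
            dst_map = {v: k for k, v in self.inside_to_outside.items()}
        else:
            raise ValueError("direction must be 'egress' or 'ingress'")
        if s not in src_map or d not in dst_map:
            return None
        return str(src_map[s]), str(dst_map[d])


def single_cell_instance() -> L2NatInstance:
    """Slide 26: one machine host published to the plant, one plant-side Line Controller."""
    inst = L2NatInstance("Machine")
    inst.add_inside("192.168.1.10", "10.10.10.10")   # machine as seen from the plant
    inst.add_outside("10.10.10.30", "192.168.1.30")  # Line Controller as seen by the machine
    return inst


def machine_instance(name: str, outside_subnet: str) -> L2NatInstance:
    """Standard OEM machine (hosts .3, .4, .7 on 192.168.1.0/24) published into outside_subnet."""
    net = IPv4Network(outside_subnet)
    inst = L2NatInstance(name)
    for host in (3, 4, 7):
        inst.add_inside(f"192.168.1.{host}", str(net.network_address + host))
    return inst


def multi_cell_plan() -> list[L2NatInstance]:
    """Slide 28: three identical machines, one NAT instance (one VLAN) each."""
    return [
        machine_instance("Machine 1", "10.10.10.0/24"),
        machine_instance("Machine 2", "10.10.20.0/24"),
        machine_instance("Machine 3", "10.10.30.0/24"),
    ]


def outside_conflicts(instances: list[L2NatInstance]) -> list[tuple[str, str, str]]:
    """Return (outside address, first owner, second owner) for every outside address
    published by more than one instance. Inside addresses may repeat across machines
    (that is the point of Layer 2 NAT); outside addresses must be unique on the plant."""
    owner: dict[IPv4Address, str] = {}
    conflicts: list[tuple[str, str, str]] = []
    for inst in instances:
        for outside in inst.inside_to_outside.values():
            if outside in owner:
                conflicts.append((str(outside), owner[outside], inst.name))
            else:
                owner[outside] = inst.name
    return conflicts


if __name__ == "__main__":
    m = single_cell_instance()
    print(m.translate("192.168.1.10", "192.168.1.30", "egress"))  # ('10.10.10.10', '10.10.10.30')
    print(m.translate("10.10.10.30", "10.10.10.10", "ingress"))   # ('192.168.1.30', '192.168.1.10')
    plan = multi_cell_plan()
    print(outside_conflicts(plan))                                 # []
    # Constructed mistake: a fourth machine cloned with Machine 1's outside subnet.
    plan.append(machine_instance("Machine 4", "10.10.10.0/24"))
    print(outside_conflicts(plan))                                 # three .3/.4/.7 collisions
```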
  • 30. Current Challenges: IND Target Users
    • Operations: Line Operator / Technician (day-to-day operations of the control system); Control Systems / Design Engineer (designs and maintains the automation and control system); Plant / Facility Manager (plant/facility uptime is top of mind). Operations lack tools that provide network visibility in an operations context.
    • IT: network experts; IT staff supporting OT (IT, or a person with hybrid IT and OT talents).
  • 31. Cisco Industrial Network Director: Network Management, Simplified & Automated
    • Network troubleshooting with automation context
    • Improved industrial asset visibility
    • APIs for integration with automation systems
    • Plug-and-Play for zero-touch switch commissioning
    • Native industrial protocol support
    • Plug-and-Play Day-0 configuration
    • Dashboard for monitoring system health, metrics, and traffic statistics
    • Alarm management with real-time alerts of network events
  • 32. Cisco Plug and Play: Zero-Touch Commissioning and Replacement
    • Pre-provision configuration and software for automated network commissioning
    • Help ensure consistent network design and security policy
    • Swap hardware when a switch fails and recover with automated configuration and software image replacement
    (Diagram: the PnP agent on the Cisco Industrial Ethernet switch speaks the PnP protocol to the PnP server on Cisco Industrial Network Director, which delivers the switch configuration (XML) and software image. Open protocol based on XMPP and HTTP with a publicly available schema.)
  • 33. Plug and Play Implementation on IND: Simplify and Automate with Plug and Play
    • Lightweight: can run on a laptop
    • Workflow tailored for industrial use cases such as machine builders
    • Profiles can be exported across instances for multi-party provisioning scenarios
    • Technicians commissioning switches do not need to understand networking: experts pre-define configuration through templates and export them; technicians commission switches onsite with a laptop
  • 34. Feature Highlights
    • Real-time monitoring of system health, metrics, and traffic statistics
    • CIP, PROFINET, Modbus, BACnet industrial device discovery
    • Dynamic topology of industrial and network assets
    • Optimized alarm management with real-time network alerts
    • Detailed audit trails to track adds, moves, and changes
    • Group-based dashboard for summary of system status
    • Rich APIs for rapid integration with industrial applications
    • Plug-and-play (PnP) server for zero-touch switch commissioning
  • 36. Wireless Overview: Benefits of an industrial wireless network
    • Connection to hard-to-reach and restricted areas
    • Integration of machines / skids
    • Remote diagnostics
    • Intelligent assets
    • Lower installation and operational costs
    • Cabling reduction, elimination of cable failures
    • Equipment mobility
    • New and more efficient machine designs
  • 37. Wireless Overview: Benefits of an industrial wireless network (cont.)
    • Workforce mobility improves effectiveness: operators can trend / write back from a mobile device when they step away from a machine; engineering and maintenance can see and react to system alarming and production data from anywhere, anytime; industrial IT provides secure infrastructure and multi-platform support
    • Equipment wireless: IEEE 802.11 wireless connectivity for critical Industrial Automation and Control System (IACS) applications
    • Asset tracking: track assets to optimize cost and for safety
  • 38. Wireless Overview: Challenges of wireless communication
    • Half-duplex shared medium: only one radio can transmit on a particular wireless channel; a radio cannot transmit and receive at the same time on the same channel
    • Higher latency, jitter and packet loss compared to wired Ethernet
    • Media contention, collisions and interference: can be minimized but not eliminated
    (Diagram: AP/WGB - IW3702.)
  • 39. Wireless Overview: Challenges of wireless communication (cont.)
    • Wireless coverage area cannot be precisely defined: a site survey is required
    • Spectrum sharing and security concerns
    • Signal quality may change over time: interference sources and obstructions; unauthorized transmissions
    The wireless advantages outweigh the challenges when the WLAN is designed and maintained properly and is used for appropriate applications.
  • 41. Wireless Overview: Wireless Client Types. Embedded wireless adapter; external adapter (wireless bridge); Workgroup Bridge (WGB). The Workgroup Bridge is the main method of connecting industrial devices. (Diagram: one AP serving a client of each type; AP/WGB - IW3702.)
  • 42. Equipment to Equipment Use Cases: Wireless Mobility Types
    • Static equipment: permanent location
    • Wire replacement for hard-to-reach places
    • Examples: process control, condition monitoring, standalone OEM machines
    (Diagram: AP on an IE2K / IE3X / IE4K access switch serving a WGB; AP/WGB - IW3702.)
  • 43. Equipment to Equipment Use Cases: Wireless Mobility Types
    • Nomadic equipment: stays in place while operating
    • Moves to a new location in the shutdown state
    • Examples: process skids, storage tanks, reactors, portable manufacturing equipment
    (Diagram: two APs on an IE2K / IE3X / IE4K access switch, a WGB relocating between them; AP/WGB - IW3702.)
  • 44. Equipment to Equipment Use Cases: Wireless Mobility Types
    • Mobile equipment (no roaming): changes position while operating
    • Remains connected to the same AP
    • Examples: rotary platforms, manufacturing machines with tracks, overhead cranes with small spans
    (Diagram: one AP on an IE2K / IE3X / IE4K access switch serving a moving WGB; AP/WGB - IW3702.)
  • 45. Equipment to Equipment Use Cases: Wireless Mobility Types
    • Mobile equipment (fast roaming): connects to multiple APs while operating
    • Does not drop application connections
    • Examples: AGVs, ASRS, overhead cranes, train cars, entertainment ride vehicles
    Site survey and architecture selection are critical. (Diagram: APs on IE2K / IE3X / IE4K access switches with a WGB roaming between them; AP/WGB - IW3702.)
  • 46. Unified WLAN Architecture Overview. (Diagram: a Wireless LAN Controller (WLC) with Identity Services Engine (ISE); lightweight APs (LWAP) on IE2K / IE3X / IE4K access switches broadcasting SSID1 (5 GHz), SSID2 (5 GHz) and SSID3 (2.4 GHz); fixed WGBs and a roaming WGB as clients; AP/WGB - IW3702.)
  • 48. Location Based Asset Tracking
    • Asset utilization: track supplies in transit; inventory accuracy of receivables; retrieve misplaced components, subassemblies, etc.; locate missing tools, test harnesses, etc.; vehicle location for smarter dispatch
    • Material flow efficiency: wireless restocking trigger; choke point recording; the right supplies get to the right place; in-line rework; bar code replacement
    • Business value: production throughput increase; improved equipment utilization; reduced scrap; labor efficiency. "82% improvement in retrieval time results in increased throughput, and 'on time delivery' was improved 13%" – Ops Manager, Semiconductor
  • 49. Real Time Location Services (RTLS) Architecture
    • Open ecosystem
    • Scalable infrastructure
    • Leverage common wireless infrastructure
    • Track any Wi-Fi device or tag
    • Chokepoint integration
    • Single pane of glass for cockpit dashboard
    (Diagram, bottom to top: devices and chokepoints; access points; wireless infrastructure (Wireless LAN Controller, Mobility Services Engine); applications and management over the enterprise network (Cisco Identity Services Engine (ISE) / Cisco Prime, business intelligence, partner applications).)
  • 51. Application Recommendations: Choosing an Appropriate Application. Columns: IACS traffic type | CIP standard | use with wireless | considerations.
    • Supervisory information and diagnostics, peer-to-peer messaging | CIP Class 3 (HMI), CIP Class 3 (MSG) | yes | need to control bandwidth if combined with CIP Class 1 Standard and Safety traffic
    • Peer-to-peer control, I/O control | CIP Class 1 Produced/Consumed, Distributed I/O | yes | application should tolerate occasional high latency, jitter and dropped packets; packet rate restrictions
    • Safety control | CIP Safety | yes | fast safety reaction times may not be supported
    • Time synchronization | CIP Sync | application dependent | accuracy and reliability can be optimized in specific configurations
    • Motion control | Integrated Motion on the EtherNet/IP network (direct drive control) | no | not feasible due to higher latency and jitter and limited CIP Sync accuracy
  • 52. WLAN Recommendations: Radio Spectrum
    • 5 GHz frequency band is recommended
    • Regulations vary by country: spectrum survey and monitoring needed
    • Avoid DFS channels (Dynamic Frequency Selection): weather / military radars cause disruption of service in DFS channels; if DFS channels are used, RF survey and monitoring are required
    • Reserve a channel exclusively for the application, if possible
    Country examples* (5 GHz channels, 20 MHz wide; no DFS / DFS): U.S., Canada, Australia: 9 / 12; Europe: 4 / 15; China: 5 / 0. *Regulations change over time. Wireless spectrum management policy is critical!
  • 53. WLAN Recommendations: Site Survey
    • Do not rely on predictive software results; testing at the location is required
    • RF spectrum survey: monitoring for interference and existing traffic; over an extended period throughout the site
    • Active survey: verify performance, not just coverage; verify cell overlap for roaming (if needed); stricter criteria than for an enterprise WLAN
    Example: RSSI -67 dBm with SNR 25 dB is acceptable for EtherNet/IP; RSSI -73 dBm (a quarter of the power in mW) with SNR 19 dB can associate and pass data but gives poor EtherNet/IP performance.
  • 54. WLAN Recommendations: Site Survey (cont.)
    • Survey conditions should match the production environment: wireless hardware, RF channels, transmit power; installed equipment, moving obstacles; installation restrictions, WGB placement
    • Complete walk-through of the coverage area
    • Site survey helps to select or validate antenna type and placement
    • Changes in the environment may require a follow-up survey
  • 56. Controlling Access to the Industrial Zone: IEC 62443 Industrial Network Security. Logical model of the Industrial Automation and Control System (IACS) on a converged, multi-discipline industrial network, with no direct traffic flow between the Enterprise and Industrial Zone.
    • Enterprise Security Zone. Level 5: Enterprise Network. Level 4: Site Business Planning and Logistics Network (E-Mail, Intranet, etc.); web and e-mail traffic
    • Industrial DMZ, between two firewalls: Remote Gateway Services, Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server
    • Industrial Security Zone. Level 3, Site Operations and Control: Application Server, Directory, Engineering Workstation, Remote Access Server
    • Cell/Area Zone. Level 2, Area Supervisory Control: Client, Operator Interface, Engineering Workstation. Level 1, Basic Control: Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control. Level 0, Process: Sensors, Drives, Actuators, Robots; CIP traffic
  • 57. Industrial Demilitarized Zone (IDMZ): Controlling Access to the Industrial Zone. (Diagram: Enterprise Security Zone and Industrial Security Zone, each asking whether the other is trusted or untrusted, with the Industrial DMZ between them as the trusted broker.)
  • 58. Industrial Demilitarized Zone (IDMZ): Best practices
    • All network traffic from either side of the IDMZ terminates in the IDMZ; network traffic does not directly traverse the IDMZ
    • Only path between zones
    • No common protocols in each logical firewall
    • No control traffic into the IDMZ; CIP stays home
    • No primary services are permanently housed in the IDMZ
    • IDMZ shall not permanently house data
    • Application data mirror to move data into and out of the Industrial Zone
    • Limit outbound connections from the IDMZ
    • Be prepared to "turn off" access via the firewall
    (Diagram: Enterprise Security Zone and Industrial Security Zone separated by the IDMZ with replicated services; a disconnect point at each firewall; no direct traffic between the zones; each zone regards the other as trusted? / untrusted?, with the IDMZ as the trusted broker.)
  • 59. IDMZ: Replicated Data and Services (architecture diagram)
    • Enterprise Zone, Levels 4-5: core switches, enterprise WLC and ISE, Wide Area Network (WAN); physical or virtualized servers for ERP, email, Active Directory (AD), AAA (RADIUS), Call Manager. Enterprise stakeholders shown: Plant Manager (web reports) and Engineer (remote access).
    • Industrial Demilitarized Zone (IDMZ): firewalls (active/standby) that inspect traffic; physical or virtualized servers for patch management, AV server, application mirror, Remote Desktop Gateway server; web proxy. Policy shown: permit secure remote access to industrial assets via the Remote Desktop Gateway; permit data from the Industrial Zone to enterprise stakeholders as web reports via the web proxy; block untrusted access to the Industrial Zone; block untrusted access to the Enterprise Zone.
    • Industrial Zone, Levels 0-3. Level 3, Site Operations: core switches, distribution switch, WLC (active/standby), ISE, Remote Access Server, VantagePoint, and physical or virtualized servers for FactoryTalk Application Servers & Services, network services (e.g. DNS, AD, DHCP, AAA), Call Manager, storage array. Levels 0-2, Cell/Area Zone: IE2K / IE3X / IE4K access switches, PACs, FactoryTalk Client, drive, I/O, MCC, LWAP and WGB.
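The IDMZ rules from slides 58 and 59 as a flow checker, added here as an example (not Cisco code or a firewall configuration): traffic must terminate in the IDMZ, CIP stays in the Industrial Zone, outbound from the IDMZ and everything else is default-deny unless allowlisted, and a disconnect point turns all access off. The allowlist and the service names (rd-gateway, web-proxy, patch-server) are constructed to match the replicated services on the slides; the "no common protocols" bullet is not modelled.

```python
"""Design-review checker for IDMZ flows (added example; not a firewall config)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Zone(str, Enum):
    ENTERPRISE = "enterprise"   # Levels 4-5
    IDMZ = "idmz"
    INDUSTRIAL = "industrial"   # Levels 0-3


@dataclass(frozen=True)
class Flow:
    """One proposed connection: the zones it crosses, its protocol and the IDMZ
    broker (replicated service) it terminates on or originates from."""
    src_zone: Zone
    dst_zone: Zone
    protocol: str   # e.g. "https", "rdp", "cip"
    service: str


Rule = tuple[Zone, Zone, str, str]

# Constructed allowlist modelled on slide 59: remote access brokered by the
# Remote Desktop Gateway, reports by the web proxy, updates by the patch server.
ALLOWED: frozenset[Rule] = frozenset({
    (Zone.ENTERPRISE, Zone.IDMZ, "https", "rd-gateway"),    # engineer -> RD Gateway
    (Zone.IDMZ, Zone.INDUSTRIAL, "rdp", "rd-gateway"),      # RD Gateway -> industrial asset
    (Zone.INDUSTRIAL, Zone.IDMZ, "https", "web-proxy"),     # reports published to the proxy
    (Zone.ENTERPRISE, Zone.IDMZ, "https", "web-proxy"),     # plant manager reads reports
    (Zone.IDMZ, Zone.ENTERPRISE, "https", "patch-server"),  # patch mirror pulls updates
})

# Control traffic never crosses into the IDMZ ("CIP stays home").
CONTROL_PROTOCOLS = frozenset({"cip"})


def evaluate(flow: Flow, allowed: frozenset[Rule] = ALLOWED,
             disconnected: bool = False) -> tuple[str, str]:
    """Return ("permit" | "deny", reason) for one flow. Checks run in order of
    precedence; anything not explicitly allowed is denied."""
    if disconnected:
        return "deny", "IDMZ disconnect point engaged: firewall access turned off"
    if {flow.src_zone, flow.dst_zone} == {Zone.ENTERPRISE, Zone.INDUSTRIAL}:
        return "deny", "traffic must terminate in the IDMZ, not traverse it"
    if flow.src_zone == flow.dst_zone:
        return "deny", "not a boundary flow; outside the IDMZ firewalls' scope"
    if flow.protocol in CONTROL_PROTOCOLS and Zone.IDMZ in (flow.src_zone, flow.dst_zone):
        return "deny", "no control traffic into the IDMZ; CIP stays home"
    if (flow.src_zone, flow.dst_zone, flow.protocol, flow.service) in allowed:
        return "permit", f"brokered by {flow.service}"
    if flow.src_zone == Zone.IDMZ:
        return "deny", "outbound connections from the IDMZ are limited to the allowlist"
    return "deny", "not on the allowlist (default deny)"


def audit_allowlist(allowed: frozenset[Rule]) -> list[str]:
    """Lint an allowlist against the same best practices, so a rule that would
    contradict them is caught before it reaches a firewall."""
    findings: list[str] = []
    for src, dst, proto, service in allowed:
        if {src, dst} == {Zone.ENTERPRISE, Zone.INDUSTRIAL}:
            findings.append(f"{service}: direct {src.value}->{dst.value} rule bypasses the IDMZ")
        if proto in CONTROL_PROTOCOLS:
            findings.append(f"{service}: control protocol {proto} allowed across the IDMZ")
        if Zone.IDMZ not in (src, dst):
            findings.append(f"{service}: rule does not terminate in the IDMZ")
    return findings


if __name__ == "__main__":
    samples = [  # constructed flows
        Flow(Zone.ENTERPRISE, Zone.INDUSTRIAL, "rdp", "none"),
        Flow(Zone.INDUSTRIAL, Zone.IDMZ, "cip", "app-mirror"),
        Flow(Zone.ENTERPRISE, Zone.IDMZ, "https", "rd-gateway"),
        Flow(Zone.ENTERPRISE, Zone.IDMZ, "ssh", "rd-gateway"),
    ]
    for f in samples:
        print(f"{f.src_zone.value} -> {f.dst_zone.value} {f.protocol}: {evaluate(f)}")
    print(audit_allowlist(ALLOWED))  # []
```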
  • 61. Industrial Firewall: ISA 3000 Architecture & Management Software. On board the ISA 3000 hardware: Adaptive Security Appliance (ASA) for firewall, ACL, NAT & VPN; FirePOWER for IPS, application & threat control. Centralized management: Cisco Security Manager (CSM) for the firewall; FireSIGHT Management Center for FirePOWER. Local management: Adaptive Security Device Manager (ASDM) for firewall & FirePOWER management.
  • 62. Industrial Firewall: ISA 3000 Architecture Positioning. The IDMZ firewalls create a security boundary between the Enterprise and Industrial Zone; the industrial firewall is shown inside the Industrial Zone, in front of the Level 1 controllers. (Diagram: Enterprise Zone, Levels 4-5, with external DMZ / firewall to the Internet; IDMZ with patch management, AV server, application mirror and Remote Desktop Gateway servers; Industrial Zone, Levels 0-3, with core switches, distribution switch stack, Authentication, Authorization and Accounting (AAA), active/standby Wireless LAN Controller (WLC), LWAP with 2.4 GHz and 5 GHz SSIDs and WGB; Level 3 Site Operations; Level 2 Area Supervisory Control with FactoryTalk Client; Level 1 controllers behind the industrial firewall; Level 0 process devices: drive, soft starter, I/O, MCC.)
• 63. Factory Security – OT Intent-based Security for Industrial Networks
• 64. Cisco Identity Services Engine (ISE) – Delivering Visibility, Context and Control to Secure Network Access
  • Network/user context: who, what, where, when, how.
  • Device profiling feed service.
  • Goal: reduce network unknowns and apply the right level of secure access consistently across wired, wireless and VPN.
  • Access types: employee access; contractor and vendor access (e.g. RBAC); guest access.
• 65. Secure Access – Consolidating Access for Employees, Contractors and Vendors
  • Who? Employee, attacker, guest.
  • What? Personal device, company asset.
  • Where? @ plant 1, zone 2; headquarters.
  • When? Weekends (8:00am – 5:00pm) PST.
  • How? Wired, wireless, VPN.
• 66. Operational Challenges Due to IT-OT Dependency
  • Visibility: enforcing security in the process network requires the security systems to have visibility of plant-floor assets, together with the context of their observed behaviors.
  • Intent: maintaining that security effectively requires dynamic security policy application triggered by OT intent, without depending on IT for day-to-day operations.
• 67. Defining Security Policies Without Visibility Is Complex
  • (Figure) Security platforms can profile enterprise assets (camera, printer, laptop, phone) but see industrial assets only as unknowns.
• 68. Operational Challenges Due to IT-OT Dependency – Centralized IT, OT Distributed Across Plants
  • A centralized IT team serves the enterprise; OT teams are distributed across Plant-1, Plant-2 … Plant-n.
  • OT engineers make adds, moves and changes to the control system for day-to-day operations.
  • Every such change creates a dependency on the centralized IT team to modify security policies.
• 69. IoT Threat Defense
  • (Figure) OT platform: Industrial Network Director (IND) provides visibility. IT platform: ISE carries intent, receives context from IND over pxGrid and distributes it to IE switching (SGT, dACL), the NGFW (SXP) and Stealthwatch (quarantine over pxGrid).
• 70. Visibility in Industrial Networks – Security Starts With Visibility
  • Industrial Network Director (IND) discovers industrial assets using the CIP, PROFINET, Modbus and BACnet protocols and visualizes connectivity between automation and networking assets.
  • IND shares industrial asset identity with ISE over pxGrid; this visibility combined with context becomes a force multiplier for security.
  • Context in ISE (example): Who – Bob; What – Rockwell PLC; When – 11:00 AM EST on April 10th; Where – Extrusion, Zone-2, Cell-1; How – wired access; Vulnerability – CVSS score of 6; Threat – none; Compliance – yes.
• 71. Industrial Asset Visibility with IND
  • IND asset inventory attributes published to ISE over pxGrid (ISE profiler attributes): iotIpAddress, iotMacAddress, iotName, iotVendor, iotProductId, iotSerialNumber, iotDeviceType, iotSwRevision, iotHwRevision, iotProtocol, iotConnectedLinks, iotCustomAttributes.
  • ISE profiling rules can match attributes such as make, model, serial number and device type instead of just the IP address.
  • Custom attributes allow IND to signal higher-order information that is common to a group of assets.
• 72. OT User Intent-Driven Policy Updates – Putting OT in the Driver's Seat
  • OT personnel use the IND topology UI to express intent, e.g. by tagging assets as "Cell-1".
  • IND sends a pxGrid update to ISE; the pxGrid attribute "Cell-1" matches profiling policy X and triggers authorization policy Y, which assigns the SGT, dACL or VLAN (new).
  • The pxGrid update results in an automatic policy update: IT manages ISE, and OT uses IND to express intent that influences the IT-owned security policy.
• 73. Use Case #1 – Cell Segmentation
  • Segmentation requirement: segment the industrial network; OT users have the ability to classify assets into segments.
  • Security policy pre-staging: IT and OT decide on the segmentation policy; IT configures ISE with Security Group Tags (SGTs) and the TrustSec policy that the profiling rules will select.
  • Workflow during asset classification:
    1. OT user selects assets and groups them in IND as Cell-1 and Cell-2.
    2. OT user assigns a tag to C2-PLC.
    3. IND sends the OT user's intent and asset details to ISE over pxGrid.
    4. A profiling policy match in ISE results in TrustSec policy distribution.
  • Resulting TrustSec matrix as drawn on the slide (Level 3 MES = SGT 33, Cell-1 = SGT 100, Cell-2 = SGT 200):
    SGT 33  → SGT 33 ✓, SGT 100 ✓, SGT 200 ✓
    SGT 100 → SGT 33 ✓, SGT 100 ✓, SGT 200 ✘
    SGT 200 → SGT 33 ✓, SGT 100 ✘, SGT 200 ✓
• 74. Use Case #2 – On-Demand Remote Access
  • Requirement: only the specific asset in the machine must be accessible; no dependency on IT.
  • AnyConnect checks security posture, establishes the VPN and collects application telemetry; ISE tracks the user session along with the SGT role (SGT 777 in the figure) and the ASA in the DMZ learns the tag mappings via SXP.
  • Security policy pre-staging:
    1. IT user pre-defines profiling rules in ISE to match custom attributes.
    2. IT user pre-defines SGT firewall rules in the ASA to allow remote access.
  • Workflow during the maintenance window:
    1. During machine maintenance, the OT user changes the asset's attribute tag in IND, which denotes intent to allow remote access.
    2. IND sends the OT user's intent and asset details to ISE over pxGrid, which results in asset reauthorization.
    3. ISE distributes the new TrustSec policy to the firewall and access switches, enabling remote access (RDP) for the OEM.
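Slides 73 and 74 describe the same pipeline twice: an OT user sets a custom attribute in IND, pxGrid carries it to ISE, a profiling policy matches, and the resulting authorization (SGT plus TrustSec policy) is pushed to switches and the firewall. The following model is an added example written for this page, not Cisco, IND or ISE code; the profiling rule names, the `cell` and `remote-access` attribute keys, the unknown tag value 0 and the MAC/IP addresses are assumptions, while the SGT numbers 33, 100, 200 and 777 are the ones shown on the slides.

```python
"""Added example: the IND -> pxGrid -> ISE -> TrustSec intent pipeline of
use cases 1 and 2, modelled in plain Python. Not Cisco code; the profiling
rule names, the 'cell' / 'remote-access' custom attribute keys and the
unknown tag value 0 are assumptions."""
from dataclasses import dataclass, field

# SGT values as shown on the slides: Level 3 MES = 33, Cell-1 = 100,
# Cell-2 = 200, remote OEM user = 777. Tag 0 for unclassified is an assumption.
SGT_MES, SGT_CELL1, SGT_CELL2, SGT_REMOTE, SGT_UNKNOWN = 33, 100, 200, 777, 0
RDP_PORT = 3389


@dataclass
class Asset:
    """Subset of the IND asset record published over pxGrid (slide 71 attribute names)."""
    iotIpAddress: str
    iotMacAddress: str
    iotDeviceType: str
    iotVendor: str
    iotCustomAttributes: dict = field(default_factory=dict)


# Profiling rules pre-staged by IT, evaluated in order: (name, predicate, SGT).
PROFILING_RULES = [
    ("Cell-1-Assets", lambda a: a.iotCustomAttributes.get("cell") == "Cell-1", SGT_CELL1),
    ("Cell-2-Assets", lambda a: a.iotCustomAttributes.get("cell") == "Cell-2", SGT_CELL2),
]


def authorize(asset):
    """ISE side: the first matching profiling policy drives the SGT; a second
    policy keyed on the OT user's maintenance tag drives the remote-access flag."""
    result = {"profile": "Unknown", "sgt": SGT_UNKNOWN, "remote_access": False}
    for name, match, sgt in PROFILING_RULES:
        if match(asset):
            result.update(profile=name, sgt=sgt)
            break
    result["remote_access"] = asset.iotCustomAttributes.get("remote-access") == "allowed"
    return result


# SGACL matrix for use case 1: cells reach MES and themselves, never each other.
# Pairs not listed are denied (default deny).
SGACL = {
    (SGT_MES, SGT_MES): True, (SGT_MES, SGT_CELL1): True, (SGT_MES, SGT_CELL2): True,
    (SGT_CELL1, SGT_MES): True, (SGT_CELL1, SGT_CELL1): True, (SGT_CELL1, SGT_CELL2): False,
    (SGT_CELL2, SGT_MES): True, (SGT_CELL2, SGT_CELL1): False, (SGT_CELL2, SGT_CELL2): True,
}


def sgacl_permits(src_sgt, dst_sgt):
    return SGACL.get((src_sgt, dst_sgt), False)


class ISE:
    """Holds the current authorization per endpoint MAC; a pxGrid update that
    changes the result triggers a CoA (re-authorization) and a new policy push."""

    def __init__(self):
        self.sessions = {}
        self.coa_log = []

    def pxgrid_update(self, asset):
        new = authorize(asset)
        old = self.sessions.get(asset.iotMacAddress)
        if old is not None and old != new:
            self.coa_log.append((asset.iotMacAddress, old, new))
        self.sessions[asset.iotMacAddress] = new
        return new

    def remote_access_permitted(self, dst_mac, user_sgt, dst_port):
        """SGT firewall rule pre-staged on the ASA (use case 2): RDP from
        SGT 777 only, and only while the asset's session carries the flag."""
        session = self.sessions.get(dst_mac)
        if session is None or user_sgt != SGT_REMOTE or dst_port != RDP_PORT:
            return False
        return session["remote_access"]


def run_demo():
    """Walk through both use cases and return the observable results."""
    ise = ISE()
    c1_plc = Asset("10.1.1.10", "00:00:bc:11:11:11", "PLC", "Rockwell")  # constructed
    c2_plc = Asset("10.1.2.10", "00:00:bc:22:22:22", "PLC", "Rockwell")  # constructed
    # Use case 1, steps 1-4: OT user groups the assets in IND, IND publishes the
    # custom attribute, ISE profiles the asset and distributes the TrustSec policy.
    c1_plc.iotCustomAttributes["cell"] = "Cell-1"
    c2_plc.iotCustomAttributes["cell"] = "Cell-2"
    a1, a2 = ise.pxgrid_update(c1_plc), ise.pxgrid_update(c2_plc)
    # Use case 2: the maintenance window is opened and closed through the IND tag alone.
    before = ise.remote_access_permitted(c2_plc.iotMacAddress, SGT_REMOTE, RDP_PORT)
    c2_plc.iotCustomAttributes["remote-access"] = "allowed"
    ise.pxgrid_update(c2_plc)
    during = ise.remote_access_permitted(c2_plc.iotMacAddress, SGT_REMOTE, RDP_PORT)
    del c2_plc.iotCustomAttributes["remote-access"]
    ise.pxgrid_update(c2_plc)
    after = ise.remote_access_permitted(c2_plc.iotMacAddress, SGT_REMOTE, RDP_PORT)
    return {
        "c1_sgt": a1["sgt"], "c2_sgt": a2["sgt"],
        "cell1_to_mes": sgacl_permits(a1["sgt"], SGT_MES),
        "cell1_to_cell2": sgacl_permits(a1["sgt"], a2["sgt"]),
        "remote_before": before, "remote_during": during, "remote_after": after,
        "coa_count": len(ise.coa_log),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point to check in a real deployment is the one the model makes explicit: the SGT firewall rule and the SGACL matrix are static and pre-staged by IT, and the only thing the OT user changes is an asset attribute. Removing the tag after maintenance must produce a second CoA, otherwise the remote-access path stays open; the `coa_count` of 2 in the demo is that check.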
• 75. Use Case #3 – Flow-Based Anomaly Detection
  • Requirement: group assets into communication trust zones and detect anomalous traffic behavior; easily detect the source of the anomaly.
  • Security policy pre-staging: assets grouped in IND by the OT user automatically create host groups in Stealthwatch; IT defines alarms in Stealthwatch for host-group zone-map violations; IT configures policies in ISE to quarantine devices on violations. Stealthwatch receives NetFlow from the network and context from ISE.
  • Workflow:
    1. A compromised camera in Cell-2 initiates a port scan.
    2. Stealthwatch raises a recon alarm and a zone-map violation alarm.
    3. Stealthwatch sends a quarantine request to ISE.
    4. ISE issues a CoA and moves the camera's access port to an isolated VLAN to quarantine it.
• 76. Industrial Network Security Framework – CPwE Holistic Defense-in-Depth
  • (Figure) Same zone layout as slide 62: Enterprise Zone (Levels 4-5) with external DMZ/firewall and Enterprise Identity Services; IDMZ servers (patch management, AV server, application mirror, Remote Desktop Gateway); Industrial Zone (Levels 0-3) with core switches, distribution switch stack, active/standby WLC, IE2K/IE3X/IE4K access switches, an industrial firewall (IFW), LWAP SSIDs on 2.4 GHz and 5 GHz, WGB, controllers, drive, soft starter, I/O and MCC.
  • Ownership across the layers: control system engineers; control system engineers in collaboration with IT network engineers (Industrial IT); IT security architects in collaboration with control system engineers.
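Use case 3 on slide 75 is a detection pipeline: host groups mirrored from IND, a zone map between them, a recon (port-scan) detector, and a quarantine request that ISE turns into a CoA. The block below is an added example written for this page, not Stealthwatch or ISE code: the flow record format, the addresses, the 10-port scan threshold, the endpoint table and the quarantine VLAN name are all constructed assumptions.

```python
"""Added example: flow-based detection of use case 3 (recon alarm plus
zone-map violation) over constructed NetFlow-style records, ending in a
quarantine request. Not Stealthwatch or ISE code; the record format, the
addresses, the scan threshold and the quarantine VLAN name are assumptions."""
from collections import defaultdict

# Host groups as the OT user's IND groups would create them in Stealthwatch.
HOST_GROUPS = {
    "Cell-1": {"10.1.1.10", "10.1.1.11"},
    "Cell-2": {"10.1.2.10", "10.1.2.11", "10.1.2.50"},  # .50 is the IP camera
    "Level3": {"10.1.3.5"},                              # MES / historian
}
# Zone map: (source group, destination group) pairs that are allowed to talk.
ZONE_MAP = {
    ("Cell-1", "Cell-1"), ("Cell-2", "Cell-2"), ("Level3", "Level3"),
    ("Cell-1", "Level3"), ("Level3", "Cell-1"),
    ("Cell-2", "Level3"), ("Level3", "Cell-2"),
}
SCAN_PORT_THRESHOLD = 10  # distinct destination ports from one source (assumption)

# Endpoint table ISE would hold for the CoA: ip -> (mac, switch, port). Constructed.
ENDPOINT_TABLE = {"10.1.2.50": ("00:11:22:33:44:50", "IE4K-cell2", "Gi1/0/7")}


def group_of(ip):
    for name, members in HOST_GROUPS.items():
        if ip in members:
            return name
    return "Unknown"


def parse_flow(line):
    """Constructed record: '<ts> <src> <dst> <proto> <dport> <bytes>'."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "bytes": int(nbytes)}


def analyze(lines):
    """Return alarms in a stable order: zone-map violations, then recon alarms.
    Traffic involving an Unknown group is treated as a violation."""
    targets_by_src = defaultdict(set)
    violations = set()
    for f in map(parse_flow, lines):
        targets_by_src[f["src"]].add((f["dst"], f["dport"]))
        if (group_of(f["src"]), group_of(f["dst"])) not in ZONE_MAP:
            violations.add((f["src"], f["dst"]))
    alarms = [("zone_violation", src, dst) for src, dst in sorted(violations)]
    for src in sorted(targets_by_src):
        if len({port for _, port in targets_by_src[src]}) >= SCAN_PORT_THRESHOLD:
            alarms.append(("recon", src, None))
    return alarms


def quarantine_requests(alarms):
    """Stealthwatch -> ISE: quarantine every host that raised a recon alarm."""
    return sorted({src for kind, src, _ in alarms if kind == "recon"})


def ise_quarantine(ip):
    """ISE side: CoA that moves the endpoint's access port to the isolated VLAN."""
    mac, switch, port = ENDPOINT_TABLE[ip]
    return {"coa": "reauth", "mac": mac, "switch": switch, "port": port,
            "vlan": "QUARANTINE"}


# Constructed flows: normal CIP/EtherNet-IP traffic to Level 3, one in-cell flow,
# and the compromised camera in Cell-2 sweeping 11 ports on the Cell-1 PLC.
SCAN_PORTS = [21, 22, 23, 80, 102, 135, 139, 443, 445, 502, 44818]
FLOW_LINES = [
    "1 10.1.1.10 10.1.3.5 tcp 44818 5200",
    "2 10.1.2.10 10.1.3.5 tcp 44818 4800",
    "3 10.1.2.50 10.1.2.10 tcp 80 900",
] + [f"{10 + i} 10.1.2.50 10.1.1.10 tcp {p} 60" for i, p in enumerate(SCAN_PORTS)]


def run_demo():
    alarms = analyze(FLOW_LINES)
    return alarms, [ise_quarantine(ip) for ip in quarantine_requests(alarms)]


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

Two design choices matter here. Zone-map violations are keyed on the source/destination pair rather than on individual flows, so a scan produces one violation alarm and one recon alarm instead of eleven duplicates; and hosts that IND has not classified fall into an Unknown group that the zone map never permits, so the detection fails closed rather than silently ignoring unprofiled devices.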
• 78. Drivers for the Connected Factory
  • Becoming an insight-driven manufacturer: the ability to accurately track machine utilization (e.g. OEE); facilitating the use of advanced sensor technologies and enabling predictive maintenance.
  • Continuously innovating products, services and relationships: creating connected environments inclusive of partners, internal and external.
  • Becoming agile while maintaining control of the business: new operational and business models.
• 79. Connected Factory – Achieving Business Outcomes
  • (Figure) Three layers: devices (sensors, robots, personal devices, tracking); networks (automation network, management network, collaboration network (IT)) under a unified network management layer (deployment and service management); applications under a unified application layer (any device, any application).
  • Application areas: supply chain, production automation, energy, voice, video, inventory management, quality control, cost management, workforce enablement, building and facilities management, SCADA, industrial access and control, manufacturing execution systems, enterprise resource planning, reports, analytics, collaboration, Internet, safety, security, real-time location services, product enhancement.
  • Outcomes: reduce costs (optimize operations), increase revenues (more capabilities), meet responsibilities (environmental, safety, regulatory).
  • "The right information to the right place at the right time…securely"
• 80. Industry 4.0
  • Technology progress: 18th century steam; 20th century mass production; 1970s robots; today digitization and cyber-physical systems, smart devices.
  • Cyber-physical systems monitor physical processes, create a virtual copy ("digital twin") of the physical world and make decentralized decisions.
  • Cyber-physical systems communicate and cooperate with each other and with humans in real time.
  • Internal and cross-organizational services are offered and used by participants of the value chain.
  • Includes "soft" topics such as work/life balance.
• 81. IoT, IIoT, Industrie 4.0 and the Connected Factory
• 83. Cyber Attacks Continue…
  • One of the latest: the Norsk Hydro cyber attack cost it nearly $52M in the first quarter of 2019.
• 84. Hope is NOT a Strategy
  • 40 percent of manufacturing companies were affected by cyber incidents in the past 12 months.
  • 38 percent of those that felt the effects indicated that cyber breaches resulted in damages in excess of $1 million.
  • Manufacturing is the most targeted category, and small to medium manufacturers are the most targeted. (Source: www.isssource.com)
• 85. Industry 4.0 Driving the Connected Factory
  • (Figure) Plant-wide systems across receiving, material handling, processing, batching/blending, packaging, shipping, utilities and the control room; enterprise-wide systems linking corporate headquarters, OEM supplier, other plants and customers.
  • Three capabilities: Connect, Protect & Detect, Collect.
  • Lower total cost of ownership | faster time to market | better asset optimization | broader risk management.
• 86. Security is NOT a Product but a Process
  • Where do I begin? NIST Cybersecurity Framework – Manufacturing Profile.
  • People, process and technology.
• 87. NIST Framework Core Functions and Categories (people, process and technology)
  • IDENTIFY (know what you have and how critical it is to your organization): Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy.
  • PROTECT (secure what you have): Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology.
  • DETECT (spot threats quickly): Anomalies and Events; Security Continuous Monitoring; Detection Processes.
  • RESPOND (take action immediately): Response Planning; Communications; Analysis; Mitigation; Improvements.
  • RECOVER (restore operations): Recovery Planning; Improvements; Communications.
• 88. Technology Doesn't Cover Everything
  • (Table) The same functions and categories as slide 87, marked against three columns, People, Process and Technology; the per-cell marks are not recoverable from the extraction.
  • Only half of the framework's categories are addressed by technology.
  • This highlights the importance of both people and process in cybersecurity.
• 89. Assess the Threats and Vulnerabilities
  • (Figure) Enterprise network, IDMZ, supervisory network (web server, app server, SCADA, database, historian, HMI), control system network (PLCs), field network (PLCs), a remote facility over VPN, and cloud systems on the Internet. Threat arrows: threats through remote access; threats from infected HMIs or PLCs; threats from unauthorized control; threats from cloud services and the Internet; uncontrolled access; exfiltration attacks.
  • Targeted or not, the entry points include: asset discovery and inventory gaps; employee carelessness; employee (and former employee) sabotage; the Internet; phishing email; an infected CD; an infected PDF file; an infected memory stick; a printer.
  • Core cybersecurity principle: "that which is not visible cannot be protected".
• 90. Develop the Transformation
  • Current state: flat and open IACS network infrastructure, i.e. security through obscurity.
  • Future state: structured and hardened IACS network infrastructure.
• 91. Strategic Factory Security Approach – Phased Factory Security Maturity
  • Phase 1, Secure Network Environment: factory (OT) architecture; IDMZ (IT-OT separation); secure remote access to OT; OT network segmentation.
  • Phase 2, Advanced Industrial Security: OT identity-based network (ISE); OT-dedicated security appliances at major demarcations; OT network security monitoring.
  • Phase 3, Enhance Protections: secure visibility and control; convergence of IT and OT network security; cyber-security overlays.
• 92. Factory Security
  • Challenge: machines on the factory floor need to be connected for visibility, but the current posture is "security by obscurity"; IT must be protected from OT and OT from IT.
  • Solution: factory cyber security assessment; Industrial DMZ; defense-in-depth framework.
  • Business outcomes: reduced downtime; protected brand reputation; minimized cyber theft; increased visibility of the factory floor; reduced risk.
• 93. Protecting IoT and OT Devices
  • Detect malicious behavior.
  • No endpoint agents.
  • Segmentation.
• 94. Why Segmentation? – Securing the Environment
  • Segmentation manages attacks.
  • Segment infrastructure: protect inbound and outbound communications, and systems from each other.
  • Scalable software-defined segmentation: separate systems and users based on role and policy, reducing security complexity.
  • Identity-based access: restrict connections to known systems and devices.
  • Profiling IoT: evaluate and determine characteristics and posture to see whether a device is misbehaving.
• 95. Map Out IDMZ Traffic Flow
  • Capture the requirements for network services and application data flows.
  • Specific applications and protocols may have to be allowed.
  • Certain network services may be allowed to communicate directly across the IDMZ, while ICS applications use IDMZ assets (brokers) to exchange data.
• 96. IDMZ Implementation – Current State (Connected Factory – Holistic Defense-in-Depth)
  • (Figure) Controllers, MCC, soft starter and I/O at Levels 0-1 hang off a distribution switch stack (Layer 2) connected straight to the enterprise (Layer 3) behind the external DMZ/firewall.
  • Implement the Purdue model with level segmentation via a firewall with routing controls; proper configuration and maintenance of firewalls and ACLs.
  • Build and commission a DMZ at Level 3.5 for IT services, agents, patch management, etc.
• 97. IDMZ Implementation – Interim
  • (Figure) The Enterprise Zone (Levels 4-5, Enterprise Identity Services, external DMZ/firewall), the new IDMZ and the new Industrial Zone core switches now exist alongside the existing distribution switch stack (Layer 2 / Layer 3 boundaries at both cores).
  • Build the new IDMZ and the factory core.
• 98. IDMZ Implementation – Access Migration
  • Migrate the access/distribution factory-floor switches to the new core.
  • Add static routes on the enterprise core to the factory-floor subnets and redistribute them into the enterprise IGP.
  • IDMZ firewall: permit any/any, with logging.
• 99. IDMZ Implementation – Server Migration
  • Migrate servers into their proper zones: patch management, AV server, application mirror and Remote Desktop Gateway into the IDMZ; Level 3 site operations servers into the Industrial Zone.
  • IDMZ firewall: build the policy and enforce it.
• 100. Protect Critical Infrastructure: Through Network Segmentation – Zone Definition
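Slides 95 to 99 describe a procedure: map the required flows, run the IDMZ firewall as permit any/any with logging while access and servers migrate, then build the policy and enforce it. The block below is an added example written for this page (not Cisco code) of the step between logging and enforcement: aggregating the logged flows into candidate rules and flagging direct Enterprise-to-Industrial crossings that bypass the IDMZ brokers. The zone subnets, the simplified log format and the sample lines are constructed for illustration.

```python
"""Added example: turning logs from the 'permit any/any and log' phase of the
IDMZ migration into an enforced policy. Not Cisco code; the zone subnets, the
simplified log format and the sample lines are constructed for illustration."""
import ipaddress
from collections import Counter

# Zone subnets (assumption). Anything else is reported as Unknown.
ZONES = {
    "Enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "IDMZ": ipaddress.ip_network("10.100.0.0/24"),
    "Industrial": ipaddress.ip_network("10.1.0.0/16"),
}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "Unknown"


def parse(line):
    """Constructed log format: '<ts> <proto> <src_ip>:<sport> -> <dst_ip>:<dport>'."""
    _ts, proto, src, _arrow, dst = line.split()
    sip, _sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return proto, sip, dip, int(dport)


def derive_policy(lines):
    """Aggregate observed flows per (src zone, dst zone, proto, dst port).
    Flows that cross Enterprise <-> Industrial directly are not turned into
    rules: they bypass the IDMZ and must be re-homed on a broker (RD gateway,
    web proxy, application mirror) before the firewall is locked down."""
    counts = Counter()
    for line in lines:
        proto, sip, dip, dport = parse(line)
        counts[(zone_of(sip), zone_of(dip), proto, dport)] += 1
    rules, direct = [], []
    for (sz, dz, proto, dport), hits in sorted(counts.items()):
        if sz == dz:
            continue  # intra-zone traffic never transits the IDMZ firewall
        entry = {"src_zone": sz, "dst_zone": dz, "proto": proto, "port": dport, "hits": hits}
        if {sz, dz} == {"Enterprise", "Industrial"}:
            direct.append(entry)
        else:
            rules.append(entry)
    return rules, direct


def is_permitted(rules, line):
    """Enforcement phase: a flow is allowed only if a derived rule covers it."""
    proto, sip, dip, dport = parse(line)
    key = (zone_of(sip), zone_of(dip), proto, dport)
    return any((r["src_zone"], r["dst_zone"], r["proto"], r["port"]) == key for r in rules)


# Constructed sample from the permit-any/any phase.
LOG_LINES = [
    "1 tcp 10.0.5.21:51000 -> 10.100.0.10:3389",   # engineer -> Remote Desktop Gateway (IDMZ)
    "2 tcp 10.100.0.10:40001 -> 10.1.3.40:3389",    # RD gateway -> Level 3 remote access server
    "3 tcp 10.1.3.5:50500 -> 10.100.0.20:443",      # Level 3 server -> application mirror
    "4 tcp 10.0.9.4:52000 -> 10.100.0.20:443",      # enterprise stakeholder -> web proxy/mirror
    "5 tcp 10.1.1.10:49001 -> 10.0.2.2:445",        # PLC subnet -> enterprise file share: direct
    "6 tcp 10.0.5.21:51010 -> 10.1.1.10:44818",     # engineer -> PLC over CIP: bypasses the IDMZ
    "7 tcp 10.0.5.21:51011 -> 10.100.0.10:3389",
    "8 udp 10.1.3.20:123 -> 10.100.0.30:123",       # NTP from Level 3 to the IDMZ
]


def run_demo():
    return derive_policy(LOG_LINES)


if __name__ == "__main__":
    rules, direct = run_demo()
    print("candidate rules:", *rules, sep="\n  ")
    print("direct crossings to re-home:", *direct, sep="\n  ")
```

The two direct crossings in the sample (CIP from an enterprise workstation to a PLC, SMB from the PLC subnet to an enterprise share) are exactly the flows that a permit any/any period tends to normalize; the policy build should treat them as migration work items, not as rules to carry forward.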
• 101. How TrustSec Simplifies Network Segmentation
  • Traditional segmentation: one VLAN per role on the factory network (machine VLAN, data VLAN, guest VLAN, BYOD VLAN, quarantine VLAN for non-compliant devices), each needing its own address space, DHCP scope, redundancy, routing, static ACLs and VACLs. Security policy is tied to topology; high cost and complex maintenance.
  • TrustSec: use the existing topology and automate security policy to reduce OpEx. No VLAN change, no topology change, central policy provisioning from ISE, micro- and macro-segmentation with tags (employee tag, supplier tag, non-compliant tag) enforced at the access layer, the IDMZ firewall/switch and the data center servers.
• 102. Extensible, Scalable Segmentation – Easily Separate Devices and Data Using the Network
  • Assign role-based groups (SGT_Employee, SGT_Contractor, SGT_Factory Floor, guests): business-based groupings that provide consistent policy and access independent of network topology.
  • Establish context-aware groups (SGT_ERP, SGT_Cell): leverage attributes such as location and device type (ERP servers, temperature devices, IP cameras, conveyor systems) to define group assignments.
  • Utilize a controller to support the group design and get up and running quickly.
• 103. Factory Device Segmentation – Example (Software-Defined Segmentation – TrustSec)
  • (Figure) Factory backbone with switches SW 1 and SW 2, a factory firewall and a data center firewall; endpoints: vendor/contractor, engineering workstation, shop-floor device, MES server, historian, ISE.
  • The TrustSec policy (SGACL) is configured and provisioned by ISE; each switch automatically downloads only the policies for the devices connected to it.
  • Traffic is filtered even within the same VLAN.
  • SGACL policy matrix rows and columns: SF Operator, SF Development, Vendor/Contractor, SF Device (the individual permit/deny cells are not recoverable from the extraction).
• 104. Factory Data Access Control using TrustSec (Software-Defined Segmentation – TrustSec)
  • Authorization with security groups, example 1: OS type Windows XP Embedded, user Frank, AD group Shop Floor, device group Eng Workstation → security group = Shop Floor Device.
  • Example 2: OS type Windows 8.1, user contractor123@acme.com, AD group none, device group BYOD Laptop → security group = Contractor.
  • Access privilege is authorized with the security group: the factory firewall (ASA, SGFW) policy is written between security groups such as SF Operator, SF Device, MES Server, Historian and Eng Workstation rather than addresses.
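Slides 101 to 104 make two claims worth seeing in code: the security group comes from session context (user, AD group, device group, OS) rather than from IP or VLAN, and the SGACL/SGFW policy is then evaluated between groups, so two hosts on the same VLAN can still be filtered. The block below is an added example written for this page, not Cisco or ISE code; the numeric tag values, the order of the authorization rules and the permitted ports in the matrix are assumptions, while the two context examples and the group names come from slides 103 and 104.

```python
"""Added example: software-defined segmentation with TrustSec as on slides
101-104: security groups derived from ISE context, then an SGACL/SGFW matrix
applied regardless of VLAN or IP address. Not Cisco code; the numeric tags,
the rule order and the permitted ports are assumptions."""

# Security groups named on the slides; the numeric tag values are assumed.
SG_TAG = {"Unknown": 0, "SF_Operator": 10, "SF_Development": 11,
          "Vendor_Contractor": 12, "SF_Device": 13, "MES_Server": 20, "Historian": 21}

# Authorization rules in evaluation order (assumed): first match wins.
AUTHZ_RULES = [
    ("Shop floor eng workstation",
     lambda c: c.get("ad_group") == "Shop Floor" and c.get("device_group") == "Eng Workstation",
     "SF_Device"),
    ("Shop floor operator", lambda c: c.get("ad_group") == "Shop Floor", "SF_Operator"),
    ("Developer", lambda c: c.get("ad_group") == "Development", "SF_Development"),
    ("Contractor on BYOD", lambda c: c.get("device_group") == "BYOD Laptop", "Vendor_Contractor"),
]


def classify(ctx):
    """ISE authorization: map session context (user, AD group, device group, OS)
    to a security group. No IP address or VLAN is consulted."""
    for _name, match, sg in AUTHZ_RULES:
        if match(ctx):
            return sg
    return "Unknown"


# SGACL/SGFW policy: (src group, dst group) -> permitted (proto, dst port) list.
# Any pair not listed is denied, including pairs inside the same VLAN.
POLICY = {
    ("SF_Device", "MES_Server"): [("tcp", 44818), ("tcp", 443)],
    ("SF_Device", "Historian"): [("tcp", 1433)],
    ("SF_Operator", "MES_Server"): [("tcp", 443)],
    ("SF_Development", "MES_Server"): [("tcp", 443), ("tcp", 22)],
    ("SF_Development", "SF_Device"): [("tcp", 44818)],
    ("MES_Server", "Historian"): [("tcp", 1433)],
}


def evaluate(src_sg, dst_sg, proto, dport):
    """Switch (SGACL) or firewall (SGFW) decision on a source/destination tag pair."""
    return "permit" if (proto, dport) in POLICY.get((src_sg, dst_sg), []) else "deny"


def run_demo():
    """Two endpoints on the same access switch and the same /24 (same VLAN):
    the engineering workstation from slide 104 and a contractor's BYOD laptop."""
    frank = {"ip": "10.1.1.20", "user": "Frank", "os": "Windows XP Embedded",
             "ad_group": "Shop Floor", "device_group": "Eng Workstation"}
    contractor = {"ip": "10.1.1.21", "user": "contractor123@acme.com", "os": "Windows 8.1",
                  "ad_group": None, "device_group": "BYOD Laptop"}
    sg_frank, sg_contr = classify(frank), classify(contractor)
    return {
        "frank_group": sg_frank, "frank_tag": SG_TAG[sg_frank],
        "contractor_group": sg_contr, "contractor_tag": SG_TAG[sg_contr],
        "frank_to_mes_cip": evaluate(sg_frank, "MES_Server", "tcp", 44818),
        "frank_to_historian_sql": evaluate(sg_frank, "Historian", "tcp", 1433),
        "contractor_to_mes_https": evaluate(sg_contr, "MES_Server", "tcp", 443),
        # Same VLAN and subnet as Frank, still denied by the tag matrix.
        "contractor_to_frank_rdp": evaluate(sg_contr, sg_frank, "tcp", 3389),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Rule order is the part to review in a real ISE deployment: the more specific "Shop Floor + Eng Workstation" rule must sit above the plain "Shop Floor" rule, otherwise Frank's workstation is classified as an operator and loses the CIP path to the MES server while keeping a broader set of rights it should not have.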
• 105. Why Visibility – Monitoring and Analysis
  • Communication in both IT and OT.
  • Monitor infrastructure communications: identify and alert on abnormal traffic flows.
  • Threat intelligence: knowledge of existing attacks and communication vectors.
  • Intrusion prevention: block attacks, exploitation and intelligence gathering.
• 106. You have already made a lot of investment in network and security… yet threats are getting through. Have you been compromised? How and when would you know?
• 107. Effective Security Depends on Total Visibility
  • Across the data center, manufacturing, enterprise and IoT devices: identify every asset on the network; set policies based on hosts as well as applications; model policies before enforcing them.
  • SEE every conversation; KNOW every host; understand what is NORMAL; be alerted to CHANGE; respond to THREATS quickly.
• 108. Security Analytics with Stealthwatch
  • Data collection: rich telemetry from the existing network infrastructure.
  • Global threat intelligence (powered by Talos): intelligence on global threat campaigns mapped to local alarms for faster mitigation.
  • Behavioral modeling: behavioral analysis of every activity within the network to pinpoint anomalies.
  • Multilayered machine learning: a combination of supervised and unsupervised techniques to convict advanced threats with high fidelity.
  • Encrypted Traffic Analytics: malware detection without decryption, using enhanced telemetry from the newer Cisco devices.
• 109. Introduction to Data and Analytics: Insight-Driven Operations
• 110. Data in Manufacturing – Two Distinct Viewpoints
  • "Manufacturing has always had Big Data. We have been collecting data with historians and MES systems for decades."
  • "Manufacturing is an untapped market for Big Data. There is lots of data, lots of different types of data, and hardly any of it is being used for analysis today."
  • (Figure) PLC and I/O data flows through an Ethernet switch to Cisco Kinetic edge compute, which adds context and a quality flag, and on to big data analytics as selected data with modeling and logic applied.
• 111. Data Opportunities and Challenges in Manufacturing
  • Opportunities: improve quality and increase throughput; better insight into the root cause of manufacturing issues; reduce machine failure and downtime.
  • Challenges: the extreme composition of the data requires new approaches, infrastructure and tools; data scientists or business analysts are required; little time for refining data models, massaging analytical tools and teasing out insight; need for simple, intuitive analytical tools and dashboards; lack of expertise to derive the algorithms behind predictive models.
• 112. "Can an analytics system answer questions we didn't know to ask?"
  • Data and analytics can bring together structured, time-series and unstructured data; artificial intelligence (AI) based analytics on top of these are the solutions that answer unasked questions and drive real and unexpected value.
  • (Figure) Quadrants of data versus analytics: old answers to old questions; new answers to old questions (big data, data analytics); new answers to new questions (machine learning analytics).
• 113. Data Driving Decision Making – Analytics
  • Streaming data feeds a loop: MEASURE → ANALYZE → DECIDE → ACT.
• 114. Analytics Maturity – Data into Action
  • Descriptive: what happened? Diagnostic: why did it happen? Predictive: what will happen? Prescriptive: what should I do?
  • Moving from data to decision to action, human input is required for decision support and removed for decision automation.
  • Data analytics applied to factory equipment and sensors can bring operational efficiencies and cost savings to manufacturing processes.
• 115. Data and Decision Time within the Purdue Model
  • Level 5, planning: decision in months/years; network: enterprise.
  • Level 4, business systems: decision in days/weeks; network: enterprise.
  • Level 3, manufacturing operations management: decision in seconds/minutes/hours; network: plant/enterprise.
  • Level 2, equipment and process control: decision sub-second; network: plant.
  • Level 1, sensors, instrumentation and data collection: decision sub-second; network: plant.
  • Level 0, production assets.
  • (Figure) Compute tiers alongside the levels: Cisco Kinetic edge (IE switch with IOx) and fog at the plant levels, then enterprise, then cloud.
• 116. Data Driving Design and the Digital Twin – Analytics
  • Digital: DESIGN → SIMULATE & OPTIMIZE. Physical: PRODUCE → REACT. Streaming data closes the loop between the physical and the digital twin.
• 117. Manufacturing Data Examples
  • Data is characterized by huge data sets with varied data types, which can be classified as structured, real-time structured, or unstructured.
  • Real-time structured data: sensors (vibration, pressure, valve, acoustics), relays; RFID; direct from PLCs, motors and drives; direct from motion controllers and robot arms; manufacturing historians (time-series data structure).
  • Unstructured data: operator shift reports; machine logs; error logs; texts; vision images; audio/video; manufacturing collaboration social platforms.
  • Structured data: RDBMS databases; NoSQL; enterprise data warehouse; files stored on manufacturing PCs; spreadsheets.
• 118. Data Types and Sizes
  • Manufacturing generates massive data files, which limits the ability to store, analyze and extract useful information from them using conventional methods; it is extremely hard even to visualize the information in large data sets from various sources.
  • Machine parameters and error logs: ~5 GB per machine per week; used to monitor machine performance (dispense height, placement (x, y, z), belt speed, flow rate, oven temperature, laser power, etc.).
  • Machine events: ~10 GB per machine per week; used to measure process time (start dispense, end dispense, start setup, end setup).
  • Defect images from vision equipment: ~50 GB per unit or 750 GB per lot per week; used to identify the root cause of failure modes, defect commonality and defect mapping.
• 119. What Problems Are We Solving for Customers?
  • Environmental sensing, business outcomes: plant hazard awareness, pollution, security, safety, compliance.
  • Remote visibility, business outcomes: condition monitoring, preventive and predictive maintenance, asset health, cost avoidance, reliability.
  • Efficiency through process automation, business outcomes: cost reduction, efficiency, consistency, increased uptime, faster and more accurate decisions.
• 120. Key Takeaways
  • The power of big data technology stems from the ability to merge and correlate these data set types to create business value through newfound insights.
  • New big data technology allows manufacturers to aggregate and centralize various types of data in a cost-effective, scalable manner.
  • Process variability drives a real business need for manufacturers to turn to a big data solution based on a scalable platform that can grow with their business and manufacturing requirements.
  • Machine data is strongly correlated to yield, quality and output, thereby providing valuable information to proactively detect processes that are getting out of control.
  • 122. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public #CLUS Use Cases •Wireless tooling •Monitoring hard-to-reach and restricted areas •PLCs and automated guided vehicles (AGVs) Key Enabling IW3702 Features •Seamless roaming at low to moderate speeds •Supports prioritized PROFINET traffic for industrial applications •PRP (Parallel Redundancy Protocol) over wireless for high resilience Factory Wireless BRKIOT 2108 122
  • 123. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public #CLUS Factory Wireless WGB Roaming Evolution 123 Basic WGB roaming Fast WGB roaming PRP enhanced roaming Low to moderate speed • Limited Scanning of channels High speed • 802.11v BSS Fast Transition on WGB • RSSI smoothing filter • Optimized rate- shifting algorithm Highest speed • PRP over wireless • Dual radios enables always-best- connected • Roaming coordination prevents two radios from roaming at the same time BRKIOT 2108
  • 124. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public #CLUS Parallel Redundancy Protocol (PRP) over Wireless RF interference, hand off results in packet loss PRP Enabled Wireless Network PRP over wireless creates redundant radio path for data transmission Zero recovery time in event of temporary failure Each data transmission goes through single radio path Wireless Network Without PRP PRP RedBox PRP RedBox Data Frame Data Frame PRP is defined in the International Standard IEC 62439-3 and designed to provide hitless redundancy (zero recovery time after failures) in networks 124 BRKIOT 2108
• 125. PRP over Wireless Redundancy Options
Dual WGBs, dual radios (WLC 8.4)
• Two WGBs, each using a 5 GHz radio
• An external PRP switch acts as the RedBox (redundancy box) and performs packet duplication and duplicate discard
• Application examples: industrial automation and AGV applications
Single WGB, dual radios (WLC 8.5)
• One WGB using its 2.4 GHz and 5 GHz radios
• The WGB itself acts as the RedBox and performs packet duplication and duplicate discard
• Application examples: autonomous vehicles, straddle carriers and other mission-critical applications
• 126. Roaming Coordination
Topology (from the slide diagram): in the dual-WGB case, WGB1 and WGB2 are linked over VLAN 51 (subinterface Gi1.51 on each), either by a direct wired connection or through a switch (Gi0/1, Gi0/2), and associate to AP1 and AP2 respectively; in the single-WGB case the 5 GHz and 2.4 GHz radios of one WGB coordinate with each other.
• A WGB that wants to start a roam sends an indication to the other WGB
• If the other WGB also needs to roam, it waits 100 ms by default (configurable)
• Once the roam on the first WGB completes, or the timeout expires, the other WGB is free to roam
• 127. Sample Topology for Dual WGBs PRP Function
Topology (from the slide diagram): on the infrastructure side, a WLC, a PRP switch, an aggregate switch, and AP1 (SSID A, LAN_A) and AP2 (SSID B, LAN_B), both on 5 GHz; on the mobile client side, WGB1 and WGB2 attached to a PRP switch. Client VLAN: 800; LAN_A: VLAN 801; LAN_B: VLAN 802. Each data frame travels once tagged 801 and once tagged 802.
Infrastructure side
• An aggregate switch on the infrastructure side carries the duplicated packets
• APs in FlexConnect mode
• The APs transmit and receive the redundant data traffic over different SSIDs, tagged with different VLANs
Mobile client side
• Each WGB associates to a different SSID and sits in a different VLAN
Roaming coordination
• The WGBs are connected to each other to provide the roaming coordination function, preventing both WGBs from roaming at the same time
• 128. Sample Topology for Single WGB PRP Function
Topology (from the slide diagram): on the infrastructure side, a WLC, a PRP switch, an aggregate switch, and AP1 (SSID A, LAN_A) and AP2 (SSID B, LAN_B); on the mobile client side, one WGB using its 2.4 GHz and 5 GHz radios. Client VLAN: 800; LAN_A: VLAN 801; LAN_B: VLAN 802. Each data frame travels once tagged 801 and once tagged 802.
Infrastructure side
• An aggregate switch on the infrastructure side carries the duplicated packets
• APs in FlexConnect mode
• The APs transmit and receive the redundant data traffic over different SSIDs, tagged with different VLANs
Mobile client side
• The WGB associates each radio to a different SSID, so the two radios sit in different VLANs
Roaming coordination
• The WGB coordinates roaming between its two radios, preventing both radios from roaming at the same time
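Slides 124 through 128 describe what the PRP RedBox does (duplicate each frame onto LAN_A and LAN_B, drop the second copy at the receiver) and why roaming coordination matters (the two radios must not be away at the same time). The following is an added example written for this page, not Cisco code and not the IW3702 implementation: it builds the IEC 62439-3 PRP-1 Redundancy Control Trailer (16-bit sequence number, 4-bit LAN ID, 12-bit LSDU size, 0x88FB suffix) on each frame, runs a receive-side duplicate-discard table, and pushes constructed cyclic I/O frames through two paths with scripted outages. The outage windows, frame payloads, source name and the 64-entry discard window are assumptions chosen for the simulation.

```python
"""PRP (IEC 62439-3) duplicate/discard over two lossy wireless paths.

Constructed example: a sending RedBox appends the PRP-1 Redundancy Control
Trailer (RCT) to each frame and sends one copy per LAN (here: per radio/SSID);
the receiving RedBox forwards the first copy of each sequence number and drops
the second. Path outages are scripted so the result is deterministic.
"""
from collections import deque
import struct

PRP_SUFFIX = 0x88FB          # PRP-1 suffix that ends the RCT
LAN_A, LAN_B = 0xA, 0xB      # LAN identifiers carried in the RCT
RCT_LEN = 6                  # 16-bit seq | 4-bit LAN ID + 12-bit LSDU size | 16-bit suffix


def add_rct(lsdu: bytes, seq: int, lan_id: int) -> bytes:
    """Append the RCT. `lsdu` is the frame body after the Ethernet header;
    the LSDU size field counts the RCT itself, as in PRP-1."""
    lsdu_size = (len(lsdu) + RCT_LEN) & 0x0FFF
    return lsdu + struct.pack(">HHH", seq & 0xFFFF, (lan_id << 12) | lsdu_size, PRP_SUFFIX)


def parse_rct(frame: bytes):
    """Return (lsdu, seq, lan_id) for a PRP frame, or None for a plain frame."""
    if len(frame) < RCT_LEN:
        return None
    seq, lan_and_size, suffix = struct.unpack(">HHH", frame[-RCT_LEN:])
    lan_id, lsdu_size = lan_and_size >> 12, lan_and_size & 0x0FFF
    # A plain frame whose tail happens to look like an RCT is rejected by the size check.
    if suffix != PRP_SUFFIX or lan_id not in (LAN_A, LAN_B) or lsdu_size != (len(frame) & 0x0FFF):
        return None
    return frame[:-RCT_LEN], seq, lan_id


class DuplicateDiscard:
    """Receiving RedBox: forward the first copy of (source, seq), drop the rest."""

    def __init__(self, window: int = 64):
        self.window = window      # assumed size of the per-source history
        self.recent = {}          # source -> deque of recently seen sequence numbers
        self.discarded = 0

    def receive(self, src: str, frame: bytes):
        parsed = parse_rct(frame)
        if parsed is None:
            return frame          # non-PRP (singly attached node) traffic passes untouched
        lsdu, seq, _lan = parsed
        seen = self.recent.setdefault(src, deque(maxlen=self.window))
        if seq in seen:
            self.discarded += 1   # second copy of this sequence number: drop it
            return None
        seen.append(seq)
        return lsdu


def simulate(n_frames: int = 100, outage_a=range(10, 20), outage_b=range(30, 35)):
    """Send n_frames cyclic frames over LAN_A and LAN_B with scripted outages
    (radio A roaming while seq 10..19 is sent, RF loss on B for seq 30..34;
    assumed values). Returns (frames delivered over LAN_A alone,
    frames delivered with PRP duplicate/discard, duplicates discarded)."""
    rx = DuplicateDiscard()
    single_path, with_prp = [], []
    for seq in range(n_frames):
        lsdu = f"cyclic-io-{seq}".encode()          # constructed payload
        if seq not in outage_a:
            single_path.append(lsdu)                 # what a non-PRP WGB on radio A delivers
            out = rx.receive("wgb-client", add_rct(lsdu, seq, LAN_A))
            if out is not None:
                with_prp.append(out)
        if seq not in outage_b:
            out = rx.receive("wgb-client", add_rct(lsdu, seq, LAN_B))
            if out is not None:
                with_prp.append(out)
    return single_path, with_prp, rx.discarded


if __name__ == "__main__":
    single, prp, dropped = simulate()
    print(f"single radio delivered {len(single)}/100, PRP delivered {len(prp)}/100, "
          f"duplicates discarded: {dropped}")
```

With non-overlapping outages the single radio loses the ten frames sent during its roam while PRP delivers all 100, in order, and discards the 85 second copies. Re-running `simulate(outage_a=range(10, 20), outage_b=range(15, 25))` shows the failure mode roaming coordination exists to prevent: when both paths are away at the same time the overlapping sequence numbers are lost on both LANs and PRP cannot recover them. Note that the RCT carries no integrity or authentication field, so duplicate discard trusts the sequence number as received; protection of the frames on the air still comes from the WLAN security configured on each SSID.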
• 129. Accelerate time to value with Cisco Validated Designs and Cisco CX solutions
• Cisco Validated Designs: validated blueprints for industry solutions (new and updated versions)
• Lifecycle Solutions: fixed SKUs built on CVDs; lab validation, field pilots and edge services; simplify adoption with services from pilots to scale
• Solution Support: on-demand expertise for complex problems
The slide marks these as new or updated offerings.
• 130. Conclusion: Measure Twice, Cut Once
• Connected Factory reference architectures: simplified design, quicker deployment, reduced risk in deploying new technology to achieve business outcomes
• Factory Network: secure, scalable and resilient network infrastructure
• Factory Wireless: enables mobility, secure personnel access, equipment-to-equipment communication and asset tracking
• Factory Security: defense-in-depth security for multiple layers of threat detection and prevention
• 131. For your reference
Recommended resources: reference architectures
• Design Zone Industry Solutions: https://www.cisco.com/c/en/us/solutions/enterprise/design-zone-industry-solutions/index.html
• 132. Questions? Use Cisco Webex Teams to chat with the speaker after the session
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space
Webex Teams will be moderated by the speaker until June 16, 2019.
cs.co/ciscolivebot#
• 133. Complete your online session evaluation
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.
• 134. Continue your education
• Related sessions
• Walk-in labs
• Demos in the Cisco campus
• Meet the engineer 1:1 meetings
• 135. Wireless Cisco education offerings
• Designing, Deploying, Troubleshooting and Securing Cisco Wireless Enterprise Networks (CCNP Wireless): professional-level instructor-led trainings that prepare candidates to conduct site surveys and to implement, configure and support APs and controllers in converged enterprise networks. Focused on 802.11 and related technologies to design, deploy, troubleshoot and secure wireless infrastructure. The courses also cover Cisco Mobility Services Engine, Prime Infrastructure and wireless security.
• Implementing Cisco Unified Wireless Network Essentials (CCNA Wireless): prepares candidates to design, install, configure, monitor and perform basic troubleshooting of a Cisco WLAN in enterprise installations.
• Deploying Basic Cisco Wireless LANs (WDBWL), version 1.2: an understanding of Cisco Unified Wireless Networking for enterprise deployment scenarios. Covers the basics of installing, configuring, operating and maintaining a wireless network, both as an add-on to an existing wireless LAN (WLAN) and as a new Cisco Unified Wireless Networking solution.
• Deploying Advanced Cisco Wireless LANs (WDAWL), version 1.2: the knowledge and skills to plan, install, configure, troubleshoot, monitor and maintain advanced Cisco wireless LAN solutions such as QoS, "salt and pepper" mobility, high-density deployments and outdoor mesh deployments in an enterprise customer environment.
• Deploying Cisco Connected Mobile Experiences (WCMX), version 2.0: prepares professionals to use the Cisco Unified Wireless Network to configure, administer, manage, troubleshoot and optimize the use of mobile content while gaining meaningful client analytics.
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth
• 136. Cybersecurity Cisco education offerings
• Understanding Cisco Cybersecurity Fundamentals (SECFND) (CCNA Cyber Ops): provides an understanding of cybersecurity's basic principles, foundational knowledge and core skills needed as a base for more advanced cybersecurity material and skills.
• Implementing Cisco Cybersecurity Operations (SECOPS) (CCNA Cyber Ops): prepares candidates to begin a career within a Security Operations Center (SOC), working with cybersecurity analysts at the associate level.
• Cisco Security Product Training Courses: official deep-dive, hands-on product training on Cisco's latest security products, including NGFW, ASA, NGIPS, AMP, Identity Services Engine, Email and Web Security Appliances, and more.
For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth
• 137. Internet of Things (IoT) Cisco education offerings
• Managing Industrial Networks for Manufacturing (IMINS2) (CCNA Industrial): an associate-level, instructor-led, lab-based training that focuses on common industrial application protocols, security, wireless and troubleshooting, designed to prepare you for the CCNA Industrial certification.
• Managing Industrial Networks with Cisco Networking Technologies (IMINS) (Cisco Industrial Networking Specialist): an instructor-led, lab-based training that addresses the foundational skills needed to manage and administer networked industrial control systems for today's connected plants and enterprises. It helps prepare plant administrators, control system engineers and traditional network engineers for the Cisco Industrial Networking Specialist certification.
• Control Systems Fundamentals for Industrial Networking (ICINS) (pre-learning for IMINS and IMINS2 training and certifications): for IT and network engineers; an introduction to industry IoT verticals, the automation environment and an overview of industrial control networks (e-learning).
• Networking Fundamentals for Industrial Control Systems (INICS) (pre-learning for IMINS and IMINS2 training and certifications): for industrial engineers and control system technicians; covers basic IP and networking concepts and an introductory overview of automation industry protocols.
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth
• 138. Data and Analytics Cisco education offerings
• ANDMB, Data Management, Architecture and Applications: provides hands-on training with a technical mix of application, compute, storage and networking topics concerning the deployment of big data clusters.
• ANDMA, Advanced Data Management, Architecture and Applications: covers major architecture designs that cater to different application, data center or deployment requirements. It provides architectural designs and advanced hands-on training on scaling a cluster to thousands of nodes and managing it, data life cycle management with HDFS tiered storage, and different approaches to multi-tenant Hadoop cluster deployments with OpenStack.
Data and Analytics training page: http://www.cisco.com/c/en/us/training-events/resources/learning-services/technology/data-analytics.html
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth
• 139. Cybersecurity Cisco education offerings
• CCIE Security 5.0 (CCIE Security)
• CCNP Security courses:
• Implementing Cisco Edge Network Security Solutions (SENSS): configure Cisco perimeter edge security solutions using Cisco switches, Cisco routers and Cisco Adaptive Security Appliance (ASA) firewalls
• Implementing Cisco Threat Control Solutions (SITCS) v1.5: implement Cisco's Next Generation Firewall (NGFW), FirePOWER NGIPS (Next Generation IPS) and Cisco AMP (Advanced Malware Protection), as well as Web Security, Email Security and Cloud Web Security
• Implementing Cisco Secure Access Solutions (SISAS): deploy Cisco's Identity Services Engine and 802.1X secure network access
• Implementing Cisco Secure Mobility Solutions (SIMOS): protect data traversing a public or shared infrastructure such as the Internet by implementing and maintaining Cisco VPN solutions
• Implementing Cisco Network Security (IINS 3.0) (CCNA Security): focuses on the design, implementation and monitoring of a comprehensive security policy using Cisco IOS security features
For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth
• 140. Digital Business Transformation Cisco education offerings
• For technology sellers: Adopting the Cisco Business Architecture Approach (Cisco Business Architecture Analyst): builds skills to discover and address technology needs using a business-focused, consultative sales approach, broadly applicable and aimed at preparing for the digital transformation journey demanded across the business world.
• Applying Cisco Business Architecture Techniques (Cisco Business Architecture Specialist): provides tools and skills training that prepares the learner to use a business-led approach to technology solution sales and deployments. This continues the journey begun with Adopting the Cisco Business Architecture Approach above.
• Mastering the Cisco Business Architecture Discipline (Cisco Business Architecture Practitioner): builds skills and proven, real-world techniques to prepare for a business architect leadership role in the sales and deployment of transformative technology solutions.
• Cisco Customer Success Manager Specialist (Cisco Certified Customer Success Manager): prepares for the crucial role that drives adoption and enablement, ensuring that customers achieve their expected business outcomes, and that reduces churn and increases renewals for services and subscription-based products.
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth