BRKIOT-2108.pdf

JokaTek
Mar. 20, 2023

  1. Title slide (#CLUS)
  2. BRKIOT-2108 Connected Factory Architecture: Theory and Practice
     Arun Siddeswaran, Sr. Manager, IoT Solutions; Frank Baro, Sr. Solution Architect, Customer Experience
  3. (Photo slide) © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public. Image source: http://photographyblogger.net
  4. Agenda
     • Connected Factory Architecture
       - Cisco Reference Architecture
       - Factory Network
       - Factory Wireless
       - Factory Security
     • Connected Factory in Practice
       - Achieving Business Outcomes
       - Factory Security
       - Enabling Analytics
       - Factory Wireless: AGV Roaming
     • Conclusion
  5. Market pressures are putting productivity and profitability for industrial operations at risk
  6. Connected Factory Reference Architectures
  7. CPwE, a holistic blueprint for reliable and secure digital transformation
  8. Built on Industry Standards: Purdue / IEC 62443 Reference Model
     Enterprise Security Zone
       • Level 5: Enterprise Network
       • Level 4: Site Business Planning and Logistics Network (e-mail, intranet, etc.)
     Industrial DMZ (between two firewalls): Remote Gateway Services, Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server
     Industrial Zone
       • Level 3, Site Operations and Control: FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Remote Access Server
       • Cell/Area Zone
         - Level 2, Area Supervisory Control: FactoryTalk Client, Operator Interface, Engineering Workstation
         - Level 1, Basic Control: Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control
         - Level 0, Process: Sensors, Drives, Actuators, Robots
  9. Converged Plantwide Ethernet (CPwE) Reference Architecture (diagram; the recoverable content follows)
     Enterprise Zone, Levels 4-5
       • Data center, physical or virtualized servers: ERP and business systems; email and web services; security services (Active Directory (AD), Identity Services (AAA)); network services (DNS, DHCP); Call Manager
       • Enterprise Identity Services, core and access switches, external DMZ / firewall, Internet, Wide Area Network (WAN)
     Industrial Demilitarized Zone (IDMZ)
       • Plant firewalls (ASA 5500, active/standby): inter-zone traffic segmentation; ACLs, IPS and IDS; VPN services; portal and Remote Desktop Services proxy
       • Physical or virtualized servers: patch management, AV server, application mirror, Remote Desktop Gateway server
     Industrial Zone, Levels 0-3 (plant-wide network)
       • Level 3, Site Operations (control room): physical or virtualized servers for the FactoryTalk application servers and services platform; network and security services (IND, DNS, AD, DHCP, Identity Services (AAA), MSE); storage array; Industrial Network Director; Stealthwatch; Identity Services; Cisco Kinetic (IoT platform); active and standby Wireless LAN Controllers (WLC); distribution switch stack (IE 5K)
       • Cell/Area Zones, Levels 0-2 (lines, machines, skids, equipment), built on industrial Ethernet switches (IE-1K, IE2K, IE3X, IE4K) with industrial firewalls (IFW) at the cell boundary:
         - Redundant star topology with Flex Links resiliency and a unified wireless LAN (LWAPs with SSIDs on 5 GHz and 2.4 GHz, IW3700 workgroup bridges)
         - Linear / bus / star topology with an autonomous wireless LAN
         - Ring topology with a unified wireless LAN
         - Devices: controllers, safety controllers, HMIs, I/O and safety I/O, drives, servo drives, soft starters, robots, cameras, phones
  10. Connected Factory: Designed for Digital Manufacturing
  11. Factory Network
  12. Cell/Area Zone Overview
      A Cell/Area Zone is a functional area of a production facility. Considerations include:
      • Environmental constraints
      • Range of device intelligence
      • Time-sensitive applications
      Diagram legend: Layer 3 distribution switch (IE5K); Layer 2 access switches (IE2K / IE3X / IE4K); Layer 2 interswitch uplink (VLAN trunk, Layer 2 resiliency); Layer 2 access link (single VLAN assigned to the port); Level 2 HMI; Level 1 controllers; Level 0 devices (drives, VFD, distributed I/O). Media and connectors are part of the zone design.
  13. Typical Cell/Area Zone Traffic Flows
      • CIP Implicit (producer / consumer): cyclical I/O traffic, UDP unicast and multicast; <500 bytes, frequent; period 0.5 ms to tens of ms, typically 20 ms; more than 80% stays local to the Cell/Area Zone
      • CIP Explicit (informational control and administration): non-critical administrative or data traffic over TCP; ~1500 bytes, infrequent; period above 500 ms; intra- and inter-Cell/Area Zone flows (HMI, engineering laptop and network management in the Manufacturing Zone)
  14. Benefits of Managed Infrastructure
      Managed switches
        Benefits: loop prevention and resiliency; security services; management services (multicast and DHCP per port); diagnostic information; segmentation services (VLANs); prioritization services (QoS)
        Considerations: more expensive; require some level of support and configuration to start up
      Unmanaged switches
        Benefits: inexpensive; simple to set up
        Considerations: no loop prevention or resiliency; no security services; no diagnostic information; no segmentation or prioritization services; difficult to troubleshoot, no management services
  15. Industrial Network Topologies: Cell/Area Zone Topology Options
      • Linear / bus: access switches (IE2K / IE3X / IE4K, or a legacy Cisco Catalyst 2955) chained to the IE5K distribution switch
      • Redundant star: Flex Links or EtherChannel from each access switch to the IE5K distribution switch
      • Ring: Resilient Ethernet Protocol (REP) through the IE5K distribution switch
      Devices in every option: controllers, drives, distributed I/O, HMI.
      Comparison criteria (each topology is rated worst / OK / best on the slide; the ratings are not recoverable from the text): cabling requirements, ease of configuration, implementation costs, bandwidth, redundancy and convergence, disruption during network upgrade, readiness for network convergence, overall network TCO and performance.
  16. Performance Requirements: Industrial Automation and Control System Applications (source: ARC Advisory Group)
      Function | Communication technology | Period | Applications | Industries
      Process automation (information integration, slower process automation) | .NET, DCOM, TCP/IP | 1 second or longer | pumps, compressors, mixers; monitoring of temperature, pressure, flow | oil and gas, chemicals, energy, water
      Time-critical factory automation: discrete automation (loss critical) | industrial protocols, CIP, PROFINET | 1 ms to 100 ms | material handling, filling, labeling, palletizing, packaging; welding, stamping, cutting, metal forming, soldering, sorting | automotive, food and beverage, electrical assembly, semiconductor, metals, pharmaceutical
      Multi-axis motion control (loss critical; a subset of discrete automation) | hardware and software solutions, e.g. CIP Motion, PTP | 100 µs to 10 ms | life and equipment safety; synchronization of multiple axes: printing presses, wire drawing, web making, picking and placing | utilities; subset of discrete automation
  17. Network Resiliency Protocols: Selection Is Application Driven
      Protocols listed on the slide (ring vs redundant-star fit, mixed-vendor support and convergence class, >250 ms / 50-100 ms / <0 to ~10 ms, are rated per protocol on the slide and are not recoverable from the text):
      • Layer 2: STP (802.1D), RSTP (802.1w), MSTP (802.1s), PVST+, REP, EtherChannel (LACP 802.3ad), MRP (IEC 62439-2)*, Flex Links, PRP/HSR (IEC 62439)*, DLR (IEC and ODVA), StackWise
      • Layer 3: HSRP, VRRP (IETF RFC 3768)
      Application classes: process and information; time critical; loss critical.
      * Not part of CPwE
  18. Industrial IoT Networking Portfolio
      • Industrial switching: IE 1K, 2K, 3K, 4K, 5K; CGS; 3x00
      • Low-power wide-area wireless: LoRaWAN IXM Gateway
      • IoT gateways: 819-MNA, IR807, IR809, IR829, IR1101
      • Industrial routing: ASR 902U/903U/920U, CGR 1000, CGR 2000
      • Cisco Resilient Mesh: IR500, DevNet
      • Industrial wireless: AP1552, IW3702
      • Management and automation: Field Network Director, Industrial Network Director
      • Industrial security: ISA 3000
      • Embedded IoT: ESS, ESR
      • Edge computing: IOx, IC 3000
  19. Industrial Ethernet Switch Characteristics
      Feature | Cisco Industrial Ethernet (IE) | Typical non-industrial Ethernet switch
      Form factor / mounting options | DIN rail, panel and rack mount | rack mount
      Interface options | port density 6-28 | high port density
      PoE density / max power | port density 6-28 | high port density
      Power supply options | AC and DC; DC input voltage range 10 to 300 V | AC and DC; DC input voltage range 36 to 72 V
      Converged access (wired plus wireless) | no | yes, mobility agent and mobility controller
      Environmental design | fanless (no moving parts); operating range -40 °C to +60 °C; IP30 (models up to IP67); hardened for vibration, shock, surge and noise immunity | fans; -5 °C to +45 °C; IP rating not specified (IP20 or less); enterprise-class certifications
      "Swap drive" (removable flash) | yes | no
      Dying gasp on loss of input power | yes | no
      Alarm ports | yes | no
      Deterministic Ethernet (IEEE 802.1 TSN) | yes, supported by IE 4000 and 5000 | no
  20. Industrial Ethernet Switch Characteristics (cont.)
      Feature | Cisco Industrial Ethernet (IE) | Typical non-industrial Ethernet switch
      Industrial protocols, management | EtherNet/IP CIP, PROFINET, Modbus TCP | not available
      Industrial protocols, high availability | REP, MRP, Flex Links, PRP, HSR | REP (slower convergence time), Flex Links
      Smart-port macros | IE macros (32): QoS policies, IED, PTP, CIP, HMI, etc., plus the enterprise macros (6): global, desktop, phone, switch, router, wireless | enterprise macros (6) only: global, desktop, phone, switch, router, wireless
      Device Manager | on-device web server, designed for ease of use | on-device web server
      Network management | Industrial Network Director (IND), Prime Infrastructure, DNA Center | Prime Infrastructure, DNA Center
      Typical boot time | 30 s to 2 min 20 s | 5 min (single switch)
      L2 and L3 images | yes, same hardware | yes, same hardware
      Precise timing | IEEE 1588 PTP including the IEEE C37.238-2011 Power Profile level of accuracy (50 ns per hop); option for GPS and IRIG-B on the IE 5000, including a grandmaster with Stratum 3E on-board oscillator | no
  21. Factory Network Layer 2 NAT
  22. Challenge: Ethernet Growing Pains
      • Ethernet networks continue to grow:
        - Each machine adds another 5-50 EtherNet/IP enabled devices
        - Every line adds another 250-1,000 EtherNet/IP enabled devices
      • How do I connect all these machines into a plant network and gain the advantages?
  23. Solution: Layer 2 Network Address Translation (NAT)
      One-to-one (1:1) NAT. A NAT-enabled device sits between the outside subnet (e.g. 10.0.0.x) and the inside subnet (e.g. 192.168.1.x): many inside IP addresses (one per connected device) are mapped to many outside IP addresses (one per device that must be reachable from the outside subnet).
  24. Why use Layer 2 NAT?
      • Simplifies the mapping of machine-level IP addresses onto the plant network
      • Lets machine builders develop standard machines, eliminating the need for unique IP addressing and code modifications
      • Lets end users integrate machines into their larger plant network without extensive coordination with the machine builder
      • Better maintainability at the machines, since they remain standard
      • IP addresses can be reused, so more devices can be connected from a limited address pool
      • A single device acts as the agent between the plant (outside) network and the machine (inside) network
  25. Layer 3 vs Layer 2 NAT
      Layer 3 NAT
      • Typically a software implementation
      • The NAT device acts as the default gateway (router) for the devices on the inside network
      • The NAT device intercepts traffic, performs the translation and routes the traffic
      • Translations are handled by the NAT CPU, so translation performance is tied directly to the CPU load
      Layer 2 NAT
      • Hardware-based implementation
      • The NAT device does not act as a router; it uses two translation tables, inside-to-outside and outside-to-inside
      • Performance is at wire speed regardless of switch load
      • Supports multiple VLANs through the NAT boundary, which adds segmentation flexibility (communication between VLANs still requires a separate Layer 3 device)
  26. Layer 2 NAT Design Scenarios: Single Cell, Single VLAN per Switch
      The machine's devices (inside, 192.168.1.x) connect to an IE2K / IE4K access switch running NAT on VLAN 10; the trunk to the IE 5K distribution switch carries VLAN 10 on the outside, where the line controller is 10.10.10.30.
      Inside-to-outside NAT table: 192.168.1.10 -> 10.10.10.10 (the machine device as seen from the plant)
      Outside-to-inside NAT table: 10.10.10.30 -> 192.168.1.30 (the line controller as seen from the machine)
  27. Layer 2 NAT Design Scenarios (cont.): Multi-Cell, Single VLAN per Switch
      Each machine (inside 192.168.1.x, hosts .3, .4 and .7) sits behind its own IE2K / IE4K access switch running NAT; the IE 5K distribution switch carries VLAN 10, 20 and 30, with the workstation 10.10.30.10 and the line controller 10.10.30.12 on VLAN 30 (outside 10.10.30.x).
      Machine 1 NAT table (inside -> outside): 192.168.1.3 -> 10.10.10.3; 192.168.1.4 -> 10.10.10.4; 192.168.1.7 -> 10.10.10.7
      Machine 2 NAT table (inside -> outside): 192.168.1.3 -> 10.10.20.3; 192.168.1.4 -> 10.10.20.4; 192.168.1.7 -> 10.10.20.7
  28. Layer 2 NAT Design Scenarios (cont.): Multi-Cell, Single Switch, Multi-VLAN
      Three machines with identical inside addressing (192.168.1.x, hosts .3, .4 and .7) connect through IE2K / IE4K access switching that runs a separate NAT instance per VLAN (VLAN 10, 20 and 30); the IE 5K distribution switch also carries VLAN 40 with the workstation 10.10.40.10 and the line controller 10.10.40.12 (outside 10.10.40.x).
      Machine 1 NAT table (inside -> outside): 192.168.1.3 -> 10.10.10.3; 192.168.1.4 -> 10.10.10.4; 192.168.1.7 -> 10.10.10.7
      Machine 2 NAT table (inside -> outside): 192.168.1.3 -> 10.10.20.3; 192.168.1.4 -> 10.10.20.4; 192.168.1.7 -> 10.10.20.7
      Machine 3 NAT table (inside -> outside): 192.168.1.3 -> 10.10.30.3; 192.168.1.4 -> 10.10.30.4; 192.168.1.7 -> 10.10.30.7
      Multiple instances of NAT, one per VLAN.
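The two-table translation on slides 25-28, modelled in Python as an added example for this page (it is not Cisco code and uses no IE switch API; the switch does this in hardware). Addresses follow the deck's scenarios. Two things are assumptions of the model, not statements about the product: a frame whose address has no translation entry is dropped rather than forwarded, and the multi-cell instances carry an outside-to-inside alias (192.168.1.12) for the VLAN 40 line controller 10.10.40.12, which the deck's tables do not show.

```python
"""Two-table Layer 2 NAT model for the single-cell and multi-cell scenarios.

Added example, not Cisco code. It models only the translation logic.
Assumptions: untranslated frames are dropped; the line-controller alias
in the multi-cell switch is invented to make the machine side complete.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class L2NatInstance:
    """One NAT instance bound to one VLAN on the access switch."""
    name: str
    vlan: int
    # machine (inside) address -> plant (outside) address
    inside_to_outside: dict[str, str] = field(default_factory=dict)
    # plant host address -> the alias the machine uses to reach that host
    outside_to_inside: dict[str, str] = field(default_factory=dict)

    def egress(self, src: str, dst: str) -> Optional[tuple[str, str]]:
        """Inside -> outside: source becomes its plant address; a destination that is
        an alias of a plant host becomes the real plant address. A source with no
        entry is dropped (assumption), so an unmapped inside host never leaks out."""
        plant_src = self.inside_to_outside.get(src)
        if plant_src is None:
            return None
        alias_to_plant = {alias: plant for plant, alias in self.outside_to_inside.items()}
        return plant_src, alias_to_plant.get(dst, dst)

    def ingress(self, src: str, dst: str) -> Optional[tuple[str, str]]:
        """Outside -> inside: destination plant address becomes the machine address;
        the plant source becomes its alias. A plant host without an alias could not
        be answered, so the frame is dropped (assumption)."""
        plant_to_machine = {plant: m for m, plant in self.inside_to_outside.items()}
        machine_dst = plant_to_machine.get(dst)
        alias_src = self.outside_to_inside.get(src)
        if machine_dst is None or alias_src is None:
            return None
        return alias_src, machine_dst


class AccessSwitch:
    """One NAT instance per VLAN; VLANs without an instance pass frames unchanged."""

    def __init__(self) -> None:
        self.instances: dict[int, L2NatInstance] = {}

    def add(self, inst: L2NatInstance) -> None:
        self.instances[inst.vlan] = inst

    def to_plant(self, vlan: int, src: str, dst: str) -> Optional[tuple[str, str]]:
        inst = self.instances.get(vlan)
        return inst.egress(src, dst) if inst else (src, dst)

    def from_plant(self, vlan: int, src: str, dst: str) -> Optional[tuple[str, str]]:
        inst = self.instances.get(vlan)
        return inst.ingress(src, dst) if inst else (src, dst)

    def plant_address_conflicts(self) -> list[tuple[str, str, str]]:
        """Pre-cabling check: two instances must never publish the same plant address.
        Returns (plant address, first owner, conflicting instance) triples."""
        owner: dict[str, str] = {}
        conflicts = []
        for inst in self.instances.values():
            for plant in inst.inside_to_outside.values():
                if plant in owner and owner[plant] != inst.name:
                    conflicts.append((plant, owner[plant], inst.name))
                owner.setdefault(plant, inst.name)
        return conflicts


def single_cell_switch() -> AccessSwitch:
    """Slide 26: one machine on VLAN 10; line controller 10.10.10.30 is seen as 192.168.1.30."""
    sw = AccessSwitch()
    sw.add(L2NatInstance("MACHINE", 10,
                         inside_to_outside={"192.168.1.10": "10.10.10.10"},
                         outside_to_inside={"10.10.10.30": "192.168.1.30"}))
    return sw


def multi_cell_switch(machine_vlans=(("MACHINE1", 10), ("MACHINE2", 20), ("MACHINE3", 30))) -> AccessSwitch:
    """Slide 28: identical machines (192.168.1.3/.4/.7), one NAT instance per VLAN,
    published as 10.10.<vlan>.x. The alias 192.168.1.12 for the line controller
    10.10.40.12 is an assumption; the deck shows only the inside-to-outside tables."""
    sw = AccessSwitch()
    for name, vlan in machine_vlans:
        sw.add(L2NatInstance(
            name, vlan,
            inside_to_outside={f"192.168.1.{h}": f"10.10.{vlan}.{h}" for h in (3, 4, 7)},
            outside_to_inside={"10.10.40.12": "192.168.1.12"},
        ))
    return sw


if __name__ == "__main__":
    sw = multi_cell_switch()
    print(sw.to_plant(10, "192.168.1.3", "192.168.1.12"))   # ('10.10.10.3', '10.10.40.12')
    print(sw.to_plant(20, "192.168.1.3", "192.168.1.12"))   # ('10.10.20.3', '10.10.40.12')
    print(sw.plant_address_conflicts())                      # []
```

The point of `plant_address_conflicts` is the check that matters when machine builders ship identical machines: the inside tables may overlap freely, but the outside addresses each instance publishes must be unique across the plant VLAN, and that is easy to get wrong when a NAT profile is copied from one machine to the next.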
  29. Factory Network Network Management for OT
  30. Current Challenges (IND target users)
      Operations
      • Line operator / technician: day-to-day operation of the control system
      • Control systems / design engineer: designs and maintains the automation and control system
      • Plant / facility manager: plant and facility uptime is top of mind
      IT
      • IT staff supporting OT: IT, or a person with hybrid IT and OT talents
      • Network experts: lack tools that provide network visibility in an operations context
  31. Cisco Industrial Network Director: Network Management, Simplified and Automated
      • Improved industrial asset visibility, with native industrial protocol support
      • Network troubleshooting with automation context
      • APIs for integration with automation systems
      • Plug-and-Play for zero-touch switch commissioning (Day-0 configuration)
      • Dashboard for monitoring system health, metrics and traffic statistics
      • Alarm management with real-time alerts of network events
  32. Cisco Plug and Play: Zero-Touch Commissioning and Replacement
      • Pre-provision configuration and software for automated network commissioning
      • Helps ensure a consistent network design and security policy
      • Swap hardware when a switch fails and recover with automated configuration and software image replacement
      Flow: the PnP agent on the Cisco Industrial Ethernet switch speaks the PnP protocol to the PnP server in Cisco Industrial Network Director, which delivers the switch configuration (XML) and the software image. PnP is an open protocol based on XMPP and HTTP with a publicly available schema.
  33. Plug and Play Implementation on IND: Simplify and Automate with Plug and Play
      • Lightweight: can run on a laptop
      • Workflow tailored for industrial use cases such as machine builders
      • Profiles can be exported across instances for multi-party provisioning scenarios
      • Technicians commissioning switches do not need to understand networking: experts pre-define the configuration through templates, and technicians commission the switches onsite with a laptop
  34. Feature Highlights
      • Real-time monitoring of system health, metrics and traffic statistics
      • CIP, PROFINET, Modbus and BACnet industrial device discovery
      • Dynamic topology of industrial and network assets
      • Optimized alarm management with real-time network alerts
      • Detailed audit trails to track adds, moves and changes
      • Group-based dashboard for a summary of system status
      • Rich APIs for rapid integration with industrial applications
      • Plug-and-Play server for zero-touch switch commissioning
  35. Factory Wireless
  36. Wireless Overview: Benefits of an industrial wireless network
      • Connection to hard-to-reach and restricted areas
      • Integration of machines / skids
      • Remote diagnostics
      • Intelligent assets
      • Lower installation and operational costs
      • Cabling reduction, elimination of cable failures
      • Equipment mobility
      • New and more efficient machine designs
  37. Wireless Overview: Benefits of an industrial wireless network (cont.)
      • Workforce mobility improves effectiveness
        - Operators can trend and write back from a mobile device when they step away from the machine
        - Engineering and maintenance can see and react to system alarms and production data from anywhere, anytime
        - Industrial IT provides the secure infrastructure and multi-platform support
      • Equipment wireless: IEEE 802.11 connectivity for critical Industrial Automation and Control System (IACS) applications
      • Asset tracking: track assets to optimize cost and for safety
  38. Wireless Overview: Challenges of wireless communication
      • Half-duplex shared medium:
        - Only one radio can transmit on a particular wireless channel at a time
        - A radio cannot transmit and receive at the same time on the same channel
      • Higher latency, jitter and packet loss compared to wired Ethernet
      • Media contention, collisions and interference can be minimized but not eliminated
      (Diagram: IW3702 as access point and as workgroup bridge)
  39. Wireless Overview: Challenges of wireless communication (cont.)
      • The wireless coverage area cannot be precisely defined; a site survey is required
      • Spectrum sharing and security concerns
      • Signal quality may change over time: interference sources and obstructions, unauthorized transmissions
      The advantages of wireless outweigh the challenges when the WLAN is designed and maintained properly and is used for appropriate applications.
  40. Factory Wireless Equipment to Equipment
  41. Wireless Overview: Wireless Client Types
      • Workgroup Bridge (WGB): the main method of connecting industrial devices (IW3702 as AP or WGB)
      • External adapter (wireless bridge)
      • Embedded wireless adapter
  42. Equipment to Equipment, Use Cases: Wireless Mobility Types
      • Static equipment: permanent location; wire replacement for hard-to-reach places. Examples: process control, condition monitoring, standalone OEM machines. (AP to WGB, IW3702, behind IE2K / IE3X / IE4K access switches)
  43. Equipment to Equipment, Use Cases: Wireless Mobility Types (cont.)
      • Nomadic equipment: stays in place while operating; moves to a new location in the shutdown state. Examples: process skids, storage tanks, reactors, portable manufacturing equipment.
  44. Equipment to Equipment, Use Cases: Wireless Mobility Types (cont.)
      • Mobile equipment (no roaming): changes position while operating; remains connected to the same AP. Examples: rotary platforms, manufacturing machines with tracks, overhead cranes with small spans.
  45. Equipment to Equipment, Use Cases: Wireless Mobility Types (cont.)
      • Mobile equipment (fast roaming): connects to multiple APs while operating; does not drop application connections. Examples: AGVs, ASRS, overhead cranes, train cars, entertainment ride vehicles. Site survey and architecture selection are critical.
  46. Unified WLAN Architecture Overview
      Diagram: a Wireless LAN Controller (WLC) with Identity Services Engine (ISE) manages lightweight APs (LWAPs) behind IE2K / IE3X / IE4K access switches. SSID1 and SSID2 on 5 GHz serve workgroup bridges, including a roaming WGB; SSID3 on 2.4 GHz serves other clients. The IW3702 serves as AP or WGB.
  47. Wireless Access Asset Tracking
  48. Location-Based Asset Tracking
      Asset utilization
      • Track supplies in transit
      • Inventory accuracy of receivables
      • Retrieve misplaced components, subassemblies, etc.
      • Locate missing tools, test harnesses, etc.
      • Vehicle location for smarter dispatch
      Material flow efficiency
      • Wireless restocking trigger
      • Choke point recording
      • The right supplies get to the right place
      • In-line rework
      • Bar code replacement
      Business value
      • Production throughput increase
      • Improved equipment utilization
      • Reduced scrap
      • Labor efficiency
      • "82% improvement in retrieval time results in increased throughput, and 'on time delivery' was improved 13%" (Ops Manager, Semiconductor)
  49. Real-Time Location Services (RTLS) Architecture
      • Open ecosystem
      • Scalable infrastructure
      • Leverages the common wireless infrastructure
      • Tracks any Wi-Fi device or tag
      • Chokepoint integration
      • Single pane of glass for a cockpit dashboard
      Layers: device (Wi-Fi device or tag, chokepoint) -> wireless infrastructure (access points, Wireless LAN Controller) -> applications and management over the enterprise network (Mobility Services Engine, Cisco Identity Services Engine (ISE) / Cisco Prime, business intelligence and partner applications)
  50. Wireless Access Recommendations
  51. Application Recommendations: Choosing an Appropriate Application
      IACS traffic type | CIP standard | Use with wireless | Considerations
      Supervisory information and diagnostics, peer-to-peer messaging | CIP Class 3 (HMI), CIP Class 3 (MSG) | yes | bandwidth must be controlled if combined with CIP Class 1 standard and safety traffic
      Peer-to-peer control, I/O control | CIP Class 1 produced/consumed, distributed I/O | yes | the application should tolerate occasional high latency, jitter and dropped packets; packet rate restrictions
      Safety control | CIP Safety | yes | fast safety reaction times may not be supported
      Time synchronization | CIP Sync | application dependent | accuracy and reliability can be optimized in specific configurations
      Motion control | Integrated Motion on the EtherNet/IP network (direct drive control) | no | not feasible due to higher latency and jitter and limited CIP Sync accuracy
  52. WLAN Recommendations: Radio Spectrum
      • The 5 GHz frequency band is recommended
      • Regulations vary by country; a spectrum survey and ongoing monitoring are needed
      • Avoid DFS (Dynamic Frequency Selection) channels: weather and military radars cause disruption of service on DFS channels; if DFS channels are used, an RF survey and monitoring are required
      • Reserve a channel exclusively for the application, if possible
      Country examples*, 5 GHz channels (20 MHz wide)
      Country | Non-DFS | DFS
      U.S., Canada, Australia | 9 | 12
      Europe | 4 | 15
      China | 5 | 0
      * Regulations change over time
      A wireless spectrum management policy is critical.
  53. WLAN Recommendations: Site Survey
      • Do not rely on predictive software results; test at the location
      • RF spectrum survey: monitor for interference and existing traffic over an extended period throughout the site
      • Active survey: verify performance, not just coverage; verify cell overlap for roaming (if needed)
      • Stricter criteria than an enterprise WLAN:
        - RSSI -67 dBm, SNR 25 dB: acceptable for EtherNet/IP
        - RSSI -73 dBm (6 dB lower, i.e. about one quarter of the received power in mW), SNR 19 dB: the client can associate and pass data, but EtherNet/IP performance is poor
  54. WLAN Recommendations: Site Survey (cont.)
      • Survey conditions should match the production environment: wireless hardware, RF channels, transmit power; installed equipment, moving obstacles; installation restrictions, WGB placement
      • Complete walk-through of the coverage area
      • The site survey helps to select or validate antenna type and placement
      • Changes in the environment may require a follow-up survey
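A survey-point checker that applies the criteria from slides 52-54, as an added example for this page (not the deck's or Cisco's code). The thresholds (-67 dBm / 25 dB acceptable, -73 dBm / 19 dB marginal) are the deck's. Everything else is an assumption of the example: the U.S. DFS channel set is taken as channels 52-64 and 100-144 and should be confirmed against current regulations, the roaming-overlap criterion (a second AP heard at or above the marginal level) is the author's, and the waypoint readings are constructed, not measured.

```python
"""Site-survey point check for an industrial WLAN (slides 52-54).

Added example, not from the deck. Thresholds are the deck's; the DFS
channel list, the overlap criterion and the readings are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass

RSSI_OK_DBM, SNR_OK_DB = -67, 25          # acceptable for EtherNet/IP (slide 53)
RSSI_POOR_DBM, SNR_POOR_DB = -73, 19      # associates, but poor EtherNet/IP performance
# Assumption: U.S. channels that require DFS (5.25-5.35 GHz and 5.47-5.725 GHz).
US_DFS_CHANNELS = frozenset(range(52, 65, 4)) | frozenset(range(100, 145, 4))


def dbm_to_mw(dbm: float) -> float:
    return 10 ** (dbm / 10)


def power_ratio(a_dbm: float, b_dbm: float) -> float:
    """Linear power of a relative to b; -73 dBm is about a quarter of -67 dBm."""
    return dbm_to_mw(a_dbm) / dbm_to_mw(b_dbm)


@dataclass(frozen=True)
class Reading:
    ap: str
    channel: int
    rssi: float   # dBm
    snr: float    # dB


def grade(r: Reading) -> str:
    """'ok' meets the EtherNet/IP criteria; 'poor' only associates; 'none' is below that."""
    if r.rssi >= RSSI_OK_DBM and r.snr >= SNR_OK_DB:
        return "ok"
    if r.rssi >= RSSI_POOR_DBM and r.snr >= SNR_POOR_DB:
        return "poor"
    return "none"


def check_point(name: str, readings: list[Reading], roaming: bool, dfs=US_DFS_CHANNELS) -> dict:
    """Evaluate one survey location: the strongest AP must be 'ok' and off DFS, and a
    roaming path needs a second AP heard well enough to hand over to."""
    reasons = []
    ranked = sorted(readings, key=lambda r: r.rssi, reverse=True)
    best = ranked[0] if ranked else None
    if best is None or grade(best) != "ok":
        reasons.append("no AP meets the EtherNet/IP RSSI/SNR criteria")
    if best is not None and best.channel in dfs:
        reasons.append(f"serving AP {best.ap} is on DFS channel {best.channel}")
    if roaming and not [r for r in ranked[1:] if grade(r) != "none"]:
        reasons.append("no second AP for cell overlap (roaming required)")
    return {"point": name, "serving_ap": best.ap if best else None,
            "verdict": "ok" if not reasons else "fail", "reasons": reasons}


def survey_summary(points: dict, roaming: bool) -> dict:
    """Verdict per point; every 'fail' is fixed (AP placement, channel, power) before cutover."""
    return {name: check_point(name, rs, roaming)["verdict"] for name, rs in points.items()}


# Constructed readings at a few AGV path waypoints (not measured data).
AGV_PATH = {
    "dock":    [Reading("AP1", 36, -61, 31), Reading("AP2", 44, -70, 22)],
    "aisle-3": [Reading("AP2", 44, -66, 26), Reading("AP3", 100, -72, 20)],
    "turn-b":  [Reading("AP3", 100, -64, 28), Reading("AP2", 44, -74, 18)],
    "far-bay": [Reading("AP4", 149, -71, 21)],
}

if __name__ == "__main__":
    for name, rs in AGV_PATH.items():
        print(check_point(name, rs, roaming=True))
```

Two of the constructed waypoints fail for the reasons the deck calls out: "turn-b" is served by an AP on a DFS channel and has no usable neighbour to roam to, and "far-bay" associates but never reaches the EtherNet/IP criteria.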
  55. Factory Security IDMZ
  56. Controlling Access to the Industrial Zone: IEC 62443 Industrial Network Security
      Logical model of the Industrial Automation and Control System (IACS) on a converged, multi-discipline industrial network; same Purdue layering as slide 8 (Levels 0-5):
      • Enterprise Security Zone (Levels 4-5): Enterprise Network; Site Business Planning and Logistics Network (e-mail, intranet, etc.)
      • Industrial DMZ, between two firewalls: Remote Gateway Services, Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server
      • Industrial Security Zone: Level 3 Site Operations and Control (Application Server, Directory, Engineering Workstation, Remote Access Server); Cell/Area Zone with Level 2 Area Supervisory Control (clients, operator interfaces, engineering workstation), Level 1 Basic Control (batch, discrete, drive, continuous process and safety control) and Level 0 Process (sensors, drives, actuators, robots)
      Protocols shown per zone: web and e-mail on the enterprise side, CIP inside the Industrial Zone. No direct traffic flow between the Enterprise and Industrial Zones.
  57. Industrial Demilitarized Zone (IDMZ): Controlling Access to the Industrial Zone
      Enterprise Security Zone (trusted? untrusted?) -> Industrial DMZ (trusted broker) -> Industrial Security Zone (trusted)
  58. Industrial Demilitarized Zone (IDMZ): Best practices
      • All network traffic from either side of the IDMZ terminates in the IDMZ; network traffic does not directly traverse the IDMZ
      • The IDMZ is the only path between the zones
      • No common protocols across the two logical firewalls (a different protocol on each side of the IDMZ)
      • No control traffic into the IDMZ; CIP stays home in the Industrial Zone
      • No primary services are permanently housed in the IDMZ
      • The IDMZ shall not permanently house data
      • Use an application data mirror to move data into and out of the Industrial Zone
      • Limit outbound connections from the IDMZ
      • Be prepared to "turn off" access via the firewall: a disconnect point on each side of the IDMZ
      Diagram: Enterprise Security Zone (trusted? untrusted?) | disconnect point | IDMZ with replicated services (trusted broker) | disconnect point | Industrial Security Zone (trusted); no direct traffic.
  59. IDMZ: Replicated Data and Services
      Enterprise Zone (Levels 4-5): core switches, WLC (enterprise), ISE (enterprise); physical or virtualized servers for ERP and email, Active Directory (AD) and AAA (RADIUS), Call Manager; WAN; remote-access users (plant manager, engineer) and enterprise stakeholders
      IDMZ: firewalls (active/standby) on each side, inspecting traffic; physical or virtualized servers for patch management, AV server, application mirror and Remote Desktop Gateway; web proxy
      Industrial Zone (Levels 0-3): Level 3 Site Operations with core switches, WLC (active/standby), ISE, remote access server, VantagePoint web reports and physical or virtualized servers for the FactoryTalk application servers and services, network services (e.g. DNS, AD, DHCP, AAA), Call Manager and storage array; Levels 0-2 Cell/Area Zones behind the distribution switch with IE2K / IE3X / IE4K access switches, PACs, drives, I/O, MCC, FactoryTalk clients, LWAP and WGB
      Policy shown on the firewalls:
      • Permit secure remote access to industrial assets (through the Remote Desktop Gateway)
      • Permit data from the Industrial Zone to enterprise stakeholders (web reports through the web proxy)
      • Block untrusted access to the Industrial Zone
      • Block untrusted access to the Enterprise Zone
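The IDMZ rules on slides 56-59 turned into a review check for a proposed firewall rule set, as an added example for this page (it is not Cisco code and not a firewall configuration; the zone names are the deck's). The EtherNet/IP ports used to recognise CIP (TCP/UDP 44818 explicit messaging, UDP 2222 implicit I/O) are the ODVA registered ports. The candidate rules, the host names, the outbound allow-list and the "disconnect point" switch are constructed for the example.

```python
"""Flow-policy audit for the IDMZ best practices on slides 56-59.

Added example, not Cisco code. CIP ports are the ODVA registered ports;
the candidate rules, host names and allow-list are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

ZONES = ("enterprise", "idmz", "industrial")
CIP_PORTS = frozenset({("tcp", 44818), ("udp", 44818), ("udp", 2222)})


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    src_host: str = ""      # only consulted for the IDMZ outbound allow-list


def check_flow(f: Flow, outbound_allow=frozenset(), disconnected: bool = False) -> list[str]:
    """Best practices a single permitted flow would violate (empty list = acceptable)."""
    if f.src_zone not in ZONES or f.dst_zone not in ZONES:
        return [f"unknown zone in {f.src_zone}->{f.dst_zone}"]
    v = []
    if disconnected and f.src_zone != f.dst_zone:
        # 'be prepared to turn off access via the firewall': the disconnect point denies everything
        v.append("IDMZ disconnect point engaged: all inter-zone traffic denied")
    if {f.src_zone, f.dst_zone} == {"enterprise", "industrial"}:
        v.append("traffic must terminate in the IDMZ, not traverse it")
    if (f.proto, f.dport) in CIP_PORTS and (f.src_zone, f.dst_zone) != ("industrial", "industrial"):
        v.append("CIP stays home: no control traffic into or through the IDMZ")
    if (f.src_zone, f.dst_zone) == ("idmz", "enterprise") and (f.src_host, f.proto, f.dport) not in outbound_allow:
        v.append("outbound connection from the IDMZ not on the allow-list")
    return v


def protocol_reuse(flows) -> set[tuple[str, int]]:
    """'No common protocols in each logical firewall': a (proto, port) open on the
    enterprise-facing firewall must not also be open on the industrial-facing one,
    otherwise the IDMZ host is a mere hop and data passes straight through."""
    enterprise_leg = {(f.proto, f.dport) for f in flows if {f.src_zone, f.dst_zone} == {"enterprise", "idmz"}}
    industrial_leg = {(f.proto, f.dport) for f in flows if {f.src_zone, f.dst_zone} == {"idmz", "industrial"}}
    return enterprise_leg & industrial_leg


def audit(rules: dict[str, Flow], outbound_allow=frozenset(), disconnected: bool = False) -> dict:
    per_rule = {name: check_flow(f, outbound_allow, disconnected) for name, f in rules.items()}
    return {"violations": {n: v for n, v in per_rule.items() if v},
            "protocol_reuse": sorted(protocol_reuse(rules.values()))}


# Constructed candidate firewall rules submitted for review (hosts and services are assumptions).
CANDIDATE_RULES = {
    "rdg-portal":         Flow("enterprise", "idmz", "tcp", 443),          # remote user to Remote Desktop Gateway
    "rdg-to-plant":       Flow("idmz", "industrial", "tcp", 3389),         # gateway to the remote access server
    "patch-pull":         Flow("idmz", "enterprise", "tcp", 443, "patch-server"),
    "av-smtp-out":        Flow("idmz", "enterprise", "tcp", 25, "av-server"),
    "direct-cip":         Flow("enterprise", "industrial", "tcp", 44818),  # 'just this one PLC, please'
    "direct-rdp":         Flow("enterprise", "industrial", "tcp", 3389),
    "cip-from-idmz":      Flow("idmz", "industrial", "udp", 2222),
    "sql-enterprise-leg": Flow("enterprise", "idmz", "tcp", 1433),
    "sql-industrial-leg": Flow("idmz", "industrial", "tcp", 1433),         # same protocol on both legs
    "cell-io":            Flow("industrial", "industrial", "udp", 2222),   # CIP implicit I/O inside the plant
}
ALLOWED_OUTBOUND = frozenset({("patch-server", "tcp", 443)})

if __name__ == "__main__":
    import json
    print(json.dumps(audit(CANDIDATE_RULES, ALLOWED_OUTBOUND), indent=2))
```

Run against the constructed rule set, the audit rejects the two enterprise-to-industrial rules, the CIP flow sourced in the IDMZ and the unlisted outbound SMTP, and it reports TCP 1433 as a protocol open on both legs, which is the pass-through the "no common protocols" rule exists to catch. Setting `disconnected=True` shows that the disconnect point leaves only intra-zone traffic such as the cell's own I/O untouched.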
  60. Factory Security Industrial Firewall – ISA 3000
  61. Industrial Firewall, ISA 3000: Architecture and Management Software
      On board the ISA 3000 hardware: Adaptive Security Appliance (ASA) for firewall, ACL, NAT and VPN; FirePOWER for IPS, application and threat control.
      Centralized management: Cisco Security Manager (CSM) for the firewall; FireSIGHT Management Center for FirePOWER. Local management: Adaptive Security Device Manager (ASDM) for firewall and FirePOWER.
  62. Industrial Firewall, ISA 3000: Architecture Positioning
      The IDMZ firewalls create a security boundary between the Enterprise Zone (Levels 4-5, behind the external DMZ / firewall and the Internet) and the Industrial Zone (Levels 0-3). The IDMZ houses the physical or virtualized servers for patch management, AV, application mirror and Remote Desktop Gateway. Inside the Industrial Zone, the ISA 3000 industrial firewall sits in front of a Cell/Area Zone: Level 3 Site Operations (core switches, distribution switch stack, Authentication, Authorization and Accounting (AAA), active and standby WLC); Level 2 Area Supervisory Control (FactoryTalk client, LWAP with 2.4 GHz and 5 GHz SSIDs, WGB); Level 1 controllers; Level 0 process (drives, soft starters, I/O, MCC).
63. Factory Security: OT Intent-based Security for Industrial Networks
64. Cisco Identity Services Engine (ISE): Delivering Visibility, Context and Control to Secure Network Access. ISE combines network and user context (who, what, where, when, how) with a device profiling feed service to reduce network unknowns and apply the right level of secure access consistently across wired, wireless and VPN: employee access, contractor and vendor access (e.g. RBAC), guest access.
65. Secure Access: consolidating access for employees, contractors and vendors. Context dimensions: Who (employee, guest, attacker); What (personal device, company asset); Where (plant 1, zone 2; headquarters); When (weekends; 8:00am-5:00pm PST); How (wired, wireless, VPN).
66. Operational Challenges due to IT-OT Dependency. Visibility: enforcing security in the process network requires the security systems to see the plant-floor assets together with the context of their observed behaviour. Intent: maintaining that enforcement effectively requires dynamic security-policy application triggered by OT intent, without depending on IT for day-to-day operations.
67. Defining Security Policies without Visibility is Complex. Diagram: the security platforms recognise enterprise assets (camera, printer, laptop, phone), but industrial assets show up only as unknowns ("?"), so no meaningful policy can be written for them.
68. Operational Challenges due to IT-OT Dependency: centralized IT, OT distributed across plants (Plant-1, Plant-2, … Plant-n).
• A centralized IT team
• OT engineers make the adds, moves and changes to the control system for day-to-day operations
• Every such change depends on the centralized IT team to modify the security policies
69. IoT Threat Defense. Diagram: Industrial Network Director (IND, the OT platform) provides visibility and shares asset context with ISE (the IT platform) over pxGrid; ISE turns intent into context for the enforcement points: IE switching (SGTs via SXP, dACLs), the NGFW, and StealthWatch (pxGrid, with quarantine requested back through ISE).
70. Visibility in Industrial Networks: security starts with visibility. Industrial Network Director discovers industrial assets using the CIP, PROFINET, Modbus and BACnet protocols and visualizes the connectivity between automation and networking assets. IND shares industrial asset identity with ISE over pxGrid; this visibility, combined with ISE context, becomes a force multiplier for security. Example context record in ISE: Who: Bob; What: Rockwell PLC; When: 11:00 AM EST on April 10th; Where: Extrusion, Zone-2, Cell-1; How: wired access; Vulnerability: CVSS score of 6; Threat: none; Compliance: yes.
71. Industrial Asset Visibility with IND. The IND asset inventory is published over pxGrid as ISE profiler attributes: iotIpAddress, iotMacAddress, iotName, iotVendor, iotProductId, iotSerialNumber, iotDeviceType, iotSwRevision, iotHwRevision, iotProtocol, iotConnectedLinks, iotCustomAttributes. ISE profiling rules can therefore be based on attributes such as make, model, serial number and device type instead of just IP address. Custom attributes let IND signal higher-order information that is common to a group of assets.
72. Putting OT in the Driver's Seat: OT-user-intent-driven policy updates. IT manages ISE; OT uses IND to express intent that influences the IT-owned security policy. Workflow: the OT user tags assets as "Cell-1" in the IND topology UI; IND sends a pxGrid update; the pxGrid attribute "Cell-1" matches profiling policy X and triggers authorization policy Y, which pushes a new SGT, dACL or VLAN to the affected ports. OT personnel express intent in the IND UI, and the pxGrid update results in an automatic policy update.
73. Use Case #1 – Cell Segmentation. Segmentation requirement: segment the industrial network, and give OT users the ability to classify assets into segments. Security policy pre-staging: IT and OT decide on the segmentation policy; IT configures ISE with Security Group Tags (SGTs) and the TrustSec policy that the matching rules map to. Workflow during asset classification: (1) the OT user selects assets and groups them in IND as Cell-1 and Cell-2; (2) the OT user assigns a tag to C2-PLC; (3) IND sends the OT user's intent and the asset details to ISE over pxGrid; (4) the profiling policy match in ISE results in TrustSec policy distribution. Diagram: the Level 0-2 assets of the two cells carry SGT 100 and SGT 200, the Level 3 MES carries SGT 33, and the TrustSec matrix between SGT 33, SGT 100 and SGT 200 (✓ permitted, ✘ denied) is enforced in the network.
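The profiling-to-TrustSec chain in this use case can be modelled end to end. The following is an added example written for this page, not Cisco code: the attribute names are the pxGrid/ISE profiler attributes from the IND slide, but the profiling rules, SGT values, asset records and policy matrix are constructed, and the dotted-path matching and priority handling are simplifications of how ISE evaluates profiling policies.

```python
"""Intent-driven segmentation, modelled: an IND asset record published over
pxGrid is matched against IT-staged profiling rules, the highest-priority
match selects an SGT, and a default-deny TrustSec matrix is then consulted
the way an SGACL would be.  Added example; rules, SGTs and assets are constructed."""
from dataclasses import dataclass, field

SGT_UNKNOWN, SGT_LEVEL3, SGT_CELL1, SGT_CELL2 = 0, 33, 100, 200


@dataclass
class IndAsset:
    """Subset of the pxGrid attributes IND publishes for one asset."""
    iotIpAddress: str
    iotMacAddress: str
    iotVendor: str
    iotDeviceType: str
    iotProtocol: str
    iotCustomAttributes: dict = field(default_factory=dict)


@dataclass
class ProfilingRule:
    """All conditions must match; dotted keys reach into iotCustomAttributes."""
    name: str
    conditions: dict
    sgt: int
    priority: int = 0


# Pre-staged by IT in ISE ("Security Policy Pre-Staging").  OT never edits these.
RULES = [
    ProfilingRule("Cell-1 assets", {"iotCustomAttributes.Cell": "Cell-1"}, SGT_CELL1, 10),
    ProfilingRule("Cell-2 assets", {"iotCustomAttributes.Cell": "Cell-2"}, SGT_CELL2, 10),
    ProfilingRule("Site Operations", {"iotDeviceType": "MES"}, SGT_LEVEL3, 5),
]

# TrustSec matrix: (source SGT, destination SGT) -> permit.  Absent pairs are denied,
# so the two cells cannot talk to each other and unclassified assets reach nothing.
POLICY = {
    (SGT_LEVEL3, SGT_CELL1): True, (SGT_LEVEL3, SGT_CELL2): True,
    (SGT_CELL1, SGT_LEVEL3): True, (SGT_CELL2, SGT_LEVEL3): True,
    (SGT_CELL1, SGT_CELL1): True, (SGT_CELL2, SGT_CELL2): True,
}


def _attr(asset, dotted):
    """Resolve 'iotCustomAttributes.Cell'-style keys against an asset."""
    head, _, rest = dotted.partition(".")
    value = getattr(asset, head, None)
    if rest and isinstance(value, dict):
        return value.get(rest)
    return None if rest else value


def profile(asset, rules=RULES):
    """Return (rule name, SGT) of the highest-priority rule whose conditions all match."""
    matched = [r for r in rules if all(_attr(asset, k) == v for k, v in r.conditions.items())]
    if not matched:
        return "Unclassified", SGT_UNKNOWN
    best = max(matched, key=lambda r: r.priority)
    return best.name, best.sgt


def ot_user_tags_asset(asset, cell):
    """Steps 1-3: the OT user groups the asset in IND; IND republishes it on pxGrid
    and ISE re-profiles it (a CoA in practice).  Returns (old SGT, new SGT)."""
    _, old = profile(asset)
    asset.iotCustomAttributes["Cell"] = cell
    _, new = profile(asset)
    return old, new


def permitted(src_sgt, dst_sgt, policy=POLICY):
    """Step 4: the enforcement point's view of the distributed matrix."""
    return policy.get((src_sgt, dst_sgt), False)


def demo():
    """Walk the use case: C2-PLC starts unclassified, then OT tags it into Cell-2."""
    c2_plc = IndAsset("10.1.2.10", "00:1d:9c:c2:00:01", "Rockwell", "PLC", "CIP")  # constructed
    mes = IndAsset("10.1.3.5", "00:50:56:00:33:01", "Rockwell", "MES", "CIP")      # constructed
    before = permitted(profile(mes)[1], profile(c2_plc)[1])
    old, new = ot_user_tags_asset(c2_plc, "Cell-2")
    after = permitted(profile(mes)[1], new)
    return {"old_sgt": old, "new_sgt": new, "mes_before": before,
            "mes_after": after, "cell1_to_cell2": permitted(SGT_CELL1, new)}


if __name__ == "__main__":
    print(demo())
```

The point to notice is that the OT user only ever changes an attribute on the asset; the SGT and the matrix stay under IT control, and an untagged asset is denied everything rather than falling into a permissive default.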
74. Use Case #2 – On-Demand Remote Access (OEM). Remote-access requirement: only the specific asset in the machine may be reachable, with no dependency on IT. AnyConnect checks the endpoint's security posture, establishes the VPN to the ASA in the DMZ and collects application telemetry; ISE tracks the user session together with its SGT role. Security policy pre-staging: (1) the IT user pre-defines profiling rules in ISE that match the custom attributes; (2) the IT user pre-defines SGT-based firewall rules on the ASA to allow remote access. Workflow during the maintenance window: (1) the OT user changes the asset's attribute tag in IND, denoting the intent to allow remote access; (2) IND sends the OT user's intent and the asset details to ISE over pxGrid, which results in reauthorization of the asset; (3) ISE distributes the new TrustSec policy to the firewall and the access switches (the ASA learning the IP-to-SGT binding over SXP), enabling RDP from the remote OEM user (SGT 777) to the tagged asset (SGT 777).
75. Use Case #3 – Flow-Based Anomaly Detection. Requirement: group assets into communication trust zones, detect anomalous traffic behaviour, and easily locate the source of the anomaly. Security policy pre-staging: assets grouped in IND by the OT user automatically create Host Groups in StealthWatch; IT defines alarms in StealthWatch for Host Group zone-map violations; IT configures policies in ISE to quarantine devices on violations. Workflow: (1) a compromised camera in Cell-2 initiates a port scan; (2) StealthWatch, fed with NetFlow from the switches and context from ISE, raises a Recon alarm and a zone-map violation alarm; (3) StealthWatch sends a quarantine request to ISE; (4) ISE issues a CoA that moves the camera's access port to an isolated VLAN.
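To make the detection logic concrete, here is an added example (mine, not Stealthwatch or ISE code) that runs constructed NetFlow-style records through the two checks this use case relies on, a zone-map check between IND host groups and a port-scan (recon) heuristic, and then models the quarantine action as a change of the offending port's VLAN. The host groups, subnets, port-count threshold, switch/port bindings and quarantine VLAN number are assumptions.

```python
"""Flow-based anomaly detection with host groups and a zone map, then quarantine.
Added example with constructed data; not Stealthwatch/ISE code."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Host groups as IND grouping would create them in Stealthwatch (assumed subnets).
HOST_GROUPS = {
    "Cell-1": ip_network("10.1.1.0/24"),
    "Cell-2": ip_network("10.1.2.0/24"),
    "Level-3": ip_network("10.1.3.0/24"),
}
# Zone map defined by IT: (initiator group, responder group) pairs that are allowed.
ZONE_MAP = {
    ("Cell-1", "Cell-1"), ("Cell-2", "Cell-2"),
    ("Level-3", "Cell-1"), ("Level-3", "Cell-2"),
    ("Cell-1", "Level-3"), ("Cell-2", "Level-3"),
}
SCAN_PORT_THRESHOLD = 20   # distinct destination ports from one source to one host (assumed)
QUARANTINE_VLAN = 999      # isolated VLAN ISE assigns through CoA (assumed)


def group_of(ip):
    addr = ip_address(ip)
    for name, net in HOST_GROUPS.items():
        if addr in net:
            return name
    return None


def analyze(flows):
    """flows: iterable of (src_ip, dst_ip, proto, dst_port) records.
    Returns (alarms, quarantine); alarms is a list of (kind, src, detail)."""
    ports_seen = defaultdict(set)
    alarms, raised, quarantine = [], set(), set()

    def raise_alarm(kind, src, detail):
        if (kind, src) not in raised:          # one alarm per source and kind
            raised.add((kind, src))
            alarms.append((kind, src, detail))
            quarantine.add(src)                # policy: either alarm kind quarantines

    for src, dst, proto, dport in flows:
        sg, dg = group_of(src), group_of(dst)
        if sg and dg and (sg, dg) not in ZONE_MAP:
            raise_alarm("ZoneMapViolation", src, f"{sg} -> {dg} ({proto}/{dport})")
        ports_seen[(src, dst)].add(dport)
        if len(ports_seen[(src, dst)]) >= SCAN_PORT_THRESHOLD:
            raise_alarm("Recon", src, f"{len(ports_seen[(src, dst)])} ports on {dst}")
    return alarms, quarantine


def apply_quarantine(quarantine, port_table):
    """Model ISE's CoA: move each offender's access port to the isolated VLAN.
    port_table maps ip -> {'switch', 'port', 'vlan'}; returns the changes made."""
    changes = []
    for ip in sorted(quarantine):
        entry = port_table.get(ip)
        if entry and entry["vlan"] != QUARANTINE_VLAN:
            changes.append((ip, entry["switch"], entry["port"], entry["vlan"], QUARANTINE_VLAN))
            entry["vlan"] = QUARANTINE_VLAN
    return changes


def sample_flows():
    """Constructed records: normal Level-3 -> cell traffic plus a camera in Cell-2
    scanning a PLC in Cell-1."""
    normal = [
        ("10.1.3.5", "10.1.1.10", "tcp", 44818),   # MES to Cell-1 PLC (EtherNet/IP)
        ("10.1.3.5", "10.1.2.10", "tcp", 44818),   # MES to Cell-2 PLC
        ("10.1.1.10", "10.1.1.11", "udp", 2222),   # intra-cell CIP I/O
        ("10.1.2.50", "10.1.2.10", "tcp", 554),    # camera inside its own cell (allowed)
    ]
    scan = [("10.1.2.50", "10.1.1.10", "tcp", p) for p in range(1, 31)]
    return normal + scan


def demo():
    port_table = {   # constructed switch/port bindings, as ISE learns them from RADIUS
        "10.1.2.50": {"switch": "IE4K-CELL2", "port": "Gi1/5", "vlan": 102},
        "10.1.1.10": {"switch": "IE4K-CELL1", "port": "Gi1/1", "vlan": 101},
    }
    alarms, quarantine = analyze(sample_flows())
    changes = apply_quarantine(quarantine, port_table)
    return alarms, sorted(quarantine), changes, port_table


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The zone-map check fires on the very first cross-cell packet, before the scan heuristic has enough ports to trigger, which is why grouping assets into trust zones finds the source faster than a behavioural threshold alone.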
76. Industrial Network Security Framework: CPwE Holistic Defense-in-Depth. Diagram of the CPwE zones (Enterprise Zone Levels 4-5 with external DMZ/firewall and enterprise identity services; IDMZ with patch management, AV server, application mirror and Remote Desktop Gateway servers; Industrial Zone Levels 0-3 with core switches, distribution switch stack, active/standby WLCs, LWAPs with 2.4 GHz and 5 GHz SSIDs, WGB, industrial firewall (IFW) and IE2K/IE3X/IE4K access switches; Levels 0-2 with FactoryTalk Client, controllers, drive, soft starter, MCC and I/O), annotated with who owns each layer: control system engineers at the Cell/Area Zone; control system engineers in collaboration with IT network engineers (industrial IT) at Level 3 Site Operations; IT security architects in collaboration with control system engineers at the IDMZ.
77. Connected Factory in Practice: Achieving Business Outcomes
78. Drivers for the Connected Factory
• Becoming an insight-driven manufacturer
• Being able to accurately track machine utilization (e.g. OEE)
• Facilitating the use of advanced sensor technologies and enabling predictive maintenance
• Continuously innovating products, services and relationships
• Creating connected environments that include partners (internal and external)
• Becoming agile while maintaining control of the business
• Enabling new operational and business models
79. Connected Factory – Achieving Business Outcomes: "The right information to the right place at the right time… securely". Diagram of the layered model: devices (sensors, robots and more) on the automation network, the management network and the collaboration (IT) network; a unified network management layer (deployment and service management); a unified application layer (any device, any application); and the business outcomes: reduce costs (optimize operations), increase revenues (more capabilities) and meet responsibilities (environmental, safety, regulatory). Application areas shown: production automation, energy, voice, video, inventory management, quality control, cost management, workforce enablement, personal devices, building management, facilities management, supply chain, tracking, SCADA, industrial access and control, manufacturing execution systems, enterprise resource planning, reports, analytics, collaboration, Internet, safety, security, real-time location services, product enhancement.
80. Industry 4.0: technology progress from 18th-century steam, 20th-century mass production and the robots of the 1970s to today's digitization of cyber-physical systems and smart devices.
• Cyber-physical systems monitor physical processes, create a virtual copy ("digital twin") of the physical world and make decentralized decisions
• Cyber-physical systems communicate and cooperate with each other and with humans in real time
• Internal and cross-organizational services are offered and used by participants of the value chain
• Includes "soft" topics such as work/life balance
81. IoT, IIoT, Industrie 4.0 and the Connected Factory (diagram)
82. Connected Factory in Practice: Factory Security
83. Cyber Attacks Continue…
• One of the latest: the Norsk Hydro cyber attack cost the company nearly $52M in the first quarter of 2019
84. Hope is NOT a Strategy
• 40 percent of manufacturing companies were affected by cyber incidents in the past 12 months
• 38 percent of those that felt the effects indicated that the breaches resulted in damages in excess of $1 million (source: www.isssource.com)
• Manufacturing is the most targeted category, and small to medium manufacturers are the most targeted within it
85. Industry 4.0 Driving the Connected Factory: Connect, Protect & Detect, Collect. Diagram: plant-wide systems (receiving, material handling, processing, batching/blending, packaging, shipping, utilities, control room) and enterprise-wide systems (corporate headquarters, OEM, supplier, other plant, customer) connected across sites (West, East, North, South). Outcomes: lower total cost of ownership, faster time to market, better asset optimization, broader risk management.
86. Security is NOT a Product but a Process. Where do I begin? With the NIST Cybersecurity Framework, Manufacturing Profile, applied across people, process and technology.
87. NIST Framework Core Functions and Categories (people, process and technology)
• IDENTIFY (know what you have and how critical it is to your organization): Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
• PROTECT (secure what you have): Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
• DETECT (spot threats quickly): Anomalies and Events; Security Continuous Monitoring; Detection Processes
• RESPOND (take action immediately): Response Planning; Communications; Analysis; Mitigation; Improvements
• RECOVER (restore operations): Recovery Planning; Improvements; Communications
88. Technology Doesn't Cover Everything. Table: the NIST CSF functions and categories of the previous slide, each marked with whether people, process and technology apply (the individual marks are not recoverable from the extraction). Takeaways: only half of the framework's categories are addressed by technology, which highlights the importance of both people and process in cybersecurity.
89. Assess the Threats and Vulnerabilities. Diagram: from the enterprise network through the IDMZ to the supervisory network (web server, app server, SCADA, database, historian, HMI), the control system network (PLCs), the field network (PLCs), a remote facility over VPN and cloud systems on the Internet, annotated with: threats through remote access; threats from infected HMIs or PLCs; threats from unauthorized control; threats from cloud services and the Internet; uncontrolled access; exfiltration attacks against the historian. Targeted or not: asset discovery and inventory; employee carelessness; employee (and former employee) sabotage; the Internet; phishing e-mail; an infected CD; an infected PDF file; an infected memory stick; a printer. Core cybersecurity principle: "that which is not visible cannot be protected".
90. Develop the Transformation. Current state: a flat and open IACS network infrastructure, security through obscurity. Future state: a structured and hardened IACS network infrastructure.
91. Phased Factory Security Maturity: a strategic factory security approach.
• Phase 1 – Secure Network Environment: factory (OT) architecture; IDMZ (IT-OT separation); secure remote access to OT; OT network segmentation
• Phase 2 – Advanced Industrial Security: OT identity-based network (ISE); OT-dedicated security appliances at major demarcation points; OT network security monitoring
• Phase 3 – Enhance Protections: secure visibility and control; convergence of IT and OT network security; cyber-security overlays
92. Factory Security. Challenge: machines on the factory floor need to be connected for visibility, but the current posture is "security by obscurity"; IT needs to be protected from OT and OT from IT. Solution: factory cyber security assessment; Industrial DMZ; defense-in-depth framework. Business outcomes: reduced downtime; protected brand reputation; minimized cyber theft; increased visibility of the factory floor; reduced risk.
93. Protecting IoT and OT Devices: detect malicious behaviour; no endpoint agents; segmentation.
94. Why Segmentation? Securing the environment.
• Segment the infrastructure: protect inbound and outbound communications, and systems from each other
• Scalable software-defined segmentation: separate systems and users based on role and policy, reducing security complexity
• Identity-based access: restrict connections to known systems and devices
• Profile IoT: evaluate a device's characteristics and posture to see whether it is misbehaving
95. Map out the IDMZ Traffic Flow
• Capture the requirements for the network services and the application data flows
• Decide which applications and protocols have to be allowed
• Certain network services may be allowed to communicate directly across the IDMZ, while ICS applications use IDMZ assets (mirrors, brokers) to exchange data
96. IDMZ Implementation – Current State (Connected Factory holistic defense-in-depth). Diagram: the enterprise (external DMZ/firewall, Internet) connects straight to a Layer 2/Layer 3 distribution switch stack in front of the controllers, soft starter, MCC and I/O at Level 1 (controller) and Level 0 (process).
• Implement the Purdue model with level segmentation via firewall with routing controls, including proper configuration and maintenance of the firewalls and ACLs
• Build and commission a DMZ at Level 3.5 for IT services, agents, patch management, etc.
97. IDMZ Implementation – Interim
• Build the new IDMZ (firewalls between the Enterprise Zone, Levels 4-5, and the Industrial Zone, Levels 0-3) and the new factory core switches, with enterprise identity services, while the existing Layer 2/Layer 3 distribution switch stack still serves the floor
98. IDMZ Implementation – Access Migration
• Migrate the factory-floor access/distribution switches to the new core
• Add static routes on the enterprise core to the factory-floor subnets and redistribute them into the enterprise IGP
• IDMZ firewall: permit any/any with logging, so the real traffic flows are recorded before any policy is enforced
99. IDMZ Implementation – Server Migration
• Migrate the servers into their proper zones (patch management, AV server, application mirror and Remote Desktop Gateway server into the IDMZ; Level 3 Site Operations servers into the Industrial Zone)
• Build the IDMZ firewall policy from the observed flows and enforce it
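The "permit any/any and logging" step followed by "build policy and enforce" is the part that usually gets skipped, so here is an added example (mine, not Cisco's) of turning the logging phase into a least-privilege rule set. It parses constructed connection-log lines in the shape of the ASA 302013 "Built ... connection" message (the assumption being that the initiator is on the "for" side and the responder on the "to" side), aggregates them into candidate rules per source /24, flags any flow that crossed directly between the enterprise and industrial interfaces without landing on an IDMZ broker, and renders the candidates as ASA-style access-list lines ending in an explicit logged deny. Interface names, subnets and the /24 aggregation are assumptions.

```python
"""Mine IDMZ firewall connection logs from the permit-any/logging phase into a
candidate least-privilege policy.  Added example with constructed log lines."""
import re
from collections import Counter
from ipaddress import ip_network

ENT, IDMZ, IND = "enterprise", "idmz", "industrial"   # assumed ASA interface names

# Shape of an ASA %ASA-6-302013 connection-built message (assumed field order:
# initiator after 'for', responder after 'to').
LOG_RE = re.compile(
    r"Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection \d+ for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/\d+ \([\d./]+\) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse(line):
    m = LOG_RE.search(line)
    if not m:
        return None
    return (m["src_if"], m["src"], m["dst_if"], m["dst"], m["proto"].lower(), int(m["dport"]))


def mine_rules(lines, src_prefix=24):
    """Return (candidates, violations).  candidates: Counter keyed by
    (src_if, src_net, dst_if, dst_host, proto, dport).  violations: flows that
    went enterprise <-> industrial directly, which the IDMZ design forbids."""
    candidates, violations = Counter(), []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src_if, src, dst_if, dst, proto, dport = rec
        if {src_if, dst_if} == {ENT, IND}:
            violations.append(rec)          # must be brokered through an IDMZ asset
            continue
        src_net = str(ip_network(f"{src}/{src_prefix}", strict=False))
        candidates[(src_if, src_net, dst_if, dst, proto, dport)] += 1
    return candidates, violations


def render_acl(candidates, min_hits=1):
    """ASA-style access-list lines (illustrative syntax), one list per ingress interface,
    each closed with an explicit logged deny so the logs keep producing evidence."""
    by_iface = {}
    for (src_if, src_net, dst_if, dst, proto, dport), hits in sorted(candidates.items()):
        if hits < min_hits:
            continue
        net = ip_network(src_net)
        line = (f"access-list {src_if.upper()}_IN extended permit {proto} "
                f"{net.network_address} {net.netmask} host {dst} eq {dport}")
        by_iface.setdefault(src_if, []).append(line)
    out = []
    for iface, lines in sorted(by_iface.items()):
        out.extend(lines)
        out.append(f"access-list {iface.upper()}_IN extended deny ip any any log")
    return out


SAMPLE_LOGS = [   # constructed; addresses and interface names are not from the deck
    "%ASA-6-302013: Built inbound TCP connection 101 for enterprise:10.10.5.7/51000 (10.10.5.7/51000) to idmz:172.16.1.10/3389 (172.16.1.10/3389)",
    "%ASA-6-302013: Built inbound TCP connection 102 for enterprise:10.10.5.8/51001 (10.10.5.8/51001) to idmz:172.16.1.10/3389 (172.16.1.10/3389)",
    "%ASA-6-302013: Built outbound TCP connection 103 for idmz:172.16.1.10/40000 (172.16.1.10/40000) to industrial:10.20.3.5/3389 (10.20.3.5/3389)",
    "%ASA-6-302013: Built outbound TCP connection 104 for idmz:172.16.1.20/40001 (172.16.1.20/40001) to industrial:10.20.3.20/1433 (10.20.3.20/1433)",
    "%ASA-6-302013: Built inbound TCP connection 105 for enterprise:10.10.5.7/51002 (10.10.5.7/51002) to industrial:10.20.3.5/44818 (10.20.3.5/44818)",
]


def demo():
    candidates, violations = mine_rules(SAMPLE_LOGS)
    return candidates, violations, render_acl(candidates)


if __name__ == "__main__":
    cands, viols, acl = demo()
    print(f"{len(viols)} direct enterprise<->industrial flow(s) need an IDMZ broker")
    print("\n".join(acl))
```

The flagged flow in the sample (an enterprise host opening EtherNet/IP to a Level 0-2 controller) is exactly the kind of traffic that must never become a permit rule; it has to be re-homed onto an IDMZ asset, or removed, before the policy is enforced.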
100. Protect Critical Infrastructure through Network Segmentation – Zone Definition (diagram)
101. How TrustSec Simplifies Network Segmentation. Traditional segmentation bases the security policy on topology: each role (machine, machine data, employee, supplier/guest, BYOD, non-compliant/quarantine) needs its own VLAN, address space, DHCP scope, redundancy, routing and static ACLs/VACLs at the access and aggregation layers, which is high-cost and complex to maintain. TrustSec uses the existing topology and automates the security policy to reduce OpEx: ISE provisions policy centrally, there is no VLAN or topology change, and micro/macro segmentation is achieved with tags (employee tag, supplier tag, non-compliant tag) enforced at the access layer, at the IDMZ firewall/switch and in front of the IDC servers.
102. Extensible, Scalable Segmentation: easily separate devices and data using the network.
• Assign role-based groups (SGT_Employee, SGT_Contractor, guests), using a controller to support the group design and get up and running quickly
• Assign business-based groupings (SGT_Factory Floor for conveyor systems 1 and 2, SGT_ERP for the ERP servers) to provide consistent policy and access independent of network topology
• Establish context-aware groups (SGT_Cell for temperature devices and IP cameras), leveraging attributes such as location and device type to define group assignments
103. Factory Device Segmentation – Example (Software-Defined Segmentation with TrustSec). Diagram: a factory backbone with switches SW1 and SW2 enforcing SGACLs, a factory firewall, the data center behind the DC firewall (historian, MES server, ISE), an engineering workstation, shop floor devices and a vendor/contractor.
• The TrustSec policy (SGACL) is configured and provisioned by ISE
• Each switch automatically downloads from ISE only the policies for the devices connected to it
• Traffic is filtered even within the same VLAN
SGACL policy matrix between the groups Shop Floor Operator, Shop Floor Development, Vendor/Contractor and Shop Floor Device.
104. Factory Data Access Control using TrustSec. Diagram: the same topology, with access privilege authorized by security group. Example classifications: an engineering workstation (OS type Windows XP Embedded, user Frank, AD group Shop Floor, device group Eng Workstation) is assigned Security Group = Shop Floor Device; a vendor/contractor laptop (OS type Windows 8.1, user contractor123@acme.com, no AD group, device group BYOD Laptop) is assigned Security Group = Contractor. The ASA factory firewall then applies a security-group firewall (SGFW) policy between the source groups (Shop Floor Operator, Shop Floor Device, engineering workstation) and the MES server and historian.
105. Why Visibility: monitoring and analysis of communication in both IT and OT.
• Monitor infrastructure communications: identify and alert on abnormal traffic flows
• Threat intelligence: knowledge of existing attacks and communication vectors
• Intrusion prevention: block attacks, exploitation and intelligence gathering
106. You have already made a lot of investment in network and security… yet threats are getting through. Have you been compromised? How and when would you know?
107. Effective Security Depends on Total Visibility, across the datacenter, the enterprise, manufacturing and IoT devices: know every host; see every conversation; understand what is normal; be alerted to change; respond to threats quickly. Identify every asset on the network, set policies based on hosts as well as applications, and model policies before enforcing them.
108. Security Analytics with Stealthwatch
• Data collection: rich telemetry from the existing network infrastructure
• Behavioural modelling: behavioural analysis of every activity within the network to pinpoint anomalies
• Multilayered machine learning: a combination of supervised and unsupervised techniques to convict advanced threats with high fidelity
• Global threat intelligence (powered by Talos): intelligence on global threat campaigns mapped to local alarms for faster mitigation
• Encrypted Traffic Analytics: malware detection without any decryption, using enhanced telemetry from the newer Cisco devices
109. Introduction to Data and Analytics: Insight-Driven Operations
110. Data in Manufacturing – Two Distinct Viewpoints
• "Manufacturing has always had big data. We have been collecting data with historians and MES systems for decades."
• "Manufacturing is an untapped market for big data. There is lots of data, lots of different types of data, and hardly any of it is being used for analysis today."
Diagram: data from the PLC and I/O flows through the Ethernet switch to Cisco Kinetic edge compute, which adds context and a quality flag; selected data, with modelling and logic applied, then goes on to big data analytics.
111. Data Opportunities and Challenges in Manufacturing. Opportunities: improve quality and increase throughput; better insight into the root cause of manufacturing issues; reduce machine failures and downtime. Challenges: the extreme variety of the data requires new approaches, infrastructure and tools; neither data scientists nor business analysts are readily available; there is little time for refining data models, massaging analytical tools and teasing out insight; simple, intuitive analytical tools and dashboards are needed; the expertise to derive algorithms for predictive models is lacking.
112. "Can an analytics system answer questions we didn't know to ask?" Data and analytics can bring together structured, time-series and unstructured data; artificial-intelligence-based analytics on top of these are the solutions that answer unasked questions and drive real and unexpected value. Diagram: the starting point is old answers to old questions; along the data axis, big data gives new answers to old questions; along the analytics axis, data analytics gives new answers to old questions; machine-learning analytics gives new answers to new questions.
113. Data Driving Decision Making – Analytics: streaming data feeds a loop of measure, analyze, decide, act.
114. Analytics Maturity – Data into Action. Descriptive (what happened?), diagnostic (why did it happen?), predictive (what will happen?) and prescriptive (what should I do?) analytics move from decision support, where human input is required, towards decision automation. Data analytics applied to factory equipment and sensors can bring operational efficiencies and cost savings to manufacturing processes.
115. Data and Decision Time within the Purdue Model
• Level 5 – Planning: decision time month/year; network: enterprise
• Level 4 – Business systems: days/weeks; enterprise
• Level 3 – Manufacturing operations management: seconds/minutes/hours; plant/enterprise
• Level 2 – Equipment and process control: sub-second; plant
• Level 1 – Sensors, instrumentation and data collection: sub-second; plant
• Level 0 – Production assets
Compute tiers shown alongside the levels: Kinetic Edge (IE switches with IOx) at the plant levels, Fog, and Enterprise Cloud.
116. Data Driving Design and the Digital Twin – Analytics: streaming data links the physical loop (produce, react) with the digital loop (design, simulate and optimize).
117. Manufacturing Data Examples. Data is characterized by huge data sets with varied data types, which can be classified as structured, real-time structured, or unstructured.
• Real-time structured data: sensors (vibration, pressure, valve and acoustic), relays; RFID; direct from PLCs, motors and drives; direct from motion controllers and robot arms; manufacturing historians (time-series data structure)
• Unstructured data: operator shift reports; machine logs; error logs; texts; vision images; audio/video; manufacturing collaboration social platforms
• Structured data: RDBMS databases; NoSQL; enterprise data warehouse; files stored on manufacturing PCs; spreadsheets
118. Data Types and Sizes. Manufacturing generates massive data files, which limits the ability to store, analyze and extract useful information from them with conventional methods; it is extremely hard even to visualize the information in large data sets from various sources. Table (data size per week):
• Machine parameters and error logs: ~5 GB per machine; used to monitor machine performance (dispense height, placement x/y/z, belt speed, flow rate, over temperature, laser power, etc.)
• Machine events: ~10 GB per machine; used to measure process time (start dispense, end dispense, start setup, end setup)
• Defect images from vision equipment: ~50 GB per unit or 750 GB per lot; used to identify the root cause of failure modes, defect commonality, defect mapping
119. What problems are we solving for customers?
• Environmental sensing (business outcomes: plant hazard awareness, pollution, security, safety, compliance)
• Remote visibility (condition monitoring, preventive and predictive maintenance, asset health, cost avoidance, reliability)
• Efficiency through process automation (cost reduction, efficiency, consistency, increased uptime, faster and more accurate decisions)
120. Key Takeaways
• The power of big data technology stems from the ability to merge and correlate these data set types to create business value through new insights
• New big data technology allows manufacturers to aggregate and centralize various types of data in a cost-effective, scalable manner
• Process variability drives a real business need for manufacturers to turn to a big data solution based on a scalable platform that can grow with their business and manufacturing requirements
• Machine data is strongly correlated with yield, quality and output, providing valuable information to proactively detect processes that are getting out of control
121. Factory Wireless: Automated Guided Vehicle (AGV) Roaming
122. Factory Wireless. Use cases: wireless tooling; monitoring hard-to-reach and restricted areas; PLCs and automated guided vehicles (AGVs). Key enabling IW3702 features: seamless roaming at low to moderate speeds; support for prioritized PROFINET traffic for industrial applications; PRP (Parallel Redundancy Protocol) over wireless for high resilience.
123. Factory Wireless – WGB Roaming Evolution
• Basic WGB roaming (low to moderate speed): limited scanning of channels
• Fast WGB roaming (high speed): 802.11v BSS fast transition on the WGB; RSSI smoothing filter; optimized rate-shifting algorithm
• PRP-enhanced roaming (highest speed): PRP over wireless; dual radios enable always-best-connected; roaming coordination prevents the two radios from roaming at the same time
124. Parallel Redundancy Protocol (PRP) over Wireless. PRP is defined in the international standard IEC 62439-3 and is designed to provide hitless redundancy (zero recovery time after failures) in networks. Wireless network without PRP: each data transmission goes through a single radio path, so RF interference or a hand-off results in packet loss. PRP-enabled wireless network: a PRP RedBox on each side sends every data frame over two redundant radio paths, giving zero recovery time in the event of a temporary failure of one path.
125. PRP over Wireless Redundancy Options
Dual WGBs, Dual Radios (WLC 8.4; figure: two WGBs on 5 GHz and 5 GHz, PRP switch as RedBox)
• An external PRP switch acting as RedBox (redundancy box) performs the packet duplication / duplicate discard function
• Application examples: industrial automation and AGV applications
Single WGB, Dual Radios (WLC 8.5; figure: one WGB on 2.4 GHz and 5 GHz, WGB as RedBox)
• The WGB acting as RedBox (redundancy box) performs the packet duplication / duplicate discard function
• Application examples: autonomous vehicles, straddle carriers, mission-critical applications, etc.
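The RedBox behaviour on slides 124 and 125 (duplicate every frame onto two radio paths, discard the second copy at the far end) as an added, constructed Python model; this is not Cisco WGB or PRP switch code, and the frame format, path names LAN_A/LAN_B and sample traffic are assumptions for illustration:

```python
# Constructed model of PRP (IEC 62439-3) duplicate/discard across two radio
# paths (LAN_A, LAN_B). Added example, not Cisco WGB or PRP switch code: a real
# RedBox appends a Redundancy Control Trailer (sequence number, LAN ID, LSDU
# size, suffix 0x88FB) to each frame; here a frame is just (seq, payload).
from dataclasses import dataclass, field

@dataclass
class SendingRedBox:
    """Duplicates each frame onto LAN_A and LAN_B with one 16-bit sequence number."""
    seq: int = 0

    def send(self, payload: bytes):
        self.seq = (self.seq + 1) & 0xFFFF  # wraps like the RCT sequence field
        return (self.seq, payload), (self.seq, payload)  # copy for A, copy for B

@dataclass
class ReceivingRedBox:
    """Delivers the first copy of a sequence number, discards the later one."""
    window: int = 64                               # how many seqs to remember
    seen: dict = field(default_factory=dict)       # insertion-ordered seq cache
    delivered: list = field(default_factory=list)
    discarded: int = 0

    def receive(self, frame) -> bool:
        seq, payload = frame
        if seq in self.seen:
            self.discarded += 1
            return False
        self.seen[seq] = True
        if len(self.seen) > self.window:
            self.seen.pop(next(iter(self.seen)))   # age out the oldest entry
        self.delivered.append(payload)
        return True

def single_path(payloads, drop):
    """No PRP: one radio path; seqs in `drop` (e.g. lost in a hand-off) are gone."""
    tx = SendingRedBox()
    return [p for p in payloads if tx.send(p)[0][0] not in drop]

def prp(payloads, drop_a, drop_b):
    """PRP: each frame sent on both paths; return (delivered, duplicates discarded)."""
    tx, rx = SendingRedBox(), ReceivingRedBox()
    for p in payloads:
        fa, fb = tx.send(p)
        if fa[0] not in drop_a:
            rx.receive(fa)
        if fb[0] not in drop_b:
            rx.receive(fb)
    return rx.delivered, rx.discarded

if __name__ == "__main__":
    frames = [b"cmd%02d" % i for i in range(1, 11)]     # constructed sample traffic
    print(len(single_path(frames, {3, 4, 5})))           # 7: hand-off on A loses 3
    print(prp(frames, {3, 4, 5}, {8}))                   # all 10 delivered, 6 discarded
```

The second run shows the "zero recovery time" claim: a hand-off that drops frames 3 to 5 on one path and a separate loss of frame 8 on the other still delivers every frame in order, while the receiver silently discards the six frames that arrived twice.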
126. Roaming Coordination
Figure: WGB1 and WGB2 (Gi0/1 and Gi0/2, subinterface Gi1.51 on VLAN 51) joined by a direct wired connection or through a switch, each associated with its own AP (AP1, AP2); alternatively a single WGB with 5 GHz and 2.4 GHz radios.
• A WGB sends an indication to the other WGB that it wants to start a roam
• The other WGB waits 100 ms by default (configurable) if it also needs to roam
• Once the roam event on the first WGB is complete, or the timeout expires, the other WGB is free to roam
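The three coordination rules on slide 126 as an added, constructed Python model (not Cisco WGB firmware): one WGB announces its roam, the peer holds for up to the 100 ms default, and the hold is released either by completion or by the timeout. The WGB names, millisecond clock and scenarios are assumptions for illustration.

```python
# Constructed model of the WGB roaming coordination on slide 126 (added example,
# not Cisco WGB firmware). A WGB announces that it wants to roam; its peer defers
# its own roam until that roam completes or the timeout (100 ms by default)
# expires. Times are milliseconds on a shared clock.
class RoamCoordinator:
    def __init__(self, timeout_ms: int = 100):
        self.timeout_ms = timeout_ms
        self.roaming = None        # WGB currently roaming, or None
        self.started_at = None     # when that roam was announced
        self.events = []           # (time, wgb, event) trace

    def request_roam(self, wgb: str, now_ms: int) -> bool:
        """Return True if `wgb` may roam now, False if it must hold for its peer."""
        if self.roaming not in (None, wgb):
            if now_ms - self.started_at < self.timeout_ms:
                self.events.append((now_ms, wgb, "deferred"))
                return False
            # Peer's roam overran the timeout: its hold no longer blocks us.
            self.events.append((now_ms, self.roaming, "timeout"))
        self.roaming, self.started_at = wgb, now_ms
        self.events.append((now_ms, wgb, "roam-start"))
        return True

    def roam_complete(self, wgb: str, now_ms: int) -> None:
        """Announce that `wgb` has finished roaming, releasing the peer."""
        if self.roaming == wgb:
            self.roaming = None
            self.events.append((now_ms, wgb, "roam-done"))

def concurrent_roam_scenario():
    """Both WGBs want to roam within 100 ms; only one may do so at a time."""
    c = RoamCoordinator()
    a = c.request_roam("WGB1", 0)          # True: WGB1 roams first
    b = c.request_roam("WGB2", 40)         # False: WGB2 deferred
    c.roam_complete("WGB1", 60)
    b2 = c.request_roam("WGB2", 61)        # True: peer done, WGB2 may roam
    return a, b, b2, c.events

def timeout_scenario():
    """WGB1 never reports completion; WGB2 is released when 100 ms elapse."""
    c = RoamCoordinator()
    c.request_roam("WGB1", 0)
    early = c.request_roam("WGB2", 99)     # False: still inside the window
    late = c.request_roam("WGB2", 100)     # True: timeout expired
    return early, late
```

The timeout case is the one worth noticing for resilience: without it, a WGB whose roam never completes (for example after losing its AP entirely) would pin its peer to the old AP indefinitely, defeating the point of the second radio.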
127. Sample Topology for Dual WGBs PRP Function
Figure: infrastructure side (WLC, PRP switch, aggregate switch, AP1 on SSID A (LAN_A) and AP2 on SSID B (LAN_B), both 5 GHz) and mobile client side (WGB1, WGB2, PRP switch, client VLAN). VLANs: client VLAN 800, LAN_A 801, LAN_B 802; each data frame is carried once tagged 801 and once tagged 802.
Infrastructure Side
• An aggregate switch on the infrastructure side carries the duplicated packets
• APs in FlexConnect mode
• The APs transmit/receive the redundant data traffic over different SSIDs, tagged with different VLANs
Mobile Client Side
• Each WGB associates to a different SSID and is located in a different VLAN
Roaming Coordination
• The WGBs are connected to provide the roaming coordination function, preventing both WGBs from roaming at the same time
128. Sample Topology for Single WGB PRP Function
Figure: infrastructure side (WLC, PRP switch, aggregate switch, AP1 on SSID A (LAN_A) and AP2 on SSID B (LAN_B)) and mobile client side (one WGB with 2.4 GHz and 5 GHz radios, client VLAN). VLANs: client VLAN 800, LAN_A 801, LAN_B 802; each data frame is carried once tagged 801 and once tagged 802.
Infrastructure Side
• An aggregate switch on the infrastructure side carries the duplicated packets
• APs in FlexConnect mode
• The APs transmit/receive the redundant data traffic over different SSIDs, tagged with different VLANs
Mobile Client Side
• The WGB associates to different SSIDs and is located in different VLANs
Roaming Coordination
• WGBs are connected to provide the roaming coordination function, preventing both WGBs from roaming at the same time
129. Accelerate time to value with Cisco Validated Designs and Cisco CX solutions
• Cisco Validated Designs: validated blueprints for industry solutions (new and updated versions)
• Lifecycle Solutions and Solution Support: fixed SKUs built on CVDs; lab validation, field pilots and edge services; simplify adoption with services from pilots to scale; on-demand expertise for complex problems
130. Conclusion: Measure Twice, Cut Once
• Connected Factory reference architectures: simplified design, quicker deployment, reduced risk in deploying new technology to achieve business outcomes
• Factory Network: secure, scalable and resilient network infrastructure
• Factory Wireless: enables mobility, secure personnel access, equipment-to-equipment communication and asset tracking
• Factory Security: defense-in-depth security for multiple layers of threat detection and prevention
131. For your reference: Recommended Resources, Reference Architectures
• Websites
• Design Zone Industry Solutions: https://www.cisco.com/c/en/us/solutions/enterprise/design-zone-industry-solutions/index.html
132. Questions? Use Cisco Webex Teams to chat with the speaker after the session
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space
Webex Teams will be moderated by the speaker until June 16, 2019. cs.co/ciscolivebot#
133. Complete your online session evaluation
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.
134. Continue your education: related sessions, walk-in labs, demos in the Cisco campus, meet the engineer, 1:1 meetings
135. Wireless Cisco education offerings
Course | Description | Cisco Certification
Designing Cisco Wireless Enterprise Networks; Deploying Cisco Wireless Enterprise Networks; Troubleshooting Cisco Wireless Enterprise Networks; Securing Cisco Wireless Enterprise Networks | Professional-level instructor-led trainings to prepare candidates to conduct site surveys, implement, configure and support APs and controllers in converged enterprise networks. Focused on 802.11 and related technologies to design, deploy, troubleshoot and secure wireless infrastructure. The course also provides details on the Cisco Mobility Services Engine, Prime Infrastructure and wireless security. | CCNP® Wireless
Implementing Cisco Unified Wireless Network Essential | Prepares candidates to design, install, configure, monitor and conduct basic troubleshooting tasks of a Cisco WLAN in enterprise installations. | CCNA® Wireless
Deploying Basic Cisco Wireless LANs (WDBWL) | Understanding of Cisco Unified Wireless Networking for enterprise deployment scenarios. In this course, you will learn the basics of how to install, configure, operate, and maintain a wireless network, both as an add-on to an existing wireless LAN (WLAN) and as a new Cisco Unified Wireless Networking solution. | 1.2
Deploying Advanced Cisco Wireless LANs (WDAWL) | The WDAWL advanced course is designed with the goal of providing learners with the knowledge and skills to successfully plan, install, configure, troubleshoot, monitor, and maintain advanced Cisco wireless LAN solutions such as QoS, "salt and pepper" mobility, high-density deployments, and outdoor mesh deployments in an enterprise customer environment. | 1.2
Deploying Cisco Connected Mobile Experiences (WCMX) | WCMX will prepare professionals to use the Cisco Unified Wireless Network to configure, administer, manage, troubleshoot, and optimize utilization of mobile content while gaining meaningful client analytics. | 2.0
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth
136. Cybersecurity Cisco education offerings
Course | Description | Cisco Certification
Understanding Cisco Cybersecurity Fundamentals (SECFND) | The SECFND course provides an understanding of cybersecurity's basic principles, foundational knowledge, and core skills needed to build a foundation for understanding more advanced cybersecurity material and skills. | CCNA® Cyber Ops
Implementing Cisco Cybersecurity Operations (SECOPS) | This course prepares candidates to begin a career within a Security Operations Center (SOC), working with cybersecurity analysts at the associate level. | CCNA® Cyber Ops
Cisco Security Product Training Courses | Official deep-dive, hands-on product training on Cisco's latest security products, including NGFW, ASA, NGIPS, AMP, Identity Services Engine, Email and Web Security Appliances, and much more. |
For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth
137. Internet of Things (IoT) Cisco education offerings
Course | Description | Cisco Certification
Managing Industrial Networks for Manufacturing (IMINS2) | An associate-level, instructor-led, lab-based training that focuses on common industrial application protocols, security, wireless and troubleshooting, designed to prepare you for the CCNA Industrial certification. | CCNA® Industrial
Managing Industrial Networks with Cisco Networking Technologies (IMINS) | This instructor-led, lab-based training addresses the foundational skills needed to manage and administer networked industrial control systems for today's connected plants and enterprises. It helps prepare plant administrators, control system engineers and traditional network engineers for the Cisco Industrial Networking Specialist certification. | Cisco Industrial Networking Specialist
Control Systems Fundamentals for Industrial Networking (ICINS) | For IT and network engineers; provides an introduction to industry IoT verticals, the automation environment and an overview of industrial control networks (e-learning). | Pre-learning for IMINS, IMINS2 training and certifications
Networking Fundamentals for Industrial Control Systems (INICS) | For industrial engineers and control system technicians; covers basic IP and networking concepts, and an introductory overview of automation industry protocols. | Pre-learning for IMINS, IMINS2 training and certifications
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth
138. Data and Analytics Cisco education offerings
Course | Description
ANDMB – Data Management, Architecture and Applications | Provides hands-on training with a technical mix of application, compute, storage and networking topics concerning the deployment of big data clusters.
ANDMA – Advanced Data Management, Architecture and Applications | Covers major architecture designs to cater to the different needs of the application, data center or deployment requirements. It provides architectural designs and advanced hands-on training on topics covering scaling of clusters to thousands of nodes and their management, data life cycle management with HDFS tiered storage, and different approaches for multi-tenant Hadoop cluster deployments with OpenStack.
Data and Analytics training page: http://www.cisco.com/c/en/us/training-events/resources/learning-services/technology/data-analytics.html
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth
139. Cybersecurity Cisco education offerings
Course | Description | Cisco Certification
CCIE Security 5.0 | | CCIE® Security
Implementing Cisco Edge Network Security Solutions (SENSS) | Configure Cisco perimeter edge security solutions utilizing Cisco Switches, Cisco Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls | CCNP® Security
Implementing Cisco Threat Control Solutions (SITCS) v1.5 | Implement Cisco's Next Generation Firewall (NGFW), FirePOWER NGIPS (Next Generation IPS), Cisco AMP (Advanced Malware Protection), as well as Web Security, Email Security and Cloud Web Security | CCNP® Security
Implementing Cisco Secure Access Solutions (SISAS) | Deploy Cisco's Identity Services Engine and 802.1X secure network access | CCNP® Security
Implementing Cisco Secure Mobility Solutions (SIMOS) | Protect data traversing a public or shared infrastructure such as the Internet by implementing and maintaining Cisco VPN solutions | CCNP® Security
Implementing Cisco Network Security (IINS 3.0) | Focuses on the design, implementation, and monitoring of a comprehensive security policy, using Cisco IOS security features | CCNA® Security
For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth
140. Digital Business Transformation Cisco education offerings
Course | Description | Cisco Certification
For Technology Sellers: Adopting the Cisco Business Architecture Approach | Builds skills to discover and address technology needs using a business-focused, consultative sales approach, broadly applicable and targeted to prepare for the digital transformation journey that is demanded across the business world. | Cisco Business Architecture Analyst
Applying Cisco Business Architecture Techniques | Provides tools and skills training to prepare the learner to use a business-led approach to technology solution sales and deployments. This continues the journey begun with Adopting the Cisco Business Architecture Approach above. | Cisco Business Architecture Specialist
Mastering the Cisco Business Architecture Discipline | Builds skills, and proven, real-world techniques to prepare for a business architect leadership role in the sales and deployment of transformative technology solutions. | Cisco Business Architecture Practitioner
Cisco Customer Success Manager Specialist | Prepares for the crucial role that drives adoption and enablement, ensuring that customers achieve their expected business outcomes, and reduces churn / increases renewals for services and subscription-based products. | Cisco Certified Customer Success Manager
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth
141. Thank you