Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.
Industrial IoT in Action
Phil George – Solution Architect
Ethernet
SQL
Cloud
BIG DATA
Virtualization
Mobility
Social Media
Podcast
Chatroom
Inflection Point
“an event that changes the way we think and act” Andy Grove, Intel Co-founder
Infotainment
Sidebar
Geek
Landline
Speed Dating
App
Buzzword
Widget
Webinar
Cyber grieving
ping
Blog
hashtag
BFF
LOL
phishing
Flash drive
Tagging
firewall
JPG
Flat screen
informationalize
Tweet
Google
Unfriend
Wiki
IM
Cloud
SECURE
Connected Enterprise
Unprecedented
Value
Disruptive
Technologies
Faster Time-to-Market
Lower Total Cost of Ownership
Improved Asset Utilization
Enterprise Risk Management
INFLECTION
Now!
$
Cloud
Ethernet
Mobility
Big Data
Business Analytics
$
Faster Time
to Market
Improved Asset
Utilization
Enterprise Risk
Management
Lower Total Cost of
Ownership
Will exceed 7.6 billion
More than 70 million annually will
cross into the middle class
Middle class adding $8 trillion
to consumer spend
Global POPULATION
trends (2020)
Source: McKinsey
EMERGING MARKET CONSUMERISM RESOURCE PRODUCTIVITY
INVESTMENT
Increased Demand on Industrial Production
$1T
Source: McKinsey
150% More Energy
More Water
30% 100% More Vehicles
GLOBAL POPULATION TRENDS
INCREASE DEMAND FOR
Manufacturing
80% More Steel
Resources
Infrastructure
Supply
Chain
Optimized for Rapid Value Creation
 Supply Chain Integration
 Collaborative, Demand Driven
 Compliant and Sustainable
AGILITY
PRODUCTIVITY
Enterprise
Distribution
Center
Smart Grid
Customers
COMPANY CONFIDENTIAL
THE CONNECTED ENTERPRISE
SUSTAINABILITY
Customer Demand
Industrial Processes Supply Chain
INDUSTRIAL
Internet of Things
Raw data > Contextualized Data >
Business System
Actuators, Intelligent Motor Control, Terminals, Audio, Video, Sensors
Enterprise
Infrastructure
Automation
Infrastructure
One Common
Environment
CONVENTIONAL: SEPARATE IT & AUTOMATION FUTURE: UNIFIED INFRASTRUCTURE
TRANSFORMATION
INTEGRATED CONTROL AND INFORMATION
ENABLER Common Secure Ethernet Infrastructure
2011 2012
# of ReCoats reduced due
to real-time alerts
Oven temperatures
accessed real-time
$302k/yr Eliminated by
Contract Dispatch
Allows all to
access EPA data
Visibility into loss of production
faults lead to root cause
identification
@ PAINT LAB
KENTUCKY FACILITY
Fundamentals of Ethernet/IP
Designing the Physical Layer
Industrial & IT Network Convergence
Ethernet/IP Product Selection
Securing Automation Networks
Plant-wide Benefits of Ethernet/IP
Agenda
www.rockwellautomation.com
Follow ROKAutomation on Facebook & Twitter.
Connect with us on LinkedIn.
www.rockwellautomation.com/connectedenterprise
EtherNet/IP Overview
Benefits of EtherNet/IP Seminar Series
Industrial Networks Needs
Long Term Trends
 Open network
 Converged network technologies (information sharing, common design)
 Better asset utilization - lean initiatives (training, support, and inventory)
 Future ready – to maximize investments and minimize risks
Industrial Applications Convergence
Industrial Network Trends
Information
I/O
Drive
Control
Safety
Applications
Process
Power
Control
Multi-discipline Industrial Network Convergence
High
Availability
Energy
Management
Controller
Drive Network
Safety Network
I/O Network
Plant/Site Network
Disparate Network Technology
Safety I/O
Single Industrial
Network Technology
Camera
Controller
VFD
Drive
HMI
I/O
Plant/Site
Instrumentation
EtherNet/IP is the global leader: 5M+ nodes sold, 300+ vendors, 1000s product lines
Control System Engineer
 Enable future-ready, high performance
 Use an established, widely accepted
network technology supported by
leading industry vendors
IT Network Engineer
 Use standard Ethernet and TCP/IP
 Utilize common network
infrastructure assets & tools
System Integrator
 Enable seamless plant-wide /
site-wide information sharing
 Converge industrial and non-
industrial traffic
Equipment Builder
 Enable convergence-ready
solutions
 Use a single multi-discipline
control and information
platform
EtherNet/IP - One Standard Industrial
Network Technology For….
EtherNet/IP: “IP” - Industrial Protocol
Single Industrial Network Technology
 ODVA
 Supported by global industry leaders such as Cisco Systems®,
Omron®, Schneider Electric®, Bosch Rexroth AG®,
Endress+Hauser and Rockwell Automation
 Conformance & Performance Testing
 Standard
 IEEE 802.3 - standard Ethernet, Precision Time Protocol (IEEE-1588)
 IETF - Internet Engineering Task Force, standard Internet Protocol (IP)
 ODVA - Common Industrial Protocol (CIP)
 IEC - International Electrotechnical Commission – IEC 61158
 IT Friendly and Future-Ready (Sustainable)
 Multi-discipline control and information platform
 Established - products, applications and vendors
www.odva.org
OSI 7-Layer Reference Model (Open Systems Interconnection)
Single Industrial Network Technology
Layer Name | Layer No. | Function | Examples
Application | Layer 7 | Network Services to User App | CIP, IEC 61158
Presentation | Layer 6 | Encryption/Other processing |
Session | Layer 5 | Manage Multiple Applications |
Transport | Layer 4 | Reliable End-to-End Delivery, Error Correction | IETF TCP/UDP
Network | Layer 3 | Packet Delivery, Routing | IETF IP; Routers
Data Link | Layer 2 | Framing of Data, Error Checking | IEEE 802.3/802.1; Switches
Physical | Layer 1 | Signal type to transmit bits, pin-outs, cable type | TIA-1005; Cabling
5-Layer TCP/IP Model
What makes EtherNet/IP industrial?
Physical Layer Hardening
Infrastructure Device Hardening
Common Application Layer Protocol: CIP, IEC 61158
OSI Reference Model
Protocol Stack
Application
Presentation
Session
Transport
Network
Data Link
Physical
Layer 7
Layer 6
Layer 5
Layer 4
Layer 3
Layer 2
Layer 1 TIA - 1005
Layer NameLayer No. Function
CIP
Application
Layers
Data Transport
Layers
IETF TCP/UDP
IETF IP
IEEE
802.3/802.1
OSI Reference Model
Open Systems Interconnection
Application
Presentation
Session
Transport
Network
Layer 7
Layer 6
Layer 5
Layer 4
Layer 3
Vendor Specific
Vendor Specific
Layer NameLayer No. Function
Data Link
Physical
Layer 2
Layer 1
IEEE
802.3/802.1
TIA - 1005
Limits Portability and Routability,
may require additional assets
to forward information throughout
the plant-wide / site-wide architecture
OSI Reference Model
Open Systems Interconnection
Vendor Specific
Vendor Specific
Function
Vendor Specific
TIA - 1005
Non standard Ethernet,
will require additional assets
to connect into
the plant-wide / site-wide architecture
Application
Presentation
Session
Transport
Network
Layer 7
Layer 6
Layer 5
Layer 4
Layer 3
Layer NameLayer No.
Data Link
Physical
Layer 2
Layer 1
OSI Reference Model
Network Independent
Layer 7
Layer 4
Layer 3
Layer 2
Layer 1
Layer No.
Network
Independent
Industrial Applications Convergence
Industrial Network Trends
Safety I/O
Single Industrial
Network Technology
Camera
Controller
VFD
Drive
HMI
I/O
Plant/Site
Instrumentation
 Multiple Network Technologies
 Topology Limits
 Physical Segmentation
 Data Duplication
 Multiple 1 Network Technologies
 Topology Limits
 Physical Segmentation Options
 Data Duplication
Disparate Network Technology
The Alternative
“Islands of Automation”
Micro Data Center
 Racks
 Patching
 Cable Management
 Copper/Fiber
Collaboration of Partners
Network Technology Convergence
Logical Framework
Physical Framework
 Noise Mitigation
 Control Panel
 Network Zone
Catalyst 3750
StackWise
Switch Stack
Gbps Link
for Failover
Detection
Firewall
(Active)
Firewall
(Standby)
MCC
Levels 0–2
HMI
Cell/Area Zone #1
Redundant Star Topology
Flex Links Resiliency
Cell/Area Zone #3
Bus/Star Topology
Cell/Area Zones
Industrial
Demilitarized Zone
(IDMZ)
Enterprise Zone
Levels 4 and 5
Rockwell Automation
Stratix 8000
Layer 2 Access Switch
Cisco
ASA 5500
Industrial Zone
Site Operations and Control
Level 3
Remote
Access
Server
Catalyst
6500/4500
Phone
Controller
Camera
Safety
Controller
Robot
Soft
Starter
Cell/Area Zone #2
Ring Topology
Resilient Ethernet Protocol (REP)
I/O
Plant Firewall:
 Inter-zone traffic segmentation
 ACLs, IPS and IDS
 VPN Services
 Portal and Terminal Server
proxy
Physical or Virtualized Servers
• Patch Management
• Remote Gateway Services
• Application Mirror
• AV Server
Physical or Virtualized Servers
• FactoryTalk Application Servers & Services Platform
• Network Services – e.g. DNS, AD, DHCP, AAA
• Remote Access Server (RAS)
• Call Manager
• Storage Array
Wide Area Network (WAN)
Physical or Virtualized Servers
• ERP, Email, Call Manager
• Active Directory (AD)
• AAA – Radius
Enterprise
WAN
Safety
I/O
Servo
Drive
Instrumentation
 Copper, Fiber,
Wireless Testers
 Network Discovery
 Protocol Statistics
 Network Discovery
 Protocol Statistics
Common Toolsets
Industrial Networks Summary
 Open networks are in demand
 Broad availability of products, applications and vendor support for Industrial Automation
Network standards for coexistence and interoperability of industrial automation devices
 Convergence of network technologies
 Reduce the number of disparate networks in an operation and create seamless
information sharing throughout the plant-wide / site-wide architecture
 Use of common network design, deployment and troubleshooting tools across the plant-
wide / site-wide architecture; avoid special tools for each application
 Better asset utilization to support lean initiatives
 Common network infrastructure assets, while accounting for environmental requirements
 Reduce training, support, and inventory for different networking technologies
 Future-ready – maximizing investments and minimizing risks
 Support new technologies and features without a network forklift upgrade
Reduce Risk Simplify Design Speed Deployment
 A new ‘go-to’ resource for educational, technical and
thought leadership information about industrial
communications
 Standard Internet Protocol (IP) for
Industrial Applications
 Coalition of like-minded companies
www.industrialip.org
Will your Physical Layer perform?
Plantwide EtherNet/IP
Ecosystem
Design and Deployment
Panduit’s Distributor Partner
Vision: Unified Physical Infrastructure
Office:
Data Center Solution
Building:
Connected Buildings Solution
Manufacturing:
Industrial Automation Solution
Critical Manufacturing Assets are at Risk!
• Downtime
• Security lapses
• Performance degradation
Installation pitfalls
3. This makes it impossible to
manage, maintain and
troubleshoot
2. No matter the
hardware, shoddy
cable installation
will result in a poor
network
1. Proper cable
installation is
critical
Importance of the Physical Layer
“A significant portion of network
downtime, approx. 80%, is attributed
to Physical Layer Connections.”
Sage Research
Designing the Physical Layer for Ethernet/IP
What do Physical Layer Reference
Architecture based best practices
look like?
Physical Layer Design Considerations
• Design and implement a
robust physical layer
• Environment Classification - MICE
• More than cable
– Connectors
– Patch panels
– Cable management
– Grounding, Bonding and
Shielding
(noise mitigation)
• Standard Physical Media
– Wired vs. Wireless
– Copper vs. Fiber
– UTP vs. STP
– Singlemode vs. Multimode
– SFP – LC vs. SC
• Standard Topology Choices
– Switch-Level & Device-Level
Cable Selection
ENET-WP007
LAN Troubleshooting Guide
Industrial Ethernet Physical
Infrastructure Reference
Architecture Design Guide
ODVA Guide
Rockwell/Cisco RA
Logical
De-Militarized Zone (DMZ)
Enterprise Zone (EZ)
De-Militarized Zone (DMZ)
Manufacturing Zone
Manufacturing Zone
Cell/Area Zone
FIREWALL
(ACTIVE)
FIREWALL
(STANDBY)
GE Link for Failover
Detection
Windows 2003 Servers
• Remote Desktop
Connection
• VNC
• PCAnywhere
LAYER 3
ROUTER
LAYER 3
ROUTER
LAYER 3
SWITCH
LAYER 3
SWITCH
Automation Apps
• Historian
• Data Distribution
• Asset Security
• Engineering Applications
• Databases
Network Services
• DNS, DHCP, Syslog Server
• Network & Security Management
(Redundant Star Topology) (Ring Topology) (Bus/Star Topology)
Enterprise Zone
FIREWALL
(ACTIVE)
FIREWALL
(STANDBY)
(Ring Topology) (Bus/Star Topology)
LAYER 3
ROUTER
LAYER 3
ROUTER
LAYER 3
SWITCH
LAYER 3
SWITCH
Reference IN-Solution
IN-Frastructure
IN-Route
IN-Panel
HMI
CTRLR
DRIVE
DISTi/O
IN-Field
Enterprise Zone
FWA FWB
DMZ
IN-Room
L3R L3R
L3S L3SPaS
DB
Manufacturing Zone
Cell/Area
Zones
Physical
L2S
L2S
L2S
L2S
Panduit Industrial Automation
5 Core Solutions
IN-ROOMTM
Control Room, Data Center,
Telco Closet
IN-PANELTM
Control Panels, Electrical
Panels and MCC
IN-FIELDTM
On the Machine, In the
Process Area, or Outdoors
IN-FRASTRUCTURETM
Power Distribution, Lighting,
HVAC Security, Safety
IN-ROUTETM
Industrial Pathways, Network
Zone Enclosures
Simplify with validated building blocks
Physical Layer Design Considerations
Micro Data Center
Zone Enclosures
Control Panel Solutions
Micro Data Center – IN-Room Solution
Enterprise/Office
Patchfield used to uplink switch
to level 4 & 5 Enterprise
Server Patching
Cross connect between production
servers and switch
Firewall and DMZ
Logical buffer zone between the
Enterprise and Manufacturing
Manufacturing Zone
Patchfield used to connect layer 3
switch to layer 2 switches used on
plant floor
IN-ROOMTM
Physical Network Security
• Keyed solutions for copper
and fiber
• USB Type A, B Ports
• Lock-in, Blockout products
secure connections
IN-ROOMTM
IN-ROUTETM
IN-PANELTM
IN-FIELDTM
Micro Data Center Simplification - Organize, Secure, and Standardize
Challenges:
• Disorganized
• Network performance issues
• Frequent moves, adds & changes
Solutions:
• Structured approach
• Media selection/security
• Visual identification
BEFORE AFTER
Micro Data Center Solutions
Physical Layer Design Considerations
IN-ROOMTM
IN-Route - Getting from “Point A” to “Point B”
Built-In
Failure
Points
IN-ROUTETM
Environmental Focus – M.I.C.E.
Office Industrial
Increased Environmental Severity
TIA/EIA
1005
Electro
magnetic
Climatic
Chemical
Ingress
• Water
• Dust
Mechanical
• Shock
• Vibration
E1
C1
I1
M1
E2
C2
I2
M2
E3
C3
I3
M3
You can’t choose components without knowing the
Environment
IN-Route - Zone Cabling Methods
TR
Centralized Cabling – Home runs from
each node back to the tele-
communication room.
TR
Z
Z
Z
Zone Cabling – Provides for Reduced
home-run wiring, easy moves / adds /
changes and reduced size of tele-
communication room
IN-ROUTETM
Pathways
• Overhead cable
tray routing
system
• Designed to
route and
manage copper,
fiber optic, or
power cables
IN-ROUTETM
Fiber Pathways
IN-ROUTETM
Dielectric Conduited Fiber Cable (DCF)
KEY BENEFIT:
Easier to install fiber cable
(eliminates conduit & grounding) with
rugged, crush resistant construction
SOLUTION COMPONENTS
1. 12 part numbers.
• Fiber Counts: 2, 4, 8, & 12
• Fiber Types: OS1/OS2, OM1, OM2
2. Compatible with OptiCam connectors
IN-ROUTETM
Zone Enclosures – Pre-configured
Best way to structure
manufacturing network
•Leverages Cisco/RA recommended
architecture for best network
performance
•Built for capability of rapid network
expansion
•Touch-safe for Facility IT access
•Significantly reduces lead time to
deploy
IN-ROUTETM
Zone Enclosures – Optimized for Stratix
Physical Layer Design Considerations
• Pre-configured,
Pre-tested for
Stratix 8300, 8000
and 5700 switches
• Safe, Secure,
Thermally tested
• Save time/cost/risk:
– IT/controls
convergence point
– Machine Builders
IN-ROUTETM
Robust, Secure, Future-Ready Network Distribution
Challenges:
• Scalability issues
• Diagnostics & troubleshooting
• Evolving cable mgmt
Solutions:
• Zone enclosure
• Media selection & security
• Cable routing
BEFORE AFTER
IN-Route: Network Distribution Simplification
Physical Layer Design Considerations
IN-ROUTETM
IN-Panel - Understanding the Problem
There are several market trends that are exerting
pressure on the design and architecture of a Control
Panel.
– Space Optimization
– Terminations
– Network Cabling
– Noise Mitigation
– Safety/Security
IN-PANELTM
EtherNet in the Control Panel
• Additional requirements and
solutions are required with the
addition of EtherNet into the Control
Panel.
IN-PANELTM
Planning for networking in the panel
• What are common networking
challenges in the panel?
– Overall concerns
• Diagnostics/troubleshooting
• Maintenance
• Future system upgrades
– Performance in potentially high
noise environment
• Zoned layouts
• Shielding
– Finding panel space for new
components
Clean Noisy Very Noisy
N
IN-PANELTM
Noise Mitigation Demo
IN-PANELTM
Panduit Confidential Information - not for Distribution
Polymer Coated Fiber (PCF) Cable, LC Connector, Termination Tool Kit
KEY BENEFITS: Ease of field termination (CRIMP,
CLEAVE AND LEAVE), Performance, Noise Immunity
SOLUTION COMPONENTS
1. Polymer Coated Fiber (PCF) cable (zip cord and break-
out cables)
2. Field-attached LC connector for 50/200/230µm &
62.5/200/230µm PCF fiber
3. Field termination tool kit
IN-PANELTM
IN-FIELDTM
Terminating Fiber Using PCF Crimp-On Connectors
No-Voiceover
IN-PANELTM
IN-FIELDTM
• Maximizes panel space utilization
• Easier to design for future system upgrades
• Provide up to 30% space savings
Panduit PanelMax™ Offering:
Space Optimization Increases Design Flexibility
Physical Layer Design Considerations
Corner Wiring
Duct
Utilizes space
typically unusable in
enclosure corner
DIN Rail Wiring Duct
Uses enclosure depth to save
panel footprint space; improve
component access
Shielded Wiring Duct
Mitigates EMI noise to reduce
wire separation distance
Shielded Wiring Duct
Conventional
Wiring Duct
Design
Flexibility
All of these products contribute to cost savings
IN-PANELTM
Panduit Network Solutions for the Control Panel
Physical Layer Design Considerations
• Optimized solutions for
Machine Builder Stratix
5700 deployments
DIN Rail Mount Adapter
Modular DIN rail mounting for
Copper or Fiber connectivity
Patch Panel
Facilitate testing, and future
Moves, Adds and Changes
Fiber, Cat6 Patch Cords
Performance guaranteed
IN-PANELTM
IN-Panel: Optimized with Partners
Physical Layer Design Considerations
• Leverage power of EtherNet/IP and
eco-system partners
– Panduit Fiber, Patching, Noise
Mitigation, Space Optimization,
Grounding/Bonding
– RA Stratix 5700 for machine
builder
– RA 1585 patch cords
– Test with Fluke Networks
• EtherNet/IP connects to Zone
Enclosures and Micro Data Center for
convergence aligned with Cisco/RA
CPwE
IN-PANELTM
IN-Field Challenges
• High MICE levels
– Vibration
– Chemical
– Temperature
– Wash down
• Wire management
rated for environment
• Food safety
ON Machine or Process areas
IN-FIELDTM
IN-Field Solutions: Manage and Protect
• Harsh rated cable management
and identification
• Abrasion protection
• Grounding/Bonding
Metal detectable
wire management
for Food industry
IN-FIELDTM
IN-Frastructure: Challenges
• Facility Grounding/Bonding, Power
• Costs of safety incidences
• Lockout/Tagout implementation
IN-FRASTRUCTURETM
IN-Frastructure: Solutions
• Grounding/Bonding
components and solutions
• Safety labels and signage
• Lockout/Tagout systems
IN-FRASTRUCTURETM
Application Guides
Network Security
Control Panel Layout Whitepaper
• Best practices = reduced call backs, problems... greater solution sales
http://www.industrial-ip.org
Design your system using cost effective and easy to
troubleshoot Network Architectures
Micro Data Center Zone Enclosure Control Panel Solutions
Easy Building Block Approach
Industry Level Thought Leadership
Enterprise
Functional
Design
Environmental
Requirements
(M.I.C.E.)
Logical Level
Shared
Architecture
Physical Level
Plant Floor
Design
All wrapped up in a 450
page, “How To” manual
with contributions from
Fluke and Rockwell
Automation, on designing
and installing the physical
infrastructure for an
Industrial Ethernet
Network
Panduit: Physical Infrastructure
Reference Architecture
Design/Spec Tools
Physical Layer Design Considerations
Design Micro Data Centers in Visio and paste BOM into Proposalworks!
Plant Floor - “Macro Architecture” summary
MICE 1-1-1-1
MICE 3-2-3-3
MICE 3-1-2-3
MICE 1-1-1-3
MICE 3-3-3-3
MICE 2-1-3-2
MICE 2-2-2-1
5/1/2014
Fiber Optic Application Best Practices for
EtherNet/IP
Agenda
Saving Time/Cost with Fiber
Fiber Selection
Physical Infrastructure for Fiber Deployments
• Industrial networks must take
into consideration the physical
challenges of the facility's
environment.
• Location, routing and equipment
choices should be based on the
complete understanding of cause
and effect conditions.
• Environmental Focus
– M.I.C.E. (TIA-1005)
Industrial Networks Live in the Real World
Sensor
Drive
I/O
Plant Ethernet
Controller
Switch
Ethernet
Fiber that Fits Both the Environment and the Application
Fiber is now being used in all areas of an Industrial Network Deployment
Converged Ethernet
Manufacturing Network Model
Corporate Network
Sensors and other
Input/Output Devices
Motors, Drives
Actuators
Supervisory
Control
Robotics
Back-Office Mainframes and
Servers (ERP, MES, etc.)
Office
Applications,
Internetworking,
Data Servers,
Storage
Human Machine
Interface (HMI)
Controller
• Fiber is completely noise immune
• Fiber can be used in high M.I.C.E.
environments
• Fiber can be rated for indoor,
outdoor and transition spaces
• Armored Fiber (available in both
metallic and all-dielectric) reduces
the need for, and installation costs
of, innerduct and conduits
• Smaller footprint of cables
(one fiber cable vs. bundle
copper (UTP))
• Reliability and speed of installation
reduces the
total cost of ownership
Benefits of Fiber in an Industrial Space
Key Elements of a Successful
EtherNet/IP Network Design
• Understanding application
and functional
requirements
• Developing a logical
framework (roadmap)
• Developing a physical
framework
• Determining security
requirements and
partnering with IT
• Using technology and
industry standards,
reference models and
reference architectures
Catalyst 3750
StackWise
Switch Stack
FactoryTalk Application Servers
 View
 Historian
 AssetCentre,
 Transaction Manager
FactoryTalk Services
Platform
 Directory
 Security/Audit
Data Servers
Gbps Link
for Failover
Detection
Firewall
(Active)
Firewall
(Standby)
I/O
Levels 0–2
HMI
Cell/Area Zone #1
Redundant Star Topology
Flex Links Resiliency
Cell/Area Zone #3
Bus/Star Topology
Cell/Area Zones
Demilitarized Zone (DMZ)
Enterprise Zone
Levels 4 and 5
Rockwell Automation
Stratix 8000
Layer 2 Access Switch
Cisco
ASA 5500
Industrial Zone
Site Operations and Control
Level 3
Remote
Access
Server
Catalyst
6500/4500
ERP, Email,
Wide Area Network
(WAN)
Network Services
 DNS, DHCP, syslog server
 Network and security mgmt
Drive
Controller
HMI
I/O
Controller
Drive
Controller
Drive
HMI
Cell/Area Zone #2
Ring Topology
Resilient Ethernet Protocol (REP)
I/O
I/O
Patch Management
Remote Gateway Services
Application Mirror
AV Server Plant Firewall:
 Inter-zone traffic segmentation
 ACLs, IPS and IDS
 VPN Services
 Portal and Terminal Server proxy
Selecting the Right Fiber Requires
Knowing the Application Environment…
Knowing the Distance Requirements.
Knowing the Equipment you are connecting to.
Let’s take a sample application and go through it step by step.
Knowing the Capability of Your Equipment
The Equipment – The first step in choosing the right fiber
is to look at the capability of your equipment.
• Look at the specifications
of the equipment to
determine the speed of
the connections
• The Fiber you choose
should at least be able to
handle the fastest mode of
the existing system
SFP Stands for “Small
Form Pluggable”
Module
Knowing the Capability of Your Equipment
The Stratix is a good switch to use as an example
because it has both Uplink ports and
Data ports running at different speeds.
• The uplink port speed is determined by the
use of copper or fiber. If it’s fiber the
configuration of the “SFP” module
determines the speed of the system.
Understanding Your Expansion
or Upgrade Path
The following is an example list of specifications for the fiber-optic SFP module
connections. It is IMPORTANT that each port match the wavelength
specifications on the other end of the cable and, for reliable communication, that the cable
not exceed the rated maximum cable length.
SFP Module Type | Cat. No. | Wavelength (nm) | Fiber Type | Core Size/Cladding Size (micron) | Modal Bandwidth (MHz/km)(1) | Cable Distance
100BASE-FX | 1783-SFP100FX | 1310 | MMF | 50/125 | 500 | 2 km (6562 ft)
100BASE-FX | 1783-SFP100FX | 1310 | MMF | 62.5/125 | 500 | 2 km (6562 ft)
100BASE-LX | 1783-SFP100LX | 1310 | SMF | G.652 (2) | - | 10 km (32,810 ft)
1000BASE-SX | 1783-SFP1GSX | 850 | MMF | 62.5/125 | 160 | 220 m (722 ft)
1000BASE-SX | 1783-SFP1GSX | 850 | MMF | 62.5/125 | 200 | 275 m (902 ft)
1000BASE-SX | 1783-SFP1GSX | 850 | MMF | 50/125 | 400 | 500 m (1640 ft)
1000BASE-SX | 1783-SFP1GSX | 850 | MMF | 50/125 | 500 | 550 m (1804 ft)
1000BASE-LX/LH | 1783-SFP1GLX | 1310 | SMF | G.652 (2) | - | 10 km (32,810 ft)
(1) Modal bandwidth applies only to multimode fiber.
* Information comes from Stratix Users Manual
Answers Always Lead to More Questions
The Equipment – The result of our equipment investigation
is that we learned:
• The max speed for the uplink is 1GBase-T
• The max speed for the data port is 100Base-T
• There are several choices for SFP modules
that can support both Single and Multimode.
“Is there an existing system of fiber, and
what core size is being used?”
The next question:
Core size?
….yes, Core
size?
What Makes Up a Fiber Cable?
The Cable – There are two classes of Fiber in use today:
• Single Mode – Long Distance Fiber, more expensive technology
• Multi Mode – Shorter Distance, more cost effective for inside plant use.
• To understand the differences between core sizes, and why they matter,
you need to know what makes up a fiber cable.
How Big is the Fiber, (relatively)?
9
230µm
All sizes expressed In Microns
50
62.5
125µm
200µm
Cladding
Core
Buffer
Core size will tell
you the OMx of
the Fiber
Single Mode Fiber
All sizes expressed In Microns
9µm
125µm
Multi-Mode Fiber (50 and 62.5 micron)
50
62.5
125
All sizes expressed In Microns
Polymer Coated Multi-mode Fiber (PCF)
All sizes expressed In Microns
230
50
62.5 200
What Do the OM Ratings Mean?
If you see OM in the Fiber grade it always means Multi-Mode.
– The US Adopted a Grading System Invented By ISO, The International Standards
Organization in Geneva, Switzerland. The “Optical Multimode” Rating System
• “OM 1” --- 62.5 Micron (Mostly legacy systems)
• “OM 2” --- 50 Micron (plain vanilla variety)
• “OM 3” --- 50 Micron (Laser optimized to work with VCSELs)
• “OM 4” --- 50 micron (Extended Bandwidth – Further refined to reduce pulse
spreading and enable longer distances)
And just like with Copper Categories –
A bigger number means better cable!
What Do the OS Ratings Mean?
• If you see OS in the Fiber grade it always means Single-Mode.
• “OS 1” --- 9 Micron (Used with wavelengths of 1310 nm)
• “OS 2” --- 9 Micron (Used with wavelengths of 1550 nm)
Why does the core size make such a difference in Fiber performance?
• OS (single-mode) vs. OM (multi-mode).
Think of it like the difference between a rifle shot and a shotgun blast.
A Fabry-Perot LASER
A Cheap, Slow LED
Singlemode – more efficient – goes FURTHER
Multimode – less efficient – doesn’t go as far
Example of Single-mode vs. Multi-mode
• Some of the photons (light particles) go straight, some ricochet around the
outside, the further they travel the closer the leading edge from one pulse
gets to the trailing edge of the one before it.
• Eventually you can’t tell one pulse from another.
A Cheap Slow LED
Light Pulse Spreading (“Modal Dispersion”)
The Enemy of Throughput
What?
You can only go so far with a given grade of multimode fiber before light
pulses begin to overlap
The Further You Go, the Worse it Gets.
Hey, I
sent a
“1”
ANSI/TIA-568-C.0 (D.3) Optical fiber
cabling supportable distances table.
• Table 7 - lists maximum supportable
distances and maximum channel
attenuation
for applications using optical
fiber cabling
• The table is based on the minimum
performance requirements of
62.5/125 µm, 50/125 µm, 850 nm
laser-optimized 50/125 µm, and
single-mode fiber established by
ANSI/TIA-568-C.3
How the OM/OS Ratings Equate to Distance
Remember the MICE Table?
Where you put the fiber, “The Environment”,
determines the type of fiber you choose.
Applications for “Indoor” Fiber
• Indoor Opti-Core Fiber Distribution
• Indoor Opti-Core Interlocking Armor
• Indoor Industrial-Net (PCF) Polymer Clad Fiber
• Indoor Dielectric Conduited Fiber (DCF)
Used when you have sufficient protection for the fiber
Used when the fiber has to protect itself
**NEW** Electrician Friendly crimp on connector for direct connect node to node
**NEW** All the benefits of an armored fiber without the metal. Use in area suspected of unequal potential grounds
Applications for “Indoor-Outdoor” Fiber
• Indoor/Outdoor Opti-Core All-Dielectric Fiber Cable
• Indoor/Outdoor Opti-Core Gel-Free Fiber Interlocking Aluminum Armored Cable
Used to transition from indoor to outdoor in a protected area, tray or conduit.
Used to transition from indoor to outdoor yet still protect the cable from harsh mechanical conditions
Applications for “Outdoor” Fiber
• Opti-Core Gel-Free Fiber Optic Outside Plant All-Dielectric Cable
• Opti-Core Gel-Free Fiber Optic Outside Plant Armored Cable
Allows installation using loose tube cable methods for aerial and duct applications
Allows installation using loose tube cable methods for aerial, duct and direct burial applications
One Last Thought When Choosing a Fiber Type – Choosing the Connector
• Traditional Puck and Polish type Connectors (5-7 min.)
• OptiCam Factory Polished Connectors (2-3 min.)
• Industrial Strip & Crimp no-Polish Required Fiber Connectors (approx. 1 min.)
Choosing the Connector
OptiCam Connector
PCF Connector
Agenda
Saving Time/Cost with Fiber
Fiber Selection
Physical Infrastructure for Fiber Deployments
Choosing the Right Fiber Type For the Application
Can Save Big $$$ in Materials and Labour
Links From Field Switches to Control Rooms
Should Support Higher Speeds and Greater Volume
Electrician Friendly Fiber
Can be Used to Install Long Distance Bus Systems
Fiber Optic Infrastructure Planning
Physical Layer Design Considerations
New joint application guide
Increase the integrity and availability of
EtherNet/IP networks with fiber solutions
from trusted partners!
Physical infrastructure
Integrated Architecture,
Stratix Switches, ETAPs,
more
Higher level switches
Fiber Guide
ENET-TD003
Easy to follow Fiber best practices!
Physical Layer Design Considerations
• Partner validated application guide
Summary
Fiber Selection
Physical Infrastructure for Fiber
Deployments
Saving Time/Cost with Fiber
Understanding the Environment and the Application
Knowing how to determine equipment and system requirements
Choosing the proper network design for application
Thank You !
PCF
To Test is to Know.
How Good is your Layer 1 Infrastructure?
Fluke Networks
@ Routeco plc: July 2014
A company
Company Confidential
Enterprise Network Test Solutions For
Datacom Installers, Network Engineers
• Market leader in copper and fiber cable certification and testing
– Copper test solutions
– Fiber test solutions
– Wireless solutions
• Market leader in troubleshooting and portable
management
– Portable network test and analysis
– Wireless LAN troubleshooting and management
– Deep Packet Analysis and Capture
• Fluke Networks Solutions
– OptiView XG Network Analyzer tablet
– DTX CableAnalyzer
– Network Time Machine
– MicroScanner, NetTool, LinkRunner
So, Why Bother Testing?
• Confidence for your client.
• Assurance for yourself
• Evidence for a Cabling system Warranty
• Avoids potentially expensive delays in commissioning
• Uncovers ‘environmental’ issues
• Provides for future upgrades.
• End result of testing is Documentation!
• The Documentation provides for all above.
What’s the big deal? It’s cable, right?
• Right!
– You’ve used the best components (like building a Formula 1 car)
– Followed all the installation rules and guidance…
What you have is a link from A to B….
Reference Points for Testing: Industry
Standards….
• As for almost every other part of a major project, the
cabling industry has recognised, defined and understood
standards:
– EIA/TIA 568C.2 (American, contains the standards for Cat5e,
Cat6 and Cat6A and for MM and SM fibre installations)
– ISO 11801 (International, contains approximate equivalents
Class D, Class E and Class Ea, plus Class F and fibre)
– EN 10573 (European Norm, equivalent to ISO 11801.)
– Application-specific standards:
– TIA1005 (Industrial Ethernet-specific)
– 100MB/s Ethernet / 1GB/s Ethernet
– 40GB/s Ethernet (fibre only)
These standards require us to:
• Test (and Pass) a specified range of parameters, save the
result and provide documentation.
Permanent Link or Channel Test?
• Permanent Link: Patch panel to wall
outlet including max 1 Cross-connect.
• Channel: Permanent Link plus 1
additional patch panel, and user patch
cords. Maximum 4 connectors.
• Which standard? To be decided by
negotiation with your client as part of
contract.
• Which test model? Default to
Permanent Link. Channel is end-user
test.
Additional Considerations
• Is the cable Shielded or Unshielded?
– What type of shield is it? S/UTP or FTP or SSTP?
• Will the application include Power over Ethernet?
– PoE has a separate and specific set of specifications.
• Does the client or the warranty provider or the hardware
manufacturer have specific additional requirements?
– Balance measurements may be required.
The end result: 100% compliant
documentation of the infrastructure
Power over Ethernet (PoE-specific test)
• New test limits with specific tests for PoE optimisation.
• New Shield Integrity test finds shield errors/damage.
What About the Fails?
• Real Diagnostics for complex NEXT and Return Loss Fails
Let’s talk about fibre…..
Enterprise Fiber:
Growing Exponentially
• 1.5 Billion new internet-connected
devices by 2015 (Intel)
• 57% annual growth in Enterprise
fiber ports: 2011 - 2015 (Dell’Oro,
2011)
• In 2015, the equivalent of every
movie ever made will transit IP
networks, every 5 minutes (Cisco
Systems)
Enterprise Fiber: Growing
Exponentially
• 24% annual growth in storage
spending for cloud computing
(IDC)
• 54% growth in 10Gbps+ fiber LAN
transceivers (Finisar)
• One-hop fabrics replacing
traditional switch architecture in
datacentres
Four Steps to Determining
Fibre link Performance
1. Inspect it - Clean it - Inspect it again
2. Polarity check
3. Performance Test
4. Extra Data and Troubleshooting
Inspect it – Clean it – Inspect it again.
• ALL end-faces have to be
clean and undamaged!
• Inspecting the fibre end-
faces is part of the BASIC
test regime according to
IEC 14763-3
• Cleaning the end-faces
each and every time is not
an option….it’s mandatory!
“Any connecting hardware adapters used
together with all connector end-faces on the test cords
comprising the cabling interface adapter, and the cabling
under test shall be cleaned according to the instructions
provided by the manufacturer of the connectors.
Cleaning shall be repeated every time a test cord is
connected to the cabling or component under test.”
What you can’t see CAN hurt your test result!
• Dirt migrates from a dirty to a clean connector
Check Polarity
• Visual Fault Locator (Laser light-pen)
• Uses high intensity visible light source
• Quick and Easy to use
• Relatively low cost
• Provides a go/no-go indication
• Can help find sources of loss.
Fibre Performance Certification
• Standards-based Two-Tier Testing (TIA TSB-140)
• Tier 1: OLTS (Optical Loss Test Set)
– Encircled Flux Compliance Required.
– Power Meter and Light Source with built-in
length measurement.
– Losses and lengths conform to industry
standards
• Most closely simulates active system
– Verify polarity using OLTS
• Tier 2: Tier 1 plus OTDR trace
– Evidence that cable is installed without
degrading events (e.g. bends, connectors,
splices)
Loss/Length Certification
Test two fibers (a transmit/receive pair)
• Each fiber at two wavelengths
– Measure optical length
– Compute power budget and display Pass or Fail
– Standards-based Tier 1 certification
• 2 power measurements in each direction, plus length
– Comprehensive Go/No-go result
Tier 2: Where fibre diagnostics reside.
• Tier 2: Tier 1 plus OTDR trace
– Evidence that cable is installed
without degrading events (e.g.
bends, connectors, splices)
A new type of OTDR Result that almost
everyone can understand
• Alternative trace
presentation of link
topology
• Reduce need for OTDR
expertise
• Icons designate the type
of fiber event
• One-tap gives access to
all event details
Back to the Documentation:
IMPORTANT part of the fibre condition…
OTDR Traces are not for everyone…
EventMap provides an easily understood pictorial representation
of the fibre link, for many the end of ‘trace-psychosis’.
Every ‘PASS’ report includes a Compliant
Network Standards List…
Thank you
Copyright © 2012 Rockwell Automation, Inc. All rights reserved.
Industrial and IT Network Convergence
Ethernet/IP Enables Convergence
Name – Mike Loughran
Title – Solution Architect
Date – 29th April 2014
Emerging Technologies in Operations
All the BUZZ…
The Internet of Things (IoT)
Intelligent devices start to communicate with each other
What does it all mean?
• Big Data
• Large amounts of information are available to manage the supply chain & complex processes
• Cloud Computing & Virtualization
• Speed up deployment of production, add flexibility, reduce capital investments & increase access across global operations
• Increase longevity, reliability & provide disaster recovery
• Mobility & BYOD (Bring Your Own Device)
• Improve maintainability, uptime, asset longevity, safety and cost control
Driven Largely by Information Technology
Most of it is buried on the production floor in historians or other databases
Centers around Information Technology (IT) more than Operations/Production management
Technicians, Supervisors, Operators are all mobile during their typical work day
Why are Emerging Technologies so Important?
Automated adaptable processes & decisions
Why are Emerging Technologies so Important?
• Empowers companies to grow faster, produce better products and serve customers more effectively
• It connects a workforce, analyzes data and allows for continuous improvements
• Companies can leverage technological advances as a competitive advantage and must constantly seek newer, faster and better technologies to improve their business
Early-adopters typically acknowledge the risk that comes with new technology
Keeping abreast of new developments is an ongoing job with both risks and rewards
Industrial Network Convergence
Industrial Network Trends
EtherNet/IP – Enabling & Driving
Multi-discipline Industrial Network Convergence
Process Control
Discrete Control
Information Technology
Intelligent Motor Control
The Value in Bringing the Information Together
Control Systems
HMIs
Production
Scheduling
Alarms/Events
Other Database Systems
Computerized Maintenance
Management Systems
Performance
Quality
Systems
Data Historians
Laboratory
Information
Management
Systems
You need a network technology that is STANDARD, PROVEN and MORE than a FIELDBUS!
You need robust Infrastructure Solutions to deliver the information fast, reliably and securely!
From Production to the Enterprise - Rockwell Automation & Cisco Alliance
• Common Technology View
• Single system architecture, using open, industry standard networking technologies – EtherNet/IP
• Delivering Converged Plantwide Ethernet (CPwE) Architectures for manufacturing and industrial environments
• Best pathway to Operations/IT network convergence with detailed design and implementation guidance
• Joint Product and Solution Collaboration
• Creating an ideal networking environment for both IT and controls professionals.
• People and Process Optimization
• Education and services to facilitate Manufacturing and IT convergence
Rockwell Automation and Cisco present the most valuable resource in the industry for deploying a converged network infrastructure
Leadership in IT and Plant Operations
Risks and threats to networked systems
Security risks increase potential for disruption to
System uptime and Safe operation and a loss of IP
Unintended
employee actions
Theft
Unauthorized actions
by employees
Unauthorized
access
Denial of
Service
Application of
Security patches
Unauthorized
remote access
Natural or Man-made
disasters
Sabotage
Worms and
viruses
Business
Risk
INFORMATION
OPERATIONS
A Vendor’s Perspective
• Control System lifecycles are long (20+ years)
• Products will have vulnerabilities
• Security is a team sport
• Vendors & Customers
• IT & Engineering
• Pick your teams (point: don’t go it alone)
• REMEMBER: Human beings are imperfect
• Control System safety & security are closely linked
• Control System security manages variables
• Managing the security variables enhances uptime
UPTIME = PROFITABILITY
Our Approach to Industrial Security
• Layered Security Model
Shield potential targets behind multiple levels of protection to reduce security risks
• Defense in Depth
Use multiple security countermeasures to protect integrity of components or systems
• Openness
Consideration for participation of a variety of vendors in our security solutions
• Flexibility
Able to accommodate a customer’s needs, including policies & procedures
• Consistency
Solutions that align with Government directives and Standards Bodies
A secure application depends on multiple layers of protection.
Industrial security must be implemented as a system.
Application
Computer
Device
Physical
Network
Evolving Global Standards
• Building Blocks •
ISA S99 and IEC 62443
• Asset Owners • Vendors • Industry Consortia •
NIST 800 • NERC-CIP • ISO 27002 • RFC 2196
ISA Security Compliance Institute (ISCI)
Achilles™
Exida.com LLC
Achilles™ test platform
Wurldtech
Bronze
Silver
Gold
© rockwell automation
Wurldtech
L-1
L-2
L-3
WIB
Independent
Req’s & Certifications
SAL 1
SAL 2
SAL 3
WIB 2.0
ODVA
Confrm
Test
Design for Security approach
Specifications Audits & Gaps
Enhance &
Improve
Resiliency & Robustness
Additional Material
Educational - Cisco and Rockwell Automation Alliance
• Education Series Webcasts
• What every IT professional should know about Plant-Floor Networking
• What every Plant-Floor Engineer should know about working with IT
• Industrial Ethernet: Introduction to Resiliency
• Fundamentals of Secure Remote Access for Plant-Floor Applications and Data
• Securing Architectures and Applications for Network Convergence
• IT-Ready EtherNet/IP Solutions
• Available Online
• http://www.ab.com/networks/architectures.html
Additional Material
Simplify Design - Rockwell Automation
• Networks Website: http://www.ab.com/networks/
• EtherNet/IP Toolkit: http://www.rockwellautomation.com/rockwellautomation/products-technologies/integrated-architecture/tools/overview.page#/tab4
• Ethernet Tools
Additional Material
Simplify Design - Cisco and Rockwell Automation Alliance
• Websites
• http://www.ab.com/networks/architectures.html
• Design Guides
• Converged plant-wide Ethernet (CPwE)
• Application Guides
• Fiber Optic Infrastructure Application Guide
• Education Series
• http://www.ab.com/networks/architectures.html
• Whitepapers
• Top 10 Recommendations for plant-wide EtherNet/IP Deployments
• Securing Manufacturing Computer and Controller Assets
• Production Software within Manufacturing Reference Architectures
Additional Material
Simplify Design - Collaboration
• Plant-wide EtherNet/IP Ecosystem Partners Website
• Fiber Optic Infrastructure Application Guide ENET-TD003
Additional Material
Simplify Design and Speed Deployment - Panduit Corp
• Panduit Corp. Website:
• http://www.panduit.com/
• Industrial Automation Solutions:
• Industrial Automation Product Systems Brochure
• Industrial Communication Solutions – Interactive Roadmap
Additional Material
Speed Deployment - Fluke Networks
• Fluke Networks Websites
• www.flukenetworks.com
• www.flukenetworks.comindustrial
• www.flukenetworks.comknowledgebase
Reduce design time
Procurement Specifications on-line
http://www.rockwellautomation.com/rockwellautomation/industries/procurement-specifications/overview.page?
Questions?
A family of high performance Industrial Ethernet switches ideal for the end user and equipment builder
Stratix Ethernet Switch Family
Stratix Portfolio Overview
• Security
• Productivity
• Safe Operations
• Remote Access
• Time to Market
• Protecting IP
Routers and switches for:
• Enabling security to new or existing architectures
• Applications for simple to complex networks
• Monitoring and controlling distributed devices
• Plant floor and enterprise integration
Stratix 8000/8300: Layer 2, Layer 3
Stratix 2000: Unmanaged
Stratix 6000: Layer 2
Stratix ETAPs
Stratix 5700: Layer 2
Stratix 5100: Wireless AP/WGB
Stratix 5900: Security Appliance
Family of industrial Ethernet switches that are:
• Optimized for configuration, monitoring, security and maintenance
• Modular and scalable
• Designed for simple to complex Ethernet applications
• IT-ready and IT-friendly solutions
• Simplified integration of machine systems in infrastructure
• Integrated Architecture programming tools and features
• Secure remote access for improved productivity and OEE
• Connected or isolated machine and Process control applications
• Plant floor and enterprise integration
• Distributed network devices that need to be monitored and controlled
The Stratix Family Overview
Integrating your enterprise and manufacturing
environments
Overview
Key Benefits
Applications
Stratix 2000 Unmanaged Switches
Refresh & Product Line Expansion
Stratix 2000 Unmanaged Switches
Overview
• Low cost solutions designed for isolated control networks
• Recommended for Micro 850 & Micro 820 applications
• Unmanaged switches are not recommended for safety or motion applications
• Simple “Plug & Play”
• Automatically negotiates speed and duplex settings (no configuration required)
• Automatically detects cross-over cable
• Expanded operating temperature from -20ºC to 70ºC to meet a wider variety of application needs for most catalog numbers
• Exception: 1783-US5T & 1783-US8T range 0 to 60ºC
Stratix 6000 Fixed Managed Switches
Stratix 6000™ Managed Switches
• Fixed port managed switch
• 4 port or 8 port versions with optional fiber optic uplink (SFP)
• Control system integrated
• CIP communications for:
• Diagnostics (tags)
• Configuration (RSLogix 5000)
• Security
• DHCP persistence for automatic end device IP address assignment
• Unauthorized User Identification
• Traffic Level Monitor with Alarms
• FactoryTalk View Faceplates
Integrated Tightly Into The Integrated Architecture
Stratix 5700
Industrial Managed Switches
The Stratix 5700
Layer 2 Managed Switches with Cisco Technology
• Premiere Integration to the Integrated Architecture
• CIP interface
• Studio 5000 AOP
• ControlLogix tags
• FactoryTalk View faceplates
• Built with Cisco technology (IOS)
• Common feature set with Stratix 8x00
• Common IT development tools
• (CLI, CNA, DM, CiscoWorks)
• Simple to Deploy & Maintain
• Easy integration
• Default configurations
• Common Smartports
• DHCP per port IP addressing
• Easy maintenance
• Secure Digital card for configuration backup
• Diagnostics & network management tools
Compact & Scalable
Best of Rockwell Automation & Cisco in a compact size
Stratix 5700 Configurations
• 3 base platforms offering 20 configurations
• 6, 10 & 20 port base units
• 6 copper & 4 copper + 2 SFP slots
• 8 copper + 2 combo*
• 16 copper + 2 combo* + 2 SFP slots
• 2 Gig port option
• SFP slots support multi & single mode fiber
• Wide variety of SFPs available
• Compatible with other Cisco SFPs
• Advanced feature set to address:
• EtherNet/IP applications
• Security
• Resiliency & Redundancy
• Two software packages to choose from
• Lite & Full versions
• Conformal coating option for harsh environments
*Combo ports can be either copper or SFP
Ideal for simple to complex applications
Stratix 8000 / 8300
Industrial Managed
Switches
Stratix 8000/8300 - Modular Design
Base Module
(6-port or 10-port)
Extension Module A
(8-port Copper)
Extension Module B
(8-port Fiber)
Data Ports
10/100 Copper
Dual Purpose Uplink Ports
10/100/1000 Copper or SFP
8 Extended Data Ports
10/100 Copper
8 Extended Data Ports
100 Fixed Fiber
SFP Fiber Transceiver
100M and 1G
Multimode and Singlemode
Stratix 8300 Layer 3 Managed Switch
• Layer 3 Routing Capabilities
Dynamic Routing Protocols such as RIP, EIGRP and OSPF
Stratix 5900
Industrial Services Router
The Stratix 5900 Security Appliance
• Premiere Routing & Security Services
• Firewall
• Virtual Private Network (VPN)
• Network Address Translation (NAT)
• 1GE WAN, 4 FE LAN, 1 Serial Port
• Built with Cisco technology (IOS)
• Common features of Stratix Switch
• Common IT development tools
• (CLI, CNA, DM, CiscoWorks, CCP)
• Ruggedized with Extended Temp, Shock & Vib
• Compact Size with Din Rail Mount
Best of Rockwell & Cisco in a compact size
Embedded Switch
Technology
Embedded Switch Technology
• Embedded Switch Technology enables LINEAR and RING topologies on EtherNet/IP
• Network traffic is managed to ensure timely delivery of critical data (QoS, IGMP supported)
• Open standard (ODVA) allows 3rd party suppliers to develop compatible products
Linear
• Linear Ethernet segments greatly
extend the length of the
application
• No need to run cables from each
device back to a centralized
switch
Device-Level Ring (DLR)
• Single fault tolerant network
provides resiliency
• Device level ring requires no
additional hardware to implement
1783-ETAP
• The 1783-ETAP is a standalone device that allows devices (that do not support the
Embedded Switch Technology) to join a linear or a DLR network.
• Other product features:
- Capable of being a Ring Supervisor in a Device Level Ring
- Managed switch functions to help manage traffic on the network (i.e.: IGMP and QoS)
- Fiber versions available in the future for long distance applications
Device Port – used for
connecting single-port
Ethernet device
Network Ports (2) – used for
connecting to neighboring devices
to form a linear or a ring network
DLR Enabled Products
• 1756-ENT2R, Point, Flex, ArmorPoint, ETAP, CompactLogix, 193-DNENCATR, 1747-AENTR, ArmorBlock, ArmorStart
Stratix 5100
Wireless Access Point
Stratix Wireless Access Points
• Product
• Access Point / Work Group Bridge
• Autonomous
• Leveraging the latest 802.11n WiFi technology
• MIMO, Packet Aggregation & Spatial Multiplexing
• Higher performance
• 2.4 GHz and 5 GHz radios
• Flexibility and segmentation
• Support for VLAN, QoS and RADIUS
• Segmentation, priority handling and authorization
• Backward compliant to 802.11a/b/g
• CIP enabled
• Logix for system diagnostics
• Profile & tags
• Value
• Provides real-time performance for mission critical applications
• Eliminates wire & cabling to reduce installation costs
• Enables mobility and portability to people and devices
• Seamless integration within a Cisco wireless network
Typical Configurations
Cell/Area Zone #3 Cell/Area Zone #4
FactoryTalk
Applications
and Services
Ring Topology
Cell/Area Zone #1 Cell/Area Zone #2
Manufacturing Zone
8000 Managed
Layer 2 Switch
ETAP - Embedded
Layer 2 Switch
Ring Topology
Enterprise Zone
Enterprise
Network
6000 Managed
Layer 2 Switch
Star Topology
Embedded Layer 2
Switch Linear
Topology
Mobile User
Lightweight AP
(LWAP)
AP as Workgroup
Bridge (WGB)
ERP, Email, Wide Area
Network (WAN)
5100
802.11n – Dual Band
Access point
8300 Managed
Layer 3 Switch
5900 Industrial
Services Router
Stratix Family Quick Reference
Thank you!
To learn more visit:
www.ab.com/networks
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Invisible Cost to Visible Value
Rob Price
Head of Technical Strategy
Partner & Commercial Team
roprice@cisco.com
April 2014
“I cannot imagine a life without…”
% of 14 – 29 year olds
Source: BITKOM – Bundesverband Informationswirtschaft, Telekommunikation und neue Medien e.V., 2010
• A mobile phone: 97%
• The 2 photos on the right are of St Peter's Square during the announcement of the election of the last 2 Popes
• In just 8 years mobile devices have become ubiquitous. Everyone carries the internet in their pocket
• The Internet: 84%
• A car: 64%
• My current partner: 43%
Digital Band-Aids
Smart Pill Bottle Caps
Asthma inhalers
'Electronic Skin' Patches Monitor Health Wirelessly
• Will gather 14 ExaBytes* of data per day!
• Will store over 1 PetaByte per day
• Transmit
• Store
• Analyse
*1 ExaByte = 1,000,000,000,000,000,000 Bytes
It took until 2004 for internet traffic to pass 1 Exabyte per month
X aaS
Thank you.
Control Network Security & Secure Remote Access
Guy Denis gudenis@cisco.com
Rockwell Automation Alliance Manager Europe
29th April 2014
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Source of Industrial Security Incidents
• 3% Wireless System
• 7% VPN Connection
• 7% Dial-up Modem
• 7% Telco Network
• 10% Trusted Third-Party Connection (Includes Infected Laptops)
• 17% Internet Directly
• 49% Via Corporate WAN and Business Network
Source: BCIT (2009)
Average Cost of Manufacturing Downtime = $210,000 per Hour
Source: Infonetics (2005)
includes infected laptops and is growing
from Eric Byres, BCIT
A breakdown of Stuxnet
http://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html
Ralph Langner
German Control systems security
consultant
F-Secure wrap-up on Stuxnet
http://www.youtube.com/watch?v=gFzadFI7sco
• Fragile TCP/IP Stacks – NMAP, Ping Sweep lockup
• Little or no device level authentication
• Poor network design – daisy chains, hubs
• Windows based IA servers – patching, legacy OS
• Unnecessary services running – FTP, HTTP
• Open environment, no port security, no physical security of switch, Ethernet ports
• Limited auditing and monitoring of access to IA devices
• Unauthorised use of HMI, IA systems for browsing, music/movie downloads
• Lack of IT expertise in IA networks, many blind spots
Defense in Depth Approach
• Physical Security – limit physical access to authorized personnel: areas, control panels, devices, cabling, and control room – escort and track visitors
• Network Hardening – infrastructure framework – e.g. firewalls with intrusion detection and intrusion prevention systems (IDS/IPS), and integrated protection of networking equipment such as switches and routers
• End-point Hardening – patch management, antivirus software as well as removal of unused applications, protocols, and services
• Application Security – authentication, authorization, and audit software
• Device Hardening – change management and restrictive access
[Figure: Defense in Depth layers: Physical, Network, Computer, Application, Device]
• Security is not a bolt-on component
• Comprehensive Network Security Model for Defense-in-Depth
• Industrial Security Policy
• DMZ Implementation
• Design Remote Partner Access Policy, with robust & secure implementation
• Comprehensive information here:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
Secure Network Architectures for Industrial Control Systems
Panduit/RA Physical Layer Reference Architectures Design Guide June ‘09
PSL-DCPL
PSL-DCJB
[Figure: reference network architecture, labels by zone.
Enterprise Network (Levels 4–5): Enterprise/IT Integration, Collaboration, Wireless, Application Optimization; Web Apps, DNS, FTP; Internet.
Demilitarized Zone (DMZ) Firewalls: Application and Data share, Access Control, Threat Protection; Cisco ASA 5500 Firewall (Active) and Firewall (Standby) with Gbps Link for Failover Detection; Patch Management, Terminal Services, Application Mirrors, AV Servers.
Manufacturing Zone (Level 3), Distribution and Core: Site Operations and Control, Multi-Service Networks, Network and Security Management, Routing; SCADA Application and Services Servers; Network Services; Cisco Catalyst Switch; Cisco Catalyst 6500/4500; Cisco Cat. 3750X StackWise Switch Stack.
Cell/Area Zone (Levels 0–2), Layer 2 Access: Real-Time Control, Fast Convergence, Traffic Segmentation and Management, Ease of Use; IE3000/3010/2000 Layer 2 Access Switch; Cell/Area #1 (Redundant Star Topology), Cell/Area #2 (Ring Topology), Cell/Area #3 (Linear Topology), with Controller, Drive, HMI and Distributed I/O devices.]
Defend the Industrial Edge
• Firewalling and remote access at levels 0-2 (L2 Transparent Mode) with Industrial IPS/IDS
• Use IT-Approved Access and Authentication
  - VPN for secure remote access
  - Enterprise Access and Authentication servers (e.g. Active Directory, RADIUS, etc.)
• ICS Protocols Stay Home
• Control the Application
  - Remote Access (Terminal) Server
  - Application level security
• No direct traffic through the firewall
• Only one path in and out of industrial - the firewalls
DMZ and Secure Remote Access Guiding Principles
[Figure labels: Internet; Enterprise WAN; Enterprise Data Centre; IPSec VPN; SSL VPN; Enterprise Zone (Levels 4 and 5); Demilitarized Zone (DMZ); Manufacturing Zone (Site Manufacturing Operations and Control, Level 3); Cell/Area Zones (Levels 0–2)]
[Figure: Purdue Reference Model, ISA-95, and Industrial Security Standard ISA-99, labels by zone.
Enterprise Zone: Level 5 Enterprise Network; Level 4 Site Business Planning and Logistics Network (E-Mail, Intranet, etc.).
DMZ (between two firewalls; labels Web, E-Mail, CIP): Terminal Services, Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server.
Process Control Domain: Level 3 Site Manufacturing Operations and Control (SCADA App Server, SCADA Directory, Engineering Workstation, Domain Controller).
Process Control Network: Level 2 Area Supervisory Control (SCADA Client, Operator Interface, Engineering Workstation); Level 1 Basic Control (Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control); Level 0 Process (Sensors, Drives, Actuators, Robots).]
• All network traffic from either side of the DMZ terminates in the DMZ; network traffic does not directly traverse the DMZ
• Application Data Mirror
• No primary services are permanently housed in the DMZ
• DMZ shall not permanently house data
• No control traffic into the DMZ
• Be prepared to “turn-off” access via the firewall
[Figure: Enterprise Security Zone and Industrial Security Zone on either side of the DMZ (Replicated Services), with a Disconnect Point on each side; No Direct Traffic between the two zones]
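One way to check a firewall rule set against two of the DMZ principles on these slides (no direct Enterprise-to-Industrial traffic, and control protocols kept out of the DMZ). This is an added example, not part of the presentation: the zone names, rule format and sample rules are constructed, and the port numbers are the registered ports for EtherNet/IP and Modbus/TCP.

```python
from dataclasses import dataclass
from typing import List, Optional

ENTERPRISE, DMZ, INDUSTRIAL = "enterprise", "dmz", "industrial"

# Registered ports of common industrial control protocols.
ICS_PORTS = {
    ("tcp", 44818): "EtherNet/IP explicit messaging (CIP)",
    ("udp", 2222): "EtherNet/IP implicit I/O (CIP)",
    ("tcp", 502): "Modbus/TCP",
}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None means any destination port
    action: str = "permit"


@dataclass(frozen=True)
class Finding:
    rule: str
    principle: str
    detail: str


def ics_protocols_permitted(rule: Rule) -> List[str]:
    """Names of the control protocols this rule would let through."""
    hits = []
    for (proto, port), label in ICS_PORTS.items():
        proto_ok = rule.proto in ("any", proto)
        port_ok = rule.port is None or rule.port == port
        if proto_ok and port_ok:
            hits.append(label)
    return hits


def audit(rules: List[Rule]) -> List[Finding]:
    """Flag permit rules that break the DMZ principles.

    Anything not explicitly permitted is assumed denied; rule ordering and
    shadowing are not modelled.
    """
    findings = []
    for r in rules:
        if r.action != "permit" or r.src_zone == r.dst_zone:
            continue
        # Principle: traffic terminates in the DMZ, never traverses it.
        if {r.src_zone, r.dst_zone} == {ENTERPRISE, INDUSTRIAL}:
            findings.append(Finding(r.name, "NO_DIRECT_TRAFFIC",
                                    f"{r.src_zone} -> {r.dst_zone} bypasses the DMZ"))
        # Principle: ICS protocols stay home / no control traffic into the DMZ.
        hits = ics_protocols_permitted(r)
        if hits:
            findings.append(Finding(r.name, "ICS_PROTOCOLS_STAY_HOME",
                                    ", ".join(hits)))
    return findings


# Constructed sample rule set (not from the presentation).
SAMPLE_RULES = [
    Rule("ent-to-dmz-portal", ENTERPRISE, DMZ, "tcp", 443),        # HTTPS portal
    Rule("dmz-to-ind-rdp", DMZ, INDUSTRIAL, "tcp", 3389),          # proxied RDP session
    Rule("ind-to-dmz-data-mirror", INDUSTRIAL, DMZ, "tcp", 1433),  # application data mirror
    Rule("ent-to-ind-eng-laptop", ENTERPRISE, INDUSTRIAL, "tcp", 44818),
    Rule("dmz-to-ind-any", DMZ, INDUSTRIAL, "any", None),          # overly broad
    Rule("ind-to-ent-deny", INDUSTRIAL, ENTERPRISE, "any", None, action="deny"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"{f.rule}: {f.principle} ({f.detail})")
```

The first three sample rules pass; the direct engineering-laptop rule and the catch-all DMZ rule are reported.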
1. Firewall Services (Segmentation, Isolation)
2. Application Services (Behavior Enforcement, Application Intelligence and Awareness, Gateway Capabilities)
3. Logging and Historical Services (Traffic, Event histories)
4. Encryption and Data Integrity Services (remote access, and secure channels for data transfer)
5. IPS/IDS Services (deep packet inspection – Sourcefire and Wurldtech Industrial Signatures)
6. Malware Detection and Filtering (deep packet and URL inspection)
I want to allow guests into the network
I need to allow/deny iPads in my network (BYOD)
I want to allow only authorized users access to my network
I need a scalable way of authorizing users or devices in the network
I need to ensure my endpoints don’t become a threat vector
How can I set my firewall policies based on identity instead of IP addresses?
Cisco ISE: Guest Lifecycle Management; Profiling Services; Posture Services; Authentication and Authorization; Security Group Access Management; Identity-based Firewall
[Figure: security components (VPN, VDI, WSA, IPS, ASA-CX, ASA, ISE, 1783-SR) placed across Levels 5 to 0: Enterprise Zone; DMZ (Level 3½); PCD / Manufacturing Zone; PCN / Cell / Area Zone]
Secure Remote Access
Defense in Depth
Security technologies applied
Authentication, Authorization and Accounting
Access Control Lists (ACLs)
Secure Browsing (HTTPS)
Intrusion Protection and Detection
Remote Terminal Session
Application Security
VLANs
Remote Engineers and Partners
Plant Floor Applications and Data
Typical Functions of Secure Routing Platform
© 2014 Cisco and/or its affiliates. All rights reserved.
NAT connecting machines with overlapping address space
[Figure: Machine #1 and Machine #2, each behind a Stratix 5900 performing NAT; both machines use 192.168.1.0/24 (overlapping address space)]
Zone-based Policy Firewall (ZFW)
[Figure: firewall ZFW1 between zone TRUSTED and zone UNTRUSTED; labels: Int 1, Int 2, Int 3, Int 4, Client1, Client2, Server, INTERNET; Zone-Policy OUTBOUND]
• Zone: set of interfaces that share a certain “trust level”
• Policies define rules between zones
ZFW policies are Unidirectional: Source >> Destination
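The zone and zone-pair behaviour summarised above, as a small model of the forwarding decision. This is an added example, not Cisco's or the presenter's code: the interface-to-zone assignment, the contents of the OUTBOUND policy, the extra interface "Int 5" and all addresses are assumptions.

```python
# Assumed layout: Int 1 / Int 2 face the clients, Int 3 / Int 4 face the
# server and the Internet. "Int 5" is a constructed interface that belongs
# to no zone.
ZONE_OF = {"Int 1": "TRUSTED", "Int 2": "TRUSTED",
           "Int 3": "UNTRUSTED", "Int 4": "UNTRUSTED"}

# A zone-pair is keyed by (source zone, destination zone): one direction only.
# The value is the set of (protocol, destination port) the policy inspects.
ZONE_PAIRS = {("TRUSTED", "UNTRUSTED"): {("tcp", 443), ("udp", 53)}}  # OUTBOUND


class Zfw:
    def __init__(self, zone_of, zone_pairs):
        self.zone_of = zone_of
        self.zone_pairs = zone_pairs
        self.sessions = set()  # flows opened by an inspected packet

    def forward(self, in_if, out_if, src, dst, proto, sport, dport):
        """Return (verdict, reason) for one packet crossing the firewall."""
        src_zone = self.zone_of.get(in_if)
        dst_zone = self.zone_of.get(out_if)
        if src_zone is None and dst_zone is None:
            return "pass", "neither interface is a zone member"
        if src_zone is None or dst_zone is None:
            return "drop", "zone member <-> non-member interface"
        if src_zone == dst_zone:
            return "pass", "same zone"
        # Stateful inspection: replies to a session opened in the permitted
        # direction are allowed back without a reverse zone-pair.
        if (dst, src, proto, dport, sport) in self.sessions:
            return "pass", "return traffic of inspected session"
        policy = self.zone_pairs.get((src_zone, dst_zone))
        if policy is None:
            return "drop", f"no zone-pair {src_zone} -> {dst_zone}"
        if (proto, dport) not in policy:
            return "drop", "not matched by zone-pair policy (class-default drop)"
        self.sessions.add((src, dst, proto, sport, dport))
        return "pass", "inspected by zone-pair policy"


def demo():
    """Verdicts for six constructed packets, in order."""
    fw = Zfw(ZONE_OF, ZONE_PAIRS)
    c1, srv = "10.0.0.10", "203.0.113.5"  # constructed addresses
    packets = [
        ("Int 1", "Int 3", c1, srv, "tcp", 50000, 443),          # outbound, in policy
        ("Int 3", "Int 1", srv, c1, "tcp", 443, 50000),          # its return traffic
        ("Int 3", "Int 1", srv, c1, "tcp", 443, 50001),          # unsolicited inbound
        ("Int 1", "Int 2", c1, "10.0.1.20", "tcp", 50002, 445),  # same zone
        ("Int 1", "Int 5", c1, "192.0.2.9", "tcp", 50003, 443),  # non-member interface
        ("Int 1", "Int 4", c1, srv, "tcp", 50004, 23),           # outbound, not in policy
    ]
    return [fw.forward(*p)[0] for p in packets]


if __name__ == "__main__":
    print(demo())
```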
Virtual Private Networks (VPNs)
1783-SR/ISR819 Software Features - Security
Secure Connectivity:
• Secure Sockets Layer (SSL) VPN for secure remote access
• Hardware-accelerated DES, 3DES, AES 128, AES 192, and AES 256
• Public-key-infrastructure (PKI) support
• 20 IPsec tunnels
• Cisco Easy VPN Client and Server
• Network Address Translation (NAT) transparency
• Dynamic Multipoint VPN (DMVPN)
• Tunnel-less Group Encrypted Transport VPN
• IPsec stateful failover
• VRF-aware IPsec
• IPsec over IPv6
• Adaptive control technology
• Session Initiation Protocol (SIP) application layer gateway
Cisco IOS Firewall:
• Zone-Based Policy Firewall
• VRF-aware stateful inspection routing firewall
• Stateful inspection transparent firewall
• Advanced application inspection and control
• Secure HTTP (HTTPS), FTP, and Telnet Authentication Proxy
• Dynamic and static port security
• Firewall stateful failover
• VRF-aware firewall
Content Filtering:
• Subscription-based content filtering with Trend Micro
• Support for Websense and SmartFilter
• Cisco IOS Software black and white lists
Integrated Threat Control:
• Intrusion prevention system (IPS)
• Control Plane Policing
• Flexible Packet Matching
• Network foundation protection
These Features Allow:
Highly Secure, Highly Flexible, Scalable Remote Access Solutions
Configurable via Web GUI Wizards
For Small to Medium Sized Deployments
• Stand-alone Remote Industrial Application
Example: remote site
Requirements
Connection out from the Plant, direct access
Little to no IT support, little to no alignment with Industrial Automation and Control System security standards
Potential Solution
IPSec VPN, DMVPN, FlexVPN – ASA5515 and/or ISR819
[Figure labels: Plant Engineer, Skid Builder, System Integrator; Plant Site WAN Router; WAN; Remote Site WAN Router; 1783-SR/819 ISR; IPSec; × many]
• No VPN client needs to be installed on the remote client
• Access to the internal network through one point of entry
• Uses a standard web browser, platform independent: Internet Explorer, Firefox
• Can access web applications over HTTP and HTTPS, Common Internet File System (CIFS), File Transfer Protocol (FTP)
• Client-Server Plug-ins for Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), Secure Shell (SSH) access, Telnet and Citrix
• VPN appliance gives web-based look and feel for the application access (customizable) through content rewrite process
[Figure: secure remote access architecture, labels by zone.
Internet: Remote Engineer or Partner; Cisco VPN Client; IPSec VPN.
Enterprise Zone (Levels 4 and 5): Enterprise Edge Firewall; Enterprise WAN; Enterprise Data Center; Enterprise Connected Engineer; SSL VPN; HTTPS.
Demilitarized Zone (DMZ): Cisco ASA 5500 Firewall (Active) and Firewall (Standby) with Gbps Link Failover Detection; Patch Management, Terminal Services, Application Mirror, AV Server.
Manufacturing Zone (Site Manufacturing Operations and Control, Level 3): Remote Access Server (RSLogix 5000, FactoryTalk View Studio); Remote Desktop Protocol (RDP); Catalyst 6500/4500; Catalyst 3750 StackWise Switch Stack; FactoryTalk Application Servers (View, Historian, AssetCentre, Transaction Manager); FactoryTalk Services Platform (Directory, Security/Audit); Data Servers.
Cell/Area Zones (Levels 0–2): EtherNet/IP.]
1. Remote engineer or partner establishes VPN to corporate network; access is restricted to IP address of plant DMZ firewall
2. Portal on plant firewall enables access to IACS data, files and applications
   – Intrusion protection system (IPS) on plant firewall detects and protects against attacks from remote host
3. Firewall proxies a client session to remote access server
4. Access to applications on remote access server is restricted to specified plant floor IACS resources through IACS application security
1. Identify all connections to SCADA networks
2. Disconnect unnecessary connections to the SCADA network
3. Evaluate and strengthen the security of any remaining connections to the SCADA network
4. Harden SCADA networks by removing or disabling unnecessary services
5. Do not rely on proprietary protocols to protect your system
6. Implement the security features provided by device and system vendors
7. Establish strong controls over any medium that is used as a backdoor into the SCADA network
8. Implement internal and external intrusion detection systems and establish 24-hour-a-day incident monitoring
9. Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns
10. Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security
11. Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios
12. Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and users
13. Document network architecture and identify systems that serve critical functions or contain sensitive information that require additional levels of protection
14. Establish a rigorous, ongoing risk management process
15. Establish a network protection strategy based on the principle of defense-in-depth
16. Clearly identify cyber security requirements
17. Establish effective configuration management processes
18. Conduct routine self-assessments
19. Establish system backups and disaster recovery plans
20. Senior organizational leadership should establish expectations for cyber security performance and hold individuals accountable for their performance
21. Establish policies and conduct training to minimize the likelihood that organizational personnel will inadvertently disclose sensitive information regarding SCADA system design, operations, or security controls
21 Steps to securing a SCADA network
http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf
www.shodanhq.com
Plantwide Benefits of EtherNet/IP Seminar Billingham 09.07.2014

(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...ranjana rawat
 

Plantwide Benefits of EtherNet/IP Seminar Billingham 09.07.2014

  • 1. Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved. Industrial IoT in Action Phil George – Solution Architect
  • 2. Ethernet SQL Cloud BIG DATA Virtualization Mobility Social Media
  • 8. Podcast Chatroom Inflection Point “an event that changes the way we think and act” Andy Grove, Intel Co-founder Infotainment Sidebar Geek Landline Speed Dating App Buzzword Widget Webinar Cyber grieving ping Blog hashtag BFF LOL phishing Flash drive Tagging firewall JPG Flat screen informationalize Tweet Google Unfriend Wiki IM Cloud
  • 9. SECURE Connected Enterprise Unprecedented Value Disruptive Technologies Faster Time-to-Market Lower Total Cost of Ownership Improved Asset Utilization Enterprise Risk Management INFLECTION Now! $ Cloud Ethernet Mobility Big Data Business Analytics
  • 10. $ Faster Time to Market Improved Asset Utilization Enterprise Risk Management Lower Total Cost of Ownership
  • 11. Global POPULATION trends (2020) • Will exceed 7.6 billion • More than 70 million annually will cross into the middle class • Middle class adding $8 trillion to consumer spend Source: McKinsey
  • 12. EMERGING MARKET CONSUMERISM RESOURCE PRODUCTIVITY INVESTMENT Increased Demand on Industrial Production $1T Source: McKinsey 150% More Energy More Water 30% 100% More Vehicles GLOBAL POPULATION TRENDS INCREASE DEMAND FOR Manufacturing 80% More Steel Resources Infrastructure
  • 13. Supply Chain Optimized for Rapid Value Creation • Supply Chain Integration • Collaborative, Demand Driven • Compliant and Sustainable AGILITY PRODUCTIVITY Enterprise Distribution Center Smart Grid Customers COMPANY CONFIDENTIAL THE CONNECTED ENTERPRISE SUSTAINABILITY
  • 14. Customer Demand Industrial Processes Supply Chain INDUSTRIAL Internet of Things Raw data > Contextualized Data > Business System
  • 15. Actuators Intelligent Motor Control Terminals Audio Video Sensors
  • 16. Enterprise Infrastructure Automation Infrastructure One Common Environment CONVENTIONAL: SEPARATE IT & AUTOMATION FUTURE: UNIFIED INFRASTRUCTURE TRANSFORMATION INTEGRATED CONTROL AND INFORMATION ENABLER Common Secure Ethernet Infrastructure
  • 17. 2011 2012 # of ReCoats reduced due to real-time alerts Oven temperatures accessed real-time $302k/yr Eliminated by Contract Dispatch Allows all to access EPA data Visibility into loss of production faults lead to root cause identification @ PAINT LAB KENTUCKY FACILITY
  • 18. Agenda Plant-wide Benefits of Ethernet/IP • Fundamentals of Ethernet/IP • Designing the Physical Layer • Industrial & IT Network Convergence • Ethernet/IP Product Selection • Securing Automation Networks
  • 19. www.rockwellautomation.com Follow ROKAutomation on Facebook & Twitter. Connect with us on LinkedIn. www.rockwellautomation.com/connectedenterprise
  • 20. EtherNet/IP Overview Benefits of EtherNet/IP Seminar Series
  • 21. Industrial Networks Needs Long Term Trends • Open network • Converged network technologies (information sharing, common design) • Better asset utilization - lean initiatives (training, support, and inventory) • Future ready – to maximize investments and minimize risks
  • 22. Industrial Applications Convergence Industrial Network Trends Information I/O Drive Control Safety Applications Process Power Control Multi-discipline Industrial Network Convergence High Availability Energy Management Controller Drive Network Safety Network I/O Network Plant/Site Network Disparate Network Technology Safety I/O Single Industrial Network Technology Camera Controller VFD Drive HMI I/O Plant/Site Instrumentation
  • 23. EtherNet/IP is the global leader: 5M+ nodes sold, 300+ vendors, 1000s product lines Control System Engineer • Enable future-ready, high performance • Use an established, widely accepted network technology supported by leading industry vendors IT Network Engineer • Use standard Ethernet and TCP/IP • Utilize common network infrastructure assets & tools System Integrator • Enable seamless plant-wide / site-wide information sharing • Converge industrial and non-industrial traffic Equipment Builder • Enable convergence-ready solutions • Use a single multi-discipline control and information platform EtherNet/IP - One Standard Industrial Network Technology For….
  • 24. EtherNet/IP: “IP” - Industrial Protocol Single Industrial Network Technology • ODVA • Supported by global industry leaders such as Cisco Systems®, Omron®, Schneider Electric®, Bosch Rexroth AG®, Endress+Hauser and Rockwell Automation • Conformance & Performance Testing • Standard • IEEE 802.3 - standard Ethernet, Precision Time Protocol (IEEE-1588) • IETF - Internet Engineering Task Force, standard Internet Protocol (IP) • ODVA - Common Industrial Protocol (CIP) • IEC - International Electrotechnical Commission – IEC 61158 • IT Friendly and Future-Ready (Sustainable) • Multi-discipline control and information platform • Established - products, applications and vendors www.odva.org
  • 25. OSI 7-Layer Reference Model (Open Systems Interconnection) Single Industrial Network Technology. Layer No. / Layer Name / Function: Layer 7 Application: Network Services to User App; Layer 6 Presentation: Encryption/Other processing; Layer 5 Session: Manage Multiple Applications; Layer 4 Transport: Reliable End-to-End Delivery, Error Correction; Layer 3 Network: Packet Delivery, Routing; Layer 2 Data Link: Framing of Data, Error Checking; Layer 1 Physical: Signal type to transmit bits, pin-outs, cable type. Examples: CIP IEC 61158, IETF TCP/UDP, IETF IP, IEEE 802.3/802.1, TIA - 1005; Routers, Switches, Cabling. What makes EtherNet/IP industrial? Physical Layer Hardening, Infrastructure Device Hardening, Common Application Layer Protocol 5-Layer TCP/IP Model CIP IEC 61158
  • 26. OSI Reference Model Protocol Stack Application Presentation Session Transport Network Data Link Physical Layer 7 Layer 6 Layer 5 Layer 4 Layer 3 Layer 2 Layer 1 TIA - 1005 Layer Name Layer No. Function CIP Application Layers Data Transport Layers IETF TCP/UDP IETF IP IEEE 802.3/802.1
  • 27. OSI Reference Model Open Systems Interconnection Application Presentation Session Transport Network Layer 7 Layer 6 Layer 5 Layer 4 Layer 3 Vendor Specific Vendor Specific Layer Name Layer No. Function Data Link Physical Layer 2 Layer 1 IEEE 802.3/802.1 TIA - 1005 Limits Portability and Routability, may require additional assets to forward information throughout the plant-wide / site-wide architecture
  • 28. OSI Reference Model Open Systems Interconnection Vendor Specific Vendor Specific Function Vendor Specific TIA - 1005 Non standard Ethernet, will require additional assets to connect into the plant-wide / site-wide architecture Application Presentation Session Transport Network Layer 7 Layer 6 Layer 5 Layer 4 Layer 3 Layer Name Layer No. Data Link Physical Layer 2 Layer 1
  • 29. OSI Reference Model Network Independent Layer 7 Layer 4 Layer 3 Layer 2 Layer 1 Layer No. Network Independent
  • 30. Industrial Applications Convergence Industrial Network Trends Safety I/O Single Industrial Network Technology Camera Controller VFD Drive HMI I/O Plant/Site Instrumentation • Multiple Network Technologies • Topology Limits • Physical Segmentation • Data Duplication • Multiple 1 Network Technologies • Topology Limits • Physical Segmentation Options • Data Duplication Disparate Network Technology
  • 31. The Alternative “Islands of Automation”
  • 32. Micro Data Center • Racks • Patching • Cable Management • Copper/Fiber Collaboration of Partners Network Technology Convergence Logical Framework Physical Framework • Noise Mitigation • Control Panel • Network Zone Catalyst 3750 StackWise Switch Stack Gbps Link for Failover Detection Firewall (Active) Firewall (Standby) MCC Levels 0–2 HMI Cell/Area Zone #1 Redundant Star Topology Flex Links Resiliency Cell/Area Zone #3 Bus/Star Topology Cell/Area Zones Industrial Demilitarized Zone (IDMZ) Enterprise Zone Levels 4 and 5 Rockwell Automation Stratix 8000 Layer 2 Access Switch Cisco ASA 5500 Industrial Zone Site Operations and Control Level 3 Remote Access Server Catalyst 6500/4500 Phone Controller Camera Safety Controller Robot Soft Starter Cell/Area Zone #2 Ring Topology Resilient Ethernet Protocol (REP) I/O Plant Firewall: • Inter-zone traffic segmentation • ACLs, IPS and IDS • VPN Services • Portal and Terminal Server proxy Physical or Virtualized Servers • Patch Management • Remote Gateway Services • Application Mirror • AV Server Physical or Virtualized Servers • FactoryTalk Application Servers & Services Platform • Network Services – e.g. DNS, AD, DHCP, AAA • Remote Access Server (RAS) • Call Manager • Storage Array Wide Area Network (WAN) Physical or Virtualized Servers • ERP, Email, Call Manager • Active Directory (AD) • AAA – Radius Enterprise WAN Safety I/O Servo Drive Instrumentation • Copper, Fiber, Wireless Testers • Network Discovery • Protocol Statistics • Network Discovery • Protocol Statistics Common Toolsets
  • 33. Enterprise Infrastructure Automation Infrastructure One Common Environment CONVENTIONAL: SEPARATE IT & AUTOMATION FUTURE: UNIFIED INFRASTRUCTURE TRANSFORMATION INTEGRATED CONTROL AND INFORMATION ENABLER Common Secure Ethernet Infrastructure
  • 34. Industrial Networks Summary • Open networks are in demand • Broad availability of products, applications and vendor support for Industrial Automation Network standards for coexistence and interoperability of industrial automation devices • Convergence of network technologies • Reduce the number of disparate networks in an operation and create seamless information sharing throughout the plant-wide / site-wide architecture • Use of common network design, deployment and troubleshooting tools across the plant-wide / site-wide architecture; avoid special tools for each application • Better asset utilization to support lean initiatives • Common network infrastructure assets, while accounting for environmental requirements • Reduce training, support, and inventory for different networking technologies • Future-ready – maximizing investments and minimizing risks • Support new technologies and features without a network forklift upgrade Reduce Risk Simplify Design Speed Deployment
  • 35. A new ‘go-to’ resource for educational, technical and thought leadership information about industrial communications • Standard Internet Protocol (IP) for Industrial Applications • Coalition of like-minded companies www.industrialip.org
  • 36. Agenda Plant-wide Benefits of Ethernet/IP • Fundamentals of Ethernet/IP • Designing the Physical Layer • Industrial & IT Network Convergence • Ethernet/IP Product Selection • Securing Automation Networks
  • 37. www.rockwellautomation.com Follow ROKAutomation on Facebook & Twitter. Connect with us on LinkedIn. EtherNet/IP Overview Benefits of EtherNet/IP Seminar Series
  • 38. Will your Physical Layer perform? Plantwide EtherNet/IP Ecosystem Design and Deployment Panduit’s Distributor Partner
  • 39. Vision: Unified Physical Infrastructure Office: Data Center Solution Building: Connected Buildings Solution Manufacturing: Industrial Automation Solution
  • 40. Critical Manufacturing Assets are at Risk! • Downtime • Security lapses • Performance degradation
  • 41. Installation pitfalls 1. Proper cable installation is critical 2. No matter the hardware, shoddy cable installation will result in a poor network 3. This makes it impossible to manage, maintain and troubleshoot
  • 42. Importance of the Physical Layer “A significant portion of network downtime, approx. 80%, is attributed to Physical Layer Connections.” Sage Research
  • 43. Designing the Physical Layer for Ethernet/IP What do Physical Layer Reference Architecture based best practices look like?
  • 44. Physical Layer Design Considerations • Design and implement a robust physical layer • Environment Classification - MICE • More than cable – Connectors – Patch panels – Cable management – Grounding, Bonding and Shielding (noise mitigation) • Standard Physical Media – Wired vs. Wireless – Copper vs. Fiber – UTP vs. STP – Singlemode vs. Multimode – SFP – LC vs. SC • Standard Topology Choices – Switch-Level & Device-Level Cable Selection ENET-WP007 LAN Troubleshooting Guide Industrial Ethernet Physical Infrastructure Reference Architecture Design Guide ODVA Guide
  • 45. Rockwell/Cisco RA Logical De-Militarized Zone (DMZ) Enterprise Zone (EZ) De-Militarized Zone (DMZ) Manufacturing Zone Manufacturing Zone Cell/Area Zone FIREWALL (ACTIVE) FIREWALL (STANDBY) GE Link for Failover Detection Windows 2003 Servers • Remote Desktop Connection • VNC • PCAnywhere LAYER 3 ROUTER LAYER 3 ROUTER LAYER 3 SWITCH LAYER 3 SWITCH Automation Apps • Historian • Data Distribution • Asset Security • Engineering Applications • Databases Network Services • DNS, DHCP, Syslog Server • Network & Security Management (Redundant Star Topology) (Ring Topology) (Bus/Star Topology)
  • 46. Enterprise Zone FIREWALL (ACTIVE) FIREWALL (STANDBY) (Ring Topology) (Bus/Star Topology) LAYER 3 ROUTER LAYER 3 ROUTER LAYER 3 SWITCH LAYER 3 SWITCH
  • 47. Reference IN-Solution IN-Frastructure IN-Route IN-Panel HMI CTRLR DRIVE DISTi/O IN-Field Enterprise Zone FWA FWB DMZ IN-Room L3R L3R L3S L3SPaS DB Manufacturing Zone Cell/Area Zones Physical L2S L2S L2S L2S
  • 48. Panduit Industrial Automation 5 Core Solutions IN-ROOM™ Control Room, Data Center, Telco Closet IN-PANEL™ Control Panels, Electrical Panels and MCC IN-FIELD™ On the Machine, In the Process Area, or Outdoors IN-FRASTRUCTURE™ Power Distribution, Lighting, HVAC Security, Safety IN-ROUTE™ Industrial Pathways, Network Zone Enclosures
  • 49. Simplify with validated building blocks Physical Layer Design Considerations Micro Data Center Zone Enclosures Control Panel Solutions
  • 50. Micro Data Center – IN-Room Solution Enterprise/Office Patchfield used to uplink switch to level 4 & 5 Enterprise Server Patching Cross connect between production servers and switch Firewall and DMZ Logical buffer zone between the Enterprise and Manufacturing Manufacturing Zone Patchfield used to connect layer 3 switch to layer 2 switches used on plant floor IN-ROOM™
  • 51. Physical Network Security • Keyed solutions for copper and fiber • USB Type A, B Ports • Lock-in, Blockout products secure connections IN-ROOM™ IN-ROUTE™ IN-PANEL™ IN-FIELD™
  • 52. Micro Data Center Simplification - Organize, Secure, and Standardize Challenges: • Disorganized • Network performance issues • Frequent moves, adds & changes Solutions: • Structured approach • Media selection/security • Visual identification BEFORE AFTER Micro Data Center Solutions Physical Layer Design Considerations IN-ROOM™
  • 53. IN-Route - Getting from “Point A” to “Point B” Built-In Failure Points IN-ROUTE™
  • 54. Environmental Focus – M.I.C.E. Office Industrial Increased Environmental Severity TIA/EIA 1005 Electromagnetic Climatic Chemical Ingress • Water • Dust Mechanical • Shock • Vibration E1 C1 I1 M1 E2 C2 I2 M2 E3 C3 I3 M3
  • 55. You can’t choose components without knowing the Environment
  • 56. IN-Route - Zone Cabling Methods TR Centralized Cabling – Home runs from each node back to the telecommunication room. TR Z Z Z Zone Cabling – Provides for Reduced home-run wiring, easy moves / adds / changes and reduced size of telecommunication room IN-ROUTE™
  • 57. Pathways • Overhead cable tray routing system • Designed to route and manage copper, fiber optic, or power cables IN-ROUTE™
  • 59. Dielectric Conduited Fiber Cable (DCF) KEY BENEFIT: Easier to install fiber cable (eliminates conduit & grounding) with rugged, crush resistant construction SOLUTION COMPONENTS 1. 12 part numbers. • Fiber Counts: 2, 4, 8, & 12 • Fiber Types: OS1/OS2, OM1, OM2 2. Compatible with OptiCam connectors IN-ROUTE™
  • 60. Zone Enclosures – Pre-configured Best way to structure manufacturing network • Leverages Cisco/RA recommended architecture for best network performance • Built for capability of rapid network expansion • Touch-safe for Facility IT access • Significantly reduces lead time to deploy IN-ROUTE™
  • 61. Zone Enclosures – Optimized for Stratix Physical Layer Design Considerations • Pre-configured, Pre-tested for Stratix 8300, 8000 and 5700 switches • Safe, Secure, Thermally tested • Save time/cost/risk: – IT/controls convergence point – Machine Builders IN-ROUTE™
  • 62. Robust, Secure, Future-Ready Network Distribution Challenges: • Scalability issues • Diagnostics & troubleshooting • Evolving cable mgmt Solutions: • Zone enclosure • Media selection & security • Cable routing BEFORE AFTER IN-Route: Network Distribution Simplification Physical Layer Design Considerations IN-ROUTE™
  • 63. IN-Panel - Understanding the Problem There are several market trends that are exerting pressure on the design and architecture of a Control Panel. – Space Optimization – Terminations – Network Cabling – Noise Mitigation – Safety/Security IN-PANEL™
  • 64. EtherNet in the Control Panel • Additional requirements and solutions are required with the addition of EtherNet into the Control Panel. IN-PANEL™
  • 65. Planning for networking in the panel • What are common networking challenges in the panel? – Overall concerns • Diagnostics/troubleshooting • Maintenance • Future system upgrades – Performance in potentially high noise environment • Zoned layouts • Shielding – Finding panel space for new components Clean Noisy Very Noisy N IN-PANEL™
  • 67. Panduit Confidential Information - not for Distribution Polymer Coated Fiber (PCF) Cable, LC Connector, Termination Tool Kit KEY BENEFITS: Ease of field termination (CRIMP, CLEAVE AND LEAVE), Performance, Noise Immunity SOLUTION COMPONENTS 1. Polymer Coated Fiber (PCF) cable (zip cord and break-out cables) 2. Field-attached LC connector for 50/200/230µm & 62.5/200/230µm PCF fiber 3. Field termination tool kit IN-PANEL™ IN-FIELD™
  • 68. Terminating Fiber Using PCF Crimp-On Connectors No-Voiceover IN-PANEL™ IN-FIELD™
  • 69. • Maximizes panel space utilization • Easier to design for future system upgrades • Provide up to 30% space savings Panduit PanelMax™ Offering: Space Optimization Increases Design Flexibility Physical Layer Design Considerations Corner Wiring Duct Utilizes space typically unusable in enclosure corner DIN Rail Wiring Duct Uses enclosure depth to save panel footprint space; improve component access Shielded Wiring Duct Mitigates EMI noise to reduce wire separation distance Shielded Wiring Duct Conventional Wiring Duct Design Flexibility All of these products contribute to cost savings IN-PANEL™
  • 70. Panduit Network Solutions for the Control Panel Physical Layer Design Considerations • Optimized solutions for Machine Builder Stratix 5700 deployments DIN Rail Mount Adapter Modular DIN rail mounting for Copper or Fiber connectivity Patch Panel Facilitate testing, and future Moves, Adds and Changes Fiber, Cat6 Patch Cords Performance guaranteed IN-PANEL™
  • 71. IN-Panel: Optimized with Partners Physical Layer Design Considerations • Leverage power of EtherNet/IP and eco-system partners – Panduit Fiber, Patching, Noise Mitigation, Space Optimization, Grounding/Bonding – RA Stratix 5700 for machine builder – RA 1585 patch cords – Test with Fluke Networks • EtherNet/IP connects to Zone Enclosures and Micro Data Center for convergence aligned with Cisco/RA CPwE IN-PANEL™
  • 72. IN-Field Challenges • High MICE levels – Vibration – Chemical – Temperature – Wash down • Wire management rated for environment • Food safety ON Machine or Process areas IN-FIELD™
  • 73. IN-Field Solutions: Manage and Protect • Harsh rated cable management and identification • Abrasion protection • Grounding/Bonding Metal detectable wire management for Food industry IN-FIELD™
  • 74. IN-Frastructure: Challenges • Facility Grounding/Bonding, Power • Costs of safety incidences • Lockout/Tagout implementation IN-FRASTRUCTURE™
  • 75. IN-Frastructure: Solutions • Grounding/Bonding components and solutions • Safety labels and signage • Lockout/Tagout systems IN-FRASTRUCTURE™
  • 77. SM Control Panel Layout Whitepaper • Best practices = reduced call backs, problems..greater solution sales
  • 79. SM Design your system using cost effective and easy to troubleshoot Network Architectures Micro Data Center Zone Enclosure Control Panel Solutions Easy Building Block Approach
  • 80. SM 43 Industry Level Thought Leadership Enterprise Functional Design Environmental Requirements (M.I.C.E.) Logical Level Shared Architecture Physical Level Plant Floor Design All wrapped up in a 450 page, “How To” manual with contributions from Fluke and Rockwell Automation, on designing and installing the physical infrastructure for an Industrial Ethernet Network Panduit: Physical Infrastructure Reference Architecture
  • 81. SM Design/Spec Tools Physical Layer Design Considerations Design Micro Data Centers in Visio and paste BOM into Proposalworks!
  • 82. SM 45 Plant Floor - “Macro Architecture” summary MICE 1-1-1-1 MICE 3-2-3-3 MICE 3-1-2-3 MICE 1-1-1-3 MICE 3-3-3-3 MICE 2-1-3-2 MICE 2-2-2-1
  • 83. SM 5/1/2014 Fiber Optic Application Best Practices for EtherNet/IP
  • 84. SM Agenda Saving Time/Cost with Fiber Fiber Selection Physical Infrastructure for Fiber Deployments
  • 85. SM Agenda Saving Time/Cost with Fiber Fiber Selection Physical Infrastructure for Fiber Deployments
  • 86. Industrial Networks Live in the Real World • Industrial networks must take into consideration the physical challenges of the facilities environment. • Location, routing and equipment choices should be based on the complete understanding of cause and effect conditions. • Environmental Focus – M.I.C.E. (TIA-1005) [Diagram labels: Sensor, Drive, I/O, Plant Ethernet, Controller, Switch, Ethernet]
  • 87. Fiber that Fits Both the Environment and the Application Fiber is now being used in all areas of an Industrial Network Deployment
  • 88. Benefits of Fiber in an Industrial Space • Fiber is completely noise immune • Fiber can be used in high M.I.C.E. environments • Fiber can be rated for indoor, outdoor and transition spaces • Armored Fiber (available in both metallic and all-dielectric) reduces the need for, and installation costs of, innerduct and conduits • Smaller footprint of cables (one fiber cable vs. bundle copper (UTP)) • Reliability and speed of installation reduces the total cost of ownership [Diagram: Converged Ethernet Manufacturing Network Model. Labels: Corporate Network; Sensors and other Input/Output Devices; Motors, Drives, Actuators; Supervisory Control; Robotics; Back-Office Mainframes and Servers (ERP, MES, etc.); Office Applications, Internetworking, Data Servers, Storage; Human Machine Interface (HMI); Controller]
  • 89. Key Elements of a Successful EtherNet/IP Network Design • Understanding application and functional requirements • Developing a logical framework (roadmap) • Developing a physical framework • Determining security requirements and partnering with IT • Using technology and industry standards, reference models and reference architectures [Architecture diagram labels: Catalyst 3750 StackWise Switch Stack FactoryTalk Application Servers • View • Historian • AssetCentre • Transaction Manager FactoryTalk Services Platform • Directory • Security/Audit Data Servers Gbps Link for Failover Detection Firewall (Active) Firewall (Standby) I/O Levels 0–2 HMI Cell/Area Zone #1 Redundant Star Topology Flex Links Resiliency Cell/Area Zone #3 Bus/Star Topology Cell/Area Zones Demilitarized Zone (DMZ) Enterprise Zone Levels 4 and 5 Rockwell Automation Stratix 8000 Layer 2 Access Switch Cisco ASA 5500 Industrial Zone Site Operations and Control Level 3 Remote Access Server Catalyst 6500/4500 ERP, Email, Wide Area Network (WAN) Network Services • DNS, DHCP, syslog server • Network and security mgmt Drive Controller HMI I/O Controller Drive Controller Drive HMI Cell/Area Zone #2 Ring Topology Resilient Ethernet Protocol (REP) I/O I/O Patch Management Remote Gateway Services Application Mirror AV Server Plant Firewall: • Inter-zone traffic segmentation • ACLs, IPS and IDS • VPN Services • Portal and Terminal Server proxy]
  • 90. Agenda • Saving Time/Cost with Fiber • Fiber Selection • Physical Infrastructure for Fiber Deployments
  • 91. Selecting the Right Fiber Requires Knowing the Application Environment... Knowing the Distance Requirements. Knowing the Equipment you are connecting to.
  • 92. Knowing the Capability of Your Equipment Let’s take a sample application and go through it step-by-step. The Equipment – The first step in choosing the right fiber is to look at the capability of your equipment. • Look at the specifications of the equipment to determine the speed of the connections • The Fiber you choose should at least be able to handle the fastest mode of the existing system
  • 93. Knowing the Capability of Your Equipment The Stratix is a good switch to use as an example because it has both Uplink ports and Data ports running at different speeds. • The uplink port speed is determined by the use of copper or fiber. If it’s fiber, the configuration of the “SFP” module determines the speed of the system. SFP Stands for “Small Form Pluggable” Module
  • 94. Knowing the Capability of Your Equipment The Stratix is a good switch to use as an example because it has both Uplink ports and Data ports running at different speeds. SFP Stands for “Small Form Pluggable” Module
  • 95. Understanding Your Expansion or Upgrade Path The following is an example list of specifications for the fiber-optic SFP module connections. It’s IMPORTANT that each port must match the wavelength specifications on the other end of the cable, and for reliable communication, the cable must not exceed the rated maximum cable length.

    | SFP Module Type | Cat. No. | Wavelength (nm) | Fiber Type | Core Size/Cladding Size (micron) | Modal Bandwidth (MHz/km)(1) | Cable Distance |
    |---|---|---|---|---|---|---|
    | 100BASE-FX | 1783-SFP100FX | 1310 | MMF | 50/125 | 500 | 2 km (6562 ft) |
    | | | | | 62.5/125 | 500 | 2 km (6562 ft) |
    | 100BASE-LX | 1783-SFP100LX | 1310 | SMF | G.6522 | | 10 km (32,810 ft) |
    | 1000BASE-SX | 1783-SFP1GSX | 850 | MMF | 62.5/125 | 160 | 220 m (722 ft) |
    | | | | | 62.5/125 | 200 | 275 m (902 ft) |
    | | | | | 50/125 | 400 | 500 m (1640 ft) |
    | | | | | 50/125 | 500 | 550 m (1804 ft) |
    | 1000BASE-LX/LH | 1783-SFP1GLX | 1310 | SMF | G.6522 | | 10 km (32,810 ft) |

    (1) Modal bandwidth applies only to multimode fiber.
    * Information comes from Stratix Users Manual
  • 96. Answers Always Lead to More Questions The Equipment – The result of our equipment investigation is that we learned: • The max speed for the uplink is 1GBase-T • The max speed for the data port is 100Base-T • There are several choices for SFP modules that can support both Single and Multimode. The next question: “Is there an existing system of fiber, and what core size is being used?” Core size? ... yes, Core size?
  • 97. What Makes Up a Fiber Cable? The Cable – There are two classes of Fiber in use today: • Single Mode – Long Distance Fiber, more expensive technology • Multi Mode – Shorter Distance, more cost effective for inside plant use. • To understand the differences between core sizes, and why they matter, you need to know what makes up a fiber cable.
  • 98. How Big is the Fiber (relatively)? [Figure: relative cross-sections labelled Core, Cladding and Buffer; sizes shown: 9, 50, 62.5, 125µm, 200µm, 230µm; all sizes expressed in microns] Core size will tell you the OMx of the Fiber
  • 99. Single Mode Fiber [Figure: 9µm, 125µm; all sizes expressed in microns]
  • 100. Multi-Mode Fiber (50 and 62.5 micron) [Figure: 50, 62.5, 125; all sizes expressed in microns]
  • 101. Polymer Coated Multi-mode Fiber (PCF) [Figure: 50, 62.5, 200, 230; all sizes expressed in microns]
  • 102. What Do the OM Ratings Mean? If you see OM in the Fiber grade it always means Multi-Mode. – The US Adopted a Grading System Invented By ISO, The International Standards Organization in Geneva, Switzerland. The “Optical Multimode” Rating System • “OM 1” --- 62.5 Micron (Mostly legacy systems) • “OM 2” --- 50 Micron (plain vanilla variety) • “OM 3” --- 50 Micron (Laser optimized to work with VCSELs) • “OM 4” --- 50 micron (Extended Bandwidth – Further refined to reduce pulse spreading and enable longer distances) And just like with Copper Categories – A bigger number means better cable!
  • 103. What Do the OS Ratings Mean? • If you see OS in the Fiber grade it always means Single-Mode. • “OS 1” --- 9 Micron (Used with wavelengths of 1310 nm) • “OS 2” --- 9 Micron (Used with wavelengths of 1550 nm) Why does the core size make such a difference in Fiber performance? • OS (single-mode) vs. OM (multi-mode). Think of it like the difference between a rifle shot and a shotgun blast.
  • 104. Example of Single-mode vs. Multi-mode • A Fabry-Perot LASER • A Cheap, Slow LED • Singlemode – more efficient – goes FURTHER • Multimode – less efficient – doesn’t go as far
  • 105. Light Pulse Spreading (“Modal Dispersion”): The Enemy of Throughput • Some of the photons (light particles) go straight, some ricochet around the outside; the further they travel, the closer the leading edge from one pulse gets to the trailing edge of the one before it. • Eventually you can’t tell one pulse from another. [Figure label: A Cheap Slow LED]
  • 106. The Further You Go, the Worse it Gets. You can only go so far with a given grade of multimode fiber before light pulses begin to overlap. [Figure captions: “Hey, I sent a ‘1’” / “What?”]
  • 107. How the OM/OS Ratings Equate to Distance ANSI/TIA-568-C.0 (D.3) Optical fiber cabling supportable distances table. • Table 7 - lists maximum supportable distances and maximum channel attenuation for applications using optical fiber cabling • The table is based on the minimum performance requirements of 62.5/125 µm, 50/125 µm, 850 nm laser-optimized 50/125 µm, and single-mode fiber established by ANSI/TIA-568-C.3
  • 108. Remember the MICE Table? Where you put the fiber, “The Environment”, determines the type of fiber you choose.
  • 109. Applications for “Indoor” Fiber • Indoor Opti-Core Fiber Distribution: used when you have sufficient protection for the fiber • Indoor Opti-Core Interlocking Armor: used when the fiber has to protect itself • Indoor Industrial-Net (PCF) Polymer Clad Fiber: **NEW** electrician-friendly crimp-on connector for direct connect node to node • Indoor Dielectric Conduited Fiber (DCF): **NEW** all the benefits of an armored fiber without the metal. Use in areas suspected of unequal potential grounds
  • 110. Applications for “Indoor-Outdoor” Fiber • Indoor/Outdoor Opti-Core All-Dielectric Fiber Cable: used to transition from indoor to outdoor in a protected area, tray or conduit. • Indoor/Outdoor Opti-Core Gel-Free Fiber Interlocking Aluminum Armored Cable: used to transition from indoor to outdoor yet still protect the cable from harsh mechanical conditions
  • 111. Applications for “Outdoor” Fiber • Opti-Core Gel-Free Fiber Optic Outside Plant All-Dielectric Cable: allows installation using loose tube cable methods for aerial and duct applications • Opti-Core Gel-Free Fiber Optic Outside Plant Armored Cable: allows installation using loose tube cable methods for aerial, duct and direct burial applications
  • 112. One Last Thought When Choosing a Fiber Type – Choosing the Connector • Traditional Puck and Polish type Connectors (5-7 min.) • OptiCam Factory Polished Connectors (2-3 min.) • Industrial Strip & Crimp no-Polish Required Fiber Connectors (approx. 1 min.)
  • 113. Choosing the Connector • OptiCam Connector • PCF Connector
  • 114. Agenda • Saving Time/Cost with Fiber • Fiber Selection • Physical Infrastructure for Fiber Deployments
  • 115. Choosing the Right Fiber Type For the Application Can Save Big $$$ in Materials and Labour
  • 116. Links From Field Switches to Control Rooms Should Support Higher Speeds and Greater Volume
  • 117. Electrician Friendly Fiber Can be Used to Install Long Distance Bus Systems
  • 118. Fiber Optic Infrastructure Planning Physical Layer Design Considerations New joint application guide: Increase the integrity and availability of EtherNet/IP networks with fiber solutions from trusted partners! • Physical infrastructure • Integrated Architecture, Stratix Switches, ETAPs, more • Higher level switches Fiber Guide ENET-TD003
  • 119. Easy to follow Fiber best practices! Physical Layer Design Considerations • Partner validated application guide
  • 120. Summary • Fiber Selection • Physical Infrastructure for Fiber Deployments • Saving Time/Cost with Fiber • Understanding the Environment and the Application • Knowing how to determine equipment and system requirements • Choosing the proper network design for application
  • 122. To Test is to Know. How Good is your Layer 1 Infrastructure? Fluke Networks @ Routeco plc: July 2014 A company
  • 123. Company Confidential Enterprise Network Test Solutions For Datacom Installers, Network Engineers • Market leader in copper and fiber cable certification and testing – Copper test solutions – Fiber test solutions – Wireless solutions • Market leader in troubleshooting and portable management – Portable network test and analysis – Wireless LAN troubleshooting and management – Deep Packet Analysis and Capture • Fluke Networks Solutions – OptiView XG Network Analyzer tablet – DTX CableAnalyzer – Network Time Machine – MicroScanner, NetTool, LinkRunner
  • 124. So, Why Bother Testing? • Confidence for your client. • Assurance for yourself • Evidence for a Cabling system Warranty • Avoids potentially expensive delays in commissioning • Uncovers ‘environmental’ issues • Provides for future upgrades. • End result of testing is Documentation! • The Documentation provides for all above.
  • 125. What’s the big deal? It’s cable, right? • Right! – You’ve used the best components (like building a Formula 1 car) – Followed all the installation rules and guidance…
  • 126. What you have is a link from A to B… [Diagram: A, B]
  • 127. Reference Points for Testing: Industry Standards… • As for almost every other part of a major project, the cabling industry has recognised, defined and understood standards: – EIA/TIA 568C.2 (American, contains the standards for Cat5e, Cat6 and Cat6A and for MM and SM fibre installations) – ISO 11801 (International, contains approximate equivalents Class D, Class E and Class Ea, plus Class F and fibre) – EN 10573 (European Norm, equivalent to ISO 11801.) – Application-specific standards: – TIA1005 (Industrial Ethernet-specific) – 100MB/s Ethernet / 1GB/s Ethernet – 40GB/s Ethernet (fibre only)
  • 128. These standards require us to: • Test (and Pass) a specified range of parameters, save the result and provide documentation.
  • 129. Permanent Link or Channel Test? • Permanent Link: Patch panel to wall outlet including max 1 Cross-connect. • Channel: Permanent Link plus 1 additional patch panel, and user patch cords. Maximum 4 connectors. • Which standard? To be decided by negotiation with your client as part of contract. • Which test model? Default to Permanent Link. Channel is end-user test.
  • 130. Additional Considerations • Is the cable Shielded or Unshielded? – What type of shield is it? S/UTP or FTP or SSTP? • Will the application include Power over Ethernet? – PoE has a separate and specific set of specifications. • Does the client or the warranty provider or the hardware manufacturer have specific additional requirements? – Balance measurements may be required.
  • 131. The end result: 100% compliant documentation of the infrastructure
  • 132. Power over Ethernet (PoE-specific test) • New test limits with specific tests for PoE optimisation. • New Shield Integrity test finds shield errors/damage.
  • 133. What About the Fails? • Real Diagnostics for complex NEXT and Return Loss Fails
  • 135. Enterprise Fiber: Growing Exponentially • 1.5 Billion new internet-connected devices by 2015 (Intel) • 57% annual growth in Enterprise fiber ports: 2011 - 2015 (Dell’Oro, 2011) • In 2015, the equivalent of every movie ever made will transit IP networks, every 5 minutes (Cisco Systems)
  • 136. Enterprise Fiber: Growing Exponentially • 24% annual growth in storage spending for cloud computing (IDC) • 54% growth in 10Gbps+ fiber LAN transceivers (Finisar) • One-hop fabrics replacing traditional switch architecture in datacentres
  • 137. Four Steps to Determining Fibre link Performance 1. Inspect it - Clean it - Inspect it again 2. Polarity check 3. Performance Test 4. Extra Data and Troubleshooting
  • 138. Inspect it – Clean it – Inspect it again. • ALL end-faces have to be clean and undamaged! • Inspecting the fibre end-faces is part of the BASIC test regime according to IEC 14763-3 • Cleaning the end-faces each and every time is not an option… it’s mandatory! “Any connecting hardware adapters used together with all connector end-faces on the test cords comprising the cabling interface adapter, and the cabling under test shall be cleaned according to the instructions provided by the manufacturer of the connectors. Cleaning shall be repeated every time a test cord is connected to the cabling or component under test.”
  • 139. What you can’t see CAN hurt your test result! • Dirt migrates from a dirty to a clean connector
  • 140. Check Polarity • Visual Fault Locator (Laser light-pen) • Uses high intensity visible light source • Quick and Easy to use • Relatively low cost • Provides a go/no-go indication • Can help find sources of loss.
  • 141. Fibre Performance Certification • Standards-based Two-Tier Testing (TIA TSB-140) • Tier 1: OLTS (Optical Loss Test Set) – Encircled Flux Compliance Required. – Power Meter and Light Source with built-in length measurement. – Losses and lengths conform to industry standards • Most closely simulates active system – Verify polarity using OLTS • Tier 2: Tier 1 plus OTDR trace – Evidence that cable is installed without degrading events (e.g. bends, connectors, splices)
  • 142. Loss/Length Certification Test two fibers (a transmit/receive pair) • Each fiber at two wavelengths – Measure optical length – Compute power budget and display Pass or Fail – Standards-based Tier 1 certification • 2 power measurements in each direction, plus length – Comprehensive Go/No-go result
  • 143. Tier 2: Where fibre diagnostics reside. • Tier 2: Tier 1 plus OTDR trace – Evidence that cable is installed without degrading events (e.g. bends, connectors, splices)
  • 144. A new type of OTDR Result that almost everyone can understand • Alternative trace presentation of link topology • Reduce need for OTDR expertise • Icons designate the type of fiber event • One-tap gives access to all event details
  • 145. Back to the Documentation:
  • 146. IMPORTANT part of the fibre condition…
  • 147. OTDR Traces are not for everyone… EventMap provides an easily understood pictorial representation of the fibre link, for many the end of ‘trace-psychosis’.
  • 148. Every ‘PASS’ report includes a Compliant Network Standards List…
  • 150. Copyright © 2012 Rockwell Automation, Inc. All rights reserved. Industrial and IT Network Convergence Ethernet/IP Enables Convergence Name – Mike Loughran Title – Solution Architect Date – 29th April 2014
  • 151. Copyright © 2012 Rockwell Automation, Inc. All rights reserved.COMPANY CONFIDENTIAL - Internal Use Only Emerging Technologies in Operations All the BUZZ… The Internet of Things (IoT) Intelligent devices start to communicate with each other
  • 152. What does it all mean? • Big Data – Large amounts of information are available to manage the supply chain & complex processes • Cloud Computing & Virtualization – Speed up deployment of production, add flexibility, reduce capital investments & increase access across global operations – Increase longevity, reliability & provide disaster recovery • Mobility & BYOD (Bring Your Own Device) – Improve maintainability, uptime, asset longevity, safety and cost control. Driven Largely by Information Technology. Most of it is buried on the production floor in historians or other databases. Centers around Information Technology (IT) more than Operations/Production management. Technicians, Supervisors, Operators are all mobile during their typical work day.
  • 153. Why are Emerging Technologies so Important? Automated adaptable processes & decisions
  • 154. Why are Emerging Technologies so Important? • Empowers companies to grow faster, produce better products and serve customers more effectively • It connects a workforce, analyzes data and allows for continuous improvements • Companies can leverage technological advances as a competitive advantage and must constantly seek newer, faster and better technologies to improve their business. Early-adopters typically acknowledge the risk that comes with new technology. Keeping abreast of new developments is an ongoing job with both risks and rewards.
  • 155. Industrial Network Convergence: Industrial Network Trends. EtherNet/IP – Enabling & Driving Multi-discipline Industrial Network Convergence • Process Control • Discrete Control • Information Technology • Intelligent Motor Control
  • 156. The Value in Bringing the Information Together • Control Systems • HMIs • Production Scheduling • Alarms/Events • Other Database Systems • Computerized Maintenance Management Systems • Performance • Quality Systems • Data Historians • Laboratory Information Management Systems. You need a network technology that is STANDARD, PROVEN and MORE than a FIELDBUS! You need robust Infrastructure Solutions to deliver the information fast, reliably and securely!
  • 157. From Production to the Enterprise - Rockwell Automation & Cisco Alliance • Common Technology View • Single system architecture, using open, industry standard networking technologies – EtherNet/IP • Delivering Converged Plantwide Ethernet (CPwE) Architectures for manufacturing and industrial environments • Best pathway to Operations/IT network convergence with detailed design and implementation guidance • Joint Product and Solution Collaboration • Creating an ideal networking environment for both IT and controls professionals. • People and Process Optimization • Education and services to facilitate Manufacturing and IT convergence. Rockwell Automation and Cisco present the most valuable resource in the industry for deploying a converged network infrastructure. Leadership in IT and Plant Operations
  • 158. Risks and threats to networked systems. Security risks increase potential for disruption to System uptime and Safe operation and a loss of IP • Unintended employee actions • Theft • Unauthorized actions by employees • Unauthorized access • Denial of Service • Application of Security patches • Unauthorized remote access • Natural or Man-made disasters • Sabotage • Worms and viruses [Diagram labels: Business Risk, INFORMATION, OPERATIONS]
  • 159. A Vendor’s Perspective • Control System lifecycles are long (20+ years) • Products will have vulnerabilities • Security is a team sport • Vendors & Customers • IT & Engineering • Pick your teams (point: don’t go it alone) • REMEMBER: Human beings are imperfect • Control System safety & security are closely linked • Control System security manages variables • Managing the security variables enhances uptime. UPTIME = PROFITABILITY
  • 160. Our Approach to Industrial Security • Layered Security Model: Shield potential targets behind multiple levels of protection to reduce security risks • Defense in Depth: Use multiple security countermeasures to protect integrity of components or systems • Openness: Consideration for participation of a variety of vendors in our security solutions • Flexibility: Able to accommodate a customer’s needs, including policies & procedures • Consistency: Solutions that align with Government directives and Standards Bodies. A secure application depends on multiple layers of protection. Industrial security must be implemented as a system. [Diagram layers: Application, Computer, Device, Physical, Network]
  • 161. Evolving Global Standards • Building Blocks • ISA S99 and IEC 62443 • Asset Owners • Vendors • Industry Consortia [Diagram labels: NIST 800; NERC-CIP; ISO 27002; RFC 2196; ISA Security Compliance Institute (ISCI); Achilles™; Exida.com LLC; Achilles™ test platform; Wurldtech; Bronze, Silver, Gold; Wurldtech L-1, L-2, L-3; WIB; Independent Req’s & Certifications; SAL 1, SAL 2, SAL 3; WIB 2.0; ODVA Conformance Test]
  • 162. Design for Security approach • Specifications • Audits & Gaps • Enhance & Improve • Resiliency & Robustness
  • 163. Additional Material: Educational - Cisco and Rockwell Automation Alliance • Education Series Webcasts • What every IT professional should know about Plant-Floor Networking • What every Plant-Floor Engineer should know about working with IT • Industrial Ethernet: Introduction to Resiliency • Fundamentals of Secure Remote Access for Plant-Floor Applications and Data • Securing Architectures and Applications for Network Convergence • IT-Ready EtherNet/IP Solutions • Available Online • http://www.ab.com/networks/architectures.html
  • 164. Additional Material: Simplify Design - Rockwell Automation • Networks Website: http://www.ab.com/networks/ • EtherNet/IP Toolkit: http://www.rockwellautomation.com/rockwellautomation/products-technologies/integrated-architecture/tools/overview.page#/tab4 • Ethernet Tools
  • 165. Additional Material: Simplify Design - Cisco and Rockwell Automation Alliance • Websites • http://www.ab.com/networks/architectures.html • Design Guides • Converged plant-wide Ethernet (CPwE) • Application Guides • Fiber Optic Infrastructure Application Guide • Education Series • http://www.ab.com/networks/architectures.html • Whitepapers • Top 10 Recommendations for plant-wide EtherNet/IP Deployments • Securing Manufacturing Computer and Controller Assets • Production Software within Manufacturing Reference Architectures
  • 166. Additional Material: Simplify Design - Collaboration • Plant-wide EtherNet/IP Ecosystem Partners Website • Fiber Optic Infrastructure Application Guide ENET-TD003
  • 167. Additional Material: Simplify Design and Speed Deployment - Panduit Corp • Panduit Corp. Website: • http://www.panduit.com/ • Industrial Automation Solutions: • Industrial Automation Product Systems Brochure • Industrial Communication Solutions – Interactive Roadmap
  • 168. Additional Material: Speed Deployment - Fluke Networks • Fluke Networks Websites • www.flukenetworks.com • www.flukenetworks.com/industrial • www.flukenetworks.com/knowledgebase
  • 169. Reduce design time: Procurement Specifications on-line http://www.rockwellautomation.com/rockwellautomation/industries/procurement-specifications/overview.page?
  • 170. Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.Rev 5058-CO900E PUBLIC INFORMATION Questions?
  • 171. Stratix Ethernet Switch Family: A family of high performance Industrial Ethernet switches ideal for the end user and equipment builder
  • 172. Stratix Portfolio Overview • Security • Productivity • Safe Operations • Remote Access • Time to Market • Protecting IP. Routers and switches for: • Enabling security to new or existing architectures • Applications for simple to complex networks • Monitoring and controlling distributed devices • Plant floor and enterprise integration. Products: Stratix 8000/8300 (Layer 2, Layer 3) • Stratix 2000 (Unmanaged) • Stratix 6000 (Layer 2) • Stratix ETAPs • Stratix 5700 (Layer 2) • Stratix 5100 (Wireless AP/WGB) • Stratix 5900 (Security Appliance)
  • 173. The Stratix Family Overview: Integrating your enterprise and manufacturing environments. Family of industrial Ethernet switches that are: • Optimized for configuration, monitoring, security and maintenance • Modular and scalable • Designed for simple to complex Ethernet applications • IT-ready and IT-friendly solutions • Simplified integration of machine systems in infrastructure • Integrated Architecture programming tools and features • Secure remote access for improved productivity and OEE • Connected or isolated machine and Process control applications • Plant floor and enterprise integration • Distributed network devices that need to be monitored and controlled [Column headings: Overview, Key Benefits, Applications]
  • 174. Stratix 2000 Unmanaged Switches: Refresh & Product Line Expansion
  • 175. Stratix 2000 Unmanaged Switches Overview • Low cost solutions designed for isolated control networks • Recommended for Micro 850 & Micro 820 applications • Unmanaged switches are not recommended for safety or motion applications • Simple “Plug & Play” • Automatically negotiates speed and duplex settings (no configuration required) • Automatically detects cross-over cable • Expanded operating temperature from -20ºC to 70ºC to meet a wider variety of application needs for most catalog numbers • Exception: 1783-US5T & 1783-US8T range 0 to 60ºC
  • 176. Stratix 6000 Fixed Managed Switches
  • 177. Stratix 6000™ Managed Switches • Fixed port managed switch • 4 port or 8 port versions with optional fiber optic uplink (SFP) • Control system integrated • CIP communications for: • Diagnostics (tags) • Configuration (RSLogix 5000) • Security • DHCP persistence for automatic end device IP address assignment • Unauthorized User Identification • Traffic Level Monitor with Alarms • FactoryTalk View Faceplates. Integrated Tightly Into The Integrated Architecture
  • 178. Stratix 5700 Industrial Managed Switches
  • 179. The Stratix 5700 Layer 2 Managed Switches with Cisco Technology • Premiere Integration to the Integrated Architecture • CIP interface • Studio 5000 AOP • ControlLogix tags • FactoryTalk View faceplates • Built with Cisco technology (IOS) • Common feature set with Stratix 8x00 • Common IT development tools (CLI, CNA, DM, CiscoWorks) • Simple to Deploy & Maintain • Easy integration • Default configurations • Common Smartports • DHCP per port IP addressing • Easy maintenance • Secure Digital card for configuration backup • Diagnostics & network management tools. Compact & Scalable. Best of Rockwell Automation & Cisco in a compact size
  • 180. Stratix 5700 Configurations • 3 base platforms offering 20 configurations • 6, 10 & 20 port base units • 6 copper & 4 copper + 2 SFP slots • 8 copper + 2 combo* • 16 copper + 2 combo* + 2 SFP slots • 2 Gig port option • SFP slots support multi & single mode fiber • Wide variety of SFPs available • Compatible with other Cisco SFPs • Advanced feature set to address: • EtherNet/IP applications • Security • Resiliency & Redundancy • Two software packages to choose from • Lite & Full versions • Conformal coating option for harsh environments. *Combo ports can be either copper or SFP. Ideal for simple to complex applications
  • 181. Copyright © 2012 Rockwell Automation, Inc. All rights reserved.Rev 5058-CO900C Stratix 8000 / 8300 Industrial Managed Switches
  • 182. Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.PUBLIC INFORMATION Copyright © 2011 Rockwell Automation, Inc. All rights reserved. Stratix 8000/8300 - Modular Design Base Module (6-port or 10-port) Extension Module A (8-port Copper) Extension Module B (8-port Fiber) Data Ports 10/100 Copper Dual Purpose Uplink Ports 10/100/1000 Copper or SFP 8 Extended Data Ports 10/100 Copper 8 Extended Data Ports 100 Fixed Fiber SFP Fiber Transceiver 100M and 1G Multimode and Singlemode 33
  • 183. Stratix 8300 Layer 3 Managed Switch: Layer 3 routing capabilities; dynamic routing protocols such as RIP, EIGRP and OSPF.
  • 184. Stratix 5900 Industrial Services Router
  • 185. The Stratix 5900 Security Appliance: best of Rockwell & Cisco in a compact size. Premiere Routing & Security Services: Firewall; Virtual Private Network (VPN); Network Address Translation (NAT). 1GE WAN, 4 FE LAN, 1 Serial Port. Built with Cisco technology (IOS): common features of Stratix Switch; common IT development tools (CLI, CNA, DM, CiscoWorks, CCP). Ruggedized with Extended Temp, Shock & Vib. Compact size with DIN rail mount.
  • 186. Embedded Switch Technology
  • 187. Embedded Switch Technology
      • Embedded Switch Technology enables LINEAR and RING topologies on EtherNet/IP
      • Network traffic is managed to ensure timely delivery of critical data (QoS, IGMP supported)
      • Open standard (ODVA) allows 3rd party suppliers to develop compatible products
      • Linear: linear Ethernet segments greatly extend the length of the application; no need to run cables from each device back to a centralized switch
      • Device-Level Ring (DLR): single fault tolerant network provides resiliency; device level ring requires no additional hardware to implement
  • 188. 1783-ETAP
      • The 1783-ETAP is a standalone device that allows devices that do not support the Embedded Switch Technology to join a linear or a DLR network.
      • Other product features: capable of being a Ring Supervisor in a Device Level Ring; managed switch functions to help manage traffic on the network (i.e. IGMP and QoS); fiber versions available in the future for long distance applications
      • Device Port: used for connecting a single-port Ethernet device
      • Network Ports (2): used for connecting to neighboring devices to form a linear or a ring network
  • 189. DLR Enabled Products: 1756-ENT2R, Point, Flex, ArmorPoint, ETAP, CompactLogix, 193-DNENCATR, 1747-AENTR, ArmorBlock, ArmorStart
  • 190. Stratix 5100 Wireless Access Point
  • 191. Stratix Wireless Access Points
      • Product: Access Point / Work Group Bridge; Autonomous
      • Leveraging the latest 802.11n WiFi technology: MIMO, Packet Aggregation & Spatial Multiplexing (higher performance); 2.4 GHz and 5 GHz radios (flexibility and segmentation)
      • Support for VLAN, QoS and RADIUS: segmentation, priority handling and authorization
      • Backward compliant to 802.11a/b/g
      • CIP enabled: Logix for system diagnostics; profile & tags
      • Value: provides real-time performance for mission critical applications; eliminates wire & cabling to reduce installation costs; enables mobility and portability for people and devices; seamless integration within a Cisco wireless network
  • 192. Typical Configurations (network diagram). Labels: Enterprise Zone (Enterprise Network; ERP, Email, Wide Area Network (WAN)); Manufacturing Zone (FactoryTalk Applications and Services); Cell/Area Zones #1 to #4 with ring, star and linear topologies; 5100 802.11n Dual Band Access Point; 5900 Industrial Services Router; 6000 Managed Layer 2 Switch; 8000 Managed Layer 2 Switch; 8300 Managed Layer 3 Switch; ETAP Embedded Layer 2 Switch; Mobile User; Lightweight AP (LWAP); AP as Workgroup Bridge (WGB).
  • 193. Stratix Family Quick Reference
  • 194. Stratix Family Quick Reference
  • 195. Thank you! To learn more visit: www.ab.com/networks
  • 196. © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential. Invisible Cost to Visible Value. Rob Price, Head of Technical Strategy, Partner & Commercial Team, roprice@cisco.com, April 2014
  • 197. “I cannot imagine a life without…” (% of 14–29 year olds). Source: BITKOM – Bundesverband Informationswirtschaft, Telekommunikation und neue Medien e.V., 2010
  • 198. “I cannot imagine a life without…” A mobile phone: 97% (% of 14–29 year olds). Source: BITKOM – Bundesverband Informationswirtschaft, Telekommunikation und neue Medien
  • 199. The 2 photos on the right are of St Peter's Square during the announcement of the election of the last 2 Popes. In just 8 years mobile devices have become ubiquitous. Everyone carries the internet in their pocket.
  • 200. “I cannot imagine a life without…” The Internet: 84% (% of 14–29 year olds). Source: BITKOM – Bundesverband Informationswirtschaft, Telekommunikation und neue Medien
  • 201. “I cannot imagine a life without…” A car: 64% (% of 14–29 year olds). Source: BITKOM – Bundesverband Informationswirtschaft, Telekommunikation und neue Medien
  • 202. “I cannot imagine a life without…” My current partner: 43% (% of 14–29 year olds). Source: BITKOM – Bundesverband Informationswirtschaft, Telekommunikation und neue Medien
  • 205. Digital Band-Aids; Smart Pill Bottle Caps; Asthma inhalers; 'Electronic Skin' Patches Monitor Health Wirelessly
  • 209. Will gather 14 ExaBytes of data per day!! Will store over 1 PetaByte per day. Transmit; Store; Analyse. *1 ExaByte = 1,000,000,000,000,000,000 Bytes. It took until 2004 for internet traffic to pass 1 Exabyte per month.
  • 210. X aaS
  • 211. Thank you.
  • 212. Control Network Security & Secure Remote Access. Guy Denis, gudenis@cisco.com, Rockwell Automation Alliance Manager Europe, 29th April 2014
  • 213. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential. Source of Industrial Security Incidents: 3% wireless system; 7% VPN connection; 7% dial-up modem; 7% telco network; 10% trusted third-party connection (includes infected laptops); 17% Internet directly; 49% via corporate WAN and business network. Source: BCIT (2009). Average cost of manufacturing downtime = $210,000 per hour. Source: Infonetics (2005).
  • 214. includes infected laptops and is growing (from Eric Byres, BCIT)
  • 215. A breakdown of Stuxnet: http://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html (Ralph Langner, German control systems security consultant). F-Secure wrap-up on Stuxnet: http://www.youtube.com/watch?v=gFzadFI7sco
  • 217.
      • Fragile TCP/IP stacks – NMAP, ping sweep lockup
      • Little or no device level authentication
      • Poor network design – daisy chains, hubs
      • Windows based IA servers – patching, legacy OS
      • Unnecessary services running – FTP, HTTP
      • Open environment, no port security, no physical security of switch, Ethernet ports
      • Limited auditing and monitoring of access to IA devices
      • Unauthorised use of HMI, IA systems for browsing, music/movie downloads
      • Lack of IT expertise in IA networks, many blind spots
  • 219. Defense in Depth (diagram layers: Computer, Device, Physical, Network, Application)
      • Physical Security – limit physical access to authorized personnel: areas, control panels, devices, cabling, and control room – escort and track visitors
      • Network Hardening – infrastructure framework – e.g. firewalls with intrusion detection and intrusion prevention systems (IDS/IPS), and integrated protection of networking equipment such as switches and routers
      • End-point Hardening – patch management, antivirus software as well as removal of unused applications, protocols, and services
      • Application Security – authentication, authorization, and audit software
      • Device Hardening – change management and restrictive access
  • 220.
      • Security is not a bolt-on component
      • Comprehensive Network Security Model for Defense-in-Depth
      • Industrial Security Policy
      • DMZ Implementation
      • Design Remote Partner Access Policy, with robust & secure implementation
  • 221. Comprehensive information here: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
  • 223. Panduit/RA Physical Layer Reference Architectures Design Guide, June ‘09 (PSL-DCPL, PSL-DCJB)
  • 224. Network reference architecture (diagram). Zones: Enterprise Network, Levels 4–5 (Web, Apps, DNS, FTP, Internet); Demilitarized Zone (DMZ), Firewalls; Manufacturing Zone, Level 3, Distribution and Core; Cell/Area Zone, Levels 0–2, Layer 2 Access. Labels: Cisco ASA 5500, Firewall (Active), Firewall (Standby), Gbps Link for Failover Detection; Cisco Catalyst 6500/4500; Cisco Cat. 3750X StackWise Switch Stack; Cisco Catalyst Switch; IE3000/3010/2000 Layer 2 Access Switch; SCADA Application and Services Servers; Network Services; Patch Management, Terminal Services, Application Mirrors, AV Servers; Cell/Area #1 (Redundant Star Topology), Cell/Area #2 (Ring Topology), Cell/Area #3 (Linear Topology) with Controller, Drive, HMI and Distributed I/O. Capabilities listed: Real-Time Control; Fast Convergence; Traffic Segmentation and Management; Ease of Use; Site Operations and Control; Multi-Service Networks; Network and Security Management; Routing; Application and Data Share; Access Control; Threat Protection; Enterprise/IT Integration; Collaboration; Wireless; Application Optimization.
  • 225. DMZ and Secure Remote Access Guiding Principles
      • Defend the Industrial Edge
      • Firewalling and remote access at levels 0-2 (L2 Transparent Mode) with Industrial IPS/IDS
      • Use IT-Approved Access and Authentication: VPN for secure remote access; Enterprise Access and Authentication servers (e.g. Active Directory, RADIUS, etc.)
      • ICS Protocols Stay Home
      • Control the Application: Remote Access (Terminal) Server; application level security
      • No direct traffic through the firewall
      • Only one path in and out of industrial - the firewalls
      • Diagram labels: Enterprise Zone, Levels 4 and 5 (Enterprise WAN, Enterprise Data Centre, Internet); Demilitarized Zone (DMZ); Manufacturing Zone, Site Manufacturing Operations and Control, Level 3; Cell/Area Zones, Levels 0–2; IPsec VPN; SSL VPN
  • 226. Purdue Reference Model, ISA-95; Industrial Security Standard ISA-99 (diagram). Levels: Level 5 Enterprise Network; Level 4 Site Business Planning and Logistics Network (e-mail, intranet, etc.); Level 3 Site Manufacturing Operations and Control; Level 2 Area Supervisory Control; Level 1 Basic Control; Level 0 Process. Zones: Enterprise Zone; DMZ (between two firewalls); Process Control Domain; Process Control Network. Component labels: Terminal Services, Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server; SCADA App Server, SCADA Directory, Engineering Workstation, Domain Controller; SCADA Client, Operator Interface, Engineering Workstation; Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control; Sensors, Drives, Actuators, Robots; Web, E-Mail, CIP.
  • 227. No Direct Traffic
      • All network traffic from either side of the DMZ terminates in the DMZ; network traffic does not directly traverse the DMZ
      • Application Data Mirror
      • No primary services are permanently housed in the DMZ
      • DMZ shall not permanently house data
      • No control traffic into the DMZ
      • Be prepared to “turn-off” access via the firewall
      • Diagram labels: Enterprise Security Zone; Disconnect Point; DMZ, Replicated Services; Disconnect Point; Industrial Security Zone
  • 228.
      1. Firewall Services (Segmentation, Isolation)
      2. Application Services (Behavior Enforcement, Application Intelligence and Awareness, Gateway Capabilities)
      3. Logging and Historical Services (Traffic, Event histories)
      4. Encryption and Data Integrity Services (remote access, and secure channels for data transfer)
      5. IPS/IDS Services (deep packet inspection – Sourcefire and Wurldtech Industrial Signatures)
      6. Malware Detection and Filtering (deep packet and URL inspection)
  • 229. Cisco ISE
      • “I want to allow guests into the network”
      • “I need to allow/deny iPads in my network (BYOD)”
      • “I want to allow only authorized users access to my network”
      • “I need a scalable way of authorizing users or devices in the network”
      • “I need to ensure my endpoints don’t become a threat vector”
      • “How can I set my firewall policies based on identity instead of IP addresses?”
      • Services: Guest Lifecycle Management; Profiling Services; Posture Services; Authentication and Authorization; Security Group Access Management; Identity-based Firewall
  • 230. Diagram labels: VPN, VDI, WSA, IPS, ASA-CX, ASA, ISE; Level 5, Level 4, Level 3½, Level 3, Level 2, Level 1, Level 0; Enterprise Zone; DMZ; PCD / Manufacturing Zone; PCN / Cell / Area Zone; 1783-SR
  • 232. Defense in Depth: security technologies applied. Authentication, Authorization and Accounting; Access Control Lists (ACLs); Secure Browsing (HTTPS); Intrusion Protection and Detection; Remote Terminal Session; Application Security; VLANs. Diagram labels: Remote Engineers and Partners; Plant Floor Applications and Data.
  • 233. Typical Functions of Secure Routing Platform
      • NAT connecting machines with overlapping address space: Machine #1 and Machine #2, each behind a Stratix 5900 performing NAT, both using 192.168.1.0/24 (overlapping address space)
      • Zone-based Policy Firewall (ZFW): a zone is a set of interfaces that share a certain “trust level”; policies define rules between zones; ZFW policies are unidirectional: Source >> Destination. Diagram labels: ZFW1; zone TRUSTED (Int 1, Int 2; Client1, Client2); zone UNTRUSTED (Int 3, Int 4; Server; INTERNET); Zone-Policy OUTBOUND
      • Virtual Private Networks (VPNs)
  • 234. 1783-SR/ISR819 Software Features - Security
      • Secure Connectivity: Secure Sockets Layer (SSL) VPN for secure remote access; hardware-accelerated DES, 3DES, AES 128, AES 192, and AES 256; public-key-infrastructure (PKI) support; 20 IPsec tunnels; Cisco Easy VPN Client and Server; Network Address Translation (NAT) transparency; Dynamic Multipoint VPN (DMVPN); tunnel-less Group Encrypted Transport VPN; IPsec stateful failover; VRF-aware IPsec; IPsec over IPv6; adaptive control technology; Session Initiation Protocol (SIP) application layer gateway
      • Cisco IOS Firewall: Zone-Based Policy Firewall; VRF-aware stateful inspection routing firewall; stateful inspection transparent firewall; advanced application inspection and control; Secure HTTP (HTTPS), FTP, and Telnet Authentication Proxy; dynamic and static port security; firewall stateful failover; VRF-aware firewall
      • Content Filtering: subscription-based content filtering with Trend Micro; support for Websense and SmartFilter; Cisco IOS Software black and white lists
      • Integrated Threat Control: intrusion prevention system (IPS); Control Plane Policing; Flexible Packet Matching; network foundation protection
      • These features allow: highly secure, highly flexible, scalable remote access solutions; configurable via web GUI wizards; for small to medium sized deployments
  • 235. Stand-alone Remote Industrial Application
      • Example: remote site
      • Requirements: connection out from the Plant, direct access; little to no IT support, little to no alignment with Industrial Automation and Control System security standards
      • Potential Solution: IPSec VPN, DMVPN, FlexVPN – ASA5515 and/or ISR819
      • Diagram labels: Plant Engineer; Skid Builder; System Integrator; WAN; Remote Site WAN Router; Plant Site WAN Router; 1783-SR/819 ISR; IPSec; X many
  • 236.
      • No VPN client needs to be installed on remote client
      • Access to internal network through one point of entry
      • Uses a standard web browser, platform independent: Internet Explorer, Firefox
      • Can access web applications http, https, Common Internet File Sharing (CIFS), File Transfer Protocol (FTP)
      • Client-Server Plug-ins for Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), Secure Shell (SSH) access, Telnet and Citrix
      • VPN appliance gives web-based look and feel for the application access (customizable) through content rewrite process
  • 237. Secure remote access (diagram and steps)
      1. Remote engineer or partner establishes VPN to corporate network; access is restricted to IP address of plant DMZ firewall
      2. Portal on plant firewall enables access to IACS data, files and applications – Intrusion protection system (IPS) on plant firewall detects and protects against attacks from remote host
      3. Firewall proxies a client session to remote access server
      4. Access to applications on remote access server is restricted to specified plant floor IACS resources through IACS application security
      • Diagram labels: Enterprise Zone, Levels 4 and 5 (Internet, Enterprise WAN, Enterprise Data Center, Enterprise Edge Firewall, Remote Engineer or Partner, Enterprise Connected Engineer, Cisco VPN Client, HTTPS, IPsec VPN, SSL VPN); Demilitarized Zone (DMZ) (Cisco ASA 5500, Firewall (Active), Firewall (Standby), Gbps Link Failover Detection, Patch Management, Terminal Services, Application Mirror, AV Server); Manufacturing Zone, Site Manufacturing Operations and Control, Level 3 (Catalyst 6500/4500, Catalyst 3750 StackWise Switch Stack, Remote Desktop Protocol (RDP), Remote Access Server: RSLogix 5000, FactoryTalk View Studio; FactoryTalk Application Servers: View, Historian, AssetCentre, Transaction Manager; FactoryTalk Services Platform: Directory, Security/Audit; Data Servers); Cell/Area Zones, Levels 0–2 (EtherNet/IP)
  • 238. 21 Steps to securing a SCADA network (http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf)
      1. Identify all connections to SCADA networks
      2. Disconnect unnecessary connections to the SCADA network
      3. Evaluate and strengthen the security of any remaining connections to the SCADA network
      4. Harden SCADA networks by removing or disabling unnecessary services
      5. Do not rely on proprietary protocols to protect your system
      6. Implement the security features provided by device and system vendors
      7. Establish strong controls over any medium that is used as a backdoor into the SCADA network
      8. Implement internal and external intrusion detection systems and establish 24-hour-a-day incident monitoring
      9. Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns
      10. Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security
      11. Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios
      12. Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and users
      13. Document network architecture and identify systems that serve critical functions or contain sensitive information that require additional levels of protection
      14. Establish a rigorous, ongoing risk management process
      15. Establish a network protection strategy based on the principle of defense-in-depth
      16. Clearly identify cyber security requirements
      17. Establish effective configuration management processes
      18. Conduct routine self-assessments
      19. Establish system backups and disaster recovery plans
      20. Senior organizational leadership should establish expectations for cyber security performance and hold individuals accountable for their performance
      21. Establish policies and conduct training to minimize the likelihood that organizational personnel will inadvertently disclose sensitive information regarding SCADA system design, operations, or security controls
  • 239. www.shodanhq.com
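
The DMZ rules on slides 225 and 227 ("no direct traffic", "ICS protocols stay home", "no control traffic into the DMZ") can be audited against firewall or flow records. The following is an added example, not part of the slide deck: the subnet-to-zone plan, the sample flow records and all function names are constructed assumptions, and the ICS port list (EtherNet/IP 44818/tcp and 2222/udp, Modbus 502/tcp) is an assumed subset.

```python
import ipaddress
from collections import namedtuple

# Assumed zone plan: constructed addresses, not taken from the slides.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),    # Levels 4-5
    "dmz":        ipaddress.ip_network("172.16.50.0/24"),
    "industrial": ipaddress.ip_network("192.168.0.0/16"),  # Levels 0-3
}

# Assumed subset of ICS ports: EtherNet/IP explicit messaging (44818/tcp),
# EtherNet/IP implicit I/O (2222/udp), Modbus/TCP (502/tcp).
ICS_PORTS = {("tcp", 44818), ("udp", 2222), ("tcp", 502)}

Flow = namedtuple("Flow", "src dst proto dport")
Finding = namedtuple("Finding", "rule flow")

# Constructed flow records in the form: src dst proto dport  # note
SAMPLE_FLOWS = """
10.10.4.20    172.16.50.10  tcp 443    # enterprise user to DMZ portal
172.16.50.10  192.168.1.30  tcp 3389   # DMZ to plant terminal session
10.10.4.20    192.168.1.30  tcp 3389   # enterprise straight to plant
172.16.50.10  192.168.1.5   tcp 44818  # EtherNet/IP leaving the plant
192.168.1.5   192.168.1.30  udp 2222   # I/O traffic inside the plant
192.168.1.40  203.0.113.9   tcp 80     # plant host straight to Internet
"""

def zone_of(addr):
    """Return the zone name for an address, or 'unmapped'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unmapped"

def parse_flows(text):
    """Yield Flow records, ignoring blank lines and '#' comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, dport = line.split()
        yield Flow(src, dst, proto.lower(), int(dport))

def audit(text):
    """Flag flows that break the DMZ principles listed on the slides."""
    findings = []
    for flow in parse_flows(text):
        zones = {zone_of(flow.src), zone_of(flow.dst)}
        if len(zones) == 1:
            continue  # traffic that stays inside one zone
        if "industrial" in zones and "dmz" not in zones:
            # Industrial traffic must terminate in the DMZ, never beyond it.
            findings.append(Finding("direct-traverse", flow))
        elif "dmz" in zones and (flow.proto, flow.dport) in ICS_PORTS:
            # Control protocols must not enter or leave through the DMZ.
            findings.append(Finding("ics-protocol-in-dmz", flow))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f.rule, f.flow.src, "->", f.flow.dst,
              f"{f.flow.proto}/{f.flow.dport}")
```

Addresses outside the zone plan are treated as "unmapped", so an industrial host talking to any unmapped address is reported as a direct traverse rather than silently ignored.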