Industrial IoT in Action
Phil George – Solution Architect

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.
Collaboration of Partners
Network Technology Convergence
Wide Area Network (WAN)
Physical or Virtualized Servers
• ERP, Em...
Industrial Networks Summary
 Open networks are in demand


Broad availability of products, applications and vendor suppo...
 A new ‘go-to’ resource for educational, technical and
thought leadership information about industrial
communications
 S...
Agenda
Plant-wide Benefits of Ethernet/IP

 Fundamentals of Ethernet/IP
 Designing the Physical Layer

 Industrial & IT...
Will your Physical Layer perform?

Plantwide EtherNet/IP
Ecosystem
Design and Deployment

Panduit’s Distributor Partner
Vision: Unified Physical Infrastructure

Manufacturing:
Industrial Automation Solution

Building:
Connected Buildings Solu...
Critical Manufacturing Assets are at Risk!
• Downtime
• Security lapses
• Performance degradation

3 Installation pitfalls
1. Proper cable installation is critical
3. This makes it impossible to manage, maintain and troubl...
Importance of the Physical Layer

“A significant portion of network
downtime, approx. 80%, is attributed
to Physical Layer...
Designing the Physical Layer for Ethernet/IP

What do Physical Layer Reference
Architecture based best practices
look like...
Physical Layer Design Considerations
• Design and implement a robust physical layer
• Environment Classification ...
Logical: Rockwell/Cisco Reference Architecture (diagram). Recoverable labels: Enterprise Zone (EZ); De-Militarized Zone (DMZ) with Windows 2003 servers (Remote Desktop Connect...); firewalls in an active/standby pair; Layer 3 routers and Layer 3 switches (ring topology) ...

Physical: Reference IN-Solution (diagram). Recoverable labels: Enterprise Zone; IN-Frastructure; Cell/Area Zones; Manufacturing Zone; FWB; L2S; CTRLR; L2...
Panduit Industrial Automation: 5 Core Solutions
IN-ROOM: Control Room, Data Center, Telco Closet
IN-ROUTE ...
Simplify with validated building blocks
Physical Layer Design Considerations

Micro Data Center

Zone Enclosures

Control ...
IN-ROOM
Micro Data Center – IN-Room Solution
Enterprise/Office
Patchfield used to uplink switch to level 4 & ...
IN-ROOM / IN-ROUTE / IN-PANEL / IN-FIELD
Physical Network Security
• ...
IN-ROOM
Micro Data Center Solutions
Physical Layer Design Considerations
Micro Data Center Simplificati...
IN-ROUTE
IN-Route - Getting from “Point A” to “Point B”
Built-In Failure Points
Environmental Focus – M.I.C.E.
M.I.C.E. (the TIA-1005 environmental classification) grades the installation environment on four axes, each from 1 to 3 with increasing environmental severity: Mechanical (M1, M2, M3), Ingress (I1, I2, I3: water, dust), Climatic/Chemical (C1 to C3) and Electromagnetic (E1 to E3). The slide's table shows the Mechanical and Ingress columns ...
You can’t choose components without knowing the Environment.
IN-ROUTE
IN-Route - Zone Cabling Methods
(diagram: zone enclosures “Z” fed from a telecommunications room “TR”)
Centralized Cabling – Home runs from each node back to ...
Pathways
• Overhead cable tray routing system
• Designed to route and manage copper, fiber optic, or power cables
IN-ROU...
IN-ROUTE
Fiber Pathways
Dielectric Conduited Fiber Cable (DCF)
KEY BENEFIT: Easier to install fiber cable (eliminates ...
IN-ROUTE
Zone Enclosures – Pre-configured
Best way to structure manufacturing network
• Leverages Cisco/RA r...
Zone Enclosures – Optimized for Stratix
Physical Layer Design Considerations
• Pre-configured, pre-tested for Stratix 830...
IN-Route: Network Distribution Simplification

IN-ROUTE

Physical Layer Design Considerations

Robust, Secure...
IN-PANEL
IN-Panel - Understanding the Problem
There are several market trends that are exerting pressure on...
IN-PANEL
EtherNet in the Control Panel
• Additional requirements and solutions are required with the additi...
IN-PANEL
Planning for networking in the panel
• What are common networking challenges in the panel?
– Ov...
Noise Mitigation Demo

IN-PANEL
Polymer Coated Fiber (PCF)
Cable, LC Connector, Termination Tool Kit
KEY BENEFITS: Ease of field termination (CRIMP, CLE...
Terminating Fiber Using PCF Crimp-On Connectors (embedded video)

IN-PANEL / IN-FIELD
Space Optimization Increases Design Flexibility

IN-PANEL
Physical Layer Design Considerations
• Maximizes ...
Panduit Network Solutions for the Control Panel

IN-PANEL
Physical Layer Design Considerations
• Optimized ...
IN-Panel: Optimized with Partners

IN-PANEL
Physical Layer Design Considerations
• Leverage power of Eth...
IN-FIELD
IN-Field Challenges
ON Machine or Process areas
• High MICE levels
– Vibration
– Chemical
– Tem...
IN-Field Solutions: Manage and Protect

IN-FIELD
• Harsh rated cable management and identification
• Abrasio...
IN-Frastructure: Challenges
• Facility Grounding/Bonding, Power
• Costs of safety incidences
• Lockout/Tagout implementa...
IN-Frastructure: Solutions
• Grounding/Bonding components and solutions
• Safety labels and signage
• Lockout/Tagout syst...
Application Guides
Network Security
Control Panel Layout Whitepaper
• Best practices = reduced call backs, problems..greater solution sales

http://www.industrial-ip.org

Easy Building Block Approach
Design your system using cost effective and easy to troubleshoot Network Architectures
Micro...

Industry Level Thought Leadership
All wrapped up in a 450 page, “How To” manual with contributions from Fluke and Roc...
Design/Spec Tools
Physical Layer Design Considerations
Design Micro Data Centers in Visio and paste BOM into Proposalworks...

Plant Floor - “Macro Architecture” summary
(diagram: plant areas classified MICE 1-1-1-1, 3-1-2-3, 1-1-1-3, 3-3-3-3 and 2-1-3-2)
MI...
Fiber Optic Application Best Practices for EtherNet/IP
2/13/2014
Agenda
Physical Infrastructure for Fiber Deployments
Fiber Selection
Saving Time/Cost with Fiber
Industrial Networks Live in the Real World
• Industrial Networks must take into consideration the physical challenges of t...
Fiber that Fits Both the Environment and the Application
Fiber is now being used in all areas of an Industrial Network Dep...
Benefits of Fiber in an Industrial Space
• Fiber is completely noise immune
• Fiber can be used in high M.I.C.E. environme...
Key Elements of a Successful EtherNet/IP Network Design
• Understanding application and functional requirements
• Develop...
Selecting the Right Fiber Requires…
• Knowing the Application Environment.
• Knowing the Distance Requirements.
• Kno...
Let’s take a sample application and go thru it step-by-step.

Knowing the Capability of Your Equipment
The Equipment – The...
Knowing the Capability of Your Equipment
The Stratix is a good switch to use as an example
because it has both Uplink port...
Understanding Your Expansion
or Upgrade Path
The following is an example list of specifications for the fiber-optic SFP mo...
Answers Always Lead to More Questions
The Equipment – The result of our equipment investigation
is that we learned:
• The ...
What Makes Up a Fiber Cable?
The Cable – There are two classes of Fiber in use today:
• Single Mode – Long Distance Fiber,...
How Big is the Fiber, (relatively)?
(diagram: core of 9, 50, 62.5 or 200 µm; cladding 125 µm, or 230 µm for PCF; buffer outside the cladding)
Core size will tell you the OMx ...
Single Mode Fiber: 9 µm core, 125 µm cladding (all sizes expressed in microns)
Multi-Mode Fiber (50 and 62.5 micron): 50 or 62.5 µm core, 125 µm cladding
Polymer Coated Multi-mode Fiber (PCF): sizes shown 50, 62.5 and 200 µm core, 230 µm outer diameter
What Do the OM Ratings Mean?
If you see OM in the Fiber grade it always means Multi-Mode.
– The US adopted a grading syste...
What Do the OS Ratings Mean?
• If you see OS in the Fiber grade it always means Single-Mode.
• “OS 1” --- 9 Micron (Used w...
Example of Single-mode vs. Multi-mode
Singlemode – more efficient – goes FURTHER (diagram label: A Fabry-Perot LASER)
Multimode – less eff...
Light Pulse Spreading (“Modal Dispersion”): The Enemy of Throughput
(diagram label: A Cheap Slow LED)
• Some of the photons (light particl...
The Further You Go, the Worse it Gets.
(cartoon: “Hey, I sent a ‘1’” / “What?”)
You can only go so far with a given grade of multimode fi...
How the OM/OS Ratings Equate to Distance
ANSI/TIA-568-C.0 (D.3) Optical fiber cabling supportable distances table.
• Table...
Remember the MICE Table?
Where you put the fiber, “The Environment”, determines the type of fiber you choose.
Applications for “Indoor” Fiber
• Indoor Opti-Core Fiber
Distribution
• Indoor Opti-Core
Interlocking Armor
• Indoor Indus...
Applications for “Indoor-Outdoor” Fiber
• Indoor/Outdoor Opti-Core All-Dielectric Fiber Cable
• Indoor/Outdoor Opti-Core G...
Applications for “Outdoor” Fiber
• Opti-Core Gel-Free Fiber Optic Outside Plant All-Dielectric Cable
• Opti-Core Gel-Free ...
One Last Thought When Choosing a Fiber Type – Choosing the Connector
Traditional Puck and Polish type Connectors (5-7 min.)...
Choosing the Connector: OptiCam Connector; PCF Connector
Choosing the Right Fiber Type For the Application Can Save Big $$$ in Materials and Labour
Links From Field Switches to Control Rooms Should Support Higher Speeds and Greater Volume
Electrician Friendly Fiber Can be Used to Install Long Distance Bus Systems
Fiber Optic Infrastructure Planning
Physical Layer Design Considerations
New joint application guide
Increase the integrit...
Easy to follow Fiber best practices!
Physical Layer Design Considerations
• Partner validated application guide
Summary
Physical Infrastructure for Fiber
Deployments
Understanding the Environment and the Application

Fiber Selection

...
Industrial and IT Network Convergence
Ethernet/IP Enables Convergence
Mike Loughran, Solution Architect
Date...
Emerging Technologies in Operations
All the BUZZ…

The Internet of Things (IoT)

Intelligent devices start to communicate ...
What does it all mean?
 Big Data


Large amounts of information is available to
manage the supply chain & complex proces...
Why are Emerging Technologies so
Important?

Automated adaptable processes & decisions
Why are Emerging Technologies so
Important?
 Empowers companies to grow faster, produce
better products and serve custome...
Industrial Network Convergence
Industrial Network Trends

Process Control
Intelligent Motor Control
Discrete Control

Info...
The Value in Bringing the Information
Together
Laboratory
Information
Management
Systems
Production
Scheduling

Performan
...
From Production to the Enterprise Rockwell Automation & Cisco Alliance
Rockwell Automation and Cisco present the most valu...
Risks and threats to networked systems
• Application of security patches
• Natural or man-made disasters
• Worms and viruses
• S...
A Vendor’s Perspective
 Control System lifecycles are long (20+ years)
 Products will have vulnerabilities
 Security is...
Our Approach to Industrial Security
A secure application depends on multiple layers of protection.
Industrial security mus...
Evolving Global Standards

ISA S99 and IEC 62443
• Asset Owners • Vendors • Industry Consortia •
NIST 800

ISO 27002

RFC ...
Design for Security approach
Specifications; Audits & Gaps; Enhance & Improve; Resiliency & Robustness
Additional Material
Educational - Cisco and Rockwell Automation Alliance
 Education Series Webcasts
What ...
Additional Material
Simplify Design - Rockwell Automation

 Networks Website: http://www.ab.com/networks/
 EtherNet/IP T...
Additional Material
Simplify Design - Cisco and Rockwell Automation Alliance

 Websites
 http://www.ab.com/networks/arch...
Additional Material
Simplify Design - Collaboration

 Plant-wide EtherNet/IP Ecosystem Partners Website
 Fiber Optic Inf...
Additional Material
Simplify Design and Speed Deployment - Panduit Corp

 Panduit Corp. Website:
 http://www.panduit.com...
Additional Material
Speed Deployment - Fluke Networks

 Fluke Networks Websites
 www.flukenetworks.com
 www.flukenetwor...
Reduce design time
Procurement Specifications on-line
http://www.rockwellautomation.com/rockwellautomation/industries/proc...
Stratix Ethernet
Switch Family
A family of high performance
Industrial Ethernet switches ideal
for the end user and equipm...
Stratix Portfolio Overview
Routers and switches for:

• Security
• Productivity
• Safe Operations

 Enabling security to ...
The Stratix Family Overview
Overview

Key Benefits

Applications

Family of industrial Ethernet switches that are:
• Optim...
Stratix 2000 Unmanaged Switches
Refresh & Product Line Expansion

PUBLIC INFORMATION

Rev 5058-CO900E

Stratix 2000 Unmanaged Switches
Overview
 Low cost solutions designed for isolated control networks
Recommended for...
Stratix 6000 Fixed Managed Switches

Stratix 6000™ Managed Switches
 Fixed port managed switch
 4 port or 8 port versions with optional fiber optic
uplink (S...
Stratix 5700
Industrial Managed Switches

The Stratix 5700
Layer 2 Managed Switches with Cisco Technology

Compact & Scalable
 Premiere Integration to the Integrat...
Stratix 5700 Configurations
 3 base platforms offering 20 configurations
– 6, 10 & 20 port base units
– 6 copper &...
Stratix 8000 / 8300
Industrial Managed
Switches

Stratix 8000/8300 - Modular Design
Base Module

Extension Module A

Extension Module B

(6-port or 10-port)

(8-port Coppe...
Stratix 8300 layer 3 Managed Switch
 Layer 3 Routing Capabilities
Dynamic Routing Protocols such as RIP, EIGRP

and OSPF
...
Stratix 5900
Industrial Services Router

The Stratix 5900 Security Appliance
 Premiere Routing & Security Services
 Firewall
 Virtual Private Network (VPN)
 Ne...
Embedded Switch
Technology

Embedded Switch Technology
 Embedded Switch Technology enables LINEAR and RING topologies on EtherNet/IP
 Network traffi...
1783-ETAP
• The 1783-ETAP is a standalone device that allows devices (that do not support the
Embedded Switch Technology) ...
DLR Enabled Products
 1756-ENT2R, Point, Flex, ArmorPoint, ETAP, CompactLogix, 193-DNENCATR,
1747-AENTR, ArmorBlock, Armo...
Stratix 5100
Wireless Access Point

Stratix Wireless Access Points
 Value
 Product: Access Point / Work Group Bridge; Autonomous
Leveraging the la...
Typical Configurations
Enterprise Zone

ERP, Email, Wide Area
Network (WAN)

Network
Enterprise

5900 Industrial
Services ...
Stratix Family Quick Reference

Invisible Cost to Visible Value
Rob Price
Head of Technical Strategy
Partner & Commercial Team
roprice@cisco.com
September...
“I cannot imagine a life without…” (% of 14 – 29 year olds; Source: BITKOM – Bundesverband Informationswirtschaft, Telekomm...)
• A mobile phone: 97%
• The Internet: 84%
• A car: 64%
• My current partner: 43%

• The 2 photos on the right are of St Peters Square during the announcement of the election of last 2 Popes
• In just 8 ...
© 2010 Cisco and/or its affiliates. All rights reserved.

Cisco Confidential

• Will gather 14 ExaBytes of data per day!!*
• Will store over 1 PetaByte per day
• Transmit • Store • Analyse
* 1 Ex...
Immersive Collaboration (Pervasive Video); Mobility; Cloud; BYOD; XaaS (XaaS | DC / V); The Network; Security, Accelerating Cy...
How You Worked Depended on This… Now It Depends on This…
FIXED ...
XaaS
Pop Quiz

Thank you.

Securing Controls Networks
Protecting against the bad dumb guys ;)

Steve Matthews (stmatthe@cisco.com)
Consulting Systems...
Industrial Security
Source of Industrial Security Incidents (chart; recovered labels: Wireless System, VPN Connection, Dial-up Modem)
Sourc...
How Big Are the Risks?
• Less than 2% of incidents are reported
– Concern for damage of corporate reputation and stock p...
The Game Changer in 2010..
• NOT external network proliferated!
• Unique 4x 0 day exploits - undetectable
• USB & print...
A breakdown of Stuxnet
http://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html
Ralph Lan...
Common Areas of Vulnerability
• Fragile TCP/IP Stacks – NMAP, Ping Sweep lockup
• Little or no device level authenticati...
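Both vulnerabilities above (a fragile TCP/IP stack that a port or ping sweep can lock up, and little or no device-level authentication) are visible at the EtherNet/IP encapsulation layer that the OSI slides place above TCP/UDP. The following is an added example written for this page, not code from the seminar, Cisco, Rockwell Automation or ODVA: it builds the 24-byte ListIdentity request, parses a reply, and paces one unicast probe per host instead of sweeping. The reply bytes are constructed here (the product name, serial number and 192.0.2.10 address are illustrative), while the field layout follows the published EtherNet/IP encapsulation format.

```python
"""EtherNet/IP ListIdentity at the encapsulation layer (UDP/TCP 44818).

Added example for this seminar page, not code from the slides or from ODVA.
The 24-byte header and the ListIdentity reply layout follow the EtherNet/IP
encapsulation specification; the device values in sample_response() are
constructed for illustration and describe no real product.
"""
import socket
import struct
import time

ENIP_PORT = 44818
CMD_LIST_IDENTITY = 0x0063          # encapsulation command code
ITEM_LIST_IDENTITY = 0x000C         # CPF item type carried in the reply
AF_INET = 2                         # sin_family value in the reply's sockaddr
# command, length, session handle, status, sender context, options
HEADER = struct.Struct("<HHII8sI")
# vendor, device type, product code, rev major, rev minor, status, serial, name length
IDENTITY_FIELDS = struct.Struct("<HHHBBHIB")


def build_list_identity(context: bytes = b"example!") -> bytes:
    """Request = header only. Nothing in it identifies or authenticates the
    sender: any host that can reach port 44818 gets an answer."""
    return HEADER.pack(CMD_LIST_IDENTITY, 0, 0, 0, context[:8].ljust(8, b"\0"), 0)


def parse_list_identity(datagram: bytes) -> dict:
    """Decode one ListIdentity reply into the fields worth inventorying."""
    cmd, length, _session, status, _ctx, _opts = HEADER.unpack_from(datagram, 0)
    if cmd != CMD_LIST_IDENTITY or status != 0:
        raise ValueError(f"unexpected command 0x{cmd:04x} / status {status}")
    body = datagram[HEADER.size:HEADER.size + length]
    item_count, item_type, item_len = struct.unpack_from("<HHH", body, 0)
    if item_count < 1 or item_type != ITEM_LIST_IDENTITY:
        raise ValueError(f"unexpected item 0x{item_type:04x} (count {item_count})")
    item = body[6:6 + item_len]
    (encap_version,) = struct.unpack_from("<H", item, 0)
    # The sockaddr_in is the one big-endian structure in the reply (16 bytes).
    _family, port, addr = struct.unpack_from(">HHI", item, 2)
    (vendor, dev_type, product_code, rev_major, rev_minor,
     dev_status, serial, name_len) = IDENTITY_FIELDS.unpack_from(item, 18)
    name_start = 18 + IDENTITY_FIELDS.size
    name = item[name_start:name_start + name_len].decode("ascii", "replace")
    state = item[name_start + name_len]
    return {
        "encap_version": encap_version,
        "ip": socket.inet_ntoa(struct.pack(">I", addr)),
        "port": port,
        "vendor_id": vendor,
        "device_type": dev_type,
        "product_code": product_code,
        "revision": f"{rev_major}.{rev_minor:03d}",
        "status": dev_status,
        "serial": serial,
        "product_name": name,
        "state": state,
    }


def sample_response() -> bytes:
    """Constructed reply (not a capture). Vendor ID 1 is the ODVA code for
    Rockwell Automation/Allen-Bradley and device type 0x0E is 'Programmable
    Logic Controller'; name, serial, revision and address are made up."""
    name = b"Example PLC"
    sockaddr = struct.pack(">HHI8x", AF_INET, ENIP_PORT,
                           int.from_bytes(socket.inet_aton("192.0.2.10"), "big"))
    ident = (struct.pack("<H", 1) + sockaddr
             + IDENTITY_FIELDS.pack(1, 0x0E, 0x1234, 20, 11, 0x0030, 0xDEADBEEF, len(name))
             + name + b"\x03")
    body = struct.pack("<HHH", 1, ITEM_LIST_IDENTITY, len(ident)) + ident
    return HEADER.pack(CMD_LIST_IDENTITY, len(body), 0, 0, b"example!", 0) + body


def discover(hosts, timeout: float = 1.0, pace: float = 0.5) -> list:
    """One paced unicast ListIdentity per host, instead of a port or ping
    sweep that can lock up a fragile controller TCP/IP stack."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for host in hosts:
            sock.sendto(build_list_identity(), (host, ENIP_PORT))
            try:
                data, peer = sock.recvfrom(4096)
                found.append((peer[0], parse_list_identity(data)))
            except (socket.timeout, ValueError):
                pass
            time.sleep(pace)
    return found


if __name__ == "__main__":
    print(parse_list_identity(sample_response()))
```

Against a lab device, discover(["192.0.2.10"]) returns the same dictionary the parser produces for the constructed reply. The point to take from the parse is that vendor, product, revision and serial number are handed to anyone who asks, which is why the later slides put authentication at the switch port and in the DMZ rather than expecting it from the protocol.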
Defense in Depth.
Defense-in-Depth
Critical Elements to Security
• Security is basically two pronged:
– Technical vs. Non-technical
– A b...
Defense-in-Depth
Multiple Layers to Protect the network and Defend the edge
• Physical Security – limit physical access t...
Defense-in-Depth
Network Security
• Security is not a bolt-on component
• Comprehensive Network Security Model for Defen...
Defence-in-Depth
Physical Security - Examples
• Keyed solutions for copper and fibre
• Lock-in, Blockout products secure...
Secure Network Architectures for Industrial Control Systems
Purdue model ISA 95
Enterprise Zone
Level 5: Enterprise Network
Level 4: Site Business Planning and Logistics Network
DMZ
Level...
Converged Plant-wide Ethernet Architecture
(diagram; recovered labels: Internet; Enterprise/IT Integration; Collaboration; Wireless; Application Opti...)
Switch Security Features & Techniques
Defend the Industrial Edge
DMZ and Secure Remote Access Guiding Principles
(diagram: Enterprise WAN ...)
• IC...
Protect the Interior – switch config options..
L2/3 Network Security Features
• Authentication
– 802.1x Authentication, W...
Protect the Interior – switch config options..
Traffic Control – Prevent DoS or accidental storms
• Storm Control
– sma...
End-point and Network (Switches) Hardening Procedures
• Use secure protocols on switches and devices (HTTPS, SCP, SNMPv3, ...
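The three slides above list the switch-side controls (802.1X on the port, storm control, and HTTPS/SCP/SNMPv3/SSH in place of HTTP/TFTP/SNMPv2c/Telnet) without showing what a weak and a hardened configuration look like side by side. The following is an added example written for this page, not code from the seminar or from Cisco or Rockwell Automation: two constructed IOS-style configuration fragments and a small checker that reports which of those controls are missing. The hostname, interface names and VLAN are placeholders, the hardened fragment omits the AAA/RADIUS globals that 802.1X depends on, and the checks are line-pattern heuristics rather than an IOS parser.

```python
"""Audit a Cisco IOS-style switch configuration for the hardening points the
slides list: 802.1X on access ports, storm control, and secure management
protocols (HTTPS, SCP, SNMPv3, SSH instead of Telnet).

Added example, not code from the seminar or from Cisco/Rockwell. Both
configs are constructed fragments: the hardened one still needs the
AAA/RADIUS globals 802.1X relies on, which are not shown.
"""

WEAK_CONFIG = """\
hostname cell-switch
ip http server
snmp-server community public RO
ip ssh version 2
!
interface GigabitEthernet1/1
 description PLC
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/2
 description uplink to distribution
 switchport mode trunk
!
line vty 0 4
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname cell-switch
no ip http server
ip http secure-server
ip scp server enable
ip ssh version 2
snmp-server group OPS v3 priv
!
interface GigabitEthernet1/1
 description PLC
 switchport mode access
 switchport access vlan 10
 storm-control broadcast level 10.00
 dot1x port-control auto
!
interface GigabitEthernet1/2
 description uplink to distribution
 switchport mode trunk
 storm-control broadcast level 10.00
!
line vty 0 4
 transport input ssh
"""


def split_config(config: str):
    """Return (global_lines, {block header: [indented lines]}) for
    'interface' and 'line' blocks; comments and blank lines are dropped."""
    global_lines, blocks, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
            continue
        current = None
        if line.startswith(("interface ", "line ")):
            current = line
            blocks[current] = []
        else:
            global_lines.append(line)
    return global_lines, blocks


def audit_switch_config(config: str) -> list:
    """One finding string per weakness; an empty list means clean."""
    global_lines, blocks = split_config(config)
    present = set(global_lines)
    findings = []
    if "ip http server" in present:
        findings.append("cleartext HTTP management: replace 'ip http server' with 'ip http secure-server'")
    for line in global_lines:
        if line.startswith("snmp-server community "):
            findings.append(f"SNMP v1/v2c community ('{line}'): use an SNMPv3 group with 'priv'")
    if "ip scp server enable" not in present:
        findings.append("SCP server not enabled: image and config copies fall back to cleartext TFTP/FTP")
    for name, lines in blocks.items():
        if name.startswith("line vty"):
            transports = [ln for ln in lines if ln.startswith("transport input")]
            if not transports:
                findings.append(f"{name}: no 'transport input ssh' restriction")
            for t in transports:
                if {"telnet", "all"} & set(t.split()):
                    findings.append(f"{name}: '{t}' permits Telnet; use 'transport input ssh'")
        elif name.startswith("interface "):
            if not any(ln.startswith("storm-control ") for ln in lines):
                findings.append(f"{name}: no storm-control; a broadcast storm can stall the cell/area zone")
            if "switchport mode access" in lines and not any(
                    ln.startswith(("dot1x port-control", "authentication port-control")) for ln in lines):
                findings.append(f"{name}: access port without 802.1X port control")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_switch_config(cfg) or ["no findings"])
```

The weak fragment produces seven findings (HTTP, the SNMP community, no SCP, Telnet on the vty lines, no storm control on either port, and no 802.1X on the access port); the hardened fragment produces none. Feeding it a real running-config will surface other constructs the heuristics do not model, so treat the output as a checklist rather than a verdict.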
Cisco Security Logical Framework
Enterprise Network

Purdue Reference Model, ISA-95

Level 5
Level 4

E-Mail, Intranet, et...
Cisco/RA Applied Security – What goes where?
(diagram; recoverable labels: Enterprise Zone, Level 5, Level 4, IPS, VPN, DMZ, Level ...)
Cisco 819H ISR (Rockwell Stratix 5900) Feature Highlights
Security features:
• Stateful Inspection Firewall
• Zone based...
Cisco ASA 5500 Adaptive Security Appliances
Delivering Leading Threat Defense and VPN Services
Provides Converged Threat D...
Identity Service Engine ‘Context-Aware Security’
I want to allow only authorized users access to my network
I want to all...
Secure Remote Access
Employ Secure Remote Access Techniques
SSL Clientless VPN
• No VPN client needs to be installed on remote client
• Acc...
Secure Remote Access – Clientless SSL VPN via ASA 55xx
• Remote engineer or partner establishes VPN to corporate network...
Q&A
21 Steps to securing a SCADA network
1. Identify all connections to SCADA networks
2. Disconnect unnecessary connections t...
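Steps 1 and 2 above (identify every connection, then disconnect the unnecessary ones) and the DMZ and secure remote access principles from the earlier Cisco slides can be turned into a repeatable audit of a connection inventory. The following is an added example written for this page, not code from the seminar, Cisco or Rockwell Automation. The zone order, the three rules (no session crossing the DMZ, remote access terminating on the DMZ VPN gateway, no cleartext management protocols) and the seven-entry inventory are this example's own reading of the slides, constructed for illustration and not taken from any real site.

```python
"""Audit a connection inventory against the zone model the slides use
(Purdue/ISA-95 levels grouped into Enterprise, DMZ, Manufacturing and
Cell/Area zones) and the first two of the 21 steps: identify every
connection, then disconnect the unnecessary ones.

Added example, not code from the seminar, Cisco or Rockwell. The rules are
this example's reading of the slides' guiding principles; the inventory is
constructed for illustration.
"""
from dataclasses import dataclass

# Outermost to innermost; "Remote" stands for Internet/partner/engineer access.
ZONES = ("Remote", "Enterprise", "DMZ", "Manufacturing", "Cell/Area")
CLEARTEXT = {21: "FTP", 23: "Telnet", 69: "TFTP", 80: "HTTP", 161: "SNMP v1/v2c"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str = "tcp"
    justification: str = ""


def crosses_dmz(flow: Flow) -> bool:
    """True when src and dst sit on opposite sides of the DMZ, i.e. the
    session passes through it instead of terminating in it."""
    s, d, dmz = ZONES.index(flow.src), ZONES.index(flow.dst), ZONES.index("DMZ")
    return s < dmz < d or d < dmz < s


def audit_flow(flow: Flow) -> list:
    """Issues for one flow; an empty list means the flow passes all rules."""
    if flow.src not in ZONES or flow.dst not in ZONES:
        raise ValueError(f"unknown zone in {flow}")
    issues = []
    if crosses_dmz(flow):
        issues.append("crosses the DMZ: terminate the session in the DMZ and relay it")
    if flow.src == "Remote" and flow.dst != "DMZ":
        issues.append("remote access must terminate on the DMZ VPN gateway")
    if flow.port in CLEARTEXT:
        issues.append(f"cleartext {CLEARTEXT[flow.port]}: use SSH/HTTPS/SCP/SNMPv3")
    if not flow.justification.strip():
        issues.append("no documented need: disconnect (step 2) or document it (step 1)")
    return issues


def audit_inventory(flows) -> list:
    """[(flow, issues)] for every flow, clean ones included, so the output
    doubles as the 'identify all connections' record."""
    return [(f, audit_flow(f)) for f in flows]


def summary(flows) -> tuple:
    """(number of flagged flows, total number of issues)."""
    results = audit_inventory(flows)
    return (sum(1 for _, i in results if i), sum(len(i) for _, i in results))


# Constructed inventory, not from any real site.
INVENTORY = [
    Flow("Enterprise", "DMZ", 443, "tcp", "ERP reads the mirrored historian"),
    Flow("DMZ", "Manufacturing", 1433, "tcp", "historian mirror pulls from site SQL"),
    Flow("Enterprise", "Cell/Area", 44818, "tcp", ""),
    Flow("Manufacturing", "Cell/Area", 23, "tcp", "legacy HMI console"),
    Flow("Remote", "DMZ", 443, "tcp", "vendor support via clientless SSL VPN"),
    Flow("Remote", "Manufacturing", 3389, "tcp", "vendor direct RDP"),
    Flow("Manufacturing", "Cell/Area", 161, "udp", "switch monitoring"),
]

if __name__ == "__main__":
    for flow, issues in audit_inventory(INVENTORY):
        print(f"{flow.src:>13} -> {flow.dst:<13} {flow.proto}/{flow.port}: "
              + ("; ".join(issues) or "ok"))
```

On the constructed inventory four of the seven flows are flagged: the undocumented direct Enterprise-to-Cell/Area EtherNet/IP session and the vendor's direct RDP into the Manufacturing zone both cross the DMZ, and the Telnet and SNMP v1/v2c flows are cleartext. The two historian flows and the vendor SSL VPN terminating in the DMZ pass, which is the pattern the Cisco slides describe.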
Plantwide benefits of EtherNet IP Seminar
Published on SlideShare, in Technology: The slides presented by Rockwell Automation, Panduit and Cisco Systems at the EtherNet IP Seminar - 11th February 2014

Transcript of slides 1-31:

  1. 1. Industrial IoT in Action Phil George – Solution Architect Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.
  2. 2. SQL Cloud BIG DATA Social Media Mobility Virtualization Ethernet Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.
  3. 3. Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.
  4. 4. Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.
  5. 5. Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.
  6. 6. Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.
  7. 7. Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.
  8. 8. Blog Buzzword informationalize phishing Google IM Cyber grieving Tagging Speed Dating JPG Sidebar Tweet Inflection Point Cloud App Infotainment BFF Landline Webinar Podcast hashtag Flat screen Chatroom ping Unfriend firewall Wiki LOL Geek Widget Flash drive “an event that changes the way we think and act” Andy Grove, Intel Co-founder Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.
  9. 9. INFLECTION Now! Cloud Ethernet Faster Time-to-Market Improved Asset Utilization Lower Total Cost of Ownership Enterprise Risk Management $ Mobility Big Data Disruptive Technologies SECURE Connected Enterprise Unprecedented Value Business Analytics Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.
  10. 10. $ Faster Time to Market Lower Total Cost of Ownership Improved Asset Utilization Enterprise Risk Management Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.
  11. 11. Global POPULATION trends (2020) Will exceed 7.6 billion More than 70 million annually will cross into the middle class Middle class adding $8 trillion to consumer spend Source: McKinsey Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved. 11
  12. 12. Increased Demand on Industrial Production GLOBAL POPULATION TRENDS INCREASE DEMAND FOR Manufacturing EMERGING MARKET CONSUMERISM 30% 100% More Water Resources Infrastructure More Vehicles 80% 150% 0% More Steel RESOURCE PRODUCTIVITY INVESTMENT $1T More Energy Source: McKinsey Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved. 12
  13. 13. THE CONNECTED ENTERPRISE Optimized for Rapid Value Creation  Supply Chain Integration  Collaborative, Demand Driven  Compliant and Sustainable Enterprise PRODUCTIVITY SUSTAINABILITY Smart Grid AGILITY Customers Supply Chain COMPANY CONFIDENTIAL Distribution Center Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved. 13
  14. 14. INDUSTRIAL Internet of Things Raw data > Contextualized Data > Business System Customer Demand Industrial Processes Supply Chain Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved. 14
  15. 15. Sensors Actuators Intelligent Motor Control Terminals Audio Video Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.
  16. 16. TRANSFORMATION INTEGRATED CONTROL AND INFORMATION ENABLER Common Secure Ethernet Infrastructure Enterprise Infrastructure Automation Infrastructure CONVENTIONAL: SEPARATE IT & AUTOMATION One Common Environment FUTURE: UNIFIED INFRASTRUCTURE Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved. 16
  17. 17. @ PAINT LAB KENTUCKY FACILITY Visibility into loss of production faults lead to root cause identification Allows all to access EPA data $302k/yr 2011 2012 Oven temperatures accessed real-time Eliminated by Contract Dispatch # of ReCoats reduced due to real-time alerts Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.
  18. 18. Fundamentals of Ethernet/IP Designing the Physical Layer Agenda Plant-wide Benefits of Ethernet/IP Industrial & IT Network Convergence Ethernet/IP Product Selection Securing Automation Networks Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved. Reserved 18
  19. 19. www.rockwellautomation.com/connectedenterprise Follow ROKAutomation on Facebook & Twitter. Connect with us on LinkedIn. www.rockwellautomation.com Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.
  20. 20. EtherNet/IP Overview Benefits of EtherNet/IP Seminar Series Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
  21. 21. Industrial Networks Needs Long Term Trends  Open network  Converged network technologies (information sharing, common design)  Better asset utilization - lean initiatives (training, support, and inventory)  Future ready – to maximize investments and minimize risks Copyright © 2013 Rockwell Automation, Inc. All rights reserved. 2
  22. 22. Industrial Applications Convergence Industrial Network Trends Information I/O Drive Control Safety Applications Process Power Control High Availability Energy Management Multi-discipline Industrial Network Convergence Disparate Network Technology Single Industrial Network Technology Camera Plant/Site I/O Controller Plant/Site Network I/O Network Safety Network Drive Network Controller HMI Instrumentation VFD Drive Safety I/O Copyright © 2013 Rockwell Automation, Inc. All rights reserved. 3
  23. 23. EtherNet/IP - One Standard Industrial Network Technology For…. System Integrator  Enable seamless plant-wide / site-wide information sharing  Converge industrial and nonindustrial traffic IT Network Engineer  Use standard Ethernet and TCP/IP  Utilize common network infrastructure assets & tools Equipment Builder  Enable convergence-ready solutions  Use a single multi-discipline control and information platform Control System Engineer  Enable future-ready, high performance  Use an established, widely accepted network technology supported by leading industry vendors EtherNet/IP is the global leader: 5M+ nodes sold, 300+ vendors, 1000s product lines Copyright © 2013 Rockwell Automation, Inc. All rights reserved. 4
  24. 24. EtherNet/IP: “IP” - Industrial Protocol Single Industrial Network Technology  ODVA   Supported by global industry leaders such as Cisco Systems®, Omron®, Schneider Electric®, Bosch Rexroth AG®, Endress+Hauser and Rockwell Automation Conformance & Performance Testing www.odva.org  Standard     IEEE 802.3 - standard Ethernet, Precision Time Protocol (IEEE-1588) IETF - Internet Engineering Task Force, standard Internet Protocol (IP) ODVA - Common Industrial Protocol (CIP) IEC - International Electrotechnical Commission – IEC 61158  IT Friendly and Future-Ready (Sustainable)  Multi-discipline control and information platform  Established - products, applications and vendors Copyright © 2013 Rockwell Automation, Inc. All rights reserved. 5
  25. 25. OSI 7-Layer Reference Model Single Industrial Network Technology What makes EtherNet/IP industrial? Open Systems Interconnection Layer Name Layer No. Function Examples Application Layer 7 Network Services to User App Presentation Layer 6 Encryption/Other processing Session Layer 5 Manage Multiple Applications Transport Layer 4 Reliable End-to-End Delivery Error Correction IETF TCP/UDP Layer 3 Packet Delivery, Routing IETF IP Layer 2 Framing of Data, Error Checking IEEE 802.3/802.1 Layer 1 Signal type to transmit bits, pin-outs, cable type TIA - 1005 CIP IEC 61158 Routers Network Switches Data Link Physical Physical Layer Hardening Cabling Infrastructure Device Hardening Common Application Layer Protocol 5-Layer TCP/IP Model Copyright © 2013 Rockwell Automation, Inc. All rights reserved. 6
26. OSI Reference Model: the EtherNet/IP protocol stack. Application layers (7 Application, 6 Presentation, 5 Session): CIP. Data transport layers: 4 Transport, IETF TCP/UDP; 3 Network, IETF IP; 2 Data Link, IEEE 802.3/802.1; 1 Physical, TIA-1005.
27. OSI Reference Model: a network with vendor-specific layers 3 and 4 over standard Ethernet (layer 2 IEEE 802.3/802.1, layer 1 TIA-1005). This limits portability and routability, and may require additional assets to forward information throughout the plant-wide / site-wide architecture.
28. OSI Reference Model: a network with vendor-specific layers 2, 3 and 4 over a TIA-1005 physical layer. This is non-standard Ethernet, and will require additional assets to connect into the plant-wide / site-wide architecture.
29. OSI Reference Model: network independent. The layer 7 application protocol (CIP) is independent of the network layers beneath it (layers 4, 3, 2 and 1).
30. Industrial Applications Convergence (Industrial Network Trends). Devices shown: camera, controller, HMI, plant/site I/O, instrumentation, VFD drive, safety I/O.
• Disparate network technology: multiple network technologies, topology limits, physical segmentation, data duplication.
• Single industrial network technology: one network technology, with topology options in place of topology limits, and without the physical segmentation and data duplication of disparate networks.
31. The Alternative: "Islands of Automation".
32. Collaboration of Partners: Network Technology Convergence (Cisco / Rockwell Automation reference architecture; logical framework, physical framework, common toolsets).
• Enterprise Zone (Levels 4 and 5): Enterprise WAN; physical or virtualized servers (ERP, email, Call Manager, Active Directory (AD), AAA / RADIUS).
• Industrial Demilitarized Zone (IDMZ): Cisco ASA 5500 firewalls, active and standby, with a Gbps link for failover detection; physical or virtualized servers for patch management, remote gateway services, application mirror and AV server. Plant firewall functions: inter-zone traffic segmentation; ACLs, IPS and IDS; VPN services; portal and terminal server proxy.
• Micro data center: racks, patching, cable management, copper/fiber.
• Industrial Zone, Site Operations and Control (Level 3): Catalyst 6500/4500, Catalyst 3750 StackWise switch stack, remote access server; physical or virtualized servers for FactoryTalk application servers and services platform, network services (DNS, AD, DHCP, AAA), remote access server (RAS), Call Manager, storage array.
• Cell/Area Zones (Levels 0 to 2): Rockwell Automation Stratix 8000 Layer 2 access switches; HMI, safety I/O, safety controller, controller, camera, robot, instrumentation, phone, MCC, soft starter, I/O, servo drive. Zone #1: redundant star topology with Flex Links resiliency. Zone #2: ring topology with Resilient Ethernet Protocol (REP). Zone #3: bus/star topology. Control panel network zone with noise mitigation. Media: copper, fiber, wireless; testers; network discovery protocol statistics.
33. TRANSFORMATION: Integrated Control and Information. Enabler: a common secure Ethernet infrastructure. Conventional: separate IT (enterprise infrastructure) and automation infrastructure. Future: unified infrastructure, one common environment.
34. Industrial Networks Summary
• Open networks are in demand: broad availability of products, applications and vendor support for industrial automation; network standards for coexistence and interoperability of industrial automation devices.
• Convergence of network technologies: reduce the number of disparate networks in an operation and create seamless information sharing throughout the plant-wide / site-wide architecture; use common network design, deployment and troubleshooting tools across the plant-wide / site-wide architecture, and avoid special tools for each application.
• Better asset utilization to support lean initiatives: common network infrastructure assets, while accounting for environmental requirements; reduced training, support and inventory for different networking technologies.
• Future-ready, maximizing investments and minimizing risks: support new technologies and features without a network forklift upgrade.
Reduce risk. Simplify design. Speed deployment.
35. www.industrialip.org: a new "go-to" resource for educational, technical and thought-leadership information about industrial communications; standard Internet Protocol (IP) for industrial applications; a coalition of like-minded companies.
36. Agenda: Plant-wide Benefits of EtherNet/IP; Fundamentals of EtherNet/IP; Designing the Physical Layer; Industrial & IT Network Convergence; EtherNet/IP Product Selection; Securing Automation Networks.
37. EtherNet/IP Overview: Benefits of EtherNet/IP seminar series. Follow ROKAutomation on Facebook & Twitter; connect with us on LinkedIn. www.rockwellautomation.com
38. Will your Physical Layer perform? Plantwide EtherNet/IP Ecosystem Design and Deployment (Panduit's distributor partner).
39. Vision: Unified Physical Infrastructure. Manufacturing: Industrial Automation Solution. Building: Connected Buildings Solution. Office: Data Center Solution.
40. Critical Manufacturing Assets are at Risk! • Downtime • Security lapses • Performance degradation
41. Installation pitfalls: 1. Proper cable installation is critical. 2. No matter the hardware, shoddy cable installation will result in a poor network. 3. This makes it impossible to manage, maintain and troubleshoot.
42. Importance of the Physical Layer: "A significant portion of network downtime, approx. 80%, is attributed to Physical Layer connections." (Sage Research)
43. Designing the Physical Layer for EtherNet/IP: what do physical-layer best practices based on a reference architecture look like?
44. Physical Layer Design Considerations
• Design and implement a robust physical layer.
• Environment classification: MICE.
• More than cable: connectors, patch panels, cable management, grounding, bonding and shielding (noise mitigation).
• Physical media: wired vs. wireless; copper vs. fiber; UTP vs. STP; singlemode vs. multimode; SFP connectors, LC vs. SC.
• Topology choices: switch-level and device-level; cable selection.
References: LAN Troubleshooting Guide; Industrial Ethernet Physical Infrastructure Reference Architecture Design Guide; ODVA guide; ENET-WP007.
45. Logical reference (Rockwell/Cisco reference architecture)
• Enterprise Zone (EZ).
• Demilitarized Zone (DMZ): active and standby firewalls with a GE link for failover detection; Windows 2003 servers for remote desktop connection, VNC and PCAnywhere.
• Manufacturing Zone: Layer 3 routers and Layer 3 switches; automation apps (historian, data distribution, asset security, engineering applications, databases); network services (DNS, DHCP, syslog server; network and security management).
• Cell/Area Zones: redundant star, ring, and bus/star topologies.
46. Logical reference, repeated with the zone boundaries highlighted: Enterprise Zone, active and standby firewalls, Layer 3 routers and Layer 3 switches, ring and bus/star cell/area topologies.
47. Physical reference: the zones of the logical diagram (Enterprise Zone; DMZ with firewalls FWA and FWB; Manufacturing Zone with Layer 3 routers (L3R), Layer 3 switches (L3S), database (DB), patching and HMI; Cell/Area Zones with Layer 2 switches (L2S), controllers (CTRLR), drives and distributed I/O) mapped onto the IN-Room, IN-Route, IN-Panel, IN-Field and IN-Frastructure solution spaces.
48. Panduit Industrial Automation: 5 core solutions
• IN-ROOM™: control room, data center, telco closet.
• IN-ROUTE™: industrial pathways, network zone enclosures.
• IN-PANEL™: control panels, electrical panels and MCC.
• IN-FIELD™: on the machine, in the process area, or outdoors.
• IN-FRASTRUCTURE™: power distribution, lighting, HVAC, security, safety.
49. Simplify with validated building blocks (Physical Layer Design Considerations): micro data center, zone enclosures, control panel solutions.
50. IN-ROOM™: Micro Data Center (IN-Room solution)
• Enterprise/office: patchfield used to uplink the switch to Levels 4 and 5.
• Enterprise server patching: cross-connect between production servers and switch.
• Firewall and DMZ: logical buffer zone between the Enterprise and Manufacturing zones.
• Manufacturing zone: patchfield used to connect the Layer 3 switch to the Layer 2 switches used on the plant floor.
51. Physical Network Security (IN-ROOM™, IN-ROUTE™, IN-PANEL™, IN-FIELD™)
• Keyed solutions for copper and fiber.
• USB Type A and Type B ports.
• Lock-in and block-out products secure connections.
Port locks and keyed media raise the effort of casual tampering; they complement, rather than replace, disabling unused switch ports and the network-layer controls in the layered security model later in the deck.
52. IN-ROOM™ Micro Data Center Solutions (Physical Layer Design Considerations): micro data center simplification, organize, secure and standardize. Before: disorganized, network performance issues, frequent moves, adds and changes. After: structured approach, media selection/security, visual identification.
  54. 54. 17 Environmental Focus – M.I.C.E. Increased Environmental Severity Mechanical M1 M2 M3 • Water • Dust I1 I2 I3 Climatic Chemical C1 C2 C3 Electro E1 E2 E3 • Shock • Vibration Ingress magnetic TIA/EIA 1005 Office Industrial
  55. 55. You can’t choose components without knowing the Environment
  56. 56. IN-ROUTE ININ ROUTETM IN-Route - Zone Cabling Methods Z Z Z TR Centralized Cabling – Home runs from each node back to the telecommunication room. TR Zone Cabling – Provides for Reduced home-run wiring, easy moves / adds / changes and reduced size of telecommunication room 19
  57. 57. Pathways • Overhead cable tray routing system • Designed to route and manage copper, fiber optic, or power cables IN-ROUTE ININ ROUTETM
  58. 58. IN-ROUTE ININ ROUTETM Fiber Pathways
  59. 59. IN-ROUTE ININ ROUTETM Dielectric Conduited Fiber Cable (DCF) 22 KEY BENEFIT: Easier to install fiber cable (eliminates conduit & grounding) with rugged, crush resistant construction SOLUTION COMPONENTS 1. 12 part numbers. • Fiber Counts: 2, 4, 8, & 12 • Fiber Types: OS1/OS2, OM1, OM2 2. Compatible with OptiCam connectors
  60. 60. IN-ROUTE ININ ROUTETM Zone Enclosures – Pre-configured Best way to structure manufacturing network •Leverages Cisco/RA recommended architecture for best network performance •Built for capability of rapid network expansion •Touch-safe for Facility IT access •Significantly reduces lead time to deploy 23
  61. 61. Zone Enclosures – Optimized for Stratix Physical Layer Design Considerations • Pre-configured, Pre-tested for Stratix 8300, 8000 and 5700 switches • Safe, Secure, Thermally tested • Save time/cost/risk: – IT/controls convergence point – Machine Builders IN-ROUTE ININ ROUTETM
  62. 62. IN-Route: Network Distribution Simplification IN-ROUTE ININ ROUTETM Physical Layer Design Considerations Robust, Secure, Future-Ready Network Distribution BEFORE Challenges: • Scalability issues • Diagnostics & troubleshooting • Evolving cable mgmt AFTER Solutions: • Zone enclosure • Media selection & security • Cable routing 25
  63. 63. IN-PANEL ININ PANELTM IN-Panel - Understanding the Problem There are several market trends that are exerting pressure on the design and architecture of a Control Panel. – – – – – Space Optimization Terminations Network Cabling Noise Mitigation Safety/Security
  64. 64. IN-PANEL ININ PANELTM EtherNet in the Control Panel • Additional requirements and solutions are required with the addition of EtherNet into the Control Panel.
  65. 65. IN-PANEL ININ PANELTM Planning for networking in the panel N • What are common networking challenges in the panel? – Overall concerns • Diagnostics/troubleshooting • Maintenance • Future system upgrades – Performance in potentially high noise environment • Zoned layouts • Shielding – Finding panel space for new components Clean Noisy Very Noisy
  66. 66. Noise Mitigation Demo IN-PANEL ININ PANELTM
67. Polymer Coated Fiber (PCF) cable, LC connector, termination tool kit (IN-PANEL™, IN-FIELD™). Key benefits: ease of field termination (crimp, cleave and leave), performance, noise immunity. Solution components: 1. PCF cable (zip cord and breakout cables). 2. Field-attached LC connector for 50/200/230 µm and 62.5/200/230 µm PCF fiber. 3. Field termination tool kit. Panduit Confidential Information - not for Distribution
68. Terminating fiber using PCF crimp-on connectors (video; IN-PANEL™, IN-FIELD™).
69. Space optimization increases design flexibility (IN-PANEL™, Physical Layer Design Considerations): maximizes panel space utilization; easier to design for future system upgrades; provides up to 30% space savings. Panduit PanelMax™ offering: DIN rail wiring duct (uses enclosure depth to save panel footprint space and improve component access); corner wiring duct (utilizes space typically unusable in the enclosure corner); shielded wiring duct (mitigates EMI noise to reduce the required wire separation distance); conventional wiring duct. All of these products contribute to cost savings.
70. Panduit network solutions for the control panel (IN-PANEL™, Physical Layer Design Considerations): optimized solutions for machine-builder Stratix 5700 deployments. DIN rail mount adapter: modular DIN rail mounting for copper or fiber connectivity. Patch panel: facilitates testing and future moves, adds and changes. Fiber and Cat6 patch cords: performance guaranteed.
71. IN-Panel: optimized with partners (IN-PANEL™, Physical Layer Design Considerations). Leverage the power of EtherNet/IP and ecosystem partners: Panduit fiber, patching, noise mitigation, space optimization, grounding/bonding; RA Stratix 5700 for machine builders; RA 1585 patch cords; test with Fluke Networks. EtherNet/IP connects to zone enclosures and the micro data center for convergence aligned with Cisco/RA CPwE.
72. IN-FIELD™ challenges, on the machine or in process areas: high MICE levels (vibration, chemical, temperature, wash-down); wire management rated for the environment; food safety.
73. IN-Field solutions: manage and protect (IN-FIELD™). Harsh-rated cable management and identification; abrasion protection; grounding/bonding; metal-detectable wire management for the food industry.
74. IN-Frastructure challenges (IN-FRASTRUCTURE™): facility grounding/bonding and power; costs of safety incidents; lockout/tagout implementation.
75. IN-Frastructure solutions (IN-FRASTRUCTURE™): grounding/bonding components and solutions; safety labels and signage; lockout/tagout systems.
76. Application guides: Network Security.
77. Control Panel Layout whitepaper: best practices = reduced call-backs and problems, greater solution sales.
78. http://www.industrial-ip.org
79. Easy building-block approach: design your system using cost-effective and easy-to-troubleshoot network architectures: micro data center, zone enclosure, control panel solutions.
80. Industry-level thought leadership: a 450-page "how to" manual, with contributions from Fluke and Rockwell Automation, on designing and installing the physical infrastructure for an industrial Ethernet network. Logical level: enterprise functional design, shared architecture. Physical level: environmental requirements (M.I.C.E.), plant floor design. Panduit: Physical Infrastructure Reference Architecture.
81. Design/spec tools (Physical Layer Design Considerations): design micro data centers in Visio and paste the BOM into ProposalWorks.
82. Plant floor "macro architecture" summary: example MICE classifications (M-I-C-E) for the plant areas shown in the original diagram: 1-1-1-1, 3-1-2-3, 1-1-1-3, 3-3-3-3, 2-1-3-2, 3-2-3-3, 2-2-2-1.
83. Fiber Optic Application Best Practices for EtherNet/IP (2/13/2014)
84. Agenda: Physical Infrastructure for Fiber Deployments; Fiber Selection; Saving Time/Cost with Fiber.
86. Industrial networks live in the real world. Industrial networks must take into consideration the physical challenges of the facility's environment (plant Ethernet: controller, switch, Ethernet I/O, drive, sensor). Location, routing and equipment choices should be based on a complete understanding of cause-and-effect conditions. Environmental focus: M.I.C.E. (TIA-1005).
87. Fiber that fits both the environment and the application: fiber is now being used in all areas of an industrial network deployment.
88. Benefits of fiber in an industrial space
• Fiber is immune to electrical noise (EMI).
• Fiber can be used in high M.I.C.E. environments.
• Fiber can be rated for indoor, outdoor and transition spaces.
• Armored fiber (available in both metallic and all-dielectric versions) reduces the need for, and the installation cost of, innerduct and conduit.
• Smaller cable footprint (one fiber cable vs. a bundle of copper UTP).
• Reliability and speed of installation reduce the total cost of ownership.
Converged Ethernet manufacturing network model: corporate network (office applications, internetworking, data servers, storage); back-office mainframes and servers (ERP, MES, etc.); human machine interface (HMI); supervisory control; robotics; controllers; motors, drives, actuators; sensors and other input/output devices.
89. Key elements of a successful EtherNet/IP network design
• Understanding application and functional requirements.
• Developing a logical framework (roadmap).
• Developing a physical framework.
• Determining security requirements and partnering with IT.
• Using technology and industry standards, reference models and reference architectures.
Reference diagram: Enterprise Zone (Levels 4 and 5) with ERP, email and the Wide Area Network (WAN); Demilitarized Zone (DMZ) with Cisco ASA 5500 active and standby firewalls (Gbps link for failover detection), patch management, remote gateway services, application mirror and AV server, the plant firewall providing inter-zone traffic segmentation, ACLs, IPS and IDS, VPN services, and portal and terminal server proxy; Industrial Zone, Site Operations and Control (Level 3) with Catalyst 6500/4500 and a Catalyst 3750 StackWise switch stack, FactoryTalk application servers (View, Historian, AssetCentre, Transaction Manager), FactoryTalk Services Platform (Directory, Security/Audit), remote access server, data servers, and network services (DNS, DHCP, syslog server, network and security management); Cell/Area Zones (Levels 0 to 2) with Rockwell Automation Stratix 8000 Layer 2 access switches, HMIs, controllers, drives and I/O in redundant star (Flex Links resiliency), ring (Resilient Ethernet Protocol, REP) and bus/star topologies.
90. Agenda: Physical Infrastructure for Fiber Deployments; Fiber Selection; Saving Time/Cost with Fiber.
91. Selecting the right fiber requires knowing the application environment, knowing the distance requirements, and knowing the equipment you are connecting to.
92. Let's take a sample application and go through it step by step. Knowing the capability of your equipment: the first step in choosing the right fiber is to look at the capability of your equipment. Look at the specifications of the equipment to determine the speed of the connections. The fiber you choose should at least be able to handle the fastest mode of the existing system.
93. Knowing the capability of your equipment. The Stratix is a good switch to use as an example because it has both uplink ports and data ports running at different speeds. The uplink port speed is determined by the use of copper or fiber; if it is fiber, the SFP (Small Form-factor Pluggable) module fitted determines the speed of the link.
95. Understanding your expansion or upgrade path. The following is an example list of specifications for the fiber-optic SFP module connections (information from the Stratix user manual). It is IMPORTANT that each port match the wavelength specification at the other end of the cable, and, for reliable communication, that the cable not exceed the rated maximum length.
SFP module type | Cat. No. | Wavelength (nm) | Fiber type | Core/cladding (µm) | Modal bandwidth (MHz·km)(1) | Cable distance
100BASE-FX | 1783-SFP100FX | 1310 | MMF | 50/125 | 500 | 2 km (6562 ft)
100BASE-FX | 1783-SFP100FX | 1310 | MMF | 62.5/125 | 500 | 2 km (6562 ft)
100BASE-LX | 1783-SFP100LX | 1310 | SMF | G.652 | n/a | 10 km (32,810 ft)
1000BASE-SX | 1783-SFP1GSX | 850 | MMF | 62.5/125 | 160 | 220 m (722 ft)
1000BASE-SX | 1783-SFP1GSX | 850 | MMF | 62.5/125 | 200 | 275 m (902 ft)
1000BASE-SX | 1783-SFP1GSX | 850 | MMF | 50/125 | 400 | 500 m (1640 ft)
1000BASE-SX | 1783-SFP1GSX | 850 | MMF | 50/125 | 500 | 550 m (1804 ft)
1000BASE-LX/LH | 1783-SFP1GLX | 1310 | SMF | G.652 | n/a | 10 km (32,810 ft)
(1) Modal bandwidth applies only to multimode fiber.
96. Answers always lead to more questions. From the equipment investigation we learned: the maximum uplink speed is 1 Gb/s (1000BASE-T on copper, 1000BASE-SX/LX via SFP on fiber); the maximum data-port speed is 100 Mb/s (100BASE-TX); several SFP modules are available, supporting both single-mode and multimode fiber. The next question: is there an existing fiber plant, and what core size is it using?
97. What makes up a fiber cable? There are two classes of fiber in use today: single-mode (long-distance fiber, more expensive technology) and multimode (shorter distance, more cost-effective for inside-plant use). To understand the differences between core sizes, and why they matter, you need to know what makes up a fiber cable.
98. How big is the fiber (relatively)? All sizes in microns (µm). A fiber consists of a core, cladding and buffer. Core diameters: 9 (single-mode), 50 and 62.5 (glass multimode), 200 (polymer coated fiber). Cladding: 125 for glass fiber, 230 for PCF. The core size narrows down the OMx or OSx grade of the fiber.
99. Single-mode fiber: 9 µm core, 125 µm cladding.
100. Multimode fiber: 50 or 62.5 µm core, 125 µm cladding.
101. Polymer coated multimode fiber (PCF): 200 µm core, 230 µm cladding (50 and 62.5 µm glass multimode shown alongside for comparison).
102. What do the OM ratings mean? If you see OM in the fiber grade it always means multimode. The US adopted the "Optical Multimode" grading system defined by ISO (the International Organization for Standardization, Geneva, Switzerland):
• OM1: 62.5 µm core (mostly legacy systems).
• OM2: 50 µm core ("plain vanilla" variety).
• OM3: 50 µm core, laser-optimized to work with VCSELs.
• OM4: 50 µm core, extended bandwidth, further refined to reduce pulse spreading and enable longer distances.
Just as with copper categories, a bigger number means better cable.
103. What do the OS ratings mean? If you see OS in the fiber grade it always means single-mode. OS1 and OS2 both have a 9 µm core and both are specified at 1310 nm and 1550 nm; OS2 is the lower-attenuation grade, typically loose-tube outside-plant cable, while OS1 is the tight-buffered indoor grade. Why does the core size make such a difference in fiber performance? Think of OS (single-mode) vs. OM (multimode) as the difference between a rifle shot and a shotgun blast.
104. Example of single-mode vs. multimode. Single-mode: more efficient, goes FURTHER; launched by a Fabry-Perot laser. Multimode: less efficient, doesn't go as far; launched by a cheap, slow LED.
105. Light pulse spreading ("modal dispersion"), the enemy of throughput. With a cheap, slow LED launching into a multimode core, some of the photons (light particles) go straight and some ricochet around the outside; the further they travel, the closer the leading edge of one pulse gets to the trailing edge of the one before it. Eventually you can't tell one pulse from another.
106. The further you go, the worse it gets. "Hey, I sent a '1'." "What?" You can only go so far with a given grade of multimode fiber before light pulses begin to overlap.
107. How the OM/OS ratings equate to distance. ANSI/TIA-568-C.0 (D.3), optical fiber cabling supportable distances table. Table 7 lists maximum supportable distances and maximum channel attenuation for applications using optical fiber cabling. The table is based on the minimum performance requirements of 62.5/125 µm, 50/125 µm, 850 nm laser-optimized 50/125 µm, and single-mode fiber established by ANSI/TIA-568-C.3.
108. Remember the MICE table? Where you put the fiber ("the environment") determines the type of fiber you choose.
109. Applications for "indoor" fiber
• Indoor Opti-Core fiber distribution cable: used when you have sufficient protection for the fiber.
• Indoor Opti-Core interlocking armor: used when the fiber has to protect itself.
• Indoor Industrial-Net (PCF) polymer coated fiber: NEW, electrician-friendly crimp-on connector for direct node-to-node connection.
• Indoor Dielectric Conduited Fiber (DCF): NEW, all the benefits of an armored fiber without the metal; use in areas suspected of unequal ground potentials.
110. Applications for "indoor-outdoor" fiber
• Indoor/outdoor Opti-Core all-dielectric fiber cable: used to transition from indoor to outdoor in a protected area, tray or conduit.
• Indoor/outdoor Opti-Core gel-free interlocking aluminum armored fiber cable: used to transition from indoor to outdoor while still protecting the cable from harsh mechanical conditions.
111. Applications for "outdoor" fiber
• Opti-Core gel-free fiber optic outside plant all-dielectric cable: allows installation using loose-tube cable methods for aerial and duct applications.
• Opti-Core gel-free fiber optic outside plant armored cable: allows installation using loose-tube cable methods for aerial, duct and direct-burial applications.
112. One last thought when choosing a fiber type: choosing the connector. Traditional puck-and-polish connectors (5 to 7 min per termination); OptiCam factory-polished connectors (2 to 3 min); industrial strip-and-crimp, no-polish-required fiber connectors (approx. 1 min).
113. Choosing the connector: OptiCam connector; PCF connector.
114. Agenda: Physical Infrastructure for Fiber Deployments; Fiber Selection; Saving Time/Cost with Fiber.
115. Choosing the right fiber type for the application can save big $$$ in materials and labour.
116. Links from field switches to control rooms should support higher speeds and greater volume.
117. Electrician-friendly fiber can be used to install long-distance bus systems.
118. Fiber optic infrastructure planning (Physical Layer Design Considerations): new joint application guide, Fiber Guide ENET-TD003. Increase the integrity and availability of EtherNet/IP networks with fiber solutions from trusted partners: physical infrastructure; Integrated Architecture, Stratix switches, ETAPs and more; higher-level switches.
119. Easy-to-follow fiber best practices (Physical Layer Design Considerations): partner-validated application guide.
120. Summary. Physical infrastructure for fiber deployments: understanding the environment and the application. Fiber selection: knowing how to determine equipment and system requirements. Saving time/cost with fiber: choosing the proper network design for the application.
121. Industrial and IT Network Convergence: EtherNet/IP Enables Convergence. Mike Loughran, Solution Architect, 11th February 2014. Copyright © 2012 Rockwell Automation, Inc. All rights reserved.
122. Emerging technologies in operations, all the BUZZ: the Internet of Things (IoT); intelligent devices start to communicate with each other. COMPANY CONFIDENTIAL - Internal Use Only
123. What does it all mean? Driven largely by Information Technology.
• Big Data: large amounts of information are available to manage the supply chain and complex processes; most of it is buried on the production floor in historians or other databases.
• Cloud computing and virtualization: speed up deployment of production, add flexibility, reduce capital investment and increase access across global operations; increase longevity and reliability and provide disaster recovery; centers around Information Technology (IT) more than operations/production management.
• Mobility and BYOD (Bring Your Own Device): improve maintainability, uptime, asset longevity, safety and cost control; technicians, supervisors and operators are all mobile during their typical work day.
124. Why are emerging technologies so important? Automated, adaptable processes and decisions.
125. Why are emerging technologies so important?
• They empower companies to grow faster, produce better products and serve customers more effectively.
• They connect a workforce, analyze data and allow for continuous improvement.
• Companies can leverage technological advances as a competitive advantage, and must constantly seek newer, faster and better technologies to improve their business.
Early adopters typically acknowledge the risk that comes with new technology; keeping abreast of new developments is an ongoing job with both risks and rewards.
126. Industrial network convergence (Industrial Network Trends): process control, intelligent motor control, discrete control and information technology. EtherNet/IP is enabling and driving multi-discipline industrial network convergence.
127. The value in bringing the information together: laboratory information management systems, production scheduling, performance, alarms/events, HMIs, quality systems, control systems, data historians, computerized maintenance management systems, other database systems. You need robust infrastructure solutions to deliver the information fast, reliably and securely! You need a network technology that is STANDARD, PROVEN and MORE than a FIELDBUS!
128. From production to the enterprise: the Rockwell Automation & Cisco alliance. Rockwell Automation and Cisco present the most valuable resource in the industry for deploying a converged network infrastructure.
• Common technology view: single system architecture, using open, industry-standard networking technologies (EtherNet/IP); delivering Converged Plantwide Ethernet (CPwE) architectures for manufacturing and industrial environments; best pathway to operations/IT network convergence, with detailed design and implementation guidance.
• Joint product and solution collaboration: creating an ideal networking environment for both IT and controls professionals.
• People and process optimization: education and services to facilitate manufacturing and IT convergence.
Leadership in IT and plant operations.
129. Risks and threats to networked systems
Application of security patches, natural or man-made disasters, worms and viruses, sabotage, theft, unauthorized access, denial of service, unauthorized actions by employees, unauthorized remote access, unintended employee actions. The slide maps these onto information risk and operations risk, which together make up business risk: security risks increase the potential for disruption to system uptime and safe operation, and for loss of IP.
130. A Vendor's Perspective
• Control system lifecycles are long (20+ years)
• Products will have vulnerabilities
• Security is a team sport: vendors & customers, IT & engineering; pick your teams (don't go it alone)
• REMEMBER: human beings are imperfect
• Control system safety & security are closely linked
• Control system security manages variables; managing the security variables enhances uptime
• UPTIME = PROFITABILITY
131. Our Approach to Industrial Security
A secure application depends on multiple layers of protection; industrial security must be implemented as a system.
• Layered security model: shield potential targets behind multiple levels of protection to reduce security risk (layers: Physical, Network, Computer, Application, Device)
• Defense in depth: use multiple security countermeasures to protect the integrity of components or systems
• Openness: consideration for participation of a variety of vendors in our security solutions
• Flexibility: able to accommodate a customer's needs, including policies & procedures
• Consistency: solutions that align with government directives and standards bodies
132. Evolving Global Standards
• ISA-99 / IEC 62443, developed with asset owners, vendors and industry consortia; related references: NIST SP 800 series, ISO 27002, RFC 2196, NERC CIP, WIB 2.0
• Requirements & certifications: WIB; ISA Security Compliance Institute (ISCI), with security assurance levels SAL 1, SAL 2 and SAL 3; Exida.com LLC; Wurldtech (Achilles test platform), with independent certification at Bronze, Silver and Gold and conformance test levels L-1, L-2 and L-3; ODVA (building blocks)
133. Design for Security approach: Specifications; Audits & Gaps; Enhance & Improve; Resiliency & Robustness.
134. Additional Material: Educational (Cisco and Rockwell Automation Alliance)
Education Series webcasts:
• What every IT professional should know about plant-floor networking
• What every plant-floor engineer should know about working with IT
• Industrial Ethernet: introduction to resiliency
• Fundamentals of secure remote access for plant-floor applications and data
• Securing architectures and applications for network convergence
• IT-ready EtherNet/IP solutions
Available online: http://www.ab.com/networks/architectures.html
135. Additional Material: Simplify Design (Rockwell Automation)
• Networks website: http://www.ab.com/networks/
• EtherNet/IP Toolkit: http://www.rockwellautomation.com/rockwellautomation/productstechnologies/integrated-architecture/tools/overview.page#/tab4
• Ethernet tools
136. Additional Material: Simplify Design (Cisco and Rockwell Automation Alliance)
• Website: http://www.ab.com/networks/architectures.html
• Design guides: Converged Plant-wide Ethernet (CPwE)
• Application guides: Fiber Optic Infrastructure Application Guide
• Education series: http://www.ab.com/networks/architectures.html
• Whitepapers: Top 10 Recommendations for Plant-wide EtherNet/IP Deployments; Securing Manufacturing Computer and Controller Assets; Production Software within Manufacturing Reference Architectures
137. Additional Material: Simplify Design (Collaboration)
• Plant-wide EtherNet/IP Ecosystem Partners website
• Fiber Optic Infrastructure Application Guide, ENET-TD003
138. Additional Material: Simplify Design and Speed Deployment (Panduit Corp.)
• Panduit Corp. website: http://www.panduit.com/
• Industrial automation solutions: Industrial Automation Product Systems Brochure; Industrial Communication Solutions Interactive Roadmap
139. Additional Material: Speed Deployment (Fluke Networks)
• www.flukenetworks.com
• www.flukenetworks.com/industrial
• www.flukenetworks.com/knowledgebase
140. Reduce design time: procurement specifications online, http://www.rockwellautomation.com/rockwellautomation/industries/procurementspecifications/overview.page?
141. Stratix Ethernet Switch Family: a family of high-performance industrial Ethernet switches ideal for the end user and the equipment builder. Rev 5058-CO900C
142. Stratix Portfolio Overview
Routers and switches for security, productivity, safe operations, remote access, time to market and protecting IP:
• Enabling security in new or existing architectures
• Applications from simple to complex networks
• Monitoring and controlling distributed devices
• Plant floor and enterprise integration
Portfolio: Stratix 5100 wireless AP/WGB; Stratix 5900 security appliance; Stratix 5700 (Layer 2); Stratix 8000/8300 (Layer 2, Layer 3); Stratix 6000 (Layer 2); Stratix 2000 (unmanaged); Stratix ETAPs.
PUBLIC INFORMATION. Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.
143. The Stratix Family Overview: integrating your enterprise and manufacturing environments
Overview: a family of industrial Ethernet switches that are optimized for configuration, monitoring, security and maintenance; modular and scalable; designed for simple to complex Ethernet applications; IT-ready and IT-friendly.
Key benefits: simplified integration of machine systems into the infrastructure; Integrated Architecture programming tools and features; secure remote access for improved productivity and OEE.
Applications: connected or isolated machine and process control; plant floor and enterprise integration; distributed network devices that need to be monitored and controlled.
144. Stratix 2000 Unmanaged Switches: refresh & product line expansion
145. Stratix 2000 Unmanaged Switches Overview
• Low-cost solutions designed for isolated control networks; recommended for Micro 850 & Micro 820 applications
• Unmanaged switches are not recommended for safety or motion applications
• Simple plug & play: automatically negotiates speed and duplex settings (no configuration required); automatically detects crossover cables
• Expanded operating temperature from -20 °C to 70 °C for most catalog numbers, to meet a wider variety of application needs (exception: 1783-US5T & 1783-US8T, 0 to 60 °C)
146. Stratix 6000 Fixed Managed Switches
147. Stratix 6000 Managed Switches
• Fixed-port managed switch, 4-port or 8-port versions with optional fiber-optic uplink (SFP)
• Control system integrated: CIP communications for diagnostics (tags) and configuration (RSLogix 5000)
• Security: DHCP persistence for automatic end-device IP address assignment; unauthorized user identification; traffic level monitor with alarms
• FactoryTalk View faceplates
Integrated tightly into the Integrated Architecture.
148. Stratix 5700 Industrial Managed Switches
149. The Stratix 5700: Layer 2 Managed Switches with Cisco Technology, compact & scalable
• Premier integration into the Integrated Architecture: CIP interface, Studio 5000 AOP, ControlLogix tags, FactoryTalk View faceplates
• Built with Cisco technology (IOS): common feature set with the Stratix 8x00; common IT tools (CLI, CNA, Device Manager, CiscoWorks)
• Simple to deploy & maintain: easy integration (default configurations, common Smartports, DHCP per-port IP addressing); easy maintenance (SD card for configuration backup, diagnostics & network management tools)
Best of Rockwell Automation & Cisco in a compact size.
150. Stratix 5700 Configurations
• 3 base platforms offering 20 configurations; 6-, 10- and 20-port base units: 6 copper, or 4 copper + 2 SFP slots; 8 copper + 2 combo*; 16 copper + 2 combo* + 2 SFP slots; 2 Gig port option
• SFP slots support multimode & single-mode fiber; a wide variety of SFPs is available; compatible with other Cisco SFPs
• Advanced feature set to address EtherNet/IP applications, security, resiliency & redundancy
• Two software packages to choose from: Lite & Full versions
• Conformal coating option for harsh environments
*Combo ports can be either copper or SFP. Ideal for simple to complex applications.
151. Stratix 8000 / 8300 Industrial Managed Switches
152. Stratix 8000/8300 Modular Design
• Base module (6-port or 10-port): data ports 10/100 copper; dual-purpose uplink ports 10/100/1000 copper or SFP
• Extension module A (8-port copper): 8 extended data ports, 10/100 copper
• Extension module B (8-port fiber): 8 extended data ports, 100 Mb fixed fiber
• SFP fiber transceivers: 100M and 1G, multimode and single-mode
153. Stratix 8300 Layer 3 Managed Switch: Layer 3 routing capabilities, with dynamic routing protocols such as RIP, EIGRP and OSPF
154. Stratix 5900 Industrial Services Router
155. The Stratix 5900 Security Appliance
• Premier routing & security services: firewall, Virtual Private Network (VPN), Network Address Translation (NAT)
• 1 GE WAN, 4 FE LAN, 1 serial port
• Built with Cisco technology (IOS): common features with the Stratix switches; common IT tools (CLI, CNA, Device Manager, CiscoWorks, CCP)
• Ruggedized with extended temperature, shock & vibration ratings; compact size with DIN-rail mount
Best of Rockwell & Cisco in a compact size.
156. Embedded Switch Technology
157. Embedded Switch Technology
• Enables LINEAR and RING topologies on EtherNet/IP
• Network traffic is managed to ensure timely delivery of critical data (QoS and IGMP supported)
• Open standard (ODVA) allows third-party suppliers to develop compatible products
Linear: linear Ethernet segments greatly extend the reach of the application; no need to run cables from each device back to a centralized switch.
Device-Level Ring (DLR): a single-fault-tolerant network provides resiliency; a device-level ring requires no additional hardware to implement.
158. 1783-ETAP
• The 1783-ETAP is a standalone device that allows devices that do not support Embedded Switch Technology to join a linear or DLR network
• Other product features: capable of being a ring supervisor in a Device Level Ring; managed switch functions to help manage traffic on the network (IGMP and QoS); fiber versions available in the future for long-distance applications
• Device port: used for connecting a single-port Ethernet device. Network ports (2): used for connecting to neighboring devices to form a linear or ring network
159. DLR-Enabled Products: 1756-EN2TR, Point, Flex, ArmorPoint, ETAP, CompactLogix, 193-DNENCATR, 1747-AENTR, ArmorBlock, ArmorStart
160. Stratix 5100 Wireless Access Point
161. Stratix Wireless Access Points
Product: access point / workgroup bridge; autonomous; leverages the latest 802.11n Wi-Fi technology (MIMO, packet aggregation & spatial multiplexing); 2.4 GHz and 5 GHz radios; backward compatible with 802.11a/b/g; CIP enabled (Logix profile & tags for system diagnostics).
Value:
• Higher performance; provides real-time performance for mission-critical applications
• Eliminates wire & cabling, reducing installation costs
• Enables mobility and portability for people and devices
• Seamless integration within a Cisco wireless network
• Flexibility and segmentation: support for VLAN, QoS and RADIUS gives segmentation, priority handling and authorization
162. Typical Configurations
• Enterprise Zone: ERP, e-mail, Wide Area Network (WAN); Stratix 5900 industrial services router at the edge
• Manufacturing Zone: Stratix 8300 managed Layer 3 switch; Stratix 8000 managed Layer 2 switch; FactoryTalk applications and services; Stratix 5100 802.11n dual-band access point (lightweight AP, mobile user, AP as workgroup bridge)
• Cell/Area Zones #1 to #4, shown with ring topology (ETAP embedded Layer 2 switch), ring topology (embedded Layer 2 switch), linear topology (embedded Layer 2 switch) and star topology (Stratix 6000 managed Layer 2 switch)
163. Stratix Family Quick Reference (two slides of reference tables)
165. Invisible Cost to Visible Value. Rob Price, Head of Technical Strategy, Partner & Commercial Team, roprice@cisco.com, September 2013. © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
166. “I cannot imagine a life without…” (% of 14 to 29 year olds; source: BITKOM, Bundesverband Informationswirtschaft, Telekommunikation und neue Medien e.V., 2010)
167. A mobile phone: 97%
168. The two photos on the right are of St Peter's Square during the announcement of the election of the last two Popes. In just eight years mobile devices have become ubiquitous; everyone carries the Internet in their pocket.
169. The Internet: 84%
170. A car: 64%
171. My current partner: 43%
177. Will gather 14 exabytes* of data per day and store over 1 petabyte per day: transmit, store, analyse. (* 1 exabyte = 1,000,000,000,000,000,000 bytes. It took until 2004 for Internet traffic to pass 1 exabyte per month.)
178. Trends: immersive collaboration and pervasive video; mobility; cloud; BYOD; XaaS; data centre / virtualization. The network: security (accelerating cyber-threats); IT productivity (service and network management); green (energy efficiency).
179. How you worked depended on this (fixed)… now it depends on this (mobile).
180. XaaS
181. Pop Quiz
182. Thank you.
183. Securing Controls Networks: Protecting against the bad dumb guys ;). Steve Matthews (stmatthe@cisco.com), Consulting Systems Engineer, IoT Sales EMEAR, 11 February 2014
184. Industrial Security
Sources of industrial security incidents (chart; source: BCIT, 2009): wireless system; VPN connection; dial-up modem; telco network; trusted third-party connection (includes infected laptops); Internet directly; via corporate WAN and business network.
Average cost of manufacturing downtime = $210,000 per hour (source: Infonetics, 2005).
© 2014 Cisco and/or its affiliates. All rights reserved.
185. How Big Are the Risks?
• Less than 2% of incidents are reported, out of concern for damage to corporate reputation and stock price
• Risk = Threat Probability × Consequence
• Targets of choice are at higher financial risk than targets of opportunity
Chart: incidents with financial impact above and below $100,000, broken down by cause (sabotage, hacker, malware, accidental, other); source: Eric Byres, BCIT.
186. The Game Changer in 2010
• Not brought in over external networks: it arrived on USB and spread via the print spooler vulnerability
• Four unique zero-day exploits, undetected at the time
• Focused ONLY on Step 7, the S7-400 PLC and two types of high-frequency drives
• Then 'Duqu' (related): data mining/stealing
• Then 'Flame' (older)
• Stuxnet is now effectively 'open source'
187. A breakdown of Stuxnet
• Ralph Langner, German control systems security consultant, TED talk: http://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html
• F-Secure wrap-up on Stuxnet: http://www.youtube.com/watch?v=… (video ID not legible)
188. Common Areas of Vulnerability
• Fragile TCP/IP stacks: an nmap scan or a ping sweep can lock up a device
• Little or no device-level authentication
• Poor network design: daisy chains, hubs
• Windows-based IA servers: patching, legacy OS
• Unnecessary services running: FTP, HTTP
• Open environment: no port security, no physical security of switch and Ethernet ports
• Limited auditing and monitoring of access to IA devices
• Unauthorised use of HMI and IA systems for browsing, music/movie downloads
• Lack of IT expertise in IA networks, many blind spots
189. Defense in Depth
190. Defense-in-Depth: Critical Elements to Security
• Security is basically two-pronged: technical vs. non-technical; a balanced security program must address both technical (technology) and non-technical (procedures) elements
• Technical controls: firewalls, Group Policy Objects, Layer 3 ACLs, etc.
• Non-technical controls: rules for environments, such as policy and procedure, risk management
• Security is only as strong as the weakest link
• Vigilance and attention to detail are KEY to long-term security success
(Graphic caption: “One-size-fits-all?”)
191. Defense-in-Depth: multiple layers to protect the network and defend the edge
• Physical security: limit physical access to authorized personnel (areas, control panels, devices, cabling and control room); escort and track visitors
• Network hardening: infrastructure framework, e.g. firewalls with intrusion detection and intrusion prevention systems (IDS/IPS), and integrated protection of networking equipment such as switches and routers
• End-point hardening: patch management, antivirus software, and removal of unused applications, protocols and services
• Application security: authentication, authorization and audit software
• Device hardening: change management and restrictive access
Layers: Physical, Network, Computer, Application, Device.
192. Defense-in-Depth: Network Security
• Security is not a bolt-on component
• Comprehensive network security model for defense-in-depth
• Industrial security policy
• DMZ implementation
• Design a remote partner access policy, with a robust & secure implementation
193. Defence-in-Depth: Physical Security examples
• Keyed solutions for copper and fibre
• Lock-in and block-out products secure connections
194. Secure Network Architectures for Industrial Control Systems
195. Purdue model / ISA-95
• Level 5: Enterprise Network; Level 4: Site Business Planning and Logistics Network (Enterprise Zone)
• Demilitarized Zone (DMZ): shared access
• Level 3: Site Manufacturing Operations and Control (Manufacturing Zone; Process Control Domain, PCD)
• Level 2: Area Supervisory Control; Level 1: Basic Control; Level 0: Process (Cell/Area Zone; Process Control Network, PCN)
196. Converged Plant-wide Ethernet Architecture (diagram)
Themes: Internet; Enterprise/IT integration; collaboration; wireless; application optimization; multi-service networks; distribution and core; network services; network and security management.
• Enterprise Network (Levels 4-5): Cisco Catalyst 6500/4500; web, apps, DNS, FTP; patch management, terminal services, application mirrors, AV servers; Gbps link for failover detection
• Demilitarized Zone: Cisco ASA 5500 access control (DMZ) firewalls, active and standby; threat protection; application and data share
• Manufacturing Zone (Level 3, Site Operations and Control): Cisco Catalyst 3750X StackWise switch stack; SCADA application and services servers
• Cell/Area Zone (Levels 0-2): Layer 2 access switches (IE3000/3010/2000); HMI, controllers, drives, distributed I/O; Cell/Area #1 redundant star topology, #2 ring topology, #3 linear topology; Layer 2 access, routing, real-time control, fast convergence, traffic segmentation and management, ease of use
197. Switch Security Features & Techniques
198. Defend the Industrial Edge: DMZ and Secure Remote Access, guiding principles
• ICS protocols stay home
• Use IT-approved access and authentication: VPN (SSL or IPsec) for secure remote access; enterprise access and authentication servers (e.g. Active Directory, RADIUS)
• Firewalling and remote access at Levels 0-2 (Layer 2 transparent mode) with industrial IPS/IDS
• Control the application: remote access (terminal) server; application-level security
• No direct traffic through the firewall; only one path in and out of the industrial network: the firewalls
Zones in the figure: Internet; Enterprise Zone (Levels 4 and 5) with enterprise WAN and enterprise data centre; Demilitarized Zone (DMZ); Manufacturing Zone (Level 3, site manufacturing operations and control); Cell/Area Zones (Levels 0-2).
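The three principles above can be checked mechanically against a firewall rule set. The following is an added example (not from the slides and not CPwE's own tooling): a small Python policy check that takes zone-to-zone permit rules and reports any rule that lets traffic run straight between the Enterprise and Manufacturing zones, any rule that lets an ICS protocol cross the Manufacturing edge, and any zone-wide port "any" permit. The ICS port numbers are the standard ones for EtherNet/IP, Modbus/TCP and DNP3; the two rule sets, the rule dict layout and the port 1433 replication rule are constructed for illustration.

```python
"""Added example: check a zone-based firewall rule set against the DMZ guiding
principles (ICS protocols stay home; no direct traffic through the firewall;
control the application). Rule sets below are constructed, not taken from CPwE."""

ENTERPRISE, DMZ, MANUFACTURING = "enterprise", "dmz", "manufacturing"

# Well-known ICS application ports as (protocol, destination port). EtherNet/IP and CIP
# are the protocols this deck is about; Modbus/TCP and DNP3 are named on the ASA slide.
ICS_PORTS = {
    ("tcp", 44818): "EtherNet/IP explicit messaging (CIP)",
    ("udp", 2222): "EtherNet/IP implicit I/O (CIP)",
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 20000): "DNP3",
}


def check_dmz_policy(rules):
    """Return [(rule name, violated principle)] for a list of rule dicts with the keys
    name, src, dst, proto, dport ('any' or an int) and action ('permit' or 'deny').
    An empty list means the rule set honours all three principles."""
    violations = []
    for rule in rules:
        if rule["action"] != "permit":
            continue
        zones = {rule["src"], rule["dst"]}
        # No direct traffic through the firewall: every permitted flow terminates in the DMZ.
        if zones == {ENTERPRISE, MANUFACTURING}:
            violations.append((rule["name"], "direct Enterprise/Manufacturing flow bypasses the DMZ"))
        # ICS protocols stay home: CIP, Modbus and DNP3 never cross the Manufacturing Zone edge.
        key = (rule["proto"], rule["dport"])
        if key in ICS_PORTS and zones != {MANUFACTURING}:
            violations.append((rule["name"], f"{ICS_PORTS[key]} crosses the Manufacturing Zone boundary"))
        # Control the application: a zone-to-zone permit on port 'any' is not an application rule.
        if rule["dport"] == "any" and len(zones) > 1:
            violations.append((rule["name"], "port 'any' across a zone boundary; permit the application, not the zone"))
    return violations


def rule(name, src, dst, proto, dport, action="permit"):
    """Build one rule dict (helper for the constructed rule sets)."""
    return {"name": name, "src": src, "dst": dst, "proto": proto, "dport": dport, "action": action}


# Constructed rule set that breaks each principle once.
BAD_RULES = [
    rule("eng-rdp-direct", ENTERPRISE, MANUFACTURING, "tcp", 3389),  # engineer RDPs straight to Level 3
    rule("cip-to-historian", MANUFACTURING, DMZ, "tcp", 44818),      # CIP pushed up into the DMZ
    rule("ent-any-dmz", ENTERPRISE, DMZ, "tcp", "any"),              # whole zone opened to the DMZ
]

# Constructed rule set in the shape the slide describes: portal in the DMZ, RDP from the DMZ
# proxy to a remote access server at Level 3, data replicated up into the DMZ mirror (port 1433
# assumed for illustration), CIP only inside the Manufacturing Zone, explicit deny at the end.
GOOD_RULES = [
    rule("ent-https-portal", ENTERPRISE, DMZ, "tcp", 443),
    rule("dmz-rdp-to-ras", DMZ, MANUFACTURING, "tcp", 3389),
    rule("mfg-sql-to-mirror", MANUFACTURING, DMZ, "tcp", 1433),
    rule("cell-cip-io", MANUFACTURING, MANUFACTURING, "udp", 2222),
    rule("default-deny", "any", "any", "ip", "any", action="deny"),
]

if __name__ == "__main__":
    for label, rules in (("BAD", BAD_RULES), ("GOOD", GOOD_RULES)):
        print(label, check_dmz_policy(rules) or "compliant")
```

The check is deliberately zone-level: it says nothing about whether the DMZ hosts themselves are hardened, which is why the slide pairs it with an application-layer control (terminal server, application security) rather than relying on the firewall alone.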
199. Protect the Interior: switch configuration options, L2/3 network security features
• Authentication: 802.1X, WebAuth, MAB (MAC Authentication Bypass)
• CISF (Cisco Integrated Security Features): port security (limit MACs); IPv4 and IPv6 DHCP snooping (prevent rogue DHCP servers); IP Source Guard (no spoofed source IPs); Dynamic ARP Inspection (prevent ARP spoofing)
• Access control lists
200. Protect the Interior: switch configuration options, traffic control to prevent DoS or accidental storms
• Storm control (example thresholds, given as rising and falling values; the pps and percentage forms are alternative ways to set the same broadcast threshold):
  small-frame violation-rate 100 (frames smaller than 67 bytes)
  storm-control broadcast level pps 5k 4.5k
  storm-control broadcast level 20% 15%
  storm-control multicast level pps 10k 9.5k
  storm-control unicast level pps 5k 4.5k
  storm-control action shutdown / trap
• Rate limiting:
  rate-limit input <rate bps> <burst bytes>
  rate-limit output <rate bps> <burst bytes>
201. End-point and Network (Switches) Hardening Procedures
• Use secure protocols on switches and devices (HTTPS, SCP, SNMPv3, SSH)
• Do not implement shared or "backdoor" accounts/passwords
• Enable password encryption: service password-encryption
• Disable password recovery: no service password-recovery (CAUTION: with this set, a lost enable secret can only be dealt with by resetting the switch to factory defaults, losing the configuration)
• Disable small servers (tod, hello, etc.): no service tcp-small-servers; no service udp-small-servers; no ip finger
• Enable memory leak detection and threshold alarming
• Comprehensive information: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
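The CISF features, storm-control thresholds and hardening commands on the last three slides are all things that can be verified from a running-config rather than by trusting that they were typed in. The following is an added example (not from the slides, and not a Cisco or Rockwell tool): a small Python linter that parses IOS-style configuration text and reports which of those items are missing on the global config, on the vty lines and on each access port. The two configs at the bottom are constructed for this example; the command strings are standard IOS syntax, while the check list, the finding wording and the exact thresholds are this example's own choices.

```python
"""Added example: lint an IOS-style running-config for the hardening items on the
'Protect the Interior' and 'Hardening Procedures' slides. The two configs at the
bottom are constructed for this example, not taken from a real switch."""

# Global lines the slides ask for (matched as an exact line or as a line prefix).
REQUIRED_GLOBAL = [
    "service password-encryption",    # encrypt passwords stored in the config
    "no service password-recovery",   # see the CAUTION on the slide
    "ip dhcp snooping",               # CISF: stop rogue DHCP servers
    "ip arp inspection vlan",         # CISF: Dynamic ARP Inspection (any VLAN list)
]
# Global lines that must not be present. Small servers and finger are off by default on
# current IOS and then simply do not appear, so presence is flagged instead of demanding
# an explicit 'no ...' line.
FORBIDDEN_GLOBAL = [
    "service tcp-small-servers",
    "service udp-small-servers",
    "ip finger",
    "ip http server",                 # plaintext management; use 'ip http secure-server'
]
# Per access-port features from the CISF and storm-control slides.
REQUIRED_ACCESS_PORT = [
    "switchport port-security",       # limit MAC addresses per port
    "ip verify source",               # IP Source Guard
    "storm-control broadcast level",  # broadcast storm threshold
]


def parse_config(text):
    """Split IOS config text into (top-level lines, {block header: [indented sub-lines]}).
    An indented line belongs to the preceding unindented header; a blank line or a
    line starting with '!' ends the block, as IOS prints it."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        current = raw.rstrip()
        top.append(current)
        blocks.setdefault(current, [])
    return top, blocks


def _has(lines, item):
    """True if some line is exactly item, or starts with item followed by a space."""
    return any(line == item or line.startswith(item + " ") for line in lines)


def audit(config_text):
    """Return human-readable findings; an empty list means every check passed."""
    top, blocks = parse_config(config_text)
    findings = []
    for item in REQUIRED_GLOBAL:
        if not _has(top, item):
            findings.append(f"global: missing '{item}'")
    for item in FORBIDDEN_GLOBAL:
        if _has(top, item):
            findings.append(f"global: insecure service enabled: '{item}'")
    for header, sub in blocks.items():
        if header.startswith("line vty"):
            # Secure protocols only: the vty lines must accept SSH and nothing else.
            transports = [line for line in sub if line.startswith("transport input")]
            if transports != ["transport input ssh"]:
                findings.append(f"{header}: management access not restricted to SSH")
        elif header.startswith("interface") and "switchport mode access" in sub:
            for item in REQUIRED_ACCESS_PORT:
                if not _has(sub, item):
                    findings.append(f"{header}: missing '{item}'")
    return findings


WEAK_CONFIG = """\
hostname cell1-sw
service tcp-small-servers
ip http server
!
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 10
!
line vty 0 4
 transport input telnet ssh
!
"""

HARDENED_CONFIG = """\
hostname cell1-sw
service password-encryption
no service password-recovery
no ip http server
ip http secure-server
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 ip verify source
 storm-control broadcast level pps 5k 4.5k
 storm-control action trap
!
line vty 0 4
 transport input ssh
!
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or 'no findings'}")
```

Two practitioner notes on the hardened sample: `storm-control action trap` is chosen over `shutdown` because an errdisabled access port in a cell takes the machine behind it down with it, so start with a trap and move to shutdown only once the thresholds have been tuned to the cell's real broadcast and multicast profile; and the linter only confirms that the features are configured, not that DHCP snooping trust and the DAI VLAN list actually match the uplinks and VLANs in use, which still has to be checked against the design.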
202. Cisco Security Logical Framework (Purdue Reference Model, ISA-95; industrial security standard ISA-99; strong segmentation)
• Level 5: Enterprise Network; Level 4: Site Business Planning and Logistics Network (e-mail, intranet, etc.); Enterprise Zone
• DMZ: firewall, terminal services, patch management, application mirror, web, e-mail
• Level 3: Site Manufacturing Operations and Control (Manufacturing Zone / Process Control Domain): FactoryTalk application server, web services, operations, FactoryTalk directory, FactoryTalk client, AV server, application server, engineering workstation, domain controller
• Level 2: Area Supervisory Control (Process Control Network): FactoryTalk client, operator interface, engineering workstation
• Level 1: Basic Control: batch control, discrete control, drive control, continuous process control, CIP safety control
• Level 0: Process: sensors, drives, actuators, robots
203. Cisco/RA Applied Security: what goes where? (placement as drawn on the slide's Purdue diagram)
• Enterprise Zone (Levels 4-5): ASA, ASA-CX, IPS, ISE, VPN
• DMZ
• Manufacturing Zone (Level 3, PCD): VDI, WSA
• Cell/Area Zone (Levels 0-2, PCN): Stratix 5900
204. Cisco 819H ISR (Rockwell Stratix 5900) Feature Highlights
Security features: stateful inspection firewall; zone-based firewall; Intrusion Prevention System (IPS); Dynamic Multipoint VPN (DMVPN); GETVPN; IPsec; quality of service (QoS); URL filtering; high availability for TCP-based services (useful for services like Modbus/TCP)
Industrial characteristics: no fan; hardened; ingress protection
205. Cisco ASA 5500 Adaptive Security Appliances: delivering leading threat defense and VPN services
Provides converged threat defense, flexible secure connectivity, minimized operating costs and an adaptive design to combat future threats.
• Firewall services: integrates and extends the firewall technology of the Cisco PIX Security Appliances, built on the experience of over one million PIX deployed worldwide and 10+ years of innovation
• VPN services: integrates and extends the remote-access VPN technology of the Cisco VPN 3000 Concentrators and Cisco PIX Security Appliances, offering both SSL and IPsec VPN services
• IPS services: integrates and extends the IPS and IDS technology of the Cisco IPS 4200 Series; comprehensive protection from directed attacks and many other threats, including signatures for DNP3, Modbus and ICCP
• Content security: gateway content security to protect from viruses, spyware, spam, phishing and employee-productivity-impacting websites
• Secure unified communications: comprehensive access control, threat protection, network policies, service protection and voice/video confidentiality for real-time unified communications traffic
206. Identity Services Engine: context-aware security
• I want to allow only authorized users access to my network: authentication and authorization
• I want to allow guests into the network: guest lifecycle management
• I need to allow/deny iPads in my network (BYOD): profiling services
• I need to ensure my endpoints don't become a threat vector: posture services
• I need a scalable way of authorizing users or devices in the network: Security Group Access management
• How can I set my firewall policies based on identity instead of IP addresses? Identity-based firewall
207. Secure Remote Access
208. Employ Secure Remote Access Techniques: SSL clientless VPN
• No VPN client needs to be installed on the remote client
• Access to the internal network through one point of entry
• Uses a standard web browser, platform independent (Internet Explorer, Firefox)
• Can access web applications: HTTP, HTTPS, Common Internet File System (CIFS), File Transfer Protocol (FTP)
• Client-server plug-ins for Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), Secure Shell (SSH), Telnet and Citrix
• The VPN appliance gives a web-based look and feel for the application access (customizable) through a content rewrite process
209. Secure Remote Access: Clientless SSL VPN via ASA 55xx
• The remote engineer or partner establishes a VPN to the corporate network; access is restricted to the IP address of the plant DMZ firewall
• A portal on the plant firewall enables access to IACS data, files and applications
• Access to applications on the remote access server is restricted to specified plant-floor IACS resources through IACS application security
• The intrusion protection system (IPS) on the plant firewall detects and protects against attacks from the remote host
• The firewall proxies a client session to the remote access server
Figure: remote engineer or partner (Cisco VPN client) over the Internet to the enterprise edge firewall, enterprise WAN and enterprise data center (Enterprise Zone, Levels 4 and 5); Catalyst 6500/4500 and Cisco ASA 5500 firewalls (active/standby, Gbps link for failover detection); DMZ with patch management, terminal services, application mirror and AV server; Manufacturing Zone (Level 3) with a Catalyst 3750 StackWise switch stack, FactoryTalk application servers (View, Historian, AssetCentre, Transaction Manager), FactoryTalk Services Platform (Directory, Security/Audit), data servers, and a remote access server (RSLogix 5000, FactoryTalk View Studio) reached over Remote Desktop Protocol (RDP); HTTPS from the client, EtherNet/IP down into the Cell/Area Zones.
  210. 210. Q&A
  211. 211. 21 Steps to securing a SCADA network
  1. Identify all connections to SCADA networks
  2. Disconnect unnecessary connections to the SCADA network
  3. Evaluate and strengthen the security of any remaining connections to the SCADA network
  4. Harden SCADA networks by removing or disabling unnecessary services
  5. Do not rely on proprietary protocols to protect your system
  6. Implement the security features provided by device and system vendors
  7. Establish strong controls over any medium that is used as a backdoor into the SCADA network
  8. Implement internal and external intrusion detection systems and establish 24-hour-a-day incident monitoring
  9. Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns
  10. Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security
  11. Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios
  12. Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and users
  13. Document network architecture and identify systems that serve critical functions or contain sensitive information that require additional levels of protection
  14. Establish a rigorous, ongoing risk management process
  15. Establish a network protection strategy based on the principle of defense-in-depth
  16. Clearly identify cyber security requirements
  17. Establish effective configuration management processes
  18. Conduct routine self-assessments
  19. Establish system backups and disaster recovery plans
  20. Senior organizational leadership should establish expectations for cyber security performance and hold individuals accountable for their performance
  21. Establish policies and conduct training to minimize the likelihood that organizational personnel will inadvertently disclose sensitive information regarding SCADA system design, operations, or security controls
  http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf
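As an added example (not from the slides, Cisco or Rockwell Automation), the following Python check runs a constructed connection inventory against the zone model of slide 209 and steps 1 to 3 of the list above: every plant-bound flow must terminate in the DMZ, inbound DMZ access must be the HTTPS portal session to the remote access server, and only that server may reach the Manufacturing Zone. Zone names, the addresses and the remote access server IP are assumptions.

```python
from dataclasses import dataclass

# Zone order from least to most trusted, following the slide's levels:
# Enterprise Zone (Levels 4-5) -> DMZ -> Manufacturing Zone (Level 3) -> Cell/Area Zones
ZONES = ["Internet", "Enterprise", "DMZ", "Manufacturing", "CellArea"]
RANK = {z: i for i, z in enumerate(ZONES)}

# Constructed addresses; the real deployment's values are not on the slide.
RAS_IP = "10.20.0.50"  # DMZ remote access server (RSLogix 5000 / FactoryTalk View Studio host)
CLEARTEXT = {"telnet", "ftp", "http"}  # step 3: remaining connections to evaluate and strengthen

@dataclass(frozen=True)
class Flow:
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    protocol: str

def audit(flows):
    """Return (flow, reason) pairs for connections that break the zoned remote-access model."""
    findings = []
    for f in flows:
        s, d = RANK[f.src_zone], RANK[f.dst_zone]
        if abs(s - d) > 1:
            # e.g. Enterprise straight into a Cell/Area Zone, bypassing the DMZ entirely
            findings.append((f, "skips a zone boundary; must terminate in the DMZ"))
        elif s < RANK["DMZ"] <= d and (f.dst_ip != RAS_IP or f.protocol != "https"):
            # Inbound plant access is only the SSL VPN portal session proxied to the RAS
            findings.append((f, "inbound DMZ access must be HTTPS to the remote access server"))
        elif s == RANK["DMZ"] < d and f.src_ip != RAS_IP:
            findings.append((f, "only the remote access server may reach the Manufacturing Zone"))
        if f.protocol in CLEARTEXT:
            findings.append((f, "cleartext protocol; evaluate and strengthen (step 3)"))
    return findings

# Constructed connection inventory (step 1) for the check to run over
SAMPLE_FLOWS = [
    Flow("Internet", "203.0.113.9", "Enterprise", "198.51.100.1", "ssl-vpn"),  # engineer to edge firewall
    Flow("Enterprise", "10.1.5.20", "DMZ", RAS_IP, "https"),                  # portal on plant DMZ firewall
    Flow("DMZ", RAS_IP, "Manufacturing", "10.30.1.10", "ethernet/ip"),        # RAS to IACS resources
    Flow("Enterprise", "10.1.5.21", "CellArea", "10.40.2.7", "ethernet/ip"),  # bypasses the DMZ
    Flow("Enterprise", "10.1.5.22", "DMZ", "10.20.0.51", "rdp"),              # RDP not via the portal
    Flow("DMZ", "10.20.0.60", "Manufacturing", "10.30.1.11", "telnet"),       # wrong host, cleartext
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.src_zone}:{flow.src_ip} -> {flow.dst_zone}:{flow.dst_ip} [{flow.protocol}]: {reason}")
```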