Plantwide benefits of EtherNet IP Seminar

Industrial IoT in Action
Phil George – Solution Architect

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.

SQL
Cloud

BIG DATA

Social Media
Mobility

Virtualization

Ethernet


Blog

Buzzword

informationalize

phishing

Google

IM

Cyber grieving

Tagging
Speed Dating

JPG
Sidebar

Tweet

Inflection Point
Cloud

App
Infotainment

BFF

Landline
Webinar

Podcast

hashtag

Flat screen

Chatroom

ping

Unfriend
firewall

Wiki

LOL

Geek

Widget

Flash drive

“an event that changes the way we think and act” Andy Grove, Intel Co-founder

INFLECTION

Now!
Cloud
Ethernet

Faster Time-to-Market
Improved Asset Utilization
Lower Total Cost of Ownership
Enterprise Risk Management
$

Mobility

Big Data

Disruptive
Technologies

SECURE
Connected Enterprise

Unprecedented
Value

Business Analytics

$
Faster Time
to Market

Lower Total Cost of
Ownership

Improved Asset
Utilization

Enterprise Risk
Management


Global

POPULATION
trends (2020)

Will exceed 7.6 billion
More than 70 million annually will
cross into the middle class
Middle class adding $8 trillion
to consumer spend
Source: McKinsey

11

Increased Demand on Industrial Production
GLOBAL POPULATION TRENDS
INCREASE DEMAND FOR
Manufacturing

EMERGING MARKET CONSUMERISM

30% 100%
More Water

Resources
Infrastructure

More Vehicles

80% 150%
0%
More Steel

RESOURCE PRODUCTIVITY
INVESTMENT

$1T

More Energy

Source: McKinsey

12

THE CONNECTED ENTERPRISE
Optimized for Rapid Value Creation
 Supply Chain Integration
 Collaborative, Demand Driven
 Compliant and Sustainable

Enterprise

PRODUCTIVITY
SUSTAINABILITY
Smart Grid

AGILITY

Customers

Supply
Chain
COMPANY CONFIDENTIAL

Distribution
Center


13

INDUSTRIAL
Internet of Things

Raw data > Contextualized Data >

Business System

Customer Demand

Industrial Processes

Supply Chain

14

Sensors

Actuators

Intelligent Motor Control

Terminals

Audio

Video


TRANSFORMATION

INTEGRATED CONTROL AND INFORMATION
ENABLER Common Secure Ethernet Infrastructure

Enterprise
Infrastructure

Automation
Infrastructure

CONVENTIONAL: SEPARATE IT & AUTOMATION

One Common
Environment

FUTURE: UNIFIED INFRASTRUCTURE

16

@ PAINT LAB
KENTUCKY FACILITY

Visibility into loss of production
faults lead to root cause
identification
Allows all to
access EPA data

$302k/yr

2011

2012

Oven temperatures
accessed real-time

Eliminated by
Contract Dispatch

# of ReCoats reduced due
to real-time alerts


Fundamentals of Ethernet/IP
Designing the Physical Layer

Agenda

Plant-wide Benefits of Ethernet/IP

Industrial & IT Network Convergence
Ethernet/IP Product Selection
Securing Automation Networks

Reserved

18

www.rockwellautomation.com/connectedenterprise

Follow ROKAutomation on Facebook & Twitter.
Connect with us on LinkedIn.
www.rockwellautomation.com

EtherNet/IP Overview
Benefits of EtherNet/IP Seminar Series

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

Industrial Networks Needs
Long Term Trends

 Open network
 Converged network technologies (information sharing, common design)
 Better asset utilization - lean initiatives (training, support, and inventory)

 Future ready – to maximize investments and minimize risks


2

Industrial Applications Convergence
Industrial Network Trends

Information

I/O
Drive
Control

Safety
Applications

Process
Power
Control

High
Availability

Energy
Management

Multi-discipline Industrial Network Convergence

Disparate Network Technology

Single Industrial
Network Technology
Camera Plant/Site

I/O

Controller
Plant/Site Network
I/O Network
Safety Network
Drive Network

Controller
HMI

Instrumentation
VFD
Drive

Safety I/O

3

EtherNet/IP - One Standard Industrial
Network Technology For….
System Integrator
 Enable seamless plant-wide /
site-wide information sharing
 Converge industrial and nonindustrial traffic

IT Network Engineer
 Use standard Ethernet and TCP/IP
 Utilize common network
infrastructure assets & tools

Equipment Builder
 Enable convergence-ready
solutions
 Use a single multi-discipline
control and information
platform

Control System Engineer
 Enable future-ready, high performance
 Use an established, widely accepted
network technology supported by
leading industry vendors

EtherNet/IP is the global leader: 5M+ nodes sold, 300+ vendors, 1000s product lines

4

EtherNet/IP: “IP” - Industrial Protocol
Single Industrial Network Technology

 ODVA




Supported by global industry leaders such as Cisco Systems®,
Omron®, Schneider Electric®, Bosch Rexroth AG®,
Endress+Hauser and Rockwell Automation
Conformance & Performance Testing

www.odva.org

 Standard





IEEE 802.3 - standard Ethernet, Precision Time Protocol (IEEE-1588)
IETF - Internet Engineering Task Force, standard Internet Protocol (IP)
ODVA - Common Industrial Protocol (CIP)
IEC - International Electrotechnical Commission – IEC 61158

 IT Friendly and Future-Ready (Sustainable)
 Multi-discipline control and information platform
 Established - products, applications and vendors


5

OSI 7-Layer Reference Model
Single Industrial Network Technology

What makes EtherNet/IP
industrial?

Open Systems
Interconnection
Layer Name

Layer No.

Function

Examples

Application

Layer 7

Network Services to User App

Presentation

Layer 6

Encryption/Other processing

Session

Layer 5

Manage Multiple Applications

Transport

Layer 4

Reliable End-to-End Delivery
Error Correction

IETF TCP/UDP

Layer 3

Packet Delivery, Routing

IETF IP

Layer 2

Framing of Data, Error Checking

IEEE
802.3/802.1

Layer 1

Signal type to transmit bits,
pin-outs, cable type

TIA - 1005

CIP
IEC 61158

Routers

Network
Switches

Data Link
Physical

Physical Layer
Hardening

Cabling

Infrastructure Device
Hardening

Common Application
Layer Protocol

5-Layer TCP/IP Model

6

OSI Reference Model
Protocol Stack

Layer No.

Application

Layer 6

Presentation
Session

Layer 4

Data Transport
Layers

Layer 7

Layer 5

Application
Layers

Layer Name

Function

Transport

IETF TCP/UDP

Layer 3

Network

IETF IP

Layer 2

Data Link

IEEE
802.3/802.1

Layer 1

Physical

TIA - 1005

CIP


7

OSI Reference Model
Open Systems Interconnection

Layer No.

Layer Name

Function

Layer 7

Application

Layer 6

Presentation

Layer 5

Session

Layer 4

Transport

Vendor Specific

Layer 3

Network

Vendor Specific

Layer 2

Data Link

IEEE
802.3/802.1

Layer 1

Physical

TIA - 1005

Limits Portability and Routability,
may require additional assets
to forward information throughout
the plant-wide / site-wide architecture

8

OSI Reference Model
Open Systems Interconnection

Layer No.

Layer Name

Function

Layer 7

Application

Layer 6

Presentation

Layer 5

Session

Layer 4

Transport

Vendor Specific

Layer 3

Network

Vendor Specific

Layer 2

Data Link

Vendor Specific

Layer 1

Physical

TIA - 1005

Non standard Ethernet,
will require additional assets
to connect into
the plant-wide / site-wide architecture

9

OSI Reference Model
Network Independent

Layer No.

Layer 7

Layer 4
Layer 3
Layer 2

Network
Independent

Layer 1


10

Industrial Applications Convergence

Disparate Network Technology





Single Industrial
Network Technology
Camera

Controlle
r
HMI

Plant/Site I/O

Instrumentation

Multiple Network Technologies
Topology Limits
Physical Segmentation
Data Duplication






Multiple 1 Network Technologies
Topology Limits
Physical Segmentation Options
Data Duplication

VFD
Drive
Safety I/O

11

The Alternative

“Islands of Automation”


12

Collaboration of Partners
Network Technology Convergence
Wide Area Network (WAN)
Physical or Virtualized Servers
• ERP, Email, Call Manager
• Active Directory (AD)
• AAA – Radius

Enterprise
WAN

Gbps Link
for Failover
Detection

•
•
•
•

Enterprise Zone
Levels 4 and 5

Patch Management
Remote Gateway Services
Application Mirror
AV Server

Firewall
(Standby)

Cisco
ASA 5500

Firewall
(Active)

Micro Data Center
 Racks
 Patching
 Cable Management
 Copper/Fiber

Industrial
Demilitarized Zone
(IDMZ)

Industrial Zone
Site Operations and Control
Level 3


•
•
•
•
•

FactoryTalk Application Servers & Services Platform
Network Services – e.g. DNS, AD, DHCP, AAA
Remote Access Server (RAS)
Call Manager
Storage Array

Catalyst
6500/4500

Remote
Access
Server

Plant Firewall:
 Inter-zone traffic segmentation
 ACLs, IPS and IDS
 VPN Services
 Portal and Terminal Server
proxy

Network Discovery
Protocol Statistics




Catalyst 3750
StackWise
Switch Stack

Cell/Area Zones
Levels 0–2

Rockwell Automation
Stratix 8000
Layer 2 Access Switch

Phone





Copper, Fiber,
Wireless Testers
Network Discovery
Protocol Statistics

HMI

Safety
I/O

Safety
Controller

Controller

Camera

Robot

Instrumentation
Cell/Area Zone #1
Redundant Star Topology
Flex Links Resiliency

MCC

Soft
Starter

I/O
Cell/Area Zone #2
Ring Topology
Resilient Ethernet Protocol (REP)

Servo
Drive
Cell/Area Zone #3
Bus/Star Topology





Noise Mitigation
Control Panel
Network Zone

Logical Framework
Common Toolsets
PhysicalFramework

13

TRANSFORMATION

INTEGRATED CONTROL AND INFORMATION
ENABLER Common Secure Ethernet Infrastructure

Enterprise
Infrastructure

Automation
Infrastructure

CONVENTIONAL: SEPARATE IT &
AUTOMATION

One
Common
Environment

FUTURE: UNIFIED INFRASTRUCTURE

14

Industrial Networks Summary
 Open networks are in demand


Broad availability of products, applications and vendor support for Industrial Automation
Network standards for coexistence and interoperability of industrial automation devices

 Convergence of network technologies




Reduce the number of disparate networks in an operation and create seamless
information sharing throughout the plant-wide / site-wide architecture
Use of common network design, deployment and troubleshooting tools across the plantwide / site-wide architecture; avoid special tools for each application

 Better asset utilization to support lean initiatives


Common network infrastructure assets, while accounting for environmental requirements
Reduce training, support, and inventory for different networking technologies



Support new technologies and features without a network forklift upgrade



 Future-ready – maximizing investments and minimizing risks

Reduce Risk

Simplify Design

Speed Deployment

15

 A new ‘go-to’ resource for educational, technical and
thought leadership information about industrial
communications
 Standard Internet Protocol (IP) for
Industrial Applications
 Coalition of like-minded companies
www.industrialip.org


16

Agenda
Plant-wide Benefits of Ethernet/IP

 Fundamentals of Ethernet/IP
 Designing the Physical Layer

 Industrial & IT Network Convergence
 Ethernet/IP Product Selection
 Securing Automation Networks


17

EtherNet/IP Overview
Benefits of EtherNet/IP Seminar Series

Follow ROKAutomation on Facebook & Twitter.
Connect with us on LinkedIn.
www.rockwellautomation.com

Will your Physical Layer perform?

Plantwide EtherNet/IP
Ecosystem
Design and Deployment

Panduit’s Distributor Partner

Vision: Unified Physical Infrastructure

Manufacturing:
Industrial Automation Solution

Building:
Connected Buildings Solution

Office:
Data Center Solution

Critical Manufacturing Assets are at Risk!

• Downtime
•
•

Security lapses
Performance degradation

3

Installation pitfalls
1. Proper cable
installation is
critical

3. This makes it impossible to
manage, maintain and
troubleshoot

2. No matter the
hardware, shoddy
cable installation
will result in a poor
network

Importance of the Physical Layer

“A significant portion of network
downtime, approx. 80%, is attributed
to Physical Layer Connections.”
Sage Research

Designing the Physical Layer for Ethernet/IP

What do Physical Layer Reference
Architecture based best practices
look like?

Physical Layer Design Considerations
•
•
•

•

•

Design and implement a
robust physical layer
Environment Classification - MICE
More than cable
– Connectors
– Patch panels
– Cable management LAN Troubleshooting Guide
– Grounding, Bonding and
Shielding
(noise mitigation)
Standard Physical Media
– Wired vs. Wireless
Industrial Ethernet Physical
– Copper vs. Fiber
Infrastructure Reference
– UTP vs. STP
Architecture Design Guide
– Singlemode vs. Multimode
– SFP – LC vs. SC
Standard Topology Choices
ODVA Guide
– Switch-Level & Device-Level

Cable Selection
ENET-WP007

7

Logical

8

Rockwell/Cisco RA
Enterprise Zone (EZ)
De-Militarized Zone (DMZ)
Windows 2003 Servers
• Remote Desktop
Connection
• VNC
• PCAnywhere

FIREWALL
(STANDBY)

FIREWALL
(ACTIVE)

GE Link for Failover
Detection

Automation Apps
• Historian
• Data Distribution
• Asset Security
• Engineering Applications
• Databases
Network Services
• DNS, DHCP, Syslog Server
• Network & Security Management

De-Militarized Zone (DMZ)
Manufacturing Zone

LAYER 3
ROUTER

LAYER 3
SWITCH

LAYER 3
ROUTER

LAYER 3
SWITCH

Manufacturing Zone
Cell/Area Zone

(Redundant Star Topology)

(Ring Topology)

(Bus/Star Topology)

Enterprise Zone

FIREWALL
(STANDBY)

FIREWALL
(ACTIVE)

LAYER 3
ROUTER

LAYER 3
SWITCH

(Ring Topology)

LAYER 3
ROUTER

LAYER 3
SWITCH

(Bus/Star Topology)

Physical

Reference IN-Solution

Enterprise Zone

IN-Frastructure
Cell/Area
Zones

FWB

L2S

Manufacturing Zone

CTRLR

L2S
HMI

DMZ

FWA

IN-Panel

L3R
L2S

PaS

L3S

L3S

IN-Field

DB

IN-Room

DRIVE

L3R

DIST i/O

L2S

IN-Route

Panduit Industrial Automation
5 Core Solutions
IN-ROOM
ININ ROOMTM
Control Room, Data Center,
Telco Closet

IN-ROUTE
ININ ROUTETM
Industrial Pathways, Network
Zone Enclosures

IN-PANEL
ININ PANELTM
Control Panels, Electrical
Panels and MCC

IN-FIELD
ININ FIELDTM
On the Machine, In the
Process Area, or Outdoors

IN-FRASTRUCTURE
ININ FRASTRUCTURETM
Power Distribution, Lighting,
HVAC Security, Safety

Simplify with validated building blocks

Micro Data Center

Zone Enclosures

Control Panel Solutions

IN-ROOM
ININ ROOMTM

Micro Data Center – IN-Room Solution
Enterprise/Office
Patchfield used to uplink switch
to level 4 & 5 Enterprise

Server Patching
Cross connect between production
servers and switch

Firewall and DMZ
Logical buffer zone between the
Enterprise and Manufacturing

Manufacturing Zone
Patchfield used to connect layer 3
switch to layer 2 switches used on
plant floor

IN-ROOM
ININ ROOMTM

Physical Network Security

IN-ROUTE
ININ ROUTETM
IN-PANEL
ININ PANELTM
IN-FIELD
ININ FIELDTM
•

•
•

Keyed solutions for copper
and fiber
USB Type A, B Ports
Lock-in, Blockout products
secure connections

IN-ROOM
ININ ROOMTM

Micro Data Center Solutions

15


Micro Data Center Simplification - Organize, Secure, and Standardize

BEFORE
Challenges:
• Disorganized
• Network performance issues
• Frequent moves, adds & changes

AFTER
Solutions:
• Structured approach
• Media selection/security
• Visual identification

IN-ROUTE
ININ ROUTETM

IN-Route - Getting from “Point A” to “Point B”

Built-In
Failure
Points

17

Environmental Focus – M.I.C.E.

Increased Environmental Severity

Mechanical

M1

M2

M3

• Water
• Dust

I1

I2

I3

Climatic
Chemical

C1

C2

C3

Electro

E1

E2

E3

• Shock
• Vibration

Ingress

magnetic
TIA/EIA
1005

Office

Industrial

You can’t choose components without knowing the
Environment

IN-ROUTE
ININ ROUTETM

IN-Route - Zone Cabling Methods

Z
Z

Z

TR
Centralized Cabling – Home runs from
each node back to the telecommunication room.

TR
Zone Cabling – Provides for Reduced
home-run wiring, easy moves / adds /
changes and reduced size of telecommunication room

19

Pathways

• Overhead cable
tray routing
system
• Designed to
route and
manage copper,
fiber optic, or
power cables

IN-ROUTE
ININ ROUTETM

IN-ROUTE
ININ ROUTETM

Fiber Pathways

IN-ROUTE
ININ ROUTETM

Dielectric Conduited Fiber Cable (DCF)

22

KEY BENEFIT:
Easier to install fiber cable
(eliminates conduit & grounding) with
rugged, crush resistant construction

SOLUTION COMPONENTS
1. 12 part numbers.
•

Fiber Counts: 2, 4, 8, & 12

•

Fiber Types: OS1/OS2, OM1, OM2

2. Compatible with OptiCam connectors

IN-ROUTE
ININ ROUTETM

Zone Enclosures – Pre-configured

Best way to structure
manufacturing network
•Leverages Cisco/RA recommended
architecture for best network
performance
•Built for capability of rapid network
expansion
•Touch-safe for Facility IT access
•Significantly reduces lead time to
deploy

23

Zone Enclosures – Optimized for Stratix

• Pre-configured,
Pre-tested for
Stratix 8300, 8000
and 5700 switches
• Safe, Secure,
Thermally tested
• Save time/cost/risk:
– IT/controls
convergence point
– Machine Builders

IN-ROUTE
ININ ROUTETM

IN-Route: Network Distribution Simplification

IN-ROUTE
ININ ROUTETM


Robust, Secure, Future-Ready Network Distribution

BEFORE
Challenges:
• Scalability issues
• Diagnostics & troubleshooting
• Evolving cable mgmt

AFTER
Solutions:
• Zone enclosure
• Media selection & security
• Cable routing

25

IN-PANEL
ININ PANELTM

IN-Panel - Understanding the Problem

There are several market trends that are exerting
pressure on the design and architecture of a Control
Panel.
–
–
–
–
–

Space Optimization
Terminations
Network Cabling
Noise Mitigation
Safety/Security

IN-PANEL
ININ PANELTM

EtherNet in the Control Panel

• Additional requirements and
solutions are required with the
addition of EtherNet into the Control
Panel.

IN-PANEL
ININ PANELTM

Planning for networking in the panel

N

• What are common networking
challenges in the panel?
– Overall concerns
• Diagnostics/troubleshooting
• Maintenance
• Future system upgrades

– Performance in potentially high
noise environment
• Zoned layouts
• Shielding

– Finding panel space for new
components

Clean

Noisy

Very Noisy

Noise Mitigation Demo

IN-PANEL
ININ PANELTM

Polymer Coated Fiber (PCF)

Cable, LC Connector, Termination Tool Kit

KEY BENEFITS: Ease of field termination (CRIMP,
CLEAVE AND LEAVE), Performance, Noise Immunity
SOLUTION COMPONENTS
1. Polymer Coated Fiber (PCF) cable (zip cord and breakout cables)
2. Field-attached LC connector for 50/200/230µm &
62.5/200/230µm PCF fiber
3. Field termination tool kit

Panduit Confidential Information - not for Distribution

IN-PANEL
ININ PANELTM
IN-FIELD
ININ FIELDTM

Terminating Fiber Using PCF Crimp-On Connectors

No-Voiceover

IN-PANEL
ININ PANELTM
IN-FIELD
ININ FIELDTM

Space Optimization Increases Design Flexibility

IN-PANEL
ININ PANELTM


• Maximizes panel space utilization
• Easier to design for future system upgrades
• Provide up to 30% space savings

Design
Flexibility

Panduit PanelMax™ Offering:
DIN Rail Wiring Duct

Corner Wiring
Duct

Utilizes space
typically unusable in
enclosure corner

Uses enclosure depth to save
panel footprint space ;improve
component access

Shielded Wiring Duct

Mitigates EMI noise to reduce
wire separation distance

Conventional
Wiring Duct

All of these products contribute to cost savings

Shielded Wiring Duct

Panduit Network Solutions for the Control Panel

IN-PANEL
ININ PANELTM


• Optimized solutions for
Machine Builder Stratix
5700 deployments

DIN Rail Mount Adapter

Modular DIN rail mounting for
Copper or Fiber connectivity

Patch Panel

Facilitate testing, and future
Moves, Adds and Changes

Fiber, Cat6 Patch Cords
Performance guaranteed

Insert product
photo

IN-Panel: Optimized with Partners

IN-PANEL
ININ PANELTM

•

•

Leverage power of EtherNet/IP and
eco-system partners
– Panduit Fiber, Patching, Noise
Mitigation, Space Optimization,
Grounding/Bonding
– RA Stratix 5700 for machine
builder
– RA 1585 patch cords
– Test with Fluke Networks
EtherNet/IP connects to Zone
Enclosures and Micro Data Center for
convergence aligned with Cisco/RA
CPwE

IN-FIELD
ININ FIELDTM

IN-Field Challenges
ON Machine or Process areas

• High MICE levels
–
–
–
–

Vibration
Chemical
Temperature
Wash down

• Wire management
rated for environment
• Food safety

IN-Field Solutions: Manage and Protect

IN-FIELD
ININ FIELDTM

• Harsh rated cable management
and identification
• Abrasion protection
• Grounding/Bonding

Metal detectable
wire management
for Food industry

IN-Frastructure: Challenges

• Facility Grounding/Bonding, Power
• Costs of safety incidences

• Lockout/Tagout implementation

IN-FRASTRUCTURE
ININ FRASTRUCTURETM

IN-Frastructure: Solutions
• Grounding/Bonding
components and solutions

• Safety labels and signage
• Lockout/Tagout systems

IN-FRASTRUCTURE
ININ FRASTRUCTURETM

Application Guides

Network Security

SM

Control Panel Layout Whitepaper
• Best practices = reduced call backs, problems..greater
solution sales

SM

41

http://www.industrial-ip.org

SM

Easy Building Block Approach
Design your system using cost effective and easy to
troubleshoot Network Architectures

Micro Data Center
SM

Zone Enclosure

Control Panel Solutions

43

Industry Level Thought Leadership

All wrapped up in a 450
page, “How To” manual
with contributions from
Fluke and Rockwell
Automation, on designing
and installing the physical
infrastructure for an
Industrial Ethernet
Network

Enterprise
Functional
Design

Logical Level
Shared
Architecture

Environmental
Requirements
(M.I.C.E.)

Physical Level
Plant Floor
Design

Panduit: Physical Infrastructure
Reference Architecture
SM

Design/Spec Tools
Design Micro Data Centers in Visio and paste BOM into Proposalworks!

SM

45

Plant Floor - “Macro Architecture” summary

MICE 1-1-1-1

MICE 3-1-2-3
MICE 1-1-1-3
MICE 3-3-3-3

MICE 2-1-3-2

SM

MICE 3-2-3-3

MICE 2-2-2-1

Fiber Optic Application Best Practices for
EtherNet/IP

2/13/2014
SM

Agenda

Physical Infrastructure for Fiber Deployments

Fiber Selection
Saving Time/Cost with Fiber

SM

Agenda

Physical Infrastructure for Fiber Deployments

Fiber Selection


SM

Industrial Networks Live in the Real World
• Industrial Networks Must take
into consideration the physical
challenges of the facilities
environment.

Plant Ethernet
Controller

Switch

• Location, routing and equipment
choices should be based on the
complete understanding of cause
and effect conditions.

Ethernet

I/O

• Environmental Focus
– M.I.C.E. (TIA-1005)
SM

Drive

Sensor

Fiber that Fits Both the Environment and the Application
Fiber is now being used in all areas of an Industrial Network Deployment

SM

Benefits of Fiber in an Industrial Space
• Fiber is completely noise immune
• Fiber can be used in high M.I.C.E.
environments
• Fiber can be rated for indoor,
outdoor and transition spaces
• Armored Fiber (available in both
metallic and all-dielectric) reduces
the need for, and installations costs
of, innerduct and conduits
• Smaller footprint of cables
(one fiber cable vs. bundle
copper (UTP))
• Reliability and speed of installation
reduces the
total cost of ownership
SM

Corporate Network
Office
Applications,
Internetworking,
Data Servers,
Storage

Back-Office Mainframes and
Servers (ERP, MES, etc.)

Human Machine
Interface (HMI)

Supervisory
Control

Robotics

Controller

Motors, Drives
Actuators
Sensors and other
Input/Output Devices

Converged Ethernet
Manufacturing Network Model

Key Elements of a Successful
EtherNet/IP Network Design
• Understanding application
and functional
requirements

• Developing a logical
framework (roadmap)
• Developing a physical
framework

• Determining security
requirements and
partnering with IT
• Using technology and
industry standards,
reference models and
reference architectures

ERP, Email,
Wide Area Network
(WAN)

Demilitarized Zone (DMZ)

Patch Management
Remote Gateway Services
Application Mirror
AV Server

Gbps Link
for Failover
Detection

Firewall
(Standby)

Plant Firewall:
 Inter-zone traffic segmentation
 ACLs, IPS and IDS
 VPN Services
 Portal and Terminal Server proxy

Cisco
ASA 5500

Firewall
(Active)

Industrial Zone
Site Operations and Control
Level 3

FactoryTalk Application Servers





Enterprise Zone
Levels 4 and 5

View
Historian
AssetCentre,
Transaction Manager

Catalyst
6500/4500

FactoryTalk Services
Platform
 Directory
 Security/Audit

Remote
Access
Server

Data Servers

Catalyst 3750
StackWise
Switch Stack

Network Services

 DNS, DHCP, syslog server
 Network and security mgmt

Cell/Area Zones
Levels 0–2

Rockwell Automation
Stratix 8000
Layer 2 Access Switch

HMI

Controller
HMI

Drive
Controller
HMI

I/O

Controller

SM

Cell/Area Zone #1
Redundant Star Topology
Flex Links Resiliency

Drive

Drive

I/O
I/O

Cell/Area Zone #2
Ring Topology
Resilient Ethernet Protocol (REP)

I/O

Cell/Area Zone #3
Bus/Star Topology

Selecting the Right Fiber Requires

…

Knowing the Application
Environment.

…

Knowing the Distance
Requirements.

…

Knowing the Equipment
you are connecting to.

SM

Let’s take a sample application and go thru it step-by-step.

Knowing the Capability of Your Equipment
The Equipment – The first step in choosing the right fiber
is to look at the capability of your equipment.

• Look at the specifications
of the equipment to
determine the speed of
the connections
• The Fiber you choose
should at least be able to
handle the fastest mode of
the existing system

SM

The Stratix is a good switch to use as an example
because it has both Uplink ports and
Data ports running at different speeds.
• The uplink port speed is determined by the
use of copper or fiber. If it’s fiber the
configuration of the “SFP” module
determines the speed of the system.

SFP Stands for “Small
Form Pluggable”
Module
SM

The Stratix is a good switch to use as an example
because it has both Uplink ports and
Data ports running at different speeds.

Form Pluggable”
Form Pluggable”
Module
Module
SM

Understanding Your Expansion
or Upgrade Path
The following is an example list of specifications for the fiber-optic SFP module
connections. It’s IMPORTANT that each port must match the wave-length
specifications on the other end of the cable, and for reliable communication, the cable
must not exceed the rated maximum cable length.
SFP Module
Type

Cat. No.

Wavelength
(nm)

Fiber Type

Core Size/Cladding
Size (micron)

Modal
Bandwidth
(MHz/km)(1)

Cable Distance

100BASE-FX

1783SFP100FX

1310

MMF

50/125
62.5/125

500
500

2 km (6562 ft)
2 km (6562 ft)

100BASE-LX

1783SFP100LX

1310

SMF

G.6522

1000BASE-SX

1783SFP1GSX

850

MMF

62.5/125
62.5/125
50/125
50/125

1000BASELX/LH

1783SFP1GLX

1310

SMF

G.6522

(1) Modal bandwidth applies only to multimode fiber.
SM

10 km (32,810 ft)
160
200
400
500

220 m (722 ft)
275 m (902 ft))
500 m (1640 ft)
550 m (1804 ft)

10 km (32,810 ft)
* Information comes from Stratix Users Manual

Answers Always Lead to More Questions
The Equipment – The result of our equipment investigation
is that we learned:
• The max speed for the uplink is 1GBase-T
• The max speed for the data port is 100Base-T
• There are several choices for SFP modules
that can support both Single and Multimode.
The next question:

“Is there an existing system of fiber, and
what core size is being used?”

SM

Core size?
….yes, Core
size?

What Makes Up a Fiber Cable?
The Cable – There are two classes of Fiber in use today:
• Single Mode – Long Distance Fiber, more expensive technology
• Multi Mode – Shorter Distance, more cost effective for inside plant use.

• To understand the differences between core sizes, and why they matter,
you need to know what makes up a fiber cable.

SM

How Big is the Fiber, (relatively)?
Buffer
Cladding
125µm 230µm

Core

9

50
62.5

200µm

Core size will tell
you the OMx of
the Fiber
All sizes expressed In Microns
SM

Single Mode Fiber

125µm
9µm

SM

Multi-Mode Fiber (50 and 62.5 micron)

125
50
62.5

SM

Polymer Coated Multi-mode Fiber (PCF)

230
50
62.5

200

SM

What Do the OM Ratings Mean?
If you see OM in the Fiber grade it always means Multi-Mode.
– The US Adopted a Grading System Invented By ISO, The International Standards
Organization in Geneva, Switzerland. The “Optical Multimode” Rating System

•
•
•
•

“OM 1” --- 62.5 Micron (Mostly legacy systems)
“OM 2” --- 50 Micron (plain vanilla variety)
“OM 3” --- 50 Micron (Laser optimized to work with VCELS)
“OM 4” --- 50 micron (Extended Bandwidth – Further refined to reduce pulse
spreading and enable longer distances)

And just like with Copper Categories –
A bigger number means better cable!
SM

What Do the OS Ratings Mean?
• If you see OS in the Fiber grade it always means Single-Mode.
• “OS 1” --- 9 Micron (Used with wavelengths of 1310 nm)
• “OS 2” --- 9 Micron (Used with wavelengths of 1550 nm)

Why does the core size make such a difference in Fiber performance?
• OS (single-mode) vs. OM (multi-mode).

Think of it like the difference between a rifle shot and a shotgun blast.

SM

Example of Single-mode vs. Multi-mode
Singlemode – more efficient – goes FURTHER
A Fabry-Perot LASER

Multimode – less efficient – doesn’t go as far
A Cheap, Slow LED

SM

Light Pulse Spreading (“Modal Dispersion”)
The Enemy of Throughput

A Cheap Slow LED

• Some of the photons (light particles) go straight, some ricochet around the
outside, the further they travel the closer the leading edge from one pulse
gets to the trailing edge of the one before it.
• Eventually you can’t tell one pulse from another.
SM

The Further You Go, the Worse it Gets.
Hey, I
sent a
“1”

What?

You can only go so far with a given grade of multimode fiber before light
pulses begin to overlap
SM

How the OM/OS Ratings Equate to Distance
ANSI/TIA-568-C.0 (D.3) Optical fiber
cabling supportable distances table.
• Table 7 - lists maximum supportable
distances and maximum channel
attenuation
for applications using optical
fiber cabling
• The table is based on the minimum
performance requirements of
62.5/125 µm, 50/125 µm, 850 nm
laser-optimized 50/125 µm, and
single-mode fiber established by
ANSI/TIA-568-C.3

SM

Remember the MICE Table?
Where you put the fiber, “The Environment”,
determines the type of fiber you choose.

SM

Applications for “Indoor” Fiber
• Indoor Opti-Core Fiber
Distribution
• Indoor Opti-Core
Interlocking Armor
• Indoor Industrial-Net
(PCF) Polymer Clad
Fiber
• Indoor Dielectric
Conduited Fiber (DCF)

SM

Used when you
have sufficient
protection for the
fiber

**NEW**
Electrician Friendly
crimp on connector
for direct connect
node to node

Used when the
fiber has to
protect itself

**NEW** All the benefits
of an armored fiber
without the metal. Use in
area suspected of unequal
potential grounds

Applications for “Indoor-Outdoor” Fiber
• Indoor/Outdoor Opti-Core All-Dielectric Fiber Cable
• Indoor/Outdoor Opti-Core Gel-Free Fiber
Interlocking Aluminum Armored Cable

Used to transition
from indoor to
outdoor in a
protected area, tray
or conduit.
SM

Used to transition from
indoor to outdoor yet still
protect the cable from
harsh mechanical
conditions

Applications for “Outdoor” Fiber
• Opti-Core Gel-Free Fiber Optic Outside Plant All-Dielectric Cable
• Opti-Core Gel-Free Fiber Optic Outside Plant Armored Cable

Allows installation
using loose tube
cable methods for
aerial and duct
applications
SM

Allows installation using
loose tube cable methods
for aerial, duct and direct
burial applications

One Last Thought When
Choosing a Fiber Type – Choosing the Connector
Traditional Puck and
Polish type
Connectors
(5-7min.)

OptiCam Factory
Polished Connectors
(2 - 3min.)
Industrial Strip &
Crimp no-Polish
Required Fiber
Connectors
(aprox 1 min.)
SM

Choosing the Connector

OptiCam Connector

PCF Connector

SM

Choosing the Right Fiber Type For the Application
Can Save Big $$$ in Materials and Labour

SM

Links From Field Switches to Control Rooms
Should Support Higher Speeds and Greater Volume

SM

Electrician Friendly Fiber
Can be Used to Install Long Distance Bus Systems

SM

Fiber Optic Infrastructure Planning
New joint application guide
Increase the integrity and availability of
EtherNet/IP networks with fiber solutions
from trusted partners!

Physical infrastructure

Integrated Architecture,
Stratix Switches, ETAPs,
more

Higher level switches

SM

Fiber Guide
ENET-TD003
81 81

Easy to follow Fiber best practices!

• Partner validated application guide

SM

82

Summary
Physical Infrastructure for Fiber
Deployments
Understanding the Environment and the Application

Fiber Selection

Knowing how to determine equipment and system requirements


Choosing the proper network design for application
SM

Industrial and IT Network Convergence
Ethernet/IP Enables Convergence
Name – Mike Loughran
Title – Solution Architect
Date – 11th February 2014


Emerging Technologies in Operations
All the BUZZ…

The Internet of Things (IoT)

Intelligent devices start to communicate with each other

COMPANY CONFIDENTIAL - Internal Use Only


What does it all mean?
 Big Data


Large amounts of information is available to
manage the supply chain & complex processes

 Cloud Computing & Virtualization




Speed up deployment of production, add flexibility,
reduce capital investments & increase access
across global operations
Increase longevity, reliability & provide disaster
recovery

 Mobility & BYOD (Bring Your Own Device)


Improve maintainability, uptime, asset longevity,
safety and cost control

Most of it is buried on the
production floor in
historians or other
databases
Centers around Information
Technology (IT) more than
Operations/Production
management
Technicians, Supervisors,
Operators are all mobile
during their typical work day

Driven Largely by Information Technology



3

Why are Emerging Technologies so
Important?

Automated adaptable processes & decisions


4

Why are Emerging Technologies so
Important?
 Empowers companies to grow faster, produce
better products and serve customers more
effectively
 It connects a workforce, analyzes data and
allows for continuous improvements
 Companies can leverage technological
advances as a competitive advantage and
must constantly seek newer, faster and better
technologies to improve their business
Early adopters
Early-adopters typically acknowledge the risk that comes with new technology

Keeping abreast of new developments is an ongoing job with
both risks and rewards


5

Industrial Network Convergence

Process Control
Intelligent Motor Control
Discrete Control

Information Technology

EtherNet/IP – Enabling & Driving
MultiMulti discipline Industrial Network Convergence



6

The Value in Bringing the Information
Together
Laboratory
Information
Management
Systems
Production
Scheduling

Performan
ce

Alarms/Events

HMIs

Quality
Systems

Control Systems
Data Historians
Computerized Maintenance
Management Systems

You need robust Infrastructure SolutionsSTANDARD,
to deliver the
You need a network technology that is STANDARD
information MORE than an FIELDBUS!
PROVEN andfast, reliably and securely!!
FIELDBUS
Other Database Systems



7

From Production to the Enterprise Rockwell Automation & Cisco Alliance
Rockwell Automation and Cisco present the most valuable resource in
the industry for deploying a converged network infrastructure
 Common Technology View


Single system architecture, using open, industry
standard networking technologies – EtherNet/IP

 Delivering Converged Plantwide Ethernet
(CPwE) Architectures for manufacturing and
industrial environments


Best pathway to Operations/IT network convergence
with detailed design and implementation guidance

 Joint Product and Solution Collaboration


Creating an ideal networking environment for both IT
and controls professionals.

 People and Process Optimization


Education and services to facilitate Manufacturing and
IT convergence

Leadership in IT and Plant Operations



8

Risks and threats to networked systems
Application of
Security patches

Natural or Man-made
disasters

Worms and
viruses
Sabotage

Theft
Unauthorized
access
INFORMATION

Denial of
Service

Unauthorized actions
by employees

Business
Risk
Unauthorized
remote access

Unintended
employee actions

OPERATIONS

Security risks increase potential for disruption to
System uptime and Safe operation and a loss of IP


A Vendor’s Perspective
 Control System lifecycles are long (20+ years)
 Products will have vulnerabilities
 Security is a team sport





Vendors & Customers
IT & Engineering
Pick your teams (point  don’t go it alone)
REMEMBER: Human beings are imperfect

 Control System safety & security are closely linked
 Control System security manages variables
 Managing the security variables enhances uptime

UPTIME = PROFITABILITY


10

Our Approach to Industrial Security
A secure application depends on multiple layers of protection.
Industrial security must be implemented as a system.
 Layered Security Model
Shield potential targets behind multiple levels
of protection to reduce security risks

Physical
Network
Computer
Application
Device

 Defense in Depth

Use multiple security countermeasures to
protect integrity of components or systems

 Openness

Consideration for participation of a variety of
vendors in our security solutions

 Flexibility

Able to accommodate a customer’s needs,
including policies & procedures

 Consistency

Solutions that align with Government
directives and Standards Bodies

11

Evolving Global Standards

ISA S99 and IEC 62443
• Asset Owners • Vendors • Industry Consortia •
NIST 800

ISO 27002

RFC 2196

NERC-CIP

WIB 2.0

Req’s & Certifications

WIB

ISA Security Compliance Institute (ISCI)
Exida.com LLC
Achilles™ test platform
SAL 1
SAL 2
SAL 3

ODVA

Wurldtech

• Building Blocks •

Independent

Wurldtech

Achilles™
Bronze
Silver
Gold

Confrm
Test

L-1
L-2
L-3

© rockwell automation


12

Design for Security approach

Specifications

Audits & Gaps

Enhance &
Improve

Resiliency & Robustness

13

Additional Material
Educational - Cisco and Rockwell Automation Alliance

 Education Series Webcasts








What every IT professional should know about Plant-Floor Networking
What every Plant-Floor Engineer should know about working with IT
Industrial Ethernet: Introduction to Resiliency
Fundamentals of Secure Remote Access
for Plant-Floor Applications and Data
Securing Architectures and Applications
for Network Convergence
IT-Ready EtherNet/IP Solutions
Available Online


http://www.ab.com/networks/architectures.html


14

Additional Material
Simplify Design - Rockwell Automation

 Networks Website: http://www.ab.com/networks/
 EtherNet/IP Toolkit:
http://www.rockwellautomation.com/rockwellautomation/productstechnologies/integrated-architecture/tools/overview.page#/tab4
 Ethernet Tools


15

Additional Material
Simplify Design - Cisco and Rockwell Automation Alliance

 Websites
 http://www.ab.com/networks/architectures.html
 Design Guides
 Converged plant-wide Ethernet (CPwE)
 Application Guides
 Fiber Optic Infrastructure Application Guide
 Education Series
 http://www.ab.com/networks/architectures.html
 Whitepapers
 Top 10 Recommendations for plant-wide
EtherNet/IP Deployments
 Securing Manufacturing Computer and Controller
Assets
 Production Software within Manufacturing
Reference Architectures


16

Additional Material
Simplify Design - Collaboration

 Plant-wide EtherNet/IP Ecosystem Partners Website
 Fiber Optic Infrastructure Application Guide

ENET-TD003


17

Additional Material
Simplify Design and Speed Deployment - Panduit Corp

 Panduit Corp. Website:
 http://www.panduit.com/
 Industrial Automation Solutions:
 Industrial Automation Product Systems Brochure
 Industrial Communication Solutions – Interactive Roadmap


18

Additional Material
Speed Deployment - Fluke Networks

 Fluke Networks Websites
 www.flukenetworks.com
 www.flukenetworks.comindustrial
 www.flukenetworks.comknowledgebase


19

Reduce design time
Procurement Specifications on-line
http://www.rockwellautomation.com/rockwellautomation/industries/procurementspecifications/overview.page?


20

Stratix Ethernet
Switch Family
A family of high performance
Industrial Ethernet switches ideal
for the end user and equipment
builder

Rev 5058-CO900C


Stratix Portfolio Overview
Routers and switches for:

• Security
• Productivity
• Safe Operations

 Enabling security to new or existing
architectures
 Applications for simple to complex networks
 Monitoring and controlling distributed
devices
 Plant floor and enterprise integration

• Remote Access
• Time to Market
• Protecting IP

Stratix 5100
Wireless AP/WGB

Stratix 5900
Security Appliance

Stratix 5700
Layer 2
Stratix 8000/8300
Layer 2, Layer 3
PUBLIC INFORMATION

Stratix 6000
Layer 2
Stratix 2000
Unmanaged

Stratix
ETAPs

The Stratix Family Overview
Overview

Key Benefits

Applications

Family of industrial Ethernet switches that are:
• Optimized for configuration, monitoring, security and maintenance
• Modular and scalable
• Designed for simple to complex Ethernet applications

• IT-ready and IT-friendly solutions
• Simplified integration of machine systems in infrastructure
• Integrated Architecture programming tools and features
• Secure remote access for improved productivity and OEE

• Connected or isolated machine and Process control applications
• Plant floor and enterprise integration
• Distributed network devices that need to be monitored and controlled

Integrating your enterprise and manufacturing
environments

PUBLIC INFORMATION


24

Stratix 2000 Unmanaged Switches
Refresh & Product Line Expansion

PUBLIC INFORMATION

Rev 5058-CO900E


Stratix 2000 Unmanaged Switches
Overview
 Low cost solutions designed for isolated control
networks




Recommended for Micro 850 & Micro 820
applications
Unmanaged switches are not recommended for
safety or motion applications

 Simple “Plug & Play”



Automatically negotiates speed and duplex settings
(no configuration required)
Automatically detects cross-over cable

 Expanded operating temperature from -20ºC to
70ºC to meet a wider variety of application
needs for most catalog numbers

PUBLIC INFORMATION

Exception: 1783-US5T & 1783-US8T range 0 to
60ºC


Stratix 6000 Fixed Managed Switches

PUBLIC INFORMATION

Rev 5058-CO900E


Stratix 6000™ Managed Switches
 Fixed port managed switch
 4 port or 8 port versions with optional fiber optic
uplink (SFP)
 Control system integrated


CIP communications for:

 Diagnostics (tags)
 Configuration (RSLogix 5000)
 Security





DHCP persistence for automatic end device IP address
assignment
Unauthorized User Identification
Traffic Level Monitor with Alarms
FactoryTalk View Faceplates

Integrated Tightly Into The Integrated Architecture
PUBLIC INFORMATION

Reserved

28

Stratix 5700
Industrial Managed Switches

PUBLIC INFORMATION

Rev 5058-CO900E


The Stratix 5700
Layer 2 Managed Switches with Cisco Technology

Compact & Scalable
 Premiere Integration to the Integrated Architecture


CIP interface




Studio 5000 AOP
ControlLogix tags
FactoryTalk View faceplates

 Built with Cisco technology (IOS)




Common feature set with Stratix 8x00
Common IT development tools


(CLI, CNA, DM, CiscoWorks)

 Simple to Deploy & Maintain


Easy integration






Default configurations
Common Smartports
DHCP per port IP addressing

Easy maintenance



Secure Digital card for configuration backup
Diagnostics & network management tools

Best of Rockwell Automation & Cisco in a compact size
PUBLIC INFORMATION


Stratix 5700 Configurations
 3 base platforms offering 20 configurations


6, 10 & 20 port base units





6 copper & 4 copper + 2 SFP slots
8 copper + 2 combo*
16 copper + 2 combo* + 2 SFP slots

2 Gig port option
 SFP slots support multi & single mode fiber


Wide variety of SFPs available
 Compatible with other Cisco SFPs
 Advanced feature set to address:


EtherNet/IP applications
 Security
 Resiliency & Redundancy
 Two software packages to choose from




Lite & Full versions

 Conformal coating option for harsh environments

*Combo ports can be
either copper or SFP

Ideal for simple to complex applications
PUBLIC INFORMATION


Stratix 8000 / 8300
Industrial Managed
Switches

Rev 5058-CO900C


Stratix 8000/8300 - Modular Design
Base Module

Extension Module A

Extension Module B

(6-port or 10-port)

(8-port Copper)

(8-port Fiber)

8 Extended Data Ports
10/100 Copper

Dual Purpose Uplink Ports

Data Ports

10/100/1000 Copper or SFP

8 Extended Data Ports
100 Fixed Fiber

10/100 Copper
SFP Fiber Transceiver
100M and 1G
Multimode and Singlemode

PUBLIC INFORMATION

Copyright © 2011 Rockwell Automation, Inc. All rights reserved. Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved. 33

Stratix 8300 layer 3 Managed Switch
 Layer 3 Routing Capabilities
Dynamic Routing Protocols such as RIP, EIGRP

and OSPF

PUBLIC INFORMATION

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.(Confi

Stratix 5900
Industrial Services Router

PUBLIC INFORMATION

Rev 5058-CO900E


The Stratix 5900 Security Appliance
 Premiere Routing & Security Services
 Firewall
 Virtual Private Network (VPN)
 Network Address Translation (NAT)
 1GE WAN, 4 FE LAN, 1 Serial Port
 Built with Cisco technology (IOS)
 Common features of Stratix Switch
 Common IT development tools


(CLI, CNA, DM, CiscoWorks, CCP)

 Ruggedized with Extended Temp, Shock & Vib
 Compact Size with Din Rail Mount

Best of Rockwell & Cisco in a compact size
PUBLIC INFORMATION


Embedded Switch
Technology

PUBLIC INFORMATION

Rev 5058-CO900E


Embedded Switch Technology
 Embedded Switch Technology enables LINEAR and RING topologies on EtherNet/IP
 Network traffic is managed to ensure timely delivery of critical data (QoS, IGMP
supported)
 Open standard (ODVA) allows 3rd party suppliers to develop compatible products

Linear

• Linear Ethernet segments greatly
extend the length of the
application
• No need to run cables from each
device back to a centralized
switch
PUBLIC INFORMATION

Device-Level Ring (DLR)

• Single fault tolerant network
provides resiliency
• Device level ring requires no
additional hardware to implement


38
38

1783-ETAP
• The 1783-ETAP is a standalone device that allows devices (that do not support the
Embedded Switch Technology) to join a linear or a DLR network.
• Other product features:
- Capable of being a Ring Supervisor in a Device Level Ring
- Managed switch functions to help manage traffic on the network (i.e.: IGMP and QoS)
- Fiber versions available in the future for long distance applications

Device Port – used for
connecting single-port
Ethernet device

Network Ports (2) – used for
connecting to neighboring devices
to form a linear or a ring network

PUBLIC INFORMATION

(Confidential – For Copyright © 2008 Rockwell Automation, Inc. AllAutomation, Inc. AllCopyright © 2013 Rockwell Automation, Inc. All Rights Reserved. 39
Internal Use Only) Copyright © 2009 Rockwell rights reserved. rights reserved.
39

DLR Enabled Products
 1756-ENT2R, Point, Flex, ArmorPoint, ETAP, CompactLogix, 193-DNENCATR,
1747-AENTR, ArmorBlock, ArmorStart

PUBLIC INFORMATION


40

Stratix 5100
Wireless Access Point

PUBLIC INFORMATION

Rev 5058-CO900E


Stratix Wireless Access Points
 Value

 Product


Access Point / Work Group Bridge



Autonomous



Leveraging the latest 802.11N WiFi
technology


MIMO, Packet Aggregation & Spatial
Multiplexing
•



Higher performance

•



Provides real-time performance
for mission critical applications
 Eliminates wire & cabling to
reducing installation costs
 Enables mobility and portability to
people and devices
 Seamless integration within a
Cisco wireless network


Flexibility and segmentation

2.4GHz and 5Ghz radios

Support for VLAN, QoS and RADIUS
Segmentation, priority handling and
authorization
 Backward compliant to 802.11a/b/g




CIP enabled



PUBLIC INFORMATION

Logix for system diagnostics
Profile & tags

Typical Configurations
Enterprise Zone

ERP, Email, Wide Area
Network (WAN)

Network
Enterprise

5900 Industrial
Services Router

8300 Managed
Layer 3 Switch

Manufacturing Zone
8000 Managed
Layer 2 Switch

FactoryTalk
Applications
and Services

5100
802.11n – Dual Band
Access point

Ring Topology

Lightweight AP
(LWAP)
Mobile User
AP as Workgroup
Bridge (WGB)

ETAP - Embedded
Layer 2 Switch
Ring Topology

Cell/Area Zone #1
PUBLIC INFORMATION

Embedded Layer 2
Switch Linear
Topology

6000 Managed
Layer 2 Switch
Star Topology

Cell/Area Zone #2

Cell/Area Zone #3

Cell/Area Zone #4


Stratix Family Quick Reference

PUBLIC INFORMATION


Invisible Cost to Visible Value
Rob Price
Head of Technical Strategy
Partner & Commercial Team
roprice@cisco.com
September 2013

© 2010 Cisco and/or its affiliates. All rights reserved.

Cisco Confidential

1

“I cannot imagine a life without…”

% of 14 – 29 year olds
Source: BITKOM – Bundesverband Informationswirtschaft, Telekommunikation und neue Medien e.V., 2010


Cisco Confidential

2

• A mobile phone: 97%

Source: BITKOM – Bundesverband Informationswirtschaft, Telekommunikation und neue Medien

Cisco Confidential

3

• The 2 photos on the right are of St

Peters Square during the
announcement of the election of last 2
Popes

• In just 8 years mobile devices have

become ubiquitous. Everyone carries
the internet in their pocket


Cisco Confidential

4

• The Internet: 84%


Cisco Confidential

5

• A car: 64%


Cisco Confidential

6

• My current partner: 43%


Cisco Confidential

7


Cisco Confidential

8


Cisco Confidential

9


Cisco Confidential

10


Cisco Confidential

11


Cisco Confidential

12

*
• Will gather 14 ExaBytes of data per
day !!

• Will store over 1 PetaByte per day
• Transmit

• Store
• Analyse

* 1 ExaByte = 1,000,000,000,000,000,000 Bytes
It took until 2004 for internet traffic to pass
1 Exabyte per month


Cisco Confidential

13

IMMERSIVE
COLLABORATION
Pervasive Video

MOBILITY

CLOUD

BYOD

XaaS
XaaS | DC / V

THE NETWORK

SECURITY, Accelerating Cyber-Threats
IT PRODUCTIVITY, Service and Network Management
GREEN, Energy Efficiency

Cisco Confidential

14

How You Worked Depended on This…
Now It Depends on This…

FIXED

MOBILE
Cisco Confidential

15

X aaS

Cisco Confidential

16

Pop Quiz


Cisco Confidential

17

Thank you.


Cisco Confidential

18

Securing Controls Networks
Protecting against the bad dumb guys ;)

Steve Matthews (stmatthe@cisco.com)
Consulting Systems Engineer IoT Sales EMEAR
11th Feb 2014

Industrial Security
!"#$%&'('))#*+),'-#
."#/01#2344'5634#
."#7%8(9:;#<3='-#

Source of Industrial
Security Incidents
Source: BCIT (2009)

."#>'(53#1',?3&@#
AB"#>&:),'=#>C%&=908&,+#2344'5634#
#DE45(:=')#E4F'5,'=#G8;,3;)H#

Average Cost of
Manufacturing Downtime =
$210,000 per Hour
Source: Infonetics (2005)


A."#E4,'&4',#7%&'5,(+#
IJ"#/%8#23&;3&8,'#$K1#84=#
L:)%4'))#1',?3&@#

How Big Are the Risks?
!! Less than 2% of incidents are reported
–! Concern for damage of corporate reputation and stock price

!! Risk = Threat Probability X Consequence
!! Targets of choice at higher financial risk than targets of opportunity
>'*,*&',-$?@A,&+$B$C/DDEDDD$
4#
4#$0,12+,3)#
5#$9,&:)8$
5#
5#$6+7)8$

>'*,*&',-$?@A,&+$F$C/DDEDDD$
./#$0,12+,3)$

/.#$%&&'()*+,-$
;5#$<,-=,8)$
*3:&5'M#N&%5#L+&')O#L2E>#


!"#$%&&'()*+,-$

The Game Changer in 2010..
!! NOT external network
proliferated!
!! Unique 4x 0 day
exploits - undetectable
!! USB & print spooler
!! Focussed ONLY on:
–! Step 7
–! S7 400 PLC
–! & 2 hi freq drives
!! Then ‘duqu’ (related)
–! Data mining /stealing

!! Then ‘flame’ (older)
!! Stuxnet is now
effectively ‘open
source’ !


I#

A breakdown of Stuxnet
CP;MQQ???R,'=R53-Q,8(@)Q&8(;CS(84T4'&S5&85@%4TS),:U4',S8SVA),S5'4,:&+S5+W'&?'8;34RC,-(#
#
X8(;C#G84T4'&#
#
Y'&-84#234,&3(#)+),'-)#)'5:&%,+#
534):(,84,#
#

>G0)&H8)$=8,AGHA$2*$0+HI*)+$
CP;MQQ???R+3:,:W'R53-Q?8,5CZ[T]^8=]E.)53#

#


Common Areas of Vulnerability
!! Fragile TCP/IP Stacks – NMAP, Ping Sweep lockup
!! Little or no device level authentication
!! Poor network design – daisy chains, hubs
!! Windows based IA servers – patching, legacy OS
!! Unnecessary services running – FTP, HTTP
!! Open environment, no port security, no physical security of switch, Ethernet ports
!! Limited auditing and monitoring of access to IA devices
!! Unauthorised use of HMI, IA systems for browsing, music/movie downloads
!! Lack of IT expertise in IA networks, many blind spots


Defense-in-Depth
Critical Elements to Security
!! Security is basically two pronged:
–! Technical vs. Non-technical
–! A balanced Security Program must address both
Technical (technology) and Non-Technical (procedures)
Elements
Non
Technical

Technical

!! Technical controls - Firewalls, Group Policy Objects,
Layer 3 ACLs, etc.
!! Non-technical controls - rules for environments, such
as policy and procedure, risk management
!! Security is only as strong as the weakest link
!! Vigilance and Attention to Detail are KEY to the longterm security success

_34'9)%^'9`,)98((a#

Defense-in-Depth
Multiple Layers to Protect the network and Defend the edge
!! Physical Security – limit physical access to authorized
personnel: areas, control panels, devices, cabling, and
control room – escort and track visitors
!! Network Hardening – infrastructure framework – e.g.
firewalls with intrusion detection and intrusion prevention
systems (IDS/IPS), and integrated protection of networking
equipment such as switches and routers
!! End-point Hardening – patch management, antivirus
software as well as removal of unused applications,
protocols, and services
!! Application Security – authentication, authorization, and
audit software
!! Device Hardening – change management and restrictive
access


Physical
Network
Computer
Application
Device

Defense
in Depth

Defense-in-Depth
Network Security
!! Security is not a bolt-on component
!! Comprehensive Network Security
Model for Defense-in-Depth
!! Industrial Security Policy
!! DMZ Implementation
!! Design Remote Partner Access
Policy, with robust & secure
implementation


Defence-in-Depth
Physical Security - Examples
•! Keyed solutions for
copper and fibre
•! Lock-in, Blockout
products secure
connections


Secure Network Architectures for
Industrial Control Systems

Purdue model ISA 95
N4,'&;&%)'#b34'#

Enterprise Network
Site Business Planning and Logistics
Network

7<b#

Level 5
Level 4

7'-%(%,8&%^'=#b34'#c#*C8&'=#K55'))#

027#c#0&35'))#234,&3(#73-8%4#Q#

*%,'#<84:F85,:&%4T#d;'&8634)#84=#234,&3(# Level 3

<84:F85,:&%4T#b34'#
021#c#0&35'))#234,&3(#1',?3&@#Q#
2'((#Q#K&'8#b34'#

Level
3!

K&'8#*:;'&[%)3&+#234,&3(#

Level 2

L8)%5#234,&3(#

Level 1

0&35'))#

Level 0


Converged Plant-wide Ethernet Architecture
E4,'&4',
#

N4,'&;&%)'QE>#E4,'T&8634
#
23((8W3&8634
#
$%&'('))
#
K;;(%58634#d;6-%^8634
#

N4,'&;&%)'#1',?3&@#
G'['()#Icg#
$'W
#

08,5C#<848T'-'4,O#>'&-%48(#
*'&[%5')O#K;;(%58634#<%&&3&)O#K/#
*'&['&)
#

K;;)
#

71*
#

]>0
#

YW;)#G%4@#F3&#]8%(3['&#
7','5634
#

K;;(%58634#84=#78,8#)C8&'
#

7'-%(%,8&%^'=#b34'#
]%&'?8((
#
D*,84=W+H
#
2%)53#

]%&'?8((
#
DK56['H
#

K55'))#234,&3(
#

D7<bH#]%&'?8(()#

K*K#ggBB#

>C&'8,#0&3,'5634
#

<84:F85,:&%4T#b34'#
2%)53#28,8(+),#
*2K7K#K;;(%58634
#

28,8(+),#
*?%,5C
#

84=#*'&[%5')#*'&['&)
#
2%)53#28,R#!.gBi#
*,85@$%)'#
*?%,5C#*,85@#

EN!BBBQ!BABQVBBB#

1',?3&@#*'&[%5')##
#

<:(69*'&[%5'#1',?3&@)
#

7%),&%W:634#84=#23&'#

1',?3&@#84=#*'5:&%,+#
<848T'-'4,
#

2'((QK&'8#b34'#

k<E
#

G8+'&#V#K55'))#*?%,5C#

7&%['
#

G'['(#!#

2%)53
#

hgBBQIgBB#

*%,'#d;'&8634)#84=#234,&3(
#

234,&3(('&
#
k<E
#

234,&3(('&
#

2'((QK&'8#jA
#
DX'=:4=84,#*,8&#>3;3(3T+H
#

7&%['
#

7&%['
#

#
k<E 7%),&%W:,'=#EQd
#
234,&3(('&
#
2'((QK&'8#jV
#
DX%4T#>3;3(3T+H
#

7%),&%W:,'=#EQd
#


2'((QK&'8#j!
#
#DG%4'8&#>3;3(3T+H
#

G'['()#BcV#
G8+'&#V#K55'))#

X3:64T
#
X'8(c>%-'#234,&3(
#
]8),#234['&T'45'
#
>&8e5#*'T-'4,8634#84=#
<848T'-'4,
#
N8)'#3F#f)'
#

Switch Security Features & Techniques

Defend the Industrial Edge
DMZ and Secure Remote Access Guiding Principals

# # # # # ## #
Enterprise
WAN

### ## #

!! ICS Protocols Stay Home

Enterprise
Data Centre

**G /01

!! Use IT-Approved Access and Authentication
–! VPN for secure remote access
–! Enterprise Access and Authentication servers (e.g Active
Directory, Radius, etc.)

E0*N2 /01
E0*N2 /01
E0*N2 /01
E0*N2 /01
E0*N2 /01
E0*N2 /01
E0*N2 /01
E0*N2 /01
E0*N2 /01
E0*N2 /01
E0*N2 /01
0
0
0
0
0
0
0
0
0
0
01
01
01
01
01
01
01
01
01
01

!! Firewalling and remote access at levels 0-2 (L2
Transparent Mode) with Industrial IPS/IDS

Internet

Enterprise Zone
Levels 4 and 5


!! Control the Application

!! Remote Access (Terminal) Server
!! Application level security
!! No direct traffic through the firewall
!! Only one path in and out of industrial - the firewalls


Manufacturing Zone
Site Manufacturing
Operations and Control
Level 3
Cell/Area Zones
Levels 0–2

Protect the Interior – switch config options..
L2/3 Network Security Features
"!Authentication
–! 802.1x Authentication, WebAuth, MAB
"!CISF (Cisco Integrated Security Features):
!! Port Security (Limit MACs)
!! IPv4 and IPv6 DHCP Snooping (Prevent rogues)
!! IP Source Guard (No false IPs)
!! Dynamic Arp Inspection (Prevent rogues)
"!Access Control Lists


Protect the Interior – switch config options..
Traffic Control – Prevent DoS or accidental storms
§  Storm Control
–  small-frame violation-rate 100 (frames less than 67b)
–  storm-control broadcast level pps 5k 4.5k
–  Storm-control broadcast level 20% 15%
–  storm-control multicast level pps 10k 9.5k
–  storm-control unicast level pps 5k 4.5k
–  storm-control action shutdown / trap

§  Rate Limiting
–  Rate-limit input rate(bps) burst(bytes)
–  Rate-limit output rate(bps) burst(bytes)


End-point and Network (Switches) Hardening Procedures
!! Use secure protocols on switches and devices(HTTPS, SCP, SNMPv3, SSH)
!! Do not implement shared or “backdoor” accounts/password
!! Enable password encryption (service password-encryption)
!! Disable password recovery (no service password-recovery) CAUTION
!! Disable small servers (
(tod, hello, etc.)
–! no service tcp-small-servers
–! no service udp-small-servers
–! no ip finger

!! Enable memory leak detection and threshold alarming
!! Comprehensive information here:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml


Cisco Security Logical Framework
Enterprise Network

Purdue Reference Model, ISA-95

Level 5
Level 4

E-Mail, Intranet, etc.

Enterprise
Zone

Site Business Planning and Logistics Network
Firewall

Terminal
Services

Patch
Management

Application
Mirror

Level 3
Level 2

FactoryTalk
App Server

Web Services
Operations

FactoryTalk
Directory

FactoryTalk
Client

AV
Server
Application
Server

Engineering
Workstation

Site Manufacturing Operations and
Control
Area Supervisory
Control
Engineering
Workstation

Level 0

Batch
Control

Discrete
Control

Sensors

Drive
Control

Drives

Continuous
Process
Control

Actuators


Process
Control
Domain

Operator
Interface
Basic Control

Level 1

DMZ

Firewall

Domain
Controller

FactoryTalk
Client

Operator
Interface

Web
E-Mail
CIP

Safety
Control

Robots

Process
Control
Network

Industrial Security Standard ISA-99

Strong Segmentation

Process

VB#

Cisco/RA Applied Security – What goes where?
%0%$
K*K92i#

N4,'&;&%)'#b34'#

Level 5
Level 4

E0*#
?0J$
/01#

7<b#

Level
3!

027#Q##

Level 3

<84:F85,:&%4T#b34'#
Level 2

/7E#
021#Q#

$*K#

2'((#Q#K&'8#b34'#

Level 1
Level 0

0+8,KI$L"DD$

Cisco 819H ISR (Rockwell Stratix 5900) Feature Highlights
Security features:
•! *,8,'F:(#E4);'5634#]%&'?8((#
•! b34'#W8)'=#]%&'?8((#
•! E4,&:)%34#0&'['4634#*+),'-#DE0*H#
•! 7+48-%5#<:(6;3%4,#/01#D7</01H#
•! YN>/01#
•! E0)'5#
•! l:8(%,+#3F#)'&[%5'#Dl3*H#
•! fXG#`(,'&%4T#
•! k%TC#K[8%(8W%(%,+#F3&#>20#W8)'=#)'&[%5')#D:)'F:(#F3&#)'&[%5')#(%@'#<3=W:)Q>20H#
Industrial Characteristics
•! 13#]84#
•! k8&='4'=#
•! E4T&'))#0&3,'5634#

Cisco ASA 5500 Adaptive Security Appliances
Delivering Leading Threat Defense and VPN Services
Provides Converged Threat Defense, Flexible Secure Connectivity,
Minimized Operation Costs, and Unique Adaptive Design to Combat Future Threats
Market-Leading Firewall Services

Market-Leading VPN Services

!! Integrates and extends the #1 deployed firewall
technology from Cisco PIX Security Appliances
!! Built upon the experience of over
one million PIX deployed worldwide
and 10+ years of innovation

!! Integrates and extends the #1 deployed remote
access VPN technology from Cisco VPN 3000
Concentrators and Cisco PIX Security Appliances,
offering both
SSL and IPsec VPN services

Market-Leading IPS Services

Market-Leading Content Security

!! Integrates and extends the #1 deployed IPS and IDS
technology from the Cisco IPS 4200 Series
!! Provides comprehensive security from directed attacks
and many other threats including signatures for DNP3,
modbus, ICCP

!! Integrates and extends the #1 deployed gateway
content security technology to protect from viruses,
spyware, spam, phishing, and employee productivity
impacting websites

Market-Leading Secure Unified Communications
!! Comprehensive access control, threat protection, network policies, service protection and voice/video confidentiality for
© 2014
real-time Unified Communications traffic Cisco and/or its affiliates. All rights reserved.

Identity Service Engine ‘Context-Aware Security’
I want to allow only authorized
users access to my network

I want to allow guests into the
network

Y:'),#G%F'5+5('#
<848T'-'4,#

I need to allow/deny iPADs in
my network (BYOD)

M'N&2$$
?0J$

K:,C'4658634#84=#
K:,C3&%^8634#

0&3`(%4T#*'&[%5')#

I need to ensure my endpoints
don’t become a threat vector

03),:&'#*'&[%5')#

I need a scalable way of
authorizing users or devices in
the network

*'5:&%,+#Y&3:;#K55'))#
<848T'-'4,#

How can I set my firewall
policies based on identity
instead of IP addresses?

E='46,+9W8)'=#]%&'?8((#


Employ Secure Remote Access Techniques
SSL Clientless VPN
§  No VPN client needs to be installed on remote client
§  Access to internal network through one point entry
§  Uses a standard web browser, platform independent: Internet Explorer, Firefox
§  Can access web applications http, https, Common Internet File Sharing
(CIFS), File Transfer Protocol (FTP)
§  Client-Server Plug-ins for Remote Desktop Protocol (RDP), Virtual Network
Computing (VNC), Secure Shell (SSH) access, Telnet and Citrix
§  VPN appliance gives web-based look and feel for the application access
(customizable) through content
rewrite process


Secure Remote Access – Clientless SSL VPN via ASA 55xx
!! O)@2+)$)*3'*))8$28$A,8+*)8$)N+,1-'N7)N$
PQR$+2$&28A28,+)$*)+=28:S$,&&)NN$'N$
8)N+8'&+)($+2$?Q$,((8)NN$2T$A-,*+$U<V$
W8)=,--$
!! Q28+,-$2*$A-,*+$W8)=,--$)*,1-)N$,&&)NN$+2$
?%M0$(,+,E$W-)N$,*($,AA-'&,K2*N$$

!! %&&)NN$+2$,AA-'&,K2*N$2*$8)@2+)$,&&)NN$
N)8)8$'N$8)N+8'&+)($+2$NA)&'W)($A-,*+$]228$
?%M0$8)N2H8&)N$+782H37$?%M0$,AA-'&,K2*$
N)&H8'+X$$

*#*G#/# 1#
# 0#

Enterprise
Data Center

?*+8HN'2*$A82+)&K2*$NXN+)@$Y?Q0Z$2*$
A-,*+$W8)=,--$()+)&+N$,*($A82+)&+N$
,3,'*N+$,[,&:N$T82@$8)@2+)$72N+$
!! >'8)=,--$A82I')N$,$&-')*+$N)NN'2*$+2$8)@2+)$
$
,&&)NN$N)8)8$

0 # 0#
E# #*#N2#/# 1#

Remote Engineer
or Partner

Cisco VPN
Client
Internet
Enterprise Edge
Firewall
Enterprise
Connected
Engineer

Enterprise
WAN

Patch Management
Terminal Services
Application Mirror
AV Server

]85,3&+>8(@#K;;(%58634#*'&['&)#
!! /%'?#
!! k%),3&%84#
!! K))',2'4,&'#
!! >&84)85634#<848T'&#
]85,3&+>8(@#*'&[%5')##
0(8m3&-#
n! 7%&'5,3&+#
n! *'5:&%,+QK:=%,#
78,8#*'&['&)#

k>>0*#

Gbps Link
Failover
Detection

Cisco
ASA 5500

Enterprise Zone
Levels 4 and 5

Enterprise Zone
Levels 4 and 5

Firewall
(Standby)

Firewall
(Active)

Catalyst
6500/4500

X'-3,'#7')@,3;#0&3,353(#
DX70H#

Remote Access Server
!!RSLogix 5000
!!FactoryTalk View Studio
Catalyst 3750
StackWise
Switch Stack
N,C'&1',QE0#

Manufacturing Zone
Site Manufacturing
Operations and Control
Level 3
Cell/Area Zones


21 Steps to securing a SCADA network
1. Identify all connections to SCADA networks
2. Disconnect unnecessary connections to the SCADA network
3. Evaluate and strengthen the security of any remaining connections to the SCADA network
4. Harden SCADA networks by removing or disabling unnecessary services
5. Do not rely on proprietary protocols to protect your system
6. Implement the security features provided by device and system vendors
7. Establish strong controls over any medium that is used as a backdoor into the SCADA network
8. Implement internal and external intrusion detection systems and establish 24-hour-a-day
incident monitoring
9. Perform technical audits of SCADA devices and networks, and any other connected
networks, to identify security concerns
10. Conduct physical security surveys and assess all remote sites connected to the
SCADA network to evaluate their security
11. Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios
12. Clearly define cyber security roles, responsibilities, and authorities for managers,
system administrators, and users
13. Document network architecture and identify systems that serve critical functions
or contain sensitive information that require additional levels of protection
14. Establish a rigorous, ongoing risk management process
15. Establish a network protection strategy based on the principle of defense-in-depth
16. Clearly identify cyber security requirements
17. Establish effective configuration management processes
18. Conduct routine self-assessments
19. Establish system backups and disaster recovery plans
20. Senior organizational leadership should establish expectations for cyber security
performance and hold individuals accountable for their performance
21. Establish policies and conduct training to minimize the likelihood that organizational
personnel will inadvertently disclose sensitive information regarding SCADA system
design, operations, or security controls

7[A^__===`2)`*)+-`(2)`32_(2&N_A8)A,8)_./N+)AN122:-)+`A(T$
$

Plantwide benefits of EtherNet IP Seminar

Plantwide benefits of EtherNet IP Seminar

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Plantwide benefits of EtherNet IP Seminar

Similar to Plantwide benefits of EtherNet IP Seminar (20)

Recently uploaded

Recently uploaded (20)

Plantwide benefits of EtherNet IP Seminar