Plantwide Benefits of EtherNet/IP Seminar
DESCRIPTION
The slides presented by Rockwell Automation, Panduit and Cisco Systems at the EtherNet/IP Seminar, 11 February 2014.
TRANSCRIPT
Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.
Industrial IoT in Action
Phil George – Solution Architect
Word cloud slide: Ethernet, SQL, Cloud, Big Data, Virtualization, Mobility, Social Media
Inflection Point
“an event that changes the way we think and act” – Andy Grove, Intel Co-founder
Word cloud slide: Podcast, Chatroom, Infotainment, Sidebar, Geek, Landline, Speed Dating, App, Buzzword, Widget, Webinar, Cyber grieving, ping, Blog, hashtag, BFF, LOL, phishing, Flash drive, Tagging, firewall, JPG, Flat screen, informationalize, Tweet, Google, Unfriend, Wiki, IM, Cloud
SECURE Connected Enterprise
Inflection Point – Now!
Disruptive Technologies: Cloud, Ethernet, Mobility, Big Data, Business Analytics
Unprecedented Value ($$$$): Faster Time-to-Market, Lower Total Cost of Ownership, Improved Asset Utilization, Enterprise Risk Management
Global Population Trends (2020)
• Will exceed 7.6 billion
• More than 70 million annually will cross into the middle class
• Middle class adding $8 trillion to consumer spend
Source: McKinsey
Global Population Trends Increase Demand for Manufacturing, Resources and Infrastructure
Emerging market consumerism and resource productivity investment ($1T) increase demand on industrial production:
• 150% more energy
• 30% more water
• 100% more vehicles
• 80% more steel
Source: McKinsey
The Connected Enterprise
Supply chain optimized for rapid value creation: supply chain integration; collaborative, demand driven; compliant and sustainable
Agility – Productivity – Sustainability
Diagram: Enterprise, Supply Chain, Distribution Center, Smart Grid, Customers
Industrial Internet of Things
Raw data > Contextualized Data > Business System
Diagram: Customer Demand, Industrial Processes, Supply Chain, Business System; devices: Actuators, Intelligent Motor Control, Terminals, Audio, Video, Sensors
Transformation: Integrated Control and Information
CONVENTIONAL: SEPARATE IT & AUTOMATION (Enterprise Infrastructure / Automation Infrastructure)
FUTURE: UNIFIED INFRASTRUCTURE (One Common Environment)
ENABLER: Common Secure Ethernet Infrastructure
Kentucky Facility (paint lab), 2011–2012 results
• Number of re-coats reduced due to real-time alerts
• Oven temperatures accessed in real time
• $302k/yr eliminated by contract dispatch
• Allows all to access EPA data
• Visibility into loss-of-production faults leads to root cause identification
Agenda
• Fundamentals of EtherNet/IP
• Designing the Physical Layer
• Industrial & IT Network Convergence
• EtherNet/IP Product Selection
• Securing Automation Networks
• Plant-wide Benefits of EtherNet/IP
www.rockwellautomation.com
www.rockwellautomation.com/connectedenterprise
Follow ROKAutomation on Facebook & Twitter. Connect with us on LinkedIn.
EtherNet/IP Overview – Benefits of EtherNet/IP Seminar Series
Industrial Network Needs: Long Term Trends
• Open network
• Converged network technologies (information sharing, common design)
• Better asset utilization – lean initiatives (training, support, and inventory)
• Future ready – to maximize investments and minimize risks
Industrial Network Trends: Industrial Applications Convergence
Diagram: from disparate network technologies (separate drive, safety, I/O and plant/site networks per controller) to a single industrial network technology carrying I/O, drive, safety, process, power, information, high availability and energy management applications (controller, VFD drive, HMI, safety I/O, I/O, camera, instrumentation, plant/site).
EtherNet/IP is the global leader: 5M+ nodes sold, 300+ vendors, 1000s of product lines
EtherNet/IP – One Standard Industrial Network Technology For:
• Control System Engineer: enable future-ready, high performance; use an established, widely accepted network technology supported by leading industry vendors
• IT Network Engineer: use standard Ethernet and TCP/IP; utilize common network infrastructure assets & tools
• System Integrator: enable seamless plant-wide / site-wide information sharing; converge industrial and non-industrial traffic
• Equipment Builder: enable convergence-ready solutions; use a single multi-discipline control and information platform
EtherNet/IP: “IP” – Industrial Protocol. Single Industrial Network Technology
• ODVA – supported by global industry leaders such as Cisco Systems®, Omron®, Schneider Electric®, Bosch Rexroth AG®, Endress+Hauser and Rockwell Automation
• Conformance & performance testing
• Standards: IEEE 802.3 – standard Ethernet, Precision Time Protocol (IEEE 1588); IETF – Internet Engineering Task Force, standard Internet Protocol (IP); ODVA – Common Industrial Protocol (CIP); IEC – International Electrotechnical Commission – IEC 61158
• IT friendly and future-ready (sustainable); multi-discipline control and information platform; established – products, applications and vendors
www.odva.org
Single Industrial Network Technology: OSI 7-Layer Reference Model (Open Systems Interconnection)

Layer No.  Layer Name     Function                                              EtherNet/IP example
Layer 7    Application    Network services to user application                  CIP (IEC 61158)
Layer 6    Presentation   Encryption / other processing                         CIP (IEC 61158)
Layer 5    Session        Manage multiple applications                          CIP (IEC 61158)
Layer 4    Transport      Reliable end-to-end delivery, error correction        IETF TCP/UDP
Layer 3    Network        Packet delivery, routing                              IETF IP (routers)
Layer 2    Data Link      Framing of data, error checking                       IEEE 802.3/802.1 (switches)
Layer 1    Physical       Signal type to transmit bits, pin-outs, cable type    TIA-1005 (cabling)

What makes EtherNet/IP industrial? Physical layer hardening, infrastructure device hardening, and a common application layer protocol (CIP, IEC 61158) on top of the 5-layer TCP/IP model.
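The table above places CIP at Layers 5–7 over standard TCP/UDP and IP. In practice the boundary is a 24-byte EtherNet/IP encapsulation header in front of every CIP message. The following is an added example, not code from the slides, ODVA or Rockwell Automation: it builds a RegisterSession request, parses a constructed reply and checks the fields a client should verify. Command codes, field layout and port numbers are those of the public EtherNet/IP specification; the reply bytes are constructed here, not captured from a device.

```python
"""Build and parse EtherNet/IP encapsulation headers, the layer that carries
CIP (Layers 5-7) over IETF TCP/UDP (Layer 4). Added example, not vendor code."""
import struct

# Encapsulation header: command, length, session handle, status, sender
# context, options. All fields are little-endian (ODVA EtherNet/IP spec).
ENCAP_HEADER = struct.Struct("<HHIIQI")
ENCAP_HEADER_LEN = ENCAP_HEADER.size  # 24 bytes

ENCAP_TCP_PORT = 44818  # explicit messaging (also UDP 44818 for ListIdentity)
IO_UDP_PORT = 2222      # implicit (real-time I/O) traffic

CMD_LIST_IDENTITY = 0x0063
CMD_REGISTER_SESSION = 0x0065
CMD_UNREGISTER_SESSION = 0x0066
CMD_SEND_RR_DATA = 0x006F
CMD_SEND_UNIT_DATA = 0x0070


def build_encap(command, payload=b"", session=0, context=0):
    """Prefix a payload with a 24-byte header; status and options are zero in requests."""
    return ENCAP_HEADER.pack(command, len(payload), session, 0, context, 0) + payload


def build_register_session(context=0):
    """RegisterSession request: protocol version 1, option flags 0."""
    return build_encap(CMD_REGISTER_SESSION, struct.pack("<HH", 1, 0), context=context)


def build_list_identity():
    """ListIdentity has an empty payload; discovery tools broadcast it over UDP 44818."""
    return build_encap(CMD_LIST_IDENTITY)


def parse_encap(data):
    """Split header and payload, refusing truncated or inconsistent frames."""
    if len(data) < ENCAP_HEADER_LEN:
        raise ValueError("frame shorter than encapsulation header")
    command, length, session, status, context, options = ENCAP_HEADER.unpack_from(data)
    if len(data) != ENCAP_HEADER_LEN + length:
        raise ValueError("length field does not match frame size")
    return {"command": command, "session": session, "status": status,
            "context": context, "options": options, "payload": data[ENCAP_HEADER_LEN:]}


def is_well_formed(data):
    """True when the frame parses cleanly (header present, length field consistent)."""
    try:
        parse_encap(data)
        return True
    except ValueError:
        return False


def check_register_reply(request, reply):
    """Return a list of problems with a RegisterSession reply (empty list = acceptable)."""
    req, rep = parse_encap(request), parse_encap(reply)
    problems = []
    if rep["command"] != CMD_REGISTER_SESSION:
        problems.append("unexpected command 0x%04x" % rep["command"])
    if rep["context"] != req["context"]:
        problems.append("sender context not echoed")
    if rep["status"] != 0:
        problems.append("status 0x%08x" % rep["status"])
    if rep["session"] == 0:
        problems.append("no session handle assigned")
    # The session handle is the only thing later SendRRData/SendUnitData frames
    # carry to tie them to this exchange; the encapsulation layer itself has no
    # authentication, which is why zone segmentation in this architecture matters.
    return problems


# Constructed sample reply (not captured from a real device): the device echoes
# command, version and sender context and assigns session handle 0x1A2B3C4D.
SAMPLE_CONTEXT = 0x0102030405060708
SAMPLE_REPLY = (ENCAP_HEADER.pack(CMD_REGISTER_SESSION, 4, 0x1A2B3C4D, 0, SAMPLE_CONTEXT, 0)
                + struct.pack("<HH", 1, 0))

if __name__ == "__main__":
    req = build_register_session(context=SAMPLE_CONTEXT)
    print("request :", req.hex())
    print("reply   :", parse_encap(SAMPLE_REPLY))
    print("problems:", check_register_reply(req, SAMPLE_REPLY))
```

A client keeps the returned session handle and places it in every subsequent SendRRData or SendUnitData header; the sender-context echo is the only way to pair a reply with its request on a shared TCP connection.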
OSI Reference Model: Protocol Stack
Application layers (Layers 5–7): CIP (IEC 61158)
Data transport layers: Layer 4 – IETF TCP/UDP; Layer 3 – IETF IP; Layer 2 – IEEE 802.3/802.1; Layer 1 – TIA-1005
OSI Reference Model: Open Systems Interconnection – proprietary upper layers
Layers 3–7 (Network, Transport, Session, Presentation, Application): vendor specific
Layer 2: IEEE 802.3/802.1; Layer 1: TIA-1005
Limits portability and routability; may require additional assets to forward information throughout the plant-wide / site-wide architecture
OSI Reference Model: Open Systems Interconnection – proprietary stack
Layers 2–7 (Data Link through Application): vendor specific; Layer 1: TIA-1005
Non-standard Ethernet; will require additional assets to connect into the plant-wide / site-wide architecture
OSI Reference Model: Network Independent
CIP at Layer 7 is network independent: the same application layer runs unchanged over different Layer 1–4 transports.
Industrial Network Trends: Industrial Applications Convergence
Disparate network technologies: multiple network technologies, topology limits, physical segmentation, data duplication
Single industrial network technology: one network technology, segmentation options (controller, VFD drive, HMI, safety I/O, I/O, camera, instrumentation, plant/site)
The Alternative: “Islands of Automation”
Network Technology Convergence: Collaboration of Partners
Logical framework (Cisco/Rockwell Automation Converged Plantwide Ethernet reference architecture):
• Enterprise Zone (Levels 4 and 5): Enterprise WAN; physical or virtualized servers – ERP, Email, Call Manager, Active Directory (AD), AAA – RADIUS
• Industrial Demilitarized Zone (IDMZ): plant firewall (Cisco ASA 5500, active/standby pair with Gbps link for failover detection) – inter-zone traffic segmentation ACLs, IPS and IDS, VPN services, portal and terminal server proxy; physical or virtualized servers – patch management, remote gateway services, application mirror, AV server
• Industrial Zone – Site Operations and Control (Level 3): Catalyst 3750 StackWise switch stack, Catalyst 6500/4500; physical or virtualized servers – FactoryTalk application servers & services platform, network services (e.g. DNS, AD, DHCP, AAA), Remote Access Server (RAS), Call Manager, storage array
• Cell/Area Zones (Levels 0–2): Rockwell Automation Stratix 8000 Layer 2 access switches; Cell/Area Zone #1 redundant star topology with Flex Links resiliency, Cell/Area Zone #2 ring topology with Resilient Ethernet Protocol (REP), Cell/Area Zone #3 bus/star topology; devices – controller, safety controller, HMI, MCC, robot, soft starter, servo drive, safety I/O, I/O, instrumentation I/O, phone, camera
Physical framework (Panduit): micro data center, racks, patching, cable management, copper/fiber, noise mitigation, control panel network zone
Common toolsets: copper, fiber and wireless testers; network discovery protocol statistics
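The IDMZ in this architecture is the buffer between the Enterprise Zone (Levels 4–5) and the Industrial Zone (Levels 0–3): traffic from either side terminates on an IDMZ service (terminal server proxy, application mirror, patch management) and nothing is permitted straight through. The following is an added example, not from the slides or from Cisco/Rockwell Automation: a checker that evaluates a plant-firewall rule list against that rule. The zone names, the rule tuple format and the sample rule sets are assumptions for illustration and are not any vendor's firewall syntax.

```python
"""Audit a plant-firewall rule list against the IDMZ buffer-zone rule:
Enterprise and Industrial zones never exchange traffic directly, and the
list ends with an explicit default deny. Added example; the rule format is
an assumption, not a real firewall's syntax."""

ZONES = ("enterprise", "idmz", "industrial")
ANY = "any"


def matches(rule, src, dst, proto, port):
    """True if a single (src, dst, proto, port, action) rule covers the flow."""
    r_src, r_dst, r_proto, r_port, _ = rule
    return (r_src in (ANY, src) and r_dst in (ANY, dst)
            and r_proto in (ANY, proto) and r_port in (ANY, port))


def flow_allowed(rules, src, dst, proto, port):
    """First-match evaluation; implicit deny if no rule matches."""
    for rule in rules:
        if matches(rule, src, dst, proto, port):
            return rule[4] == "permit"
    return False


def audit_idmz(rules):
    """Return human-readable violations (empty list = rule set respects the IDMZ)."""
    violations = []
    for i, (src, dst, proto, port, action) in enumerate(rules):
        if action != "permit":
            continue
        srcs = set(ZONES) if src == ANY else {src}
        dsts = set(ZONES) if dst == ANY else {dst}
        # A permit whose source and destination span the IDMZ is the violation.
        if (("enterprise" in srcs and "industrial" in dsts)
                or ("industrial" in srcs and "enterprise" in dsts)):
            violations.append(
                f"rule {i}: permits {src}->{dst} {proto}/{port} without terminating in the IDMZ")
    if not rules or rules[-1] != (ANY, ANY, ANY, ANY, "deny"):
        violations.append("no explicit default deny as the last rule")
    return violations


# Constructed sample rule sets (illustrative ports, not a recommended policy).
GOOD_RULES = [
    ("enterprise", "idmz", "tcp", 443, "permit"),    # users reach the portal / terminal server proxy
    ("idmz", "industrial", "tcp", 3389, "permit"),   # remote gateway in the IDMZ reaches plant hosts
    ("industrial", "idmz", "tcp", 1433, "permit"),   # historian pushes to the application mirror
    ("idmz", "enterprise", "tcp", 443, "permit"),    # patch server pulls from enterprise WSUS/AV source
    (ANY, ANY, ANY, ANY, "deny"),
]

BAD_RULES = [
    ("enterprise", "industrial", "tcp", 3389, "permit"),  # direct RDP from office to plant floor
    ("enterprise", "idmz", "tcp", 443, "permit"),
    (ANY, "industrial", "udp", 2222, "permit"),            # "any" source includes the enterprise
]

if __name__ == "__main__":
    for name, rules in (("GOOD_RULES", GOOD_RULES), ("BAD_RULES", BAD_RULES)):
        print(name, audit_idmz(rules) or "OK")
```

The audit flags rule 0 and rule 2 of BAD_RULES and the missing default deny; the same list evaluated with flow_allowed shows why the rule matters, since an office workstation would reach a plant-floor host on TCP 3389 without passing through the remote gateway.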
Industrial Networks Summary
• Open networks are in demand: broad availability of products, applications and vendor support for industrial automation; network standards for coexistence and interoperability of industrial automation devices
• Convergence of network technologies: reduce the number of disparate networks in an operation and create seamless information sharing throughout the plant-wide / site-wide architecture; use common network design, deployment and troubleshooting tools across the plant-wide / site-wide architecture, avoiding special tools for each application
• Better asset utilization to support lean initiatives: common network infrastructure assets, while accounting for environmental requirements; reduce training, support, and inventory for different networking technologies
• Future-ready – maximizing investments and minimizing risks: support new technologies and features without a network forklift upgrade
Reduce Risk – Simplify Design – Speed Deployment
www.industrialip.org – Standard Internet Protocol (IP) for Industrial Applications: a coalition of like-minded companies and a new ‘go-to’ resource for educational, technical and thought leadership information about industrial communications
Will your Physical Layer perform? Plantwide EtherNet/IP Ecosystem Design and Deployment (Panduit)
Panduit’s Distributor Partner
Vision: Unified Physical Infrastructure
• Office: Data Center Solution
• Building: Connected Buildings Solution
• Manufacturing: Industrial Automation Solution
Critical Manufacturing Assets are at Risk!
• Downtime
• Security lapses
• Performance degradation
Installation pitfalls
1. Proper cable installation is critical
2. No matter the hardware, shoddy cable installation will result in a poor network
3. This makes it impossible to manage, maintain and troubleshoot
Importance of the Physical Layer
“A significant portion of network downtime, approx. 80%, is attributed to Physical Layer Connections.” – Sage Research
Designing the Physical Layer for EtherNet/IP
What do Physical Layer Reference Architecture based best practices look like?
Physical Layer Design Considerations
• Design and implement a robust physical layer
• Environment classification – MICE
• More than cable
– Connectors
– Patch panels
– Cable management
– Grounding, bonding and shielding (noise mitigation)
• Standard physical media
– Wired vs. wireless
– Copper vs. fiber
– UTP vs. STP
– Singlemode vs. multimode
– SFP – LC vs. SC
• Standard topology choices
– Switch-level & device-level
Resources: Cable Selection (ENET-WP007); LAN Troubleshooting Guide; Industrial Ethernet Physical Infrastructure Reference Architecture Design Guide; ODVA Guide
Rockwell/Cisco Reference Architecture – logical view: Enterprise Zone (EZ); De-Militarized Zone (DMZ) with active/standby firewalls and a GE link for failover detection, Windows 2003 servers providing remote desktop connection, VNC and PCAnywhere; Manufacturing Zone with Layer 3 routers and Layer 3 switches, automation applications (historian, data distribution, asset security, engineering applications, databases) and network services (DNS, DHCP, syslog server, network & security management); Cell/Area Zones (redundant star, ring and bus/star topologies) with Layer 2 switches serving HMI, controller, drive and distributed I/O. The DMZ hosts shown are those of the 2014 slide; Windows Server 2003 left extended support in July 2015, so a current deployment would place the remote access and proxy roles on supported hosts.
Panduit physical view of the same architecture: IN-Room (DMZ and Manufacturing Zone equipment: firewalls FWA/FWB, Layer 3 routers L3R, Layer 3 switches L3S, PaS, DB), IN-Route, IN-Panel (HMI, controller, drive, distributed I/O behind Layer 2 switches L2S) and IN-Field.
Panduit Industrial Automation 5 Core Solutions
• IN-Room™ – control room, data center, telco closet
• IN-Panel™ – control panels, electrical panels and MCC
• IN-Field™ – on the machine, in the process area, or outdoors
• IN-Frastructure™ – power distribution, lighting, HVAC, security, safety
• IN-Route™ – industrial pathways, network zone enclosures
Physical Layer Design Considerations: simplify with validated building blocks – Micro Data Center, Zone Enclosures, Control Panel Solutions
Micro Data Center – IN-Room™ Solution
• Enterprise/Office: patch field used to uplink the switch to the Level 4 & 5 Enterprise
• Server patching: cross connect between production servers and switch
• Firewall and DMZ: logical buffer zone between the Enterprise and Manufacturing zones
• Manufacturing Zone: patch field used to connect the Layer 3 switch to the Layer 2 switches used on the plant floor
Physical Network Security (IN-Room™)
• Keyed solutions for copper and fiber
• USB Type A and B ports: lock-in and blockout products secure connections
Micro Data Center Simplification – Organize, Secure, and Standardize
Challenges: disorganized; network performance issues; frequent moves, adds & changes
Solutions: structured approach; media selection/security; visual identification
Before/after photos
Micro Data Center Solutions – Physical Layer Design Considerations (IN-Room™)
IN-Route™ – Getting from “Point A” to “Point B”: built-in failure points
Environmental Focus – M.I.C.E. (TIA/EIA-1005)
Environmental severity increases from office to industrial. Each of the four parameters is graded from 1 (office-like) to 3 (most severe):
• M – Mechanical: shock, vibration (M1, M2, M3)
• I – Ingress: water, dust (I1, I2, I3)
• C – Climatic/Chemical (C1, C2, C3)
• E – Electromagnetic (E1, E2, E3)
You can’t choose components without knowing the environment
IN-Route™ – Zone Cabling Methods
• Centralized cabling – home runs from each node back to the telecommunications room (TR)
• Zone cabling – zone enclosures (Z) between the TR and the nodes provide reduced home-run wiring, easy moves / adds / changes and a reduced size of telecommunications room
IN-Route™ – Pathways
• Overhead cable tray routing system
• Designed to route and manage copper, fiber optic, or power cables
IN-Route™ – Fiber Pathways
Dielectric Conduited Fiber Cable (DCF)
KEY BENEFIT: easier to install fiber cable (eliminates conduit & grounding) with rugged, crush resistant construction
SOLUTION COMPONENTS
1. 12 part numbers
• Fiber counts: 2, 4, 8, & 12
• Fiber types: OS1/OS2, OM1, OM2
2. Compatible with OptiCam connectors
IN-Route™ – Zone Enclosures – Pre-configured
Best way to structure the manufacturing network
• Leverages the Cisco/RA recommended architecture for best network performance
• Built for capability of rapid network expansion
• Touch-safe for facility IT access
• Significantly reduces lead time to deploy
Zone Enclosures – Optimized for Stratix (Physical Layer Design Considerations)
• Pre-configured, pre-tested for Stratix 8300, 8000 and 5700 switches
• Safe, secure, thermally tested
• Save time/cost/risk:
– IT/controls convergence point
– Machine builders
IN-Route™: Network Distribution Simplification – Robust, Secure, Future-Ready Network Distribution
Challenges: scalability issues; diagnostics & troubleshooting; evolving cable management
Solutions: zone enclosure; media selection & security; cable routing
Before/after photos
IN-Panel™ – Understanding the Problem
There are several market trends that are exerting pressure on the design and architecture of a control panel:
– Space optimization
– Terminations
– Network cabling
– Noise mitigation
– Safety/security
Ethernet in the Control Panel
• Additional requirements and solutions are required with the addition of Ethernet into the control panel.
Planning for networking in the panel
• What are common networking challenges in the panel?
– Overall concerns: diagnostics/troubleshooting, maintenance, future system upgrades
– Performance in a potentially high noise environment: zoned layouts (clean / noisy / very noisy), shielding
– Finding panel space for new components
Noise Mitigation Demo (IN-Panel™; slide marked Panduit Confidential Information – not for distribution)
Polymer Coated Fiber (PCF) Cable, LC Connector, Termination Tool Kit (IN-Panel™ / IN-Field™)
KEY BENEFITS: ease of field termination (crimp, cleave and leave), performance, noise immunity
SOLUTION COMPONENTS
1. Polymer Coated Fiber (PCF) cable (zip cord and break-out cables)
2. Field-attached LC connector for 50/200/230 µm & 62.5/200/230 µm PCF fiber
3. Field termination tool kit
Video: Terminating Fiber Using PCF Crimp-On Connectors (no voiceover)
Space Optimization Increases Design Flexibility (Physical Layer Design Considerations, IN-Panel™)
Panduit PanelMax™ offering:
• Maximizes panel space utilization
• Easier to design for future system upgrades
• Provides up to 30% space savings
– Corner wiring duct: utilizes space typically unusable in the enclosure corner
– DIN rail wiring duct: uses enclosure depth to save panel footprint space; improves component access
– Shielded wiring duct: mitigates EMI noise to reduce wire separation distance compared with conventional wiring duct
All of these products contribute to cost savings
Panduit Network Solutions for the Control Panel (Physical Layer Design Considerations, IN-Panel™)
• Optimized solutions for machine builder Stratix 5700 deployments
– DIN rail mount adapter: modular DIN rail mounting for copper or fiber connectivity
– Patch panel: facilitates testing, and future moves, adds and changes
– Fiber, Cat6 patch cords: performance guaranteed
IN-Panel: Optimized with Partners
• Leverage the power of EtherNet/IP and eco-system partners
– Panduit fiber, patching, noise mitigation, space optimization, grounding/bonding
– RA Stratix 5700 for machine builders
– RA 1585 patch cords
– Test with Fluke Networks
• EtherNet/IP connects to zone enclosures and the micro data center for convergence aligned with Cisco/RA CPwE
IN-Field™ Challenges (on machine or process areas)
• High MICE levels
– Vibration
– Chemical
– Temperature
– Wash down
• Wire management rated for the environment
• Food safety
IN-Field™ Solutions: Manage and Protect
• Harsh rated cable management and identification
• Abrasion protection
• Grounding/bonding
• Metal detectable wire management for the food industry
IN-Frastructure™: Challenges
• Facility grounding/bonding, power
• Costs of safety incidents
• Lockout/tagout implementation
IN-Frastructure™: Solutions
• Grounding/bonding components and solutions
• Safety labels and signage
• Lockout/tagout systems
Application Guides
• Network Security
• Control Panel Layout Whitepaper
• Best practices = reduced call backs, fewer problems, greater solution sales
Easy Building Block Approach: design your system using cost effective and easy to troubleshoot network architectures – Micro Data Center, Zone Enclosure, Control Panel Solutions
Panduit: Physical Infrastructure Reference Architecture – Industry Level Thought Leadership
• Enterprise functional design
• Environmental requirements (M.I.C.E.)
• Logical level shared architecture
• Physical level plant floor design
All wrapped up in a 450 page “How To” manual with contributions from Fluke and Rockwell Automation, on designing and installing the physical infrastructure for an Industrial Ethernet Network
Design/Spec Tools (Physical Layer Design Considerations): design micro data centers in Visio and paste the BOM into ProposalWorks
Plant Floor – “Macro Architecture” summary: example MICE ratings by area – 1-1-1-1, 3-2-3-3, 3-1-2-3, 1-1-1-3, 3-3-3-3, 2-1-3-2, 2-2-2-1
2/13/2014
Fiber Optic Application Best Practices for EtherNet/IP
Agenda
• Saving time/cost with fiber
• Fiber selection
• Physical infrastructure for fiber deployments
Industrial Networks Live in the Real World
• Industrial networks must take into consideration the physical challenges of the facility’s environment.
• Location, routing and equipment choices should be based on a complete understanding of cause and effect conditions.
• Environmental focus – M.I.C.E. (TIA-1005)
Diagram: plant Ethernet – controller, switch, sensor, drive, I/O
Fiber that fits both the environment and the application: fiber is now being used in all areas of an industrial network deployment
Converged Ethernet Manufacturing Network Model (diagram): corporate network – back-office mainframes and servers (ERP, MES, etc.), office applications, internetworking, data servers, storage; plant – supervisory control, human machine interface (HMI), controller, robotics, motors, drives, actuators, sensors and other input/output devices
Benefits of Fiber in an Industrial Space
• Fiber is immune to electromagnetic noise (EMI/RFI), since it carries no electrical signal
• Fiber can be used in high M.I.C.E. environments
• Fiber can be rated for indoor, outdoor and transition spaces
• Armored fiber (available in both metallic and all-dielectric) reduces the need for, and installation costs of, innerduct and conduits
• Smaller footprint of cables (one fiber cable vs. a bundle of copper (UTP))
• Reliability and speed of installation reduce the total cost of ownership
Key Elements of a Successful EtherNet/IP Network Design
• Understanding application and functional requirements
• Developing a logical framework (roadmap)
• Developing a physical framework
• Determining security requirements and partnering with IT
• Using technology and industry standards, reference models and reference architectures
Diagram: Cisco/Rockwell Automation Converged Plantwide Ethernet reference architecture – Enterprise Zone (Levels 4 and 5) with ERP, Email and Wide Area Network (WAN); Demilitarized Zone (DMZ) with a Cisco ASA 5500 active/standby plant firewall (Gbps link for failover detection) providing inter-zone traffic segmentation ACLs, IPS and IDS, VPN services, portal and terminal server proxy, plus patch management, remote gateway services, application mirror and AV server; Industrial Zone – Site Operations and Control (Level 3) with Catalyst 3750 StackWise switch stack, Catalyst 6500/4500, remote access server, FactoryTalk application servers (View, Historian, AssetCentre, Transaction Manager), FactoryTalk Services Platform (Directory, Security/Audit, Data Servers) and network services (DNS, DHCP, syslog server, network and security management); Cell/Area Zones (Levels 0–2) with Rockwell Automation Stratix 8000 Layer 2 access switches in redundant star (Flex Links resiliency), ring (Resilient Ethernet Protocol, REP) and bus/star topologies serving controllers, drives, HMI and I/O.
Fiber Selection
Selecting the right fiber requires:
• Knowing the application environment
• Knowing the distance requirements
• Knowing the equipment you are connecting to
Let’s take a sample application and go through it step-by-step.
Knowing the Capability of Your Equipment
The Equipment – The first step in choosing the right fiber is to look at the capability of your equipment.
• Look at the specifications of the equipment to determine the speed of the connections
• The fiber you choose should at least be able to handle the fastest mode of the existing system
The Stratix is a good switch to use as an example because it has both uplink ports and data ports running at different speeds.
• The uplink port speed is determined by the use of copper or fiber. If it’s fiber, the configuration of the SFP module determines the speed of the system.
• SFP stands for “Small Form-factor Pluggable” module
Understanding Your Expansion or Upgrade Path
The following is an example list of specifications for the fiber-optic SFP module connections. It is IMPORTANT that each port matches the wavelength specification of the port on the other end of the cable, and, for reliable communication, the cable must not exceed the rated maximum cable length.

SFP Module Type   Cat. No.        Wavelength (nm)  Fiber Type  Core/Cladding (µm)  Modal Bandwidth (MHz·km)(1)  Cable Distance
100BASE-FX        1783-SFP100FX   1310             MMF         50/125              500                          2 km (6562 ft)
                                                               62.5/125            500                          2 km (6562 ft)
100BASE-LX        1783-SFP100LX   1310             SMF         G.652               n/a                          10 km (32,810 ft)
1000BASE-SX       1783-SFP1GSX    850              MMF         62.5/125            160                          220 m (722 ft)
                                                               62.5/125            200                          275 m (902 ft)
                                                               50/125              400                          500 m (1640 ft)
                                                               50/125              500                          550 m (1804 ft)
1000BASE-LX/LH    1783-SFP1GLX    1310             SMF         G.652               n/a                          10 km (32,810 ft)
(1) Modal bandwidth applies only to multimode fiber. Information comes from the Stratix user manual.
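The two checks the slide calls out (matching module types at both ends, and staying inside the rated distance for the fiber’s modal bandwidth) are easy to get wrong when an uplink is re-used for a faster SFP. The following is an added example, not code from the slides or from Rockwell Automation: it encodes the table above and validates a proposed link. The catalog numbers and distances are the ones on this page; the link descriptions and the 9/125 label used for single-mode fiber are constructed for the example.

```python
"""Validate a planned fiber uplink against the Stratix SFP table on this page:
both ends must use the same module type (same standard, wavelength and fiber
type), the fiber must match the module, and the run must not exceed the rated
distance for the fiber's modal bandwidth. Added example, not vendor code."""

# Catalog number -> (standard, wavelength nm, fiber type, distance limits).
# Distance limits: {(core/cladding, minimum modal bandwidth MHz·km): metres}.
# Modal bandwidth is None for single-mode fiber (footnote 1 of the table).
SFP_MODULES = {
    "1783-SFP100FX": ("100BASE-FX", 1310, "MMF",
                      {("50/125", 500): 2000, ("62.5/125", 500): 2000}),
    "1783-SFP100LX": ("100BASE-LX", 1310, "SMF", {("9/125", None): 10000}),
    "1783-SFP1GSX": ("1000BASE-SX", 850, "MMF",
                     {("62.5/125", 160): 220, ("62.5/125", 200): 275,
                      ("50/125", 400): 500, ("50/125", 500): 550}),
    "1783-SFP1GLX": ("1000BASE-LX/LH", 1310, "SMF", {("9/125", None): 10000}),
}


def rated_distance(module, core, modal_bw):
    """Largest rated distance whose modal-bandwidth threshold the fiber meets.

    Returns None when the module is not rated for that core size, or when the
    fiber's modal bandwidth is below every listed threshold."""
    _, _, fiber_type, limits = SFP_MODULES[module]
    best = None
    for (size, min_bw), metres in limits.items():
        if size != core:
            continue
        if fiber_type == "SMF" or (modal_bw is not None and modal_bw >= min_bw):
            best = metres if best is None else max(best, metres)
    return best


def check_link(module_a, module_b, core, modal_bw, length_m):
    """Return a list of problems for the proposed link (empty list = acceptable)."""
    problems = []
    spec_a = SFP_MODULES[module_a][:3]
    spec_b = SFP_MODULES[module_b][:3]
    if spec_a != spec_b:
        problems.append("ends do not match: %s %d nm %s vs %s %d nm %s" % (spec_a + spec_b))
        return problems
    standard = spec_a[0]
    limit = rated_distance(module_a, core, modal_bw)
    if limit is None:
        problems.append("%s is not rated for %s µm fiber at %s MHz·km" % (standard, core, modal_bw))
        return problems
    if length_m > limit:
        problems.append("%d m exceeds the %d m rating for %s on %s µm fiber at %s MHz·km"
                        % (length_m, limit, standard, core, modal_bw))
    return problems


if __name__ == "__main__":
    # Constructed links: a gigabit SFP re-using an old OM1 run, and a matching OM2 run.
    print(check_link("1783-SFP1GSX", "1783-SFP1GSX", "62.5/125", 160, 300))
    print(check_link("1783-SFP1GSX", "1783-SFP1GSX", "50/125", 500, 500))
    print(check_link("1783-SFP100FX", "1783-SFP1GSX", "50/125", 500, 100))
```

The first constructed link is the upgrade trap the slide warns about: a 100BASE-FX uplink on 62.5/125 fiber ran happily at 300 m, but the same run cannot carry 1000BASE-SX, whose rating on 160 MHz·km fiber is 220 m.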
Answers Always Lead to More Questions
The Equipment – The result of our equipment investigation is that we learned:
• The max speed for the uplink is 1000BASE-T (1 Gb/s)
• The max speed for the data ports is 100BASE-TX (100 Mb/s)
• There are several choices for SFP modules that can support both single-mode and multimode fiber
The next question: “Is there an existing system of fiber, and what core size is being used?”
Core size? …yes, core size.
What Makes Up a Fiber Cable?
The Cable – There are two classes of fiber in use today:
• Single-mode – long distance fiber, more expensive technology
• Multimode – shorter distance, more cost effective for inside plant use
• To understand the differences between core sizes, and why they matter, you need to know what makes up a fiber cable.
How Big is the Fiber (relatively)? All sizes expressed in microns (µm); a fiber consists of core, cladding and buffer. The core size tells you the OMx grade of the fiber.
• Single-mode fiber: 9 µm core / 125 µm cladding
• Multimode fiber: 50 µm or 62.5 µm core / 125 µm cladding
• Polymer coated multimode fiber (PCF): 50 µm or 62.5 µm core / 200 µm cladding / 230 µm buffer
What Do the OM Ratings Mean?
If you see OM in the fiber grade it always means Multi-Mode. The US adopted a grading system invented by ISO, the International Standards Organization in Geneva, Switzerland: the “Optical Multimode” rating system.
• “OM 1” --- 62.5 micron (mostly legacy systems)
• “OM 2” --- 50 micron (plain vanilla variety)
• “OM 3” --- 50 micron (laser optimized to work with VCSELs)
• “OM 4” --- 50 micron (extended bandwidth – further refined to reduce pulse spreading and enable longer distances)
And just like with copper categories – a bigger number means better cable!
What Do the OS Ratings Mean?
• If you see OS in the fiber grade it always means Single-Mode.
• “OS 1” --- 9 micron (used with wavelengths of 1310 nm)
• “OS 2” --- 9 micron (used with wavelengths of 1550 nm)
Why does the core size make such a difference in fiber performance?
• OS (single-mode) vs. OM (multi-mode).
Think of it like the difference between a rifle shot and a shotgun blast.
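As an added example (not code from the seminar slides, Rockwell Automation or the Stratix manual), the following Python script turns the SFP specification table from the "Expansion or Upgrade Path" slide and the OM/OS grade-to-core-size mapping above into a link checker: given the module at each end, the installed fiber grade, its rated modal bandwidth and the cable length, it reports which of the constraints the table calls out (matching wavelength at both ends, a module rated for the fiber type and core size, and the rated maximum distance) a planned link violates. The catalog numbers and table values are transcribed from the slide; the `PlannedLink` inputs, the `GRADE_TO_FIBER` mapping and its single-mode core entry (9/125) are constructed assumptions.

```python
"""Link checker built from the SFP table and OM/OS grade slides (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SfpSpec:
    module_type: str
    cat_no: str
    wavelength_nm: int
    fiber_type: str                  # "MMF" (multimode) or "SMF" (single-mode)
    core_cladding: str               # core/cladding in microns; SMF rows carry the ITU fiber spec
    modal_bw_mhz_km: Optional[int]   # None for single-mode (modal bandwidth does not apply)
    max_distance_m: int


# Transcribed from the slide's table (2 km = 2000 m, 10 km = 10000 m).
SFP_TABLE = [
    SfpSpec("100BASE-FX", "1783-SFP100FX", 1310, "MMF", "50/125", 500, 2000),
    SfpSpec("100BASE-FX", "1783-SFP100FX", 1310, "MMF", "62.5/125", 500, 2000),
    SfpSpec("100BASE-LX", "1783-SFP100LX", 1310, "SMF", "G.652", None, 10000),
    SfpSpec("1000BASE-SX", "1783-SFP1GSX", 850, "MMF", "62.5/125", 160, 220),
    SfpSpec("1000BASE-SX", "1783-SFP1GSX", 850, "MMF", "62.5/125", 200, 275),
    SfpSpec("1000BASE-SX", "1783-SFP1GSX", 850, "MMF", "50/125", 400, 500),
    SfpSpec("1000BASE-SX", "1783-SFP1GSX", 850, "MMF", "50/125", 500, 550),
    SfpSpec("1000BASE-LX/LH", "1783-SFP1GLX", 1310, "SMF", "G.652", None, 10000),
]

# Grade -> (fiber type, core/cladding), from the OM/OS slides: OM1 is 62.5 micron,
# OM2-OM4 are 50 micron, OS1/OS2 are 9 micron single-mode (9/125 is an assumption).
GRADE_TO_FIBER = {
    "OM1": ("MMF", "62.5/125"),
    "OM2": ("MMF", "50/125"),
    "OM3": ("MMF", "50/125"),
    "OM4": ("MMF", "50/125"),
    "OS1": ("SMF", "9/125"),
    "OS2": ("SMF", "9/125"),
}


@dataclass(frozen=True)
class PlannedLink:
    near_sfp: str                    # catalog number of the module at one end
    far_sfp: str                     # catalog number of the module at the other end
    grade: str                       # installed fiber grade, e.g. "OM2"
    modal_bw_mhz_km: Optional[int]   # installed fiber's rated modal bandwidth (MMF only)
    length_m: int                    # installed cable length


def check_link(link: PlannedLink) -> List[str]:
    """Return the list of problems found; an empty list means the link meets the table."""
    problems: List[str] = []
    near = [s for s in SFP_TABLE if s.cat_no == link.near_sfp]
    far = [s for s in SFP_TABLE if s.cat_no == link.far_sfp]
    if not near or not far:
        return [f"unknown SFP catalog number: {link.near_sfp} / {link.far_sfp}"]
    # Rule 1 (from the slide): the ports at both ends must use the same wavelength.
    if near[0].wavelength_nm != far[0].wavelength_nm:
        problems.append(f"wavelength mismatch: {near[0].wavelength_nm} nm vs {far[0].wavelength_nm} nm")
    if link.grade not in GRADE_TO_FIBER:
        problems.append(f"unknown fiber grade {link.grade}")
        return problems
    fiber_type, core = GRADE_TO_FIBER[link.grade]
    # Rule 2: the module must be rated for the installed fiber type and, for multimode,
    # for its core size (single-mode rows are matched on fiber type only).
    rows = [s for s in near
            if s.fiber_type == fiber_type and (fiber_type == "SMF" or s.core_cladding == core)]
    if not rows:
        problems.append(f"{link.near_sfp} is not rated for {link.grade} ({fiber_type} {core}) fiber")
        return problems
    # Rule 3: the cable must not exceed the rated maximum distance. For multimode the
    # limit depends on which modal-bandwidth row the installed fiber actually meets.
    if fiber_type == "MMF":
        met = [s for s in rows
               if link.modal_bw_mhz_km is not None and link.modal_bw_mhz_km >= s.modal_bw_mhz_km]
        if not met:
            needed = min(s.modal_bw_mhz_km for s in rows)
            problems.append(f"modal bandwidth {link.modal_bw_mhz_km} MHz/km is below the "
                            f"{needed} MHz/km the table requires")
            return problems
        limit = max(s.max_distance_m for s in met)
    else:
        limit = rows[0].max_distance_m
    if link.length_m > limit:
        problems.append(f"length {link.length_m} m exceeds the rated maximum of {limit} m")
    return problems


# Constructed sample links (not from the slides).
SAMPLE_LINKS = {
    "gig-om2-400m": PlannedLink("1783-SFP1GSX", "1783-SFP1GSX", "OM2", 500, 400),
    "gig-om1-300m": PlannedLink("1783-SFP1GSX", "1783-SFP1GSX", "OM1", 160, 300),
    "mixed-sx-lx": PlannedLink("1783-SFP1GSX", "1783-SFP1GLX", "OS1", None, 500),
    "fe-os1-8km": PlannedLink("1783-SFP100LX", "1783-SFP100LX", "OS1", None, 8000),
}

if __name__ == "__main__":
    for name, link in SAMPLE_LINKS.items():
        print(name, "->", check_link(link) or ["ok"])
```

The OM1 case is the one worth staring at: the same 1000BASE-SX module reaches 275 m on 200 MHz/km 62.5-micron fiber but only 220 m on 160 MHz/km fiber, which is why the checker needs the installed fiber's modal bandwidth and not just its core size. Mixing an SX and an LX module at the two ends fails twice, once on wavelength and once because the SX module has no single-mode row.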
Example of Single-mode vs. Multi-mode
[Figure: a Fabry-Perot LASER driving single-mode fiber – more efficient – goes FURTHER; a cheap, slow LED driving multimode fiber – less efficient – doesn’t go as far]
Light Pulse Spreading (“Modal Dispersion”) – The Enemy of Throughput
• Some of the photons (light particles) go straight, some ricochet around the outside; the further they travel, the closer the leading edge of one pulse gets to the trailing edge of the one before it.
• Eventually you can’t tell one pulse from another.
[Figure: a cheap, slow LED launching pulses that spread as they travel]
The Further You Go, the Worse it Gets.
You can only go so far with a given grade of multimode fiber before light pulses begin to overlap.
[Figure: transmitter – “Hey, I sent a ‘1’”; receiver – “What?”]
How the OM/OS Ratings Equate to Distance
ANSI/TIA-568-C.0 (D.3) Optical fiber cabling supportable distances table.
• Table 7 lists maximum supportable distances and maximum channel attenuation for applications using optical fiber cabling.
• The table is based on the minimum performance requirements of 62.5/125 µm, 50/125 µm, 850 nm laser-optimized 50/125 µm, and single-mode fiber established by ANSI/TIA-568-C.3.
Remember the MICE Table?
Where you put the fiber, “The Environment”, determines the type of fiber you choose.
Applications for “Indoor” Fiber
• Indoor Opti-Core Fiber Distribution – used when you have sufficient protection for the fiber
• Indoor Opti-Core Interlocking Armor – used when the fiber has to protect itself
• Indoor Industrial-Net (PCF) Polymer Clad Fiber – **NEW** electrician friendly crimp-on connector for direct connect node to node
• Indoor Dielectric Conduited Fiber (DCF) – **NEW** all the benefits of an armored fiber without the metal; use in areas suspected of unequal potential grounds
Applications for “Indoor-Outdoor” Fiber
• Indoor/Outdoor Opti-Core All-Dielectric Fiber Cable – used to transition from indoor to outdoor in a protected area, tray or conduit.
• Indoor/Outdoor Opti-Core Gel-Free Fiber Interlocking Aluminum Armored Cable – used to transition from indoor to outdoor yet still protect the cable from harsh mechanical conditions.
Applications for “Outdoor” Fiber
• Opti-Core Gel-Free Fiber Optic Outside Plant All-Dielectric Cable – allows installation using loose tube cable methods for aerial and duct applications.
• Opti-Core Gel-Free Fiber Optic Outside Plant Armored Cable – allows installation using loose tube cable methods for aerial, duct and direct burial applications.
One Last Thought When Choosing a Fiber Type – Choosing the Connector
• Traditional Puck and Polish type connectors (5-7 min.)
• OptiCam factory polished connectors (2-3 min.)
• Industrial Strip & Crimp no-polish-required fiber connectors (approx. 1 min.)
Choosing the Connector
[Figure: OptiCam connector and PCF connector]
Agenda
Saving Time/Cost with Fiber
Fiber Selection
Physical Infrastructure for Fiber Deployments
Choosing the Right Fiber Type for the Application Can Save Big $$$ in Materials and Labour
Links from Field Switches to Control Rooms Should Support Higher Speeds and Greater Volume
Electrician Friendly Fiber Can Be Used to Install Long Distance Bus Systems
Fiber Optic Infrastructure Planning – Physical Layer Design Considerations
New joint application guide: increase the integrity and availability of EtherNet/IP networks with fiber solutions from trusted partners!
Covers: physical infrastructure; Integrated Architecture, Stratix switches, ETAPs and more; higher level switches.
Fiber Guide ENET-TD003
Easy to follow fiber best practices! – Physical Layer Design Considerations
• Partner validated application guide
Summary
Fiber Selection
Physical Infrastructure for Fiber Deployments
Saving Time/Cost with Fiber
Understanding the Environment and the Application
Knowing how to determine equipment and system requirements
Choosing the proper network design for application
Industrial and IT Network Convergence – Ethernet/IP Enables Convergence
Name – Mike Loughran; Title – Solution Architect; Date – 11th February 2014
Emerging Technologies in Operations – All the BUZZ…
The Internet of Things (IoT): intelligent devices start to communicate with each other
What does it all mean?
Big Data – Large amounts of information is available to manage the supply chain & complex processes
Cloud Computing & Virtualization – Speed up deployment of production, add flexibility, reduce capital investments & increase access across global operations; increase longevity, reliability & provide disaster recovery
Mobility & BYOD (Bring Your Own Device) – Improve maintainability, uptime, asset longevity, safety and cost control
Driven largely by Information Technology
Most of it is buried on the production floor in historians or other databases
Centers around Information Technology (IT) more than Operations/Production management
Technicians, Supervisors, Operators are all mobile during their typical work day
Why are Emerging Technologies so Important?
Automated adaptable processes & decisions
Empowers companies to grow faster, produce better products and serve customers more effectively
It connects a workforce, analyzes data and allows for continuous improvements
Companies can leverage technological advances as a competitive advantage and must constantly seek newer, faster and better technologies to improve their business
Early adopters typically acknowledge the risk that comes with new technology
Keeping abreast of new developments is an ongoing job with both risks and rewards
Industrial Network Convergence – Industrial Network Trends
EtherNet/IP – Enabling & Driving Multi-discipline Industrial Network Convergence
Process Control
Discrete Control
Intelligent Motor Control
Information Technology
The Value in Bringing the Information Together
Control Systems
HMIs
Production Scheduling
Alarms/Events
Other Database Systems
Computerized Maintenance Management Systems
Performance
Quality Systems
Data Historians
Laboratory Information Management Systems
You need a network technology that is STANDARD, PROVEN and MORE than a FIELDBUS!
You need robust Infrastructure Solutions to deliver the information fast, reliably and securely.
From Production to the Enterprise – Rockwell Automation & Cisco Alliance
Common Technology View – Single system architecture, using open, industry standard networking technologies – EtherNet/IP; delivering Converged Plantwide Ethernet (CPwE) architectures for manufacturing and industrial environments; best pathway to Operations/IT network convergence with detailed design and implementation guidance
Joint Product and Solution Collaboration – Creating an ideal networking environment for both IT and controls professionals
People and Process Optimization – Education and services to facilitate manufacturing and IT convergence
Rockwell Automation and Cisco present the most valuable resource in the industry for deploying a converged network infrastructure
Leadership in IT and Plant Operations
Risks and threats to networked systems
Security risks increase potential for disruption to system uptime and safe operation, and a loss of IP.
Business risk – INFORMATION and OPERATIONS:
• Unintended employee actions
• Theft
• Unauthorized actions by employees
• Unauthorized access
• Denial of Service
• Application of security patches
• Unauthorized remote access
• Natural or man-made disasters
• Sabotage
• Worms and viruses
A Vendor’s Perspective
• Control System lifecycles are long (20+ years)
• Products will have vulnerabilities
• Security is a team sport: Vendors & Customers, IT & Engineering – pick your teams (point: don’t go it alone)
• REMEMBER: Human beings are imperfect
• Control System safety & security are closely linked
• Control System security manages variables; managing the security variables enhances uptime
UPTIME = PROFITABILITY
Our Approach to Industrial Security
Layered Security Model – Shield potential targets behind multiple levels of protection to reduce security risks
Defense in Depth – Use multiple security countermeasures to protect integrity of components or systems
Openness – Consideration for participation of a variety of vendors in our security solutions
Flexibility – Able to accommodate a customer’s needs, including policies & procedures
Consistency – Solutions that align with Government directives and Standards Bodies
Layered Security Model
A secure application depends on multiple layers of protection. Industrial security must be implemented as a system.
[Figure: concentric layers of protection – Physical, Network, Computer, Application, Device]
Evolving Global Standards
• Building Blocks: ISA S99 and IEC 62443, NIST 800, NERC-CIP, ISO 27002, RFC 2196
• Asset Owners • Vendors • Industry Consortia
• Independent requirements & certifications: ISA Security Compliance Institute (ISCI), Exida.com LLC, Wurldtech (Achilles™ test platform), WIB / WIB 2.0
[Figure: certification levels – ISCI SAL 1 / SAL 2 / SAL 3; Wurldtech Achilles Bronze / Silver / Gold and L-1 / L-2 / L-3; WIB OD / VA / Confirm / Test]
Design for Security approach
Specifications; Audits & Gaps; Enhance & Improve; Resiliency & Robustness
Additional Material – Educational – Cisco and Rockwell Automation Alliance
Education Series Webcasts (available online at http://www.ab.com/networks/architectures.html):
• What every IT professional should know about Plant-Floor Networking
• What every Plant-Floor Engineer should know about working with IT
• Industrial Ethernet: Introduction to Resiliency
• Fundamentals of Secure Remote Access for Plant-Floor Applications and Data
• Securing Architectures and Applications for Network Convergence
• IT-Ready EtherNet/IP Solutions
Additional Material – Simplify Design – Rockwell Automation
Networks Website: http://www.ab.com/networks/
EtherNet/IP Toolkit: http://www.rockwellautomation.com/rockwellautomation/products-technologies/integrated-architecture/tools/overview.page#/tab4
Ethernet Tools
Additional Material – Simplify Design – Cisco and Rockwell Automation Alliance
Websites: http://www.ab.com/networks/architectures.html
Design Guides: Converged Plant-wide Ethernet (CPwE)
Application Guides: Fiber Optic Infrastructure Application Guide
Education Series: http://www.ab.com/networks/architectures.html
Whitepapers: Top 10 Recommendations for Plant-wide EtherNet/IP Deployments; Securing Manufacturing Computer and Controller Assets; Production Software within Manufacturing Reference Architectures; Achieving Secure Remote Access to Plant-Floor
Additional Material – Simplify Design – Collaboration
Plant-wide EtherNet/IP Ecosystem Partners Website
Fiber Optic Infrastructure Application Guide ENET-TD003
Additional Material – Simplify Design and Speed Deployment – Panduit Corp
Panduit Corp. Website: http://www.panduit.com/
Industrial Automation Solutions: Industrial Automation Product Systems Brochure; Industrial Communication Solutions – Interactive Roadmap
Additional Material – Speed Deployment – Fluke Networks
Fluke Networks Websites: www.flukenetworks.com, www.flukenetworks.com\industrial, www.flukenetworks.com\knowledgebase
Reduce design time – Procurement Specifications on-line: http://www.rockwellautomation.com/rockwellautomation/industries/procurement-specifications/overview.page?
Stratix Ethernet Switch Family
A family of high performance industrial Ethernet switches ideal for the end user and equipment builder
Stratix Portfolio Overview
• Security • Productivity • Safe Operations
• Remote Access • Time to Market • Protecting IP
Routers and switches for: enabling security to new or existing architectures; applications for simple to complex networks; monitoring and controlling distributed devices; plant floor and enterprise integration
Stratix 8000/8300 – Layer 2, Layer 3
Stratix 2000 – Unmanaged
Stratix 6000 – Layer 2
Stratix ETAPs
Stratix 5700 – Layer 2
Stratix 5100 – Wireless AP/WGB
Stratix 5900 – Security Appliance
The Stratix Family Overview
Overview – Family of industrial Ethernet switches that are:
• Optimized for configuration, monitoring, security and maintenance
• Modular and scalable
• Designed for simple to complex Ethernet applications
Key Benefits
• IT-ready and IT-friendly solutions
• Simplified integration of machine systems in infrastructure
• Integrated Architecture programming tools and features
• Secure remote access for improved productivity and OEE
Applications
• Connected or isolated machine and process control applications
• Plant floor and enterprise integration
• Distributed network devices that need to be monitored and controlled
Integrating your enterprise and manufacturing environments
Stratix 2000 Unmanaged Switches – Refresh & Product Line Expansion
Stratix 2000 Unmanaged Switches Overview
• Low cost solutions designed for isolated control networks
• Recommended for Micro 850 & Micro 820 applications
• Unmanaged switches are not recommended for safety or motion applications
• Simple “Plug & Play”: automatically negotiates speed and duplex settings (no configuration required); automatically detects cross-over cable
• Expanded operating temperature from -20ºC to 70ºC to meet a wider variety of application needs for most catalog numbers (exception: 1783-US5T & 1783-US8T range 0 to 60ºC)
Stratix 6000 Fixed Managed Switches
Stratix 6000™ Managed Switches
• Fixed port managed switch, 4 port or 8 port versions with optional fiber optic uplink (SFP)
• Control system integrated – CIP communications for: diagnostics (tags), configuration (RSLogix 5000), security
• DHCP persistence for automatic end device IP address assignment
• Unauthorized user identification
• Traffic level monitor with alarms
• FactoryTalk View faceplates
Integrated tightly into the Integrated Architecture
Stratix 5700 Industrial Managed Switches
The Stratix 5700 – Layer 2 Managed Switches with Cisco Technology
• Premiere integration to the Integrated Architecture: CIP interface, Studio 5000 AOP, ControlLogix tags, FactoryTalk View faceplates
• Built with Cisco technology (IOS): common feature set with Stratix 8x00; common IT development tools (CLI, CNA, DM, CiscoWorks)
• Simple to deploy & maintain: easy integration (default configurations, common Smartports, DHCP per port IP addressing); easy maintenance (Secure Digital card for configuration backup, diagnostics & network management tools)
• Compact & scalable: best of Rockwell Automation & Cisco in a compact size
Stratix 5700 Configurations – 3 base platforms offering 20 configurations
• 6, 10 & 20 port base units: 6 copper; 4 copper + 2 SFP slots; 8 copper + 2 combo*; 16 copper + 2 combo* + 2 SFP slots
• 2 Gig port option; SFP slots support multi & single mode fiber
• Wide variety of SFPs available; compatible with other Cisco SFPs
• Advanced feature set to address: EtherNet/IP applications, security, resiliency & redundancy
• Two software packages to choose from: Lite & Full versions
• Conformal coating option for harsh environments
• Ideal for simple to complex applications
*Combo ports can be either copper or SFP
Stratix 8000 / 8300 Industrial Managed Switches
Stratix 8000/8300 – Modular Design
• Base Module (6-port or 10-port): data ports 10/100 copper; dual purpose uplink ports 10/100/1000 copper or SFP
• Extension Module A (8-port copper): 8 extended data ports 10/100 copper
• Extension Module B (8-port fiber): 8 extended data ports 100 fixed fiber
• SFP fiber transceiver: 100M and 1G, multimode and singlemode
Stratix 8300 Layer 3 Managed Switch
Layer 3 routing capabilities – dynamic routing protocols such as RIP, EIGRP and OSPF
Stratix 5900 Industrial Services Router
The Stratix 5900 Security Appliance
• Premiere routing & security services: firewall, Virtual Private Network (VPN), Network Address Translation (NAT); 1GE WAN, 4 FE LAN, 1 serial port
• Built with Cisco technology (IOS): common features of Stratix switch; common IT development tools (CLI, CNA, DM, CiscoWorks, CCP)
• Ruggedized with extended temp, shock & vib; compact size with DIN rail mount
Best of Rockwell & Cisco in a compact size
Embedded Switch Technology
Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.PUBLIC INFORMATION 383838
Embedded Switch Technology Embedded Switch Technology enables LINEAR and RING topologies on EtherNet/IP Network traffic is managed to ensure timely delivery of critical data (QoS, IGMP
supported) Open standard (ODVA) allows 3rd party suppliers to develop compatible products
Linear
• Linear Ethernet segments greatly extend the length of the application
• No need to run cables from each device back to a centralized switch
Device-Level Ring (DLR)
• Single fault tolerant network provides resiliency
• Device level ring requires no additional hardware to implement
Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.PUBLIC INFORMATION 39(Confidential – For Internal Use Only) Copyright © 2009 Rockwell Automation, Inc. All rights reserved. 39Copyright © 2008 Rockwell Automation, Inc. All rights reserved. 39
1783-ETAP
• The 1783-ETAP is a standalone device that allows devices (that do not support the Embedded Switch Technology) to join a linear or a DLR network.
• Other product features:
  - Capable of being a Ring Supervisor in a Device Level Ring
  - Managed switch functions to help manage traffic on the network (e.g. IGMP and QoS)
  - Fiber versions available in the future for long distance applications
• Device Port – used for connecting a single-port Ethernet device
• Network Ports (2) – used for connecting to neighboring devices to form a linear or a ring network
DLR Enabled Products
1756-ENT2R, Point, Flex, ArmorPoint, ETAP, CompactLogix, 193-DNENCATR, 1747-AENTR, ArmorBlock, ArmorStart
Stratix 5100 Wireless Access Point
Stratix Wireless Access Points
Product
• Access Point / Work Group Bridge, Autonomous
• Leveraging the latest 802.11n WiFi technology: MIMO, Packet Aggregation & Spatial Multiplexing (higher performance)
• 2.4 GHz and 5 GHz radios (flexibility and segmentation)
• Support for VLAN, QoS and RADIUS (segmentation, priority handling and authorization)
• Backward compatible with 802.11a/b/g
• CIP enabled: Logix profile & tags for system diagnostics
Value
• Provides real-time performance for mission critical applications
• Eliminates wire & cabling, reducing installation costs
• Enables mobility and portability for people and devices
• Seamless integration within a Cisco wireless network
Typical Configurations
(Diagram: Enterprise Zone / Enterprise Network (ERP, Email, Wide Area Network (WAN)) connected through a Stratix 5900 Industrial Services Router and a Stratix 8300 Managed Layer 3 Switch to the Manufacturing Zone (FactoryTalk Applications and Services); Cell/Area Zones #1 to #4 built from Stratix 8000 Managed Layer 2 Switches in a ring topology, Stratix 6000 Managed Layer 2 Switches in a star topology, and ETAP / Embedded Layer 2 Switches in ring and linear topologies; wireless via Stratix 5100 802.11n dual-band access points, a Lightweight AP (LWAP), an AP as Workgroup Bridge (WGB) and a mobile user)
Stratix Family Quick Reference
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Invisible Cost to Visible Value
Rob Price, Head of Technical Strategy, Partner & Commercial, [email protected]
September 2013
“I cannot imagine a life without…” (% of 14–29 year olds; source: BITKOM – Bundesverband Informationswirtschaft, Telekommunikation und neue Medien e.V., 2010)
• A mobile phone: 97%
• The Internet: 84%
• A car: 64%
• My current partner: 43%

• The 2 photos on the right are of St Peter's Square during the announcement of the election of the last 2 Popes
• In just 8 years mobile devices have become ubiquitous. Everyone carries the internet in their pocket
• Will gather 14 Exabytes* of data per day
• Will store over 1 Petabyte per day
• Transmit, Store, Analyse
*1 Exabyte = 1,000,000,000,000,000,000 Bytes
It took until 2004 for internet traffic to pass 1 Exabyte per month
THE NETWORK
• MOBILITY: BYOD
• IMMERSIVE COLLABORATION: Pervasive Video
• CLOUD: XaaS | DC / V
Cross-cutting themes: GREEN, Energy Efficiency; IT PRODUCTIVITY, Service and Network Management; SECURITY, Accelerating Cyber-Threats
How You Worked Depended on This… Now It Depends on This… (FIXED vs MOBILE)
XaaS
Pop Quiz
Thank you.
Securing Controls Networks: Protecting against the bad dumb guys ;)
Steve Matthews ([email protected]), Consulting Systems Engineer, IoT Sales EMEAR, 11th Feb 2014
© 2014 Cisco and/or its affiliates. All rights reserved.
Source of Industrial Security Incidents (Source: BCIT, 2009)
• Via Corporate WAN and Business Network: 49%
• Internet Directly: 17%
• Trusted Third-Party Connection (includes infected laptops): 10%
• Dial-up Modem: 7%
• VPN Connection: 7%
• Telco Network: 7%
• Wireless System: 3%
Average Cost of Manufacturing Downtime = $210,000 per Hour (Source: Infonetics, 2005)
Industrial Security
How Big Are the Risks?
• Less than 2% of incidents are reported (concern for damage to corporate reputation and stock price)
• Risk = Threat Probability × Consequence
• Targets of choice are at higher financial risk than targets of opportunity
(Chart: incident cause – Accidental, Sabotage, Other, Hacker, Malware – split by financial impact below $100,000 and above $100,000. Source: Eric Byres, BCIT)
The Game Changer in 2010..
• NOT proliferated via the external network!
• Unique 4x 0-day exploits – undetected at the time
• Spread via USB & the print spooler
• Focussed ONLY on: Step 7, S7-400 PLC (the payload targeted the S7-315-2 and S7-417 CPUs) & 2 high-frequency drives
• Then ‘Duqu’ (related) – data mining/stealing
• Then ‘Flame’ (older)
• Stuxnet is now effectively ‘open source’!
A breakdown of Stuxnet: http://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html (Ralph Langner, German control systems security consultant)
F-Secure wrap-up on Stuxnet (YouTube video)
Common Areas of Vulnerability
• Fragile TCP/IP stacks – an NMAP scan or ping sweep can lock up a controller (test scanners against spare units or in a maintenance window, never against running production devices)
• Little or no device-level authentication
• Poor network design – daisy chains, hubs
• Windows-based IA servers – patching, legacy OS
• Unnecessary services running – FTP, HTTP
• Open environment: no port security, no physical security of switch and Ethernet ports
• Limited auditing and monitoring of access to IA devices
• Unauthorised use of HMI and IA systems for browsing, music/movie downloads
• Lack of IT expertise in IA networks, many blind spots
Defense in Depth.
Defense-in-Depth: Critical Elements to Security
• Security is basically two-pronged: Technical vs. Non-technical; a balanced security program must address both Technical (technology) and Non-Technical (procedures) elements
• Technical controls – firewalls, Group Policy Objects, Layer 3 ACLs, etc.
• Non-technical controls – rules for environments, such as policy and procedure, risk management
• Security is only as strong as the weakest link
• Vigilance and attention to detail are KEY to long-term security success
(Diagram: “one-size-fits-all”, Technical vs Non-Technical)
Defense-in-Depth: Multiple Layers to Protect the Network and Defend the Edge
• Physical Security – limit physical access to authorized personnel: areas, control panels, devices, cabling, and control room; escort and track visitors
• Network Hardening – infrastructure framework, e.g. firewalls with intrusion detection and intrusion prevention systems (IDS/IPS), and integrated protection of networking equipment such as switches and routers
• End-point Hardening – patch management, antivirus software as well as removal of unused applications, protocols, and services
• Application Security – authentication, authorization, and audit software
• Device Hardening – change management and restrictive access
(Diagram: Defense in Depth layers – Physical, Network, Computer, Application, Device)
Defense-in-Depth: Network Security
• Security is not a bolt-on component
• Comprehensive Network Security Model for Defense-in-Depth
• Industrial Security Policy
• DMZ Implementation
• Design Remote Partner Access Policy, with robust & secure implementation
Defence-in-Depth: Physical Security – Examples
• Keyed solutions for copper and fibre
• Lock-in and block-out products secure connections
Secure Network Architectures for Industrial Control Systems
Purdue Model (ISA-95)
• Level 5 – Enterprise Zone: Enterprise Network
• Level 4 – Enterprise Zone: Site Business Planning and Logistics Network
• Level 3½ – DMZ: Demilitarized Zone, Shared Access
• Level 3 – Manufacturing Zone / Process Control Domain (PCD): Site Manufacturing Operations and Control
• Level 2 – Cell/Area Zone / Process Control Network (PCN): Area Supervisory Control
• Level 1 – Cell/Area Zone: Basic Control
• Level 0 – Cell/Area Zone: Process
Converged Plant-wide Ethernet Architecture (diagram; labels recovered from the figure):
• Internet; Enterprise Network, Levels 4–5 (Web, Apps, DNS, FTP)
• Demilitarized Zone (DMZ) Firewalls: Cisco ASA 5500, Firewall (Active) and Firewall (Standby) with a Gbps link for failover detection; DMZ servers: Patch Management, Terminal Services, Application Mirrors, AV Servers
• Manufacturing Zone, Level 3 (Distribution and Core): Cisco Catalyst 6500/4500, Cisco Cat. 3750X StackWise switch stack, Network Services, SCADA Application and Services Servers; themes: Site Operations and Control, Multi-Service Networks, Network and Security Management, Routing, Application and Data share, Access Control, Threat Protection, Enterprise/IT Integration, Collaboration, Wireless, Application Optimization
• Cell/Area Zone, Levels 0–2 (Layer 2 Access): Cell/Area #1 (Redundant Star Topology), Cell/Area #2 (Ring Topology), Cell/Area #3 (Linear Topology), each with Controller, Drives, HMI and Distributed I/O behind IE3000/3010/2000 Layer 2 Access Switches; themes: Real-Time Control, Fast Convergence, Traffic Segmentation and Management, Ease of Use
Switch Security Features & Techniques
Defend the Industrial Edge: DMZ and Secure Remote Access Guiding Principles
• Firewalling and remote access at Levels 0–2 (L2 transparent mode) with industrial IPS/IDS
• Use IT-approved access and authentication: VPN for secure remote access; enterprise access and authentication servers (e.g. Active Directory, RADIUS, etc.)
• ICS protocols stay home (EtherNet/IP and other control traffic never crosses the DMZ)
• Control the application: remote access (terminal) server; application-level security
• No direct traffic through the firewall (every session terminates on a host in the DMZ)
• Only one path in and out of the industrial zone – the firewalls
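As an added illustration of the “no direct traffic” and “ICS protocols stay home” principles above (example code written for this page, not Cisco or Rockwell tooling), the following Python audit walks a zone-based firewall rule set and flags every permitted flow that bypasses the DMZ or would carry an ICS protocol across the industrial boundary. The zone names, the Rule layout and the sample rule set are constructed for the example; the port-to-protocol table lists the usual well-known assignments (EtherNet/IP TCP/UDP 44818 and UDP 2222, Modbus/TCP 502, DNP3 20000) and is this example's selection, not an exhaustive list.

```python
"""Audit a zone-based firewall policy against the DMZ guiding principles.

Constructed example: zone names, Rule fields and SAMPLE_RULES are assumptions
made for this page, not an export format of any real firewall.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OUTSIDE = {"internet", "enterprise"}        # Levels 4-5 and beyond
INDUSTRIAL = {"manufacturing", "cell"}      # Levels 0-3
# Well-known ICS ports; the selection is this example's assumption.
ICS_PORTS = {
    ("tcp", 44818): "EtherNet/IP explicit messaging (CIP)",
    ("udp", 44818): "EtherNet/IP encapsulation / list identity",
    ("udp", 2222): "EtherNet/IP implicit I/O (CIP class 1)",
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 20000): "DNP3",
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "permit" or "deny"
    src_zone: str
    dst_zone: str
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means any destination port


def audit_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule name, problem) pairs for every permit rule that breaks a principle."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        src_ind, dst_ind = r.src_zone in INDUSTRIAL, r.dst_zone in INDUSTRIAL
        # Principle: no direct traffic through the firewall. Every permitted flow
        # must start or end in the DMZ, so enterprise<->industrial is a bypass.
        if (r.src_zone in OUTSIDE and dst_ind) or (src_ind and r.dst_zone in OUTSIDE):
            findings.append((r.name, "direct path between enterprise side and industrial zone bypasses the DMZ"))
        # Principle: ICS protocols stay home. They may only flow industrial->industrial.
        key = (r.proto, r.dport)
        if key in ICS_PORTS and not (src_ind and dst_ind):
            findings.append((r.name, f"{ICS_PORTS[key]} permitted outside the industrial zones"))
        elif r.dport is None and src_ind != dst_ind:
            findings.append((r.name, "any-port rule across the industrial boundary would carry ICS protocols"))
    return findings


# Constructed sample policy: the first three rules follow the principles, the rest do not.
SAMPLE_RULES = [
    Rule("eng-to-dmz-rdp", "permit", "enterprise", "dmz", "tcp", 3389),       # RDP to the DMZ jump host
    Rule("dmz-jump-to-ews", "permit", "dmz", "manufacturing", "tcp", 3389),   # jump host to engineering workstation
    Rule("historian-mirror", "permit", "manufacturing", "dmz", "tcp", 1433),  # data pushed up to the DMZ mirror
    Rule("legacy-ews-direct", "permit", "enterprise", "manufacturing", "tcp", 3389),
    Rule("plc-poll-from-corp", "permit", "enterprise", "cell", "tcp", 44818),
    Rule("dmz-any-to-plant", "permit", "dmz", "manufacturing", "any", None),
    Rule("deny-all", "deny", "any", "any", "any", None),
]

if __name__ == "__main__":
    for name, problem in audit_rules(SAMPLE_RULES):
        print(f"{name}: {problem}")
```

Run stand-alone it prints four findings: the legacy enterprise-to-workstation RDP rule (bypasses the DMZ), the corporate PLC poll (bypasses the DMZ and lets EtherNet/IP leave the industrial zones), and the any-port DMZ-to-plant rule (an open door for CIP). Mapping each real rule back to its zones is the bulk of the work in practice; the check itself is deliberately simple so that it can be rerun on every policy change.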
(Diagram: Internet → Enterprise Zone, Levels 4 and 5 (Enterprise WAN, Enterprise Data Centre) → Demilitarized Zone (DMZ), labelled with IPsec VPN and SSL VPN → Manufacturing Zone, Level 3 Site Manufacturing Operations and Control → Cell/Area Zones, Levels 0–2)
Protect the Interior – switch config options
L2/3 network security features:
• Authentication – 802.1X authentication, WebAuth, MAB (MAC Authentication Bypass)
• CISF (Cisco Integrated Security Features): Port Security (limit MACs per port); IPv4 and IPv6 DHCP Snooping (block rogue DHCP servers); IP Source Guard (block spoofed source IPs); Dynamic ARP Inspection (block ARP spoofing)
• Access Control Lists
Traffic control – prevent DoS or accidental storms:
• Storm Control
  – small-frame violation-rate 100 (frames smaller than 67 bytes)
  – storm-control broadcast level pps 5k 4.5k
  – storm-control broadcast level 20 15 (percent of bandwidth)
  – storm-control multicast level pps 10k 9.5k
  – storm-control unicast level pps 5k 4.5k
  – storm-control action shutdown / trap
• Rate Limiting
  – rate-limit input <rate (bps)> <burst (bytes)>
  – rate-limit output <rate (bps)> <burst (bytes)>
End-point and Network (Switches) Hardening Procedures
• Use secure protocols on switches and devices (HTTPS, SCP, SNMPv3, SSH)
• Do not implement shared or “backdoor” accounts/passwords
• Enable password encryption (service password-encryption); note that the resulting type 7 encoding is reversible and only hides passwords from casual viewing, so use “enable secret” and “username … secret” for the accounts themselves
• Disable password recovery (no service password-recovery) – CAUTION: a lost password then requires wiping the configuration to regain access, so escrow the credentials first
• Disable small servers (echo, chargen, discard, daytime): no service tcp-small-servers; no service udp-small-servers; no ip finger
• Enable memory leak detection and threshold alarming
• Comprehensive information here: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
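To make the switch-hardening items and the interior CISF controls of the preceding slides checkable, here is an added Python lint (written for this page, not a Cisco or Rockwell tool) that parses a running-config and reports what is missing: the global service commands above, plain HTTP and SNMPv1/v2c management, Telnet on the vty lines, and, per access port, port security, storm control and a DHCP-snooping trust that should only ever appear on uplinks. The running-config embedded in the block is constructed for the example and the check list is this example's selection, not a complete hardening baseline.

```python
"""Lint a Cisco IOS running-config for the hardening items on the slides above.

SAMPLE_CONFIG is constructed for this example (no real device); REQUIRED_GLOBAL
is this example's selection of checks, not a complete baseline.
"""
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
hostname IES-CELL1
service password-encryption
no service tcp-small-servers
no service udp-small-servers
ip http server
snmp-server community public RO
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
interface GigabitEthernet1/1
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface FastEthernet1/1
 description PLC
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 storm-control broadcast level pps 5k 4.5k
 storm-control action trap
!
interface FastEthernet1/2
 description HMI
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping trust
!
line vty 0 4
 transport input telnet ssh
!
"""

REQUIRED_GLOBAL = {
    "service password-encryption": "enable password encryption",
    "no service password-recovery": "disable password recovery (escrow the password first)",
    "no service tcp-small-servers": "disable TCP small servers",
    "no service udp-small-servers": "disable UDP small servers",
    "no ip finger": "disable finger",
    "ip dhcp snooping": "enable DHCP snooping globally",
}


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into top-level commands and the indented
    'interface ...' / 'line ...' sections, keyed by their header line."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":          # section separator
            current = None
            continue
        if not line.startswith(" "):         # top-level command or section header
            current = None
            if line.startswith(("interface ", "line ")):
                current = line
                sections[current] = []
            else:
                global_lines.append(line)
        elif current is not None:            # indented line inside a section
            sections[current].append(line.strip())
    return global_lines, sections


def lint_config(text: str) -> List[Tuple[str, str]]:
    """Return (scope, finding) pairs; scope is 'global' or the section header."""
    global_lines, sections = parse_config(text)
    findings = []
    for cmd, why in REQUIRED_GLOBAL.items():
        if cmd not in global_lines:
            findings.append(("global", f"missing '{cmd}': {why}"))
    if "ip http server" in global_lines:
        findings.append(("global", "plain HTTP management enabled; use 'ip http secure-server' or 'no ip http server'"))
    if any(l.startswith("snmp-server community") for l in global_lines):
        findings.append(("global", "SNMPv1/v2c community configured; migrate to SNMPv3 with authPriv"))
    if not any(l.startswith("ip arp inspection vlan") for l in global_lines):
        findings.append(("global", "Dynamic ARP Inspection not enabled on any VLAN"))
    for header, lines in sections.items():
        if header.startswith("line vty"):
            if any(l.startswith("transport input") and "telnet" in l for l in lines):
                findings.append((header, "Telnet accepted on vty lines; use 'transport input ssh'"))
        elif "switchport mode access" in lines:   # CISF checks apply to edge ports only
            if not any(l.startswith("switchport port-security") for l in lines):
                findings.append((header, "access port without port-security"))
            if not any(l.startswith("storm-control") for l in lines):
                findings.append((header, "access port without storm-control"))
            if "ip dhcp snooping trust" in lines:
                findings.append((header, "access port is DHCP-snooping trusted; only uplinks should be trusted"))
    return findings


if __name__ == "__main__":
    for scope, finding in lint_config(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

Against the embedded config the PLC port passes cleanly while the HMI port produces three findings, and the trunk uplink is skipped on purpose: DHCP-snooping trust belongs on uplinks, so flagging it there would be noise. Feed the lint the output of “show running-config” from each cell/area switch and keep the list of findings under change control alongside the config itself.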
Cisco Security Logical Framework: Strong Segmentation (diagram, following the Purdue Reference Model ISA-95 and the Industrial Security Standard ISA-99)
• Level 5 – Enterprise Zone: Enterprise Network
• Level 4 – Enterprise Zone: Site Business Planning and Logistics Network (E-Mail, Intranet, etc.)
• DMZ (between two firewalls): Terminal Services, Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server; Web and E-Mail traffic stops here
• Level 3 – Process Control Domain, Site Manufacturing Operations and Control: FactoryTalk App Server, FactoryTalk Directory, Engineering Workstation, Domain Controller
• Level 2 – Process Control Network, Area Supervisory Control: FactoryTalk Client, Operator Interface, Engineering Workstation
• Level 1 – Basic Control: Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control (CIP)
• Level 0 – Process: Sensors, Drives, Actuators, Robots
Cisco/RA Applied Security – What goes where?
(Diagram mapping VPN, VDI, WSA, IPS, ASA-CX, ASA, ISE and the Stratix 5900 onto the Enterprise Zone, DMZ, PCD / Manufacturing Zone and PCN / Cell/Area Zone, Levels 5 to 0)
Cisco 819H ISR (Rockwell Stratix 5900) Feature Highlights
Security features:
• Stateful Inspection Firewall
• Zone-based Firewall
• Intrusion Prevention System (IPS)
• Dynamic Multipoint VPN (DMVPN)
• GETVPN
• IPsec
• Quality of Service (QoS)
• URL filtering
• High availability for TCP-based services (useful for services like Modbus/TCP)
Industrial characteristics:
• No fan
• Hardened
• Ingress protection
Cisco ASA 5500 Adaptive Security Appliances: Delivering Leading Threat Defense and VPN Services
Provides converged threat defense, flexible secure connectivity, minimized operation costs, and a unique adaptive design to combat future threats
• Market-Leading Content Security – integrates and extends the #1 deployed gateway content security technology to protect from viruses, spyware, spam, phishing, and employee-productivity-impacting websites
• Market-Leading IPS Services – integrates and extends the #1 deployed IPS and IDS technology from the Cisco IPS 4200 Series; provides comprehensive security from directed attacks and many other threats, including signatures for DNP3, Modbus, ICCP
• Market-Leading VPN Services – integrates and extends the #1 deployed remote access VPN technology from Cisco VPN 3000 Concentrators and Cisco PIX Security Appliances, offering both SSL and IPsec VPN services
• Market-Leading Firewall Services – integrates and extends the #1 deployed firewall technology from Cisco PIX Security Appliances; built upon the experience of over one million PIX deployed worldwide and 10+ years of innovation
• Market-Leading Secure Unified Communications – comprehensive access control, threat protection, network policies, service protection and voice/video confidentiality for real-time Unified Communications traffic
Identity Services Engine: ‘Context-Aware Security’
• I want to allow guests into the network
• I need to allow/deny iPads in my network (BYOD)
• I want to allow only authorized users access to my network
• I need a scalable way of authorizing users or devices in the network
• I need to ensure my endpoints don’t become a threat vector
• How can I set my firewall policies based on identity instead of IP addresses?
Cisco ISE services: Guest Lifecycle Management; Profiling Services; Posture Services; Authentication and Authorization; Security Group Access Management; Identity-based Firewall
Secure Remote Access
Employ Secure Remote Access Techniques: SSL Clientless VPN
• No VPN client needs to be installed on the remote client
• Access to the internal network through one point of entry
• Uses a standard web browser, platform independent: Internet Explorer, Firefox
• Can access web applications: HTTP, HTTPS, Common Internet File System (CIFS), File Transfer Protocol (FTP)
• Client-server plug-ins for Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), Secure Shell (SSH) access, Telnet and Citrix
• The VPN appliance gives a web-based look and feel for the application access (customizable) through a content rewrite process
Secure Remote Access – Clientless SSL VPN via ASA 55xx
• Remote engineer or partner establishes a VPN to the corporate network; access is restricted to the IP address of the plant DMZ firewall
• Portal on the plant firewall enables access to IACS data, files and applications; the intrusion protection system (IPS) on the plant firewall detects and protects against attacks from the remote host
• Firewall proxies a client session to the remote access server
• Access to applications on the remote access server is restricted to specified plant floor IACS resources through IACS application security
(Diagram: Internet / Remote Engineer or Partner (Cisco VPN Client, HTTPS) → Enterprise Edge Firewall → Enterprise Zone, Levels 4 and 5 (Enterprise WAN, Enterprise Data Center, Enterprise Connected Engineer, Catalyst 6500/4500) → Demilitarized Zone (DMZ): Cisco ASA 5500 Firewall (Active) and Firewall (Standby) with Gbps link failover detection; Patch Management, Terminal Services, Application Mirror, AV Server; Remote Access Server running RSLogix 5000 and FactoryTalk View Studio, reached over Remote Desktop Protocol (RDP); labelled IPsec VPN and SSL VPN → Manufacturing Zone, Level 3 Site Manufacturing Operations and Control: Catalyst 3750 StackWise Switch Stack; FactoryTalk Application Servers (View, Historian, AssetCentre, Transaction Manager); FactoryTalk Services Platform (Directory, Security/Audit); Data Servers → Cell/Area Zones over EtherNet/IP)
Q & A
21 Steps to Securing a SCADA Network (US Department of Energy, “21 Steps to Improve Cyber Security of SCADA Networks”)
1. Identify all connections to SCADA networks
2. Disconnect unnecessary connections to the SCADA network
3. Evaluate and strengthen the security of any remaining connections to the SCADA network
4. Harden SCADA networks by removing or disabling unnecessary services
5. Do not rely on proprietary protocols to protect your system
6. Implement the security features provided by device and system vendors
7. Establish strong controls over any medium that is used as a backdoor into the SCADA network
8. Implement internal and external intrusion detection systems and establish 24-hour-a-day incident monitoring
9. Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns
10. Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security
11. Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios
12. Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and users
13. Document network architecture and identify systems that serve critical functions or contain sensitive information that require additional levels of protection
14. Establish a rigorous, ongoing risk management process
15. Establish a network protection strategy based on the principle of defense-in-depth
16. Clearly identify cyber security requirements
17. Establish effective configuration management processes
18. Conduct routine self-assessments
19. Establish system backups and disaster recovery plans
20. Senior organizational leadership should establish expectations for cyber security performance and hold individuals accountable for their performance
21. Establish policies and conduct training to minimize the likelihood that organizational personnel will inadvertently disclose sensitive information regarding SCADA system design, operations, or security controls
Source: http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf