Plantwide benefits of EtherNet IP Seminar

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.

Industrial IoT in ActionPhil George – Solution Architect

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.

Ethernet

SQL

Cloud

BIG DATA EthernetEthernetVirtualization

MobilityMobilitySocial Media


PodcastChatroom

Inflection Point

“an event that changes the way we think and act” Andy Grove, Intel Co-founder

Infotainment

Sidebar

GeekLandline

Speed Dating

App

Buzzword

WidgetWebinar

Cyber grieving

ping

Blog

hashtagBFF

LOL

phishing

Flash drive

Tagging

firewall

JPG

Flat screen

informationalize TweetTweetGoogle

UnfriendUnfriend

Wiki

IMIMIMIM

CloudCloudCloudCloud


SECUREConnected Enterprise

Unprecedented Value

Disruptive Technologies

Faster Time-to-Market

Lower Total Cost of OwnershipImproved Asset Utilization

Enterprise Risk Management

INFL

ECTI

ON

Now!

$$$$

Cloud

Ethernet

Mobility

Big Data

Business Analytics

CloudCloud

EthernetEthernet


$$$$$Faster Time to Market

Improved Asset Utilization

Enterprise Risk Management

Lower Total Cost of Ownership

Enterprise Risk Enterprise Risk Management


Will exceed 7.6 billion

More than 70 million annually will cross into the middle class

Middle class adding $8 trillion to consumer spend

Global POPULATIONGlobal POPULATIONtrends (2020)

11

Source: McKinsey


EMERGING MARKET CONSUMERISM RESOURCE PRODUCTIVITY INVESTMENT

Increased Demand on Industrial Production

$1T

Source: McKinsey

150%More Energy150%

More Water30%30% 100%

More Vehicles100%

GLOBAL POPULATION TRENDS INCREASE DEMAND FOR

Manufacturing

80%More Steel

150%0%Resources

Infrastructure

12

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved. 13

Supply Chain

Optimized for Rapid Value CreationOptimized for Rapid Value Creation

Optimized for Rapid Value CreationOptimized for Rapid Value Creation Supply Chain Integration

Supply Chain IntegrationSupply Chain IntegrationSupply Chain IntegrationSupply Chain IntegrationSupply Chain IntegrationCollaborative, Demand Driven

Collaborative, Demand DrivenCompliant and Sustainable

Collaborative, Demand DrivenCollaborative, Demand DrivenCollaborative, Demand DrivenCollaborative, Demand DrivenCompliant and SustainableCompliant and Sustainable

Collaborative, Demand DrivenCollaborative, Demand DrivenCollaborative, Demand DrivenCollaborative, Demand DrivenCollaborative, Demand DrivenCollaborative, Demand DrivenCollaborative, Demand DrivenCollaborative, Demand Driven Compliant and SustainableCompliant and SustainableCompliant and SustainableCompliant and SustainableCompliant and Sustainable

AGILITY

PRODUCTIVITY

Enterprise

Supply Supply Distribution Distribution Distribution Distribution Center

Smart Grid

PRODUCTIVITYPRODUCTIVITYPRODUCTIVITYPRODUCTIVITYPRODUCTIVITYPRODUCTIVITYPRODUCTIVITYPRODUCTIVITYPRODUCTIVITY

Enterprise

Customers

ChainChainSupply Supply

Smart Grid

ChainChainSupply Supply

COMPANY CONFIDENTIAL

THE CONNECTED ENTERPRISE

SUSTAINABILITY


Customer Demand

Industrial Processes

Customer Demand

Supply Chain

INDUSTRIALInternet of Things

Raw data > Contextualized Data >

Business System

14

Customer Demand

Business System

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.Actuators Intelligent Motor Control Terminals Audio VideoSensors VideoVideo


Enterprise Infrastructure

Automation Infrastructure

One Common Environment

CONVENTIONAL: SEPARATE IT & AUTOMATION FUTURE: UNIFIED INFRASTRUCTURE

TRANSFORMATIONINTEGRATED CONTROL AND INFORMATION

16

ENABLER Common Secure Ethernet Infrastructure


2011 2012

# of ReCoats reduced due to real-time alerts

Oven temperatures accessed real-time

$302k/yr Eliminated by Contract Dispatch

Allows all to access EPA data

Visibility into loss of production faults lead to root cause identification

@ PAINT LABKENTUCKY FACILITYKENTUCKY FACILITY

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.Copyright ©Copyright © 2013 Rockwell 2013 Rockwell Automation, Inc. All Automation, Inc. All Rights ReservedRights Reserved.

Fundamentals of Ethernet/IP

Designing the Physical Layer

Industrial & IT Network Convergence

Ethernet/IP Product Selection

Securing Automation Networks

Plant-wide Benefits of Ethernet/IP

18

Agenda

www.rockwellautomation.com

Follow ROKAutomation on Facebook & Twitter.Connect with us on LinkedIn.


www.rockwellautomation.com/connectedenterprise

Fundamentals of EthernetIP OSI and CIP.pptx

Fundamentals of EthernetIP OSI and CIP.pptx

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

EtherNet/IP OverviewBenefits of EtherNet/IP Seminar Series

Copyright © 2013 Rockwell Automation, Inc. All rights reserved. 2

Industrial Networks NeedsLong Term Trends

Open network

Converged network technologies (information sharing, common design)

Better asset utilization - lean initiatives (training, support, and inventory)

Future ready – to maximize investments and minimize risks


Industrial Applications ConvergenceIndustrial Network Trends

3

InformationI/O

DriveControl

SafetyApplications

ProcessPower

Control

Multi-discipline Industrial Network Convergence

HighAvailability

EnergyManagement

Controller

Drive NetworkSafety NetworkI/O NetworkPlant/Site Network

Disparate Network Technology

Controller

Drive NetworkSafety NetworkI/O NetworkPlant/Site Network


Safety I/O

Single IndustrialNetwork TechnologyCamera

Controller

VFDDriveHMI

I/OPlant/Site

Instrumentation


EtherNet/IP is the global leader: 5M+ nodes sold, 300+ vendors, 1000s product linesEtherNet/IP is the global leader: 5M+ nodes sold, 300+ vendors, 1000s product lines

Control System Engineer Enable future-ready, high performance Use an established, widely accepted

network technology supported by leading industry vendors

IT Network Engineer Use standard Ethernet and TCP/IP Utilize common network

infrastructure assets & tools

System Integrator Enable seamless plant-wide /

site-wide information sharing Converge industrial and non-

industrial traffic

Equipment Builder Enable convergence-ready

solutions Use a single multi-discipline

control and information platform

EtherNet/IP - One Standard Industrial Network Technology For….

4


EtherNet/IP: “IP” - Industrial ProtocolSingle Industrial Network Technology

ODVA Supported by global industry leaders such as Cisco Systems®,

Omron®, Schneider Electric®, Bosch Rexroth AG®,Endress+Hauser and Rockwell Automation

Conformance & Performance Testing Standard

IEEE 802.3 - standard Ethernet, Precision Time Protocol (IEEE-1588) IETF - Internet Engineering Task Force, standard Internet Protocol (IP) ODVA - Common Industrial Protocol (CIP) IEC - International Electrotechnical Commission – IEC 61158

IT Friendly and Future-Ready (Sustainable) Multi-discipline control and information platform Established - products, applications and vendors

www.odva.org

http://www.odva.org/


OSI 7-Layer Reference ModelSingle Industrial Network Technology

6

Application

Presentation

Session

Transport

Network

Data Link

Physical

Layer 7

Layer 6

Layer 5

Layer 4

Layer 3

Layer 2

Layer 1

Network Services to User App

Encryption/Other processing

Manage Multiple Applications

Reliable End-to-End DeliveryError Correction

Packet Delivery, Routing

Framing of Data, Error Checking

Signal type to transmit bits,pin-outs, cable type

CIPIEC 61158

IETF TCP/UDP

IETF IP

IEEE802.3/802.1

TIA - 1005

Routers

Switches

Cabling

Layer Name Layer No. Function Examples

What makes EtherNet/IP industrial?

Physical LayerHardening

Infrastructure DeviceHardening

Common ApplicationLayer Protocol

5-Layer TCP/IP Model

CIPIEC 61158

Open Systems Interconnection


OSI Reference ModelProtocol Stack

7

Application

Presentation

Session

Transport

Network

Data Link

Physical

Layer 7

Layer 6

Layer 5

Layer 4

Layer 3

Layer 2

Layer 1 TIA - 1005

Layer NameLayer No. FunctionCIP

ApplicationLayers

Data TransportLayers

IETF TCP/UDP

IETF IP

IEEE802.3/802.1


OSI Reference ModelOpen Systems Interconnection

8

Application

Presentation

Session

Transport

Network

Layer 7

Layer 6

Layer 5

Layer 4

Layer 3

Vendor Specific

Vendor Specific

Layer NameLayer No. Function

Data Link

Physical

Layer 2

Layer 1

IEEE802.3/802.1

TIA - 1005

Limits Portability and Routability,may require additional assets

to forward information throughoutthe plant-wide / site-wide architecture


OSI Reference ModelOpen Systems Interconnection

9

Vendor Specific

Vendor Specific

Function

Vendor Specific

TIA - 1005

Non standard Ethernet,will require additional assets

to connect intothe plant-wide / site-wide architecture

Application

Presentation

Session

Transport

Network

Layer 7

Layer 6

Layer 5

Layer 4

Layer 3

Layer NameLayer No.

Data Link

Physical

Layer 2

Layer 1


OSI Reference ModelNetwork Independent

10

Layer 7

Layer 4

Layer 3

Layer 2

Layer 1

Layer No.

NetworkIndependent


Industrial Applications ConvergenceIndustrial Network Trends

11

Safety I/O

Single IndustrialNetwork TechnologyCamera

Controller VFD

DriveHMI

I/OPlant/Site

Instrumentation

Multiple Network Technologies Topology Limits Physical Segmentation Data Duplication

MultipleMultiple 1 Network Technologies Topology Limits Physical Segmentation Segmentation Options Data Duplication



The Alternative“Islands of Automation”

12


Micro Data Center Racks Patching Cable Management Copper/Fiber

Collaboration of PartnersNetwork Technology Convergence

13

Logical FrameworkPhysical Framework

Noise Mitigation Control Panel Network Zone

Catalyst 3750StackWise

Switch Stack

Gbps Linkfor Failover Detection

Firewall(Active)

Firewall(Standby)

MCC

Levels 0–2

HMI

Cell/Area Zone #1Redundant Star TopologyFlex Links Resiliency

Cell/Area Zone #3Bus/Star Topology

Cell/Area Zones

IndustrialDemilitarized Zone

(IDMZ)

Enterprise ZoneLevels 4 and 5

Rockwell AutomationStratix 8000

Layer 2 Access Switch

CiscoASA 5500

Industrial Zone Site Operations and Control

Level 3

Remote AccessServer

Catalyst6500/4500

Phone

Controller

Camera

Safety Controller

RobotSoft

Starter

Cell/Area Zone #2Ring TopologyResilient Ethernet Protocol (REP)

I/O

Plant Firewall: Inter-zone traffic segmentation ACLs, IPS and IDS VPN Services Portal and Terminal Server

proxy

Physical or Virtualized Servers• Patch Management• Remote Gateway Services• Application Mirror• AV Server

Physical or Virtualized Servers• FactoryTalk Application Servers & Services Platform• Network Services – e.g. DNS, AD, DHCP, AAA• Remote Access Server (RAS)• Call Manager• Storage Array

Wide Area Network (WAN)Physical or Virtualized Servers• ERP, Email, Call Manager• Active Directory (AD)• AAA – Radius

EnterpriseWAN

SafetyI/O

ServoDrive

InstrumentationI/O

Copper, Fiber, Wireless Testers

Network Discovery Protocol Statistics

Network Discovery Protocol Statistics

Common Toolsets


Enterprise Infrastructure

Automation Infrastructure

One Common

Environment

CONVENTIONAL: SEPARATE IT & AUTOMATION

FUTURE: UNIFIED INFRASTRUCTURE

TRANSFORMATIONINTEGRATED CONTROL AND INFORMATION

14

ENABLER Common Secure Ethernet Infrastructure


Industrial Networks Summary Open networks are in demand

Broad availability of products, applications and vendor support for Industrial Automation Network standards for coexistence and interoperability of industrial automation devices

Convergence of network technologies Reduce the number of disparate networks in an operation and create seamless

information sharing throughout the plant-wide / site-wide architecture Use of common network design, deployment and troubleshooting tools across the plant-

wide / site-wide architecture; avoid special tools for each application Better asset utilization to support lean initiatives

Common network infrastructure assets, while accounting for environmental requirements Reduce training, support, and inventory for different networking technologies

Future-ready – maximizing investments and minimizing risks Support new technologies and features without a network forklift upgrade

Reduce Risk Simplify Design Speed Deployment


A new ‘go-to’ resource for educational, technical and

thought leadership information about industrial communications

Standard Internet Protocol (IP) forIndustrial Applications

Coalition of like-minded companieswww.industrialip.org

http://www.industrialip.org/


Agenda Plant-wide Benefits of Ethernet/IP

17

Fundamentals of Ethernet/IP

Designing the Physical Layer

Industrial & IT Network Convergence

Ethernet/IP Product Selection

Securing Automation Networks


www.rockwellautomation.com

Follow ROKAutomation on Facebook & Twitter.Connect with us on LinkedIn.

EtherNet/IP OverviewBenefits of EtherNet/IP Seminar Series

Will your Physical Layer perform?

Plantwide EtherNet/IP Ecosystem Design and Deployment

Panduit’s Distributor Partner

Vision: Unified Physical Infrastructure

Office: Data Center Solution

Building: Connected Buildings Solution

Manufacturing:Industrial Automation Solution

Critical Manufacturing Assets are at Risk!

• Downtime

• Security lapses

• Performance degradation

3

Installation pitfalls

3. This makes it impossible to manage, maintain and troubleshoot

2. No matter the hardware, shoddy cable installation

will result in a poor network

1. Proper cable installation is critical

Importance of the Physical Layer

“A significant portion of network

downtime, approx. 80%, is attributed

to Physical Layer Connections.” Sage Research

Designing the Physical Layer for Ethernet/IP

What do Physical Layer Reference Architecture based best practices look like?

Physical Layer Design Considerations

• Design and implement arobust physical layer

• Environment Classification - MICE

• More than cable

– Connectors

– Patch panels

– Cable management

– Grounding, Bonding and Shielding(noise mitigation)

• Standard Physical Media

– Wired vs. Wireless

– Copper vs. Fiber

– UTP vs. STP

– Singlemode vs. Multimode

– SFP – LC vs. SC

• Standard Topology Choices

– Switch-Level & Device-Level

Cable SelectionENET-WP007

LAN Troubleshooting Guide

Industrial Ethernet Physical Infrastructure Reference Architecture Design Guide

ODVA Guide

7

http://www.flukenetworks.com/fnet/en-us/search/searchresult.htm?mode=ShowAll&query=frontline

http://www.panduit.com/Solutions/IndustrialAutomation/index.htm

http://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00148R0_EtherNetIP_Media_Planning_and_Installation_Manual.pdf

8

Rockwell/Cisco RARockwell/Cisco RA

Logical

De-Militarized Zone (DMZ)

Enterprise Zone (EZ)

De-Militarized Zone (DMZ)

Manufacturing Zone

Manufacturing Zone

Cell/Area Zone

FIREWALL(ACTIVE)

FIREWALL(STANDBY)(STANDBY

GE Link for Failover Detection

Windows 2003 Servers• Remote Desktop

Connection• VNC• PCAnywhere

LAYER 3 ROUTER

LAYER 3 ROUTER

LAYER 3 SWITCHLAYER 3

SWITCH

LAYER 3 SWITCH

ROUTER

Automation Apps• Historian• Data Distribution• Asset Security• Engineering Applications• Databases

Network Services• DNS, DHCP, Syslog Server• Network & Security Management

(Redundant Star Topology) (Ring Topology)

Cell/Area Zone

(Bus/Star Topology)

SWITCH

Network & Security ManagementSWITCHSWITCH

http://www.ab.com/drives/powerflex/images/PowerFlex4/Pflex4_0000.jpg


http://www.automationwestburnebc.com/ranews.htm


http://www.ioselect.com/ioSelect/Products - microPLCs.htm












Enterprise Zone

FIREWALL(ACTIVE)

FIREWALL(STANDBY)(STANDBY

(Ring Topology) (Bus/Star Topology)

LAYER 3 ROUTER

LAYER 3 ROUTER

LAYER 3 SWITCHLAYER 3

SWITCH

LAYER 3 SWITCH

ROUTER











Reference IN-SolutionIN-Frastructure

IN-Route

IN-Panel

HM

I

CTR

LR

DR

IVE

DIS

T i/

O

IN-Field

Enterprise Zone

FWA FWB

DMZ

IN-Room

L3R L3R

L3S L3SPaS

DB

Manufacturing Zone

Cell/Area Zones

Physical

L2S

L2S

L2S

L2S

Panduit Industrial Automation 5 Core Solutions

ININ-IN-ROOMROOMTM

Control Room, Data Center, Telco Closet

ININ-IN-PANELPANELTM

Control Panels, Electrical Panels and MCC

ININ-IN-FIELDFIELDTM

On the Machine, In the Process Area, or Outdoors

ININ-IN-FRASTRUCTUREFRASTRUCTURETM

Power Distribution, Lighting, HVAC Security, Safety

ININ-IN-ROUTEROUTETM

Industrial Pathways, Network Zone Enclosures

Simplify with validated building blocksPhysical Layer Design ConsiderationsLayer Design Considerations

Micro Data Center

Zone Enclosures

Control Panel Solutions

Micro Data Center – IN-Room Solution

Enterprise/OfficePatchfield used to uplink switch

to level 4 & 5 Enterprise

Server PatchingCross connect between production

servers and switch servers and switch

Firewall and DMZLogical buffer zone between theEnterprise and Manufacturing

Manufacturing ZonePatchfield used to connect layer 3 switch to layer 2 switches used on

plant floor

ININ-IN-ROOMROOMTM

Physical Network Security

• Keyed solutions for copper and fiber

• USB Type A, B Ports• Lock-in, Blockout products

secure connections

ININ-IN-ROOMROOMTM




Micro Data Center Simplification - Organize, Secure, and Standardize

Challenges: • Disorganized • Network performance issues• Frequent moves, adds & changes

Solutions: • Structured approach• Media selection/security • Visual identification

BEFORE AFTER

Micro Data Center SolutionsPhysical Layer Design Considerations

15ININ-IN-ROOMROOMTM

IN-Route - Getting from “Point A” to “Point B”

Built-In Failure Points


17Environmental Focus – M.I.C.E.

Office Industrial

Increased Environmental Severity

TIA/EIA 1005

Electromagnetic

Climatic

Chemical

C

Ingress• Water• Dust

Ingress

Mechanical• Shock• Vibration

echanical

Vibration

E1

C1

I1

M1

E2

C2

I2

M2

E3

C3

I3

M3

You can’t choose components without knowing the Environment

19IN-Route - Zone Cabling Methods

TR

Centralized Cabling – Home runs from each node back to the tele-communication room.

TR

Z

Z

Z

Z

Z

ZZ

Zone Cabling – Provides for Reduced home-run wiring, easy moves / adds / changes and reduced size of tele-communication room


Pathways

• Overhead cable tray routing system

• Designed to route and manage copper, fiber optic, or power cables


Fiber PathwaysININ-IN-ROUTEROUTETM

Dielectric Conduited Fiber Cable (DCF)22

KEY BENEFIT:

Easier to install fiber cable

(eliminates conduit & grounding) with rugged, crush resistant construction

SOLUTION COMPONENTS1. 12 part numbers.

• Fiber Counts: 2, 4, 8, & 12

• Fiber Types: OS1/OS2, OM1, OM2

2. Compatible with OptiCam connectors


Zone Enclosures – Pre-configured

Best way to structure manufacturing network

•Leverages Cisco/RA recommended architecture for best network performance

•Built for capability of rapid network expansion

•Touch-safe for Facility IT access

•Significantly reduces lead time to deploy

23ININ-IN-ROUTEROUTETM

Zone Enclosures – Optimized for StratixPhysical Layer Design Considerations

• Pre-configured, Pre-tested for Stratix 8300, 8000 and 5700 switches

• Safe, Secure, Thermally tested

• Save time/cost/risk:

– IT/controls convergence point

– Machine Builders


Robust, Secure, Future-Ready Network Distribution

Challenges: • Scalability issues• Diagnostics & troubleshooting• Evolving cable mgmt

Solutions: • Zone enclosure• Media selection & security• Cable routing

BEFORE AFTER

IN-Route: Network Distribution SimplificationPhysical Layer Design Considerations

25ININ-IN-ROUTEROUTETM

IN-Panel - Understanding the Problem

There are several market trends that are exerting pressure on the design and architecture of a Control Panel.

– Space Optimization

– Terminations

– Network Cabling

– Noise Mitigation

– Safety/Security


EtherNet in the Control Panel

• Additional requirements and solutions are required with the addition of EtherNet into the Control Panel.


Planning for networking in the panel

• What are common networking challenges in the panel?

– Overall concerns• Diagnostics/troubleshooting

• Maintenance

• Future system upgrades

– Performance in potentially high noise environment

• Zoned layouts

• Shielding

– Finding panel space for new components

Clean Noisy Very Noisy

N


Noise Mitigation DemoININ-IN-PANELPANELTM

Panduit Confidential Information - not for Distribution

Polymer Coated Fiber (PCF) Cable, LC Connector, Termination Tool Kit

KEY BENEFITS: Ease of field termination (CRIMP, CLEAVE AND LEAVE), Performance, Noise Immunity

SOLUTION COMPONENTS

1. Polymer Coated Fiber (PCF) cable (zip cord and break-out cables)

2. Field-attached LC connector for 50/200/230µm & 62.5/200/230µm PCF fiber

3. Field termination tool kit



Terminating Fiber Using PCF Crimp-On Connectors

No-Voiceover



• Maximizes panel space utilization• Easier to design for future system upgrades• Provide up to 30% space savings

Panduit PanelMax™ Offering:

Space Optimization Increases Design FlexibilityPhysical Layer Design Considerations

Corner Wiring Duct

Utilizes space typically unusable in

enclosure corner

DIN Rail Wiring DuctUses enclosure depth to save

panel footprint space ;improve component access

Shielded Wiring DuctMitigates EMI noise to reduce

wire separation distance

Shielded Wiring DuctConventionalWiring Duct

DesignFlexibility

All of these products contribute to cost savings


Panduit Network Solutions for the Control PanelPhysical Layer Design Considerations

• Optimized solutions for Machine Builder Stratix 5700 deployments

DIN Rail Mount AdapterModular DIN rail mounting for

Copper or Fiber connectivity

Patch PanelFacilitate testing, and future Moves, Adds and Changes

Fiber, Cat6 Patch CordsPerformance guaranteed

Insert product photo


http://www.panduit.com/Support/Search/index.htm?Nao=5&D=fiber patch cord&Ntx=mode matchallpartial&Dx=mode matchallpartial&Ntk=All&Nty=1&sid=1336405F4E11&Ne=1&Ntt=fiber patch cord&N=5000001+3005866&recName=F6E10A-10AM1

http://www.panduit.com/Support/Search/index.htm?Nao=5&D=fiber patch cord&Ntx=mode matchallpartial&Dx=mode matchallpartial&Ntk=All&Nty=1&sid=1336405F4E11&Ne=1&Ntt=fiber patch cord&N=5000001+3005866&recName=F6E10A-10AM1

IN-Panel: Optimized with PartnersPhysical Layer Design Considerations

• Leverage power of EtherNet/IP and eco-system partners

– Panduit Fiber, Patching, Noise Mitigation, Space Optimization, Grounding/Bonding

– RA Stratix 5700 for machine builder

– RA 1585 patch cords

– Test with Fluke Networks

• EtherNet/IP connects to Zone Enclosures and Micro Data Center for convergence aligned with Cisco/RA CPwE


IN-Field Challenges

• High MICE levels

– Vibration

– Chemical

– Temperature

– Wash down

• Wire management rated for environment

• Food safety

ON Machine or Process areas


IN-Field Solutions: Manage and Protect

• Harsh rated cable management

and identification

• Abrasion protection

• Grounding/Bonding

Metal detectable wire management for Food industry


IN-Frastructure: Challenges

• Facility Grounding/Bonding, Power

• Costs of safety incidences

• Lockout/Tagout implementation


http://www.google.com/imgres?imgurl=http://www.uwec.edu/jolhm/EH3/Group2/Pictures/lightning.jpg&imgrefurl=http://www.uwec.edu/jolhm/EH3/Group2/background.html&usg=__K8cJNdxJHdBXiVTtyKl2Qsqyb7o=&h=600&w=800&sz=69&hl=en&start=3&um=1&itbs=1&tbnid=Z7FUmpMkVF71UM:&tbnh=107&tbnw=143&prev=/images?q=lightning&um=1&hl=en&sa=G&tbs=isch:1

http://www.google.com/imgres?imgurl=http://www.uwec.edu/jolhm/EH3/Group2/Pictures/lightning.jpg&imgrefurl=http://www.uwec.edu/jolhm/EH3/Group2/background.html&usg=__K8cJNdxJHdBXiVTtyKl2Qsqyb7o=&h=600&w=800&sz=69&hl=en&start=3&um=1&itbs=1&tbnid=Z7FUmpMkVF71UM:&tbnh=107&tbnw=143&prev=/images?q=lightning&um=1&hl=en&sa=G&tbs=isch:1

http://ohshub.com/wp-content/uploads/2009/11/arc_flash.jpg

http://ohshub.com/wp-content/uploads/2009/11/arc_flash.jpg

IN-Frastructure: Solutions

• Grounding/Bonding components and solutions

• Safety labels and signage

• Lockout/Tagout systems


http://www.google.com/imgres?imgurl=http://www.premierautoworkers.com/images/warning-potential-arc-flash.jpg&imgrefurl=http://www.premierautoworkers.com/arc-flash.htm&usg=__0NeoeK7sweJFEQSnzxgQnm6gmL4=&h=344&w=462&sz=36&hl=en&start=2&itbs=1&tbnid=XC3oP6SecUxgwM:&tbnh=95&tbnw=128&prev=/images?q=arc+flash+safety&hl=en&sa=G&gbv=2&tbs=isch:1

http://www.google.com/imgres?imgurl=http://www.premierautoworkers.com/images/warning-potential-arc-flash.jpg&imgrefurl=http://www.premierautoworkers.com/arc-flash.htm&usg=__0NeoeK7sweJFEQSnzxgQnm6gmL4=&h=344&w=462&sz=36&hl=en&start=2&itbs=1&tbnid=XC3oP6SecUxgwM:&tbnh=95&tbnw=128&prev=/images?q=arc+flash+safety&hl=en&sa=G&gbv=2&tbs=isch:1

SM

Application Guides

Network SecurityNetwork SecurityNetwork SecurityNetwork Security

SM

Control Panel Layout Whitepaper

• Best practices = reduced call backs, problems..greater solution sales

SM

http://www.industrial-ip.org

41

http://www.industrial-ip.org/

SM

Design your system using cost effective and easy to

troubleshoot Network Architectures

Micro Data Center Zone Enclosure Control Panel SolutionsMicro Data Center Control Panel Solutions

Easy Building Block Approach

SM

43

Industry Level Thought Leadership

Enterprise Functional

Design

Environmental Requirements

(M.I.C.E.)

Logical Level Shared

Architecture

Physical Level Plant Floor

Design

All wrapped up in a 450 page, “How To” manual with contributions from Fluke and Rockwell Automation, on designing and installing the physical infrastructure for an Industrial Ethernet Network

Panduit: Physical Infrastructure Reference Architecture

SM

Design/Spec ToolsPhysical Layer Design Considerations

Design Micro Data Centers in Visio and paste BOM into Proposalworks!

SM

45Plant Floor - “Macro Architecture” summary

MICE 1-1-1-1

MICE 3-2-3-3

MICE 3-1-2-3

MICE 1-1-1-3

MICE 3-3-3-3

MICE 2-1-3-2

MICE 2-2-2-1

SM

2/13/2014

Fiber Optic Application Best Practices for EtherNet/IP

SM

Agenda

Saving Time/Cost with Fiber

Fiber Selection

Physical Infrastructure for Fiber Deployments

SM

• Industrial Networks Must take into consideration the physical challenges of the facilities environment.

• Location, routing and equipment choices should be based on the complete understanding of cause and effect conditions.

• Environmental Focus

– M.I.C.E. (TIA-1005)

Industrial Networks Live in the Real World

Sensor

Drive

I/O

Plant EthernetController

Switch

Ethernet

Plant EthernetController

SM

Fiber that Fits Both the Environment and the ApplicationFiber is now being used in all areas of an Industrial Network Deployment

SM

Converged EthernetManufacturing Network Model

Corporate Network

Sensors and otherInput/Output Devices

Motors, DrivesActuators

SupervisoryControl

Robotics

Back-Office Mainframes andServers (ERP, MES, etc.)

OfficeApplications,Internetworking,Data Servers,Storage

Human MachineInterface (HMI)

Controller

• Fiber is completely noise immune

• Fiber can be used in high M.I.C.E. environments

• Fiber can be rated for indoor, outdoor and transition spaces

• Armored Fiber (available in both metallic and all-dielectric) reduces the need for, and installations costs of, innerduct and conduits

• Smaller footprint of cables (one fiber cable vs. bundle copper (UTP))

• Reliability and speed of installation reduces the total cost of ownership

Benefits of Fiber in an Industrial Space

SM

Key Elements of a Successful EtherNet/IP Network Design

• Understanding application and functional requirements

• Developing a logical framework (roadmap)

• Developing a physical framework

• Determining security requirements and partnering with IT

• Using technology and industry standards, reference models and reference architectures

Catalyst 3750StackWise

Switch Stack

FactoryTalk Application Servers View Historian AssetCentre, Transaction ManagerFactoryTalk Services Platform Directory Security/AuditData Servers

Gbps Linkfor Failover Detection

Firewall(Active)

Firewall(Standby)

I/O

Levels 0–2

HMI

Cell/Area Zone #1Redundant Star TopologyFlex Links Resiliency

Cell/Area Zone #3Bus/Star Topology

Cell/Area Zones

Demilitarized Zone (DMZ)

Enterprise ZoneLevels 4 and 5

I/O

Rockwell AutomationStratix 8000

Layer 2 Access Switch

CiscoASA 5500

Industrial Zone Site Operations and Control

Level 3

Remote AccessServer

Catalyst6500/4500

ERP, Email,Wide Area Network (WAN)

Network Services DNS, DHCP, syslog server Network and security mgmt

Drive

Controller

HMII/O

Controller

Drive

Controller

Drive

HMI

Cell/Area Zone #2Ring TopologyResilient Ethernet Protocol (REP)

I/OI/O

Patch ManagementRemote Gateway ServicesApplication MirrorAV Server Plant Firewall:

Inter-zone traffic segmentation ACLs, IPS and IDS VPN Services Portal and Terminal Server proxy

SM

Agenda


Fiber Selection


SM

Selecting the Right Fiber Requires

Knowing the Application Environment.Knowing the Application Environment.Environment.

…

…

…

Knowing the Distance Requirements.

Knowing the Equipment you are connecting to.

SM

Let’s take a sample application and go thru it step-by-step.

Knowing the Capability of Your Equipment

The Equipment – The first step in choosing the right fiber is to look at the capability of your equipment.

• Look at the specifications of the equipment to determine the speed of the connections

• The Fiber you choose should at least be able to handle the fastest mode of the existing system

SM

SFP Stands for “Small Form Pluggable”

Module


The Stratix is a good switch to use as an example because it has both Uplink ports andData ports running at different speeds.

• The uplink port speed is determined by the use of copper or fiber. If it’s fiber the configuration of the “SFP” module determines the speed of the system.

SM


The Stratix is a good switch to use as an example because it has both Uplink ports andData ports running at different speeds.


Module

SFP Stands for “Small SFP Stands for “Small Form Pluggable” Form Pluggable”

ModuleModule


Module

SM

Understanding Your Expansion or Upgrade Path

The following is an example list of specifications for the fiber-optic SFP module connections. It’s IMPORTANT that each port must match the wave-length specifications on the other end of the cable, and for reliable communication, the cable must not exceed the rated maximum cable length.

SFP ModuleType

Cat. No. Wavelength(nm)

Fiber Type Core Size/CladdingSize (micron)

ModalBandwidth(MHz/km)(1)

Cable Distance

100BASE-FX 1783-SFP100FX

1310 MMF 50/12562.5/125

500500

2 km (6562 ft)2 km (6562 ft)

100BASE-LX 1783-SFP100LX

1310 SMF G.6522 10 km (32,810 ft)

1000BASE-SX 1783-SFP1GSX

850 MMF 62.5/12562.5/12550/12550/125

160200400500

220 m (722 ft)275 m (902 ft))500 m (1640 ft)550 m (1804 ft)

1000BASE-LX/LH

1783-SFP1GLX

1310 SMF G.6522 10 km (32,810 ft)

(1) Modal bandwidth applies only to multimode fiber. * Information comes from Stratix Users Manual

SM

Answers Always Lead to More Questions

The Equipment – The result of our equipment investigation is that we learned:

• The max speed for the uplink is 1GBase-T

• The max speed for the data port is 100Base-T

• There are several choices for SFP modulesthat can support both Single and Multimode.

“Is there an existing system of fiber, and what core size is being used?”

The next question:

Core size? ….yes, Core size?

SM

What Makes Up a Fiber Cable?

The Cable – There are two classes of Fiber in use today:• Single Mode – Long Distance Fiber, more expensive technology

• Multi Mode – Shorter Distance, more cost effective for inside plant use.

• To understand the differences between core sizes, and why they matter, you need to know what makes up a fiber cable.

SM

How Big is the Fiber, (relatively)?

9230µm

All sizes expressed In Microns

5062.5

125µm

200µm

Cladding

Core

Buffer

Core size will tell you the OMx of

the Fiber

SM

Single Mode Fiber


9µm

125µm

SM

Multi-Mode Fiber (50 and 62.5 micron)

5062.5

125


SM

Polymer Coated Multi-mode Fiber (PCF)


23050

62.5 200

SM

What Do the OM Ratings Mean?

If you see OM in the Fiber grade it always means Multi-Mode. – The US Adopted a Grading System Invented By ISO, The International Standards

Organization in Geneva, Switzerland. The “Optical Multimode” Rating System

• “OM 1” --- 62.5 Micron (Mostly legacy systems)

• “OM 2” --- 50 Micron (plain vanilla variety)

• “OM 3” --- 50 Micron (Laser optimized to work with VCELS)

• “OM 4” --- 50 micron (Extended Bandwidth – Further refined to reduce pulse spreading and enable longer distances)

And just like with Copper Categories –A bigger number means better cable!

SM

What Do the OS Ratings Mean?

• If you see OS in the Fiber grade it always means Single-Mode.

• “OS 1” --- 9 Micron (Used with wavelengths of 1310 nm)

• “OS 2” --- 9 Micron (Used with wavelengths of 1550 nm)

Why does the core size make such a difference in Fiber performance?

• OS (single-mode) vs. OM (multi-mode).

Think of it like the difference between a rifle shot and a shotgun blast.

SM

A Fabry-Perot LASER

A Cheap, Slow LED

Singlemode – more efficient – goes FURTHER

Multimode – less efficient – doesn’t go as far

Example of Single-mode vs. Multi-mode

SM

• Some of the photons (light particles) go straight, some ricochet around the outside, the further they travel the closer the leading edge from one pulse gets to the trailing edge of the one before it.

• Eventually you can’t tell one pulse from another.

A Cheap Slow LED

Light Pulse Spreading (“Modal Dispersion”)The Enemy of Throughput

SM

What?

You can only go so far with a given grade of multimode fiber before light pulses begin to overlap

The Further You Go, the Worse it Gets.

Hey, I sent a

“1”

SM

ANSI/TIA-568-C.0 (D.3) Optical fiber cabling supportable distances table.

• Table 7 - lists maximum supportable distances and maximum channel attenuation for applications using optical fiber cabling

• The table is based on the minimum performance requirements of 62.5/125 µm, 50/125 µm, 850 nm laser-optimized 50/125 µm, and single-mode fiber established by ANSI/TIA-568-C.3

How the OM/OS Ratings Equate to Distance

SM

Remember the MICE Table?

Where you put the fiber, “The Environment”, determines the type of fiber you choose.

SM

• Indoor Opti-Core Fiber Distribution

• Indoor Opti-Core Interlocking Armor

• Indoor Industrial-Net (PCF) Polymer Clad Fiber

• Indoor Dielectric Conduited Fiber (DCF)

Applications for “Indoor” Fiber

Used when you have sufficient

protection for the fiber

Used when the fiber has to

protect itself

**NEW** Electrician Friendly crimp on connector for direct connect

node to node

**NEW** All the benefits of an armored fiber

without the metal. Use in area suspected of unequal

potential grounds

SM

Applications for “Indoor-Outdoor” Fiber

• Indoor/Outdoor Opti-Core All-Dielectric Fiber Cable

• Indoor/Outdoor Opti-Core Gel-Free Fiber Interlocking Aluminum Armored Cable

Used to transition from indoor to

outdoor in a protected area, tray

or conduit.

Used to transition from indoor to outdoor yet still

protect the cable from harsh mechanical

conditions

SM

Applications for “Outdoor” Fiber

• Opti-Core Gel-Free Fiber Optic Outside Plant All-Dielectric Cable

• Opti-Core Gel-Free Fiber Optic Outside Plant Armored Cable

Allows installation using loose tube

cable methods for aerial and duct

applications

Allows installation using loose tube cable methods for aerial, duct and direct

burial applications

SM

One Last Thought When Choosing a Fiber Type – Choosing the Connector

Traditional Puck and Polish type Connectors (5-7min.)

Traditional Puck and

OptiCam Factory Polished Connectors

(2 - 3min.)

Industrial Strip & Crimp no-Polish Required Fiber

Connectors(aprox 1 min.)

SM

Choosing the ConnectorChoosing the Connector

OptiCam Connector

PCF Connector

SM

Agenda


Fiber Selection


SM

Choosing the Right Fiber Type For the Application Can Save Big $$$ in Materials and Labour

SM

Links From Field Switches to Control Rooms Should Support Higher Speeds and Greater Volume

SM

Electrician Friendly Fiber Can be Used to Install Long Distance Bus Systems

SM

Fiber Optic Infrastructure PlanningPhysical Layer Design Considerations

81 81

New joint application guide

Increase the integrity and availability of EtherNet/IP networks with fiber solutions from trusted partners!

Physical infrastructure

Integrated Architecture, Stratix Switches, ETAPs, more

Higher level switches

Fiber GuideENET-TD003

http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td003_-en-e.pdf



SM

Easy to follow Fiber best practices!Physical Layer Design Considerations

• Partner validated application guide

82

SM

Summary

Fiber Selection



Understanding the Environment and the Application

Knowing how to determine equipment and system requirements

Choosing the proper network design for application


Industrial and IT Network ConvergenceEthernet/IP Enables Convergence

Name – Mike LoughranTitle – Solution ArchitectDate – 11th February 2014

Copyright © 2012 Rockwell Automation, Inc. All rights reserved.COMPANY CONFIDENTIAL - Internal Use Only

Emerging Technologies in OperationsAll the BUZZ…

The Internet The Internet of Things of Things (IoT)Only

The Internet Intelligent devices start

Copyright © Automation, Inc. All rights reserved.

The Internet of Things of Things of Things (IoT)(IoT)The Internet The Internet Intelligent devices start Intelligent devices start to communicate with each

Automation, Inc. All rights reserved.Automation, Inc. All rights reserved.to communicate with each other


What does it all mean?

3

Big Data Large amounts of information is available to

manage the supply chain & complex processes

Cloud Computing & Virtualization Speed up deployment of production, add flexibility,

reduce capital investments & increase access across global operations

Increase longevity, reliability & provide disaster recovery

Mobility & BYOD (Bring Your Own Device) Improve maintainability, uptime, asset longevity,

safety and cost control

Automation, Inc. All rights reserved.COMPANY CONFIDENTIAL 3COMPANY CONFIDENTIAL - Internal Use OnlyInternal Use OnlyDriven Largely by Information

Copyright © 2012 Rockwell Automation, Inc. All rights reserved.Copyright © Driven Largely by Information Driven Largely by Information Technology

Most Most of it is buried on the Most of it is buried on the of it is buried on the production floor

of it is buried on the production floor production floor in production floor historians or production floor in production floor production floor historians or historians or other historians or historians or other other

databases

Centers around Centers around Information Centers around Technology Centers around Information Information Centers around Centers around Technology Technology (IT) more than Technology Technology (IT) more than (IT) more than

Operations/Production Operations/Production management

Technicians, Supervisors, Technicians, Supervisors, Operators are

Technicians, Supervisors, Technicians, Supervisors, Operators are Operators are all mobile Operators are Operators are all mobile all mobile

during their typical work all mobile all mobile

during their typical work during their typical work day


Why are Emerging Technologies soImportant?

4

Important?

Automation, Inc. All rights reserved.COMPANY CONFIDENTIAL 4COMPANY CONFIDENTIAL - Internal Use Only

Automated adaptable Copyright © 2012 Rockwell Automation, Inc. All rights reserved.

Automated adaptable processes & decisions


Why are Emerging Technologies so Important?

Empowers companies to grow faster, produce better products and serve customers more effectively

It connects a workforce, analyzes data and allows for continuous improvements

Companies can leverage technological advances as a competitive advantage and must constantly seek newer, faster and better technologies to improve their business

5

Early-adopters typically acknowledge the risk that comes with new technology

Copyright © 2012 Rockwell Automation, Inc. All rights reserved. 5COMPANY CONFIDENTIAL - Internal Use Only

Early adopters typically acknowledge the risk that comes with new technologyEarly adopters typically acknowledge the risk that comes with new technology

Keeping abreast of new developments is an ongoing job with Keeping abreast of new developments is an ongoing job with both risks

Copyright ©

Keeping abreast of new developments is an ongoing job with Keeping abreast of new developments is an ongoing job with both risks both risks and rewards


Industrial Network ConvergenceIndustrial Network Trends

6Automation, Inc. All rights reserved.COMPANY CONFIDENTIAL 6

EtherNet/IP EtherNet/IP –– Enabling & Driving COMPANY CONFIDENTIAL - Internal Use

MultiInternal Use

Multi-Copyright © 2012 Rockwell Automation, Inc. All rights reserved.

EtherNet/IP EtherNet/IP Enabling & Driving Enabling & Driving OnlyInternal Use Only

Multi-Multi-Multi discipline Industrial Network Convergence

Process Control

Discrete Control

Information TechnologyProcess ControlProcess Control

Discrete ControlDiscrete ControlIntelligent Motor Control


The Value in Bringing the Information Together

7

Control Systems

HMIs

Production Scheduling Alarms/Events

Other Database Systems

Computerized Maintenance Management Systems

Performance

Quality Systems

Data Historians

Laboratory Information

ManagementSystems

Quality Systems

You need a network technology that is STANDARD, PROVEN and MORE than an FIELDBUS!

ManagementManagement Systems

Automation, Inc. All rights reserved. 7COMPANY CONFIDENTIAL - Internal Use Internal Use Automation, Inc. All rights reserved.Automation, Inc. All rights reserved.

ManagementManagement SystemsManagementManagement SystemsOther Database SystemsDatabase Systems

ManagementManagement

You need a network technology that is SystemsManagement Systems

STANDARDSTANDARD, You need a network technology that is STANDARDSTANDARDDatabase SystemsDatabase Systems

You need a network technology that is You need a network technology that is Database Systems

You need a network technology that is Database SystemsDatabase Systems

You need a network technology that is Database Systems

You need a network technology that is STANDARDSTANDARDSTANDARD, You need a network technology that is STANDARDSTANDARDYou need robust Infrastructure Solutions to deliver the Internal Use Only

PROVENPROVENPROVEN and and You need a network technology that is

PROVENYou need a network technology that is You need a network technology that is You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is

PROVENPROVENPROVENPROVEN and and and and PROVENPROVEN and and information MORE than an You need a network technology that is You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is

and and and and MORE than an You need a network technology that is

and You need a network technology that is

and You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is

and information and and information and information and information and MORE than an MORE than an MORE than an and and MORE than an MORE than an and MORE than an fastYou need a network technology that is You need a network technology that is You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is

MORE than an MORE than an MORE than an fastMORE than an MORE than an fastMORE than an MORE than an fastMORE than an MORE than an fastMORE than an fastfastMORE than an fastMORE than an MORE than an fastMORE than an , You need a network technology that is You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is You need a network technology that is You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is

MORE than an MORE than an You need a network technology that is

MORE than an You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is

MORE than an fastMORE than an MORE than an fastMORE than an fastMORE than an fastMORE than an , , MORE than an , MORE than an MORE than an fastMORE than an , MORE than an fastMORE than an MORE than an MORE than an MORE than an MORE than an MORE than an MORE than an MORE than an MORE than an MORE than an reliablyYou need a network technology that is You need a network technology that is You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is

MORE than an MORE than an MORE than an MORE than an You need a network technology that is

MORE than an You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is

reliablyreliablyMORE than an reliablyMORE than an MORE than an reliablyMORE than an reliablyMORE than an reliablyMORE than an MORE than an MORE than an MORE than an MORE than an MORE than an MORE than an MORE than an MORE than an MORE than an and You need a network technology that is STANDARDSTANDARDYou need robust Infrastructure Solutions to deliver the You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is STANDARDYou need robust Infrastructure Solutions to deliver the STANDARDSTANDARDYou need robust Infrastructure Solutions to deliver the STANDARDYou need robust Infrastructure Solutions to deliver the You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is STANDARDYou need robust Infrastructure Solutions to deliver the STANDARDSTANDARDYou need robust Infrastructure Solutions to deliver the STANDARD

Copyright © 2012 Rockwell Copyright © FIELDBUSFIELDBUS

You need a network technology that is You need a network technology that is You need a network technology that is FIELDBUS

You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is You need a network technology that is You need robust Infrastructure Solutions to deliver the You need a network technology that is and and FIELDBUSand FIELDBUSFIELDBUSand FIELDBUSand FIELDBUSand FIELDBUS

Copyright © 2012 Rockwell FIELDBUSFIELDBUSFIELDBUSFIELDBUSFIELDBUS

Copyright © FIELDBUSFIELDBUSFIELDBUSFIELDBUSFIELDBUSFIELDBUSFIELDBUSFIELDBUSsecurely

Automation, Inc. All rights reserved.

STANDARDSTANDARDYou need robust Infrastructure Solutions to deliver the STANDARDSTANDARDYou need robust Infrastructure Solutions to deliver the STANDARD2012 Rockwell 2012 Rockwell Automation, Inc. All rights reserved.

FIELDBUSFIELDBUS!!STANDARDSTANDARD

FIELDBUS!STANDARDYou need robust Infrastructure Solutions to deliver the STANDARDSTANDARDYou need robust Infrastructure Solutions to deliver the STANDARDSTANDARDYou need robust Infrastructure Solutions to deliver the STANDARD

securelysecurely2012 Rockwell

securely2012 Rockwell

FIELDBUSsecurelyFIELDBUSFIELDBUSsecurelyFIELDBUSsecurelysecurely2012 Rockwell

securely2012 Rockwell Automation, Inc. All rights reserved.

securelyAutomation, Inc. All rights reserved.

FIELDBUSsecurelyFIELDBUSFIELDBUSsecurelyFIELDBUSsecurelyFIELDBUSsecurelyFIELDBUSsecurelyFIELDBUSsecurelyFIELDBUS!


From Production to the Enterprise -Rockwell Automation & Cisco Alliance

8

Common Technology View Single system architecture, using open, industry

standard networking technologies – EtherNet/IP Delivering Converged Plantwide Ethernet

(CPwE) Architectures for manufacturing and industrial environments

Best pathway to Operations/IT network convergence with detailed design and implementation guidance

Joint Product and Solution Collaboration Creating an ideal networking environment for both IT

and controls professionals. People and Process Optimization

Education and services to facilitate Manufacturing and IT convergence

Rockwell Automation and Cisco present the most valuable resource in the industry for deploying a converged network infrastructure

Automation, Inc. All rights reserved.COMPANY CONFIDENTIAL 8Copyright © 2012 Rockwell Automation, Inc. All rights reserved.COMPANY CONFIDENTIAL - Internal Use Only

Leadership in IT and Plant Operations


Risks and threats to networked systems

Security risks increase potential for disruption toSecurity risks increase potential for disruption toSystem uptime and Safe operation and a loss of IP

Unintended employee actions

Theft

Unauthorized actions by employees

Unauthorized access

Denial of Service

TheftTheft

Application of Security patches

Unauthorized remote access

Natural or Man-made disasters

Sabotage

Worms and viruses

BusinessBusinessBusinessBusinessRisk

INFORMATION

OPERATIONS


A Vendor’s Perspective

Control System lifecycles are long (20+ years) Products will have vulnerabilities Security is a team sport

Vendors & Customers IT & Engineering Pick your teams (point don’t go it alone)

REMEMBER: Human beings are imperfect Control System safety & security are closely linked Control System security manages variables Managing the security variables enhances uptime

10

UPTIME = PROFITABILITY


Our Approach to Industrial Security

Layered Security ModelShield potential targets behind multiple levels of protection to reduce security risks

Defense in DepthUse multiple security countermeasures to protect integrity of components or systems

OpennessConsideration for participation of a variety of vendors in our security solutions

FlexibilityAble to accommodate a customer’s needs, including policies & procedures

ConsistencySolutions that align with Government directives and Standards Bodies

Layered Security Model

A secure application depends on multiple layers of protection.A secure application depends on multiple layers of protection.Industrial security must be implemented as a system.

ApplicationApplicationComputerComputer

Device Device

PhysicalPhysicalNetworkNetwork

ApplicationApplicationComputerComputer

Device Device

PhysicalPhysicalNetworkNetwork

11

http://images.google.com/imgres?imgurl=http://upload.wikimedia.org/wikipedia/commons/thumb/4/4c/US_Department_of_Homeland_Security_Seal.svg/360px-US_Department_of_Homeland_Security_Seal.svg.png&imgrefurl=http://commons.wikimedia.org/wiki/Image:US_Department_of_Homeland_Security_Seal.svg&h=359&w=360&sz=82&hl=en&start=1&usg=__g68ZxZ1Czwnbm-C8k0D2deynJXk=&tbnid=fqr03iu-bFLMmM:&tbnh=121&tbnw=121&prev=/images?q=department+of+homeland+security&gbv=2&hl=en

http://images.google.com/imgres?imgurl=http://upload.wikimedia.org/wikipedia/commons/thumb/4/4c/US_Department_of_Homeland_Security_Seal.svg/360px-US_Department_of_Homeland_Security_Seal.svg.png&imgrefurl=http://commons.wikimedia.org/wiki/Image:US_Department_of_Homeland_Security_Seal.svg&h=359&w=360&sz=82&hl=en&start=1&usg=__g68ZxZ1Czwnbm-C8k0D2deynJXk=&tbnid=fqr03iu-bFLMmM:&tbnh=121&tbnw=121&prev=/images?q=department+of+homeland+security&gbv=2&hl=en


Evolving Global Standards

12

• Building Blocks •

ISA S99 and IEC 62443• Asset Owners • Vendors • Industry Consortia •

NIST 800 NERC-CIPISO 27002 RFC 2196

ISA Security Compliance Institute (ISCI)

Achilles™

ISA Security Compliance Institute (ISCI)Exida.com LLC

Achilles™ test platform

Wurldtech

BronzeSilver

Gold© rockwell automation

Wurldtech

L-1L-2

L-3

WIB

IndependentIndependentReq’s & Certifications

SAL 1SAL 2

SAL 3

WIB 2.0

OD

VA

ConfrmConfrmTest

http://www.isasecure.org/Home.aspx

http://www.isasecure.org/Home.aspx

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&docid=dLMVh_xsMwWvXM&tbnid=kQznUZyRpSFO7M:&ved=0CAUQjRw&url=http://www.mrplc.com/kb/index.php?print=89&ei=b_ZGUYr7F-HWygHxnoGABA&bvm=bv.43828540,d.aWc&psig=AFQjCNGsCOBMAF4cCzX_bssmdhRVocDuMw&ust=1363691498106922

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&docid=dLMVh_xsMwWvXM&tbnid=kQznUZyRpSFO7M:&ved=0CAUQjRw&url=http://www.mrplc.com/kb/index.php?print=89&ei=b_ZGUYr7F-HWygHxnoGABA&bvm=bv.43828540,d.aWc&psig=AFQjCNGsCOBMAF4cCzX_bssmdhRVocDuMw&ust=1363691498106922

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&docid=ZCfksqaWg0SkRM&tbnid=bhnKbh43laQu5M:&ved=0CAUQjRw&url=http://www.securecrossing.com/about/associations/&ei=yvZGUcatEIWMyQGpr4CQAw&bvm=bv.43828540,d.aWc&psig=AFQjCNHQbb7rDHZhNDxwCnwaw84SyCthJQ&ust=1363691584075660

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&docid=ZCfksqaWg0SkRM&tbnid=bhnKbh43laQu5M:&ved=0CAUQjRw&url=http://www.securecrossing.com/about/associations/&ei=yvZGUcatEIWMyQGpr4CQAw&bvm=bv.43828540,d.aWc&psig=AFQjCNHQbb7rDHZhNDxwCnwaw84SyCthJQ&ust=1363691584075660


Design for Security approach

Specifications Audits & GapsEnhance &

ImproveAudits & Gaps

Resiliency & Robustness13


Additional MaterialEducational - Cisco and Rockwell Automation Alliance

Education Series Webcasts What every IT professional should know about Plant-Floor Networking What every Plant-Floor Engineer should know about working with IT Industrial Ethernet: Introduction to Resiliency Fundamentals of Secure Remote Access

for Plant-Floor Applications and Data Securing Architectures and Applications

for Network Convergence IT-Ready EtherNet/IP Solutions Available Online

http://www.ab.com/networks/architectures.html



Additional MaterialSimplify Design - Rockwell Automation

Networks Website: http://www.ab.com/networks/ EtherNet/IP Toolkit:

http://www.rockwellautomation.com/rockwellautomation/products-technologies/integrated-architecture/tools/overview.page#/tab4

Ethernet Tools

http://www.ab.com/networks/

http://www.rockwellautomation.com/rockwellautomation/products-technologies/integrated-architecture/tools/overview.page

../IET/Ethernet Tools


Additional MaterialSimplify Design - Cisco and Rockwell Automation Alliance

Websites http://www.ab.com/networks/architectures.html

Design Guides Converged plant-wide Ethernet (CPwE)

Application Guides Fiber Optic Infrastructure Application Guide

Education Series http://www.ab.com/networks/architectures.html

Whitepapers Top 10 Recommendations for plant-wide

EtherNet/IP Deployments Securing Manufacturing Computer and Controller

Assets Production Software within Manufacturing

Reference Architectures Achieving Secure Remote Access to Plant-Floor


http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td001_-en-p.pdf



http://literature.rockwellautomation.com/idc/groups/literature/documents/wp/enet-wp022_-en-e.pdf





Additional MaterialSimplify Design - Collaboration

Plant-wide EtherNet/IP Ecosystem Partners Website

Fiber Optic Infrastructure Application Guide

ENET-TD003

http://www.ethernetippartners.net/





Additional MaterialSimplify Design and Speed Deployment - Panduit Corp

Panduit Corp. Website: http://www.panduit.com/

Industrial Automation Solutions: Industrial Automation Product Systems Brochure Industrial Communication Solutions – Interactive Roadmap

http://www.panduit.com/

http://www.panduit.com/stellent/groups/marketing-corp/documents/brochures/cmscont_038270.pdf

http://www.panduit.com/Solutions/IndustrialAutomation/098750


Additional MaterialSpeed Deployment - Fluke Networks

Fluke Networks Websites www.flukenetworks.com www.flukenetworks.com\industrial www.flukenetworks.com\knowledgebase

http://www.flukenetworks.com/

http://www.flukenetworks.com/industrial

http://www.flukenetworks.com/knowledgebase


Reduce design timeProcurement Specifications on-line

http://www.rockwellautomation.com/rockwellautomation/industries/procurement-specifications/overview.page?

Copyright © 2012 Rockwell Automation, Inc. All rights reserved.Rev 5058-CO900C

A family of high performance Industrial Ethernet switches ideal for the end user and equipment builder

Stratix Ethernet Switch Family

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.PUBLIC INFORMATIONPUBLIC INFORMATION

Stratix Portfolio Overview

• Security• Productivity• Safe Operations

• Remote Access• Time to Market• Protecting IP

Routers and switches for: Enabling security to new or existing

architectures Applications for simple to complex networks Monitoring and controlling distributed

devices Plant floor and enterprise integration

Stratix 8000/8300Layer 2, Layer 3

Stratix 2000Unmanaged

Stratix 6000Layer 2

Stratix ETAPs

Stratix 5700Layer 2

Stratix 5100Wireless AP/WGB Stratix 5900

Security Appliance

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.PUBLIC INFORMATION

Family of industrial Ethernet switches that are:• Optimized for configuration, monitoring, security and maintenance• Modular and scalable• Designed for simple to complex Ethernet applications

• IT-ready and IT-friendly solutions• Simplified integration of machine systems in infrastructure• Integrated Architecture programming tools and features• Secure remote access for improved productivity and OEE

• Connected or isolated machine and Process control applications• Plant floor and enterprise integration• Distributed network devices that need to be monitored and controlled

24

The Stratix Family Overview

24Copyright © 2013 Rockwell Automation, Inc. All Rights

Integrating your enterprise and manufacturing PUBLIC INFORMATION

Integrating your enterprise and manufacturing environments

Overview

Key Benefits

Applications

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.Rev 5058-CO900E

PUBLIC INFORMATIONPUBLIC INFORMATION

Stratix 2000 Unmanaged SwitchesRefresh & Product Line Expansion


Stratix 2000 Unmanaged Switches Overview

Low cost solutions designed for isolated control networks

Recommended for Micro 850 & Micro 820 applications

Unmanaged switches are not recommended for safety or motion applications

Simple “Plug & Play”

Automatically negotiates speed and duplex settings (no configuration required)

Automatically detects cross-over cable Expanded operating temperature from -20ºC to

70ºC to meet a wider variety of application needs for most catalog numbers

Exception: 1783-US5T & 1783-US8T range 0 to 60ºC



Stratix 6000 Fixed Managed Switches

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.PUBLIC INFORMATIONPUBLIC INFORMATION Copyright

28

Stratix 6000™ Managed Switches

Fixed port managed switch 4 port or 8 port versions with optional fiber optic

uplink (SFP) Control system integrated

CIP communications for: Diagnostics (tags) Configuration (RSLogix 5000) Security

DHCP persistence for automatic end device IP address assignment

Unauthorized User Identification Traffic Level Monitor with Alarms FactoryTalk View Faceplates

Copyright © 2013 Rockwell Automation, Inc. All Rights ReservedPUBLIC INFORMATIONPUBLIC INFORMATION Copy2828Copy28Copy

FactoryTalk View Faceplates

Integrated Tightly Into The Integrated Architecture



Stratix 5700Industrial Managed Switches


The Stratix 5700Layer 2 Managed Switches with Cisco Technology

Premiere Integration to the Integrated Architecture CIP interface

Studio 5000 AOP ControlLogix tags FactoryTalk View faceplates

Built with Cisco technology (IOS) Common feature set with Stratix 8x00 Common IT development tools

(CLI, CNA, DM, CiscoWorks) Simple to Deploy & Maintain

Easy integration Default configurations Common Smartports DHCP per port IP addressing

Easy maintenance Secure Digital card for configuration backup Diagnostics & network management tools

Compact Compact & Scalable

Best of Rockwell Automation & Cisco in a compact size


Stratix 5700 Configurations 3 base platforms offering 20 configurations

6, 10 & 20 port base units 6 copper & 4 copper + 2 SFP slots 8 copper + 2 combo* 16 copper + 2 combo* + 2 SFP slots

2 Gig port option SFP slots support multi & single mode fiber

Wide variety of SFPs available Compatible with other Cisco SFPs

Advanced feature set to address: EtherNet/IP applications Security Resiliency & Redundancy

Two software packages to choose from Lite & Full versions

Conformal coating option for harsh environments *Combo ports can be either copper or SFP

Ideal for simple to complex applications

*Combo ports can be

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.PUBLIC INFORMATION Copyright © 2011 Rockwell Automation, Inc. All rights reserved.

Stratix 8000/8300 - Modular DesignBase Module

(6-port or 10-port)Extension Module A

(8-port Copper)Extension Module B

(8-port Fiber)

Data Ports10/100 Copper

Dual Purpose Uplink Ports10/100/1000 Copper or SFP

8 Extended Data Ports10/100 Copper

8 Extended Data Ports100 Fixed Fiber

SFP Fiber Transceiver100M and 1GMultimode and Singlemode

33

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.PUBLIC INFORMATION (Confidential

Stratix 8300 layer 3 Managed Switch

Layer 3 Routing CapabilitiesDynamic Routing Protocols such as RIP, EIGRP

and OSPF



Stratix 5900Industrial Services Router


The Stratix 5900 Security Appliance

Premiere Routing & Security Services Firewall Virtual Private Network (VPN) Network Address Translation (NAT) 1GE WAN, 4 FE LAN, 1 Serial Port

Built with Cisco technology (IOS) Common features of Stratix Switch Common IT development tools

(CLI, CNA, DM, CiscoWorks, CCP) Ruggedized with Extended Temp, Shock & Vib Compact Size with Din Rail Mount

Best of Rockwell & Cisco in a compact size



Embedded Switch Technology

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.PUBLIC INFORMATION 383838

Embedded Switch Technology Embedded Switch Technology enables LINEAR and RING topologies on EtherNet/IP Network traffic is managed to ensure timely delivery of critical data (QoS, IGMP

supported) Open standard (ODVA) allows 3rd party suppliers to develop compatible products

Linear

• Linear Ethernet segments greatly extend the length of the application

• No need to run cables from each device back to a centralized switch

Device-Level Ring (DLR)

• Single fault tolerant network provides resiliency

• Device level ring requires no additional hardware to implement

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.PUBLIC INFORMATION 39(Confidential – For Internal Use Only) Copyright © 2009 Rockwell Automation, Inc. All rights reserved. 39Copyright © 2008 Rockwell Automation, Inc. All rights reserved. 39

1783-ETAP• The 1783-ETAP is a standalone device that allows devices (that do not support the

Embedded Switch Technology) to join a linear or a DLR network. • Other product features:

- Capable of being a Ring Supervisor in a Device Level Ring- Managed switch functions to help manage traffic on the network (i.e.: IGMP and QoS)- Fiber versions available in the future for long distance applications

Device Port – used for connecting single-port Ethernet device

Network Ports (2) – used for connecting to neighboring devices to form a linear or a ring network


DLR Enabled Products

1756-ENT2R, Point, Flex, ArmorPoint, ETAP, CompactLogix, 193-DNENCATR, 1747-AENTR, ArmorBlock, ArmorStart

Copyright

40



Stratix 5100Wireless Access Point


Stratix Wireless Access Points

Product Access Point / Work Group Bridge Autonomous Leveraging the latest 802.11N WiFi

technology MIMO, Packet Aggregation & Spatial

Multiplexing• Higher performance

2.4GHz and 5Ghz radios• Flexibility and segmentation

Support for VLAN, QoS and RADIUS Segmentation, priority handling and

authorization Backward compliant to 802.11a/b/g

CIP enabled Logix for system diagnostics Profile & tags

Value Provides real-time performance

for mission critical applications Eliminates wire & cabling to

reducing installation costs Enables mobility and portability to

people and devices Seamless integration within a

Cisco wireless network


Typical Configurations

Cell/Area Zone #3 Cell/Area Zone #4

FactoryTalk Applications and Services

Ring Topology

Cell/Area Zone #1 Cell/Area Zone #2

Manufacturing Zone

8000 ManagedLayer 2 Switch

ETAP - Embedded Layer 2 SwitchRing Topology

Enterprise ZoneEnterprise

Network

6000 ManagedLayer 2 SwitchStar TopologyEmbedded Layer 2

Switch Linear Topology

Mobile User

Lightweight AP (LWAP)

AP as WorkgroupBridge (WGB)

ERP, Email, Wide Area Network (WAN)

5100802.11n – Dual Band

Access point

8300 Managed Layer 3 Switch

5900 Industrial Services Router


Stratix Family Quick Reference

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1Cisco Confidential© 2010 Cisco and/or its affiliates. All rights reserved. 1

Invisible Cost to Visible Value

Rob PriceHead of Technical StrategyPartner & Commercial [email protected]

September 2013

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

“I cannot imagine a life without…”

Source: BITKOM – Bundesverband Informationswirtschaft, Telekommunikation und neue Medien e.V., 2010% of 14 – 29 year olds


Source: BITKOM – Bundesverband Informationswirtschaft, Telekommunikation und neue Medien

• A mobile phone: 97%

% of 14 – 29 year olds


© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4

• The 2 photos on the right are of St Peters Square during the announcement of the election of last 2 Popes

• In just 8 years mobile devices have become ubiquitous. Everyone carries the internet in their pocket



• The Internet: 84%





• A car: 64%





• My current partner: 43%




http://www.google.co.uk/url?sa=i&rct=j&q=ingestible+sensor&source=images&cd=&cad=rja&docid=5dZtyBHJXfLFJM&tbnid=TRE4p--UYxn4OM:&ved=0CAUQjRw&url=http://mobihealthnews.com/11923/proteus-receives-patent-for-ingestible-sensor/&ei=bgV1UaZzxMU8p-KByAI&bvm=bv.45512109,d.ZWU&psig=AFQjCNEPwsfmjiRo4lXddwdS0ITMIpHLTA&ust=1366709906493855

http://www.google.co.uk/url?sa=i&rct=j&q=ingestible+sensor&source=images&cd=&cad=rja&docid=5dZtyBHJXfLFJM&tbnid=TRE4p--UYxn4OM:&ved=0CAUQjRw&url=http://mobihealthnews.com/11923/proteus-receives-patent-for-ingestible-sensor/&ei=bgV1UaZzxMU8p-KByAI&bvm=bv.45512109,d.ZWU&psig=AFQjCNEPwsfmjiRo4lXddwdS0ITMIpHLTA&ust=1366709906493855


• Will gather 14 ExaBytes of data per day !!

• Will store over 1 PetaByte per day

• Transmit

• Store

• Analyse

*

*1 ExaByte = 1,000,000,000,000,000,000 Bytes

It took until 2004 for internet traffic to pass 1 Exabyte per month

http://www.google.co.uk/url?sa=i&source=images&cd=&cad=rja&docid=FSlS8RqBq4n30M&tbnid=w3PPKNwD2tcLjM:&ved=0CAgQjRwwAA&url=http://www.theaustralian.com.au/news/health-science/australia-must-wait-to-find-out-if-it-has-won-the-rights-to-host-the-square-kilometre-array-radio-telescope/story-e6frg8y6-1226319423772&ei=0at8UvXzIYHcswbpkoHgAQ&psig=AFQjCNFFKANqYlIJaT3PtO_ARYAdvuDbAg&ust=1383988561603680

http://www.google.co.uk/url?sa=i&source=images&cd=&cad=rja&docid=FSlS8RqBq4n30M&tbnid=w3PPKNwD2tcLjM:&ved=0CAgQjRwwAA&url=http://www.theaustralian.com.au/news/health-science/australia-must-wait-to-find-out-if-it-has-won-the-rights-to-host-the-square-kilometre-array-radio-telescope/story-e6frg8y6-1226319423772&ei=0at8UvXzIYHcswbpkoHgAQ&psig=AFQjCNFFKANqYlIJaT3PtO_ARYAdvuDbAg&ust=1383988561603680

//upload.wikimedia.org/wikipedia/commons/1/15/SKA_cores_big.jpg

//upload.wikimedia.org/wikipedia/commons/1/15/SKA_cores_big.jpg


THE NETWORKMOBILITY

BYOD

MOBILITYBYODBYOD

IMMERSIVE COLLABORATION

Pervasive Video

IMMERSIVE IMMERSIVE COLLABORATIONCOLLABORATION

Pervasive Pervasive VideoVideo

CLOUDXaaS | DC / V

CLOUDXXaaSaaS | | DC / VDC / V

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14GREEN, Energy Efficiency

IT PRODUCTIVITY, Service and Network Management

SECURITY, Accelerating Cyber-Threats


How You Worked Depended on This…How You Worked Depended on This…How You Worked Depended on This…Now It Depends on This…

FIXED MOBILE


XaaS

http://www.google.co.uk/url?sa=i&rct=j&q=cloud+computing+images&source=images&cd=&cad=rja&docid=KaJbuS_VgYvdRM&tbnid=b5OBxmAIcrf96M:&ved=0CAUQjRw&url=http://www.blog.qarea.com/cloud-computing/core-features-of-cloud-computing-strategy/&ei=0bd3UeKaJ8vTPNn-gPAG&bvm=bv.45580626,d.ZWU&psig=AFQjCNEqY-1p6s7ohyMQYWZhImumL37ECA&ust=1366886656752104

http://www.google.co.uk/url?sa=i&rct=j&q=cloud+computing+images&source=images&cd=&cad=rja&docid=KaJbuS_VgYvdRM&tbnid=b5OBxmAIcrf96M:&ved=0CAUQjRw&url=http://www.blog.qarea.com/cloud-computing/core-features-of-cloud-computing-strategy/&ei=0bd3UeKaJ8vTPNn-gPAG&bvm=bv.45580626,d.ZWU&psig=AFQjCNEqY-1p6s7ohyMQYWZhImumL37ECA&ust=1366886656752104


Pop Quiz


Thank you.

Securing Controls Networks Protecting against the bad dumb guys ;)

Steve Matthews ([email protected]) Consulting Systems Engineer IoT Sales EMEAR 11th Feb 2014

© 2014 Cisco and/or its affiliates. All rights reserved.

!"#$%&'('))#*+),'-#."#/01#2344'5634#."#7%8(9:;#<3='-#

."#>'(53#1',?3&@#

AB"#>&:),'=#>C%&=908&,+#2344'5634##DE45(:=')#E4F'5,'=#G8;,3;)H#

A."#E4,'&4',#7%&'5,(+#IJ"#/%8#23&;3&8,'#$K1#84=#

L:)%4'))#1',?3&@#

Source of Industrial Security Incidents Source: BCIT (2009)

Average Cost of Manufacturing Downtime = $210,000 per Hour Source: Infonetics (2005)

Industrial Security


How Big Are the Risks? !! Less than 2% of incidents are reported

–! Concern for damage of corporate reputation and stock price !!Risk = Threat Probability X Consequence !! Targets of choice at higher financial risk than targets of opportunity

!"#$%&&'()*+,-$

./#$0,12+,3)$

/.#$%&&'()*+,-$

4#$0,12+,3)#

5#$6+7)8$

0,12+,3)4# 0,12+,3)

5#

0,12+,3)5#$9,&:)8$

;5#$<,-=,8)$

© 2014 Cisco and/or its affiliates. All rights reserved. © 2014 Cisco and/or its affiliates. All rights reserved. *3:&5'M#N&%5#L+&')O#L2E>#

4# 0,12+,3)

>'*,*&',-$?@A,&+$B$C/DDEDDD$ >'*,*&',-$?@A,&+$F$C/DDEDDD$


The Game Changer in 2010.. !! NOT external network

proliferated!

!! Unique 4x 0 day exploits - undetectable

!! USB & print spooler

!! Focussed ONLY on: –! Step 7 –! S7 400 PLC –! & 2 hi freq drives

!! Then ‘duqu’ (related) –! Data mining /stealing

!! Then ‘flame’ (older)

!! Stuxnet is now effectively ‘open source’ ! I#


A breakdown of Stuxnet CP;MQQ???R,'=R53-Q,8(@)Q&8(;CS(84T4'&S5&85@%4TS),:U4',S8SVA),S5'4,:&+S5+W'&?'8;34RC,-(##

X8(;C#G84T4'&##Y'&-84#234,&3(#)+),'-)#)'5:&%,+#534):(,84,##


>G0)&H8)$=8,AGHA$2*$0+HI*)+$CP;MQQ???R+3:,:W'R53-Q?8,5CZ[\T]^8=]E.)53#

#


Common Areas of Vulnerability !! Fragile TCP/IP Stacks – NMAP, Ping Sweep lockup !! Little or no device level authentication !! Poor network design – daisy chains, hubs !!Windows based IA servers – patching, legacy OS !!Unnecessary services running – FTP, HTTP !!Open environment, no port security, no physical security of switch, Ethernet ports !! Limited auditing and monitoring of access to IA devices !!Unauthorised use of HMI, IA systems for browsing, music/movie downloads !! Lack of IT expertise in IA networks, many blind spots

Defense in Depth.


Defense-in-Depth Critical Elements to Security

!! Security is basically two pronged: –! Technical vs. Non-technical –! A balanced Security Program must address both

Technical (technology) and Non-Technical (procedures) Elements

!! Technical controls - Firewalls, Group Policy Objects, Layer 3 ACLs, etc.

!!Non-technical controls - rules for environments, such as policy and procedure, risk management

!! Security is only as strong as the weakest link !! Vigilance and Attention to Detail are KEY to the long-

term security success

_34'9)%^'9`,)98((a#

Technical Non Technical


Defense-in-Depth Multiple Layers to Protect the network and Defend the edge !! Physical Security – limit physical access to authorized

personnel: areas, control panels, devices, cabling, and control room – escort and track visitors

!! Network Hardening – infrastructure framework – e.g. firewalls with intrusion detection and intrusion prevention systems (IDS/IPS), and integrated protection of networking equipment such as switches and routers

!! End-point Hardening – patch management, antivirus software as well as removal of unused applications, protocols, and services

!! Application Security – authentication, authorization, and audit software

!! Device Hardening – change management and restrictive access Defense

in Depth

Computer

Device

Physical

Network

Application


Defense-in-Depth Network Security

!! Security is not a bolt-on component !!Comprehensive Network Security

Model for Defense-in-Depth !! Industrial Security Policy !!DMZ Implementation !!Design Remote Partner Access

Policy, with robust & secure implementation


Security is not a bolt-on component Comprehensive Network Security

Design Remote Partner Access


Defence-in-Depth Physical Security - Examples

•! Keyed solutions for copper and fibre

•! Lock-in, Blockout

products secure connections

Secure Network Architectures for Industrial Control Systems


Purdue model ISA 95 N4,'&;&%)'#b34'#

7<b#

027#c#0&35'))#234,&3(#73-8%4#Q#

<84:F85,:&%4T#b34'#021#c#0&35'))#234,&3(#1',?3&@#Q#

2'((#Q#K&'8#b34'#

Enterprise Network

Site Business Planning and Logistics Network

*%,'#<84:F85,:&%4T#d;'&8634)#84=#234,&3(#

K&'8#*:;'&[%)3&+#234,&3(#

L8)%5#234,&3(#

0&35'))#

7'-%(%,8&%^'=#b34'#c#*C8&'=#K55'))#

Level 5

Level 4

Level 3

Level 2

Level 1

Level 0

Level 3!

© 2014 Cisco and/or its affiliates. All rights reserved. © 2014 Cisco and/or its affiliates. All rights reserved.

X'8(c>%-'#234,&3(#

]8),#234['&T'45'#

>&8e5#*'T-'4,8634#84=#<848T'-'4,#

N8)'#3F#f)'#

*%,'#d;'&8634)#84=#234,&3(#

<:(69*'&[%5'#1',?3&@)#

1',?3&@#84=#*'5:&%,+#<848T'-'4,#

X3:64T#

K;;(%58634#84=#78,8#)C8&'#

K55'))#234,&3(#

>C&'8,#0&3,'5634#

YW;)#G%4@#F3&#]8%(3['&#7','5634#

]%&'?8((#DK56['H#

]%&'?8((#D*,84=W+H#

*2K7K#K;;(%58634#

84=#*'&[%5')#*'&['&)#

D*,84=W+H#2%)53#

K*K#ggBB#

2%)53#

28,8(+),#*?%,5C#

1',?3&@#*'&[%5')###

2%)53#28,8(+),#

hgBBQIgBB#

2%)53#28,R#!.gBi#

*,85@$%)'#*?%,5C#*,85@#

08,5C#<848T'-'4,O#>'&-%48(#*'&[%5')O#K;;(%58634#<%&&3&)O#K/#

*'&['&)#

2'((QK&'8#jA#DX'=:4=84,#*,8&#>3;3(3T+H#

7&%['#

234,&3(('&#

k<E# 7%),&%W:,'=#EQd#

234,&3(('&#

7%),&%W:,'=#EQd#

234,&3(('&#

7&%['#7&%['#

k<E#

7%),&%W:,'=#EQd#

k<E#

2'((QK&'8#jV#DX%4T#>3;3(3T+H#

2'((QK&'8#j!##DG%4'8&#>3;3(3T+H#

7%),&%W:,'=#EQd#

234,&3(('&#EN!BBBQ!BABQVBBB#

G8+'&#V#K55'))#*?%,5C#

2'((QK&'8#jV#234,&3(('&#

N4,'&;&%)'QE>#E4,'T&8634#23((8W3&8634#$%&'('))#

K;;(%58634#d;6-%^8634#

2'((QK&'8#b34'#

G'['()#BcV#

G8+'&#V#K55'))#

<84:F85,:&%4T#b34'#

G'['(#!#

7%),&%W:634#84=#23&'#

7'-%(%,8&%^'=#b34'#

D7<bH#]%&'?8(()#

N4,'&;&%)'#1',?3&@#

G'['()#Icg#$'W# K;;)# 71*# ]>0#

E4,'&4',#

Converged Plant-wide Ethernet Architecture

AI#

Switch Security Features & Techniques


Defend the Industrial Edge

!! Firewalling and remote access at levels 0-2 (L2 Transparent Mode) with Industrial IPS/IDS

!! Use IT-Approved Access and Authentication –! VPN for secure remote access –! Enterprise Access and Authentication servers (e.g Active

Directory, Radius, etc.)

!! ICS Protocols Stay Home

!! Control the Application !! Remote Access (Terminal) Server !! Application level security

!! No direct traffic through the firewall

!! Only one path in and out of industrial - the firewalls

DMZ and Secure Remote Access Guiding Principals

Enterprise WAN

Enterprise Data Centre

E#0#*#N#2#/# 0#1#*#*# G#/#0# 1#

Levels 0–2 Cell/Area Zones


Manufacturing Zone Site Manufacturing

Operations and Control Level 3

EEEEEEEEEE0000000000**********NNNNNNNNNN2222222222////////// 00000000001111111111 01 001 001 001 001 001 001 001 001 001 0

Internet

Enterprise Zone Levels 4 and 5


Protect the Interior – switch config options..

"!Authentication –! 802.1x Authentication, WebAuth, MAB

"!CISF (Cisco Integrated Security Features): !! Port Security (Limit MACs) !! IPv4 and IPv6 DHCP Snooping (Prevent rogues) !! IP Source Guard (No false IPs) !! Dynamic Arp Inspection (Prevent rogues)

"!Access Control Lists

L2/3 Network Security Features


Protect the Interior – switch config options..

§  Storm Control –  small-frame violation-rate 100 (frames less than 67b) –  storm-control broadcast level pps 5k 4.5k –  Storm-control broadcast level 20% 15% –  storm-control multicast level pps 10k 9.5k –  storm-control unicast level pps 5k 4.5k –  storm-control action shutdown / trap

§ Rate Limiting –  Rate-limit input rate(bps) burst(bytes) –  Rate-limit output rate(bps) burst(bytes)

Traffic Control – Prevent DoS or accidental storms


End-point and Network (Switches) Hardening Procedures

!!Use secure protocols on switches and devices(HTTPS, SCP, SNMPv3, SSH) !!Do not implement shared or “backdoor” accounts/password !! Enable password encryption (service password-encryption) !!Disable password recovery (no service password-recovery) CAUTION !!Disable small servers (tod, hello, etc.)

–! no service tcp-small-servers –! no service udp-small-servers –! no ip finger

!! Enable memory leak detection and threshold alarming !!Comprehensive information here: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml


Use secure protocols on switches and devices(HTTPS, SCP, SNMPv3, SSH) Do not implement shared or “backdoor” accounts/password Enable password encryption (service password-encryption) Disable password recovery (no service password-recovery) Disable small servers (

no service no service no

Enable memory leak detection and threshold alarming Comprehensive information here:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml




Cisco Security Logical Framework Strong Segmentation

VB#

Level 5

Level 4

Level 3

Level 2

Level 1

Level 0

Terminal Services

Patch Management

AV Server

Application Mirror

Web Services Operations

Application Server

Enterprise Network

Site Business Planning and Logistics Network E-Mail, Intranet, etc.

FactoryTalk App Server

FactoryTalk Directory

Engineering Workstation

Domain Controller

FactoryTalk Client

Operator Interface

FactoryTalk Client

Engineering Workstation

Operator Interface

Batch Control

Discrete Control

Drive Control

Continuous Process Control

Safety Control

Sensors Drives Actuators Robots

Enterprise Zone

DMZ

Process Control Domain

Process Control Network

Web E-Mail

CIP

Firewall

Firewall

Site Manufacturing Operations and Control

Area Supervisory Control

Basic Control

Process

Pur

due

Ref

eren

ce M

odel

, IS

A-9

5

Indu

stria

l Sec

urity

Sta

ndar

d IS

A-9

9


Cisco/RA Applied Security – What goes where?

/01#

/7E#

$*K#

E0*#

K*K92i#

%0%$

?0J$

Level 5

Level 4

Level 3

Level 2

Level 1

Level 0

Level 3!

N4,'&;&%)'#b34'#

7<b#

027#Q##

<84:F85,:&%4T#b34'#

021#Q#

2'((#Q#K&'8#b34'#

0+8,KI$L"DD$


Cisco 819H ISR (Rockwell Stratix 5900) Feature Highlights

Security features: •! *,8,'F:(#E4);'5634#]%&'?8((#•! b34'#W8)'=#]%&'?8((#•! E4,&:)%34#0&'['4634#*+),'-#DE0*H#•! 7+48-%5#<:(6;3%4,#/01#D7</01H#•! YN>/01#•! E0)'5#•! l:8(%,+#3F#)'&[%5'#Dl3*H#•! fXG#`(,'&%4T#•! k%TC#K[8%(8W%(%,+#F3&#>20#W8)'=#)'&[%5')#D:)'F:(#F3&#)'&[%5')#(%@'#<3=W:)Q>20H#

Industrial Characteristics •! 13#]84#•! k8&='4'=#•! E4T&'))#0&3,'5634#


!! Integrates and extends the #1 deployed gateway content security technology to protect from viruses, spyware, spam, phishing, and employee productivity impacting websites

Market-Leading Content Security

!! Integrates and extends the #1 deployed IPS and IDS technology from the Cisco IPS 4200 Series

!! Provides comprehensive security from directed attacks and many other threats including signatures for DNP3, modbus, ICCP

Market-Leading IPS Services

!! Integrates and extends the #1 deployed remote access VPN technology from Cisco VPN 3000 Concentrators and Cisco PIX Security Appliances, offering both SSL and IPsec VPN services

Market-Leading VPN Services

!! Integrates and extends the #1 deployed firewall technology from Cisco PIX Security Appliances

!! Built upon the experience of over one million PIX deployed worldwide and 10+ years of innovation

Market-Leading Firewall Services

Cisco ASA 5500 Adaptive Security Appliances Delivering Leading Threat Defense and VPN Services

Provides Converged Threat Defense, Flexible Secure Connectivity, Minimized Operation Costs, and Unique Adaptive Design to Combat Future Threats

Market-Leading Secure Unified Communications !! Comprehensive access control, threat protection, network policies, service protection and voice/video confidentiality for

real-time Unified Communications traffic


Identity Service Engine ‘Context-Aware Security’

I want to allow guests into the network

I need to allow/deny iPADs in my network (BYOD)

I want to allow only authorized users access to my network

I need a scalable way of authorizing users or devices in

the network

I need to ensure my endpoints don’t become a threat vector

How can I set my firewall policies based on identity instead of IP addresses?

Y:'),#G%F'5+5('#<848T'-'4,#

0&3`(%4T#*'&[%5')#

03),:&'#*'&[%5')#

K:,C'4658634#84=#K:,C3&%^8634#

*'5:&%,+#Y&3:;#K55'))#<848T'-'4,#

E='46,+9W8)'=#]%&'?8((#

M'N&2$$?0J$

Secure Remote Access


Employ Secure Remote Access Techniques SSL Clientless VPN

§ No VPN client needs to be installed on remote client

§  Access to internal network through one point entry

§ Uses a standard web browser, platform independent: Internet Explorer, Firefox

§ Can access web applications http, https, Common Internet File Sharing (CIFS), File Transfer Protocol (FTP)

§ Client-Server Plug-ins for Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), Secure Shell (SSH) access, Telnet and Citrix

§  VPN appliance gives web-based look and feel for the application access (customizable) through content rewrite process


Secure Remote Access – Clientless SSL VPN via ASA 55xx

!! O)@2+)$)*3'*))8$28$A,8+*)8$)N+,1-'N7)N$PQR$+2$&28A28,+)$*)+=28:S$,&&)NN$'N$8)N+8'&+)($+2$?Q$,((8)NN$2T$A-,*+$U<V$W8)=,--$

!! Q28+,-$2*$A-,*+$W8)=,--$)*,1-)N$,&&)NN$+2$?%M0$(,+,E$W-)N$,*($,AA-'&,K2*N$$?*+8HN'2*$A82+)&K2*$NXN+)@$Y?Q0Z$2*$

A-,*+$W8)=,--$()+)&+N$,*($A82+)&+N$,3,'*N+$,[,&:N$T82@$8)@2+)$72N+$

!! >'8)=,--$A82I')N$,$&-')*+$N)NN'2*$+2$8)@2+)$$,&&)NN$N)8\)8$

!! %&&)NN$+2$,AA-'&,K2*N$2*$8)@2+)$,&&)NN$N)8\)8$'N$8)N+8'&+)($+2$NA)&'W)($A-,*+$]228$?%M0$8)N2H8&)N$+782H37$?%M0$,AA-'&,K2*$N)&H8'+X$$

Enterprise WAN

Enterprise Data Center

Gbps Link Failover

Detection

Firewall (Active)

Firewall (Standby)

Patch Management Terminal Services Application Mirror AV Server

Cisco ASA 5500

Remote Access Server !!RSLogix 5000 !!FactoryTalk View Studio

Catalyst 6500/4500

Remote Engineer or Partner

Enterprise Connected Engineer

Enterprise Edge Firewall

k>>0*#

Cisco VPN Client

X'-3,'#7')@,3;#0&3,353(#DX70H#

Catalyst 3750 StackWise

Switch Stack

N,C'&1',QE0#

E# 0#*# N#2# /#0#1#

*#*#G#/#0# 1#

]85,3&+>8(@#K;;(%58634#*'&['&)#!!/%'?#!!k%),3&%84#!!K))',2'4,&'#!! >&84)85634#<848T'&#]85,3&+>8(@#*'&[%5')##0(8m3&-#n!7%&'5,3&+#n!*'5:&%,+QK:=%,#78,8#*'&['&)#

Internet




Cell/Area Zones

Manufacturing Zone Site Manufacturing

Operations and Control Level 3


1. Identify all connections to SCADA networks 2. Disconnect unnecessary connections to the SCADA network 3. Evaluate and strengthen the security of any remaining connections to the SCADA network 4. Harden SCADA networks by removing or disabling unnecessary services 5. Do not rely on proprietary protocols to protect your system 6. Implement the security features provided by device and system vendors 7. Establish strong controls over any medium that is used as a backdoor into the SCADA network 8. Implement internal and external intrusion detection systems and establish 24-hour-a-day incident monitoring 9. Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns 10. Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security 11. Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios 12. Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and users 13. Document network architecture and identify systems that serve critical functions or contain sensitive information that require additional levels of protection 14. Establish a rigorous, ongoing risk management process 15. Establish a network protection strategy based on the principle of defense-in-depth 16. Clearly identify cyber security requirements 17. Establish effective configuration management processes 18. Conduct routine self-assessments 19. Establish system backups and disaster recovery plans 20. Senior organizational leadership should establish expectations for cyber security performance and hold individuals accountable for their performance 21. Establish policies and conduct training to minimize the likelihood that organizational personnel will inadvertently disclose sensitive information regarding SCADA system design, operations, or security controls

21 Steps to securing a SCADA network

7[A^__===`2)`*)+-`(2)`32\_(2&N_A8)A,8)_./N+)AN122:-)+`A(T$$

Plantwide benefits of EtherNet IP Seminar

Technology

Transcript of Plantwide benefits of EtherNet IP Seminar