
Industrial Demilitarized Zone

Design Principles
Jason J. Dely, CISSP, CISM
Principal Security Consultant, Network & Security Services
jdely@ra.rockwell.com
PUBLIC INFORMATION

Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.

Course Description
There are many organizations and standards bodies that recommend separating the
enterprise zone from the industrial zones by utilizing an industrial demilitarized zone
(iDMZ).
This session will describe the basic principles and strategies of designing an iDMZ to
separate these two zones.
A prior understanding of general Ethernet concepts, or attendance of the Fundamentals
of EtherNet/IP session is recommended.


Agenda
What is a DMZ?
Methodology
Network Segmentation


Industrial Network Convergence: Continuing Trend

[Diagram: the Traditional 3-Tier Industrial Network Model beside the Converged Plantwide EtherNet/IP Industrial Network Model. Both show a Corporate Network (office applications, internetworking, data servers, storage; back-office mainframes and servers such as ERP and MES), a Control Network reached through a gateway (HMI, supervisory control, controllers, robotics) and an Industrial Network (motors, drives, actuators, I/O, sensors and other input/output devices). In the converged model the tiers share one EtherNet/IP infrastructure that also carries phones, cameras, safety controllers and safety I/O.]

EtherNet/IP - Enabling/Driving Convergence of Control and Information

Industrial Network Convergence: Continued Trend, Demilitarized Zone (DMZ)

[Diagram: the Corporate Network (office applications, internetworking, data servers, storage; back-office mainframes and servers such as ERP and MES) and the converged plantwide EtherNet/IP Industrial Network (controllers, supervisory control, HMI, robotics, I/O, motors, drives, actuators, safety controllers and safety I/O, phones, cameras) are separated by a DMZ. The DMZ sits between an Active and a Standby firewall joined by a failover link, and hosts patch management, remote access services, application mirrors and anti-virus servers.]

Firewalls for separation
Unified Threat Management
Authentication & Authorization
Application & Data Sharing via replication or terminal services

Demilitarized Zone (DMZ)

Sometimes referred to as a perimeter network, a DMZ exposes an organization's external services to an untrusted network. The purpose of the DMZ is to add an additional layer of security to the trusted network.

[Diagram: Internet (UNTRUSTED) -> Web Proxy in the DMZ (BROKER) -> TRUSTED network. The web proxy in the DMZ is the broker between the two sides.]

Controlling Access to the Manufacturing Zone

[Diagram: the zone and level model.
Enterprise Zone, Levels 5 and 4: Enterprise Network (E-Mail, Intranet, etc.) behind a Router, and the Site Business Planning and Logistics Network.
DMZ, between two Firewalls: Terminal Services, Patch Management, Historian Mirror, Web Services Operations, Application Server, AV Server. Traffic labels at the firewalls: Web, E-Mail, CIP.
Manufacturing Zone, Level 3 (Site Manufacturing Operations and Control): FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, FactoryTalk Client, Domain Controller.
Cell/Area Zone, Level 2 (Area Supervisory Control): FactoryTalk Client, Operator Interface, Engineering Workstation. Level 1 (Basic Control): Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control. Level 0 (Process): Sensors, Drives, Actuators, Robots.]

No Direct Traffic Flow from Enterprise to Manufacturing Zone

Agenda
What is a DMZ?
Methodology
Network Segmentation


Methodology

Develop a scientific method to develop repeatable, measurable and maintainable solution(s).
Look at the problem holistically and drill down to each system.

DMZ / Network Reconnaissance (Design Pre-work)

Recon Phase
Identify Assets or Asset Classes: identify the types of assets in the Manufacturing Zone and those that support manufacturing.
ACTION: Document assets by documentation, interviews and network scanning.
Identify Asset Owners: identify who owns the hardware and software on the asset.
ACTION: Document asset owners and schedule interviews.

Phases: Recon Phase -> Design Phase (Requirements Phase, Architectural Phase, Tech. Design Phase) -> Implement Phase -> Maintain

Classify Asset Types

Goal: Identify assets that support the manufacturing process.
Goal: Identify if the asset belongs in the Mfg. or Enterprise Zone.

Diagram Data Sources Feeding Higher Level Assets

Identify System Owners / Users


Interview Process

The interview process identifies how the owners and clients of the assets:
Operate
Configure
Patch
Upgrade
It identifies where the data is produced and consumed.
This process is used to gather requirements.

DMZ / Network Design Methodology

Requirements Phase
Requirements are a statement identifying a capability, physical characteristic or quality factor that bounds a product or process problem for which a solution will be pursued. (Source: IEEE Standard 1220-1994)
ACTION: Interview all system owners to gather requirements for operations, configuration and maintenance.

Architectural Phase
High level architectural recommendations that are proposed to meet the customer requirements.
ACTION: Produce high level documentation and drawings to meet every requirement.

Technical Design Phase
Detailed information, usually written by the coder or implementer, that describes how the system or product will be programmed and configured to meet the customer requirements and the high level architecture.
ACTION: Produce detailed documentation such as drawings, switch configurations, VLAN, IP Address, Firewall ACLs.

Implementation
The system components are brought together and tested during this phase per the testing plan.
ACTION: Verify (was the product built right) and Validate (was the right product built).

Maintain
System has been Verified and Validated and is maintained by Operations and Maintenance.
ACTION: Modify configurations and assets to fix anomalies or required operational changes.

High Level Architecture


How to Derive High Level Architecture

[Diagram: Enterprise Client and Actor, Historian, MES, Order Entry and QC Systems drawn against the three zones Enterprise, Industrial DMZ and Manufacturing.]

No Control Protocols Through the Firewall(s)

Move the Assets Around To Minimize Cross-Zone Traffic, Especially Control Protocols

[Diagram: Enterprise zone with Client, Actor, Order Entry, MES and Historian; Industrial DMZ with a Historian Data Mirror and a Proxy; Manufacturing zone with the Manufacturing Historian and QC Systems.]

High Level Architecture: Review All Use Cases and Meet All Requirements

Use Case: Configure Historian from Enterprise

Remote Desktop Gateway

High Level Architecture: Review Use Cases

Use Case: Move Data From Manufacturing Historian to Enterprise Historian

Historian Mirror
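The architecture slides above reduce to two firewall rules of thumb: every permitted conduit terminates in the iDMZ (the Remote Desktop Gateway and Historian Mirror use cases), and no control protocol crosses the firewalls. The checker below is an added example, not part of the Rockwell deck, that audits a proposed rule set against those two principles; the zone names, the rule list and the historian replication port 5450 are constructed for the example, and CIP is recognised by the standard EtherNet/IP port numbers.

```python
# Added example (not from the Rockwell deck): audit a proposed firewall rule
# set against two principles from the slides: no direct Enterprise<->Manufacturing
# flow (every conduit terminates in the iDMZ) and no control protocols through
# the firewall(s).
from dataclasses import dataclass

ZONES = {"enterprise", "idmz", "manufacturing"}
# Standard EtherNet/IP (CIP) ports: explicit messaging on TCP/UDP 44818,
# implicit (class 1) I/O on UDP 2222. These count as control protocols.
CONTROL_PORTS = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: str  # "tcp" or "udp"
    port: int   # destination port

def check_rule(rule):
    """Return the list of principle violations for one permit rule (empty = OK)."""
    problems = []
    if rule.src_zone not in ZONES or rule.dst_zone not in ZONES:
        return [f"{rule.name}: unknown zone {rule.src_zone}->{rule.dst_zone}"]
    if rule.src_zone == rule.dst_zone:
        return problems  # intra-zone traffic never crosses the firewall
    if "idmz" not in (rule.src_zone, rule.dst_zone):
        problems.append(f"{rule.name}: direct {rule.src_zone}->{rule.dst_zone} "
                        "flow bypasses the iDMZ")
    if (rule.proto, rule.port) in CONTROL_PORTS:
        problems.append(f"{rule.name}: control protocol {rule.proto}/{rule.port} "
                        "through the firewall")
    return problems

def audit(rules):
    """Flatten the violations of a whole rule set."""
    return [p for r in rules for p in check_rule(r)]

# Constructed rule set: the deck's two use cases plus two rules that must fail.
PROPOSED = [
    Rule("client-to-rd-gateway", "enterprise", "idmz", "tcp", 443),         # RD Gateway (HTTPS)
    Rule("rd-gateway-to-eng-ws", "idmz", "manufacturing", "tcp", 3389),     # RDP to workstation
    Rule("mfg-historian-to-mirror", "manufacturing", "idmz", "tcp", 5450),  # port assumed
    Rule("ent-historian-from-mirror", "enterprise", "idmz", "tcp", 5450),   # port assumed
    Rule("ent-direct-to-mfg-historian", "enterprise", "manufacturing", "tcp", 5450),
    Rule("ent-cip-to-idmz", "enterprise", "idmz", "tcp", 44818),
]

if __name__ == "__main__":
    print("\n".join(audit(PROPOSED)))
```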


Agenda
What is a DMZ?
Methodology
Network Segmentation


Manufacturing Zone Architecture to Support DMZ

Division of plant into functional areas for secured access
ISA-SP99 Zones and Conduit model
OEMs Participation
IP Address
VLAN IDs
Access layer to Distribution layer cooperation
System design requires full cooperation of all System Integrators, OEMs, IT and Engineering

Data Link / Network Layers

Control Systems are Designed with Availability Requirement First!

[Diagram: the reference architecture, with Security and Availability called out at each zone boundary.
Enterprise Zone, Levels 4 and 5: ERP, Email, Wide Area Network (WAN).
Demilitarized Zone (DMZ): Patch Management, Terminal Services, Application Mirror, AV Server, between Cisco ASA 5500 firewalls (Active and Standby) with a Gbps link for failover detection.
Industrial Zone, Site Operations and Control, Level 3: FactoryTalk Application Servers (View, Historian, AssetCentre, Transaction Manager), FactoryTalk Services Platform (Directory, Security/Audit), Data Servers, Remote Access Server, Network Services (DNS, DHCP, syslog server, network and security mgmt), on a Catalyst 6500/4500 and a Catalyst 3750 StackWise Switch Stack.
Cell/Area Zones, Levels 0-2: Cell/Area #1, #2 and #3, each with Controller, HMI, I/O and Drive on a Rockwell Automation Stratix 8000 Layer 2 Access Switch (Cisco Catalyst Switch), segmented into VLANs 101-105 and 41-44.
Link legend: Layer 2 Access Link, Layer 2 Interswitch Link / 802.1Q Trunk, Layer 3 Link.]

Structure and Hierarchy

Network Segmentation: Building Block for Availability

[Diagram: a Layer 3 Distribution Switch (Catalyst 3750 StackWise Switch Stack) as the Layer 3 building block, with Layer 2 Access Switches (Rockwell Automation Stratix 8000) forming Layer 2 building blocks of HMI, I/O, drives and controllers (Levels 0-2) over building media and connectors. Three Cell/Area Zones are shown: #1 Redundant Star Topology with Flex Links Resiliency, #2 Ring Topology with Resilient Ethernet Protocol (REP), #3 Bus/Star Topology. Security and Availability are called out as the design drivers.]

The Cell/Area zone is a Layer 2 network for a functional area of the plant floor.
Key network considerations include:
Structure and hierarchy using smaller Layer 2 building blocks
Logical segmentation for traffic management and policy enforcement to accommodate time-sensitive applications

Machine Types: Building Blocks for Security Specifications

Security
Availability Requirements: Historian, OS Patch, AV Server, Workstations, Remote Session Hosts, HMI Servers; Networking, Routing
Information Requirements: Interfaces, Controller data structure
Security Requirements (C,I,A)
Machine or Cell Level Interfaces

[Diagram: the same Cell/Area Zones (Levels 0-2) as the previous slide, with Controller, HMI, I/O and Drive on Rockwell Automation Stratix 8000 Layer 2 Access Switches under a Catalyst 3750 StackWise Switch Stack: Cell/Area Zone #1 Redundant Star Topology with Flex Links Resiliency, #2 Ring Topology with Resilient Ethernet Protocol (REP), #3 Bus/Star Topology.]

We care what you think!

Please take a couple of minutes to complete a quick session survey to tell us how we're doing.
On the mobile app:
1. Locate session using Schedule or Agenda Builder
2. Click on the thumbs up icon on the lower right corner of the session detail
3. Complete survey
4. Click the Submit Form button

Thank you!!

Questions?

PUBLIC INFORMATION

Follow RSTechED on Facebook & Twitter.


Connect with us on LinkedIn.
www.rsteched.com