Professional Documents
Culture Documents
Architecting a Robust
Manufacturing Network
for the Internet of Things
Network Reference Architecture
August 2015
Contents
03 Abstract
03 The forces of change
03 Pace of change
03 Opportunity for competitive agility
04 The IoT and II
14 Conclusion
15 Glossary
17 Further Reading
17 Contacts
Table of Figures
05 Figure 1: Overall Plant Network Architecture
07 Figure 2: Plant Network Segmentation
08 Figure 3: Plant Network Security Logical Architecture
09 Figure 4: Plant Network Security Virtualization
10 Figure 5: Plant Network Dynamic Port Provisioning
11 Figure 6: Plant Network Physical Architecture
12 Figure 7: Plant Network Wireless Architecture
Predictive
Analytics Plant Server Room
Legend
DCS VLAN
Carpeted
(Perdue Level 1) Security Space Ethernet
Plant/Site
PAN VLAN Firewall/IPS
(Perdue Level 2) Core Network
Data Diode
Operator/DMZ VLAN Carpeted
(Perdue Level 3) Space Wi-Fi
Biz Systems VLAN
(Perdue Level 4)
UC VLAN
FAN
OPC, Admin PC Env Operator Corporate BYOD UC
FAN DCS DCS Sensor Edge HMI or Cell/Zone PC or PC or PC or
I/O I/O Mesh Compute Control Historian Devices
SCADA Handheld Pwr Mgmt Handheld Handheld Handheld
Legend
DCS VLAN
Carpeted
(Perdue Level 1) Security Space Ethernet
Plant/Site
PAN VLAN Firewall/IPS
(Perdue Level 2) Core Network
Data Diode
Operator/DMZ VLAN Carpeted
(Perdue Level 3) Space Wi-Fi
Biz Systems VLAN
(Perdue Level 4)
UC VLAN
FAN
OPC, Admin PC Env Operator Corporate BYOD UC
FAN DCS DCS Sensor Edge HMI or Cell/Zone PC or PC or PC or
I/O I/O Mesh Compute Control Historian Devices
SCADA Handheld Pwr Mgmt Handheld Handheld Handheld
Figure 2 highlights how the plant Firewall, IPS The Cisco ASA firewall protects against
architecture can be logically segmented advanced threats while reducing
to address operational, regulatory and and data diodes complexity and cost. The ASA also
security concerns. By utilizing VLANs, Boundary protection is a requirement integrates Sourcefire IPS to deliver
differentiated services can be applied for a converged manufacturing network. integrated threat defense across the entire
to equipment of common capability. For OT teams typically desire isolation attack continuum, including “out-of-the-
example, equipment belonging to the between cells/zones/stages of the box” support for common protocols used
same Perdue Level 1 group would be manufacturing floor, whether as a security by GE devices, and is extensible to support
connected to the same VLAN plant-wide. or operational boundary. However, custom industrial protocol definitions. The
“East-West” communication among the isolation cannot accommodate the need ASA can be deployed in a stand-alone
members of this group is guaranteed, to collect, aggregate, analyze and utilize configuration—with separate boxes at
while “North-South” communication can manufacturing data for business and every layer—as shown in figure 3. The
be restricted through various methods logistics needs. Using firewalls and other ASAs protect and limit traffic between
(detailed later). security appliances provides connectivity manufacturing VLANs.
while at the same time protecting
manufacturing assets.
DCS VLAN
(Perdue Level 1)
PAN VLAN
(Perdue Level 2)
Operator/DMZ VLAN
(Perdue Level 3)
UC VLAN
Data Diode
The ASA can also be deployed in multiple firewall appliance trunked into the core
context modes, as shown in figure 4. In switches as shown in figures 1 and 2.
this model, an ASA appliance is logically There are some manufacturing use
separated into multiple virtual firewall/ cases that require data diodes to
IPS instances. Each virtual instance has its guarantee one-way data transfer (from
own independent configuration and has no the machine to higher-level software).
awareness of or dependence on any other Whereas neither Cisco nor GE make data
firewall or IPS instance running on the diodes, our reference network model for
same hardware. Using multiple contexts, manufacturing certainly supports them, as
it is possible to use a single high-scale ASA seen in figures 3 and 4.
Identity networking The technician’s system should be Identity Services Engine (ISE) and 802.1X
recognized as unauthorized to connect on network infrastructure, differentiated,
Modern plant operations require to any port on the network other than identity-based connectivity can be
identifying the right person on the right the service port for the machine. achieved.
device on the right network at the right
time. Service access ports for machines Conversely, an administrator using a ISE provides a rules-based, attribute-
are an example of this. When a technician corporate-owned computer, up to date driven policy model for creating flexible
enters the plant to fix a problem, the on all security software and using the and business-relevant access control
technician’s PC should not be given correct credentials, should be allowed policies. It provides the ability to create
unfettered access to the network — just to to connect to any network (wired or via fine-grained policies by pulling attributes
the machine in question. Wi-Fi) and access any system. Using Cisco from predefined dictionaries.
UC VLAN
VLAN Trunk
Factory Operations
ISE
IE Switch
Machine/Process
User
Sensor Engineer AP PLC
::::74:CE (Sally) ::::AF:03
WAP
Nexus 9K
These sources include information about The example in figure 5 shows how ISE can For example, Sally the Engineer may
user and endpoint identity (e.g., GE PLCs), be used to provide differentiated access be assigned to the Office VLAN using
role-based security, posture validation, on a plant floor. The ISE configuration her PC, but may be assigned to the PAN
authentication protocols, location or other has user Sally the Engineer assigned to VLAN when connecting via Wi-Fi using a
external attributes from Active Directory, the Office VLAN based on her credentials corporate-controlled handheld device on
LDAP, RADIUS, RSA OTP and certificate and devices used, while the GE PLC with the shop floor.
authorities. GE Software products MAC address :::AF:03 is assigned to the
feature S95-standard data models with DCS VLAN. As users / devices attempt to
the ability to identify accessibility to connect, ISE is consulted and the network
equipment, certification requirements, infrastructure assigns VLANs accordingly.
and system / capability access. A Furthermore, ISE can be configured for
manufacturing enterprise could use these conditional connectivity.
data models as a baseline reference for its
ISE policy.
Operator/DMZ VLAN
(Perdue Level 3) Network Core
Biz Systems VLAN
(Perdue Level 4)
UC VLAN
VLAN Trunk
Switch
IE Switch
WLC5508
ASA Firewall
Machine/Process
User
Office/Carpeted Space Leaf Architecture Shop Floor Standard Leaf Architecture
Video
Surveillance
WAP
Shop Floor Ring or Linear Chain Topology
Nexus 9K
Encryption support DNS/DHCP (e.g., devices where Chain Topology” may have the identical
the IP address is set through dip switches). hard-coded IP address. They may have
Data encryption is a good practice in most In other cases, the traditional convention both been put on this VLAN during a
industries, but is mandated in regulatory- dictates that hard-coded IP addresses are retooling of the shop floor. Normally,
controlled environments such as more reliable because they do not require the IP address conflict would cause
U.S. Export Control. There are multiple upper-level services. communication challenges or failures
methods for encrypting data at rest (OS- to both machines, but administrators
level encrypted volumes for example). Until DNS / DHCP is considered robust
enough for industrial applications, can enable the L2 NAT feature on the
Similarly, data in flight can be encrypted IE switches to have one or both of the
through multiple methods. Cisco offers administrators must design around their
absence. Figure 6 shows a more detailed machines translated to a new address to
link-layer, hop-by-hop encryption (e.g., resolve conflicts and ease deployment of
MACsec for Ethernet or WPA for wireless), physical-level representation of the plant
network described in figures 1 through the GE control system more quickly.
as well as end-to-end encryption (e.g.,
IPSEC VPN). IPSEC is particularly useful for 4. The overall architecture is spine-leaf Similarly, both the DCS VLAN and the PAN
long-haul (WAN) data integrity to address or collapsed-core, with traditional Cisco VLAN may be using the same subnet for
regulatory and corporate policy needs. switches servicing office space and Cisco historical reasons at a particular factory.
Industrial Ethernet (IE) switches on the For example, both may be 192.168.1.0/24
plant floor. network. Again, using NAT on the
IP address reuse As described earlier, VLANs for common network infrastructure can translate the
processes / capabilities span the entire subnet to a new address range if
In industrial networks, the task of
infrastructure. The machine on the DCS necessary. Another method, connected
assigning and reassigning IP addresses
VLAN in the “Shop Floor Standard Star routing, can also be employed to work
can be very cumbersome, as few industrial
Topology” and the machine on the DCS around the overlapping range problem.
applications use DNS or DHCP. In some
cases, equipment is literally too old to VLAN in the “Shop Floor Ring or Linear
VLAN Trunk
Switch
IE Switch
WLC5508
ASA Firewall
Machine/Process
User Office/Carpeted Space Leaf Architecture Shop Floor Standard Leaf Architecture
WAP
Nexus 9K
Contacts
GE: ge.com/digital/contact
Cisco: cisco.com/go/offices
Imagination at work
GE Intelligent Platforms, Inc. is a subsidiary of the General Electric Company. The GE brand and logo are trademarks of the General Electric Company.
© 2015 GE Intelligent Platforms, Inc. Microsoft, Windows and Excel are registered trademarks of Microsoft Corporation. PCI Express is a registered
trademark of PCI-SIG. CompactPCI is a registered trademark of the PCI Industrial Computer Manufacturers Group. ExpressCard is a trademark of
PCMCIA. All other trademarks are the property of their respective owners.
IND029-R102313