© 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.
Manufacturing & IT Network Convergence
Bryce Barnes - Cisco Systems, Vertical Solution Architect - Manufacturing
Gregory Wilcox - Rockwell Automation, Networks Business Development Manager
Reference Architectures for Manufacturing
Cisco At A Glance
• Annual Sales: $40 billion
• World Headquarters: San Jose, California
• Trading Symbol: CSCO
• Employees: About 67,000
• Global Presence
• R&D: $4.5 Billion Annually
The world leader in networking for Internet, Enterprise, Home, and Industry… Changing the way people work, live, play, and learn
Rockwell Automation At A Glance
• Annual Sales: $5.5 billion
• World Headquarters: Milwaukee, Wisconsin, USA
• Trading Symbol: ROK
• Employees: About 20,000
• Serving customers in 80+ countries
Leading global provider of industrial automation control and information solutions
Manufacturing and Enterprise Network Convergence
[Figure: Business Enterprise Systems (suppliers, customer demand) and Manufacturing Plantwide Systems joined through Supply Chain Integration and Flexible Manufacturing.]
Lower Total Cost of Ownership | Faster Time to Market | Better Asset Optimization | Broader Risk Management
Manufacturing Network Convergence: Convergence of Control and Information
[Figure: two network models side by side. Traditional - 3 Tier Manufacturing Network Model: Corporate Network with Back-Office Mainframes and Servers (ERP, MES, etc.) and Office Applications, Internetworking, Data Servers, Storage; a Control Network Gateway; Supervisory Control and Human Machine Interface (HMI); Controller; Sensors and other Input/Output Devices; Motors, Drives, Actuators; Robotics. Converged Ethernet Manufacturing Network Model: the same corporate, supervisory, control and device layers (ERP/MES servers, office applications, Supervisory Control, HMI, Controller, Sensors and I/O, Motors, Drives, Actuators, Robotics) on a single Ethernet network.]
Manufacturing and Enterprise Network Convergence
• Manufacturing Network Requirements
– Industrial Protocols
– Topologies, Resiliency & Industrial Environments
– Determinism, Latency, Jitter, etc.
– Motion Control & Safety
– IP Addressing - static
• Enterprise Network Requirements
– High Availability
– Determinism, Latency, Jitter, etc.
– Voice, Video, Data applications
– Security
• Network Design & Management
– Ease of use
– Reference models & network designs
Cultural and Organizational Convergence
Security Policies | IT Network | Controls Network
Focus | Protecting Intellectual Property and Company Assets | 24/7 Operations, High OEE
Priorities | Confidentiality, Integrity, Availability | Availability, Integrity, Confidentiality
Types of Data Traffic | Converged Network of Data, Voice and Video | Converged Network of Data, Control, Information, Safety and Motion
Access Control | Strict Network Authentication and Access Policies | Strict Physical Access, Simple Network Device Access
Implications of a Device Failure | Continues to Operate | Could Stop Operation
Threat Protection | Shut Down Access to Detected Threat | Potentially Keep Operating with a Detected Threat
Upgrades | ASAP, During Uptime | Scheduled During Downtime
Cultural Convergence – Common Tools
• Device Manager
• Command Line Interface
• Cisco Network Assistant
• RSLogix 5000, Add-on Profile
• FactoryTalk View, Faceplates
Cisco and Rockwell Automation, working together
To-Date:
• Common Technology View
– Board members of ODVA; active in ISA security and wireless committees
– Support use of open, unmodified standards, with intelligent networking features in automation networks through ODVA, ISA and others
• Collaborating on Reference Architectures
– Available now, free for download
– Tested and validated design and implementation guidance and best practices for a converged network architecture
• People and Process Optimization
– Educational seminars, white papers and events
– Develop process guidelines to help with convergence, facilitate training and dialogue between IT and Manufacturing
• Joint Product Collaboration
– Stratix 8000™ switches: industrial Ethernet switches incorporating the best of Cisco and the best of Rockwell Automation
[Figure: logical framework of zones and levels. Enterprise Zone: Level 5, Enterprise Network (router); Level 4, Site Business Planning and Logistics Network (E-Mail, Intranet, etc.). DMZ, bounded by a firewall on each side: Terminal Services, Patch Management, AV Server, Historian Mirror, Web Services Operations, Application Server; Web and E-Mail traffic crosses here. Manufacturing Zone: Level 3, Site Manufacturing Operations and Control (FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Domain Controller). Cell/Area Zone: Level 2, Area Supervisory Control (FactoryTalk Clients, Operator Interfaces, Engineering Workstation); Level 1, Basic Control (Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control, communicating over CIP); Level 0, Process (Sensors, Drives, Actuators, Robots).]
Reference Architectures for Manufacturing
• A set of tested and validated design and implementation best practices
• Common reference and common language for IT and manufacturing
• Education Series
“With this implementation guide, for the first time IT and manufacturing professionals can share a common document for planning a converged IP network including the factory floor and automation equipment.”
– Harry Forbes, ARC Advisory Group
Approach to Industrial Ethernet Network Designs
• Understand application and functional requirements
– Devices to be connected
– Communication patterns, resiliency requirements
– Types of traffic: Safety, Motion control, etc.?
• Develop a logical framework: define zones
– Place applications and devices in the framework based on requirements
• Define segmentation
• Determine security requirements
Manufacturing Framework
No Direct Traffic Flow from Enterprise to Manufacturing Zone
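The design approach above (define zones, place devices, define segmentation, determine security requirements) and the framework rule that no traffic flows directly between the Enterprise Zone and the Manufacturing Zone can be checked mechanically once the zones are tied to an address plan. The following is an added example, not code from the presentation or from Cisco or Rockwell Automation: it models the four zones, evaluates an ordered firewall rule set with first-match semantics and an implicit deny, and flags every permitted flow that would bypass the DMZ. The address plan, the rule sets and the service list are constructed for the example; TCP 44818 and UDP 2222 are the standard EtherNet/IP (CIP) ports.

```python
"""Zone-policy audit for the Enterprise / DMZ / Manufacturing / Cell-Area framework.

Added example (constructed data). Every permitted cross-zone flow must terminate
in the DMZ; a permitted flow with the Enterprise Zone on one side and a plant-side
zone on the other is reported as a violation.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import permutations
from typing import Optional

# Constructed address plan: one prefix per zone (assumption for the example).
ZONES = {
    "enterprise":    ip_network("10.0.0.0/16"),   # Levels 4-5
    "dmz":           ip_network("10.10.0.0/24"),
    "manufacturing": ip_network("10.20.0.0/16"),  # Level 3
    "cell_area":     ip_network("10.30.0.0/16"),  # Levels 0-2
}
PLANT_SIDE = {"manufacturing", "cell_area"}

# Services used as probes: (protocol, destination port).
SERVICES = [
    ("tcp", 3389),   # remote desktop to a DMZ terminal server
    ("tcp", 443),    # web services / historian mirror replication (assumed port)
    ("tcp", 44818),  # EtherNet/IP explicit messaging (standard CIP port)
    ("udp", 2222),   # EtherNet/IP implicit I/O (standard CIP port)
]


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" (any protocol)
    src: str                    # source prefix, CIDR notation
    dst: str                    # destination prefix, CIDR notation
    dport: Optional[int] = None  # None matches any destination port


def zone_of(ip: str) -> str:
    """Name of the zone whose prefix contains ip, or 'unknown'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    return (rule.proto in ("ip", proto)
            and ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.dport in (None, dport))


def decide(rules, proto, src, dst, dport) -> str:
    """First matching rule wins; no match means deny (implicit deny)."""
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            return rule.action
    return "deny"


def probe_flows():
    """One representative host per zone, every ordered zone pair, every service."""
    host = {name: str(net[10]) for name, net in ZONES.items()}
    for src_zone, dst_zone in permutations(ZONES, 2):
        for proto, dport in SERVICES:
            yield proto, host[src_zone], host[dst_zone], dport


def audit(rules):
    """Return permitted flows that cross directly between Enterprise and plant side."""
    violations = []
    for proto, src, dst, dport in probe_flows():
        if decide(rules, proto, src, dst, dport) != "permit":
            continue
        zones = {zone_of(src), zone_of(dst)}
        if "enterprise" in zones and zones & PLANT_SIDE:
            violations.append((proto, zone_of(src), zone_of(dst), dport))
    return violations


# Rule set following the DMZ pattern: each side talks only to DMZ hosts.
DMZ_RULES = [
    Rule("permit", "tcp", "10.0.0.0/16", "10.10.0.0/24", 3389),
    Rule("permit", "tcp", "10.0.0.0/16", "10.10.0.0/24", 443),
    Rule("permit", "tcp", "10.20.0.0/16", "10.10.0.0/24", 443),
    Rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]

# The same rule set with a catch-all permit inserted ahead of the final deny,
# the shape a "temporary" shortcut for remote programming usually takes.
SHORTCUT_RULES = DMZ_RULES[:-1] + [
    Rule("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),
    Rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]

if __name__ == "__main__":
    print("DMZ rule set violations:", audit(DMZ_RULES))
    for flow in audit(SHORTCUT_RULES):
        print("direct Enterprise/plant flow permitted:", flow)
```

The probe set is deliberately small (one host per zone, four services), which is enough to catch ordering mistakes such as a broad permit placed before the explicit deny; a DMZ-to-Manufacturing flow such as historian mirroring is not flagged, because the framework only forbids flows that skip the DMZ.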
Reference Architectures for Manufacturing
[Figure: reference architecture. Enterprise Zone (Levels 4 and 5) connected through a Demilitarized Zone (DMZ) built on an active/standby firewall pair with a Gbps link for failover detection; Manufacturing Zone (Level 3) with a Layer 3 router and a Layer 3 switch stack; Cell/Area Zone (Levels 0-2) with Layer 2 switches, controllers, drives, HMIs and distributed I/O in three topologies: Cell/Area #1 (redundant star), Cell/Area #2 (ring), Cell/Area #3 (bus/star). Server roles shown: Windows 2003 servers (remote desktop connection, VPN); FactoryTalk application servers (View, Historian, AssetCentre, Transaction Manager); FactoryTalk Services Platform (Directory, Security); data servers; network services (DNS, DHCP, syslog server, network and security management).]
• Design guidance
– Methodology built on Industry Standards
– Best practices and recommendations
– Documented configuration settings
– Tested with Industrial Applications
– Cisco “Validated” network design
• “Future-ready” network foundation
– CIP Safety, CIP Sync, CIP Motion
– Voice, Video
Manufacturing and Enterprise Security Design
• Physical Security – limit physical access to authorized personnel: areas, control panels, devices, cabling, and control room – escort and track visitors
• Network Security – infrastructure framework – e.g. firewalls with intrusion detection and intrusion prevention systems (IDS/IPS), and integrated protection of networking equipment such as switches and routers
• Computer Hardening – patch management, antivirus software as well as removal of unused applications, protocols, and services
• Application Security – authentication, authorization, and audit software
• Device Hardening – change management and restrictive access
[Figure: defense-in-depth layers (Physical, Network, Computer, Device, Application) with Perimeter Enforcement at the boundary.]
Manufacturing and Enterprise Security Design
Security Services Must Not Compromise Operations of the Cell/Area Zone
[Figure: security controls mapped onto the zone model. Enterprise and DMZ (Cisco ASA 5500 firewalls, Cisco Catalyst 6500/4500): Standard DMZ Design Best Practices, VLANs, ACLs, Firewall, IPS; Web, Application and Database Servers; Backup Historians. Level 3, Site Manufacturing Operations and Control: Network Infrastructure Protection, ACLs; FactoryTalk Service & Application Security; security management with CS-MARS, CSA, ASDM and CSAMC. Levels 0-2 (Process, Basic Control, Area Supervisory Control) on a Cisco Catalyst 3750 StackWise switch stack with HMI (FactoryTalk View), PAC, drives and distributed I/O: Layer 2 Security, Port Security; Controller Hardening; Physical Security; VLANs segmenting Domains of Trust.]
• Comprehensive Network Security Model for Defense in Depth - Security is not a bolt-on component
– Manufacturing Security Policy
– Demilitarized Zone
– Firewalls to defend the manufacturing edge
– Protect the interior
– Endpoint Hardening
– Segment into Domains of Trust
– Physical Security
– Security Management, Analysis, & Response
– Remote/Guest Access Policy, with robust & secure implementation
Best Practices for Network, Technology and Cultural Convergence
• IT and Manufacturing collaboration on
– System architecture design
– Service and support models
– Manufacturing Security Policy
• Standardization of design & technology
• Consult reference architectures & standards
– Network Segmentation
– Domains of Trust
• Communicate to IT what protocols and services are being used
– TCP/UDP, Managed/Unmanaged switches, Multicast, IP addressing, VLANs, QoS?
• Communicate to Manufacturing the needs of IT
• Emergence of Manufacturing IT
An open, two-way dialog is critical!