Professional Documents
Culture Documents
Brkiot 2555
Brkiot 2555
Brkiot 2555
and Technologies
• Industrial Networking
• A Quick Introduction
• Applications and Protocols
• Products and Architectures: Wired and Wireless
• Availability and Resilience: REP, MRP and PRP
• CyberSecurity: Firewalling and ISE
• Q&A
• Recommended Resources
Agenda
• Industrial Networking
• A Quick Introduction
• Applications and Protocols
• Products and Architectures: Wired and Wireless
• Availability and Resilience: REP, MRP and PRP
• CyberSecurity: Firewalling and ISE
• Q&A
• Recommended Resources
In the beginning…
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
…then along came the
PLC…
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
…which could be “networked”
(but not with Ethernet!)
Corporate Network
Motors, Drives
Robotics
Actuators
Sensors and other
Input/Output Devices
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
Control Loops Could Not Tolerate This
Legacy 10BASE2/10BASE5 Ethernet: Lots of CSMA/CD Collisions
The reason Ethernet got a bad reputation for determinism…
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
Evolution of Ethernet
10BASE-T, Fibre and Beyond: Full Duplex Switched
Major Improvements. Add QoS, non-blocking, but still not completely deterministic…
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
A Plethora of Standards and Protocols
Familiar story – lots of “standards” everywhere
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
Agenda
• Industrial Networking
• A Quick Introduction
• Applications and Protocols
• Products and Architectures: Wired and Wireless
• Availability and Resilience: REP, MRP and PRP
• CyberSecurity: Firewalling and ISE
• Q&A
• Recommended Resources
Industrial sector ‘definitions’
Discrete is about making ‘objects’ that can be returned to
constituent parts
The final product may be produced out of single or multiple inputs
based on a Bill Of Materials.
Examples: automotive, white goods, electrical devices
Some industries may be hybrid and contain both discrete and process.
E.g. Pharmaceuticals ..
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
Industrial Networking Lexicon
Talk the OT Language
MES - Manufacturing Execution System. Collection of software..
Applications
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
Common Industrial Automation Protocols
Not exhaustive, see: http://en.wikipedia.org/wiki/List_of_automation_protocols
• CIP - Common Industrial Protocol. Application layer common to DeviceNet, CompoNet, ControlNet and EtherNet/IP
• EtherCAT - an open high performance Ethernet-based fieldbus system.
• EtherNet/IP - IP stands for "Industrial Protocol". An implementation of CIP (Common Industrial Protocol.)
• Ethernet Powerlink – a deterministic open protocol managed by the Ethernet POWERLINK Standardization Group.
• FOUNDATION fieldbus – H1 & HSE – L2 serial standard to coincide with Profibus/Modbus etc.
• HART Protocol - Used to communicate over legacy 4-20 mA analogue instrumentation wiring.
• Modbus RTU or TCP
• PROFIBUS/PROFINET – by PNO, Siemens centric.
• SERCOS – Primarily used by drive systems. Ethernet-based version is SERCOS III
• OPC – OLE for Process Control.
• CC-Link Industrial Networks, supported by CC-Link Partner Association. CC-Link IE is Ethernet based.
• DNP3 – Distributed Network Protocol. Used in large scale process networks, e.g. water and electricity.
• IEC 61850 - A standard for the design of electrical substation automation, including protocols.
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
Ethernet/IP
What is EtherNet/IP and CIP
Common Industrial Protocol
• Standard to integrate I/O control, device configuration and
data collection in automation and control systems
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
Ethernet/IP – CIP Extensions
CIP Motion
• Deterministic, Real-time,
Closed Loop Motion Control
• Full Standard Ethernet/IEEE Safety Controller
802.3 and TCP/IP HMI
Controller
Compliance
Servo Drive Safety I/O
VFD
• Uses IEEE-1588 PTP
(Precision Time Protocol)
Synchronisation I/O
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
Cisco Ethernet/IP Considerations (IE Switches)
• CIP Protocol is off by default – Must be enabled
• CIP can only be enabled on one VLAN
Switch(config)#interface vlan 20
Switch(config-if)#cip enable
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
PROFINET
The PROFIBUS Family
PROFIBUS DP PROFIBUS PA PROFINET
Decentralised Periphery Process Automation Industrial Ethernet Protocol
• Low cost, simple high speed field • Based on PROFIBUS DP • High speed, highly deterministic
level communications • Developed specifically for the networking with a “real-time” channel
• Generally designed for internal use process industry to replace 4-20mA and TCP/IP for “non-real time”
– i.e. cabinet mounted transmissions communication
• It can use different physical layers • Two-wire connection carrying both • Standard IEEE802.3 Ethernet at
such as RS-485, wireless or fibre power and data 100Mbps with copper or fibre
optics. RS-485 is most common. • Generally designed for outdoor use • Generally designed for internal use,
• Defined at L1, L2 and L7. – i.e. field mounted like PROFIBUS DP
• Support for hazardous and • It is not PROFIBUS over Ethernet!
explosive environments
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
PROFINET Defines Two Application Classes
PROFINET CBA PROFINET IO
• Component Based Automation • Connection between distributed IO Devices and
Controllers.
• Built on DCOM (Distributed Component Object Model)
and RPC (Remote Procedure Call) technologies • Defines three communication channels
• PROFINET NRT – Non-Real-Time
• Object oriented approach to communications between
distributed islands of automation • PROFINET RT – Real-Time
• PROFINET IRT – Isochronous Real-Time
• Provides a scalable architecture for dealing with
complex distributed automation and control systems • IP application protocols for configuration and
maintenance functions: DHCP, DNS, SNMP, HTTP/S
=
TCP/UDP/IP Ethernet UDP / Ethernet
Time-Sync Ethernet
Non Real-time Real-time Isochronous Real-time
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
PROFINET IO – Communication Channels
Simplified OSI Stack
• PROFINET NRT (Non Real-Time) PROFINET CBA PROFINET IO
• Response (cycle) times of typically <100ms HTTP(S), SNMP, FTP, VoIP, etc RT IRT
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
PROFINET IO – Communication Channels
Simplified OSI Stack
• PROFINET RT (Real Time or Soft Real-Time) PROFINET CBA PROFINET IO
• Cycle times of typically <10ms HTTP(S), SNMP, FTP, VoIP, etc RT IRT
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
PROFINET IO – Communication Channels
Simplified OSI Stack
• PROFINET IRT (Isochronous Real-Time) PROFINET CBA PROFINET IO
• Cycle times of up to 1ms with less than 1μs jitter HTTP(S), SNMP, FTP, VoIP, etc RT IRT
• All device clock/bus cycles synchronised
• Standard L2 Frame TCP/UDP
-adj
1. Having the same time duration; equal in time
2. Occurring at equal time intervals; having a uniform period
of vibration or oscillation
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
Cisco PROFINET Considerations
• PROFINET uses GSD file (General Station Description) to describe functions of field devices.
• GSD files are pre-installed on Cisco IE switch flash
(e.g. flash:/ie2000-universalk9-mz.150-1.EY/)
• VLAN ID = 0 VID: 0
• PCP (COS) = 6
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
Cisco PROFINET VLAN 0 Considerations
Two methods to accept VLAN 0 packets
Configure the port as a trunk, change native VLAN
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan xxx
switchport mode trunk
spanning-tree portfast trunk
interface GigabitEthernet1/0/1
switchport access vlan xxx
switchport mode access
spanning-tree portfast
switchport voice vlan xxx
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
ModbusTCP
Modbus - History
• Modicon (Schneider Electric) introduced ModbusRTU in 1979
• Development managed by Modbus Organization since 2004
• Master-slave/client-server. RS485 multi-drop network
• ModbusRTU/ASCII – Simple frame format: address, function, data
• ModbusTCP – Same frame format over TCP/IP, Port 502
• Truly open and royalty free. Widely deployed.
• Simplicity lends itself to
• Building automation
• Simple telemetry
• Low bit rate applications – e.g. O&G telemetry over UHF/VHF radio
Highly Insecure! BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
Cisco ModbusTCP Considerations
• Cisco Industrial Products (check IOS version) allow ModbusTCP client to read
certain information – Known as registers. E.g. IOS version, port statistics,
system temperature etc.
• Cannot write to any registers (i.e. make changes!)
• Enabling Modbus Server
• Switch(config)#scada modbus tcp server <port>
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
Agenda
• Industrial Networking
• A Quick Introduction
• Applications and Protocols
• Products and Architectures: Wired and Wireless
• Availability and Resilience: REP, MRP and PRP
• CyberSecurity: Firewalling and ISE
• Q&A
• Recommended Resources
Cisco IOT System Overview Fog Computing
Network Connectivity
Data Analytics
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
Industrial Compliance
General Specifications Industry Specific
• UL/CSA 60950-1 • UL 508
• EN60950-1 • CSA C22.2 No.142
Safety • CB to IEC 60950-1
• NOM to NOM-019-SCF1 • EN 61131-2 (Programmable Controllers)
And • Protective Coating
• CE Marking
Hazard • ANSI/ISA 12.12.01 (Class 1, Div 2 A-D) • Substation (IEEE 1613, IEC 61850-3)
• IEC 60079-0, -15 (Class1, Zone 2 A-D) KEMA
• EN 60079-0, -15 ATEX certification (Class I, Zone 2 A-D)* • Marine (DNV)
EMC • FCC, IEC/EN 61000-4, RoHS, World wide EMC • Railway EN 50155
• IEC 60068-2-27 (Operational Shock: 30G 11ms, half sine) • NEMA TS-2
Shock • IEC 60068-2-27 (Non-Operational Shock 55-75G, trapezoidal) • ODVA Industrial EtherNet/IP
• IEC 60068-2-6, IEC 60068-2-64 (Operational Vibration 2g@10- • PROFINETv2
and 500Hz)
• ISO-12944-6
Vibration • IEC 60068-2-6, IEC 60068-2-64 (Non-operational Vibration)
• IEC-60068-2-6
• Storage altitude: 15,000 ft (4,570 m)
• IEC 60068-52-2 (salt Fog Mist, Test Kb) Marine environments
Relative • IEC 60068-2-3
Humidity • IEC 60068-2-30
• Relative Humidity of 5% or 95% Non-condensing
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
IE SwapDrive
• “Zero-config” replacement
• Simple switch replacement in case of a failure
• No networking expertise required
• IE SwapDrive ensures fast recovery
• Files stored on the SwapDrive
• IOS Image – (tar, html) – 2 sets
• Config text
• VLAN dat
• Other devices configs
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
Device Manager – Direct Web Management
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
Wired Architecture
Converged Plant-wide Ethernet Architecture
Internet
Enterprise/IT Integration
Enterprise Network Collaboration
Levels 4–5 Wireless
Web Apps DNS FTP Application Optimisation
Patch Management, Terminal
Services, Application Mirrors,
AV Servers Gbps Link for
Application and Data share
Failover Detection Demilitarised Zone
Firewall Access Control
(Standby) (DMZ) Firewalls
Firewall
Cisco Threat Protection
(Active) ASA 5500
Manufacturing Zone Site Operations and Control
Cisco Catalyst Cisco
SCADA Application Level 3 Multi-Service Networks
6500/4500 Catalyst
and Services Servers Switch Network and Security
Cisco Cat. 3750X Distribution and Core
Network Services Management
StackWise
Switch Stack Routing
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
Built on Industry Standards
Purdue Reference Model, ISA95
Enterprise Zone Enterprise Network Level 5
Process Level 0
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
Security Framework, ISA99 / IEC 62443
Strong Segmentation
Purdue Reference Model, ISA-95
Level 5 Enterprise Network
Enterprise
Basic Control
Cell/Area
Level 1 Batch Discrete Drive Control
Continuous
Safety
Zone
Process Control
Control Control Control
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 39
Wireless Architecture
CPwE 3.5 Overall Architecture with Wireless
• Wide Area Network (WAN) Catalyst
Internet Enterprise/IT Integration
Switch
• Physical or Virtualised Servers Active Directory Fedrated Services
Collaboration
• ERP, Email ISE 34xx PAN, MnT, IPN Cisco WLC
Wireless
Cisco
• Active Directory (AD), AAA – Radius WLC Web DNS FTP
Si Si Application Optimisation
Enterprise Zone Levels 4 - 5
• Call Manager, etc. Anchor Outside
Catalyst
Patch Management Plant Firewalls: Application and Data share
2960-X
Remote Desktop Gateway Server IDMZ • Inter-zone traffic segmentation Access Control
Data Share • ACLs, IPS and IDS Threat Protection
Cisco Video Surveillance Data Share IDMZ • VPN Services – Remote Site Access
Catalyst
Application Mirror 2960-X • Portal and Remote Desktop Services proxy
AV Server Failover Industrial Demilitarised Zone
ASA 55xx-X ASA 55xx-X
FactoryTalk AssetCentre (Active) Inside
FactoryTalk View Server, Clients & View Studio
(Standby) Level 3
FactoryTalk Batch Catalyst Catalyst Site Operations
FactoryTalk Historian 2960-X 2960-X Multi-Service Networks
RSLinx Enterprise Catalyst
FactoryTalk Security Server Network and Security Management
Cisco Video Surveillance Manager 4500/6500 Routing
1588 Precision Time Protocol Service Cisco 5500 WLC
Active Directory Federated Services
Remote Access Server ISE Policy Service Node
Studio 5000
Catalyst 4500E Catalyst 3750-X
Industrial Zone
Si Real–Time Control
Fast Convergence
Traffic Segmentation and Management
IO
Ease of Use
Controller
I/O I/O
Drive Controller
AP
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
Wireless Overview
Challenges
• Half-duplex shared medium
• Only one device can transmit at a time
• Wireless coverage area cannot be precisely defined
• Site survey is required
• Signal may reach beyond the intended area
• Signal quality may change over time
• Interference sources and obstructions
• Higher latency and packet loss compared to wired Ethernet
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
Technology Overview
Choosing the Right Wireless Architecture for Industrial Automation
Unified WLAN Architecture Autonomous WLAN Architecture
• Large number of APs (>10) • Small number of APs (<10)
• Plant-wide coverage • Larger number of WGBs per AP
• Existing infrastructure, IT practices and • Stand-alone applications
security policies that call for Unified • Applications with no roaming
architecture
• WLAN is managed mostly by control
• Applications that require fast wireless engineers – lower level of expertise
roaming
• WLAN is managed jointly by IT and
control engineers – greater level of
expertise
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
RF Design Recommendations Country
examples
5 GHz Channels
No DFS DFS
U.S., 9 12
• RF survey is critical. Prolonged monitoring required. Canada,
Australia
• 5 GHz frequency band is recommended Europe 4 15
• 2.4 GHz band: 3 channels in U.S. (1, 6, 11) China 5 0
• 5 GHz band: based on regulatory domain
Just an example:
• Avoid DFS channels (Dynamic Frequency Selection) free space signal propagation
• Use channels 36-48 or 149-165 (if available) Radio sensitivity -85 dBm
• Weather / military radars cause disruption of service in other channels Transmit power 5 dBm
• If DFS channels are used, RF monitoring is required Tx / Rx antenna 4 dBi
gain
• Reserve a channel exclusively if possible Re-use distance 350 meters
(5180 MHz)
• Use static channel assignment
• Do not reuse channels for critical applications unless complete signal
separation can be reliably achieved
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
WLAN Design Considerations Traffic Type DSCP Queue
QoS Recommendations PTP event
PTP management
59
47
Voice
CIP class 0 / 1 55
• 802.11 uses statistical QoS to give preference to certain classes (I/O, P/C, Safety, Motion)
47 Video
43
of traffic 31
• Still half-duplex media: cannot transmit while someone is using the CIP class 3 (MSG, HMI) 27
Best
channel Unclassified 0
Effort
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 46
Agenda
• Industrial Networking
• A Quick Introduction
• Applications and Protocols
• Products and Architectures: Wired and Wireless
• Availability and Resilience: REP, MRP and PRP
• CyberSecurity: Firewalling and ISE
• Q&A
• Recommended Resources
Industrial Network Topologies
Cell/Area Zone Topology Options
Redundant Star Ring Star/Bus Linear
Flex Links Resilient Ethernet
EtherChannel Catalyst 3750 Stackwise Protocol (REP) Catalyst 3750 Catalyst 3750
Switches Stackwise Switches Stackwise Switches
Cell/Area Zone Cell/Area Zone Cell/Area Zone
Cisco
Catalyst 2955
HMI HMI
Controller Controllers
HMI Controllers
HMI
Source: ARC Advisory Group BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 49
Network Resiliency Protocols
Selection Is Application Driven
Resiliency Mixed Redundant Net Conv Net Conv Net Conv
Ring Layer 3 Layer 2
Protocol Vendor Star >250 ms 50-100 ms < 10 ms
STP (802.1D) X X X X
RSTP (802.1w) X X X X X
MSTP (802.1s) X X X X X
PVST+ X X X X
REP X X X
EtherChannel
X X X X
(LACP 802.3ad)
MRP (IEC 62439-2) X X X X X
Flex Links X X X
DLR
X X X X
(IEC & ODVA)
HSRP X X X X
VRRP
X X X X X
(IETF RFC 3768)
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 50
Network Resiliency Protocols
Selection Is Application Driven
Resiliency Mixed Redundant Net Conv Net Conv Net Conv
Ring Layer 3 Layer 2
Protocol Vendor Star >250 ms 50-100 ms < 10 ms
STP (802.1D) X X X X
MSTP (802.1s) X X X X X
PVST+ X X X X
Flex Links X X X
DLR
X X X X
(IEC & ODVA)
PRP (IEC 62439-3 Clause 4) X X X X X X
HSRP X X X X
VRRP
X X X X X
(IETF RFC 3768)
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
Network Resiliency Protocols
Selection Is Application Driven
Resiliency Mixed Redundant Net Conv Net Conv Net Conv
Ring Layer 3 Layer 2
Protocol Vendor Star >250 ms 50-100 ms < 10 ms
STP (802.1D) X X X X
RSTP (802.1w) X X X X X
MSTP (802.1s) X X X X X
PVST+ X X X X
REP X X X
EtherChannel
X X X X
(LACP 802.3ad)
MRP (IEC 62439-2) X X X X X
Flex Links X X X
DLR
X X X X
(IEC & ODVA)
PRP (IEC 62439-3 Clause 4) X X X X X X
HSRP X X X X
VRRP
X X X X X
(IETF RFC 3768)
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
Resilient Ethernet Protocol (REP)
Resilient Ethernet Protocol
Benefits Limitations
• Provides a fast and predictable L2 • Does not replace Spanning Tree for
convergence (50ms - fibre) even in large complex layer 2 networks (mesh, tree)
rings with high number of nodes
• Cisco proprietary
• Supported on a large range of Cisco
products, including all IE switches and • Supported on Layer 2 Trunk Ports and
CGR 2010 ESM Etherchannel only
• Very easy to configure and troubleshoot • Does not protect against dual failure in
the ring
• Co-existence with Spanning Tree (TCN
from REP to STP)
• Optimal bandwidth utilisation (VLAN
Load balancing)
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 54
Resilient Ethernet Protocol
How it Works
Segment (ID
1)
REP Segment Segment
(ID 3)
Segment
(ID 2)
Link
Edge Port Alternate Port Edge Port
Failure
• A REP segment is a chain of ports with the same segment ID. REP guarantees there is no
connectivity between two edge ports on a segment
• The ports where the segment terminates is called the Edge Ports
• Alternate port blocks traffic to prevent loops. May be any interface in the REP ring
• When all interfaces in the segment are UP, the alternate port is blocking
• When a link or switch failure occurs, the blocked port goes forwarding
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 55
REP Segment 1 - Basic Configuration
IE2000
IE2000
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 57
Media Redundancy Protocol (MRP)
Media Redundancy Protocol - MRP
MRC MRC
MRM MRM
MRC MRC
MRC MRC
MRC MRC
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 61
Switch(config)# license right-to-use activate mrp-client
Cisco MRP Configuration Switch(config)# license right-to-use activate mrp-manager
interface FastEthernet1/1
switch mode access
mrp ring 1 Global: mrp ring 1
mode client
profile 200ms
interface FastEthernet1/2 vlan-id
switch mode access domain-ID
MRP Ring mrp ring 1 domain-name
Interface FastEthernet1/1
switch mode access
mrp ring 1
Interface FastEthernet1/2
switch mode access
mrp ring 1
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Parallel Redundancy Protocol (PRP)
PRP Overview
• Parallel Redundancy Protocol: IEC 62439-3 Clause 4
• Two versions so far: PRP-0 (2010) and PRP-1 (2012) and they are not
compatible. Cisco supports PRP-1
• Two independent and arbitrary LANs must exist (any topology)
• Two copies of each packet are delivered over these LANs
• Seamless switchover and recovery in case of single LAN failure
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 64
Parallel Redundancy Protocol
Benefits Limitations
• Zero packet loss when single LAN fails • Double of network components and
cost…
• Designed for mission critical applications
• More complex design
• Supports any network topology: tree,
mesh, ring, etc
• Allows devices that are not PRP aware
• Transparent to upper layer protocols and
applications (ARP, DHCP, TCP/IP, etc)
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 65
PRP Terminology
• SAN — Singly Attached Node,
connected to only one LAN
• DAN — Double Attached Node
implementing PRP, connected to
both LANs
• RedBox — Redundancy Box,
connected to both LANs, a special
DAN, proxy of SANs connected to
it
• VDAN —Virtual DAN, SAN
connected to RedBox
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 66
PRP – How it works
• A PRP network is effectively two similar
LAN’s
• Arbitrary topologies and designs
• DANs are responsible for duplication and
de-duplication of packets onto both LANs
• De-duplication is done at the Link-Layer
• STP/RSTP/REP can be implemented on the
LANs in conjunction with PRP
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 67
Communications between Nodes
• A SAN can communicate with a SAN
attached to the same LAN but not to
a SAN attached to different LAN
• A SAN can communicate with DAN
or VDAN
• A DAN is supposed to send only one
copy of a frame to a SAN
• RedBox is supposed to send only
one copy of a frame from a VDAN to
a SAN through either LAN A or B,
but not both
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 68
Considerations on Cisco IE Switches
• Supported on IE2000(U), IE4000, IE4010 and IE5000
• Switches act as RedBoxes and PRP only supported on uplinks
• On IE2000, only supported on 8 and 16 port models
• Configuration creates a port-channel which represents connections to LAN A+B
• Not tested with 3rd party RedBoxes
• CDP/LLDP must be disabled on PRP interface
• PRP increases the frame size. Must configure all switches on LAN A and B to
support MTU size of at least 1536 bytes
• Switch(config)#system mtu 1536 - for all ports
• Switch(config)#system mtu jumbo 1536 - For just Gig ports
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 70
IE 4000 PRP Example RedBox
VDANs
interface
GigabitEthernet0/1
switchport
VDANs
switchport mode access
switchport vlan 2 system mtu 1536
no ptp enable system mtu jumbo 1536
no cdp enable RedBox RedBox
prp-channel-group 1
LAN A LAN B
interface DANs
GigabitEthernet0/2
switchport
switchport mode access IE4000 as RedBox also
switchport vlan 2 extends PRP benefits to
no ptp enable Protection Relays or Servers
no cdp enable without PRP functionalities
prp-channel-group 1
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 71
Agenda
• Industrial Networking
• A Quick Introduction
• Applications and Protocols
• Products and Architectures: Wired and Wireless
• Availability and Resilience: REP, MRP and PRP
• CyberSecurity: Firewalling and ISE
• Q&A
• Recommended Resources
A Renewed Focus on Security
Why Must IoT and OT Security Change?
400 14
350 12
300
10
250
8
Vulns
200
Stux News
6
Black Hat
150
4
100
50 2
0 0
2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014
350 12
300
10
Trends in
250
discovery and 8
Vulns
correlation with 200
Stux News
external events. 6
Flame
Black Hat
150
Shamoon
4
100
Duqu
50 2
0 0
2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 75
A Renewed Focus on Security
The Problem with SCADA / DCS Runs Deep…
• An ICS-CERT advisory released Apr 14 identifies vulnerability on Vendor X’s
products
• Product has FTP backdoor allowing unauthenticated access allowing attacker to
crash device and run arbitrary code.
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 76
A Renewed Focus on Security
The Problem with SCADA / DCS Runs Deep…
• An ICS-CERT advisory released Apr 14 identifies vulnerability on Vendor X’s
products
• Product has FTP backdoor allowing unauthenticated access allowing attacker to
crash device and run arbitrary code.
• From the advisory:
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 77
A Renewed Focus on Security
The Problem with SCADA / DCS Runs Deep…
• And from the Mitigation section (paraphrased):
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 78
A Renewed Focus on Security
The Problem with SCADA / DCS Runs Deep…
• And from the Mitigation section (paraphrased):
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 79
Example - Compressor
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
How do we Implement Industrial Cyber Security?
Follow ISA99 / IEC 62443 Security Guidelines
Recommends:
Documented Controls Security Policy
Physical Security
http://isa99.isa.org/ISA99%20Wiki/Home.aspx BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 82
Industrial Security - ISA 3000
• Industrial, Energy, Marine, Railway • DIN Rail mounting with optional Rack
Compliance Mounting
• Services include Firewall, VPN and • Connectors: Management Interface (RJ45
SourceFire IPS, DHCP, and NAT and USB); Power supports 24-12 AWG;
Factory Reset
• Two Configurations
• Copper: 4x10/100/1000BaseT; • Thermals: -40C to 60C no airflow; -40C to
2x10/100/1000BaseT 70C with 40LFM; -34C to 74C with 200LFM
• Fiber: 2x1GbE (SFP)
• Hazloc with nA protection
• LED scheme is OT Ready
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 83
Security Architecture
Level 5
Enterprise Network
First Stage –
Enterprise
Secured Connectivity
Site Business Planning & Zone
Level 4
Logistics Network
E-Mail, Intranet, etc.
Zone Segmentation
Controlled Conduits
Terminal Server RDP Server App Server Patch Mgmt. DMZ
Second Stage –
Site Manufacturing Operations
Secured Visibility &
FactoryTalk FactoryTalk Engineering Domain and Control Manufacturing
Level 3 App Server Directory Workstation Controller
Zone Control
FactoryTalk Engineering HMI Magelis Operator Area Supervisory Control
Application Control
Level 2 Client Workstation HMI Interface
Threat Control
Level 1 Batch Discrete Drive Continuous Safety Basic Control
Cell/Area Third Stage –
Control Control Control Process Control Zone
Control Converged Security
& Depth
Level 0 Sensors Drives Actuators Robots Process
Stratix
Firewall(ISA 3000) used to filter traffic within or 5700
between Cell/Area Zones.
Stratix Stratix
ISA3000 ISA3000
5900 5900
Machine #1 Machine #2
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 85
Summary
In Summary
We’ve discussed…
• Industrial Networking Basics
• Convergence, IP everywhere
• Industrial Protocols
• Ethernet/IP, PROFINET, ModbusTCP
• Design Considerations
• Wired and wireless considerations
• Redundancy Mechanisms (REP / MRP)
• Security
• Follow published industrial standards
• Use Cisco embedded security features as 1st step
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 87
Agenda
• Industrial Networking
• A Quick Introduction
• Applications and Protocols
• Products and Architectures: Wired and Wireless
• Availability and Resilience: REP, MRP and PRP
• CyberSecurity: Firewalling and ISE
• Q&A
• Recommended Resources
Q&A
Complete Your Online Session Evaluation
• Please complete your Online
Session Evaluations after each
session
• Complete 4 Session Evaluations &
the Overall Conference Evaluation
(available from Thursday) to receive
your Cisco Live T-shirt
• All surveys can be completed via
the Cisco Live Mobile App or the
Don’t forget: Cisco Live sessions will be available
Communication Stations for viewing on-demand after the event at
CiscoLive.com/Online
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 90
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 91
Recommended Resources
• Converged Plant-Wide Ethernet DIG
BRKIOT-2555 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 92
Thank You