
1. INTRODUCTION

1.1. PURPOSE OF THIS DOCUMENT

This document is intended to provide an overview for the implementation of the
network system, including connectivity integration, for the Teluk Lamong SCADA
Network.

1.2. SCOPE OF THIS DOCUMENT

This FDS document will be submitted as the network design of the IT Network for
the Teluk Lamong SCADA Network System.

REFERENCES
LTG-PGAS-0000-SCD-SP-001 Kerangka Acuan Kerja
LTG-PGAS-0000-SCD-SP-002 Spesifikasi System SCADA
LTG-PGAS-0000-INS-LI-007 System Architecture
XXXX Manual HP
YYYY Manual NUC Intel

1. ABBREVIATIONS

ADE  Advanced Database Editor
AES  Advanced Encryption Standard
AOR  Area of Responsibility
ACL  Access Control List
ATM  Asynchronous Transfer Mode
ADS  Active Directory Service
AI   Analog Input
AO   Analog Output
BCP  Business Continuity Plan
CPU  Central Processing Unit


2. FUNCTIONAL DESCRIPTION

2.1. SOLUTION OVERVIEW

What happens if a failure occurs within the networked automation and control
infrastructure, resulting in a sudden and unexpected production stoppage? For
most companies, the time, effort, and costs associated with recovery, repairs,
and restarting the line after a sudden outage are significant, and in some
businesses the costs can be astronomical. Whether a plant is involved in
discrete or process operations, ensuring that production runs smoothly and
uninterrupted is critical to the bottom line.

Network redundancy is like an insurance policy for industrial networks. Acting
as a quick-response backup system, the goal of network redundancy is to mitigate
the risk of unplanned outages and ensure continuity of operation by instantly
responding to and reducing the effects of a point of failure anywhere along the
critical data path. When you consider the direct and indirect costs of unplanned
downtime, it becomes clear that making the investment in network redundancy is a
smart strategy.

2.1.1 Network redundancy reduces risk and downtime for SCADA

Network redundancy works by creating multiple data paths within a network,
between any and all locations. If a cable, switch, or router suddenly fails,
another pathway will be available to maintain the communication flow. Redundant
systems deliver significant value in a host of industrial applications and are
especially essential to:
1. Process industries operating 24/7 such as metals, pulp and paper,
water/wastewater
2. Food and beverage and pharmaceutical plants and some manufacturing in which
regulations demand constant data monitoring and precise process control
recordkeeping
3. Industries where one process depends on the output of another and production
stoppage directly impacts downstream and sometimes upstream operations
4. Any plant where an interruption or outage may lead to significant product
damage, scrap, spoilage, or waste

2.2. TELUK LAMONG NETWORK DESIGN TOPOLOGY

Layer 2 and layer 3 network technology will be implemented on the above network
design. VLANs will be configured on each switch to segment the network
virtually, VTP (VLAN Trunking Protocol) will manage VLAN assignment, and
Spanning Tree will prevent layer 2 loops. OSPF (Open Shortest Path First) and
STP (Spanning Tree Protocol) will be used to handle redundancy and the routing
process.

2.2.1. Routing Protocol

A dynamic router is a router whose paths are formed automatically by the router
itself, in accordance with the configuration made. If there is a topology change
between networks, the router will automatically create a new path. Dynamic
routing is a routing protocol used to discover networks and to update the
routing tables on routers.

In the Teluk Lamong Network, dynamic routing is the best solution because one
router is the centre for controlling data traffic between each switch. Dynamic
routing can update routes by distributing information through the best path; the
dynamic routing protocol used is RIP. Routing Information Protocol (RIP) is a
dynamic routing protocol which uses hop count as its routing metric to find the
best path between the source and the destination network. It is a distance
vector routing protocol with an AD (administrative distance) value of 120, and
it works on the application layer of the OSI model.

When there is a change in the network, the router does not necessarily change
the entry in the routing table immediately. A certain amount of time is required
before the entries in the routing table change. The time needed from the moment
the network changes until the route entry changes in the routing table is called
the convergence time. The shorter the convergence time, the better the stability
of the network, because until convergence is reached there are invalid route
entries, so sending packets from one host to another host on a different network
will fail.

2.2.2. Firewall
A firewall is a network security device, either hardware or software based,
which monitors all incoming and outgoing traffic and, based on a defined set of
security rules, accepts, rejects or drops that specific traffic.
Accept : allow the traffic
Reject : block the traffic but reply with an “unreachable error”
Drop : block the traffic with no reply

A firewall establishes a barrier between secured internal networks and an
outside untrusted network, such as the Internet.

The Hillstone Firewall is a Next Generation Firewall (NGFW). NGFWs are being
deployed these days to stop modern security breaches such as advanced malware
attacks and application layer attacks. An NGFW provides Deep Packet Inspection,
Application Inspection, SSL/SSH inspection and many other functionalities to
protect the network from these modern threats.

During network communication, a node transmits a packet that is filtered and
matched against predefined rules and policies. Once matched, the packet is
either accepted or denied.

Packet filtering checks source and destination IP addresses. If both IP
addresses match the rule, the packet is considered secure and verified. Because
the sender may use different applications and programs, packet filtering also
checks the source and destination protocols, such as User Datagram Protocol
(UDP) and Transmission Control Protocol (TCP). Packet filters also verify source
and destination port addresses.

2.2.3. Redundancy
Implementing a network redundancy strategy will depend on many factors, largely
dictated by the application and the existing network topology: the physical
layout, the location of systems, processes and devices, and the way the cabling
infrastructure is run. Certain redundancy methodologies are better suited to one
system configuration than another.

Typically, network redundancy is achieved through the addition of alternate
network paths, which are implemented through redundant standby routers and
switches. When the primary path is unavailable, the alternate path can be
instantly deployed to ensure minimal downtime and continuity of network services.

On the Teluk Lamong network, the router manages communications for switch
network A and switch network B. By default, communication occurs on network A;
when network A cannot be used, SCADA can run normally using network B.
Each device requires a minimum of 2 Ethernet cards to operate on the redundant
network: Eth1 for network A and Eth2 for network B.

2.2.4 Trunking Port

A trunk port is a port that is assigned to carry traffic for all the VLANs that
are accessible by a specific switch, a process known as trunking. Trunk ports
mark frames with unique identifying tags, either 802.1Q tags or Inter-Switch
Link (ISL) tags, as they move between switches. Therefore, every single frame
can be directed to its designated VLAN.
An Ethernet interface can either function as a trunk port or as an access port,
but not both at the same time. A trunk port is capable of having more than one
VLAN set up on the interface. As a result, it is able to carry traffic for
numerous VLANs at the same time.

2.3. NETWORK SYSTEM REQUIREMENT

2.3.1 ORU AREA

Core Switches (G) 18E8292C1707 and (G) 18E8292C1B87 will also be used for the
backbone environment. These Core Switches are connected to all switches via a
Fiber Optic link. Router 91680A2D942E / 906 will connect to all switches by
routing. 91680A2D942E / 906 will also be configured with OSPF. OSPF will be
implemented as the routing protocol on all sites, including JETTY. The path
selection mechanism that selects Switch A as the main link and Switch B as the
backup link will also be handled by OSPF.
The network devices that will be implemented in this site are listed below:

Table 1 Device List ORU

No | Device                         | Product Number                       | Quantity (Unit)
---|--------------------------------|--------------------------------------|----------------
1  | Firewall                       |                                      | 1
2  | Router                         | 91680A2D942E/906                     | 1
3  | Core Switch                    | (G) 18E8292C1707, (G) 18E8292C1B87   | 2
4  | Access Switch for Server       | (K) 18E8294460D2, (K) 18E829445184   | 2
5  | Access Switch for Workstation  | (K) 18E8294456A6                     | 2
6  | Access Switch for SCADA PLC    |                                      | 2
7  | Access Switch for SCADA SAFETY |                                      | 2

Each device in the table will be assigned a redundant connection to (G)
18E8292C1707 and (G) 18E8292C1B87, except the CCTV Switch.
The port assignment will be the same on the (G) 18E8292C1707 and (G)
18E8292C1B87 devices; the Core switch port assignment is shown below:

Table 2 Port Assignment for each Core Switch A

No | Interface Name | Connection To                  | Description  | Interface Type
---|----------------|--------------------------------|--------------|----------------
1  | Eth1           | Router                         | Routed Port  | GigabitEthernet
2  | Sfp1           | Access Switch Workstation A    | Trunk Port   | Fiber Optic
3  | Sfp2           | Access Switch Server A         | Trunk Port   | Fiber Optic
4  | Sfp3           | Access Switch SCADA PLC A      | Trunk Port   | Fiber Optic
5  | Sfp4           | Access Switch SCADA Safety A   | Trunk Port   | Fiber Optic
6  | Sfp5           | Access Switch CCTV             | Trunk Port   | Fiber Optic
7  | Sfp6           | OTB A                          | Trunk Port   | Fiber Optic
8  | Sfp7           | OTB A                          | Trunk Port   | Fiber Optic

Table 2 Port Assignment for each Core Switch B

No | Interface Name | Connection To                  | Description  | Interface Type
---|----------------|--------------------------------|--------------|----------------
1  | Eth1           | Router                         | Routed Port  | GigabitEthernet
2  | Sfp1           | Access Switch Server B         | Trunk Port   | Fiber Optic
3  | Sfp2           | Access Switch Workstation B    | Trunk Port   | Fiber Optic
4  | Sfp3           | Access Switch SCADA PLC A      | Trunk Port   | Fiber Optic
5  | Sfp4           | Access Switch SCADA Safety B   | Trunk Port   | Fiber Optic
6  | Sfp7           | OTB A                          | Trunk Port   | Fiber Optic

The general IP address allocation for this site can be seen below:

Table 3 General Switch IP address allocation

No | General IP Address Allocation | Description
---|-------------------------------|------------------------------
1  | 192.168.10.0 /26              | IP Address for Core Switch A
2  | 192.168.50.0 /26              | IP Address for Core Switch B

2.3.2 JETTY AREA

The backbone connection will handle communication between ORU and JETTY using a
12 core single mode fiber optic cable.

The network devices that will be implemented in this site are listed below:

Table 4 Device List ORU

No | Device               | Product Number | Quantity (Unit)
---|----------------------|----------------|----------------
1  | Switch SCADA Safety  |                | 2
2  | Switch CCTV          |                | 1

Each device in the table will be assigned a redundant connection to (G)
18E8292C1707 and (G) 18E8292C1B87, except the CCTV Switch.

3. NETWORK MANAGEMENT SYSTEM

The Network Management System covers each functional area in order to increase
the overall effectiveness of current management tools and practices. It also
provides design guidelines for future implementation of network management
tools and technologies. This application will be installed on the SNMP Manager.

3.1 Configuration Management System

The function of configuration management is to monitor network and system
configuration information so that the effects on network operation of various
versions of hardware and software elements can be tracked and managed. With an
increasing number of network devices deployed, it is critical to be able to
accurately identify the location of a network device. This location information
should provide a detailed description that is meaningful to those tasked with
dispatching resources when a network problem occurs. To expedite a resolution
when a network problem occurs, make certain that contact information for the
person or department responsible for the devices is available.
Naming conventions for network devices, from the device name down to the
individual interface, will be implemented as part of the configuration
standard. Configuration command parameters will be checked to avoid mismatches
or incompatibility issues.

3.2 Fault Management System

The main function of fault management is to detect, log, notify users of, and
(to the extent possible) automatically fix network problems in order to keep the
network running effectively, because a fault can cause downtime or unacceptable
network degradation.

When a fault or event occurs, a network component will often send a notification
to the network operator using a protocol such as SNMP. An alarm is a persistent
indication of a fault that clears only when the triggering condition has been
resolved. A current list of problems occurring on the network component is often
kept in the form of an active alarm list such as is defined in RFC 3877, the
Alarm MIB. A list of cleared faults is also maintained by most network
management systems.

A fault management console allows a network administrator or system operator to
monitor events from multiple systems and perform actions based on this
information. Ideally, a fault management system should be able to correctly
identify events and automatically take action, either launching a program or
script to take corrective action, or activating notification software that
allows a human to intervene appropriately (e.g. by sending an e-mail or an SMS
text to a mobile phone). Some notification systems also have escalation rules
that will notify a chain of individuals based on availability and the severity
of the alarm.

3.3 Quality of Service (QoS)

Quality of Service (QoS) is the description or measurement of the overall
performance of a service, such as a telephony or computer network or a cloud
computing service, particularly the performance seen by the users of the
network. To quantitatively measure quality of service, several related aspects
of the network service are often considered, such as packet loss, bit rate,
throughput, transmission delay, availability, jitter, etc.

In the field of computer networking and other packet-switched telecommunication
networks, quality of service refers to traffic prioritization and resource
reservation control mechanisms rather than the achieved service quality. Quality
of service is the ability to provide different priority to different
applications, users, or data flows, or to guarantee a certain level of
performance to a data flow.

Quality of service is particularly important for the transport of traffic with
special requirements. In particular, developers have introduced Voice over IP
technology to allow computer networks to become as useful as telephone networks
for audio conversations, as well as supporting new applications with even
stricter network performance requirements.

3.4 CONFIGURATION PARAMETER

This design document uses redundancy protocols and high availability connections
in the network infrastructure.

3.4.1 Router Device Configuration

The configuration below is applied on the Router device as needed.

The Router, RO-MNT-A, LAN1 configuration can be seen below:
a. Login Configuration
On the Engineering1 workstation computer, open a browser, access IP 10.10.10.1
and log in.
User : teluklamongnetwork
Password : teluklamong12345

b. Interface
In the interface configuration, the MikroTik ports are set according to the
devices connected to them, and VLANs are configured on the interfaces to create
segmentation in the Teluk Lamong network.
MikroTik SFP port 1 is set as port LAN1, connected to Distribution Switch port
SFP1.
MikroTik SFP port 2 is set as port LAN2, connected to Distribution Switch port
SFP1.
MikroTik SFP port 1 and port 2 are set as the paths for VLAN A and VLAN B.

No | Port | Connect to
---|------|-----------------------
1  | SFP1 | Switch Distribution A
2  | SFP2 | Switch Distribution B
3  | Eth1 | Firewall
4  | Eth3 | NTP Server
5  | Eth4 | Printer

c. VLAN Router Configuration

VLAN configuration makes it easier to group devices, so that IP address
assignment on all devices becomes more structured.
On the MikroTik interface, click the Interfaces menu and then click the VLAN tab.

VLAN Table List
No | VLAN         | ID  | Segment Network
---|--------------|-----|----------------
1  | VLAN_WST_A   | 30  | 192.168.30.0
2  | VLAN_WST_B   | 40  | 192.168.40.0
3  | VLAN_SVR_A   | 10  | 192.168.10.0
4  | VLAN_SVR_B   | 20  | 192.168.20.0
5  | VLAN_PCS_A   | 50  | 192.168.70.0
6  | VLAN_PCS_B   | 60  | 192.168.80.0
7  | VLAN_SIS_A   | 70  | 192.168.90.0
8  | VLAN_SIS_B   | 80  | 192.168.100.0
9  | VLAN_SIS_C   | 90  | 192.168.101.0
10 | VLAN_SIS_D   | 100 | 192.168.102.0
11 | VLAN_CCTV_A  | 30  | 192.168.50.0
12 | VLAN_CCTV_B  | 40  | 192.168.60.0
VLAN Segmentation of the Teluk Lamong Network

d. Router Rules Configuration

Rules are required to prevent or allow a specific IP address, segment or address
list from communicating with another IP address, segment or address list. Please
note that source or destination address means either a single IP address or an
address list. ! means NOT. To change the configuration, log in and go to
IP -> Firewall and click the Filter tab.

No | Action | Chain   | Source Address     | Destination Address | Protocol | Destination Port | Description
---|--------|---------|--------------------|---------------------|----------|------------------|------------
0  | Accept | Forward |                    | 192.168.105.11      |          |                  | Allow any local IP address to communicate with the NTP Server
1  | Drop   | Forward | ORU SCADA PROCESS  | !server             |          |                  | Block ORU SCADA PROCESS from accessing any IP except server
2  | Accept | Forward | ORU SCADA SAFETY   | JETTY SCADA SAFETY  |          |                  | Allow ORU SCADA SAFETY and JETTY SCADA SAFETY to access each other
3  | Accept | Forward | JETTY SCADA SAFETY | ORU SCADA SAFETY    |          |                  | Allow ORU SCADA SAFETY and JETTY SCADA SAFETY to access each other
4  | Drop   | Input   | !workstation       | 10.10.10.1          | icmp     |                  | Prevent any IP address except workstation from pinging the Router configuration IP address
5  | Drop   | Forward | JETTY SCADA SAFETY | !server             |          |                  | Prevent JETTY SCADA SAFETY from communicating with any IP address except server
6  | Drop   | Input   | !workstation       | 10.10.10.1          | tcp      | 80               | Prevent any IP address except workstation from opening the router configuration via web browser
7  | Drop   | Forward | workstation        | !server             |          |                  | Prevent workstation from communicating with any IP except server

3.4.2 Switch Device Configuration

The Core Switch, SW-DST-A, configuration can be seen below:

a. Unifi Controller Configuration

In a browser, open the IP address http://192.168.30.9 to access the Switch
settings from the Engineering1 Workstation computer.

In the settings menu, select Network and register the VLAN IDs that have
already been created on the router.

On every Switch that is already registered, set each Access Switch port that is
connected to an operational device according to the VLAN that has been created.

b. VLAN Configuration Switch

Select the Switch on which the VLAN will be configured, then select the port to
which the VLAN will be assigned.

In the profile option, select the VLAN that has already been registered in the
Unifi controller and match it to the device that will be registered on that
VLAN.
The list of Switches and the VLANs already configured on them is as follows:
Switch    | VLAN         | ID
----------|--------------|----
SW-WST-A  | VLAN_WST_A   | 30
SW-WST-B  | VLAN_WST_B   | 40
SW-SVR-A  | VLAN_SVR_A   | 10
SW-SVR-B  | VLAN_SVR_B   | 20
SW-PCS-A  | VLAN_PCS_A   | 50
SW-PCS-B  | VLAN_PCS_B   | 60
SW-SIS-A  | VLAN_SIS_A   | 70
SW-SIS-B  | VLAN_SIS_B   | 80
SW-SIS-C  | VLAN_SIS_C   | 90
SW-SIS-D  | VLAN_SIS_D   | 100
SW-CVT-A  | VLAN_CCTV_A  | 30
SW-CTV-B  | VLAN_CCTV_B  | 40
[Figure: 24-port port maps for Switch A and Switch B of the Workstation Switch,
Server Switch, PCS Switch, SIS ORU Switch and SIS Jetty Switch. Legend: VLAN
Port, TRUNK Port, Unifi Controller Port, Disabled Port.]

Disabled Port

Disabling a port serves to secure unused ports, in order to prevent
unauthorised activity.

3.4.3 Workstation Device Configuration

On the Workstation devices connected to Switches SW-WST-A and SW-WST-B for SCADA
communication control:
a. Workstation Configuration System

Hostname : WS-EWS-A
IP Address : 192.168.30.11 / 192.168.40.11
Subnet : 255.255.255.192
Gateway : 192.168.30.1 / 192.168.40.1
User Account : Engineer1 / Engineer2

Hostname : WS-EWS-B
IP Address : 192.168.30.12 / 192.168.40.12
Subnet : 255.255.255.192
Gateway : 192.168.30.1 / 192.168.40.1
User Account : Engineer1 / Engineer2

Hostname : WS-OWS-A
IP Address : 192.168.30.13 / 192.168.40.13
Subnet : 255.255.255.192
Gateway : 192.168.30.1 / 192.168.40.1
User Account : Operator1 / Operator2

Hostname : WS-OWS-B
IP Address : 192.168.30.14 / 192.168.40.14
Subnet : 255.255.255.192
Gateway : 192.168.30.1 / 192.168.40.1
User Account : Operator1 / Operator2
b. Access Admin Management
Workstation WS-EWS-A is given special access to perform admin configuration on
the MikroTik device and the firewall.

- Access Management Configuration on the Router

Administrators can disable unused services available on the router to protect
the router, and manage which IP addresses can access those services. To
configure the services, log in and go to IP -> Services.

No | Status | Service Name | Port | Allowed IP Address
---|--------|--------------|------|-------------------
0  | XI     | telnet       | -    | -
1  |        | ftp          | 23   | Any
2  |        | www          | 80   | Any
3  |        | Ssh          | 22   | 192.168.30.11, 192.168.30.12, 192.168.30.13, 192.168.30.14, 192.168.30.15, 192.168.40.11, 192.168.40.12, 192.168.40.13, 192.168.40.14, 192.168.40.15
4  | XI     | Ssl          | 443  | -
5  |        | Api          | 8728 | Any
6  |        | Winbox       | 8291 | 192.168.30.11, 192.168.30.12, 192.168.30.13, 192.168.30.14, 192.168.30.15, 192.168.40.11, 192.168.40.12, 192.168.40.13, 192.168.40.14, 192.168.40.15
7  |        | Api-ssl      | 8729 | any

X = Disabled, I = Invalid
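The filter rules of section 3.4.1 d (evaluated top to bottom, first match wins) and the IP -> Services table above together decide which router services a given host can actually reach: a service allowed from "Any" is still blocked for non-workstation hosts if an input-chain rule drops its port, and a service with no such rule is reachable from every segment. The Python model below is an added example, not part of the design document or of MikroTik's own tooling; it assumes that the named address lists (workstation, server, ORU SCADA PROCESS, ORU SCADA SAFETY, JETTY SCADA SAFETY) correspond to the /26 networks of the VLAN table as commented, since the document names the lists without giving their members.

```python
from ipaddress import ip_address, ip_network

# Address lists. ASSUMPTION: the design names these lists but does not give
# their members; they are mapped here onto its VLAN table as /26 networks.
ADDRESS_LISTS = {
    "workstation": ["192.168.30.0/26", "192.168.40.0/26"],
    "server": ["192.168.10.0/26", "192.168.20.0/26"],
    "ORU SCADA PROCESS": ["192.168.70.0/26", "192.168.80.0/26"],
    "ORU SCADA SAFETY": ["192.168.90.0/26", "192.168.100.0/26"],
    "JETTY SCADA SAFETY": ["192.168.101.0/26", "192.168.102.0/26"],
}

def rule(action, chain, src=None, dst=None, proto=None, dport=None):
    """One filter rule; None means 'any', a leading '!' means NOT."""
    return dict(action=action, chain=chain, src=src, dst=dst, proto=proto, dport=dport)

# Rules in the order of the design's filter table: the first match wins.
RULES = [
    rule("accept", "forward", dst="192.168.105.11"),                                    # 0 NTP
    rule("drop", "forward", src="ORU SCADA PROCESS", dst="!server"),                    # 1
    rule("accept", "forward", src="ORU SCADA SAFETY", dst="JETTY SCADA SAFETY"),        # 2
    rule("accept", "forward", src="JETTY SCADA SAFETY", dst="ORU SCADA SAFETY"),        # 3
    rule("drop", "input", src="!workstation", dst="10.10.10.1", proto="icmp"),          # 4
    rule("drop", "forward", src="JETTY SCADA SAFETY", dst="!server"),                   # 5
    rule("drop", "input", src="!workstation", dst="10.10.10.1", proto="tcp", dport=80), # 6
    rule("drop", "forward", src="workstation", dst="!server"),                          # 7
]

def addr_match(ip, spec):
    """spec: None (any), '!spec' (NOT), an address-list name, or an IP/CIDR."""
    if spec is None:
        return True
    if spec.startswith("!"):
        return not addr_match(ip, spec[1:])
    nets = ADDRESS_LISTS.get(spec, [spec])
    return any(ip_address(ip) in ip_network(n, strict=False) for n in nets)

def evaluate(chain, src, dst, proto=None, dport=None):
    """Action of the first matching rule in `chain`; 'accept' when nothing
    matches, because a RouterOS chain has no implicit deny."""
    for r in RULES:
        if r["chain"] != chain or not addr_match(src, r["src"]) or not addr_match(dst, r["dst"]):
            continue
        if r["proto"] not in (None, proto) or r["dport"] not in (None, dport):
            continue
        return r["action"]
    return "accept"

# IP -> Services table as listed in the design; "Any" = no allowed-from list.
WS_IPS = [f"192.168.{n}.{h}" for n in (30, 40) for h in range(11, 16)]
SERVICES = {  # name: (enabled, port, allowed-from)
    "telnet": (False, None, "Any"),  "ftp": (True, 23, "Any"),
    "www": (True, 80, "Any"),        "ssh": (True, 22, WS_IPS),
    "ssl": (False, 443, None),       "api": (True, 8728, "Any"),
    "winbox": (True, 8291, WS_IPS),  "api-ssl": (True, 8729, "Any"),
}

def service_reachable(name, src, router_ip="10.10.10.1"):
    """Effective exposure: the service is enabled, its allowed-from list admits
    src, and the input chain does not drop the connection to its port."""
    enabled, port, allowed = SERVICES[name]
    if not enabled or (allowed != "Any" and src not in allowed):
        return False
    return evaluate("input", src, router_ip, "tcp", port) == "accept"

def unrestricted_services(src="192.168.70.11"):
    """Enabled services that a non-workstation host (constructed sample: an
    ORU SCADA PROCESS address) can still reach; the finding to review."""
    return sorted(n for n in SERVICES if service_reachable(n, src))
```

Running `unrestricted_services()` shows that www is protected by rule 6 even though its allowed-from is "Any", while ftp, api and api-ssl have no matching input rule and remain reachable from every segment.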

c. Workstation Storage Management

Workstation storage uses RAID1 with a configuration of 1TB + 1TB hard disks, to
guard against data loss if one of the hard disks in use fails.

3.4.4 Server Device Configuration

a. Server Configuration System

Hostname : SV-SCD-A
IP Address : 192.168.10.11 / 192.168.20.11
Subnet : 255.255.255.192
Gateway : 192.168.10.1 / 192.168.20.1
User Account : ScadaServer1 / ScadaServer2

Hostname : SV-SCD-B
IP Address : 192.168.10.12 / 192.168.20.12
Subnet : 255.255.255.192
Gateway : 192.168.10.1 / 192.168.20.1
User Account : ScadaServer1 / ScadaServer2

Hostname : SV-OPC-A
IP Address : 192.168.10.13 / 192.168.20.13
Subnet : 255.255.255.192
Gateway : 192.168.10.1 / 192.168.20.1
User Account : OPC1

Hostname : SV--A
IP Address : 192.168.10.11 / 192.168.20.11
Subnet : 255.255.255.192
Gateway : 192.168.10.1 / 192.168.20.1
User Account : ScadaServer1 / ScadaServer2

b. Access Management

The OPC Server is given special access to connect to the Internet through the
firewall in order to perform antivirus updates.

- Access Management Configuration on the Router

To configure the NAT, go to IP -> Firewall and click on the NAT tab.

d. Workstation Storage Management

Workstation storage uses RAID5 with a configuration of 1TB + 1TB + 1TB + 1TB
hard disks, so that the SCADA data is safer and, when data loss occurs because
one of the hard disks in use fails, the hard disk can be replaced without
needing to shut down the server.
