Segmenting Networks for Security

Historically, there has been little convergence between manufacturing and enterprise in the plant network. Instead, there are multiple, separate networks – one network may run fieldbus protocol at the device level, another network may run ControlNet protocol for machine-to-machine communications, while a third protocol, such as Ethernet, or a proprietary network, links the machines to data acquisition and storage units for reporting or archiving. Meanwhile, a separate network, often an extension of the office Ethernet network, is on the plant floor, enabling workstation access to work orders and task instructions.

A separate network approach is often selected as the solution for maintaining the security and independence of the manufacturing controls network apart from networks intended to distribute order management, quality and security operations systems to areas within the plant.

Attempts to converge and simplify deployment of separate networks have taken many forms, more typically using the same cabinets with separate cabling and hardware to deploy divergent networks, but increasingly using virtual local area networks (VLANs) over a common infrastructure in order to better utilize switches and servers. However, the risk of circumventing plant network security layers through simple cross-patching or other installation errors, remains in all cases, which can create gaping security holes in a plant network.

Answering the Challenge

The potential for these security holes has led to the development of an architecture which addresses security and simplifies convergence within the plant using a standards-based Ethernet network. The Converged Plant-wide Ethernet (CPwE) architecture, a logical networking architecture, was developed by Rockwell Automation and Cisco, and extended to the physical layer as described in the Panduit Industrial Ethernet Physical Infrastructure Reference Architecture Design Guide. These resources are proposed as a model for unifying the many disparate plant networks into a single network which helps to address the challenges around implementing, maintaining and scaling the factory network. The CPwE architecture uses VLANs to efficiently segment traffic across the Layer 2 and Layer 3 network infrastructure. However, all plant control traffic stays below the Demilitarized Zone (DMZ) layer; any information needed in the enterprise zone is accessed through a server in the DMZ rather than allowing direct traffic between the enterprise and manufacturing compute systems.

The implementation of this architecture has a significant impact on the physical layer requirements, because a unified architecture can be best deployed on a unified physical layer. A unified plant physical network, or network fabric, built to support an EtherNet/IP architecture offers an alternative approach to physically separate networks providing a robust infrastructure that is easily scalable, can be segmented, and addresses security concerns.

The Role of Managed Switches and Zone Systems for Security in a Unified Plant Network

The plant network architecture can be planned to enable effective and efficient management and scaling. A good place to start is by segmenting the automation cell or process control system requiring Ethernet connectivity into sub-systems where there is significant interaction between nodes, or where nodes are placed in close proximity. At this level of the plant, zone systems with industrial managed switches operating Common Industrial Protocol (CIP™) technology provide an effective means to both physically and virtually segment traffic over a unified network infrastructure.

A key value of using managed switches within a zone architecture is the ability to localize traffic (using VLANs) to a single cell or manufacturing area, reducing security risk. A key value of the zone system itself is its ability to secure the physical layer, providing a scalable platform to deploy industrial switches with controlled physical access (with lockable cabinet) and port security (ability to physically block ports and lock-in connections), reducing physical security risks and inadvertent mistakes by personnel on the plant floor. The zone system also provides an effective platform to deploy additional hardware allowing secure remote access to certain systems, using devices such as services routers or firewalls at the cell/zone area level.
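As an added example (not code from the page, nor from Rockwell Automation, Cisco or Panduit), the following Python audit applies the two segmentation rules described above to flow records: enterprise-to-manufacturing traffic that bypasses the DMZ server is denied, and manufacturing traffic that leaves its cell VLAN is flagged for review. The addressing plan and the flow records are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addressing plan (assumption, not from the page): enterprise zone, DMZ, manufacturing zone.
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "dmz": ipaddress.ip_network("10.100.0.0/24"),
    "manufacturing": ipaddress.ip_network("10.200.0.0/16"),
}
# Each cell/area in the manufacturing zone is localized to its own VLAN (one subnet each).
CELL_VLANS = {
    "cell-a": ipaddress.ip_network("10.200.10.0/24"),
    "cell-b": ipaddress.ip_network("10.200.20.0/24"),
}

@dataclass
class Verdict:
    flow: str
    decision: str  # "allow", "deny" or "review"
    reason: str

def _lookup(ip: str, table: dict) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in table.items() if addr in net), None)

def evaluate_flow(src: str, dst: str) -> Verdict:
    """Apply the CPwE-style zoning rules to a single src -> dst flow."""
    flow = f"{src} -> {dst}"
    zones = {_lookup(src, ZONES), _lookup(dst, ZONES)}
    if None in zones:
        return Verdict(flow, "deny", "address outside the plant addressing plan")
    if zones == {"enterprise", "manufacturing"}:
        return Verdict(flow, "deny", "direct enterprise/manufacturing flow; data must be served from the DMZ")
    if zones == {"manufacturing"}:
        src_cell, dst_cell = _lookup(src, CELL_VLANS), _lookup(dst, CELL_VLANS)
        if src_cell is None or dst_cell is None:
            return Verdict(flow, "review", "manufacturing address not assigned to a cell VLAN")
        if src_cell != dst_cell:
            return Verdict(flow, "review", f"traffic leaves its cell VLAN ({src_cell} -> {dst_cell})")
        return Verdict(flow, "allow", f"traffic stays inside VLAN {src_cell}")
    return Verdict(flow, "allow", "enterprise/DMZ or DMZ/manufacturing flow permitted by the zone model")

def audit(records: List[str]) -> List[Verdict]:
    """records: constructed flow lines of the form 'src dst [extra fields]'."""
    return [evaluate_flow(*line.split()[:2]) for line in records if line.strip()]

if __name__ == "__main__":
    for v in audit(["10.0.1.5 10.200.10.7 tcp/44818", "10.0.1.5 10.100.0.10 tcp/443", "10.200.10.7 10.200.20.3 tcp/44818"]):
        print(v.decision, v.flow, "-", v.reason)
```

Feeding real flow exports through `audit` turns the architecture's "no direct enterprise/manufacturing traffic" rule into a check that catches the cross-patching and installation errors mentioned earlier.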


Integrated Network Zone systems and Physical Network Security solutions can provide a scalable platform to deploy industrial switches with controlled physical access (with lockable cabinet) and port security (ability to physically block ports and lock-in connections).

Learn more about deploying secure networks within a unified plant network in the Scaling the Plant Floor White Paper.
