Industrial Demilitarized Zone Design Principles

Jason J. Dely, CISSP, CISM
Principal Security Consultant, Network & Security Services
[email protected]

Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved. PUBLIC INFORMATION

Description

There are many organizations and standards bodies that recommend separating the enterprise zone from the industrial zones by utilizing an industrial demilitarized zone (IDMZ). This session will describe and demonstrate the basic principles and strategies of designing an IDMZ to separate these two zones. Attendance of the Design Considerations for Securing EtherNet/IP Networks session is recommended.


Page 2: Course Description

There are many organizations and standards bodies that recommend separating the enterprise zone from the industrial zones by utilizing an industrial demilitarized zone (iDMZ).

This session will describe the basic principles and strategies of designing an iDMZ to separate these two zones.

A prior understanding of general Ethernet concepts, or attendance of the Fundamentals of EtherNet/IP session, is recommended.

Page 3: Agenda

• Methodology
• What is a DMZ?
• Network Segmentation

Page 4: Industrial Network Convergence – Continuing Trend

EtherNet/IP – Enabling/Driving Convergence of Control and Information

[Diagram: Traditional 3-Tier Industrial Network Model – a corporate network (back-office mainframes and servers such as ERP and MES; office applications, internetworking, data servers, storage) connected through a control network gateway to separate industrial networks carrying supervisory control, HMI, controllers, I/O and safety I/O, with sensors, motors, drives, actuators and robotics at the bottom.]

[Diagram: Converged Plantwide EtherNet/IP Industrial Network Model – the same corporate network and plant-floor devices (supervisory control, HMI, controllers, safety controller, I/O, cameras, phones) on a single converged industrial network.]

Page 5: Industrial Network Convergence Continued Trend – Demilitarized Zone (DMZ)

[Diagram: the Converged Plantwide EtherNet/IP Industrial Network Model with a DMZ inserted between the corporate network and the industrial network; the DMZ is built on an active and a standby firewall joined by a link for failover.]

DMZ functions shown:

• Firewalls for separation
• Unified Threat Management
• Authentication & Authorization
• Application & Data Sharing via replication or terminal services
• Patch Management
• Remote Access Services
• Application Mirrors
• Anti-Virus Servers

Page 6: Demilitarized Zone (DMZ)

Sometimes referred to as a perimeter network, a DMZ exposes an organization's external services to an untrusted network. The purpose of the DMZ is to add an additional layer of security to the trusted network.

[Diagram: UNTRUSTED (Internet) – BROKER DMZ (Web Proxy) – TRUSTED]

Page 7: Controlling Access to the Manufacturing Zone

No Direct Traffic Flow from Enterprise to Manufacturing Zone

[Diagram: Levels 5 to 0 laid out across the Enterprise Zone, DMZ, Manufacturing Zone and Cell/Area Zone, separated by two firewalls; Web, E-Mail and CIP traffic labels appear at the zone boundaries.]

• Enterprise Zone
  – Level 5: Enterprise Network (router)
  – Level 4: Site Business Planning and Logistics Network – E-Mail, Intranet, etc.
• DMZ (between the two firewalls): Terminal Services, Patch Management, AV Server, Historian Mirror, Web Services, Operations Application Server
• Manufacturing Zone
  – Level 3: Site Manufacturing Operations and Control – FactoryTalk® Application Server, FactoryTalk Directory, Engineering Workstation, Domain Controller
• Cell/Area Zone
  – Level 2: Area Supervisory Control – FactoryTalk Client, Operator Interface, Engineering Workstation
  – Level 1: Basic Control – Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control
  – Level 0: Process – Sensors, Drives, Actuators, Robots

Page 8: Agenda

• Methodology
• What is a DMZ?
• Network Segmentation

Page 9: Methodology

• Develop a scientific method to develop repeatable, measurable and maintainable solution(s)
• Look at the problem “holistically” and drill down to each system

Page 10: DMZ / Network Reconnaissance (Design Pre-work)

[Phase ribbon: Recon Phase – Requirements Phase – Architectural Phase – Tech. Design Phase – Implement – Maintain]

• Identify Assets or Asset Classes: Identify “types” of Assets in the Manufacturing Zone and those that support Manufacturing.
  – ACTION: Document Assets by documentation, interviews and network scanning.
• Identify Asset Owners: Identify “who” owns the hardware and software on the asset.
  – ACTION: Document Asset Owners and Schedule Interviews.

Page 11: Classify Asset Types

• Goal: Identify assets that support the manufacturing process.
• Goal: Identify if the asset belongs in the Mfg. or Enterprise Zone.

Page 12: Diagram Data Sources Feeding Higher Level Assets

Page 13: Identify System Owners / Users

Page 14: Interview Process

• The interview process identifies how the owners and clients of the assets:
  – Operate
  – Configure
  – Patch
  – Upgrade
• Identifies where the data is produced and consumed
• This process is used to gather requirements

Page 15: DMZ / Network Design Methodology

[Phase ribbon: Requirements Phase – Architectural Phase – Technical Design Phase – Implementation – Maintain]

• Requirements Phase: Requirements are a statement identifying a capability, physical characteristic or quality factor that bounds a product or process problem for which a solution will be pursued. (Source: IEEE Standard 1220-1994)
  – ACTION: Interview all system owners to gather requirements for operations, configuration and maintenance.
• Architectural Phase: High level architectural recommendations that are proposed to meet the customer requirements.
  – ACTION: Produce high level documentation and drawings to meet every requirement.
• Technical Design Phase: Detailed information, usually written by the coder or implementer, that describes how the system or product will be programmed and configured to meet the customer requirements and the high level architecture.
  – ACTION: Produce detailed documentation such as drawings, switch configurations, VLANs, IP addresses and firewall ACLs.
• Implementation: The system components are brought together and tested during this phase per the testing plan.
  – ACTION: Verify (“was the product built right?”) and Validate (“was the right product built?”).
• Maintain: The system has been Verified and Validated and is maintained by Operations and Maintenance.
  – ACTION: Modify configurations and assets to fix anomalies or required operational changes.

Page 16: High Level Architecture

Page 17: How to Derive High Level Architecture

No Control Protocols Through the Firewall(s)

[Diagram: Enterprise zone (Actor, Client, MES, QC Systems, Order Entry) – Industrial DMZ – Manufacturing zone (Historian).]

Page 18: Move the Assets Around To Minimize Cross Zone Traffic – Especially Control Protocols

[Diagram: the same three zones as page 17 (Enterprise: Actor, Client, MES, QC Systems, Order Entry; Manufacturing: Historian), now with a Historian Mirror / Data Proxy placed in the Industrial DMZ between the Manufacturing Historian and the Enterprise Historian.]
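As an added worked check (not from the slides), the two rules stated on pages 7 and 17, no direct Enterprise-to-Manufacturing traffic and no control protocols through the firewalls, can be applied to a list of proposed flows before the ACL work of the Technical Design phase. Zone names, flow names and the historian port 5000 are constructed; EtherNet/IP ports 44818/tcp and 2222/udp stand in for the control protocols.

```python
# Added example (not from the slides): audit proposed cross-zone flows against
# the two IDMZ rules. Zone names, flow names and port 5000 are constructed;
# 44818/tcp and 2222/udp are the EtherNet/IP (CIP) ports used as "control protocols".
from dataclasses import dataclass

ENTERPRISE, IDMZ, MANUFACTURING = "Enterprise", "IDMZ", "Manufacturing"

# Control protocols that must never traverse the IDMZ firewalls.
CONTROL_PROTOCOLS = {("tcp", 44818), ("udp", 2222)}


@dataclass(frozen=True)
class Flow:
    name: str
    src_zone: str
    dst_zone: str
    proto: str
    port: int


def violations(flow: Flow) -> list[str]:
    """Return the design rules a single flow breaks (empty list = compliant)."""
    problems = []
    # Rule 1 (page 7): nothing passes straight between Enterprise and
    # Manufacturing; every such exchange is brokered by a DMZ asset.
    if {flow.src_zone, flow.dst_zone} == {ENTERPRISE, MANUFACTURING}:
        problems.append("direct Enterprise<->Manufacturing flow; broker it in the IDMZ")
    # Rule 2 (page 17): control protocols never cross a firewall.
    if flow.src_zone != flow.dst_zone and (flow.proto, flow.port) in CONTROL_PROTOCOLS:
        problems.append("control protocol through a firewall; keep it inside the Manufacturing zone")
    return problems


def audit(flows: list[Flow]) -> dict[str, list[str]]:
    """Map each non-compliant flow name to the rules it breaks."""
    return {f.name: v for f in flows if (v := violations(f))}


# Constructed sample: the direct design (page 17) beside the brokered design (page 18).
SAMPLE_FLOWS = [
    Flow("MES client -> plant historian (direct)", ENTERPRISE, MANUFACTURING, "tcp", 5000),
    Flow("Plant historian -> historian mirror", MANUFACTURING, IDMZ, "tcp", 5000),
    Flow("MES client -> historian mirror", ENTERPRISE, IDMZ, "tcp", 5000),
    Flow("Enterprise workstation -> controller (CIP)", ENTERPRISE, MANUFACTURING, "tcp", 44818),
    Flow("RD gateway -> engineering workstation", IDMZ, MANUFACTURING, "tcp", 3389),
    Flow("Controller -> I/O (CIP implicit)", MANUFACTURING, MANUFACTURING, "udp", 2222),
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_FLOWS).items():
        print(f"{name}: " + "; ".join(problems))
```

Only the two flows that bypass the IDMZ are reported; the RD gateway and the in-zone CIP I/O traffic pass both rules.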

Page 19: High Level Architecture – Review All Use Cases and Meet All Requirements

Use Case – Configure Historian from Enterprise

[Diagram: Remote Desktop Gateway added to the architecture for this use case.]

Page 20: High Level Architecture – Review Use Cases

Use Case – Move Data From Manufacturing Historian to Enterprise Historian

[Diagram: Historian Mirror serving this use case.]

Page 21: DMZ / Network Design Methodology (phase overview repeated from page 15)

Page 22: Agenda

• Methodology
• What is a DMZ?
• Network Segmentation

Page 23: Manufacturing Zone – Architecture to support DMZ

• Division of plant into functional areas for secured access
• ISA-SP99 “Zones and Conduit” model
• OEM’s Participation
  – IP Address
  – VLAN ID’s
  – Access layer to Distribution layer cooperation
• System design requires full cooperation of all System Integrators, OEM’s, IT and Engineering

Copyright © 2011 Rockwell Automation, Inc. All rights reserved.

Page 24: (untitled reference architecture diagram)

[Diagram: plantwide reference architecture annotated with Security and Availability at the Data Link / Network Layers and the callout “Control Systems are Designed with Availability Requirement First!”]

• Enterprise Zone, Levels 4 and 5: ERP, Email, Wide Area Network (WAN)
• Demilitarized Zone (DMZ): Cisco ASA 5500 Firewall (Active) and Firewall (Standby) with a Gbps Link for Failover Detection; Patch Management, Terminal Services, Application Mirror, AV Server, Remote Access Server
• Industrial Zone, Level 3 – Site Operations and Control: Cisco Catalyst 6500/4500 and Catalyst 3750 StackWise Switch Stack
  – FactoryTalk Application Servers: View, Historian, AssetCentre, Transaction Manager
  – FactoryTalk Services Platform: Directory, Security/Audit
  – Data Servers
  – Network Services: DNS, DHCP, syslog server; Network and security mgmt
• Cell/Area Zones, Levels 0–2: Rockwell Automation Stratix 8000 Layer 2 Access Switches; Controllers, Drives, HMI and I/O in Cell/Area #1, #2 and #3 (VLAN 101–105, VLAN 41–44)
• Link legend: Layer 2 Access Link; Layer 2 Interswitch Link / 802.1Q Trunk; Layer 3 Link

Page 25: Structure and Hierarchy – Network Segmentation: Building Block for Availability

• The Cell/Area zone is a Layer 2 network for a functional area of the plant floor. Key network considerations include:
  – Structure and hierarchy using smaller Layer 2 building blocks
  – Logical segmentation for traffic management and policy enforcement to accommodate time-sensitive applications

[Diagram: a Layer 3 Building Block (Catalyst 3750 StackWise Switch Stack as Layer 3 Distribution Switch) above three Layer 2 Building Blocks, each a Cell/Area Zone (Levels 0–2) with a Rockwell Automation Stratix 8000 Layer 2 Access Switch, Level 0 Drive, Level 1 Controller, Level 2 HMI and I/O: Cell/Area Zone #1 Redundant Star Topology with Flex Links Resiliency; Cell/Area Zone #2 Ring Topology with Resilient Ethernet Protocol (REP); Cell/Area Zone #3 Bus/Star Topology. Media & Connectors, Security and Availability are noted.]

Page 26: Machine Types – Building Blocks for Security Specifications

[Diagram: the three Cell/Area Zone topologies from page 25 (Redundant Star with Flex Links Resiliency, Ring with REP, Bus/Star), each with Controller, Drive, HMI and I/O behind a Rockwell Automation Stratix 8000 Layer 2 Access Switch, connected to the Catalyst 3750 StackWise Switch Stack; Security and Availability are noted.]

Machine or Cell Level specification:

• Availability Requirements
• Networking, Routing
• Information Requirements
• Interfaces
• Controller data structure
• Security Requirements (C,I,A)

Interfaces: Historian, OS Patch, AV Server, Workstations, Remote Session Hosts, HMI Servers

Page 27: We care what you think! – Please take a couple of minutes to complete the session survey in the mobile app. Thank you!!

Page 28: Questions?

www.rsteched.com – Follow RSTechED on Facebook & Twitter. Connect with us on LinkedIn.

PUBLIC INFORMATION