Industrial networking is the future. When I say industrial networking, I do not literally mean networking in an industrial environment; I am referring to networks that carry process or manufacturing devices, i.e. PLC controllers, sensors, drives and robots.
That's right, I said robots. Cool, right? Well, it is. Don't get too excited, as we don't get to actually control the robots; however, the network you build will ultimately support the people who do.
In industrial networks it is important that your process devices sit in a completely segregated and secure network. Why? Let's say, for example, you have a controller that controls the "on" and "off" status of a conveyor belt moving large objects in a production environment, and this controller and the system that drives it are on your corporate day-to-day business network.
Suddenly, your $100 firewall/router combo gets compromised and floods your network with malicious software. While this is happening, your conveyor belt is shut down for maintenance and people are actively working on physically repairing some parts of it. The system which controls the on/off switch is now compromised and enables the on button... you can see where this is going: people's lives are at risk.
So how do we prevent this? In the industrial networking world, we follow a networking model called the "Purdue networking model", formally known as the "ISA-99 model". It looks something like this:
This is a picture I pulled from Google which gives a nice visual colour breakdown of the levels involved. I will simplify the levels as much as possible so you can understand the fundamentals.
Level 5 - Enterprise Zone
This level is called the enterprise zone or "corporate zone". This is where your corporate-level applications run to support the corporate business and basic user access. Items or peripherals found in this zone include Exchange servers, access points, web servers, corporate directory architectures, document management systems, VPN endpoints and HR systems. This is your typical day-to-day enterprise/global business operations layer, where 90% of your business will function.
Level 4 - Enterprise Zone #2
This level is part of the enterprise zone, but is more specific to a business unit or local office. In this zone you will find: local file and print servers, local phone systems, site directory replicas, site-specific remote access solutions, security event aggregators and site-specific access points. Just remember: this is your local office site, not your global company network.
Level 3.5 - DMZ
This layer is by far the most complicated. It is not shown in the diagram as level 3.5, but that is the name the industry knows it by. The DMZ layer provides a series of functions for specific zones where services and data can be shared between them. So, for example, you may have a data center in both your corporate AND your process network.
Your corporate users may require some access to functions within your process network, and users in the process network may require access to some functions in your corporate network. The VMs providing these services would sit in the 3.5 DMZ layer, where they are logically segregated from the rest of their data center VMs but still accessible as required.
Items typically found in this zone include: patch management servers, anti-virus management systems, site-specific application servers, jump host environments, business intelligence systems, back-end databases for site-specific applications and development systems.
Level 3 - Manufacturing Zone or Operations Support
This zone includes the functions involved in managing operations within the process environment. Items typically found in this zone include operations scheduling resources, reliability tracking tools, operation simulation and modelling tools, contingency analysis tools, data historians and data virtualization utilities. There would also most likely be dedicated operations-specific IT services such as DHCP, LDAP, DNS, file servers, etc.
Level 2 - Supervisory Control LAN
This is where the diagram does not show the breakdown of the final few levels. I will, though.
Level 2 includes the functions involved in operating the real-time control systems within your process or manufacturing network. Items found in this zone typically consist of: control center operation workstations, human machine interfaces (HMIs), engineering workstations, security event collectors, operation alarm systems, communication front ends, data historians and network/server administrator workstations.
Level 1 - Control Devices
Level 1 includes the functions involved at site-specific operating environments. This includes: dedicated operator workstations, PLC controllers, control processors, programmable relays, remote terminal units and process-specific microcontrollers.
Level 0 - Process
If you made it this far and you're still awake, great, because here comes the robot portion!
Level 0 is your process zone. This zone includes the functions involved in transitioning from "cyber" to physical and from physical to "cyber" (basically where your computer world meets the physical working world).
This zone includes: sensors, motors, field instrumentation devices and automation machinery like robots!
Now that you have read through all of the zones, I would like to point out that levels 3 and 4 are divided by a firewall. This prevents your corporate network from being merged with your process control network and putting it at risk.
I could go into the in-depth firewall requirements and configuration of the ISA-99 model; however, this article is for the fundamental knowledge of industrial networking. But I will tell you this: these firewall rules have to be locked down to deny all and allow only the necessary ports and IP addresses.
Beyond the firewall configuration, your process network, including your DMZ, should be logically segregated as much as possible. Your DMZ will have traffic flow rules to ensure data from your process network only enters the DMZ to reach a shared service, which then processes the request. Process devices have no direct contact with your corporate network, and the same logic applies to your corporate workstations.
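As an added example that is not part of the original post, the following Python script models the two rules of thumb above (deny all, allow only specific ports and addresses) together with the DMZ principle from the level 3.5 section: every flow between the corporate side (levels 4/5) and the process side (levels 0 to 3) has to terminate on a shared service in the DMZ. Every subnet, host address, port number and rule entry is constructed for illustration, and the `Rule`, `is_allowed` and `lint_rules` names are my own, not from any firewall product or ISA-99 document.

```python
"""Default-deny zone policy check for a Purdue-style network.

Constructed example: every subnet, host address, port and rule below is
made up for illustration and does not describe any real site.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# One constructed subnet per Purdue level; 3.5 is the DMZ.
ZONES = {
    5: ip_network("10.5.0.0/16"),     # enterprise
    4: ip_network("10.4.0.0/16"),     # site business network
    3.5: ip_network("10.35.0.0/24"),  # DMZ shared services
    3: ip_network("10.3.0.0/16"),     # operations support
    2: ip_network("10.2.0.0/16"),     # supervisory control
    1: ip_network("10.1.0.0/16"),     # controllers
    0: ip_network("10.0.0.0/16"),     # field devices
}
CORPORATE = {4, 5}
PROCESS = {0, 1, 2, 3}


@dataclass(frozen=True)
class Rule:
    """One explicit allow entry. Anything no Rule matches is denied."""
    src: IPv4Network
    dst: IPv4Network
    proto: str
    port: Optional[int] = None  # None = any destination port (too broad on purpose)

    def matches(self, src: IPv4Address, dst: IPv4Address, proto: str, port: int) -> bool:
        return (src in self.src and dst in self.dst and proto == self.proto
                and (self.port is None or port == self.port))


def level_of(ip: IPv4Address):
    """Return the Purdue level whose subnet contains ip, or None if unknown."""
    for level, net in ZONES.items():
        if ip in net:
            return level
    return None


def is_allowed(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> bool:
    """Deny-all policy: a flow passes only if some rule explicitly allows it."""
    s, d = ip_address(src), ip_address(dst)
    return any(r.matches(s, d, proto, port) for r in rules)


def lint_rules(rules: List[Rule]) -> List[Tuple[Rule, str]]:
    """Flag rules that are syntactically fine but break the model: a rule wider
    than one zone, a corporate<->process flow that skips the DMZ, or a rule that
    opens every port instead of the one service port."""
    findings = []
    for r in rules:
        src_lvl = level_of(r.src.network_address)
        dst_lvl = level_of(r.dst.network_address)
        if (src_lvl is None or dst_lvl is None
                or not r.src.subnet_of(ZONES[src_lvl])
                or not r.dst.subnet_of(ZONES[dst_lvl])):
            findings.append((r, "rule spans more than one zone"))
            continue
        sides = {src_lvl, dst_lvl}
        # A two-endpoint rule with one corporate and one process end has no DMZ end.
        if sides & CORPORATE and sides & PROCESS:
            findings.append((r, "corporate<->process flow bypasses the DMZ"))
        if r.port is None:
            findings.append((r, "allows all ports; narrow to the service port"))
    return findings


# Constructed allow list: each corporate<->process exchange is split into two
# hops that meet at a DMZ shared service (patch relay, historian replica, jump host).
RULES = [
    Rule(ip_network("10.4.0.10/32"), ip_network("10.35.0.20/32"), "tcp", 8530),  # site patch server -> DMZ relay
    Rule(ip_network("10.35.0.20/32"), ip_network("10.3.0.0/16"), "tcp", 8530),   # DMZ relay -> level 3 servers
    Rule(ip_network("10.3.0.50/32"), ip_network("10.35.0.30/32"), "tcp", 5450),  # level 3 historian -> DMZ replica
    Rule(ip_network("10.4.0.0/16"), ip_network("10.35.0.30/32"), "tcp", 5450),   # corporate BI -> DMZ replica
    Rule(ip_network("10.4.0.0/16"), ip_network("10.35.0.40/32"), "tcp", 3389),   # engineers -> DMZ jump host
    Rule(ip_network("10.35.0.40/32"), ip_network("10.2.0.0/16"), "tcp", 3389),   # jump host -> level 2
]

# Three constructed entries a reviewer should reject.
BAD_RULES = RULES + [
    Rule(ip_network("10.4.0.0/16"), ip_network("10.1.0.0/16"), "tcp", 502),      # corporate straight to PLCs
    Rule(ip_network("10.35.0.40/32"), ip_network("10.2.0.0/16"), "tcp"),         # jump host on any port
    Rule(ip_network("10.0.0.0/8"), ip_network("10.35.0.30/32"), "tcp", 5450),    # source covers every level
]

if __name__ == "__main__":
    print(is_allowed(RULES, "10.4.0.10", "10.35.0.20", "tcp", 8530))  # True
    print(is_allowed(RULES, "10.4.0.10", "10.1.0.5", "tcp", 502))     # False: no path to a controller
    for rule, why in lint_rules(BAD_RULES):
        print(f"{rule.src} -> {rule.dst} {rule.proto}/{rule.port or 'any'}: {why}")
```

The point of `lint_rules` is that a firewall will happily accept a rule that lets a level 4 workstation talk to a level 1 controller; the check that catches it has to know which subnet belongs to which level, so keep that zone map next to the ruleset and review both together.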
If you enjoyed reading about the fundamentals of a process technology network, please leave a comment and let me know if you would like more in-depth information about industrial networking.
For now, I will leave you with the basics, and hopefully this jump-starts your knowledge of this exciting future of robot networking!
Feel free to leave feedback (constructive criticism happily accepted)
If you liked it - give it a thumbs up!
If you didn't like it, comment and tell me why - or hit your back button