Connected Factory Architecture Theory and Practice

Transcription

1

2 BRKIOT-2108 Connected Factory Architecture Theory and Practice Arun Siddeswaran, Solution Engineering Manager Frank Baro, Solution Architect

3 Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot#brkiot Cisco and/or its affiliates. All rights reserved. Cisco Public

4 BRKIOT-2108 Source: Cisco and/or its affiliates. All rights reserved. Cisco Public

5 Agenda Connected Factory Architecture Cisco Reference Architecture Factory Network Factory Wireless Factory Security Cisco Kinetic Connected Factory in Practice Introduction Factory Security Case Study Enabling Analytics Factory Wireless AGV Roaming Conclusion Recommended Resources

6 Connected Factory Reference Architectures

7 Connected Factory Reference Architectures Converged Plantwide Ethernet (CPwE) Tested, validated and documented reference architectures Developed from use cases - customer and application Tested for performance, availability, repeatability, scalability and security Comprised of Cisco and Rockwell Automation Validated Designs Built on technology and industry standards Future-ready network design Content relevant to both OT and IT Engineers Deliverables Recommendations, best practices, design and implementation guidance, documented test results and configuration settings Simplified design, quicker deployment, reduced risk in deploying new technology BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 12

8 Built on Industry Standards cont. Purdue Reference Model Level 5 Level 4 , Intranet, etc. Enterprise Network Site Business Planning and Logistics Network Enterprise Security Zone Remote Gateway Services Patch Management AV Server Application Mirror Web Services Operations Application Server Firewall Firewall Industrial DMZ Level 3 FactoryTalk Application Server FactoryTalk Directory Engineering Workstation Remote Access Server Site Operations and Control Industrial Zone Level 2 Level 1 FactoryTalk Client Batch Control Operator Interface FactoryTalk Client Engineering Workstation Discrete Control Drive Control Continuous Process Control Operator Interface Safety Control Area Supervisory Control Basic Control Cell/Area Zone Level 0 Sensors Drives Actuators Robots Process BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 13

9 Converged Plantwide Ethernet (CPwE) Reference Architecture Wide Area Network (WAN) Data Center - Virtualized Servers ERP - Business Systems , Web Services Security Services - Active Directory (AD), Identity Services (AAA) Network Services DNS, DHCP Call Manager Identity Services Enterprise External DMZ/ Firewall Internet Enterprise Zone Levels 4-5 Physical or Virtualized Servers Patch Management AV Server Application Mirror Remote Desktop Gateway Server ASA 5500 ASA 5500 Plant Firewalls Active/Standby Inter-zone traffic segmentation ACLs, IPS and IDS VPN Services Portal and Remote Desktop Services proxy Industrial Demilitarized Zone (IDMZ) Physical or Virtualized Servers FactoryTalk Application Servers and Services Platform Network & Security Services IND, DNS, AD, DHCP, Identity Services (AAA), MSE Storage Array Level 3 - Site Operations (Control Room) Cisco Kinetic (IoT Platform) Wireless LAN Controller (WLC) Active Standby Identity Services Remote Access Server Core Distribution Switch Stack Distribution Switch Stack Access Switches Cell/Area Zone Levels 0 2 Access Switches Cell/Area Zone Levels 0 2 Industrial Zone Levels 0 3 (Plant-wide Network) IFW LWAP IFW Camera Phone SSID 5 GHz WGB LWAP 2.4 GHz WGB LWAP SSID 2.4 GHz IFW Industrial Ethernet Switch HMI Soft Starter Safety Controller Safety I/O AP SSID 5 GHz WGB Instrumentation Controller Controller Controller Drive I/O Servo Drive HMI Robot Safety I/O Cell/Area Zone - Levels 0 2 Redundant Star Topology - Flex Links Resiliency Unified Wireless LAN (Lines, Machines, Skids, Equipment) Cell/Area Zone - Levels 0 2 Ring Topology - Resilient Ethernet Protocol (REP) Unified Wireless LAN (Lines, Machines, Skids, Equipment) Cell/Area Zone - Levels 0 2 Linear/Bus/Star Topology Autonomous Wireless LAN (Lines, Machines, Skids, Equipment)

10 Connected Factory - Designed for Digital Manufacturing BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 15

11 Factory Network

12 Cell/Area Zone Overview Layer 2 Access Switch Layer 3 Distribution Switch Media and Connectors Legend: Level 2 HMI HMI Controller Controller Level 1 Controller IE Switch VFD Layer 2 Interswitch Uplink-VLAN Trunk, Layer 2 Resiliency Level 0 Device (Drive) IE Switch HMI Layer 2 Access Link-Single VLAN Assigned to Port Cell/Area Zone Distributed IO Controller Controller Cell/Area Zone Cell/Area Zone - Functional Area of a Production Facility. Considerations Include: Environmental constraints Range of device intelligence Time-sensitive applications BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 17

13 Industrial Network Topologies Cell/Area Zone Topology Options Star/Bus Linear Distribution Switch Ring Resilient Ethernet Protocol (REP) Distribution Switch Redundant Star Flex Links EtherChannel Distribution Switch Cell/Area Zone Cell/Area Zone Cell/Area Zone Cisco Catalyst 2955 HMI Controllers HMI Controllers Controller HMI HMI Controllers, Drives, and Distributed I/O Controllers, Drives, and Distributed I/O Controllers, Drives, Cell/Area and Distributed ZoneI/O Linear Ring Redundant Star Cabling Requirements Ease of Configuration Implementation Costs Bandwidth Redundancy and Convergence Disruption During Network Upgrade Readiness for Network Convergence Overall in Network TCO and Performance Worst OK Best BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 19

14 Performance Requirements Industrial Automation & Control System Applications Process Automation Discrete Automation Loss Critical Function Information Integration, Slower Process Automation Time-critical Factory Automation Multi-axis Motion Control Comm. Technology.Net, DCOM, TCP/IP Industrial Protocols, CIP, Profinet Hardware and Software solutions, e.g. CIP Motion, PTP Period 1 second or longer 1 ms to 100 ms 100 µs to 10 ms Industries Oil & Gas, chemicals, energy, water Auto, food and bev, electrical assembly, semiconductor, metals, pharmaceutical Utilities Subset of Discrete automation Applications Pumps, compressors, mixers; monitoring of temperature, pressure, flow Material handling, filling, labeling, palletizing, packaging; welding, stamping, cutting, metal forming, soldering, sorting Life/equipment safety, Synchronization of multiple axes: printing presses, wire drawing, web making, picking and placing Source: ARC Advisory Group BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 20

15 Network Resiliency Protocols Selection is Application Driven Resiliency Protocol STP (802.1D) RSTP (802.1w) MSTP (802.1s) PVST+ REP EtherChannel (LACP 802.3ad) MRP (IEC )* Flex Links PRP/HSR (IEC 62439)* DLR (IEC & ODVA) StackWise HSRP VRRP (IETF RFC 3768) Mixed Vendor Ring Redundant Star Net Conv >250 ms Net Conv ms Net Conv < 0~10 ms Process and Information Time Critical Layer 3 Layer 2 Loss Critical * Not part of CPwE BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public

16 Factory Network Layer 2 NAT

17 Challenge - Ethernet Growing Pains Ethernet networks continue to grow: Each machine adds another 5-50 EtherNet/IP enabled devices Every line adds another 250-1,000 EtherNet/IP enabled devices How do I connect all these machines into a plant network to gain the advantages? BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 23

18 Solution - Layer 2 Network Address Translation (NAT) Outside Subnet (ex x) One to One (1:1) NAT Many Outside IP addresses (One per device wishing to be accessible from the Outside Subnet NAT Enabled Device Many Inside IP addresses (One per connected device) Inside Subnet (ex x) BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 24

19 Layer 3 vs Layer 2 NAT Layer 3 Layer 2 Typically a software implementation NAT device acts as the default gateway (router) for the devices on the inside network NAT device will intercept traffic, perform translation, and route traffic Translations are handled by the NAT CPU Performance of translation directly tied to the loading of the NAT CPU Hardware based implementation NAT device does not act as a router and utilizes 2 translations tables inside to outside & outside to inside Performance is at wire speed throughout switch loading Supports multiple VLANs through NAT boundary enhancing segmentation flexibility (Communication between VLANS requires a separate layer 3 device) BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 26

20 Trunk Layer 2 NAT Design Scenario #1 Single-Cell, Single VLAN per Switch Line Controller OUTSIDE VLAN10 Aggregation switch Inside to Outside NAT Table Outside to inside NAT Table Inside Outside Outside Inside INSIDE VLAN10 Inside Address IES Machine BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 27

21 Layer 2 NAT Design Scenario #3 Multi-Cell, Single Switch, Multi-VLAN Aggregation switch VLAN40 VLAN40 Work Station OUTSIDE IP Address: X Line Controller VLAN10 IES NAT VLAN30 IP Address: X INSIDE IP Address: X VLAN20 INSIDE IP Address: X IES IES IES BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 29

22 Layer 2 NAT Design Scenario #3 Multi-Cell, Single Switch, Multi-VLAN Aggregation switch VLAN40 VLAN40 Work Station OUTSIDE IP Address: X Line Controller VLAN10 IES NAT VLAN30 IP Address: X INSIDE IP Address: X VLAN20 INSIDE IP Address: X IES IES IES Machine 1 NAT Table Inside Outside Machine 2 NAT Table Inside Outside Machine 3 NAT Table Inside Outside BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 30

23 Layer 2 NAT Design Scenario #3 Multi-Cell, Single Switch, Multi-VLAN Aggregation switch VLAN40 VLAN40 Work Station OUTSIDE IP Address: X Line Controller VLAN10 IES NAT Multiple Instance of NAT per VLAN VLAN30 IP Address: X INSIDE IP Address: X VLAN20 INSIDE IP Address: X IES IES IES Machine 1 NAT Table Inside Outside Machine 2 NAT Table Inside Outside Machine 3 NAT Table Inside Outside BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 31

24 Layer 2 NAT Design Scenario #3 Multi-Cell, Single Switch, Multi-VLAN Aggregation switch VLAN40 VLAN40 Work Station OUTSIDE IP Address: X Line Controller VLAN10 IES NAT Multiple Instance of NAT per VLAN VLAN30 IP Address: X INSIDE IP Address: X VLAN20 INSIDE IP Address: X IES IES IES Machine 1 NAT Table Inside Outside Machine 2 NAT Table Inside Outside Machine 3 NAT Table Inside Outside BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 32

25 Factory Network Network Management for OT

26 Current Challenges IT Operations IT Staff Supporting OT Line Operator/ Technician Control Systems/ Design Engineer Plant/ Facility Manager IT or a person with hybrid IT and OT talents Day to day operations of control system Designs and maintains the automation and control system Plant/Facility uptime is top of mind Network experts Lack tools that provide network visibility in an operations context BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 34

27 Current Challenges IT Operations Operations IND Target Users IT Staff Supporting OT Line Operator/ Technician Control Systems/ Design Engineer Plant/ Facility Manager IT or a person with hybrid IT and OT talents Day to day operations of control system Designs and maintains the automation and control system Plant/Facility uptime is top of mind Network experts Lack tools that provide network visibility in an operations context BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 35

28 Cisco Industrial Network Director Network Management, Simplified & Automated Native industrial protocol support Dashboard for monitoring system health, metrics, and traffic statistics Plug-and-Play Day-0 configuration Alarm management with real-time alerts of network events Plug-and-Play for Zero-Touch Switch Commissioning Improved Industrial Asset Visibility Network Troubleshooting with Automation Context APIs for Integration with Automation Systems BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 36

29 Cisco Plug and Play Zero-Touch Commissioning and Replacement Pre-provision configuration and software for automated network commissioning Cisco Industrial Network Director PnP-Server Switch Configuration Help ensure consistent network design and security policy XML PnP Protocol Software Image Swap hardware when switch fails and recover with automated configuration and software image replacement Open protocol based on XMPP and HTTP with publically available schema Cisco Industrial Ethernet Switch PnP-Agent BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 37

30 Plug and Play Implementation on IND Experts pre-define configuration through templates Simplify and Automate with Plug and Play Lightweight Can run on a laptop Workflow tailored for industrial use cases such as machine builders Profiles can be exported across instances for multiparty provisioning scenarios Technicians commissioning switches do not need to understand networking Technicians commission switches onsite with laptop Export BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 38

31 Factory Wireless

32 Wireless Overview Benefits of industrial wireless network Connection to hard-to-reach and restricted areas Integration of machines / skids Remote diagnostics Intelligent assets Lower installation and operational costs Cabling reduction, elimination of cable failures Equipment mobility New and more efficient machine designs BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 41

33 Wireless Overview Benefits of industrial wireless network Workforce mobility improves effectiveness Operators can trend/write back from a mobile device when they step away from machine Engineering and Maintenance can see and react to system alarming and production data from anywhere, anytime Industrial IT provide secure infrastructure and multi-platform support Equipment wireless IEEE Wireless connectivity for critical Industrial Automation and Control System (IACS) applications Asset Tracking Track assets to optimize cost and for safety BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 42

34 Wireless Overview Challenges of wireless communication Half-duplex shared medium: Only one radio can transmit on a particular wireless channel A radio cannot transmit and receive at the same time on the same channel Higher latency, jitter and packet loss compared to wired Ethernet Media contention, collisions and interference Can be minimized but not eliminated BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 43

35 Wireless Overview Challenges of wireless communication Wireless coverage area cannot be precisely defined Site survey is required Spectrum sharing and security concerns Signal quality may change over time Interference sources and obstructions Unauthorized transmissions Wireless advantages > challenges when WLAN is designed and maintained properly Used for appropriate applications BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 44

36 Factory Wireless Equipment to Equipment

37 Equipment to Equipment Use Cases Wireless Mobility Types Static equipment Permanent location Wire replacement for hard-to-reach places Examples: process control, condition monitoring, standalone OEM machines AP WGB BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 47

38 Equipment to Equipment Use Cases Wireless Mobility Types Nomadic equipment Stays in place while operating Moves to a new location in the shutdown state Examples: process skids, storage tanks, reactors, portable manufacturing equipment AP AP WGB BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 48

39 Equipment to Equipment Use Cases Wireless Mobility Types Mobile equipment (no roaming) Changes position while operating Remains connected to the same AP Examples: rotary platforms, manufacturing machines with tracks, overhead cranes with small spans AP WGB BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 49

40 Equipment to Equipment Use Cases Wireless Mobility Types Mobile equipment (fast roaming) Connects to multiple APs while operating Does not drop application connections Examples: AGVs, ASRS, overhead cranes, train cars, entertainment ride vehicles AP Site survey and architecture selection are critical WGB BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 50

41 Unified WLAN Architecture Overview Identity Services Engine (ISE) Connected Mobile Experiences (CMX) Cisco Prime Infrastructure WLC WGB LWAP SSID1 5 GHz LWAP WGB (Roaming) LWAP WGB SSID2 5 GHz WGB LWAP SSID3 2.4 GHz BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 51

42 Wireless Access Asset Tracking

43 Device Wireless Infrastructure Applications and Management Real Time Location Services (RTLS) Architecture Cisco Kinetic Single Pane of Glass for Cockpit Dashboard Partner Applications Access Point Cisco Identity Services Engine (ISE)/ Cisco Prime TM Network Wireless LAN Controller Enterprise Network Access Point Mobility Services Engine Access Point Open Ecosystem Scalable Infrastructure Leverage Common Wireless Infrastructure Track Any Wi-Fi Device or Tag Chokepoint Integration Chokepoint BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 53

44 Factory Security IDMZ

45 Controlling Access to the Industrial Zone Continued Trend - Industrial Network Security Level 5 Level 4 , Intranet, etc. Enterprise Network Site Business Planning and Logistics Network Enterprise Security Zone Remote Gateway Services Application Mirror Patch Management Web Services Operations AV Server Application Server Firewall Firewall Web CIP Industrial DMZ Level 3 Level 2 Level 1 Application Server Client Batch Control Directory Operator Interface Discrete Control Engineering Workstation Client Drive Control Remote Access Server Engineering Workstation Continuous Process Control Site Operations and Control Area Supervisory Control Operator Interface Safety Control Basic Control Industrial Security Zone Cell/Area Zone Level 0 Sensors Drives Actuators Robots Process Logical Model Industrial Automation and Control System (IACS) Converged Multi-discipline Industrial Network No Direct Traffic Flow between Enterprise and Industrial Zone BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 60

46 Industrial Demilitarized Zone (IDMZ) Best practices All network traffic from either side of the IDMZ terminates in the IDMZ; network traffic does not directly traverse the IDMZ Only path between zones No common protocols in each logical firewall No control traffic into the IDMZ, CIP stays home No primary services are permanently housed in the IDMZ IDMZ shall not permanently house data Application data mirror to move data into and out of the Industrial Zone Limit outbound connections from the IDMZ Be prepared to turn-off access via the firewall Disconnect Point Replicated Services Disconnect Point Trusted? Untrusted? Enterprise Security Zone Industrial Security Zone Trusted IDMZ No Direct Traffic BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 62

47 IDMZ Replicated Data and Services Wide Area Network (WAN) Physical or Virtualized Servers ERP, Active Directory (AD), AAA Radius Call Manager Firewall (Inspect Traffic) Core switches WLC (Enterprise) ISE (Enterprise) Enterprise Zone Levels 4-5 Physical or Virtualized Servers Patch Management Remote AV Server Desktop Application Mirror Gateway Remote Desktop Gateway Server Firewall (Inspect Traffic) Web Proxy Firewalls (Active/Standby) Industrial Demilitarized Zone (IDMZ) Physical or Virtualized Servers FactoryTalk Application Servers & Services Network Services e.g. DNS, AD, DHCP, AAA Call Manager Storage Array Level 3 Site Operations Remote Access Server VantagePoint Distribution switch Core switches ISE WLC (Active) WLC (Standby) Industrial Zone Levels 0-3 LWAP PAC WGB Levels 0-2 Cell/Area Zone FactoryTalk Client IO Drive MCC PAC PAC BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 63

48 IDMZ Replicated Data and Services Permit Secure Remote Access to Industrial Assets Wide Area Network (WAN) Physical or Virtualized Servers ERP, Active Directory (AD), AAA Radius Call Manager Firewall (Inspect Traffic) Physical or Virtualized Servers Patch Management Remote AV Server Desktop Application Mirror Gateway Remote Desktop Gateway Server Firewall (Inspect Traffic) Physical or Virtualized Servers FactoryTalk Application Servers & Services Network Services e.g. DNS, AD, DHCP, AAA Call Manager Storage Array Engineer Remote Access Level 3 Site Operations Permit Remote Access Server Web Proxy Permit VantagePoint Distribution switch Core switches Firewalls (Active/Standby) Core switches WLC (Enterprise) ISE (Enterprise) ISE WLC (Active) WLC (Standby) Enterprise Zone Levels 4-5 Industrial Demilitarized Zone (IDMZ) Industrial Zone Levels 0-3 LWAP PAC WGB Levels 0-2 Cell/Area Zone FactoryTalk Client IO Drive MCC PAC PAC BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 64

49 IDMZ Replicated Data and Services Permit Secure Remote Access to Industrial Assets Permit Data from the Industrial Zone to Enterprise Stakeholders Wide Area Network (WAN) Physical or Virtualized Servers ERP, Active Directory (AD), AAA Radius Call Manager Firewall (Inspect Traffic) Physical or Virtualized Servers Patch Management Remote AV Server Desktop Application Mirror Gateway Remote Desktop Gateway Server Firewall (Inspect Traffic) Physical or Virtualized Servers FactoryTalk Application Servers & Services Network Services e.g. DNS, AD, DHCP, AAA Call Manager Storage Array Engineer Remote Access Level 3 Site Operations Web Reports Permit Remote Access Server Web Proxy Plant Manager Permit VantagePoint Distribution switch Core switches Firewalls (Active/Standby) Core switches WLC (Enterprise) ISE (Enterprise) ISE WLC (Active) WLC (Standby) Enterprise Zone Levels 4-5 Industrial Demilitarized Zone (IDMZ) Industrial Zone Levels 0-3 LWAP PAC WGB Levels 0-2 Cell/Area Zone FactoryTalk Client IO Drive MCC PAC PAC BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 65

50 IDMZ Replicated Data and Services Permit Secure Remote Access to Industrial Assets Permit Data from the Industrial Zone to Enterprise Stakeholders Wide Area Network (WAN) Physical or Virtualized Servers ERP, Active Directory (AD), AAA Radius Call Manager Firewall (Inspect Traffic) Physical or Virtualized Servers Patch Management Remote AV Server Desktop Application Mirror Gateway Remote Desktop Gateway Server Firewall (Inspect Traffic) Physical or Virtualized Servers FactoryTalk Application Servers & Services Network Services e.g. DNS, AD, DHCP, AAA Call Manager Storage Array Engineer Remote Access Level 3 Site Operations Web Reports Permit Remote Access Server Web Proxy Plant Manager Permit Block Untrusted VantagePoint Block Untrusted Access to Industrial Zone Distribution switch Core switches Firewalls (Active/Standby) Core switches WLC (Enterprise) ISE (Enterprise) ISE WLC (Active) WLC (Standby) Enterprise Zone Levels 4-5 Industrial Demilitarized Zone (IDMZ) Industrial Zone Levels 0-3 LWAP PAC WGB Levels 0-2 Cell/Area Zone FactoryTalk Client IO Drive MCC PAC PAC BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 66

51 IDMZ Replicated Data and Services Permit Secure Remote Access to Industrial Assets Permit Data from the Industrial Zone to Enterprise Stakeholders Wide Area Network (WAN) Physical or Virtualized Servers ERP, Active Directory (AD), AAA Radius Call Manager Firewall (Inspect Traffic) Physical or Virtualized Servers Patch Management Remote AV Server Desktop Application Mirror Gateway Remote Desktop Gateway Server Firewall (Inspect Traffic) Physical or Virtualized Servers FactoryTalk Application Servers & Services Network Services e.g. DNS, AD, DHCP, AAA Call Manager Storage Array Engineer Remote Access Level 3 Site Operations Web Reports Permit Remote Access Server Web Proxy Plant Manager Permit Block Untrusted VantagePoint Block Untrusted Access to Industrial Zone Block Distribution switch Core switches Firewalls (Active/Standby) Core switches WLC (Enterprise) ISE (Enterprise) ISE WLC (Active) WLC (Standby) Enterprise Zone Levels 4-5 Industrial Demilitarized Zone (IDMZ) Industrial Zone Levels 0-3 Block Untrusted Access to Enterprise Zone Levels 0-2 Cell/Area Zone Untrusted PAC FactoryTalk Client IO Drive MCC PAC LWAP PAC WGB BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 67

52 Factory Security OT Intent-based Security for Industrial Networks

53 Cisco Identity Services Engine (ISE) Delivering Visibility, Context, and Control to Secure Network Access NETWORK / USER CONTEXT DEVICE PROFILING FEED SERVICE Who What When Where How REDUCE NETWORK UNKNOWNS AND APPLY THE RIGHT LEVEL OF SECURE ACCESS CONSISTENTLY ACROSS WIRED, WIRELESS and VPN Guest Access Contractor + Vendor (e.g. RBAC) Employee Access BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 72

54 Secure Access Consolidating access for employee/contractors/vendors Who? Employee Attacker Guest What? Personal Device Company Asset How? Wired Wireless VPN plant 1, zone 2 Headquarters When? Weekends (8:00am 5:00pm) PST BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 73

55 Defining security policies without visibility is complex Security Platforms C a m e r a P r i n t e r L a p t o p P h o n e?????????? Enterprise Assets Industrial Assets BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 74

56 Operational challenges due to IT-OT dependency Centralized IT Centralized IT team OT engineers to make adds, moves, and changes to the control system for day-to-day operations IT Enterprise Dependency on a centralized IT team to modify security policies. Plant-1 Plant-2 Plant-n OT OT OT OT distributed across plants BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 75

57 Operational challenges due to IT-OT dependency VISIBILITY INTENT BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 76

58 IoT Threat Defense C O N T E X T OT Platform IT Platform SGT dacl IE Switching V I S I B I L I T Y I N T E N T C O N T E X T pxgrid SXP IND ISE pxgrid NGFW C O N T E X T Quarantine StealthWatch BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 77

59 Visibility in Industrial Networks Security starts with Visibility Context Enhances Security Discover Industrial Assets using CIP, PROFINET, Modbus, BACNet Protocols Who What When Where Bob Rockwell PLC 11:00 AM EST on April 10 th Extrusion, Zone-2, Cell-1 Visualize connectivity between automation and networking assets Industrial Network Director pxgrid Identity Services Engine How Compliance Threat Vulnerability Wired Access Yes None CVSS score of 6 IND shares industrial asset identity with ISE over pxgrid this Visibility combined with Context, becomes a force-multiplier for Security BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 78

60 Industrial Asset Visibility with IND IND Asset Inventory ISE Profiler Attributes pxgrid Identity Services Engine iotmacaddress iotipaddress iotname iotvendor iotproductid iotserialnumber iotdevicetype iotswrevision iothwrevision iotprotocol iotconnectedlinks iotcustomattributes ISE profiling rules based on attributes like Make, Model, Serial Number, Device Type etc. instead of just IP address Custom Attributes allows IND to signal higher order information that is common to a group of assets BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 79

61 OT user intent driven policy updates Putting OT in the driver s seat Tag assets as Cell-1 IND Topology UI PxGrid attribute Cell-1 matches profiling policy-x and triggers Authorization policy-y N E W dacl pxgrid Update N E W SGT OT User Cell-1 ISE N E W VLAN OT personnel use with IND UI to express intent pxgrid update results in automatic policy update IT manages ISE. OT uses IND to express intent to influence the IT owned Security Policy BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 80

62 Use Case#1 - Cell Segmentation Segmentation Requirement Segment the industrial network OT user have the ability classify the assets into segments IT User Level 3 ISE MES Level 0-2 OT User IND BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 81

63 Use Case#1 - Cell Segmentation Segmentation Requirement Segment the industrial network OT user have the ability classify the assets into segments Security Policy Pre-Staging IT and OT decide on the segmentation policy IT configures ISE with Secure Group Tags (SGT), TrustSec policy to match rules IT User ISE MES Level 3 Level 0-2 OT User IND BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 82

64 Use Case#1 - Cell Segmentation Segmentation Requirement Segment the industrial network OT user have the ability classify the assets into segments Security Policy Pre-Staging IT and OT decide on the segmentation policy IT configures ISE with Secure Group Tags (SGT), TrustSec policy to match rules Workflow during Asset Classification IT User ISE MES Level 3 1. OT user selects assets and groups them in IND as Cell-1 and Cell-2 OT User IND Level OT user assigns a tag to C2-PLC 1 3. IND sends OT user intent and asset details to ISE in pxgrid BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 83

65 Use Case#1 - Cell Segmentation Segmentation Requirement Segment the industrial network OT user have the ability classify the assets into segments Security Policy Pre-Staging IT and OT decide on the segmentation policy IT configures ISE with Secure Group Tags (SGT), TrustSec policy to match rules Workflow during Asset Classification IT User ISE MES Level 3 1. OT user selects assets and groups them in IND as Cell-1 and Cell-2 OT User IND Level OT user assigns a tag to C2-PLC IND sends OT user intent and asset details to ISE in pxgrid BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 84

66 Use Case#1 - Cell Segmentation Segmentation Requirement Segment the industrial network OT user have the ability classify the assets into segments Security Policy Pre-Staging IT and OT decide on the segmentation policy IT configures ISE with Secure Group Tags (SGT), TrustSec policy to match rules Workflow during Asset Classification pxgrid 3 C O N T E X T IT User ISE MES Level 3 1. OT user selects assets and groups them in IND as Cell-1 and Cell-2 OT User IND Level OT user assigns a tag to C2-PLC IND sends OT user intent and asset details to ISE in pxgrid BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 85

67 Use Case#1 - Cell Segmentation Segmentation Requirement SGT 33 SGT 100 SGT 200 Segment the industrial network OT user have the ability classify the assets into segments Security Policy Pre-Staging SGT 33 SGT 100 SGT 200 IT and OT decide on the segmentation policy IT configures ISE with Secure Group Tags (SGT), TrustSec policy to match rules Workflow during Asset Classification pxgrid 3 C O N T E X T IT User ISE 4 SGT 33 MES Level 3 1. OT user selects assets and groups them in IND as Cell-1 and Cell-2 OT User IND SGT 100 SGT 200 SGT 33 Level OT user assigns a tag to C2-PLC IND sends OT user intent and asset details to ISE in pxgrid 4. Profiling policy match in ISE results TrustSec policy distribution BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 86

68 Use Case#1 On-Demand Remote Access Remote Access Requirement Only specific asset in the machine must be accessible No dependency on IT AnyConnect to check security posture, establish VPN, and collect application telemetry info Track user session in ISE along with SGT role. AnyConnect OEM ASA RDP DMZ Level 3 IT User ISE Level 0-2 IND OT User BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 87

69 Use Case#1 On-Demand Remote Access Remote Access Requirement Only specific asset in the machine must be accessible No dependency on IT Security Policy Pre-Staging 1. IT user pre-defines profiling rules in ISE to match custom attributes AnyConnect to check security posture, establish VPN, and collect application telemetry info Track user session in ISE along with SGT role. ASA AnyConnect RDP OEM DMZ 2. IT user pre-defines SGT firewall rules in ASA to allow remote Access IT User ISE Level 3 Level 0-2 IND OT User BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 88

70 Use Case#1 On-Demand Remote Access Remote Access Requirement Only specific asset in the machine must be accessible No dependency on IT Security Policy Pre-Staging 1. IT user pre-defines profiling rules in ISE to match custom attributes AnyConnect to check security posture, establish VPN, and collect application telemetry info Track user session in ISE along with SGT role. ASA AnyConnect RDP OEM DMZ 2. IT user pre-defines SGT firewall rules in ASA to allow remote Access Workflow during Maintenance Window 1. During machine maintenance, OT user changes asset attribute tag in IND which denotes intent to allow remote access IT User 1 IND ISE Level 3 Level 0-2 OT User BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 89

71 Use Case#1 On-Demand Remote Access Remote Access Requirement Only specific asset in the machine must be accessible No dependency on IT Security Policy Pre-Staging 1. IT user pre-defines profiling rules in ISE to match custom attributes AnyConnect to check security posture, establish VPN, and collect application telemetry info Track user session in ISE along with SGT role. ASA AnyConnect RDP OEM DMZ 2. IT user pre-defines SGT firewall rules in ASA to allow remote Access Workflow during Maintenance Window 1. During machine maintenance, OT user changes asset attribute tag in IND which denotes intent to allow remote access IT User 1 2 C O N T E X T IND ISE Level 3 Level IND sends OT user intent and asset details to ISE in pxgrid, which results in asset reauthorization OT User BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 90

72 Use Case#1 On-Demand Remote Access Remote Access Requirement Only specific asset in the machine must be accessible No dependency on IT Security Policy Pre-Staging 1. IT user pre-defines profiling rules in ISE to match custom attributes AnyConnect to check security posture, establish VPN, and collect application telemetry info Track user session in ISE along with SGT role. 3 SGT 777 S X P ASA AnyConnect RDP OEM DMZ 2. IT user pre-defines SGT firewall rules in ASA to allow remote Access Workflow during Maintenance Window 1. During machine maintenance, OT user changes asset attribute tag in IND which denotes intent to allow remote access IT User 1 2 C O N T E X T IND ISE Level 3 Level IND sends OT user intent and asset details to ISE in pxgrid, which results in asset reauthorization OT User SGT ISE distributes new TrustSec policy to Firewall and access switches to enable remote access BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 91

73 Use Case#1 On-Demand Remote Access Remote Access Requirement Only specific asset in the machine must be accessible No dependency on IT Security Policy Pre-Staging 1. IT user pre-defines profiling rules in ISE to match custom attributes AnyConnect to check security posture, establish VPN, and collect application telemetry info Track user session in ISE along with SGT role. 3 SGT 777 S X P ASA AnyConnect RDP OEM DMZ 2. IT user pre-defines SGT firewall rules in ASA to allow remote Access Workflow during Maintenance Window 1. During machine maintenance, OT user changes asset attribute tag in IND which denotes intent to allow remote access IT User 1 2 C O N T E X T IND ISE Level 3 Level IND sends OT user intent and asset details to ISE in pxgrid, which results in asset reauthorization OT User SGT ISE distributes new TrustSec policy to Firewall and access switches to enable remote access BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 92

74 Use Case#3 Flow Based Anomaly Detection Requirement Group assets in communication trust zones and detect anomalous traffic behavior Easily detect the source of anomaly H O S T G R O U P S Level 3 ISE Stealth Watch IT User C O N T E X T OT User IND N E T F L O W Level 0-2 Cell-1 Cell-2 BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 93

75 Use Case#3 Flow Based Anomaly Detection Requirement Group assets in communication trust zones and detect anomalous traffic behavior Easily detect the source of anomaly Security Policy Pre-Staging Assets grouped in IND by OT user, automatically creates Host Groups in StealthWatch H O S T G R O U P S Level 3 IT defines Alarms in StealthWatch for Host Group zone map violations C O N T E X T ISE Stealth Watch IT User IT configures policies in ISE to quarantine devices on violations Level 0-2 OT User IND N E T F L O W Cell-1 Cell-2 BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 94

76 Use Case#3 Flow Based Anomaly Detection Requirement Group assets in communication trust zones and detect anomalous traffic behavior Easily detect the source of anomaly Security Policy Pre-Staging Assets grouped in IND by OT user, automatically creates Host Groups in StealthWatch H O S T G R O U P S Level 3 IT defines Alarms in StealthWatch for Host Group zone map violations C O N T E X T ISE Stealth Watch IT User IT configures policies in ISE to quarantine devices on violations Workflow 1. Compromised Camera in Cell-2 initiates Port Scan OT User Cell-1 IND Port Scan 1 N E T F L O W Level 0-2 Cell-2 BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 95

77 Use Case#3 Flow Based Anomaly Detection Requirement Group assets in communication trust zones and detect anomalous traffic behavior Easily detect the source of anomaly Security Policy Pre-Staging Assets grouped in IND by OT user, automatically creates Host Groups in StealthWatch H O S T G R O U P S Level 3 IT defines Alarms in StealthWatch for Host Group zone map violations C O N T E X T ISE Stealth Watch 2 IT User IT configures policies in ISE to quarantine devices on violations Workflow 1. Compromised Camera in Cell-2 initiates Port Scan 2. StealthWatch raises Recon Alarm, and zone map violation alarm OT User Cell-1 IND Port Scan 1 N E T F L O W Level 0-2 Cell-2 BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 96

78 Use Case#3 Flow Based Anomaly Detection Requirement Group assets in communication trust zones and detect anomalous traffic behavior Easily detect the source of anomaly Security Policy Pre-Staging Assets grouped in IND by OT user, automatically creates Host Groups in StealthWatch H O S T G R O U P S Level 3 IT defines Alarms in StealthWatch for Host Group zone map violations C O N T E X T ISE Q u a r a n t i n e 3 Stealth Watch IT User 2 IT configures policies in ISE to quarantine devices on violations Workflow 1. Compromised Camera in Cell-2 initiates Port Scan 2. StealthWatch raises Recon Alarm, and zone map violation alarm OT User Cell-1 IND Port Scan 1 N E T F L O W Level 0-2 Cell-2 3. StealthWatch sends quarantine request to ISE BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 97

79 Use Case#3 Flow Based Anomaly Detection Requirement Group assets in communication trust zones and detect anomalous traffic behavior Easily detect the source of anomaly Security Policy Pre-Staging Assets grouped in IND by OT user, automatically creates Host Groups in StealthWatch H O S T G R O U P S Level 3 IT defines Alarms in StealthWatch for Host Group zone map violations C O N T E X T ISE Q u a r a n t i n e 3 Stealth Watch 2 IT User IT configures policies in ISE to quarantine devices on violations Workflow 1. Compromised Camera in Cell-2 initiates Port Scan OT User Cell-1 IND C o A 4 N E T F L O W Level 0-2 Cell-2 2. StealthWatch raises Recon Alarm, and zone map violation alarm 1 3. StealthWatch sends quarantine request to ISE 4. ISE moves camera access port to isolated VLAN to quarantine BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 98

80 Industrial Network Security Framework CPwE - Holistic Defense-in-Depth Enterprise External DMZ/ Firewall Internet Enterprise Zone: Levels 4-5 Industrial Demilitarized Zone (IDMZ) Physical or Virtualized Servers Patch Management AV Server Application Mirror Remote Desktop Gateway Server Industrial Zone: Levels 0-3 Identity Services Core Switches Wireless LAN Controller (WLC) Active Standby Level 3 Site Operations Distribution Switch Stack FactoryTalk Client Level 2 Area Supervisory Control SSID 2.4 GHz IFW Controller Controller Level 1 - Controller I/O Soft Starter LWAP MCC Level 0 - Process SSID 5 GHz I/O WGB Drive BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 99

81 Industrial Network Security Framework CPwE - Holistic Defense-in-Depth Enterprise External DMZ/ Firewall Internet Enterprise Zone: Levels 4-5 Industrial Demilitarized Zone (IDMZ) Physical or Virtualized Servers Patch Management AV Server Application Mirror Remote Desktop Gateway Server Industrial Zone: Levels 0-3 Identity Services Core Switches Wireless LAN Controller (WLC) Active Control System Engineers Standby Level 3 Site Operations Distribution Switch Stack FactoryTalk Client Level 2 Area Supervisory Control SSID 2.4 GHz IFW Controller Controller Level 1 - Controller I/O Soft Starter LWAP MCC Level 0 - Process SSID 5 GHz I/O WGB Drive BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 100

82 Industrial Network Security Framework CPwE - Holistic Defense-in-Depth Enterprise External DMZ/ Firewall Internet Enterprise Zone: Levels 4-5 Industrial Demilitarized Zone (IDMZ) Physical or Virtualized Servers Patch Management AV Server Application Mirror Remote Desktop Gateway Server Industrial Zone: Levels 0-3 Identity Services Core Switches Wireless LAN Controller (WLC) Active Control System Engineers Standby Level 3 Site Operations Distribution Switch Stack FactoryTalk Client Level 2 Area Supervisory Control SSID 2.4 GHz IFW Controller Controller Level 1 - Controller I/O Soft Starter LWAP MCC Level 0 - Process SSID 5 GHz I/O WGB Drive BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 101

83 Industrial Network Security Framework CPwE - Holistic Defense-in-Depth Enterprise External DMZ/ Firewall Internet Enterprise Zone: Levels 4-5 Industrial Demilitarized Zone (IDMZ) Physical or Virtualized Servers Patch Management AV Server Application Mirror Remote Desktop Gateway Server Industrial Zone: Levels 0-3 Identity Services Core Switches Wireless LAN Controller (WLC) Active Control System Engineers Standby Level 3 Site Operations Distribution Switch Stack FactoryTalk Client Level 2 Area Supervisory Control SSID 2.4 GHz IFW Controller Controller Level 1 - Controller I/O Soft Starter LWAP MCC Level 0 - Process SSID 5 GHz I/O WGB Drive BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 102

84 Industrial Network Security Framework CPwE - Holistic Defense-in-Depth Enterprise External DMZ/ Firewall Internet Enterprise Zone: Levels 4-5 Industrial Demilitarized Zone (IDMZ) Physical or Virtualized Servers Patch Management AV Server Application Mirror Remote Desktop Gateway Server Industrial Zone: Levels 0-3 Identity Services Core Switches Wireless LAN Controller (WLC) Active Control System Engineers Standby Level 3 Site Operations Distribution Switch Stack FactoryTalk Client Level 2 Area Supervisory Control SSID 2.4 GHz IFW Controller Controller Level 1 - Controller I/O Soft Starter LWAP MCC Level 0 - Process SSID 5 GHz I/O WGB Drive BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 103

85 Industrial Network Security Framework CPwE - Holistic Defense-in-Depth Enterprise External DMZ/ Firewall Internet Enterprise Zone: Levels 4-5 Industrial Demilitarized Zone (IDMZ) Physical or Virtualized Servers Patch Management AV Server Application Mirror Remote Desktop Gateway Server Industrial Zone: Levels 0-3 Identity Services Core Switches Wireless LAN Controller (WLC) Active Control System Engineers Standby Level 3 Site Operations Distribution Switch Stack FactoryTalk Client Level 2 Area Supervisory Control SSID 2.4 GHz IFW Controller Controller Level 1 - Controller I/O Soft Starter LWAP MCC Level 0 - Process SSID 5 GHz I/O WGB Drive BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 104

86 Industrial Network Security Framework CPwE - Holistic Defense-in-Depth Enterprise External DMZ/ Firewall Internet Enterprise Zone: Levels 4-5 Industrial Demilitarized Zone (IDMZ) Physical or Virtualized Servers Patch Management AV Server Application Mirror Remote Desktop Gateway Server Industrial Zone: Levels 0-3 Identity Services Core Switches Wireless LAN Controller (WLC) Active Control System Engineers Standby Level 3 Site Operations Distribution Switch Stack FactoryTalk Client Level 2 Area Supervisory Control SSID 2.4 GHz IFW Controller Controller Level 1 - Controller I/O Soft Starter LWAP MCC Level 0 - Process SSID 5 GHz I/O WGB Drive BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 105

87 Industrial Network Security Framework CPwE - Holistic Defense-in-Depth Enterprise External DMZ/ Firewall Internet Enterprise Zone: Levels 4-5 Industrial Demilitarized Zone (IDMZ) Physical or Virtualized Servers Patch Management AV Server Application Mirror Remote Desktop Gateway Server Industrial Zone: Levels 0-3 Identity Services Core Switches Wireless LAN Controller (WLC) Active Control System Engineers Standby Control System Engineers in Collaboration with IT Network Engineers (Industrial IT) Level 3 Site Operations FactoryTalk Client Level 2 Area Supervisory Control Distribution Switch Stack SSID 2.4 GHz IFW Controller Controller Level 1 - Controller I/O Soft Starter LWAP MCC Level 0 - Process SSID 5 GHz I/O WGB Drive BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 106

88 Industrial Network Security Framework CPwE - Holistic Defense-in-Depth Enterprise External DMZ/ Firewall Internet Enterprise Zone: Levels 4-5 Industrial Demilitarized Zone (IDMZ) Physical or Virtualized Servers Patch Management AV Server Application Mirror Remote Desktop Gateway Server Industrial Zone: Levels 0-3 Identity Services Core Switches Wireless LAN Controller (WLC) Active Control System Engineers Standby Control System Engineers in Collaboration with IT Network Engineers (Industrial IT) Level 3 Site Operations FactoryTalk Client Level 2 Area Supervisory Control Distribution Switch Stack SSID 2.4 GHz IFW Controller Controller Level 1 - Controller I/O Soft Starter LWAP MCC Level 0 - Process SSID 5 GHz I/O WGB Drive BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 107

89 Industrial Network Security Framework CPwE - Holistic Defense-in-Depth Enterprise External DMZ/ Firewall Internet Enterprise Zone: Levels 4-5 Industrial Demilitarized Zone (IDMZ) Physical or Virtualized Servers Patch Management AV Server Application Mirror Remote Desktop Gateway Server Industrial Zone: Levels 0-3 Identity Services Core Switches Wireless LAN Controller (WLC) Active Control System Engineers Standby Control System Engineers in Collaboration with IT Network Engineers (Industrial IT) Level 3 Site Operations FactoryTalk Client Level 2 Area Supervisory Control Distribution Switch Stack SSID 2.4 GHz IFW Controller Controller Level 1 - Controller I/O Soft Starter LWAP MCC Level 0 - Process SSID 5 GHz I/O WGB Drive BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 108

90 Industrial Network Security Framework CPwE - Holistic Defense-in-Depth Enterprise External DMZ/ Firewall Internet Enterprise Zone: Levels 4-5 Industrial Demilitarized Zone (IDMZ) Physical or Virtualized Servers Patch Management AV Server Application Mirror Remote Desktop Gateway Server Industrial Zone: Levels 0-3 Identity Services Core Switches Wireless LAN Controller (WLC) Active Control System Engineers Standby Control System Engineers in Collaboration with IT Network Engineers (Industrial IT) Level 3 Site Operations FactoryTalk Client Level 2 Area Supervisory Control Distribution Switch Stack SSID 2.4 GHz IFW Controller Controller Level 1 - Controller I/O Soft Starter LWAP MCC Level 0 - Process SSID 5 GHz I/O WGB Drive BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 109

91 Industrial Network Security Framework CPwE - Holistic Defense-in-Depth Enterprise External DMZ/ Firewall Internet Enterprise Zone: Levels 4-5 Industrial Demilitarized Zone (IDMZ) Physical or Virtualized Servers Patch Management AV Server Application Mirror Remote Desktop Gateway Server Industrial Zone: Levels 0-3 Identity Services Core Switches Wireless LAN Controller (WLC) Active Control System Engineers Standby Control System Engineers in Collaboration with IT Network Engineers (Industrial IT) Level 3 Site Operations FactoryTalk Client Level 2 Area Supervisory Control Distribution Switch Stack SSID 2.4 GHz IFW Controller Controller Level 1 - Controller I/O Soft Starter LWAP MCC Level 0 - Process SSID 5 GHz I/O WGB Drive BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 110

92 Industrial Network Security Framework CPwE - Holistic Defense-in-Depth Enterprise External DMZ/ Firewall Internet Enterprise Zone: Levels 4-5 Industrial Demilitarized Zone (IDMZ) Physical or Virtualized Servers Patch Management AV Server Application Mirror Remote Desktop Gateway Server Industrial Zone: Levels 0-3 Identity Services Core Switches Wireless LAN Controller (WLC) Active Control System Engineers Standby Control System Engineers in Collaboration with IT Network Engineers (Industrial IT) Level 3 Site Operations FactoryTalk Client Level 2 Area Supervisory Control Distribution Switch Stack SSID 2.4 GHz IFW Controller Controller Level 1 - Controller I/O Soft Starter LWAP MCC Level 0 - Process SSID 5 GHz I/O WGB Drive BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 111

93 Industrial Network Security Framework CPwE - Holistic Defense-in-Depth Enterprise External DMZ/ Firewall Internet Enterprise Zone: Levels 4-5 Industrial Demilitarized Zone (IDMZ) Physical or Virtualized Servers Patch Management AV Server Application Mirror Remote Desktop Gateway Server Industrial Zone: Levels 0-3 Identity Services Core Switches Wireless LAN Controller (WLC) Active Control System Engineers Control System Engineers in Collaboration with IT Network Engineers (Industrial IT) IT Security Architects in Collaboration with Control Systems Engineers Level 3 Site Operations FactoryTalk Client Level 2 Area Supervisory Control Controller Distribution Switch Stack IFW Controller Level 1 - Controller I/O Soft Starter LWAP MCC Level 0 - Process Standby SSID 2.4 GHz SSID 5 GHz I/O WGB Drive BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 112

94 Industrial Network Security Framework CPwE - Holistic Defense-in-Depth Enterprise External DMZ/ Firewall Internet Enterprise Zone: Levels 4-5 Industrial Demilitarized Zone (IDMZ) Physical or Virtualized Servers Patch Management AV Server Application Mirror Remote Desktop Gateway Server Industrial Zone: Levels 0-3 Identity Services Core Switches Wireless LAN Controller (WLC) Active Control System Engineers Control System Engineers in Collaboration with IT Network Engineers (Industrial IT) IT Security Architects in Collaboration with Control Systems Engineers Level 3 Site Operations FactoryTalk Client Level 2 Area Supervisory Control Controller Distribution Switch Stack IFW Controller Level 1 - Controller I/O Soft Starter LWAP MCC Level 0 - Process Standby SSID 2.4 GHz SSID 5 GHz I/O WGB Drive BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 113

95 Industrial Network Security Framework CPwE - Holistic Defense-in-Depth Enterprise External DMZ/ Firewall Internet Enterprise Zone: Levels 4-5 Industrial Demilitarized Zone (IDMZ) Physical or Virtualized Servers Patch Management AV Server Application Mirror Remote Desktop Gateway Server Industrial Zone: Levels 0-3 Identity Services Core Switches Wireless LAN Controller (WLC) Active Control System Engineers Control System Engineers in Collaboration with IT Network Engineers (Industrial IT) IT Security Architects in Collaboration with Control Systems Engineers Level 3 Site Operations FactoryTalk Client Level 2 Area Supervisory Control Controller Distribution Switch Stack IFW Controller Level 1 - Controller I/O Soft Starter LWAP MCC Level 0 - Process Standby SSID 2.4 GHz SSID 5 GHz I/O WGB Drive BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 114

96 Industrial Network Security Framework CPwE - Holistic Defense-in-Depth Enterprise External DMZ/ Firewall Internet Enterprise Zone: Levels 4-5 Industrial Demilitarized Zone (IDMZ) Physical or Virtualized Servers Patch Management AV Server Application Mirror Remote Desktop Gateway Server Industrial Zone: Levels 0-3 Identity Services Core Switches Wireless LAN Controller (WLC) Active Control System Engineers Control System Engineers in Collaboration with IT Network Engineers (Industrial IT) IT Security Architects in Collaboration with Control Systems Engineers Level 3 Site Operations FactoryTalk Client Level 2 Area Supervisory Control Controller Distribution Switch Stack IFW Controller Level 1 - Controller I/O Soft Starter LWAP MCC Level 0 - Process Standby SSID 2.4 GHz SSID 5 GHz I/O WGB Drive BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 115

97 Industrial Network Security Framework CPwE - Holistic Defense-in-Depth Enterprise External DMZ/ Firewall Internet Enterprise Zone: Levels 4-5 Industrial Demilitarized Zone (IDMZ) Physical or Virtualized Servers Patch Management AV Server Application Mirror Remote Desktop Gateway Server Industrial Zone: Levels 0-3 Identity Services Core Switches Wireless LAN Controller (WLC) Active Control System Engineers Control System Engineers in Collaboration with IT Network Engineers (Industrial IT) IT Security Architects in Collaboration with Control Systems Engineers Level 3 Site Operations FactoryTalk Client Level 2 Area Supervisory Control Controller Distribution Switch Stack IFW Controller Level 1 - Controller I/O Soft Starter LWAP MCC Level 0 - Process Standby SSID 2.4 GHz SSID 5 GHz I/O WGB Drive BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 116

98 Industrial Network Security Framework CPwE - Holistic Defense-in-Depth Enterprise External DMZ/ Firewall Internet Enterprise Zone: Levels 4-5 Industrial Demilitarized Zone (IDMZ) Physical or Virtualized Servers Patch Management AV Server Application Mirror Remote Desktop Gateway Server Industrial Zone: Levels 0-3 Identity Services Core Switches Wireless LAN Controller (WLC) Active Control System Engineers Control System Engineers in Collaboration with IT Network Engineers (Industrial IT) IT Security Architects in Collaboration with Control Systems Engineers Level 3 Site Operations FactoryTalk Client Level 2 Area Supervisory Control Controller Distribution Switch Stack IFW Controller Level 1 - Controller I/O Soft Starter LWAP MCC Level 0 - Process Standby SSID 2.4 GHz SSID 5 GHz I/O WGB Drive BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 117

99 Cisco Kinetic IoT Platform & Vertical use cases

100 Cisco Kinetic Platform Extract Data Compute Data Move Data IoT Data Fabric Gateway Management Module Edge & Fog Processing Module Data Control Module BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 119

101 Cisco Kinetic Platform Sensors Sensors IoT Devices Business Business Intelligence Intelligence Business Applications Intelligence Applications Applications BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 120

102 Cisco Kinetic Platform Sensors Sensors IoT Devices Protocol Translation SW Protocol Translation SW Protocol Translation SW Sensors Sensors IoT Gateway Extract Data Business Business Intelligence Intelligence Business Applications Intelligence Applications Applications BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 121

103 Cisco Kinetic Platform Sensors Sensors IoT Devices Protocol Translation SW Protocol Translation SW Protocol Translation SW Edge Compute SW Sensors Edge Compute SW Sensors Edge Compute SW IoT Gateway Extract Data Compute Data Business Business Intelligence Intelligence Business Applications Intelligence Applications Applications BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 122

104 Cisco Kinetic Platform Sensors Sensors IoT Devices Protocol Translation SW Protocol Translation SW Extract Data Compute Data Move Data Edge Compute SW Sensors Edge Compute SW Sensors Protocol Translation SW Edge Compute SW IoT Gateway Business Business Intelligence Intelligence Business Applications Intelligence Applications Applications Visualization SW Cisco Solutions+ (DGLux5) BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 123

105 Cisco Kinetic Platform Sensors Sensors IoT Devices Protocol Translation SW Protocol Translation SW Extract Data Compute Data Move Data Edge Compute SW Sensors Edge Compute SW Sensors Protocol Translation SW Edge Compute SW IoT Gateway Business Business Intelligence Intelligence Business Applications Intelligence Applications Applications IoT Data Fabric Visualization SW Cisco Solutions+ (DGLux5) Gateway Management Module Edge & Fog Processing Module Data Control Module BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 124

106 Energy Monitoring Solution Manufacturing workflow apps API Cisco Kinetic Capabilities Real-time monitoring of energy consumption Consumption data by machine, line, area and building Automated policy to notify factory staff potential about peak power or issues before they occur Secure Data Delivery Cisco Kinetic Edge and Fog Processing Solution Benefits Data Capture & Normalization Real-time visibility Policy automation to improve energy optimization: identify leaks, inefficient machines, peak loads Nitrogen Flow Meters Equipment Power Meters Compressed Air Flow Meters Thermal Sensors Easy-to-use, accurate cost reporting for compliance Simplified deployment BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 125

107 Equipment Health Monitoring Solution Manufacturing workflow apps Cisco Kinetic Capabilities Real-time monitoring of equipment state and condition Easy to read trending data Automated policy to notify factory staff potential issues before they occur Secure Data Delivery Cisco Kinetic EFM Solution Benefits Real-time visibility Enables steps toward predictive maintenance Improved issue response time Simplified deployment and meter deployment Vibration Sensors Pressure Sensors Power Sensors PLCs BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 126

108 Key Takeaways Connected Factories reference architectures - Simplified design, quicker deployment, reduced risk in deploying new technology to achieve business outcomes Factory Network: Secure, scalable and resilient network infrastructure Factory Wireless: Enables mobility, secure personnel access, equipment to equipment communication and asset tracking Factory Security: Defense-in-depth security for multiple layers of threat detection and prevention Cisco Kinetic: IoT Platform to Extract, Compute and Mode data BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 127

109 Connected Factory in Practice Achieving Business Outcomes

110 INDUSTRIE 4.0 Technology Progress Smart Devices 18 th Century Steam 20 th Century Mass Production 70 s Robots Today Digitization/Cyber- Physical Cyber-physical systems monitor physical processes, create a virtual copy ( Digital Twin ) of the physical world, and make decision decentralized decisions Cyber-physical systems communicate and cooperate with each other and with humans in real time Internal and cross-organizational services are offered and used by participants of the value chain Includes soft topics like work/life balance BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 129

111 IoT, IIoT, Industrie 4.0 and the Connected Factory Connected Factory BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 130

112 Drivers for the Connected Factory Becoming an Insight-Driven Manufacturer Have the Ability to Accurately Track Machine Utilization (e.g. OEE) Facilitate the Use of Advanced Sensor Technologies and Enabling Predictive Maintenance Continuously Innovating Products, Services, and Relationships Create Connected Environments Inclusive of Partners (Internal and External ones) Becoming Agile While Maintaining Control of the Business We Want New Operational and Business Models BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 131

113 Connected Factory - Achieving Business Outcomes Reduce Costs (Optimize Operations) Increase Revenues (More Capabilities) Meet Responsibilities (Environmental, Safety, Regulatory) Production Automation Inventory Management Quality Control Cost Management Workforce Enablement Product Enhancement Applications Building Management Facilities Management SCADA Ind. Access & Control Safety Unified Application Layer (Any Device - Any Application) Security Real Time Location Services Manu. Execution Systems Ent. Resource Planning Reports Analytics Internet Collab. Networks Automation Network Unified Network Management Layer (Deployment + Service Management) Management Network Collaboration Network (IT) Devices Sensors Robots Supply Chain Tracking Personal Energy Devices Voice Video BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 132

114 Connected Factory in Practice Factory Security Case Study

115 Hope is NOT a Strategy Manufacturing is the most targeted category and small to medium manufacturers are the most targeted. 40 percent of manufacturing companies ended up affected by cyber incidents in the past 12 months, 38 percent of those that felt the effects indicated cyber breaches resulted in damages in excess of $1 million, BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 134

116 Industrie 4.0 Driving the Connected Factory OEM Enterprise-wide Systems Supplier Corporate Headquarters Other Plant Customer Plant-wide Systems Receiving Processing Material Handling Control Room Utilities Batching/ Blending Packaging Shipping Lower Total Cost of Ownership Faster Time to Market Better Asset Optimization Broader Risk Management BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 135

117 Industrie 4.0 Driving the Connected Factory Connect OEM Enterprise-wide Systems Supplier Corporate Headquarters Other Plant Customer Control Room Utilities Plant-wide Systems Receiving Processing Material Handling Batching/ Blending Packaging Shipping Lower Total Cost of Ownership Faster Time to Market Better Asset Optimization Broader Risk Management BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 136

118 Industrie 4.0 Driving the Connected Factory Connect OEM North Enterprise-wide Systems Supplier Corporate Headquarters Other Plant Customer West Control Room East Utilities Plant-wide Systems Receiving Batching/ Blending Processing Packaging Material Handling South Shipping Lower Total Cost of Ownership Faster Time to Market Better Asset Optimization Broader Risk Management BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 137

119 Industrie 4.0 Driving the Connected Factory Connect OEM North Enterprise-wide Systems Supplier Corporate Headquarters Other Plant Customer Plant-wide Systems Protect & Detect West Receiving Batching/ Blending Processing Packaging Material Handling South Lower Total Cost of Ownership Faster Time to Market Better Asset Optimization Broader Risk Management Control Room Shipping East Utilities BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 138

120 Industrie 4.0 Driving the Connected Factory Connect OEM North Enterprise-wide Systems Supplier Corporate Headquarters Other Plant Customer Plant-wide Systems Protect & Detect West Receiving Batching/ Blending Processing Packaging Material Handling South Lower Total Cost of Ownership Faster Time to Market Better Asset Optimization Broader Risk Management Control Room Shipping East Utilities BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 139

121 Industrie 4.0 Driving the Connected Factory Connect OEM North Enterprise-wide Systems Supplier Corporate Headquarters Other Plant Customer Plant-wide Systems Protect & Detect West Receiving Batching/ Blending Processing Packaging Material Handling South Lower Total Cost of Ownership Faster Time to Market Better Asset Optimization Broader Risk Management Control Room Shipping East Utilities Collect BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 140

122 Security is NOT a Product but a Process Where do I Begin? NIST Cybersecurity Framework MFG Profile BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 141

123 Assess the Threats Targeted of Not Employee carelessness Employee(&former employee sabotage Internet Phishing Infected CD Infected PDF file Infected memory stick A printer Threats from Cloud Services and Internet Internet Cloud Systems Exfiltration attacks Threats from Infected HMI s or PLC s Enterprise Network IDMZ Web Server Supervisory Network SCA DA Control System Network HM I PLCs App Threats Server from Unauthorized Control Uncontrolled Access Databas e Histori an Histor ian Threats through Remote Access VP N Threats from Unauthorized Control Remote Facility Field Network PLCs BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 142

124 Develop the Transformation Current State Security through Obscurity Flat and Open IACS Network Infrastructure BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 143

125 Develop the Transformation Current State Security through Obscurity BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 144

126 Develop the Transformation Current State Security through Obscurity Future State Flat and Open IACS Network Infrastructure Structured and Hardened IACS Network Infrastructure BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 145

127 Develop the Transformation Current State Security through Obscurity Future State Flat and Open IACS Network Infrastructure Structured and Hardened IACS Network Infrastructure BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 146

128 Strategic Factory Security Approach Secure Network Environment Phase 1 Factory(OT) Architecture IDMZ (IT OT Separation) Secure Remote Access to OT OT Network Segmentation Secure Visibility & Control Phase 2 OT Identity Base Network (ISE) OT Dedicated Security Appliances at Major Demarcation OT Network Security Monitoring Phased Factory Security Maturity Advanced Industrial Security Phase 3 Convergence of IT and OT Network Security Cyber-Security Overlays Enhance Protections Content BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 147

129 Factory Security Challenge Need to connect machines from the factory floor for visibility, but have Security by Obscurity posture. Need protect IT from OT and OT from IT. Reduced Risk Reduced Downtime Solution Factory Cyber Security Assessment Industrial DMZ Defense in Depth Framework Business Outcomes Reduced downtime Protect brand reputation Minimize cyber theft Increase Visibility to Factory Floor

130 Why Segmentation? manages attacks Securing Environment Segment infrastructure Protect inbound and outbound communications and each other Scalable software defined segmentation Separate systems and users based on role and policy. Reducing security complexity Identity based access Restrict connection to known systems and devices Profiling IoT Evaluate and determine characteristics and posture to see if a device is Misbehaving BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 149

131 Map out IDMZ Traffic Flow Requirements for the network services and application data flow Applications and protocols may have to be allowed A certain network services may be allowed to communicate directly while ICS applications use IDMZ assets to exchange data. BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 150

132 IDMZ Implementation- Current State Connected Factory - Holistic Defense-in-Depth Enterprise External DMZ/ Firewall Layer 3 Internet Implement Purdue model with level segmentation via firewall with routing controls Layer 2 Proper configuration and maintenance on Firewalls and ACL s Build and commission a DMZ at level 3.5 for IT services, agents, patch management etc. Distribution Switch Stack Controller Controller Level 1 - Controller I/O Soft Starter MCC Level 0 - Process 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 151

133 IDMZ Implementation- Interim Connected Factory - Holistic Defense-in-Depth Enterprise Zone: Levels 4-5 Industrial Demilitarized Zone (IDMZ) Identity Services Enterprise External DMZ/ Firewall Layer 3 Layer 2 Internet Industrial Zone: Levels 0-3 Core Switches Layer 3 Layer 2 Distribution Switch Stack Controller Controller Level 1 - Controller I/O Soft Starter MCC Level 0 - Process 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 152

134 IDMZ Implementation- Access Migration Connected Factory - Holistic Defense-in-Depth Enterprise External DMZ/ Firewall Internet Enterprise Zone: Levels 4-5 Industrial Demilitarized Zone (IDMZ) Identity Services Industrial Zone: Levels 0-3 Core Switches Layer 3 Layer 2 Distribution Switch Stack Controller Controller Level 1 - Controller I/O Soft Starter MCC Level 0 - Process 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 153

135 IDMZ Implementation- Server Migration Connected Factory - Holistic Defense-in-Depth Enterprise External DMZ/ Firewall Internet Enterprise Zone: Levels 4-5 Industrial Demilitarized Zone (IDMZ) Physical or Virtualized Servers Patch Management AV Server Application Mirror Remote Desktop Gateway Server Industrial Zone: Levels 0-3 Identity Services Core Switches Level 3 Site Operations Distribution Switch Stack Controller Controller Level 1 - Controller I/O Soft Starter MCC Level 0 - Process 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 154

136 Protect Critical Infrastructure: Through Network Segmentation Zone Definition 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

137 How TrustSec Simplifies Network Segmentation Traditional Segmentation TrustSec IDC Servers IDMZ Firewall / Switch Static ACL Routing Redundancy Factory Network Micro/Macro Segmentation Central Policy Provisioning Factory Network ISE DHCP Scope Address VACL Aggregation Layer No Topology Change No VLAN Change Policy VLAN Access Layer Access Layer Non-Compliant Machine Employee Supplier BYOD Machine Non-Compliant Employee Supplier BYOD Quarantine VLAN Machine VLAN Data VLAN Guest VLAN BYOD VLAN Employee Tag Machine VLAN Data VLAN Security Policy based on Topology High cost and complex maintenance Supplier Tag Non-Compliant Tag Use existing topology and automate security policy to reduce OpEx BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 156

138 Factory Device Segmentation Example Software-Defined Segmentation- TrustSec SF Operator SF Device SF Development Vendor/Con SF Operator SF Device SF Development Vendor/Con Switch automatically downloads all policies from ISE for only devices connected MES Server Data Center Historian SGACL Policy SF Operator SF Development DC FW TrustSec Policy (SGACL) configured and provisioned by ISE SF Device Factory FW ISE Vendor/Contactor Factory Backbone Shop Floor Device SW 2 (SGACL) SW 1 SF Operator SF Development SF Device Vendor/Contactor Engineering Workstation Vendor / Contractor BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 157

139 Factory Device Segmentation Example Software-Defined Segmentation- TrustSec SF Operator SF Device SF Development Vendor/Con SF Operator SF Device SF Development Vendor/Con Switch automatically downloads all policies from ISE for only devices connected MES Server Data Center Historian SGACL Policy SF Operator SF Development DC FW TrustSec Policy (SGACL) configured and provisioned by ISE SF Device Factory FW ISE Vendor/Contactor Factory Backbone Traffic filtered even in same VLAN Shop Floor Device SW 2 (SGACL) SW 1 SF Operator SF Development SF Device Vendor/Contactor Engineering Workstation Vendor / Contractor BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 158

140 Factory Data Access Control using TrustSec Software-Defined Segmentation- TrustSec ASA Firewall Policy MES Server Data Center Historian SF Operator SF Development SF Device MES MEServer MES Server Historian SW 2 Factory Backbone DC FW SW 1 Factory FW (SGFW) Access Privilege Authorization with Security Group ISE OS Type: Windows XP Embedded User: Frank AD Group: Shop Floor Device Group: Eng Workstation Security Group = Shop Flr Device OS Type: Windows 8.1 User: contractor123@acme.com AD Group: None Device Group: BYOD Laptop Security Group = Contractor Engineering Workstation Vendor / Contractor BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 159

141 Factory Data Access Control using TrustSec Software-Defined Segmentation- TrustSec ASA Firewall Policy MES Server Data Center Historian SF Operator SF Development SF Device MES MEServer MES Server Historian SW 2 Factory Backbone DC FW SW 1 Factory FW (SGFW) Access Privilege Authorization with Security Group ISE OS Type: Windows XP Embedded User: Frank AD Group: Shop Floor Device Group: Eng Workstation Security Group = Shop Flr Device OS Type: Windows 8.1 User: contractor123@acme.com AD Group: None Device Group: BYOD Laptop Security Group = Contractor Engineering Workstation Vendor / Contractor BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 160

142 Factory Data Access Control using TrustSec Software-Defined Segmentation- TrustSec ASA Firewall Policy MES Server Data Center Historian SF Operator SF Development SF Device MES MEServer MES Server Historian SW 2 Factory Backbone DC FW SW 1 Factory FW (SGFW) Access Privilege Authorization with Security Group ISE OS Type: Windows XP Embedded User: Frank AD Group: Shop Floor Device Group: Eng Workstation Security Group = Shop Flr Device OS Type: Windows 8.1 User: contractor123@acme.com AD Group: None Device Group: BYOD Laptop Security Group = Contractor Engineering Workstation Vendor / Contractor BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 161

143 Factory Data Access Control using TrustSec Software-Defined Segmentation- TrustSec ASA Firewall Policy MES Server Data Center Historian SF Operator SF Development SF Device MES MEServer MES Server Historian SW 2 Factory Backbone DC FW SW 1 Factory FW (SGFW) Access Privilege Authorization with Security Group ISE OS Type: Windows XP Embedded User: Frank AD Group: Shop Floor Device Group: Eng Workstation Security Group = Shop Flr Device OS Type: Windows 8.1 User: contractor123@acme.com AD Group: None Device Group: BYOD Laptop Security Group = Contractor Engineering Workstation Vendor / Contractor BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 162

144 Introduction into Data and Analytics: Insight Driven Operations

145 Data in Manufacturing - Two Distinct Viewpoints Manufacturing has always had Big Data. We have been collecting data with historians, and MES systems for decades. Big Data Analytics Selected data Manufacturing is an untapped market for Big Data. There is lots of data, lots of different types of data, and hardly any of it is being used for analysis today. Ethernet Switch Edge Compute Edge Compute Data with context & quality flag PLC Cisco Kinetic Data with modeling & logic applied I/O BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 164

146 Data Opportunities and Challenges in Manufacturing Opportunities Challenges Intelligence Improve quality and increase throughput Better insights into root cause of manufacturing issues Reduce machine failure and downtime Extreme composition of data require new approaches, infrastructure, and tools Data scientist nor business analysts required Little time to for refining data models, massaging analytical tools, and teasing out insight Need simple intuitive analytical tools and dashboards Lack of expertise derive algorithm to predictively models. BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 165

147 Can analytics system answer questions we didn t know to ask? Data Data and Analytics can bring together: Structured Time series Unstructured data Artificial intelligence (AI) based analytics on top these are the solutions answering unasked questions to drive real and unexpected value Big Data Data New Answers to Old Questions Old Answers to Old Questions New Answers to New Questions New Answers to Old Questions Analytics Analytics Machine Learning Analytics BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 166

148 Analytics Maturity Data into Action Data analytics applied to factory equipment and sensors can bring operational efficiencies and cost savings to manufacturing processes. Analytics Descriptive What happened? Human Input Required Data Diagnostic Why did it happen? Predictive What will happen? Decision Action Prescriptive What should I do? Decision Support Decision Automation BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 167

149 Data and Decision Time within the Purdue Model Level 5 Level 4 Planning Decision: Month/Year Business Systems Decision: Days/Weeks Network: Enterprise Network: Enterprise Level 3 Level 2 Level 1 Level 0 Manufacturing Operation Management Decision: Seconds/Minutes/Hours Network: Plant/Enterprise Equipment and Process Control Decision: Sub-second Network: Plant Sensors, Instrumentation, and Data Collection Decision: Sub-second Network: Plant Production Assets BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 168

150 Manufacturing Data Examples Data is characterized by huge data sets with varied data types, which can be classified as structured, realtime structured, or unstructured Real-Time Structured Data Sensors(vibration, pressure, value, and acoustics), Relays RFID Direct from PLCs, Motor and Drives Direct from motion controllers, robot arm Manufacturing historians(time series data structure) Unstructured Data Operator shift reports Machine logs Error logs Texts Vision Images Audio/Video Manufacturing collaboration social platforms Structured Data RDBMS database NoSQL Enterprise data warehouse Files stored in manufacturing PC Spreadsheets BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 169

151 Data Types and Sizes Manufacturing generate massive data files Limits the ability to store, analyze, and extract useful information from them using conventional methods. Extremely hard to even visualize the information in large data sets from various sources DATA TYPES Machine Parameters and error logs Machine events Defect images from vision equipment DATA SIZE (per week) ~5 GB per machine ~10 GB per machine ~50 GB per unit or 750 GB per lot EXAMPLES Used to monitor machine performance: dispense height, placement(x,y,z),belt speed, flow rate, over temperature, laser power, etc Used to measure process time: start dispense,end dispense, start setup, and end setup Used to identify root cause of failure modes, defect commonality, defect mapping BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 170

152 What problems are we solving for customers? Environmental Sensing Remote Visibility Efficiency through Process Automation Plant Hazard Awareness Pollution Security Condition Monitoring Preventive & Predictive Maintenance Asset Health Cost Reduction Efficiency Consistency Business Outcomes Business Outcomes Business Outcomes Safety Cost Avoidance Increased up time Compliance Reliability Faster and accurate decision BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 171

153 Plantwide Alarms & Alerts ZDT Other Analytics DSLink DSLink IoT Data Fabric MRP On Prem Analytics Wireless Location IE DSLink 4K w/ IOx IOx MES / Historian Energy Monitoring PLCs PLCs PLCs Vibration Monitoring Vibration Monitoring FANUC ZDT IE MTConnect 4K w/ IOx IOx CNC / Milling Interface Energy Monitoring Energy Reduction Asset Tracking Cisco Networking Manufacturing Visibility Equipment Health Cisco Intent-Based Networking Predictive Maintenance Connected Machine Plant Efficiency BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 174

154 Factory Wireless Autonomous Guided Vehicle(AGV) Roaming

155 Factory Wireless Use Cases Wireless tooling Monitoring hard-to-reach and restricted areas PLCs and automated guided vehicles (AGVs) Key Enabling IW3702 Features Seamless roaming at low to moderate speeds Supports prioritized PROFINET traffic for industrial applications PRP (Parallel Redundancy Protocol) over wireless for high resilience 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

156 Factory Wireless WGB Roaming Evolution Basic WGB roaming Fast WGB roaming PRP enhanced roaming Low to moderate speed Limited Scanning of channels High speed v BSS Fast Transition on WGB RSSI smoothing filter Optimized rateshifting algorithm Highest speed PRP over wireless Dual radios enables always-bestconnected Roaming coordination prevents two radios from roaming at the same time BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 178

157 Parallel Redundancy Protocol (PRP) over Wireless Wireless Network Without PRP PRP Enabled Wireless Network PRP RedBox PRP RedBox Data Frame Each data transmission goes through single radio path RF interference, hand off results in packet loss Data Frame PRP over wireless creates redundant radio path for data transmission Zero recovery time in event of temporary failure PRP is defined in the International Standard IEC and designed to provide hitless redundancy (zero recovery time after failures) in networks BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 179

158 PRP over Wireless Redundancy Options Dual WGBs, Dual Radios - WLC 8.4 Single WGB, Dual Radios - WLC 8.5 5GHz 5GHz WGB WGB 2.4GHz 5GHz PRP Switch as RedBox WGB as RedBox External PRP switch as RedBox (redundancy box) performs packet duplication/duplication discard function Application examples: Industrial automation and AGV applications WGB as RedBox (redundancy box) performs packet duplication/duplication discard function Application examples: Autonomous vehicles and straddle carriers and mission critical applications etc. BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 180

159 Roaming Coordination Gi1.51 VLAN 51 Gi1.51 AP1 AP2 WGB1 Direct Wired Connection or through a Switch WGB2 2.4GHz 5GHz WGB Gi0/2 Gi0/1 Switch WGB sends an indication to the other WGB indicating it wants to start roam Other WGB shall wait for 100ms (configurable) by default if it also needs to roam Once the roam event on the WGB is complete or if the timeout expires, the other WGB is free to roam BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 181

160 Sample Topology for Dual WGBs PRP Function 801 Data frame AP1 Data frame WGB1 Data frame SSID A (LAN_A) Aggregate Switch 801 Data frame 802 Data frame 5GHz SSID B (LAN_B) PRP Switch Data frame Data frame Data frame 802 5GHz PRP Switch AP2 Data frame WGB2 Data frame Client VLAN Data frame Data frame WLC Client VLAN Infrastructure Side Mobile Client Side Client VLAN: 800 LAN_A: 801 LAN_B: 802 Infrastructure Side An aggregate switch in the infrastructure side carries the duplicated packets APs in flex connect mode The APs transmits/receives the redundant data traffic over different SSIDs, tag with different VLANs Mobile Client Side Each WGB associates to different SSIDs and locates in different VLANs Roaming Coordination WGBs are connected to provide roaming coordination function, preventing both WGBs from roaming at the same time BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 182

161 Conclusion: Measure Twice, Cut Once Availability / Resiliency / Performance Protocol Awareness (Prioritize and Protect) Wireless: Capacity and Access Holistic Security: Threat Centric Approach (Discover, Detect and Remediate) Asset Tracking and Network Management Energy Source (Battery? PoE?) Virtual vs. Physical (e.g. ownership and policies) Traffic Patterns Beyond Local System (WAN, Cloud, Uni/Bi-Directional) Data Aggregation and Storage (Local, Remote, Transit) Day-2 Support Model (Enable your Successor) BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 184

162 Recommended Resources Reference Architectures Websites Design Zone Industry Solutions Whitepapers Top 10 Recommendations for Plant-wide EtherNet/IP Deployments Securing Manufacturing Computer and Controller Assets Achieving Secure Remote Access to plant-floor Applications and Data Design Considerations for Securing Industrial Automation and Control System Networks For your reference BRKIOT Cisco and/or its affiliates. All rights reserved. Cisco Public 185

163 Q & A 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

164 Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot#brkiot Cisco and/or its affiliates. All rights reserved. Cisco Public

165 Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt All surveys can be completed via the Cisco Live Mobile App or the Communication Stations Complete Your Online Session Evaluation Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at Cisco and/or its affiliates. All rights reserved. Cisco Public