2/15/2016 Automation Basics: Network design fundamentals for the connected world ISA
https://www.isa.org/intech/201504basics/ 1/4
Gateway physical segmentation example: two NICs for network segmentation.
Network design fundamentals for the connected world
By Dan McGrath, P.E.
The benefits of converging industrial and information networks with a validated secure architecture based on standard Internet Protocol (IP) technologies are well established. The benefits include greater connectivity and integration across plants, easier data sharing across the enterprise, and better visibility into real-time operations.
Bringing together information technology (IT) and operations technology (OT) networks is complex because of the gray area between IT and OT roles and responsibilities within the company. IT and OT professionals must have a common understanding of a host of techniques and technologies to overcome this complexity and establish a converged infrastructure that is secure and manageable by all critical stakeholders.
The techniques and technologies used in network design can be simplified by leveraging the ISA/IEC 62443 Zones and Conduits Model developed by the ISA99 committee. The three design areas are:
cell or area zone
production site operations
enterprise zone integration
Designing for the cell or area zone
Several considerations must be made to ensure the network infrastructure addresses your data, security, and availability requirements at the cell or area network level. Machines and process skids are seeing high growth in number and criticality of IP connections. One of those considerations should be logical segmentation, which is the process of dividing end points into subnets and virtual local area networks (VLANs). A key recommendation for industrial networks is to create smaller layer 2 networks to improve performance, with a maximum of 200 devices within a zone or VLAN.
About the Author
Dan McGrath, P.E., solutions manager for Panduit, helps lead Industrial IP Advantage, which is a coalition launched by Panduit, Cisco, and Rockwell Automation promoting standard, unmodified Ethernet and Internet protocols for industrial applications. McGrath has more than 25 years of experience in automation and industrial networking for global manufacturing operations. He holds a B.S. degree in electrical engineering and has attained professional engineer and ASQ certified quality engineer certifications. For more information and educational resources, visit www.industrialip.org.
VLAN spanning multiple switches
Segmentation allows for smaller layer 2 domains, which helps constrain broadcast and multicast traffic. It also helps manage the network's real-time communication properties and supports the network's traffic-flow requirements. With segmentation, manufacturers and industrial operators can meet their security requirements by limiting remote expert or original equipment manufacturer network access to only specified machines.
Organizations often accomplish physical segmentation within the cell/area zone network by using separate cabling and switches. This common approach in Ethernet networks can become a hindrance to network performance if not properly planned. For example, physically separating input/output (I/O) and human-machine interface traffic without connecting the I/O traffic to an interconnected layer 3 switch can limit overall connectivity and even cause delays. Networks should, at a minimum, be connected to a layer 2 or layer 3 switch, rather than a controller, to interconnect.
VLANs are a very effective way to execute segmentation: specifically, for segmenting different traffic types—industrial and non-industrial—as well as creating smaller layer 2 networks. Establish VLANs in a one-to-one relationship with subnets to make routing easier and more straightforward. Devices on a single VLAN are typically assigned IP addresses from the same subnet, and they do not require a layer 3 switch or router to communicate among each other within the VLAN. Using a layer 3 switch or managed switches with layer 2/3 functionality allows communication between VLANs. A management VLAN should be established for management across multiple cell/area zones.
Additionally, using structured cabling for inter-switch links and more critical runs in your cell/area zone is a best practice network design approach. Point-to-point cabling is the norm for connecting endpoint devices in close proximity. However, more critical connections can benefit from using industry standards designed to ensure a testable, scalable infrastructure. A structured cabling approach has better organization and testability with patching fields, permanent links, and patch cords that are validated as a high-performance system for rising data rates and high availability. Structured cabling built on TIA-1005 or ENXXX standards has the bandwidth and noise immunity for challenging cell or area zone deployments to ensure uptime.
Designing for production site operations
The Internet of Things (IoT) has created an explosion of smart IP-enabled devices that were not traditionally connected to the network. This has created an opportunity to deploy a more flexible architecture with mobile access to data and connectivity within the production environment. Wireless network technology is one of the key enablers for realizing the value of IoT. Wireless technology offers new capabilities, such as "bring your own device" and wireless security cameras, to protect assets and lower installation and operational costs.
Wireless local area networks are significantly different from wired LANs, and they should be designed for your security, reliability, bandwidth, and throughput requirements. For example, Wi-Fi Protected Access 2 with Advanced Encryption Standard encryption is the only mechanism recommended for control and automation wireless applications, and it should be used in combination with other security methods, such as pre-shared key authentication.
Wireless channel packet rates should be limited to 2,200 packets per second to help avoid packet delays, and they should be reduced in areas that experience interference and radio-frequency issues. Also, avoid the more heavily used 2.4-GHz band for industrial control applications because you may encounter interference. The 5-GHz band provides dedicated bandwidth and less interference. Conducting a site survey will also help you identify and curtail other potential interference within a production environment.
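One way to check a planned VLAN layout against the one-to-one VLAN-to-subnet guidance above and the 200-device limit from the cell/area zone section, as an added Python example that is not part of the article or of any vendor's tooling (SAMPLE_PLAN is constructed data, and reserving three addresses per subnet for network, broadcast and gateway is an assumption):

```python
"""Check a cell/area-zone VLAN plan against the segmentation guidance.
Added example, not code from the article. SAMPLE_PLAN is constructed data.
"""
import ipaddress
from collections import Counter

MAX_DEVICES_PER_VLAN = 200  # article: at most 200 devices within a zone or VLAN

# Constructed sample plan: (vlan_id, name, subnet, planned_device_count)
SAMPLE_PLAN = [
    (10, "cell1-io", "10.10.10.0/24", 120),
    (11, "cell1-hmi", "10.10.11.0/24", 15),
    (12, "cell2-io", "10.10.12.0/24", 240),    # too many devices for one VLAN
    (13, "cell2-hmi", "10.10.12.128/25", 8),   # overlaps VLAN 12's subnet
    (14, "skid-a", "10.10.14.0/28", 20),       # /28 only fits 13 devices + gateway
    (14, "skid-a-dup", "10.10.15.0/24", 5),    # VLAN id reused: not one-to-one
    (99, "mgmt", "10.10.99.0/24", 30),         # management VLAN spanning zones
]


def validate_plan(plan):
    """Return a list of findings; an empty list means the plan passes every check."""
    findings = []
    vlan_use = Counter(vlan for vlan, _, _, _ in plan)
    seen = []  # (vlan_id, ip_network) already processed, for overlap checks
    for vlan, name, subnet, devices in plan:
        net = ipaddress.ip_network(subnet, strict=True)
        tag = f"VLAN {vlan} ({name})"
        if vlan_use[vlan] > 1:
            findings.append(f"{tag}: VLAN id used by more than one subnet")
        if devices > MAX_DEVICES_PER_VLAN:
            findings.append(f"{tag}: {devices} devices exceeds {MAX_DEVICES_PER_VLAN}")
        # Assumption: network and broadcast addresses are unusable and one
        # more address is reserved for the layer 3 gateway of the VLAN.
        room = net.num_addresses - 3
        if devices > room:
            findings.append(f"{tag}: {subnet} fits {room} devices plus gateway, {devices} planned")
        for other_vlan, other_net in seen:
            if net.overlaps(other_net):
                findings.append(f"{tag}: {subnet} overlaps VLAN {other_vlan} ({other_net})")
        seen.append((vlan, net))
    return findings


if __name__ == "__main__":
    for finding in validate_plan(SAMPLE_PLAN):
        print(finding)
```

Run against the constructed plan, the check reports the oversized VLAN 12, the overlap between VLAN 12 and VLAN 13, the undersized /28, and the reused VLAN id 14.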
Virtualization is another key network technology in the connected industrial enterprise. Virtualization breaks the previously unbreakable link between hardware and software, so you can keep industrial applications running beyond the life cycle of their hardware. Virtualization also abandons the traditional one-to-one approach, meaning multiple applications and operating systems can run from a single server.
Important considerations when designing a virtual environment include your applications' RAM, CPU, and disk I/O requirements, as well as how many applications will be deployed in the virtual environment and the kind of network switching. Take into account your current needs, but also design for growth in the next five to 10 years.
You can engineer and build a virtualized system from scratch, but this approach can be costly and time consuming. You will need to purchase equipment from multiple vendors and spend weeks assembling, installing, and testing the system. An alternative approach is to purchase a bundled virtualization system with preassembled, tested, and validated hardware. Bundled systems also often come with support services, including on-site configuration and integration, which can shave days or even weeks off the deployment process compared to the build-from-scratch approach.
Keep in mind, however, that bundled virtualization systems are produced for a range of industries. It is important to select a system that is custom built for the demands of the industrial environment.
Enterprise integration
A truly converged IT and OT network architecture achieves seamless integration both horizontally, across multiple sites, and vertically, from the shop floor to the top floor. Doing this requires an understanding of the key techniques that bridge the gap between historically separate networks.
Using fully standard IP networks throughout the architecture, such as EtherNet/IP for automation communication, eases future application design. Only an IP-centric network infrastructure can help you better use the Internet of Things—which is the proliferation of connected industrial and commercial devices—because it is a unified digital communications fabric on which these IP-enabled devices can talk to each other. A fully standard IP network means your network design is more future proof and can deploy new services or applications without specialized gateways or communication stacks that create integration challenges.
Cloud computing also helps integrate the enterprise. Moving data centers to the cloud simplifies implementation and maintenance, reduces costs, and improves an organization's agility. However, the cloud still requires a robust physical infrastructure. Factoring in important design considerations—such as deciding what kind of cloud you will use and identifying your bandwidth and cabling requirements—will help you make the most of your cloud investment.
Enterprise integration also cannot occur without considering security. Given the expansion of the network fabric, increased access to sensitive data, and the breadth of cybersecurity threats, designing in multiple layers of protection should be considered a security best practice. This "defense-in-depth" approach builds a system of safeguards for both digital and physical security, putting multiple security measures in place to counter each individual threat.
Digital security measures include device authentication according to the 802.1X standard, policies that ensure the most recent antivirus updates and security patches are installed, monitoring key network statistics and log files for signs of intrusion, configuring network switches to manage traffic and access, and tightly controlling software used for remote access.
Physical security includes pass codes and access cards to limit personnel access to rooms and connected machines. USB block-outs help prevent unauthorized network access, the removal of sensitive information, and the threat of spreading a virus. Lock-in/block-out devices can prevent unwanted plugging and unplugging for copper and fiber connections.
Lastly, an industrial demilitarized zone can be a crucial barrier of protection between the enterprise and industrial zones. It serves as a choke point for all traffic between zones and can help better manage access, such as with authentication enforcement or by monitoring traffic for known threats.