ABCs OF INDUSTRIAL NETWORKS FINDING THE RIGHT SOLUTION
HORIZON SOLUTIONS, A REXEL BANNER Page 2

The ABCs of Industrial Networking
Decoding Jargon and Learning Key Concepts

The world has become more connected and more information-driven, and manufacturing is no exception. Industrial networks are a means to transfer data on a large scale, connecting many kinds of devices. These networks are integral to plant-wide communication between computers and machines, across large spaces, and throughout your organization.

As important as a sound industrial network architecture is to modern manufacturing, finding the right solutions can be a challenge. This eBook is designed to demystify much of the jargon around industrial networking and to provide information and advice. In the first part of this book, we break down the many acronyms that make up networks. The subsequent sections consist of a series of articles tackling key industrial network topics.
REXELUSA.COM Page 3

Finding the Right Solutions

Breaking Down the Acronyms – Page 05
Getting to Know Ethernet/IP Basics – Page 08
Increase Efficiency with DHCP – Page 10
NAT Makes Operations More Effective – Page 12
Reduce Network Noise with a VLAN – Page 14
What is Converged Plantwide Ethernet? – Page 18
Networking with Ring Topology – Page 20
6 Parts of a Secure Industrial Network – Page 24
What is CIP Security? – Page 26
Networking with Remote Connectivity – Page 28
Collect Data with HMI and SCADA – Page 30
What is FactoryTalk? – Page 34
Networking & Security Solutions from Horizon Solutions, a Rexel Company – Page 36
Breaking Down the Acronyms

With so many combinations of capital letters out there, networking manuals can look more like alphabet soup than instructions. The following list is not comprehensive, but it does cover the acronyms you're likely to see as you build your industrial network.

CIP (Common Industrial Protocol) – An open industrial protocol governed by the ODVA (Open DeviceNet Vendors Association). There are subsets of the CIP protocol standards: CIP Sync, CIP Safety, CIP Motion, CIP Energy, and, most recently, CIP Security.

CPwE (Converged Plantwide Ethernet) – Developed by Rockwell Automation® and Cisco®, CPwE globalizes operations, standardizes devices, normalizes network processes, and closely integrates IT/OT with existing automation systems.

CVD (Cisco Validated Design) – A foundation for system design based on common use cases or engineering system priorities, incorporating a broad set of technologies, features, and applications.

DCS (Distributed Control System) – A computerized control system for a process or plant in which autonomous controllers are distributed throughout the plant without a central operator supervisory control. A DCS increases reliability while reducing installation costs.

DH+ (Data Highway Plus) – A local area network designed to support remote programming and messaging between computers and controllers for factory-floor applications.

DHCP (Dynamic Host Configuration Protocol) – A network management protocol for Internet Protocol (IP) networks. A DHCP server dynamically assigns an IP address and other configuration parameters to devices on the network, allowing them to communicate with other IP networks.

DiD (Defense in Depth) – An information security concept consisting of multiple layers of security controls (defenses) placed throughout an IT system. The goal is to provide redundancy should one layer fail.

DLR (Device Level Ring) – A type of ring topology. DLR allows automation devices to be placed in a ring with a convergence time of fewer than three milliseconds, eliminating lag time.

DMZ (Demilitarized Zone) – An additional security layer, a DMZ is a physical or logical subnetwork that contains and exposes a company's external-facing services to an untrusted network (e.g., the Internet).

DTLS (Datagram Transport Layer Security) – A communications protocol that prevents eavesdropping, tampering, and message forgery. It is based on the TLS protocol (see below) and is intended to provide similar guarantees for datagram (UDP) traffic.

HMI (Human Machine Interface) – An HMI allows users to communicate with the systems they oversee, typically involving physical input hardware (e.g., a keyboard) and output hardware (e.g., a computer monitor).
IACS (Industrial Automation and Control Systems) – A collection of control systems, networks, SCADA systems (see below), and other systems that can affect or influence the secure, reliable operation of industrial processes. [Also known as ICS (Industrial Control System)]

IIoT (Industrial Internet of Things) – Interconnected instruments, sensors, and other networked devices that allow data collection, exchange, and analysis. IIoT has the potential to facilitate improvements in productivity and efficiency.

IP (Internet Protocol) – IP is the principal communications protocol for relaying datagrams across network boundaries, enabling internetworking. Its routing function essentially establishes the Internet.

LAN (Local Area Network) – A computer network in a limited area, interconnecting computers within a residence, facility, or organization.

LLC (Logical Link Control) – The upper sublayer of the data link layer of the OSI model (see below), interfacing between the MAC sublayer (see below) and the network layer.

MAC (Medium Access Control) – A sublayer that controls the hardware responsible for interaction with the optical, wired, or wireless transmission medium. The MAC and the LLC together make up the data link layer. [Also known as Media Access Control]

NAT (Network Address Translation) – NAT is a feature that takes one IP address on the plant-network side (which the NAT table labels "public", typically 10.10.10.X) and converts it to a private machine-level IP address (192.168.1.X).

OSI Model (Open Systems Interconnection Model) – A conceptual model for characterizing and standardizing the communication functions of computing or telecommunication systems so that diverse communication systems can interoperate.

PLC (Programmable Logic Controller) – PLCs are industrial digital computers, ruggedized and adapted for manufacturing process control. They can be designed in many arrangements, including digital and analog I/O (input/output).

PRP (Parallel Redundancy Protocol) – Providing seamless failover against failure, PRP is a network protocol standard for Ethernet. The redundancy it provides is invisible to the application, and PRP can be implemented entirely in software.

REP (Resilient Ethernet Protocol) – A type of ring topology. REP is a Cisco proprietary protocol that provides a way to control loops, handle failures, and improve convergence time (typically 15 ms).

RPI (Requested Packet Interval) – The RPI is the period at which data updates over a connection. It is generally measured in milliseconds.

SCADA (Supervisory Control and Data Acquisition) – A control system architecture for process management and operation. SCADA is a hardware and software system that allows users to control processes, gather data, interact with devices, and more.
TCP (Transmission Control Protocol) – One of the main protocols of the Internet protocol suite, TCP provides ordered, reliable, and error-checked delivery of a stream of bytes between applications. [The suite as a whole is commonly referred to as TCP/IP]

TLS (Transport Layer Security) – A cryptographic protocol providing communications security over a computer network. TLS is what secures communications between web servers and browsers, and the same protocol can secure other traffic.

VLAN (Virtual Local Area Network) – A LAN is a local area network. The "virtual" component allows a group of Ethernet devices (a subnet) to be physically separated across many Ethernet switches while communicating as if they were all connected to the same physical Ethernet switch.

VPN (Virtual Private Network) – An encrypted connection over the Internet from a device to a network, ensuring that sensitive data is transmitted safely. A VPN can prevent unauthorized eavesdropping while allowing the user to work remotely.

WAN (Wide Area Network) – A WAN is a larger network with Internet access and connections to numerous LANs. An example of a WAN is the network provided to you by your Internet Service Provider (ISP).

What these acronyms mean is less important than what they can do for your facility. We've identified and written articles about some of the more important acronyms and concepts for networking in manufacturing and industrial settings. The following sections are designed to help you find the right industrial networking solutions for your facility.
Getting to Know Ethernet/IP Basics

Industrial Networking Basics (Q & A)

We field a lot of questions about Ethernet/IP basics. Here is an example.

Question: Can I connect my Ethernet device to this Rockwell Automation controller?

Answer: Does it support the Ethernet/IP protocol? That's a very important question.

Ethernet/IP Protocol

So, what is the Ethernet/IP protocol? In simple terms, think of the network as a transport mechanism, be it a phone line (now called POTS, Plain Old Telephone Service), serial twisted pair, Ethernet, or some other physical layer, and the protocol as the language used on that network. For example, it is possible to pick up your telephone and dial Tokyo. What happens? The call is received because the networks are compatible. You hear "Moshi Moshi" come across the earpiece. What does that mean? I don't know, I do not speak Japanese. [Roughly translated: "Hello," it's the common way to answer the phone in Japan.] The same thing happens on Ethernet. The transport mechanism, TCP/IP, is the standard for Ethernet devices like printers, bar-code readers, computers, COTS (Commercial Off the Shelf) technologies, Rockwell Automation Ethernet products, and a host of other devices. For our Tokyo example:

⏹ The phone line is analogous to the TCP/IP network.
⏹ The language translation is analogous to communication via CIP.
⏹ If your device supports the Ethernet/IP protocol, it speaks both English and Japanese.

Make sense? Ethernet/IP is an important element for any automated process running on an industrial network.

Ethernet/IP Open Protocol

Ethernet/IP is an open protocol, meaning anyone can download the specifications and develop a product that is Ethernet/IP compatible. The protocol is managed by ODVA. To be more specific and accurate, Ethernet/IP is actually the network name, and the underlying protocol is CIP, which is media independent. Without getting too deep, CIP resides in the application layer of the TCP/IP communication stack. The same application layer protocol can reside on ControlNet™ and DeviceNet™ as well, even though they are not TCP/IP. The advantage of the common application layer is the ability to bridge between the different transport technologies without gateways or protocol converters: data is transparently routed across those networks. So, if the device is Ethernet/IP compatible, not only will it be happy on the network (TCP/IP), but it will also be able to communicate (CIP).

What if your device does not speak Ethernet/IP? What can you do? Rockwell Automation controllers support TCP/IP sockets, which is a message-based communications protocol. It is much more involved than the plug-and-play nature of Ethernet/IP. And now you know the Ethernet/IP basics.
Increase Efficiency with DHCP

Dynamic Host Configuration Protocol

When you walk into your house, your phone, tablets, and laptops automatically connect to your WiFi without your having to set an IP address. That automatic connection is DHCP at work. In today's world, just about every device we own is somehow able to connect to the Internet. Without DHCP, you would have to manually set the IP address of every device before it could connect to your network. This process is very similar to configuring your PLC, PowerFlex®, or Kinetix® drives.

A DHCP server has a pool of IP addresses that it can assign to a DHCP client. The process is quite simple:

1. A DHCP-enabled client (PowerFlex drives, Logix PLCs) sends a signal requesting an IP address
2. The DHCP server receives the request and leases out an available IP address from the pool
3. The DHCP client receives the leased IP address and sends an acceptance signal back to the server
4. The DHCP client is now connected to the network

While this process is incredibly useful in commercial settings, it doesn't particularly help us in the world of industrial automation.

What DHCP Means for Industrial Users

DHCP is another way to improve efficiency in industrial settings, and with it the efficiency of the plant overall. There are two more specific ways to look at efficiency:

⏹ The amount of time and effort it takes engineering and IT departments to set up networks and connect equipment properly
⏹ The amount of time and effort, plus the average chance of failure, involved with ongoing plant floor maintenance

When you are designing and building machinery, you will need to integrate componentry into networks, and there are various ways to set a network IP address. You could use RSLinx® software, another programming software, or DHCP. Which of these is most efficient? It depends. Designers have some variables to consider when making this decision: How isolated or integrated is this network? How extensive is this network? What are the required and relevant IT and company policies and procedures for this plant floor network?

Let's consider isolated networks and/or large networks. It can be more convenient and efficient to use a DHCP server rather than the programming software or RSLinx software, and this typically results in a more efficient installation. But that is just start-up. Maintenance may be more challenging since the devices will have an IP address from a pool of addresses.

CPwE and DHCP

You should be aware of the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide. This document gives recommendations for using both DHCP and static IP addressing. While DHCP can be more efficient at start-up, there are considerations for troubleshooting, maintenance, and security. Using a mix of DHCP persistence and statically set IP addresses is typically a best practice and often our recommendation.

Having static IP addresses for your PLC, drives, and other Ethernet-enabled devices is critical for communications and operations. For example, when you create a Logix program, your drives must have an IP address to which the PLC can send messages. If we were to use plain DHCP, the IP addresses of the drives could be different every time, and therefore the PLC and drives would not communicate with one another. However, by using DHCP Persistence in a Stratix® 5700 switch, this issue can be resolved.

It's Good to Be Persistent

DHCP Persistence is a process in which you statically assign an IP address to a port on a switch. For example, Port 4 will be given an IP address of 192.168.1.54 with DHCP Persistence. Any DHCP-enabled device that is connected to Port 4 will receive the IP address 192.168.1.54. When used in conjunction with ADC (Automatic Device Configuration) enabled devices such as an IO-Link Master or PowerFlex drives, a true plug-and-play environment can be created.

Remember, DHCP is a client/server protocol that automatically provides an Internet Protocol (IP) host with its IP address and other related configuration information such as the subnet mask and default gateway.
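The following Python model, added here as an illustration and not taken from the eBook or from any Rockwell Automation or Cisco product, contrasts the pool-based lease process described above with port-based DHCP Persistence. It plays through the scenario the text warns about: a drive fails and is replaced, and the question is whether the PLC's message target still points at the new drive. All MAC addresses, switch ports and IP addresses in it are constructed.

```python
"""Simplified DHCP pool versus per-port DHCP Persistence (added example).

Illustrative code written for this page, not the eBook's own code and not the
behaviour of any Rockwell Automation or Cisco product. It models the four-step
lease process described above and the port-based assignment of DHCP
Persistence, to show why a PLC's message targets stay stable only in the
second case. All MAC addresses, ports and IP addresses are constructed.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Tuple


class DhcpPool:
    """Plain DHCP server: leases the lowest free address in its pool."""

    def __init__(self, network: str, first_host: int, last_host: int) -> None:
        base = IPv4Network(network).network_address
        self.addresses = [base + i for i in range(first_host, last_host + 1)]
        self.leases: Dict[str, IPv4Address] = {}  # client MAC -> leased IP

    def request(self, mac: str) -> IPv4Address:
        """Steps 1-3: client requests, server leases a free address, client accepts."""
        if mac in self.leases:                     # renewing client keeps its lease
            return self.leases[mac]
        in_use = set(self.leases.values())
        for addr in self.addresses:
            if addr not in in_use:
                self.leases[mac] = addr
                return addr
        raise RuntimeError("DHCP pool exhausted")

    def release(self, mac: str) -> None:
        """A device is removed; its address goes back to the pool."""
        self.leases.pop(mac, None)


class PersistentSwitch:
    """DHCP Persistence: the switch port, not the client, determines the address."""

    def __init__(self, port_to_ip: Dict[int, str]) -> None:
        self.port_to_ip = {port: IPv4Address(ip) for port, ip in port_to_ip.items()}

    def request(self, port: int, mac: str) -> IPv4Address:
        # The MAC is deliberately ignored: whatever is plugged into this port
        # receives the port's address, so a replacement drive comes up where
        # the PLC expects it.
        if port not in self.port_to_ip:
            raise KeyError(f"port {port} has no persistent DHCP assignment")
        return self.port_to_ip[port]


DRIVE_A = "00:00:bc:00:00:01"        # constructed MAC of the original drive
DRIVE_A_SPARE = "00:00:bc:00:00:02"  # constructed MAC of its replacement
OTHER_1 = "00:00:bc:00:00:03"        # constructed MACs of unrelated devices
OTHER_2 = "00:00:bc:00:00:04"


def drive_replacement(persistent: bool) -> Tuple[str, str]:
    """Return (address of the drive before failure, address of its replacement).

    The PLC's program targets the first address; the two agree only when the
    address is bound to the switch port rather than handed out from a pool.
    """
    if persistent:
        switch = PersistentSwitch({4: "192.168.1.54", 5: "192.168.1.55"})
        before = switch.request(4, DRIVE_A)
        after = switch.request(4, DRIVE_A_SPARE)
        return str(before), str(after)

    pool = DhcpPool("192.168.1.0/24", first_host=50, last_host=60)
    before = pool.request(DRIVE_A)       # drive A leases .50
    pool.request(OTHER_1)                # another device leases .51
    pool.release(DRIVE_A)                # drive A fails and is unplugged
    pool.request(OTHER_2)                # a new device comes online and takes .50
    after = pool.request(DRIVE_A_SPARE)  # the spare drive lands on .52
    return str(before), str(after)


if __name__ == "__main__":
    for mode in (False, True):
        old, new = drive_replacement(mode)
        print(f"persistence={mode}: PLC targets {old}, replacement drive got {new}")
```

Run it and the pool case returns two different addresses (the PLC's messages would now go to the wrong device), while the persistent case returns the same address twice; this is the behaviour that makes persistence plus static addressing the usual recommendation.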
NAT Makes Operations More Effective

Network Address Translation

NAT brings value to both OEMs and manufacturers of all kinds. Simply put, NAT is a feature that takes one IP address (typically a "public" plant-network address such as 10.10.10.X) and converts it to a private machine-level IP address (192.168.1.X). The configuration is as easy as filling out a small table. Using this feature, the IP address convention can be the same for all your machines on the private/machine level while each machine maintains a separate IP address on the public plant network. See the figure on page 13 from Rockwell Automation for more information.

The Real World Importance of NAT

So how does this help OEMs and manufacturers? From an OEM standpoint, you can set the IP addresses of the PLC, drives, distributed I/O (input/output), etc. however you want. Simply fill out the public side of the NAT table with the IP addresses that your customer provides. This also means that if your customer needs to change the IP addresses of the devices on your machine, you won't need to go to each device and manually change them. Edit the public side of the NAT table, and call it a day.

From a manufacturer's point of view, NAT is a great way to hide certain parts of a machine from the plant network. In other words, by using one entry in the NAT table, only the PLC will be visible on the plant network and not the other devices on the machine. This is a great way to easily collect data from a PLC without reconfiguring multiple IP addresses.

The network address translation feature can be found in certain models of the Stratix 5700 switch and in the 1783-NATR device. The product documentation (PDF) for each shows exact hardware specifications like the number of ports, CIP compatibility, and NAT compatibility.
Pictured: NAT configuration example (© Rockwell Automation).
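To make the "small table" concrete, here is a Python model of a 1:1 NAT table, added as an illustration; it is not the eBook's code and not the firmware of the Stratix 5700 or 1783-NATR. It shows the two things the text relies on: a single row exposes only the PLC while the rest of the machine stays invisible from the plant, and re-addressing the plant means editing only the public column. Packets are reduced to (source, destination) pairs and every address is constructed.

```python
"""1:1 NAT table as described above (added example, not vendor code).

Illustrative model written for this page, not the firmware of a Stratix 5700
or 1783-NATR. Machine-side ("private") addresses are the OEM's; the plant-side
("public") column is filled from the customer's address plan. Packets are
modelled as (source, destination) pairs; all addresses are constructed.
"""
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

Packet = Tuple[str, str]  # (source IP, destination IP)


class NatTable:
    def __init__(self, private_to_public: Dict[str, str]) -> None:
        self.entries: Dict[IPv4Address, IPv4Address] = {}
        for private_ip, public_ip in private_to_public.items():
            self.add(private_ip, public_ip)

    def add(self, private_ip: str, public_ip: str) -> None:
        """One row of the table: one machine device gets one plant address."""
        pub = IPv4Address(public_ip)
        if pub in self.entries.values():
            raise ValueError(f"{public_ip} is already used by another entry")
        self.entries[IPv4Address(private_ip)] = pub

    def set_public(self, private_ip: str, new_public_ip: str) -> None:
        """Customer re-addressed the plant: edit only the public column."""
        priv = IPv4Address(private_ip)
        if priv not in self.entries:
            raise KeyError(f"{private_ip} has no NAT entry")
        del self.entries[priv]
        self.add(private_ip, new_public_ip)

    def outbound(self, packet: Packet) -> Optional[Packet]:
        """Machine -> plant: rewrite the source address, or drop if untranslated."""
        src, dst = IPv4Address(packet[0]), IPv4Address(packet[1])
        if src not in self.entries:
            return None  # hidden device: its traffic never appears on the plant side
        return str(self.entries[src]), str(dst)

    def inbound(self, packet: Packet) -> Optional[Packet]:
        """Plant -> machine: rewrite the destination address, or drop if unknown."""
        src, dst = IPv4Address(packet[0]), IPv4Address(packet[1])
        for private_ip, public_ip in self.entries.items():
            if public_ip == dst:
                return str(src), str(private_ip)
        return None  # no row for this plant address: the device is invisible


def visible_from_plant(table: NatTable, machine_devices: List[str]) -> List[str]:
    """Which machine devices a plant-network host can reach through this NAT."""
    return [ip for ip in machine_devices if IPv4Address(ip) in table.entries]


if __name__ == "__main__":
    # One row only: the PLC is exposed, the drive and I/O stay hidden.
    table = NatTable({"192.168.1.10": "10.10.10.41"})
    machine = ["192.168.1.10", "192.168.1.20", "192.168.1.30"]
    print("reachable from plant:", visible_from_plant(table, machine))
    print("HMI -> PLC:", table.inbound(("10.10.10.5", "10.10.10.41")))
    print("HMI -> drive:", table.inbound(("10.10.10.5", "10.10.10.42")))
    table.set_public("192.168.1.10", "10.20.30.41")  # customer changes plant addressing
    print("after re-addressing:", table.outbound(("192.168.1.10", "10.20.30.5")))
```

The uniqueness check in `add` is the one thing worth carrying over to a real deployment: two machines translated onto the same plant address is the classic cause of intermittent loss of communication after a copy-and-paste NAT configuration.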
Reduce Network Noise with a VLAN

What is a VLAN?

It stands for virtual local area network. Most people have heard of a LAN (local area network), a network you may have in your home to connect your laptops, cell phones, etc. Every device is part of the same LAN, also referred to as a network or subnet. The network traffic is typically handled by a single device that performs several functions: wireless access point, Internet router, NAT, and Ethernet switch.

What do VLANs do?

The obvious question becomes: what does this "virtual" adjective mean? In a nutshell, VLANs allow a group of Ethernet devices (a subnet) to be physically separated across many Ethernet switches while communicating as if they were all connected to the same physical Ethernet switch. In the example on page 14, the three VLANs have devices located on separate floors. For the engineering computers to be on the same network across multiple building floors, VLANs are used to isolate this traffic from the marketing and accounting computers.

Devices in different VLANs cannot communicate when using only layer 2 switches. Layer 2 devices only inspect the destination MAC addresses of Ethernet frames, and a MAC address is tied to a physical piece of hardware. In other words, a layer 2 switch allows devices in the same VLAN or subnet to communicate; VLAN-to-VLAN communication will not be permitted with just a layer 2 switch. Keep in mind that modern Ethernet switches often blur the lines between layer 2 and layer 3 capabilities.

You may be thinking: OK, so VLANs allow physical separation and a virtual LAN to work over several Ethernet switches. That's all great, but I can do that by placing all devices on the same LAN. What are the benefits? Summed up, the question is: why not create one large subnet instead of smaller VLANs or LANs?

A single subnet is simple to understand and implement but creates problems as the network grows. Creating smaller subnets limits the broadcast domain traffic. Think of broadcast traffic as one device making an announcement to the rest of the devices in the network, like a person speaking to a large audience, except that in networking every device can talk simultaneously. As more devices are added to a subnet, the noise, or broadcast traffic, increases. This may cause more latency and cause devices to repeat messages. When creating smaller subnets, devices that need to communicate regularly are placed on the same VLAN or subnet. For example, a PLC and its distributed I/O, drives, etc. would be placed on the same VLAN due to the high bandwidth, multicast traffic, and fast messaging demands. Other devices that seldom require connecting to a PLC or drive would be placed in a separate VLAN.

InterVLAN ROUTING

Now, you may be thinking: I understand that smaller VLANs or subnets are suitable for separating broadcast domains, but what happens when devices in different VLANs need to communicate? A device called a router handles requests for devices to communicate when they do not belong to the same VLAN. This function is called interVLAN routing. The router has an IP address programmed on each of its connected VLAN networks, and this IP address will typically be the default gateway address for each device on that network. The router performs the layer 3 function of inspecting the destination IP address, subnet, and VLAN. Based on the router's information about connected networks and routes, it forwards packets appropriately.

1:1:1 RELATIONSHIP

A best practice is to have your subnet, broadcast domain, and VLAN relationship all be the same. That's why these terms are interchanged frequently. They are not required to be the same, but industry standards have made it this way over time. So, don't make them different.

ADDITIONAL BENEFITS

Devices with single Ethernet interfaces like CompactLogix™ 5370 controllers can communicate with local I/O devices and with higher-level software on other networks when using VLANs and routing. Access to all devices is possible, unlike physical segmentation such as a CIP bridge with two Ethernet cards in ControlLogix® controllers (see an example below). Modern network design with small VLANs and routing allows fewer network interface cards while maintaining segmentation. Segmentation is logically controlled: because VLANs cannot communicate inherently without assistance from layer 3 devices, rules can be created for which devices and VLANs may communicate.

CPwE

You can learn more about network architecture and get recommendations for network architectures proven to perform in the industrial controls network from Cisco and Rockwell Automation.
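The layer 2 versus layer 3 behaviour described in this section, together with the 1:1:1 rule, can be checked with a small model. The Python below is an added illustration written for this page, not the eBook's code and not a switch or router implementation: a layer 2 switch forwards only within a VLAN, a router forwards between VLANs on which it has an interface (that interface being the default gateway), and a checker flags configurations where one subnet is spread across several VLANs. The plant in it (PLC, I/O, HMI and a mis-addressed "stray" device) is constructed.

```python
"""Layer 2 VLAN isolation, interVLAN routing and the 1:1:1 rule (added example).

Illustrative model written for this page, not the eBook's code and not a
switch or router implementation. A layer 2 switch forwards only within a VLAN;
a layer 3 router forwards between VLANs on which it has an interface. Hosts,
VLAN numbers and addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Interface, IPv4Network
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Host:
    name: str
    vlan: int
    address: str  # "192.168.10.10/24" style

    @property
    def network(self) -> IPv4Network:
        return IPv4Interface(self.address).network


class Layer2Switch:
    """Forwards frames by MAC address, but never across VLAN boundaries."""

    def forwards(self, a: Host, b: Host) -> bool:
        return a.vlan == b.vlan


class Layer3Router:
    """One interface per VLAN; that interface address is the VLAN's default gateway."""

    def __init__(self, interfaces: Dict[int, str]) -> None:
        self.interfaces = {vlan: IPv4Interface(ip) for vlan, ip in interfaces.items()}

    def gateway_for(self, host: Host) -> Optional[str]:
        iface = self.interfaces.get(host.vlan)
        if iface is None or iface.network != host.network:
            return None  # router is not on this host's subnet: no usable gateway
        return str(iface.ip)

    def routes(self, a: Host, b: Host) -> bool:
        return self.gateway_for(a) is not None and self.gateway_for(b) is not None


def can_communicate(a: Host, b: Host, switch: Layer2Switch,
                    router: Optional[Layer3Router] = None) -> str:
    """'direct' (same VLAN), 'routed' (via the router), or 'blocked'."""
    if a.network == b.network:
        # Same subnet means the hosts try to talk directly (ARP + frames);
        # a different VLAN tag makes the switch drop those frames.
        return "direct" if switch.forwards(a, b) else "blocked"
    if router is not None and router.routes(a, b):
        return "routed"
    return "blocked"


def broadcast_domains(hosts: List[Host]) -> Dict[int, Set[str]]:
    """Hosts that hear each other's broadcasts, grouped by VLAN."""
    domains: Dict[int, Set[str]] = {}
    for h in hosts:
        domains.setdefault(h.vlan, set()).add(h.name)
    return domains


def one_to_one_violations(hosts: List[Host]) -> List[str]:
    """Report subnets spread over several VLANs and VLANs carrying several subnets."""
    subnet_vlans: Dict[IPv4Network, Set[int]] = {}
    vlan_subnets: Dict[int, Set[IPv4Network]] = {}
    for h in hosts:
        subnet_vlans.setdefault(h.network, set()).add(h.vlan)
        vlan_subnets.setdefault(h.vlan, set()).add(h.network)
    problems = [f"subnet {net} spans VLANs {sorted(v)}"
                for net, v in subnet_vlans.items() if len(v) > 1]
    problems += [f"VLAN {vlan} carries subnets {sorted(str(n) for n in nets)}"
                 for vlan, nets in vlan_subnets.items() if len(nets) > 1]
    return sorted(problems)


# Constructed plant: cell VLAN 10 for PLC + I/O, VLAN 20 for the HMI, and a
# mis-addressed device on VLAN 30 that was given a VLAN 10 subnet address.
PLC = Host("PLC", 10, "192.168.10.10/24")
IO = Host("IO", 10, "192.168.10.20/24")
HMI = Host("HMI", 20, "192.168.20.5/24")
STRAY = Host("Stray", 30, "192.168.10.30/24")
SWITCH = Layer2Switch()
ROUTER = Layer3Router({10: "192.168.10.1/24", 20: "192.168.20.1/24"})

if __name__ == "__main__":
    print("PLC-IO   :", can_communicate(PLC, IO, SWITCH))
    print("PLC-HMI  :", can_communicate(PLC, HMI, SWITCH), "/",
          can_communicate(PLC, HMI, SWITCH, ROUTER))
    print("PLC-Stray:", can_communicate(PLC, STRAY, SWITCH, ROUTER))
    print(one_to_one_violations([PLC, IO, HMI, STRAY]))
```

The stray device is the interesting case: it shares the PLC's subnet but not its VLAN, so neither the switch (wrong VLAN) nor the router (same subnet, nothing to route) will ever carry its frames, which is exactly the kind of silent failure the 1:1:1 rule is meant to prevent.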
What is Converged Plantwide Ethernet?

CPwE

Ethernet/IP has been readily adopted as a network solution for control and information exchange in industrial applications. Part of this adoption includes focusing on globalizing your operations, standardizing devices, normalizing network processes, and closely integrating IT/OT with existing automation systems. Developed by Rockwell Automation and Cisco, CPwE encompasses all of this and more. Any project that requires standardization, normalization, and integration will have challenges. A robust, modern network increases visibility, minimizes risk, and helps achieve overall profitability. The benefits are truly immense.

CVD: Cisco Validated Design

CVD is an important concept for any dedicated CPwE effort. Technology is continually changing, and that means constantly navigating new, innovative solutions. What new technology is available? Cisco Validated Design, combined with Rockwell Automation's experience in the industrial world, helps you balance proven success against new opportunities when it comes to networking.

Key Initiatives

Rockwell Automation and Cisco are engaged in a strategic alliance to deploy best practices in both IT and OT systems. This includes four key initiatives:

Common Technology View – A single system architecture is paramount for visibility, flexibility, and efficiency in a competitive manufacturing environment, using open, industry-standard networking technologies.

Converged Plantwide Ethernet Architectures – Providing users with the foundations for success with manufacturing-focused architectures, deploying the latest technology by addressing topics relevant to both IT and engineering professionals.

Joint Product and Solution Collaboration – Incorporating the best of Cisco and Rockwell Automation with Stratix 8000 industrial Ethernet switches.

People and Process Optimization – Facilitating manufacturing and IT convergence through education and services to allow successful architecture deployment and increased efficiency.

These four key initiatives are covered in the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide. The digitization of manufacturing requires the connection of isolated production systems and processes to support modern IoT technologies. Rockwell Automation and Cisco work closely to leverage best practices from both operational technology (OT) and information technology (IT) with jointly developed resources, products, and training.
Networking with Ring Topology

REP or DLR

REP and DLR are two of the most popular ring topology protocols. Let's dig into how they work as we explore some of the reasons why a facility might choose one ring or the other. Before we inspect the rings more closely, there are a few key terms we need to understand.

⏹ Resiliency – The ability of a network to recover from a fault (break in the cable, missed connection, etc.)
⏹ Convergence Time – The time it takes for a network to heal itself
⏹ RPI – How quickly data is updated over a connection

It is also important to note that resiliency is not the same as redundancy. A truly redundant network has multiple physical paths and duplicate equipment, resulting in zero convergence time. For most applications, this type of topology is not necessary. However, if your application calls for this type of redundancy (medical, aerospace, etc.), we recommend investigating PRP and using the 1756-EN2TP ControlLogix module.

Resilient Ethernet Protocol

REP is a Cisco proprietary protocol that provides a way to control loops, handle failures, and improve convergence time (typically 15 ms). This ring protocol is used primarily in layer 2 Cisco switch topologies (including Stratix 5700/5400/8000 switches) and does not work at the device level. In other words, REP is used between switches only. Additionally, multiple REP rings can exist on a switch. A REP ring is configured by assigning ports certain roles on the switch: primary, edge, no-neighbor, no-neighbor primary, transit, or none. You can find more information in the reference links on page 22.

Pictured: An example of a possible REP type ring topology.

Device Level Ring

DLR is a ring protocol used by modern Rockwell Automation devices such as PowerFlex drives, Ethernet/IP communication adapters, ControlLogix and CompactLogix controllers, and Stratix switches. DLR allows automation devices to be placed in a ring with a convergence time of less than 3 ms. In other words, if your RPI is above 3 ms, it will seem like nothing ever happened on the network: you will only receive a ring fault but not lose connection to your devices.

DLR is incredibly simple to set up. You only need to designate a ring supervisor (an actual checkbox in Studio 5000® design software) and connect the ring. The ring supervisor simply watches the ring and checks for faults. If a device is not DLR compatible (a third-party device, or an older Rockwell Automation device with one Ethernet port), an Ethernet/IP Tap with 3 copper ports (1783-ETAP) can be added to allow that device to be placed on the DLR ring.

Pictured: An example of a possible DLR type ring topology (© Rockwell Automation).

Finding the Right Ring

If you are looking at connecting switches together, REP is the best approach to take. However, down at the device level, where the fastest convergence time is necessary, DLR is your best bet. Based on your equipment, your facility, and your existing network, the right answer depends. We're including some resources below that provide further details and clarification to help you make your choice.

⏹ Resource #1: REP Design Guide, Deploying the Resilient Ethernet Protocol
⏹ Resource #2: DLR, Ethernet/IP Embedded Switch Technology
⏹ Resource #3: The Converged Plantwide Ethernet (CPwE) Design and Implementation Guide
⏹ Resource #4: Stratix 5700, Industrial Managed Ethernet Switch

NOTE: For even more resiliency, DLR, REP, and multiple Stratix switches can be used in combination with a new Redundant Gateway feature in the Stratix 5700 switch.
Pictured: An example of a possible DLR type ring topology (© Cisco and Rockwell Automation).
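The distinction this section draws between resiliency and redundancy, and the relationship between RPI and convergence time, can be played through on a small graph. The Python below is an added illustration written for this page, not DLR or REP protocol code: a ring gives every node two physical paths to the supervisor, one broken link is healed once the supervisor unblocks the port it normally keeps closed to prevent a loop (a simplification of how a DLR supervisor behaves), and a second simultaneous break isolates a segment, which is where real redundancy such as PRP would be needed. The node names are constructed; the 3 ms convergence figure is the one quoted in the text.

```python
"""Ring resiliency versus redundancy, and the RPI/convergence rule (added example).

Illustrative model written for this page, not DLR or REP protocol code. A ring
gives every node two physical paths to the supervisor; one broken link is
healed by the supervisor unblocking its normally blocked port, while a second
simultaneous break isolates a segment. Node names are constructed; the 3 ms
DLR convergence figure is the one quoted in the text.
"""
from collections import deque
from typing import Iterable, List, Set, Tuple

Link = Tuple[str, str]


def ring_links(nodes: List[str]) -> List[Link]:
    """Each node is cabled to the next, and the last back to the first."""
    return [(nodes[i], nodes[(i + 1) % len(nodes)]) for i in range(len(nodes))]


def _same_link(a: Link, b: Link) -> bool:
    return a == b or a == (b[1], b[0])


def reachable(nodes: List[str], links: Iterable[Link], start: str) -> Set[str]:
    """Breadth-first search over the surviving links."""
    adjacency = {n: set() for n in nodes}
    for a, b in links:
        adjacency[a].add(b)
        adjacency[b].add(a)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adjacency[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def normal_operation(nodes: List[str], supervisor: str) -> Set[str]:
    """No fault: the supervisor blocks one of its ring ports so the loop is open."""
    blocked = (supervisor, nodes[(nodes.index(supervisor) + 1) % len(nodes)])
    active = [l for l in ring_links(nodes) if not _same_link(l, blocked)]
    return reachable(nodes, active, supervisor)


def after_faults(nodes: List[str], supervisor: str, faults: List[Link]) -> Set[str]:
    """Ring fault: the supervisor unblocks its port and every surviving link is used."""
    active = [l for l in ring_links(nodes)
              if not any(_same_link(l, f) for f in faults)]
    return reachable(nodes, active, supervisor)


def fault_is_transparent(rpi_ms: float, convergence_ms: float = 3.0) -> bool:
    """The text's rule of thumb: an RPI longer than the convergence time means
    the controller sees a ring fault indication but no lost connection."""
    return rpi_ms > convergence_ms


RING = ["PLC", "Drive1", "Drive2", "IO1", "IO2"]  # constructed DLR ring, PLC is supervisor

if __name__ == "__main__":
    print("normal    :", sorted(normal_operation(RING, "PLC")))
    print("one break :", sorted(after_faults(RING, "PLC", [("Drive1", "Drive2")])))
    print("two breaks:", sorted(after_faults(RING, "PLC",
                                              [("Drive1", "Drive2"), ("IO1", "IO2")])))
    print("RPI 10 ms transparent?", fault_is_transparent(10))
```

With one break every node is still reachable, which is the resiliency the text promises; with two breaks Drive2 and IO1 are cut off from the supervisor, which is why a ring is resilient but not redundant.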
6 Parts of a Secure Industrial Network

IT/OT Convergence

The convergence of IT and OT has allowed for many advances in the world of industrial automation. For instance, the ability to control multiple disciplines (motion, safety, I/O) through one robust network (Ethernet/IP) is now a standard for most manufacturing companies. This convergence has also brought the long-existing knowledge and best practices of the IT world to the automation space. Companies like Cisco can apply their resiliency and security protocols to industrial applications, improving efficiency and decreasing downtime. However, a common issue for both the IT and OT disciplines lies within network security.

Adjusting to Ethernet/IP

Automation engineers are often tasked with keeping the plant running and reducing downtime. So, legacy protocols have often been left open to allow technological coexistence between devices, as well as for ease of connectivity. This school of thought has prevailed for quite some time. Even after Ethernet/IP became more of a standard on the plant floor, this philosophy remained, leaving many manufacturing facilities insecure.

Forming a Secure Industrial Network

In a way, network security can be a lot like safety: too much security and your production may take a hit; too little security and you leave yourself exposed to cyber-attacks. There needs to be a balance between maintaining your overall equipment effectiveness (OEE) and mean time to repair (MTTR) targets and network protection.

The Converged Plantwide Ethernet (CPwE) deployment guide recommends a defense-in-depth approach, meaning there is no single policy, software product, or firewall that will completely protect you. To achieve a more flexible, secure industrial network, you must use a combination of the six security areas below.

#1. POLICIES AND PROCEDURES
You need a plan of action regarding human interaction with devices on an industrial network, as well as ongoing risk management. Policies or procedures can sometimes be a quick fix for another area lacking security, but they are only as good as the actions and technology that enforce them.

#2. PHYSICAL SECURITY
You must document and implement operational and procedural controls to manage access to particular areas (control panels, data rooms, control room, etc.) and lock out unused ports on switches (as well as disabling them in software) using Panduit® devices.

#3. NETWORK SECURITY
Use a combination of hardware and software designed to block communication paths and services that are not authorized. Think firewalls, UTM devices (Stratix 5950 switch), and integrated protection in switches and routers. Tripwire is network security software that can assist in your network security needs.

#4. COMPUTER HARDENING
Computer hardening includes patch management, anti-virus software, and eliminating insecure communications protocols (serial, DH+).

#5. APPLICATION SECURITY
Use change management, authorization, and authentication software to track changes and user access. FactoryTalk® Security and FactoryTalk AssetCentre software are great tools to utilize when looking into application security.

#6. DEVICE HARDENING
Device hardening involves restricting physical access to authorized personnel only, disabling remote programming, restricting access to routines, and encrypting communications. The new license-based source protection of CompactLogix and ControlLogix controllers, as well as FactoryTalk Security software, can assist in hardening your devices.
What is CIP Security?

Recently, Rockwell Automation released the first phase of their CIP Security-enabled products. With the trend of embedding IP addresses in all industrial automation devices (IACs) for a connected enterprise, the Industrial Internet of Things (IIoT), or Industry 4.0, more and more plant floors are networked. While there are many advantages, this trend exposes facilities to greater security risks. The good news with CIP Security is that there is now a way to implement security at the device level.

How CIP Security Works
CIP is an open industrial protocol governed by the ODVA, and there are subsets of standards within the CIP protocol. Referring to the cybersecurity onion model and the defense-in-layers concept, CIP Security sits at the core of the onion, the IAC level. CIP Security protects data using Transport Layer Security (TLS) for explicit messages and Datagram Transport Layer Security (DTLS) for implicit I/O messages. As an Internet user, you use TLS every time you go to a secure website; just look for the lock icon next to the URL. TLS and DTLS use encryption and certificates to reject data that has been altered (integrity), messages sent by untrusted people or untrusted devices (authenticity), and messages that request actions that are not allowed (authorization).

CIP SECURITY-ENABLED DEVICES
Today, Rockwell Automation's 5580 family of ControlLogix and GuardLogix® controllers with the V32 release, FactoryTalk Linx V6.11, the 1756-EN4TR Ethernet scanner, the Kinetix® 5700 servo drive, and the soon-to-be-released PowerFlex 755T drives are CIP Security enabled. To secure legacy products, a whitelist function is also available. To manage this technology, Rockwell Automation has embedded FactoryTalk Policy Manager into FactoryTalk Services Platform V6.11. Policy Manager software manages the configuration of the system; once the configuration is deployed, the software is no longer required unless changes to the system are necessary.

Effective network security requires a Defense in Depth (DiD) model, and protecting the manufacturing zone from the outside world demands the use of firewalls at the DMZ (demilitarized zone). In the manufacturing zone, implementing FactoryTalk Security for authentication and rights protects against unauthorized access with role- or user-based privileges. And now, with CIP Security, we can keep unauthorized devices from making a connection, deny data snooping, and disallow tampering with or modification of data.
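The three rejections described above (altered data, untrusted sender, disallowed action) as an added, runnable illustration; this is not code from Rockwell Automation, the ODVA, or this eBook. CIP Security obtains these properties from TLS and DTLS with X.509 certificates; the model below substitutes per-device pre-shared HMAC keys (a deliberate simplification) so it runs on the Python standard library alone. Every device name, tag name, service name, key, and policy entry is constructed for the example.

```python
# Added illustration of the integrity / authenticity / authorization checks
# the eBook attributes to CIP Security. Not Rockwell Automation or ODVA code.
# Real CIP Security uses TLS (explicit messages) and DTLS (implicit I/O) with
# certificates; here a per-device pre-shared HMAC key stands in for the
# certificate trust relationship. All names, keys and policy below are
# constructed sample data.
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple

# Constructed trust store: device identity -> key. Models "do we trust this
# device's certificate?" (authenticity).
TRUSTED_DEVICES: Dict[str, bytes] = {
    "HMI-01": b"constructed-key-hmi-01",
    "PLC-01": b"constructed-key-plc-01",
}

# Constructed authorization policy: services each identity may request from
# the protected controller. "read"/"write" are placeholders, not CIP codes.
POLICY: Dict[str, Set[str]] = {
    "HMI-01": {"read"},
    "PLC-01": {"read", "write"},
}


@dataclass(frozen=True)
class Message:
    sender: str   # claimed device identity
    service: str  # requested action
    tag: str      # controller tag being addressed
    payload: str  # value for writes, empty for reads
    mac: str      # hex HMAC-SHA256 over the other four fields


def _canonical(sender: str, service: str, tag: str, payload: str) -> bytes:
    # Fixed field order and compact JSON so both ends MAC identical bytes.
    return json.dumps([sender, service, tag, payload],
                      separators=(",", ":")).encode()


def sign(sender: str, service: str, tag: str, payload: str, key: bytes) -> Message:
    """Build a message protected with the sender's key."""
    mac = hmac.new(key, _canonical(sender, service, tag, payload),
                   hashlib.sha256).hexdigest()
    return Message(sender, service, tag, payload, mac)


def check(msg: Message) -> Tuple[bool, str]:
    """Apply the three rejections in the order a receiver can evaluate them."""
    # Authenticity: no trust relationship with the claimed identity, so the
    # message is rejected before anything else (unknown certificate in TLS).
    key: Optional[bytes] = TRUSTED_DEVICES.get(msg.sender)
    if key is None:
        return False, "authenticity: untrusted sender"
    # Integrity: a MAC mismatch means the fields were altered in transit
    # (or the sender does not actually hold the key it claims).
    expected = hmac.new(key, _canonical(msg.sender, msg.service, msg.tag,
                                        msg.payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg.mac):
        return False, "integrity: message altered or key mismatch"
    # Authorization: a genuine, intact request may still ask for an action
    # this identity is not permitted to perform.
    if msg.service not in POLICY.get(msg.sender, set()):
        return False, "authorization: service not permitted for sender"
    return True, "accepted"


def demo() -> Dict[str, str]:
    """Run one constructed message through each outcome; name -> verdict."""
    hmi_key, plc_key = TRUSTED_DEVICES["HMI-01"], TRUSTED_DEVICES["PLC-01"]
    good = sign("HMI-01", "read", "Tank1_Level", "", hmi_key)
    # Altered in transit: payload changed after signing, MAC left unchanged.
    tampered = replace(sign("PLC-01", "write", "Pump1_Cmd", "0", plc_key),
                       payload="1")
    # A device with no trust relationship, signing with its own key.
    rogue = sign("LAPTOP-99", "write", "Pump1_Cmd", "1", b"constructed-rogue-key")
    # Trusted HMI, intact message, but requesting a service it may not use.
    overreach = sign("HMI-01", "write", "Pump1_Cmd", "1", hmi_key)
    cases = {"good": good, "tampered": tampered, "rogue": rogue,
             "overreach": overreach}
    return {name: check(m)[1] for name, m in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} -> {verdict}")
```

Note the evaluation order: a receiver must first decide whether it trusts the claimed identity, then confirm the message is intact, and only then consult policy. Each rejection reason is deliberately a distinct string, because in a real deployment each of these outcomes is a separate event worth logging and alerting on.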
Networking with Remote Connectivity

Remote connectivity is more critical than ever. Many of us were faced with new and unusual challenges during the pandemic-related lockdowns of the country and the world. Many manufacturers were deemed essential and were in production while the engineering and support staff worked from remote sites. Remote connection challenges include connecting into the plant control network for monitoring, troubleshooting, and making modifications to address procedural issues.

From POTS to Ethernet
There are a few different remote connectivity technologies for remoting into a network or controller. In the old days, we had dial-up modems that required a dedicated POTS (plain old telephone service) line. That connection was direct, and security was not as much of a concern. In today's modern times, connections are Ethernet-based, which opens many security concerns.

Remote Connectivity with VPN
Virtual private networks (VPNs) are secure connections over public networks that allow remote connectivity. Many companies have VPNs for employees to access business systems, email, and typical office functions. If you want to VPN into your Rockwell Automation® Ethernet network, the firewall must be configured to allow that traffic. Rockwell Automation Knowledgebase tech note QA54467 defines the ports that need to be unblocked.
So, what if your IT department refuses to open the firewall ports so you can connect to your control system? What are your other remote connectivity options?

Remote desktop is where you connect your remote PC to a PC connected to the network inside the firewall. These software packages, while free for personal use, do require a subscription or perpetual license for commercial use. Remote desktop is just that: when connected to the remote PC, all the resources must reside on that remote PC. If you want to go online with a Logix controller on Ethernet, that PC must be connected to the network and have an activated copy of Studio 5000 design software.

Cloud-Based Appliances
Many manufacturers make cloud-based VPN appliances to provide remote connectivity. Let's use an Ewon® product as an example. Cloud-based VPNs use an outbound connection on port 443 or 1194. If you do not recognize port 443, it is the port used to reach the World Wide Web (WWW) via HTTPS, the exact same secure port you might use to sign in to your online banking portal. Appliances have a connection to a cloud-based server (WAN) and a connection to the local network (LAN). Using the client software, a secure, encrypted outbound connection is established.

The Advantages of Remote Connectivity
There are several advantages to using a remote access appliance. First, only a connection to the web is required, as they typically work with existing firewall rules. Second, only the devices connected to the LAN side may be accessed remotely. Lastly, they work with most major brands of control systems. With the Ewon solution, you can also control remote connectivity from the factory floor using a physical key switch. The switch can be paired with an email or text notification, so both the equipment manufacturer and the end user are notified that a remote connection is active.

Finally, ensure that whatever VPN solution you choose has third-party cybersecurity certifications and has undergone penetration testing. Security by obscurity is not a strategy!
Collect Data with HMI and SCADA

One of the biggest benefits of industrial networking is the ability to gather data and make informed decisions. Both HMI and SCADA can help you collect and leverage data.

Automation Data Collection
Over the past few years, the industrial automation industry has turned its sights on data collection to make smarter business decisions. Concepts such as live data, mobility, automatic reporting, and historical data have become a reality in most plants today. HMI and SCADA are key to building data collection. Depending on your role, you have different data collection needs. A Controls Engineer might be trying to tie diverse HMI and SCADA devices together into one machine. A Plant Manager might want to view individual historical data for process equipment or production lines on demand. A Production Supervisor may need to analyze batch operations for an individual site against existing benchmark production parameters. For Rockwell Automation users, the FactoryTalk family provides these manufacturing intelligence and analytics solutions. Here's an analogy: think of FactoryTalk software as Microsoft® Office. Where Microsoft Office has Microsoft Excel, Rockwell Automation provides FactoryTalk Historian software. Where Microsoft Office has Microsoft PowerPoint, Rockwell Automation provides FactoryTalk Analytics. Historian and Analytics software are part of the FactoryTalk suite.
Pictured above: an example data collection and analysis screenshot from the FactoryTalk suite of software.

The Challenges of Outdated Software
RSView®32™ HMI is an integrated, component-based HMI for monitoring and controlling automation machines and processes. RSView32 HMI was launched many years ago and still offers a great solution for many users, but you may find that the FactoryTalk family provides functionality more in line with current demands. There are still several plants utilizing RSView32 HMI as their HMI/SCADA software platform today. While this software may fall into the "if it's not broken, don't fix it" category, some risks are involved with using this software. The issue is compatibility with Windows operating systems: RSView32 v7.6 HMI is not supported on anything above Windows 7 Professional SP1 (32-bit), with the majority of versions not being supported above Windows XP. This means that if you were to lose a computer with Windows XP installed, you would need to find a way to obtain another computer with XP installed. Microsoft stopped supporting Windows XP in 2014.

Pictured below: an example data collection and analysis screenshot from the FactoryTalk suite of software.

Data Increases Efficiency
Support and compatibility are compelling reasons why moving to something more current might make sense. There is another reason why moving to a FactoryTalk system can benefit your plant. To help explain this, we will use a device in your pocket right now: your smartphone. Let's imagine you want to conduct three very simple actions: send a text message to a co-worker, check your inbox, and finally check your bank statement. These three actions would probably take you less than five minutes, all from one device. The use of apps makes your everyday life more efficient. It is important to note that this ease of access to data has now become a technological norm.

Pictured below: an example data collection and analysis screenshot from the FactoryTalk suite of software.

Now let's take a step back to the early aughts. You probably had a flip phone of some kind, right? Imagine doing the same three tasks using this flip phone. Yes, you could absolutely send a text message, but it may take longer without a full keyboard. There is a chance you could check your email, but it may not be as organized or streamlined. As for checking your bank account, you are either going to have to access it on a computer, go to the bank, or call them and provide your information. Not very efficient by today's standards, but it was the best technology available at the time. That same analogy can be applied to an RSView32 system and a FactoryTalk system. RSView32 HMI was the best technology available at the time and met the industry's technological demands. The demands have changed, and so has the technology. A FactoryTalk system can more efficiently do everything RSView32 HMI could do and more. FactoryTalk View SE software (the HMI platform) acts as the base, and other products such as VantagePoint, Historian, Metrics, or AssetCentre software act as apps to make your plant more efficient.
What is a FactoryTalk?

"Please quote me a FactoryTalk." We get that request from time to time. FactoryTalk software is not a product with a catalog number. Looking at the portfolio of Rockwell Automation software, there are products with catalog numbers like FactoryTalk View software, FactoryTalk Historian software, FactoryTalk Metrics software, FactoryTalk VantagePoint software, and so on. Notice the common denominator? So, just suppose there was a FactoryTalk product you could purchase: what would you get? Looking at the naming pattern of the Rockwell Automation software products with FactoryTalk as the prefix, they all share a common set of services that allow the suite of FactoryTalk-enabled products to efficiently share resources.

Understanding FactoryTalk Services
The following will help you understand the various FactoryTalk services.

FactoryTalk Directory software can be "local," where all the FactoryTalk-enabled products reside on a single computer, or "network," where the products are distributed across multiple computers in a domain or workgroup. The directory is like a phonebook for the system, directing resources and managing user and group security policies.

FactoryTalk Security software defines "who can do what from where" policies.

FactoryTalk Activation software allows central management of software licenses, as well as license borrowing and tracking.

FactoryTalk Diagnostics and FactoryTalk Audit software are central repositories that record system messages and errors, communication errors, and tag read and write activity, along with operator comments and actions.

FactoryTalk Live Data software is the data transport via FactoryTalk Linx. FactoryTalk Linx can be the central data server for all FactoryTalk-enabled products, thus eliminating multiple requests and connections to processors. It is included in all products at no additional charge and is easily configurable for redundancy in a fault-tolerant system.

FactoryTalk Alarms and Events software allows alarm management across a distributed visualization architecture, and alarms can be published instead of polled by each device.

All FactoryTalk-enabled products share these services, allowing for central management.
Network & Security Solutions

Improve Your Network and Protect Your Facility
The Internet of Things makes your Internet-connected devices nimbler and more responsive than ever. With these advancements comes the need for cybersecurity. Potential threats run the gamut from bad-actor hackers to well-intentioned mistakes, and events can impact availability, operations, and productivity. Our network and security services allow you to enjoy the benefits of networking while avoiding the threat of digital disasters.

Stay Connected with a Reliable Infrastructure
Our team of trusted experts is here to help you innovate and prosper with the power of a secure, connected enterprise. We partner with industry leaders such as Rockwell Automation, Panduit, Cisco, VMware, Microsoft, and others to provide the end-to-end services you need to ensure your facility is both well-networked and secure. And we'll save you time and reduce stress with one number to call for world-class support.

SOLUTIONS TO INCREASE SECURITY AND PERFORMANCE
Our networking and security services include:
⏹ Cloud Services
⏹ Industrial Data Center Design, Build and Monitoring
⏹ IT / OT Training
⏹ Network Logical Assessments, Designs and Implementations
⏹ Networking Infrastructure Assessments, Designs, and Installations through Panduit Certified Installers
⏹ Network Infrastructure and Security Management
⏹ Network Security Assessments
⏹ Switch Configurations
⏹ Virtualization Services

Network & Security Services
We can help you design and implement the right networking solutions for your facility. Horizon Solutions, a Rexel company, is an Authorized Allen-Bradley® Distributor and Rockwell Automation Service Provider. We offer a comprehensive suite of products, services, and solutions to help increase security, efficiency, and productivity. Contact our team of Automation Specialists today!

We are Your Industrial Network Partner
Through our partnership with Rockwell Automation, we offer a unique combination of expertise in both the IT and industrial automation spaces. We can help you manage your network infrastructure and security throughout the entirety of its life cycle.

NETWORK CONSULTING
Improve your industrial network and avoid security breaches with Network Consulting. We take a holistic approach. Our team of experts will evaluate your current conditions, highlighting any issues you need to address as well as potential problems that may arise, and we include recommended steps toward resolution.

NETWORK DESIGN AND IMPLEMENTATION
Design an efficient, secure network. We partner with Rockwell Automation and Panduit to offer the complete Network Design and Implementation service you need, with as much or as little support as your project requires. Our scalable, secure designs will allow you to maximize your network uptime now and in the future.

NETWORK SECURITY
Protect your industrial network against accidental interference and malicious threats. Our Network Security services have you covered. From architecture design to access points, our networking portfolio includes enclosures, patch cords, I/O modules, network switches, and more. We also offer more advanced options, including rugged connectors and extended-temperature switches for harsh environments that exceed the typical operating ranges of information technology equipment.

NETWORK TROUBLESHOOTING
Meet industry standards and your internal requirements. As you add to, change, and upgrade your networks, issues may arise. Our Network Troubleshooting service eliminates your network and security system issues. Our specialists collaborate with Rockwell Automation to identify and address current problems and take proactive steps to avoid future obstacles. Request a Quote.

STRATIX SWITCH CONFIGURATION
Pre-configured and ready to use. With our Stratix Switch Basic Configuration and Stratix Switch Advanced Configuration services, your switch will be expertly set up for your industrial network. You can purchase a new Stratix switch that we pre-configure to meet your needs, or we can configure a basic switch you've already purchased. All we need is the part number to get the process started.

Let Us Help You Realize Networking Benefits
Optimize performance while increasing protection with our networking and security services. The Horizon Solutions, a Rexel company, automation team combines deep product knowledge and industry trends with a customer-focused approach. Let us help you design a custom networking solution to meet your unique needs. Contact us today at [email protected]
Email: [email protected] www.Rexelusa.com ©2023 Horizon Solutions, a Rexel Company. All Rights Reserved. All supplier trademarks are the property of their respective owners. – 2/6/2023