Industrial Demilitarized Zone

Design Principles
Jason J. Dely, CISSP, CISM
Principal Security Consultant, Network & Security Services
jdely@ra.rockwell.com
PUBLIC INFORMATION

Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.

Course Description
There are many organizations and standards bodies that recommend separating the
enterprise zone from the industrial zones by utilizing an industrial demilitarized zone
(iDMZ).
This session will describe the basic principals and strategies of designing an iDMZ to
separate these two zones.
A prior understanding of general Ethernet concepts, or attendance of the Fundamentals
of EtherNet/IP session is recommended.

Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.

Agenda
What is a DMZ?
Methodology
Network Segmentation

Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.

Industrial Network Convergence

Continuing Trend
Corporate Network

Corporate Network
Back-Office Mainframes and
Servers (ERP, MES, etc.)

Control Network
Gateway

Human Machine
Interface (HMI)

Office
Applications,
Internetworking,
Data Servers,
Storage

Controller

Supervisory
Control

Phone

Controller

Robotics

Office
Applications,
Internetworking,
Data Servers,
Storage

Back-Office Mainframes and

Servers (ERP, MES, etc.)

Camera

Supervisory
Control

Robotics

Motors, Drives
Actuators

I/O
Sensors and other
Input/Output Devices

Industrial Network

Traditional 3 Tier
Industrial Network Model

Motors, Drives
Actuators

Safety
Controller

Safety
I/O

Human Machine
Interface (HMI)

Sensors and other

Input/Output Devices

Industrial Network

Converged Plantwide EtherNet/IP

Industrial Network Model

EtherNet/IP - Enabling/Driving
Convergence of Control and Information
Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.

Industrial Network Convergence

Continued Trend Demilitarized Zone (DMZ)
Corporate Network
Office
Applications,
Internetworking,
Data Servers,
Storage

Back-Office Mainframes and

Servers (ERP, MES, etc.)

Link for
Patch Management
Remote Access Services
Application Mirrors
Anti-Virus Servers

Failover

Active

Standby

Firewalls for separation

Unified Threat Management
Authentication & Authorization
Application & Data Sharing via
replication or terminal services

DMZ

Controller
Phone
Camera

Supervisory
Control

Robotics
I/O

Motors, Drives
Actuators

Safety
Controller

Safety
I/O

Human Machine
Interface (HMI)

Sensors and other

Input/Output Devices

Industrial Network

Converged Plantwide EtherNet/IP

Industrial Network Model
Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.

Demilitarized Zone (DMZ)

Sometimes referred to a perimeter network that exposes an
organizations external services to an untrusted network. The purpose of
the DMZ is to add an additional layer of security to the trusted network
Internet

Web
Proxy

UNTRUSTED
BROKER

DMZ

TRUSTED

Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.

Controlling Access to the Manufacturing Zone

Level 5
Level 4

Enterprise Network

Router
E-Mail, Intranet, etc.

Site Business Planning and Logistics Network

Terminal Services

Patch Management

Historian Mirror

Level 3

Level 2

FactoryTalk
Application
Server

Enterprise
Zone

Web Services Operations

FactoryTalk
Directory

Engineering
Workstation

FactoryTalk
Client

Firewall

AV
Server

Web
E-Mail
CIP

Application
Server

Firewall

Domain
Controller

Manufacturing
Zone

Site Manufacturing Operations

and Control
Area Supervisory
Control

FactoryTalk
Client
Operator
Interface

Engineering
Workstation

Operator
Interface
Basic Control

Level 1
Level 0

Batch Control

Sensors

Discrete Control

Drives

DMZ

Drive Control

Actuators

Continuous
Process Control

Robots

Safety
Control

Cell/Area
Zone

Process

No Direct Traffic Flow from Enterprise to Manufacturing Zone

Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.

Agenda
What is a DMZ?
Methodology
Network Segmentation

Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.

Methodology

Develop a scientific method to develop repeatable, measureable and

maintainable solution(s)
Look at the problem holistically and drill down to each system

Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.

DMZ / Network Reconnaissance

(Design Pre-work)
Identify types of
Assets in
Manufacturing Zone
and those that
support
Manufacturing

Identify who owns

the hardware and
software on the
asset.

Recon Phase
Identify Assets
Or
Asset Classes

Identify Asset
Owners

ACTION

ACTION

Document Assets by
documentation,
interviews and
network scanning

Document Asset
Owners and
Schedule Interviews

Design Phase
Requirements Architectural Tech. Design
Implement
Phase
Phase
Phase

Maintain

Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.

10

Classify Asset Types

Goal: Identify assets that support manufacturing process.

Goal: Identify if asset belongs in the Mfg. or Enterprise Zone.
Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.

11

Diagram Data Sources Feeding Higher

Level Assets

Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.

12

Identify System Owners / Users

Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.

13

Interview Process
Interview process identifies
how the owners and
clients of the assets
Operate
Configure
Patch
Upgrade
Identifies where the data is
produced and consumed
This process is used to
gather requirements

Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.

14

DMZ / Network Design Methodology

Detailed information
usually written by the
coder or implementer
that describes how
the system or product
will be programmed,
configured to meet
the customer
requirements and the
high level
architecture.

The system
components are
brought together and
tested during this
phase per the testing
plan

System has been

Verified and Validated
and is maintained by
Operations and
Maintenance

Technical Design
Phase

Implementation

Maintain

ACTION

ACTION

ACTION

ACTION

Produce high level

documentation and
drawings to meet
every requirement

Produce detailed
documentation such
as drawings, switch
configurations, VLAN,
IP Address, Firewall
ACLs

Requirements are a
statement identifying
a capability, physical
characteristic or
quality factor that
bounds a product or
process problem for
which a solution will
be pursued. (Source:
IEEE Standard 12201994)

High level
architectural
recommendations
that are proposed to
meet the customer
requirements.

Requirements
Phase

Architectural
Phase

ACTION
Interview all system
owners to gather
requirements for
operations,
configuration and
maintenance.

Verify, was the

Modify configurations
product built right
and assets to fix
and Validate, was anomalies or required
the right product built operational changes.
process

Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.

15

High Level Architecture

Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.

16

How to Derive High Level Architecture

Enterprise
Client

Actor

Historian

MES

Order Entry
QC Systems

No Control Protocols
Through the Firewall(s)

Industrial
DMZ

Manufacturing

Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.

17

Move the Assets Around To Minimize Cross

Zone Traffic Especially Control Protocols
Enterprise
Client

Actor

Order Entry

MES

Historian

Historian

Data

Mirror

Proxy

Industrial
DMZ

Manufacturing
Historian

QC Systems

Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.

18

High Level Architecture Review All

Use Cases and Meet All Requirements
Use Case Configure
Historian from
Enterprise

Remote Desktop Gateway

Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.

19

High Level Architecture Review Use

Cases
Use Case Move
Data From
Manufacturing
Historian to Enterprise
Historian

Historian Mirror

Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.

20

DMZ / Network Design Methodology

Detailed information
usually written by the
coder or implementer
that describes how
the system or product
will be programmed,
configured to meet
the customer
requirements and the
high level
architecture.

The system
components are
brought together and
tested during this
phase per the testing
plan

System has been

Verified and Validated
and is maintained by
Operations and
Maintenance

Technical Design
Phase

Implementation

Maintain

ACTION

ACTION

ACTION

ACTION

Produce high level

documentation and
drawings to meet
every requirement

Produce detailed
documentation such
as drawings, switch
configurations, VLAN,
IP Address, Firewall
ACLs

Requirements are a
statement identifying
a capability, physical
characteristic or
quality factor that
bounds a product or
process problem for
which a solution will
be pursued. (Source:
IEEE Standard 12201994)

High level
architectural
recommendations
that are proposed to
meet the customer
requirements.

Requirements
Phase

Architectural
Phase

ACTION
Interview all system
owners to gather
requirements for
operations,
configuration and
maintenance.

Verify, was the

Modify configurations
product built right
and assets to fix
and Validate, was anomalies or required
the right product built operational changes.
process

Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.

21

Agenda
What is a DMZ?
Methodology
Network Segmentation

Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.

22

Manufacturing Zone Architecture to

support DMZ
Division of plant into
functional areas for
secured access

ISA-SP99 Zones and

Conduit model

OEMs Participation

IP Address
VLAN IDs
Access layer to Distribution
layer cooperation

System design requires full

cooperation of all System
Integrators, OEMs, IT and
Engineering
Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.

Copy

Data Link / Network Layers

Control Systems are
Designed
with Availability
Requirement First!

Security
Availability

ERP, Email,
Wide Area Network (WAN)

Enterprise Zone
Levels 4 and 5
Demilitarized Zone (DMZ)

Patch Management
Terminal Services
Application Mirror
AV Server

Gbps Link
for Failover
Detection

Cisco
ASA 5500

Firewall
(Standby)

Firewall
(Active)

Demilitarized Zone (DMZ)

FactoryTalk Application Servers

Security
Availability

VLAN 101
VLAN 41

View
Historian
AssetCentre
Transaction Manager

Catalyst
6500/4500

FactoryTalk Services
Platform

Remote
Access
Server

Directory
Security/Audit

Data Servers

Catalyst 3750
StackWise
Switch Stack

Cell/Area #1

Layer 2 Access Link

Layer 2 Interswitch Link/
802.1Q Trunk
Layer 3 Link

Network Services

DNS, DHCP, syslog server

Network and security mgmt

Rockwell Automation
Stratix 8000
Layer 2 Access Switch

Cell/Area Zones
Levels 02

Cell/Area #3

Cell/Area #2

Drive

Industrial Zone
Site Operations and Control
Level 3

Cisco
Catalyst Switch

HMI

Controller
HMI

Controller
HMI

VLAN 102

I/O

VLAN 42

I/O

Drive

Drive
I/O

Controller

VLAN 103

VLAN 43

VLAN 104

VLAN 44

VLAN 105
Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.

Structure and Hierarchy

Network Segmentation: Building Block for Availability
Layer 3
Distribution
Switch
Layer 2
Access Switch

Layer 2
HMI Block
I/O
Building
Media &
Connectors

Cell/Area Zone #1
Redundant Star Topology
Flex Links Resiliency

Availability

Catalyst 3750
StackWise
Switch Stack

Layer 3
Building Block
Rockwell Automation
Stratix 8000
Layer 2 Access Switch

Drive
Controller

Security

HMI

Layer 2
I/O
Drive
Building Level
Block
1
Controller

Controller

Cell/Area Zone #2
Ring Topology
Resilient Ethernet Protocol (REP)

Cell/Area Zones
Levels 02
Level 2 HMI

Controller

HMI

Drive

Layer 2
Building
Block
I/O
Level 0
Drive

Cell/Area Zone #3
Bus/Star Topology

The Cell/Area zone is a Layer 2 network for a functional area of the plant floor.
Key network considerations include:
Structure and hierarchy using smaller Layer 2 building blocks
Logical segmentation for traffic management and policy enforcement to accommodate timesensitive applications
Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.

Machine Types
Security

Building Blocks for Security Specifications

Availability Requirements

Historian
OS Patch
AV Server
Workstations
Remote Session Hosts
HMI Servers

Networking, Routing

Availability

Information Requirements

Interfaces

Controller data structure

Catalyst 3750
StackWise
Switch Stack

Security Requirements (C,I,A)

Machine or
Cell Level
Interfaces

Cell/Area Zones
Levels 0-2

HMI

Rockwell Automation
Stratix 8000
Layer 2 Access Switch

Drive

Controller
HMI

Controller
HMI

I/O

Drive

I/O
Controller

Cell/Area Zone #1
Redundant Star Topology
Flex Links Resiliency

I/O

Cell/Area Zone #2
Ring Topology
Resilient Ethernet Protocol (REP)

Drive
I/O
Cell/Area Zone #3
Bus/Star Topology
Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.

We care what you think!

Please take a couple minutes to complete a quick
session survey to tell us how were doing.
On the mobile app:
1. Locate session using
Schedule or Agenda Builder
2. Click on the thumbs up icon on
the lower right corner of the
session detail
3. Complete survey
4. Click the Submit Form button

Thank you!!

4
Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.

27

Questions?

PUBLIC INFORMATION

Follow RSTechED on Facebook & Twitter.

Connect with us on LinkedIn.
www.rsteched.com
Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.