Technology | January 7, 2015

Defending the edge using an industrial demilitarized zone


An effective industrial network security framework needs to be pervasive and core to the deployment of automation systems. A defense-in-depth approach using the concept of an industrial demilitarized zone, along with a secure configuration and architecture, is vital to defending the edge of industrial networks.

INDUSTRIAL AUTOMATION AND CONTROL SYSTEM (IACS) networks are generally open by default; this openness facilitates both technology coexistence and IACS device interoperability. But openness also requires that IACS networks be secured by configuration and architecture and, most importantly, that the edge be defended.

Many organizations and standards bodies recommend segmenting business system networks from plantwide networks by using an Industrial Demilitarized Zone (IDMZ). The IDMZ exists as a separate network located at a level between the Industrial and Enterprise Zones, commonly referred to as Level 3.5. An IDMZ environment consists of numerous infrastructure devices, including firewalls, VPN servers, IACS application mirrors and reverse proxy servers, in addition to network infrastructure devices such as switches, routers and virtualized services.

Converged Plantwide Ethernet (CPwE) is the underlying architecture that provides standard network services for control and information disciplines, devices and equipment found in modern IACS applications. The CPwE architecture provides design and implementation guidance to achieve the real-time communication, reliability, scalability, security and resiliency requirements of the IACS.

The CPwE Industrial Network Security Framework, which uses a defense-in-depth approach, is aligned to industrial security standards such as ISA/IEC-62443 (formerly ISA-99) Industrial Automation and Control Systems (IACS) Security and NIST 800-82 Industrial Control System (ICS) Security.

Designing and implementing a comprehensive IACS network security framework should serve as a natural extension to the IACS. Network security should not be implemented as an afterthought. The industrial network security framework should be pervasive and core to the IACS. However, for existing IACS deployments, the same defense-in-depth layers can be applied incrementally to help improve the security stance of the IACS.

CPwE defense-in-depth layers include technology solutions and collaboration of key groups:

  • Control System Engineers: IACS device hardening (for example, physical and electronic), infrastructure device hardening (for example, port security), network segmentation, IACS application authentication, authorization and accounting (AAA)
  • Control System Engineers in collaboration with IT Network Engineers: zone-based policy firewall at the IACS application, operating system hardening, network device hardening (for example, access control, resiliency), wireless LAN access policies
  • IT Security Architects in collaboration with Control Systems Engineers: Identity Services (wired and wireless), Active Directory (AD), Remote Access Servers, plant firewalls, Industrial Demilitarized Zone (IDMZ) design best practices

Industrial demilitarized zone high-level concepts.
Industrial demilitarized zone

Sometimes referred to as a perimeter network, the IDMZ is a buffer that enforces data security policies between a trusted network (Industrial Zone) and an untrusted network (Enterprise Zone). The IDMZ is an additional layer of defense-in-depth that allows IACS data and network services to be shared securely between the Industrial and Enterprise Zones. The demilitarized zone concept is commonplace in traditional IT networks, but is still in early adoption for IACS applications.

For secure IACS data sharing, the IDMZ contains assets that act as brokers between the zones. Multiple methods to broker IACS data across the IDMZ exist:

  • Use an application mirror, such as a PI-to-PI interface for FactoryTalk Historian
  • Use Microsoft Remote Desktop Gateway (RD Gateway) services
  • Use a reverse proxy server

These broker methods, which help to hide and protect the existence and characteristics of the Industrial Zone servers from clients and servers in the Enterprise Zone, are covered in CPwE IDMZ.

High-level IDMZ design principles include:

  • All IACS network traffic from either side of the IDMZ terminates in the IDMZ. No IACS traffic directly traverses the IDMZ. There is no direct path between the Industrial and Enterprise Zones, and the two logical firewalls do not share a common permitted protocol.
  • EtherNet/IP IACS traffic does not enter the IDMZ; it remains within the Industrial Zone.
  • Primary services are not permanently stored in the IDMZ.
  • All data is transient; the IDMZ will not permanently store data.
  • Set up functional sub-zones within the IDMZ to segment access to IACS data and network services (for example, IT, Operations and Trusted Partner zones).
  • A properly designed IDMZ will support the capability of being unplugged if compromised, while still allowing the Industrial Zone to operate without disruption.
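Added example, not from the CPwE report: a small Python audit of a zone-based firewall policy against three of the principles above (no direct Enterprise-to-Industrial path, no EtherNet/IP entering the IDMZ, no protocol permitted through both logical firewalls). The rule model, zone names and both sample rule sets are constructed for this example; the EtherNet/IP port numbers are the standard CIP ones, and TCP 443 / TCP 3389 stand in for a reverse proxy or RD Gateway broker terminating the flow.

```python
from dataclasses import dataclass

ENTERPRISE, IDMZ, INDUSTRIAL = "enterprise", "idmz", "industrial"
FW_ENT = "enterprise-idmz"      # logical firewall between Enterprise Zone and IDMZ
FW_IND = "idmz-industrial"      # logical firewall between IDMZ and Industrial Zone

# EtherNet/IP (CIP) well-known ports: TCP 44818 explicit messaging, UDP 2222 implicit I/O.
ETHERNET_IP = {("tcp", 44818), ("udp", 2222)}

@dataclass(frozen=True)
class Rule:                     # hypothetical rule model: permit proto/port from src zone to dst zone
    src: str
    dst: str
    proto: str
    port: int

def firewall_of(rule):
    """Return the logical firewall a rule sits on, or None if it crosses neither."""
    zones = {rule.src, rule.dst}
    if zones == {ENTERPRISE, IDMZ}:
        return FW_ENT
    if zones == {IDMZ, INDUSTRIAL}:
        return FW_IND
    return None

def audit(rules):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    per_fw = {FW_ENT: set(), FW_IND: set()}
    for r in rules:
        if {r.src, r.dst} == {ENTERPRISE, INDUSTRIAL}:
            findings.append(f"direct path bypasses the IDMZ: {r}")
        if (r.proto, r.port) in ETHERNET_IP and IDMZ in (r.src, r.dst):
            findings.append(f"EtherNet/IP must not enter the IDMZ: {r}")
        fw = firewall_of(r)
        if fw:
            per_fw[fw].add((r.proto, r.port))
    # A protocol open on both firewalls means no broker is terminating it in the IDMZ.
    for proto, port in sorted(per_fw[FW_ENT] & per_fw[FW_IND]):
        findings.append(f"{proto}/{port} is permitted through both firewalls; a broker should terminate it")
    return findings

# Constructed policy: HTTPS to a reverse proxy / RD Gateway in the IDMZ, RDP from there into Industrial.
COMPLIANT = [Rule(ENTERPRISE, IDMZ, "tcp", 443), Rule(IDMZ, INDUSTRIAL, "tcp", 3389)]
# Constructed policy with one violation of each principle.
VIOLATING = COMPLIANT + [
    Rule(ENTERPRISE, INDUSTRIAL, "tcp", 44818),  # direct path around the IDMZ
    Rule(IDMZ, INDUSTRIAL, "udp", 2222),         # EtherNet/IP I/O terminating in the IDMZ
    Rule(ENTERPRISE, IDMZ, "tcp", 3389),         # RDP open on both firewalls: nothing terminates it
]
```

Running `audit(COMPLIANT)` yields no findings, while `audit(VIOLATING)` reports one finding per violated principle.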

Converged Plantwide Ethernet IDMZ

The CPwE IDMZ Cisco Validated Design (CVD) outlines key requirements and design considerations to help with successfully designing and deploying an IDMZ for sharing IACS data and network services between the Industrial and Enterprise Zones. The CVD covers:

  • An IDMZ overview and key design considerations
  • A resilient CPwE Architectural Framework: including redundant IDMZ firewalls and redundant distribution/aggregation of Ethernet switches.
  • Methodologies to securely traverse IACS data across the IDMZ: including application mirror, reverse proxy and remote desktop gateway services.
  • Methodologies to securely traverse network services across the IDMZ.
  • IACS applications: for example, Secure File Transfer, FactoryTalk applications (FactoryTalk Historian, FactoryTalk VantagePoint, FactoryTalk View Site Edition (SE), FactoryTalk ViewPoint, FactoryTalk AssetCentre, Studio 5000)
  • Network services: for example, Active Directory (AD), Identity Services Engine (ISE), wireless LAN controller (WLC) control and provisioning of wireless access points (CAPWAP), Network Time Protocol and Secure Remote Access
  • Important steps and design considerations for IDMZ implementation and configuration

Note: This release of the CPwE architecture focuses on EtherNet/IP, which is driven by the ODVA Common Industrial Protocol (CIP). Refer to the IACS Communication Protocols section of the CPwE Design and Implementation Guide.

Technology report by Rockwell Automation & Cisco Systems.