2016 imawmf tieghi_security_ ics_r

Post on 21-Jan-2018


Security and Network Protection are difficult challenges for Industrial Internet and for Industrial Internet Of Things (IIOT)

Enzo M. Tieghi etieghi@servitecno.it

Is it still possible to define a perimeter? ICT Security & Control System Protection: where?

ANSI/ISA95 Functional Hierarchy (www.isa.org)

Level 4 - Business Planning & Logistics: plant production scheduling, operational management, etc. Establishing the basic plant schedule (production, material use, delivery, and shipping); determining inventory levels. Time frame: months, weeks, days.

Level 3 - Manufacturing Operations Management: dispatching production, detailed production scheduling, reliability assurance, ... Work flow / recipe control to produce the desired end products; maintaining records and optimizing the production process. Time frame: days, shifts, hours, minutes, seconds.

Level 2 - Batch Control / Discrete Control / Continuous Control: monitoring, supervisory control and automated control of the production process.

Level 1 - Sensing the production process, manipulating the production process.

Level 0 - The actual production process.


Say no to "flat networks" with Seg/Seg: Segment + Segregate = Secure?

Follow the Zones & Conduits model (according to ISA99/IEC62443)

[Diagram: Zones & Conduits reference architecture]

Enterprise Zone: mainframe, workstations, laptop computers, servers. It reaches the plant zones only through the Enterprise Conduit, protected by a firewall.

Plant A Zone, Plant B Zone, Plant C Zone: each with a data server, file/print server, application server, workstations and laptop computers, and a router.

Plant A Control Zone, Plant B Control Zone, Plant C Control Zone: each with controllers and I/O plus application, data and maintenance servers. Each control zone is reached from its plant zone only through a Plant Control Conduit, protected by a firewall.
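To make the Zones & Conduits idea concrete, the following is an added example (not code from the slides, nor from ISA/IEC or any vendor): a small Python model in which each zone is assigned an ISA-95 level, each conduit carries an explicit allow list, and a flow between two zones is permitted only if every conduit along the path allows it. The zone names come from the diagram above; the levels assigned to them, the protocol/port pairs, and the "a conduit must not skip a hierarchy level" finding rule are assumptions made for this example.

```python
"""Zones & Conduits policy model (added example; not from the slides or the standard).

A zone groups assets at one ISA-95 level; a conduit is the only permitted
communication path between two zones and carries an explicit allow list.
Zone names follow the slide; the ISA-95 levels, the protocol/port pairs and
the "skip a level" finding rule are assumptions made for this example.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    level: int  # ISA-95 level of the assets in the zone (0-4); assumed per zone


@dataclass(frozen=True)
class Conduit:
    src: str
    dst: str
    allowed: frozenset  # (protocol, port) pairs the conduit firewall permits src -> dst


class ZoneModel:
    def __init__(self, zones, conduits):
        self.zones = {z.name: z for z in zones}
        self.conduits = list(conduits)
        for c in self.conduits:
            if c.src not in self.zones or c.dst not in self.zones:
                raise ValueError(f"conduit references an undeclared zone: {c}")

    def path_for(self, src, dst, proto, port):
        """Breadth-first search over conduits; every hop must allow the flow.

        Returns the list of zones traversed, or None when no conduit chain
        permits it (anything not explicitly allowed on a conduit is denied).
        """
        if src == dst:
            return [src]
        queue = deque([[src]])
        seen = {src}
        while queue:
            path = queue.popleft()
            for c in self.conduits:
                if c.src != path[-1] or (proto, port) not in c.allowed or c.dst in seen:
                    continue
                extended = path + [c.dst]
                if c.dst == dst:
                    return extended
                seen.add(c.dst)
                queue.append(extended)
        return None

    def is_permitted(self, src, dst, proto, port):
        return self.path_for(src, dst, proto, port) is not None

    def flat_network_findings(self):
        """Flag conduits that jump more than one ISA-95 level (assumed rule).

        Such a conduit means, for instance, that the Enterprise Zone reaches a
        control zone with no plant/perimeter zone in between: the "flat network"
        the slide warns against.
        """
        findings = []
        for c in self.conduits:
            gap = abs(self.zones[c.src].level - self.zones[c.dst].level)
            if gap > 1:
                findings.append(
                    f"{c.src} -> {c.dst} spans {gap} ISA-95 levels with no intermediate zone"
                )
        return findings


def build_segmented_topology():
    """Plant A / Plant B branch of the slide's diagram (levels and ports are constructed)."""
    zones = [
        Zone("Enterprise Zone", 4),
        Zone("Plant A Zone", 3),
        Zone("Plant A Control Zone", 2),
        Zone("Plant B Zone", 3),
        Zone("Plant B Control Zone", 2),
    ]
    conduits = [
        # Enterprise Conduit: only the plant data server's HTTPS reporting interface
        Conduit("Enterprise Zone", "Plant A Zone", frozenset({("tcp", 443)})),
        Conduit("Enterprise Zone", "Plant B Zone", frozenset({("tcp", 443)})),
        # Plant Control Conduit: the plant data server polls controllers over Modbus/TCP
        Conduit("Plant A Zone", "Plant A Control Zone", frozenset({("tcp", 502)})),
        Conduit("Plant B Zone", "Plant B Control Zone", frozenset({("tcp", 502)})),
    ]
    return ZoneModel(zones, conduits)


def build_flat_topology():
    """Counter-example: the Enterprise Zone talks straight to the controllers."""
    zones = [Zone("Enterprise Zone", 4), Zone("Plant A Control Zone", 2)]
    conduits = [Conduit("Enterprise Zone", "Plant A Control Zone", frozenset({("tcp", 502)}))]
    return ZoneModel(zones, conduits)


if __name__ == "__main__":
    seg = build_segmented_topology()
    print(seg.path_for("Enterprise Zone", "Plant A Zone", "tcp", 443))  # ['Enterprise Zone', 'Plant A Zone']
    print(seg.is_permitted("Enterprise Zone", "Plant A Control Zone", "tcp", 502))  # False
    print(seg.flat_network_findings())  # []
    print(build_flat_topology().flat_network_findings())
```

The point the model makes is the one behind "Segment + Segregate": the enterprise network never has a direct path to a controller, because the Enterprise Conduit only admits the reporting protocol and the Plant Control Conduit only admits the polling protocol, so a flow has to be explicitly allowed at each boundary. The `flat_network_findings` check is a design-review aid for spotting conduits that bypass an intermediate zone; in a real deployment the conduit allow lists would be derived from the firewall rule sets actually deployed on each conduit.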

Here is an example taken from the technical literature (source: Siemens): network layers from the enterprise down to the process.

Enterprise Control Network
Manufacturing Operations Network
Perimeter Control Network
Control System Network
Process Control Network

Zones & Conduits with firewall protection (multilayered defence): a Corporate Firewall at the enterprise boundary and an Industrial Firewall in front of the control system (source: Byres - Tofino).

Process plant with remote connection


Local Network protection (batch production)


Wired vs Wi-Fi

Wireless arrives in the factory

Smart Control Systems: Smart Analytical, Smart Final Control, Smart Asset Optimization, Smart Safety, Smart Measurement, Smart Machinery Health, Smart Wireless

[Diagram: SCADA architecture with cloud, mobile and BYOD access; components numbered 1-7 in the original figure]

SCADA Server; SCADA/Historian/KPI client; Datacenter/Historian Server; KPI/ALM Server; RTU on APN (private/public); Mobile BI - KPI/Alarms

CLOUD, MOBILE, BYOD....

questions?

Enzo M. Tieghi etieghi@servitecno.it