Industrial Machine Network Setup?

russg
Hi,

I'm investigating what the proper way is to design a factory machine network. My current understanding is that the machine-to-machine communications should have their own network, but machine to something like an MES / SCADA server should be on a separate network.

Does anyone have any information / blogs / info they could share that would help me understand the best practices, ideally with some topology diagrams?

Many thanks

Russ
 
When setting up a network in a plant, there are two different networks that you MUST consider: the corporate side (network 1) and the plant side (network 2). The corporate side has the full firewall rules and everything; the plant side does not have a firewall and allows communications between PLCs, SCADA, and SQL.
Corporate never needs access to the plant side. Management does not understand the workings of a machine and will want to change timers, counters, setpoints, and other items, and will create a big mess (been there, done that).


If corporate wants to see data, set up an interface table that is populated by the plant side and can be seen from the corporate side.


james
 
In addition, any plant-side PCs that have SCADA / RSView / Wonderware will need a separate antivirus software server to get updates. KEEP the plant side away from the internet, due to the lack of firewall and other security matters that will prevent communications between the plant systems. If you must have remote access from outside the plant, use a firewall system such as Kerio Control. You must log into that system to gain access to the plant network.




james
 
"separate virus software server to get updates"

So this software server can get updates from the internet? For example, when Windows updates are needed.
 
If you have the infrastructure for it -

Corp Network (Enterprise Side)
Firewall -
DMZ - Servers that handle patching, AV, backups can live here. Also, Servers that allow controlled access to the MFG side like a Citrix Farm or a Terminal Server cluster.
Firewall -
MFG Network (Plant Side)

Then you allow FW rules such that -
Enterprise may talk to the DMZ in a limited fashion.
DMZ may talk to the Enterprise and the MFG in a limited fashion.
MFG may talk to the DMZ in a limited fashion.
Enterprise may NOT talk to the MFG directly and vice versa.

As a starting point.
 
Further below that - You can segment the MFG network via subnets/vlans/etc to limit the crosstalk between unrelated devices.
YMMV on how much of this you want/need to do.
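A worked version of the three-zone policy in the post above, with the MFG side further split into per-cell VLANs as the follow-up suggests. This is an added example for the thread, not code from any poster; the zone subnets, the DMZ hosts (a WSUS-style patch server, a terminal server used as the only way into the plant, and a historian holding the "interface table"), and the port numbers are all assumptions. The evaluator applies an explicit allow list with default deny, and the last function is the check a reviewer would run on any proposed rule set: nothing may ever join Enterprise and MFG directly, in either direction.

```python
"""Three-zone (Enterprise / DMZ / Manufacturing) firewall policy model.
Added illustration for this thread, not code from any poster. Subnets,
DMZ hosts and port numbers are assumptions chosen for the example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addressing: one block per zone. The MFG block is further split into
# per-cell VLANs that are not routed to each other, so unrelated machines
# cannot talk directly.
ZONES = {
    "ENT": ipaddress.ip_network("10.1.0.0/16"),
    "DMZ": ipaddress.ip_network("10.2.0.0/24"),
    "MFG": ipaddress.ip_network("10.5.0.0/16"),
}
MFG_CELLS = {
    "cell-A": ipaddress.ip_network("10.5.1.0/24"),
    "cell-B": ipaddress.ip_network("10.5.2.0/24"),
}

# Assumed DMZ hosts
WSUS = "10.2.0.10"       # patch / antivirus update server
TERMSRV = "10.2.0.20"    # terminal server used as the only way into MFG
HISTORIAN = "10.2.0.30"  # holds the "interface table" corporate may read


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: Optional[str]  # None means any host in dst_zone
    dport: int
    proto: str = "tcp"


# Explicit allow list; anything not listed is dropped. There is deliberately
# no ENT<->MFG rule in either direction.
ALLOW = [
    Rule("ENT", "DMZ", TERMSRV, 3389),    # engineers RDP to the jump host
    Rule("ENT", "DMZ", HISTORIAN, 1433),  # corporate reads the interface table
    Rule("DMZ", "MFG", None, 3389),       # jump host RDP into plant PCs
    Rule("MFG", "DMZ", WSUS, 8530),       # plant PCs pull patches/AV updates
    Rule("MFG", "DMZ", HISTORIAN, 1433),  # plant side populates the table
]


def zone_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), None)


def cell_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    return next((c for c, net in MFG_CELLS.items() if addr in net), None)


def is_allowed(src: str, dst: str, dport: int, proto: str = "tcp") -> bool:
    """First-match evaluation of a flow against the zone policy."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return False  # unknown address space: drop
    if sz == dz:
        # Same zone never crosses the firewall. Inside MFG only same-cell
        # traffic is reachable because the cell VLANs are not routed.
        if sz == "MFG":
            return cell_of(src) is not None and cell_of(src) == cell_of(dst)
        return True
    for r in ALLOW:
        if (r.src_zone, r.dst_zone, r.dport, r.proto) == (sz, dz, dport, proto) \
                and r.dst_host in (None, dst):
            return True
    return False  # default deny


def direct_ent_mfg_rules(rules: list[Rule]) -> list[Rule]:
    """Lint for the rule set: any rule joining ENT and MFG directly breaks
    the topology and should be rejected at review time."""
    return [r for r in rules if {r.src_zone, r.dst_zone} == {"ENT", "MFG"}]


if __name__ == "__main__":
    flows = [
        ("10.1.3.4", "10.5.1.10", 502),    # corporate PC straight to a PLC
        ("10.1.3.4", TERMSRV, 3389),       # corporate PC to the jump host
        (TERMSRV, "10.5.1.10", 3389),      # jump host into a plant PC
        ("10.5.1.10", WSUS, 8530),         # plant PC pulling updates
        ("10.5.1.10", "10.5.2.11", 502),   # cell A talking to cell B
    ]
    for src, dst, port in flows:
        verdict = "ALLOW" if is_allowed(src, dst, port) else "DENY"
        print(f"{src:>12} -> {dst:<12}:{port:<5} {verdict}")
    print("bad rules:", direct_ent_mfg_rules(ALLOW))
```

The point of keeping the rule set as data is that the "Enterprise may NOT talk to MFG" requirement becomes something you can test rather than something you hope nobody breaks: run `direct_ent_mfg_rules` over every change request before it reaches the firewall, and the jump host plus the interface table remain the only two paths between the business and the machines.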
 
Thanks for the information. Great help, although I've struggled to understand all the acronyms.
 
On plant floor level unit operations: if both machines are the same, what OEMs usually do is have a private 192.168.xxx.xxx network. Then they put in a NAT switch device to bring the critical IPs mapped onto the plant-side network.


NAT device just has a table to map private IPs to plant IPs


Private >> Plant
192.168.1.10 >> 10.5.2.1
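The NAT table in the post above, worked through as an added example (not the poster's code or any vendor's): two identical OEM machines, each shipped with the same private 192.168.1.0/24 addressing and the PLC at 192.168.1.10, each sit behind their own one-to-one NAT device and surface only the addresses in their table on the plant side. All addresses, host roles and packets below are assumptions constructed for the example.

```python
"""One-to-one (static) NAT between an OEM machine's private network and the
plant network. Added illustration for this thread, not code from any poster.
All addresses and packets are assumptions constructed for the example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


class OneToOneNAT:
    """Static NAT box on the boundary of one machine.

    Every private host that must be reachable gets exactly one plant-side
    address; hosts absent from the table are invisible to the plant.
    """

    def __init__(self, private_net: str, table: dict[str, str]):
        self.private_net = ipaddress.ip_network(private_net)
        self.priv_to_plant = dict(table)
        self.plant_to_priv = {plant: priv for priv, plant in table.items()}
        if len(self.plant_to_priv) != len(self.priv_to_plant):
            raise ValueError("plant-side addresses in the table must be unique")
        for priv in table:
            if ipaddress.ip_address(priv) not in self.private_net:
                raise ValueError(f"{priv} is not inside {private_net}")

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Machine -> plant: replace the private source with its plant alias.
        An unmapped private host cannot originate traffic to the plant."""
        plant = self.priv_to_plant.get(pkt.src)
        return None if plant is None else replace(pkt, src=plant)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Plant -> machine: replace the plant alias with the private host.
        Packets to an unmapped plant address, or sent straight to a private
        address, are dropped."""
        priv = self.plant_to_priv.get(pkt.dst)
        return None if priv is None else replace(pkt, dst=priv)


# Two identical machines from the OEM, both using 192.168.1.10 for the PLC
# internally; each gets its own NAT box and its own plant-side alias.
NAT_A = OneToOneNAT("192.168.1.0/24", {"192.168.1.10": "10.5.2.1"})
NAT_B = OneToOneNAT("192.168.1.0/24", {"192.168.1.10": "10.5.2.2"})

PLANT_SCADA = "10.5.0.50"  # assumed SCADA / MES host on the plant network


def poll_plc(nat: OneToOneNAT, plant_alias: str, port: int = 502) -> Optional[Packet]:
    """What the machine's PLC sees when the plant SCADA polls the alias."""
    return nat.inbound(Packet(PLANT_SCADA, plant_alias, port))


if __name__ == "__main__":
    for name, nat, alias in (("A", NAT_A, "10.5.2.1"), ("B", NAT_B, "10.5.2.2")):
        print("machine", name, "->", poll_plc(nat, alias))
    # A host inside machine A that is not in the table stays hidden.
    print("unmapped host:", NAT_A.outbound(Packet("192.168.1.20", PLANT_SCADA, 1433)))
```

Two things are worth seeing from running it: the machine's other private hosts (here 192.168.1.20, say an internal HMI) are simply unreachable from the plant because there is no table entry for them, and a packet that arrives on the plant side already addressed to 192.168.1.10 is dropped rather than forwarded. One-to-one NAT only controls which addresses are exposed; it does not restrict ports or protocols, so the per-zone firewall rules discussed earlier in the thread still apply on top of it.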
 
Thanks Jim. Do you have any documentation to elaborate on this?
 
