Converged Plantwide Ethernet (CPwE) is a collection of tested and validated architectures that are developed by subject matter authorities at Cisco® and Rockwell Automation®. The testing and validation follow the Cisco Validated Design (CVD) and Cisco Reference Design (CRD) methodologies. The content of CPwE, which is relevant to both operational technology (OT) and information technology (IT) disciplines, consists of documented architectures, best practices, guidance, and configuration settings to help industrial operations with the design and deployment of a scalable, reliable, secure, and future-ready plant-wide industrial network infrastructure. CPwE can also help industrial operations achieve cost reduction benefits by using proven designs that can facilitate quicker deployment while helping to minimize risk in deploying new technology.
Industrial IoT (IIoT) offers the promise of business benefits using innovative technologies such as mobility, collaboration, analytics, and cloud-based services. The challenge for industrial operations is to develop a balanced security stance to take advantage of IIoT innovation while maintaining the integrity of industrial security best practices. Deploying Network Security within a Converged Plantwide Ethernet Architecture CVD (CPwE Network Security), which is documented in this Design and Implementation Guide (DIG), outlines several network security use cases for plant-wide Industrial Automation and Control System (IACS) network infrastructure. CPwE Network Security was tested and validated by Cisco Systems and Rockwell Automation.
This document is composed of the following chapters and appendices.
| Chapter or Appendix | Description |
|---|---|
| | Provides an overview of prevailing trends in IACS networking and the convergence of network security technology, specifically IACS operational technology (OT) with information technology (IT) network security solutions. |
| | Covers the CPwE Network Security solutions and their various architectures, components, and their relation to each other. |
| | Covers design considerations that OT engineers and IT security architects must take into account when deploying CPwE network security solutions. |
| | Describes how to configure CPwE Network Security infrastructure components such as Cisco Identity Services Engine (ISE), Cisco Stealthwatch, Cisco and Allen-Bradley® Stratix® industrial Ethernet switches (IES), and Cisco Industrial Network Directory (IND) and Rockwell Automation FactoryTalk® Network Manager (FTNM) network monitoring tool (NMT). |
| | Provides implementation steps for the specified network security use cases. |
| | Lists references for CPwE design and implementation guides for network infrastructure services and security. |
| | Lists the hardware and software components used in CPwE Network Security testing. |
| Appendix D, “About the Cisco Validated Design (CVD) Program” | Describes the Cisco Validated Design (CVD) process and the distinction between CVDs and Cisco Reference Designs (CRDs). |

More information on CPwE Design and Implementation Guides can be found at the following URLs:
– http://www.rockwellautomation.com/global/products-technologies/network-technology/architectures.page
– http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-manufacturing/landing_ettf.html
Note: This release of the CPwE architecture focuses on EtherNet/IP™, which uses the ODVA, Inc. Common Industrial Protocol (CIP™), and is ready for the Industrial Internet of Things (IIoT). For more information on EtherNet/IP and CIP Security™, see odva.org at the following URL: