Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. PUBLIC INFORMATION. Network Infrastructure Implementation Approach for the Connected Enterprise. Nam Su-hyeok (남수혁), Director, Marketing, Rockwell Automation. 16 September 2015.
Smart Factory
Connected Enterprise: an enterprise that secures future global competitiveness by sharing unlimited data in real time, without constraints of time or place, in an environment where every device is hyper-connected through Internet of Things technology, and by analyzing that shared data to optimize plant and enterprise operations and to make fast, accurate business decisions.
Connected Enterprise: Smart Manufacturing (manufacturing enterprises)
Connected Enterprise: collaboration of people, processes and technology. Connecting people, processes and technology to achieve operational excellence.
How to execute: the five-step execution model (Rockwell)
Smart factory development stages: Basic (partial improvement), Intermediate 1 (network convergence), Intermediate 2, Advanced (IoT/CPS). Rapid progress is expected once the network infrastructure is in place.
Secure network infrastructure: where to start? Smart factory reference model. Layers: information systems; customer support / management; visualization solutions; core network infrastructure; intelligent control systems; intelligent assets; data definition (WDC, contextualized data). Functions: business management, production management, operations, engineering, maintenance. Benefits: supply chain integration, shorter lead times, quality management, inventory management, higher productivity, better asset utilization, environment and safety, protection of intellectual assets, shorter development time, remote monitoring, predictive maintenance, plant-wide monitoring, advancement. (Rev 5058-CO900F)
Prerequisite for IT/OT convergence: network infrastructure. IT side, transactional data: orders, supply chain, product design; enterprise resource planning (ERP): finance, HR, logistics, quality, customer management. OT side, real-time data: control, safety, security, plus alarms, events, status, energy, diagnostics. Industrial things: sensors, actuators, controllers, material and transport, machines and equipment, labelers and printers.
Connected Enterprise: Network Convergence. From: basic connectivity. From: proprietary standards. From: separate IT and OT networks.
Convergence of the manufacturing domain and the enterprise network. Technology convergence: the spread of Ethernet and growing business requirements. Network convergence. Organizational convergence: organizational and cultural problems exist and the division of responsibilities is unclear; large gaps open up between departments and functions. Cultural convergence: major cultural clashes occur, typically appearing as IT-led; the walls between groups need to come down so they can integrate into one. Business innovation model: business model innovation, faster business decisions, competitive advantage. Source: Cisco/Rockwell Automation Customer Innovation Council, Sept 2006/2007.
Collaboration between Cisco and Rockwell Automation. Common technology view: achieve flexibility, visibility and efficiency through a single system architecture, using open, industry-standard networking technologies such as EtherNet/IP. Reference architecture: Converged Plant-wide Ethernet Reference Architectures, plant-wide / site-wide focused reference architectures comprising Rockwell Automation and Cisco expertise, provide a foundation to successfully deploy the latest technologies, optimized for both industrial automation and IT professionals. Product and solution development: the Stratix 5900 security appliance and the Stratix 5000 and 8000 families of industrial Ethernet managed switches combine the best of Rockwell Automation and Cisco to address IT and plant-wide / site-wide priorities. Optimizing people and processes: services and education to facilitate industrial automation and information technology convergence, successful architecture deployment and efficient operations, so that critical resources can focus on increasing innovation and productivity.
Reference architecture: Converged Plantwide Ethernet Reference Architectures, jointly developed by Rockwell Automation and Cisco. Tested and validated architectures: performance, robustness, availability, repeatability, security. Designs validated by Cisco; built on industry standards; future-ready network design. Contents and expected benefits: design guidance and recommendations; documented system configurations and device settings; simplified design work, faster implementation and reduced risk; the information needed by both IT network engineers and industrial automation engineers.
Reference architecture, jointly developed by Rockwell Automation and Cisco.
IT/OT converged network devices: the Stratix series, a network infrastructure product family for integrating the manufacturing environment into the enterprise network, and a concrete means of IT/OT cooperation. Cisco core technology: secure integration with the enterprise network; runs the Cisco operating system (IOS); shares the architecture and features of the Cisco Catalyst family; provides management tools familiar to IT staff: CLI (command line interface), CNA, Device Manager. Plus Rockwell Automation core technology: Integrated Architecture interface (CIP); RSLogix 5000 configuration profile (AOP); built-in logic tags for diagnostics; FactoryTalk View faceplates. Plus optimization for the plant environment: simple system integration and maintainability; default settings for automation customers (Globals and Smartports); configuration held on a removable Compact Flash card so that hardware can be replaced quickly.
DLR, Device Level Ring (industrial Ethernet topology support: IT/star, OT/linear). EtherNet/IP communication can use daisy-chain, ring and other topologies in addition to star. An ultra-fast recovery ring for automation devices (recovery within 3 ms for 50 nodes). Built-in default settings for automation, with no additional configuration. Cable cost savings through the linear structure. Existing Ethernet devices can be connected using the 1756-ETAP (3-port embedded switch). The redundancy algorithm is published and available to third-party vendors. 1783-ETAP1F: ETAP with one fibre port; one device connection port and two network connection ports (Linear or Device-Level Ring); fibre or copper supported. Provides resilience in the millisecond range to keep equipment running at the device level.
Stratix product family portfolio (solutions for building industrial network infrastructure): Stratix 5700 PoE; Stratix 8000 SFP and PoE expansion; Stratix 2000 expanded portfolio (phased); expanded fiber portfolio; Stratix 5410 1RU switch platform; Stratix 5400 switch; Stratix security appliance (DPI) and management software; Stratix 5900 services router; Stratix 5100 wireless access point; ArmorStratix 5700; Stratix 5700 DLR; EN2FF/PA, CN2FF/PA; Device Manager enhancements; EN2DNR IP20 and IP67 NAT router with DLR; network management and asset health.
System configuration example based on the reference architecture (figure; device front-panel labels omitted). Enterprise Zone: ERP, e-mail, wide area network (WAN), enterprise network. Cisco Adaptive Security Appliance (ASA) 5520 firewall. DMZ: patch management, terminal services, application mirror, AV server. Manufacturing Zone: FactoryTalk applications and services; 8000 managed Layer 2 switch (ring topology); Cisco 2960 Layer 2 access switch; Cisco 3750G StackWise Layer 3 distribution switch; Cisco 4402 Wireless LAN Controller (WLC); Cisco 1252G 802.11n dual-band access point, lightweight AP (LWAP); mobile user; AP as workgroup bridge (WGB); ETAP embedded Layer 2 switch, ring topology; embedded Layer 2 switch, linear topology; 6000 managed Layer 2 switch, star topology.
Network integration model: current versus future (target model).
Industrial network requirements, CCC. Control: an effective means of exchanging data between control elements in order to direct fast, accurate decisions and actions for a machine or process. Configure: a non-time-critical means of exchanging data to configure a device or system during commissioning or operation. Collect: pulling data or information at regular intervals or on demand for HMI, trending or analysis.
A protocol that implements the industrial network requirements (CCC) on standard IT Ethernet: an IT-friendly industrial network for IoT. The convergence of IT and manufacturing technology is optimized on standard Ethernet, using standard Ethernet as-is, without modification.
EtherNet/IP seen through the OSI reference model (OSI 7-layer / 5-layer TCP/IP model). Layer, function, and example protocol:
Layer 7, Application: network services to user applications; CIP (Common Industrial Protocol)
Layer 6, Presentation: encryption / other processing; CIP
Layer 5, Session: manage multiple applications; CIP
Layer 4, Transport: reliable delivery / error correction; TCP, UDP
Layer 3, Network (routers): logical addressing, routing; IP
Layer 2, Data Link (switches): media access control; IEEE 802.3
Layer 1, Physical (cabling): specifies voltage, pin-outs, cable; TIA-1005, IEEE 802.3/802.1 Ethernet
UDP/IP and TCP/IP at the transport and network layers, CIP at the application layer. EtherNet/IP = Ethernet + IP + CIP.
Use of object modeling: CIP uses object modeling to describe devices. Every device is composed of a set of objects, and objects group the device's functions into logically related sets. Diagram elements: application objects, Identity object, Assembly object, Message Router, explicit messages, I/O messages, UCMM, connections, network.
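The two slides above place CIP at the application layer over TCP/UDP and describe its object model. The Python below is an added illustration, not part of the presentation: it parses the fixed 24-byte EtherNet/IP encapsulation header that a monitoring tool sees in front of every CIP message, and encodes/decodes the CIP logical path (EPATH) that addresses an object by class, instance and attribute, using the Identity object's Product Name attribute as the worked case. Command codes and segment types follow the ODVA specifications; the ListIdentity packet is constructed for the example.

```python
import struct
# EtherNet/IP encapsulation header: 24 bytes, little-endian (ODVA Vol. 2):
# command, length, session handle, status, sender context (8 bytes), options.
ENCAP_HDR = struct.Struct("<HHII8sI")
ENCAP_COMMANDS = {
    0x0004: "ListServices", 0x0063: "ListIdentity", 0x0064: "ListInterfaces",
    0x0065: "RegisterSession", 0x0066: "UnRegisterSession",
    0x006F: "SendRRData", 0x0070: "SendUnitData",
}
def parse_encap_header(data: bytes) -> dict:
    """Parse the fixed header that precedes every CIP message carried on TCP/UDP."""
    if len(data) < ENCAP_HDR.size:
        raise ValueError("short encapsulation header")
    cmd, length, session, status, _ctx, options = ENCAP_HDR.unpack_from(data)
    return {"command": ENCAP_COMMANDS.get(cmd, f"unknown(0x{cmd:04x})"),
            "length": length, "session": session, "status": status, "options": options}

# CIP logical segments of an EPATH (ODVA Vol. 1, Appendix C): the object model's
# class / instance / attribute addressing, in 8-bit and 16-bit forms.
SEG_8BIT = {0x20: "class", 0x24: "instance", 0x30: "attribute"}
SEG_16BIT = {0x21: "class", 0x25: "instance", 0x31: "attribute"}
def encode_epath(cls, inst, attr=None) -> bytes:
    """Encode a path to an object instance and, optionally, one of its attributes."""
    out = bytearray()
    for code8, code16, val in ((0x20, 0x21, cls), (0x24, 0x25, inst), (0x30, 0x31, attr)):
        if val is None:
            continue
        if val < 0x100:
            out += bytes((code8, val))                              # 8-bit segment
        else:
            out += bytes((code16, 0x00)) + struct.pack("<H", val)  # 16-bit, pad byte
    return bytes(out)

def decode_epath(path: bytes) -> dict:
    """Decode the logical segments of an EPATH back into class/instance/attribute."""
    out, i = {}, 0
    while i < len(path):
        seg = path[i]
        if seg in SEG_8BIT and i + 2 <= len(path):
            out[SEG_8BIT[seg]], i = path[i + 1], i + 2
        elif seg in SEG_16BIT and i + 4 <= len(path):
            out[SEG_16BIT[seg]], i = struct.unpack_from("<H", path, i + 2)[0], i + 4
        else:
            raise ValueError(f"unsupported or truncated segment at offset {i}")
    return out

# Constructed sample: a ListIdentity request (command 0x0063, no session, no payload),
LIST_IDENTITY_REQUEST = ENCAP_HDR.pack(0x0063, 0, 0, 0, b"\x00" * 8, 0)
# and the path to the Identity object (class 0x01), instance 1, attribute 7 (Product Name).
IDENTITY_PRODUCT_NAME_PATH = encode_epath(0x01, 1, 7)
```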
Example of the object-oriented model: CIP Energy. Energy-aware machine and energy-aware plant, built from energy-enabled devices, an energy aggregator and energy management, and energy intelligence; CIP Energy on EtherNet/IP. Safety loop, machine control loop, power monitor, energy aggregator and low-power energy policy loop; CIP Energy on DeviceNet.
Industrial network security standards: proven industrial security standards. International Society of Automation (ISA): ISA-99, Industrial Automation and Control System (IACS) Security; defense-in-depth; DMZ deployment. National Institute of Standards and Technology (NIST): NIST 800-82, Industrial Control System (ICS) Security; defense-in-depth; DMZ deployment. Department of Homeland Security (DHS): INL/EXT-06-11478, Control Systems Cyber Security: Defense-in-Depth Strategies; defense-in-depth; DMZ deployment.
Industrial security defense-in-depth model: physical, network, computer, application, device. Physical security: physical access only for authorized persons to areas, control panels, devices, cabling and control rooms; visitors are escorted along a defined route and tracked. Network security: an infrastructure framework, for example firewalls with intrusion detection / prevention systems (IDS/IPS) and integrated protection of network devices such as switches and routers. Computer hardening: patch management and antivirus installation; removal of unused programs, protocols and services. Application security: authentication, authorization and audit software. Device hardening: change history management and access control.
Network design guidance including security: the Reference Architecture. Level 5, Enterprise Network (e-mail, intranet, etc.) and Level 4, Site Business Planning and Logistics Network, form the Enterprise Security Zone. A DMZ between two firewalls holds the Terminal Services Gateway, Application Mirror, Patch Management, Web Services Operations, AV Server, Application Server, Web, E-Mail and CIP services. Industrial Security Zone: Level 3, Site Operations and Control (FactoryTalk Application Server, FactoryTalk Directory, FactoryTalk Client, Engineering Workstation, Remote Access Server). Cell/Area Zone: Level 2, Area Supervisory Control (Operator Interface, FactoryTalk Client, Engineering Workstation); Level 1, Basic Control (Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control); Level 0, Process (sensors, drives, actuators, robots).
Security quality management: operating a security quality management process is essential. Intake; evaluate and assess; mitigate and remediate; close; communications. Product vulnerabilities: we expect them (anticipate vulnerabilities); we plan for them (prepare for vulnerabilities); we work to avoid them; we support our customers. Reference: Knowledge Base article 54102 provides the latest information on product vulnerabilities.
Providing security features: key elements of industrial security. Tamper detection: detect and log unintended actions on, and modifications to, applications. Secured network infrastructure: control access to the network and detect unintended access and actions. Content protection: prevent specific parts of the control system's content from being viewed, edited or used. Access control and policy management: manage who can do what, when, where, and on which application or device. Industrial security must be implemented as a system.
Example: tamper detection. Rockwell solutions: digitally signed firmware; audit of data change history (FactoryTalk AssetCentre Auditing); controller change detection and logging; High Integrity AOIs. Tamper detection: detect and log unintended actions on, and modifications to, applications.
Example: access control and policy management. Rockwell solutions: controller tag data access control; FactoryTalk Security; controller CPU Lock Tool; designation of the controller communication path slot. FactoryTalk Directory: authenticate the user, authorize use of applications, authorize access to specific devices (all FactoryTalk Security enabled software). Access control and policy management: manage who can do what, when, where, and on which application or device.
A new go-to resource for educational, technical and thought leadership information about industrial communications: Standard Internet Protocol (IP) for Industrial Applications, a coalition of like-minded companies. www.industrialip.org
Thank you! Nam Su-hyeok (남수혁), Marketing, Rockwell Automation Korea