Build an Organized, Secure Plant Network with Network Segmentation

In a recent blog post, we discussed best practices for industrial network design, reviewing the structure and benefits of Converged Plantwide Ethernet (CPwE) for combining information technology (IT) with operational technology (OT) in a secure and organized manner. A primary method for organizing such a network is proper network segmentation.

At French Gerleman we understand that plant network design is essential to keeping every process running smoothly and on time. We support a systematic approach that works top down and bottom up at the same time, and we believe that the plant process should define the network. The processes are the main driver of how the network is set up: they determine which protocols must be accommodated and how the design should unfold to meet the needs of the plant. DO NOT build a network and then hook in devices. Rather, let the devices dictate how the network is built.

This approach makes the network easy to understand: it is segmented and organized in a way that makes it far simpler to troubleshoot, and to grow, in the future.

Our methodology is as follows.

Line Design

The French Gerleman team begins with the plant design itself. Regardless of how many lines a plant may have, or how many buildings the manufacturing may be spread across, our process and approach remains the same.

Each line is segmented into the PLC and the devices it controls. In some cases several PLCs report to a master PLC. For this article we use Prep, Process, and Packaging as the three stages of the plant line for which we are creating the network. If a building houses more than one line, each line follows the same pattern. The structure is clear and easy to understand, and it offers the flexibility to add more lines and/or PLC processes as the plant grows. Each line connects through its own switch, which keeps the lines separated, prevents data from leaking between lines/processes, and confines a connectivity problem to the line where it occurs.

Virtual Local Area Network (VLAN) Design

A VLAN is any broadcast domain that is partitioned and isolated within an Ethernet network at the data link layer (Layer 2). For our purposes it is effectively another term for an IP subnet or broadcast domain, because we give each VLAN exactly one subnet. We believe that segmenting and organizing the plant's VLAN design in a logical manner is the best way to build, maintain and scale the plant network today and into the future.

To accomplish this, the French Gerleman team uses consistent nomenclature and labeling so that everything is easily identifiable, troubleshooting is much more straightforward, and expansion happens in an organized fashion. For example, if we are working with three VLANs for the Prep, Process and Packaging structure described above, each line gets its own tens digit:

VLAN 10

VLAN 20

VLAN 30

Within each line, prep, process and packaging keep the line's tens digit and are told apart by the ones digit:

            VLAN 10    VLAN 20    VLAN 30
Prep        11         21         31
Process     12         22         32
Packaging   13         23         33


The system is clear: all prep VLANs end in 1, all process VLANs in 2, all packaging VLANs in 3. (We avoid VLAN 1 for process and security reasons: it is the default VLAN on most switches, so any port nobody got around to configuring lands in it.) Each line is then an independent broadcast domain, and Layer 2 traffic cannot leak from one line to another. Anything that genuinely has to cross lines goes through the Layer 3 gateway, where it can be limited to exactly the flows the process requires.

PRIVATE IP ADDRESS RANGES AND WHY IT MATTERS

When setting up a plant network, it is important to use private IP addresses. Private addresses are addresses that are not routed on the public Internet, so a plant device with a private address cannot be reached from the Internet unless someone deliberately translates or routes to it. This is essential for security reasons, and it also avoids clashing with addresses that belong to someone else on the Internet. Under no circumstances would we recommend using a public IP address in the plant process.

We begin with the ranges that the IANA (Internet Assigned Numbers Authority) reserves for private use (RFC 1918):

10.0.0.0/8 (10.X.X.X)

172.16.0.0/12 (172.16.X.X through 172.31.X.X)

192.168.0.0/16 (192.168.X.X)

We then use a similar labeling structure to clearly delineate the buildings, lines and processes.

Example:

10.30.10.0/24

In this example, the leading 10 marks the address as part of the private 10.0.0.0/8 range, 30 is the building, the second 10 is the line number, and the last octet identifies the individual device. The .0 shown here is the network address of the line's /24; the devices themselves use the host ranges given below.

This is a clear system which when implemented alleviates troubleshooting headaches down the road.

VLAN Design:

A similar scheme of labeling and assigning is used for VLAN design. At French Gerleman we draw from the full 802.1Q range of 1-4094, but we do not use VLAN 1, as mentioned above, and we skip 1000-1006 because some switch platforms reserve IDs in that range (Cisco, for example, reserves 1002-1005 for legacy FDDI and Token Ring).

As with all of our approaches to the various aspects of plant network design, the labeling for the VLAN design is organized in a logical, repeatable and expandable fashion. Consider this example:

In the case of VLAN 310, the 3 is the building, the 1 is the line, and the 0 is the sub-line. The same pattern applies to every VLAN in the network, so every ID makes operational sense at a glance.

SITE PROCESS CELL LAYOUT

This process starts from the control building. From there, a systematic approach builds out the layout following the same numbering schemes outlined above, giving a logical, organized network. Because we lay out the entire network on paper before deploying it, we can verify that no two cells share a subnet or VLAN ID and that nothing is numbered inconsistently. This uniform approach means that devices are easy to identify and troubleshoot.

The following example illustrates our approach:

  • Control Building VLAN/Subnet
  • VLAN per controller
  • VLAN for process server

IP Address to VLAN Mapping

  • 10.10.0/24 – VLAN 110
  • 10.20.0/24 – VLAN 120
  • 10.30.0/24 – VLAN 130

We also reserve a fixed host range (the last octet) for each device type in every subnet:

  • .1 – Gateway
  • .10 – PLC
  • .20 – .29 – Drives
  • .50 – .59 – I/O
  • .100 – .110 – HMI
  • .200 – .219 – Server/thin client
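The numbering rules from the VLAN Design and IP address sections above (VLAN = building/line/sub-line digits, one /24 per VLAN, fixed last-octet ranges per device role, nothing outside RFC 1918, VLAN 1 and 1000-1006 never used) are easy to state and easy to get wrong once a plant has dozens of cells. The Python script below is an added worked example, not code from this post or from French Gerleman: it derives VLAN IDs and subnets from building, line and sub-line numbers, hands out device addresses inside the role ranges, and runs the whole-plan collision checks we do on paper before deployment. Two things in it are assumptions: the alignment between the VLAN digits and the subnet octets (VLAN 310 is taken to pair with 10.30.10.0/24, i.e. second octet = building times ten, third octet = line times ten plus sub-line; the post shows both numbers but does not say how they line up), and the building, line, stage and device names, which are constructed sample data.

```python
"""Plant address plan: derive VLAN IDs and subnets from building/line/sub-line,
hand out device addresses in the per-role ranges, and check the whole plan
for collisions before anything is configured."""
from __future__ import annotations

import ipaddress
import itertools
from dataclasses import dataclass, field

# The three RFC 1918 ranges, the only ranges the post permits on the plant floor.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# VLAN IDs the post never uses: 1 (the default VLAN) and 1000-1006 (reserved
# on some switch platforms). 802.1Q itself allows VIDs 1-4094.
RESERVED_VLANS = {1} | set(range(1000, 1007))

# Last-octet ranges per device role, as listed in the post.
ROLE_RANGES = {
    "gateway": (1, 1), "plc": (10, 10), "drive": (20, 29),
    "io": (50, 59), "hmi": (100, 110), "server": (200, 219),
}


def vlan_id(building: int, line: int, subline: int = 0) -> int:
    """VLAN 310 = building 3, line 1, sub-line 0 (one decimal digit each)."""
    for name, value in (("building", building), ("line", line), ("subline", subline)):
        if not 0 <= value <= 9:
            raise ValueError(f"{name}={value}: each VLAN field is a single digit")
    vid = 100 * building + 10 * line + subline
    if vid in RESERVED_VLANS or not 1 <= vid <= 4094:
        raise ValueError(f"VLAN {vid} is reserved")
    return vid


def subnet_for(building: int, line: int, subline: int = 0) -> ipaddress.IPv4Network:
    """ASSUMPTION: VLAN 310 <-> 10.30.10.0/24, i.e. second octet = building * 10,
    third octet = line * 10 + sub-line. The post does not state this alignment."""
    return ipaddress.ip_network(f"10.{building * 10}.{line * 10 + subline}.0/24")


@dataclass
class Cell:
    """One process cell: one VLAN, one /24, devices at role-specific offsets."""
    name: str
    building: int
    line: int
    subline: int = 0
    devices: dict[str, ipaddress.IPv4Address] = field(default_factory=dict)
    next_offset: dict[str, int] = field(default_factory=dict)

    @property
    def vlan(self) -> int:
        return vlan_id(self.building, self.line, self.subline)

    @property
    def subnet(self) -> ipaddress.IPv4Network:
        return subnet_for(self.building, self.line, self.subline)

    def assign(self, role: str, device: str) -> ipaddress.IPv4Address:
        """Hand out the next free address in the role's range (drives at .20-.29, etc.)."""
        low, high = ROLE_RANGES[role]
        offset = self.next_offset.get(role, low)
        if offset > high:
            raise ValueError(f"{self.name}: {role} range .{low}-.{high} is exhausted")
        self.next_offset[role] = offset + 1
        addr = self.subnet.network_address + offset
        self.devices[device] = addr
        return addr


def check_plan(cells: list[Cell]) -> list[str]:
    """Plan-wide checks run before deployment: no reused VLAN ID,
    no overlapping subnets, nothing outside RFC 1918."""
    problems: list[str] = []
    owner: dict[int, str] = {}
    for cell in cells:
        if cell.vlan in owner:
            problems.append(f"VLAN {cell.vlan} reused by {owner[cell.vlan]} and {cell.name}")
        owner.setdefault(cell.vlan, cell.name)
        if not any(cell.subnet.subnet_of(r) for r in RFC1918):
            problems.append(f"{cell.name}: {cell.subnet} is not an RFC 1918 range")
    for a, b in itertools.combinations(cells, 2):
        if a.subnet.overlaps(b.subnet):
            problems.append(f"{a.name} and {b.name} share subnet {a.subnet}")
    return problems


def build_sample_plan() -> list[Cell]:
    """Constructed sample: building 3, line 1, with prep/process/packaging as
    sub-lines 1-3, so the ones digit of the VLAN still names the stage."""
    cells = []
    for subline, stage in enumerate(("prep", "process", "packaging"), start=1):
        cell = Cell(f"B3-L1-{stage}", building=3, line=1, subline=subline)
        cell.assign("gateway", f"{stage}-gw")
        cell.assign("plc", f"{stage}-plc")
        for n in range(1, 4):
            cell.assign("drive", f"{stage}-vfd{n}")
        cell.assign("hmi", f"{stage}-hmi")
        cells.append(cell)
    return cells


if __name__ == "__main__":
    plan = build_sample_plan()
    for cell in plan:
        print(f"{cell.name}: VLAN {cell.vlan}, {cell.subnet}")
        for device, addr in cell.devices.items():
            print(f"  {str(addr):<15} {device}")
    print("problems:", check_plan(plan) or "none")
```

Running the script prints the three sample cells as VLAN 311, 312 and 313 on 10.30.11.0/24, 10.30.12.0/24 and 10.30.13.0/24, with the PLC at .10 and the drives at .20 through .22 in each. Feeding check_plan a list that reuses a building/line/sub-line triple reports both the duplicate VLAN ID and the overlapping subnet, which is exactly the kind of cross-contamination the paper layout is meant to catch before a switch is ever configured.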

Once this system is in place and documented, it is clear and easy to follow for everyone responsible for running the plant.

French Gerleman, in cooperation with our partners at Rockwell Automation, focuses on consistently implementing plant network systems that offer simplified design, quick deployment, and reduced risk. What we've outlined above is just one of the ways we can help you design a plant network that is safe, secure and forward-thinking.

We look forward to the opportunity to serve you and address your needs. Please contact us with any questions you may have, or reach out to your French Gerleman Account Manager to start the conversation about how you can benefit from an organized, secure plant network.

Tags: Connected Enterprise, CPwE, IIOT, Industrial Network, Industry 4.0, Internet of Things, Network Security, Plant Network, Rockwell Automation, Smart Manufacturing