
Assignment – Topology

Jeffrey Ryan
I chose a sanitized version of the network topology we use at the power generation facility I
work at. This type of network layout could be used in a number of industrial control system
environments like oil and gas, manufacturing, and water treatment facilities.
A good way to describe our overall ICS network is using the Purdue Reference Model,
referenced in Figure 1 below.

Figure 1 [1]
The ICS network diagram below (Figure 2) does not show all individual networks within it. That
would be too much detail for such a high-level drawing and beyond the scope of this
assignment.

Figure 2
Level 0 – Process
The process control network at the Field Bus Module (FBM) level is a Bus network. FBMs take
all Input/Output readings from the field and send them to control processors (CP) in Level 1.
Level 1 – Basic Control
The next level up in the process control network is a partially connected Mesh network. CPs
provide the basic control of all FBMs and actually run the units based on the readings from the
field. CPs are connected to mesh switches laid out in a redundant fashion for each unit. The unit
1 switches connect to unit 2 and unit 3 switches. Unit 3 switches then connect to common area
switches.
Level 2 – Area Supervisory Control
Unit and common area workstations are made up of operator HMIs, engineering workstations,
and historian servers. All of the workstations at this level are dual homed – connected to the
Level 1 mesh switches and secondary network switches. The secondary network switches are
configured as an extended star network, unit 1/2 being one star network and unit 3/common areas
being another star network. The secondary network switches are connected together with fiber
between their uplink ports.
Level 3 – Site Operations and Control
There are some supporting servers in this level connected to one of the secondary switches in a
star network topology. Active directory domain controllers, network monitoring servers, and
endpoint protection management servers for the level 2 and level 3 hosts reside here.
The supplemental firewall's only purpose is to allow the network monitoring server SNMP access
to the Level 1 switches to monitor their status and port usage.
Note that AV definitions and patches needed by hosts at this level are pulled from hosts in the
DMZ Antivirus/Patching Zone. There is no Internet access from hosts at this level and lower.
DMZ
The Demilitarized Zone is another extended star network topology with a single firewall at the
center containing multiple zones.
The Staff Workstations/Support Servers Zone consists of several VMs with a virtual switch in a
star network topology that are used as "jumpboxes", workstations used to manage some hosts in
Levels 2 and 3. The support servers are a DMZ Active Directory domain controller and a database
server used to track all field devices.
The Security Information and Event Management (SIEM) Zone contains a single server with
access to the other DMZ zones and the Level 2/3 hosts. It forwards log files to a host on the corporate
network and alerts if certain conditions are detected, e.g. several failed login attempts in a short
period of time.
The NAS Zone contains network attached storage devices holding backup data used in disaster
recovery procedures.
The Test Bed Zone contains a virtualized replica of a unit used for operator training. Security
patch testing is also performed on these operator HMIs before applying them to the production
environment.
The Antivirus/Patching Zone contains a server for endpoint protection management of hosts in the
DMZ. It also holds repositories of AV definitions and patches that the Level 3 server pulls from.
This server is not Internet facing and goes through a DMZ proxy just to get access to the
corporate network.
The VM Management Zone contains a single server used for managing the staff VMs and other
server VMs in the DMZ.
The DMZ firewall is located downstream of another firewall from a different manufacturer that
provides one more layer of protection from the Corporate Zone. It is very unlikely that a
vulnerability found in one brand of firewall is also in another brand.
Level 4 and 5 – Enterprise Network
These levels hold the corporate hosts and applications, including the perimeter-facing firewall(s), web servers, etc.
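To make the segmentation described for Level 3 and the DMZ concrete, here is an added example (not part of the assignment or the facility's actual firewall configuration) that encodes the described flows as a default-deny allow-list, checks candidate flows against it, and lints the rule set for flows the architecture forbids. Zone names, port numbers, and the rule that corporate staff reach plant hosts only through the DMZ jumpboxes are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One permitted flow: src may initiate proto/port connections to dst."""
    src: str
    dst: str
    proto: str
    port: int


# Plant zones (Level 3 and below), which the text says never reach the Internet.
PLANT_ZONES = {"L0-fbm", "L1-cp", "L1-switches", "L2-workstations",
               "L3-servers", "L3-monitoring"}

# Explicit allow-list reconstructed from the description; anything not listed
# is denied. Port numbers are standard service ports assumed for illustration.
ALLOW = (
    Rule("L3-monitoring", "L1-switches", "udp", 161),     # SNMP via supplemental firewall
    Rule("L3-servers", "DMZ-avpatch", "tcp", 443),        # Level 3 pulls AV defs / patches
    Rule("DMZ-avpatch", "DMZ-proxy", "tcp", 3128),        # AV server reaches corporate via proxy only
    Rule("DMZ-proxy", "corporate", "tcp", 443),
    Rule("DMZ-siem", "corporate", "tcp", 6514),           # SIEM forwards logs (TLS syslog, assumed)
    Rule("DMZ-jumpbox", "L2-workstations", "tcp", 3389),  # jumpboxes manage Level 2/3 hosts
    Rule("DMZ-jumpbox", "L3-servers", "tcp", 3389),
    Rule("corporate", "DMZ-jumpbox", "tcp", 3389),        # staff enter the plant only via the DMZ (assumed)
)


def is_allowed(src, dst, proto, port, rules=ALLOW):
    """Default deny: a flow passes only if an identical rule exists.
    Rules are directional, so the reverse of a permitted flow is denied."""
    return Rule(src, dst, proto, port) in rules


def lint_rules(rules):
    """Return rules that contradict the architecture: a plant zone reaching the
    Internet, or corporate/Internet reaching a plant zone without going through the DMZ."""
    bad = []
    for r in rules:
        if r.src in PLANT_ZONES and r.dst == "internet":
            bad.append(r)
        elif r.src in {"corporate", "internet"} and r.dst in PLANT_ZONES:
            bad.append(r)
    return bad


if __name__ == "__main__":
    print(is_allowed("L3-monitoring", "L1-switches", "udp", 161))  # True
    print(is_allowed("L1-switches", "L3-monitoring", "udp", 161))  # False: wrong direction
    print(lint_rules(ALLOW + (Rule("corporate", "L2-workstations", "tcp", 3389),)))
```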

1. (October 13, 2013) Converged Plantwide Ethernet (CPwE) Design and Implementation Guide. Retrieved from http://www.cisco.com/c/en/us/td/docs/solutions/Verticals/CPwE/CPwE_DIG/CPwE_chapter2.html
