We have multiple zones (buildings) on the site, each running its own process and each also containing IT devices. The zones are 100-200 meters apart. Our job is to build a secure connection between the IT layer and the OT layer using the Purdue model, and then to connect the zones to each other.
We start with zone 1, where the industrial equipment (Purdue Level 0) is connected to a PLC or RTU (Level 1) that controls it. An OT switch joins the PLCs, HMI screens and engineering stations (Level 2) into a single network, so that operators on the HMIs can communicate with the PLCs.
The field devices communicate over PROFINET (green cable). Zones 2, 3 and so on are built the same way, giving one OT network per zone: OT network 1, 2 and 3.
We can now either connect these OT switches to each other so that the OT networks of the different zones can communicate, or leave them separate and connect the zones only at the IT layer.
I choose to connect them at the OT layer. If the zones were joined only at the IT layer, an operator in zone 2 who wants to start a pump in zone 1 would send a request from the OT layer of zone 2 up to the IT layer of zone 2, across to the IT layer of zone 1 and down into the OT layer of zone 1. That is a long path just to start a pump: it adds latency and extra points of failure, and it routes control traffic through the IT network, which is exactly what the level separation of the Purdue model is meant to avoid.
To establish connectivity, we first create a separate VLAN for each zone on the OT switches and then use a router for inter-VLAN routing. A hardware firewall could be placed between the router and the switches for extra security; here I instead rely on the VLANs and a software firewall that filters the routed traffic. Whichever firewall is used, the rules between zone VLANs should be deny-by-default, permitting only the specific HMI-to-PLC and engineering-station-to-PLC protocols each zone needs. Note that the router only carries IP traffic: PROFINET real-time frames are Layer 2 and stay inside their own zone VLAN, so a cross-zone action such as starting the zone 1 pump from zone 2 has to use an IP-based protocol between the zone 2 HMI and the zone 1 PLC. I have also added redundant cables (dark blue) from the switches to the router.
Moving to the IDMZ (Industrial Demilitarized Zone, Purdue Level 3.5), we place an OPC (Open Platform Communications) server, a data historian and the control system database there. The IDMZ is the only place where IT and OT traffic meet: IT hosts read process data from the historian and OPC server in the IDMZ and never open connections directly into the OT VLANs. Above it sits the IT network with IT switches, desktops and IP phones. Once again I am using redundancy, this time on the links connecting the IT network to the Internet.
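As an added example (not part of the original design), the following Python models the deny-by-default policy the router's firewall should enforce between the zone VLANs, the IDMZ and the IT network, evaluates sample flows against it, and renders the same policy as an nftables forward chain for a Linux router. The subnets, the OPC server and historian addresses, and the choice of Modbus/TCP (port 502) as the HMI-to-PLC protocol are assumptions; PROFINET RT traffic is Layer 2 and never crosses the router, so it does not appear in the policy.

```python
"""Deny-by-default routing policy between the OT zone VLANs, the IDMZ and
the IT network. Added example, not the page's own configuration; subnets,
host addresses and the HMI-to-PLC protocol (Modbus/TCP, port 502) are assumed."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Assumed addressing: one VLAN and one /24 per OT zone, plus IDMZ and IT.
ZONES = {
    "OT1":  ipaddress.ip_network("10.1.0.0/24"),    # zone 1 PLCs, HMIs, EWS
    "OT2":  ipaddress.ip_network("10.2.0.0/24"),
    "OT3":  ipaddress.ip_network("10.3.0.0/24"),
    "IDMZ": ipaddress.ip_network("10.100.0.0/24"),  # OPC server, historian, DB
    "IT":   ipaddress.ip_network("10.200.0.0/24"),  # desktops, IP phones
}
OT = ("OT1", "OT2", "OT3")
OPC_SERVER = ipaddress.ip_network("10.100.0.10/32")   # assumed host in the IDMZ
HISTORIAN = ipaddress.ip_network("10.100.0.20/32")    # assumed host in the IDMZ


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str          # "tcp" or "udp"
    dport: int
    comment: str


# Everything not listed here is dropped by the router's firewall.
# PROFINET RT frames are Layer 2 and never reach the router, so they are
# not part of this policy; they stay inside their own zone VLAN.
ALLOW = (
    # Operators and engineers in any zone may command PLCs in another zone.
    *[Rule(ZONES[s], ZONES[d], "tcp", 502, f"{s} HMI/EWS to {d} PLCs (Modbus/TCP)")
      for s in OT for d in OT if s != d],
    # The IDMZ OPC server polls the PLCs; only that one host may do so.
    *[Rule(OPC_SERVER, ZONES[d], "tcp", 502, f"OPC server polls {d} PLCs") for d in OT],
    # IT reads process data from the historian's web front end in the IDMZ.
    Rule(ZONES["IT"], HISTORIAN, "tcp", 443, "IT desktops to historian (HTTPS)"),
)


def zone_of(ip: ipaddress.IPv4Address) -> Optional[str]:
    """Name of the zone whose subnet contains ip, or None (e.g. the Internet)."""
    return next((name for name, net in ZONES.items() if ip in net), None)


def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Decide what the router does with a new flow. Returns 'intra-zone' for
    traffic the switch handles without routing, 'accept: <reason>' when a
    rule matches, and 'drop' for everything else, including unknown addresses."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    sz, dz = zone_of(s), zone_of(d)
    if sz is None or dz is None:
        return "drop"
    if sz == dz:
        return "intra-zone"
    for r in ALLOW:
        if s in r.src and d in r.dst and r.proto == proto and r.dport == dport:
            return f"accept: {r.comment}"
    return "drop"


def render_nftables(rules=ALLOW) -> str:
    """Emit the same policy as an nftables forward chain for a Linux router."""
    out = [
        "table inet ot_router {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in rules:
        out.append(f'    ip saddr {r.src} ip daddr {r.dst} {r.proto} dport {r.dport} '
                   f'accept comment "{r.comment}"')
    out += ["  }", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    # Constructed sample flows (addresses are assumptions, see above).
    for flow in [("10.2.0.10", "10.1.0.20", "tcp", 502),    # zone 2 HMI starts zone 1 pump
                 ("10.200.0.5", "10.1.0.20", "tcp", 502),   # IT desktop straight to a PLC
                 ("10.200.0.5", "10.100.0.20", "tcp", 443), # IT desktop to historian
                 ("10.1.0.20", "203.0.113.9", "tcp", 443)]: # PLC to the Internet
        print(flow, "->", evaluate(*flow))
    print(render_nftables())
```

Running the block shows the zone 2 HMI reaching the zone 1 PLC and the IT desktop reaching the historian, while the IT desktop talking straight to a PLC and the PLC talking to the Internet are both dropped. The rules are deliberately host-specific where a single server is involved (the OPC server, the historian) and zone-wide only for the operator-to-PLC path; tightening that path further to the HMI and engineering-station addresses of each zone is the next step once those are known.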