ImageVerifierCode 换一换
格式:PDF , 页数:48 ,大小:989.40KB ,
资源ID:437011      下载积分:10000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-437011.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(ANSI ISA TR100.15.01-2012 Backhaul Architecture Model Secured Connectivity over Untrusted or Trusted Networks.pdf)为本站会员(confusegate185)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

ANSI ISA TR100.15.01-2012 Backhaul Architecture Model Secured Connectivity over Untrusted or Trusted Networks.pdf

1、 TECHNICAL REPORT ANSI/ISA-TR100.15.01-2012 A Technical Report prepared by ISA and registered with ANSI Backhaul Architecture Model: Secured Connectivity over Untrusted or Trusted Networks Approved 29 October 2012 ANSI registration effective 22 March 2015 ANSI/ISA-TR100.15.01-2012 Backhaul Architect

2、ure Model: Secured Connectivity over Untrusted or Trusted Networks ISBN: 978-1-937560-66-9 Copyright 2012 by ISA. All rights reserved. Not for resale. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or b

3、y any means (electronic mechanical, photocopying, recording, or otherwise), without the prior written permission of the Publisher. ISA 67 Alexander Drive P.O. Box 12277 Research Triangle Park, North Carolina 27709 3 ANSI/ISA-TR100.15.01-2012 Preface This preface, as well as all footnotes and annexes

4、, is included for information purposes and is not part of ANSI/ISA-TR100.15.01-2012. This document has been prepared as part of the service of ISA towards a goal of uniformity in the field of instrumentation. To be of real value, this document should not be static but should be subject to periodic r

5、eview. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practices Board; ISA; 67 Alexander Drive; P. O. Box 12277; Research Triangle Park, NC 27709; Telephone (919) 549 -8411; Fax (919) 549-8288; E-mail: standardsisa.or

6、g. The ISA Standards and Practices Department is aware of the growing need for attention to the metric system of units in general, and the International System of Units (SI) in particular, in the preparation of instrumentation standards. The Department is further aware of the benefits to USA users o

7、f ISA standards of incorporating suitable references to the SI (and the metric system) in their business and professional dealings with other countries. Toward this end, th is Department will endeavor to introduce SI-acceptable metric units in all new and revised standards, recommended practices, an

8、d technical reports to the greatest extent possible. Standard for Use of the International System of Units (SI): The Modern Metric System, published by the American Society for Testing ISA; 67 Alexander Drive; P. O. Box 12277; Research 77 Triangle Park, NC 27709. 78 This technical report is of wide

9、applicability because it provides a common framework enabling 79 multiple industrial communication protocols to run over a shared wireless backhaul network in 80 process automation systems. 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 This page intentionally left blank. 96 97 98 99 100 101 9 ANSI/IS

10、A-TR100.15.01-2012 1 Scope 1.1 General This document presents an architecture model for interconnecting automation system elements over untrusted backhaul networks. The focus is on wireless physical la yer but is not limited to wireless. B a c k h a u ln e t w o r kM a n u f a c t u r i n g c e l lM

11、 o b i l e w o r k e rS e c u r i t y c a m e r a sR e a l - t i m e l o c a t i o n s e r v i c eL o g i s t i c sW o r k e rs a f e t yV o I PP r o d u c t i o n o p e r a t i o n sP L CP u m pa c t u a t o rT a n k l e v e ls e n s o rC o n t r o l c e n t e rV o I P P B XS e c u r i t y v i d e

12、o s y s t e mR T L S s e r v e r sFigure 1 Example applications using a shared backhaul network Figure 1 provides an example of the variety of (potentially simultaneous) uses for backhaul networks. In this example, the “Backhaul Network” cloud could represent a short-distance network such as the use

13、r-owned network within a building or site, or it could represent a potentially heterogeneous long-distance network (for example, satellite or cellular communication networks) that are provided as a service effectively by multiple third parties. These backhaul links may be provided by one or more com

14、mercial providers such as satellite communications providers, cellular, LTE (see Clause 3), WiMax data services, etc. Alternatively, the backhaul may also be provided by the userfor example, Wi-Fi services, point-to-point microwave links, etc. 1.2 Wireless vs. wired backhaul networks There is nothin

15、g in this architecture that precludes the use of wired network technologies (for example, Ethernet) for backhaul networks. ANSI/ISA-TR100.15.01-2012 10 1.3 Specific goals 1.3.1 Provide an architecture model One of the primary goals of this document is to create an architecture model that insulates t

16、he industrial control system elements from the variety of protocols and interfaces associated with various backhaul technologies and providers. Conversely, this architecture model is also intended to insulate the backhaul providers from many of the technical issues associated with specific industria

17、l control systems vendors, protocols, and interfaces. 1.3.2 Define a common vocabulary This generalized architecture model describes elements and interfaces associated with using backhaul services; the resulting model and vocabulary provide a common framework by which industrial control system vendo

18、r, user, and backhaul provider communities can better communicate and collaborate in this rapidly evolving space. 1.3.3 Anticipate backhaul technology evolution Backhaul network technologies continue to evolve rapidly. For example, new protocols and capabilities for cellular data backhauls continue

19、to emergeas evidenced by the recent introduction of WiMax and LTE service offerings. Similarly for Wi-Fi, a succession of technologies and standards has emerged over time (for example, IEEE 802.11b, 802.11g, 802.11a, 802.11n, etc.). 1.3.4 Allow for mixed use of a shared backhaul In collecting backha

20、ul network use cases, the authors documented a strong demand from the automation user community for general-purpose backhaul utilization beyond that of just transporting industrial control system data. Specifically, as illustrated in Figure 1, many of the use cases drive the need to use the backhaul

21、 to support general data services such as security cameras, voice over internet protocol (VoIP) telephony, emergency first responders, and real-time location services. These use cases also drive the need to support industrial application data service models such as client/server, event multicast, an

22、d publish/subscribe. This mixed use of the backhaul network means this model also needs to address automation needs regarding backhaul security, backhaul management, backhaul flow control, backhaul user mobility, etc. 1.3.5 Provide a framework for future profile specifications As a non-normative doc

23、ument, this architecture has insufficient authoritative detail to enable separate implementers to create products that interoperate. 2 Normative references The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated r

24、eferences, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 7498-1, Information technology Open Systems Interconnection Basic Reference Model: The Basic Model ISO/IEC 62443-1-1, Industrial communication

25、networks Network and system security Part 1-1: Terminology, concepts and models IETF RFC 2205, Resource reservation protocol (RSVP) Version 1 functional specification IETF RFC 2474, Definition of the differentiated services field IETF RFC 2475, An architecture for differentiated services 11 ANSI/ISA

26、-TR100.15.01-2012 3 Terms, definitions and abbreviations 3.1 Terms and definitions 3.1.1 access point device that allows wireless devices to connect to a wired network 3.1.2 accounting tracking of network resource consumption by users for the purpose of capacity and trend analysis, and cost allocati

27、on 3.1.3 availability assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them 3.1.4 authentication process where an entitys identity is authenticated, typically by providing evidence that it holds a specific digital

28、 identity such as an identifier and the corresponding credentials 3.1.5 authorization process of determining whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service 3.1.6 application specific implemen

29、tation or instantiation of this architecture that is designed to address the specific needs of a given installation 3.1.7 backhaul network communication link between industrial control system elements as well as local and remote field networks Note 1 to entry: The backhaul may be provided by one or

30、more commercial providers such as satellite communications data services, cellular data services, WiMax data services, etc. Alternatively, the backhaul may also be provided by the user itselffor example, Wi-Fi services, point-to-point microwave links, etc. 3.1.8 backhaul interface interface between

31、a Characterized Control Domain and a Backhaul Service Provider Note 1 to entry: In the nomenclature of IEC 62443, this is a type of edge device. 3.1.9 backhaul service provider communications infrastructure that provides connectivity between Characterized Control Domains 3.1.10 characterized control

32、 domain designated set of control equipment ANSI/ISA-TR100.15.01-2012 12 3.1.11 channel logical or physical point-to-point or point-to-multipoint data flow between components in one zone to one or more components in another zone SOURCE: IEC 62443-1-1 3.1.12 conduit logical grouping of channels, conn

33、ecting two or more zones that share common security requirements Note 1 to entry: A conduit is allowed to traverse a zone as long as the security of the channels contained within the conduit is not impacted by the zone. SOURCE: IEC 62443-1-1 3.1.13 confidentiality assurance that information is share

34、d only among authorized persons or organizations 3.1.14 connection association established between two or more end points which support the establishment of a session SOURCE: IEC 62443-1-1 3.1.15 configuration, security and management domain logical entity that contains the network and security mana

35、gement functions 3.1.16 demilitarized zone common, limited network joining two or more zones for the purpose of controlling data flow between zones Note 1 to entry: Demilitarized zones are typically used to avoid direct connections between different zones. SOURCE: ISO/IEC 62443-3-3 3.1.17 differenti

36、ated services specification for a simple, scalable and coarse-grained mechanism for classifying and managing network traffic and providing Quality of Service (QoS) on modern IP networks SOURCE Wikipedia 3.1.18 differentiated services code point six-bit field in the IP header for packet used classifi

37、cation purposes in Differentiated Services Note 1 to entry: This field is part of the Type of Service octet in the case of IPv4, and the Traffic Class octet in the case of IPv6. SOURCE: IETF RFC 2474 3.1.19 dynamic host configuration protocol protocol used on IPv4 networks that allows the IPv4 addre

38、ss for a device to be assigned automatically Note 1 to entry: The protocol may be used to support a central database which keeps track of devices that have been connected to the network and prevents two devices from accidentally being configured with the same address. 13 ANSI/ISA-TR100.15.01-2012 3.

39、1.20 edge device communication security asset, within a zone or conduit, that provides an interface between a zone and a conduit SOURCE: IEC 62443-1-1 3.1.21 edge router router existing at the edge of a Flow Control Domain 3.1.22 extended service set identifier name that identifies a particular 802.

40、11 wireless LAN SOURCE: IEEE 802.11 3.1.23 extensible access control markup language declarative access control policy language and a processing model, describing how to interpret authorization policies SOURCE: OASIS Extensible Access Control Markup Language, v2.0 (http:/www.oasis-open.org/committee

41、s/xacml/) 3.1.24 extensible authentication protocol authentication framework providing for the transport and usage of keying material and parameters generated by Extensible Authentication Protocol methods 3.1.25 flow control domain administrative domain for configuring and managing flow control para

42、meters 3.1.26 Fieldbus Foundation/ISA cooperation cooperative project between the Fieldbus Foundation and ISA to develop a wireless backhaul architecture model 3.1.27 field network local area networks that consist of sensors, valves, mobile workers, etc. 3.1.28 integrity assurance that the informati

43、on is authentic and complete. Ensuring that information can be relied upon to be sufficiently accurate for its purpose 3.1.29 interface for metadata access points client/server protocol specification published by the Trusted Computing Group as one of the core protocols of the Trusted Network Connect

44、 open architecture Note 1 to entry: Interface for Metadata Access Points provides a common interface between a database server acting as a clearinghouse for information about security events and objects, and other elements of the Trusted Network Connect architecture. See http:/www.trustedcomputinggr

45、oup.org/resources/tnc_ifmap_binding_for_soap_specification 3.1.30 interface conceptual point of interaction between architectural components that allows components to function independently ANSI/ISA-TR100.15.01-2012 14 3.1.31 Internet protocol primary protocol in the network layer of the most common

46、 Internet protocol suite, which has the task of delivering datagrams (also known as packets or connectionless messages) from the source host to the destination host, based solely on their addresses Note 1 to entry: For this purpose, each specific version of the Internet protocol defines correspondin

47、g addressing methods and structures for datagram encapsulation. 3.1.32 Internet protocol version 4 1981 version of the Internet network protocol 3.1.33 internet protocol version 6 1998 version of the Internet network protocol 3.1.34 jitter variation of latency from message to message 3.1.35 human-ma

48、chine interface interface by which human users interact with a computerized system 3.1.36 Kerberos computer network authentication protocol that uses “tickets“ to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner Note 1 to entry: Kerberos u

49、ses symmetric key cryptography and requires a trusted third party, and optionally may use public-key cryptography by utilizing asymmetric key cryptography during certain phases of authentication. 3.1.37 local area network communication network that connects computers and devices in a limited geographical area such as home, school, computer laboratory, office building or automation facility 3.1.38 latency delay between transmission and reception of a message 3.1.39 loss message non-receipt or corruption 3.1.40 long term evolution standard in th

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1