ISA TR100 15 01-2012 Backhaul Architecture Model Secured Connectivity over Untrusted or Trusted Networks.pdf

1、 TECHNICAL REPORT ANSI/ISA-TR100.15.01-2012 A Technical Report prepared by ISA and registered with ANSI Backhaul Architecture Model: Secured Connectivity over Untrusted or Trusted Networks Approved 29 October 2012 ANSI registration effective 22 March 2015 ANSI/ISA-TR100.15.01-2012 Backhaul Architect

2、ure Model: Secured Connectivity over Untrusted or Trusted Networks ISBN: 978-1-937560-66-9 Copyright 2012 by ISA. All rights reserved. Not for resale. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or b

3、y any means (electronic mechanical, photocopying, recording, or otherwise), without the prior written permission of the Publisher. ISA 67 Alexander Drive P.O. Box 12277 Research Triangle Park, North Carolina 27709 3 ANSI/ISA-TR100.15.01-2012 Preface This preface, as well as all footnotes and annexes

4、, is included for information purposes and is not part of ANSI/ISA-TR100.15.01-2012. This document has been prepared as part of the service of ISA towards a goal of uniformity in the field of instrumentation. To be of real value, this document should not be static but should be subject to periodic r

5、eview. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practices Board; ISA; 67 Alexander Drive; P. O. Box 12277; Research Triangle Park, NC 27709; Telephone (919) 549 -8411; Fax (919) 549-8288; E-mail: standardsisa.or

6、g. The ISA Standards and Practices Department is aware of the growing need for attention to the metric system of units in general, and the International System of Units (SI) in particular, in the preparation of instrumentation standards. The Department is further aware of the benefits to USA users o

7、f ISA standards of incorporating suitable references to the SI (and the metric system) in their business and professional dealings with other countries. Toward this end, th is Department will endeavor to introduce SI-acceptable metric units in all new and revised standards, recommended practices, an

8、d technical reports to the greatest extent possible. Standard for Use of the International System of Units (SI): The Modern Metric System, published by the American Society for Testing ISA; 67 Alexander Drive; P. O. Box 12277; Research 77 Triangle Park, NC 27709. 78 This technical report is of wide

9、applicability because it provides a common framework enabling 79 multiple industrial communication protocols to run over a shared wireless backhaul network in 80 process automation systems. 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 This page intentionally left blank. 96 97 98 99 100 101 9 ANSI/IS

10、A-TR100.15.01-2012 1 Scope 1.1 General This document presents an architecture model for interconnecting automation system elements over untrusted backhaul networks. The focus is on wireless physical la yer but is not limited to wireless. B a c k h a u ln e t w o r kM a n u f a c t u r i n g c e l lM

11、 o b i l e w o r k e rS e c u r i t y c a m e r a sR e a l - t i m e l o c a t i o n s e r v i c eL o g i s t i c sW o r k e rs a f e t yV o I PP r o d u c t i o n o p e r a t i o n sP L CP u m pa c t u a t o rT a n k l e v e ls e n s o rC o n t r o l c e n t e rV o I P P B XS e c u r i t y v i d e

12、o s y s t e mR T L S s e r v e r sFigure 1 Example applications using a shared backhaul network Figure 1 provides an example of the variety of (potentially simultaneous) uses for backhaul networks. In this example, the “Backhaul Network” cloud could represent a short-distance network such as the use

13、r-owned network within a building or site, or it could represent a potentially heterogeneous long-distance network (for example, satellite or cellular communication networks) that are provided as a service effectively by multiple third parties. These backhaul links may be provided by one or more com

14、mercial providers such as satellite communications providers, cellular, LTE (see Clause 3), WiMax data services, etc. Alternatively, the backhaul may also be provided by the userfor example, Wi-Fi services, point-to-point microwave links, etc. 1.2 Wireless vs. wired backhaul networks There is nothin

15、g in this architecture that precludes the use of wired network technologies (for example, Ethernet) for backhaul networks. ANSI/ISA-TR100.15.01-2012 10 1.3 Specific goals 1.3.1 Provide an architecture model One of the primary goals of this document is to create an architecture model that insulates t

16、he industrial control system elements from the variety of protocols and interfaces associated with various backhaul technologies and providers. Conversely, this architecture model is also intended to insulate the backhaul providers from many of the technical issues associated with specific industria

17、l control systems vendors, protocols, and interfaces. 1.3.2 Define a common vocabulary This generalized architecture model describes elements and interfaces associated with using backhaul services; the resulting model and vocabulary provide a common framework by which industrial control system vendo

18、r, user, and backhaul provider communities can better communicate and collaborate in this rapidly evolving space. 1.3.3 Anticipate backhaul technology evolution Backhaul network technologies continue to evolve rapidly. For example, new protocols and capabilities for cellular data backhauls continue

19、to emergeas evidenced by the recent introduction of WiMax and LTE service offerings. Similarly for Wi-Fi, a succession of technologies and standards has emerged over time (for example, IEEE 802.11b, 802.11g, 802.11a, 802.11n, etc.). 1.3.4 Allow for mixed use of a shared backhaul In collecting backha

20、ul network use cases, the authors documented a strong demand from the automation user community for general-purpose backhaul utilization beyond that of just transporting industrial control system data. Specifically, as illustrated in Figure 1, many of the use cases drive the need to use the backhaul

21、 to support general data services such as security cameras, voice over internet protocol (VoIP) telephony, emergency first responders, and real-time location services. These use cases also drive the need to support industrial application data service models such as client/server, event multicast, an

22、d publish/subscribe. This mixed use of the backhaul network means this model also needs to address automation needs regarding backhaul security, backhaul management, backhaul flow control, backhaul user mobility, etc. 1.3.5 Provide a framework for future profile specifications As a non-normative doc

23、ument, this architecture has insufficient authoritative detail to enable separate implementers to create products that interoperate. 2 Normative references The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated r

24、eferences, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 7498-1, Information technology Open Systems Interconnection Basic Reference Model: The Basic Model ISO/IEC 62443-1-1, Industrial communication

25、networks Network and system security Part 1-1: Terminology, concepts and models IETF RFC 2205, Resource reservation protocol (RSVP) Version 1 functional specification IETF RFC 2474, Definition of the differentiated services field IETF RFC 2475, An architecture for differentiated services 11 ANSI/ISA

26、-TR100.15.01-2012 3 Terms, definitions and abbreviations 3.1 Terms and definitions 3.1.1 access point device that allows wireless devices to connect to a wired network 3.1.2 accounting tracking of network resource consumption by users for the purpose of capacity and trend analysis, and cost allocati

27、on 3.1.3 availability assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them 3.1.4 authentication process where an entitys identity is authenticated, typically by providing evidence that it holds a specific digital

28、 identity such as an identifier and the corresponding credentials 3.1.5 authorization process of determining whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service 3.1.6 application specific implemen

29、tation or instantiation of this architecture that is designed to address the specific needs of a given installation 3.1.7 backhaul network communication link between industrial control system elements as well as local and remote field networks Note 1 to entry: The backhaul may be provided by one or

30、more commercial providers such as satellite communications data services, cellular data services, WiMax data services, etc. Alternatively, the backhaul may also be provided by the user itselffor example, Wi-Fi services, point-to-point microwave links, etc. 3.1.8 backhaul interface interface between

31、a Characterized Control Domain and a Backhaul Service Provider Note 1 to entry: In the nomenclature of IEC 62443, this is a type of edge device. 3.1.9 backhaul service provider communications infrastructure that provides connectivity between Characterized Control Domains 3.1.10 characterized control

32、 domain designated set of control equipment ANSI/ISA-TR100.15.01-2012 12 3.1.11 channel logical or physical point-to-point or point-to-multipoint data flow between components in one zone to one or more components in another zone SOURCE: IEC 62443-1-1 3.1.12 conduit logical grouping of channels, conn

33、ecting two or more zones that share common security requirements Note 1 to entry: A conduit is allowed to traverse a zone as long as the security of the channels contained within the conduit is not impacted by the zone. SOURCE: IEC 62443-1-1 3.1.13 confidentiality assurance that information is share

34、d only among authorized persons or organizations 3.1.14 connection association established between two or more end points which support the establishment of a session SOURCE: IEC 62443-1-1 3.1.15 configuration, security and management domain logical entity that contains the network and security mana

35、gement functions 3.1.16 demilitarized zone common, limited network joining two or more zones for the purpose of controlling data flow between zones Note 1 to entry: Demilitarized zones are typically used to avoid direct connections between different zones. SOURCE: ISO/IEC 62443-3-3 3.1.17 differenti

36、ated services specification for a simple, scalable and coarse-grained mechanism for classifying and managing network traffic and providing Quality of Service (QoS) on modern IP networks SOURCE Wikipedia 3.1.18 differentiated services code point six-bit field in the IP header for packet used classifi

37、cation purposes in Differentiated Services Note 1 to entry: This field is part of the Type of Service octet in the case of IPv4, and the Traffic Class octet in the case of IPv6. SOURCE: IETF RFC 2474 3.1.19 dynamic host configuration protocol protocol used on IPv4 networks that allows the IPv4 addre

38、ss for a device to be assigned automatically Note 1 to entry: The protocol may be used to support a central database which keeps track of devices that have been connected to the network and prevents two devices from accidentally being configured with the same address. 13 ANSI/ISA-TR100.15.01-2012 3.

39、1.20 edge device communication security asset, within a zone or conduit, that provides an interface between a zone and a conduit SOURCE: IEC 62443-1-1 3.1.21 edge router router existing at the edge of a Flow Control Domain 3.1.22 extended service set identifier name that identifies a particular 802.

40、11 wireless LAN SOURCE: IEEE 802.11 3.1.23 extensible access control markup language declarative access control policy language and a processing model, describing how to interpret authorization policies SOURCE: OASIS Extensible Access Control Markup Language, v2.0 (http:/www.oasis-open.org/committee

41、s/xacml/) 3.1.24 extensible authentication protocol authentication framework providing for the transport and usage of keying material and parameters generated by Extensible Authentication Protocol methods 3.1.25 flow control domain administrative domain for configuring and managing flow control para

42、meters 3.1.26 Fieldbus Foundation/ISA cooperation cooperative project between the Fieldbus Foundation and ISA to develop a wireless backhaul architecture model 3.1.27 field network local area networks that consist of sensors, valves, mobile workers, etc. 3.1.28 integrity assurance that the informati

43、on is authentic and complete. Ensuring that information can be relied upon to be sufficiently accurate for its purpose 3.1.29 interface for metadata access points client/server protocol specification published by the Trusted Computing Group as one of the core protocols of the Trusted Network Connect

44、 open architecture Note 1 to entry: Interface for Metadata Access Points provides a common interface between a database server acting as a clearinghouse for information about security events and objects, and other elements of the Trusted Network Connect architecture. See http:/www.trustedcomputinggr

45、oup.org/resources/tnc_ifmap_binding_for_soap_specification 3.1.30 interface conceptual point of interaction between architectural components that allows components to function independently ANSI/ISA-TR100.15.01-2012 14 3.1.31 Internet protocol primary protocol in the network layer of the most common

46、 Internet protocol suite, which has the task of delivering datagrams (also known as packets or connectionless messages) from the source host to the destination host, based solely on their addresses Note 1 to entry: For this purpose, each specific version of the Internet protocol defines correspondin

47、g addressing methods and structures for datagram encapsulation. 3.1.32 Internet protocol version 4 1981 version of the Internet network protocol 3.1.33 internet protocol version 6 1998 version of the Internet network protocol 3.1.34 jitter variation of latency from message to message 3.1.35 human-ma

48、chine interface interface by which human users interact with a computerized system 3.1.36 Kerberos computer network authentication protocol that uses “tickets“ to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner Note 1 to entry: Kerberos u

49、ses symmetric key cryptography and requires a trusted third party, and optionally may use public-key cryptography by utilizing asymmetric key cryptography during certain phases of authentication. 3.1.37 local area network communication network that connects computers and devices in a limited geographical area such as home, school, computer laboratory, office building or automation facility 3.1.38 latency delay between transmission and reception of a message 3.1.39 loss message non-receipt or corruption 3.1.40 long term evolution standard in th