3.6 Enterprise Layer
The Enterprise layer allows access to specific control system data or communication sources for facility-wide or group asset
management systems. The Enterprise layer can include the following features:
• Additional firewalls, routers, and security features
• Interface to customer network
• GE Demilitarized Zone (DMZ) for hosting GE assets to be accessed externally from the customer site facility
• Interface to other GE Wide Area Network (WAN), Atlanta Data Highway (ADH) for GE Monitoring and Diagnostics (M&D) services
The Industrial Internet Gateway (IIG) option consists of a firewall appliance that is inserted as a barrier between the ICS
VLAN and any other external devices. The firewall establishes security regions, or zones, as defined in the IEC standard
62443 or ISA 99. Equipment is allocated to each zone based on its function and relative security risk to the Mark VIe
control system. For diagnostic or analysis purposes, access to specifically tagged control system data or communications can
be allowed from outside the plant. Since any outside communications represent a significant risk to the integrity and security
of the control system, establishing a DMZ that terminates the outside networks and then only allows specific authenticated
traffic to flow from the DMZ to specific hosts behind the DMZ is recommended.
[Figure: Enterprise Layer Example (does not represent an actual installation). Diagram labels: Outside Plant Facility; Customer Enterprise Network; GE Wide Area Network (WAN) to ADH; Firewall; GE demilitarized zone (DMZ); Virtual local area networks (VLANs); Mark VIe Integrated Control System (ICS)]
The IIG establishes four interfaces to connect from the firewall: Customer, ADH, DMZ, and ICS VLAN. The Customer
interface typically connects to an additional upstream router or firewall provided by the customer. The ADH is used by GE
M&D to provide remote services for the customer, for example analytics or troubleshooting. The DMZ has a rule set or policy
that is implemented by GE to enable remote access to key resources. These resources are able to collect specifically
configured control system data or perform specifically configured control system functions. The ICS VLAN connects from
the IIG firewall to a switch that terminates at two routers and then into the root switch and on to the edge switch. Refer to the
section Ethernet Networks for more information.
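The DMZ recommendation above can be checked mechanically against an exported firewall policy. The following is an added example, not part of the GE guide or any GE rule set: it audits rules for the four IIG interfaces and flags any flow into the ICS VLAN that bypasses the DMZ, targets more than one host, leaves the port open, or is unauthenticated. The rule tuple layout, rule names, addresses, and ports are assumptions constructed for illustration.

```python
from ipaddress import ip_network

# Zone names follow the four IIG interfaces named in the text. Every rule,
# address and port below is constructed sample data, not a GE policy.
EXTERNAL = {"CUSTOMER", "ADH"}

SAMPLE_RULES = [
    # (name, src_zone, dst_zone, dst_cidr, port, authenticated)
    ("adh-to-dmz-jump", "ADH", "DMZ", "192.0.2.10/32", 443, True),
    ("dmz-to-historian", "DMZ", "ICS", "10.0.0.20/32", 4840, True),
    ("cust-to-ics-direct", "CUSTOMER", "ICS", "10.0.0.0/24", 502, True),
    ("dmz-to-ics-subnet", "DMZ", "ICS", "10.0.0.0/24", 4840, True),
    ("dmz-to-ics-anyport", "DMZ", "ICS", "10.0.0.21/32", None, True),
    ("dmz-to-ics-noauth", "DMZ", "ICS", "10.0.0.22/32", 4840, False),
]


def audit(rules):
    """Return {rule_name: [findings]} for rules that break the DMZ model."""
    findings = {}
    for name, src, dst, cidr, port, authed in rules:
        issues = []
        if dst == "ICS":
            # Outside networks must terminate in the DMZ, never in the ICS VLAN.
            if src in EXTERNAL:
                issues.append("external zone reaches ICS VLAN without terminating in DMZ")
            # Only specific hosts behind the DMZ may be reachable.
            if ip_network(cidr).num_addresses != 1:
                issues.append("destination is not a specific host")
            # Only specific traffic: a rule with no port matches every service.
            if port is None:
                issues.append("service is not restricted to a specific port")
            if not authed:
                issues.append("traffic is not authenticated")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for rule, issues in audit(SAMPLE_RULES).items():
        for issue in issues:
            print(f"{rule}: {issue}")
```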
GEH-6721_Vol_I_BP System Guide 93
Public Information