Enterprise Layer - GE Mark VIe System Manual


3.6 Enterprise Layer

The Enterprise layer allows access to specific control system data or communication sources for facility-wide or group asset management systems. The Enterprise layer can include the following features:
• Additional firewalls, routers, and security features
• Interface to customer network
• GE Demilitarized Zone (DMZ) for hosting GE assets to be accessed from outside the customer site facility
• Interface to other GE Wide Area Network (WAN), Atlanta Data Highway (ADH) for GE Monitoring and Diagnostics (M&D) services
The Industrial Internet Gateway (IIG) option consists of a firewall appliance that is inserted as a barrier between the ICS VLAN and any other external devices. The firewall establishes security regions, or zones, as defined in the IEC standard 62443 or ISA 99. Equipment is allocated to each zone based on its function and relative security risk to the Mark VIe control system. For diagnostic or analysis purposes, access to specifically tagged control system data or communications can be allowed from outside the plant. Since any outside communications represent a significant risk to the integrity and security of the control system, establishing a DMZ that terminates the outside networks and then only allows specific authenticated traffic to flow from the DMZ to specific hosts behind the DMZ is recommended.
[Figure: Enterprise Layer Example (does not represent an actual installation). Diagram labels: Outside Plant Facility; Virtual local area networks (VLANs); Mark VIe Integrated Control System (ICS)]
The IIG establishes four interfaces to connect from the firewall: Customer, ADH, DMZ, and ICS VLAN. The Customer interface typically connects to an additional upstream router or firewall provided by the customer. The ADH is used by GE M&D to provide remote services for the customer, for example, analytics or troubleshooting. The DMZ has a rule set or policy that is implemented by GE to enable remote access to key resources. These resources are able to collect specifically configured control system data or perform specifically configured control system functions. The ICS VLAN connects from the IIG firewall to a switch that terminates at two routers and then into the root switch and on to the edge switch. Refer to the section Mesh Architecture for more information.
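The zone model described above can be checked mechanically against a firewall policy. The following is an added example, not code from GE or from this manual: it audits a list of allow rules against the recommended pattern (outside networks terminate in the DMZ, and only specific authenticated traffic flows from the DMZ to specific ICS hosts). The rule format, zone strings, addresses, and ports are constructed assumptions.

```python
from ipaddress import ip_network

# Interfaces that face networks outside the plant (names taken from the text above).
EXTERNAL = {"CUSTOMER", "ADH"}

# Constructed sample policy of allow rules; fields, addresses and ports are hypothetical.
SAMPLE_RULES = [
    {"id": 1, "src": "ADH", "dst": "DMZ", "dst_net": "10.10.0.5/32", "port": 443, "auth": True},
    {"id": 2, "src": "DMZ", "dst": "ICS", "dst_net": "10.20.0.15/32", "port": 4840, "auth": True},
    {"id": 3, "src": "CUSTOMER", "dst": "ICS", "dst_net": "10.20.0.0/24", "port": 502, "auth": False},
    {"id": 4, "src": "DMZ", "dst": "ICS", "dst_net": "10.20.0.0/24", "port": "any", "auth": True},
    {"id": 5, "src": "DMZ", "dst": "ICS", "dst_net": "10.20.0.16/32", "port": 22, "auth": False},
]


def audit(rules):
    """Return (rule id, finding) pairs for allow rules that break the DMZ pattern."""
    findings = []
    for r in rules:
        zones = {r["src"], r["dst"]}
        # Any rule joining the ICS VLAN to an outside-facing interface skips the DMZ.
        if "ICS" in zones and zones & EXTERNAL:
            findings.append((r["id"], "direct path between outside network and ICS VLAN bypasses the DMZ"))
            continue
        # DMZ-to-ICS rules must name one host, one service, and require authentication.
        if r["src"] == "DMZ" and r["dst"] == "ICS":
            if ip_network(r["dst_net"]).num_addresses != 1:
                findings.append((r["id"], "destination is a subnet, not a specific host"))
            if r["port"] == "any":
                findings.append((r["id"], "service is not restricted to a specific port"))
            if not r["auth"]:
                findings.append((r["id"], "traffic is not authenticated"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in audit(SAMPLE_RULES):
        print(f"rule {rule_id}: {finding}")
```

Rules 1 and 2 pass; rule 3 is reported as a DMZ bypass, rule 4 for its subnet destination and unrestricted service, and rule 5 for missing authentication.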
[Figure labels: GE Wide Area Network (WAN) to ADH; Firewall; Customer Enterprise Network; GE demilitarized zone (DMZ)]
Ethernet Networks
Public Information
GEH-6721_Vol_I_BP System Guide 93
