Process Control Networks

Rev 2 · Updated Jun 8, 2026

1 Scope

NOTE This specification covers the design, materials, configuration, segmentation, and cybersecurity hardening of the process control network (PCN) — the operational-technology communications network that interconnects programmable controllers, remote and distributed I/O, networked field instruments, and the supervisory SCADA/HMI layer in industrial, process, and water/wastewater facilities. (1.1)
NOTE The network addressed in this standard is organized on the Purdue / ISA-95 reference model: Level 0 field devices and instruments, Level 1 controllers and I/O, Level 2 supervisory control and local HMI, and Level 3 site operations and the historian, with a demilitarized zone (DMZ) at Level 3.5 separating the OT network from the Level 4 enterprise/IT network. (1.2)
NOTE The boundary of work under this standard is the OT network itself — the switches, routers, firewalls, media converters, gateways, wireless radios, time servers, network cabling between active devices, and the configuration, segmentation, and security hardening that bind them into zones and conduits. (1.3)
NOTE The controllers, the SCADA/HMI software, the field instruments, and the panels that the network connects are each governed by their own standard and are referenced here only at the network interface. (1.4)
1.5 Network architecture, zones, and conduits shall comply with the Purdue / ISA-95 reference model as defined in ANSI/ISA-95.00.01 (IEC 62264-1) and the segmentation guidance of NIST SP 800-82.
1.6 OT cybersecurity provisions shall comply with the ISA/IEC 62443 series.
1.7 Industrial Ethernet protocols and cabling shall comply with the applicable parts of IEC 61158, IEC 61784, IEC 61918, and ANSI/TIA-1005.
1.8 Wiring methods, raceways, bonding, and grounding shall comply with NFPA 70 (National Electrical Code), including Article 725 for Class 2 and Class 3 circuits and Chapter 8 for communications circuits.
1.9 The Contractor shall coordinate the process control network with the controllers (Programmable Logic Controllers), the SCADA/HMI layer (Scada And Hmi Systems), the field instruments, the control panels (Industrial Control Panels), the overall system integration (Control Systems Integration), and the network cabling, raceway, and grounding standards (Conductors And Cables, Raceways And Conduit, Grounding And Bonding).

1.10 Scope Boundaries

NOTE This standard governs the industrial OT network and is distinct from the commercial building automation network. (1.10.1)
NOTE Commercial building automation (BAS/DDC) networks for HVAC and ancillary building systems — including their BACnet and Modbus building field buses — are outside this scope and are governed by Building Automation System. (1.10.2)
NOTE Enterprise IT networks, office and general-purpose structured cabling, and data-center cabling are outside this scope; the boundary between the OT network and the enterprise network is the DMZ defined in this standard. (1.10.3)
NOTE Sequences of operation and control logic are established on the contract documents and executed by the controllers (Programmable Logic Controllers); this standard governs the network that carries the data, not the logic that acts on it. (1.10.4)

2 Referenced Standards

2.1 Equipment, materials, configuration, and installation shall comply with the latest adopted edition of each of the following unless a specific edition is cited.
2.2 Where conflicts exist between referenced standards, the more stringent requirement shall govern unless the Engineer of Record directs otherwise in writing.

2.3 Standards Table

Standard | Title
ANSI/ISA-95.00.01 / IEC 62264-1 | Enterprise-Control System Integration (Purdue / ISA-95 reference model)
ISA/IEC 62443-1-1 | Security for Industrial Automation and Control Systems — Terminology, Concepts, and Models (foundational requirements)
ISA/IEC 62443-2-1 | Establishing an Industrial Automation and Control Systems Security Program
ISA/IEC 62443-3-2 | Security Risk Assessment for System Design (zones and conduits)
ISA/IEC 62443-3-3 | System Security Requirements and Security Levels
ISA/IEC 62443-4-2 | Technical Security Requirements for IACS Components
NIST SP 800-82 | Guide to Operational Technology (OT) Security
IEC 61158 | Industrial Communication Networks — Fieldbus Specifications
IEC 61784-1 / 61784-2 | Industrial Communication Networks — Profiles (fieldbus and real-time Ethernet)
IEC 61784-5 | Industrial Communication Networks — Installation Profiles
IEC 61918 | Industrial Communication Networks — Installation of Communication Networks in Industrial Premises
ISO/IEC 11801 / ISO/IEC 24702 | Generic Cabling for Customer Premises / Industrial Premises (MICE environmental classification)
ANSI/TIA-568 | Telecommunications Cabling Standard (balanced twisted-pair and optical fiber components)
ANSI/TIA-1005 | Telecommunications Infrastructure Standard for Industrial Premises
IEC 62541 | OPC Unified Architecture (OPC UA)
IEC 62439-2 | Media Redundancy Protocol (MRP)
IEC 62439-3 | Parallel Redundancy Protocol (PRP) and High-availability Seamless Redundancy (HSR)
IEEE 802.1D / 802.1Q | Spanning Tree (RSTP) / Bridges and Bridged Networks (VLANs)
IEEE 1588 | Precision Time Protocol (PTP) for Networked Measurement and Control Systems
IEEE 802.1AS | Timing and Synchronization for Time-Sensitive Applications
IETF RFC 5905 | Network Time Protocol Version 4 (NTPv4)
IEEE 1815 | Distributed Network Protocol (DNP3)
NFPA 70 | National Electrical Code (NEC) — Article 725 (Class 2/3) and Chapter 8 (communications)

3 Submittals

3.1 Action Submittals

3.1.1 The Contractor shall submit the following for the Engineer's review and approval prior to procurement and installation.
  • Network architecture drawing showing the Purdue / ISA-95 level assignment of every device, the zones and conduits, the DMZ, and the demarcation between the OT network and the enterprise network
  • Zone and conduit register identifying each zone, its assets, the conduits connecting it, and the target security level (SL-T) assigned per ISA/IEC 62443-3-2
  • IP addressing plan and VLAN schedule, including subnets per zone, management VLAN, and address assignment method (static for OT devices)
  • Product data for all active network devices — managed switches, routers, firewalls, media converters, protocol gateways, wireless radios, and time servers — including port count, media type, ring/redundancy protocol support, protocol support, environmental rating, power input, and ISA/IEC 62443-4-2 component certification where claimed
  • Protocol schedule listing each industrial protocol in use (EtherNet/IP, PROFINET, Modbus TCP, Modbus RTU, PROFIBUS, OPC UA, DNP3) and the devices and conduits on which each operates
  • Media selection schedule identifying copper versus fiber for each network segment with the basis (distance, galvanic isolation, noise immunity, or routing through high-voltage areas)
  • Redundancy scheme description identifying the ring or redundancy protocol (RSTP, MRP, DLR, PRP, or HSR), the recovery-time target, and the ring manager assignment
  • Time synchronization design identifying the grandmaster/reference clock, the protocol (NTP or PTP), the time source (GPS/GNSS or other), and the distribution path
  • Remote-site telemetry design for distributed water/wastewater sites, including the communications bearer (licensed radio, unlicensed radio, or cellular), the telemetry protocol (DNP3 typical), polling and report-by-exception strategy, and store-and-forward behavior on loss of communications
  • Cybersecurity hardening plan addressing device hardening, default-credential elimination, account management, port security, firewall/conduit rule set, patch management, backup, and logging/monitoring per ISA/IEC 62443 and NIST SP 800-82
  • Bill of materials and cable schedule, coordinated with Conductors And Cables and Raceways And Conduit
Action Submittals Required [checkbox]
  • Network architecture drawing (Purdue/ISA-95 levels, zones, conduits, DMZ)
  • Zone and conduit register with target security levels (62443-3-2)
  • IP addressing plan and VLAN schedule
  • Active network device product data (62443-4-2 certification where claimed)
  • Protocol schedule (EtherNet/IP, PROFINET, Modbus, OPC UA, DNP3)
  • Media selection schedule (copper vs. fiber with basis)
  • Redundancy scheme (RSTP/MRP/DLR/PRP/HSR) and recovery target
  • Time synchronization design (NTP/PTP, reference clock)
  • Remote-site telemetry design (radio/cellular, DNP3)
  • Cybersecurity hardening plan (62443 / SP 800-82)
  • Bill of materials and cable schedule
3.1.2 Fabrication, procurement, and installation shall not proceed until action submittals have been reviewed and returned.

3.2 Closeout Submittals

3.2.1 At substantial completion, the Contractor shall provide the following before the network is accepted.
  • As-built network architecture and topology drawings reflecting all field changes, including final port assignments and patch records
  • As-configured device configuration files (switch, router, firewall, radio, and gateway) exported and provided in both native and human-readable form
  • Final IP addressing and VLAN documentation as commissioned
  • Network commissioning and test records, including cable certification, redundancy failover tests, and time-synchronization verification
  • Cybersecurity hardening record documenting the as-built device hardening, account list, firewall/conduit rules, disabled services and ports, and firmware versions
  • Configuration backup media and the documented restore procedure for each device class
  • Operation and maintenance manuals for all active network devices
  • Warranty documentation
Closeout Submittals Required [checkbox]
  • As-built network architecture and topology drawings
  • As-configured device configuration files (native and readable)
  • Final IP addressing and VLAN documentation
  • Network commissioning and test records
  • Cybersecurity hardening record (accounts, rules, ports, firmware)
  • Configuration backup media and restore procedure
  • Operation and maintenance manuals
  • Warranty documentation

4 Quality Assurance

4.1 Integrator Qualifications

4.1.1 The network integrator shall have a minimum of five years of continuous experience designing and commissioning industrial OT networks of the type and scale specified.
4.1.2 Personnel configuring managed switches, routers, and firewalls shall hold current manufacturer certification on the products supplied, and personnel performing fiber-optic termination and testing shall hold a recognized fiber-optic installer certification.
NOTE For water and wastewater projects, the integrator shall demonstrate prior experience with distributed telemetry and DNP3, which differ materially from a single-site plant network. (4.1.3)

4.2 Component Security Certification

Network Device Security Certification (ISA/IEC 62443-4-2) [radio]
  • Required — switches, routers, and firewalls certified to ISA/IEC 62443-4-2
  • Required for security-zone boundary devices (firewalls/routers) only
  • Not required — hardening per project plan in lieu of certification
4.2.1 Network infrastructure devices should be certified to ISA/IEC 62443-4-2 for the component type (network device or host device) at the target security level assigned to their zone.
4.2.2 Devices forming a zone or conduit boundary (firewalls and security routers) shall provide the technical security capabilities required by ISA/IEC 62443-3-3 for the target security level of the conduit.
NOTE 62443-4-2 certification provides independent evidence that a device has the native security capabilities — authentication, access control, integrity protection, and audit — needed to reach a target security level without relying solely on compensating controls. (4.2.3)

4.3 Factory Acceptance Test

4.3.1 Where the network and its active devices are pre-configured and staged off site, a factory acceptance test (FAT) shall verify device configuration, addressing, VLAN segmentation, redundancy failover, and the firewall/conduit rule set before shipment to site.
4.3.2 The FAT shall be witnessed by the Engineer or the Owner's representative, or recorded and submitted where remote witnessing is accepted.

4.4 Pre-Installation Conference

4.4.1 A pre-installation conference shall be held before network installation begins, attended by the controls integrator, the electrical contractor, the SCADA/HMI integrator, the Owner's OT and IT representatives, and the commissioning agent.
4.4.2 The agenda shall include the OT/IT demarcation and DMZ ownership, IP addressing authority, the cybersecurity hardening plan, cable pathway coordination, grounding and bonding, and the commissioning and security-acceptance schedule.
NOTE The boundary between OT and IT responsibility is the most common source of project conflict; the DMZ owner, the firewall rule authority, and the addressing authority shall be agreed in writing at this conference. (4.4.3)

5 Environmental and Service Conditions

5.1 Installation Environment

NOTE Industrial OT network hardware is exposed to temperature extremes, vibration, dust, moisture, and electrical noise that exceed the office environment for which commercial IT switches are designed. (5.1.1)
NOTE The MICE classification of ISO/IEC 11801 and ISO/IEC 24702 (Mechanical, Ingress, Climatic, Electromagnetic) describes the installation environment and is the basis for selecting hardware and cabling rated for it. (5.1.2)
Network Environment Classification (MICE) [select]
  • M1 I1 C1 E1 — office/control-room environment (managed IT-grade hardware acceptable)
  • M2 I2 C2 E2 — general industrial / plant floor (industrially rated hardware)
  • M3 I3 C3 E3 — harsh / heavy industrial, wet wells, outdoor (hardened hardware, sealed connectors)
5.1.3 Active network devices installed outside a conditioned control room shall be industrially hardened, with a wide operating-temperature range, fanless convection cooling, DIN-rail mounting, and redundant DC power input.
5.1.4 Devices installed in wet wells, lift stations, outdoor cabinets, or washdown areas shall be rated for the ingress and climatic class of the location, and connectors in those locations shall be sealed (e.g., M12 industrial connectors) rather than standard RJ45.
NOTE Specifying office-grade switches for plant-floor or outdoor service is a frequent and costly error; commercial switches with fans and a narrow temperature range fail early in industrial heat, dust, and vibration. (5.1.5)

5.2 Temperature and Power

Network Device Operating Temperature Rating [select]
  • 0 to +45 (control-room / conditioned space)
  • -10 to +60 (general industrial)
  • -40 to +75 (extended industrial / outdoor / unconditioned)
Network Device Power Input [select]
  • 24 VDC — single input
  • 24 VDC — dual redundant inputs
  • 48 VDC
  • 120/240 VAC
  • Power over Ethernet (PoE/PoE+) for field devices
5.2.1 Active network devices should be powered from the same regulated, backed-up DC control power as the controllers they serve, so that a power disturbance does not drop the network while the controllers remain energized.
5.2.2 Devices supporting redundant power input shall have both inputs connected to independent supplies where available.

6 Network Architecture and Reference Model

6.1 Purdue / ISA-95 Reference Model

6.1.1 The network shall be structured on the Purdue / ISA-95 reference model, with each device assigned to a level: Level 0 (field instruments and final elements), Level 1 (controllers and I/O), Level 2 (supervisory control and local HMI), Level 3 (site operations, historian, engineering workstations), and Level 4 (enterprise/IT, outside this scope).
6.1.2 The level assignment of every device shall be shown on the network architecture drawing.
NOTE The Purdue model is the organizing principle for OT network segmentation: traffic flows and trust decrease moving up the levels, and the controls between levels are where security is enforced. (6.1.3)

6.2 OT/IT Demilitarized Zone

6.2.1 A demilitarized zone (DMZ) shall be provided at Level 3.5 between the OT network (Levels 0 through 3) and the enterprise/IT network (Level 4).
6.2.2 No direct communication path shall exist between the OT network and the enterprise network; all cross-domain data exchange shall traverse the DMZ.
6.2.3 Data shared with the enterprise (historian replication, reporting, remote read-only views) shall be brokered by a server or data diode located in the DMZ, so that no enterprise host initiates a connection directly into the control network.
NOTE The DMZ is the single most important architectural control for protecting the control network; a flat network with the OT and enterprise systems on the same broadcast domain has no defensible boundary and is the condition that lets IT-side malware reach controllers. (6.2.4)
OT/Enterprise Boundary Architecture [select]
  • Firewalled DMZ with broker server (historian/reporting replica in DMZ)
  • Firewalled DMZ with data diode (one-way OT-to-enterprise only)
  • Dual-firewall DMZ (separate OT-side and IT-side firewalls)
  • Air-gapped — no enterprise connection

6.3 Zones and Conduits

6.3.1 The network shall be partitioned into security zones and conduits in accordance with ISA/IEC 62443-3-2.
6.3.2 Each zone shall group assets that share common security requirements, and each conduit shall be the controlled communications path between zones.
6.3.3 A target security level (SL-T) shall be assigned to each zone and conduit based on a documented risk assessment, and the network controls shall be selected to meet that level.
6.3.4 Inter-zone traffic shall pass only through a conduit with an enforcing device (firewall or security router); intra-zone traffic shall not be required to traverse the boundary.
NOTE Zones and conduits convert an abstract risk assessment into concrete firewall rules and VLAN boundaries; without them, every device implicitly trusts every other device on the network. (6.3.5)

6.4 Network Segmentation

Segmentation Method [select]
  • VLANs on managed switches with inter-VLAN firewall/routing
  • Physically separate switches per zone
  • VLANs plus physically separate switches at zone boundaries
6.4.1 The control network shall be segmented from the plant business systems and from other zones using VLANs (IEEE 802.1Q) on managed switches, physically separate switches, or a combination, as required to enforce the zone model.
6.4.2 Broadcast and multicast traffic, which several industrial protocols rely on, shall be contained within the appropriate zone so that a multicast storm in one zone does not degrade another.
6.4.3 Inter-VLAN traffic shall be routed and filtered by a Layer 3 device or firewall, not bridged.

7 Industrial Protocols

7.1 Ethernet-Based Control Protocols

NOTE The primary control protocol on the Ethernet network shall be selected to match the controller platform and the installed base, and shall be one of the open industrial Ethernet protocols. (7.1.1)
NOTE EtherNet/IP (managed by ODVA, built on the Common Industrial Protocol) is common with one major controller family and uses standard Ethernet with CIP at the application layer. (7.1.2)
NOTE PROFINET (IEC 61158 / IEC 61784, managed by PI) is common with another major controller family and provides real-time and isochronous classes. (7.1.3)
NOTE Modbus TCP is a simple, widely supported register-based protocol used for device integration and for equipment that lacks a native EtherNet/IP or PROFINET interface. (7.1.4)
Primary Ethernet Control Protocol [radio]
  • EtherNet/IP (ODVA / CIP)
  • PROFINET (IEC 61158/61784)
  • Modbus TCP
  • Mixed — multiple protocols gatewayed to a common layer
7.1.5 The primary control protocol shall be applied consistently within a zone; mixing real-time control protocols within a single zone without a documented reason complicates redundancy, time sync, and troubleshooting.
7.1.6 Where multiple protocols are unavoidable, they shall be bridged at a defined gateway, not by allowing unrelated protocols to share a control VLAN.

7.2 Serial and Legacy Protocols

NOTE Modbus RTU and PROFIBUS DP serve serial-connected and legacy field devices and shall be brought onto the Ethernet network through a gateway at a defined point rather than extended as long serial trunks. (7.2.1)
Serial Field Protocols Present [checkbox]
  • Modbus RTU (RS-485)
  • PROFIBUS DP (RS-485)
  • PROFIBUS PA (IEC 61158-2, process automation)
  • Proprietary serial (vendor-specific, behind a gateway)
  • None — all devices natively Ethernet
7.2.2 Serial multidrop segments (RS-485) shall be wired in a daisy-chain (not star) topology, terminated at both ends with the characteristic impedance, and biased per the device requirements.
7.2.3 Each serial segment shall be isolated and surge-protected where it leaves a panel, coordinated with Grounding And Bonding.
NOTE A serial multidrop segment that is star-wired, unterminated, or improperly biased produces intermittent communication faults that are difficult to diagnose; the topology and termination are not optional. (7.2.4)

7.3 Integration Protocol — OPC UA

7.3.1 OPC UA (IEC 62541) shall be the protocol for cross-domain and cross-vendor data integration — between the control layer and the historian, MES, or enterprise reporting — where a vendor-neutral, secure interface is required.
7.3.2 OPC UA connections shall use the protocol's native security (application authentication, message signing, and encryption) and shall not be exposed across the OT/IT boundary except through the DMZ.
NOTE OPC UA is an integration layer, not a real-time control protocol; it complements the control protocol rather than replacing it, and is the right tool for moving structured data up the Purdue levels. (7.3.3)

8 Transmission Media

8.1 Copper or Fiber Selection

NOTE Network media between active devices shall be selected per segment based on distance, the need for galvanic isolation, electrical-noise exposure, and the routing environment. (8.1.1)
NOTE Balanced twisted-pair copper (Category 6 or 6A per ANSI/TIA-568) is appropriate for segments within a building or panel lineup that are within the 100 m channel limit and not exposed to severe electrical noise or ground-potential differences. (8.1.2)
NOTE Optical fiber is required where the segment exceeds the copper distance limit, crosses between buildings or structures with different ground references, runs through or near medium- and high-voltage equipment, or passes through areas of severe electrical noise. (8.1.3)
Backbone / Inter-Building Media [radio]
  • Multimode fiber (OM3) — within plant, short backbone
  • Multimode fiber (OM4) — within plant, higher bandwidth/distance
  • Single-mode fiber (OS2) — long backbone, inter-building, future-proof
  • Balanced twisted-pair copper (Cat 6A) — short, in-building, low-noise only
Horizontal / Device-Level Media [radio]
  • Category 6A balanced twisted-pair (ANSI/TIA-568)
  • Category 6 balanced twisted-pair (ANSI/TIA-568)
  • Industrial M12-terminated twisted-pair (harsh locations)
  • Multimode fiber to field device (isolation / distance)
8.1.4 Fiber shall be used for any segment that crosses between separately grounded structures, because fiber is a dielectric and breaks the metallic path that would otherwise carry damaging ground-potential differences and surge current between buildings.
8.1.5 Copper segments shall not exceed the 100 m channel length of ANSI/TIA-568; segments approaching the limit shall use fiber or an intermediate switch.
NOTE Running copper between buildings or near medium-voltage gear is a recurring source of equipment damage and communication faults; the galvanic isolation of fiber eliminates ground loops and induced noise that copper cannot. (8.1.6)

8.2 Cabling Installation

8.2.1 Network cable types, ratings, and pathway methods shall comply with Conductors And Cables and Raceways And Conduit and with NFPA 70 Article 725 and Chapter 8.
8.2.2 Communications and control cabling shall maintain separation from power conductors per the cable manufacturer's instructions and the NEC to limit induced noise.
8.2.3 Cable lengths, routing, and outlet/connector locations are as indicated on the network and cable-route drawings.

9 Switches and Network Devices

9.1 Managed Industrial Switches

9.1.1 Switches on the control network shall be managed industrial switches, not unmanaged or office-grade switches.
9.1.2 Managed switches shall support VLANs (IEEE 802.1Q), the selected redundancy/ring protocol, port security, SNMP monitoring, and the management interface required by the cybersecurity hardening plan.
Switch Management Class [radio]
  • Managed — full L2 (VLAN, ring protocol, port security, SNMP)
  • Managed — L3 (routing, inter-VLAN, ACLs) for distribution/core
  • Lightly managed — limited configuration (edge field devices only)
NOTE Unmanaged switches shall not be used on the control network because they provide no segmentation, no redundancy participation, no port security, and no diagnostics, and they cannot be hardened. (9.1.3)

9.2 Routing and Firewalls

9.2.1 Inter-zone routing and filtering shall be performed by a Layer 3 switch, router, or industrial firewall at each conduit boundary.
9.2.2 The firewall rule set shall be default-deny, permitting only the specific protocols, source/destination pairs, and ports required by the conduit, and shall be documented in the zone and conduit register.
9.2.3 Remote access into the OT network, where provided, shall terminate in the DMZ and require multi-factor authentication, and shall not provide a direct path to control devices.
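
One way to check a conduit rule set against the requirements of 9.2.2 and the DMZ rule of 6.2.2, given as an added example that is not part of this standard. The zone names, subnets, register layout, and rule fields are constructed for illustration and are not tied to any firewall product.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed zone register: zone name -> (Purdue level, subnet).
ZONES = {
    "control":     (1,   ip_network("10.10.1.0/24")),
    "supervisory": (2,   ip_network("10.10.2.0/24")),
    "operations":  (3,   ip_network("10.10.3.0/24")),
    "dmz":         (3.5, ip_network("10.10.35.0/24")),
    "enterprise":  (4,   ip_network("10.40.0.0/16")),
}

# Constructed conduit register: (source zone, destination zone) -> permitted (protocol, port).
CONDUITS = {
    ("supervisory", "control"): {("tcp", 44818)},  # EtherNet/IP
    ("operations", "dmz"):      {("tcp", 4840)},   # OPC UA to the DMZ broker
    ("enterprise", "dmz"):      {("tcp", 443)},    # read-only reporting view
}

ENTERPRISE_LEVEL = 4
TOP_OT_LEVEL = 3


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: str      # host, CIDR, or "any"
    dst: str      # host, CIDR, or "any"
    proto: str    # "tcp", "udp", or "any"
    port: object  # int, or "any"


# Constructed rule set, listed in evaluation order.
RULES = [
    Rule("permit", "10.10.2.10", "10.10.1.20", "tcp", 44818),
    Rule("permit", "10.10.3.5", "10.10.35.10", "tcp", 4840),
    Rule("permit", "10.40.5.5", "10.10.35.10", "tcp", 443),
    Rule("permit", "10.40.5.5", "10.10.1.20", "tcp", 502),   # enterprise straight to a controller
    Rule("permit", "any", "10.10.2.10", "tcp", 3389),        # wildcard source
    Rule("permit", "10.10.3.5", "10.10.2.10", "tcp", 22),    # no such conduit in the register
    Rule("deny", "any", "any", "any", "any"),
]


def zone_of(endpoint):
    """Return the zone whose subnet contains the endpoint, or None."""
    if endpoint == "any":
        return None
    net = ip_network(endpoint, strict=False)
    for name, (_level, subnet) in ZONES.items():
        if net.subnet_of(subnet):
            return name
    return None


def is_deny_all(rule):
    return (rule.action, rule.src, rule.dst, rule.proto, rule.port) == (
        "deny", "any", "any", "any", "any")


def audit(rules):
    """Return (rule number, finding) pairs; rule number 0 means the rule set as a whole."""
    findings = []
    if not rules or not is_deny_all(rules[-1]):
        findings.append((0, "no-default-deny"))          # 9.2.2: default-deny
    for number, rule in enumerate(rules, start=1):
        if rule.action != "permit":
            continue
        if "any" in (rule.src, rule.dst, rule.proto, rule.port):
            findings.append((number, "wildcard"))        # 9.2.2: specific pairs and ports only
            continue
        src_zone, dst_zone = zone_of(rule.src), zone_of(rule.dst)
        if src_zone is None or dst_zone is None:
            findings.append((number, "unknown-zone"))
            continue
        if src_zone == dst_zone:
            continue                                     # intra-zone traffic is not conduit traffic
        levels = {ZONES[src_zone][0], ZONES[dst_zone][0]}
        if ENTERPRISE_LEVEL in levels and min(levels) <= TOP_OT_LEVEL:
            findings.append((number, "bypasses-dmz"))    # 6.2.2: no direct OT/enterprise path
        elif (rule.proto, rule.port) not in CONDUITS.get((src_zone, dst_zone), set()):
            findings.append((number, "undocumented"))    # 9.2.2: must be in the register
    return findings


if __name__ == "__main__":
    for number, finding in audit(RULES):
        print(number, finding)
```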

9.3 Protocol Gateways and Media Converters

9.3.1 Gateways translating between protocols (e.g., Modbus RTU to Modbus TCP, or serial to Ethernet) shall be placed at a defined boundary and shown on the architecture drawing.

10 Redundancy and Determinism

10.1 Topology and Redundancy Protocol

NOTE The control-network backbone shall use a redundant topology (ring or redundant star) so that a single cable or switch failure does not isolate controllers from the supervisory layer. (10.1.1)
NOTE The redundancy protocol shall be selected to meet the recovery-time requirement of the controlled process. (10.1.2)
Redundancy / Ring Protocol [select]
  • RSTP (IEEE 802.1D/802.1Q) — recovery in seconds, simple, vendor-neutral
  • MRP (IEC 62439-2) — ring recovery typically under 200 ms
  • DLR (Device Level Ring, ODVA/EtherNet/IP) — recovery under 3 ms
  • PRP (IEC 62439-3) — parallel networks, zero-time seamless
  • HSR (IEC 62439-3) — ring, zero-time seamless
  • Vendor proprietary fast-ring (within a single switch family)
Maximum Network Recovery Time [range]: 0 to 5000 ms
Default: 200 ms
10.1.3 A ring topology shall have a designated ring manager (redundancy manager), and the role assignment shall be documented; client switches shall be configured consistently with the manager.
NOTE RSTP recovery is measured in seconds and is acceptable only where the process tolerates that interruption; processes requiring bumpless recovery shall use DLR, PRP, or HSR for seamless or near-seamless switchover. (10.1.4)
NOTE Mixing redundancy protocols in one ring, or leaving two ring managers active, creates a network loop or a broadcast storm; the redundancy design shall be coherent across the ring. (10.1.5)

10.2 Determinism and Latency

10.2.1 Where the controlled process requires deterministic delivery (motion, fast interlocks, isochronous I/O), the network shall be designed for bounded latency using prioritization (QoS / IEEE 802.1Q priority) and, where required, the real-time class of the selected protocol.
10.2.2 Control traffic shall be prioritized over non-control traffic on shared segments so that bulk transfers (historian backfill, file copies, video) cannot delay control messages.
NOTE Network load on any control segment should be kept well below saturation so that latency and jitter remain bounded under worst-case traffic; an overloaded control segment introduces variable delay that undermines determinism. (10.2.3)

11 Time Synchronization

11.1 Time Source and Protocol

Time Synchronization Protocol [radio]
  • NTP (RFC 5905) — millisecond accuracy, sufficient for SCADA timestamping
  • PTP (IEEE 1588) — sub-microsecond, for motion / sequence-of-events / TSN
  • Both — NTP for general devices, PTP where sub-microsecond is required
Time Reference Source [select]
  • GPS/GNSS-disciplined grandmaster clock (on site)
  • Site NTP server synchronized to GPS/GNSS
  • Site NTP server synchronized to an internal reference
  • Upstream/enterprise time source via the DMZ (read-only)
11.1.2 A site time reference shall be provided, and time shall be distributed within the OT network from that reference rather than from an enterprise source reached across the OT/IT boundary.
NOTE NTP provides millisecond accuracy that is sufficient for SCADA alarm and event timestamping; PTP (IEEE 1588), using hardware timestamping, provides sub-microsecond accuracy required for motion control, sequence-of-events recording, and time-sensitive networking. (11.1.3)
NOTE Unsynchronized clocks make multi-device event sequences impossible to reconstruct after an upset; common time is a prerequisite for meaningful alarm analysis and forensic review. (11.1.4)

12 Remote Site Communications

12.1 Telemetry for Distributed Sites

NOTE Geographically distributed water and wastewater facilities — remote pump stations, lift stations, wells, tanks, and metering sites — shall communicate with the central SCADA system over a wide-area telemetry bearer rather than plant cabling. (12.1.1)
Remote Site Communications Bearer [select]
  • Licensed point-to-multipoint radio (utility-owned spectrum)
  • Unlicensed spread-spectrum radio (900 MHz / 2.4 GHz)
  • Cellular (private APN, 4G/5G)
  • Cellular with radio backup (dual-path)
  • Fiber/leased line where available
12.1.2 Remote sites shall use a controller or RTU that retains local control and logs data when communications are lost, and forwards stored data when communications are restored (store-and-forward).

12.2 Telemetry Protocol

Telemetry Protocol [radio]
  • DNP3 (IEEE 1815) — report-by-exception, time-stamped, secure auth
  • Modbus over the bearer (simple polling)
  • OPC UA over cellular VPN (where bandwidth permits)
  • Vendor proprietary telemetry protocol
NOTE Telemetry traffic crossing public networks (cellular, leased) shall be encrypted (VPN or DNP3 Secure Authentication) so that a remote site cannot be commanded by an unauthorized master. (12.2.3)

13 OT Cybersecurity Baseline

13.1 Security Program and Levels

13.1.1 The OT cybersecurity baseline shall follow ISA/IEC 62443 and NIST SP 800-82 and shall implement the zones, conduits, and target security levels established under Network Architecture.
13.1.2 A target security level (SL-T) shall be assigned to each zone per ISA/IEC 62443-3-2, and the network controls shall be configured to meet the corresponding system security requirements of ISA/IEC 62443-3-3.
Minimum Target Security Level (SL-T) for the Control Zone [radio]
  • SL 1 — protection against casual or coincidental violation
  • SL 2 — protection against intentional violation using simple means
  • SL 3 — protection against intentional violation using sophisticated means
  • SL 4 — protection against intentional violation using sophisticated means with extended resources
NOTE For critical infrastructure such as water and wastewater treatment, the Owner's risk assessment and any applicable regulatory guidance (including AWWA cybersecurity guidance and WaterISAC fundamentals) shall inform the selected security level. (13.1.3)

13.2 Device Hardening

13.2.1 Every active network device shall be hardened before being placed in service: default credentials changed, unused physical ports and logical services disabled, secure management protocols enabled (e.g., SSH and HTTPS rather than Telnet and HTTP), and the device firmware updated to a tested, supported version.
13.2.2 Unused switch ports shall be administratively disabled, and port security (MAC limiting or sticky MAC) shall be enabled on access ports where the connected device set is fixed.
NOTE Default credentials and open management services are the most exploited weakness in OT devices; an unhardened switch on the control network is a foothold regardless of any firewall in front of it. (13.2.3)
Device Hardening Measures:
  • Default credentials changed; unique per-device or per-role accounts
  • Unused ports administratively disabled
  • Port security (MAC limiting / sticky MAC) on access ports
  • Insecure management services disabled (Telnet, HTTP, unused SNMP)
  • Secure management enabled (SSH, HTTPS, SNMPv3)
  • Firmware updated to a tested, supported version
  • Configuration backed up after commissioning
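The hardening measures above can be checked mechanically against an exported device configuration. The following is an added example, not part of this specification: it assumes a Cisco IOS-style configuration syntax (the specification is vendor-neutral), uses a constructed sample configuration, and assumes that an interface with no description has no documented device attached.

```python
# Constructed sample in Cisco IOS-style syntax (assumed; the spec is vendor-neutral).
SAMPLE_CONFIG = """\
ip http server
snmp-server community public RO
interface GigabitEthernet1/1
 description PLC-101
 switchport mode access
 switchport port-security
interface GigabitEthernet1/2
 description HMI-01
 switchport mode access
interface GigabitEthernet1/3
 shutdown
interface GigabitEthernet1/4
line vty 0 4
 transport input telnet ssh
"""

def parse_blocks(text):
    """Group each top-level line with the indented lines that follow it."""
    blocks = []
    for line in text.splitlines():
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif line.strip():
            blocks.append((line.strip(), []))
    return blocks

def audit(text):
    # Returns a list of findings against the 13.2 hardening measures.
    blocks = parse_blocks(text)
    top, findings = {head for head, _ in blocks}, []
    if "ip http server" in top:
        findings.append("HTTP management enabled")
    if "ip http secure-server" not in top:
        findings.append("HTTPS management not enabled")
    for head, body in blocks:
        if head.startswith("snmp-server community "):
            findings.append("SNMP community string (v1/v2c) configured")
        if head.startswith("line vty") and any(
                b.startswith("transport input ") and {"telnet", "all"} & set(b.split())
                for b in body):
            findings.append(f"{head}: Telnet permitted")
        if head.startswith("interface ") and "shutdown" not in body:
            port = head.split()[1]
            # Assumption: a port with no description has no documented device.
            if not any(b.startswith("description ") for b in body):
                findings.append(f"{port}: unused port not disabled")
            elif "switchport mode access" in body and "switchport port-security" not in body:
                findings.append(f"{port}: access port without port security")
    return findings
```

Default credentials and firmware level cannot be read from a configuration file of this kind and still need a separate check.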

13.3 Account Management

13.3.1 Network devices shall use named accounts with role-based privilege rather than shared administrator logins, and accounts shall be managed centrally where the device class supports it.
13.3.2 Access to network device management shall be restricted to the management VLAN and to authorized engineering hosts, and shall not be reachable from the general control VLAN or from outside the OT network except through the DMZ.

13.4 Patch Management

13.4.1 A patch-management process shall be established that identifies firmware and software updates for network devices, tests them in a non-production environment, and schedules their application during planned outages.
NOTE Patches shall not be applied to production OT devices without testing, because an untested firmware update can disrupt the controlled process; the patch process shall balance vulnerability exposure against availability. (13.4.2)
Patch Management Approach:
  • Scheduled — tested updates applied during planned maintenance windows
  • Risk-based — security-critical patches expedited after testing; others deferred
  • Vendor-validated only — only updates validated by the system vendor are applied

13.5 Monitoring and Logging

13.5.1 Network devices shall send security and operational logs to a central collector (syslog or SNMP) located within the OT network, and the time on all devices shall be synchronized so that logged events correlate.
NOTE Logging without synchronized time and without a collector is of little value during an incident; centralized, time-aligned logs are what make an upset or intrusion reconstructable. (13.5.3)

13.6 Backup and Recovery

13.6.1 The as-commissioned configuration of every active network device shall be backed up, stored securely, and updated whenever a configuration change is made.
13.6.2 A documented restore procedure shall be provided for each device class so that a failed device can be replaced and reconfigured from backup without reconstructing its configuration from memory.

14 Testing and Commissioning

Cable Test Documentation:
  • Copper channel/permanent-link certification (ANSI/TIA-568)
  • Fiber insertion-loss (power-meter) test, each link
  • Fiber OTDR trace, each backbone link
  • Connector/termination inspection record
14.1.2 Cable certification and fiber test results shall be submitted before the network is energized for commissioning.

14.2 Network Functional Testing

14.2.1 Commissioning shall verify device addressing and VLAN membership, end-to-end communication between each controller and the supervisory layer, and the firewall/conduit rule set against the zone and conduit register.
14.2.3 Time synchronization shall be verified by confirming that all timestamped devices agree on time to within the accuracy of the selected protocol.
Network Commissioning Tests:
  • Addressing and VLAN membership verification
  • End-to-end controller-to-SCADA communication
  • Firewall / conduit rule verification against the register
  • Redundancy failover test (each ring segment and redundant link)
  • Time-synchronization verification
  • Remote-site telemetry and store-and-forward test (where applicable)
  • Network load / latency measurement on control segments

14.3 Security Acceptance

14.3.1 A security acceptance check shall confirm that device hardening, account management, and the firewall rule set match the approved cybersecurity hardening plan, and that no default credentials, open insecure services, or undocumented network paths remain.
14.3.2 Remote-access paths, where provided, shall be tested to confirm they terminate in the DMZ, require multi-factor authentication, and do not provide a direct path to control devices.
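The rule-set verification called for in 14.2.1 and the check for undocumented network paths in 14.3.1 amount to a two-way comparison between the firewall's permit rules and the zone and conduit register. The following is an added example, not part of this specification; the zone subnets, register entries, services, and rules are all constructed for illustration.

```python
import ipaddress

# Constructed zone map, conduit register and firewall rules (illustrative values only).
ZONES = {"control": "10.10.1.0/24", "supervisory": "10.10.2.0/24",
         "dmz": "10.10.35.0/24", "enterprise": "172.16.0.0/16"}
REGISTER = {("supervisory", "control", "tcp/44818"),
            ("dmz", "supervisory", "tcp/443"),
            ("enterprise", "dmz", "tcp/443")}
RULES = [  # (source, destination, service, action)
    ("10.10.2.0/24", "10.10.1.0/24", "tcp/44818", "permit"),
    ("172.16.0.0/16", "10.10.35.0/24", "tcp/443", "permit"),
    ("172.16.5.0/24", "10.10.1.20/32", "tcp/3389", "permit"),
    ("10.10.0.0/16", "10.10.1.0/24", "tcp/502", "permit"),
    ("0.0.0.0/0", "0.0.0.0/0", "any", "deny"),
]

def zone_of(cidr):
    """Name of the single zone that fully contains cidr, else None."""
    net = ipaddress.ip_network(cidr)
    for name, zone_cidr in ZONES.items():
        if net.subnet_of(ipaddress.ip_network(zone_cidr)):
            return name
    return None  # unknown address space, or a rule wider than one zone

def verify(rules, register):
    """Compare permit rules with the register.

    Returns (undocumented, unimplemented): permit rules with no register
    entry, and register conduits that no rule implements.
    """
    implemented, undocumented = set(), []
    for src, dst, service, action in rules:
        if action != "permit":
            continue
        conduit = (zone_of(src), zone_of(dst), service)
        if conduit in register:
            implemented.add(conduit)
        else:
            undocumented.append((src, dst, service, conduit[0], conduit[1]))
    return undocumented, sorted(register - implemented)
```

On the constructed data, the enterprise-to-control rule and the rule whose source spans more than one zone are both reported as undocumented, and the DMZ-to-supervisory conduit is reported as registered but not implemented.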

15 Installation

15.1 Device Mounting and Power

15.1.1 Active network devices shall be mounted in the control panels or network cabinets as indicated on the panel and network-cabinet drawings, on DIN rail or rack as appropriate, with the manufacturer's required clearance for cooling and cabling.
15.1.2 Devices shall be powered from the regulated, backed-up control power source serving the associated controllers, and redundant power inputs shall be connected to independent supplies where available.

15.2 Grounding and Bonding

15.2.1 Network equipment grounding and the bonding of cable shields, racks, and cabinets shall comply with Grounding And Bonding.
15.2.2 Shielded copper cable shields shall be bonded as specified by the cable system (typically at one end for low-frequency, both ends for high-frequency) consistently across a segment, coordinated with the grounding standard, to control noise without creating ground loops.
15.2.3 Fiber shall be used in preference to shielded copper where ground-potential differences between structures make consistent shield bonding impractical, as established under Transmission Media.

15.3 Labeling and Documentation

15.3.1 Every network device, port, patch, and cable shall be labeled to match the as-built network drawings and the addressing/VLAN documentation.
15.3.2 Labels shall identify the device name, the zone, and the address so that a technician can correlate physical equipment to the architecture drawing without guessing.

16 Delivery, Storage, and Handling

16.1 Network devices shall be delivered in the manufacturer's packaging and protected from moisture, dust, electrostatic discharge, and physical damage until installed.
16.2 Fiber-optic cable and connectors shall be protected from contamination and from bend radii smaller than the manufacturer's minimum during delivery, storage, and pulling.
16.3 Devices and cable stored on site before installation shall be kept in a dry, temperature-controlled space within the manufacturer's storage limits.

17 Warranty

17.1 Warranty Terms

Network Equipment Warranty Term:
  • 1 year (minimum)
  • 2 years
  • 3 years
  • 5 years (where offered for industrial network hardware)
17.1.1 The manufacturer shall warrant each active network device against defects in materials and workmanship for the specified term from substantial completion.
17.1.2 The integrator shall warrant the network configuration and integration work — addressing, segmentation, redundancy, time sync, and security hardening — for a minimum of one year from substantial completion, including correction of defects discovered in that period.

18 Spare Parts

18.1 Spare Parts Package

  • One spare managed switch of each type and port configuration deployed
  • Spare media converters and SFP transceivers of each type deployed
  • Spare fiber patch cords and copper patch cords of each type and length deployed
  • One spare remote-site radio or cellular modem of each type deployed (water/wastewater)
Spare Parts Package:
  • Spare managed switch of each type/port configuration
  • Spare media converters and SFP transceivers
  • Spare fiber and copper patch cords
  • Spare remote-site radio / cellular modem (water/wastewater)
  • Spare power supplies for network devices
18.1.2 Spares shall be the same model and firmware-compatible with the installed devices, and the spare-parts list shall be included in the closeout documentation.
