Process Control Networks

Revision 1 · SynC Standards Team — Specifier, SynC (SynC Platform Team / Platform Standards) ✓ Official · Jun 8, 2026 +754 −0

Initial publication
Showing changes from Initial revision to Rev 1 in Process Control Networks.
+---
+title: Process Control Networks
+category: Instrumentation & Controls / Control Panels & Networks
+toc_depth: 3
+description: >
+ When to use: The operational-technology (OT) communications network that connects controllers, remote and distributed I/O, field instruments, and the supervisory SCADA/HMI layer in industrial, process, and water/wastewater (WTP/WWTP) facilities. Covers the network reference architecture and zone segmentation built on the Purdue / ISA-95 model with a demilitarized zone (DMZ) separating the OT network from the enterprise IT network; industrial protocol selection (EtherNet/IP, PROFINET, and Modbus TCP on Ethernet; Modbus RTU and PROFIBUS on serial; OPC UA for cross-domain integration); transmission media selection (balanced twisted-pair copper versus optical fiber for distance, galvanic isolation, and noise immunity); managed industrial Ethernet switches and ring/redundancy protocols (RSTP, MRP, DLR, PRP/HSR); determinism and latency; network time synchronization (NTP and PTP); remote-site telemetry over licensed/unlicensed radio and cellular for geographically distributed water and wastewater systems; and the OT cybersecurity baseline per ISA/IEC 62443 (zones and conduits, device and switch hardening, patch management, account management, and monitoring). Applicable to new plant networks, full network replacements, and substantial OT network expansions.
+
+ Not intended for: Commercial building automation (BAS/DDC) HVAC control networks and their BACnet/Modbus field buses (see [[sync/building-automation-system]]); enterprise IT local area networks, office structured cabling, and data-center cabling; the controllers themselves (see [[sync/programmable-logic-controllers]]); the supervisory software and operator interface (see [[sync/scada-and-hmi-systems]]); the field instruments and final control elements connected to the network (see [[sync/process-instrumentation]], [[sync/flow-measurement]], [[sync/analytical-instrumentation]], [[sync/control-valves-and-actuators]]); the control panels and enclosures that house the network hardware (see [[sync/industrial-control-panels]]); programming, configuration, and overall system integration scope (see [[sync/control-systems-integration]]). Network cable materials and pathway methods are governed by [[sync/conductors-and-cables]] and [[sync/raceways-and-conduit]]; equipotential bonding and grounding of the network by [[sync/grounding-and-bonding]]; these are referenced here, not duplicated.
+---
+
+# Scope {toc}
+
+## This specification covers the design, materials, configuration, segmentation, and cybersecurity hardening of the process control network (PCN) — the operational-technology communications network that interconnects programmable controllers, remote and distributed I/O, networked field instruments, and the supervisory SCADA/HMI layer in industrial, process, and water/wastewater facilities. {note}
+
+## The network addressed in this standard is organized on the Purdue / ISA-95 reference model: Level 0 field devices and instruments, Level 1 controllers and I/O, Level 2 supervisory control and local HMI, and Level 3 site operations and the historian, with a demilitarized zone (DMZ) at Level 3.5 separating the OT network from the Level 4 enterprise/IT network. {note}
+
+## The boundary of work under this standard is the OT network itself — the switches, routers, firewalls, media converters, gateways, wireless radios, time servers, network cabling between active devices, and the configuration, segmentation, and security hardening that bind them into zones and conduits. {note}
+
+## The controllers, the SCADA/HMI software, the field instruments, and the panels that the network connects are each governed by their own standard and are referenced here only at the network interface. {note}
+
+## Network architecture, zones, and conduits shall comply with the Purdue / ISA-95 reference model as defined in ANSI/ISA-95.00.01 (IEC 62264-1) and the segmentation guidance of NIST SP 800-82.
+
+## OT cybersecurity provisions shall comply with the ISA/IEC 62443 series.
+
+## Industrial Ethernet protocols and cabling shall comply with the applicable parts of IEC 61158, IEC 61784, IEC 61918, and ANSI/TIA-1005.
+
+## Wiring methods, raceways, bonding, and grounding shall comply with NFPA 70 (National Electrical Code), including Article 725 for Class 2 and Class 3 circuits and Chapter 8 for communications circuits.
+
+## The Contractor shall coordinate the process control network with the controllers ([[sync/programmable-logic-controllers]]), the SCADA/HMI layer ([[sync/scada-and-hmi-systems]]), the field instruments, the control panels ([[sync/industrial-control-panels]]), the overall system integration ([[sync/control-systems-integration]]), and the network cabling, raceway, and grounding standards ([[sync/conductors-and-cables]], [[sync/raceways-and-conduit]], [[sync/grounding-and-bonding]]).
+
+## Scope Boundaries {toc}
+
+### This standard governs the industrial OT network and is distinct from the commercial building automation network. {note}
+
+### Commercial building automation (BAS/DDC) networks for HVAC and ancillary building systems — including their BACnet and Modbus building field buses — are outside this scope and are governed by [[sync/building-automation-system]]. {note}
+
+### Enterprise IT networks, office and general-purpose structured cabling, and data-center cabling are outside this scope; the boundary between the OT network and the enterprise network is the DMZ defined in this standard. {note}
+
+### Sequences of operation and control logic are established on the contract documents and executed by the controllers ([[sync/programmable-logic-controllers]]); this standard governs the network that carries the data, not the logic that acts on it. {note}
+
+# Referenced Standards {toc}
+
+## Equipment, materials, configuration, and installation shall comply with the latest adopted edition of each of the following unless a specific edition is cited.
+
+## Where conflicts exist between referenced standards, the more stringent requirement shall govern unless the Engineer of Record directs otherwise in writing.
+
+## Standards Table {toc}
+
+| Standard | Title |
+|----------|-------|
+| ANSI/ISA-95.00.01 / IEC 62264-1 | Enterprise-Control System Integration (Purdue / ISA-95 reference model) |
+| ISA/IEC 62443-1-1 | Security for Industrial Automation and Control Systems — Terminology, Concepts, and Models (foundational requirements) |
+| ISA/IEC 62443-2-1 | Establishing an Industrial Automation and Control Systems Security Program |
+| ISA/IEC 62443-3-2 | Security Risk Assessment for System Design (zones and conduits) |
+| ISA/IEC 62443-3-3 | System Security Requirements and Security Levels |
+| ISA/IEC 62443-4-2 | Technical Security Requirements for IACS Components |
+| NIST SP 800-82 | Guide to Operational Technology (OT) Security |
+| IEC 61158 | Industrial Communication Networks — Fieldbus Specifications |
+| IEC 61784-1 / 61784-2 | Industrial Communication Networks — Profiles (fieldbus and real-time Ethernet) |
+| IEC 61784-5 | Industrial Communication Networks — Installation Profiles |
+| IEC 61918 | Industrial Communication Networks — Installation of Communication Networks in Industrial Premises |
+| ISO/IEC 11801 / ISO/IEC 24702 | Generic Cabling for Customer Premises / Industrial Premises (MICE environmental classification) |
+| ANSI/TIA-568 | Telecommunications Cabling Standard (balanced twisted-pair and optical fiber components) |
+| ANSI/TIA-1005 | Telecommunications Infrastructure Standard for Industrial Premises |
+| IEC 62541 | OPC Unified Architecture (OPC UA) |
+| IEC 62439-2 | Media Redundancy Protocol (MRP) |
+| IEC 62439-3 | Parallel Redundancy Protocol (PRP) and High-availability Seamless Redundancy (HSR) |
+| IEEE 802.1D / 802.1Q | Spanning Tree (RSTP) / Bridges and Bridged Networks (VLANs) |
+| IEEE 1588 | Precision Time Protocol (PTP) for Networked Measurement and Control Systems |
+| IEEE 802.1AS | Timing and Synchronization for Time-Sensitive Applications |
+| IETF RFC 5905 | Network Time Protocol Version 4 (NTPv4) |
+| IEEE 1815 | Distributed Network Protocol (DNP3) |
+| NFPA 70 | National Electrical Code (NEC) — Article 725 (Class 2/3) and Chapter 8 (communications) |
+
+# Submittals {toc}
+
+## Action Submittals {toc}
+
+### The Contractor shall submit the following for the Engineer's review and approval prior to procurement and installation.
+
+- Network architecture drawing showing the Purdue / ISA-95 level assignment of every device, the zones and conduits, the DMZ, and the demarcation between the OT network and the enterprise network
+- Zone and conduit register identifying each zone, its assets, the conduits connecting it, and the target security level (SL-T) assigned per ISA/IEC 62443-3-2
+- IP addressing plan and VLAN schedule, including subnets per zone, management VLAN, and address assignment method (static for OT devices)
+- Product data for all active network devices — managed switches, routers, firewalls, media converters, protocol gateways, wireless radios, and time servers — including port count, media type, ring/redundancy protocol support, protocol support, environmental rating, power input, and ISA/IEC 62443-4-2 component certification where claimed
+- Protocol schedule listing each industrial protocol in use (EtherNet/IP, PROFINET, Modbus TCP, Modbus RTU, PROFIBUS, OPC UA, DNP3) and the devices and conduits on which each operates
+- Media selection schedule identifying copper versus fiber for each network segment with the basis (distance, galvanic isolation, noise immunity, or routing through high-voltage areas)
+- Redundancy scheme description identifying the ring or redundancy protocol (RSTP, MRP, DLR, PRP, or HSR), the recovery-time target, and the ring manager assignment
+- Time synchronization design identifying the grandmaster/reference clock, the protocol (NTP or PTP), the time source (GPS/GNSS or other), and the distribution path
+- Remote-site telemetry design for distributed water/wastewater sites, including the communications bearer (licensed radio, unlicensed radio, or cellular), the telemetry protocol (DNP3 typical), polling and report-by-exception strategy, and store-and-forward behavior on loss of communications
+- Cybersecurity hardening plan addressing device hardening, default-credential elimination, account management, port security, firewall/conduit rule set, patch management, backup, and logging/monitoring per ISA/IEC 62443 and NIST SP 800-82
+- Bill of materials and cable schedule, coordinated with [[sync/conductors-and-cables]] and [[sync/raceways-and-conduit]]
+
+```datasheet
+label: Action Submittals Required
+type: checkbox
+options:
+ - "Network architecture drawing (Purdue/ISA-95 levels, zones, conduits, DMZ)"
+ - "Zone and conduit register with target security levels (62443-3-2)"
+ - "IP addressing plan and VLAN schedule"
+ - "Active network device product data (62443-4-2 certification where claimed)"
+ - "Protocol schedule (EtherNet/IP, PROFINET, Modbus, OPC UA, DNP3)"
+ - "Media selection schedule (copper vs. fiber with basis)"
+ - "Redundancy scheme (RSTP/MRP/DLR/PRP/HSR) and recovery target"
+ - "Time synchronization design (NTP/PTP, reference clock)"
+ - "Remote-site telemetry design (radio/cellular, DNP3)"
+ - "Cybersecurity hardening plan (62443 / SP 800-82)"
+ - "Bill of materials and cable schedule"
+default: "Network architecture drawing (Purdue/ISA-95 levels, zones, conduits, DMZ)"
+```
+
+### Fabrication, procurement, and installation shall not proceed until action submittals have been reviewed and returned.
+
+## Closeout Submittals {toc}
+
+### At substantial completion, the Contractor shall provide the following before the network is accepted.
+
+- As-built network architecture and topology drawings reflecting all field changes, including final port assignments and patch records
+- As-configured device configuration files (switch, router, firewall, radio, and gateway) exported and provided in both native and human-readable form
+- Final IP addressing and VLAN documentation as commissioned
+- Network commissioning and test records, including cable certification, redundancy failover tests, and time-synchronization verification
+- Cybersecurity hardening record documenting the as-built device hardening, account list, firewall/conduit rules, disabled services and ports, and firmware versions
+- Configuration backup media and the documented restore procedure for each device class
+- Operation and maintenance manuals for all active network devices
+- Warranty documentation
+
+```datasheet
+label: Closeout Submittals Required
+type: checkbox
+options:
+ - "As-built network architecture and topology drawings"
+ - "As-configured device configuration files (native and readable)"
+ - "Final IP addressing and VLAN documentation"
+ - "Network commissioning and test records"
+ - "Cybersecurity hardening record (accounts, rules, ports, firmware)"
+ - "Configuration backup media and restore procedure"
+ - "Operation and maintenance manuals"
+ - "Warranty documentation"
+default: "As-built network architecture and topology drawings"
+```
+
+# Quality Assurance {toc}
+
+## Integrator Qualifications {toc}
+
+### The network integrator shall have a minimum of five years of continuous experience designing and commissioning industrial OT networks of the type and scale specified.
+
+### Personnel configuring managed switches, routers, and firewalls shall hold current manufacturer certification on the products supplied, and personnel performing fiber-optic termination and testing shall hold a recognized fiber-optic installer certification.
+
+### For water and wastewater projects, the integrator shall demonstrate prior experience with distributed telemetry and DNP3, which differ materially from a single-site plant network. {note}
+
+## Component Security Certification {toc}
+
+```datasheet
+label: Network Device Security Certification (ISA/IEC 62443-4-2)
+type: radio
+options:
+ - "Required — switches, routers, and firewalls certified to ISA/IEC 62443-4-2"
+ - "Required for security-zone boundary devices (firewalls/routers) only"
+ - "Not required — hardening per project plan in lieu of certification"
+default: "Required for security-zone boundary devices (firewalls/routers) only"
+```
+
+### Network infrastructure devices should be certified to ISA/IEC 62443-4-2 for the component type (network device or host device) at the target security level assigned to their zone.
+
+### Devices forming a zone or conduit boundary (firewalls and security routers) shall provide the technical security capabilities required by ISA/IEC 62443-3-3 for the target security level of the conduit.
+
+### 62443-4-2 certification provides independent evidence that a device has the native security capabilities — authentication, access control, integrity protection, and audit — needed to reach a target security level without relying solely on compensating controls. {note}
+
+## Factory Acceptance Test {toc}
+
+### Where the network and its active devices are pre-configured and staged off site, a factory acceptance test (FAT) shall verify device configuration, addressing, VLAN segmentation, redundancy failover, and the firewall/conduit rule set before shipment to site.
+
+### The FAT shall be witnessed by the Engineer or the Owner's representative, or recorded and submitted where remote witnessing is accepted.
+
+## Pre-Installation Conference {toc}
+
+### A pre-installation conference shall be held before network installation begins, attended by the controls integrator, the electrical contractor, the SCADA/HMI integrator, the Owner's OT and IT representatives, and the commissioning agent.
+
+### The agenda shall include the OT/IT demarcation and DMZ ownership, IP addressing authority, the cybersecurity hardening plan, cable pathway coordination, grounding and bonding, and the commissioning and security-acceptance schedule.
+
+### The boundary between OT and IT responsibility is the most common source of project conflict; the DMZ owner, the firewall rule authority, and the addressing authority shall be agreed in writing at this conference. {note}
+
+# Environmental and Service Conditions {toc}
+
+## Installation Environment {toc}
+
+### Industrial OT network hardware is exposed to temperature extremes, vibration, dust, moisture, and electrical noise that exceed the office environment for which commercial IT switches are designed. {note}
+
+### The MICE classification of ISO/IEC 11801 and ISO/IEC 24702 (Mechanical, Ingress, Climatic, Electromagnetic) describes the installation environment and is the basis for selecting hardware and cabling rated for it. {note}
+
+```datasheet
+label: Network Environment Classification (MICE)
+type: select
+options:
+ - "M1 I1 C1 E1 — office/control-room environment (managed IT-grade hardware acceptable)"
+ - "M2 I2 C2 E2 — general industrial / plant floor (industrially rated hardware)"
+ - "M3 I3 C3 E3 — harsh / heavy industrial, wet wells, outdoor (hardened hardware, sealed connectors)"
+default: "M2 I2 C2 E2 — general industrial / plant floor (industrially rated hardware)"
+```
+
+### Active network devices installed outside a conditioned control room shall be industrially hardened, with a wide operating-temperature range, fanless convection cooling, DIN-rail mounting, and redundant DC power input.
+
+### Devices installed in wet wells, lift stations, outdoor cabinets, or washdown areas shall be rated for the ingress and climatic class of the location, and connectors in those locations shall be sealed (e.g., M12 industrial connectors) rather than standard RJ45.
+
+### Specifying office-grade switches for plant-floor or outdoor service is a frequent and costly error; commercial switches with fans and a narrow temperature range fail early in industrial heat, dust, and vibration. {note}
+
+## Temperature and Power {toc}
+
+```datasheet
+label: Network Device Operating Temperature Rating
+type: select
+unit: "°C"
+options:
+ - "0 to +45 (control-room / conditioned space)"
+ - "-10 to +60 (general industrial)"
+ - "-40 to +75 (extended industrial / outdoor / unconditioned)"
+default: "-40 to +75 (extended industrial / outdoor / unconditioned)"
+```
+
+```datasheet
+label: Network Device Power Input
+type: select
+options:
+ - "24 VDC — single input"
+ - "24 VDC — dual redundant inputs"
+ - "48 VDC"
+ - "120/240 VAC"
+ - "Power over Ethernet (PoE/PoE+) for field devices"
+default: "24 VDC — dual redundant inputs"
+```
+
+### Active network devices should be powered from the same regulated, backed-up DC control power as the controllers they serve, so that a power disturbance does not drop the network while the controllers remain energized.
+
+### Devices supporting redundant power input shall have both inputs connected to independent supplies where available.
+
+# Network Architecture and Reference Model {toc}
+
+## Purdue / ISA-95 Reference Model {toc}
+
+### The network shall be structured on the Purdue / ISA-95 reference model, with each device assigned to a level: Level 0 (field instruments and final elements), Level 1 (controllers and I/O), Level 2 (supervisory control and local HMI), Level 3 (site operations, historian, engineering workstations), and Level 4 (enterprise/IT, outside this scope).
+
+### The level assignment of every device shall be shown on the network architecture drawing.
+
+### The Purdue model is the organizing principle for OT network segmentation: traffic flows and trust decrease moving up the levels, and the controls between levels are where security is enforced. {note}
+
+## OT/IT Demilitarized Zone {toc}
+
+### A demilitarized zone (DMZ) shall be provided at Level 3.5 between the OT network (Levels 0 through 3) and the enterprise/IT network (Level 4).
+
+### No direct communication path shall exist between the OT network and the enterprise network; all cross-domain data exchange shall traverse the DMZ.
+
+### Data shared with the enterprise (historian replication, reporting, remote read-only views) shall be brokered by a server or data diode located in the DMZ, so that no enterprise host initiates a connection directly into the control network.
+
+### The DMZ is the single most important architectural control for protecting the control network; a flat network with the OT and enterprise systems on the same broadcast domain has no defensible boundary and is the condition that lets IT-side malware reach controllers. {note}
+
+```datasheet
+label: OT/Enterprise Boundary Architecture
+type: select
+options:
+ - "Firewalled DMZ with broker server (historian/reporting replica in DMZ)"
+ - "Firewalled DMZ with data diode (one-way OT-to-enterprise only)"
+ - "Dual-firewall DMZ (separate OT-side and IT-side firewalls)"
+ - "Air-gapped — no enterprise connection"
+default: "Firewalled DMZ with broker server (historian/reporting replica in DMZ)"
+```
+
+## Zones and Conduits {toc}
+
+### The network shall be partitioned into security zones and conduits in accordance with ISA/IEC 62443-3-2.
+
+### Each zone shall group assets that share common security requirements, and each conduit shall be the controlled communications path between zones.
+
+### A target security level (SL-T) shall be assigned to each zone and conduit based on a documented risk assessment, and the network controls shall be selected to meet that level.
+
+### Inter-zone traffic shall pass only through a conduit with an enforcing device (firewall or security router); intra-zone traffic shall not be required to traverse the boundary.
+
+### Zones and conduits convert an abstract risk assessment into concrete firewall rules and VLAN boundaries; without them, every device implicitly trusts every other device on the network. {note}
+
+## Network Segmentation {toc}
+
+```datasheet
+label: Segmentation Method
+type: select
+options:
+ - "VLANs on managed switches with inter-VLAN firewall/routing"
+ - "Physically separate switches per zone"
+ - "VLANs plus physically separate switches at zone boundaries"
+default: "VLANs on managed switches with inter-VLAN firewall/routing"
+```
+
+### The control network shall be segmented from the plant business systems and from other zones using VLANs (IEEE 802.1Q) on managed switches, physically separate switches, or a combination, as required to enforce the zone model.
+
+### Broadcast and multicast traffic, which several industrial protocols rely on, shall be contained within the appropriate zone so that a multicast storm in one zone does not degrade another.
+
+### Inter-VLAN traffic shall be routed and filtered by a Layer 3 device or firewall, not bridged.
+
+# Industrial Protocols {toc}
+
+## Ethernet-Based Control Protocols {toc}
+
+### The primary control protocol on the Ethernet network shall be selected to match the controller platform and the installed base, and shall be one of the open industrial Ethernet protocols. {note}
+
+### EtherNet/IP (managed by ODVA, built on the Common Industrial Protocol) is common with one major controller family and uses standard Ethernet with CIP at the application layer. {note}
+
+### PROFINET (IEC 61158 / IEC 61784, managed by PI) is common with another major controller family and provides real-time and isochronous classes. {note}
+
+### Modbus TCP is a simple, widely supported register-based protocol used for device integration and for equipment that lacks a native EtherNet/IP or PROFINET interface. {note}
+
+```datasheet
+label: Primary Ethernet Control Protocol
+type: radio
+options:
+ - "EtherNet/IP (ODVA / CIP)"
+ - "PROFINET (IEC 61158/61784)"
+ - "Modbus TCP"
+ - "Mixed — multiple protocols gatewayed to a common layer"
+default: "EtherNet/IP (ODVA / CIP)"
+```
+
+### The primary control protocol shall be applied consistently within a zone; mixing real-time control protocols within a single zone without a documented reason complicates redundancy, time sync, and troubleshooting.
+
+### Where multiple protocols are unavoidable, they shall be bridged at a defined gateway, not by allowing unrelated protocols to share a control VLAN.
+
+## Serial and Legacy Protocols {toc}
+
+### Modbus RTU and PROFIBUS DP serve serial-connected and legacy field devices and shall be brought onto the Ethernet network through a gateway at a defined point rather than extended as long serial trunks. {note}
+
+```datasheet
+label: Serial Field Protocols Present
+type: checkbox
+options:
+ - "Modbus RTU (RS-485)"
+ - "PROFIBUS DP (RS-485)"
+ - "PROFIBUS PA (IEC 61158-2, process automation)"
+ - "Proprietary serial (vendor-specific, behind a gateway)"
+ - "None — all devices natively Ethernet"
+default: "Modbus RTU (RS-485)"
+```
+
+### Serial multidrop segments (RS-485) shall be wired in a daisy-chain (not star) topology, terminated at both ends with the characteristic impedance, and biased per the device requirements.
+
+### Each serial segment shall be isolated and surge-protected where it leaves a panel, coordinated with [[sync/grounding-and-bonding]].
+
+### A serial multidrop segment that is star-wired, unterminated, or improperly biased produces intermittent communication faults that are difficult to diagnose; the topology and termination are not optional. {note}
+
+## Integration Protocol — OPC UA {toc}
+
+### OPC UA (IEC 62541) shall be the protocol for cross-domain and cross-vendor data integration — between the control layer and the historian, MES, or enterprise reporting — where a vendor-neutral, secure interface is required.
+
+### OPC UA connections shall use the protocol's native security (application authentication, message signing, and encryption) and shall not be exposed across the OT/IT boundary except through the DMZ.
+
+### OPC UA is an integration layer, not a real-time control protocol; it complements the control protocol rather than replacing it, and is the right tool for moving structured data up the Purdue levels. {note}
+
+# Transmission Media {toc}
+
+## Copper or Fiber Selection {toc}
+
+### Network media between active devices shall be selected per segment based on distance, the need for galvanic isolation, electrical-noise exposure, and the routing environment. {note}
+
+### Balanced twisted-pair copper (Category 6 or 6A per ANSI/TIA-568) is appropriate for segments within a building or panel lineup that are within the 100 m channel limit and not exposed to severe electrical noise or ground-potential differences. {note}
+
+### Optical fiber is required where the segment exceeds the copper distance limit, crosses between buildings or structures with different ground references, runs through or near medium- and high-voltage equipment, or passes through areas of severe electrical noise. {note}
+
+```datasheet
+label: Backbone / Inter-Building Media
+type: radio
+options:
+ - "Multimode fiber (OM3) — within plant, short backbone"
+ - "Multimode fiber (OM4) — within plant, higher bandwidth/distance"
+ - "Single-mode fiber (OS2) — long backbone, inter-building, future-proof"
+ - "Balanced twisted-pair copper (Cat 6A) — short, in-building, low-noise only"
+default: "Single-mode fiber (OS2) — long backbone, inter-building, future-proof"
+```
+
+```datasheet
+label: Horizontal / Device-Level Media
+type: radio
+options:
+ - "Category 6A balanced twisted-pair (ANSI/TIA-568)"
+ - "Category 6 balanced twisted-pair (ANSI/TIA-568)"
+ - "Industrial M12-terminated twisted-pair (harsh locations)"
+ - "Multimode fiber to field device (isolation / distance)"
+default: "Category 6A balanced twisted-pair (ANSI/TIA-568)"
+```
+
+### Fiber shall be used for any segment that crosses between separately grounded structures, because fiber is a dielectric and breaks the metallic path that would otherwise carry damaging ground-potential differences and surge current between buildings.
+
+### Copper segments shall not exceed the 100 m channel length of ANSI/TIA-568; segments approaching the limit shall use fiber or an intermediate switch.
+
+### Running copper between buildings or near medium-voltage gear is a recurring source of equipment damage and communication faults; the galvanic isolation of fiber eliminates ground loops and induced noise that copper cannot. {note}
+
+## Cabling Installation {toc}
+
+### Network cable types, ratings, and pathway methods shall comply with [[sync/conductors-and-cables]] and [[sync/raceways-and-conduit]] and with NFPA 70 Article 725 and Chapter 8.
+
+### Communications and control cabling shall maintain separation from power conductors per the cable manufacturer's instructions and the NEC to limit induced noise.
+
+### Cable lengths, routing, and outlet/connector locations are [[drawing: as indicated on the network and cable-route drawings]].
+
+# Switches and Network Devices {toc}
+
+## Managed Industrial Switches {toc}
+
+### Switches on the control network shall be managed industrial switches, not unmanaged or office-grade switches.
+
+### Managed switches shall support VLANs (IEEE 802.1Q), the selected redundancy/ring protocol, port security, SNMP monitoring, and the management interface required by the cybersecurity hardening plan.
+
+```datasheet
+label: Switch Management Class
+type: radio
+options:
+ - "Managed — full L2 (VLAN, ring protocol, port security, SNMP)"
+ - "Managed — L3 (routing, inter-VLAN, ACLs) for distribution/core"
+ - "Lightly managed — limited configuration (edge field devices only)"
+default: "Managed — full L2 (VLAN, ring protocol, port security, SNMP)"
+```
+
+### Unmanaged switches shall not be used on the control network because they provide no segmentation, no redundancy participation, no port security, and no diagnostics, and they cannot be hardened. {note}
+
+## Routing and Firewalls {toc}
+
+### Inter-zone routing and filtering shall be performed by a Layer 3 switch, router, or industrial firewall at each conduit boundary.
+
+### The firewall rule set shall be default-deny, permitting only the specific protocols, source/destination pairs, and ports required by the conduit, and shall be documented in the zone and conduit register.
+
+### Remote access into the OT network, where provided, shall terminate in the DMZ and require multi-factor authentication, and shall not provide a direct path to control devices.
+
+## Protocol Gateways and Media Converters {toc}
+
+### Gateways translating between protocols (e.g., Modbus RTU to Modbus TCP, or serial to Ethernet) shall be placed at a defined boundary and shown on the architecture drawing.
+
+### Media converters (copper-to-fiber) shall be managed where they participate in a redundancy ring; standalone unmanaged converters shall be limited to point-to-point links that do not require ring participation or diagnostics.
+
+# Redundancy and Determinism {toc}
+
+## Topology and Redundancy Protocol {toc}
+
+### The control-network backbone shall use a redundant topology (ring or redundant star) so that a single cable or switch failure does not isolate controllers from the supervisory layer. {note}
+
+### The redundancy protocol shall be selected to meet the recovery-time requirement of the controlled process. {note}
+
+```datasheet
+label: Redundancy / Ring Protocol
+type: select
+options:
+ - "RSTP (IEEE 802.1D/802.1Q) — recovery in seconds, simple, vendor-neutral"
+ - "MRP (IEC 62439-2) — ring recovery typically under 200 ms"
+ - "DLR (Device Level Ring, ODVA/EtherNet/IP) — recovery under 3 ms"
+ - "PRP (IEC 62439-3) — parallel networks, zero-time seamless"
+ - "HSR (IEC 62439-3) — ring, zero-time seamless"
+ - "Vendor proprietary fast-ring (within a single switch family)"
+default: "MRP (IEC 62439-2) — ring recovery typically under 200 ms"
+```
+
+```datasheet
+label: Maximum Network Recovery Time
+type: range
+unit: ms
+options:
+ min: 0
+ max: 5000
+ setpoints: [0, 3, 30, 50, 200, 500, 2000, 5000]
+default: 200
+```
+
+### A ring topology shall have a designated ring manager (redundancy manager), and the role assignment shall be documented; client switches shall be configured consistently with the manager.
+
+### RSTP recovery is measured in seconds and is acceptable only where the process tolerates that interruption; processes requiring bumpless recovery shall use DLR, PRP, or HSR for seamless or near-seamless switchover. {note}
+
+### Mixing redundancy protocols in one ring, or leaving two ring managers active, creates a network loop or a broadcast storm; the redundancy design shall be coherent across the ring. {note}
+
+## Determinism and Latency {toc}
+
+### Where the controlled process requires deterministic delivery (motion, fast interlocks, isochronous I/O), the network shall be designed for bounded latency using prioritization (QoS / IEEE 802.1Q priority) and, where required, the real-time class of the selected protocol.
+
+### Control traffic shall be prioritized over non-control traffic on shared segments so that bulk transfers (historian backfill, file copies, video) cannot delay control messages.
+
+### Network load on any control segment should be kept well below saturation so that latency and jitter remain bounded under worst-case traffic; an overloaded control segment introduces variable delay that undermines determinism. {note}
+
+# Time Synchronization {toc}
+
+## Time Source and Protocol {toc}
+
+### All controllers, servers, switches, and instruments that timestamp data shall be synchronized to a common, traceable time source so that alarms, events, and trends across the system share one timeline. {note}
+
+```datasheet
+label: Time Synchronization Protocol
+type: radio
+options:
+ - "NTP (RFC 5905) — millisecond accuracy, sufficient for SCADA timestamping"
+ - "PTP (IEEE 1588) — sub-microsecond, for motion / sequence-of-events / TSN"
+ - "Both — NTP for general devices, PTP where sub-microsecond is required"
+default: "NTP (RFC 5905) — millisecond accuracy, sufficient for SCADA timestamping"
+```
+
+```datasheet
+label: Time Reference Source
+type: select
+options:
+ - "GPS/GNSS-disciplined grandmaster clock (on site)"
+ - "Site NTP server synchronized to GPS/GNSS"
+ - "Site NTP server synchronized to an internal reference"
+ - "Upstream/enterprise time source via the DMZ (read-only)"
+default: "GPS/GNSS-disciplined grandmaster clock (on site)"
+```
+
+### A site time reference shall be provided, and time shall be distributed within the OT network from that reference rather than from an enterprise source reached across the OT/IT boundary.
+
+### NTP provides millisecond accuracy that is sufficient for SCADA alarm and event timestamping; PTP (IEEE 1588), using hardware timestamping, provides sub-microsecond accuracy required for motion control, sequence-of-events recording, and time-sensitive networking. {note}
+
+### Unsynchronized clocks make multi-device event sequences impossible to reconstruct after an upset; common time is a prerequisite for meaningful alarm analysis and forensic review. {note}
+
+# Remote Site Communications {toc}
+
+## Telemetry for Distributed Sites {toc}
+
+### Geographically distributed water and wastewater facilities — remote pump stations, lift stations, wells, tanks, and metering sites — shall communicate with the central SCADA system over a wide-area telemetry bearer rather than plant cabling. {note}
+
+```datasheet
+label: Remote Site Communications Bearer
+type: select
+options:
+ - "Licensed point-to-multipoint radio (utility-owned spectrum)"
+ - "Unlicensed spread-spectrum radio (900 MHz / 2.4 GHz)"
+ - "Cellular (private APN, 4G/5G)"
+ - "Cellular with radio backup (dual-path)"
+ - "Fiber/leased line where available"
+default: "Licensed point-to-multipoint radio (utility-owned spectrum)"
+```
+
+### Remote sites shall use a controller or RTU that retains local control and logs data when communications are lost, and forwards stored data when communications are restored (store-and-forward).
+
+### Loss of the telemetry link shall not stop the local process; the remote site shall continue to run on local control and shall annunciate the communications failure to the central SCADA system.
+
+### Treating a remote site as if it were on a reliable plant LAN is a frequent design error; telemetry links are high-latency, low-bandwidth, and intermittent, and the remote controller must be able to run autonomously through an outage. {note}
+
+## Telemetry Protocol {toc}
+
+### The telemetry protocol for distributed water/wastewater sites should be DNP3 (IEEE 1815), which supports report-by-exception, time-stamped events, store-and-forward, and secure authentication suited to low-bandwidth, intermittent links.
+
+```datasheet
+label: Telemetry Protocol
+type: radio
+options:
+ - "DNP3 (IEEE 1815) — report-by-exception, time-stamped, secure auth"
+ - "Modbus over the bearer (simple polling)"
+ - "OPC UA over cellular VPN (where bandwidth permits)"
+ - "Vendor proprietary telemetry protocol"
+default: "DNP3 (IEEE 1815) — report-by-exception, time-stamped, secure auth"
+```
+
+### Polling and report-by-exception parameters shall be tuned to the bearer bandwidth so that the link is not saturated and data collisions are avoided.
+
+### Telemetry traffic crossing public networks (cellular, leased) shall be encrypted (VPN or DNP3 Secure Authentication) so that a remote site cannot be commanded by an unauthorized master. {note}
+
+# OT Cybersecurity Baseline {toc}
+
+## Security Program and Levels {toc}
+
+### The OT cybersecurity baseline shall follow ISA/IEC 62443 and NIST SP 800-82 and shall implement the zones, conduits, and target security levels established under Network Architecture.
+
+### A target security level (SL-T) shall be assigned to each zone per ISA/IEC 62443-3-2, and the network controls shall be configured to meet the corresponding system security requirements of ISA/IEC 62443-3-3.
+
+```datasheet
+label: Minimum Target Security Level (SL-T) for the Control Zone
+type: radio
+options:
+ - "SL 1 — protection against casual or coincidental violation"
+ - "SL 2 — protection against intentional violation using simple means"
+ - "SL 3 — protection against intentional violation using sophisticated means"
+ - "SL 4 — protection against intentional violation using sophisticated means with extended resources"
+default: "SL 2 — protection against intentional violation using simple means"
+```
+
+### For critical infrastructure such as water and wastewater treatment, the Owner's risk assessment and any applicable regulatory guidance (including AWWA cybersecurity guidance and WaterISAC fundamentals) shall inform the selected security level. {note}
+
+## Device Hardening {toc}
+
+### Every active network device shall be hardened before being placed in service: default credentials changed, unused physical ports and logical services disabled, secure management protocols enabled (e.g., SSH and HTTPS rather than Telnet and HTTP), and the device firmware updated to a tested, supported version.
+
+### Unused switch ports shall be administratively disabled, and port security (MAC limiting or sticky MAC) shall be enabled on access ports where the connected device set is fixed.
+
+### Default credentials and open management services are the most exploited weakness in OT devices; an unhardened switch on the control network is a foothold regardless of any firewall in front of it. {note}
+
+```datasheet
+label: Device Hardening Measures
+type: checkbox
+options:
+ - "Default credentials changed; unique per-device or per-role accounts"
+ - "Unused ports administratively disabled"
+ - "Port security (MAC limiting / sticky MAC) on access ports"
+ - "Insecure management services disabled (Telnet, HTTP, unused SNMP)"
+ - "Secure management enabled (SSH, HTTPS, SNMPv3)"
+ - "Firmware updated to a tested, supported version"
+ - "Configuration backed up after commissioning"
+default: "Default credentials changed; unique per-device or per-role accounts"
+```
+
+## Account Management {toc}
+
+### Network devices shall use named accounts with role-based privilege rather than shared administrator logins, and accounts shall be managed centrally where the device class supports it.
+
+### Access to network device management shall be restricted to the management VLAN and to authorized engineering hosts, and shall not be reachable from the general control VLAN or from outside the OT network except through the DMZ.
+
+## Patch Management {toc}
+
+### A patch-management process shall be established that identifies firmware and software updates for network devices, tests them in a non-production environment, and schedules their application during planned outages.
+
+### Patches shall not be applied to production OT devices without testing, because an untested firmware update can disrupt the controlled process; the patch process shall balance vulnerability exposure against availability. {note}
+
+```datasheet
+label: Patch Management Approach
+type: radio
+options:
+ - "Scheduled — tested updates applied during planned maintenance windows"
+ - "Risk-based — security-critical patches expedited after testing; others deferred"
+ - "Vendor-validated only — only updates validated by the system vendor are applied"
+default: "Risk-based — security-critical patches expedited after testing; others deferred"
+```
+
+## Monitoring and Logging {toc}
+
+### Network devices shall send security and operational logs to a central collector (syslog or SNMP) located within the OT network, and the time on all devices shall be synchronized so that logged events correlate.
+
+### Network monitoring should include passive detection of unexpected devices, unexpected traffic flows between zones, and link or redundancy failures, with alarms surfaced to operations.
+
+### Logging without synchronized time and without a collector is of little value during an incident; centralized, time-aligned logs are what make an upset or intrusion reconstructable. {note}
+
+## Backup and Recovery {toc}
+
+### The as-commissioned configuration of every active network device shall be backed up, stored securely, and updated whenever a configuration change is made.
+
+### A documented restore procedure shall be provided for each device class so that a failed device can be replaced and reconfigured from backup without reconstructing its configuration from memory.
+
+# Testing and Commissioning {toc}
+
+## Cable and Link Testing {toc}
+
+### All copper network cabling shall be certified to the ANSI/TIA-568 performance category specified, and all fiber links shall be tested for insertion loss (and OTDR-traced where required), with results recorded per link.
+
+```datasheet
+label: Cable Test Documentation
+type: checkbox
+options:
+ - "Copper channel/permanent-link certification (ANSI/TIA-568)"
+ - "Fiber insertion-loss (power-meter) test, each link"
+ - "Fiber OTDR trace, each backbone link"
+ - "Connector/termination inspection record"
+default: "Copper channel/permanent-link certification (ANSI/TIA-568)"
+```
+
+### Cable certification and fiber test results shall be submitted before the network is energized for commissioning.
+
+## Network Functional Testing {toc}
+
+### Commissioning shall verify device addressing and VLAN membership, end-to-end communication between each controller and the supervisory layer, and the firewall/conduit rule set against the zone and conduit register.
+
+### Redundancy failover shall be tested by breaking each ring segment and each redundant link in turn and confirming that recovery occurs within the specified time and that no controller loses supervisory communication beyond the allowed interruption.
+
+### Time synchronization shall be verified by confirming that all timestamped devices agree on time to within the accuracy of the selected protocol.
+
+```datasheet
+label: Network Commissioning Tests
+type: checkbox
+options:
+ - "Addressing and VLAN membership verification"
+ - "End-to-end controller-to-SCADA communication"
+ - "Firewall / conduit rule verification against the register"
+ - "Redundancy failover test (each ring segment and redundant link)"
+ - "Time-synchronization verification"
+ - "Remote-site telemetry and store-and-forward test (where applicable)"
+ - "Network load / latency measurement on control segments"
+default: "Redundancy failover test (each ring segment and redundant link)"
+```
+
+## Security Acceptance {toc}
+
+### A security acceptance check shall confirm that device hardening, account management, and the firewall rule set match the approved cybersecurity hardening plan, and that no default credentials, open insecure services, or undocumented network paths remain.
+
+### Remote-access paths, where provided, shall be tested to confirm they terminate in the DMZ, require multi-factor authentication, and do not provide a direct path to control devices.
+
+# Installation {toc}
+
+## Device Mounting and Power {toc}
+
+### Active network devices shall be mounted in the control panels or network cabinets [[drawing: as indicated on the panel and network-cabinet drawings]], on DIN rail or rack as appropriate, with the manufacturer's required clearance for cooling and cabling.
+
+### Devices shall be powered from the regulated, backed-up control power source serving the associated controllers, and redundant power inputs shall be connected to independent supplies where available.
+
+## Grounding and Bonding {toc}
+
+### Network equipment grounding and the bonding of cable shields, racks, and cabinets shall comply with [[sync/grounding-and-bonding]].
+
+### Shielded copper cable shields shall be bonded as specified by the cable system (typically at one end for low-frequency, both ends for high-frequency) consistently across a segment, coordinated with the grounding standard, to control noise without creating ground loops.
+
+### Fiber shall be used in preference to shielded copper where ground-potential differences between structures make consistent shield bonding impractical, as established under Transmission Media.
+
+## Labeling and Documentation {toc}
+
+### Every network device, port, patch, and cable shall be labeled to match the as-built network drawings and the addressing/VLAN documentation.
+
+### Labels shall identify the device name, the zone, and the address so that a technician can correlate physical equipment to the architecture drawing without guessing.
+
+# Delivery, Storage, and Handling {toc}
+
+## Network devices shall be delivered in the manufacturer's packaging and protected from moisture, dust, electrostatic discharge, and physical damage until installed.
+
+## Fiber-optic cable and connectors shall be protected from contamination and from bend radii smaller than the manufacturer's minimum during delivery, storage, and pulling.
+
+## Devices and cable stored on site before installation shall be kept in a dry, temperature-controlled space within the manufacturer's storage limits.
+
+# Warranty {toc}
+
+## Warranty Terms {toc}
+
+```datasheet
+label: Network Equipment Warranty Term
+type: select
+options:
+ - "1 year (minimum)"
+ - "2 years"
+ - "3 years"
+ - "5 years (where offered for industrial network hardware)"
+default: "2 years"
+```
+
+### The manufacturer shall warrant each active network device against defects in materials and workmanship for the specified term from substantial completion.
+
+### The integrator shall warrant the network configuration and integration work — addressing, segmentation, redundancy, time sync, and security hardening — for a minimum of one year from substantial completion, including correction of defects discovered in that period.
+
+# Spare Parts {toc}
+
+## Spare Parts Package {toc}
+
+### The Contractor shall furnish manufacturer-recommended spares so that a failed network device can be replaced and restored from backup configuration without ordering parts.
+
+- One spare managed switch of each type and port configuration deployed
+- Spare media converters and SFP transceivers of each type deployed
+- Spare fiber patch cords and copper patch cords of each type and length deployed
+- One spare remote-site radio or cellular modem of each type deployed (water/wastewater)
+
+```datasheet
+label: Spare Parts Package
+type: checkbox
+options:
+ - "Spare managed switch of each type/port configuration"
+ - "Spare media converters and SFP transceivers"
+ - "Spare fiber and copper patch cords"
+ - "Spare remote-site radio / cellular modem (water/wastewater)"
+ - "Spare power supplies for network devices"
+default: "Spare managed switch of each type/port configuration"
+```
+
+### Spares shall be the same model and firmware-compatible with the installed devices, and the spare-parts list shall be included in the closeout documentation.
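Review bot: The telemetry security line "Telemetry traffic crossing public networks (cellular, leased) shall be encrypted (VPN or DNP3 Secure Authentication)" treats two different controls as interchangeable; DNP3 Secure Authentication (IEEE 1815 SA) authenticates critical requests and protects message integrity but does not encrypt the payload, so it meets the stated aim (an unauthorized master cannot command the site) without providing confidentiality. Suggest restating it as "shall be authenticated (DNP3 Secure Authentication) and carried over an encrypted tunnel (VPN) where confidentiality is required", or making the VPN mandatory with SA as an additional control. Two consistency points elsewhere in the same hunk: the monitoring line "send security and operational logs to a central collector (syslog or SNMP)" should name the secure transports the Device Hardening checklist already requires (SNMPv3, and syslog over TLS rather than plain UDP, which is unauthenticated), and the Time Reference Source option "Upstream/enterprise time source via the DMZ (read-only)" contradicts the clause directly after it ("time shall be distributed within the OT network from that reference rather than from an enterprise source reached across the OT/IT boundary"); either remove the option or reword the clause to allow a DMZ-relayed reference only as a fallback.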
