Modbus/DNP3 communications through VLANs, VRFs and NGFW

I am currently working on a battery energy storage project with extensive cybersecurity requirements from the client that need to be implemented in the logical design of the network. We have OT assets such as a microgrid controller, BESS, a few IEDs - relays and power meters - and an edge gateway, with a few of these requiring outbound internet access. As part of the network segmentation effort to limit lateral movement of malicious actors or malware, we are segmenting subsystems using VLANs and VRFs (made up of multiple VLANs with similar subsystems), and any inter-VRF communications will need to traverse the firewall and thus be subject to firewall policies. From this, we have:

(a) DNP3 communication between a microgrid controller and BESS that are in two separate VRFs
(b) Modbus TCP communication between an edge gateway and power meters that are in two separate VRFs

We have several layer 2 switches, a single layer 3 switch (to support inter-VLAN communication within the same VRF and to create the VRFs) and an edge firewall.

I wanted to know what the community's experience is with implementing OT protocols - DNP3, Modbus - through this sort of logical design. I am particularly concerned, first about workability and then about latency. How do Modbus and DNP3 work when client and server are in different VLANs, different VRFs and need to traverse a firewall in "real time"?
 
DNP3 and Modbus TCP will work across VLANs and VRFs with proper routing and firewall configurations. Both protocols are sensitive to latency, so you should focus on minimizing firewall inspection and ensuring optimal routing paths between VRFs.
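To make the "subject to firewall policies" part of the question concrete, here is an added example that is not from the thread or from any vendor: a small Python model of the inter-VRF policy for flows (a) and (b), with the L3/L4 allowlist plus the kind of application-layer check an NGFW applies to Modbus TCP (function-code allowlist) and DNP3 (link-layer header sanity). All IP addresses, VRF names, device roles and frames are constructed for the example; the DNP3 check does not validate the link-layer CRC, and the model evaluates new connections only (a stateful firewall passes the replies on the same session).

```python
"""
Added example (not from the forum thread): a model of the inter-VRF firewall
policy the question describes, evaluated against constructed Modbus TCP and
DNP3 flows. Addresses, VRF names and device roles are assumptions.
"""
from dataclasses import dataclass
import struct

# Constructed addressing: one subnet per VRF, host names are placeholders.
VRF_OF = {
    "10.10.1.10": "controls",  # microgrid controller (assumed)
    "10.10.2.20": "bess",      # BESS controller (assumed)
    "10.10.3.30": "gateway",   # edge gateway (assumed)
    "10.10.4.40": "metering",  # power meter (assumed)
}

MODBUS_TCP_PORT = 502
DNP3_PORT = 20000

# Function codes a polling gateway needs; write codes (5, 6, 15, 16) are excluded.
MODBUS_READ_ONLY_FC = {1, 2, 3, 4}


@dataclass(frozen=True)
class Rule:
    src_vrf: str
    dst_vrf: str
    dport: int
    app: str  # "modbus" or "dnp3"


# Explicit allowlist for new inter-VRF sessions; anything else is dropped.
RULES = [
    Rule("controls", "bess", DNP3_PORT, "dnp3"),            # flow (a)
    Rule("gateway", "metering", MODBUS_TCP_PORT, "modbus"),  # flow (b)
]


def parse_mbap(payload: bytes):
    """Parse the 7-byte MBAP header; return (transaction id, unit id, function code)."""
    if len(payload) < 8:
        raise ValueError("short Modbus TCP frame")
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError("non-Modbus protocol id")
    if length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length mismatch")
    return tid, uid, payload[7]


def parse_dnp3_link(payload: bytes):
    """Parse the DNP3 link-layer header (start 0x0564, length, control, dest, src).
    The trailing CRC is not verified here."""
    if len(payload) < 10 or payload[:2] != b"\x05\x64":
        raise ValueError("not a DNP3 link frame")
    length, control, dest, src = struct.unpack("<BBHH", payload[2:8])
    return length, control, dest, src


def evaluate(src_ip: str, dst_ip: str, dport: int, payload: bytes):
    """Return ('allow'|'deny', reason) for a new session, mimicking L3/L4 rules
    followed by application inspection on the first payload."""
    src_vrf, dst_vrf = VRF_OF.get(src_ip), VRF_OF.get(dst_ip)
    if src_vrf is None or dst_vrf is None:
        return "deny", "unknown host"
    if src_vrf == dst_vrf:
        # Same VRF: routed by the L3 switch, never reaches the firewall.
        return "allow", "intra-VRF traffic, not subject to the firewall"
    for r in RULES:
        if (r.src_vrf, r.dst_vrf, r.dport) == (src_vrf, dst_vrf, dport):
            try:
                if r.app == "modbus":
                    _, _, fc = parse_mbap(payload)
                    if fc not in MODBUS_READ_ONLY_FC:
                        return "deny", f"modbus function code {fc} not in read-only allowlist"
                elif r.app == "dnp3":
                    parse_dnp3_link(payload)
            except ValueError as exc:
                return "deny", f"application inspection failed: {exc}"
            return "allow", f"rule {r.src_vrf}->{r.dst_vrf} tcp/{dport}"
    return "deny", "no inter-VRF rule matches (implicit deny)"


# Constructed frames used for the demonstration below.
MODBUS_READ = bytes.fromhex("000100000006010300000 00a".replace(" ", ""))   # FC3 read 10 regs
MODBUS_WRITE = bytes.fromhex("000200000006010600000001")                  # FC6 write single reg
DNP3_FRAME = bytes.fromhex("0564" "05C0" "0100" "0000" "0000")              # dest 1, src 0, CRC placeholder

if __name__ == "__main__":
    print(evaluate("10.10.3.30", "10.10.4.40", 502, MODBUS_READ))
    print(evaluate("10.10.3.30", "10.10.4.40", 502, MODBUS_WRITE))
    print(evaluate("10.10.1.10", "10.10.2.20", 20000, DNP3_FRAME))
    print(evaluate("10.10.4.40", "10.10.3.30", 502, MODBUS_READ))
```

The point of the model is the shape of the policy rather than any vendor syntax: one explicit rule per client/server pair and port, the meter-side or BESS-side never allowed to initiate toward the other VRF, and the application check restricted to a header parse plus a function-code allowlist so that per-packet inspection cost stays small, which is what keeps the added latency of the firewall hop predictable.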
 