The DOE Network Function (NF) Project is designed to let Industrial Control System (ICS) operators set per-flow policy between endpoints. Its primary purpose is to provide additional security and behavior stability over insecure and unreliable commodity transport, but the NF can be leveraged for a wide range of needs as they evolve over time. Because a network function supplies the additional functionality, the lifecycles of network resilience needs and industrial hardware are decoupled, allowing long-life ICS hardware to continue to operate in a fast-evolving network environment.
The Network Function is generally inserted into the topology as seen below:
While this trivial example shows paired NFs being used to provide secure and reliable delivery over commodity transport, an NF can also be deployed to enforce flow policy within an administrative domain, for example between the typical enterprise network and the industrial controls at the same site.