More than 20 years ago, industrial operations began to build digital communications and digital backbones into their production platforms, using both proprietary networks and Ethernet-based systems.
In part, this development was driven by the rapid growth of office-based Ethernet networks and network technology. Manufacturers wanted more digital data, sensor information and data from manufacturing devices – such as PLCs and intelligent servo drives – to gain better control and management of production systems.
Networks built using unmanaged Ethernet switches could handle network traffic but lacked the sophistication that managed Ethernet switches offer – network visibility and network control. Unmanaged switches also increased the risk of security breaches from vulnerable devices on the network.
As the Industry 4.0 revolution proceeds, few industrial systems and facilities remain isolated, standalone operations. Manufacturing sites are upgrading technology with digital sensors and smart devices, and those previously isolated systems are being tied to Ethernet-based networks, ultimately exposing them to the Internet. Those growing Ethernet networks demand greater focus on security – on having visibility into what is being connected to the network, whether it has the right permissions and whether it presents any risk of malware infiltration.
Risks of unmanaged Ethernet switches
Many once-isolated manufacturing systems generate valuable data, but accessing that information in real time has required significant investment.
In some cases, industrial OT organizations have tried to manage costs by using less sophisticated unmanaged Ethernet switches. Industrial Ethernet networks constantly carry time-sensitive data, in some cases vital input/output (I/O) signals. Responsive I/O and interlock signaling play a crucial role in preventing equipment failure or damage, wasted product and data loss.
Robust and hardened industrial Ethernet switches are readily available. Unlike products adapted from Ethernet technology used in office networks, these systems have been engineered and manufactured for reliable operation in industrial environments with high levels of vibration, and with ESD and surge protection.
For a standalone automated production system, such as a bottling machine, the internal network in the machine typically needs to connect the machine’s programmable logic controller (PLC), human machine interface (HMI), sensors and other I/O devices. A low-cost unmanaged switch connecting the machine’s PROFINET or EtherNet/IP backbone was sufficient.
However, standalone machines of that kind are quickly giving way to networked automation. As the network device count grows, or a formerly standalone piece of automated equipment is interconnected on virtual local area networks (VLANs), the need for a managed industrial Ethernet switch quickly becomes apparent.
Security becomes paramount
Unmanaged switches lack the software layers that let managed switches exercise real control over how traffic traverses a network and which devices can be attached. With unmanaged switches, anyone can plug a PC into the switch and access that network segment, potentially finding pathways into larger parts of a manufacturer’s OT or IT platforms.
Managed Ethernet switches can provide defense in depth, a concept incorporated into and formalized in the ISA/IEC 62443 series of standards that define requirements and processes for implementing and maintaining electronically secure industrial automation and control systems (IACS). These standards set best practices for security and provide a way to assess the level of security performance.
Following these standards, managed industrial Ethernet switches have multiple overlapping layers and features to provide the maximum protection against a given risk. If someone wants to add a device or PC to a system with a managed network switch, these overlapping layers can include advanced password encryption, MAC security, configurable password length and multi-level user access control. Managed Ethernet switches can easily be programmed to automatically disable user credentials or ports after a set number of failed access attempts.
Many hacker groups and internet criminals continually target the industrial elements of corporate networks, in part because many still have unmanaged Ethernet switches that provide vulnerable access points. With these kinds of features, the industrial network can be equipped with the same password management, control and updating practices established by the IT department for the rest of the company, elevating security and implementing the kind of defense in depth that is vitally necessary for dependable and active cybersecurity.
Improving network traffic, easing configuration
Industrial Ethernet networks are becoming increasingly complex and traffic heavy. To minimize network delays and improve determinism, data packets should be transmitted only from the source to the intended target device. When packets go where they are not needed, the receiving devices expend resources handling them, delaying the processing of critical communication.
Managed switches give automation engineers exceptional control over these kinds of issues. For example, in a large machining department with multiple machine tools networked together, each work cell may have multiple devices within each tool – such as variable frequency drives (VFD) – generating high volumes of network traffic.
That VFD data may be useful for preventive maintenance and system performance tracking, but it may not be necessary for that data to also be passed up to the PLC in the work cell. Managed Ethernet switches use access control lists to specify, for a given source MAC address, that its broadcasts never traverse the link that goes to the PLC.
This same feature can limit what additional devices or network links can be connected to a particular uplink port, ensuring proper traffic management for any given work cell or automation network segment.
Many leading industrial Ethernet managed switches have been designed for fast, easy, virtually plug-and-play installation and configuration.
This is especially valuable in industrial environments where integrating managed Ethernet switches is often assigned to controls or automation engineers, whose backgrounds and training aren’t necessarily grounded in Ethernet network configuration tasks and processes.
The latest generation of switches comes pre-configured, supporting all the necessary protocols – such as IGMP snooping. Many platforms feature simple graphical user interfaces that include a logical view showing active ports, power supply, temperature and contact relay status, along with color-coded gauges for port traffic and event tracking.
The value of industrial data
Many manufacturers recognize their most valuable asset is their industrial data. In Industry 4.0, as they implement or upgrade their industrial networks to take full advantage of the speed and power of industrial Ethernet systems, there are clear advantages to investing in managed industrial Ethernet switches.
They give industrial users easier, more secure and more reliable access to all that valuable data, with state-of-the-art features to minimize cybersecurity risks and give plant managers critical visibility and greater control of their industrial networks.