
How to Implement Secure Time Sensitive Networks for the IIoT Using Managed Ethernet Switches
The Industrial Internet of Things (IIoT) needs secure, real-time, high-bandwidth connectivity for a wide range of devices. IIoT networks in Industry 4.0 automation, water management, oil and gas processing, transportation, utility power management, and similar critical applications also need an efficient and flexible way to deliver power to devices, and they need a connectivity solution with high port density to support large numbers of devices in minimal space. Next-generation managed Ethernet switches can satisfy those needs and more.
Managed Ethernet switches can be remotely configured and monitored, simplifying network deployments and updates. They support a variety of network architectures, such as star and line topologies with redundant operation, including compliance with IEC 62439-1, which applies to high-availability automation networks. They support IEEE 802.1 standards for Time Sensitive Networking (TSN) and IEEE 802.3 standards for Power over Ethernet (PoE) and PoE+.
These switches are available certified under the ISASecure program for off-the-shelf automation and control components, which is based on the International Society of Automation / International Electrotechnical Commission (ISA/IEC) 62443 series of standards. They can be configured with combinations of 10/100BASE-TX RJ45 ports for copper interconnects and tri-speed small form factor pluggable (SFP) slots for fiber optic modules running at 100 Mb/sec. (Mb/s), 1 Gb/sec. (Gb/s), or 2.5 Gb/s.
This article begins with a brief look at the transition from the automation pyramid of Industry 3.0 to the automation pillar of Industry 4.0, reviews several options for deploying networks that carry both urgent and non-urgent traffic, and considers how TSN fits in and can be implemented. It then considers how PoE and PoE+ simplify powering sensors, controls, and other devices on the IIoT, and it explains the importance of security, including ISASecure certification and advanced security features such as wire-speed access control lists (ACLs) and automatic denial-of-service (DoS) prevention. It closes by summarizing the benefits of managed Ethernet switches and presents several exemplary BOBCAT managed switches from Hirschmann.
Pyramid to pillar
The move from the pyramid factory architecture of Industry 3.0 to the pillar architecture of Industry 4.0 is the driving force behind the development of TSN. The pyramid separated factory functions into a hierarchy from the factory floor to centralized control and management functions. Real-time communication is mainly needed at the factory floor’s lowest level, where sensor data controls manufacturing processes. That changes in Industry 4.0.
The automation pillar of Industry 4.0 reduces the number of levels from four to two: the field level and the factory backbone. The field level includes increasing numbers of sensors and a growing assortment of controllers. Some controllers are moving down to the field level from the pyramid’s control/programmable logic controller (PLC) level. At the same time, other functions formerly in the control/PLC level are moving up to the factory backbone, becoming virtual PLCs along with manufacturing execution system (MES), supervisory control and data acquisition (SCADA) functions, and enterprise resource planning (ERP).
The connectivity layer ties the field and backbone levels together. It and the field-level networks must deliver high-speed, low-latency communication and must carry mixtures of low-priority and time-critical traffic on the same wire. TSN meets that requirement by giving time-critical streams deterministic, bounded latency over standard Ethernet; the IETF's Deterministic Networking (DetNet) work extends the same idea to routed IP networks (Figure 1).
Power over Ethernet (PoE) is a natural complement to TSN in the Industry 4.0 automation pillar. One of the driving forces behind Industry 4.0 is the IIoT, which consists of many sensors, actuators, and controllers. PoE addresses the challenge of powering large numbers of such devices throughout a factory or other facility without running a separate power circuit to each one.
PoE carries high-speed data (including TSN traffic) and DC power over the same network cable. For example, nominal 48-Vdc power can be delivered up to 100 m over CAT 5/5e cable. Besides simplifying installation, PoE centralizes power at the switch, so a single uninterruptible or redundant supply at the switch backs up every powered device, which can improve the reliability of industrial processes and equipment.
PoE uses two types of devices: power sourcing equipment (PSE), such as a switch port, that injects power onto the cable, and powered devices (PDs) that extract and use it. Two types of PoE are relevant here. Basic PoE (IEEE 802.3af) supplies up to 15.4 W at the PSE port, of which 12.95 W is guaranteed at the PD after worst-case losses in 100 m of cable. PoE+ (IEEE 802.3at) raises that to 30 W at the PSE port and 25.5 W at the PD. The PSE checks for a valid PD signature and power class before applying full power, so a non-PoE device plugged into a PoE port is not energized.
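The two figures worth separating when planning PoE are what the PSE supplies and what the PD is guaranteed after cable loss. The following is an added example, not Hirschmann code: it derives the PD-side figures from the 802.3af/at parameters, picks the cheapest PoE type for a given device, and checks a device list against a switch budget like the 240 W / 8-port figure quoted later in this article. The device list, the class-based allocation helper and the budget values are constructed inputs.

```python
"""PoE power budget: what actually reaches the powered device (PD), and whether a
switch can power a given set of PDs.

Added example, not Hirschmann code. PSE output power, minimum PSE voltage,
worst-case loop resistance and the per-class allocations are the IEEE 802.3af/at
figures; the device list and the 240 W / 8-port switch are constructed inputs
chosen to match the numbers quoted in the article.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PoeType:
    name: str
    pse_power_w: float      # power the PSE must be able to supply at the port
    pse_min_volts: float    # lowest voltage the PSE may output under load
    loop_ohms_100m: float   # worst-case cable loop resistance over 100 m


POE = PoeType("IEEE 802.3af Type 1 (PoE)", 15.4, 44.0, 20.0)
POE_PLUS = PoeType("IEEE 802.3at Type 2 (PoE+)", 30.0, 50.0, 12.5)

# Power a PSE reserves for a PD once it has read the PD's class (802.3af/at).
CLASS_ALLOC_W = {0: 15.4, 1: 4.0, 2: 7.0, 3: 15.4, 4: 30.0}


def pd_power(t: PoeType, length_m: float = 100.0) -> float:
    """Power left at the PD after I^2R loss in the cable, worst case.

    Worst case means minimum PSE voltage (highest current for the rated power)
    over the full cable length at the standard's loop resistance.
    """
    current_a = t.pse_power_w / t.pse_min_volts
    loop_ohms = t.loop_ohms_100m * length_m / 100.0
    return round(t.pse_power_w - current_a ** 2 * loop_ohms, 2)


def poe_type_for(pd_need_w: float, length_m: float = 100.0) -> Optional[PoeType]:
    """Cheapest PoE type that still leaves pd_need_w at the PD, or None."""
    for t in (POE, POE_PLUS):
        if pd_power(t, length_m) >= pd_need_w:
            return t
    return None


def check_budget(devices: List[Tuple[str, int]], ports: int = 8,
                 budget_w: float = 240.0) -> Tuple[bool, float, str]:
    """Check a list of (device name, PD class) against a switch's PoE capacity.

    Each port reserves the full per-class allocation; "no load sharing" means a
    port never borrows from, or lends to, another port.
    Returns (ok, reserved watts, reason).
    """
    if len(devices) > ports:
        return False, 0.0, f"{len(devices)} PDs but only {ports} PoE ports"
    reserved = 0.0
    for name, pd_class in devices:
        if pd_class not in CLASS_ALLOC_W:
            return False, reserved, f"{name}: unknown PD class {pd_class}"
        reserved += CLASS_ALLOC_W[pd_class]
    if reserved > budget_w:
        return False, reserved, f"needs {reserved:.1f} W, budget is {budget_w:.1f} W"
    return True, reserved, "ok"


if __name__ == "__main__":
    # Constructed inputs: what a 100 m Cat5e run leaves for the PD.
    for t in (POE, POE_PLUS):
        print(f"{t.name}: {t.pse_power_w} W at PSE -> {pd_power(t)} W at PD over 100 m")
    # A PD that needs 20 W cannot be served by basic PoE at 100 m, but PoE+ can.
    t = poe_type_for(20.0)
    print("20 W PD needs:", t.name if t else "more than PoE+")
    # Eight class-4 (PoE+) cameras on a 240 W, 8-port switch.
    cams = [(f"cam{i}", 4) for i in range(8)]
    print(check_budget(cams))
    # A ninth device exceeds the port count regardless of the watt budget.
    print(check_budget(cams + [("sensor", 1)]))
```

The practical check is to compare a device's data-sheet input power against the PD-side figure (12.95 W or 25.5 W at 100 m), never against the 15.4 W or 30 W the PSE supplies; a shorter run leaves more at the PD, which `pd_power` shows by taking the cable length as a parameter.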
Network security
The ISA and IEC have developed a series of standards for industrial automation and control systems (IACS). The ISA/IEC 62443 series is organized in four groups: general concepts, policies and procedures, system requirements, and component requirements. Group 4 applies to product suppliers: IEC 62443-4-1 specifies a secure product development lifecycle, and IEC 62443-4-2 specifies the technical security requirements a component such as a switch must meet. A device certified to IEC 62443-4-2 has been independently evaluated against those requirements rather than relying on the vendor's own claims. Two important tools for IACS network security are access control lists (ACLs) and denial of service (DoS) attack protection, and network engineers have several options for each.
ACLs permit or deny traffic entering or leaving a switch interface. Because the switch evaluates them in its forwarding hardware, they run at wire speed and do not reduce throughput or add jitter, which matters in TSN deployments. Hirschmann's HiOS switch software divides ACLs into three categories:
Basic ACLs for TCP/IP traffic expose a minimal set of options for rules such as "device A may communicate only with this group of devices," "device A may send only specific types of traffic to device B," or "device A may not communicate with device B at all." Basic ACLs keep deployments simple and fast to configure.
Advanced ACLs for TCP/IP traffic provide finer-grained control. Traffic can be permitted or denied based on its priority, on flags set in the headers, and on other criteria, and a rule can be made active only at certain times of day. Matching traffic can be mirrored to another port for monitoring or analysis, or redirected to a defined port regardless of its original destination.
Some IACS devices do not use TCP/IP at all, so HiOS also allows ACLs at the Ethernet frame level based on media access control (MAC) addressing. These MAC-level ACLs filter on criteria such as EtherType (traffic type), time of day, and source or destination MAC address (Figure 4).
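To make the three rule categories concrete, here is an added example, not HiOS code or configuration syntax, that models first-match ACL evaluation in software: basic IP rules ("A only to this group", "A only Modbus/TCP to B", "A never to C"), advanced rules with priority, time-of-day, mirror and redirect criteria, and a MAC/EtherType rule for non-IP traffic. The hosts, ports, MAC address, the PROFINET EtherType rule and the 08:00-17:00 maintenance window are constructed; "first matching rule wins, unmatched traffic is dropped" is the usual ACL semantics and not a claim about any product's defaults.

```python
"""First-match ACL evaluation: basic IP rules, advanced IP rules, MAC-level rules.

Added example, not HiOS code. Hosts, ports, MACs and the maintenance window are
constructed; times of day are "HH:MM" strings so they compare as text.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Frame:
    src_mac: str
    ethertype: int                    # 0x0800 = IPv4; anything else is non-IP
    src_ip: Optional[str] = None      # IP fields stay None for non-IP frames
    dst_ip: Optional[str] = None
    proto: Optional[int] = None       # 6 = TCP, 17 = UDP
    dport: Optional[int] = None
    pcp: int = 0                      # 802.1p priority, 0-7


@dataclass
class Rule:
    name: str
    action: str                       # "permit" or "deny"
    src_mac: Optional[str] = None
    ethertype: Optional[int] = None
    src: Optional[str] = None         # CIDR; None matches any
    dst: Optional[str] = None
    proto: Optional[int] = None
    dport: Optional[int] = None
    min_pcp: Optional[int] = None     # only frames at this priority or above
    window: Optional[Tuple[str, str]] = None  # rule active only within (start, end)
    mirror_to: Optional[int] = None   # copy matching traffic to this port
    redirect_to: Optional[int] = None # force matching traffic out of this port


@dataclass
class Decision:
    action: str
    rule: str
    mirror_to: Optional[int] = None
    redirect_to: Optional[int] = None


def _in(addr: Optional[str], cidr: str) -> bool:
    return addr is not None and ip_address(addr) in ip_network(cidr)


def matches(rule: Rule, f: Frame, now: str) -> bool:
    """Every criterion set on the rule must hold; unset criteria match anything."""
    if rule.window and not (rule.window[0] <= now <= rule.window[1]):
        return False
    if rule.src_mac and rule.src_mac.lower() != f.src_mac.lower():
        return False
    if rule.ethertype is not None and rule.ethertype != f.ethertype:
        return False
    if rule.src and not _in(f.src_ip, rule.src):
        return False
    if rule.dst and not _in(f.dst_ip, rule.dst):
        return False
    if rule.proto is not None and rule.proto != f.proto:
        return False
    if rule.dport is not None and rule.dport != f.dport:
        return False
    if rule.min_pcp is not None and f.pcp < rule.min_pcp:
        return False
    return True


def evaluate(acl: List[Rule], f: Frame, now: str) -> Decision:
    """First matching rule decides; a frame no rule matches is dropped."""
    for r in acl:
        if matches(r, f, now):
            return Decision(r.action, r.name, r.mirror_to, r.redirect_to)
    return Decision("deny", "implicit-deny")


A, B, C = "10.0.1.10", "10.0.3.5", "10.0.3.9"   # constructed hosts
PLC_GROUP = "10.0.2.0/24"

ACL = [
    # basic: A must never talk to C (explicit, so a log shows which rule hit)
    Rule("a-not-c", "deny", src=f"{A}/32", dst=f"{C}/32"),
    # basic: A may talk only to the PLC group ...
    Rule("a-plc-group", "permit", src=f"{A}/32", dst=PLC_GROUP),
    # advanced: ... and may send only Modbus/TCP to B, copied to an IDS on port 24
    Rule("a-b-modbus", "permit", src=f"{A}/32", dst=f"{B}/32", proto=6, dport=502, mirror_to=24),
    # advanced: high-priority traffic from the PLC group is forced out port 1
    Rule("plc-prio", "permit", src=PLC_GROUP, min_pcp=6, redirect_to=1),
    # advanced: engineering laptop may SSH to the switch during working hours only
    Rule("eng-ssh", "permit", src="10.0.9.7/32", dst="10.0.0.1/32", proto=6, dport=22,
         window=("08:00", "17:00")),
    # MAC level: PROFINET RT frames (EtherType 0x8892) from one known controller
    Rule("profinet-rt", "permit", src_mac="00:11:22:33:44:55", ethertype=0x8892),
]


def decide(f: Frame, now: str = "12:00") -> Decision:
    return evaluate(ACL, f, now)
```

Rule order is the point to check in any ACL: the explicit `a-not-c` deny sits first so it cannot be shadowed by a broader permit added later, and everything the list does not name (for example A sending HTTP to B) falls through to the implicit deny.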
While ACLs must be configured, DoS prevention is usually built into the switch and applied automatically. It covers attacks carried over TCP, UDP, and the internet control message protocol (ICMP). Many TCP and UDP DoS attacks send the target packets that do not conform to the protocol standard, for example TCP segments with illegal flag combinations (no flags at all, or SYN and FIN together) or headers shorter than the minimum length, to crash or wedge a weak protocol stack. Another sends a packet whose source address is the target's own address (the LAND attack), which can cause the target to reply to itself in an endless loop. A switch can drop such packets at ingress, protecting both itself and legacy devices behind it that cannot be patched.
Another common DoS vector is the ICMP echo request (ping). Pings are meant to check reachability and round-trip time, but a ping can be weaponized, for example by sending an echo request that, once its fragments are reassembled, exceeds the 65,535-byte maximum IP datagram size (the "ping of death"), overflowing a buffer in the receiving device and crashing its protocol stack. Today's managed Ethernet switches can automatically discard oversized or fragmented ICMP packets and so protect themselves from ICMP-based DoS attacks.
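The checks described in the two paragraphs above are all decidable from the packet headers alone, which is why a switch can apply them at ingress. The following is an added example, not HiOS code: it parses a raw IPv4 datagram carrying TCP or ICMP and returns the first sanity rule the packet violates (LAND, null/Xmas/SYN+FIN flag combinations, truncated TCP headers, fragments that would reassemble past the IPv4 limit, and fragmented or oversized ICMP). The rule names, the ICMP payload limit and the sample packets are constructed.

```python
"""Protocol-sanity checks of the kind a switch's automatic DoS prevention applies.

Added example, not HiOS code. Rule names, the ICMP payload limit and the sample
packets built in main() are constructed. Feed it raw IPv4 datagrams (for example
pcap payloads with the Ethernet header stripped).
"""
import struct
from ipaddress import IPv4Address
from typing import Optional

IPV4_MAX_LEN = 65535            # largest datagram IPv4 can describe, header included
TCP_MIN_HDR = 20
ICMP_MAX_PAYLOAD = 1024         # assumed site limit; a normal ping carries 56-64 bytes
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def inspect(pkt: bytes) -> Optional[str]:
    """Return the name of the violated rule, or None when the packet looks sane."""
    if len(pkt) < 20:
        return "short-ip-header"
    ver_ihl, _tos, total_len, _ident, frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt) or total_len < ihl:
        return "malformed-ip-header"
    if src == dst:
        return "land"                       # target would answer itself indefinitely
    more_fragments = bool(frag & 0x2000)
    offset = (frag & 0x1FFF) * 8
    payload = pkt[ihl:]
    if offset + len(payload) > IPV4_MAX_LEN - 20:
        return "oversized-reassembly"       # "ping of death": reassembles past the limit
    if proto == 1:                          # ICMP
        if offset or more_fragments:
            return "icmp-fragment"          # echo requests have no business being fragmented
        if len(payload) > ICMP_MAX_PAYLOAD:
            return "icmp-too-large"
    elif proto == 6:                        # TCP
        if offset:
            return None                     # later fragments carry no TCP header to check
        if len(payload) < TCP_MIN_HDR:
            return "short-tcp-header"
        data_offset = (payload[12] >> 4) * 4
        flags = payload[13] & 0x3F
        if data_offset < TCP_MIN_HDR:
            return "bad-tcp-data-offset"
        if flags == 0:
            return "tcp-null-scan"
        if flags & (FIN | PSH | URG) == FIN | PSH | URG:
            return "tcp-xmas-scan"
        if flags & (SYN | FIN) == SYN | FIN:
            return "tcp-syn-fin"
    return None


def ipv4(src: str, dst: str, proto: int, payload: bytes,
         frag_offset: int = 0, more_fragments: bool = False) -> bytes:
    """Build a minimal IPv4 datagram (checksum left zero; the filter ignores it)."""
    frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, min(20 + len(payload), IPV4_MAX_LEN),
                      1, frag, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def tcp(sport: int, dport: int, flags: int, data_offset: int = 5) -> bytes:
    """Minimal 20-byte TCP header with the given flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset << 4, flags, 8192, 0, 0)


def icmp_echo(payload: bytes) -> bytes:
    """ICMP echo request (type 8) with the given payload."""
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload


if __name__ == "__main__":
    a, b = "10.0.1.10", "10.0.1.20"       # constructed addresses
    samples = {
        "normal SYN": ipv4(a, b, 6, tcp(40000, 502, SYN)),
        "normal ping": ipv4(a, b, 1, icmp_echo(b"\x00" * 56)),
        "LAND": ipv4(b, b, 6, tcp(502, 502, SYN)),
        "NULL scan": ipv4(a, b, 6, tcp(40000, 502, 0)),
        "Xmas scan": ipv4(a, b, 6, tcp(40000, 502, FIN | PSH | URG)),
        "SYN+FIN": ipv4(a, b, 6, tcp(40000, 502, SYN | FIN)),
        "truncated TCP": ipv4(a, b, 6, tcp(40000, 502, SYN)[:8]),
        "ping of death tail": ipv4(a, b, 1, b"\x00" * 16, frag_offset=65528),
    }
    for name, pkt in samples.items():
        print(f"{name:20s} -> {inspect(pkt)}")
```

Two design points carry over to a real deployment: the checks are stateless, so they cost nothing per flow and can run at line rate, and the ICMP size limit is a policy knob rather than a protocol constant, so it should be set from what the site's monitoring tools actually send rather than left at a vendor default.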
Managed switches
BOBCAT managed Ethernet switches from Hirschmann support TSN and can be upgraded in bandwidth by swapping the SFPs from 1 Gb/s to 2.5 Gb/s without changing the switch. They offer high port densities, up to 24 ports in a single unit, with SFP or copper uplink port options (Figure 5). Other features include:
ISASecure CSA / IEC 62443-4-2 certified, including ACLs and automatic DoS prevention
Up to 240 W of PoE/PoE+ power across 8 ports without load sharing, so every port can deliver its full 30 W at the same time
Standard ambient operating temperature range of 0°C to +60°C and extended temperature models that operate from -40°C to +70°C
Models that feature approval to ISA12.12.01 for use in hazardous locations
Examples of Hirschmann BOBCAT switches include:
BRS20-4TX with four 10/100BASE-TX RJ45 ports, rated for ambient temperatures from 0°C to +60°C
BRS20-4TX/2FX with four 10/100BASE-TX RJ45 ports and two 100 Mb/s fiber ports, rated for ambient temperatures from 0°C to +60°C
BRS20-4TX/2SFP-EEC-HL with four 10/100BASE-TX RJ45 ports and two 100 Mb/s fiber SFP slots, rated for ambient temperatures from -40°C to +70°C and approved to ISA12.12.01 for use in hazardous locations
BRS20-4TX/2SFP-HL with four 10/100BASE-TX RJ45 ports and two 100 Mb/s fiber SFP slots, rated for ambient temperatures from 0°C to +60°C and approved to ISA12.12.01 for use in hazardous locations
BRS30-12TX with eight 10/100BASE-TX RJ45 ports and four 100 Mb/s fiber ports, rated for ambient temperatures from 0°C to +60°C
BRS30-16TX/4SFP with sixteen 10/100BASE-TX RJ45 ports and four 100 Mb/s fiber SFP slots, rated for ambient temperatures from 0°C to +60°C
Managed Ethernet switches are available that support TSN, PoE and PoE+, provide a high level of cybersecurity, and deliver the high-bandwidth connectivity needed for the IIoT and the Industry 4.0 pillar networking structure. Those switches are easy to configure, have high port densities, offer extended operating temperature ranges, and are available in versions approved to ISA12.12.01 for use in hazardous locations.