The Hidden Benefits of Manageable Switches in OT Networks

Feb. 20, 2023
Why upgrading to modern, scalable, and manageable infrastructure should be considered as part of any smart manufacturing initiative.

Ethernet-based OT (operational technology) networks are commonplace today, but switch selection and network topology design continue to be an afterthought in many cases. In the past, TCP/IP-based controls networks were built much like the serial-based networks they replaced. Legacy serial networks often involved linear topologies, passive nodes, and shared addressing spaces. Though these designs often still work in modern Ethernet controls networks, they are not optimal and often rely on network infrastructure devices that cannot be managed at all.

At the heart of an Ethernet-based OT network is the Ethernet switch. These devices come in many flavors, from unmanaged devices with no user-configurable settings to devices that require complex configuration for optimal use. While the former may seem like the easy choice, a managed switch is often the better choice once the tools and features it offers are taken into account.

Scalability and redundancy

Managed network switching is key to the configurability behind a scalable network, one that can grow without major reconfiguration. The biggest and most used feature for this is network segmentation, which uses VLANs to logically separate traffic and keep factory cell and area zones apart from each other. Organizing the plant floor into relevant groupings allows for easier growth both vertically (adding switch layers and uplinks) and horizontally (adding cells and devices within a zone). Note that a VLAN is a logical boundary only: traffic between zones still has to cross a Layer 3 device where it can be filtered, which is where the zone-and-conduit model of ISA/IEC 62443 is actually enforced. In addition, managed switches support redundancy technologies such as REP (Resilient Ethernet Protocol), DLR (Device Level Ring), and port-channeling (link aggregation). These put redundant links to use and keep the network performing well even when hardware or a link fails.
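A segmentation design is only as good as its enforcement on the ports, so a check worth running after any change is to audit the switch's port-to-VLAN assignments against the site's zone documentation. The script below is an added example, not part of this article or of any Malisko tooling: it parses a constructed excerpt in the style of Cisco IOS `show interfaces switchport` output (the field names are real; the port names, VLAN numbers, VLAN names and zone names are hypothetical) and flags ports left in default VLAN 1, trunks that allow every VLAN, trunks carrying a VLAN from a zone they should not connect, and native VLANs that would deliver untagged frames into a production zone.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed excerpt in the style of Cisco IOS `show interfaces switchport`.
# Not a capture from a real plant; port names, VLAN numbers and VLAN names
# are hypothetical.
SAMPLE = """\
Name: Gi1/0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Access Mode VLAN: 10 (CELL_A)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL

Name: Gi1/0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL

Name: Gi1/0/24
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 999 (PARKING)
Trunking VLANs Enabled: 10,20,99
"""

# Hypothetical site documentation: the zone each VLAN belongs to, and the
# zone(s) each port is allowed to serve (one for an access port, several for
# a trunk between cells).
VLAN_ZONES: Dict[int, str] = {10: "cell_a", 20: "cell_b", 99: "management", 999: "parking"}
PORT_ZONES: Dict[str, Set[str]] = {
    "Gi1/0/1": {"cell_a"},
    "Gi1/0/2": {"cell_a"},
    "Gi1/0/24": {"cell_a", "cell_b"},
}

FIELD = re.compile(r"^(?P<key>[^:\n]+):\s*(?P<val>.*)$", re.M)


def parse_switchport(text: str) -> Dict[str, Dict[str, str]]:
    """Split the output into per-port blocks and map field name -> value."""
    ports: Dict[str, Dict[str, str]] = {}
    for block in re.split(r"\n(?=Name: )", text.strip()):
        fields = {m["key"].strip(): m["val"].strip() for m in FIELD.finditer(block)}
        name = fields.pop("Name", None)
        if name:
            ports[name] = fields
    return ports


def vlan_id(value: str) -> int:
    """'10 (CELL_A)' -> 10"""
    return int(value.split()[0])


def expand_vlans(spec: str) -> Optional[Set[int]]:
    """'10,20,30-32' -> {10, 20, 30, 31, 32}; 'ALL' -> None (wildcard); 'NONE' -> empty set."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return None
    if spec == "NONE":
        return set()
    vlans: Set[int] = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def audit(ports: Dict[str, Dict[str, str]], vlan_zones: Dict[int, str],
          port_zones: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (port, finding) pairs for every port that breaks the zone design."""
    findings: List[Tuple[str, str]] = []
    for name, f in ports.items():
        zones = port_zones.get(name)
        if zones is None:
            findings.append((name, "port is not in the site documentation"))
            continue
        if f.get("Administrative Mode") == "trunk":
            allowed = expand_vlans(f.get("Trunking VLANs Enabled", "ALL"))
            if allowed is None:
                findings.append((name, "trunk allows ALL VLANs; prune it to the zones it connects"))
            else:
                for v in sorted(allowed):
                    zone = vlan_zones.get(v)
                    if zone not in zones:
                        findings.append((name, f"trunk carries VLAN {v} ({zone or 'undocumented'}) outside zones {sorted(zones)}"))
            native = vlan_id(f.get("Trunking Native Mode VLAN", "1"))
            if native == 1 or vlan_zones.get(native) in zones:
                findings.append((name, f"native VLAN {native} delivers untagged frames into a production zone; use an unused VLAN"))
        else:
            v = vlan_id(f.get("Access Mode VLAN", "1"))
            zone = vlan_zones.get(v)
            if v == 1:
                findings.append((name, "access port left in default VLAN 1 (not segmented)"))
            elif zone not in zones:
                findings.append((name, f"access VLAN {v} ({zone or 'undocumented'}) does not match zones {sorted(zones)}"))
    return findings


if __name__ == "__main__":
    for port, finding in audit(parse_switchport(SAMPLE), VLAN_ZONES, PORT_ZONES):
        print(f"{port}: {finding}")
```

On the sample above the audit reports Gi1/0/2 (left in VLAN 1) and Gi1/0/24 (the inter-cell trunk also carries the management VLAN 99); Gi1/0/1 is clean. The same parser can be pointed at the saved output of every switch in a backup job, which turns the audit into the kind of scheduled check the network-automation section later describes.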

Advanced troubleshooting

When manufacturing grinds to a halt because of a network issue, troubleshooting the connection and getting processes back online is mission critical. Even simple network topologies are often more complex than they first appear, carrying protocols and control data that offer insight into what is causing the problem. Managed switching provides visibility into these protocols, can point the user to exactly where the issue is, and lets them resolve it. For example, in a network with many endpoints, a duplicate IP address can wreak havoc and be troublesome to track down. With a managed switch, a user can check the ARP (address resolution protocol) table on the switches to see which hardware addresses are claiming the same IP (the table holds one MAC per IP at a time, so the entry flips between the two offenders, and most switches also log a duplicate-address warning), then follow the MAC (media access control) address table to the exact port the misconfigured endpoint is plugged into. If that port turns out to be an uplink, the same lookup is repeated on the neighboring switch. The user can even remediate immediately by shutting down the port until the endpoint is fixed. All of this can be done remotely, removing the need for an engineer to be physically in front of the switch. That remote reach is also why the switch's own management interface must be treated as a protected asset: on a dedicated management VLAN, reached over SSH rather than Telnet, and not reachable from the plant-floor zones it serves.
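The duplicate-IP hunt described above, as an added example that is not from the article: a short Python script that parses two constructed snapshots in the style of Cisco IOS `show ip arp` and one of `show mac address-table` (the column layout is real; the addresses, MACs and port names are made up), lists every IP that resolved to more than one hardware address across the snapshots, follows each MAC to its port, and notes when that port also carries other MACs, which means it is an uplink and the hunt continues on the neighbor switch.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpts in the style of Cisco IOS `show ip arp` and
# `show mac address-table`; not captured from a real network.  The ARP table
# holds one MAC per IP at a time, so a duplicate shows up as the entry
# changing between snapshots (or as the switch's duplicate-address log).
ARP_SNAPSHOTS = [
    """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.10.1            -   0011.2233.4455  ARPA   Vlan10
Internet  192.168.10.20           0   0019.1234.5678  ARPA   Vlan10
Internet  192.168.10.31           3   0019.aaaa.bbbb  ARPA   Vlan10
""",
    """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.10.1            -   0011.2233.4455  ARPA   Vlan10
Internet  192.168.10.20           0   0019.dead.beef  ARPA   Vlan10
Internet  192.168.10.31           5   0019.aaaa.bbbb  ARPA   Vlan10
""",
]

MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0019.1234.5678    DYNAMIC     Gi1/0/5
  10    0019.dead.beef    DYNAMIC     Gi1/0/7
  10    0019.aaaa.bbbb    DYNAMIC     Gi1/0/24
  10    0019.cccc.dddd    DYNAMIC     Gi1/0/24
Total Mac Addresses for this criterion: 4
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ARP_LINE = re.compile(rf"^Internet\s+(\S+)\s+\S+\s+({MAC})\s+ARPA\s+(\S+)", re.M | re.I)
MAC_LINE = re.compile(rf"^\s*(\d+)\s+({MAC})\s+\S+\s+(\S+)", re.M | re.I)


def parse_arp(text: str) -> List[Tuple[str, str]]:
    """Return (ip, mac) pairs from one `show ip arp` snapshot."""
    return [(ip, mac.lower()) for ip, mac, _ in ARP_LINE.findall(text)]


def parse_mac_table(text: str) -> Dict[str, Tuple[int, str]]:
    """Map mac -> (vlan, port) from `show mac address-table` output."""
    return {mac.lower(): (int(vlan), port) for vlan, mac, port in MAC_LINE.findall(text)}


def find_duplicate_ips(snapshots: List[str]) -> Dict[str, List[str]]:
    """IPs that resolved to more than one MAC across the snapshots, with the
    MACs in the order they were first seen (the later one is the likely newcomer)."""
    seen: Dict[str, List[str]] = {}
    for snap in snapshots:
        for ip, mac in parse_arp(snap):
            macs = seen.setdefault(ip, [])
            if mac not in macs:
                macs.append(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


def locate(macs: List[str], mac_table: Dict[str, Tuple[int, str]]) -> List[Tuple[str, str, bool]]:
    """For each MAC: the port it was learned on, and whether that port also
    carries other MACs (an uplink, so the offender sits behind another switch)."""
    macs_per_port: Dict[str, int] = {}
    for _, port in mac_table.values():
        macs_per_port[port] = macs_per_port.get(port, 0) + 1
    located: List[Tuple[str, str, bool]] = []
    for mac in macs:
        entry = mac_table.get(mac)
        if entry is None:
            located.append((mac, "not in MAC table (aged out, or the switch itself)", False))
        else:
            port = entry[1]
            located.append((mac, port, macs_per_port[port] > 1))
    return located


def shutdown_commands(port: str) -> str:
    """IOS-style commands to take the offending port out of service until the endpoint is fixed."""
    return f"interface {port}\n shutdown\n"


if __name__ == "__main__":
    table = parse_mac_table(MAC_TABLE)
    for ip, macs in find_duplicate_ips(ARP_SNAPSHOTS).items():
        print(f"{ip} is claimed by {len(macs)} hosts:")
        for mac, port, shared in locate(macs, table):
            hint = "  (uplink, continue on the neighbor switch)" if shared else ""
            print(f"  {mac} -> {port}{hint}")
```

Which of the two ports to shut down is an operator's call: the MAC that appeared in the later snapshot is usually the newcomer, but the script only hands back the candidate ports and the shutdown commands, it does not pick one. In the sample, 192.168.10.20 is claimed from Gi1/0/5 and Gi1/0/7, both edge ports, while Gi1/0/24 carries two MACs and would have been flagged as an uplink had the duplicate been learned there.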

Security

Cybersecurity in today’s industrial control system (ICS) networks is driven by globally recognized standards such as ISA/IEC 62443, and managed network switches provide the foundation: the visibility and control that strengthen the overall OT security posture. As information security departments take on a more active role in securing OT, the need has arisen for more comprehensive monitoring and insight into vulnerabilities unique to industrial automation equipment. Modern ICS security and visibility tools use what is marketed as “continuous packet capture”: they passively listen to all communications on the network and identify trends and deviations at the packet level. This is accomplished by configuring port mirroring on the switch (a SPAN session), which sends copies of the traffic on selected ports or VLANs to the port where the monitoring sensor is attached. Two practical caveats apply. A mirror destination is silently oversubscribed when the mirrored sources carry more traffic than the destination port can forward, so a busy uplink may need a dedicated network TAP instead. And a SPAN destination port does not forward frames received from the sensor unless that is explicitly enabled; it should be left that way so the monitoring appliance cannot become a path back into the cell. Being able to add port mirroring directly where the traffic is generated gives infosec professionals the data they need to help their OT counterparts secure the plant floor.

The future of industrial networking

IT/OT convergence is real, and many IT technologies are becoming increasingly relevant in the OT space. Network automation, for instance, is becoming more commonplace in OT networks. Automation in this context refers to items like scheduled configuration backups and updates, self-healing network topologies, and efficient management of physical and virtual devices within the infrastructure. Even some of the large ICS vendors are pushing customers to adopt infrastructure as code (IaC), which means managing and provisioning infrastructure through code instead of the manual processes still used in many OT environments. A side benefit worth noting: scheduled backups kept in version control double as a change record, so a diff against the last approved configuration exposes a port, VLAN, or mirror session that was changed without a ticket.

As customers aim to modernize legacy ICS networks, choosing the right managed switching platform is crucial to a successful smart manufacturing journey. And while the topic of accessing machine data for advanced analytics tends to get all the glory, it is also important to recognize that managed industrial switching is the foundation of these information-driven initiatives and thus deserves attention.

Corey Schoff is a senior network and security engineer at Malisko Engineering Inc., a certified member of the Control System Integrators Association (CSIA). For more information about Malisko Engineering, visit its profile on the Industrial Automation Exchange. 
