Managed switches can help industrial manufacturers overcome IT/OT convergence challenges and achieve greater efficiencies, increased reliability, and improved network security. Barry Turner, Technical Business Development Manager at Red Lion Controls, explains how.

Barry Turner, Technical Business Development Manager, Red Lion Controls

With Industry 4.0 and the resulting advances in technology, manufacturers have had to continually rethink the relationship between information technology (IT) and operational technology (OT). Previously, these two areas functioned separately. IT managed all enterprise business applications while OT kept manufacturing facilities running smoothly.

As the IIoT continues to evolve and revolutionize the way that manufacturing equipment works together, integrating these two worlds is increasingly imperative to remain competitively efficient and secure.

Two distinct factors challenge administrators in today’s smart manufacturing industry. The first is that manufacturers need to understand how to extract and contextualize OT data for higher-level IT use in order to identify trends and patterns and make the data more actionable. The second is that, given all the connectivity, data collection, and intelligence involved in Industrial IoT systems, manufacturers must be proactive and responsive to dynamic and always-present security challenges.

Managed Ethernet switches can help enable the sort of IT/OT convergence that’s needed to solve these inherent challenges. When implemented along with a Defense in Depth security strategy using security features inside the managed switch, these tools can optimize data access and visualization and allow businesses to extract more insights, reap more benefits, and minimize downtime.

Taking a Multi-Layered “Defense in Depth” Approach to Security

Red Lion’s new N-Tron Series NT5000 gigabit managed Layer 2 Industrial Ethernet switches are designed to keep industrial networks connected and protected and are engineered for ease of use, security, and durability. They are also available at RS in a variety of configurations to suit a broad range of applications.

Security is not just one department’s responsibility anymore, especially with the IIoT transforming manufacturing environments. IT and OT teams must be aligned on security measures even if they have different priorities, and additional layers of security must be implemented as well.

A Defense in Depth (DiD) strategy uses multiple layers of protection and security controls throughout an IT/OT system to better protect networks, devices, and other applications from attacks and intrusions. Each security layer — such as firewalls, virtual local area networks (VLANs), and robust user access controls — represents another obstacle that can help prevent bad actors from getting through. Even if one layer becomes compromised, the additional layers make it more likely that the threat will be detected and stopped before resulting in harmful access to systems or operational data.

You can implement a DiD security plan by constructing zones and conduits using VLANs, routers, and monitored access control. Managed Ethernet switches are key. I recommend using Layer 2 Ethernet switches to create the VLANs and then building a path in and out of these smaller zones using firewalls and routers.

Strict access control is also a vital part of a DiD strategy, so monitoring and alert capabilities are essential. In many cases, access control lists can also be helpful, as they allow access only to designated IP or MAC addresses on the network. Anytime unusual activity is detected, the network should log that event and immediately alert administrators so control engineers can be activated to limit damage or downtime.
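The zones-and-conduits model described above, as an added example that is not Red Lion's code and does not use the NT5000's configuration syntax: a small Python policy evaluator that treats each VLAN as a zone, permits inter-zone traffic only through a defined conduit, and applies that conduit's access control list by source subnet, source MAC address and destination port. The VLAN numbers, subnets, MAC addresses and port numbers are constructed for the example.

```python
"""Zones-and-conduits policy check (added example, not Red Lion code).

Each VLAN is a zone. A conduit is the only permitted path between two zones,
and each conduit carries an ACL narrowing which source subnets, source MACs
and destination ports may use it. Everything else is denied and recorded so
it can be forwarded to syslog for alerting. All values are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_vlan: int
    dst_vlan: int
    src_ip: str
    dst_ip: str
    dst_port: int
    src_mac: Optional[str] = None


@dataclass
class Conduit:
    """Permitted path from one zone to another, narrowed by ACL entries.
    An empty list or set means no restriction on that dimension."""
    from_vlan: int
    to_vlan: int
    src_nets: list = field(default_factory=list)   # CIDR strings
    src_macs: set = field(default_factory=set)     # lower-case MAC strings
    dst_ports: set = field(default_factory=set)


class ZonePolicy:
    def __init__(self) -> None:
        self.conduits: list[Conduit] = []
        self.denied: list[tuple[Flow, str]] = []   # feed these to syslog / alerting

    def add_conduit(self, conduit: Conduit) -> None:
        self.conduits.append(conduit)

    def evaluate(self, flow: Flow) -> tuple[bool, str]:
        """Return (allowed, reason). Default is deny: a flow between two zones
        is allowed only if a conduit joins them and its ACL admits the flow."""
        if flow.src_vlan == flow.dst_vlan:
            return True, "intra-zone traffic is switched locally"
        for c in self.conduits:
            if (c.from_vlan, c.to_vlan) != (flow.src_vlan, flow.dst_vlan):
                continue
            # First conduit joining the two zones decides; each ACL check is a hard stop.
            if c.dst_ports and flow.dst_port not in c.dst_ports:
                return self._deny(flow, f"port {flow.dst_port} not in conduit ACL")
            if c.src_nets and not any(ip_address(flow.src_ip) in ip_network(n) for n in c.src_nets):
                return self._deny(flow, f"source {flow.src_ip} not in conduit ACL")
            if c.src_macs and (flow.src_mac or "").lower() not in c.src_macs:
                return self._deny(flow, f"source MAC {flow.src_mac} not in conduit ACL")
            return True, f"conduit VLAN {c.from_vlan}->{c.to_vlan} permits flow"
        return self._deny(flow, f"no conduit from VLAN {flow.src_vlan} to VLAN {flow.dst_vlan}")

    def _deny(self, flow: Flow, reason: str) -> tuple[bool, str]:
        self.denied.append((flow, reason))
        return False, reason


def build_sample_policy() -> ZonePolicy:
    """Three constructed zones: VLAN 10 machine cell (PLCs), VLAN 20 supervisory
    (HMI/SCADA), VLAN 100 enterprise IT. IT never reaches the PLCs directly."""
    policy = ZonePolicy()
    # Supervisory hosts may poll PLCs over EtherNet/IP (44818) or Modbus/TCP (502),
    # and only from the one known HMI MAC address (constructed).
    policy.add_conduit(Conduit(20, 10, ["10.20.0.0/24"], {"00:11:22:33:44:55"}, {44818, 502}))
    # Enterprise historians reach the supervisory zone over HTTPS only.
    policy.add_conduit(Conduit(100, 20, ["10.100.5.0/24"], set(), {443}))
    return policy


if __name__ == "__main__":
    policy = build_sample_policy()
    for f in [
        Flow(20, 10, "10.20.0.5", "10.10.0.7", 44818, "00:11:22:33:44:55"),
        Flow(100, 10, "10.100.5.3", "10.10.0.7", 44818),
        Flow(100, 20, "10.100.5.3", "10.20.0.5", 22),
    ]:
        print(f, policy.evaluate(f))
```

The point of the model is the default: with no conduit defined between the enterprise zone and the machine cell, a flow from VLAN 100 to VLAN 10 is denied without any rule needing to say so, and every denial lands in `policy.denied`, which is the event stream the monitoring and alerting side of the strategy consumes.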

For example, administrators using our new N-Tron Series NT5000 managed switches can use the event log or syslog to receive notifications about access attempts or changes in the switch configuration and automatically disable user or port credentials after a defined number of failed access attempts.
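The logging and alerting behaviour described in the two paragraphs above, as an added example that is not Red Lion's code and does not reproduce the NT5000's actual event-log or syslog format: a Python monitor that reads syslog lines forwarded by a switch, raises a lockout alert once a user accumulates a defined number of failed logins inside a sliding time window, and flags configuration changes. The line format, hostname, usernames, addresses and timestamps are all constructed.

```python
"""Failed-login lockout and config-change alerting over syslog (added example).

A switch forwards its event log as syslog; this monitor counts failed logins
per (switch, user) inside a sliding window, raises a lockout alert at the
threshold, and flags configuration saves. Not Red Lion code; the message
format below is constructed and is not the NT5000's.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed RFC 3164-style syslog lines: <priority>timestamp host tag: message
SAMPLE_LOG = """\
<85>Mar  4 09:30:11 sw-cell1 auth: login failed user=eng src=10.20.0.5 via=https
<85>Mar  4 10:01:02 sw-cell1 auth: login failed user=admin src=10.100.5.30 via=ssh
<85>Mar  4 10:01:20 sw-cell1 auth: login failed user=admin src=10.100.5.30 via=ssh
<86>Mar  4 10:01:30 sw-cell1 auth: login succeeded user=operator src=10.20.0.9 via=https
<85>Mar  4 10:01:45 sw-cell1 auth: login failed user=admin src=10.100.5.30 via=ssh
<85>Mar  4 10:02:03 sw-cell1 auth: login failed user=admin src=10.100.5.30 via=ssh
<86>Mar  4 10:05:40 sw-cell1 config: config saved by operator
<85>Mar  4 10:40:00 sw-cell1 auth: login failed user=eng src=10.20.0.5 via=https
"""

LINE_RE = re.compile(
    r"^<\d{1,3}>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"login failed user=(?P<user>\S+) src=(?P<src>\S+)")
CFG_RE = re.compile(r"config (?:changed|saved) by (?P<user>\S+)")


def parse_ts(text: str, year: int = 2024) -> datetime:
    """BSD syslog timestamps carry no year; the year is assumed (constructed)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


class SwitchLogMonitor:
    def __init__(self, threshold: int = 3, window: timedelta = timedelta(minutes=5)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)   # (host, user) -> recent failure times
        self.locked = set()                  # (host, user) pairs already locked out
        self.alerts = []

    def feed(self, line: str):
        """Process one syslog line; return the alert text it raised, or None."""
        m = LINE_RE.match(line.strip())
        if not m:
            return None
        ts, host, msg = parse_ts(m["ts"]), m["host"], m["msg"]

        fail = FAIL_RE.search(msg)
        if fail:
            key = (host, fail["user"])
            recent = self.failures[key]
            recent.append(ts)
            # Drop failures older than the window so the count is a sliding window.
            while recent and ts - recent[0] > self.window:
                recent.popleft()
            if len(recent) >= self.threshold and key not in self.locked:
                self.locked.add(key)   # the switch itself would disable the credential here
                return self._alert(f"LOCKOUT {host}: {len(recent)} failed logins for "
                                   f"{fail['user']} from {fail['src']} within {self.window}")
            return None

        cfg = CFG_RE.search(msg)
        if cfg:
            return self._alert(f"CONFIG-CHANGE {host}: configuration saved by {cfg['user']}")
        return None

    def _alert(self, text: str) -> str:
        self.alerts.append(text)
        return text


def run(log_text: str = SAMPLE_LOG, **kw) -> SwitchLogMonitor:
    """Feed every line of a log to a fresh monitor and return it."""
    mon = SwitchLogMonitor(**kw)
    for line in log_text.splitlines():
        mon.feed(line)
    return mon


if __name__ == "__main__":
    for alert in run().alerts:
        print(alert)
```

On the constructed log the monitor raises exactly two alerts: the third failed `admin` login inside five minutes triggers the lockout (the fourth is suppressed because the account is already locked), and the later configuration save is flagged. The two `eng` failures are 70 minutes apart, so they never reach the threshold, which is the reason for the sliding window rather than a lifetime counter.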

These switches also support IEEE 802.1X with RADIUS remote server authentication, which allows a centralized RADIUS server on the network to grant and revoke port and user authentication. Additional security features include password encryption, MAC-based port security, secure management protocols (HTTPS, SSH, SSL, and SNMPv3), configurable password lengths, multilevel user privileges, and the ability to disable unused protocols.

Red Lion’s N-Tron Series NT24k gigabit managed Industrial Ethernet switches are also designed for ease of use, security, and durability and available in a wide variety of port configurations. Key features include plug-and-play installation with IGMP auto-configuration, media/port auto-detection, RADIUS remote server authentication, and rugged enclosures with high resistance to shock and vibration and a wide operating temperature range.

Using Industrial Managed Ethernet Switches for More Robust Security

The increased adoption of IIoT technologies also increases IT and OT network complexity, and these bigger networks become bigger targets for cyberattacks. When connected equipment first entered industrial manufacturing environments, the focus was on rapid deployment — connecting machines and networks as quickly and easily as possible to start taking advantage of new efficiencies.

While this connectivity trend continues, adding more IIoT devices and bringing more legacy equipment online, manufacturers must also now focus on network security. In this context, replacing inexpensive unmanaged Ethernet switches with managed Ethernet switches is not only an essential part of a solid DiD security plan, but one that pays off long-term. Managed switches provide a layered security approach that grows more vital as more devices are connected to OT networks and offer features including VLAN-based network segregation, port mirroring, network redundancies with faster ring protocols, and advanced diagnostics for troubleshooting.

Again, our rugged NT5000 managed switches are a good example, offering advanced security, diagnostic tools and monitoring, and easy setup. Designed to keep industrial networks connected and protected, NT5000 switches have a configuration wizard and a graphical dashboard that offers a logical view of the switch — including active ports, errors, temperature, contact relay status, and color-coded gauges for port traffic — which makes it quick and easy for users to identify and address possible network disruptions in real-time and helps lower their total cost of ownership. The graphical dashboard also enables port and VLAN tag configuration, which makes complex VLAN configurations easy to achieve, and the switches come with preconfigured N-Ring ports for easy N-Ring Auto-Member functionality.

However, I do need to emphasize that adding managed switches alone will not make your industrial networks and systems secure. Managed switches give you more ways to implement layers of protection and ensure that your network aligns with your DiD strategy. Managed switches also make it quicker and easier to troubleshoot your network than unmanaged Ethernet switches, which require more manual labor. For example, with managed Industrial Ethernet switches, you can find the resolution in minutes rather than hours. So, although managed switches do have a higher initial cost, they also deliver dividends throughout their entire lifecycle, which ultimately results in a lower total cost of ownership.

Using Edge Connection Software to Better Contextualize Data

Many manufacturers still struggle to achieve the true digital transformation of IT/OT convergence. Data is only as good as your ability to use it, and while most industrial manufacturers have tons of operational data, many don’t know how to draw insights from their data sources and apply those insights across their enterprise.

Having access to relevant context for your OT data at the network edge or device level — such as time stamps and data sources or types — is key to having high data integrity that can be quickly analyzed and acted upon. To efficiently extract actionable information, the data needs to be in a flexible, interchangeable format that both OT and IT applications can read.

Achieving IT/OT integration allows manufacturers to connect, contextualize, and use data to improve efficiencies as the data is being generated in real-time. When industrial equipment data can be understood and acted upon in systems across the enterprise, such as in optimization programs, traceability records, analytics engines, and quality systems, manufacturers can improve their operational resiliency, supply chain agility, and sustainability.

Edge connection software and other new edge technologies can help make these connections and break down barriers between IT, OT, and other enterprise systems. Edge software collects, organizes, and contextualizes OT data to make it readable and usable by IT databases and applications. This opens up the flow of facility-level and enterprise-level data, makes it actionable, and so speeds up digital transformation.

Whether manufacturers are using an IT device with OT features or an OT device with IT features, their edge device should be able to:

  • Connect to built-in sensor networks that link to PLCs or controllers.
  • Connect directly to sensors or to brownfield devices, modern PLCs, industrial switches, and operator panels.
  • Configure alarms to alert users about out-of-bounds conditions.
  • Securely access data and assets over VPN.

Red Lion’s FlexEdge IIoT platform, which serves as a bridge between the OT and IT networks, is a good example of edge connection technology with these capabilities. Designed to serve as a networking router, protocol converter, advanced IIoT gateway, or scalable edge controller, our highly scalable, all-in-one FlexEdge platform makes it easy to connect network assets and improve productivity at the edge.

Red Lion’s FlexEdge Intelligent Edge Automation Platform combines secure networking features with powerful automation capabilities.
With the FlexEdge Intelligent Edge Automation Platform, you can add up to 10 hot-swappable I/O modules that provide high-density analog, discrete, PID, relay, and SSR options.

Like many industrial control products, the FlexEdge Intelligent Edge Automation Platform supports syslog and RADIUS; RADIUS provides authenticated, secure access to the network, while structured query language (SQL) synchronization pushes data to IT data servers. It also lets you add three communications sleds, with options including multi-radio cellular, Wi-Fi, Ethernet, serial, and USB connectivity, so you’re ready when future standards emerge.

In addition, the FlexEdge platform lets you connect your equipment’s protocols to modern open standards, like OPC UA, for enterprise visibility, and its protocol driver library unlocks data already available in existing equipment. You can also choose software functionality based on your application — such as networking gateways, protocol gateways, advanced IIoT gateways, or automation controllers with IEC 61131 capabilities — which is hugely beneficial since being able to add new capabilities via software alone means you don’t need to add or buy more equipment. So, the FlexEdge platform can also help you reduce costs and downtime when your application needs change.

But while I’m certainly partial to the FlexEdge, there are many edge devices that enable IT/OT integration and allow users to access valuable, long-term insights into factory floor operations that can be used to develop and implement proactive, predictive, and even prescriptive maintenance strategies.

The Critical Role of Standard Ethernet Solutions

Standard Ethernet solutions, including EtherNet/IP and PROFINET devices, also enable successful IT/OT integration by establishing a common set of management capabilities and diagnostic tools and reducing the differences between facilities’ OT networks and enterprise IT networks. This makes it easier for critical data to move between factory-floor OT networks and manufacturing enterprise systems, the broader enterprise IT network (such as enterprise resource planning, or ERP, systems), and cloud systems.

EtherNet/IP devices, which use standard IEEE 802.3 Ethernet technology and internet protocol suite standards, have an object-oriented design and use the Common Industrial Protocol (CIP) to support IT/OT convergence and make it easier for IT folks to work with OT. PROFINET standards and PROFINET-certified switches also provide a common bridge between IT and OT networks and, like EtherNet/IP devices, are key to connecting and securing both lower-level and upper-level networks. The interoperable environments these standard Ethernet technologies help create allow users to extract and use real-time data to consistently drive growth in dynamic business environments.

Just note that manufacturers employing both standard Ethernet solutions and a DiD strategy must include the EtherNet/IP device level and CIP Security in their plans to ensure comprehensive network protection.

Integrating and Safeguarding Your IT and OT Networks with Red Lion Controls and RS

Red Lion Controls is a leading global supplier of industrial data solutions that empower industrial organizations to unlock the value of their data. We have more than 50 years’ experience designing and developing innovative solutions that allow users to access, connect, visualize, and leverage their data in real-time, improve productivity, and reduce costs.

Our industrial managed Ethernet switches provide ease of use, support IT/OT integration, and satisfy IT/OT demands for secure, dependable communication with visibility into the data that drives productivity. They also offer best-in-class performance and are designed to operate flawlessly in harsh industrial environments like manufacturing facilities that produce everything from food and beverages to automobiles.

RS offers more than 2,000 Red Lion products, including managed Ethernet switches and other industrial data communications products, as well as PLCs, HMIs, industrial controls, sensors, power products, and wire and cable. RS also has a team of highly trained sales representatives, dedicated key account managers, and technical support staff that can help you select the best Red Lion solutions for your unique applications.

To learn more about our new N-Tron Series NT5000 gigabit managed Layer 2 Industrial Ethernet switches, which are now available at RS, check out this brochure. To learn more about Red Lion, please visit the Red Lion Controls storefront and our New Products page on the RS website, the Red Lion Controls video collection on the RS YouTube page, and the Red Lion website. For assistance identifying and deploying Red Lion’s industrial data solutions in your facility and using them to integrate your IT and OT networks, please contact your local RS representative at 1.866.433.5722 or reach out to the RS technical support team.