Ethernet hardware webcast questions and answers
The Control Engineering webcast, Ethernet Hardware, Nov. 12, is available for archived viewing, and the system integrator who provided advice on industrial Ethernet hardware answered additional questions from the audience, below. This webcast is a Control Engineering Registered Continuing Education Program (RCEP) accredited for 1 professional development hour (PDH).
Some of the questions raised during the Control Engineering webcast on Ethernet hardware were answered during the live question-and-answer session (available for viewing as part of the 1-hour webcast). Questions from Control Engineering registrants covered Ethernet network design, Ethernet switches, Ethernet protocols, network troubleshooting, network security, and Power over Ethernet-related topics. Kurt Forster, an industrial network expert with Autopro Automation Consultants Ltd., provided advice on Ethernet hardware for the webcast and, below, answered additional questions that didn't fit into the 1-hour webcast. Registrants to the Control Engineering RCEP-accredited webcast are eligible for a professional development hour (PDH) after viewing and passing a quiz. See the Ethernet Hardware webcast here.
Audience question: What is the recommended separation between industrial and IT networks?
Answer from Kurt Forster: There are many different ways to separate the industrial networks from the enterprise. These are the most common:
1. Full air gap is a total segregation between the two infrastructures with no possible connectivity or direct data transfer between the two.
2. On-command air gap. This is the same as No. 1; however, when asked to do so and permission is granted, a cable between the two infrastructures would be connected and enabled for an amount of time. This would then be disconnected once the session was finished.
3. Single firewall pass-through is when you have a firewall in between the two infrastructures, and a select set of clients are allowed through.
4. Single firewall and an automation demilitarized zone (DMZ). It's the same as No. 3, without a pass-through. All data ends in a DMZ zone. (Firewall and DMZ are owned and controlled by the integrated control systems - information systems (ICS-IS) team.)
5. Double firewall shared DMZ is where one firewall on the enterprise connects to an ICS switch. From that ICS switch the automation firewall also would connect into it. (The DMZ space would be shared between information technology/information systems (IT/IS) and ICS-IT. Most servers and computers would be dual-homed, or it would be a shared IP range.)
6. ICS-IS firewall to ICS/IS boundary router with a DMZ coming off of the firewall would run from the boundary firewall into an IT/IS firewall with a DMZ coming off of the firewall.
Recommendation: It depends on who administrates the infrastructures above. However, I feel that No. 6 is the best and recommended solution as there are clearly defined DMZs from both sides of the boundary router.
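The difference between option 3 (single firewall pass-through) and option 4 (single firewall with an automation DMZ) is a property you can check mechanically: in a DMZ design no rule may let an enterprise host reach a control-zone host directly, because every flow is supposed to terminate in the DMZ. The following is an added example, not code from the webcast or from Autopro; the zone subnets, host addresses, ports and the rule format are constructed for illustration and stand in for whatever the real firewall uses.

```python
"""Policy check for industrial/enterprise separation (added example).

Models a first-match, default-deny firewall and checks the property that
separates a "pass-through" design from a "DMZ-terminated" design: no
allow rule may carry traffic from the enterprise zone straight into the
control zone. All addresses, ports and zone names below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed zone plan (hypothetical subnets).
ZONES = {
    "enterprise": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "control": ip_network("192.168.100.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str            # source CIDR
    dst: str            # destination CIDR
    port: Optional[int] # TCP destination port, None = any port
    action: str         # "allow" or "deny"


def zone_of(addr: str) -> str:
    """Name the zone an address belongs to, or 'unknown'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """First matching rule wins; anything unmatched is denied."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action
    return "deny"


def direct_crossings(rules: List[Rule]) -> List[Rule]:
    """Return allow rules that could carry enterprise -> control traffic.

    'overlaps' rather than 'subnet_of' is used on purpose: a broad rule such
    as 10.0.0.0/8 -> 192.168.0.0/16 is not a subnet of either zone but would
    still permit a direct crossing, so it must be flagged too.
    """
    bad = []
    for r in rules:
        if r.action != "allow":
            continue
        src_net, dst_net = ip_network(r.src), ip_network(r.dst)
        if src_net.overlaps(ZONES["enterprise"]) and dst_net.overlaps(ZONES["control"]):
            bad.append(r)
    return bad


# Option 3: one engineering PC in the enterprise zone is allowed straight
# through to a PLC (Modbus/TCP, port 502). Constructed rule set.
PASS_THROUGH = [
    Rule("10.10.5.10/32", "192.168.100.20/32", 502, "allow"),
    Rule("10.10.0.0/16", "192.168.100.0/24", None, "deny"),
]

# Option 4: the enterprise only talks to a historian mirror in the DMZ; the
# control-side historian pushes data up to that mirror. Constructed rule set.
DMZ_TERMINATED = [
    Rule("10.10.0.0/16", "10.20.0.10/32", 443, "allow"),
    Rule("192.168.100.50/32", "10.20.0.10/32", 5432, "allow"),
    Rule("10.10.0.0/16", "192.168.100.0/24", None, "deny"),
]


def report(name: str, rules: List[Rule]) -> bool:
    """Print the check result; True means no direct enterprise->control path."""
    crossings = direct_crossings(rules)
    for r in crossings:
        print(f"{name}: direct crossing {zone_of(r.src.split('/')[0])} -> "
              f"{zone_of(r.dst.split('/')[0])} via {r.src} -> {r.dst}:{r.port}")
    print(f"{name}: {'OK' if not crossings else 'FAIL'}")
    return not crossings


if __name__ == "__main__":
    report("pass-through", PASS_THROUGH)
    report("dmz-terminated", DMZ_TERMINATED)
```

Running the check against the two constructed rule sets flags the single pass-through rule in option 3 and passes option 4. The same check extends to the double-firewall designs (options 5 and 6) by adding the second firewall's rules and a second DMZ zone to the table; the invariant stays the same.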
Question: What are the recommended ways of connecting industrial Ethernet to legacy networks?
Answer: This depends on what you call a legacy network and which legacy network is deployed. However, if we are talking about a token ring network or a control network, then normally you would have devices with the protocol network interface card (NIC), for Modbus, etc., in a PC and a second Ethernet NIC in the PC. This PC would normally be a historian, which would be able to push the data to the new historian or supervisory control and data acquisition (SCADA) server. This question is too broad to recommend one clear solution. However, if you build the new network as an ISA95 Purdue level and connect the legacy network via dual homing at ISA Level 2, then this would be the best solution without more details.
Q: When doing a SCADA system installation using an Ethernet-type network connection, are there differences in an intranet- or Internet-type installation and setup? What are the advantages or disadvantages of each?
A: An intranet installation would be done on a server over the internal network with the installation media actually in the server itself. Internet installation would be done between a computer on an intranet and a device at a remote location connecting to the network via the Internet through a firewall. This could also mean that the installation is done on a cloud server on the Internet.
I am going to presume that you are asking about an intranet installation and a cloud installation. The advantage of an intranet installation is that you are responsible for the hardware and applications being installed on the hardware. You are also responsible for the security and the patching levels of the devices. This may not sound like an advantage, but some applications are not designed to be installed on virtual or hardware that is not supported. Certain drivers are required to allow alarming with network failures. These drivers may not work on cloud servers.
The benefit of using cloud servers for applications that can run on the cloud is that you never need to worry about hardware upgrades, and if done correctly in a "high availability" or "fault tolerant" mode, you should never lose connection to the servers.
Q: What are the advantages of using SCADA systems, and what is the best type of physical hardware to use for maximum redundancy (minimizes downtime) in the event of power interruption or natural disaster?
A: The advantages of using SCADA can be found around the Internet, but in short, in most systems, it allows the monitoring, control-system administration, data collection, and historization to be done from a central location. When this is done from two separated locations in a fault-tolerant and high-availability design, a disaster could happen and could be controlled from a separate building (sometimes called a war room or standby control room) while the main control building is being evacuated.
Q: Besides security, what other advantages does Ethernet provide over intranet-type hardware?
A: Intranet is just a term for a type of network architecture and whether it crosses communication boundaries between business zones, such as intranet, extranet, and Internet. Ethernet devices are used in all of these designs.
Q: What are the advantages and advancements, current and future, that we should know about in the Ethernet hardware?
A: Ethernet hardware runs all infrastructures from remote and local closed networks to cloud systems, so it is important to understand the different types of Ethernet devices for the business zones in which you will work, such as enterprise, manufacturing, production, control, and automation. There are devices like switches that are used in all of the zones mentioned, but know which switch to use for its zone application is important. Because the industrial sector is normally 10 years behind the IT/IS sector, Ethernet devices that have trended and proven to be successful over the past 10 years slowly are getting introduced into new designs being deployed today. Often systems designed and applied in the industrial market are done in 15-year lifecycles. The technology must be proven, reliable, and maintainable for this period.