Managing industrial Ethernet switches

While traditional industrial networks are adopting Ethernet switches to prepare for Industrial Internet of Things (IIoT) applications, there is still a place for unmanaged switches, though they come with some risks.

By Suzanne Gill May 4, 2019

Making traditional industrial networks ready for Industrial Internet of Things (IIoT) applications with managed industrial Ethernet switches is key for a lot of companies. However, is there a place for unmanaged switches in the IIoT, and how smart or manageable do networking devices need to be?

It is first important to understand the network’s requirements and applications. Ivana Nikic, product marketing engineer, industrial Ethernet at Moxa, said there are some advantages, but also some dangers, to using an unmanaged switch.

Nikic explained industrial unmanaged switches are cost-effective, durable in harsh environments, and can be used to connect a number of devices to the network. They come with the advantage of being plug-and-play devices, so no network expert is needed for configuration and implementation. They also act as transparent devices for most industrial protocols, which eliminates the question of compatibility. Additionally, they usually have a smaller form factor, which makes them easy to install in control cabinets.

“However, the biggest disadvantage of an unmanaged switch is its lack of ability to pass on information via communication. If a communication failure occurs on the unmanaged switch it could go unnoticed,” Nikic said. “Because of the resulting production downtime this will add a higher cost to the overall equipment effectiveness.”

Nikic suggests choosing a managed switch that can be integrated and checked easily by a network monitoring system, supervisory control and data acquisition (SCADA) system, human-machine interface (HMI) or controller portal. Another issue to look out for relates to the use of unmanaged switches with industrial protocols such as Profinet, EtherNet/IP and Modbus TCP, which are based on Ethernet communication and used in applications that require networks with fast response times and low jitter.

“The more devices you add to your network through unmanaged switches, the more you are slowing it down, causing jitter and high response times,” Nikic said. “Managed switches come with a rainbow of capabilities to make the network more reliable. To name some of the basic ones: management and prioritization of different types of network traffic data, support of redundancy protocols, and support of network management protocols like simple network management protocol (SNMP).”

Another important consideration is the issue of security. “There are many ways to protect even the most vulnerable devices by positioning them correctly in the network and protecting them with the secure devices from the upper levels of the network. While unmanaged switches come with no security, managed switches can come with support for different levels of security, from basic functions like user login authentication, to more advanced ones like client/server-based access control and data encryption.”

Nikic believes unmanaged switches are only suitable for connecting small numbers of devices with basic connectivity in applications where no special requirements for the network communication are needed — like monitoring, redundancy, high response times or industrial protocol support. In the long term it could be more expensive to use unmanaged switches than to invest in a managed switch.

Increasing network demands

Data communication networks are getting larger and more complex and the demands placed on them also are increasing. Users require greater reliability, faster speeds and enhanced security features to ensure higher availability and protection against growing cybersecurity threats.

A chemical processing plant, for example, will require hundreds of networking points for programmable logic controllers (PLCs), valves and sensors.

“Using unmanaged devices for such applications would reduce capital expenditures (CAPEX), but the network lifecycle cost would ultimately be higher due to the lack of visibility of the overall network and increased time to locate and resolve issues,” said Ray Lock, technical director at Westermo.

From a cybersecurity standpoint, Lock believes even layer 2 managed switches create a point of weakness for a network.

“A network based on unmanaged devices would effectively be an open door to unwelcome actors attempting to penetrate it,” he said. “It is entirely possible and advisable to install perimeter firewalls at each zone where they connect to the next layer of the network. However, an actor could remain undetected at the edge of the network for a considerable amount of time. Installing separate cybersecurity devices at the edge of the network defeats the cost argument and still does not address the need for network management. Also, increasing the number of devices implemented decreases overall network reliability.”

According to Lock, today’s managed Ethernet switches meet these challenges and play an essential role in providing robust networks capable of supporting essential and critical systems.

“Managed switches offer port security, with the ability to disable ports and prevent unauthorized access,” Lock said. “More sophisticated mechanisms, such as MAC filtering and IEEE 802.1x port authentication, can secure open ports. SNMP traps can indicate when a port comes up or a user fails to authenticate correctly. Segmenting using VLANs further supports improved network security as a firewall can be introduced close to the edge of the network. Managed switches also provide monitoring tools to determine the health of the network. The ability to monitor the interconnecting media or port errors can point to where early intervention will reduce the number of breakdowns at crucial times.”
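The notifications Lock describes (a port coming up, a failed 802.1X authentication, a port-security violation) are only useful if something on the plant network actually acts on them. The following is an added example, not code from the article or from any switch vendor, showing the kind of triage a SCADA or network monitoring system could apply to those events. The event names (linkUp, linkDown, dot1xAuthFail, portSecurityViolation), the syslog-like line format and the sample lines are all constructed for the example; real switches emit SNMP traps or syslog messages in their own vendor-specific form, so the parser would need adapting. The rules flag a link on a port that is not in the expected inventory, repeated authentication failures on one port, any port-security violation, and a link that flaps (down then up within a short window), which is the media-health signal the quote mentions.

```python
"""Triage of managed-switch notifications (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample notifications in a syslog-like shape (not real trap captures).
SAMPLE_LOG = """\
2019-05-04T08:00:01 sw-cabinet-3 linkDown ifIndex=7 ifDescr=Port7
2019-05-04T08:00:09 sw-cabinet-3 linkUp ifIndex=7 ifDescr=Port7
2019-05-04T08:01:30 sw-cabinet-3 dot1xAuthFail ifIndex=12 mac=00:11:22:33:44:55
2019-05-04T08:01:45 sw-cabinet-3 dot1xAuthFail ifIndex=12 mac=00:11:22:33:44:55
2019-05-04T08:02:00 sw-cabinet-3 dot1xAuthFail ifIndex=12 mac=00:11:22:33:44:55
2019-05-04T08:05:00 sw-cabinet-1 portSecurityViolation ifIndex=3 mac=aa:bb:cc:dd:ee:ff
2019-05-04T08:07:12 sw-cabinet-3 linkUp ifIndex=20 ifDescr=Port20
"""

# Constructed inventory: which ports on each switch are expected to carry a link.
EXPECTED_PORTS = {"sw-cabinet-3": {7, 12}, "sw-cabinet-1": {3}}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<switch>\S+)\s+(?P<event>\w+)\s*(?P<rest>.*)$")


def parse_line(line):
    """Parse one constructed notification line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "switch": m.group("switch"),
        "event": m.group("event"),
        "port": int(fields["ifIndex"]) if "ifIndex" in fields else None,
        "mac": fields.get("mac"),
    }


def triage(log_text, expected_ports, auth_fail_threshold=3, flap_window_s=30):
    """Return a list of (kind, switch, port, mac) alerts in the order they fire."""
    alerts = []
    auth_failures = defaultdict(int)   # (switch, port) -> consecutive failures seen
    last_down = {}                     # (switch, port) -> timestamp of last linkDown
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["switch"], ev["port"])
        if ev["event"] == "linkDown":
            last_down[key] = ev["ts"]
        elif ev["event"] == "linkUp":
            # A link on a port nobody expects to be cabled is worth a look.
            if ev["port"] not in expected_ports.get(ev["switch"], set()):
                alerts.append(("unexpected-link", ev["switch"], ev["port"], None))
            # Down-then-up inside the window points at a media or connector problem.
            down = last_down.get(key)
            if down is not None and (ev["ts"] - down).total_seconds() <= flap_window_s:
                alerts.append(("link-flap", ev["switch"], ev["port"], None))
        elif ev["event"] == "dot1xAuthFail":
            auth_failures[key] += 1
            if auth_failures[key] == auth_fail_threshold:
                alerts.append(("auth-failures", ev["switch"], ev["port"], ev["mac"]))
        elif ev["event"] == "portSecurityViolation":
            # Port security already blocked the frame; the operator still wants to know.
            alerts.append(("port-security-violation", ev["switch"], ev["port"], ev["mac"]))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG, EXPECTED_PORTS):
        print(alert)
```

Running the script prints four alerts for the constructed sample: a flap on port 7, three authentication failures on port 12, the port-security violation on sw-cabinet-1, and an unexpected link on port 20. The expected-port inventory is the part that carries the real value: an unmanaged switch has no equivalent of it, because it reports nothing at all.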

Lock agreed unmanaged devices do still have a place in very simple system installations such as a standalone machine that needs a switch to connect the internal devices together.

“There is an argument that ‘my network is not connected to the Internet,’ but security by obscurity is no longer a suitable defense,” Lock said. “You may have a totally isolated network, but if an actor penetrates the physical security or the actor is located internally, then the network is wide open to abuse or attack. In short, if you want a resilient and reliable network, to control and manage and report on the status of the network, then managed devices are essential. If you don’t need those elements, then unmanaged switches might just about meet your requirements.”

Three switch questions to ask

Although tool assistance and better web interfaces have increased the accessibility and ease of use of managed switches in recent years, the constantly increasing feature set and complexity in managed switches has, at the same time, negated this improvement for some users.

Oliver Kleineberg, global CTO of core networking business within Belden’s Industrial IT platform, suggests users should ask three questions to decide whether to use managed or unmanaged devices:

  1. Do I need network media fault-tolerance? Only managed switches support the protocols — such as media redundancy protocol (MRP) or rapid spanning tree protocol (RSTP) — to enable media fault tolerance, which protects the network against cable or device failures.
  2. Do I need network diagnostic functions? Managed switches support diagnostic functions beyond physical link and link activity detection. To a certain degree, this question is connected to the complexity of the network. A small network with only a few devices might not require the diagnostic functions of a managed switch. However, larger networks may benefit from the diagnostic and monitoring capabilities managed switches provide. This is especially true if the managed switches are combined with network management technologies that can monitor the entire network.
  3. What level of cybersecurity do I need? Some unmanaged switches can provide baseline security functions, such as deactivating unused physical ports through a local USB configuration. For some applications, this is sufficient. Modern managed switches offer a wide range of cybersecurity features, such as firewalling/filtering functions or network access control. If a company plans on implementing networks with a defense-in-depth approach in mind — as recommended for mission-critical networks in standards like IEC 62443 — managed switches will be needed.
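Question 3 turns on two things a managed switch lets you verify from a central place: that unused physical ports are actually deactivated, and that the ports in use have some form of network access control. As an added example (not from the article, Belden or any vendor), the script below audits a port inventory against a simple policy. The `Port` record, the field names, the 30-day "unused" threshold and the sample rows are all constructed for illustration; in practice the rows would come from the switches' management interface or SNMP, and the thresholds from the site's own policy. Treating a port on the default VLAN as a finding is a common hardening convention, assumed here rather than taken from the article.

```python
"""Port-configuration audit for managed switches (added example, constructed data)."""
from dataclasses import dataclass

# Constructed policy threshold: an enabled port with no link for this long
# is assumed to be unused and should be administratively disabled.
UNUSED_DAYS = 30


@dataclass
class Port:
    switch: str
    name: str
    admin_enabled: bool   # administratively enabled on the switch
    link_up: bool         # currently carries a link
    days_since_link: int  # days since the port last had a link (0 if up now)
    dot1x: bool           # IEEE 802.1X port authentication enabled
    mac_filter: bool      # MAC filtering / port security enabled
    vlan: int             # access VLAN assigned to the port


def audit_ports(ports, unused_days=UNUSED_DAYS):
    """Return (switch, port, finding) tuples for every policy deviation found."""
    findings = []
    for p in ports:
        if not p.admin_enabled:
            continue  # a disabled port needs no further checks
        if not p.link_up and p.days_since_link >= unused_days:
            findings.append((p.switch, p.name, "unused-port-enabled"))
        if not (p.dot1x or p.mac_filter):
            findings.append((p.switch, p.name, "no-access-control"))
        if p.vlan == 1:
            findings.append((p.switch, p.name, "default-vlan"))
    return findings


def summarize(findings):
    """Count findings per category so a large inventory is easy to read at a glance."""
    counts = {}
    for _, _, kind in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed inventory for one cabinet switch.
SAMPLE_PORTS = [
    Port("sw-cabinet-2", "Port1", True, True, 0, True, False, 10),    # compliant
    Port("sw-cabinet-2", "Port2", True, False, 45, False, False, 10), # forgotten spare port
    Port("sw-cabinet-2", "Port3", False, False, 200, False, False, 1),# correctly disabled
    Port("sw-cabinet-2", "Port4", True, True, 0, False, True, 1),     # left on default VLAN
    Port("sw-cabinet-2", "Port5", True, False, 2, False, False, 20),  # machine off since Friday
]


if __name__ == "__main__":
    for finding in audit_ports(SAMPLE_PORTS):
        print(finding)
    print(summarize(audit_ports(SAMPLE_PORTS)))
```

On the sample inventory the audit reports four findings: Port2 is both an enabled-but-unused port and one without access control, Port4 sits on the default VLAN, and Port5 has no access control but is not flagged as unused because it lost its link only two days ago. The same audit cannot be run against an unmanaged switch at all, which is the practical difference behind question 3.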

Suzanne Gill is editor, Control Engineering Europe. This article originally appeared on the Control Engineering Europe website. Edited by Chris Vavra, production editor, Control Engineering, CFE Media.

KEYWORDS: Ethernet, managed switch, unmanaged switch

Managed Ethernet switches are more beneficial in the long run than unmanaged switches.

Managed switches provide additional security, networking and communication options for users.

Unmanaged switches are useful and suitable for applications where no special requirements for the network are needed.


What is your biggest consideration when choosing between a managed or unmanaged industrial Ethernet switch?

Author Bio: Suzanne Gill is editor, Control Engineering Europe.