How to implement secure, time-sensitive networking for IIoT using managed Ethernet switches



Posted Date: 2024-02-04

Author: Jeff Shepard

The Industrial Internet of Things (IIoT) requires secure, real-time, and high-bandwidth connectivity for a variety of devices. IIoT networks in Industry 4.0 automation, water management, oil and gas processing, transportation, utility power management, and similar critical applications also require an efficient and flexible way to power devices, and a high-port-density connectivity solution that supports a large number of devices in the smallest possible space. Next-generation managed Ethernet switches can meet these needs and more.

Managed Ethernet switches can be configured and controlled remotely, simplifying network deployment and updates. They enable various network architectures such as star and line topologies with redundant operation, including compliance with IEC 62439-1 for high-availability automation networks. They support the IEEE 802.1 Time Sensitive Networking (TSN) standard as well as the IEEE 802.3 Power over Ethernet (PoE) and PoE+ standards.

The switches are certified under the ISASecure program for use in turnkey automation and control systems based on the International Society of Automation/International Electrotechnical Commission (ISA/IEC) 62443 series of standards. They can be configured to combine 10/100BASE-TX RJ45 ports for copper links with three-speed optical small form-factor pluggable (SFP) slots that can be set to 100 Mb/s, 1 Gb/s or 2.5 Gb/s.

This article first briefly introduces the transition from the automation pyramid of Industry 3.0 to the automation pillar of Industry 4.0, reviews several options for deploying networks that carry both time-critical and non-critical traffic, and explores how to incorporate and implement TSN. It then explores how PoE and PoE+ can simplify powering sensors, controls, and other devices on the IIoT, and introduces the importance of security, including ISASecure certification and advanced security features such as wire-speed access control lists (ACLs) and automatic denial of service (DoS) protection. Finally, the benefits of using managed Ethernet switches are explained, and several typical BOBCAT managed switches from Hirschmann are introduced.

From pyramid to pillar

The transformation from the pyramid factory architecture of Industry 3.0 to the pillar architecture of Industry 4.0 is the driving force for the development of TSN. The pyramid divides the functions of the factory into different levels from the shop floor to central control and management functions. Real-time communications primarily need to occur at the lowest levels of the factory floor, as sensor data controls production processes. Industry 4.0 changes this situation.

The automation pillar of Industry 4.0 reduces the levels from four to two: the field level and the factory backbone level. The field level includes an increasing number of sensors and an increasingly rich set of controllers. Some controllers are moving from the control pyramid/programmable logic controller (PLC) level down to the field level. At the same time, other functions formerly relegated to the control/PLC layer are moving to the factory backbone, joining manufacturing execution systems (MES), supervisory control and data acquisition (SCADA) functions, and enterprise resource planning (ERP) to form virtual PLCs.

The connectivity layer ties the field layer and the backbone layer together. Connectivity-layer and field-layer networks must provide high-speed, low-latency communications and be able to carry both low-priority and time-critical traffic. TSN meets this requirement by enabling real-time deterministic networking (DetNet) traffic over standard Ethernet networks (Figure 1).

Figure 1: Transition from the automation pyramid to the automation pillar, with TSN-capable connectivity links. (Image: Belden)

Three TSN configurations

The IEEE 802.1 Ethernet standard specifies three configurations of TSN: centralized, decentralized (also called fully distributed), and a hybrid configuration with a centralized network and decentralized users. In each case, configuration is highly automated to simplify TSN deployment, starting with identifying the TSN features supported in the network and then activating the required features. At that point, the talker devices can announce the data streams they intend to transmit. The three methods differ in how they handle the device and data flow requirements in the network.

In a centralized configuration, talkers and listeners communicate through the Centralized User Configuration (CUC) logical device. The CUC creates data flow requirements based on the talker and listener information and sends them to a Centralized Network Configuration (CNC) device. The CNC determines the time slots for each data flow based on factors such as network topology and resource availability, and sends the required configuration information to the switches (Figure 2).

Figure 2: A centralized TSN architecture uses the CUC to connect talkers and listeners and the CNC to send configuration information to the switches. (Image credit: Belden)

In a decentralized configuration, the CUC and CNC are eliminated, and device requirements are propagated through the network based on information within each device. In a hybrid configuration, the CNC is still used for the TSN configuration, but the talkers and listeners share their requirements directly over the network (Figure 3). Both the centralized and hybrid approaches therefore configure the (managed) network switches centrally.

Figure 3: Examples of decentralized (top) and hybrid (bottom) TSN configurations. (Image credit: Belden)
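To make the CNC's job in the centralized and hybrid configurations concrete, the following is an added example (not code from the article, Belden or Hirschmann, and not an IEEE 802.1 reference algorithm): a deliberately simplified scheduler that takes the talkers' stream requirements the CUC would collect (period and maximum frame size, constructed values here) and assigns each stream non-overlapping transmit windows on one 1 Gb/s egress port over one hyperperiod. The link rate, the 20-byte preamble/inter-frame-gap overhead and the shortest-period-first placement order are assumptions made for the illustration.

```python
from dataclasses import dataclass
from math import lcm

# Constructed example: a simplified CNC-style scheduler, not Hirschmann's or
# any IEEE 802.1 reference implementation. All times are integer nanoseconds.
LINK_BPS = 1_000_000_000  # 1 Gb/s egress port (assumption)


@dataclass(frozen=True)
class Stream:
    """A talker's request as the CUC would forward it to the CNC."""
    name: str
    period_ns: int     # how often one frame of the stream is sent
    frame_bytes: int   # largest Ethernet frame the stream will carry


def frame_time_ns(frame_bytes: int, link_bps: int = LINK_BPS) -> int:
    """Wire time of one frame, including 8 bytes preamble/SFD and 12 bytes IFG."""
    return (frame_bytes + 20) * 8 * 1_000_000_000 // link_bps


def schedule(streams, link_bps=LINK_BPS):
    """Assign each periodic stream non-overlapping transmit windows on one port.

    Returns (cycle_ns, windows) where windows is a list of (name, start, end)
    sorted by start time and covering one hyperperiod (the LCM of all periods).
    Raises ValueError when a frame cannot be placed before the stream's next
    release, i.e. the talker requirements exceed what the link can guarantee.
    """
    cycle = lcm(*(s.period_ns for s in streams))
    busy = []       # already-assigned (start, end) windows, kept non-overlapping
    windows = []
    # Shortest period first: the tightest deadlines get first choice of the cycle.
    for s in sorted(streams, key=lambda s: s.period_ns):
        dur = frame_time_ns(s.frame_bytes, link_bps)
        for k in range(cycle // s.period_ns):
            release = k * s.period_ns
            deadline = release + s.period_ns
            start = release
            # Slide forward past every assigned window that overlaps the candidate.
            for b_start, b_end in sorted(busy):
                if start < b_end and start + dur > b_start:
                    start = b_end
            if start + dur > deadline:
                raise ValueError(f"{s.name} instance {k} cannot meet its period")
            busy.append((start, start + dur))
            windows.append((s.name, start, start + dur))
    windows.sort(key=lambda w: w[1])
    return cycle, windows


if __name__ == "__main__":
    # Constructed talker requests: a 250 us control loop, a 500 us vision stream
    # carrying full-size frames, and a 1 ms diagnostics stream.
    demo = [Stream("vision", 500_000, 1500),
            Stream("control", 250_000, 100),
            Stream("diag", 1_000_000, 200)]
    cycle, windows = schedule(demo)
    print(f"cycle {cycle} ns")
    for name, start, end in windows:
        print(f"  {name:8s} {start:>8d} - {end:>8d} ns")
```

The resulting window list is the kind of information the CNC pushes to each switch; the ValueError path is the case the CNC must report back to the CUC when a talker asks for more than the link can guarantee.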

PoE and PoE+

In the automation pillar of Industry 4.0, Power over Ethernet (PoE) is a powerful complement to TSN. One of the driving forces of Industry 4.0 is the IIoT, which consists of many sensors, actuators and controllers. PoE was developed to address the challenge of powering IIoT devices throughout a factory or other facility.

PoE supports simultaneous transmission of high-speed data (including TSN) and power over a single network cable. For example, using PoE technology, 48V DC power can be transmitted over CAT 5/5e cable up to 100 meters. In addition to simplifying network installation, PoE simplifies the implementation of uninterruptible and redundant power supplies, improving the reliability of industrial processes and equipment.

PoE uses two types of equipment: Power Sourcing Equipment (PSE), which injects power into the network, and Powered Devices (PDs), which extract and use the power. There are two types of PoE. Basic PoE can provide up to 15.4 W of power to a PD. PoE+ is a more recent development and can provide up to 30 W of power to a PD.

Cybersecurity

ISA and IEC have developed a series of standards for industrial automation and control systems (IACS). The ISA/IEC 62443 series consists of four parts. Part 4 applies to equipment suppliers. IEC 62443-4-2 certified devices are independently evaluated, secure by design, and incorporate best practices for cybersecurity. Two important tools for IACS security are access control lists (ACLs) and denial of service (DoS) attack protection. In both cases, there are several approaches that network engineers can take.

ACLs are used to allow or deny traffic entering or leaving a network interface. One benefit of using ACLs is that they operate at wire speed without affecting data throughput, which is an important consideration in TSN implementations. Hirschmann's HiOS divides ACLs into three categories:

A basic ACL for TCP/IP traffic has minimal configuration options and can only set permission rules, such as "Device A can only communicate with this group of devices", "Device A can only send specific types of information to device B", or "Device A cannot communicate with device B". Using basic ACLs can simplify and speed up deployment.

Advanced ACLs for TCP/IP traffic provide more granular control in addition to the above configuration options. Traffic can be allowed or denied based on its priority, flags set in headers, and other criteria. Some rules only apply at certain times of the day. Traffic can be mirrored to another port for monitoring or analysis. Specific types of traffic can be forced to specified ports regardless of their original destination.

Some IACS devices do not use TCP/IP, and HiOS also allows ACLs to be set at the Ethernet frame level based on media access control (MAC) addressing. These MAC-level ACLs filter based on a range of criteria, including traffic type, time of day, source or destination MAC address, and more (Figure 4).

Figure 4: MAC-level ACLs can be used on devices that do not use TCP/IP. (Image credit: Belden)
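The three ACL categories above share one evaluation model: rules are checked in order, the first match decides, and anything no rule permits is dropped. The following added example (not article, Belden or Hirschmann code, and not HiOS configuration syntax) implements that model and loads it with rules of all three kinds, using constructed addresses, port numbers and a 06:00 to 22:00 time window that are assumptions for the illustration: the three basic rules quoted in the text, two advanced rules (a priority check that applies only during the shift, and mirroring of ICMP to an analysis port), and a MAC-level rule that forces a non-IP field device's frames to one port.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example of first-match ACL evaluation. The rule model, field
# names, addresses and ports are assumptions for this illustration and are
# not HiOS syntax.


@dataclass
class Frame:
    """What the switch can see of a frame; IP fields are None for non-IP traffic."""
    src_mac: str
    dst_mac: str
    ethertype: str = "ipv4"         # "ipv4" or a non-IP type such as "profinet"
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[str] = None     # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    priority: int = 0               # IEEE 802.1p PCP value, 0..7
    hour: int = 12                  # hour of day at which the frame arrives, 0..23


@dataclass
class Rule:
    action: str                          # "permit" or "deny"
    match: dict                          # frame field -> value, set of values, or predicate
    hours: Optional[range] = None        # rule is only in force during these hours
    mirror_port: Optional[int] = None    # copy matching frames to this port
    redirect_port: Optional[int] = None  # force matching frames out of this port

    def matches(self, f: Frame) -> bool:
        if self.hours is not None and f.hour not in self.hours:
            return False
        for field_name, want in self.match.items():
            have = getattr(f, field_name)
            if callable(want):
                if not want(have):
                    return False
            elif isinstance(want, (set, frozenset)):
                if have not in want:
                    return False
            elif have != want:
                return False
        return True


def evaluate(acl: list, f: Frame) -> tuple:
    """First matching rule wins; a frame that matches no rule is denied.

    Returns (action, mirror_port, redirect_port).
    """
    for rule in acl:
        if rule.matches(f):
            return rule.action, rule.mirror_port, rule.redirect_port
    return "deny", None, None


# Constructed addresses for the illustration.
DEVICE_A, DEVICE_B, DEVICE_C = "10.0.0.10", "10.0.0.30", "10.0.0.40"
GROUP = {"10.0.0.20", "10.0.0.21"}
IO_MAC = "02:00:00:00:00:11"   # locally administered MAC of a non-IP field device

ACL = [
    # Basic rule: "Device A cannot communicate with device C".
    Rule("deny", {"src_ip": DEVICE_A, "dst_ip": DEVICE_C}),
    # Advanced rule: during the 06:00-22:00 shift only priority >= 4 traffic may reach B.
    Rule("deny", {"dst_ip": DEVICE_B, "priority": lambda p: p < 4}, hours=range(6, 22)),
    # Basic rule: "Device A can only send Modbus/TCP (port 502) to device B".
    Rule("permit", {"src_ip": DEVICE_A, "dst_ip": DEVICE_B, "proto": "tcp", "dst_port": 502}),
    # Basic rule: "Device A can only communicate with this group of devices".
    Rule("permit", {"src_ip": DEVICE_A, "dst_ip": GROUP}),
    # Advanced rule: allow ICMP, but mirror a copy to analysis port 24.
    Rule("permit", {"proto": "icmp"}, mirror_port=24),
    # MAC-level rule: non-IP PROFINET frames from the I/O device leave via port 1 only.
    Rule("permit", {"ethertype": "profinet", "src_mac": IO_MAC}, redirect_port=1),
]
```

Note that the "only" in each basic rule is not expressed by the rule itself but by the implicit deny at the end of the list, which is why the order of the entries and the absence of a catch-all permit matter as much as the individual rules.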

Although ACLs must be configured, DoS protection is usually built into the device and applied automatically. It covers attacks carried over TCP/IP, conventional TCP/UDP, and the Internet Control Message Protocol (ICMP). For TCP/IP and TCP/UDP, DoS attacks take various forms that target the protocol stack, such as sending malformed packets to the targeted device, or sending it packets whose source address is its own IP address, which can trap it in an endless loop of replies. Ethernet switches protect themselves and legacy devices on the network by automatically filtering such malicious packets.

Another common DoS attack comes from ICMP pings. The purpose of ping is to determine the availability and response time of devices across the network, but it can also be used for DoS attacks. For example, an attacker could send a ping with a payload large enough to cause the receiving device's buffer to overflow, crashing the protocol stack. Today's managed Ethernet switches automatically protect against ICMP-based DoS attacks.
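The two paragraphs above describe three things a switch's automatic protection screens for: self-addressed packets, malformed packets, and oversized ICMP echo requests. The following added example (not article, Belden or Hirschmann code) is a stateless classifier that applies those checks to a constructed batch of datagrams and reports what it forwards and why it drops the rest. The 1472-byte echo payload limit, the two TCP flag-combination checks and the reason strings are assumptions made for the illustration; the 65535-byte maximum datagram size is from RFC 791.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example of the stateless sanity checks an automatic DoS
# protection might apply. Thresholds and reason strings are assumptions for
# this illustration, not Hirschmann's implementation.

MAX_IP_DATAGRAM = 65_535   # largest IPv4 datagram after reassembly (RFC 791)
MAX_ECHO_PAYLOAD = 1_472   # policy limit: an echo payload that fits one 1500-byte MTU frame

SELF_ADDRESSED = "source address equals destination address"
MALFORMED_HEADER = "IP total length below minimum header size"
TCP_NULL = "TCP segment with no flags set"
TCP_SYN_FIN = "TCP segment with SYN and FIN both set"
ECHO_TOO_LARGE = "ICMP echo payload exceeds policy limit"
FRAG_OVERFLOW = "fragment would reassemble beyond the maximum IP datagram size"


@dataclass
class Datagram:
    src_ip: str
    dst_ip: str
    proto: str                          # "tcp", "udp" or "icmp"
    total_len: int                      # IPv4 total length field, in bytes
    frag_offset: int = 0                # fragment offset, in bytes
    tcp_flags: frozenset = frozenset()  # e.g. frozenset({"SYN"})
    icmp_type: Optional[int] = None     # 8 = echo request
    payload_len: int = 0                # bytes after the transport/ICMP header


def dos_check(d: Datagram) -> Optional[str]:
    """Return why a datagram is dropped, or None if it may be forwarded."""
    if d.src_ip == d.dst_ip:
        return SELF_ADDRESSED
    if d.total_len < 20:
        return MALFORMED_HEADER
    if d.frag_offset + d.total_len > MAX_IP_DATAGRAM:
        return FRAG_OVERFLOW
    if d.proto == "tcp":
        if not d.tcp_flags:
            return TCP_NULL
        if {"SYN", "FIN"} <= d.tcp_flags:
            return TCP_SYN_FIN
    if d.proto == "icmp" and d.icmp_type == 8 and d.payload_len > MAX_ECHO_PAYLOAD:
        return ECHO_TOO_LARGE
    return None


def filter_traffic(datagrams):
    """Split a batch into forwarded datagrams and a per-reason drop count."""
    forwarded, drops = [], {}
    for d in datagrams:
        reason = dos_check(d)
        if reason is None:
            forwarded.append(d)
        else:
            drops[reason] = drops.get(reason, 0) + 1
    return forwarded, drops


# Constructed sample traffic as a switch port might see it.
SAMPLE = [
    Datagram("10.0.0.5", "10.0.0.9", "icmp", 84, icmp_type=8, payload_len=56),      # normal ping
    Datagram("10.0.0.5", "10.0.0.9", "tcp", 60, tcp_flags=frozenset({"SYN"})),       # normal SYN
    Datagram("10.0.0.9", "10.0.0.9", "tcp", 60, tcp_flags=frozenset({"SYN"})),       # self-addressed
    Datagram("10.0.0.7", "10.0.0.9", "tcp", 40),                                     # no flags
    Datagram("10.0.0.7", "10.0.0.9", "tcp", 40, tcp_flags=frozenset({"SYN", "FIN"})),
    Datagram("10.0.0.7", "10.0.0.9", "icmp", 1508, icmp_type=8, payload_len=1480),   # over policy
    Datagram("10.0.0.7", "10.0.0.9", "icmp", 40, frag_offset=65_520, icmp_type=8),   # reassembles > 64 KiB
    Datagram("10.0.0.7", "10.0.0.9", "udp", 8),                                      # truncated header
]

if __name__ == "__main__":
    ok, dropped = filter_traffic(SAMPLE)
    print(f"forwarded {len(ok)} of {len(SAMPLE)}")
    for reason, n in dropped.items():
        print(f"  dropped {n}: {reason}")
```

Because every check looks only at the datagram in hand, the filter needs no per-flow state and can run at wire speed alongside the ACLs; the per-reason drop counters are what an operator would watch to spot a device on the segment that has started emitting such traffic.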

Managed switch

Hirschmann's BOBCAT managed Ethernet switches support TSN and can expand bandwidth without replacing the switch by scaling the SFP ports from 1 Gb/s to 2.5 Gb/s. They offer high port density, with up to 24 ports on a single device, and a choice of SFP or copper uplink ports (Figure 5). Other features include:

・ISASecure CSA / IEC 62443-4-2 certification, including ACL and automatic DoS protection
・8 PoE/PoE+ ports support up to 240 W without load sharing
・Standard ambient operating temperature range of 0°C to +60°C; extended temperature models have an operating temperature range of -40°C to +70°C
・Models certified for use in hazardous locations according to ISA 12.12.01

Figure 5: BOBCAT managed Ethernet switches are available in a variety of configurations. (Image credit: Hirschmann)

Examples of Hirschmann BOBCAT switches include:

・ BRS20-4TX is equipped with four 10/100BASE-TX RJ45 ports and is rated for an ambient temperature of 0°C to +60°C
・ BRS20-4TX/2FX is equipped with four 10/100BASE-TX RJ45 ports and two 100 Mb/s fiber optic ports, and is rated for an ambient temperature of 0°C to +60°C
・ BRS20-4TX/2SFP-EEC-HL is equipped with four 10/100BASE-TX RJ45 ports and two 100 Mb/s fiber optic ports, is rated for an ambient temperature of -40°C to +70°C, and is certified for hazardous locations according to ISA 12.12.01
・ BRS20-4TX/2SFP-HL is equipped with four 10/100BASE-TX RJ45 ports and two 100 Mb/s fiber optic ports, is rated for an ambient temperature of 0°C to +60°C, and is certified for hazardous locations according to ISA 12.12.01
・ BRS30-12TX is equipped with eight 10/100BASE-TX RJ45 ports and four 100 Mb/s fiber optic ports, and is rated for an ambient temperature of 0°C to +60°C
・ BRS30-16TX/4SFP is equipped with sixteen 10/100BASE-TX RJ45 ports and four 100 Mb/s fiber optic ports, and is rated for an ambient temperature of 0°C to +60°C

Managed Ethernet switches generally support TSN, PoE and PoE+, provide a high level of network security, and deliver the high-bandwidth connectivity required by IIoT and Industry 4.0 backbone network structures. These switches are easy to configure, offer high port density, operate over a wide temperature range, and are available in versions certified for use in ISA 12.12.01 hazardous locations.
