A supplement to PLANT ENGINEERING and Control Engineering magazines
Contents

A4  How to choose between managed and unmanaged switches
    Industrial automation systems need hardened networking equipment to deliver required performance and cybersecurity, and designers also must consider whether unmanaged switches are sufficient, or if the step up to managed switches is warranted.

ON THE COVER: As industrial Ethernet networks scale up, managed switches address many concerns relating to increased traffic, requirements for redundancy and security and a general need for improved network “awareness.” Courtesy: AutomationDirect
INSIGHTS

Insights on industrial networking

Jack Smith, Editor

As we begin this new year, I find myself looking back over the many years I have been in industrial automation. I remember working at a company that did contract electronic manufacturing. It introduced its local area network (LAN) for data collection in a printed circuit board testing application. The dedicated LAN was the original 10BASE5 Ethernet, which used coaxial cable as a shared medium, which was prone to data collisions. Computers on the network tried to communicate sharing the same coaxial cable. Determinism wasn’t in the industry’s vocabulary back then.

The industry has come a long way since. What was once a coaxial cable main backbone is now either twisted pair or fiber optic links, both used in conjunction with switches. Whereas data collisions were commonplace, switches make them a thing of the past. Now, for the industrial environment, the choice is not whether to use a switch, it is which type of switch to use: managed or unmanaged. In this issue of AppliedAutomation, the author explores the topic of managed and unmanaged switches and how to choose between them.
The first – and obvious – difference is cost. However, performance increase comes with the cost increase. There are many things a managed switch can do that an unmanaged switch cannot. But users may not need the enhanced performance for some applications. So why pay more? The author looks at how designers can determine if they can make do with an unmanaged Ethernet switch, and when a managed switch is needed. According to the author, the most common situations where a managed switch becomes necessary are when there are requirements for enhanced traffic filtering, network redundancy, comprehensive security, deeper troubleshooting and diagnostic information, overall better network “awareness” for users and automation platforms and/or any combination of these. The author said: “Unmanaged switches are certainly suitable and economical for connecting a few devices together with an understanding of low priority networking limitations. However, for many automation applications, the cost increase of moving to managed switches over unmanaged switches is not a major impact.”
Applied Automation • February 2021 • A3
INDUSTRIAL NETWORKING
How to choose between managed and unmanaged switches

Industrial automation systems need hardened networking equipment to deliver required performance and cybersecurity, and designers also must consider whether unmanaged switches are sufficient, or if the step up to managed switches is warranted

By Bill Dehner, AutomationDirect

In a world where fabulously fast and relatively reliable Ethernet — in wired and Wi-Fi formats — has become so familiar to consumers of all ages and technical abilities, it is tempting to think industrial automation systems can be connected to any available networking gear. After all, people regularly link their portable devices, entertainment electronics and even home automation components to the local network, and in turn to the cloud, with mostly good results.

The “mostly” qualifier is why industrial products must be specified for industrial solutions. While any networking failure in a general consumer setting is usually more of a nuisance than a crisis, industrial systems are constantly transacting time-sensitive data, even input/output (I/O) signals in some cases, via Ethernet. These signals often are informational and optional to some degree, but responsive I/O and interlock signaling is necessary to avoid equipment damage, wasted product and data loss — while providing required personnel safety.

Industrial-oriented network switches, powered by robust and redundant sources and connected with quality media and fittings, are readily available and can be found at a range of price points. But users must actively choose between basic unmanaged switches, which can be sufficient for some applications, or managed switches, which can offer significant operating benefits but cost more to procure and configure. This article looks at how designers can determine if they can make do with an unmanaged Ethernet switch, and when a managed switch is needed.

Industrial-grade and more

While data center Ethernet switches were available and designed to meet stringent performance requirements, any switch to be installed in a field environment needed to withstand even greater extremes of temperature, vibration and electrical noise immunity. Early attempts at industrial-grade Ethernet switches were low-volume specialty products and far more expensive than commercial counterparts.

As Ethernet became prevalent in all levels of industrial automation — from field signals, to controllers and at the supervisory level — economies of scale helped industrial switches reach more mainstream pricing levels. Improved electronics led to lower power consumption and heat generation, making it possible to remove trouble-prone fans. Designers gained a wide range of network hardware options so they could easily make connections as needed from the field to the control panel, to the server room. Soon there was little reason, beyond saving a few dollars, to use anything other than industrial-grade switches.

What was not always as obvious was when to choose a basic plug-and-play unmanaged switch, or when to take the leap toward a managed switch. The operational technology (OT) personnel charged with selecting automation networking components were not always deeply familiar with the information technology (IT) concepts, and corresponding benefits associated with managed switches.

When to go managed

For a typical piece of original equipment manufacturer (OEM) industrial equipment automated by a programmable logic controller (PLC) with I/O, a human-machine interface (HMI), and other miscellaneous smart devices, a small unmanaged industrial switch is often the best choice and can be had for prices starting under $100. These devices are easy to use, provide plenty of network speed and are available for use with copper or fiber media. For simple budget-conscious projects, they may be the best way to go.
Figure 1: As industrial Ethernet networks scale up, managed switches address many concerns relating to increased traffic, requirements for redundancy and security and a general need for improved network “awareness.” Courtesy: AutomationDirect
But once the device count goes higher, or a formerly standalone piece of automated equipment will be interconnected within a plant with dozens or hundreds of other systems and intelligent devices on the local area network (LAN), greater networking concerns emerge (see Figure 1). On a home or office network, traffic overload and other network problems might simply delay email delivery or slow down playback of a video until the issue is resolved. On an industrial control network, however, traffic overload can cause improper equipment operation. Five of the most common situations where a managed switch becomes necessary are when there are requirements for one or more of the following:

• Enhanced traffic filtering
• Network redundancy
• Comprehensive security
• Deeper troubleshooting and diagnostic information
• Overall better network “awareness” for users and automation platforms.
The following sections explore why each of these needs is a compelling reason to specify a managed switch.
Taming the traffic

To minimize networking delays, and therefore improve the level of determinism on any network, it is important that communication data packets be transmitted from the source to the target device. When packets are transmitted where they are not needed, then destination devices expend resources to handle the packet, delaying processing of critical communications. Modern unmanaged switches can perform a degree of packet filtering, alleviating this issue somewhat. But there are many types of packets that cannot be effectively identified and filtered by an unmanaged switch, so these devices end up forwarding unneeded packets to all connected devices. Managed switches include several capabilities to improve traffic filtering in commercial and industrial environments:
• Multicast filtering: Multicast packets are common with control systems and are indiscriminately forwarded by unmanaged switches. Managed switches perform Internet group management protocol (IGMP) snooping to learn when these packets are needed and selectively forward them.
• Virtual LANs (VLANs): Managed switches offer VLANs so users can logically separate network traffic on one physical installation. This effectively groups devices so each group does not receive traffic from other groups.
• Traffic priority: Using quality of service (QoS) features enables devices to prioritize the packets they are sending, allowing managed switches to handle each packet based on its priority.

The preceding features assume a functioning network, but additional aspects must be considered to overcome any hardware or media (cabling) failure.
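To make the multicast-filtering point concrete, here is an added simulation (not code from the article or from any switch vendor) in which an unmanaged switch floods every multicast frame to all other ports while a managed switch performs IGMP snooping and forwards group traffic only to the ports that joined. The port numbers, group addresses and traffic sequence are constructed, and two simplifications are assumed: IGMP reports are consumed by the switch rather than relayed to a multicast router port, and frames for a group with no members are dropped rather than flooded.

```python
"""Multicast handling in an unmanaged switch versus an IGMP-snooping managed switch.

Added example; the switch model, port numbers, group addresses and traffic
sequence are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

PORTS = [1, 2, 3, 4, 5, 6]
GROUP_IO = "239.192.1.1"      # constructed multicast group carrying I/O data
GROUP_OTHER = "239.192.7.7"   # constructed group nobody on this switch produces


@dataclass(frozen=True)
class Frame:
    src_port: int
    kind: str                   # "multicast", "igmp_report" or "igmp_leave"
    group: Optional[str] = None


class UnmanagedSwitch:
    """No IGMP awareness: multicast is flooded out of every other port."""

    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, frame):
        return sorted(self.ports - {frame.src_port})


class ManagedSwitch(UnmanagedSwitch):
    """IGMP snooping: learn which ports joined a group and forward the
    group's frames only to them."""

    def __init__(self, ports):
        super().__init__(ports)
        self.members = {}       # group address -> set of member ports

    def forward(self, frame):
        if frame.kind == "igmp_report":
            self.members.setdefault(frame.group, set()).add(frame.src_port)
            return []           # simplification: no multicast router port to relay to
        if frame.kind == "igmp_leave":
            self.members.get(frame.group, set()).discard(frame.src_port)
            return []
        if frame.kind == "multicast":
            # assumption: frames for a group with no members are dropped;
            # real switches often make "flood unregistered multicast" configurable
            return sorted(self.members.get(frame.group, set()) - {frame.src_port})
        return super().forward(frame)


def run_scenario(switch):
    """Feed a constructed traffic sequence through the switch and count how
    many multicast data frames each port has to receive and process."""
    received = {p: 0 for p in PORTS}

    def push(frame):
        for p in switch.forward(frame):
            if frame.kind == "multicast":
                received[p] += 1

    push(Frame(2, "igmp_report", GROUP_IO))      # HMI on port 2 joins the I/O group
    push(Frame(3, "igmp_report", GROUP_IO))      # HMI on port 3 joins too
    push(Frame(4, "igmp_report", GROUP_OTHER))   # port 4 wants a different group
    for i in range(10):                          # PLC on port 1 produces 10 I/O frames
        if i == 5:
            push(Frame(3, "igmp_leave", GROUP_IO))   # port 3 leaves halfway through
        push(Frame(1, "multicast", GROUP_IO))
    return received


if __name__ == "__main__":
    for cls in (UnmanagedSwitch, ManagedSwitch):
        print(cls.__name__, run_scenario(cls(PORTS)))
```

With the unmanaged model every port except the producer handles all ten frames, including the two ports that never asked for anything; with snooping, port 2 handles ten, port 3 handles the five sent before it left, and the rest handle none. The quiet ports are exactly the devices whose critical traffic the article says is delayed when unneeded packets arrive.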
Redundancy recommendations

A basic unmanaged Ethernet network only allows one point-to-point connection, or path, between any two device ports on the network. If more than one path creates a loop between devices on such a network, then packets circulate endlessly through the loop, causing a network storm, which sooner or later overwhelms the network with traffic. However, a consequence of single paths is any hardware, power or cable failure will interrupt communications. A significant benefit of managed switches over unmanaged switches is redundancy capabilities. Two common approaches are:

• Rapid spanning tree protocol (RSTP): This IT-based protocol allows designers to create multiple paths — and therefore rings — on a network, because the managed switch uses RSTP to determine and control which single path should be used, and which alternate path to switch to if trouble is detected. Network storms are averted, but RSTP can be too slow to respond in a useful way for automation applications.
• Ring protocols: Ring protocols are available to connect switches in rings, which recover from network failure much faster than RSTP, and quickly enough for many critical automation applications. Ring protocols are not standardized but are instead specific to certain makes and models of switches (see Figure 2).
For the cost of upgrading to managed switches and installing some extra cable runs, industrial automation projects with more than a few switches will experience far greater network resilience by implementing a ring protocol.
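The loop, storm and recovery behaviour described in this section, as an added simulation that is not code from the article or from any switch vendor: three switches form a ring (constructed topology), a broadcast frame is forwarded the way a basic switch forwards it, and a BFS-built tree stands in for the path selection RSTP performs. RSTP's path costs, bridge priorities and timers are not modelled, and the hop cap is an arbitrary constructed value.

```python
"""Why a loop causes a network storm, and how blocking one link prevents it.

Added example; the ring, switch names and transmission cap are constructed.
"""
from collections import deque


def link(a, b):
    """Undirected link between two switches."""
    return frozenset((a, b))


# constructed three-switch ring: the smallest topology that contains a loop
RING = {link("S1", "S2"), link("S2", "S3"), link("S3", "S1")}


def flood(links, start, blocked=frozenset(), cap=1000):
    """Forward one broadcast frame the way a basic switch does: out of every
    active link except the one it arrived on. Returns (transmissions,
    quiesced, switches_reached); quiesced is False when the frame is still
    circulating after `cap` transmissions, i.e. a network storm."""
    active = set(links) - set(blocked)
    queue = deque([(start, None)])      # (switch holding a copy, link it came in on)
    sent, reached = 0, set()
    while queue:
        node, came_from = queue.popleft()
        reached.add(node)
        for l in active:
            if node in l and l != came_from:
                (other,) = l - {node}
                queue.append((other, l))
                sent += 1
                if sent >= cap:
                    return sent, False, reached
    return sent, True, reached


def spanning_tree_blocked(links, root):
    """Minimal stand-in for the decision RSTP makes: keep one loop-free tree
    rooted at the root switch and block every other link. Plain BFS is used;
    RSTP's path costs and bridge priorities are not modelled."""
    tree, seen, queue = set(), {root}, deque([root])
    while queue:
        node = queue.popleft()
        for l in sorted(links, key=sorted):   # deterministic tie-breaking
            if node in l:
                (other,) = l - {node}
                if other not in seen:
                    seen.add(other)
                    tree.add(l)
                    queue.append(other)
    return set(links) - tree


def failover(links, root, failed_link):
    """Remove a failed link, recompute the tree on what is left, and flood
    again to confirm the frame reaches every switch without a storm."""
    remaining = set(links) - {failed_link}
    blocked = spanning_tree_blocked(remaining, root)
    return blocked, flood(remaining, root, blocked)


if __name__ == "__main__":
    print("unblocked ring:", flood(RING, "S1")[:2])
    blocked = spanning_tree_blocked(RING, "S1")
    print("blocked by tree:", blocked, flood(RING, "S1", blocked))
    print("after S1-S2 fails:", failover(RING, "S1", link("S1", "S2")))
```

The unblocked ring never quiesces; the same ring with the tree's one blocked link delivers the frame to all three switches in two transmissions. Failing a tree link while keeping the old blocked set strands a switch, which is why the protocol must recompute and unblock the alternate path; the speed of that recomputation is the difference between RSTP and the ring protocols the article prefers for automation.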
Superior security

Security to protect from accidental or malicious activity is desirable in any network, and crucial for automation networks that operate physical equipment and contain valuable data. Unmanaged switches forward packets, but managed switches provide an additional level of protection in the form of:

• Port control: Users can disable unused ports to help limit unauthorized access.
• Management and browser security: These settings, involving passwords and industry-standard HTTPS using SSL, ensure unauthorized parties or applications cannot disrupt switch and networking settings.
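A check a practitioner would run against the two protections above, written as an added example that is not code from the article or from any vendor's tooling: it walks a switch's port table looking for ports that are enabled but have nothing connected, or that carry more stations than the port was commissioned for, and it inspects the management settings for plain HTTP and a default SNMP community. The port table, the management settings, the MAC addresses and the `max_devices` field are constructed; a real switch exposes this information through its web interface, CLI or SNMP in vendor-specific form.

```python
"""Configuration audit for managed-switch port control and management security.

Added example; the port table, management settings and addresses are constructed.
"""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Port:
    number: int
    admin_up: bool                  # enabled in the switch configuration
    link_up: bool                   # a device is actually connected and linked
    learned_macs: Tuple[str, ...]   # addresses the switch has seen on this port
    description: str = ""
    max_devices: int = 1            # stations expected behind the port (more for an uplink)


@dataclass(frozen=True)
class ManagementConfig:
    http_enabled: bool              # plain-text web management
    https_enabled: bool
    snmp_community: str             # "" when SNMP is off


# constructed sample data
SAMPLE_PORTS = (
    Port(1, True, True, ("00:d0:c9:00:00:01",), "PLC"),
    Port(2, True, True, ("00:d0:c9:00:00:02",), "HMI"),
    Port(3, True, False, (), "spare"),                 # enabled, nothing connected
    Port(4, False, False, (), "spare"),                # already disabled
    Port(5, True, True, ("00:d0:c9:00:00:05", "3c:ab:8e:00:00:99"), "HMI 2"),
    Port(6, True, False, ()),                          # enabled, undocumented, unused
    Port(7, True, True, ("00:d0:c9:00:00:11", "00:d0:c9:00:00:12",
                         "00:d0:c9:00:00:13"), "uplink to plant", max_devices=64),
)
SAMPLE_MGMT = ManagementConfig(http_enabled=True, https_enabled=True,
                               snmp_community="public")


def audit_ports(ports):
    """Return (port number, finding) pairs for ports that need attention."""
    findings = []
    for p in ports:
        if p.admin_up and not p.link_up and not p.learned_macs:
            findings.append((p.number,
                             "enabled but unused: disable until a device is commissioned"))
        elif len(p.learned_macs) > p.max_devices:
            findings.append((p.number,
                             f"{len(p.learned_macs)} stations seen, {p.max_devices} expected: "
                             "check for an unauthorized hub, switch or device"))
    return findings


def audit_management(cfg):
    """Return findings about how the switch itself can be administered."""
    findings = []
    if cfg.http_enabled:
        findings.append("plain HTTP management is enabled; disable it and use HTTPS only")
    if not cfg.https_enabled:
        findings.append("HTTPS management is disabled; enable it so credentials are "
                        "not sent in the clear")
    if cfg.snmp_community in ("public", "private"):
        findings.append("SNMP uses a well-known default community string; set a "
                        "unique one or move to SNMPv3")
    return findings


if __name__ == "__main__":
    for number, text in audit_ports(SAMPLE_PORTS):
        print(f"port {number}: {text}")
    for text in audit_management(SAMPLE_MGMT):
        print(f"management: {text}")
```

On the sample data ports 3 and 6 are candidates for disabling, port 5 shows a second station behind what was commissioned as one HMI, and the management review flags the open HTTP interface and the default community string. The uplink on port 7 passes because its expected station count was recorded at commissioning, which is the bookkeeping that makes such an audit repeatable.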
Deeper diagnostics

When networking problems do occur, technicians need useful information as quickly as possible for troubleshooting. Unmanaged switches typically do not support this type of diagnostics, but managed switches can provide the necessary visibility in a few ways:

• Port monitoring: For detailed troubleshooting, this feature allows a technician to identify a port to be investigated, so all that port data is mirrored to another available port. Users can connect their PC to the mirror port and use software like Wireshark to examine the content of packets.
• Network statistics: Managed switches provide network statistics pages in the configuration, which are accessible to users with a web browser connection and the proper credentials. The data on these pages can help identify broken packets, for example, which may be caused by faulty field wiring.
Figure 2: This managed switch network diagram shows AutomationDirect hardware with one root switch connected to three designated switches; using the ring protocol, any one active path failure can be overcome via a backup path so that all end stations stay online. Courtesy: AutomationDirect

Abundant awareness

Traffic, redundancy, security and diagnostics are important, but if the automation system and the users are not made aware of problems, then there is no way to avoid the trouble before it becomes critical. The right managed switches can provide awareness in support of smarter automatic decisions to get technicians involved as soon as possible, but only when necessary.
There are many ways to integrate network awareness into automation systems using managed switches:

• Modbus TCP and EtherNet/IP: Managed switches oriented for industrial automation applications can provide diagnostics tags, which can be read by PLCs over Ethernet using the Modbus TCP or EtherNet/IP protocol. If network problems are indicated, PLCs can use this information to take action, such as stopping the equipment or notifying operators via the HMI. More advanced managed switches may allow full management capability using these protocols.
• Simple network management protocol (SNMP): When managed switches incorporate SNMP, users can take advantage of many software tools able to query or receive “traps” generated by the switch, and to indicate hardware health or other network events.
• Alarm outputs: For users who prefer to keep things simple and not use a communications protocol with a switch, some industrial managed switches provide a hardwired relay output to report power redundancy failure to a PLC digital input.
• Spanning tree or network ring status: It is important for users to know when the spanning tree or network ring status has changed because this indicates a normal network path has experienced a failure. Managed switches can indicate this type of issue to the automation system, so users can be prompted to identify and resolve the primary problem before a secondary problem causes a network failure.
• Media access control (MAC) table: Personal networks at home and commercial networks at retail businesses are likely to have many new users coming and going. Industrial networks, on the other hand, usually have a stable number of client stations. Therefore, technicians can monitor the table of MAC identifications maintained by a switch to detect unexpected changes.

When an automation system commands a valve to shift or a motor to run, the end device can be monitored by sensors so the action may be verified — and alarmed if it fails to happen. Using managed switches, designers can perform a similar type of closed-loop verification for network operation using feedback from the switches. Taking these steps ensures the best possible network awareness and enables the automation system to take action and keep users informed. Critical operations deserve this level of protection.
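The MAC-table monitoring described in the list above, and the closed-loop verification idea that follows it, as an added example that is not code from the article or from any switch vendor: a table captured at commissioning is compared with a later snapshot, and stations that are new, missing or have moved to another port are reported. Both tables are constructed text in a simple CSV layout assumed for the example; a real switch's table is read through its web interface, SNMP or an industrial protocol, and its export format is vendor-specific.

```python
"""Detecting unexpected changes in a managed switch's MAC table.

Added example; both tables, their CSV layout and the addresses are constructed.
"""
import csv
import io

# constructed table captured at commissioning
BASELINE_CSV = """port,mac,type
1,00:D0:C9:00:00:01,dynamic
2,00:D0:C9:00:00:02,dynamic
3,00:D0:C9:00:00:03,dynamic
4,00:D0:C9:00:00:04,dynamic
"""

# constructed snapshot taken later: the HMI on port 2 is gone, the remote I/O
# has turned up on port 6, and an unknown station has appeared on port 5
CURRENT_CSV = """port,mac,type
1,00:d0:c9:00:00:01,dynamic
6,00:d0:c9:00:00:03,dynamic
4,00:d0:c9:00:00:04,dynamic
5,3c:ab:8e:12:34:56,dynamic
"""


def parse_mac_table(text):
    """Parse the assumed CSV export into {mac: port}, normalising address case."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        table[row["mac"].strip().lower()] = int(row["port"])
    return table


def compare_mac_tables(baseline, current):
    """Classify differences into new, missing and moved stations."""
    new = {m: p for m, p in current.items() if m not in baseline}
    missing = {m: p for m, p in baseline.items() if m not in current}
    moved = {m: (baseline[m], current[m])
             for m in baseline if m in current and baseline[m] != current[m]}
    return {"new": new, "missing": missing, "moved": moved}


def alarms(diff):
    """Operator-facing messages, an unknown station first because it is the
    change that most needs a person to look at it."""
    out = []
    for mac, port in sorted(diff["new"].items()):
        out.append(f"NEW station {mac} on port {port}: not in commissioning baseline")
    for mac, (old, new) in sorted(diff["moved"].items()):
        out.append(f"MOVED station {mac} from port {old} to port {new}: verify cabling change")
    for mac, port in sorted(diff["missing"].items()):
        out.append(f"MISSING station {mac} from port {port}: device offline or cable fault")
    return out


if __name__ == "__main__":
    diff = compare_mac_tables(parse_mac_table(BASELINE_CSV), parse_mac_table(CURRENT_CSV))
    for line in alarms(diff):
        print(line)
```

Because an industrial network's station count is stable, every line this produces deserves a ticket: a missing or moved station is usually a maintenance event that should already be known, and a new station is the case the article's port-control and awareness recommendations exist to catch.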
Moving to managed

Unmanaged switches are certainly suitable and economical for connecting a few devices together with an understanding of low priority networking limitations. However, for many automation applications the cost increase of moving to managed switches over unmanaged switches is not a major impact. For many applications designers should consider the immediate and future benefits of managed switches and specify them for situations where they would previously have used unmanaged switches (see Table 1).

Table 1: Managed versus unmanaged switches

Attribute                                                   Unmanaged switch       Managed switch
Cost                                                        Starting around $78    Starting around $384
Ease of Use                                                 X                      X
Network Speed                                               X                      X
Fiber Compatible                                            X                      X
Enhanced Traffic Filtering                                  --                     X
Redundancy                                                  --                     X
Port Monitoring                                             --                     X
Network Management                                          --                     X
Industrial Protocol Management (Modbus TCP, EtherNet/IP)    --                     X

Table 1: This table compares unmanaged versus managed switches. For most industrial automation projects, the slightly higher cost for managed switches yields significant performance and reliability improvements.

A managed switch does demand more user configuration than a simple plug-and-play unmanaged switch. However, browser interfaces and configuration guides have simplified this task to a great extent, which means OT personnel can configure and manage industrial networks without needing IT involvement. For most any type of industrial automation project, users are likely to find the somewhat higher cost premium for a managed switch will yield significant benefits for operating, securing, and maintaining an automation system.

Bill Dehner is an automation specialist with AutomationDirect. He has spent the majority of his 15-year engineering career designing and installing industrial control systems for the oil and gas, power and package handling industries. He has a bachelor’s degree in Electrical Engineering, with an associate’s in Avionics from the USAF, and is currently working for AutomationDirect as a technical marketing engineer.