Industrial Ethernet switches: to manage or not?

10 December 2018

To make traditional industrial networks ready for Industrial Internet of Things (IIoT) applications, device connectivity is key. Suzanne Gill asks how smart or manageable networking devices need to be, and whether there is still a place for unmanaged switches in the IIoT.

To answer these questions it is first important to understand the requirements of the network and the applications. According to Ivana Nikic, product marketing engineer - Industrial Ethernet at Moxa, there are some advantages, but also some dangers that could be faced by using an unmanaged switch.

Looking at the obvious advantages, Nikic explained that industrial unmanaged switches are cost-effective, durable in harsh environments and can easily be used to connect a number of devices to the network. They come with the advantage of being a ‘plug & play’ device where no network expert is needed for configuration and the implementation process. They work as transparent devices to most industrial protocols, which eliminates the question of compatibility. They are also usually of a smaller form factor, which makes them suitable for easy installation in control cabinets.

“However, the biggest disadvantage of an unmanaged switch is its lack of ability to pass on information via communication. If a communication failure occurs on the unmanaged switch it could go unnoticed,” said Nikic. “Because of the resulting production downtime this will add a higher cost to the overall equipment effectiveness.” Nikic suggests choosing a managed switch which can be easily integrated and monitored by a network monitoring system, SCADA, HMI or controller portal. Another issue to look out for relates to the use of unmanaged switches with industrial protocols such as PROFINET, Ethernet/IP, and Modbus TCP, which are based on Ethernet communication and which are normally used in applications that require networks with fast response times and low jitter. “The more devices you add to your network through unmanaged switches, the more you are slowing it down, causing jitter and high response times,” said Nikic. “Managed switches come with a rainbow of capabilities to make the network more reliable, to name one of the basic ones like management and prioritisation of different types of network traffic data, support of redundancy protocols (e.g. RSTP) and of network management protocols (like SNMP).”

Another important consideration is the issue of security. “There are many ways to protect even the most vulnerable devices by positioning them correctly in the network and protecting them by the secure devices from the upper levels of the network. While unmanaged switches come with no security, managed switches can come with the support of different levels of security, from basic functions like user login authentication to more advanced ones like client/server-based access control and data encryption.”

In conclusion, Nikic believes that unmanaged switches are only suitable for connecting small numbers of devices with basic connectivity in applications where no special requirements for the network communication are needed – like monitoring, redundancy, high response times or industrial protocol support. In the long term it could be much more costly to use unmanaged switches than to invest in a managed switch.

Increasing demands
At the same time that data communication networks are getting larger and more complex, the demands placed on them are also increasing, with users now requiring greater reliability, faster speeds and enhanced security features to help ensure higher availability and protect against the growing cybersecurity threats.

A moderately sized chemical processing plant, for example, will require hundreds of networking points for PLCs, valves and sensors. “Using unmanaged devices for such applications would reduce the CAPEX, but the network lifecycle cost would ultimately be higher due to the lack of visibility of the overall network and increased time to locate and resolve issues,” said Ray Lock, technical director at Westermo.

From a cybersecurity standpoint, Lock believes that even layer 2 managed switches create a point of weakness for a network. “A network based on unmanaged devices would effectively be an open door to unwelcome actors attempting to penetrate it,” he said.

“It is entirely possible and advisable to install perimeter firewalls at each zone where they connect to the next layer of the network. However, an actor could remain undetected at the edge of the network for a considerable amount of time. Installing separate cybersecurity devices at the edge of the network defeats the cost argument and still does not address the need for network management. Also, increasing the number of devices implemented decreases overall network reliability.”

According to Lock, today’s managed Ethernet switches help meet all these challenges and play an essential role in providing robust networks capable of supporting both essential and critical systems. He said: “Managed switches offer port security, with the ability to disable ports and prevent unauthorised access. More sophisticated mechanisms, such as MAC filtering and 802.1X port authentication, can secure open ports. SNMP traps can indicate when a port comes up or a user fails to authenticate correctly. Segmenting using VLANs further supports improved network security, as a firewall can be introduced close to the edge of the network. Managed switches also provide monitoring tools to determine the health of the network. The ability to monitor the interconnecting media or port errors can point to where early intervention will reduce the number of breakdowns at crucial times.”
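The monitoring Lock describes only pays off if somebody acts on the traps. The following script is an added example (not code from the article or from any of the vendors quoted) showing how a network monitoring system can turn the switch events he names into alerts: a link coming up on a port that is supposed to be disabled, a link dropping to a critical device, and repeated 802.1X authentication failures on one port. The standard SNMP trap names linkUp and linkDown are real; the dot1xAuthFail/dot1xAuthSuccess names, the one-line log format, the switch name and the port roles are all assumptions constructed for this example.

```python
"""Turn switch SNMP trap log lines into alerts (added example).

Each constructed log line has the form
    <timestamp> <switch> <trap-name> port=<n> [user=<name>]
linkUp/linkDown are standard SNMP traps; dot1xAuthFail/dot1xAuthSuccess
are assumed names standing in for whatever a given vendor emits.
"""
from collections import defaultdict
from dataclasses import dataclass

# Port inventory (assumed values): ports that must stay administratively
# disabled, and ports that carry critical devices.
DISABLED_PORTS = {"sw-cabinet-1": {5, 6, 7, 8}}
CRITICAL_PORTS = {"sw-cabinet-1": {1: "PLC-1", 2: "HMI-1"}}
AUTH_FAIL_THRESHOLD = 3  # consecutive failures on one port before alerting


@dataclass
class Alert:
    severity: str
    switch: str
    port: int
    message: str


def parse_trap(line):
    """Parse one log line into a dict; return None for malformed lines."""
    fields = line.split()
    if len(fields) < 4:
        return None
    trap = {"time": fields[0], "switch": fields[1], "trap": fields[2]}
    for kv in fields[3:]:
        key, sep, value = kv.partition("=")
        if not sep:
            return None
        trap[key] = value
    if not trap.get("port", "").isdigit():
        return None
    trap["port"] = int(trap["port"])
    return trap


def analyse(lines):
    """Return the list of Alerts raised by a sequence of trap log lines."""
    alerts = []
    auth_failures = defaultdict(int)  # (switch, port) -> consecutive failures
    for line in lines:
        t = parse_trap(line)
        if t is None:
            continue  # malformed lines are skipped, not trusted
        sw, port, name = t["switch"], t["port"], t["trap"]
        if name == "linkUp" and port in DISABLED_PORTS.get(sw, set()):
            alerts.append(Alert("high", sw, port,
                                "link came up on a port that should be disabled"))
        elif name == "linkDown" and port in CRITICAL_PORTS.get(sw, {}):
            device = CRITICAL_PORTS[sw][port]
            alerts.append(Alert("high", sw, port,
                                f"link lost to critical device {device}"))
        elif name == "dot1xAuthFail":
            auth_failures[(sw, port)] += 1
            if auth_failures[(sw, port)] == AUTH_FAIL_THRESHOLD:
                alerts.append(Alert("medium", sw, port,
                                    f"{AUTH_FAIL_THRESHOLD} consecutive 802.1X "
                                    f"failures (user={t.get('user', '?')})"))
        elif name == "dot1xAuthSuccess":
            auth_failures[(sw, port)] = 0  # a success resets the counter
    return alerts


# Constructed sample trap lines for a single switch.
SAMPLE_TRAPS = [
    "2018-12-10T08:00:01 sw-cabinet-1 linkUp port=1",
    "2018-12-10T08:00:02 sw-cabinet-1 linkUp port=2",
    "2018-12-10T09:15:10 sw-cabinet-1 linkUp port=7",
    "2018-12-10T09:15:12 sw-cabinet-1 dot1xAuthFail port=7 user=contractor",
    "2018-12-10T09:15:20 sw-cabinet-1 dot1xAuthFail port=7 user=contractor",
    "2018-12-10T09:15:31 sw-cabinet-1 dot1xAuthFail port=7 user=contractor",
    "2018-12-10T10:02:00 sw-cabinet-1 linkDown port=2",
    "garbage line",
]

if __name__ == "__main__":
    for a in analyse(SAMPLE_TRAPS):
        print(f"[{a.severity}] {a.switch} port {a.port}: {a.message}")
```

Run against the sample lines it raises three alerts: the link-up on disabled port 7, the third failed authentication on that port, and the lost link to HMI-1 on port 2. The malformed last line is dropped rather than parsed, which matters in practice because trap receivers see plenty of noise.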

Lock agrees with Nikic that unmanaged devices do still have a place in very simple system installations, such as a standalone machine that just needs a switch to connect the internal devices together. “There is an argument that ‘my network is not connected to the internet’, but security by obscurity is no longer a suitable defence. You may have a totally isolated network, but if an actor penetrates the physical security or the actor is located internally, then the network is wide open to abuse or attack.”

“In short, if you want a resilient and reliable network, to control and manage and report on the status of the network, then managed devices are essential. If you don’t need those elements, then unmanaged switches might just about meet your requirements.”

Questioning your choices
Although tool assistance and better web interfaces have greatly increased the accessibility and ease of use of managed switches in recent years, the constantly increasing feature set and complexity in managed switches has, at the same time, negated this improvement for some users.

Oliver Kleineberg, global CTO of Core Networking Business within Belden’s Industrial IT platform, suggests that when deciding between managed and unmanaged devices the following questions should first be answered:

Do you need network media fault-tolerance? Only managed switches support the protocols, such as MRP (Media Redundancy Protocol) or RSTP (Rapid Spanning Tree Protocol), to enable media fault tolerance which protects the network against cable or device failures.

Do you need network diagnostic functions? Managed switches support diagnostic functions beyond physical link and link activity detection. To a certain degree, this question is connected to the complexity of the network. A small network with only a few devices might not require the diagnostic functions of a managed switch. Larger networks however, with a certain complexity in end device attachments and applications, may benefit greatly from the diagnostic and monitoring capabilities that managed switches provide. This is especially true if the managed switches are combined with a network management solution that can monitor the entire network.

What level of cybersecurity do you need? Some unmanaged switches can provide baseline security functions, such as deactivating unused physical ports through a local USB configuration. For some applications, this is sufficient. Modern managed switches offer a wide range of cybersecurity features, such as firewalling/filtering functions, ARP spoofing detection or Network Access Control. If you plan on implementing networks with a ‘defense-in-depth’ approach in mind – as recommended for mission-critical networks in standards like IEC 62443 – you will need managed switches.
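Of the managed-switch features Kleineberg lists, ARP spoofing detection is the easiest to show in a few lines. A switch that offers it keeps a binding table of IP to MAC addresses (static entries for important hosts, learned entries for the rest) and flags ARP replies that contradict the table. The script below is an added example, not code from the article or from Belden, that applies that logic to a constructed stream of ARP replies; the addresses, the port numbers and the reply format are assumptions made for the example.

```python
"""Flag ARP replies that contradict an IP-to-MAC binding table (added example).

Models the check a managed switch with ARP-spoofing detection performs:
static bindings for hosts whose MAC must never change, learned bindings for
everything else, and a limit on how many IPs one MAC may claim.
"""
from collections import defaultdict

# Static bindings (assumed values): the gateway/firewall and a PLC.
STATIC_BINDINGS = {
    "10.0.1.1": "00:11:22:33:44:01",   # gateway
    "10.0.1.10": "00:11:22:33:44:10",  # PLC
}
MAX_IPS_PER_MAC = 2  # more than this from one MAC is treated as suspicious


def check_arp_replies(replies, static=STATIC_BINDINGS):
    """replies: iterable of (sender_ip, sender_mac, switch_port) tuples.

    Returns a list of (finding, ip, mac, port) tuples, in the order seen.
    """
    findings = []
    bindings = {ip: mac.lower() for ip, mac in static.items()}  # ip -> mac
    ips_by_mac = defaultdict(set)                               # mac -> {ip}
    for ip, mac, port in replies:
        mac = mac.lower()
        ips_by_mac[mac].add(ip)
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac  # first time this IP is seen: learn it
        elif known != mac:
            # A static entry never changes; a learned one changing is still
            # worth a look because ARP has no authentication at all.
            kind = "static-binding-violation" if ip in static else "binding-changed"
            findings.append((kind, ip, mac, port))
        # Report once, at the moment the MAC crosses the limit.
        if len(ips_by_mac[mac]) == MAX_IPS_PER_MAC + 1:
            findings.append(("mac-claims-many-ips", ip, mac, port))
    return findings


# Constructed sample: three legitimate replies, then one host on port 7
# answering for the gateway, the PLC and a laptop in turn.
SAMPLE_REPLIES = [
    ("10.0.1.1", "00:11:22:33:44:01", 1),
    ("10.0.1.10", "00:11:22:33:44:10", 2),
    ("10.0.1.50", "00:11:22:33:44:50", 5),
    ("10.0.1.1", "DE:AD:BE:EF:00:01", 7),
    ("10.0.1.10", "de:ad:be:ef:00:01", 7),
    ("10.0.1.50", "de:ad:be:ef:00:01", 7),
]

if __name__ == "__main__":
    for kind, ip, mac, port in check_arp_replies(SAMPLE_REPLIES):
        print(f"{kind}: {ip} claimed by {mac} on port {port}")
```

On the sample data the first three replies are accepted (the laptop's binding is learned), and the rogue host on port 7 produces four findings: two static-binding violations, one changed learned binding, and one notice that a single MAC now claims three addresses. A switch doing this inline could drop the offending frames or shut the port; a monitoring system fed the same bindings can at least raise the alarm that Lock and Nikic argue an unmanaged network never will.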
