Full featured managed switches from the IT world feature an impressive array of options and functionality—perhaps too many for operational technologists. Unmanaged switches, on the other hand, are relatively unsophisticated devices that cost less, but lack security and redundancy features. In this episode of Control Amplified: The Process Automation Podcast, Keith Larson talks to Charlie Norz, product manager for I/O systems, WAGO USA, about a network switch option designed specifically for the needs of OT applications—and the priorities and skillsets of the engineers and technicians that work with them.
Transcript
Keith Larson: There’s perhaps no clearer indication of the convergence of information technology and operational technology than the increased use of Ethernet networks, but the convergence has not been without bumps in the road. Full featured managed switches are great; in the IT world they feature an impressive array of options and functionality—perhaps too many for OT technologists tasked with their configuration—at a price point to match. Unmanaged switches, on the other hand, are relatively unsophisticated devices that cost less, but lack the security and redundancy features of increasing importance in industrial environments. If only there was an option that was cost effective, secure, reliable and easy to use as well!
Hello, this is Keith Larson, editor of Control magazine and ControlGlobal.com. Welcome to this Solutions Spotlight episode of our Control Amplified podcast, sponsored today by WAGO. With me today to talk about a network switch option designed specifically for the needs of OT applications—and the priorities and skillsets of the engineers and technicians that work with them—is Charlie Norz, product manager for I/O systems at WAGO USA.
Welcome, Charlie, a real pleasure to chat with you today. Thanks for joining.
Charlie Norz: Yeah. Thanks, Keith. I appreciate the opportunity, and enjoy talking to you about networking on the plant floor.
Keith: Absolutely. Well, maybe to start things off, perhaps you can talk a bit more about those fancy IT managed Ethernet switches from the IT world. When you go to deploy those in an OT environment, what are some of the issues that might arise when you go to a full IT switch from more of a plant floor environment?
Charlie: Well, I would say that, as you know, these managed switches, or fully managed switches, really came out of the IT world, right, where you're in office environments, a lot of different types of traffic, and really not deterministic traffic. So, I still would say that fully managed switches offer network administrators a wide variety of tools that help users both secure their networks as well as optimize network performance. Right? And these devices, or these fully managed switches, they do work in the OT environment, but in most cases, they have so many features built into them, only a few of them are really used for plant floor networking. And so, the other part is also, typically, these switches are configured using something they call a Command Line Interface, which is, you know IT people are really familiar where they work with it every day, but controls engineers not so much. So, these fully managed switches typically offer way more features than are ever used on the plant floor and also the tools to configure them are really typically used by IT. So, a lot of times, it's just overkill.
Keith: And on the other end of the spectrum, there are the fully unmanaged switches that may not have the functionality required. What are the downfalls or shortcomings of going all the way to more unmanaged switches entirely?
Charlie: You mentioned it in your intro a little bit. It's that unmanaged switches are plug-and-play, they're very economical and offer users really reliable communications. But, I think the main issue with these kind of switches, or unmanaged switches, is that they don't provide any security features at all, which is becoming a growing issue on the plant floor. And then, as we have more and more devices that have IP addresses on them, right, we see users wanting to make sure they can optimize their plant floor network as well, and that just is something you can't do with an unmanaged switch.
Keith: Yeah, in the intro I also alluded to a third alternative to managed and unmanaged Ethernet switches. What is WAGO’s solution and what advantages does it really represent for the industrial OT crowd?
Charlie: Yeah, so honestly, there seems to be a technology gap between these complex, fully managed switches used in the IT world, and just simple plug-and-play unmanaged switches. So, therefore, what WAGO has done is we've developed a switch that we call our lean managed switches to meet the current challenges on the plant floor, both for security and network optimization. And these switches offer features that are needed for control networks, but they don't have the complexity of fully managed switches that you would need in an IT environment.
Keith: I think one of the big things you talk about is really having a more intuitive user interface. You mentioned command line, the interface for the more IT-savvy folks. Tell me a little bit more about the intuitive user experience that you've developed, and how does that really support more effective use of the switches from initial configuration all the way through later parts of the lifecycle through troubleshooting, security and monitoring, those kind of things?
Charlie: Yeah, so first of all, I would say that our lean managed switches are configured by using a cloud-based management tool. So, basically, a controls engineer can use a web browser to configure the switch for security or network optimization, and they don't really need to learn a language, the IT language, the command line interface. So, I think it's much easier for the setup of the switch by just configuring it via a web browser.
And then, secondly, our lean managed switches offer a very unique feature, which is basically a read-only dashboard and topology map, where even a plant floor operator could look at this dashboard that has a traffic light indicator, like in green, yellow and red, and they can easily see that there's a problem with the health of the network. And even the topology map actually shows what's connected to the switch and you can quickly identify if there's a red line, and something's not connected. Maybe the plant floor operator could even recognize that the system's not powered up and fix the problem without needing to have a maintenance person there. So, this can really help reduce downtime in the long run, and it makes it very easy to set up.
Keith: Yeah, I would imagine that not only do you see if the devices you intend to be on the network are there, but if somebody were to add another device, you've got the functionality to tag that as well, correct?
Charlie: Yep, absolutely.
Keith: Are there other specific features that you have on the lean switches that are an advantage over the unmanaged switches? Are there other things besides the user interface?
Charlie: Yeah, I would say, you know, in the world we live in today, network security is becoming more and more of an issue, even at the plant floor, right? So, a lot of recommendations by security experts say to do this defense-in-depth, not just one firewall, but you have many different ways of helping to prevent a cyber attack. And so, our lean managed switches have a number of different features to help with security. I'll give you a couple of examples.
One example is most switches, engineers order and will have extra ports because you never know for future expansion or something changes in the design and you need more ports, right? But the problem is that these ports then, if they're on an unmanaged switch, provide access to the complete network, so they're easy to plug into. So, one thing with our lean managed switches, we have the ability through that web interface to disable any unused ports. So, even if someone does plug into them, that has no effect on the network, no access to the network. And they can be easily turned back on if you would ever need them again.
And so, that's one easy, simple way to help increase security. Another is really to limit the number of devices on the switch. So, the switch has a function where once you have it set up the way the network should be, it can learn, the switch will learn what devices are connected to it. And so, if sometime in the future, if an unknown device gets plugged into the network, then the lean managed switch can block the communication from that device to ensure that someone's not trying to gain access where they shouldn't be.
Keith: Yeah, I think one of the other advantages that I was reading about is offering redundancy at the lean managed switch level, which you don't have with the unmanaged switch. Correct? That's one of the capabilities you brought with from the fully managed switches. Is that fair to say?
Charlie: Yeah, definitely it's mostly for more critical networks on the plant floor, right? Users want to make sure that if maybe a switch fails or a cable gets disconnected or a switch gets powered off, right, that your network can still operate efficiently. And so, users use network rings to do that, and typically, you would need some kind of a managed switch to do that. Our lean managed switches offer a couple different technologies to do that. One is rapid spanning tree, and that's a protocol that's been proven in the marketplace and it has a very complex mesh network, so that's a nice tool. For more simple applications there's a technology that's called Ethernet Ring Protection Switching, or ERPS. So, our lean managed switches support both of those, really to help increase network availability.
Keith: That makes a lot of sense. Certainly seems to have a great set of functionality that really fits the OT needs. What about if you need to start transmitting data off the plant floor, where it might be more vulnerable to security risks there. What's the solution in a lean managed switch approach?
Charlie: Yeah, typically you would find in a control network a lot of these switches are locked up in control cabinets, so people don't have a lot of access to them. But there's always that issue when you go a long distance with an Ethernet cable maybe between two different systems, or maybe between buildings in a complex. So, in those cases, it's much harder to ensure that data is not hacked. So, if you have those kind of applications with long runs, typically, you should consider encrypting the data, so that hackers can't get a hold of it, or they can't read the information if they do get a hold of it, and then also so that they can't inject messages into the network. So, it sounds like a complicated process, but it can be easily done. In our lean managed switches, we have a version of it that can encrypt any Ethernet traffic, and we use an IEEE technology that's called MAC security, or MACsec for short, and this encrypts, it's an encryption from point-to-point, so the data between the two switches is encrypted. So, no one can read or hack into the data. And this encryption is done at the hardware level, so you don't have to worry about lagging communication, you still have a lot of bandwidth with this type of method of data security.
Keith: Cool, seems like a handy functionality to have in the OT environment certainly. So, bottom line, what sort of price differential are we talking about between managed, lean managed and unmanaged switches in an OT environment?
Charlie: Yeah, understand, I think the issue we try to set out here is we have a fully managed switch with a lot of features in it. So, what we've done with our lean managed switches is we worked to price them well below a fully managed switch, and then also make sure they're only a little bit more than unmanaged switches. So, these switches, I would say, are very cost effective for plant floor networking applications.
Keith: Thanks so much, Charlie, for sharing your perspective with us today. For those of you listening, thanks for tuning in. And thanks also to WAGO for sponsoring this episode. Again, I've been speaking today with Charlie Norz, I/O product manager for WAGO USA. Thank you, Charlie, for joining us.
Charlie: Yeah, thank you, Keith.
Keith: My name is Keith Larson, and you’ve been listening to a Control Amplified podcast. If you’ve enjoyed this episode, you can subscribe at the iTunes store and at Google Podcasts. Plus, you can find the full archive of past episodes at controlglobal.com. Signing off, until next time.