Industrial Ethernet Book Issue 100 / 13

Mission critical security and top trends for IT infrastructure

IT infrastructure security is a mission critical application that needs to meet high standards as the cost of mistakes can be extremely high. Keeping up with trends in security design architecture is vital, but priorities need to include deep expertise, as well as extensive service and support, from equipment manufacturers.

NETWORK INFRASTRUCTURES for heavy duty security applications are extremely complex. They represent a mix of various designs, technologies and equipment. They have to meet the toughest performance requirements and do a good job even in the harshest environments.

Managing such infrastructures might be challenging. Much depends on the right solution architecture. Modern design architecture for mission critical infrastructures in security is guided by six key trends.


With advanced networked systems becoming more converged and incorporating even more services and functions, top priority must be placed on their reliability.

Convergence with TCP/IP

In the past, security networks were separate sub-networks that operated via different media, for example coaxial cabling for video surveillance. This brought about a whole generation of standalone CCTV cameras and video applications. CCTV cameras were relatively inexpensive, easy to use, compatible with systems of various manufacturers and offered great performance in low-light scenarios.

However, they lacked features which have become indispensable over time, such as megapixel resolution, digital zoom, video analytics and remote management of all the security devices from a single central interface, which could be accessed from anywhere. In short, they lacked the benefits of Ethernet.

Ethernet is an open platform for intelligent integration of various security and safety devices into a single network. Be it a digital signage screen or information system, intruder or fire alarm, perimeter detection, access control and analytics, intercoms or sensors, building management or biometric authentication and recognition systems, all reside on a common network including data, voice and video.

It is possible to manage interactions between these devices and systems through "cause and effect" responses or reaction scenarios from a single location. It is even possible to view and access system information and alarms remotely via an app on your smartphone. Ethernet makes it possible to access sensitive information and monitor, record or view events from virtually anywhere and on any device. This is why growth in the security and video surveillance field is spurred by IP convergence.

Reliability and high availability

As systems grow more converged and incorporate even more services and functions, top priority is placed on their reliability. Reliability and high availability are of extreme importance in applications which can be characterised as "mission critical".

A mission critical application is an application in which an infrastructure failure could result in serious issues, damage or even claim people's lives. Examples here are video surveillance in cities (public security), traffic monitoring and control, airport and railway infrastructure and many more.

The network infrastructure of a mission critical application should operate 24 hours a day, 7 days per week, 365 days a year and should stay available all the time. Such systems are usually installed outside of buildings and have a redundant network design to stay available no matter what. They have to operate in harsh and even hostile environments, with extreme temperature ranges, aggressive chemicals, ingress, interference, vibrations and shocks, as well as moisture, dust and dirt. This means much higher requirements for network components, including the industrially hardened design of the equipment.

Cyber security

In a world where everything is linked to everything, special care should be taken to ensure your network equipment meets current cyber security standards. Systems installed must support AES-256 encryption and RADIUS authentication, HTTPS and SSH, SNMPv3, etc. Ports must be configured to accept ONLY devices with a specific MAC address or from a specific vendor, and to trigger an alarm immediately once tampering/manipulation activity is detected. To prevent theft, ports might be lockable by special Secure Lock systems.
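The port rule described above (accept only a specific MAC address or a specific vendor, alarm on anything else and on loss of link) can be sketched as follows. This is an added example, not code from the article or from any switch vendor; the port names, addresses, event format and function names are all constructed for illustration.

```python
import re

# Constructed allow-list: per port, exact MACs and/or vendor OUI prefixes.
POLICY = {
    "port1": {"macs": {"00:11:22:aa:bb:01"}, "ouis": set()},
    "port2": {"macs": set(), "ouis": {"00:11:22"}},
}

def normalize_mac(raw):
    """Return aa:bb:cc:dd:ee:ff for input written with ':', '-' or '.'."""
    digits = re.sub(r"[:.\-]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def check_event(event, policy=POLICY):
    """Return an alarm string for a violating event, or None if allowed."""
    port, kind = event["port"], event["kind"]
    if kind == "link_down":
        # A camera port that loses link may have been unplugged or cut.
        return f"{port}: link lost, possible tampering"
    rule = policy.get(port)
    if rule is None:
        # Deny by default: a port without a rule accepts nothing.
        return f"{port}: no policy for this port, device rejected"
    try:
        mac = normalize_mac(event["mac"])
    except ValueError:
        return f"{port}: malformed address {event['mac']!r}, device rejected"
    # Exact-address match, or vendor match on the first three octets (OUI).
    if mac in rule["macs"] or mac[:8] in rule["ouis"]:
        return None
    return f"{port}: unauthorised device {mac}"

def alarms(events, policy=POLICY):
    """Evaluate a stream of port events and keep only the alarms."""
    return [a for a in (check_event(e, policy) for e in events) if a]

# Constructed sample events, as a switch might report them.
EVENTS = [
    {"port": "port1", "kind": "mac_learned", "mac": "00-11-22-AA-BB-01"},
    {"port": "port2", "kind": "mac_learned", "mac": "0011.22ff.0009"},
    {"port": "port1", "kind": "mac_learned", "mac": "00:11:22:aa:bb:02"},
    {"port": "port2", "kind": "mac_learned", "mac": "de:ad:be:ef:00:01"},
    {"port": "port1", "kind": "link_down"},
    {"port": "port9", "kind": "mac_learned", "mac": "00:11:22:aa:bb:01"},
]

if __name__ == "__main__":
    for line in alarms(EVENTS):
        print("ALARM", line)
```

A MAC address can be copied by another device, so a filter like this complements the 802.1x authentication the article lists among the switch's security mechanisms rather than replacing it.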

When installing a new active network component, it is critical to change its default settings and set a strong password and login.

Before purchasing solutions, end users have to make sure that their vendor of preference has a Product Security Incident Response Team (PSIRT) for proactive help with potential network vulnerabilities. PSIRT is a kind of seal of quality: it distinguishes responsible manufacturers whose service and support go far beyond the purchase.


In a world where systems are linked, care should be taken to ensure network equipment meets current cyber security standards.

Power over Ethernet

Make sure your IT infrastructure supports PoE. PoE, or Power over Ethernet, is a technology that lets network cables carry electrical power. It is very convenient for the user. A single PoE cable provides data communication and powers end devices such as cameras at the same time. With a PoE Switch you can power applications located in unconventional and uncomfortable places without tethering them to an electrical outlet.

PoE was first specified in 2003 as Type 1, IEEE 802.3af, and provides 15.4W per port. Currently it is the most widespread type of PoE. However, for advanced applications in security and video surveillance where PTZ cameras or high definition information monitors are used, or where your security equipment has to function in extremely rough environments (with dedicated wattages required for cooling/heating), you should think of IEEE 802.3at (PoE Plus, Type 2), with 30W per port, and plan for even higher budgets.

Easy management and maintenance

For mission critical infrastructures with their large areas it is the ease of management and maintenance that ranks extremely high. A mission critical infrastructure displays a highly distributed network pattern, with various facilities scattered over large distances or covering huge space with no direct access to equipment. That is why a single, centralised interface is required to manage, maintain, troubleshoot and adjust various network and security functions.

The work in the field should be streamlined and automated, for example by collecting information for decision making from the field, fixing an issue via remote control, or using automated scenarios for various occasional events such as disconnections. To use IT resources in a more efficient way, switches and other active network devices with extended diagnostic functionalities have to be used to keep the network running.

Smart software tools should be selected to provide a centralised cockpit to deal with the whole system without leaving the office.

Both hardware and software should be foolproof and easy enough to enable a single IT manager to run a system of hundreds of distributed switches all by themselves.

Interoperability

Finally, you should think about interoperability so that everything connected to the network (end devices, components, core network equipment, Ethernet and non-Ethernet devices) really works well together, with minimum downtime, jitter and noise. Information provided by all these systems should be easy to integrate into SCADA.

All in all, the list is far from being exhaustive. However, it helps to indicate key trends shaping the architecture of modern IT infrastructures in security applications. Embracing these trends is key to a successful implementation of security projects for mission critical infrastructures.

However, much can go wrong if the network components to support such infrastructures are selected too quickly. Choosing the right type of network components, both passive (cabling, connectors and accessories) and active (Industrial Ethernet switches), helps to avoid many problems from the very start.

Heavy duty network solutions

In the previous part of the article, we stated that the driving factors in mission critical infrastructures are convergence, reliability and high availability due to industrial design, interoperability, better protection against cyber security issues, PoE as well as the ease of management and administration. But what does that mean specifically? What should you actually keep in mind when selecting network components for a mission critical application in security? The points below offer guidance.

It goes without saying that network components to support mission critical applications should be robust. They should perform well in environments which might be described as extremely difficult. There might be large temperature fluctuations to withstand (e.g. -40 °C to +85 °C), or systems might be subject to increased vibrations, pressures or shock influence.

Be it high EMI levels, dust or dirt, IT components designed for mission critical applications cannot fail and should be particularly resilient. Moreover, the design of the network equipment should be extremely compact to account for lack of space, as network components for mission critical applications are often placed in the least traditional of places.

This calls for Ethernet switches of an industrial grade, made up of industrially hardened components and with an industrial hardware design. Such switches have an improved immunity to EMI, dirt and dust. To save space, they are usually small and come in a compact, robust design with no holes but with special ribs over the whole housing to ensure passive cooling. The best of breed solutions have an MTBF of over 500 years in harsh environments (please note - not in comfortable "office" environments) and ensure high availability even in the most hostile environments with minimum service and maintenance interventions.

Heavy duty Ethernet switches should have extended functionalities. One of them is Power over Ethernet. Thanks to Ethernet, many end devices like cameras or access control units with an RJ45 interface can be powered directly through the same network. So Ethernet switches for mission critical applications should power other network devices within their 100 m radius via PoE.

As PoE (IEEE 802.3af, 15.4W per Port) is often not enough, PoE+ with higher power budgets is required (IEEE 802.3at, 30W per Port). The PoE functionality helps to reduce cabling installation costs and makes it easier to power security devices which are usually positioned in hard to reach places. Modern applications require a high number of PoE+ ports and accordingly high PoE budgets (e.g. up to 360W per switch).

What's more, despite the impressive rates of TCP/IP convergence there are still a large number of non-Ethernet devices like sensors (accelerometers, gyroscopes, pressure sensors, humidity and smoke sensors, etc.) and remote control units. They have to be integrated as well as part of a security system, preferably at minimum cost. So heavy duty switches should come with I/O modules to accommodate them. Thanks to this functionality, both IP converged and non-converged devices can be monitored and managed from a single location as part of SCADA.

As mission critical networks should be built with advanced redundancy in mind, one should ensure an extremely short recovery time. Protocols such as MSTP (Multiple Spanning Tree), MRP (Media Redundancy Protocol) and zero loss redundancy (HSR, High Availability Seamless Redundancy) provide a high level of redundancy at the data transmission level, whereas redundant power supply units make sure there is always power for edge devices in case of a system downtime.

Moreover, as all the data is put on a single network, advanced IT security mechanisms should be in place to ensure effective cyber security protection, e.g. HTTPS, SNMPv3, SSH, 802.1x (authentication via a password and a login), SCP, hack & crack hardened firmware, etc.

The switch should support intelligent diagnostics functionalities to ensure easy maintenance and administration, including precise positioning of potential points of failure on both TP ports and fibre uplinks. All the switches should be managed and maintained from a single location, even if scattered over large distances.

To spare qualified IT staff from routine work, switch functionalities like link diagnostics and alarm messages help make network maintenance much easier. Another good idea is using special SD cards. These cards not only store the latest switch configuration settings and firmware, but also have a unique MAC address.

This makes it possible to replace, for example, an end-of-life switch in the field by simply inserting the SD card of the old switch (with all the latest firmware and configuration settings) into a new switch, without any need to update switching tables or RADIUS configurations. This significantly simplifies network upgrades, as the system will see the same switch all the time, and it is a task which could be delegated to less qualified staff.

Last but not least, there comes interoperability. Security networks are extremely complex; they might come from different vendors and/or operate in different environmental conditions. It means that systems of various vendors have to coexist, so that the customers are free to choose the vendor with the best offer to address a specific application.

For example, for the network core one might use the solutions from one vendor, but for network parts (aggregation and access levels) which operate in harsh environments in the street the choice might be different as tougher design requirements apply. So all the network components have to perfectly match each other and be compatible with the systems of third party manufacturers. Care should be taken to select the best solutions available on the market for each specific service, application or operating environment.


Heavy duty Ethernet switches often provide extended functionalities such as support for Power over Ethernet.

Conclusion

In short, mission critical applications like security need to meet much higher requirements as the cost of a mistake is much higher. Many things can be avoided, like high expenditures on upgrades or downtime due to choosing office grade equipment for heavy duty applications, false port provisioning, or selecting incompatible vendor solutions.

Also, network management and maintenance can be significantly simplified with a very small team handling hundreds of active Ethernet switches without leaving the office. Of course, there are many challenges, but they can be overcome by making smart choices from the very start.

Spending a bit more time at the design stage costs zero, yet yields ample benefits throughout the life cycle of your installation and makes the system stable.

Keeping up with the trends in security design architecture and choosing well tested components for a specific type of application are only one part of the equation. Another is deep expertise of the integrator, good vendor name as well as extensive service and support from the equipment manufacturer.

Technology report by Nexans.


© 2010-2017 Published by IEB Media GbR · Last Update: 21.09.2017