Is Ethernet the key to IIoT?
It is expected there will be 34 billion devices connected to the Internet of Things (IoT) by 2020, with businesses and government accounting for over 55% of those connections. With the IoT’s promise for increased efficiencies (such as lower operating costs and greater productivity), embedded machine-to-machine (M2M) communications among "smart objects" are increasingly common within commercial, industrial and government entities.
Unlike consumer IoT, the requirements for data integrity, reliability, and security are far more exacting for the Industrial IoT (IIoT). The threat of disruption poses tremendous security risks for the entire digital network, yet the prospects of unprecedented transparency and efficiencies of an IIoT remain compelling.
Real-time visibility and control of connected IIoT objects demand high-performance, low-latency networks with remote management capabilities. Enter Ethernet, which has been the technology of choice for enterprise, data center and many service provider networks because of its advantages, including standardization, versatility, high performance and low cost.
Today’s IIoT networks, however, largely use specialized network protocols and diverse installed bases of legacy equipment. This makes modernization onto an all-IP Ethernet infrastructure more complex. Upgrade strategies for these heterogeneous networks must balance the imperatives of industrial settings—system reliability, determinism and security—with migration to the standardized and low-cost networking solution delivered by Ethernet.
Three of the top challenges facing IIoT system designers are security, determinism, and network migration. Meeting these challenges requires using a combination of technologies ranging from Ethernet switching solutions, programmable devices, high-precision timing, Power over Ethernet (PoE) and application-optimized software.
Industrial network security
Security in today’s industrial networks is typically premised on isolation from a corporate network by a firewall and from the Internet. Broader attempts to secure industrial networks often entail network downtime, costly network topology changes or both, jeopardizing plant productivity, revenue and sometimes safety. But assuming that a given industrial network is protected simply because we believe it is isolated from the Internet is a misconception.
As recent cyber attacks have illustrated, the reality is that isolating a modern industrial network from the Internet can actually make it less secure, since it’s harder to manage and diagnose issues. Isolated networks are also difficult to scale and reconfigure as companies update supply chains, adopt new technologies or evolve in response to new competitive threats and opportunities.
IIoT network security must take a multi-layered approach to protect the data plane, management (network and element) and control (protocol) planes. All three require protection, particularly for M2M communications. A typical approach relies on encryption of data, management and control traffic, addressing authentication, authorization and accounting (AAA), and data integrity.
Networkwide encryption is another layer that guarantees security of all network traffic. In Ethernet networks, MACsec (IEEE 802.1AE) and KeySec (now part of IEEE 802.1X) are the Layer 2 encryption and key management protocols to secure Ethernet physical ports and VLANs. Further enhancing confidentiality, IEEE 802.1AEbn includes strong 256-bit encryption now required by certain government agencies.
While encryption alone is insufficient to secure a network, using strong 256-bit encryption such as MACsec in networking equipment and end points can provide a means for the authentication, data integrity and user confidentiality needed in Ethernet-based IIoT networks. In addition, FPGAs with built-in security capabilities can be used to provide a root of trust in a system. Often these devices are used to securely boot an external processor, adding yet another security layer to guard against tampering with network elements to find keys.
As IIoT becomes more widespread, companies will increasingly look to acquire data at the network edge, using big data analytics and cloud computing to scale processing and make practical use of all this data. An Internet connection is essential. This is where a centralized security orchestration approach that works closely with distributed networking hardware can provide an effective way to secure the IIoT network.
Ultimately, a multi-layer approach to security is imperative for industrial networks, ensuring the network’s reliability and uptime while not restricting operations.
When considering deterministic performance and network reliability in Ethernet networks, the expectation is that specific functions occur within a precise timeframe. This is possible when each network element is time-aware and can recognize whether it delivered Ethernet packets "on time."
But this is only one part of the solution. A mechanism to synchronize and to distribute precise "time" in Ethernet exists today using IEEE 1588v2; however, the latest Time Sensitive Networking (TSN) standards bring system developers a very time-oriented style of traffic scheduling.
Developed by the IEEE 802 group, TSN standards broaden Ethernet capabilities to make it a true industrial-grade, real-time communications protocol. Elements include clock synchronization, time-based message handling, frame preemption and seamless redundancy.
TSN (AVB Gen2) is a suite of standards providing the following features:
- Timing and synchronization for time-sensitive applications (IEEE 802.1ASbt)
- Enhancements for scheduled traffic (IEEE 802.1Qbv)
- Frame preemption (IEEE 802.1Qbu)
- Path control and reservation for redundant networks (IEEE 802.1Qca)
- Stream reservation protocol (SRP) enhancements to support Qbu/Qbv/Qca/CB (IEEE 802.1Qcc)
- Seamless redundancy (IEEE 802.1CB).
For example, in addition to improved usability and performance, IEEE 802.1ASbt adds one-step timestamp support. This reduces the number of packets needed to convey network timing information compared with the two-step process used in the prior-generation standard. The reduction in packet traffic and computing power is beneficial in broad, daisy-chained, time-aware networks. IEEE 802.1ASbt also enhances timing information availability by providing multiple levels of synchronization to attain accurate timing at individual network nodes.
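The difference between one-step and two-step time stamping can be seen in a small simulation. This is an added example, not code from the article or from any standard: it models each hop with the generic IEEE 1588 delay request-response exchange and assumes symmetric link delay and ideal hardware timestamps. The function names and the sample offsets are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Msg:
    kind: str                        # Sync, Follow_Up, Delay_Req, Delay_Resp
    timestamp: Optional[int] = None  # precise timestamp carried in the body (ns)


def exchange(one_step: bool, offset_ns: int, delay_ns: int,
             t1: int = 1_000_000) -> Tuple[List[Msg], int, int]:
    """One sync exchange on one link; returns (frames, offset, delay)."""
    if one_step:
        # Hardware writes t1 into the Sync frame as it leaves the port.
        frames = [Msg("Sync", t1)]
    else:
        # Sync goes out untimed; a second frame reports when it left.
        frames = [Msg("Sync"), Msg("Follow_Up", t1)]
    t2 = t1 + delay_ns + offset_ns   # Sync arrival, downstream clock
    t3 = t2 + 50_000                 # Delay_Req departure, downstream clock
    t4 = t3 - offset_ns + delay_ns   # Delay_Req arrival, upstream clock
    frames += [Msg("Delay_Req"), Msg("Delay_Resp", t4)]
    # The downstream node takes t1 from whichever frame carried it.
    t1_rx = next(m.timestamp for m in frames
                 if m.kind in ("Sync", "Follow_Up") and m.timestamp is not None)
    offset = ((t2 - t1_rx) - (t4 - t3)) // 2
    delay = ((t2 - t1_rx) + (t4 - t3)) // 2
    return frames, offset, delay


def daisy_chain(one_step: bool, hop_offsets_ns: List[int],
                delay_ns: int = 400) -> Tuple[int, List[int]]:
    """Sync every hop of a chain; returns (frames on the wire, offsets found)."""
    total, found = 0, []
    for hop_offset in hop_offsets_ns:
        frames, offset, _ = exchange(one_step, hop_offset, delay_ns)
        total += len(frames)
        found.append(offset)
    return total, found


if __name__ == "__main__":
    hops = [1500, -320, 75, 0, 9000]  # constructed per-hop clock offsets (ns)
    for mode in (False, True):
        frames, offsets = daisy_chain(mode, hops)
        print("one-step" if mode else "two-step", frames, offsets)
```

Both modes recover the same per-hop offsets; the one-step chain does so with one fewer frame per hop in every sync interval, which is where the saving on long daisy chains comes from.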
The new TSN features will give Ethernet networks the real-time determinism and low latency needed for communications in IIoT applications. This should remove the last barrier that might prevent an IIoT network using Ethernet as its main backbone, driving convergence of critical and noncritical control and data traffic onto a single network.
While Ethernet with TSN will finally become a plausible deterministic backbone for industrial network deployments, proprietary interfaces will remain in place, at least for the foreseeable future. FPGAs/SoCs that have the capability to translate between Ethernet, IEEE 1588, TSN and specialized industrial protocols while keeping deterministic behavior will be critical.
Determinism is one of the key advantages of using FPGAs versus MCUs. For example, a networked motor control application that uses EtherCAT will benefit from the deterministic nature of an FPGA fabric. The FPGA can implement the protocol conversion and the motor control algorithms all with the lowest possible latency. The FPGAs, as opposed to MCUs, are capable of transmitting data in a deterministic fashion and performing deterministic motor control in synchronization with remote nodes.
The eventual migration of IIoT networks to IP/Ethernet is a given, but it’s important to recognize two major factors unique to this transition:
- Ethernet standards, components and systems designed for Local Area Networks (LANs) are not a natural fit for IIoT networks.
- IIoT network migration requires a balancing act to support existing "nonstandard" protocols and prepare the network to leverage early stage innovations.
So, when faced with the typical industrial network, comprised of a heterogeneous installed base of legacy equipment that uses multiple specialized network protocols, there are several key elements that system designers should look for to simplify their network migration to Ethernet:
- Multi-protocol support of Ethernet and fieldbus interfaces to ensure interoperability and scalability in large scale heterogeneous networks
- Optimized Ethernet switch software stacks for easy deployment and management
- Unified hardware and software to reliably deliver the real-time determinism and low latency required for industrial communications
- Flexibility of port configuration and synchronization options while meeting IIoT’s environmental and operational requirements
- Power over Ethernet (PoE) options up to 95 W to safely power remote devices, simplifying deployments
All of the above are possible with a pragmatic combination of hardware and software that combines:
- Low-power and secure FPGA solutions
- Ethernet-switching silicon optimized for industrial deployments
- Software stacks that not only provide manageability and monitoring capabilities but also an ecosystem of security orchestration software
- Ruggedized PoE solutions designed for industrial settings.
It is important to note that there will be no "one-size-fits-all" approach for IIoT systems. Options to support PoE, synchronization needs and data encryption can help deliver a seamless upgrade to the baseline hardware and software solution. Other scenarios may have computing needs that may be made possible either with an integrated CPU in the switch or the FPGA or a stand-alone CPU.
Designing for IIoT applications demands a sensible migration path leveraging new technology for deterministic networks while acknowledging that industrial networks exist in a system environment that prioritizes maximum network uptime over the latest network upgrades. In a world where network disruption is simply not feasible, the industry must move past old technologies and protocols and first-generation industrial Ethernet networks.
Uday Mudoi is vice president of marketing at Microsemi Corporation.