Which Managed Switch? Part 1

We are often consulted on which managed switch series to use for a project. Sometimes this is part of a much larger greenfield design, and other times it’s an informal direct message asking, “Hey Josh, what do you think of XYZ switch?” Anyone who has ever asked me that question probably wasn’t prepared for the waterfall that followed. I stand firmly in the position there is no one-size-fits-all answer, so in this series I’ll attempt to address some of the nuances.

Here in Part 1, I’m revisiting a similar post I wrote several years ago with a few updates. Part 1 is specifically addressing the topic of switch selection for Business/[IT] networks vs. for Industrial/SCADA/PCS/DCS/[OT] networks.

Customers often want to know whether they can use the same product line for both IT and OT networks. Based on our experience in multiple vertical markets from consumer products, oil & gas, manufacturing, to water/wastewater, we offer the following food for thought:

FACT: The requirements for the IT network and OT network are vastly different.

Uptime:

Generally speaking, organizations want all networks to have high uptime, but relatively speaking, this can mean two very different things. Most organizations generally tolerate an IT printer being unavailable for seconds/minutes/maybe hours, but certainly won’t tolerate similar outages for a PLC on the OT network. The OT downtime typically carries a much higher associated cost. For product selection, some relevant questions include:

"How quickly should the network recover after restoration of power following an outage?"

[Compare equipment start-up/boot times between manufacturers.]

"How quickly should the network recover in the event of a network cable or segment failure?"

[Compare equipment redundancy protocol offerings between manufacturers.]

"How quickly do we need an operational replacement device if one undergoes a hardware failure?"

[Compare availability of fast device replacement options such as USB/SD card between manufacturers.]


Environment:

IT equipment is often housed in environmentally-controlled areas, while OT equipment is often installed closer to the process and therefore exposed to higher temperatures, vibration, EMI/RFI, and possibly classified areas etc. In other cases, however, there is a desire to share a trunk of fibers, mounting enclosures, and other network assets etc. between IT and OT networks at common locations. Questions include:

“In what environment is this equipment going to be installed?”

[Compare equipment environmental specifications, presence of moving parts - fans, power requirements (120VAC vs 24VDC), installation form factor (desktop, rackmount, DIN-Rail), and size (how many U in the rack, how many inches on the DIN-Rail) between manufacturers.]

Devices and Services:

IT networks typically serve laptops, desktops, servers, printers, phones, and their associated services and protocols (web-browsing, e-mail, file-sharing, voice, video), while OT networks typically serve PLCs, VFDs, instrumentation, workstations and servers, and their associated services and protocols (real-time control, alarming, monitoring, visualization, data acquisition, historical data collection). Both network types often serve vendor-proprietary protocols, either as a requirement or as an option to ease deployment or offer optimized performance. The need to facilitate these specific protocols must be considered when selecting network hardware. Questions include:

“What devices and services/protocols need to be accommodated?”

[Compare equipment inclusion/support for required protocols between manufacturers.]

“Are there OT-specific protocols or unique communications that will have issues on unsupported or improperly configured switches? Is it easy to configure any required features to accommodate these?”

[Compare the ability to handle the above between manufacturers. We have many cautionary tale examples of these, including the multicast portion of some vendors’ SCADA protocols, the use of priority-tagged frames seen from some DCS controllers, the occasional non-routable or non-NAT-friendly protocol, etc.]
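Before asking a vendor whether a switch "handles" a protocol, it helps to know what the traffic on the OT segment actually looks like. The script below is an added example, not code from the original post or from any switch vendor: it classifies raw Ethernet frames (as you might export them from a capture) for the two features called out above, multicast destinations and 802.1Q priority-tagged frames (VLAN ID 0 with the PCP field set), and maps what it finds to switch capabilities worth verifying. The sample frames are constructed inline; the function and capability names are this example's own.

```python
# Added example: characterise frames from an OT segment to find traffic
# features a candidate switch must explicitly support. Sample frames below
# are constructed, not captured from real devices.
import struct
from collections import Counter

ETHERTYPE_VLAN = 0x8100  # 802.1Q tag protocol identifier
BROADCAST = b"\xff" * 6


def classify_frame(frame: bytes) -> dict:
    """Return the switch-relevant features of a single Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst = frame[0:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {
        # Group bit (LSB of first octet) set and not the all-ones broadcast MAC
        "multicast": bool(dst[0] & 0x01) and dst != BROADCAST,
        "broadcast": dst == BROADCAST,
        "vlan_tagged": False,
        "priority_tagged": False,
        "vlan_id": None,
        "pcp": None,
    }
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        pcp = tci >> 13          # 3-bit 802.1p priority code point
        vid = tci & 0x0FFF       # 12-bit VLAN identifier
        info.update(vlan_tagged=True, vlan_id=vid, pcp=pcp)
        # VID 0 is a "priority tag": class of service without VLAN membership.
        # Switches that do not handle it may drop the frame or discard the PCP.
        info["priority_tagged"] = vid == 0
    return info


def summarize(frames) -> dict:
    """Count how many frames in a capture exhibit each feature."""
    counts = Counter()
    for frame in frames:
        features = classify_frame(frame)
        for key in ("multicast", "broadcast", "vlan_tagged", "priority_tagged"):
            if features[key]:
                counts[key] += 1
    return dict(counts)


def switch_requirements(summary: dict) -> list:
    """Map observed features to capabilities to confirm with the vendor."""
    reqs = []
    if summary.get("multicast"):
        reqs.append("IGMP snooping plus a querier so multicast is not flooded to every port")
    if summary.get("priority_tagged"):
        reqs.append("Acceptance of VLAN-ID-0 priority-tagged frames and honouring of the PCP field")
    if summary.get("vlan_tagged"):
        reqs.append("802.1Q trunking on uplinks that carry these VLANs")
    return reqs


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes = b"", vlan_tci=None) -> bytes:
    """Assemble a minimal Ethernet frame, optionally with an 802.1Q tag."""
    header = dst + src
    if vlan_tci is not None:
        header += struct.pack("!HH", ETHERTYPE_VLAN, vlan_tci)
    header += struct.pack("!H", ethertype)
    return header + payload


# Constructed sample capture (hypothetical addresses, not real device traffic)
SRC = bytes.fromhex("001122334455")
UNICAST_DST = bytes.fromhex("aabbccddeeff")
SAMPLE_FRAMES = [
    build_frame(bytes.fromhex("01005e000001"), SRC, 0x0800, b"\x00" * 20),            # IPv4 multicast
    build_frame(UNICAST_DST, SRC, 0x0800, b"\x00" * 20, vlan_tci=(6 << 13) | 0),       # priority tag, PCP 6
    build_frame(UNICAST_DST, SRC, 0x0800, b"\x00" * 20, vlan_tci=10),                  # VLAN 10, PCP 0
    build_frame(UNICAST_DST, SRC, 0x0800, b"\x00" * 20),                               # untagged unicast
    build_frame(BROADCAST, SRC, 0x0806, b"\x00" * 28),                                 # broadcast ARP
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_FRAMES)
    print(summary)
    for req in switch_requirements(summary):
        print("-", req)
```

Running it on a real export means feeding `summarize()` the raw frame bytes from your capture tool; the point is that a single priority-tagged or multicast-heavy controller on the segment turns "does it support protocol X" into concrete, testable switch settings.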


Ownership/Maintenance/Management:

This topic is often the most important of the bunch. Questions include:

"Who will be responsible for the day-to-day management, monitoring, configuration changes, device replacement, etc?"

[Consider capability of existing personnel and cost to train personnel to operate equipment between manufacturers.]

Naturally, the answer to the "Who" question at a facility is often different for the IT network vs. OT network, although we’re certainly seeing more IT responsibility/involvement/ownership in larger organizations. In either case, consideration should be given to whether the personnel responsible for maintenance have sufficient understanding, training, confidence, and competence to maintain the network. In facilities where the IT network is maintained by traditional IT, and the OT network is maintained by controls engineers, this issue is the main reason we see and promote the likes of a Westermo or Hirschmann for OT and Cisco, Juniper, etc. for IT. Generally speaking, it is much easier for a controls engineer with limited networking experience to learn to maintain a Westermo or Hirschmann (due to their user-friendly Web GUIs and management tools), whereas a traditional IT network admin is often more familiar and comfortable maintaining Cisco from their experience with the CLI or associated commercial infrastructure management tools.

So can you use the same series for your IT and OT network? The answer is a CLEAR MAYBE. You’ll need to work through the questions above to answer that.

Just as with many of these product selection topics, we appreciate these considerations are not trivial and require a lot of investigation to answer on both the internal and equipment vendor sides. Having gone through this gauntlet many times, we can certainly help accelerate and add clarity to the process. Don’t hesitate to reach out if a consultation would help for your next project!

***I do indeed have strong opinions on other OT switch lines such as Cisco IE, the white-labeled Allen Bradley/Rockwell Stratix variant, Moxa, and many others. Those opinions may or may not be the subject of future posts in this series.***
