Corporate-wide enterprise networks generally are protected and monitored for new and evolving threats. Ensuring security of real-time process control systems comes with another set of challenges, and linking business applications with data generated from real-time systems creates a greater need for real-time security.
Modern control systems must not only integrate with today's business systems; in many cases they also share much of the same technology: Windows-based HMIs, Ethernet-based backbones, RFID-tagged components and handheld PDA maintenance tools.
Standards-based communications protocols have accompanied the growth of these trends. Although these protocols are relatively new to real-time environments, they are widely accepted in the corporate IT environment.
It also is widely accepted that much of the equipment used in the corporate environment is not robust or fast enough for real-time control. With all the advances in technology and processing speed, is this still true?
This also raises the question: How real must real time be? Our criterion for real time is that information be delivered and available where it is required, when it is required. A typical continuous process such as a refinery may have updates of seconds or even minutes, while many manufacturing processes such as filling operations require scan rates in milliseconds.
So how real is real time once the communications protocols are introduced into the real-time process environment? The first three layers of the OSI model, the physical, data link and network layers, require the most attention since they control the actual transmission of data/signals.
Hardware and Layers
Switches and routers are critical elements to the network infrastructure. These connectivity elements coupled with a solid design will deliver security, reliability and quality of service. Switches represent Layer 2 of the OSI whereas routers represent Layer 3. There also are Layer 3 switches that are defined as multilayer/routing switches.
Figure 1 indicates how the lowest two layers of the OSI model are applied to many commonly used networking protocols. Note that Layers 1 and 2 define Ethernet and therefore "industrial ethernet" is defined only by these layers. Hence, despite the fact that these protocols use Ethernet as the basis for their transmission, the protocols themselves all are different and incompatible.
The most basic Layer 1 devices are network hubs or repeaters, which were predecessors to local area network (LAN) switches. Hubs operate at Layer 1 of the OSI model, physically connecting nodes so that network traffic is broadcast through the entire flat network hierarchy. In a small workgroup environment having a hub traditionally was acceptable. However, most network environments are growing, dynamic and shaped by the types of data traffic they carry. This increasing level and complexity of data traffic is what drove the requirement for switches.
Switches are a key LAN component because they enable multiple users to communicate directly with each other. Relative to routers, switches improve throughput for users by virtually defining users within logical workgroups. Switches recognize only other locally connected nodes/devices. Unlike basic network hubs, data broadcasts are restricted to the defined domains or user groups. For hubs, data that arrives at one port is retransmitted, or repeated, to all the other ports and consequently to every device connected to the hub, with a resultant risk of high data traffic but little information transfer. Using Layer 2 protocols, the switch reads and learns media access control (MAC) layer addressing from the header of every packet. The switch then compares the MAC address against its look-up table to confirm that the destination is connected to one of its ports and then forwards the packet to that port only. If there are no matches, the packet is discarded, reducing the bandwidth requirements on all ports. This translates into faster throughput because there is little overhead to review between source and destination.
The collection of remote devices (data sources/sinks), network devices (routers, switches, hubs) and data devices (historians, PLCs, servers, HMIs) combine to form a LAN. Since each device on a digital network theoretically can communicate with every other device, the number of potential connections can grow exponentially and become difficult to manage even with switches to help manage the load. Figure 2 shows how each layer in the OSI model requires the addition of information and overhead to a message.
Virtual LANs (VLANs) commonly are created to organize logical workgroups or workgroup domains independent of physical locations within a defined network. Participation within a VLAN is defined by policies or business requirements. VLANs communicating with other VLAN groups must do so through a router. Common VLAN nodes hear traffic from other VLAN members on the same VLAN. To a degree, this serves security since certain user groups might have confidential data that must be separated from other workgroups. Subdividing Layer 2 networks through broadcast domains will reduce segment use and increase throughput.
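The hub-versus-switch contrast and the VLAN separation described above can be made concrete with a small simulation. The code below is an added example, not from the article or any vendor; the MAC addresses, the port-to-VLAN map and the sample frames are constructed. It models a hub that repeats every frame to all other ports, and a learning switch that records each source MAC against its ingress port, forwards only to the port the destination is known on, and drops a frame when the destination is unknown (following the article's description) or sits in a different VLAN (which the article says must go through a router instead). Counting deliveries per port shows why a switch lowers traffic on every segment and why VLAN membership keeps one workgroup's frames off another's ports.

```python
from collections import Counter

# Constructed port-to-VLAN assignment: ports 1-2 are VLAN 10, ports 3-4 are VLAN 20.
PORT_VLAN = {1: 10, 2: 10, 3: 20, 4: 20}

# Constructed MAC addresses for three stations.
MAC_A = "02:00:00:00:00:0a"  # on port 1, VLAN 10
MAC_B = "02:00:00:00:00:0b"  # on port 2, VLAN 10
MAC_C = "02:00:00:00:00:0c"  # on port 3, VLAN 20

# Constructed sample frames: (ingress_port, source_mac, destination_mac).
SAMPLE_FRAMES = [
    (1, MAC_A, MAC_B),  # A -> B before the switch has learned B
    (2, MAC_B, MAC_A),  # B -> A; A is already in the table
    (1, MAC_A, MAC_B),  # A -> B; B is now known
    (3, MAC_C, MAC_A),  # C (VLAN 20) -> A (VLAN 10): needs a router
]


class Hub:
    """Layer 1 repeater: every frame is copied to every other port."""

    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, ingress, src, dst):
        return sorted(self.ports - {ingress})


class LearningSwitch:
    """Layer 2 switch with a MAC look-up table and VLAN-aware forwarding."""

    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)
        self.mac_table = {}  # learned source MAC -> port it was seen on

    def forward(self, ingress, src, dst):
        # Learn (or refresh) the source address against its ingress port.
        self.mac_table[src] = ingress
        out = self.mac_table.get(dst)
        # Unknown destination: dropped, as the article describes.
        if out is None or out == ingress:
            return []
        # Destination known but in another VLAN: a router, not the switch, must carry it.
        if self.port_vlan[out] != self.port_vlan[ingress]:
            return []
        return [out]


def simulate(device, frames):
    """Return a Counter of how many frames each port receives from the device."""
    delivered = Counter()
    for ingress, src, dst in frames:
        for port in device.forward(ingress, src, dst):
            delivered[port] += 1
    return delivered


def compare(frames=SAMPLE_FRAMES, port_vlan=PORT_VLAN):
    """Run the same frames through a hub and a switch; return both per-port counts."""
    hub_counts = simulate(Hub(port_vlan.keys()), frames)
    switch = LearningSwitch(port_vlan)
    switch_counts = simulate(switch, frames)
    return hub_counts, switch_counts, switch.mac_table


if __name__ == "__main__":
    hub_counts, switch_counts, table = compare()
    print("hub deliveries per port:   ", dict(sorted(hub_counts.items())))
    print("switch deliveries per port:", dict(sorted(switch_counts.items())))
    print("learned MAC table:         ", table)
```

For the four constructed frames the hub repeats twelve copies in total (three per frame), while the switch delivers exactly two: the first A-to-B frame is dropped because B has not yet been learned, and the C-to-A frame is dropped because it crosses VLANs. Note that production switches usually flood an unknown-unicast frame to all ports in the same VLAN rather than discarding it; the drop modelled here follows the article's wording.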