September/October 2024 143

ISSN 1470-5745

Industrial Ethernet Automation Networking & IIoT

Special Report

IT-OT
Convergence
Tech Trends
Page 36

Industrial Cybersecurity
Experts Weigh In 6

Building futureproof IEC 62443 standards: Industrial Ethernet Book Using Industrial PoE
industrial security 17 targeting cyberattacks 19 Corporate Profiles 43 switches 60

Visit us on the web n www.iebmedia.com

GET CONNECTED… Visit our new website at: www.iebmedia.com

Contents
Cybersecurity trends in focus
Earlier this year, Antaira Technologies
highlighted cybersecurity trends that should
be in focus for industrial network managers.
According to the Cybersecurity and
Infrastructure Security Agency (CISA),
cyberattacks cost the US economy $242
billion annually. But fortunately, just
as cybercriminals are evolving with new
techniques and strategies, so are the security 2024 Corporate Profiles: 43 New Products: 62
and information technology professionals
responsible for stopping them.
Contents
Here are the key trends Antaira noted:
Machine Learning-Powered Malware Detection:
Network security professionals are turning Industry news 4
to Machine Learning (ML) to improve the
detection and classification of malware. ML
programs can learn behavioral patterns shared Industrial cybersecurity experts look to the future 6
by different malware types by analyzing
millions of representative malware samples,
combined with input from humans, or the Building futureproof industrial network security 17
program's own queries.
Quantum-resistant Encryption Algorithms:
Data scientists fear that a powerful quantum IEC 62443 standards: defending against infrastructure cyberattack 19
computer may soon be able to breach the
encryption algorithms that protect and
authenticate digital information. Data today Effective strategies for keeping IoT environments secure 24
is kept private thanks to cryptographic
techniques managed by the National Institute
of Standards and Technology (NIST). This Automatic CIP Security via Pull Policy 26
year, the NIST is on schedule to standardize
four quantum-resistant encryption algorithms,
a process that will involve the NIST creating Cybersecurity basics: industrial security fundamentals 31
guidelines to ensure the new algorithms are
used correctly.
Spikes in Ransomware Attacks: Financially
IT-OT convergence leverages advanced technology solutions 36
motivated ransomware attacks were up 95
percent in 2023, year over year. In 2024 there
is an expectatation to see a similar spike in
2024 Industrial Ethernet Book Corporate Profiles 43
both the frequency and the sophistication of
ransomware attacks on industrial networks.
Digital tool life monitoring: making machine data transparent 55
Focus on IIoT Device Security: Industrial device
security is coming to the forefront, especially
with industrial switches and sensors. Heat treatment OEM chooses flexibility and scalability 57
Industrial networks contain sensitive data
that make them a target for hackers seeking
proprietary intellectual property. Maximizing automation efficiency with Industrial PoE switches 60
Zero Trust Framework Adoption: Zero Trust (ZT)
architecture assumes that no user, device,
computer system, or service inside or outside New Products 62
the organization should be trusted to gain
unauthorized access until verified.
Regulatory Changes: Cybersecurity regulations
are continually evolving to keep pace with the Industrial Ethernet Book
shifting threat landscape.
Antaira noted that, as the digital landscape The next issue of Industrial Ethernet Book will be published in November/December 2024.
continues to evolve, so do the tactics and Deadline for editorial: December 13, 2024 Advertising deadline: December 13, 2024
strategies employed by cybercriminals Editor: Al Presher, [email protected]
and malicious actors. It's crucial for those
Advertising: [email protected]
involved with industrial networks to stay
informed about the latest cybersecurity trends Tel.: +1 585-598-6627
to protect their data and assets effectively. Free Subscription: iebmedia.com/subscribe
Al Presher Published by IEB Media Corp., 1247 Anthony Beach Rd., Penn Yan, NY, 14527 USA ISSN 1470-5745

09.202 4 i n d u str i a l e th e r n e t b o o k 3
 Emerson latest to join Margo
Industry news

interoperability at the edge

Industrial automation leaders drive digital transformation through seamless edge interoperability with new
open standard.

EMERSON IS THE LATEST AUTOMATION supplier

SOURCE: MARGO
to join the Linux Foundation’s Margo, the new
open-standard initiative designed to make
edge applications, devices and orchestration
software work together seamlessly across multi-
vendor industrial automation environments.
According to an Emerson press release, as
process and discrete manufacturers implement
enhanced digitalization, they encounter
challenges at the edge due to multi-vendor
and multi-technology devices, apps and
orchestration environments that do not easily
integrate. The Margo initiative addresses these
challenges through the creation of practical
reference implementation, open standards and
testing toolkits.
This approach will help remove obstacles and
simplify the process of building, deploying,
scaling and operating complex, multi-vendor Margo is supported by some of the largest global automation solution providers worldwide.
industrial edge environments, helping
manufacturers of all sizes build new and better B&R), Capgemini, Microsoft, Rockwell in today’s industrial world. Digitalization
digital operations or modernize existing ones. Automation, Schneider Electric (including can help deliver on these benefits, but
“The modern OT edge is the backbone of AVEVA) and Siemens. The group invites like- digital ecosystems require a robust, secure
our next-generation automation architecture, minded industry peers to join the collaboration and interoperable framework at the edge,
enabling the availability of data and computing and contribute to building a meaningful and connecting operations and information
closest to where it is needed,” said Peter effective interoperability standard that will help technologies. For ABB, a long-standing
Zornio, Emerson's chief technology officer. customers achieve their digital transformation advocate of open automation systems, driving
“Successful implementation will require open goals with greater speed and efficiency. a forward-thinking collaborative initiative
edge standards that will enable scalable, “At the core of Margo development is a like Margo is key to achieving this goal.” –
simplified and seamless interoperability among commitment to delivering interoperability in a Bernhard Eschermann Chief Technology Officer,
applications, edge devices and orchestration modern and agile way,” said Bart Nieuwborg, ABB Process Automation.
software – no matter the vendor technology. Chair of the Margo Initiative and Senior “Interoperability is the key to digital
Program Manager, Rockwell Automation. transformation at scale – empowering
Launch of Margo “A comprehensive open-source reference manufacturers to unlock the potential of the
Earlier this year, the Linux Foundation implementation aims to facilitate the adoption, Industrial IoT at full speed without large teams
announced the launch of Margo, (www. and the associated compliance test toolkit will of IT specialists.” – Florian Schneeberger, Chief
margo.org), a new open standard initiative ensure the trust in Margo’s interoperability Technology Officer, B&R.
for interoperability at the edge of industrial promise, paving the way for the industry to “Microsoft is thrilled to be supporting
automation ecosystems. Drawing its name tap the full potential of, for example, data and Margo and continuing our efforts to help
from the Latin word for edge, Margo defines AI at the edge.” industrial customers accelerate their digital
the mechanisms for interoperability between “The idea that users should be free to transformation journey. Our customers tell
edge applications, edge devices, and edge create the best solution for their needs us every day about the challenges to scale
orchestration software. The open standard without unnecessary constraints, costs, or and operate their industrial solutions due to
promises to bring much needed flexibility, delays embodies the spirit of open-source a lack of interoperability at the edge. They
simplicity, and scalability – unlocking collaboration,” said Jim Zemlin, Executive want help to reduce the complexity, cost,
barriers to innovation in complex, multi- Director of the Linux Foundation. “Open and time to value. Microsoft is committed
vendor environments and accelerating digital interoperability among a wide selection of to align our adaptive cloud strategy
transformation for organizations of all sizes. apps and devices will reduce the need for architecture, such as Azure Arc and Azure IoT
specialized resources and streamline the Operations, with the Margo initiative to help
Joint Development Foundation deployment, scaling and operation of multi- our customers build, deploy, and scale their
Hosted by the Joint Development Foundation, vendor ecosystems.” applications faster, and run them both on
a part of the Linux Foundation family, the the edge or in the cloud”. – Christoph Berlin,
initiative is supported by some of the largest Industry Support General Manager, Microsoft Azure.
automation ecosystem providers globally, “Mastering efficiency, flexibility and quality
including founding members ABB (including faster than competitors is key to success News report by Emerson and Margo.

4 in d u s t r ial et h er ne t b o o k 09.2024
| IO05E |

Compact, powerful, predictive:

The Beckhoff power supplies
with EtherCAT

24/48 V DC power supplies with EtherCAT interface

increase plant availability with predictive diagnostics
reliable current and voltage monitoring
prewarning thresholds individually adjustable
detection of input transients
monitoring of internal device temperature
output switchable via EtherCAT

Scan to discover
more about the
full range of
power supplies
 Industrial cybersecurity
Cybersecurity

experts weigh in on the future

Cybersecurity has become the number one issue for factory networks. Experts predict that artificial intelligence
and machine learning will make an impact, the IT and OT worlds will grow closer together and that resilient
network infrastructure and structured frameworks will strengthen industrial cybersecurity solutions.

SOURCE: TTTECH INDUSTRIAL

"Key technology trends in industrial cybersecurity include the adoption of enhanced OT visibility, software-based segmentation, zero-trust remote access,
and unified IT/OT security platform. Vendors are addressing these concerns with innovative solutions designed to protect industrial environments effectively.”
Fabien Maisl, Marketing Lead, Industrial Security, Cisco.

THE FUTURE OF INDUSTRIAL CYBERSECURITY the technologies and trends shaping the next environments effectively.”
is dependent on the development of new generation of industrial networks. Enhanced OT Visibility: Identifying and
technologies that will make the next profiling OT assets is key to reduce the attack
generation of industrial networks more Keys to protecting industrial surface and build effective security policies.
intellient and more secure than ever before. environments Traditional OT visibility solutions require
For this special report on Industrial OT visibility, software-based segmentation, deploying dedicated appliances or SPAN
Cybersecurity, IEB reached out to a series of zero-trust remote access, and unified IT/OT networks which are proving too complex
industry experts to get their perspective on security platform. and expensive. OT visibility capabilities can
the technologies that are shaping present and now be embedded in networking equipment
future industrial cybersecurity solutions. According to Fabien Maisl, Marketing Lead, to easily capture east-west traffic and gain
Seven leading companies have responded Industrial Security at Cisco, “the key technology comprehensive visibility on all OT assets
with their take on the trends for industrial trends in industrial cybersecurity include the Software-based Segmentation: Segmenting
cybersecurity, what they see as the most adoption of enhanced OT visibility, software- industrial networks in small zones of trust
potent solutions available, the challenges based segmentation, zero-trust remote access, is an efficient way to protect operations
that automation engineers are facing and and unified IT/OT security platform. Vendors and avoid attacks to spread. But in many
what promises to be the leading industry are addressing these concerns with innovative cases, it can be too complex to modify the
applications. Here is what they have about solutions designed to protect industrial network, deploy zone-based firewalls, and

6 in d u s t r ial et h er ne t b o o k 09.2024
 VISIT US!
electronica 2024
12 - 15 November
Munich, Germany
Hall C4 - Booth 121

SPS 2024
12 - 14 November
Nuremberg, Germany
Hall 5 - Booth 110

INDUSTRY-LEADING
SCALABLE ETHERNET.
TIMED TO PERFECTION.
ANALOG.COM/CHRONOUS

Delivering the Future of Time Sensitive Networking.

Analog Devices´ Chronous™ family of Industrial Ethernet connectivity products enable
best-in-class industrial automation solutions for the connected factory of tomorrow.
ADI Chronous physical layer devices and embedded switches offer industry´s lowest latency
and power for the highest level of determinism and synchronization in high-performance factory,
process and motion control applications.

Turn your vision of the connected factory into reality. Learn more and visit analog.com/chronous
 ensure assets are placed in the proper segment Zero-Trust Remote Access: Deploying contractors, or the operations teams
Cybersecurity

without disrupting production. Software-based Zero-Trust Network Access (ZTNA) solutions themselves have installed their own solutions:
segmentation leverages networking equipment in manufacturing networks simplifies remote cellular gateways or software products that IT
to easily enforce access policies that can be access management. It ensures that remote is not controlling. These backdoors are at odds
centrally configured and dynamically updated. users only access necessary equipment, with the OT security projects undertaken by
Combined with enhanced IT visibility, this reducing the risk of unauthorized access and the IT/CISO teams and create a shadow-IT
helps IT and OT work together to easily build enhancing overall security. This streamlines situation that makes it difficult to control
a segmentation strategy. the management of remote access policies who is connecting, what they are doing, and
Zero-Trust Remote Access: Machine builders, and credentials and safeguards OT assets from what they can access. On the other hand, VPNs
maintenance contractors, and the operations potential threats. have the drawbacks of being always on, with
teams need remote access to OT assets for Unified IT/OT Security: Converging IT and all-or-nothing access, and requiring complex
maintenance and troubleshooting. Cellular OT security strategies in manufacturing configurations to control what remote users
gateways or software products that IT is not networks provides global visibility across both have access to.
controlling are security backdoors. environments, enabling faster threat detection With Secure Equipment Access (SEA), Cisco
VPNs are too complex to manage at the scale and unified security policies. This results in is solving the challenges of deploying secure
of OT. Organizations are starting to deploy improved defense against modern threats, remote access to OT at scale. It embeds
Zero-Trust Network Access (ZTNA) solutions to seamless communication between IT, OT, the gateway function into Cisco industrial
simplify the remote access workflow. Remote and cloud resources, and a cohesive security switches and routers. Enabling remote access
users log into a web portal where access posture that enhances overall operational is now a software feature to activate. There is
policies are defined and enforced for the resilience. no dedicated hardware to install and manage.
entire infrastructure, making it easy to define Configuring and enforcing security policies
credentials and control access. The portal Cutting edge cybersecurity is done in a central console, making it easy
communicates with routers and switches in “To gain visibility on OT assets and their to control who can access what and when
the infrastructure to ensure that remote users activities, you need to capture network traffic across all sites. Distributing the gateway
are only granted access to selected equipment to extract information from communication functionality anywhere in the network enables
which they need to configure, not to the entire flows,” Maisl said. “Traditional security remote access to any assets, even those
network. solution providers typically configure SPAN being NAT boundaries. The switch or router
Unified IT/OT Security: Industrial operations ports on network switches to duplicate traffic that provides connectivity now also provides
are no longer working on air gapped and send it to a central server or dedicated remote access to these assets. And the same
environment. Industry 4.0 and OT digitization appliances. Not only is this complex to network equipment can enforce segmentation
require seamless communications between manage, it’s also very expensive to deploy at policies to prevent lateral movement to other
OT, IT and cloud resources. As IT and OT scale as you would need to SPAN traffic from assets.
networks are converging, IT and OT security all switches to gain visibility on east-west
also needs to converge. Organizations need traffic in addition to north-south traffic.” Responding to challenges
to enable a cohesive security strategy that He added that, with Cyber Vision, Cisco Maisl said that one major concern for
includes having global visibility on both IT embeds visibility capabilities into switches customers is the lack of visibility into OT
and OT environments to detect modern threats and routers, eliminating the need to duplicate assets. Many organizations do not have a
faster, unifying security policies to avoid gaps network flows or to deploy additional complete inventory of all their OT and ICS
in defense, and leveraging IT security tools appliances. Obtaining visibility is a matter of devices, making it difficult to monitor and
and practices to enable advanced protection activating a software feature. Cost, traffic, and secure them effectively. This lack of visibility
of OT assets and orchestrate faster remediation operational overhead are all minimized. can lead to blind spots in the network,
and recovery. “Segmenting industrial networks is key where vulnerabilities may go undetected, or
to protect operations and avoid attacks to unknown assets becoming the source of an
Technology benefits spread. It is a key requirement of the ISA/ attack. Without a detailed inventory of assets
Maisl said that the newer solutions offer IEC62443 security standard. Firewalls are and their roles in the industrial process, it
specific benefits for industrial cybersecurity perfect for building an industrial demilitarized is becoming almost impossible to design and
offer, and potential impact on manufacturing zone (iDMZ). But deploying rugged firewalls enforce security policies that will effectively
networks. These benefits include: in each product cell in factories leads to protect the environment without disrupting
Enhanced OT Visibility: Embedding OT deployment issues like those IT faces with production.
visibility capabilities in networking equipment visibility appliances. Not only can it be very Another concern is the complexity and
allows manufacturing networks to gain expensive, maintaining these firewall rules can diversity of industrial environments which
comprehensive insights into all OT assets. This become a challenge,” Maisl said. generally include legacy systems that were
leads to improved asset management, better Solutions such as Cisco Identity Services not designed with cybersecurity in mind.
threat detection, and streamlined security Engine (ISE) work with your network switches, Protecting these systems is a significant
operations, making the network more secure routers, and wireless access points to restrict challenge and requires precise mitigation
and resilient. communications according to the zones measures you can only implement if you have
Software-based Segmentation: and conduits you have defined. It leverages a detailed asset inventory.
Implementing software-based segmentation groups defined in Cyber Vision to allow or Additionally, the convergence of IT and
in manufacturing networks enables the deny communications for each asset. When industrial networks increases the attack
creation of small, manageable zones of trust a change is required, you can just move the surface, requiring comprehensive security
without extensive network modifications. This asset to another group in Cyber Vision. ISE will measures that address both domains. Gone are
minimizes production disruptions, enhances automatically instruct the network to apply the days when OT security could be managed
collaboration between IT and OT teams, and the corresponding security policy. in its own silo. Organizations now also need to
improves the containment of cyber threats, When it comes to remote access, in converge their IT and OT security practices and
thereby protecting critical operations. many cases machine builders, maintenance implement a unified cybersecurity strategy.

8 in d u s t r ial et h er ne t b o o k 09.2024
 SOURCE: ISTOCKPHOTO
Cybersecurity
“The integration of IT and OT systems requires a robust communication infrastructure that can handle the demands of both realms. Current technology trends
in industrial cybersecurity include the increased adoption of AI-driven threat detection, zero-trust architectures, and advanced network segmentation,”
Michael Metzler, Vice President Horizontal Management Cybersecurity for Digital Industries, Siemens.

However, there is still a lack of collaboration automated network segmentation, zero-trust across both IT and OT environments. These
between IT and OT teams. This siloed approach remote access, and more… all embedded solutions are designed to be scalable, allowing
makes it challenging to design, implement, and into rugged industrial networking equipment companies to protect both modern and legacy
maintain effective cybersecurity strategies. purpose-built for the constraints of advanced systems without significant overhauls.
manufacturing operations.
Targeted applications Solutions for industrial
“As manufacturers accelerate digitization IT-OT Convergence cybersecurity
of their factories, they realize that both Robust communication infrastructure needed to “Industrial networks are the nerve pathways
industrial networking and cybersecurity handle the demands of both realms. in production; they are becoming in sum
technologies are growing in complexity,” Maisl ever more complex. Hardware alone no
said. “As they increasingly use data to drive Michael Metzler, Vice President Horizontal longer determines their performance.
software-defined industrial operations and Management Cybersecurity for Digital Software-based network management and
adopt AI technologies, there is a clear need Industries at Siemens said that “the the use of cybersecurity tools have become
for a converged strategy that incorporates not convergence of Information Technology indispensable,” Metzler said.
only IT and OT but also security.” (IT) and Operational Technology (OT) is He added that new industrial cybersecurity
He added that, to enable smart a rapidly evolving trend in the industrial solutions offer several benefits including
manufacturing operations, the factory network sector. As companies increasingly look improved threat detection, reduced response
must adopt modern IT technologies. Only this for ways to optimize their operations and times, and enhanced protection against both
can simplify managing and reconfiguring improve efficiency, the need for seamless internal and external threats. These solutions
the infrastructure, virtualize functions that communication between traditionally separate can significantly reduce the risk of costly
used to run on dedicated hardware, support systems becomes paramount. It lays the downtime due to cyber incidents, thereby
the fast and reliable transmission of large foundation for data-driven decision making.” improving overall operational efficiency. The
volumes of data to AI applications, and more. “The integration of IT and OT systems potential impact on manufacturing networks is
This IT infrastructure must be supported by requires a robust communication infrastructure substantial, as these solutions enable a more
comprehensive cybersecurity capabilities that that can handle the demands of both realms. resilient and secure production environment,
are made simple and cost effective to deploy Current technology trends in industrial which is crucial in an era of increasing cyber
at scale. cybersecurity include the increased adoption threats.
Cisco is converging network and security of AI-driven threat detection, zero-trust “The risk of cyberattacks on industrial
functionality to reduce complexity, enable architectures, and advanced network plants is real - and the frequency continues
unified IT/OT security practices, and help segmentation,” he said. to increase. To comprehensively protect
accelerate adoption of AI-driven factories. To this end, Siemens – a major supplier for industrial plants against cyberattacks from
Our network designs include centralized industrial cybersecurity – is offering solutions inside and outside, all levels must be addressed
management of networks and security that offer real-time monitoring, automated simultaneously - from the operational to the
policies, unified visibility into both OT and IT, response capabilities, and enhanced visibility field level, from data protection to secure

09.202 4 i n d u str i a l e th e r n e t b o o k 9
 SOURCE: ISTOCKPHOTO
Cybersecurity

“Artificial intelligence and machine learning—tools enabled by the vast power of cloud computing—are where we are headed. The problem is that these
solutions are only useful with huge amounts of consistent, quality data from the plant floor,” Dan White, Director of Technical Marketing at Opto 22.

communication,” Metzler said. Metzler said. “For many companies, this technical defenses. Overall, the shortage of
With Defense in Depth, Siemens provides task has become too complex. They need a skilled cybersecurity professionals presents a
a multi-layered security concept that partner who is familiar with and has mastered challenge, making it essential for companies
offers industrial plants comprehensive and the special requirements of industry and to not only invest in technology but also
far-reaching protection in accordance with cybersecurity.” in ongoing training and education for their
the recommendations of the international He said that when implementing industrial workforce.”
IEC 62443 standard. cybersecurity strategies, challenges include
It is aimed at plant operators, integrators protecting legacy systems that were not Critical infrastructure protection
and component manufacturers and covers all originally designed with cybersecurity in Metzler said that the newest industrial
relevant aspects of industrial cybersecurity. mind, ensuring the secure integration cybersecurity solutions are specifically
Cutting-edge cybersecurity technologies in of IT and OT (Operational Technology) targeting areas such as critical infrastructure
industrial environments are characterized networks, managing the growing complexity protection, secure remote access for
by their ability to seamlessly integrate with of industrial networks, and addressing industrial control systems, and the protection
existing systems, including legacy OT devices. the shortage of skilled cybersecurity of industrial IoT devices. These solutions are
Technologies such as machine learning-based professionals. also being applied to ensure compliance
anomaly detection, industrial firewalls with Additionally, companies must ensure that with stringent regulatory requirements and
deep packet inspection, and secure remote all components, including new and legacy to safeguard sensitive production data. With
access solutions are being applied in factories devices, are equipped with robust security the increasing convergence of IT and OT,
to provide real-time threat detection and functionalities. This includes implementing traditional defense concepts are increasingly
automated incident response. What makes technologies like industrial firewalls, reaching their limits. Software-based network
these technologies unique is their focus on intrusion detection systems, and secure management and the use of cybersecurity
the specific needs of industrial environments, remote access solutions that are specifically tools have therefore become indispensable.
where uptime and safety are paramount. designed for industrial environments. To be able to detect potential
Companies must also balance the need for vulnerabilities in OT networks at any time,
Customer concerns robust security with the requirement for Siemens has designed a complementary
A key issue is addressing the primary minimal disruption to production processes tool set for plant operators with the SINEC
concerns that automation engineers and and safety systems. software family. The SINEC Security Inspector
companies are facing when implementing “Beyond technology, the correct handling determines the security status of individual
industrial cybersecurity strategies. of cybersecurity measures by personnel components or entire production networks.
“The special framework conditions in is crucial,” Metzler said. “This involves The SINEC Security Monitor analyzes network
Operational Technology (OT), including training staff to adhere to defined policies traffic and detects anomalies through
continuous operation, high performance and procedures, such as incident response passive, non-intrusive continuous security
requirements, and availability, demands protocols and regular security audits. A monitoring. The latest tool in the SINEC
an in-depth understanding of industrial lack of cybersecurity awareness or poor portfolio is the SINEC Security Guard, an
processes so that security concepts can be adherence to security protocols by employees intuitive cloud-based software-as-a-service
optimally introduced and implemented,” can undermine even the most advanced that displays vulnerabilities for OT-Assets

10 in d u s t r ial et h er ne t b o o k 09.2024
 SOURCE: ISTOCKPHOTO

Cybersecurity
“Interestingly the cybersecurity needs in the industrial area seem to be driven by the IT world. Top keywords are asset management, patch management,
intrusion detection, security operations center, none of which is specific to the OT environment,” Dr. Lutz Jänicke, Phoenix Contact.

and enables optimized security management More data at the edge viewed as viable for plant floor operations
for industrial operators without dedicated “As more data is collected at the edge of due to its latency, sensitivity to noise, and
cybersecurity expertise. The SINEC NMS the network, from the plant floor and remote nondeterminism. But the new obsession with
network management system also enables equipment, and moved into cloud computing data—and the not-yet-realized benefits that
centralized monitoring and configuration platforms, AI tools and algorithms can make AI and ML can provide once we have a lot of
of networks as well as security through sense of it far more quickly and effectively data to analyze—have led the factory floor
encrypted data communication and local than humans,” White said. “Finding to start catching up.”
documentation. operational anomalies, predicting equipment Primary concerns that automation
failures, and optimizing energy and raw engineers and companies are facing when
Impact of AI and machine material usage are just a few examples of implementing industrial cybersecurity
learning the benefits.” strategies fall into a series of categories
Tools enabled by the power of cloud computing. For too long, manufacturing networks including support for legacy systems.
have been isolated from the outside “Legacy systems, often characterized by
Dan White, Director of Technical Marketing at world. Companies now understand that outdated hardware, software, and security
Opto 22 told IEB that “artificial intelligence manufacturing data must be democratized protocols, pose significant cybersecurity risks
and machine learning—tools enabled by the within the organization to unlock cost and to industrial organizations. These systems
vast power of cloud computing—are where efficiency savings. Manufacturing networks were designed in an era when security was
we are headed. The problem is that these need to be reimagined to incorporate secure less of a concern, leaving them vulnerable to
solutions are only useful with huge amounts democratization of that data, which today’s modern attack vectors,” White added.
of consistent, quality data from the plant modern edge gateways and PLCs can achieve. Lack of Security Features: Most legacy
floor.” White added that the “cutting-edge” systems lack built-in security features such
He added that, in response, automation cybersecurity technologies that factory as zero-trust user authentication, VPNs,
vendors have developed sophisticated control environments are now discovering have firewalls, encryption, SSL/TLS certificate
platforms that not only securely transmit data been used by IT and internet companies for support, and network segmentation.
to the cloud but also ensure its accuracy right years. Online banking uses secure SSL/TLS Without security features, they're easy
from the source. Edge controllers, positioned encryption and certificates. VPNs, firewalls, targets for hackers who can exploit known
directly at the data origin, play a crucial role and MQTT pub/sub architectures have existed vulnerabilities.
in this process. They filter and process raw since the 1990s. So what makes them Vendor Lock-in: Reliance on legacy systems
data on-site, ensuring only relevant and unique is that factory environments are now often involves vendor lock-in, which limits
refined information is sent to the cloud. embracing them. the options for upgrading or replacing the
Using a modern publish/subscribe protocol “Don’t forget factories have used networks system, making it difficult to implement
like MQTT Sparkplug, which also supports since the 1970s, before Ethernet and the modern security measures.
SSL/TLS security certificates, companies can Internet. Those were serial networks and Limited Scalability: Legacy systems, which
rest easy knowing their plant data is getting usually proprietary, and we didn’t have great typically rely on a poll/response architecture,
to the cloud safely and securely. ways to democratize data back then,” White may not be able to handle the increased
said. “In the 1990s, Ethernet wasn’t even data demands of modern IIoT applications,

09.202 4 i n d u str i a l e th e r n e t b o o k 11
Cybersecurity

SOURCE: ISTOCKPHOTO
“The key to effective industrial cybersecurity solutions is the development of resilient network infrastructure based on a defense in depth
security approach is critical in ensuring the continuity of operations after any kind of major cybersecurity incident," Dr. Al Beydoun, ODVA
President and Executive Director.

making them more susceptible to failures and IT solutions moving to the Communication security via secure protocols
security breaches. OT world must be supported by centrally managed PKI
As a result, organizations must carefully Implementations specifically targeting the or similar solutions, as communication does
evaluate the risks associated with legacy industrial environment are needed. occur between IT and OT. A final ingredient for
systems and develop strategies to mitigate concepts like zero trust is endpoint security.”
them. These strategies may involve upgrading “Interestingly the cybersecurity needs in He added that all of these measures need
to more modern systems or using modern the industrial area seem to be driven by to be implemented in a centralized manner
edge devices to create a secure layer between the IT world,” Dr. Lutz Jänicke, Corporate unless in a very large factory an OT specific
OT and IT networks. Product & Solution Security Officer, Phoenix setup might be possible. If this is not the
Contact, told IEB. “Top keywords are asset case, attacks must be remediated in a central
Targeted solutions management, patch management, intrusion Security Operations Center and security
Application areas that the newest Industrial detection, security operations center, none management needs to be coordinated
Cybersecurity solutions are targeting cover of which is specific to the OT environment. between IT and OT. Of course, tooling on the
a variety of needs for smart manufacturers. Implementations specific to the industrial shopfloor might be technically different but
“Let’s look at some of the low-hanging environment are needed.” its operation needs to be integrated into the
fruit. Right away, we are seeing a huge Jänicke said that specialized products for overall security management.
move toward energy data collection,” White OT are established, like firewalls, remote
said. “Most companies don’t understand their maintenance solutions, intrusion detection Engineering challenges
electric bill or how peak demand charges and systems. However, the trend is moving away “Only few automation engineers have a solid
variable rates work for their utility. Regardless from “security products” to protect the OT cybersecurity background and experience,”
of industry—from automotive to aerospace world and the future will rather be “secure Jänicke said. “That makes it difficult to
and from agriculture to electronics—there’s products”. These follow security by design have the necessary ‘holistic approach’ within
one thing everyone has in common: they all rules and implement security functions like both cybersecurity and for the automation
use electricity. More granular analysis can access control and secure communications solution as a hole. Depending on the setup
help firms reduce costs and assign electricity instead of relying on add-on products. of the company, cybersecurity is typically
costs to the process that’s using them.” “IT solutions are moving into the OT world. organized in the IT departments, but both
“After that, I would say operational A very important topic is the management OT and IT need to work together. This often
equipment effectiveness (OEE). By adding a of cybersecurity in the IT as well as in the is a significant challenge due to different
simple edge device onto an existing piece OT environment. Connected systems need to cultures.”
of machinery, which can be done for about be monitored for vulnerabilities, patches and “However, due to the convergence of IT
$1,000, companies can start to see when and updates need to be rolled out,” Jänicke said. and OT, IT technologies will move farther into
why their factory equipment isn’t running at "Accounts needed for authentication and the OT world as will cybersecurity threats,” he
full capacity,” he added. authorization require central management. added. “Overarching cybersecurity strategies

12 in d u s t r ial et h er ne t b o o k 09.2024
 Cybersecurity
therefore need to integrate both worlds, including device authentication, message super users still must rely on the zero-trust
requiring automation engineers to fully adopt integrity, traffic encryption, role-based approach to access confidential data and
the IT world.” access, and a device level firewall.” control potentially dangerous equipment
Beydoun said it’s important to not lean too in case their access is compromised. A
Resilient network heavily on any one kind of security system systemic way to ensure a high level of
infrastructure and to have experts available to review logs network security is to rely on the ISA/IEC
Based on a defense in depth security approach. when suspicious behavior is identified by an 62443 cybersecurity standards for industrial
automated system. Even the concept of air automation and control systems. Looking
Dr. Al Beydoun, ODVA President and gapping is starting to unravel with the ability for automation networks that adhere to the
Executive Director, told IEB that that “the to remotely detect radiation signatures security principles of IEC 62443, such as CIP
key to effective industrial cybersecurity from physical electronic equipment. The Security, and devices that are certified to IEC
solutions is the development of resilient significant value provided from taking 62433 standards is another way to bolster
network infrastructure based on a defense in advantage of edge and cloud connectivity an organization’s defense in depth security
depth security approach is critical in ensuring for business optimization combined with the approach.
the continuity of operations after any kind of increase in potential threat vectors make
major cybersecurity incident.” defense in depth and zero trust security vital Impact of AI
“The greater the number of potential investments for the future. “One of the newest additions to security is
hurdles that any threat actor must overcome the implementation of Artificial Intelligence
increases the odds that a potential incident Zero Trust Approach systems to look for abnormalities in network
will be discovered early on and therefore will He added that adopting a zero-trust approach traffic to identify suspicious behavior as early
minimize the potential damage,” Beydoun makes it much more time consuming and as possible,” Beydoun said. “AI systems can
stated. “Stopping attacks can come in many difficult for a bad actor to continue to expand see if someone is accessing the network from
forms including employee training, physical privileges and access within a breached unexpected locations, outside of normal
security, firewalls, switch based deep packet network given that each new connection must working hours, or in areas that are not a part
inspection, network segmentation via be authenticated. The addition of role-based of an employee’s job responsibilities. While
separate security zones and communication access to end point authentication reduces false positives are sure to come to light from
conduits between zones, and end point the privileges of a given user and further dedicated workers going above and beyond,
security that supports zero trust with limits the potential damage a cyber threat the early detection of cyber threat actors can
authentication for each connection. One actor can inflict. significantly limit potential damage caused.”
potential option for automation devices is CIP It is important to make sure that even the The advantage of AI systems is that they
Security, which provides end point security most privileged of root and administrative can crunch vast amounts of data and see

Remote Machine Diagnostics and Commissioning

Home/Office

Remote Site

LTE

Remote Site

EIGR-C

Perform secure remote diagnostics EIGR-V

and commissioning for machines
over wired or wireless using
a Skorpion IP Router.

Providing Solutions to Your Automation Needs

Learn more at www.ccontrols.com/machine 630-963-7070 • [email protected]
Cybersecurity

SOURCE: ISTOCKPHOTO
“Implementing cybersecurity strategies is a very involved process. These strategies need to consider the entire landscape of the network including
local networks as well as the integration of remote sites. Everything needs to be considered in a layered approach,” Mike Willet, Network
Engineer, Red Lion.

when there are deviations outside of the could already be compromised, which has in productivity and growth. Therefore,
norm in production processes and machinery led to the rise of security concepts such as security policy, training, and protections are
operations that would be hard to detect zero trust that always requires verification for an invaluable investment in the future of
by a person. Experts are still required to each connection. The potential for economic, industrial operations, especially as security
validate the findings and to determine the environmental, or loss of life and limb, threats continue to grow and evolve.
next steps that need to be taken. One of the combined with the challenge of guarding
disadvantages of AI systems is that they will networks that have a staggering number of Flexible hardware solutions
need to be redesigned and retrained over potential entry points, has also given rise to Integrate local networks and serve as hub of
time as the networks change given that the importance of end point security such as automation network.
models are trained to fit a given set of data CIP Security for EtherNet/IP.
from a time period in the past. It’s important Mike Willet, Network Engineer for Red
to note that AI will just be another tool, Key applications focus Lion said that a “key technology trend is
albeit a valuable one, in securing networks “Automation applications where misuse can implementing hardware that can serve many
and operations. result in harm to employees and environment purposes in the landscape of the topology,
or seriously jeopardize the economic viability security and the overall industrial network.”
Challenges for automation of a company are the most important to He cited FlexEdge from Red Lion as a
engineers protect in case of an cyberattack from key product that can be used as a firewall
Beydoun said that controls engineers are a bad actor,” Beydoun said. “Critical to secure the edge of the network, connect
tasked with the immense challenge of application examples that require the most remote sites securely, integrate the local
ensuring that complex networks aren’t stringent security include metal stamping networks and also serve as the hub of the
compromised in a way that will result in the or rolling equipment, chemical mixers, oil automation network with Crimson.
loss of throughput, quality, or proprietary distillation towers, and water treatment “It is an overall solution that can be
information. While an automation company plant disinfectant and corrosion control the focal point of the industrial network.
must work to prevent a multitude of potential processes.” Red Lion is addressing these concerns with
entry points, a bad actor just needs to find He added that it is imperative to utilize products like FlexEdge and NT5000 switches
one successful way to enter a network. zero trust security to protect control devices to build out the industrial network,” Willet
Once inside the network, whether by at the lowest level for vital applications. said.
phishing for the credentials of a company’s CIP Security for automation devices offers
trusted employee or through technical flexible protection via profiles that can be Industrial cybersecurity solutions
exploits, the cyber threat actor can then implemented as needed, allowing for high Willet said that new solutions can offer
choose to stay silent while working to overhead encryption for critical applications advancements to security for industrial
elevate their access privileges, waiting for an while only using authentication for other less networks. Users can have the ability to
advantageous time like a company shutdown important processes. Security has become a better secure entry and exit points into
to initiate an attack. key enabler of automation device to cloud the industrial network and also keep the
A network that may appear to be secure connectivity that is allowing for increases local segment of the network secure. New

14 in d u s t r ial et h er ne t b o o k 09.2024
 Advanced security features are also

SOURCE: RED LION

Cybersecurity
becoming more prevalent. Modern solutions
offer features such as network segmentation,
real-time traffic inspection, and secure
communication protocols. They protect
manufacturing networks from diverse cyber
threats while maintaining operational
efficiency.
“Lastly, there is a growing emphasis on
embedding security measures directly into
the network infrastructure. Moxa focuses on
foundational elements like authentication,
access control, and segmentation, enabling
a robust defense-in-depth strategy. This
approach ensures that security is not an
afterthought but a core component of
The FlexEdge Intelligent Edge Automation Platform from Red Lion is powered by the company's the network design, enhancing overall
Crimson Configuration Software. resilience,” Liou added.

solutions can also empower industrial if Red Lion products such as FlexEdge and Impact on manufacturing networks
network users and administrators to manage NT5000 switches are implemented into the “New industrial cybersecurity solutions offer
the industrial network and maintain better network the ease-of-use factor can be very significant benefits, particularly in terms
insight into monitoring and ongoing status helpful while building the foundation of the of regulatory compliance and operational
of the network. network. resilience,” Liou said. “By adopting horizontal
“When Red Lion products are implemented He added that security at various points standards like ISO/IEC 27001 and IEC 62443,
into the industrial network, users can build and areas in the network is very important. organizations gain clarity and structure in
out a new solution for cyber security with Targeting the edge segments of the network implementing cybersecurity measures. These
the ease of use and functionality that the are crucial because those areas are often standards simplify compliance, helping
devices bring. When a FlexEdge device is connected to public networks and are usually organizations navigate complex regulatory
installed as a firewall and automation device connecting various sites together. landscapes more effectively.”
with Crimson, it can also monitor NT5000 “It is important to maintain security One of the key benefits is the adaptation
switches using N-View and port statistics can at those points because those are the of these solutions to the specific needs of
be mapped to tags to view and build alarms,” main entry and exit points from untrusted operational technology (OT) environments.
Willet said. sources. But it is also important to build out For example, Moxa’s IEC 62443-certified
“This solution can build a secure network a security architecture throughout the entire solutions are designed to meet the unique
with the advantage of passive monitoring to network,” he said. “Making sure that the requirements of industrial control systems
gain insight into the health of the network. network switches connected downstream in (ICS), ensuring that security measures are
Manufacturing networks can benefit from this the network that are connecting end devices relevant and effective in these settings.
because they can implement a secure network have the proper security measures in place is Another major advantage is the ability
properly and gain the added benefits of a also very important.” to maintain operational continuity while
secure network with the ease of use factor enhancing security. Moxa’s solutions
of Red Lion products.” Structured framework for incorporate redundant network architectures,
cybersecurity which allow for secure maintenance and
Cybersecurity strategies Standards including ISO/IEC 27001, NIST CSF, upgrades without disrupting critical
“Implementing cybersecurity strategies is a and IEC 62443. operations. This approach is vital for
very involved process,” Willet said. “These managing risks and ensuring continuous
strategies need to consider the entire “One major trend is the adoption of availability in industrial environments.
landscape of the network including local horizontal standards like ISO/IEC 27001, NIST Furthermore, integrating foundational
networks as well as the integration of remote CSF, and IEC 62443,” Laurent Liou, Product security elements directly into the network
sites. Everything needs to be considered in a Marketing Manager, Cybersecurity at Moxa infrastructure provides a solid base for
layered approach. So, with all of this comes told IEB recently. “They provide a structured additional security measures. Moxa’s
quite a bit of planning.” framework for cybersecurity, bridging the gap solutions reduce the attack surface and
During the implementation of the security between IT and OT requirements. Vendors support a comprehensive defense-in-depth
plan all the outside or untrusted traffic must like Moxa incorporate these standards into strategy, which is crucial for improving the
be defined and properly secured for specific their solutions, ensuring compliance with overall resilience of manufacturing networks.
inbound or outbound connections and regulations while aligning with industry best New solutions offer a structured approach
protocols. Also, the local and private side of practices.” to cybersecurity, tailored to the needs of
the networks where end devices are connected Liou said that another trend is the industrial environments, while ensuring
must also be properly secured. So, the overall integration of best practices directly into continuous operations and enhancing overall
concerns could emerge in the development cybersecurity solutions. For instance, Moxa’s network security.
stage of the security implementation plan adoption of IEC 62443 enhances the security of
itself and during the configuration stage industrial control systems by addressing their Cybersecurity technologies
of the firewalls, routers, switches and other unique challenges. This helps organizations “Cutting-edge cybersecurity technologies
devices in the network. It is critical to build a robust cybersecurity posture that meets distinguish themselves by integrating
implement the proper security measures and both regulatory and operational demands. advanced security features directly into

09.202 4 i n d u str i a l e th e r n e t b o o k 15
Cybersecurity

SOURCE: ISTOCKPHOTO
“One major trend is the adoption of horizontal standards like ISO/IEC 27001, NIST CSF, and IEC 62443. They provide a structured framework for cybersecurity,
bridging the gap between IT and OT requirements.” Laurent Liou, Product Marketing Manager, Cybersecurity at Moxa.

the network infrastructure, particularly in productivity levels while safeguarding against Industrial cybersecurity solutions
industrial environments,” Liou said. “These cyber threats. “A primary focus is securing OT environments,
features include secure communication which include industrial control systems (ICS)
protocols, robust access controls, and real-time Primary customer concerns and other critical industrial networks,” Liou
traffic inspection, all of which are designed to The European Union’s NIS2 Directive and said. “Moxa’s IEC 62443-certified solutions are
protect operational technology systems from a Cyber Resilience Act (CRA) imposes strict specifically designed to protect these systems
wide range of cyber threats.” cybersecurity requirements, especially for from cyber threats while ensuring they operate
A critical component of these technologies critical infrastructure. Navigating these efficiently and reliably. This is essential for
is network segmentation and redundancy. regulations can be overwhelming, particularly industries where the integrity and availability
By creating isolated network segments when considering the additional guidelines of control systems are paramount.”
and utilizing redundant pathways, these issued by organizations like ENISA (European Sectors such as energy, water, and
solutions help mitigate the impact of Union Agency for Cybersecurity) and sector- transportation face stringent regulatory
potential breaches. For instance, Moxa’s IEC specific bodies like EMSA and ENTSO-E. requirements, and Moxa’s solutions help
62443-compliant devices are engineered to Moreover, national laws such as Germany’s organizations in these industries achieve
ensure continuous operational availability IT Security Act 2.0 further complicate compliance while protecting essential
even in the event of a cyber incident. the landscape by adding country-specific services from cyber threats. These solutions
This segmentation also supports secure obligations. These regulations often require are particularly important for maintaining the
maintenance and upgrades by isolating the integration of various industry standards, security and reliability of critical systems.
changes from critical operations. like IEC 62443, which focuses on OT security. Additionally, Moxa’s solutions simplify
Lious said that another defining Compliance with these standards is essential compliance management by aligning with
characteristic is the defense-in-depth for addressing disaster recovery, safety, horizontal standards like ISO/IEC 27001 and
approach. This strategy involves multiple layers and secure communication protocols within IEC 62443. This alignment helps organizations
of security controls, starting with foundational industrial environments. Another major manage cybersecurity risks more effectively
measures like network segmentation and concern is maintaining operational continuity and streamline the compliance process, which
secure communication protocols. Moxa’s while implementing new security measures. is crucial in regulated industries.
solutions enhance this foundation with Enhancing cybersecurity often necessitates “By focusing on these application areas,
additional protective layers to address various significant changes to existing OT systems, Moxa’s industrial cybersecurity solutions
attack vectors, reducing vulnerabilities across which can disrupt operations. Ensuring that enhance overall security, ensure regulatory
the network. these measures integrate seamlessly without compliance, and protect critical systems
Performance and availability are also compromising performance or availability is a from evolving cyber threats,” Liou said.
prioritized in these advanced solutions. Moxa critical and resource-intensive task. “These solutions provide a comprehensive
designs its technologies to integrate security Automation engineers must navigate a and integrated approach to cybersecurity,
measures without compromising network multifaceted regulatory landscape, align supporting both operational resilience and
efficiency, ensuring that manufacturing with multiple standards, and ensure that regulatory adherence in complex industrial
operations remain smooth and uninterrupted. cybersecurity measures do not disrupt ongoing environments.”
This balance between performance and operations, all while adapting to the specific
security is crucial for maintaining high needs of industrial environments. Al Presher, Editor, Industrial Ethernet Book

16 in d u s t r ial et h er ne t b o o k 09.2024
 Building futureproof industrial

Cybersecurity
network security
The major stages for building effective OT cybersecurity include a solid foundation with secure networking
devices, deploying solutions that offer OT-centric layered protection and developing an ability to monitor
network status and identify cyberthreats.

TODAY, INDUSTRIAL ORGANIZATIONS ARE

SOURCE: ISTOCKPHOTO
embracing digital transformation to gain
a competitive edge and boost business
revenue. To achieve digital transformation,
industrial operators must first address the
daunting task of merging their information
technology (IT) and operational technology
(OT) infrastructure.
However, businesses trying to streamline
data connectivity for integrated IT/OT
systems often encounter challenges such
as lacking performance, limited network
visibility, and lower network security from
existing OT network infrastructure. Building
a robust, high-performance network for daily
operations that is easy to maintain requires
thorough planning.
In this article, we will focus on the
importance of strong OT network security
and provide some tips on how to strengthen
cybersecurity for industrial operations.

Why ramping up OT network

Building secure industrial networks requires careful strategy and planning. But the key is implementing
security is a must
a multi-layered defense strategy in several stages.
Nowadays, industrial applications
are facing more and unprecedented
cyberthreats. These threats often target Three major stages of building OT cybersecurity measures at every level to
critical infrastructure in different cybersecurity minimize security risks. In the event of
industries all across the world, including Building a secure industrial network can be an intrusion, if one layer of protection is
energy, transportation, and water and done with the right approach. The key to compromised, another layer prevents the
wastewater services. If successful, such strong cybersecurity is implementing a multi- threat from further affecting the network.
attacks can cause significant damage to layered defense strategy in several stages. In addition, instant notifications for security
industrial organizations in the form of high events allow users to quickly respond to
recovery costs or production delays. Stage One: build a solid foundation potential threats and mitigate any risk.
Before building IT/OT converged networks, with secure networking devices When deploying multi-layered network
asset owners must define the target security When developing secure networking protection for OT networks and infrastructure,
level of the entire network and strengthen infrastructure, start with choosing secure there are two key OT cybersecurity solutions
measures to minimize the impact of potential building blocks. The increasing number of to consider, namely industrial firewalls and
intrusions. Poor network security exposes cyberthreats has also led to the development secure routers.
critical field assets to unwanted access and of comprehensive OT network security
allows malicious actors to breach integrated standards. Shield critical assets with
systems. Industrial cybersecurity standards, such industrial firewalls
However, strengthening OT network as NIST CSF and IEC 62443, provide security An efficient way to protect critical field
security is not that straightforward. IT guidelines for critical assets, systems, assets is using industrial firewalls to create
security solutions require constant updates and components. Implementing industrial secure network zones and defend against
to ensure they can protect against the latest cybersecurity standards and using networking potential threats across the network. With
cyberthreats. devices designed around these standards every connected device being the potential
Applying these necessary updates often provides asset owners with a solid foundation target of cyberthreats, it’s important to deploy
means interrupting network services and for building secure network infrastructure. firewalls with robust traffic filtering that allow
systems, which is something OT operations administrators to set up secure conduits
cannot afford. Operators need an OT-centric Stage Two: deploy OT-centric throughout the network.
cybersecurity approach to protect their layered protection Next-generation firewalls feature advanced
industrial networks without sacrificing The idea of defense-in-depth is to provide security functions such as Intrusion
network or operational uptime. multi-layered protection by implementing Detection/Prevention Systems (IDS/IPS) and

09.202 4 i n d u str i a l e th e r n e t b o o k 17
Cybersecurity

SOURCE: MOXA
Enterprise

SCADA Application Server

Fortify Network
Boundaries

Micro-segmentations Shield Critical

Assets

PLC PLC PLC

Field Site Field Site Field Site

When deploying multi-layered network protection for OT networks and infrastructure, there are two key OT cybersecurity solutions to consider, namely
industrial firewalls and secure routers

Deep Packet Inspection (DPI) to strengthen secure router features both switching and of cybersecurity solutions and management
network protection against intrusions by routing functions with Gigabit speeds, software offers administrators an invaluable
proactively detecting and blocking threats. alongside redundancy measures for smooth way to monitor and identify cyberthreats with
Advanced security functions tailored intra- and inter-network communication. a holistic view.
for OT environments help ensure seamless The demand for remote access to maintain
communications and maximum uptime critical assets and networks has also been Futureproof network security with
for industrial operations. For example, on the rise. Industrial secure routers with effective solutions
OT-centered DPI technology that supports VPN support allow maintenance engineers Network security is imperative for industrial
industrial protocols can detect and block and network administrators to access private network infrastructure. Moxa has translated
unwanted traffic, ensuring secure industrial networks remotely through a secure tunnel, over 35 years of industrial networking
protocol communications. enabling more efficient remote management. experience into a comprehensive OT-centric
In addition, industrial-grade IPS can cybersecurity portfolio that offers enhanced
support virtual patching to protect critical Stage Three: monitor the network security with maximum network uptime.
assets and legacy devices from the latest status and identify cyberthreats Moxa is an IEC 62443-4-1 certified
known threats without affecting network Deploying a secure industrial network is industrial connectivity and networking
uptime. Designed for industrial applications, just the start of the journey towards robust solutions provider. When developing
IPS provides pattern-based detection for cybersecurity. During daily operations, it products, designs adhere to the security
PLCs, HMIs, and other common field site takes a lot of time and effort for network principles of the IEC 62443-4-2 standard to
equipment. administrators to have full network visibility, ensure secure product development. The goal
monitor traffic, and manage the countless is to provide users with the tools necessary
Fortify network boundaries with networking devices. Implementing a to build robust device security for industrial
industrial secure routers centralized network management platform applications.
IT/OT converged networks require a multi- can provide a huge boost to operational To defend against increasing cyberthreats,
layered and complex industrial network efficiency by visualizing the entire network OT-focused cybersecurity solutions can
infrastructure to transmit large amounts of and simplifying device management. It also maximize uptime while protecting industrial
data from field sites to the control center. allows network administrators to focus more networks from intruders. Network management
Deploying powerful industrial secure routers resources on ramping up network and device software can simplify management for
between different networks can both fortify security. networking devices and OT cybersecurity
network boundaries and maintain solid In addition, a centralized network security solutions, allowing administrators to monitor
network performance. Featuring built-in management platform for cybersecurity the network security status and manage
advanced security functions such as firewall solutions can boost efficiency even more. Such cyberthreats with ease.
and NAT, secure routers allow administrators to software allows administrators to perform mass
establish secure network segments and enable deployments for firewall policies, monitor Technology article by Moxa.
data routing between segments. For optimal cyberthreats, and configure notifications for
network performance, a powerful industrial when threats occur. The right combination Visit Website

18
 IEC 62443 standards: defending

Cybersecurity
against infrastructure cyberattack
By putting together and adopting the IEC 62443 standard, industrial automated control system stakeholders
have paved the road for dependable and safe infrastructures. Secure authenticators are the bedrock of the
future of IEC 62443 standard-compliant components requiring robust hardware-based security.

SOURCE: ISTOCKPHOTO
Industry 4.0 calls for highly connected sensors, actuators, gateways, and aggregators. This increased connectivity increases the risk of potential cyberattacks,
making security measures more critical than ever. The creation of organizations such as the U.S. Cybersecurity and Infrastructure Security Agency (CISA)
illustrates the importance and demonstrates a commitment to safeguarding critical infrastructures and ensuring their resilience against cyberattacks.

THE FOUNDATIONAL REASONING AND BENEFITS must learn how to navigate its complexities Why IEC 62443?
of the IEC 62443 series of standards is that it and understand these new challenges in order In 2010, the emergence of Stuxnet thrust
provides a set of protocols designed to ensure to make use of it successfully. industrial infrastructures into a state of
cybersecurity resilience and protect critical vulnerability. Stuxnet was the world’s first
infrastructures and digital factories. Industrial systems at risk publicized cyberattack indicating that
This leading standard offers an extensive The digitalization of critical infrastructures attacks could successfully target IACSs from
layer of security; however, it raises several such as water distribution, sewage, and power afar. Subsequent attacks have solidified the
challenges for those seeking certification. We grids has made uninterrupted access essential realization that industrial infrastructures can
will explain how security ICs provide essential for everyday life. However, cyberattacks are be harmed through remote attacks that can
assistance to organizations striving to reach still one of the causes of disruption to these target a specific type of equipment.
certification goals for industrial automated systems and they are expected to grow. Government agencies, utilities, IACS users,
control systems (IACS) components. Industry 4.0 calls for highly connected and equipment makers quickly understood
sensors, actuators, gateways, and aggregators. that IACS needed to be protected. While
Introduction This increased connectivity increases the risk governments and users naturally leaned
Despite the potential for increasingly of potential cyberattacks, making security towards organizational measures and
sophisticated cyberattacks, IACS have measures more critical than ever. The creation security policies, equipment makers
previously been slow to adopt security of organizations such as the U.S. Cybersecurity investigated possible hardware and software
measures. This has been partly due to the and Infrastructure Security Agency (CISA) countermeasures. However, adoption of
lack of common references for designers and illustrates the importance and demonstrates security measures was slow due to:
operators of such systems. The IEC 62443 series a commitment to safeguarding critical • the complexity of the infrastructures
of standards offers a way forward towards more infrastructures and ensuring their resilience • the different interests and concerns of
secure industrial infrastructures, but firms against cyberattacks. stakeholders

09.202 4 i n d u str i a l e th e r n e t b o o k 19
Cybersecurity

SOURCE: ANALOG DEVICES

Figure 1. The IEC 62443 is a comprehensive security standard.

• the variety of implementations and 62443 standard encompasses organizational artificial intelligence (AI) algorithm from
available options policies, procedures, risk assessment, and being reverse engineered.
• the lack of measurable objectives security of hardware and software components. Also, because IACS are complex by nature,
Overall, stakeholders faced uncertainty The complete scope of this standard makes it’s essential to consider the entire security
about the right level of security to target, one it uniquely adaptable and reflective of current spectrum. Procedures and policies alone
which carefully balanced protection with costs. realities. Additionally, the ISA has taken a are insufficient if not supported by secure
The International Society for Automation comprehensive approach when addressing the equipment, while robust components are
(ISA) launched working groups to establish various interests of all stakeholders involved useless if their secure usage is not properly
common references under the ISA99 in an IACS. In general, security concerns are defined by procedures.
initiative, which finally led to the release of different from one stakeholder to another. The chart in Figure 2 shows the adoption
the IEC 62443 series of standards. This set For example, if we think about IP theft, the rate of the IEC 62443 standards through ISA
of standards is currently organized into four IACS operator will be interested in protecting certifications. As expected, a standard defined
levels and categories, shown in Figure 1. manufacturing processes while an equipment by industry key stakeholders has accelerated
Thanks to its comprehensive scope, the IEC maker may be concerned with protecting an the implementation of security measures.

20 in d u s t r ial et h er ne t b o o k 09.2024
 • Level 1 does not consider public key

SOURCE: ANALOG DEVICES

Cybersecurity
cryptography
• Level 2 requires the commonly adopted
processes such as certificates signature
verification
• Levels 3 and 4 call for hardware
protection of the private keys used in the
authentication process
Starting at Security Level 2, many security
functions are required, including mechanisms
based on cryptography involving secret or
private keys. For security levels 3 and 4,
hardware-based protection of security or
cryptography functions is required in many
cases. This is where industrial component
designers will benefit from turnkey security
ICs, embedding essential mechanisms such as:
• Secure key storage
• Side-channel attacks protection
• Commands for functions such as:
- Message encryption
- Digital signature computation
- Digital signature verification
These turnkey security ICs relieve IACS
component developers from investing
resources into complex security primitive
design. Another benefit of using security ICs
is to inherently take advantage of the natural
Figure 2. The number of ISA certifications over time. isolation between general-purpose functions
and dedicated security functions. The strength
of security functions is more easily evaluated
IEC 62443 compliance: a complex are software applications, host devices, when security is concentrated in an element
challenge embedded devices, and network devices. For rather than spread throughout the system. Also
The IEC 62443 is an incredibly comprehensive each component type, IEC 62443-4-2 defines gained from this isolation is the preservation
and effective standard for cybersecurity, the capability security level (SL-C) based of the verification of the security function
yet its complexity can be overwhelming. on the component requirement (CR) and across software and/or hardware modifications
The document itself is nearly 1000 pages in requirement enhancement (RE) they meet. of the component. Upgrades can be performed
length. Acquiring a clear understanding of Table 1 summarizes SL-A, SL-C, SL-T, and their without the need to reassess the complete
cybersecurity protocols involves a learning relationship. security function.
curve and reaches beyond absorbing the Let’s take the example of a network- Furthermore, secure ICs vendors can
technical language. Each section within IEC connected programmable logic controller implement extremely strong protection
62443 must be understood as a part of a larger (PLC). Network security requires that the PLC techniques that are not accessible at the
whole, as the concepts are interdependent (as is authenticated so that it does not become an PCB or system level. This is the case of
shown in Figure 3). entry door for attacks. A well-known technique hardened EEPROM or Flash memory or physical
For example, as per IEC 62443-4-2, a risk is public key-based authentication. With unclonable function (PUF) that can achieve
assessment targeting the entire IACS must be regards to the IEC 62443-4-2: the highest level of resistance against the
conducted and the outcomes will condition the
SOURCE: ANALOG DEVICES
decisions that determine the target security
levels for equipment.

Designing IEC 62443 compliant

equipment
Highest Security Levels Call for Hardware
Implementation
The IEC 62443 defines security levels in
straightforward language as shown in Figure 4.
The IEC 62443-2-1 mandates a security risk
assessment. As an outcome of this process,
each component is assigned a target security
level (SL-T).
As per Figure 1 and Figure 3, some parts
of the standard deal with processes and
procedures while IEC 62443-4-1 and IEC
62443-4-2 address the components’ security.
Component types as per IEC 62443-4-2 Figure 3. A high level view of the certification process.

09.202 4 i n d u str i a l e th e r n e t b o o k 21
 result, the IACS accumulates and is exposed

SOURCE: ANALOG DEVICES

Cybersecurity

to all their vulnerabilities, as illustrated by

the MITRE ATT&CK database6 or the ICS-CERT
advisories.
Moreover, with the Industrial Internet of
Things IoT (IIoT) trend of embedding more
intelligence at the edge,8 devices are being
developed to make autonomous system
decisions. Therefore, it is even more critical
to ensure that device hardware and software
can be trusted given these decisions are
critical to safety, operation of the system,
and more.
Additionally, protecting the R&D IP
investments of device developers from theft—
related to AI algorithms, for example—is a
common consideration that can drive the
decision to adopt the protection that a turnkey
security IC can support.
Another important point is that insufficient
cybersecurity may negatively impact functional
safety. Functional safety and cybersecurity
interactions are complex and discussing them
would deserve a separate article, but we can
highlight the following.
Figure 4. The IEC 62443 levels of security.
IEC 61508: Functional Safety of Electrical/
Electronic/Programmable Electronic Safety-
most sophisticated attacks. Overall, security of devices, but the diverse composition of Related Systems mandates cybersecurity risks
ICs are a great foundation to build system devices inherently expands the variety of analysis based on IEC 62443.
security. attack vectors. While IEC 61508 focuses primarily on hazard
“Given existing platforms, there’s a lot of and risk analysis, it mandates subsequent
Securing at the edge viable attack vectors and increased exposure security threat analysis and vulnerability
Industry 4.0 means sensing everywhere, of both the endpoint and the edge devices,” analysis each time a cybersecurity occurrence
any time, and thus calls for the deployment said Yaniv Karta, CTO of the app security and is serious.
of more edge devices. IACS edge devices penetration-testing vendor, SEWORKS. The IACS edge devices we listed are
include sensors, actuators, robot arms, PLCs As an example, in a complex IACS, not all embedded systems. IEC 62443-4-2 defines
with their I/O modules, etc. Each edge sensors come from the same vendor, nor do specific requirements for these systems such as
device is connected to a highly networked they share the same architecture in terms malicious code protection mechanisms, secure
infrastructure and becomes a potential entry of microcontrollers, operating systems, or firmware updates, physical tamper resistance
point for hackers. Not only does the attack communication stacks. Each architecture and detection, the root of trust provisioning,
surface expand proportionally with the number potentially carries its own weaknesses. As a and integrity of the boot process.

SOURCE: ANALOG DEVICES

Figure 5. Secure authenticators features mapping to IEC 62443 requirements.

22 in d u s t r ial et h er ne t b o o k 09.2024
 Cybersecurity
SOURCE: ANALOG DEVICES
add high grade security to an existing design.

SOURCE: ANALOG DEVICES

They save the R&D effort of rearchitecting
a device for security for a low BOM cost.
For example, they do not require changing
the main microcontroller. As examples, the
DS28S60 and MAXQ1065 secure authenticators
address all levels of the IEC 62443-4-2
requirements as illustrated in Figure 5.
The DS28S60 and MAXQ1065 3 mm × 3 mm
TDFN packages make them suitable for the
most space-constrained design and their low
power consumption perfectly addresses the
most power-constrained edge devices.
IACS component architectures already
featuring a microcontroller with the
security functions to address IEC 62443-4-2
requirements can also benefit from secure
authenticators for keys and certificate
distribution purposes. This would save the
Meet IEC 62443 objectives with naturally occurring random variation in OEMs or their contract manufacturers from
ADI’s Secure Authenticators wafer manufacturing processes to generate investing in costly manufacturing facilities
Secure authenticators, also referred to as cryptographic keys rather than storing them needed to handle secret IC credentials. This
secure elements, from Analog Devices have in traditional EEPROM of Flash. The variations approach would also protect keys stored in
been designed to address these requirements exploited are so small that even the expensive, microcontrollers to be extracted through
with ease of implementation and cost most sophisticated, invasive techniques debugging tools such as JTAG.
efficiency in mind. Fixed-function ICs that used for chip reverse engineering (scanning
come with a full software stack for the host electron microscopes, focus ion beams, and Conclusion
processor are turnkey solutions. microprobing) are inefficient to extract keys. By putting together and adopting the IEC
As a result, security implementation is No technology outside of integrated circuits 62443 standard, IACS stakeholders have
delegated to ADI and components designers can reach such a level of resistance. paved the road for dependable and safe
can focus on their core business. Secure Secure authenticators also enable certificates infrastructures. Secure authenticators are the
authenticators are the root of trust by and chains of certificate management. bedrock of the future of IEC 62443 standard-
essence, providing secure and immutable In addition, ADI offers a highly secure compliant components requiring robust
storage of root keys/secrets and sensitive data key and certificate preprogramming service hardware-based security. OEMs can design with
representative of the state of the equipment, in its factories, so that original equipment assurance, knowing that secure authenticators
such as firmware hashes. They feature a manufacturers (OEMs) can receive parts will help them achieve the certifications they
comprehensive set of cryptographic functions already provisioned that can seamlessly seek.
including authentication, encryption, secure join their public key infrastructure (PKI) or
data storage, life cycle management, and enable offline PKI. Their robust cryptographic Christophe Tremlet, Director, Business
secure boot/update. capabilities enable secure firmware updates Management, Analog Devices.
ChipDNA™ physically unclonable and secure boot.
function (PUF) technology utilizes the Secure authenticators are the best option to View Product Portfolio

09.202 4 i n d u s tr i a l e th e r n e t b o o k 23
 Effective strategies for keeping
Cybersecurity

IoT environments secure

IoT devices can offer flexibility and convenience. However, in order to get the most benefit out of these
solutions, they need to be adequately protected. By following effective strategies, organizations can ensure IoT
devices don’t become a source of a network breach and remain an asset that helps improve business operations.

SOURCE: ISTOCKPHOTO
Effective cybersecurity strategies are an important part of an overall program to develop IIoT and Industry 4.0 solutions.

THE INTERNET OF THINGS (IoT) HAS BECOME motion and will usually be stored in caches Compromised network access
an integral part of modern-day society. From on both the device itself and connected data In the event a malicious source gains access
the smart devices we use in our homes to storage locations. to an unsecured IoT device, they can use
the sensors used in supporting intelligent If databases or networks are left unsecured, this entry as a starting point to go deeper
factories and supply chains. this can lead to potential security breaches, into networked systems and look for more
However, while IoT devices and the networks which are the primary sources of identity theft valuable targets. Some of these targets could
they support offer a number of advantages for and other forms of fraud. be computers or databases connected to
everyone, they can pose a number of risks to the network, which could contain important
organizations that don’t adequately secure Remote controlled botnets elements of the underlying infrastructure.
them. Cybercriminals will often look to recruit a A compromised network can lead to a wide
The question is what are the security risks number of IoT devices to conduct large-scale range of issues for organizations, which can
that IoT devices introduce? attacks on other organizations. These massive have long-term, negative operational and
Because of their “always on” functionality, networks, known as “botnets” can be used financial implications.
IoT devices can bring a number of unique for a variety of malicious purposes, including
challenges to individuals and businesses by launching Distributed Denial of Service Injection points for dangerous
opening up a variety of security vulnerabilities. (DDoS) attacks that flood networks with a malware
This can lead to: large volume of activity at once - downing IoT devices offer organizations a high level of
servers and any connected applications or flexibility and convenience, especially when
Database security breaches systems. they’re positioned in various locations around
IoT devices operate by collecting a large Botnets are often used to hijack the buildings and offices. However, if they are
amount of information - much of it can processing power of different devices and can more accessible to individuals, this can also
be sensitive information about connected be used to successfully accomplish a number leave them open to tampering.
networks or critical systems and databases. of illegal activities - often without the device’s Cyberattackers are able to exploit software
This information is typically in constant owners even knowing it’s happening. vulnerabilities in devices if they’re able to

24 in d u s t r ial et h er ne t b o o k 09.2024
 Cybersecurity
SOURCE: ISTOCKPHOTO
A compromised network can lead to a wide range of issues for organizations, which can have long-term, negative operational and financial implications.

access them directly. Using various tools Using network segmentation all IoT devices and report on their firmware
and equipment, they can modify the device's Network segmentation, the practice of versions. This allows you to have a unified
software and firmware and inject malicious breaking up a larger network into smaller view of all digital assets to make sure they’re
code that can be used to carry out their pieces, is a common security measure all getting the security updates and patches
agendas. being used increasingly in modern business they need to keep the business network
environments. secure.
Strategies for securing an IoT The purpose of network segmentation
infrastructure is to create isolation points in the event a Implementing firewall protections
Although IoT devices come with their own particular endpoint is breached. In the event Firewalls are another important necessity
level of risk when integrated into business of successful network penetration, segmented when using IoT devices. They are another tool
environments, this doesn’t mean organizations networks make it much more difficult for for helping to monitor incoming and outgoing
don’t have options for reducing their digital attackers to move laterally into other more network traffic while also having specific
attack surface. valuable systems or databases. configurations in place to successfully block
Below are some effective strategies that can Organizations can begin segmenting their any unauthorized access.
be put in place to keep an IoT infrastructure networks by making use of virtual local area Next-generation firewalls (NGFW) offer
secure. networks (VLANs) in combination with firewalls even more advanced features like intrusion
and other security networking solutions. This prevention systems which filter traffic on a
Best practices password policies process can be more time-consuming to set much more granular level. In these setups,
One of the most effective ways to keep up, however, it can be well worth the effort firewalls will use deep packet inspection
devices secure is by applying best practices to ensure IoT devices aren’t a source of major methods to add an additional layer of security
when creating authentication credentials. This security breaches. that traditional firewalls won’t support.
includes establishing passwords at least 12
characters in length and using a combination Monitoring IoT devices Make IoT devices more secure
of upper and lowercase letters as well as Another important part of keeping a more IoT devices can offer a great deal of
numbers and symbols. secure IoT network is by regularly monitoring flexibility and convenience for individuals
Many out-of-the-box IoT devices will the traffic coming too and from connected and businesses. However, in order to get the
already have default administrative passwords devices. This is an important step in not only most benefit out of these solutions, they need
in place. It’s important to never leave being able to identify suspicious activities to be adequately protected. By following the
these unchanged, as they are often easy to happening on a network, but also giving IT strategies discussed, organizations can ensure
compromise. administrators an opportunity to contain their IoT devices don’t become a source of a
Establishing stronger passwords for them. network breach and instead remain an asset
devices is important, but users should Networking monitoring solutions can use that helps improve business operations.
also remember to change their credentials automated processes to monitor activity on
regularly (every 90-180 days). This added system networks while setting up alerts tied to Guido Voigt is the Director of Engineering at
step is an additional protection for networks failed login attempts or malware detections. Lantronix.
that may have had certain credentials Another critical feature of many network
compromised over time. monitoring solutions is their ability to track Learn More

09.202 4 i n d u str i a l e th e r n e t b o o k 25
 Automatic CIP Security
Cybersecurity

via Pull Policy

This article explores important use cases for automatic pull policy as a new approach to delivering CIP Security
configuration, discussed requirements, and evaluated some technology options. The ability to pull all of the CIP
Security configuration is important for enabling use cases which will be important in the future.

SOURCE: ISTOCKPHOTO
CIP Security provides important information assurance properties that are needed to mitigate threats in many industrial applications using EtherNet/IP.

THE CIP SECURITY PULL MODEL PROFILE network and the configuration tool on the • Software that only has CIP client
provides a major benefit of allowing a public network. We will explore use cases and capabilities and no server functionality
device to automatically discover a certificate requirements for a feature such as this, as well • Fully automatic device replacement with
enrolment server and request a certificate as potential technology choices. CIP Security enabled
for secure communication. However, secure In order to serve these use cases (and
communication with CIP Security requires Introduction potentially others) a new mechanism for
additional configuration beyond just the CIP Security provides important information delivering CIP Security configuration is
certificate. Additional value could be realized assurance properties that are needed discussed here. Requirements for this
by defining a mechanism for a device to to mitigate threats in many industrial mechanism are discussed in this article, but
request not just a certificate, but also the applications using EtherNet/IP. However, essentially it needs to be able to serve CIP
associated configuration for enabling CIP prior to using CIP Security there must be a Security configuration via a document that
Security. configuration step that takes place. is requested by a client. In this context, the
This configuration includes things like The CIP specification has defined a common term “document” refers to a packaged data
allowed cipher suites, trust anchors, certificate way in which this configuration is delivered format that exists in one coherent file and can
revocation lists, etc. One benefit of this ability to a device via CIP objects and services. This be transmitted to the consumer independent
would be the seamless application of device works well in many cases, although there are of the transport mechanism. Of course, this
replacement, where a replaced device could some limitations. This is explored further in scheme must provide authenticity assurances
automatically discover a security configuration the use cases section, but briefly there are and be resistant to cyber-attacks.
server and request all of the configuration at least three situations where delivering CIP Besides discussing use cases and
needed for CIP Security. Security configuration via CIP objects and requirements, this article will also investigate
Furthermore, this would enable devices services presents a limitation: potential technologies to realize this scheme
to work in network architectures where a • Network architectures where routing for delivery of CIP Security configuration
configuration tool could not reach the device, is not allowed like Network Address via a document format. A few technologies
like a NAT with the device on the private Translation (NAT) are weighed against how well they meet

26 in d u s t r ial et h er ne t b o o k 09.2024
 Cybersecurity
SOURCE: ODVA
the requirements, and a recommendation
for a technology to use is given, as well as
recommended future work.

Use cases
A consistent security configuration is required
for devices to operate in a secure manner. Due
to the need for clients and servers to have
the same configuration, a mechanism for
the clients and servers to request, or “pull”
security configuration is useful to distribute
this security configuration across multiple use
cases that may even overlap.
The existing Push Model is useful in that a
centralized tool can configure all the devices
in the network, but it fails to accommodate
some important use cases, which are explored
below. Note that the Push Model as currently
defined can provide a certificate as well as
the necessary CIP Security configuration via
CIP services and attributes. However, the
current Pull Model only provides a certificate;
therefore, this document format is necessary
to provide parity of Push and Pull models.
In this use case, the PLC opens a client
connection (not a CIP connection, rather some
TCP or similar session) to the OT Configuration
server and pulls its security configuration
periodically. The routes through the router
and the firewall can be simply configured and
monitored.

Motor
Network topologies that enforce network
segregation through routers with Network Figure 1.
Address Translation (NAT) make it difficult for
Push Model connections to be made through Fully automatic device replacement technical specifications and practical use
the router. In Figure 1, any devices that In one last use case regarding device case considerations. By addressing these
connect to the DMZ will have a translated IP replacement, allowing a device being crucial prerequisites, a solid foundation can
address of 10.20.14.1. replaced to retrieve its own configuration be established for implementing a reliable and
The DMZ will not be allowed to make a is a straightforward way to facilitate device tailored security configuration.
connection through the router to the OT replacement. The specifics of how a device
Network unless pre-configured routes are may come to be trusted on the network Document format
used. This requires substantial configuration are outside the scope of this article, but a A comprehensive document format is essential
and continuous maintenance as devices in the simplified configuration to enable that process for managing and communicating critical
segregated network are added and removed. can be accomplished with a Pull Model. security parameters from the configuration
Preconfigured routes also weaken the security As an example, an electric motor driver server. This document format enables the
posture of the segregated network giving is replaced. The motor driver searches for a inclusion of crucial information such as
attackers a well-defined path to gain access well-known address using mDNS (multicast allowed cipher suites, trust anchors, and
to the network. DNS packets to discover a service) or DNS-SD certificate revocation list together with the
(a specific protocol for discovering network communication certificate.
Deliver security config to “client- services) in order to find the OT Configuration Integrity and consistency are vital
only” software service address. After the address is resolved, aspects when it comes to delivering the
SCADA, HMI, Engineering, Configuration the motor driver can then pull its initial security security related configuration. Bundling
and Management tools, are often client only configuration from the OT Configuration all the configuration options in one single
functionality. Unlike OT devices such as PLCs service. This configuration may be enough to document maintains the reliability and
and IO, they have no ability to accommodate a allow the full bootstrapping of trust of the new trustworthiness of the information. Both
Push Model for configuration. However, there is motor driver without manual intervention. these attributes ensure that the content of
still a need for coherent security configuration the document remains accurate and unaltered.
for clients to be aligned with servers in the Requirements This allows for all of the configuration to be
system. Much like the first use case where a This section outlines some of the crucial applied atomically, as it can be parsed and
client connection can be easily configured requirements ensuring the effective delivery interpreted by the device and then applied
through routers and firewalls, the Pull Model of a robust security configuration. Here, at once. Furthermore, the document format
provides simpler system configuration while a diverse set of requirements is outlined abstracts the transport of configuration from
ensuring a high level of security posture. that encompass various aspects, including the configuration itself, meaning that this

09.202 4 i n d u s tr i a l e th e r n e t b o o k
27
 could be delivered over other transports (e.g. keys are not the normal use-case, it is an the policy document. Since mDNS/DNS-SD
Cybersecurity

MQTT) if that was necessary or beneficial in unnecessary burden to always encrypt the is already established in the CIP Security
some use cases. whole document. specification, it is preferable to continue
A well-defined document format containing There are however merits to allow for utilizing these mechanisms. By reusing the
allowed cipher suites, trust anchors, and encryption of the whole document if same mechanisms and protocols, unnecessary
certificate revocation lists, delivered additional configuration attributes that require burden on end nodes is eliminated. Generally,
along with the device’s identity certificate protection, are added in the future. For this this requirement is meant to ensure that any
establishes a robust security configuration. reason, it’s preferable to make it an option for technology chosen would not prevent the
the end-user to protect the whole document continued use of mDNS/DNS-SD.
Authenticity with encryption.
The authenticity of a document confirms its Configuring retry
genuine origin and ensures that it has not been Versioning During the initial discovery process of the Pull
tampered with. It ensures that the document End nodes need to be aware of the specific Policy server, the end node will continuously
can be trusted as an accurate representation of version of the policy they are applying attempt to find the server and request the
its contents, i.e. the full security configuration in order to ensure proper functionality policy document. However, it is crucial
delivered from the server. and compatibility. This is crucial when to avoid overwhelming the network with
The validation of the authenticity of a implementing updates or modifications excessive traffic when the server is offline
document is crucial and something that can to policies while maintaining backward or temporarily unable to provide the policy
be done using different mechanisms. In all compatibility. There are two primary methods document.
cases there needs to be some provisioning to accomplish version tracking; using a To address this issue, it is necessary to
done before the validation of the authenticity counter or using timestamps. implement a mechanism that reduces network
takes place. One common approach is the use The counter-based approach involves traffic generated by the end node's attempts
of digital signatures. Digital signatures utilize assigning a numerical value to each new to discover the server or obtain a policy
cryptographic techniques to bind a unique version of the policy document. Every time a document. This mechanism should include a
identifier to the document. By verifying the new version is created, the counter increments sensible default value, which can potentially
digital signature, the device can authenticate by one. End nodes can then reference this be modified by end users through configuration
the document and trust that it came from the counter value to determine the policy version options. Additionally, incorporating a back-off
expected sender and was not modified by an they should apply. algorithm could be a beneficial consideration.
unauthorized party. However, in this case the Alternatively, timestamps can be employed
device would need to be pre-provisioned with a to track policy versions. Each time a new Trigger a reconfiguration
key from the server generating the document. version of the policy document is created, a Over time, it is expected that the configuration
In all cases the pre-provisioning requires timestamp indicating the date and time of the policy will undergo changes, necessitating the
that some trust provisioning with the update is assigned. End nodes can compare deployment of a new policy document on the
device takes place before the authenticity their own timestamp with the latest timestamp end-nodes. To ensure proper functioning, this
of the document can be verified. Once the in the document to determine which version new policy deployment must be synchronized
pre-provisioning of trust occurs this could to apply. This method provides more value, across the entire system or, at the very least,
allow for a fully automatic and seamless device allowing for precise version identification among all interconnected end-nodes.
replacement. To establish the initial trust, the when the configuration change in the Given the requirement for synchronization
process of a trust on first use (TOFU) approach document was done. However, it does require among the affected end-nodes, a triggering
would be required. Upon the first attempt to that consumers of the policy document have mechanism becomes necessary for initiating
connect, to a configuration server the device time set in a synchronous manner with the this reconfiguration. In many cases, it is
is initially provisioned with cryptographic configuration server. advantageous for the reconfiguration trigger
keys. These keys then facilitate validation of It's worth noting that choosing the counter- to be executed through a CIP command. This
the authenticity of the signed configuration based approach initially does not preclude approach allows for the synchronization of
document, providing the replaced device with the utilization of timestamps in the future. reconfiguration with the control operation of
security configuration. Timestamps can be introduced for additional the system, including the secure closure and
functionalities as needed in the future. For re-establishment of IO connections. However,
Confidentiality example, timestamps can be used to track the there are also advantages to triggering the
In general, the security configuration isn’t last modification time of the document or for reconfiguration through the policy server
secret and doesn’t need to be protected by auditing purposes, while the counter remains especially if it could be done through a
encryption. However, the pre-shared keys are dedicated to policy versioning. non-CIP mechanism, as the policy server would
one attribute within the security configuration not need to know about CIP at all.
that needs to be protected and kept secret. Automatic discovery Alternatively, it is possible for each
Installations that use pre-shared keys are In the CIP Security Pull Model Profile, the end-node configured via the policy document
normally smaller installations with a limited initial setup involves locating an Enrollment to periodically check for policy updates. In
number of nodes. In those cases, it’s less likely over Secure Transport (EST) server through many cases this will provide an acceptable
that the Pull Model will be used, as a centralized mDNS/DNS-SD and subsequently requesting level of synchronization, as changes across
configuration server may not be present. identity and trust information using the EST the system need not be synchronized
If pre-shared keys are to be delivered via protocol. The certificate and trust provisioning atomically. Many security changes will result
the Pull Model, at a minimum they need to process in the Pull Model comprises two in connections being dropped and re-made,
be encrypted in some way. Alternatively, the primary steps. Firstly, the EST server is which will provide some amount of downtime.
whole document could be encrypted. This discovered using mDNS/DNS-SD. Secondly, If this downtime extends by a few seconds
would protect the pre-shared keys in the case certificates are retrieved from the EST server. that is likely acceptable, as these types of
when they are used. Since only the pre-shared Likewise, the new Pull Policy approach changes are likely not being applied during
keys need to be protected and pre-shared requires the discovery of a server to access production.

28 in d u s t r ial et h er ne t b o o k 09.2024
 Cybersecurity
SOURCE: ODVA
Existing Policy Encoded CIP
AutomationML Custom JSON Explanation
Language like REGO Commands

Document format 10 10 10 10 All options provide data in a document format

AutomationML, JSON, and most existing policy languages
already have mechanisms for applying a digital signature. A
Authenticity 10 10 10 8 custom file of encoded CIP commands would need to define
a mechanism or choose from one of the many file signing
formats.
Essentially the same scoring and same reasoning as for
Confidentiality 10 10 10 8
authenticity
Once again, the same reasoning holds; existing languages
Versioning 10 10 10 8
can use existing versioning.
None of these technologies provide this, it would need to be
Automatic discovery n/a n/a n/a n/a
added through another means like DNS-SD.
AutomationML, JSON and existing policy languages can
Configuration retry 9 9 9 7 easily encode this via a name-value pair, or encoded CIP
commands as those don’t have a seamless way to do this.
Trigger a reconfiguration 9 9 9 7 Same reasoning as for Configuration Retry.
JSON is a very lightweight technology and would be tailored
to this use case, therefore it is highly efficient. Many of
the existing languages are not well suited to an embedded
Suitable for an
6 10 2 10 space. AutomationML is used in some embedded applica-
embedded environment
tions, but is feature rich and built on XML, which is not
very lightweight. CIP commands are already used in the
embedded space, so this option is also very well-suited.
JSON and many existing languages are very human
Human readable 8 9 9 3 readable, AutomationML is more complex but still fits here.
CIP commands however are not generally human readable.
A custom JSON for CIP Security policy is well suited to
delivering CIP, and of course CIP commands are perfectly
Optimized for CIP 6 9 1 10
suited to this task. AutomationML is not, and many existing
policy languages are not possible to use for this purpose.

Totals 78 86 70 71

Ease of use with CIP configuration Suitable for embedded computing formatting. Given that the configuration policy
Even if a technology was able to easily meet all environments is to be encoded and delivered in a document,
of the aforementioned requirements, it would Given that many of the CIP stacks execute on an the transport mechanism is not very important;
be useless if it could not be used to encode embedded software platform, any technology a document can be transmitted over various
CIP configuration. This effort is focused on chosen for pull policy must be able to execute communication protocols. However, the
deploying CIP Security configuration as within an embedded environment. Although technology used to format this document is
document-based policy in a secure manner, this might not completely disqualify some important to define. Various technologies offer
so it is very important that the document possible solutions, it will likely make some less trade-offs. A discussion of a few possibilities
is able to encode CIP configuration. Some suitable. Technologies that rely on large files follows.
technologies may be optimized for other types or require software agents to run would be less
of information and therefore are not able to suitable for use in an embedded environment. AutomationML
easily encode CIP configuration, in which case Automation Markup Language or
they would not be suitable. Human Readable AutomationML, is a data modeling language
Configuring CIP Security involves several It is ideal to choose a technology that allows created specifically for industrial automation.
things, from simple setting of Boolean for the policy document to be human readable. AutomationML is object oriented and
attributes to transmission of certificates for This would provide a quick interpretation of provides some powerful features like object
use as trust anchors. Although not strictly a given policy document, and possibly even inheritance. This is realized using role classes
necessary for the minimum configuration, it allow for manual editing in a simple system. and interface classes. This provides a high
is also helpful to be able to encode a request Auditing would also be easier, as a human or degree of flexibility in modeling various data
for the execution of a certain CIP service, as machine could interpret the document without concepts, and it has been used successfully
these might be necessary for the policy to be any additional decoding needed. in many applications, such as in the Process
fully realized (for example, the policy may Industry with CAEX via IEC 62424. However,
include running the Object_Cleanup service of Technology with these features comes complexity, and
the CIP Security object to clean up any unused There are several possibilities for the given that CIP objects do not directly support
certificates after a new policy is applied). technology used for the configuration policy object inheritance, AutomationML may not be

29
09.202 4 i n d u s tr i a l e th e r n e t b o o k
Cybersecurity

SOURCE: ISTOCKPHOTO
The ability to pull all of the CIP Security configuration is important for enabling use cases which will be important in the future.

the best fit for CIP configuration policy, as not them generically. All of these were created Conclusions
all of the functionality can or will be realized. for a use other than with CIP Security policy, This article explored some of the important
AutomationML relies on XML for the data so they will of course not be well optimized use cases for automatic pull policy as a
encoding. XML is a well-used format, although for that. It may be possible in some cases new approach to delivering CIP Security
it is not generally viewed as a compact format, for them to still be used, but that is not the configuration, discussed requirements, and
especially in the context of embedded devices. purpose of these languages and there will evaluated some technology options. The ability
However, AutomationML is already deployed likely be limitations in using them for CIP to pull all of the CIP Security configuration is
in various use cases across the industrial Security policy. important for enabling use cases which will
automation space, often as a unifying format An example of a language like this is Rego, be important in the future, including securing
to ensure different engineering tools are which is used with Open Policy Agent (OPA). devices within a private NAT network and
able to use the same data. Although this is This language is well optimized for access client-only software.
a very important use case it is quite different control, and although it is flexible, it would It is likely that client-only software will grow
from the use case of distributing CIP Security be challenging to tailor it to work with CIP in usage as more IIoT applications are realized
configuration policy. object/attribute configuration. in practice, such as connecting software
agents that harvest data or applications that
Custom JSON encoded document Encoded CIP services reside on mobile devices.
A custom encoding could be defined using Another possibility is to simply use the Furthermore, the ability to replace a CIP
JSON to represent CIP objects, attributes encoded CIP services within a document device and deliver all of the CIP Security
and services. The downside of this is that it format. CIP already defines a format for configuration seamlessly will enable better
requires some upfront work to define this. calling services as a transmission protocol. workflows and further ease of use. Although
However, it would likely be very well suited for This “on-the-wire” formatting could simply be it is possible to realize this through a number
CIP Security configuration policy, as it would encoded into a document and used there. This of technologies, analysis shows that defining
be defined specifically for that purpose. JSON is quite straightforward from the standpoint a JSON schema for encoding CIP Security
is a very popular data exchange format that of capturing the necessary configuration. configuration is the best technology choice.
is compact and has wide support in parsers, However, it would not be human readable. Follow-on work will include defining a
some being quite lightweight and optimized Furthermore, it would not be straightforward specification enhancement to Volume 8 of the
for embedded environments. JSON already has to encode information that might not be part CIP specification that defines a mechanism for
signing and encryption defined via the JOSE of a CIP object, such as the revision of the this, likely using JSON. Other follow-on work
standard; that could be applied for authenticity policy document. Signing and encryption includes an investigation into whether or not
and confidentiality. Furthermore, a JSON would also need to be defined for this option. this might be suitable for delivering other
schema could be defined to better document Although there are many ways to sign and CIP configuration via a policy document. It is
the configuration policy format and to help encrypt a file, there is no standard way that likely that the same requirements would hold,
possible future enhancement efforts. For all this would be done since it is a custom file. although certain applications like CIP Motion
these reasons this is an attractive option if the or CIP Safety might have additional needs that
upfront development cost is palatable. Technology comparison were not explored.
Building on the discussion above, some scoring
Other policy languages can be done of these different choices against Joakim Wiberg, Head of Technology, HMS
There are a number of “policy languages” the requirements. An arbitrary value of 0 – 10 Networks; David Smith, Cybersecurity Architect,
that are already in use for various purposes. is used for how well each requirement is met. A Schneider Electric; and Jack Visoky, Principal
Although it is not practical to analyze all of score of 10 means the requirement is met in an Engineer and Security Architect, Rockwell
these languages, it is possible to speak about ideal way, 0 means it is not met at all. Automation.

30 in d u s t r ial et h er ne t b o o k 09.2024
 Cybersecurity basics:

Cybersecurity
industrial security fundamentals
The fundamentals of industrial cybersecurity are based on key principles including confidentiality, integrity
and availability. Cybersecurity often seems like an invincible Hydra but, with practical guidelines, users can
setup systems and create strategies that significantly strengthen the security of company networks.

SOURCE: ISTOCKPHOTO
Cybersecurity is a never-ending task. With defined processes for continuous improvement, organizations create the preconditions for a continuous
improvement cycle, including regular review and refinement of security protocols, incident response procedures, and monitoring mechanisms.

CYBERSECURITY IS A BARE NECESSITY, THAT the area of OT, though, availability is the top Controlling access to information
much is clear. What is less clear, however, are priority. After all, if there are interruptions ensures confidentiality and integrity.
the basic principles that form the foundation in a production line, this can result in vast Here, it is important to distinguish
of a strong and effective cybersecurity financial costs. In an operating theatre, it between authorisation and authentication.
strategy. If they are missing, the entire can even be a matter of lives. This means Authentication is the process of checking
concept is rickety. that in the area of OT, not only the threat whether a person or computer is actually
must be evaluated, but also the effects of who they say they are. This ensures
Part One: Confidentiality, security measures. everyone knows with whom they are
Integrity and Availability In an OT network, Principle C sharing information. Authorisation, on the
C.I.A. – these three letters stand for the (confidentiality) requires the data flow other hand, regulates the access rights or
classic understanding of cybersecurity. between sensors, controllers and other privileges of a person or software. Both –
Even if others are sometimes added, these devices in an OT network to be encrypted, e.g. clearly defined authorisation guidelines and
three form the core. The C stands for by using TLS/SSL, so that no unauthorised the systematic authentication of users – are
confidentiality. This means that only the party can access sensitive information. This crucial for preventing intrusions.
authorised parties involved are allowed to might also include the encryption of firewall
read the content. The I stands for integrity, configurations that contain confidential Types of threat – meaning well
which states that the content of a message details about the network’s security design. I does not always equal doing well
may not be changed. In addition, the A is for integrity demands that only subscribed or The basis of a cybersecurity strategy also
availability: a message must be available for purchased operating systems and software are includes defining possible dangers. Obvious
exactly as long as necessary, neither longer run on the hardware – also known as secure examples are powerful hacker organisations,
nor shorter. boot. Moreover, A for availability refers to a international espionage and warfare. Still,
When it comes to IT security, these three network concept that guarantees redundancy this doesn’t mean that anyone who isn’t
aspects are considered equally important. In to rule out a single point of failure (SPOF). connected to the internet or company

31
09.202 4 i n d u s tr i a l e th e r n e t b o o k
Cybersecurity

SOURCE: MOXA
Following the fundamentals of cybersecurity management creates the discipline required within an organization.

network is safe: around a fifth of threats for protective measures to keep pace. equipment based on vulnerabilities. This
arise from internal hazards. All it takes, While brute-force attacks are still common, means that weak points in devices and
for example, is a disgruntled, dismissed ransomware continues to grow and social software are known to the public. It is crucial
employee whose password hasn’t been engineering is becoming more sophisticated. to identify which ones need a firmware update
changed. In Maroochy, an administrative area Advanced persistent threats (APTs) are used and to execute it in a timely manner.
of Australia, for example, a worker hooked to secretly collect private data over a longer
up the network of a water treatment plant period of time. Protection mechanisms
to a Wi-Fi router before switching jobs. Years Once an attacker has found an easy victim, One common shield against online threats
later, when he was rejected for a position at it is quite possible that they will look for is encryption. It prevents information from
the town hall, he flooded the park with 1,000 further vulnerabilities. It is a well-known being intercepted during the communication
litres of wastewater. fact that it takes some time to make a between two nodes. For example, a Wi-Fi
Yet, even with good intentions, employees weak infrastructure secure. However, even connection can be tapped, but if it uses WPA
can cause harm. In terms of security, it rudimentary cybersecurity measures can encryption, the transmitted content cannot
makes no difference whether the intention is significantly reduce the potential extent of be deciphered. Communication via open
malicious or not – it is the result that counts. damage and the consequences of a successful networks, e.g. in hotels or airports, must
With the dramatic rise in sophisticated attack. be encrypted to maintain confidentiality.
social-engineering and deepfake-phishing However, even if the communication is
attempts, the risk of an employee trying Dealing with vulnerabilities private, e.g. between employees working from
to help their manager in a supposedly In this context, it’s important to know how home, all intermediate networks that make
threatening situation that is actually fake weak points are currently handled. During up the internet must be considered a threat.
and malicious is growing. In 2019, a major the development of a network component, Another encryption application is
American bank made headlines when it they can be recognised at an early stage with signatures. In contrast to symmetric
accidentally exposed over 800 million private static tests or peer reviews. Automated tests encryption, which uses the same key for
data records, including driving licence details are used to check the system’s resistance encryption and decryption, asymmetric
and bank statements. to common attacks. Intrusion tests are also methods use different keys. This means
Another myth that needs to be common practice, in which a third party that a communication can be encrypted
invalidated is the idea that it takes powerful attempts to systematically and exploratively with a secret key and anyone who decrypts
supercomputers and the latest technology circumvent the defence measures. Should a it with the publicly available key can read
to cause significant damage. The reality is vulnerability be discovered in a new product, its content. In addition, the recipient knows
much simpler: crime is already offered “as the manufacturer can fix it immediately. If that the document originates from the owner
a service”. According to Forbes , paralysing the product is already on the market, the of the secret key as the document bears a
an internet-based asset for an hour on the person carrying out the test usually notifies signature. This way, digital certificate
darknet only costs USD 165, while you can the manufacturer and gives them time to authorities (CAs) can provide entities with
obtain a valid credit card number linked to create a patch before publicising the problem certificates certifying the authenticity of this
an account with at least USD 10,000 for as via groups such as MITRE. Although such entity. This is the case, for example, with
little as USD 25. responsible disclosure is not required by websites that use HTTPS. If their certificate
law, it is standard practice in the security is invalid, it cannot be decrypted with the
Cat-and-mouse game industry. CA's public key. In this situation, the browser
The rapid development of criminal Not only are vulnerabilities publicly cannot verify the identity of the website and
cyberattacks with ever more complex and available, there are even free search engines doesn’t display it. The reason is that the
precise forms of intrusion poses a challenge that can be used to look for network website could be an imitation of the original

32 in d u s t r ial et h er ne t b o o k 09.2024
 SOURCE: MOXA
Cybersecurity
Critical Assets

Industrial
IPS/IDS

Industrial
Firewall

Network
Segmentation

Fundamentals of Defense in Depth strategies.

or a malicious intermediary between the user secure? it is advisable to catalogue critical assets,
and the original website. A more advanced design is “defence in including all machines, systems, and areas
depth” with a multi-layer principle: each in which intellectual property and/or
Security at network topology level layer is slightly more secure than the last, confidential information is saved.
There are further measures that make network with the most important operations and data This is followed by a thorough assessment
topologies resistant to cyberattacks. In the that must not be compromised under any of the direct and indirect consequences of
OT sector, air gapping is frequently found. The circumstances in the middle. The “defence potential threats, allowing you to define a
internal network and the globally networked in depth” method is the foundation for the response strategy that reduces immediate
outside world are separated. Nevertheless, Purdue model, which is also recommended in risks and prevents long-term consequences.
air gapping is no longer considered sufficient EU cybersecurity guidelines. To this end, the risks associated with each
because many potentially dangerous actors One modern architecture is SASE (Secure identified threat are categorized. Possible
are located internally. If no physical access Access Service Edge). Here, all security responses are considered for each threat:
control is used in conjunction with air functions, including authentication and Acceptance: some risks may be considered
gapping – i.e. control over who can enter the authorisation, are not located in a central acceptable; thresholds are then used to
building – anyone can join the network via system, but at the edge of the network. determine the point up to which the risk is
a USB stick or the Wi-Fi. And do the network tolerable and monitoring is sufficient.
engineers have a list of all the computers Part Two: specific steps for more Damage containment: a strategy to reduce
that have activated Bluetooth? Most of them security in industrial automation the likelihood or impact of potential threats
do not. This means the network is open and Cybersecurity often seems like the may include implementing security measures,
connected. invincible Hydra, constantly growing new protocols, and redundancies.
The expression “castle with moat” uses heads as soon as one has been cut off. Elimination: structural changes to the
a medieval metaphor to describe a network However, with practical guidelines, you can network, the integration of advanced security
with extremely robust perimeter security. It defeat it and significantly strengthen the technologies and the removal of vulnerable
is based on the assumption that the outside security of the company network. components help eliminate risks from the
world is hostile, while the inside is secure. start.
Unfortunately, this model is no longer up to Threat modeling
date. Since the COVID pandemic at the latest, The first step towards a stable cybersecurity Directives, laws, and standards
many people have been using VPNs to work framework is gaining a detailed overview Compliance with EU directives, national laws
from home. This blurs the “secure perimeter”: of the existing network and identifying and industry-specific cybersecurity standards
Does it include the home network? Is that the potential vulnerabilities. To do this, is a must. However, by keeping up to date

33
09.202 4 i n d u s tr i a l e th e r n e t b o o k
Cybersecurity

SOURCE: MOXA
ARC Cybersecurity Maturity Model.

with regulations and guidelines, companies Resources can thus be allocated effectively Software upgrades
not only fulfil their legal obligations, but also and protection prioritized where it is most It makes sense to approach the topic
increase their own security. urgently needed. On this basis, a plan for a of software upgrades with a meticulous
On this basis, it is also important to define secure network model can be created step inventory of the firmware versions of all
governance rules. These should include the by step. important devices. This demands caution,
policies, procedures and protocols that To start with, it is advisable to begin professionals should check the authenticity
govern day-to-day operations of industrial with simple hygiene measures. These of upgrades with the respective provider.
automation. Effective cybersecurity include regular software updates, password Otherwise, the door is open for counterfeit
governance includes solid risk assessment, management, and basic access controls, e.g. malware.
ongoing identification of cybersecurity restricting the use of certain resources to The upgrade process should be carried out
risks and up-to-date guidelines based on individual MAC addresses. in stages so that the effects of upgrades can
industry standards. Integral components The next step will show solutions that be monitored and evaluated on a smaller
include access controls, defined responses to are more sophisticated. According to the scale before they are applied to the entire
incidents, and the sensitization and training defense-in-depth principle, several layers of network.
of employees. security measures can be combined to create In many cases, an immediate firmware
Once the governance rules are in place, it a multi-layered defense strategy. A mix of update is not possible. The recommended
is important to monitor them continuously firewalls, intrusion detection systems, and alternative is virtual patching. This involves
and carry out regular security checks and encryption is recommended. implementing security measures at network or
assessments. This is the only way to identify By separating the floor plan from the application level so that no changes to the
and resolve new vulnerabilities. corporate network with a DMZ (demilitarized firmware are required. Hence, network traffic
zone), a buffer network, direct communication can be actively monitored, malicious patterns
Setting up a resilient network between the corporate and floor network is identified, and vulnerabilities prevented from
The fundamental step to a secure industrial prevented and access is controlled with being exploited by outdated firmware.
automation network is to carefully assess firewalls.
the security requirements for each segment. In addition, the isolation of critical Foster security awareness
Segmentation involves dividing the network segments is an important aspect for In addition to technical measures, the human
into separate segments or zones to control minimizing the movement and therefore the factor is crucial. Teams must be equipped
traffic, improve security and mitigate potential spread of threats within the network. To this with the necessary resources to master the
attacks. Each segment can have its own security end, the number of access points and the intricacies of different types of attack. This
policies and access controls to increase security number of neighboring networks that can starts with creating checklists and step by
and minimize the risk of threats. This allows for communicate with the most secure segments step procedures that act as practical guides
a targeted security strategy focusing on specific are kept to a minimum. This maintains the for each type of attack. These materials
parts of the network while improving overall integrity of the entire network, even if one should be simple and practical, and complex
system security. area is compromised. security measures should be broken down
When assessing each segment, consider Furthermore, authorization mechanisms into practicable steps. This will enable
the organization’s critical assets and should be adapted to the functional roles cybersecurity specialists to empower other
confidential information, identify potential to ensure that people only have access to teams to respond effectively to threats.
vulnerabilities, and assess the potential resources that are necessary for their tasks. It In order to embed cybersecurity awareness
impact of security breaches on each segment. is advisable to separate administrative roles in the minds of employees, regular training
That way, each segment can be assigned a from other functions and thus strictly limit programs are needed that cover theoretical
security level based on the probability and access to critical configurations and sensitive aspects as well as practical exercises on
possible impact of a successful attack. information. real-life scenarios.

34 in d u s t r ial et h er ne t b o o k 09.2024
 Checkpoint 2:

SOURCE: MOXA
Cybersecurity
Close unused ports
Checkpoint 1: Password or services
protection Checkpoint 3:
Create a whitelist
Checkpoint 4:
Update security
patches

8 1
70 624
51
694 3
583 02
4 7
2
91
8 0

Device security checkpoints.

The corporate culture is also an important and best practices is also recommended to internal reviews, but also provides valuable
pillar for security awareness, emphasizing an ensure that security measures are mutually insights for the continuous improvement of
environment where team members can report reinforcing. cybersecurity.
security concerns without fear of reprisals,
which is crucial. Placing blame for security Network monitoring Continuous improvement
incidents is counterproductive. Instead, The first step of network monitoring is Cybersecurity is a never-ending task.
the focus should be on understanding the gaining a comprehensive understanding With defined processes for continuous
causes and taking corrective action. Praise of the activities within the industrial improvement, organizations create the
is also an effective way of encouraging ecosystem. With the help of modern tools preconditions for a continuous improvement
positive behavior. Recognizing vigilance and technologies, network traffic, device cycle. This should include the regular
and responsiveness encourages employees interactions and communication patterns review and refinement of security protocols,
to actively contribute to the safety of the can be observed in real time. This allows incident response procedures, and monitoring
company. anomalies, potential vulnerabilities, and mechanisms. The evaluation should involve
unauthorized access to be detected. team members from different departments
Security in the ecosystem Monitoring security breaches requires robust and hierarchical levels, and suggestions
A solid security strategy also takes all of the intrusion detection systems, log analysis, and should be considered without reservation.
company's partners into account. This starts an active search for signs of unauthorized Training programs, awareness campaigns, and
with defining clear rules. Authentication access, malware, or other security breaches. collaboration frameworks should also be part
should be one of the non-negotiable security This is where the aforementioned culture of of continuous improvement.
aspects, as it is proof of the legitimacy of encouraging employees to report security At the same time, the threat landscape is
interactions within the industrial ecosystem. incidents comes into play. constantly changing. Active participation in
Of course, authentication protocols must Every security incident should be threat intelligence networks and industry
comply with industry standards and meticulously documented, even (seemingly) forums as well as continuous training help
regulations. Apart from that, partner minor incidents. It is helpful to develop a prepare people for evolving threats.
assessments, audits and security practices standardized process for recording the details
should be continuously scrutinized by of the incident, the measures taken, and the Laurent Liou, Product Marketing Manager,
experts. lessons learned. Such documentation not Moxa.
Based on the principle "Together we are only ensures compliance with regulations, for
stronger", actively sharing threat intelligence example during audits, official inspections, or Learn More

35
09.202 4 i n d u s tr i a l e th e r n e t b o o k
IT-OT Convergence

IT-OT convergence leverages

advanced technology solutions
Advanced technology is driving the latest solutions for IT-OT convergence. In this special report, industry
leaders speak out about the impact of artificial intelligence, the move to software-based solutions, virtual
controllers and the ongoing push for more efficient, interconnected and agile operations.

SOURCE: ISTOCKPHOTO
“From a technology perspective, IT-OT Convergence remains critically important as industries increasingly seek to harness the full potential of digital
transformation. The progress made in this area is significant with advancements in edge computing, cloud platforms, and advanced analytics paving
the way for more integrated and intelligent manufacturing environments.” -- Ronny Hendrych, Program Manager, Industrial Operations X, Siemens.

TO TACKLE IT/OT CONVERGENCE CHALLENGES, Impact of Artificial Intelligence of cloud computing, simulation, Industrial
smart manufacturing companies are leveraging Accelerating the cycles of innovation. Internet of Things (IIoT), and edge
new technologies including use of Artificial computing into industrial environments.
Intelligence, software-based solutions and “Driven by faster innovation cycles, higher These technologies enable real-time data
virtual controllers to achieve a blending of cost and quality pressures and facing a lack collection, processing, and analysis directly
IT and OT systems that deliver more efficient, of talent combined with the sustainability at the production level (shopfloor), which
interconnected and agile operations. challenge, companies need to be able significantly enhances decision-making and
In this special report, the Industrial Ethernet to adapt their product development and operational efficiency.
Book reached out to industry experts to gain manufacturing in a speed that only software Another trend is the evolution of advanced
their perspectives on how IT-OT convergence is capable today. AI is shaping up to be a Manufacturing Execution Systems (MES)
efforts are continuing to focus on enabling strong driver to bring this needed change and Manufacturing Operations Management
seamless data connectivity, interoperability also to the shopfloor,” Ronny Hendrych, (MOM) systems that bridge the gap between
and scalability. Program Manager, Industrial Operations X at operational technology (OT) on the shopfloor
Here is what they had to say about bridging Siemens told IEB recently. and information technology (IT) systems,
the gap between IT and OT, and driving greater Hendrych said that, for that, the key such as Enterprise Resource Planning
operational efficiency and security in today’s technology trends in the IT-OT Convergence (ERP). These trends are driving the need for
complex industrial environments. discussion include the increasing integration seamless data connectivity, interoperability,

36 in d u s t r ial et h er ne t b o o k 09.2024
 IT-OT Convergence
and scalability across diverse industrial as more efficient resource utilization, faster industry is moving in the right direction.
setups. response times to production issues, and the The continuous innovation in this space
ability to implement predictive maintenance is helping companies to not only meet
Technology solutions strategies. This level of integration current operational needs but also to
Potential solutions to IT-OT Convergence also supports the adoption of AI-driven position themselves for future growth and
include Industrial Edge computing, applications, which can further optimize technological evolution. The importance
advanced SCADA (Supervisory Control processes and reduce costs. of IT-OT Convergence will only increase
and Data Acquisition) systems, and IIoT “To address the challenges of IT-OT as industries strive for greater efficiency,
platforms. Especially Industrial Edge integration, it's essential to understand how sustainability, and competitiveness. The
computing, for example, enables data to these technologies work together,” Hendrych progress made so far is encouraging,
be processed and analyzed closer to the added. “For instance, an Industrial Edge but ongoing efforts and collaborations
source (on the shopfloor), reducing latency solution typically involves the deployment between technology providers and industrial
and bandwidth issues, which are crucial for of edge devices, such as industrial PCs or companies will be essential to fully realize
real-time applications. Advanced SCADA dedicated edge gateways, on the shopfloor. the potential of this convergence.
systems act as a data integration layer, These devices collect data from sensors, PLCs “One aspect we need more focus on is the
harmonizing and contextualizing data from (Programmable Logic Controllers), and other change on how collaboration between IT
various OT sources before transmitting it OT components. The data is then processed and OT personal can be improved and how
to higher-level IT systems. IIoT platforms locally on the edge device, where it can be IT working modes (e.g. DevOps and stronger
facilitate connectivity and data exchange aggregated, filtered, and analyzed before use of simulation & test technologies) can
across different systems and locations, being sent to IT systems or cloud platforms.” be applied to fully benefit from those data
enabling centralized monitoring, predictive A SCADA system or an HMI (Human- driven paradigms in production,” Hendrych
maintenance, and optimization of production Machine Interface) system often acts as the concluded.
processes. intermediary, managing the flow of data
The importance of these technologies lies between OT and IT systems. It provides a
in their ability to break down data silos, unified interface for operators to monitor and Focus on scalability and
improve real-time decision-making, and control industrial processes while ensuring flexibility
enhance overall operational efficiency. By that the data is formatted correctly and IT and OT stakeholders share data and insights
implementing these technologies, industries securely transmitted to higher-level systems. more effectively.
can achieve higher levels of automation, Data integration layers like the Siemens
reduce downtime, and meet regulatory Industrial Edge Information Hub (IIH) further According to Jessica Forguites, Technical
requirements more effectively, ultimately enhance this process by providing additional Platform Lead at Rockwell Automation: “In
leading to increased competitiveness and tools for data processing, visualization, and the age of AI there are many technology
sustainability. To succeed, this has to become integration with cloud or IT systems. These trends shaping collaboration or convergence
a culture of data-driven decision-making technologies open new possibilities for of IT and OT groups and the technologies they
based on IT/OT integration. However, many addressing IT-OT integration challenges, use. Common discussions with our customers
IT/OT projects fail due to various inefficient such as ensuring data consistency, managing include investment in software targeted
IT/OT collaboration solutions. For this, the increasing volume of data generated by toward specific outcomes, investment in
these technologies have to be embedded in modern industrial systems, and providing infrastructure and networks to account
a systematic approach going from small use secure and scalable solutions that can grow for new requirements, and data streams
cases enrolling it to the whole organization at with the needs of the business. associated with their company’s goals.”
the speed of relevancy for those companies. Forguites said that potential solutions
Looking ahead to IT/OT convergence include integrated
Technology benefits Given the challenges of IT-OT Convergence network infrastructure, edge computing
“The specific technical benefits of these from a technology perspective, Hendrych gave solutions, and software and services that
solutions include enhanced data transparency, his opinion on the continuing importance support a unified framework in critical areas
improved scalability, and increased flexibility and progress made on this issue. like security and data management. These
in industrial operations,” Hendrych said. “From a technology perspective, IT-OT solutions enhance scalability and flexibility,
“For example, Industrial Edge computing Convergence remains critically important as help ensure consistent regulatory compliance,
allows for localized data processing, which industries increasingly seek to harness the improve collaboration among stakeholders,
minimizes latency and ensures that critical full potential of digital transformation,” and accelerate data-driven decision-making.
operations can continue even if there is Hendrych said. “The progress made in this “The technical benefits include enhanced
a disruption in cloud connectivity. This area is significant, with advancements reliability and uptime, improved data
is particularly important for applications in edge computing, cloud platforms, and integrity and consistency, and optimized
requiring real-time control and monitoring.” advanced analytics paving the way for more asset utilization, such as network resources,
SCADA systems with integrated Industrial integrated and intelligent manufacturing servers, and storage capacity,” Forguites
Edge solutions provide seamless Southbound- environments.” said.
Northbound communication, enabling a He added, however, that the challenges The technology operates by offering
smooth flow of data between OT and IT are still substantial, particularly in terms flexible segmentation options to manage
systems. This ensures that data from sensors of ensuring seamless interoperability data flows during system integration,
and controllers on the shopfloor is accurately between legacy OT systems and modern IT ensuring scalable and manageable asset and
captured, processed, and transmitted to infrastructures, maintaining data security, data identification over time. It also enables
enterprise-level systems for further analysis and managing the complexity of these IT and OT stakeholders to share data and
and decision-making. These technical integrations. Despite these challenges, the insights effectively, avoiding multiple sources
benefits translate into tangible improvements ongoing development of flexible, scalable, of truth, and supports operational continuity
in enterprise/automation integration, such and secure solutions demonstrates that the throughout ongoing system integrations.

09.202 4 i n d u str i a l e th e r n e t b o o k 37
IT-OT Convergence

SOURCE: ISTOCKPHOTO
“Potential solutions to IT/OT convergence include integrated network infrastructure, edge computing solutions, and software and services that support a
unified framework in critical areas like security and data management.” -- Jessica Forguites, Technical Platform Lead, Rockwell Automation.

“Businesses are increasingly reliant on and agile operations driven by a series of initiatives that provide higher performance,
data driven insight to achieve the outcomes technology trends: edge compute, easy installation, security,
they are looking for. This makes IT and OT Industrial IoT developments: vast and troubleshooting capabilities,” Diwakar
convergence a necessity for organizations availability of smart sensors and connected said. “The expectation from their networks
to remain competitive and secure, while industrial assets to collect real-time data will be such that it contributes to more
managing long term total cost of ownership for better monitoring and controlling the cohesive, responsive and secure operational
of their assets. The rapid progress of IT/OT physical processes environment alongside increase productivity
convergence has laid a foundation for more The need for large scale industrial networking: and helping them stay competitive in the
efficient operations, improved resiliency, higher speed connectivity with low latency marketplace.”
in addition to other digital transformation to support ever more advanced process Therefore, the technologies that can help
goals,” Forguites said. automation powered by seamless and secure in IT-OT convergence are: (1) Standardized
communication between the IT and OT systems networking hardware and software across IT
to unlock the promises of industry 4.0 and OT, (2) A common network management
Blending of IT and OT systems The rise of AI & ML enabled software platform, (3) Embedded security in network
More efficient, interconnected and agile applications that need operational data to equipment, and (4) unified IT/OT security
operations. predict anomalies, optimize operations, and platform to detect faster and better
enhance decision making. orchestrate response.
According to Krishna Diwakar, Technical Unified cybersecurity across IT and OT to Standard networking equipment across
Marketing Engineer at Cisco, “Traditionally, protect both operations and enterprise IT and OT can eliminate patchwork of
IT and OT teams have operated in silos, but networks and ensure that any security networks that offer different capabilities
recognition of integrating these two domains breaches remain contained and not spread and require multiple tools to manage and
are bringing them to work closer together from one domain to the other secure. A single management system for
and help the organization succeed. IT-OT Increasing use for hosted applications in the standardized environment can automate
convergence involves blending of IT systems datacenters, private, and public clouds for networking tasks across the entire network
which handle data management and business scaling resources for data storage, analysis, increasing consistency and reducing OpEx.
analytics with OT systems which manage and as well facilitating automation across IT and Embedded security in network equipment
control physical processes and machineries OT systems. rather than point products, and common
in verticals such as manufacturing, utilities, security operations streamline architectures
transportation, etc.” Solutions to IT-OT convergence and provide a more holistic view of threats
Diwakar stated that IT-OT convergence “In the coming years manufacturers will across the organization for better correlation,
fosters more efficient, interconnected continue to invest in smart network detection, and response.

38 in d u s t r ial et h er ne t b o o k 09.2024
 IT-OT Convergence
SOURCE: ISTOCKPHOTO
“The convergence of IT and OT offers numerous benefits, including increased efficiency, improved security, enhanced reliability, and the ability to
leverage digital technologies for innovation. As industries continue to evolve and become more technologically advanced, the trend towards IT and OT
convergence is likely to accelerate.” -- Krishna Diwakar, Technical Marketing Engineer, Cisco.

Diwakar said that solutions like the above automation. IT knows networking and for enterprise and operations, while purpose-
help organizations bridge the gap between IT security. This collaboration reduces the built for their respective environments and
and OT, driving greater operational efficiency, need for separate support teams and tools use cases, share components from the same
security, and adaptability in today’s complex and in most cases prevents re-inventing ASIC family and run the same operating system
industrial environments. the wheel,” Diwakar said. “OT teams can (IOS XE). Cisco industrial switches, routers,
leverage the automation expertise from IT and wireless equipment are all managed by
Enterprise/automation integration and avoid manual repetition of tasks with the same Catalyst Center that uses machine
“When IT/OT collaborate, each team focus a huge reduction in errors enabling quicker learning for predictive insights and automated
on their unique skill sets to define together time to market and adopt technological troubleshooting, minimizing downtime not
the right strategies and the technologies advancements with ease.” just for the enterprise but also for the OT
supporting them. OT knows industrial For example, Cisco networking products networks in single management pane.

SOURCE: ISTOCKPHOTO

Benefits of IT and OT collaboration led off by improved cybersecurity.

09.202 4 i n d u str i a l e th e r n e t b o o k 39
IT-OT Convergence

SOURCE: ISTOCKPHOTO
“Driven by the ever-increasing performance of computing hardware, IT and OT are moving from specialized hardware to software implemented products.
This is true, for example, in IT with virtualization and containerization or software defined networks. In OT, products like PLCs are moving from specialized
runtimes to support standard programming languages.” -- Dr. Lutz Jänicke, Corporate Product & Solution Security Officer, Phoenix Contact.

Diwakar said that a recent survey Addressing challenges Vision provides Identity Services Engine
conducted by Cisco and detailed in 2024 Diwakar said that commonality between the (ISE), a network access control and policy
State of Industrial Networking Report, shows network devices used in both IT and OT, enforcement engine, predominantly used in
the benefits that respondents recognize that for instance the Cisco Industrial Ethernet IT can now be used to automate and push
closer alignment of IT and OT would yield as switches, offer the ruggedization and security policies to the devices in the OT
shown in the chart below. compliance standards for industrial use, network in a consistent manner. It also
He added that Cisco industrial switches and but run the same IOS XE software as Cisco simplifies the tools needed to secure and
routers are the only industrial networking Catalyst enterprise switches making it easier optimize OT operations.
equipment on the market to offer OT visibility to use the common set of protocols like
capabilities. The embedded Cyber Vision NETCONF, RESTCONF and programmable APIs Continuing importance and progress
sensor inventories and profiles industrial to automate and gain insights into the OT “The convergence of IT and OT offers a
assets and enables real-time monitoring network. This common functionality makes it powerful combination of benefits, including
of application flows, without the need easier for the organization since they could improved operations, better data analytics,
for dedicated security appliances or SPAN leverage the skills IT already possesses, and and enhanced security. Cisco as the
networks. This comprehensive visibility no time is needed for learning new skills or networking and security market leader is
into industrial networks provides the basis ramping-up. building OT products that are both enterprise-
of automated network segmentation in OT Moving from unmanaged to managed grade and industrial-strength. Using Cisco
as required by ISA/IEC 62443 standards switches in the OT deployments helps networking products, OT and IT teams can
and enables adopting a common zero-trust focus on features like VLANs to segment forge a better partnership as Cisco meets the
framework across IT and OT networks to the network and QOS ensuring the traffic needs of both,” Diwakar said.
control which device can access what. flow gets the best treatment they would He added that a unified view of both IT
Reporting events to a single SOC platform, require and conserving bandwidth. Effective and OT cybersecurity threats is undoubtedly
such as Splunk, provides a comprehensive bandwidth utilization facilitates the efficient a huge win from a technology perspective. It
view of potential threats across IT and network resource usage, reduce latency and offers unified threat management that allows
OT environments which allows detecting achieve operational efficiency in Industrial for coordinated response and mitigation
advanced threats faster and better settings. efforts, a shared perspective that allows
coordinated response and mitigation efforts. Informed by the visibility that Cyber building of consistent security policies, and

40 in d u s t r ial et h er ne t b o o k 09.2024
 IT-OT Convergence
reduced risk of blind spots by monitoring of Processing of data using cloud services Soft controllers then evolved into
both IT and OT environments. and/or container technologies makes Programmable Automation Controllers (PACs)
“Looking beyond technology, a single deployments more effective. Of course, this that combine the advantages of controllers
vendor solution for IT and OT may also reduce integration comes with additional security and PCs. Virtual controllers are essentially
overall licensing and support costs resulting challenges due to increased connectivity. PACs that run within a virtual machine
in lower OpEx, provide a more predictable “IT environments are becoming more and managed by a real-time hypervisor or virtual
and manageable environment compared to more service oriented,” Jänicke said. “By machine monitor on a commercial-off-the-
multiple vendors, and help organizations packaging operations into microservices shelf (COTS) server. Virtual controllers, PACs,
create a networking and security blueprint functions become very modular and can be soft controllers, IPCs, and traditional PLCs
that they can replicate across their developed, deployed, and updated in small can all run industrial Ethernet communication
operations,” Diwakar said. increments. Concepts like DevOps would not networks including EtherNet/IP.
“The convergence of IT and OT offers be thinkable without these environments.
numerous benefits, including increased In addition, by using standard libraries and Advantages of virtual controllers
efficiency, improved security, enhanced offerings available in many languages like The advantages of virtual controllers stem
reliability, and the ability to leverage Java, C#, … a new function can be built from the fact that they are not tied to
digital technologies for innovation. As without digging into lower-level details.” the underlying hardware that the control
industries continue to evolve and become Jänicke said that the same is not fully software runs on and that they rely on
more technologically advanced, the trend applicable to lower-level automation systems. internet connectivity. This enables virtual
towards IT and OT convergence is likely to They still need to be developed to support machines to keep operating in the case
accelerate.” real-time operations and the deployment of a hardware failure by switching over to
needs to be stable. Using above mentioned a different server. Additionally, applying
technologies however allows to implement software patches for security or stability
Moving to software solutions “glue logic” that is easier to interface to the upgrades has traditionally been very difficult
OT becoming more closely connected to enterprise systems. Virtual PLCs that will be to accomplish with traditional controllers
enterprise systems. a very visible move in the convergence have that are spread throughout plants and not
been discussed for quite some time and seem typically connected directly to the internet.
Dr. Lutz Jänicke, Corporate Product & Solution to become available now. In contrast, virtual controllers can be
Security Officer, Phoenix Contact said that “The convergence is ongoing and will updated much faster in comparison when
“generally driven by the ever-increasing not stop,” Jänicke concluded. “It offers a security vulnerability or operational
performance of computing hardware, IT and advantages in effectiveness and efficiency improvement is identified. Further, the
OT are moving from specialized hardware of OT operations.” updates can be verified in a test environment
to software implemented products. This is before pushing the patch to production in
true, for example, in IT with virtualization Impact of virtual controllers the same way that traditional IT software
and containerization or software defined Automation and control software that is fully updates are made. Another significant
networks. In OT, products like PLCs are independent of the hardware. benefit of virtual controllers is that remote
moving from specialized runtimes to support management will allow for a larger amount of
standard programming languages. This According to Steven Fales, Director of data to be available for operations analysis
also includes the usage of (IT) standard Marketing at ODVA, “virtual controllers and improvement as well as maintenance
communication protocols instead of or in are an emerging technology in Industrial management.
addition to specific OT protocols. Automation that are set to enable greater
Jänicke said that OT devices and services IT-OT convergence going forward.” Specific technical benefits
are more closely connected to enterprise Fales said that what differentiates a virtual “Virtual controllers will allow for a much
systems to support the management and controller from a traditional controller is that greater level of IT-OT convergence than
monitoring of the systems and of course the the automation and control software is fully previously possible by bringing the full
production. independent of the hardware. This is made advantages of containerized software to
“An obvious technology trend is the possible by using standalone, executable industrial control. The ability to manage
implementation of artificial intelligence packages of software that include the code, thousands of virtual controllers in the
(machine learning). Impressing results can runtime, system tools, system libraries, and same way that traditional PCs are by IT will
be seen in drafting and translating texts or settings to run the desired applications. provide much faster software bug fixes and
in videos. As there is a strong dependency This is like the way that cloud servers run a more complete picture of an organization’s
on material to learn from, application in software independently so that different operations,” Fales said. “Traditional PLCs are
the OT area might be challenging. Still, servers can be used to scale up the possible limited to running embedded firmware on
the processing of such data would be an number of connections or to switch over to a specialized hardware that can make changes
IT-topic,” he added. different server in case there is trouble with or data gathering more challenging. The
the existing hardware. Industrial personal use of virtual controllers could also open
IT-OT convergence computers (IPC) were the initial basis for the development and maintenance of the
Jänicke said that both IT and OT are moving decoupling the software from the hardware in programming language code to a much wider
towards IT technologies. Communication is industrial controllers since standard personal group of professionals from the IT world
based on IP and web services, for example, computers were used to run industrial using more commonly used coding languages.
using REST interfaces. This allows for a software for control applications. This led While the development of specific control
seamless integration. Standardization is to the development of soft controllers that loop algorithms would be best left with
most important and is underlined by the role were originally based on IPC hardware and experienced OT engineers there are other less
of OPC UA. Additional synergies might be are capable of both traditional control as well critical tasks that can be done by software
found in the use of digital twin technologies as gateway, human-machine interface (HMI), developers with a smaller amount of domain
improving the exchange of data. web server connectivity, and more. expertise. Additionally, the implementation

09.202 4 i n d u str i a l e th e r n e t b o o k 41
IT-OT Convergence

SOURCE: EWON
“The advantages of virtual controllers stem from the fact that they are not tied to the underlying hardware that the control software runs on and that they
rely on internet connectivity. This enables virtual machines to keep operating in the case of a hardware failure by switching over to a different server. ”
-- Steven Fales, Director of Marketing, ODVA.

of artificial intelligence would also be easier PLCs that leverage embedded firmware and are specifications, usage of TCP/IP, real time
with virtual controllers given the ability to located on machine offer a level of reliability capabilities, media independence, and safety
more easily update the software as changes that is critical to operations uptime. and security services.
are made.” Automation applications that can tolerate “However, they will likely be running in
He added that the downside of virtual periods of unavailability are the initial target new virtual controller and cloud environments
controllers is that there are serious concerns for virtual controllers. It remains to be seen in the future to take advantage of the
regarding security, safety, and real time whether traditional controllers will stay in their lessons learned in IT of virtual patching
capability. While the historical security current form or if the advantages of virtual PLCs and remote management,” Fales said. “IT
by obscurity of traditional controllers has will start a shift toward decoupling hardware and OT technologies have and will continue
long since been rejected, there are definite from software and adding more reliance on to converge toward each other slowly
reliability advantages to having a physically internet connectivity to all controllers. but surely enabling industry to smoothly
onsite controller that adheres to IEC/ISA transition to the full advantages of cloud
62433 security standards and has limited Progress being made computing, artificial intelligence, and the
connectivity to the internet. Fales said that automation has made new technologies of tomorrow. As has been
Additionally, the reliance on internet significant strides moving from pneumatic constant in industrial automation for decades
connections could lead to challenges keeping controls in the 1950s to PLCs in the 1970s though, the new will need to coexist with the
an operation running properly either because and then from fieldbus to Industrial Ethernet old to keep the industries humming along
the machine would be constantly returning and PLCs to PACs in the 2000s. Industrial that provide for our basic needs including
to a safe state or would simply shut down Ethernet communication networks such water, food, and transportation.”
in the middle of a process in the case of an as EtherNet/IP will remain relevant going
intermittent internet connection. Traditional forward due to their adherence to IEEE Al Presher, Editor, Industrial Ethernet Book.

42 in d u s t r ial et h er ne t b o o k 09.2024
 Industrial Ethernet Solutions

2024
Corporate
Profiles

Learn about the companies

and technologies shaping the
future of Industrial Ethernet,
the IIoT and Industry 4.0.
Corporate Profile

Beckhoff Automation:
New Automation Technology
Beckhoff implements open automation systems using proven PC-based control technology. The main areas
that the product range covers are industrial PCs, I/O and fieldbus components, drive technology, automation
software, control cabinet-free automation, and hardware for machine vision.

SOURCE: BECKHOFF
PRODUCT RANGES THAT CAN BE USED AS Worldwide presence on all have never been changed, but only extended
separate components or integrated into a continents compatibly. This means that current devices
complete and mutually compatible control The corporate headquarters of Beckhoff can be used in existing systems without any
system are available for all sectors from Automation GmbH & Co. KG in Verl, Germany, problems and without having to consider
Beckhoff Automation. New Automation is the site of the central departments such different versions. The extensions include
Technology stands for universal and industry- as development, production, administration, Safety over EtherCAT for machine and
independent control and automation solutions sales, marketing, support and service. personnel safety in the same network, and
that are used worldwide in a large variety Beckhoff’s presence in the international EtherCAT P for communication and supply
of different applications, ranging from market is guaranteed by its subsidiaries. voltage (2 x 24 V) on the same 4-wire cable.
CNC-controlled machine tools to intelligent Beckhoff is represented in more than 75 And also EtherCAT G/G10, which introduces
building control. countries by worldwide cooperation partners. higher transfer rates, while the existing
EtherCAT equipment variety is integrated via
PC-based control technology EtherCAT – the Ethernet Fieldbus the so called branch concept: even here there
Since Beckhoff’s foundation in 1980, the Selecting the communication technology is is no technology break.
development of innovative products and important: it determines whether the control
solutions on the basis of PC-based control performance will reach the field and which Beckhoff Automation at a glance
technology has been the foundation of devices can be used. EtherCAT, the Industrial • 2023 global sales: €1.75 billion (+16%)
the company's continued success. We Ethernet technology invented by Beckhoff, • Headquarters: Verl, Germany
recognized many standards in automation makes machines and systems faster, simpler • Managing owner: Hans Beckhoff
technology that are taken for granted and more cost-effective. EtherCAT is regarded • Employees worldwide: 5,500 (FTE, March
today at an early stage and successfully as the "Ethernet fieldbus" because it combines 2024)
introduced to the market as innovations. the advantages of Ethernet with the simplicity • Engineers: 2,000
Beckhoff’s philosophy of PC-based control of classic fieldbus systems and avoids the • Subsidiaries/representative offices
as well as the invention of the Lightbus complexity of IT technologies. The EtherCAT worldwide: 40
system and TwinCAT automation software Technology Group (ETG), founded in 2003, • Sales offices in Germany: 23
are milestones in automation technology makes it accessible to everyone. With over • Representatives worldwide: >75
and have proven themselves as powerful 7,000 member companies from 72 countries
alternatives to traditional control (as of March 2023), the ETG is the world's Beckhoff Automation GmbH & Co. KG
technology. EtherCAT, the real-time largest fieldbus user organization. [email protected]
Ethernet solution, provides a powerful EtherCAT is an international IEC standard Phone: +49 5246 963-0
and future-oriented technology for a new that not only stands for openness, but also
generation of control concepts. for stability: until today, the specifications Visit Website

44 in d u s t r ial et h er ne t b o o k 09.2024
 Corporate Profile
Analog Devices: accelerating your
digital transformation journey
Access new insights from the Intelligent Edge with innovative solutions that solve the toughest industrial
automation challenges.

SOURCE: ANALOG DEVICES

ANALOG DEVICES (ADI) IS A GLOBAL LEADER From complete Time Sensitive Networking and security capabilities designed to connect
in the design and manufacturing of analog, solutions for high-performance motion control the real world to factory networks and beyond
mixed signal, and DSP integrated circuits. We in factory automation to innovative single pair to the cloud.
intelligently bridge the physical and digital Ethernet products for robust edge connectivity
worlds with a cutting-edge portfolio of in process/factory and building automation Why ADI?
technologies that sense, measure, interpret, – our market-leading Ethernet portfolio of Our long history, rich industrial expertise,
connect, power, and secure. ADI is not a combined software and hardware solutions and system design knowledge combines with
typical semiconductor company. We push the are scalable and timed to perfection. advanced technologies to deliver seamless and
boundaries of silicon technology, investing ADI’s Ethernet solutions encompass a range secure connectivity across the automation
heavily in software, systems expertise, and of advanced Industrial Ethernet technologies network, turning your vision of the connected
domain knowledge within our key markets such from real-time Ethernet switches to physical factory into reality. ADI ensures your time-
as industrial automation. The combination of transceivers and network interface solutions critical automation and control data is
this knowledge with that unmatched set of that include protocol stacks. Designed delivered perfectly on time, every time. Get to
analog-to-digital capabilities enables ADI to to support scalable and flexible system market fast by using ADI’s complete solutions
approach challenges at the system-level and development, the ADI Ethernet product that provide predictable, trusted results you
help our customers get to market faster, create portfolio offers multiple port count, low power can depend on every time. For deterministic,
and capture more value, and make sound consumption, and flexible bandwidth. Being verified robust, scalable and flexible solutions
investments with a roadmap to tomorrow. multiprotocol, these solutions are compatible that simplify system design and reduce the
with the majority of existing industrial development burden, look no further than
Industry-leading, scalable protocols while also providing the ability to Analog Devices.
Ethernet – timed to perfection future-proof for TSN networks.
We turn your vision of connected factories ADI’s Ethernet solutions are designed
into reality. ADI’s portfolio of compatible and and verified for robust operation in harsh Analog Devices
interoperable industrial Ethernet connectivity industrial environments and offer effective Email: [email protected]
products enables best-in-class industrial security at each node point within a system. Phone: +49 89 769030
automation solutions for the connected Our suite of industrial Ethernet products
factory of tomorrow. includes technologies, solutions, software, Visit Website

09.202 4 i n d u str i a l e th e r n e t b o o k 45
Corporate Profiles

Opto 22: Your Edge in

Automation
Let the engineers at Opto 22 help you build your connected automation system.

READY TO CONNECT AUTOMATION, ENTERPRISE,

SOURCE: OPTO 22
and cloud data? Opto 22’s groov family of
industrial edge controllers and I/O gives you
the integrated control, connectivity, and
cybersecurity tools to do it.
With groov EPIC and groov RIO, you can
bring brownfield systems into the next
generation of industrial automation.
Create cohesive OT data systems from
multi-vendor networks with OPC UA, MQTT,
and more.
Secure PLC, I/O, and equipment data
with built-in cybersecurity features like
encryption, mandatory user authentication,
and configurable device firewalls.
And you can collect, process, and publish
OT data where it’s needed, into on-premises
and cloud-based applications like databases,
CMMS, SCADA, and ERP.

Control and I/O options at the edge

For groov EPIC, develop real-time control
programs in a language you know: ladder logic,
function block diagram, flowcharts, Python, An edge programmable industrial controller, groov EPIC® is much more than a PLC or a PAC. It can
C/C++, and more. Build HMI screens for secure and simplify automation and IIoT projects, while reducing cost and complexity.
embedded or external touchscreens, PCs, and
mobile devices. Run Inductive Automation’s
Ignition Edge on the EPIC programmable software-configurable I/O, embedded software, Why choose groov?
industrial controller. and even CODESYS control programming in a Built on Opto 22’s nearly 50 years of
groov RIO edge I/O combines security, single compact edge device. experience, groov products are backed by
lifetime guarantees on solid-
state I/O, UL Hazardous
SOURCE: OPTO 22

Locations approval, ATEX

compliance, and a wide -20 to
70°C operating temperature
range.
Count on free pre-sales
engineering help and product
support as well. All Opto 22
products are developed,
manufactured, and supported
in the U.S.A.
Contact our engineers
today, and let’s talk about
what you want to do.

Opto 22
www.opto22.com

groov RIO® edge I/O offers over 200,000 software-configurable I/O combinations plus optional real-time control in a single, Visit Website
compact, PoE-powered industrial package.

46 in d u s t r ial et h er ne t b o o k 09.2024
 Corporate Profiles
Contemporary Controls:
Your Trusted Partner
Providing innovative and reliable solutions to the industrial automation industry for more than 49 years,
Contemporary Controls has been a leader in innovative solutions for industrial automation.

SOURCE: CONTEMPORARY CONTROLS

WITH MORE THAN 49 YEARS OF to the LAN side while keeping the
experience, Contemporary Controls same IP settings for the devices
has been a leader in innovative and the application, lowering
solutions for industrial automation. installation cost and eliminating
Contemporary Controls’ CTRLink trouble shooting.
products are designed for unattended The IP address for the WAN port
operation in environments not on the IP router is the only setting
conducive to office-grade equipment. that requires modification allowing
The products provide convenient multiple machines to reuse the
DIN-rail mounting in control panels, same configuration on the LAN
24VAC/DC power, UL 508, improved side. Skorpion routers have been
EMC compliance and reliability. successfully used in Robotics,
Contemporary Controls’ repeating Automated Guided Vehicles (AGVs),
hub, switches, media converters Packaging and Scientific Equipment.
and IP routers adhere to IEEE 802.3
standards and more. Specialty Simplified, Secure Remote
regulatory needs are addressed in Communication
selected models. Utilizing the EIPR/EIGR series VPN
routers, Contemporary Controls
Rugged Ethernet Switches offers three VPN solutions that
Whatever the Ethernet infrastructure need, a Innovative Diagnostic Switches deliver secure, remote access—RemoteVPN
solution is available from CTRLink products. For troubleshooting, diagnostic switches subscription service, and Self-HostedVPN and
For simple systems, plug-and-play unmanaged allows a network sniffer to attach to an BridgeVPN solutions. Hosted on the Internet
switches provide a cost-effective method for unused port on a switch and observe all traffic and maintained by Contemporary Controls,
expanding Ethernet networks. Most models on the network. RemoteVPN provides secure communication
include features such as auto-MDIX and auto- and the convenience of remote access without
negotiation. For demanding applications, Cost-Effective, Trusted IP Routers having to maintain a VPN server.
managed switches provide features such Contemporary Controls’ Skorpion series of IP Contemporary Controls’ Self-HostedVPN
as VLANs, SNMP, Quality of Service, port routers ease the integration of new machines and BridgeVPN solutions allow users to set up
security, port mirroring, alarming and cable into the existing network. Each machine and maintain their own secure remote access
redundancy. consisting of multiple IP devices connects without subscription fees and without the
need for a cloud-based VPN server.

Solutions You Can Depend On

SOURCE: CONTEMPORARY CONTROLS

With automation systems, applications vary

and can require a special product or need.
Contemporary Controls has worked with OEMs
in obtaining UL 864 compliance with some
CTRLink switches, and can help in other areas
such as private-labeling, unique packaging or
extreme environmental design.
Contemporary Controls’ customers are
systems integrators, contractors and
OEMs seeking simple, reliable networking
and control products from a dependable
source. With headquarters based in the US,
Contemporary Controls also has operations in
the UK, Germany and China and is well suited
to fulfil your application needs.

Contemporary Controls
www.ccontrols.com

Visit Website

09.202 4 i n d u s tr i a l e th e r n e t b o o k
47
Corporate Profiles

Machine and Device

Connectivity
Providing data-driven OT Insights.

SOURCE: SOFTING INDUSTRIAL/SHUTTERSTOCK

SOFTING INDUSTRIAL OFFERS ADVANCED AND
easy-to-use products and solutions for the
digitalization and networking of industrial
systems and processes. Our innovative solutions
help to increase the efficiency of production
and provide users with secure and flexible
connectivity between machines and systems.
They enable optimized data exchange, efficient
OT/IT integration, and seamless connections to
edge and cloud platforms.

Controller connectivity
Our controller connectivity products improve
the scalability and reduce the operating costs
of your applications, whether for brownfield
or greenfield projects. They provide access to
controllers from leading manufacturers and
IoT devices and improve connectivity at the
interface between OT and IT.

Connectivity for field devices

Our software and hardware gateways enable Seamless OT-IT Integration Drives Data-Driven Insights for Optimized Processes.
you to unlock HART, PROFIBUS, and other
device data in Plant Asset Management SCADA, MES or ERP via the OPC UA Unified Embedded Industrial Ethernet and
applications to optimize your commissioning, Name Space (UNS). Ethernet-APL
maintenance and diagnostic processes. Our solutions enable you to seamlessly
CNC machine connectivity integrate Industrial Ethernet and Ethernet-APL
OPC UA Unified Name Spaces We provide products to securely read data into your industrial devices. We support you
Use our solutions to collect and consolidate from CNC machines without changing the in implementing real-time Ethernet protocols
data to make it available in a consistent and machine configuration, and efficiently for reliable communication. Additionally, we
structured format for applications such as integrate it into IoT and cloud applications. offer flexible software solutions for various
embedded systems. This allows you to design
your network connection efficiently and
SOURCE: SOFTING INDUSTRIAL/SHUTTERSTOCK

future-proof.

Empowering Your Digital

Transformation with Seamless
Industrial Connectivity
With Softing Industrial, you gain a trusted
partner dedicated to enhancing your
industrial connectivity, ensuring your
operations are more efficient, secure, and
future-ready. Together, we can drive the
digital transformation of your business.

Softing Industrial Automation

GmbH
Email: [email protected]
Web: https://go.industrial.softing.com/
softing-ieb

Visit Website
Softing offers Advanced, Easy-to-Use Solutions for Digitalizing and Networking Industrial Systems.

48 in d u s t r ial et h er ne t b o o k 09.2024
 Corporate Profiles
Cisco - Powering smart industries
Cisco transforms critical industries by bridging the gap between IT and OT, and enabling AI-driven solutions
that empower smarter, safer, and more sustainable operations.

SOURCE: CISCO
Figure 1: Cisco industrial networking portfolio.

AN INDUSTRIAL NETWORK WITH SCALE, network devices are managed and secured by define policies for effective segmentation in
flexibility, performance, determinism, security, the same proven tools that IT has used and conjunction with Cisco Identity Services Engine
and resiliency is the key to reliable operations trusted for many years. Network innovations or Cisco Secure Firewalls. Cisco leverages its
where operational data can be easily harnessed allow OT teams to run advanced services unique enterprise security portfolios of products
for industrial agility and increased profitability. within the equipment obviating the need for and solutions, together with threat intelligence
additional servers, networking complexity, and from Talos®, one of the world’s largest security
Accelerate digital transformation expense, while increasing the collaboration research teams, to make security inherent and
For over 20 years, Cisco has offered a between IT and OT. embedded in the industrial network.
comprehensive portfolio of industrial switches,
routers, and wireless which are purpose-built for Protect operations Enable AI strategies
every industrial sector. Cisco industrial switches Cybersecurity is paramount in industrial Cisco industrial network provides the high
enable resiliency to minimize downtime, operations due to the critical nature of performance, low latency, and highly reliable
support communications protocols between the systems involved. A breach can lead infrastructure for data collection, transmission,
control systems and machinery with minimal to significant disruptions, financial losses, and analysis, enabling AI applications to drive
delay, and protect operations with visibility, and even physical harm. Deeper integration innovation, improve efficiency, and facilitate
data encryption, and network segmentation. between IT, cloud, and industrial networks is data driven decisions.
Cisco industrial Wi-Fi, Ultra-Reliable Wireless creating many cybersecurity issues that are
Backhaul, and LoRaWAN solutions extend the becoming the primary obstacle to industry Deploy confidently
wired network with dependable connectivity digitization efforts. Cisco makes designing, implementing, and
to mobile devices and sensors. Cisco industrial Cisco’s approach to industrial security securing your industrial network easier by
routers help securely connect your distributed starts with gaining deep visibility. Cisco Cyber publishing tested architectures, including
field operations over 4G/5G and SD-WAN to Vision runs within Cisco industrial networking those built with our partnerships with leading
your enterprise and the cloud. equipment, analyzes traffic, identifies assets, Industrial Automation and Control Systems
All Cisco industrial switches, routers, wireless discovers security vulnerabilities, and helps (IACS) vendors so you can deploy confidently
and minimize risk.

Cisco is the only IT/OT networking

company
Cisco’s industrial automation and control
networking solutions integrate industrial-
strength networking equipment with
enterprise-grade network management and
security tools and provide validated and
field-proven guides designed to accelerate
your adoption of and benefit from IIoT. Cisco
IIoT converges IT management and security
technologies with industrial networks, drawing
on both IT expertise and operational intelligence.

Cisco
Figure 2: Cisco connects and protects operations. Visit Website

09.202 4 i n d u s tr i a l e th e r n e t b o o k
49
Corporate Profiles

Rugged instrumentation for

reliable measurement and control
Moore Industries is a world leader in the design and manufacture of exceptionally rugged, reliable and high-
quality field and DIN rail-mounted instrumentation for the process monitoring and control industries.

MOORE INDUSTRIES WORLDWIDE SALES AND

SOURCE: MOORE INDUSTRIES

support offices provide first rate customer
service and solutions for the chemical,
petrochemical, utilities, petroleum extraction,
refining, pulp and paper, food and beverage,
mining and metal refining, pharmaceuticals,
and biotechnology industries.

IIoT Solutions built to Deliver

Field Data to your Host Systems
HART and MODBUS industrial communication
protocols have dramatically increased access
to device and process information that allows
you to make more effective operational process
decisions. Our Remote I/O systems including
the NCS Net concentrator System® and HART
gateways and converters such as the HES HART
to Ethernet Gateway System and HCS HART
to MODBUS Converter help integrate valuable convert and send RTD or thermocouple signals Programmable Limit Alarm Trip accepts inputs
data into your monitoring and control system ready for direct interface with an indicator, from over thirty RTD and Thermocouple sensor
strategy. recorder, PLC, DCS, or SCADA system. types, provides two or four independent and
Temperature assemblies and measurement individually-configurable alarm relay outputs,
Instrument Panels and Systems components include The WORM® flexible RTD and offers an analog output (-AO) option for
Engineering and thermocouple sensors, connection heads transmitter functionality to reduce installation
Moore Industries can specify, procure, and and enclosures, thermowells and fittings. Our costs/time.
assemble your multi-vendor electronic and TCS Temperature Concentrator System provides
pneumatic instrumentation/hardware into precision measurements via HART or MODBUS Functional Safety Solutions
custom-built instrument panels, systems RTU while significantly reducing hardware, Our spectrum of SIL 2 and SIL 3 capable
and enclosures. We will provide complete wiring, and installation costs. FS Functional Safety Series instruments
documentation, expert technical assistance, include signal isolators and splitters,
and the assurance that complete and thorough Programmable Alarm Trips single and multi-loop alarm trips and logic
testing has been performed. Provide on/off control, warn of trouble, or solvers, temperature transmitters and more..
provide emergency shutdown with one or Every instrument is built and approved for
Complete Temperature Solutions more programmable alarm (relay) outputs use in Safety Instrument Systems and are
Moore Industries Universal PC-Programmable, when a monitored process signal falls outside third-party certified by exida to IEC 61508
Smart HART® Temperature Transmitters of a selected high and/or low limit. Our SPA2 standards.
SOURCE: MOORE INDUSTRIES

More Than 55 Years Designing

and Manufacturing Rugged and
Reliable Instruments
Moore Industries has been proudly serving
the process instrumentation needs of global
manufacturers and automation companies
since 1968. Designing, building and
supporting more than 170 products across
14 product lines with unmatched systems,
support and services expertise.

Moore Industries Worldwide

www.miinet.com
Email: [email protected]

Visit Website

50 in d u s t r ial et h er ne t b o o k 09.2024
 Corporate Profiles
KLG Smartec:
Makes Industry Smarter
KLG Smartec specializes in industrial communication solutions, integrating high-quality Ethernet switches and
Smart Control Systems for reliable, high-performance industrial networking.

SOURCE: KLG SMARTEC

AT KLG SMARTEC (KLG), WE ARE DEDICATED
to advancing industrial communication
by integrating AI-powered solutions with
top-notch Industrial Ethernet Switches and
comprehensive Smart Control Solutions.
Our focus on Industrial Automation drives
us to prioritize high-quality Industrial
Communications, seamlessly blending
them with advanced industrial networking
technologies. Our expertise shines through
our commitment to developing AI-powered
Industrial Networking Solutions and efficient
Smart Control systems. This dedication ensures
peak performance and unwavering reliability in
our Industrial Network Infrastructure, adapting
to the ever-evolving landscape of industrial
internet. The ABN300 series powered by AUTBUS, the newly standardized IEC industrial broadband multidrop fieldbus.

Our Solutions multi-drop data network without protocol ensure fast and stable data transmission even
AUTBUS is a newly standardized IEC industrial translation. This integration enhances safety, in harsh industrial environments.
broadband multidrop fieldbus. It supports reliability, and operational efficiency. Kyland SICOM Series: This series includes
both balanced cables, such as twisted single- DIN-rail managed Ethernet switches, rack-
pair cables, and unbalanced cables, such Industrial Ethernet Solutions mounted managed Ethernet switches, Power
as coaxial cables. With a qualified twisted Industrial Ethernet Solutions are essential for over Ethernet (PoE) switches, and Layer 3
pair cable, AUTBUS can connect up to 254 maintaining robust and reliable communication managed rack-mounted backbone switches.
multidrop data network nodes over a distance in various industrial environments. Kyland’s These products are widely used across various
of up to 500 meters, at a data transmission industrial Ethernet solutions ensure high-speed sectors, including factory automation,
speed of 100 Mbit/s. Using OFDM technology data transfer, resilience to harsh conditions, and transportation, petrochemicals, wind power,
on the physical layer, AUTBUS is ideal for adaptability to evolving technological demands. and more.
demanding communication environments. Its Kyland Aquam Series: This series meets the Kyland Ethernet solutions offer high-speed
characteristics of broadband capability, low stringent reliability requirements of both rail data, durability, and adaptability to changing
latency, and determinism make AUTBUS well- transit and factory automation sectors. It is technologies.
suited for industrial wired data communication. ideal for applications where resistance to
AUTBUS Converter - ABN300 Series: The vibration and electromagnetic compatibility Our Applications
ABN300 series, powered by AUTBUS, supports (EMC) are critically important. Our applications deliver tailored solutions
data tunneling, which allows Ethernet- Kyland Opal Series: This series consists across multiple industries. In railway systems,
based transmission protocols and other of unmanaged Ethernet rail-type switches we ensure exceptional reliability and safety,
communication protocols, such as CAN bus, designed for applications in power, intelligent adhering to international standards. For factory
to be transparently transmitted from one data transportation, factory automation, video automation, our advanced solutions support
connection point to another via the passive surveillance, and other fields. These switches multiprotocol connectivity and enhance
operational efficiency. In the power sector,
SOURCE: KLG SMARTEC

we provide comprehensive support for reliable

and efficient generation and distribution.
Additionally, our solutions optimize operations
in the oil and gas industry, focusing on safety
and efficiency.

KLG Smartec GmbH

Arbachtalstrasse 6, 72800 Eningen,
Germany
Telephone: +49 (0) 7121 6952 804
Inquiry: [email protected]

Kyland Ethernet solutions offer high-speed data, durability, and adaptability to changing technologies. Visit Website

09.202 4 i n d u str i a l e th e r n e t b o o k 51
Corporate Profiles

One network, one solution

CC-Link IE TSN from the CC-Link Partner Association is the first and only open industrial Ethernet technology
to provide a converged network architecture by combining Time Sensitive Networking with gigabit bandwidth.

THE CC-LINK PARTNER ASSOCIATION (CLPA) IS

SOURCE: CLPA
an international organization dedicated to the
technical development and promotion of the
CC-Link family of open automation networks.
The CLPA was founded over 20 years ago in
November 2000, when it introduced CC-Link,
its highly respected industrial fieldbus
technology. This was followed in 2007 with
the widely adopted CC-Link IE, the first open
industrial Ethernet to offer gigabit bandwidth.
CLPA has since grown to be an acknowledged
industrial automation network technology
leader globally.
Today, CLPA’s key technology is CC-Link IE
TSN, the world's first open industrial Ethernet
that combines gigabit bandwidth with Time-
Sensitive Networking (TSN), making it the
leading solution for Industry 4.0 applications
and providing the foundation of the converged single network architecture, all without manufacturers. Together, these form a global
network architecture necessary to address compromising performance. This is the key installed base of about 43 million devices. The
the ever-changing challenges of 21st century to future industrial network convergence and CLPA’s technologies have found application in
manufacturing. only CC-Link IE TSN offers this functionality a wide variety of industries including but not
In order to meet demanding productivity today. This translates to key business benefits: limited to automotive, consumer electronics,
and quality targets, current production trends • Simpler, more cost-effective network semiconductor, food & beverage, packaging,
demand cost effectiveness, better process architectures and system designs material handling, water treatment and more.
insights, the shortest cycle times and the • Greater process transparency and better CLPA offers development support and
management of large amounts of process management certification for device makers and product
data. Complying to IEEE 802.1 standards, • Higher productivity developers wanting to take advantage of
CC-Link IE TSN provides this capability by • Better integration of OT and IT systems CC-Link IE TSN’s advanced capabilities in their
combining gigabit performance with the Currently the CLPA has over 4,300 member own compatible products.
integration of control, safety and motion companies worldwide, and more than 3,000 The CLPA has also been active in forming
data along with general TCP/IP traffic on a certified products available from over 390 relationships with other industry leading
associations such as the OPC Foundation and
SOURCE: CLPA

IT System
Cloud
IT PROFIBUS & PROFINET International and is a
Local Cloud
Ethernet Switch Microsoft Azure
IBM Watson CISCO
member of the TIACC organisation.
SAP HANA Cloud
Device B Device A Firewall
Wireless Router Ethernet
Switch
Ethernet
SERVICES
MQTT • Open industrial Ethernet
Service & MES SCM SCADA User XY
Maintenance ERP Reporting Analytics SCM DB • Time-Sensitive Networking
Edge Computing
• Gigabit & 100Mbit bandwidth
Analytics
Manufacturing System Predictive Maintenance
OT • Support for Industry 4.0
• Open fieldbus
Machine A Machine C
• Safety networks
• Motion control networks
Ethernet Switch
• Product certification
• Product development support
Ethernet Switch • Product promotion opportunities
Safety Controller Safety
Remote I/O
Safety Servo Cobot • PROFINET interoperability
Machine B
Controller Remote I/O Remote I/O Remote I/O Servo Servo CC-Link Partner Association
Email: [email protected]
Website: eu.cc-link.org
RFID Reader Laser Marker Weighing Systems Vision Sensor Servo Servo

Visit Website

52 in d u s t r ial et h er ne t b o o k 09.2024
 Corporate Profiles
Enabling the Future of
Industrial Networking
Moxa offers scalable, secure and reliable solutions that help enterprises strengthen their digital operations,
drive IT/OT convergence and build future-proof industrial organizations.

WITH OVER 35 YEARS OF INDUSTRY EXPERIENCE,

SOURCE: MOXA
Moxa is a global leader in edge connectivity,
industrial computing, and network
infrastructure solutions that empower the
Industrial Internet of Things (IIoT). The
company has connected more than 102 million
devices worldwide and serves customers in over
85 countries, delivering reliable networking
solutions and unparalleled customer service.
As industries navigate the challenges of
digital transformation, Moxa remains at the
forefront by providing resilient and future-
ready networking solutions, specifically
designed for IT/OT convergence. Moxa
helps businesses optimize their network
infrastructure to support the integration of
advanced technologies such as AI, IIoT, TSN,
and 5G, ensuring uninterrupted connectivity,
enhanced security, and simplified
management. Factory network diagram: Dual firewall DMZ and secure devices for assessment.

Defense-in-Depth Network Security

Industrial control systems are increasingly maximum uptime and operational reliability. and future network demands, ensuring robust
targeted by cyberattacks as industries shift network resilience and operational efficiency.
towards remote and distributed operations. Advanced Solutions for
Robust network security is now essential Futureproof Networks Simplified Industrial Network
to maintaining operational resilience and Industrial networks need to evolve to meet Management
ensuring safety. Moxa offers a defense- growing demands for performance, scalability, Effective management of industrial networks
in-depth approach to security, delivering and resilience. Moxa’s EDS-4000/G4000 Series is crucial for maintaining operational
multi-layered protection across all levels of industrial managed Ethernet switches offer a uptime and efficiency. Moxa’s MXview One
industrial networks. flexible and scalable solution that supports platform provides deep visibility and control
In adherence to the IEC 62443 cybersecurity future network expansions. With 68 models over IT/OT networks, offering real-time
standards, Moxa provides tailored security certified under the IEC 62443-4-2 standards, monitoring of wired, wireless, and IEC
solutions, including OT-centric firewalls, these switches allow for seamless integration 61850 substation networks. By simplifying
real-time visibility, and proactive threat of additional bandwidth, PoE power, and network management, MXview One helps
detection and response. The MXsecurity enhanced security features — all within a industries enhance operational efficiency and
platform enables industries to defend their compact, unified design. These futureproof uptime at all stages of network deployment,
operations from cyberthreats, ensuring switches are designed to support both current management, and maintenance.

Delivering Lasting Business Value

Moxa empowers industries with solutions
that drive long-term success. With a focus
on reliability, security, and scalability, Moxa
continues to be a trusted partner in digital
transformation for industrial automation. By
enabling industries to optimize their network
infrastructure, Moxa supports businesses in
staying competitive, secure, and ready for the
future.

Moxa GmbH
www.moxa.com
[email protected]
MXview One Central Manager: Real-time visibility and management of multi-site networks. Visit Website

09.202 4 i n d u str i a l e th e r n e t b o o k 53
 Industrial Ethernet Book
The only publication worldwide dedicated to
Industrial Ethernet Networking and the IIoT.
Visit iebmedia.com for latest updates.

New website offers deepest, richest archive of Industrial Ethernet and IIoT content on the web.

View and/or download latest issue of Industrial Ethernet Book and past issues.

Search our database for in-depth technical articles on industrial networking.

Learn what's trending from 5G and TSN, to Single Pair Ethernet and more.

Keep up-to-date with new product introductions and industry news.

 Digital tool life monitoring:

Technology
making machine data transparent
Metal machining is a standard process in the manufacturing of parts for the automotive sector. This is where
digitalization in manufacturing can help to optimize process flows and boost efficiency. In its production work,
Schlote Group utilizes the edgeConnector 840D from Softing to monitor tool life in its machining centers.

SOURCE:-FOTOGRAFIE HANUSCHKE
The medium- and large-volume processing of metal parts for the automotive sector is a key business segment for Schlote Group.

HIGH-VOLUME PRODUCTION OF AUTOMOTIVE Regular tool changes Data from the machine tool control
parts often involves the use of machining At Schlote Group’s Harsum facility, the focus The data needed – in this case, the number of
to further process cast parts. This particular is on processing parts made from steel. Tools processing cycles since the last tool change
area is a specialty for the midsize enterprise in the machining centers here are therefore – can be found in the CNC control inside the
Schlote Group. At nine facilities around the subject to high levels of wear. Depending machine tool. However, the challenge here
world, the company operates an extensive on the specific circumstances, individual is ensure the right data are extracted from
machine pool for metal processing and other tools may only have a life of a few thousand the machines in question and transferred to a
manufacturing processes. processing cycles. higher-level system.
Drilling, turning, milling, and other cutting On average, employees in production need While solutions are also offered by the
methods are part of the standard repertoire to change two to three tools every minute at machine tool makers, these are manufacturer-
here for processing engine, transmission and one of the many machining centers in use. For specific. This makes it impossible to obtain an
drivetrain components. To secure outstanding each tool responsible for handling a specific overview of the data from the overall machine
quality and high levels of efficiency, advanced processing step, a maximum number of pool, which includes machines from several
CNC machining centers and automated processing cycles is defined – after this time, makers. With the edgeConnector 840D from
production lines are used. the tool must be swapped out. Changing out Softing, Schlote Group has found a solution
True to the company slogan “Innovative the tool in time is the most effective way of that can retrieve the data from the Sinumerik
technology for success,” Schlote Group avoiding unplanned system downtime due to controls used in its machining centers.
works continuously towards improving tool breakage. “We use Windows servers as our standard
production and optimizing its process Carell: “The challenge here is monitoring all of IT systems,” Carell explains. “These provide a
flows. “This is where digitalization offers us the machining centers at the same time, so that Linux subsystem on which we can install the
huge potential,” says Sascha Carell, who is tool changes can be carried out well in advance edgeConnector 840D as a Docker container.”
responsible for shopfloor IT as the Group’s of any issues. So we were on the lookout for a Communication with the machine pool is
MES Team Lead. digitalized solution to handle this task.” then easily handled via the company-internal

09.202 4 i n d u str i a l e th e r n e t b o o k 55
 SOURCE: SOFTING INDUSTRIAL
Technology

The edgeConnector 840D from Softing accesses data from machine tools and supplies them to data consumers via an OPC/UA server (for example).

network. For machines featuring a Sinumerik next tool change. As soon as this counter with Designer.
840D Powerline control without an Ethernet a stored maximum value approaches zero, an Large screens showing dashboards with the
port, Softing offers a compatible adapter for employee has to change the tool. tool data have been installed in several places
the control’s serial interface. in the production areas at the Schlote facility.
The software is configured very quickly Visualization without programming The employees responsible for the machines
and easily via a browser-based interface. Further processing of the data supplied by the only need to glance up to see when the tools
The variables as well as the control and edgeConnector is unproblematic, as Softing are due to be changed. Other status data are
NC component can be selected in the makes use of open industry standards and also visualized alongside the tool data. These
corresponding tools, which generate the data protocols such as MQTT and OPC/UA. Schlote screens supplement the traditional “traffic
files that the edgeConnector can import. uses the Peakboard Designer to visualize the lights” on the machines. And operators are
Carell: “One thing that we wanted to get data for employees working in production. more likely to use the screens and dashboards,
right here was to have a solution that can This low-code application can be used to as they offer much more information. As one
also access data from the NC component and create visualizations even without extensive example, the screen tells them why the traffic
make these data easily available. Softing’s knowledge of coding. light has just turned yellow or red. “Being able
edgeConnector formats these process data Within the user-friendly interface, users to skim through all of the key data at a glance
into a clean and tidy process data tree.” A key work with building blocks to map out more is a real help for our production team,” says
factor for Schlote in this application is the complex process flows. To process the data Carell in conclusion.
tool monitoring counter, which indicates how from the edgeConnector, the OPC UA server
many parts can still be processed before the is selected as a data source in Peakboard Better integration with platforms
Integrating the edgeConnector 840D with
SOURCE: SCHLOTE GROUP

the Peakboard solution was also a positive

experience for Schlote’s MES Team Lead.
“I didn’t have to stop and work out a
software networking strategy, because the
manufacturers offer solutions that are designed
to fit together. This kind of architectural
compatibility and collaboratively developed
solutions package really offers great value for
end users. Carell was also highly impressed by
the experience of working with the Softing
team. “Softing responded promptly to new
requirements, also typically implementing
these over a short timeframe. At the end of
the day, this project was really like working as
part of a single development team.”

Dr. Jörg Lantzsch, Agentur, Softing Industrial.

Thanks to the data visualizations provided by Peakboard dashboards, employees can check tool
Visit Website
and machine data at any time.

56 in d u s t r ial et h er ne t b o o k 09.2024
 Heat treatment OEM chooses

Applications
flexibility and scalability
Heat treatment machinery OEM Mercer Technologies continues to innovate, adding energy cost per part. Using
energy monitoring, the company is able to calculate in real time how much it costs to heat treat parts, and can
accurately and effectively assign the cost of energy to the production of a particular component.

SOURCE:-OPTO 22
Mercer Technologies’ vacuum furnace utilizes Opto 22’s groov EPIC system with a variety of I/O modules.

INDUSTRIES LIKE AEROSPACE AND POWER is an expert on heat treatment processes. At Technologies’ Controls and Automation
generation, where the margin for error is Mercer, they not only perform heat treatments Engineer. “There’s annealing, brazing,
virtually nonexistent, utilize heat treatment on parts, they build full heat treatment pre-welding, post-welding, and so on. For that
to enhance the performance, durability, systems that they provide to their customers, reason, we wanted a platform that was flexible
and reliability of critical components. Heat and they refurbish existing heat treatment and scalable. Customization is a must.”
treating can improve strength, wear resistance, systems, breathing new life into existing
and lifespan of commonly used parts like machinery to extend service life and enhance Heat treatment challenges
camshafts, crankshafts, and turbines. performance. The heat treatment process involves heating
Mercer Technologies, a veteran owned and “All projects are different. Every furnace and cooling materials, typically metals, in a
operated company in Terre Haute, Indiana, is different,” explains Cody Young, Mercer controlled manner to alter their physical and

Vacuum furnace (exterior) Vacuum furnace (interior)

09.202 4 i n d u str i a l e th e r n e t b o o k 57
 SOURCE: OPTO 22
Applications

Mercer's most recent hardware design uses a groov EPIC System for Mercer's older systems, still running reliably, use an Opto 22 SNAP PAC
control. System.
mechanical properties without changing their before the treatment begins is a key part of longer and increases the overall cost of the
shapes. Heating to temperatures in excess of the process, and it can be accomplished in process. Vacuum furnaces, on the other hand,
1000° C requires a high degree of care and various ways. The atmospheric method, which which use vacuum pumps to decontaminate
precision. is done by purging the furnace with an inert the chamber, can reach their deepest vacuum
Ridding the chamber of contaminants gas like nitrogen, is generally safer but takes level in just a few minutes, but the operation
is a bit more perilous.
“Improper valve sequencing during vacuum
SOURCE: OPTO 22

furnace operation can cause oxygen in the air

to go where it’s not supposed to. Oxygen in the
wrong place can lead to potential explosions
or implosions, which is obviously a very bad
situation,” explains Young.

Application solutions focus

Back in 1994, when Mercer Technologies was
starting out, they needed a control solution
that could do two things: flexibly adapt to
a variety of applications and safely ensure
proper sequencing of valves to prevent
dangerous accidents.
Young found that the modular design
of Opto 22 products offered the hardware
scalability that Mercer needed. And OptoScript,
a scripting language found within Opto 22’s
PAC Control flowchart-based programming
software, offered the flexibility Mercer was
looking for. “Back in my college days at Ivy
Tech, we learned C++, so I was familiar with a
similar scripting language. I can customize it
however I want to,” Young recalls.
Beyond capable products, Mercer needed
a platform that offered local support. Based
Mercer HMI screenshot. in the USA with free product support, Opto

58 in d u s t r ial et h er ne t b o o k 09.2024
22 fit the bill. Young explains, “Opto 22

SOURCE: OPTO 22-

Applications
has competitors, but they are unmatched in
support, and using products made in the USA
is important to our mission. Every issue I’ve
ever had with Opto 22 products was resolved
quickly, usually with help from the OptoForums
[Opto 22’s factory-supported online community
forum for exchanging ideas and application
support].”

30 years later ...

Opto 22 has been providing solutions for
Mercer since the firm’s inception in 1994, and
today, Mercer has over 100 heat treatment
systems operating in the field at various
customer sites and 8 systems running in their
Terre Haute facility.
Young explains, “Vacuum chambers in
heat treatment systems used to be manually
controlled with pushbuttons and switches.
Automating with Opto 22 products has enabled
us to build a less error-prone system, but
most importantly, a safer environment for our
operators and customers.”

New products enhance heat

treatment process
While the heat treatment process itself Mercer's latest design incorporates a groov RIO EMU and a groov EPIC system.
hasn’t changed much since 1994, better
instrumentation and technology have opened
the door to further enhancements in safety, AVEVA’s OPC drivers provide seamless now accurately assign the cost of energy to
reliability, and intelligence. communication to Opto 22’s groov systems and the production of a particular component.”
also to legacy Opto 22 SNAP systems. With this new energy data, Mercer
Hardware Design Onboard the groov system, Node-RED, an Technologies can make informed decisions
Mercer’s most recent hardware design open-source flow-based programming tool for on how to optimize energy consumption and
utilizes Opto 22’s groov EPIC system with a IIoT applications, handles the RS-232 serial ensure pricing strategies are accurate and
variety of I/O modules that serve the following communication between the groov EPIC and competitive.
functions: third-party instrumentation.
• The GRV-CSERI-4 module (and in At the heart of the application is still Opto New opportunities
some cases, a USB-to-serial converter 22’s PAC Control. The flowchart programming Mercer Technologies isn’t done. Their recent
from Gearmo®) provides RS-232 environment is designed for safely controlling foray into groov products has opened the door
communication to a EuroTherm® a sequential operation like heat treatment. to new opportunities to enhance their product
temperature controller, which includes PAC Control handles all of the critical valve offering and better serve the industry.
PID loops for control, and a Televac® sequencing, and runs independently of the PC. One of Mercer’s customers, an Inductive
vacuum measurement instrument, which “For fail-safe reasons, the HMI is only used Automation® Ignition® user, recently
ensures proper vacuum levels. to view operations and to transfer recipes into expressed interest in adding their Mercer
• The GRV-OVMALC-8 module outputs a the PAC Control strategy. Once the values are Technologies equipment into their Ignition
4–20 mA signal to provide fine-tuned transferred and the process begins, the PC application. “I haven’t crossed that bridge
control of heating elements. could be unplugged, but the groov EPIC system yet,” Young says, “but my experience with
• The GRV-OMRIS-8 module’s relay outputs, will remain running to keep the furnace in a Opto 22’s support has been phenomenal. I’m
with a 5 amp capacity, control higher safe state,” explains Young. sure when the time comes, I’ll be able to find
current valves on the vacuum chamber. most of what I need on the OptoForums.”
• The GRV-OACS-12 similarly controls lower Powering through: the energy Reflecting on the 30-year history using Opto
current rated valves on the chamber. dynamics of heat treating 22 products, Young declares, “We’ve done a
• The GRV-IDCS-24 provides input from “In our most recent design, we’ve utilized a lot of refurbishing of older systems where we
pushbuttons and on/off feedback from groov RIO EMU [Opto 22’s IIoT-ready power replaced older, outdated controls with SNAP
valves. and energy monitoring module] to monitor and groov systems. We know they’ve been a
• The GRV-ITM-8 provides valuable energy consumption of a particular furnace,” success because of all the repeat business. I
temperature data through thermocouple says Young. “At max output, this furnace almost never deal with failed systems. We have
inputs. consumes nearly 350 kVA per hour, roughly systems that have been in the field for over 20
420 amps at 480 volts—enough to power an years that are still running.”
Software Design entire residential subdivision!”
Most of Mercer’s systems utilize Microsoft® Young goes on to explain, “With energy Application report by Opto 22.
Windows® 11 PCs running AVEVA® software monitoring, we can calculate in real time how
[formerly WonderWare®] for visualization. much it costs to heat treat parts, and we can Visit Website

09.202 4 i n d u str i a l e th e r n e t b o o k 59
 Maximizing automation efficiency
Technology

with Industrial PoE switches

This article explores how industrial PoE switches can maximize efficiency and flexibility in automation by
simplifying cabling, reducing installation time and centralizing management.

SOURCE: ANTAIRA TECHNOLOGIES

Use of Power Over Ethernet in car manufacturing.

INDUSTRIAL AUTOMATION IS A COMPLEX AND involved, nor does the installation require long and bandwidth can scale up to 10 Gbps for
rapidly evolving field that requires robust runs of steel conduit or earthing enclosures, end stations and up to 100G bps for backbone
and versatile networking solutions. One reducing initial deployment costs. Another networks. It also means a SCADA network that
technology that has emerged as a key enabler advantage of PoE is that it gives network deploys Ethernet as an access network can
of automation is Power over Ethernet (PoE), managers the ability to centrally monitor a benefit from PoE. A SCADA’s array of PLCs,
which combines power and data transmission device’s PoE power consumption and other RTUs, sensors and other end devices can all be
over a single Ethernet cable. power-related data. Nonessential devices being supplied with power simply by connecting the
monitored by a managed PoE switch can have device’s cable to an open switch port.
PoE in industrial automation their power automatically decreased or turned
The PoE standard was first approved by the off entirely when not in use. Flexibility is Industrial safety
Institute of Electrical and Electronics Engineers yet another benefit. Network devices can be While PoE is frequently touted for its flexibility
(IEEE) more than 20 years ago. This standard, mounted in previously inaccessible locations and infrastructure savings, this technology also
known as IEEE 802.3af, allows for up to 15.4W since power outlets no longer restrain their contributes to industrial safety.
of DC power per port. Since then, IEEE has placement. Swapping existing devices on the It is not unusual for the electrical systems
released updated standards. The most recent is network entails a little more than plugging in powering industrial facilities to be 480V or
IEEE 802.3bt Type 4, also known as 4-pair PoE the device’s Ethernet cable into a PoE network 600V, more than enough to injure an employee
(4PPoE) or PoE++. IEEE 802.3bt can supply up switch port. Also, PoE is standards-based, for from electrical shock, arc flash, explosions or
to 90W of power per port to a range of devices vendor interoperability. other hazards. Low-voltage PoE reduces or
such as IP PTZ cameras, gas analyzers, video An area of automation where PoE is paying eliminates the risks of short circuits, exposed
monitors and embedded computers that require dividends is Supervisory Control and Data wiring, or accidental contact with live voltage.
higher wattage. Acquisition (SCADA) networking. SCADA is a Overload protection, which guards against high
PoE has rapidly gained traction in the means of remotely monitoring and controlling power consumption and consequent damage to
industrial sector for a variety of reasons, just as equipment in automation processes in industries devices or cables, is also built into PoE devices.
it has in enterprise and commercial networks. such as manufacturing, oil and gas distribution, If an overload is detected, power distribution is
For one, it significantly lowers infrastructure utility power, and wastewater management. reduced or turned off to safeguard or repair the
complexity, especially in remote locations or One of the largest shifts in SCADA has been connected equipment and lower the possibility
areas of the plant without available power its evolution from serial networking protocols of overheating or a fire.
outlets. An electrician is not needed to install to the Internet protocol (IP). Adopting IP has Is electrical safety important in automation
or maintain a PoE cable due to the low voltages meant equipment costs are less expensive, projects? Overwhelming, the answer is yes.

60 in d u s t r ial et h er ne t b o o k 09.2024
 SOURCE: ANTAIRA TECHNOLOGIES
According to the National Fire Protection
Association (NFPA), electrical accidents in the

Technology
workplace cause thousands of injuries annually
and nearly one fatality per day.

Selecting a PoE managed network

switch
Network architecture, capacity, and scalability
must all be carefully considered when designing
an industrial automation network that can
accommodate PoE devices. This will require
configuring several PoE managed switches in
order to guarantee dependable and effective
network operation. So, what should you be
looking for in a managed PoE switch?

Ruggedized equipment
Numerous risks confront switch operation such as
electrical noise, humidity, corrosive chemicals,
vibrations, and extreme temperatures. To Antaira PoE managed Ethernet switches featuring 16 Gigabit PoE+ ports integrating robust M12
mitigate or reduce these factors, confirm connectors and capable of supplying 30 watts per port (IEEE 802.3 af/at) with two 10G SFP slots.
that you are purchasing industrial-grade PoE
managed switches featuring ruggedized,
environmentally hardened packaging with the it is good practice to have more to allow for into one link into the Industrial PC (IPC) will
appropriate ingress protection (IP) rating. expansion. Port count and the PoE standard often require a 10G link from the PoE switch to
Although less common, another threat is the will significantly impact the quality, scalability the IPC running the software.
presence of classified areas within a plant where and flexibility of your network. Having a mix Among the challenges facing the
volatile flammable liquids or gases are handled, of Gigabit and Fast Ethernet ports allows you manufacturer in deploying its machine vision
processed or used. In these environments an to cater to devices with varying bandwidth system was ensuring reliable connections from
explosion-proof switch will be required by Class requirements. the industrial PoE switches. Harsh conditions
1 Div 2 and ATEX codes. prevented use of the standard RJ45 connections
Compatibility found on most network switches since they
Bandwidth requirements Before power transmission can begin, the lack ingress protection and could disconnect
Switch bandwidth determines the data-carrying industrial PoE switch and the powered device due to vibrations from the heavy machinery.
capacity of a network, influencing the speed must negotiate to determine the device's power The automaker company also needed a powerful
and reliability of data transmission. Inadequate requirements. The outcome of the negotiation switch solution that transmitted image data
switch bandwidth can lead to network establishes whether the two are compatible and at high frame rates, along with a special low
congestion, latency, and compromised device whether the device can safely get the power voltage power (12-24V DC) needed for the GigE
functionality. Whether a 10/100, 2.5G, Gigabit, it needs. If successful, negotiation keeps the Vision cameras to properly operate.
or 10G switch is necessary will depend on your powered device from receiving too much or too To help make this project a reality, the
application. It is also a good strategy to plan little power; both conditions can damage the automaker selected Antaira LMP-1802-M12-
for extra bandwidth in case needs increase. device or cause it to malfunction. 10G-SFP-67-24-T PoE managed Ethernet
switches featuring sixteen Gigabit PoE+ ports
Power requirements Security features integrating robust M12 connectors and capable
Ensure the industrial PoE switch's overall power Having advanced security features in an of supplying 30 watts per port (IEEE 802.3
budget can simultaneously support all of the industrial PoE switch, such as port security af/at) with two 10G SFP slots. M12 designs
devices by factoring in each device's power and access control lists (ACLs), is essential provide extremely tight connections in areas
consumption. Industrial network devices, to protecting a network in light of growing subject to high vibration, shock, dust, liquid
including optical sensors, APs, networked concerns surrounding cybersecurity. or gases.
lighting, and IP cameras, have significant Besides the M12 connectors, LMP-1802-M12-
variation in wattage requirements, typically Case history: PoE in car 10G-SFP-67-24-T industrial switches are IP67
swinging between 15 watts to 100 watts. manufacturing rated as waterproof and dust-tight, plus operate
Confirm that the industrial PoE switches have Let's look at the actual case of an Antaira in an extended temperature range from -40°C
enough PoE power and power budget to support customer to get a better sense of the to 70°C for withstanding extreme conditions.
your devices. You’ll also need to factor in that importance of PoE in automation. In this Low voltage power requirements of the GigE
the maximum distance for PoE is 100 meters instance, the customer was an automaker Vision cameras were meet by the Ethernet
(328 feet) and that energy loss can occur over seeking to add visual guidance to its robotics switch’s 24~55VDC power input. In addition, a
longer distances. If that’s the case, you’ll need systems by installing new GigE Vision products separate Antaira switch offering two 10G SFP
to install additional network infrastructure, and machine vision cameras. In order to slots for fiber connections was installed as the
such as intermediate switches, PoE extenders simplify wiring, many GigE Vision cameras will high-speed link to the IPC.
or power injectors. use PoE for power so only one cable needs to
be run, for instance, on a robotic arm with the Henry Martel, field application engineer,
Port configuration and yypes camera able to recognize objects or to localize Antaira Technologies.
A switch’s required PoE port count depends on them for welding.
the number of PDs you plan to power, although Aggregating multiple GigE Vision cameras Visit Website

09.202 4 i n d u str i a l e th e r n e t b o o k 61
 TSN component certification from Avnu
Product News

TSN Component Certification for switches advances unified communication for Time-Sensitive Networking.

SOURCE: MOXA
Moxa obtains the world’s first TSN
Component Certification from Avnu Alliance.

MOXA HAS ANNOUNCED A GROUNDBREAKING deterministic capabilities into open, widely and effectively adopted across different
milestone in obtaining the world’s first TSN standards-based networking, the Avnu markets around the world.
Component Certification from Avnu Alliance Alliance Component Certification Program Moxa’s TSN Ethernet switches with Avnu-
for components used in its TSN-G5000 focuses on core TSN standards, including certified components have been deployed in
Series industrial Ethernet switches. Moxa’s timing and synchronization (802.1AS) success cases all around the world. Featuring
TSN-powered switches enable users to and enhancements for scheduled traffic a compact design and user-friendly interface,
design interoperable, deterministic, reliable (802.1Qbv). Manufacturers from different these Ethernet switches are ideal for a variety
end-to-end communications to achieve markets can now verify the compliance of of applications such as factory automation,
time-sensitive networking (TSN) for critical their components with the core TSN standards, dynamic mass customization, hydropower
industrial applications without the limitations resulting in improved interoperability and plants, and CNC machines. The TSN-G5000
of proprietary systems. easier integration with other systems. Series not only helps customers reduce
“The Component Certification Program is Leveraging its expertise in bridging the production times and increase efficiency,
the first of its kind to certify TSN capabilities gap between standard Ethernet and industrial but also showcases the benefits of TSN in
and serves as the industry platform for applications, Moxa supports the Component real-world applications, accelerating the
verifying conformance and cross-vendor Certification Program by providing testing digital transformation across various sectors.
interoperability of TSN components,” said products and completing test cases for network Through the TSN Component Certification
Dave Cavalcanti, President of Avnu Alliance. devices such as Ethernet switches, to help Program, Moxa believes that its commitment
“Moxa’s expertise and experience in industrial develop the program. Moxa’s experience with to advancing TSN technologies will continue
Ethernet and networking, as well as the global worldwide TSN projects such as the IEC/IEEE to set new industry benchmarks and drive
TSN standardization projects, brings crucial 60802 TSN profile for industrial automation innovations to meet the ever-changing needs
advancement to the program and improves and the IEEE 802.1 TSN Task Group, also of industrial automation.
deterministic and reliable end-to-end played a crucial role in translating IEEE SA
networking over TSN for various industrial 802.1 TSN standards into test specifications. Moxa
applications across vertical markets.” Moxa’s contributions helped ensure that these
As an industry forum for integrating component-level TSN technologies can be Visit Website

62 in d u s t r ial et h er ne t b o o k 09.2024
 Intelligent manufacturing hub

Product News
OpreX Intelligent Manufacturing Hub offers a proven data integration and visualization solution.
processes and thereby significantly

SOURCE: YOKOGAWA
reduces the amount of time required
to generate reports. Leveraging a
low-code/no-code environment,
customers can create their own RPA
software, or turn to Yokogawa for
the provision of a customized RPA
solution.
The OpreX Intelligent Manufacturing
Hub also allows for the drilling down
through data to find root causes and
gain insights. It is well suited for use in
a wide variety of industries, from oil &
gas to chemicals and pharmaceuticals.
Along with this solution, Yokogawa
will provide holistic support and
services through its global network
that are essential for the success of
any intelligent business tool project,
including definition of specifications,
training, maintenance, and technical
support.
Kunimasa Shigeno, a Yokogawa
Electric Senior Vice President &
Executive Officer and head of
the company's Digital Solutions
Sample KPI dashboards for personnel at all levels of the organization offers connectivity with RPA. Headquarters, said, “I am pleased to
announce the official launch of this
solution. Using a pre-release version
YOKOGAWA HAS ANNOUNCED THE GLOBAL a sufficient return on investment, but all this of OpreX Intelligent Manufacturing Hub, our
release in all markets other than Japan of requires considerable domain knowledge and skilled digital transformation consultants
OpreX™ Intelligent Manufacturing Hub. consulting expertise. and subject matter experts have already
By utilizing robotic process automation As a trusted provider and integrator of demonstrated their ability to identify and
(RPA) implemented in a low-code / no-code industrial automation solutions with deep solve issues. In keeping with our aim of
environment or through customization by domain knowledge, Yokogawa has the ability being a leader in the system of systems field,
Yokogawa, this data integration solution can to provide consulting on manufacturing and this solution allows for the integration of
significantly reduce reporting time. process control in a wide variety of industries. multiple corporate assets, eases collaboration
OpreX Intelligent Manufacturing Hub covers Based on the company’s understanding of across the organization, and creates a single
the full range of key performance indicators its customers’ infrastructure and business source of trusted data, giving our customers
(KPIs), workflows, and reporting at every level processes, it is able to verify and propose the information they need to make the right
of the organization, from the C-suite to the tailor-made solutions that utilize intelligent decisions at the right time. And by utilizing
plant floor, and employs a single database to business tools. RPA, they can dramatically reduce reporting
integrate and display on dashboards data that time. This is a proven solution that will enrich
customers need to make the right decision at Main features user experience and provide both value and a
the right time. User-friendly dashboards that visualize data solid return on investment.”
for decision makers at each layer of the
Development background organization Major Target Markets
Companies everywhere are looking for the Data from diverse operational technology Oil & gas, petrochemicals, chemicals,
right digital transformation (DX) solutions (OT) and IT data sources that has been renewable energy, power, pulp & paper,
that will help them to run their businesses securely integrated in a single database mining & metal, pharmaceuticals, food &
more efficiently. One common issue is that is visualized on feature-rich dashboards. beverage, water
the data they need is often scattered across Covering the full range of KPIs, workflows, and
different systems, with no interface available reporting at every level of the organization Applications
for automatic integrated access. from the C-suite to the plant floor, this gives Data integration and visualization, workflow
Business intelligence tools are available customers access to all the information they automation, management of business and
that can meet this need, but they must be need to make informed and timely decisions. plant process data
optimized based on each company’s unique
infrastructure to minimize incidents, eliminate Drastic reduction in reporting time Yokogawa
manual operations, reduce the amount of By incorporating the use of RPA technology,
time needed to generate reports, and ensure this solution eliminates the need for manual Learn More

09.202 4 i n d u str i a l e th e r n e t b o o k 63
 Exhanced CNC functionality
Product News

Siemens is paving the way for digital twins to acquire greater flexibility, productivity, and sustainability.

Siemens is introducing hardware and software

SOURCE: SIEMENS
for the Sinumerik 828D CNC specifically
designed for the compact and mid-range
machine market. The new PPU271.5,
PPU270.5, PPU290.5, and PU272.5 processor
units and the redesigned Sinumerik 828D MCP
(Machine Control Panel) operating concept
offer a wide range of functions and options
that increase the productivity, sustainability,
and efficiency of manufacturing processes.

Run MyVirtual Machine

The new processor units allow the Sinumerik
828D to be upgraded to software version
5.24, paving the way for Sinumerik Run
MyVirtual Machine. As with Sinumerik
One, the digital native CNC, Run MyVirtual
Machine allows NC programs to be created,
validated, and optimized using a digital
twin of the machine without interrupting
production. This reduces the set-up time on
the real machine by up to 20 percent and
minimizes production risks.
In addition, the working area of the Sinumerik 828D PU272.5.
machine, clamping, tool, and material
removal can be visualized in detail in
all phases of the NC program. Potential match the new generation of processor MyHMI/3GL can also be used to further
collisions can therefore be recognized units. This launches a more intuitive customize the user interface for specific
and eliminated in advance. Training new machine operation for the Sinumerik 828D areas of application.
employees with Run MyVirtual Machine also from Siemens, which offers CNC users
saves machine time and minimizes the risk greater user- friendliness, efficiency, and Enhanced connectivity, energy
of damage due to incorrect operation or flexibility. efficiency, and security functions
programming errors. The redesigned Sinumerik 828D MCP The new processor units have an X120
operating concept includes significantly interface, which enables connection
Redesigned operating concept larger and innovatively designed control to external devices like Sinumerik HT
The redesigned Sinumerik 828D MCP panels with 12.1- inch and 15.6-inch (Handheld Terminal) 10 or edge devices.
operating concept is being introduced to screens as well as mechanical keys. Create This extends the range of applications and
increases productivity.
SOURCE: SIEMENS

The Ctrl-E key combination also provides

the user with a comprehensive analysis
function that makes energy consumption
transparent. In the area of cybersecurity,
the new processor units offer security
functions like a security archive, user
management, and certificate storage, which
offers protection from manipulation and
product piracy.
With the new hardware and the associated
new software for the Sinumerik 828D,
Siemens is paving the way for digital twins
to acquire greater flexibility, productivity,
and sustainability. At the same time, the
range of applications for the control of
turning, milling, and grinding technology is
expanding to the areas of power and energy,
electronics and 5G, automotive, and more.

Siemens
Sinumerik 828D PPU271.5 and Sinumerik 828D PPU270.5 and redesigned operating concept Sinumerik
828D MCP. Visit Website

64 in d u s t r ial et h er ne t b o o k 09.2024
 GenAI automation platform

Product News
Transformative GenAI automation platform delivers powerful tool for power and water industries.

SOURCE: EMERSON
The Ovation Automation Platform with
GenAI will empower workforce, optimize
operations. As part of its release of the
Ovation™ 4.0 Automation Platform, global
automation and technology leader Emerson
is delivering transformative generative
artificial intelligence (GenAI) that will
enhance data to inform decisions, helping
power and water companies accelerate
growth, improve efficiencies and drive
more predictive, reliable and resilient
performance to their operations.
With the digital transformation of the
power and water industries, utilities and
municipalities now have vast amounts of
rich production, reliability, safety and
sustainability data for their operations –
yet much of it is fragmented and siloed.
Operators require a modern, future-proof
computing environment that can confidently
mine large and complex data sets and
harness the power of GenAI for better, more
efficient operational insights.

Ovation 4.0 Automation Platform

Emerson’s Ovation 4.0 Automation Platform
with integrated and dedicated GenAI
deployment, trained on a secure foundation
of knowledge-based data, will augment
workforce expertise and thought processes
to enhance productivity by prioritizing Transformative generative artificial intelligence (GenAI) will enhance data to inform decisions, helping
and automating tasks. The platform will power and water companies accelerate growth, improve efficiencies and drive more predictive, reliable
provide predictive guidance and recommend and resilient performance.
appropriate actions to increase reliability,
improve customer experiences and optimize control centers that monitor multiple • Security: Robust AI models will be used
overall operations. assets, acting as autonomous guardians as a tool to enhance cybersecurity by
“While global power operators are that provide prescriptive guidance to improving threat detection, response
experiencing unprecedented demands, we help with information processing and automation, vulnerability management
are also on the precipice of technological decision support. and overall security protocols.
advances that will forever change how we • Reliable, continuous operations: The Initially released on Microsoft Azure’s
and our customers work,” said Bob Yeager, Ovation GenAI assistant will predict OpenAI service, the Emerson Ovation GenAI
president of Emerson’s power and water maintenance requirements, helping will also be available on other large language
business. mitigate the impacts of common models that rely on closed, proprietary and
“The digital revolution is generating reliability issues such as faulty secure data sets.
so much valuable data that our Ovation sensors, mechanical wear, temperature “Today’s most forward-thinking power and
Automation Platform with GenAI can harvest fluctuations and pressure deviations. water companies will use our new Ovation
to create accessible, usable insights to In addition, real-time digital twin 4.0 Automation Platform with GenAI to help
inform smarter and more timely action.” simulation, coupled with AI models sort through their vast amounts of data,”
Through its AI-based capabilities, the new trained on plant-specific historic Yeager said. “By contextualizing data from
platform will help support: operations and maintenance, will the intelligent field, edge and cloud to make
• Workforce empowerment: AI assistants recognize abnormal conditions to better, safer decisions, this technology
will work side-by-side with operators identify how and why processes are will enable what is called ‘Boundless
of every experience level to optimize diverging from baseline operations. Automation™’ – breaking down data silos
workflows for more effective operations • Grid optimization: Facilitated by to liberate data and unleash the power of
and help diagnose issues and suggest AI-assisted predictive maintenance, the software.”
or implement control actions to return platform will offer advanced situational
to normal, safe operating conditions. awareness that improves decision-making Emerson
• Remote operations: AI will work in from power generation to delivery,
tandem with operators at centralized resulting in increased grid stability. Learn More

09.202 4 i n d u str i a l e th e r n e t b o o k 65
 Private 4G/5G network solution
Product News

CORE Network and RAN software with ME1310 platform for secure connectivity in harsh environments.

A Kontron and Amarisoft partnership is

SOURCE: KONTRON
promoting the use of private 5G solutions
for defense and security applications. The
integration combines the robust ME1310
Edge platform from Kontron with the CORE
and RAN software from Amarisoft. This ensures
uninterrupted connectivity reliable in isolated
and complex environmental scenarios.
The robust Kontron’s ME1310 edge platform
is designed for demanding applications and
is characterized by an exceptional durability,
performance and a reliable operation under the
toughest conditions. The platform combines
switching and timing for 4G/5G Open RAN
networks in a very robust, temperature-
independent (–40 °C to +65 °C) Platform
that can withstand extreme temperatures,
shocks and vibrations. The high processor
performance of the ME1310 and the
comprehensive connectivity options enable
seamless integration and optimal performance.
The platform allows can be easily configurability of Amarisoft Core Network within a very short time by installing a
integrated into the Amarisoft software and and RAN, allowing adaptation to a wide range software upgrade.
offers operators and system integrators of use cases with different TDD patterns,
benefit significantly in terms of performance, cell bandwidths, number of cells and MIMO Kontron
flexibility and Cost efficiency. The purely levels. They also offer more than 1000 active
software-based approach enables high UEs. New functions can be implemented Visit Website

Anybus protocol converter

Protocol converter connects serial devices to EtherCAT, EtherNet/IP, Modbus TCP or PROFINET controllers.

Bosch Rexroth has combined the Anybus

SOURCE: HMS NETWORKS

Communicator protocol converter with its
Smart Flex Effector to offer a highly versatile
compensation module.
To enable robots to perform new tasks,
the Smart Flex Effector needs to exchange
position measurement data with the robot
controllers, including information about the
deflection of the tool and control signals
for the module's locked and unlocked states.
To solve these connectivity challenges,
Bosch Rexroth turned to HMS Networks who
provided the Anybus Communicator Common
Ethernet, a ready-made protocol converter
capable of connecting serial devices to
EtherCAT, EtherNet/IP, Modbus TCP or
PROFINET controllers.
A key benefit of the Anybus Communicator
Common Ethernet was that the same unit can
connect to all the major Ethernet protocols.
The Anybus protocol converter was a that Bosch Rexroth includes the Anybus solution,” reported David Lehmann, System
solution because it can be reconfigured with Communicator as part of its complete Architect at Bosch Rexroth.
a firmware update and provide connections solution. “We decided to create an order
to the wide range of different protocols. number for the Anybus convertor, so that HMS Networks
The Smart Flex Effector and Anybus customers could buy it directly from us. So,
Communicator have worked so well together we sell both devices together as a complete Learn More

66 in d u s t r ial et h er ne t b o o k 09.2024
 Current measuring transducers

Product News
Precise measurement: new current measuring transducers with user-guided web-based management.

New current measuring transducers from

SOURCE: PHOENIX CONTACT

the ECM UC product family from Phoenix
Contact save users plenty of time with the
intuitive device configuration via web-based
management. The products measure direct,
alternating, and distorted currents in four
measuring ranges, starting from 0 to 100
mA through to max. 0 to 100 A, with a
transmission error of <0.5%. Modbus versions
enable the digital further processing of the
measured data.
Because the ECM current measuring
transducers can be configured via web-based
management, cumbersome software
downloading is no longer necessary. Here,
the device is simply connected to the PC via a
standard USB-C cable. During the configuration
process, both data transmission and power is
supplied to the device via the USB-C cable.
An external 24 V DC supply is not required
to operate the current measuring transducer.
The intuitive menu navigation simplifies a configuration file and can be imported and distorted currents in accordance with the
the settings on the device. In addition, easily to other devices, enabling the true RMS value measurement principle.
the live measured data of the current rapid commissioning of several measuring
components, such as the AC and DC currents, transducers with the same configuration. Phoenix Contact
can be visualized simultaneously in different The current measuring transducers of the
windows. The device settings are saved in ECM UC series measure direct, alternating, Visit Website

All-band GNSS antennas

Antenna provider u-blox introduces new all-band GNSS antenna for high-precision applications.

A global provider of leading positioning

SOURCE: UBLOX
and wireless communication technologies
and services, ublox, has announced a new
external GNSS antenna ANN-MB2 for wide
coverage, multi-constellation high-precision
applications.
Optimized for the u-blox high-precision
GNSS technology, ANN-MB2 is well-suited
for industrial automation, surveying,
autonomous vehicles, mobile robotics and
other applications requiring centimeter-
level position accuracy in challenging
environments.
The u-blox ANN-MB2 is a compact, high-
precision real-time kinematic (RTK) antenna
that supports L1, L2, E6/B3, L5, L-band,
and all major GNSS systems. This all-band
antenna features a robust architectural
design, superior multipath mitigation, and
versatile mounting options.
With its excellent price-to-performance
ratio, ANN-MB2 is suitable for easy multi-band, RHCP dual-feed stacked-patch available; production starts in Q4 2024.
evaluation and fast design-in of wide-band antenna element, a built-in high gain LNA
high-precision positioning applications, with wide-band SAW pre-filtering, and a ublox
paving the way for mass-market adoption. 5-meter antenna cable with an SMA connector.
ANN-MB2 includes a high-performance, ANN-MB2 engineering samples are Learn More

09.202 4 i n d u str i a l e th e r n e t b o o k 67