
Internet of Things


The first line of defense for industrial cybersecurity

In the IIoT era, previously unconnected systems are now connected over private or public networks to gain more insights and improve productivity. The downside of this connectivity is that industrial networks are no longer immune to cyberthreats. The upside is that a growing chorus of experts is sharing their knowledge to help shore up cybersecurity in industrial networks. Generally speaking, two methods are available for implementing industrial cybersecurity. One method is to secure the foundation of a network infrastructure and only allow authorized traffic to flow to the designated areas. The other method involves identifying critical assets and applying layered protection. Industrial secure routers and firewalls are essential to both of these methods as they are deployed at the front lines to prevent unauthorized access and traffic to industrial networks.

Key criteria for choosing industrial secure routers and firewalls

Industrial control systems can apply a defense-in-depth approach to protect critical equipment and secure various locations, device cells, function zones, and factory sites on an automation network. Defense-in-depth cybersecurity includes three types of controls: physical, technical, and administrative. First, implement physical controls by segmenting the network and creating boundaries between each segment. Next, apply technical controls by securing network traffic or filtering data packets. Lastly, enhance administrative security by managing IP addresses and adopting strong security policies.

Secure routers and firewalls provide an excellent way to achieve defense-in-depth cybersecurity on your network, but how do you choose the right router or firewall for your industrial application? Consider the following three criteria.

1. Adding firewalls without changing your network

Network segmentation involves breaking down the network into physical or logical zones with industrial firewalls. A firewall is an access control device that looks at the IP packet, compares the packet with preconfigured policy rules, and decides whether to allow, deny, or take some other action on the packet. Generally speaking, firewalls can be either routed or transparent, and the type you will need depends on the requirements of your application. Unlike routed firewalls, transparent firewalls allow you to keep the same subnet so that you can easily add firewalls to an existing network.

With transparent firewalls, you also do not need to change the network topology. Transparent firewalls are suitable for protecting critical devices or equipment inside a control network where network traffic is exchanged within a single subnet. Furthermore, you do not need to reconfigure IP subnets because transparent firewalls do not participate in the routing process.

2. Detect threats and protect critical data

Firewalls are akin to gatekeepers. Unfortunately, determined intruders may still be able to get through the gates on a segmented network. That’s why you need to constantly check the traffic that passes through the gates you have established. One way to achieve this is to filter out unwanted commands such as write or configure commands that could cause industrial processes to fail when needed or unnecessarily trigger a safe state during production.

Therefore, it is important for industrial secure routers and firewalls to support industrial protocol filtering at the command level — read, write, etc. — for more fine-grained whitelisting control. To secure the transmission of confidential data, consider building secure tunnels for site-to-site communications. In some scenarios, communications over public or untrusted networks will definitely require secure encrypted data transmissions. Under such circumstances, consider VPN capability when choosing industrial secure routers and firewalls.
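Command-level filtering as described above, sketched for Modbus/TCP. This is an added example, not code from the original article or from any vendor's product. The choice of Modbus, the policy table, the IP addresses, the sample frames and the function names are assumptions for illustration.

```python
import struct

# Public Modbus function codes, grouped by effect on the device.
READ_CODES = {0x01, 0x02, 0x03, 0x04}    # read coils, inputs, registers
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10}   # write coils, registers

# Constructed allowlist: (source IP, unit id) -> permitted function codes.
# Anything not listed is denied by default.
POLICY = {
    ("10.0.1.20", 1): READ_CODES,                 # HMI: monitor only
    ("10.0.1.30", 1): READ_CODES | WRITE_CODES,   # engineering workstation
}

def parse_modbus_tcp(frame: bytes):
    """Return (unit_id, function_code); raise ValueError if malformed."""
    if len(frame) < 8:                      # 7-byte MBAP header + function code
        raise ValueError("frame too short")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:                          # protocol id is 0 for Modbus
        raise ValueError("not Modbus")
    if length != len(frame) - 6:            # length counts unit id + PDU
        raise ValueError("length field mismatch")
    return unit, frame[7]

def decide(src_ip: str, frame: bytes):
    """Return (verdict, reason) for one request under POLICY."""
    try:
        unit, fc = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "deny", f"malformed: {exc}"
    if fc in POLICY.get((src_ip, unit), set()):
        return "allow", f"fc 0x{fc:02X} permitted for {src_ip} unit {unit}"
    return "deny", f"fc 0x{fc:02X} not permitted for {src_ip} unit {unit}"

# Constructed sample requests.
READ_REQ = bytes.fromhex("00 01 00 00 00 06 01 03 00 00 00 0A")   # read 10 registers
WRITE_REQ = bytes.fromhex("00 02 00 00 00 06 01 06 00 01 00 FF")  # write one register
BAD_LEN = bytes.fromhex("00 03 00 00 00 09 01 03 00 00 00 0A")    # wrong length field

if __name__ == "__main__":
    for ip, req in [("10.0.1.20", READ_REQ), ("10.0.1.20", WRITE_REQ),
                    ("10.0.1.30", WRITE_REQ), ("10.0.1.20", BAD_LEN)]:
        print(ip, *decide(ip, req))
```

The read-only HMI can poll registers but its write request is dropped, and a frame whose length field disagrees with its size is denied before the function code is even considered.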

3. Getting firewalls and network under control

In industrial applications, hundreds or thousands of firewalls could be installed to control data traffic and protect field equipment from malicious attacks. Furthermore, even more IP addresses could be on a network. As networks continue to expand, managing all of the devices, firewall rules, and IP addresses becomes more complicated. Therefore, network address translation (NAT) provides a very important function when deploying industrial secure routers and firewalls. NAT allows the reuse of machine IP address schemes on the same network and the connection of multiple devices to the Internet, using a smaller number of IP addresses. This not only significantly reduces maintenance efforts and administrative overhead, but also provides simple network segmentation. In addition, it enhances security for private networks by keeping internal addressing private from the external network.

Finding the right secure router or firewall for an application brings you to the halfway mark in successfully beefing up industrial network security. Using these criteria to help you make the right choice can remove some of the guesswork. For instance, a highly integrated industrial multiport secure router with firewall/NAT/VPN and managed Layer 2 switch functions provides everything that is needed. Nevertheless, whatever solution you ultimately choose, it should fit the specific application requirements.

Moxa www.moxa.com


Rapid roaming wireless technology addresses sensor-cable connectivity issues

Increasingly, modern factories are relying on Artificial Intelligence (AI) driven processes to optimize every step of production. Previously, sensors used to collect data for AI were connected with slow cable-driven serial protocols with RS-232 cables or twisted pairs for RS-422/485. With the development of newer technologies, however, there has been a transition to Ethernet-based communication. Two main factors played a key role in this process: one, the price of Ethernet nodes went down with the advent of cheap microcontrollers that included fully integrated Ethernet communication hardware in one chipset, and two, sophisticated new sensors came to market that were not compatible with old serial buses.

WIFI communication has become a key technology to deliver metrics from sensors, providing freedom from cables and allowing unrestricted 3D movements by a client in motion such as a vehicle or robot. The trouble is that 802.11ac wireless communication extends only 100 meters, a distance normally not sufficient for reliable service and requiring multiple access points be installed to cover a large area of operation. A moving vehicle or robot needs to constantly switch over communication to the next strong signal access point. The best solution is the implementation of 802.11r across the infrastructure that manages the switch-over mechanism with below 50 ms transition. However, some areas of a factory or warehouse may not support 802.11r. To address this situation, the ARS-7235-AC-T is an enhanced WIFI client that monitors surroundings and prepares new possible access point connection opportunities before die-down and drop-off connection processes take place. This unit is a dual-radio industrial WAP, with Rapid Roaming protocols to seek a new AP when communication is still healthy, assuring superior throughput and faster transitions with below 150 ms switch time.

IEEE 802.11r wireless roaming

Roaming has been a desired feature in wireless devices for decades. In 2002, the IEEE 802.11r standard was introduced and is still under heavy development with major fundamentals published in IEEE 802.11r-2008. The main goal of 802.11r was to hand over wireless connections between numerous APs along a client travel path without significant delay. It has been particularly important for Voice over Internet Protocol (VoIP) applications where human conversation requires 50 ms or better of transmission time to avoid undesired noticeable interruptions. The 802.11r standard allowed for speed with secure and seamless handoffs where authentication and Quality of Service (QoS) configurations were preconfigured ahead of switching to the next AP. It made for a stable throughput of data without delays caused by the regular authentication process.

To implement 802.11r, the wireless infrastructure needs to support this standard. This typically will require significant additional investment as most systems that support 802.11r must have a Wireless LAN Controller in addition to the APs that are then controlled by the Wireless LAN Controller. In applications where the necessary infrastructure does not exist and there are cost restrictions, Rapid Roaming technology can provide many of the same advantages at lower cost.

Infrastructure requirements for rapid roaming

The following is needed for the infrastructure:

1) Same Service Identifier (SSID)
2) Same Password
3) Same Security Mode
4) Same Band
5) Same Channel Width

For the rapid roaming technology to work correctly, it is necessary to use an access point with the same SSID and security key. When rapid roaming is enabled, the client device will be configured to scan for the surrounding APs. It is necessary to set slow scan time intervals to specify relatively slow scans when Received Signal Strength Indication (RSSI) signal levels are high and the client device can comfortably concentrate on delivering the maximum data throughput. Next, specify the RSSI threshold level that will indicate an imminent need for a new connection. When this level is reached, the client device will be performing fast scans looking for a new AP. When it is detected, it will authenticate and auto-connect to the new AP while simultaneously dropping the current connection. This active process eliminates weak signals deprived of links and prepares a new connection ahead when needed.

Additionally, there are two modes of channels for scanning. One mode is “standard” and it works when all the channels are scanned. The other mode is “intelligent” and it works when a client device, for example, goes back and forth along the same APs. In this scenario, it can learn those APs' channels and look for them automatically, further speeding up the reconnection process.
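The scan logic described above, as an added simulation that is not from the original article and is not the vendor's firmware. The threshold, scan intervals, AP names, channels and RSSI samples are constructed, and `simulate` is a hypothetical name.

```python
def simulate(samples, threshold=-70, slow=5, fast=1, channels=None):
    """samples[t] maps AP name -> (channel, RSSI in dBm) heard at second t.
    channels=None scans every channel ("standard" mode); a set restricts
    the scan to learned channels ("intelligent" mode).
    Returns (roam_events, scans_run)."""
    # Start on the strongest AP heard at t=0.
    current = max(samples[0], key=lambda ap: samples[0][ap][1])
    events, scans, last_scan = [], 0, None
    for t, heard in enumerate(samples):
        cur_rssi = heard[current][1] if current in heard else -100
        weak = cur_rssi < threshold
        interval = fast if weak else slow      # threshold switches scan rate
        if last_scan is not None and t - last_scan < interval:
            continue                           # no scan due: carry traffic
        last_scan, scans = t, scans + 1
        if not weak:
            continue                           # healthy link: background scan only
        candidates = {ap: rssi for ap, (ch, rssi) in heard.items()
                      if ap != current and (channels is None or ch in channels)}
        if candidates:
            best = max(candidates, key=candidates.get)
            if candidates[best] > cur_rssi:    # connect to the stronger AP
                events.append((t, current, best, candidates[best]))
                current = best
    return events, scans

# Constructed walk: the client moves away from AP-A (channel 36) toward
# AP-B (channel 149); RSSI changes by 3 dB per second.
WALK = [{"AP-A": (36, -50 - 3 * t), "AP-B": (149, -85 + 3 * t)}
        for t in range(12)]

if __name__ == "__main__":
    print("standard:   ", simulate(WALK))
    print("intelligent:", simulate(WALK, channels={149}))
    print("stale list: ", simulate(WALK, channels={36}))
```

The last call shows the failure mode of the learned-channel mode in this model: if the learned list does not include the channel of the AP ahead, the client keeps fast-scanning on a fading link and never roams.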

Warehouse wireless system

One example of where this scenario plays out is in a warehouse application with autonomous robots that move about the warehouse stocking shelves and fulfilling orders. Here, a legacy WIFI network was already in place to support employees connecting their PCs, tablets and phones, but the network did not have the necessary equipment to support 802.11r. Antaira was able to provide the solution by fitting each of the robots with an ARS-7235-AC wireless router that could implement Rapid Roaming technology at a fraction of the cost of installing an entirely new wireless network.

Antaira www.antaira.com
