Network Equipment for Industrial Control Systems

I don’t know what it is, but there is something about building network equipment targeted at industrial control systems where the hardware manufacturer invariably loses it completely.

A bit of background – I mostly work in Transport. So when I build networks I do a sort of combination of not-quite-service-provider WANs (more below), enterprise networks (standard building/campus design) and networks for industrial systems.

When I say not-quite-service-provider WANs I mean this: they are still relatively large scale, spanning between tens of kilometers and thousands of kilometers. The number of devices ranges from a few dozen to a few hundred. Unlike a proper service provider, there is generally only one customer. Often they still use MPLS to separate off different security classes – control systems from CCTV, user networks from SCADA etc.

Unlike service providers there is no requirement to focus on billing and accounting. It’s all the one company (usually), and gigabit links are usually more than sufficient.

That’s the space I work in.

Every now and then I get an invite to a vendor session where they want to sell me some network equipment or another – and every now and then the vendor has made its niche by targeting industrial systems. Unlike some other companies (say, Cisco, Alcatel etc) who are a network equipment company first – with some equipment that fits into the industrial space – these companies are generally trying to be “the Cisco of harsh environments” or some other inane tag line.

Inevitably these companies seem to have a screw or two loose. I really don’t get it.

They try to sell you on a number of features which are usually quite nice – if not exactly unique. No or low number of moving parts (good for dusty environments). Electromagnetic immunity (good for near high voltage equipment). A number of DC power options – usually redundant power supplies. Low power requirements – and low heat generation. These are all generally great features for a deployment in a remote/harsh environment.

But then…they seem to drop the ball. Invariably, these guys are absolutely in love with layer 2 networks. Half the time I think it’s because they only make switches – and generally pretty low featured switches – so they have to talk up what they do make. But then they seem to go a little too far and hype their product up as a solution for everything.

The company, who I am not going to name, that sparked this post – was trying to sell me on just this. They showed me some screen shots of their network management suite from a recent deployment. Some 50-60 switches in a massive ring. Stretched across 20-30km. Really…Really??

Their “sales engineer” even glossed over the whole routing thing in a single throwaway line. Up came the network topology map – and he says – no lies – “You couldn’t do this with routing, because routing takes too long”. Quickly on to the next point (something about heat resistance or something – completely irrelevant now…). But really, takes too long? I am not even 100% sure what he meant. Either 1) routing takes too long to converge, in which case, no it doesn’t. Or 2) having to do an IP look-up at each hop takes too long, in which case – no it doesn’t – we can do routing in hardware these days – it’s not the 1980s, and if you are really concerned – get an MPLS switch and you go back to switching in the core. Oh, and the kicker – their switches could support up to 4096 MAC addresses. At that point it’s a fairly trivial task to turn their switching-ring nightmare into a hub-ring from hell.

In another sales spiel, a separate company said with pride that they had tested their horrible layer-2-everywhere solution “up to 250 devices” and were confident they could do more except for “the limits of IP addressing”. I am pretty sure their main sales engineer didn’t understand variable length subnet masks. These are 2 completely separate companies at events a couple of years apart.

Seriously, this is not comforting. The fact is, these terrible solutions get bought, and deployed a fair amount. It’s horrifying. These systems are pretty much a nightmare to maintain. Have you ever had to track down a MAC address from an ARP entry on the gateway through 2 or 3 switches? Let alone a ring of 50? These switch rings are always some horrible home-cooked proprietary solution with limited tools available to actually work out what traffic is going where.
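To make the two maintenance problems above concrete – the hop-by-hop MAC trace, and what happens once a switch’s MAC table (the 4096-entry limit mentioned earlier) fills up and unknown unicast gets flooded – here is an added example that is not from the original post or from any vendor’s product. It is a constructed Python model of a switch ring: every switch learns MAC-to-port mappings with a hard capacity, `g0/1` and `g0/2` are assumed trunk port names facing the next and previous switch, and spanning tree is assumed to block the link between the last switch and the first so that learning runs along a chain. `trace_mac` does the walk an engineer would otherwise do by hand from the gateway’s ARP table; `populate` reports how many MACs each switch could not learn (and would therefore flood).

```python
from dataclasses import dataclass, field


@dataclass
class Switch:
    """Minimal model of a layer 2 switch: a bounded MAC table plus trunk ports."""
    name: str
    capacity: int                                   # hardware MAC table limit (e.g. 4096)
    trunks: dict = field(default_factory=dict)      # local port -> neighbouring switch
    mac_table: dict = field(default_factory=dict)   # learned MAC -> port

    def learn(self, mac: str, port: str) -> bool:
        """Learn a source MAC on a port. Returns False when the table is full;
        a real switch then floods frames for that MAC out every port."""
        if mac in self.mac_table:
            self.mac_table[mac] = port
            return True
        if len(self.mac_table) >= self.capacity:
            return False
        self.mac_table[mac] = port
        return True


def build_ring(n: int, capacity: int) -> dict:
    """Constructed ring sw1..swN. Assumption: g0/1 faces the next switch, g0/2 the
    previous one, and STP blocks the swN<->sw1 link so the ring behaves as a chain."""
    switches = {}
    for i in range(1, n + 1):
        trunks = {}
        if i < n:
            trunks["g0/1"] = f"sw{i + 1}"
        if i > 1:
            trunks["g0/2"] = f"sw{i - 1}"
        switches[f"sw{i}"] = Switch(f"sw{i}", capacity, trunks)
    return switches


def populate(switches: dict, hosts: list) -> dict:
    """hosts: list of (mac, home_switch, access_port). In one big L2 domain every
    switch learns every MAC: on the access port at home, on the trunk facing the
    host elsewhere. Returns {switch: number of MACs it could NOT learn}."""
    order = list(switches)                       # sw1..swN in chain order
    overflow = {name: 0 for name in switches}
    for mac, home, port in hosts:
        k = order.index(home)
        for j, name in enumerate(order):
            p = port if j == k else ("g0/1" if j < k else "g0/2")
            if not switches[name].learn(mac, p):
                overflow[name] += 1
    return overflow


def trace_mac(switches: dict, arp: dict, start: str, ip: str) -> dict:
    """Resolve ip -> MAC from the gateway's ARP table, then follow the MAC from
    switch `start` across trunk ports until it lands on an access port."""
    mac = arp.get(ip)
    if mac is None:
        return {"ip": ip, "found": False, "path": []}
    path, current, seen = [], start, set()
    while current not in seen:                   # loop guard for a real ring
        seen.add(current)
        sw = switches[current]
        port = sw.mac_table.get(mac)
        path.append((current, port))
        if port is None:                         # not learned here: frames are flooded
            return {"ip": ip, "mac": mac, "found": False, "path": path}
        if port in sw.trunks:
            current = sw.trunks[port]            # keep walking towards the host
        else:
            return {"ip": ip, "mac": mac, "found": True,
                    "switch": current, "port": port, "path": path}
    return {"ip": ip, "mac": mac, "found": False, "path": path}


def demo_trace() -> dict:
    """Constructed 50-switch ring with 300 hosts; trace one host from the gateway on sw1."""
    ring = build_ring(50, capacity=4096)
    hosts = [(f"00:11:22:33:{i // 256:02x}:{i % 256:02x}", f"sw{i % 50 + 1}", f"f0/{i % 8 + 1}")
             for i in range(300)]
    populate(ring, hosts)
    arp = {"10.0.0.77": hosts[77][0]}            # constructed gateway ARP entry
    return trace_mac(ring, arp, "sw1", "10.0.0.77")


def demo_overflow() -> dict:
    """Constructed 5-switch ring whose tables hold 100 MACs, with 150 hosts attached."""
    ring = build_ring(5, capacity=100)
    hosts = [(f"00:aa:bb:cc:{i // 256:02x}:{i % 256:02x}", f"sw{i % 5 + 1}", "f0/1")
             for i in range(150)]
    return populate(ring, hosts)


if __name__ == "__main__":
    print(demo_trace())        # host 77 lands on sw28 f0/6 after walking 28 switches
    print(demo_overflow())     # every switch fails to learn 50 of the 150 MACs
```

The point the overflow report makes is the author’s: MAC table size is a per-switch limit that every host in the broadcast domain counts against, so a ring of 50 switches with a 4096-entry table has 4096 hosts of headroom in total, not per switch, and beyond that the “switches” degrade to flooding. On real equipment the equivalent check is polling MAC table utilisation per switch and alarming well before the limit.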

So, my main point is: if you are designing a network for some kind of industrial system please don’t deploy a giant ring. If the sales guy tells you “routing is slow” or “IP addresses can’t handle it”, red flags should be rising left, right and center. You may not need a L3 device at every single site, but don’t put dozens of switches in some horrible proprietary ring.

If you need their devices at the edge for power/heat/dust reasons – go for it. Just don’t build your entire WAN around edge devices. That’s ultimately what it comes down to – these companies are building edge devices. Their sales team thinks they just need to sell the edge devices as core WAN devices to get more sales. This is not what they are designed for – or at least not what they should be used for.


This entry was posted in Uncategorized by Tom.
