Industrial Ethernet Basics

1. The Priority Inversion: IT vs OT

In standard enterprise IT networking, the primary goal is protecting data (Confidentiality). In Industrial Operational Technology (OT), the primary goal is protecting physical assets and human safety (Availability). This inversion of priorities fundamentally changes how we design and troubleshoot networks.

2. The M.I.C.E. Framework: Physical Hardening

Industrial environments are hostile to electronics. The TIA-1005-A standard provides the M.I.C.E. framework (Mechanical, Ingress, Climatic, Electromagnetic) to categorize the severity of these environments.

Cabling Physics: The S/FTP Imperative

In M3/E3 zones, unshielded (UTP) cable acts as a massive antenna, picking up noise from nearby Variable Frequency Drives (VFDs). For Industrial Ethernet, we use S/FTP (Shielded/Foiled Twisted Pair). The foil protects against crosstalk, while the outer braid provides a low-impedance path to ground for common-mode noise.

Engineering Note: Always ground the cable shield at the patch panel or the industrial switch. Never "float" the ground, as an ungrounded shield can actually concentrate EMI onto the data pairs via capacitive coupling.

3. The Purdue Model: Logical Segmentation

The Purdue Enterprise Reference Architecture (PERA) remains the global standard for segmenting industrial networks. It ensures that a compromised email server in the office cannot directly command a robotic arm on the factory floor.

4. Industrial DMZ Architecture (Level 3.5)

The Industrial DMZ (iDMZ) is the most critical security layer in the Purdue Model. It acts as a "galvanic isolator" for data. No traffic should ever flow directly from Level 4 (IT) to Level 3 (OT).

6. Ring Redundancy: MRP vs DLR

In the Allen-Bradley/Rockwell ecosystem, Device Level Ring (DLR) is the dominant redundancy protocol. While MRP is open and vendor-neutral, DLR is optimized for EtherNet/IP.

• The Beacon Mechanism: The DLR "Ring Supervisor" sends out a beacon frame every 400 microseconds. If a device on the ring doesn't see the beacon within its timeout window, it immediately transitions to fault mode and starts forwarding on its alternate port. This results in recovery times of under 3ms, which is faster than most PLC scan times.
• MRP Disadvantage: While MRP is fast (10ms), it requires a more complex state machine and is generally configured at the switch level. DLR can be implemented directly on the I/O devices and drives, simplifying the cabling architecture.

7. Industrial Wireless (IWLAN): Physics of the Factory Floor

Standard Spanning Tree Protocol (STP) and even Rapid-STP (RSTP) are insufficient for industrial control. A 2-second convergence time during a cable break is enough to trip a safety interlock and shut down a multi-million dollar process.

• MRP (Media Redundancy Protocol): Standardized in IEC 62439-2. MRP defines a ring topology where one switch acts as the Media Redundancy Manager (MRM). It blocks a link to prevent loops and monitors the ring with "Test" frames. If the ring breaks, MRP recovers in under 10ms.
• PRP (Parallel Redundancy Protocol): Defined in IEC 62439-3. This is the gold standard for zero-downtime. Every packet is sent simultaneously over two completely independent LANs (LAN A and LAN B). The receiving device accepts the first packet and discards the duplicate. If one entire network is destroyed, the data continues to flow with zero failover time.
• HSR (High-availability Seamless Redundancy): Similar to PRP but uses a ring topology where packets are sent in both directions simultaneously. Ideal for substations and smart grids.

6. Determinism & TSN (Time-Sensitive Networking)

Standard Ethernet uses a "Best Effort" delivery model. In a high-precision robotic cell, this isn't good enough. You need Determinism: the guarantee that a packet will arrive within a precise microsecond window, every time.

7. Frame Structure Forensics

To troubleshoot Industrial Ethernet, you must understand the Layer 2/3 headers.

• PROFINET IRT (Isochronous): Bypasses the IP layer. The Ethernet frame uses EtherType 0x8892. It includes a Cycle Counter and Status bytes. Because there is no IP header, routing is impossible; IRT is strictly for local machine-level communication.
• EtherNet/IP (CIP over IP): Uses standard UDP/TCP headers. Real-time I/O data is typically sent via Implicit Messaging using UDP port 2222. Configuration and diagnostics use Explicit Messaging over TCP port 44818.

8. Multicast Forensics: The IGMP Crisis

Many industrial protocols, specifically EtherNet/IP, rely on Multicast (IGMP) to deliver I/O traffic to multiple controllers simultaneously.

If a network architect fails to enable IGMP Snooping and configure an IGMP Querier, the switches will treat multicast traffic as a broadcast. In a large facility with hundreds of I/O points, this creates a "Broadcast Storm" that saturates the CPU of every device on the segment.

7. Protocol Analysis: PROFINET vs EtherNet/IP

Not all Industrial Ethernet is the same. The protocols handle the OSI stack differently to achieve performance.

• PROFINET RT/IRT: Uses a specialized EtherType (0x8892) to bypass the TCP/IP stack entirely for I/O data. This reduces latency by eliminating the overhead of IP headers and port processing. IRT (Isochronous Real-Time) uses hardware-scheduled slots for sub-millisecond precision.
• EtherNet/IP: Relies on standard TCP/UDP and the Common Industrial Protocol (CIP). While more "IT-friendly" because it uses standard IP routing, it requires much more careful switch configuration (QoS and IGMP) to handle real-time traffic.
• Modbus TCP: The "grandpa" of protocols. Port 502. Extremely simple, but has zero security. No authentication, no encryption. It must be isolated in a strictly controlled VLAN with no outside access.

8. Security Architecture: IEC 62443

The ISA/IEC 62443 standard is the gold standard for OT security. It moves away from the "Meltable Perimeter" model and adopts Zones and Conduits.

• Zones: A logical grouping of assets with similar security requirements (e.g., "The Painting Cell Zone").
• Conduits: The communication paths between zones. Every conduit must be guarded by a firewall performing Deep Packet Inspection (DPI). A DPI firewall doesn't just see "TCP Port 502 allowed"; it sees "Modbus Write Command to Register 40001 is NOT allowed from this source."

11. Legacy Integration: Serial-to-Ethernet Forensics

Much of the industrial world still runs on RS-485/Modbus RTU. Integrating these into an Ethernet backbone requires Industrial Gateways.

The Latency Penalty: When a gateway encapsulates a Modbus RTU packet into TCP/IP, it must wait for the serial packet to "complete" (typically 3.5 character times of silence). If the serial baud rate is low (e.g., 9600), this adds a minimum of 4ms of delay before the Ethernet packet is even formed. Engineers must account for this "Packetization Timeout" when setting SCADA polling intervals.

12. Advanced Management: SNMPv3 vs Proprietary Tools

While IT switches are managed via SNMP or SSH, OT switches often use proprietary protocols for configuration (e.g., Profinet DCP). However, for centralized monitoring, SNMPv3 is essential.

SNMPv2 should be disabled globally in OT environments as it transmits "Community Strings" in cleartext. An attacker on Level 2 could capture the string and use it to disable ports or change VLAN assignments, effectively blinding the SCADA operators during a physical sabotage attempt.

13. Case Study: The 24V Power Ripple

We were called to troubleshoot a "ghost in the machine" where an industrial switch would reboot every time a heavy hydraulic press cycled.

The Investigation: The switch was powered by the same 24V DC DIN-rail supply as the press's solenoid valves. When the solenoids fired, they created a massive inductive kickback (voltage ripple) that dipped the 24V rail below the switch's minimum operating voltage for 50 microseconds.

The Lesson: Always use Dual Redundant Power Inputs on industrial switches. Connect one input to the machine's 24V rail and the other to a dedicated "Instrument Power" UPS. This provides both electrical and logical isolation.

14. Cable Jacket Forensics: PUR vs PVC vs LSZH

The chemistry of the cable jacket is just as important as the copper inside. In industrial settings, standard IT cable (PVC) will fail within months.

• PUR (Polyurethane): Extremely resistant to abrasion, tearing, and mineral oils. This is the standard for "Torsion" or "C-Track" cables used in robotics where the cable is constantly flexing.
• PVC (Polyvinyl Chloride): Standard for fixed installations. However, in the presence of UV light or certain chemicals, PVC leaches plasticizers and becomes brittle, eventually cracking and allowing moisture ingress.
• LSZH (Low Smoke Zero Halogen): Mandatory for tunnels, ships, and confined spaces. If a fire occurs, LSZH does not release toxic halogen gases (like Chlorine), preventing both human asphyxiation and the corrosion of nearby electronics by acidic smoke.

15. Summary of OT Networking Checklist

• Physical: Are all connectors M12 or IP67 rated? Is the cable jacket PUR for moving parts?
• Logical: Is the Purdue Level 3.5 DMZ strictly enforced with jump hosts?
• Protocol: Is IGMP Snooping enabled for EtherNet/IP? Is an IGMP Querier active?
• Redundancy: Is MRP or DLR configured? Has the convergence time been tested under load?
• Power: Are the switches fed by dual-redundant 24V DC sources?

16. Technical Encyclopedia: Industrial OT Terms