Hardened Networks Add Reliability to Remote Monitoring
IP-enabled video cameras have dramatically changed the way physical security can be implemented

By Jim Krachenfels, TJ Roe
Oct 01, 2012

		Industrial Ethernet is a powerful tool when planning for the deployment of
  remote security monitoring in any setting that has environmental challenges.
  Physical security is a concern for most segments of national infrastructure,
  from public utilities and transportation systems to private industry, local
  governments and education. The ability to deploy a seamless, highly reliable
  and redundant, high-bandwidth communications network is paramount. It must
  convey data, video—at various levels of resolution—and VoIP-based alerts and
  conversations. Industrial Ethernet, which has been adopted as a global communications
  standard by prestigious and powerful groups such as the IEC for power
  utilities (IEC 68150), provides the platform on which numerous manufacturers
  of security appliances and other industrial equipment can create widely available,
  well-priced, future-proof equipment.
  An examination of several case studies where sensitive locations deployed
  Ethernet-based security monitoring systems can prove instructive.
  
Protecting National Infrastructure
  Power utilities are at the center of a national (and international) effort to create
  security standards that can protect these national lifelines from intentional or inadvertent
  security breaches. Given the far-flung nature of the power grid, remote
  security monitoring enabled by an Ethernet communications network offers the
  most affordable answer to increased security and surveillance needs.
Nuclear Power Facility Uses Thermal Fence
  A nuclear power facility installed a fully integrated perimeter alert system for simultaneous
  threat detection and assessment capability. The thermal fence incorporates
  both thermal security cameras and control and management software for
  the sensors deployed around the perimeter, providing a full virtual fence solution.
  Hardened managed Ethernet switches integrated the internal control and monitoring
  activities with the perimeter monitoring and alarm system.
  
Managed industrial Ethernet switches provide the network transport system
  “glue” that transfers the information collected in the field to redundant servers in
  the central monitoring station. Multiple resilient rings ensure high availability in
  an environment where failure is not an option. The same communications protocol
  delivers video information to the security hub that manages up to 256 VLANs,
  providing secure data pipes and keeping various control and monitoring channels
  separate within the facility.
Managed switches also can reduce traffic through the use of protocols such as
  Internet Group Management Protocol (IGMP). The primary goal of IGMP is to
  eliminate unwanted multicast traffic from video feeds. Typically, IGMP requires
  expensive and complex layer-3 switch/router implementations to manage multicast
  video streams so that they are sent only to target switches. However, this nuclear
  facility used a combination of layer 2 switches, implementing IGMP-Snooping (a
  kind of IGMP-lite) and IGMP-L2, a Belden proprietary protocol developed by
  its GarrettCom brand. This brand also works with layer 2 switches that provide
  similar results with less complexity in many applications.
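
The layer-2 pruning described above, as an added example (not from the article, and not Belden or GarrettCom code): it models standard IGMPv2 snooping, not the proprietary IGMP-L2 protocol. The port numbers and group address used with it are constructed, and the model assumes plain 8-byte IGMPv2 messages with no member aging or group-specific query on leave.

```python
import socket
import struct

REPORT_V2, LEAVE, QUERY = 0x16, 0x17, 0x11  # IGMPv2 message types (RFC 2236)

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_igmp(msg_type: int, group: str) -> bytes:
    """Build an 8-byte IGMPv2 message (used here to construct sample input)."""
    addr = socket.inet_aton(group)
    csum = checksum(struct.pack("!BBH4s", msg_type, 0, 0, addr))
    return struct.pack("!BBH4s", msg_type, 0, csum, addr)

class SnoopingSwitch:
    """Layer-2 switch that learns multicast listeners from IGMP traffic."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.router_ports = set()  # ports where a querier was heard
        self.members = {}          # group address -> listener ports

    def snoop(self, port: int, msg: bytes) -> bool:
        """Update state from one IGMP message; reject malformed ones."""
        if len(msg) != 8 or checksum(msg) != 0:
            return False
        msg_type, _, _, raw = struct.unpack("!BBH4s", msg)
        group = socket.inet_ntoa(raw)
        if msg_type == QUERY:
            self.router_ports.add(port)
        elif msg_type == REPORT_V2:
            self.members.setdefault(group, set()).add(port)
        elif msg_type == LEAVE:
            self.members.get(group, set()).discard(port)
        return True

    def egress(self, ingress: int, group: str, snooping: bool = True):
        """Ports a multicast frame leaves on; without snooping it floods."""
        if not snooping:
            return sorted(self.ports - {ingress})
        out = self.members.get(group, set()) | self.router_ports
        return sorted(out - {ingress})
```

With a camera on port 1, a querier on port 8 and one viewing station joined on port 3 of an eight-port switch, `egress(1, group)` returns two ports where flooding would use seven.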
  
Far-flung Power Gen and Substations Require Flexible Options
  Power utilities have challenges beyond the protection of a single facility. The entire
  smart grid consists of complex interactions among power generation equipment,
  substations, transmission and distribution lines and consumers.
  
Centralized monitoring of operational data is critical for cost-effective operation
  while new regulatory requirements and good practices dictate increased access
  security. Connectivity across the smart grid uses the full gamut of technologies
  available. Some networks use Gigabit fiber backbones that stretch for miles, often
  configured in redundant rings for resiliency. When it is neither practical nor cost effective
  to lay dedicated fiber cable, connections may be accomplished with the use
  of Ethernet over wireless Ethernet or by sending Ethernet over WAN circuits (e.g.,
  DDS, T1/E1) from local telephone providers. A router equipped with a firewall
  is required at each end of the line to provide an electronic security perimeter to
  protect sensitive data. Further demonstrating the flexibility of IP, new routers have
  been developed that send data over a fiber or WAN backbone and also provide
  a cellular connection as backup. The flexibility of Ethernet transport equipment
  solves the problem of distance when aggregating security or operational activity
  data from remote sites for centralized monitoring, data storage and coordinated
  response when necessary.
Remote security applications typically consist of video cameras supplemented
  by access control devices that also provide personnel logging to meet NERC/CIP
  requirements. These security devices transmit either consistently or on an exception
  basis when an event occurs. The security information passes over the same
  communications channel as the data that is being transferred for monitoring and
  control of the equipment at that location. VoIP phones support secure communication when members of the maintenance or operations
  staff are at the remote site.
  
In many cases, the switches required to manage
  these security appliances are deployed in the field
  where they are exposed to temperature extremes and
  possibly moisture and dust; hardened networking devices
  are required. When the switches are installed inside
  remote substations, they need to be additionally
  hardened—sometimes called substation-level hardening—
  to withstand high electromagnetic radiation and
  the possibility of power spikes.
  
Crime Prevention and Personal Security
  
A more traditional application for many security
  dealers and integrators is a surveillance and security
  system designed to protect property and people.
  While a considerable number of these installations
  are deployed within buildings and can be supported
  by commercial-grade networking equipment, many
  others require that at least some of the networking
  equipment be installed in harsher environments.
  Industrially hardened switches, routers and other
  equipment are typically the best choice for installation
  in environments such as parking lots, garages
  and campuses, which are damp, dusty and regularly
  exposed to temperature extremes or high levels of
  electrical noise.
  
Campus Security in Weather Extremes
  
Campus security, like city-wide security, requires strategic
  planning. A college in central Florida provides
  video surveillance coupled with emergency phones
  campus-wide. This surveillance and VoIP system had
  the usual issues of connecting back to a central facility—
  with one extra consideration. Florida’s combination
  of frequent lightning strikes and relatively high
  water tables contributed to far too many failures in
  the emergency phone system.
The original network had two separate
  networks, a Cat-5e copper wire
  system for the emergency phones and a
  separate fiber optic and copper system
  that linked surveillance cameras. The
  phones were daisy-chained together
  while the camera system used a star topology.
  The campus had a shallow water
  table that was only 1.5 feet below the
  surface. During the frequent lightning
  strikes, electric current was conducted
  through the ground and found its way
  through the copper wiring installed,
  burning out the outdoor phones.
By integrating phone and camera
  services onto a single Ethernet network
  over a resilient fiber ring, the campus
  reduced cabling costs while increasing
  reliability. The new network runs over a
  fiber optic backbone that is terminated
  above the water table line on the camera
  and phone towers.
Because fiber does not conduct
  electricity, the extended use of fiber
  cabling, combined with a more aggressive
  grounding strategy that included a
  lightning rod on each tower, addressed
  the lightning issue.
To withstand the heat buildup and
  humidity of the Florida campuses, an
  industrially hardened switch, fully enclosed
  and with robust management
  capabilities, was required.
The new system is more reliable
  and significantly reduces deployment
  and maintenance costs. An automated
  alarm system monitors all managed
  switches every 10 minutes. When problems
  occur, the network analyst is immediately
  notified via email or text
  message. SNMP traps are stored on a
  syslog server for each switch and are
  available to help troubleshoot issues.
IP-based security devices and the
  associated ability to employ network
  convergence enable a wide variety of
  security applications that formerly
  were either impossible or impractical
  to deploy. Standards-based equipment
  and networking components not
  only reduce equipment, deployment
  and training costs, but they also provide
  a stable platform upon which to
  build future security systems. Ethernet’s
  ability to support data, video and
  voice over a single network further reduces
  complexity and cost in a security
  deployment.
Within the Ethernet community
  there are a variety of products designed
  to operate in different environmental
  conditions. Because security requires
  failsafe communication, choosing reliable
  equipment is a critical component
  of the design.

        This article originally appeared in the October 2012 issue of Security Today.