Hardened Networks Add Reliability to Remote Monitoring

IP-enabled video cameras have dramatically changed the way physical security can be implemented

Industrial Ethernet is a powerful tool when planning for the deployment of remote security monitoring in any setting that has environmental challenges. Physical security is a concern for most segments of national infrastructure, from public utilities and transportation systems to private industry, local governments and education. The ability to deploy a seamless, highly reliable and redundant, high-bandwidth communications network is paramount. It must convey data, video—at various levels of resolution—and VoIP-based alerts and conversations. Industrial Ethernet, which has been adopted as a global communications standard by prestigious and powerful groups such as the IEC for power utilities (IEC 68150), provides the platform for which numerous manufacturers of security appliances and other industrial equipment can create widely available, well-priced, future-proof equipment. An examination of several case studies where sensitive locations deployed Ethernet- based security monitoring systems can prove instructive.

Protecting National Infrastructure

Power utilities are at the center of a national (and international) effort to create security standards that can protect these national lifelines from intentional or inadvertent security breaches. Given the far-flung nature of the power grid, remote security monitoring enabled by an Ethernet communications network offers the most affordable answer to increased security and surveillance needs.

Nuclear Power Facility Uses Thermal Fence

A nuclear power facility installed a fully integrated perimeter alert system for simultaneous threat detection and assessment capability. The thermal fence incorporates both thermal security cameras and control and management software for the sensors deployed around the perimeter, providing a full virtual fence solution. Hardened managed Ethernet switches integrated the internal control and monitoring activities with the perimeter monitoring and alarm system.

Managed industrial Ethernet switches provide the network transport system “glue” that transfers the information collected in the field to redundant servers in the central monitoring station. Multiple resilient rings ensure high availability in an environment where failure is not an option. The same communications protocol delivers video information to the security hub that manages up to 256 VLANs, providing secure data pipes and keeping various control and monitoring channels separate within the facility.

Managed switches also can reduce traffic through the use of protocols such as Internet Group Management Protocol (IGMP). The primary goal of IGMP is to eliminate unwanted multicast traffic from video feeds. Typically, IGMP requires expensive and complex layer-3 switch/router implementations to manage multicast video streams so that they are sent only to target switches. However, this nuclear facility used a combination of layer 2 switches, implementing IGMP-Snooping (a kind of IGMP-lite) and IGMP-L2, a Belden proprietary protocol developed by its GarrettCom brand. This brand also works with layer 2 switches that provide similar results with less complexity in many applications.

Far-flung Power Gen and Substations Require Flexible Op tions Power utilities have challenges beyond the protection of a single facility. The entire smart grid consists of complex interactions among power generation equipment, substations, transmission and distribution lines and consumers.

Centralized monitoring of operational data is critical for cost-effective operation while new regulatory requirements and good practices dictate increased access security. Connectivity across the smart grid uses the full gamut of technologies available. Some networks use Gigabit fiber backbones that stretch for miles, often configured in redundant rings for resiliency. When it is neither practical nor cost effective to lay dedicated fiber cable, connections may be accomplished with the use of Ethernet over wireless Ethernet or by sending Ethernet over WAN circuits (e.g., DDS, T1/E1) from local telephone providers. A router equipped with a firewall is required at each end of the line to provide an electronic security perimeter to protect sensitive data. Further demonstrating the flexibility of IP, new routers have been developed that send data over a fiber or WAN backbone and also provide a cellular connection as backup. The flexibility of Ethernet transport equipment solves the problem of distance when aggregating security or operational activity data from remote sites for centralized monitoring, data storage and coordinated response when necessary.

Remote security applications typically consist of video cameras supplemented by access control devices that also provide personnel logging to meet NERC/CIP requirements. These security devices transmit either consistently or on an exception basis when an event occurs. The security information passes over the same communications channel as the data that is being transferred for monitoring and control of the equipment at that location. VoIP phones support secure communication when members of the maintenance or operations staff are at the remote site.

In many cases, the switches required to manage these security appliances are deployed in the field where they are exposed to temperature extremes and possibly moisture and dust; hardened networking devices are required. When the switches are installed inside remote substations, they need to be additionally hardened—sometimes called substation-level hardening— to withstand high electromagnetic radiation and the possibility of power spikes.

Crime Prevention and Personal Security

A more traditional application for many security dealers and integrators is a surveillance and security system designed to protect property and people. While a considerable number of these installations are deployed within buildings and can be supported by commercial-grade networking equipment, many others require that at least some of the networking equipment be installed in harsher environments. Industrially hardened switches, routers and other equipment are typically the best choice for installation in environments such as parking lots, garages and campuses, which are damp, dusty and regularly exposed to temperature extremes or high levels of electrical noise.

Campus Security in Weather Extremes

Campus security, like city-wide security, requires strategic planning. A college in central Florida provides video surveillance coupled with emergency phones campus-wide. This surveillance and VoIP system had the usual issues of connecting back to a central facility— with one extra consideration. Florida’s combination of frequent lightning strikes and relatively high water tables contributed to far too many failures in the emergency phone system.

The original network had two separate networks, a Cat-5e copper wire system for the emergency phones and a separate fiber optic and copper system that linked surveillance cameras. The phones were daisy-chained together while the camera system used a star topology. The campus had a shallow water table that was only 1.5 feet below the surface. During the frequent lightning strikes, electric current was conducted through the ground and found its way through the copper wiring installed, burning out the outdoor phones.

By integrating phone and camera services onto a single Ethernet network over a resilient fiber ring, the campus reduced cabling costs while increasing reliability. The new network runs over a fiber optic backbone that is terminated above the water table line on the camera and phone towers.

Because fiber does not conduct electricity, the extended use of fiber cabling, combined with a more aggressive grounding strategy that included a lightning rod on each tower, addressed the lightning issue.

To withstand the heat buildup and humidity of the Florida campuses, an industrially hardened switch, fully enclosed and with robust management capabilities, was required.

The new system is more reliable and significantly reduces deployment and maintenance costs. An automated alarm system monitors all managed switches every 10 minutes. When problems occur, the network analyst is immediately notified via email or text message. SNMP traps are stored on a syslog server for each switch and are available to help troubleshoot issues.

IP-based security devices and the associated ability to employ network convergence enable a wide variety of security applications that formerly were either impossible or impractical to deploy. Standards-based equipment and networking components not only reduce equipment, deployment and training costs, but they also provide a stable platform upon which to build future security systems. Ethernet’s ability to support data, video and voice over a single network further reduces complexity and cost in a security deployment.

Within the Ethernet community there are a variety of products designed to operate in different environmental conditions. Because security requires failsafe communication, choosing reliable equipment is a critical component of the design.

This article originally appeared in the October 2012 issue of Security Today.

Featured

Featured Cybersecurity

Webinars

New Products

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles. 3

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis. 3

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3