Ethernet-APL: A secure yet familiar path forward
Bringing Ethernet technology that last mile to the field instrument represents perhaps the ultimate convergence of information and operational technology (IT/OT) for the process industries. For operational technologists, it's an opportunity to fully capitalize on the dramatic advances in networking technology that have already transformed the architectures of the automation and information management systems upon which they rely. But it's also like facing the loss of a familiar old friend in the form of the 4-20mA analog loops that have served industry so well for so long.
Yes, HART-IP over Ethernet-APL replaces that analog signal with fully digitalized process variables and control signals. But it also brings forward HART's industrywide familiarity, unrivaled interoperability ecosystem and proven utility when it comes to instrumentation monitoring and diagnostics data.
More than 30 years ago, HART was created as a command/response protocol, in which a host issues a command, and a device responds. When there are many devices in an installation and a host is communicating with many of these devices, the host needs to know the name or address of the device it wants to issue a command to. This addressing scheme is defined in the HART protocol specification.
But when HART was adapted to Internet Protocol (IP) back in 2007 to backhaul data from WirelessHART gateways, the addressing scheme defined by HART was no longer required. Rather, IP addressing is used, and each device is assigned an IP address. It's as simple as that: HART-IP is the same as HART, but with IP addressing. It's the Ethernet-APL physical layer that makes it dramatically faster.
Inherent security
While Ethernet and IP represent much of what's good in the networking world, IP-addressable devices also come with the need to address potential security concerns. "If you're going all digital with an IP-routable protocol, you have to ensure security," says Peter Zornio, CTO Automation Solutions, Emerson. "And with HART-IP, these security features are mandatory, not optional as they are with some other device protocols for Ethernet-APL."
So, the 2020 revision 7.7 of the HART specifications now sets requirements for specific security suites that provide communication security, audit logs and syslogging.
Communication security requires that new devices support the industry standard Internet Protocol Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) suites. HART commands have been added to simplify security deployment and aid users in navigating multiple security options. Additional diagnostics and forensic requirements are also included.
Devices are required to capture audit logs that summarize communications activities, including records such as client identification, connection start/stop times and whether the device configuration was changed in that session.
Finally, HART-IP devices also must support syslogging, an industry standard means of publishing device events to a networkās security information and event management (SIEM) system. All HART-IP devices must support network time using either Network Time Protocol (NTP) or Precision Time Protocol (PTP). Consequently, all syslog messages from all network devices are time synchronized, enabling forensics on network-wide behavior and activities.
Combining communication security, audit logs and syslogging results in robust security for HART-IP enabled products.
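The network-wide forensics that time-synchronized syslog allows, sketched as an added example that is not from the article or the HART specifications: constructed RFC 5424 messages from three devices are merged into one UTC timeline, and sessions that changed configuration from an unapproved client are flagged. The `hartip` app name, the `SESSION` message ID, the `session@32473` fields and all addresses are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID rest
HEADER = re.compile(r'^<\d{1,3}>1 (\S+) (\S+) \S+ \S+ (\S+) (.*)$')
SD_PARAM = re.compile(r'(\w+)="([^"]*)"')  # sample values hold no escaped quotes

# Constructed messages, deliberately out of order; one device reports a
# +02:00 offset. "hartip", "SESSION" and session@32473 are assumed names.
SAMPLE = [
    '<134>1 2024-05-01T08:20:00Z ft-101 hartip - SESSION '
    '[session@32473 client="10.0.5.20" cfgChanged="true"] session closed',
    '<134>1 2024-05-01T10:15:30+02:00 pt-202 hartip - SESSION '
    '[session@32473 client="10.0.9.77" cfgChanged="true"] session closed',
    '<134>1 2024-05-01T08:00:05Z ft-101 hartip - SESSION '
    '[session@32473 client="10.0.5.20" cfgChanged="false"] session closed',
    '<134>1 2024-05-01T08:10:00Z tt-303 hartip - SESSION '
    '[session@32473 client="10.0.9.77" cfgChanged="true"] session closed',
    'truncated line that is not syslog',
]

def parse(line):
    """Return a dict for one RFC 5424 message, or None if it cannot be parsed."""
    m = HEADER.match(line)
    if not m:
        return None
    ts, host, msgid, rest = m.groups()
    try:
        # Normalize every timestamp to UTC so devices can be compared directly.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    except ValueError:  # includes the "-" NILVALUE timestamp
        return None
    return {"time": when, "host": host, "msgid": msgid,
            "sd": dict(SD_PARAM.findall(rest))}

def unapproved_config_changes(lines, approved_clients):
    """Merge all devices into one timeline and flag unapproved config changes."""
    events = [e for e in map(parse, lines) if e and e["msgid"] == "SESSION"]
    events.sort(key=lambda e: e["time"])
    return [(e["time"].isoformat(), e["host"], e["sd"]["client"])
            for e in events
            if e["sd"].get("cfgChanged") == "true"
            and e["sd"].get("client") not in approved_clients]

if __name__ == "__main__":
    for row in unapproved_config_changes(SAMPLE, {"10.0.5.20"}):
        print(row)
```

Sorting across devices is only meaningful because every device takes its time from NTP or PTP; without that, the ordering of the two flagged sessions could not be trusted.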
"With Ethernet-APL, operators will have the need to really be up to date with all of the firmware and the software they're using," says Thomas Rummel, senior vice president of engineering and product management, Softing Industrial Automation. "In the past, the attitude was 'it's running now, so never change it,'" Rummel explains. "But in the future, you'll have to ensure that all security patches are kept up to date and no back doors are left open."
These new requirements for intelligent device management, switch configuration and other similar tasks may well present the opportunity to have IT-trained personnel contribute more directly to the support of process operations.
"For years, we've talked about the convergence of IT and OT," notes Wally Pratt, director of field communication protocols for FieldComm Group. "And while there's sometimes been resistance from the operational side of things, it's in the IT group's wheelhouse to take care of tasks like network security management, patching, firewall configurations and the like. Let the IT people do what they do best."
Easy does it
And with HART-IP, securely commissioning a new Ethernet-APL device can be just as easy as it is to securely commission a WirelessHART instrument, Pratt continues. "Take it out of the box, put it on the bench, hook up a handheld and enter a network ID and join key. Then just put it out in the plant and it works. We're trying to do the hard stuff inside to make it simple on the outside."
Both Dow's Jeff Konrad, technical solutions team leader, automation interfaces, and 3M's Robert Sentz, senior engineering specialist, envision that Ethernet-APL field network security would be an extension of the long-established IT security practices now used at the higher levels of their companies' Ethernet-based automation and information networks.
And when it comes to 3M's first adventures in Ethernet-APL, "it might be nice to start with something that looks very familiar," Sentz says. "I expect that we might want to add to what's available in HART-IP, but starting there with the ability to grow would allow for a smoother transition."
Jason Urso, chief technology officer, Honeywell Process Solutions, agrees that industry shouldn't waste a lot of time worrying about how devices talk to one another. "Let's build on a widely adopted and pervasive infrastructure where we have lots of people that understand it and know how to maintain it. We may find that new devices and different industries are better suited to other protocols than HART-IP, but Ethernet-APL doesn't preclude us using them as well."
"So, let's get this technology out to our customers as quickly as we can," Urso says. "So we can learn from it, adopt and adapt."



