Editor’s Note: This article was contributed by Mark Wylie, a Belden manager with many years of experience working in both the controls and IT domains. He is responsible for our Industrial Ethernet Infrastructure and Certified Industrial Network programs.
There are many reasons to update your network from an ad hoc design to an industrial Ethernet infrastructure. One of them is that it allows you to separate applications that generate high volumes of traffic, such as physical security systems, from other network applications such as control systems.
Good network segmentation groups devices used for a common purpose or with common cyber security requirements into segments, making network management and expansion easier.
Today, I am going to take a look at how to integrate physical security systems that include cameras, video servers, client viewing stations and other equipment into a well-designed industrial Ethernet network.
Physical security systems often include numerous outdoor video cameras with high bandwidth transmission requirements.
Segment the Physical Security Network from Operational Networks
The most important industrial network design best practice is to segment all networks into operational zones or areas. Networks tend to grow incrementally, resulting in large, flat networks. Too often we find networks that have become vast, sprawling systems that are difficult to manage or secure.
By dividing large networks into smaller ones, you improve the manageability, reliability and security of your system. This is a key requirement in many standards, including ISA/IEC 62443 for industrial cyber security, which describes it in terms of zones and the conduits that connect them. It also makes network issues much easier to isolate, because a fault or a flood of traffic stays inside its own segment instead of affecting the whole plant.
Thus you want to organize all the components of your physical security system into one network segment.
One way to do this is to create a dedicated subnet for the physical security equipment, giving it its own range of IP addresses. This isolates the high bandwidth video traffic from controls traffic and gives you an easy way to manage network performance.
The physical security subnet is connected to other subnets through a Layer 3 switch or router. Many of these devices can also act as packet filters, letting only the addresses, protocols and ports you specify cross between subnets. This offers limited protection against cyberattacks: such filters are usually stateless, do nothing about traffic between devices inside the same subnet, and are not a replacement for a firewall at the boundary of the zone.
Fig. 1 A network design best practice is to segment physical security system components on a subnet or VLAN.
Virtual Local Area Networks (VLANs)
An alternative to subnetting is a VLAN, which creates a logical group of Ethernet devices even when they cannot be grouped physically on their own switches. VLANs work by having the Ethernet switches insert a "tag" (a 4-byte IEEE 802.1Q field) into each Ethernet frame. Other switches on the network read this tag and decide whether a frame should be forwarded out a given port or not.
VLANs are great traffic management tools because devices see only the traffic of their own VLAN, broadcasts included. They are frequently used to isolate high bandwidth traffic, such as video and voice, when subnetting alone is not practical because the equipment is physically spread across shared switches.
Within a VLAN, devices communicate with each other directly, and a single switch can carry several VLANs on different ports. Traffic between VLANs, as between subnets, has to pass through a Layer 3 switch or router, and that is where you limit what goes in and out of the VLAN. Because the separation rests entirely on switch configuration, lock end-device ports to a single VLAN and restrict tagged trunk ports to the links between switches, so that a device plugged into a camera port cannot inject frames tagged for the controls VLAN.
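To show what the packet filter on that Layer 3 switch or router actually decides, here is an added example written for this article, not code from the original post or from any GarrettCom product: a small first-match filter policy in Python over the zones discussed above. The subnets, port numbers, device roles and the `Rule`, `evaluate` and `check_zone_isolation` names are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed zone addressing for this example (illustrative, not from the article).
SURVEILLANCE = ipaddress.ip_network("10.20.0.0/24")   # cameras, call stations
VIDEO_SERVERS = ipaddress.ip_network("10.20.1.0/24")  # NVR / VMS servers
VIEWING = ipaddress.ip_network("10.30.0.0/24")        # guard viewing stations
CONTROLS = ipaddress.ip_network("10.10.0.0/24")       # PLCs, HMIs


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None = any destination port
    action: str            # "permit" or "deny"


# Evaluated top to bottom, first match wins; a flow that matches nothing is
# dropped, mirroring the implicit deny at the end of a router ACL.
POLICY = [
    # Cameras stream RTSP (TCP/554) to the recorders and nowhere else.
    Rule(SURVEILLANCE, VIDEO_SERVERS, "tcp", 554, "permit"),
    # Guard stations reach recorders and cameras over HTTPS for live view/config.
    Rule(VIEWING, VIDEO_SERVERS, "tcp", 443, "permit"),
    Rule(VIEWING, SURVEILLANCE, "tcp", 443, "permit"),
    # Explicit two-way block between the surveillance and controls zones.
    Rule(SURVEILLANCE, CONTROLS, "any", None, "deny"),
    Rule(CONTROLS, SURVEILLANCE, "any", None, "deny"),
]


def evaluate(policy, src_ip, dst_ip, proto, dport):
    """Decide one flow. Returns (action, index of the matching rule or None)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for i, r in enumerate(policy):
        if (src in r.src and dst in r.dst
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action, i
    return "deny", None   # implicit deny


def check_zone_isolation(policy, zone_a, zone_b):
    """True if no permit rule allows traffic in either direction between two zones."""
    for r in policy:
        if r.action != "permit":
            continue
        if (r.src.overlaps(zone_a) and r.dst.overlaps(zone_b)) or \
           (r.src.overlaps(zone_b) and r.dst.overlaps(zone_a)):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample flows (camera .10, recorder .5, guard station .4, PLC .7).
    flows = [
        ("10.20.0.10", "10.20.1.5", "tcp", 554),    # camera -> recorder, RTSP
        ("10.20.0.10", "10.10.0.7", "tcp", 502),    # camera -> PLC, Modbus
        ("10.30.0.4", "10.20.0.10", "tcp", 443),    # guard station -> camera
        ("10.10.0.7", "10.20.0.10", "tcp", 443),    # HMI -> camera
        ("10.20.1.5", "10.20.0.10", "tcp", 40000),  # recorder's RTSP reply
    ]
    for f in flows:
        print(f, "->", evaluate(POLICY, *f))
    print("surveillance/controls isolated:",
          check_zone_isolation(POLICY, SURVEILLANCE, CONTROLS))
```

Note the last sample flow: the recorder's reply half of the RTSP session is dropped, because nothing permits traffic from the video servers back into the camera subnet. A stateless filter of this kind needs an explicit return rule for every permitted service (or an established-connection match), which is one reason router packet filtering gives only limited protection; a stateful firewall at the zone boundary tracks the session for you, and `check_zone_isolation` is the kind of review you run on the rule set after every change to make sure no permit has crept in between the surveillance and controls zones.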
Specify Industrial Devices Suitable for the Environment
The difference between video surveillance equipment in an office and in a plant is the environmental stress placed on the equipment. Office networking equipment may cost less, but more robust equipment suited to industrial or outdoor settings pays for itself through reduced downtime, troubleshooting and maintenance expenses.
Consider environmental challenges such as:
- Temperature Swings
- Particulates or Pests
- Humidity and Corrosion
- Electrical Noise
- Challenging Mounting
- Lack of AC Power
- Extended Distances
One way that industrial devices are categorized is by their IP (Ingress Protection) rating, defined in IEC 60529. The first digit rates protection against solids such as dust, the second against liquids; IP67, for example, means dust-tight and protected against temporary immersion. Consult an IP rating chart and choose the rating appropriate for your application.
The Importance of Power over Ethernet
What is Power over Ethernet (PoE)? It’s the practice of using a single industrial Ethernet cable to provide power and Ethernet communications to devices.
This best practice is vital when implementing physical security surveillance systems. It is not a simple process to wire and connect security cameras, card readers, routers, keypads and telephones.
Instead of using multiple cords or cables (one for power, one for pan/tilt/zoom control, and one for video), PoE gives you the ability to simplify your installation and commissioning processes by replacing multiple connectors with a single connection. This lowers costs, as fewer components are needed and the replacement process is simplified.
Planning for PoE involves:
- Determining all the pieces to be used (cameras, telephones etc.)
- Identifying the power consumption (in watts) of each device
- Totalling the power requirements of all PoE devices that will be wired to one PoE switch
Note that most devices are "standard" PoE (IEEE 802.3af), which delivers up to 12.95 watts at the powered device; higher-draw devices such as PTZ cameras may need PoE+ (IEEE 802.3at), which delivers up to 25.5 watts. Budget against what the switch port must supply rather than what the device draws (15.4 watts and 30 watts respectively, since some power is lost in the cable), and check that total against the switch's overall PoE budget, which is often less than the number of ports times the per-port maximum.
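The three planning steps above, carried through as an added example (written for this article, not from the original post or any vendor tool): a PoE budget check for one switch using the IEEE 802.3af/at limits. The device list, the watt figures, the switch port count and the switch power budget are constructed values for illustration, and `plan_poe` and `classify` are names chosen here.

```python
# Per-port power the switch (PSE) must reserve, and the most the powered
# device (PD) may draw, for IEEE 802.3af ("standard" PoE) and 802.3at (PoE+).
POE_STANDARDS = {
    "802.3af": {"pd_max_w": 12.95, "pse_alloc_w": 15.4},
    "802.3at": {"pd_max_w": 25.5, "pse_alloc_w": 30.0},
}


def classify(device_w):
    """Return the PoE standard a device of this draw needs, or None if it
    exceeds PoE+ and must get a separate power feed."""
    for name in ("802.3af", "802.3at"):
        if device_w <= POE_STANDARDS[name]["pd_max_w"]:
            return name
    return None


def plan_poe(devices, switch_ports, switch_budget_w):
    """devices: list of (name, watts drawn by the device).
    Returns the per-port allocation at the switch, the total the switch must
    supply, the naive sum of device draws for comparison, and what does not fit."""
    allocations = []
    needs_separate_power = []
    for name, watts in devices:
        std = classify(watts)
        if std is None:
            needs_separate_power.append(name)
            continue
        allocations.append((name, std, POE_STANDARDS[std]["pse_alloc_w"]))
    total = sum(alloc for _, _, alloc in allocations)
    pd_sum = sum(w for _, w in devices if classify(w) is not None)
    return {
        "allocations": allocations,
        "pd_sum_w": round(pd_sum, 2),        # what a naive datasheet sum gives
        "total_w": round(total, 2),          # what the switch actually reserves
        "ports_needed": len(allocations),
        "fits_ports": len(allocations) <= switch_ports,
        "fits_budget": total <= switch_budget_w,
        "headroom_w": round(switch_budget_w - total, 2),
        "needs_separate_power": needs_separate_power,
    }


# Constructed device list, loosely modelled on the call-station pole in Fig. 2
# plus two more cameras. Watts are illustrative, not vendor datasheet values.
SAMPLE_DEVICES = [
    ("ptz-camera-pole-1", 22.0),   # PTZ motors push it into PoE+
    ("fixed-camera-2", 6.5),
    ("fixed-camera-3", 6.5),
    ("call-station", 8.0),
    ("strobe-light", 30.0),        # beyond PoE+, needs its own feed
]

if __name__ == "__main__":
    # Assumed switch: 8 PoE ports sharing a 65 W PoE budget.
    result = plan_poe(SAMPLE_DEVICES, switch_ports=8, switch_budget_w=65.0)
    for name, std, alloc in result["allocations"]:
        print(f"{name:20s} {std}  reserve {alloc:5.1f} W at the port")
    print("device sum:", result["pd_sum_w"], "W; switch must reserve:",
          result["total_w"], "W; fits budget:", result["fits_budget"])
    print("needs separate power:", result["needs_separate_power"])
```

With these constructed numbers the four PoE devices draw 43 W between them, which looks comfortable against a 65 W switch budget, yet the switch has to reserve 76.2 W because it allocates per port at the class limit. Planning by device draw alone would overrun the budget and the switch would shut ports down under load; planning by port allocation catches it before the hardware is ordered.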
Example Application: Campus Call Station and Cameras
A campus emergency call station provides an example of how to use cameras and networking equipment to provide a reliable surveillance system. The example shown has a video camera mounted on top of a pole, an emergency strobe light, and a call station that allows someone in a remote location to summon help. Details of the application are shown in Fig. 2.
Fig. 2 A hardened industrial Ethernet switch manages network communications to and from this campus call station.
The pole-top camera monitors movement around the area, providing video feed to a remote monitoring location or a network video recording device. The call station itself provides the ability to talk between a guard or attendant and the person by the pole, generally in response to a call button.
Power over Ethernet allows a single cable to connect these multiple remote devices to the network, combining power for the device as well as signal to the network.
Generally the network component will be mounted in the base of the pole and may require a fiber link back to the main infrastructure, but will have local copper links to the end devices (the camera, call station, strobe, etc.).
The network switch may be mounted by itself inside the pole or may be mounted in a cabinet along with other electronic gear that is used to power the legacy end devices. The switch is subjected to the temperature and environmental extremes of the outside equipment as well as things that bump into the pole, generating shock and vibration. (A component diagram for this application is included in the presentation available for download at the end of this article.)
The Advantages of GarrettCom Industrial Ethernet Switches
The GarrettCom line of Ethernet switches is ideally suited for surveillance applications. The line includes unmanaged switches for single end-device connectivity (possibly remotely) as well as configurable managed switches, all of which are value priced.
GarrettCom’s product portfolio includes a full range of hardened networking devices for surveillance systems.
GarrettCom configurable managed switches can accommodate a mixture of copper and fiber signals on a unified platform. These include differing communication speed ports as well as PoE enabled ports. GigE ports can handle the data from today's Ultra HD Cameras and pass it efficiently via the network to video monitoring as well as video management and recording locations.
These switches are available with various mounting options, providing flexibility for either panel and rack or cabinet installations. In addition, the devices are environmentally hardened and deliver reliable service for years without attention.
Media converters are available to connect to legacy end devices, thus simplifying the modernization of existing infrastructures. Finally, the elements of the portfolio can be mixed and matched to fit the requirements of a given installation.
High Availability Physical Security Systems
To keep your physical security application available, keep the three best practices described above in mind:
- Segment the high bandwidth surveillance network from other network segments, particularly the controls network.
- Specify industrial devices suitable for the environment.
- Use Power over Ethernet devices to reduce installation / maintenance cost and complexity.
A number of other network design principles applicable for physical security applications are discussed in the presentation available for download below.
Good luck with your designs and I look forward to hearing your comments.
1. A Layer 3 switch or router is a device that connects two or more networks, such as subnets, together.
Physical Security Systems
- Blog: Physical Security Using Industrial-Strength Ethernet
- GarrettCom.com webpage: Security and Surveillance
- Blog: GarrettCom 6K Switches Provide Networking in Nuclear Plant for FLIR Perimeter Security Solution
- Webpage: Magnum 6K Managed Ethernet Switches
- Webpage: Magnum PES42 PoE Edge Industrial Ethernet Switches
- Webpage: Industrial IT Solutions
- Blog: Defense in Depth Part 2: Layering Multiple Defenses
- Webpage: Belden Certified Industrial Network Program
- Security-Today.com webpage: Giving Your Surveillance Network a Workout