
of this technology, it can open the door for multiple attack techniques.

Moreover, even if redundancy was not considered in the initial design of Ethernet networks, several standardized variations of the Spanning Tree Protocol (STP) have been published to allow ring-based topology. A ring is the easiest way to make an alternative path available, but the Ethernet implementation has some constraints that limit performance. The Ethernet switch must enable or disable physical links to avoid broadcast storms, and this process requires time to calculate and activate a new logical topology (convergence time) in case of a network event (i.e., a loss of a link). The performance of any variant of STP in an OT network is unacceptable for protocols, such as IEC 61850-9-2 or GOOSE messages, when used for critical interlocking or intertrip operation.

The following table compares characteristics of IT and OT networks.

IT Networks                                  OT Networks
Frequent network topology changes            Purpose-engineered networks
Plug-and-play connections                    Deny-by-default security
Unhampered connectivity                      Allowlisted flows
Rapid STP for backup paths                   Predefined failover paths
Intermittent services with short lifetimes   Constant services with long lifetimes

Addressing cybersecurity and reliability with SDN

Both cybersecurity and performance concerns can be addressed by an emerging paradigm known as SDN, which relies on the separation of the control plane from the data plane. The control plane is the part of a network that controls how data packets are forwarded—meaning how data are sent from one place to another (i.e., creating a routing table is considered as a part of a control plane), while the data plane is where the packets are forwarded. SDN is all about separating the two planes and enabling network control to become programmable and centralized, with the underlying network elements abstracted from the applications and services.

The separation allows a single piece of software, known as the Flow Controller, to manage multiple data-plane elements. The Flow Controller can directly instruct data-plane elements (i.e., routers, switches, and other middleboxes) using a standardized and well-defined application programming interface (API), such as OpenFlow.
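As an added illustration (not code from the article, nor from any SDN product), the following Python model ties the OT column of the table to the Flow Controller described above: a deny-by-default switch that forwards only controller-installed flows, here one allowlisted GOOSE publisher (Ethertype 0x88B8), with a backup port installed in advance so that a link failure is handled locally without any STP-style recomputation, in the spirit of OpenFlow fast-failover groups. The port numbers, the MAC address and the flow-entry layout are constructed for the example.

```python
from dataclasses import dataclass
GOOSE_ETHERTYPE = 0x88B8  # IEC 61850 GOOSE frames (layer-2 multicast, no IP header)

@dataclass
class FlowEntry:
    match: tuple                          # (in_port, eth_src, eth_type); exact match only
    priority: int                         # highest matching priority wins, as in OpenFlow
    primary_port: int
    backup_port: "int | None" = None      # pre-computed failover path, installed up front

class Switch:
    """Data-plane element: forwards only what the controller installed."""
    def __init__(self, ports):
        self.table = []                          # flow entries, sorted by priority
        self.link_up = {p: True for p in ports}  # port liveness as seen by the switch
        self.dropped = 0                         # table-miss counter, worth monitoring
    def install(self, entry):
        self.table.append(entry)
        self.table.sort(key=lambda e: e.priority, reverse=True)
    def forward(self, in_port, eth_src, eth_type):
        # Returns the egress port, or None when the frame is dropped.
        for entry in self.table:
            if entry.match != (in_port, eth_src, eth_type):
                continue
            if self.link_up[entry.primary_port]:
                return entry.primary_port
            if entry.backup_port is not None and self.link_up[entry.backup_port]:
                return entry.backup_port     # local failover, no controller round trip
            break
        self.dropped += 1                    # no entry matched: deny by default
        return None

class FlowController:
    """Control plane: decides which flows may exist and where they go."""
    def __init__(self, switch):
        self.switch = switch
    def allow_goose(self, in_port, publisher_mac, primary_port, backup_port):
        # Allowlist one GOOSE publisher on one ingress port, with its failover path.
        self.switch.install(FlowEntry((in_port, publisher_mac, GOOSE_ETHERTYPE),
                                      100, primary_port, backup_port))

def demo():
    sw = Switch(ports=[1, 2, 3, 4])
    ied = "00:1a:2b:3c:4d:5e"   # constructed MAC of a protection IED
    FlowController(sw).allow_goose(1, ied, primary_port=3, backup_port=4)
    ok = sw.forward(1, ied, GOOSE_ETHERTYPE)          # 3: allowlisted flow
    wrong_port = sw.forward(2, ied, GOOSE_ETHERTYPE)  # None: known MAC, unexpected port
    arp = sw.forward(1, ied, 0x0806)                  # None: Ethertype not allowlisted
    sw.link_up[3] = False                             # primary link goes down
    failover = sw.forward(1, ied, GOOSE_ETHERTYPE)    # 4: predefined backup path
    return ok, wrong_port, arp, failover, sw.dropped  # (3, None, None, 4, 2)
```

The `dropped` counter is the detection hook: in a purpose-engineered OT network every table miss is a frame that nobody planned for.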
                                                                                Impiantistica Italiana - Novembre-Dicembre 2023  57