Industrial Ethernet Book Issue 17 / 38

Great walls ... and small gates

China's Great Wall was constructed to secure the country's territory from outsiders who might inadvertently or deliberately invade it. IT and Building Automation Systems (BAS) professionals have each constructed their own elaborate walls to deter similar trespassing. Driven by a need for effective energy management solutions and ubiquity of web technology, both the IT and BAS communities are having to open small gates in their respective walls to accommodate overlapping territory.
By Andy McMillan

The sheer complexity of Enterprise IT systems and the multipath data flows they encompass makes it very difficult to fully assess the impact of adding unfamiliar components or transaction types. Virtually all IT groups maintain infrastructure elements supporting mission-critical business applications. Through hard experience, IT professionals have learned that accidents, mistakes, carelessness and malicious behaviour can all result in costly system downtime or data loss. Their response has been to secure the IT infrastructure at multiple levels.

Sophisticated network management tools have evolved to handle the security and complexity of the systems they maintain. Even so, complete analysis or precise modelling of real-world systems is beyond the reach of most IT groups, which instead rely on perceived wisdom in the form of best practice. Following such best practice eliminates the need for detailed analysis in many situations and minimises the risk in many others.

BAS professionals have been involved in a similar, parallel endeavour for building automation systems. Modern building automation implements complex, distributed systems that control heating, cooling, lighting, security and other building systems. They perform real-time control, data collection and data processing functions. Real-time control functions include discrete activities, such as unlocking a door when an appropriate code is entered, and continuous activities such as adjusting air vent dampers to maintain specified room temperatures. Data collection and processing functions are diverse, ranging from maintaining a rolling 30-day building temperature profile to generating monthly reports on energy use. Like their IT counterparts, BA systems are mission critical and must be secured against both inadvertent and deliberate tampering.

The BAS industry has evolved its own set of standards and best practices over the years for much the same reasons as the IT industry. However, the process has left them generally different from the IT counterparts. This dichotomy came about for several reasons, including:

  • Requirements are somewhat different for each domain;
  • Characteristics of devices used show some difference;
  • Different people in user organisations typically handle each domain;
  • Different suppliers serve the two markets;
  • Different industry organisations serve the two communities.

Parallel standards and practices have not been a problem historically because the systems were installed separately and the areas of overlap were small enough that the cost of duplication was relatively insignificant. Web technology and recent trends in building automation have increased the areas of overlap - motivating integration between the two domains. As a result, differences in standards and practices are becoming a bigger issue for many organisations.

Energy management particularly challenges BAS professionals. Higher costs and increasing volatility of energy prices have pushed demands for real-time monitoring and control of energy usage. Enterprise management now takes a heightened interest in energy data aggregation across geographically distributed sites. Since duplication of IT wide-area data communications is not practical, it is driving a need for BAS interfaces to the Enterprise network infrastructure.

Other common areas include integrated security access control, building management outsourcing, environmental control and lighting control. Realising this demands best practices of both IT and BAS together with the involvement of both in the decision process.

Borrowed technology

The building automation industry has incorporated commercial technology borrowed from the IT community - Ethernet, TCP/IP, web servers, Intranets, XML and PC workstations, etc. Many suppliers, though, have adopted technologies without regard for the best practices that make those technologies effective in IT environments. For example, some suppliers have developed building automation systems with web-based interfaces requiring the use of a custom web server or special firewall ports rather than using a standard server like Apache or IIS. Other suppliers provide products where the communications between the building automation system and desktop PCs use protocols such as BACnet and LonWorks which are unknown in the IT world. Integrating these systems with a company's IT infrastructure can seem risky because they violate some of the most basic IT best practices.

Most IT professionals recognise that the introduction of non-standard comms over the IT infrastructure creates operational and maintenance risks. Given the potentially high cost of system failures, IT professionals are rightly risk-averse and therefore strongly resist any effort to introduce such non-standard solutions. So, how can an organization bring about the necessary integration of these systems?

The simplest approach (from a technical point of view) is to select building automation products that are IT-friendly in the first place. Such products use the IT infrastructure with minimal variance from IT accepted standards, for example by limiting the use of BAS-specific communications protocols to interactions among BAS controllers. For communications between BAS devices and IT servers/workstations they use XML over HTTP, making them compatible with standard firewall configurations and network operation norms.

Even the most IT-friendly BAS solution may still have some special requirements. For example, one of the most common is a need for BAS controllers to have dedicated IP addresses. Overall, achieving the necessary level of IT and BAS system integration in these circumstances largely comes down to careful planning and reasonable accommodation.

IT friendly

As the BAS industry continues to evolve, suppliers will migrate to IT-friendly solutions. For now though, it is not always practical to drive BAS purchasing decisions from the perspective of the IT integration effort. Legacy systems compatibility, cost constraints, functionality requirements and many other things may lead to the adoption of a BAS that is distinctly out of alignment with standard IT environments, such that cost-effective integration at an acceptable level of risk may not be easy. One approach adopted by some users is to install a parallel Ethernet infrastructure for the BAS system. A single point of interconnection between the two systems is provided through a carefully managed router or application gateway. In other cases, the BAS system uses the enterprise infrastructure, but is isolated as a separate segment via intelligent switches. It may be contained within a Virtual Local Area Network (VLAN).
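
The isolation approaches above, together with the IT-friendly rule of keeping BAS protocols among controllers and using XML over HTTP towards IT servers, can be checked against observed traffic. The following is an added example, not part of the original article: the addressing plan, the data server address and the sample flow records are assumptions constructed for illustration, and UDP 47808 is the standard BACnet/IP port.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addressing plan, constructed for this example (not from the article).
BAS_SEGMENT = ipaddress.ip_network("10.50.0.0/24")   # isolated BAS VLAN
DATA_SERVER = ipaddress.ip_address("10.10.0.5")      # BAS data server on the IT side
BAS_ONLY = {("udp", 47808)}                # BACnet/IP; add other BAS ports in use
WEB = {("tcp", 80), ("tcp", 443)}          # XML over HTTP(S)

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int      # destination (service) port

def classify(flow: Flow) -> str:
    """Return a verdict for one observed flow against the segmentation policy."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    src_in, dst_in = src in BAS_SEGMENT, dst in BAS_SEGMENT
    if src_in and dst_in:
        return "internal"                  # controller to controller: any protocol
    if not src_in and not dst_in:
        return "enterprise"                # not BAS traffic, out of scope here
    service = (flow.proto.lower(), flow.port)
    if service in BAS_ONLY:
        return "bas-protocol-leak"         # BAS protocol left its segment
    if service not in WEB:
        return "nonstandard-port"          # would need a special firewall port
    outside = dst if src_in else src
    if outside != DATA_SERVER:
        return "unapproved-peer"           # crossing not via the agreed endpoint
    return "allowed"

def audit(flows):
    """Return (flow, verdict) pairs for every flow that breaks the policy."""
    ok = {"internal", "enterprise", "allowed"}
    return [(f, v) for f in flows if (v := classify(f)) not in ok]

# Constructed sample flow records.
SAMPLE = [
    Flow("10.50.0.21", "10.50.0.40", "udp", 47808),   # controller to controller
    Flow("10.50.0.21", "10.10.0.5", "tcp", 443),      # controller to data server
    Flow("10.50.0.21", "10.10.3.77", "udp", 47808),   # BACnet to a desktop PC
    Flow("10.10.3.77", "10.50.0.40", "tcp", 8081),    # custom web port
    Flow("10.10.3.77", "10.50.0.40", "tcp", 80),      # direct, bypasses server
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE):
        print(verdict, flow)
```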

The use of the enterprise network backbone for BAS system communication and IT integration offers substantial operational and cost benefits to facility managers. Since the enterprise network is designed and maintained by the IT group, the facility manager does not need to deal with it. Likewise, housing a BAS data server in the IT group takes advantage of the IT group's expertise in server administration, backup and support. However, use of the enterprise backbone also creates some issues for the facility manager.

Common backbone caveats

One issue relates to denial of service events. IT professionals strive to protect their enterprise networks from the impact of viruses and worms. In reality, though, complete protection still eludes most organisations. As a result, facility managers using the enterprise network for BAS connections must design their systems to operate safely even when backbone connections are lost.

Another issue relates to the need for continuous coordination between facility management and the IT group. Failure to maintain coordination can lead to unacceptable BAS system interruptions. For example, IT network reconfigurations that are transparent to typical computing devices (such as PCs and printers) can adversely affect BAS devices, especially if they use fixed IP addressing.
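
A pre-change check that both teams can run before an IT network reconfiguration, written as an added example that is not part of the original article. The controller names, addresses and proposed change are constructed for illustration; the function reports which fixed-IP BAS controllers a new subnet, DHCP pool or gateway address would affect.

```python
import ipaddress

# Constructed inventory of BAS controllers with fixed addresses (hypothetical names).
CONTROLLERS = {
    "ahu-1": "10.50.0.21",
    "chiller-2": "10.50.0.40",
    "door-ctl-3": "10.50.0.130",
}

def impact_of_change(controllers, new_subnet, dhcp_start, dhcp_end, new_gateway):
    """Map controller name -> list of problems the proposed change would cause."""
    net = ipaddress.ip_network(new_subnet)
    lo = ipaddress.ip_address(dhcp_start)
    hi = ipaddress.ip_address(dhcp_end)
    gw = ipaddress.ip_address(new_gateway)
    findings = {}
    for name, addr in sorted(controllers.items()):
        ip = ipaddress.ip_address(addr)
        problems = []
        if ip not in net:
            # The controller would be unreachable after the change.
            problems.append("outside-new-subnet")
        elif ip in (net.network_address, net.broadcast_address):
            # The fixed address becomes a network or broadcast address.
            problems.append("reserved-address")
        if lo <= ip <= hi:
            # DHCP could lease the same address to a PC or printer.
            problems.append("inside-dhcp-pool")
        if ip == gw:
            problems.append("collides-with-gateway")
        if problems:
            findings[name] = problems
    return findings

if __name__ == "__main__":
    # Proposed change (constructed): shrink the segment to a /25 and add a DHCP pool.
    report = impact_of_change(CONTROLLERS, "10.50.0.0/25",
                              "10.50.0.32", "10.50.0.100", "10.50.0.1")
    for name, problems in report.items():
        print(name, ", ".join(problems))
```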

For many organisations there is a growing business benefit in effectively linking BAS with IT systems. The technologies employed in the two domains are converging and over the next 3-5 years seamless integration may come about through industry acceptance of a web services solution. In the meantime there are several approaches to achieving some level of integration while maintaining appropriate security for each system. IT-friendly products, isolation of BAS within the IT infrastructure and parallel infrastructures have all been successfully employed. Making any solution effective, though, requires a good working relationship between the facility management team and the IT Department. Where the two are successful at working together, the IT and the building automation systems are both properly secured, yet usefully interconnected. Somewhat like having two Great Walls that intersect at a pair of small, matching gates.

Andy McMillan is president and CEO of Teletrol Systems
