Helping customers reduce cyber risk by complying with NIS2 and securely managing industrial assets

This week, I’m attending Cisco Live in Amsterdam! Together with my team, we’re excited to exchange insights and network with our customers and industry leaders. Our focus is to interact with customers firsthand, grasp their preferences, and highlight how our latest portfolio upgrades cater to their requirements.

Up to this point in the event, numerous customers have emphasized that cybersecurity in industrial settings is a primary concern, alongside the introduction of the new NIS2 regulations. Our team is present to assist customers in navigating and adhering to these latest regulations, ensuring a seamless transition as we adjust to new mandates. Let me share some insights into NIS2 and outline our investments aimed at aiding customers.

Cisco helps customers comply with NIS2 regulations to reduce cyber risk with enhanced cybersecurity capabilities

The European Union created Network and Information Security (NIS2) to update and strengthen the existing NIS1 framework, addressing emerging cybersecurity threats and evolving technological landscapes more effectively. The intent is to enhance cybersecurity resilience and coordination across critical sectors and digital service providers. It will impact more than 350,000 organizations and will extend to non-European companies that are part of the EU supply chain. This directive will be enforced as of October 18, 2024.

To comply with NIS2 requirements, customers need a good understanding of their security posture to implement cyber risk management best practices and zero-trust security policies. Meeting these requirements requires our customers to control risks from their supply chain (machine builders, control system vendors, contractors, hardware service providers, etc.) as well as risks from connected assets that now need access to external applications and cloud services. This translates into a problem of scale for our customers due to the diverse ecosystem of supply chain vendors, and tens of thousands of assets in their environments.

Cisco has comprehensive capabilities and a market-leading industrial networking portfolio, which helps our customers address these challenges. Our portfolio complies with ISA/IEC 62443 security standards so that customers can trust their supply chain.

The Industrial IoT team has been investing in enhancements to industrial security solutions, Cisco Cyber Vision and Secure Equipment Access, to help customers reduce cyber risk and drive compliance with NIS2 cybersecurity regulations as they securely connect assets in their critical infrastructure.

First, we have enhancements to Cisco Cyber Vision with new reports and risk scores from Cisco Vulnerability management. Cyber Vision software, deployed on the industrial network, builds a detailed inventory of all connected assets and their security posture. This will help customers monitor and manage cyber risks of their OT assets. The new report engine helps industrial organizations drive compliance and governance by sharing OT Security Posture insights with all stakeholders.

“With Cyber Vision, we now have the visibility into our mission-critical OT networks as a first step to mitigate vulnerabilities and improve our security posture. Cyber Vision found more than 20 instances of malware in our substations and identified features and protocols that don’t need to be active.”

 – Emerson Cardoso, Chief Information Security Officer, CPFL Energia

External users need to connect to OT assets for maintenance and troubleshooting. Operational teams can use Cisco Secure Equipment Access to remotely deploy, configure, and troubleshoot assets and applications connected to Cisco industrial routers and switches. Secure Equipment Access solution adopts a ZTNA architecture that enforces strong security controls to grant remote users access only to specific resources at specific times. Another exciting announcement is the new Secure Equipment Access dashboard that helps administrators to monitor and audit remote access activities and trends for compliance. The dashboard works to enable advanced users and partners to automate remote access workflows with a new set of APIs for easy integration with other software solutions.

“As the NIS2 cybersecurity regulation is implemented across Europe, our industrial customers need to better control remote access to their operational networks. Cisco Secure Equipment Access simplifies the enforcement of zero-trust network access policies within an OT environment. By embedding this capability into the industrial network, Cisco makes it easy for customers to deploy OT cybersecurity at scale.”

 – Damiano Di Mauro, OT Networking Solutions Team Leader, Lutech (Cisco partner)

In our journey to help customers with Cyber Vision capabilities, we are very excited to see our partner Orange launching ‘Secure Industrial LAN’ managed service for industrial organizations. They are combining the Cisco Industrial IoT networking portfolio with Cisco Cyber Vision for OT security and skilled resources from Orange Cyberdefense and Orange Business worldwide. This service can be delivered to multinational customers with production sites across the globe with a single offer.

“As industries are accelerating the digitization of their operations, they need help to manage and secure industrial networks anywhere they are on the globe. By combining Cisco’s leading industrial networking and OT security portfolio with Orange Business’ and Orange Cyberdefense’s IT and OT expertise with human resources worldwide, our Secure Industrial LAN offer is the ideal solution for industrial organizations to scale their operations, improve resilience, and meet ever-growing cybersecurity regulations.”

– Emmanuel Routier, VP Smart Industries, Orange Business (Cisco partner)

The excitement of new enhancements doesn’t just stop there. Because different industries and use cases require different network technologies and capabilities for connectivity, we are continuing to expand our industrial networking portfolio to ensure customer success for a variety of deployment scenarios and locations. Therefore, we are also announcing:

• Catalyst IW9167E is now available for hazardous environments (Class 1, Div 2), so that customers in locations such as oil & gas, chemical, and pharmaceutical can deploy Wi-Fi or Cisco Ultra Reliable Wireless Backhaul (Cisco URWB).
• The Catalyst IW9165 series now also supports Wi-Fi 6/6E as well as Cisco URWB. With different form factors, we are enabling customers to deploy in more locations such as inside a cabinet in manufacturing, and roadways intersections.
• The 5G PIM now supports both public and private standalone on Catalyst Industrial Rugged Routers (IR1100, IR1800, IR8300) for roadways (cameras and sensors at intersections), public safety (ambulances, police cars), utilities, and other mission critical industrial settings.

If you are at Cisco Live Amsterdam, come and find the Cisco Industrial IoT Team at the World of Solutions to experience live demos and a coffee machine powered by Catalyst Center and Secure Equipment Access. Innovation and a cup of coffee come together to fuel digitization and connectivity for the whole week. I look forward to seeing you there!

Source: cisco.com

Continue reading

Cisco wins Manufacturing Solution of the Year award for integrating industrial security with networking

We are thrilled to announce that Cisco’s unified OT security and networking architecture is named “Smart Manufacturing Solution of the Year” in the 2024 IoT Breakthrough Awards.

Industrial security can be a complex undertaking, and yet OT security is quintessential for modern Industrial IoT (IIoT) operations. IIoT systems generally contain a variety of interconnected systems and technologies, each with its own security needs. Some of these are older and not designed with modern security threats in mind. Furthermore, OT teams, with their limited resources, may not be able to dedicate adequate time and personnel to security, and IT teams often do not understand operations well enough. Potential production losses resulting from increased security measures can also sometimes conflict with the need to address security concerns.

OT security has, therefore, traditionally been an afterthought and built using a piecemeal approach, relying on a patchwork of solutions provided by different vendors, each designed to provide only a single security function. Customers are forced to deploy point solutions that lead to unnecessary hardware deluge, increased complexity, and an overall security solution that does not scale or deliver.

An integrated network and security architecture

At Cisco we take a simpler, scalable, and more effective approach by integrating security functions directly into the network fabric. Our innovations enable the industrial network to replace the many one-function point products.

Figure 1: Cisco industrial switches and routers integrate security functions and help eliminate many separate products

With a unified industrial security and networking architecture, Cisco brings simplicity and scale to both connect and protect operations. It reduces complexity by delivering visibility, segmentation, remote access, and other security services on Cisco industrial switches and routers without the need to introduce additional hardware.

1. Visibility into connected assets, network traffic, and assessing existing asset vulnerabilities is recognized as the first step in securing operations. Traditional security vendors provide a deep packet inspection (DPI) server for this purpose to which you need to span traffic from your switch ports, adding to the network complexity and costs. Cisco Cyber Vision runs within Cisco industrial devices and performs the same functions without the extra server, complications, and expense.

2. The second step once visibility is established is to partition your industrial network into smaller segments to contain any malware that may find its way inside, but in a way that allows legitimate traffic to flow unhindered. Traditionally, this network segmentation has been done with sets of firewalls or Access Control Lists (ACL) configuration in switches. Both are either expensive, difficult to get right and maintain, or both. Native capabilities in Cisco Industrial Ethernet Switches allow dynamic and automated multiple levels of segmentation without the firewalls or manual ACLs.

Figure 2: Cisco industrial equipment runs Cyber Vision for visibility and segmentation policies

3. A third necessity is to enable operations personnel to securely access industrial assets remotely. Traditionally, organizations have depended on solutions like VPNs that require frequent manual updates to firewall rules and jump server settings, potentially unsecure methods such as cellular gateways, to name a few. With the Secure Equipment Access solution, Cisco industrial network equipment enables secure zero-trust network access (ZTNA) by embedding ZTNA gateway functionality without the need for extra servers. Enabling remote access is now just a software feature to activate in your Cisco industrial network.

Figure 3: Cisco industrial networking hosts a ZTNA gateway for secure remote access

Put the award-winning solution to work for you

We have not only designed an award-winning architecture, but we have also made it easy for you to adopt it, meeting you in your security journey where you are and guiding you gradually to where you want to be. Our four-step process can lead you from building a solid security foundation, through visibility, remote access, and segmentation to incident reporting and response.

Figure 4: Cisco four-step journey for industrial security

The network embedded security architecture scales across all OT use cases like manufacturing, transportation, utilities, oil & gas, renewable power generation, and mining among others.

Source: cisco.com

Continue reading

The Power of LTE 450 for Critical Infrastructure

In case of disasters, a reliable communication network is critical. The emergency centers need to be able to exchange information to coordinate their response in the field. Service providers need to keep their network live. Power utilities need to be able to keep the electric grid up and running.

In Europe, the communication networks used to control components of the power grid and all other critical infrastructure, are required to remain operational for at least 24 hours in the event of a power failure. This is well beyond what most commercial cellular networks can offer.

The solution identified by the energy industry is LTE 450. Public protection and disaster recovery (PPDR) regulations in Germany, Scandinavia, and parts of Africa allow critical industries to reserve the 450 MHz band in their areas to deploy private LTE networks, replacing legacy public safety voice networks with technology capable of data transmission.

This means LTE 450 can offer privileged access to the network, without public mass market services.

A key differentiator of the LTE450 MHz band is its long-range coverage. The high frequencies can deliver higher data rates to any number of smart devices, but they are affected by rapid signal attenuation and require dense base station coverage. On the other hand, the 450 MHz band sits on the other side of the spectrum.

With commercial LTE, a complete countrywide network might require tens of thousands of base stations to achieve full geographical coverage. LTE 450 only takes a few thousand base stations to achieve the same coverage and requires less power at the edge. This results in:

• A reduced number of base stations need to be kept up and running; it’s easier to manage the network.
• It’s easier to reach rural areas due to the extended coverage.
• Backup battery power can be used to continue to connect critical devices in the event of a power failure.

In addition, the reduced attenuation coming from the low frequency signals of LTE 450, allows increased penetration through walls and other solid materials, bringing obvious advantages for devices deployed indoors, underground and in other hard-to-reach locations.

Thus LTE 450 is a resilient cellular communication network tailored to the needs of mission and business critical use cases. Few examples:

• a private wireless network to connect thousands of SCADA systems used to control and monitor substations and other renewable energy assets;
• a public network to serve a broad range of power utilities, including water, gas, heat distribution networks and smart power grids.

Cisco solution for critical networks

Cisco has introduced an LTE 450Mhz plug in module for the popular Cisco Catalyst IR1101 Rugged Router. This platform provides the ability to connect to 450Mhz networks and additionally provides a second fallback module for private 4G, 5G or commercial cellular networks.

Figure 1: The Catalyst IR1101 Rugged Router

Critical traffic (such as SCADA or other critical control traffic) can be routed via 450Mhz and non-critical traffic routed via the cellular connections.

The IR1101 rugged router also provides secure encrypted tunnels for critical traffic from the remote site to a secure headend (e.g., Utility control center).

For management of remotely deployed IR1101 routers, the Cisco Catalyst SD-WAN platform supports secure zero touch onboarding, provisioning, and visibility to allow IR1101 routers to be deployed easily in the field.

Source: cisco.com

Continue reading

SD WAN solutions for utility Distribution Automation

Networks are expanding outside traditional office buildings and into industrial fixed and mobile use cases. This results in more devices being connected to the Internet and data centers as well as increased security exposure. IoT has moved traditional networking far beyond the carpeted spaces and into industries like Fleets, Oil & Gas, Energy & Water Utilities, Remote Condition Monitoring and Control — basically anything that can establish a wide area connection. Moreover, these industrial networks are increasingly being considered critical infrastructure. In response to this expansion, Cisco has on-going innovations advancing the ways networks operate – and at the forefront of these trends is the way that SD WAN solutions enable and support industrial use cases.

Cisco Catalyst SD-WAN today is already an industry-leading wide area network solution offering a software-defined WAN solution that enables enterprises and organizations to connect users to their applications securely. It provides a software overlay that runs over standard network transports, including MPLS, broadband, and Internet, to deliver applications and services. The overlay network supports on-premises solutions but also extends the organization’s network to Infrastructure as a Service (IaaS) and multi-cloud environments, thereby accelerating their shift to the cloud.

Most utilities are used to building large networks utilizing technologies such as Internet Protocol Security (IPsec) and Dynamic Multipoint Virtual Private Network (DMVPN) to encrypt critical communications, Multiprotocol Label Switching (MPLS) for the underlying transport network, and public or private cellular for remote sites with no other WAN connectivity. Catalyst SD-WAN brings these technologies together and enables automation to greatly simplify deployments.

Automation benefits:

• Secure Zero Touch deployment of field gateways (i.e., no field staff required to configure a gateway)
• Simple provisioning of end-to-end service VPNs to segment traffic (SCADA, CCTV, PMU, IP Telephony, etc.)
• Templated configurations making it easy to change configurations at scale and push it to gateways in the field.
• Application of unified security policies across a diverse range of remote sites and equipment
• Managing multiple backhaul connectivity options at the gateway including private MPLS for critical SCADA traffic and cellular for backup and even internet-based connections for non-critical traffic, where appropriate
• Lifecycle management of gateways (e.g., firmware updates, alarm monitoring and statistics)

Cisco SD-WAN Validated Design for Distribution Automation (DA)

SD-WAN has origins as an enterprise solution using fixed edge routers of various performance capabilities and predictable enterprise traffic patterns. Utility networks present new challenges with especially when applied to Distribution network use cases:

• Connectivity to legacy serial devices not supporting Ethernet/IP
• communications (g., Modbus RTU, DNP3 over serial, IEC101 or vendor proprietary)
• Mobility needs for mobile assets to ensure resilient wide area connectivity
• New WAN interfaces including dual 4G or 5G cellular, DSL, fiber or Ethernet
• The use of NAT to allow fixed privately addressed equipment to communicate
• Requirement to encrypt SCADA traffic across the wide area network
• Applicable to both distribution substations and field area networks
• Segregation of services via VPNs in flexible topologies (Hub & Spoke, or Meshed [Fully or Partial])
• Intelligent traffic steering across multiple backhaul interfaces when needed (critical vs. non-critical traffic)

Key use Distribution Network use cases that the Cisco SD-WAN solution can address are:

Cisco IoT Solutions have introduced a new Cisco Validated Design to address an SD-WAN architecture for Distribution Automation use cases. Leveraging the Cisco Catalyst IR1100 Rugged Series Routers as an SD-WAN router with flexible modular backhaul capabilities (DSL, Fiber, Ethernet, 4/5G, 450MHz LTE) and operating as an SD-WAN controlled edge router.

Along the distribution network feeders, the IR1101 should be positioned as a Distribution Automation gateway. It can be easily mounted within a DA device cabinet (e.g. Recloser, Cap bank controller etc) and can be powered by the same DC supply (flexible 9-36VDC input). It also has extended environmental capabilities to cope with the variations in temperature, humidity, and vibration.

The new SD-WAN for Utility Distributed Automation Design Guide builds on other existing documents that describe in detail Cisco’s SD-WAN architecture and industrial IoT hardware offerings and shows how they can be combined to provide a scalable, secure network. The new Design Guide is focused on areas that are unique or at least emphasized by DA use cases in general. This document also has detailed configuration examples for many of the DA features.

Source: cisco.com

Continue reading

Cisco Catalyst IE9300 Rugged Series switches: Enterprise-grade industrial-strength

Realizing the full potential of industrial digitization requires extensive connectivity of operations assets wherever they might be – at busy city intersections, inside utility substations, in rail and subway stations, along extreme temperatures and high-vibration production lines, within wind or solar farms, in mines and in oilfields. In these kinds of harsh environments, organizations need to deploy, secure, and maintain a wide range of connected devices. Full connectivity is the starting point and needs a network that is scalable, resilient, secure, and incorporates proven IT practices to keep the network performing up to expectations.

A new class of industrial rackmount switches

In January last year, Cisco launched the first two products in the Cisco Catalyst IE9300 Rugged Series Switches portfolio. These switches are closely related to the widely adopted Cisco Catalyst 9000 family with the same hardware ASICs, the same IOS XE operating system, and offer the same level of network automation, assurance, and policy enforcement by Cisco Catalyst Center (previously known as Cisco DNA Center). This year, we are extending that portfolio with one of the industry’s most innovative and comprehensive product sets.

Figure 1: Catalyst IE9300 Rugged Series all-fiber models

The new all-fiber and all-copper models of these rackmount, Layer 3 switches deliver the same security, scalability, and automation that customers have come to expect from our Catalyst 9000 enterprise-grade rackmount switches. But the Catalyst IE9300 switches are ruggedized for industrial environments – unlocking new opportunities to bring enterprise-grade networking to industrial networks.

One switch family, unlimited possibilities

Specific features make these multifunction switches especially powerful and versatile. For example, the latest models offer higher Power over Ethernet (PoE) wattage and high PoE budget (up to 720W). That means organizations can connect more – and higher-power, higher-bandwidth – endpoints, including Wi-Fi 6/6E access points, 4K UHD and PTZ cameras, digital signage, and even thin clients and user laptops, to name a few.

These models also provide higher bandwidth – up to 2.5GE downlinks and 10GE uplinks – for high-bandwidth endpoints and to enable data to be backhauled from many access switches in field deployments such as road intersections, railroads, and manufacturing environments. For utilities, the products’ high-density fiber ports and IEC 61850 compliance make them ideal for substation automation. Across industry sectors and use cases, Software-Defined Access makes it easier to interface industrial networks with enterprise networks. They also unlock the benefits of Cisco Cyber Vision and Endpoint Analytics to enhance visibility and security throughout industrial networks.

Figure 2: Catalyst IE9300 Rugged Series all-copper models

The IE9300 family is built to withstand extreme temperatures and is hardened for vibration, shock and surge, and electrical noise. These switches offer extended durability thanks to no moving parts and their fanless, convection-cooled design. And they comply with specifications for several industries – from Intelligent Transport Systems (ITS) to utility substation environments.

To put it more conversationally, you can think of the Catalyst IE9300 Rugged Series as the Layer 3 switches that you can use for (almost) everything and (nearly) everywhere!

Use cases for the Catalyst IE9300 Rugged Series Switches

One of the best ways to illustrate the potential of these new products is to describe some of the use cases they make possible:

• High density fiber access. Fiber ports offer several benefits over copper. Fiber cables are immune to electromagnetic radiation, offer safer transmission in hazardous conditions due to their electric isolation, and can transmit data over much longer distances without experiencing signal degradation or loss of quality. Use cases for fiber include industries such as utilities that are modernizing substations using native fiber devices, and traffic backhaul from field deployments.
• Clock input and precision timing. GPS and IRIG-B inputs that allow network synchronization ensure that different devices across the network are working with the same time reference, which is crucial for applications requiring coordinated actions. For example, in energy sectors, accurate time synchronization is crucial for monitoring power grid events, fault detection, and grid stability. Further, Precision Timing Protocol (PTP) Power Profile built into the IE9300 ensures 50ns per-hop accuracy that keeps the delay within 1µs over 16 switch hops.
• Aggregation and cost-efficiency. 10G uplink fiber aggregation switch makes it possible to connect Resilient Ethernet Protocol (REP) and Media Redundancy Protocol (MRP) rings in non-climate-controlled field points-of-presence. This use case has broad potential in field deployment such as in roadways, wind, and solar farms. The 10G uplinks help avoid oversubscription that could occur in Gigabit only switches.
• Distribution layer switching. Uplink ports open new opportunities for IE9300 to be used as distribution layer switches that you can deploy right in dusty and hot environments ensuring that critical data flows smoothly between access switches and the core network. Stacking capabilities of IE9300 ensure scale and redundancy.
• High-wattage and high-density PoE. Copper models of IE9300 offer a variety of PoE options and can provide power to connected devices with a total of up to 720W per switch. Note that the IE9300 delivers 720W of PoE power while still maintaining a 1RU form factor, a first in the industry. Moreover, you can configure the switch to deliver up to 90W on a single 2.5GE port. This combines high bandwidth with high-power on a single port enabling new use cases.
• Flexibility and scalability. Although the IE9300 switches have a fixed port count, and multiple units can be stacked to increase the number of available ports while still appearing virtually as a single switch, which reduces configuration complexity. Management by Cisco Catalyst Center makes onboarding and reconfigurations easy, increasing flexibility to keep pace with operations.
• Visibility and security. Granular visibility into connected assets and network traffic is the necessary first step in ensuring operations security. Compute capabilities within the IE9300 allow it to run Cisco Cyber Vision sensors that provides visibility, risk assessments, and helps form the basis for network segmentation for security.

As you look to evolving your industrial network and gain from Industry 4.0 opportunities, look to the Catalyst IE9300 Rugged Series as your solution to connect everything – everywhere.

Source: cisco.com

Continue reading

Mining innovation: Underground mining visibility, locating assets and protecting people

Enabling autonomous operations and understanding the location of people and assets in real time are necessary for realizing fully operational smart mines. Smart mines require the ability to make good decisions based on large volumes of data, specifically within tunnels. This capability requires enhanced network availability and corresponding visualization tools to provide an intuitive understanding of the large amount of information generated.

The drive to digitize and automate underground operations requires the gathering of real-time data. Underground smart mines deal with complexities such as operations occurring in three dimensions over hundreds to thousands of kilometres; power, ventilation, and airflow considerations; potential for personal safety concerns with ambient temperatures sometimes over 45 degrees Celsius (113 degrees Fahrenheit); and airborne pollutants that can impact worker health. It is imperative for both safety and efficiency that an underground mine be able to locate people and assets as close to real time as possible.

Improving workforce productivity while increasing safety and optimizing fleet productivity and payload are key objectives in underground mining. Visualizing worker and asset locations and producing useful metrics from the increasingly digitized operational technology (OT) edge has been shown to be helpful in achieving these goals. These metrics provide inputs into both environmental management and cultural heritage protection systems, which show proximity to protected areas and prevent operations on impinging via alerts or geofencing.

Cisco’s forward thinking and commitment to the future of mining aims at digitization, automation, and net-zero emissions outcomes in mines. These objectives require network and communication reliability in order for customers to achieve high levels of visibility over their operations. To deliver on this goal, Cisco collaborates with ecosystem partners that deliver complementary solutions like GeoMoby. GeoMoby provide blueprints for reliable operational environment network infrastructure combined with a sensor-driven visualization layer that brings real-time insight into mining operations.

Solutions and benefits

• Underground mining benefits from ecosystem-based, end-to-end solutions to fulfill specific requirements for sensor-driven connectivity and augmentation such as last-mile connectivity, temporary coverage, and low-bandwidth coverage for areas without Wi-Fi.
• Cisco Spaces provides location and telemetry data for indoor and outdoor use cases. This data produces connectivity, environmental, and location-based insights for ecosystem-based solutions.

 

Opportunity with GeoMoby

• Reduction or elimination of gaps in network connectivity and communication
• All-in-one 3D map and real-time location, including existing Cisco tags and infrastructure
• Convergence between OT/IT: traffic management, ventilation automation, IoT sensors, data collection, etc.
• New solution blueprint that extends value for customers using Cisco solutions and specialist ecosystem partners such as GeoMoby

The common goal of GeoMoby and Cisco is to accelerate the digitalization of the mining industry. GeoMoby uses, extends, and enhances Cisco technology within mining operations. The result is a readily implementable mining platform that enables continual optimization of operations and safety in underground mining.

Use cases

Objective	Description	Use Cases
Improve workforce productivity	Monitor employee and contractor movements and record any delays in order to provide insightful data that can help identify areas for improvement. Enhance visibility into operations in order to optimize decision-making and increase productivity.	Contractor management Workforce management Automatic check-in and check-out Idle time detection Ventilation on demand
Increase operational efficiency of assets	Monitor vehicle movements and record any speed excess in order to identify where and when vehicles are being underutilized or overutilized. Increase efficiency by reducing fuel consumption and overall costs. Promote compliance with safety regulations.	Predictive maintenance Driver management Maintenance management Speed management Ventilation on demand
Increase worker health and safety	Monitor critical health metrics, such as temperature and blood oxygen (Spo2) levels, in real time. Enable proactive intervention by sending instant notifications in case of emergency, enabling prompt action to mitigate potential health issues and risks. Provide insightful data that can be used to evaluate the overall health of operations and make informed decisions for improved safety and productivity.	Health and safety management Collection of health metrics Enhanced compliance with regulation
Increase fleet productivity and payload	Track and analyze the payload of every asset with time stamps, distance travelled, and in-use time, enabling informed decisions on resource allocation and waste reduction. Help to increase productivity and efficiency by reducing cycle times and optimizing truck utilization.	Payload management Fleet management Payload budgeting Performance tracking
Visualize people and assets with an electronic tag board	Display real-time location data for both people and vehicles on a map and a table. Enable optimization of operations by improving safety, productivity, and efficiency. In emergency situations, help to locate personnel and assets and facilitate a prompt response by visualizing people inside the refuge room and the closest refuge room for people in danger.	Electronic tag board Emergency response management Historic location data of people and assets Offline navigation to refuge chambers or fresh air bases
Environmental management system	Provide real-time environmental data and quickly identify potential environmental risks and hazards. Send alerts for anomalies and safety risks. Provide historical data on environmental performance, enabling tracking performance over time and making data-driven decisions about operations.	Air quality management Temperature management Gas monitoring system Historical data management
Cultural heritage protection system	Track people and assets and sends alerts when they are nearing or inside protected areas. Improve compliance with regulations in order to prevent potential abuses and disruptions. Help to ensure that only authorized individuals are granted access to protected areas.	Environmental, social and governance framework (ESG) reporting Compliance with regulations

Continue reading

Something New: AP Discovery Methods for 6GHz Wi-Fi – Part 2

In Part 1 (Something Old) we looked at basic changes to the physical layer provided by wave 1 of 801.11ax, how these changes can affect performance, and how OFDMA enables the optimal use of the 6GHz spectrum. In this second article, we’ll explore “something new:” the challenges of discovery in 6GHz, new methods used for solving this, and how these new methods open 6GHz for many different use cases.

Is There Anybody Out There?

In previous generations, Wi-Fi clients would scan channels and send unsolicited probe requests to discover access points (APs). Scanning channels can be a timely process as beacons are only broadcast every 102400us so the client must dwell long enough to detect the beacon. At 6GHz this is 102400us x 59 channels (there are 59 20MHz channels in the new 6GHz spectrum) which is over 6 seconds. For the client, this loss in time represents a disruption in communication. Creating intolerable latency in voice and lost opportunity to hundreds of megabytes of data every time the client decides to scan. Furthermore, the previous process would be to send unsolicited probe requests (wildcard requests) to see how APs would respond. Now, remember, this is all a contention-based medium, so these probe requests and responses on every channel for every client create a significant amount of interference and at the very least, inefficient use of the spectrum.

Read More: 300-710: Securing Networks with Cisco Firepower (SNCF)

Over the years the IEEE has introduced measures to address these roaming challenges. 802.11k was introduced to provide clients with a list of neighboring APs, 802.11v was introduced to provide a recommended AP candidate, and 802.11r was introduced to reduce the roaming time for 802.1x clients. Not all clients and infrastructure support these measures so while they helped, they did not eliminate the need for clients to send unsolicited probes.

While these IEEE updates are still available for 6GHz, the strategy for AP discovery fundamentally changes. To start with, unsolicited probe requests are no longer allowed (with one limited exception we will discuss shortly).

Three New Methods to Improve AP Discovery

Since we have already established scanning channels at 6GHz is not allowed, there are three new methods introduced in Wi-Fi 6E for finding AP candidates.

The primary method (and the one that clients typically respond to best) is called Reduced Neighbor Report (RNR). Since most, if not all, clients will have legacy band capability, there is an Information Element (IE) embedded in the legacy band beacons that list the 6GHz SSID(s) that are available on the serving AP. The client first scans the 5GHz or 2.4GHz channels and looks for this RNR element. The RNR report contains information about the 6GHz channel, SSID, BSSID, a bit of information on the AP, and the allowed power levels (Power Spectral Density). This effectively makes the 2.4GHz and 5GHz channels a control channel for the 6GHz. Clients can then send a directed probe request to those channels that are learned in the RNR to determine which 6GHz AP to join. It is important to note there can be multiple 6GHz SSIDs included in the RNR and they do not have to match the legacy SSIDs.

The information contained in an RNR is very similar to the information provided in the previously introduced 802.11v action frame. The RNR below is from a 5GHz beacon and is advertising two SSIDs on the 6GHz channel number 5. The legacy 802.11v action report below shows similar information to the RNR but the fundamental difference is twofold:

◉ This is an action frame not part of the beacon like the RNR. It is a request-response type transaction. An RNR is broadcast in the legacy band beacons.

◉ The information in the 802.11v action frame contains information about other APs on the same frequency band. The RNR only lists SSIDs broadcasted from the 6GHz band (different frequency band) as this same AP.

Figure 1: RNR on 5GHz beacon

Figure 2: 802.11v Action Frame

What if the AP is only broadcasting 6GHz? This is an unlikely condition, but nonetheless a potential one. First, scanning can be reduced by limiting the number of channels to be scanned. This is called Preferred Scanning Channels (PSC). The PSCs are the primary channels (20MHz subchannel) of the 80MHz channels. This works well since 80MHz will often be the preferred bandwidth to operate for reasons previously discussed in part 1 of this blog series. If however, lower bandwidth channels are used without RNR or additional support from the methods below, it would be very easy for a client to miss this channel which should be a consideration when using PSC with narrower band channels.

Figure 3: Preferred Scanning Channels (red)

There are two mutually exclusive options to further enhance the AP discovery in which the AP will broadcast messages an additional 4 times between the beacons or about every 20ms (configurable from 5ms to 25ms). The first method is called Fast Initial Link Setup (FILS) and is based on a previous standard of 802.11ai. This is a very lightweight message (somewhere around 100 bytes as compared to a beacon which is 500+ bytes). The second method is called “Broadcast Probe Response” or “Unsolicited Probe Response” (UPR). Like FILS, this advertisement will be broadcast at a higher rate than the beacon. However, the UPR broadcasts everything in the probe response so while it supplies the client with more information, it is a bit heavier in the amount of data transmitted repeatedly.

Teamwork Makes the Discovery Dream Work

So how do these four methods work together? First, if there are legacy band SSIDs transmitted on the AP the expectation is that the RNR will do the work of discovering the 6GHz channel, and no other method is required. In the case where only 6GHz is broadcast from the AP the most likely scenario would be the use of PSC with either FILS or UPR. Notice UPR and FILS are exclusive options, you can only use one or the other. Early testing of client devices has seen some issues with 6GHz standalone APs not being discovered with only PSC and it is needed to have FILS (or UPR) enabled to assist a client in discovering the AP. This may change over time but for the early implementations, deploying 6GHz with only 80MHz channels and PSC enabled is a good option. This allows the primary channel to match the PSC channels. In addition, enabling FILS can provide further assistance for discovery with minimal impact on performance.

Source: cisco.com

Continue reading

Wi-Fi 6E, Something Old, Something New, Something Borrowed, Something Blue – Part 1

With the recent release of a number of Wi-Fi 6E-enabled devices at the Consumer Electronics Show (CES), now is a good time to take into account some of the benefits that Wi-Fi 6/6E provides. Wi-Fi 6/6E was not an “incremental” change, it was a major leap forward with the new innovations and most importantly, the addition of the newly allocated 6GHz spectrum (which varies across regions). In this series, we will provide the reader with an in-depth understanding of some of these advanced features in Wi-Fi 6 and how some of these features benefit them. Furthermore, we will discuss some of the new innovations built around the Wi-Fi 6E standard and how IT leaders are just starting to realize the potential for 6GHz wireless.

“Something Old”

While the ability to support multiple simultaneous users has been available prior to Wi-Fi 6E this is one “old” feature that becomes enhanced in Wi-Fi 6E. In part 1 we want to look at some of the changes to the physical layer, what changed, and how this helps your WiFi performance.

Of all the features added to Wi-Fi 6, one, in particular, will have a very significant effect on the new 6GHz band and deserves some in-depth consideration and that is OFDMA. Remember all that old 802.11ax optional capability is now mandatory at 6GHz as there is no requirement for brownfield support. There were other technologies added to the legacy bands in Wi-Fi 6 that really paved the way for substantial improvements in performance. For example, increased modulation rates (up to 1024 QAM, think of this as higher maximum throughput), better spatial isolation (BSSID Coloring/OBSS and multiple timers for IBSS and OBSS, think of this as better performance in an area with lots of clients and APs), Target Wait Time (better battery life for clients), and others.

Digging into OFDM – The Virtual Wires of Wi-Fi

OFDM is the “baseband” signal which is the underlying waveform that is used to generate the RF signal we think of as Wi-Fi from the digital input. This baseband signal is comprised of multiple “tones”. The combination of these tones is called Orthogonal Frequency Division Multiplexing (OFDM). Each tone is orthogonal to the other tones which means the information on that tone can be detected with limited interference from other tones even though they are tightly spaced together. Think of each of these tones as a wire that information can be conducted. Fewer tones mean fewer wires but higher throughput for any one wire, more tones mean more wires but lower throughput per wire. The total “available” throughput, in either case, ends up being basically the same. In 802.11ax a change was made to move from 64 tones to 256 tones (4x) in a 20MHz channel.

Figure 1. OFDM changes from Wi-Fi 5 to Wi-Fi 6

As discussed, this increase in tones has very little impact on the link available throughput but, there are other trade-offs. First, the 4x increase in tones improves the robustness of multipath (improved resistance to inter-symbol interference) but loses some effectiveness in a high-speed mobile environment (doppler shift). So, under typical indoor use, we get a benefit of a more reliable connection. The second, and biggest change is the ability to better “sub-channelize” the physical layer. This access method is called Orthogonal Frequency Division Multiple Access or OFDMA. A sub-channel or group of tones at a given time slot is considered a “resource unit” often referred to as an “RU”.

Since the ratio of the number of tones is relative to the bandwidth, in a 20MHz channel there can be up to 9 RUs (26 tone groups) for any one frame and in a 160MHz channel this could go up to 74 RUs (notice this is not 72 as there are some efficiencies due to higher ratio of usable tones at higher bandwidths). RUs can come in larger sizes also to match the resource demand. For example, with a 20Hz channel, you can additionally have 52 tones, 106 tones, or the full band on 242 tones. Furthermore, you can to some degree mix and match these different-sized RUs in the same frame. These RUs provide a mechanism to transmit to multi-users (MU) at the same time without having to rely on spatial diversity. Let’s put a number to why this is important. Take a 64-byte packet operating at some typical rate like 256 QAM with ¾ rate coding (MCS8). With 40MHz channels, one slot is capable of around 380 bytes. What happens if a 64-byte packet (typical packet) is transmitted over this 40MHz channel? Less than 20% of the channel is used, and over 80% of that resource is wasted! With the use of RU’s, we can send multiple packets at the same time and pretty much eliminate that inefficiency. Granted not all packets are 64 bytes but larger packets are broken into smaller physical layer packets called Protocol Data Units (PDUs) to be transmitted and again will not fill up the entire spectrum for all PDUs.

So how does the AP signal the client when and where its RUs are allocated since there are now multiple client packets in a time slot? This is accomplished using two mechanisms. First, there is now a new field in the preamble that provides the “where” called SIG-B. This field provides how the resource units are allocated over the slot and the per-client information that specifies which resource units are allocated for my specific client.

There are really 3 options to transmit multi-user packets at the same time:

◉ Multiple simultaneous users’ signals are transmitted using the full band but the spatial characteristics of the channel allow them to communicate with limited interference (spatial separation).

◉ Multi-User with different users assigned to different RUs (frequency separation).

◉ A combination of both.

Option 1 is a multiplier – If the channel permits sending multiple streams over the same channel the capacity of the channel grows proportional to the number of users. There are limitations to this, for example, the number of uplink spatial streams is equal to or less than the number of uplink receivers in the access point. If the AP and the environment support option 1 it would typically be used.

Option 2 is an optimization – If the network has multiple clients that support Wi-Fi 6 that have traffic to send at the same time the network will optimize by sending the traffic at the same time.

The second function that facilitates the “when” the use of multiple clients is the “trigger frame”. When the AP is ready for the clients to simultaneously send uplink information it transmits a trigger frame with the client information. The client waits for one short interframe spacing (SIF) and then transmits the uplink data on the appropriate RUs. The AP can then send back a “multi-Station ACK” allowing the multiple client uplink packets to be acknowledged simultaneously. Uplink ACKs are transmitted similarly to the uplink data with a trigger frame on the allocated RUs.

Figure 2. Trigger Frame Sequence

Given 6GHz has a much larger block of spectrum and the most common FCC regulation to deploy is based on power spectral density (PSD), which allows for more power with wider channels, it is expected that most deployments will use 80MHz or 160MHz (see 6-GHz Unlicensed Spectrum Regulations and Deployment Options White Paper). With the previous generation of one packet per time slot, 80MHz channels became very inefficient, and hence why you rarely saw this type of operation for multiple access. With 802.11ax the ability to do both frequency and spatial division, the clients can be assigned only the resources necessary for their needs no matter how wide the channel is thus making the use of these wider channels much more effective. In the 2.4GHz and 5GHz bands clients capable of supporting OFDMA had to contend for a slot with legacy clients and of course since it requires more than one client to participate in “multiple access” it would only contend for a multiuser slot if there were multiple clients that could support OFDMA with packets to transfer. At 6GHz all clients support OFDMA and hence no need to contend with legacy clients for access, every slot can transmit multiple packets. With the addition of the 6GHz channels, we will just now begin to fully benefit from the use of OFDMA.

With Wi-Fi 6 the link can now be divided into both bandwidth and time so specific chunks of resources can be “scheduled” for delivery further improving efficiency and latency (see Figure 2 below).

In addition to the improvement of efficiency in the wider band channels the “triggered multi-user access” allows for the scheduling of packets in a much more predictable manner. The 802.11ax standard does not dictate all the necessary details for managing the packet scheduling and hence this is an area where there can be some differentiation in performance between implementations. Cisco, a company with a rich history of packet scheduling and optimization is obviously exploring this area also. For example, in the data below we can see the latency comparison between a typical Wi-Fi 5 network, a Wi-Fi 6 network, and a Wi-Fi 6 network with optimization in scheduling. Notice with Wi-Fi 6 there is a substantial reduction in outlying packets exceeding the 25ms delay bound and with some optimization, a further reduction in latency can be seen. This is an example of the value of optimized scheduling with 802.11ax multi-user capability provides.

Figure 3. Packet Scheduling Improvements

Wi-Fi 6E provided a leap forward in capability. Some we could not fully recognize until 6GHz was made available. Benefits in capacity, latency, and stability are all a part of the 802.11ax update. In addition, vendors like Cisco can provide optimized packet scheduling to further enhance the user’s experience. Deploying Wi-Fi 6E capable access points will allow the operator to begin to experience these significant new enhancements in performance.

Source: cisco.com

Continue reading

Cisco Catalyst IE3100 Rugged Series switches: Big benefits, small footprint

Now making its entrance is our latest and most compact industrial managed Ethernet switch, the Catalyst IE3100 Rugged Series. First announced in February 2023, these switches are now shipping and are ready to power your industrial networks, especially in space-constrained deployments, where every inch matters.

Part of a powerhouse family

The Catalyst IE3100 is the latest addition to our comprehensive family of industrial switches—a family that includes switches in various form factors, such as rack-mount, DIN rail mount, IP67 rated, and embedded. These ruggedized switches can resist extreme temperatures, shocks, vibration, and humidity. They are specifically developed for industrial IoT networks and deliver deterministic and extremely fast resiliency for uninterrupted operations.

The Catalyst IE3100 complements the Catalyst IE3x00 family of switches that include the Catalyst IE3200, IE3300, and IE3400. The Catalyst IE3x00 family of switches are DIN rail-mounted and run the same modern IOS-XE operating system that powers our Catalyst 9000 Series enterprise switches. This family features Gigabit Ethernet copper and fiber interfaces, fast convergence in case of failure, and additional enhanced features such as Layer 2 NAT, which makes them a popular choice among many verticals such as manufacturing, roadways, railways, utilities, ports and terminals, mining, and oil and gas.

Stand-out features

In addition to combining the power of Cisco IOS XE with built-in security and Cisco DNA Center for simplified management, the Catalyst IE3100 allows customers to use existing IT investments and knowledge while offering targeted functionality expected by industrial IoT customers, such as:

1. Compact size. Reduce engineering efforts and cost when designing cabinets and other deployment considerations.

2. Fully managed. Administer with Cisco DNA Center for streamlined network management and increased network and device visibility while reducing downtime for routine maintenance.

3. Extend IT practices into your industrial network with IOS XE built-in security, and seamlessly integrate into Cisco security solutions with Cisco Identity Services Engine (ISE), Secure Network Analytics (Stealthwatch), and SecureX. Use 802.1x-based authentication, downloadable ACL lists, and dynamic VLAN assignments for network segmentation to reduce cybersecurity risk.

4. OT mindset. Integrate effortlessly into your industrial network with the features you need, such as L2 NAT for machine builders, IT and OT redundancy protocols, support for EtherNet/IP (CIP), Modbus, PROFINET, SCADA, and more.

5. Flexible deployments.Take advantage of 6, 10, or 20 Gigabit Ethernet ports with two Gigabit SFP uplink ports or two Gigabit combo uplink ports.

Use cases

Too often, unmanaged switches find their way into industrial networks, but such equipment falls short in delivering what today’s enterprises need. Unmanaged switches cannot enforce policies or prioritize or segment traffic, their open ports create security risks, and network monitoring proves difficult. In short, they cannot deliver what is needed.

Being fully managed, the Catalyst IE3100 is in control of the endpoints that get connected, how the data is prioritized for quality of service (QoS), and how the traffic is separated by VLANs. Therefore, it is a strong alternative over unmanaged switches. It is especially beneficial for machine builders who make complex, custom-built turnkey solutions, such as robots and conveyor belts, which have connected devices within their assemblies. The end users will appreciate that these solutions can seamlessly fit within their networks with improved control and an enhanced security posture.

The Catalyst IE3100 is an excellent choice for deployments in confined spaces. Space is a common consideration in cabinets that house several pieces of control equipment in addition to networking, such as those used at roadway intersections, at manufacturing plants, next to railroad tracks, and in solar and wind farms. The ability to use smaller enclosures helps to reduce engineering effort and cost.

Planning space-constrained deployments in industrial settings no longer requires a compromise between size, manageability, and security. With the Cisco Catalyst IE3100 Rugged Series Switches, OT teams can connect more devices, secure them with confidence, and manage them with limitless agility.

The Catalyst IE3100 is the most compact switch in our managed Industrial Ethernet portfolio for your space-constrained use cases.

Source: cisco.com

Continue reading

Communication Service Providers: the Potential Power Behind an Inclusive Internet

Gartner defines communication service providers (CSPs) as those who offer telecommunications services, media, information, content, entertainment, and applications services over networks. We know them as our telecommunications companies, our cable service provider, our satellite broadcast operators, and our cloud communications providers. CSPs are arguably the most important players to enable an accessible, affordable, secure, trustworthy, sustainable, and inclusive internet. But, to play a leadership role in defining the Internet for the Future, CSPs must fundamentally transform.

CSP industry economics are challenging

The current economics of the CSP industry are challenging. CSP market cap share of the internet (including infrastructure, connectivity, devices, and value-add digital services) fell from just under 30 percent in 2010 to less than six percent in 2021. CSP revenue growth is now at low single-digits at best and return on invested capital (ROIC) is barely above the cost of capital. Meanwhile, CapEx as a percentage of revenue has remained high as leading operators such as AT&T, Verizon, and Deutsche Telekom roll out their 5G networks.

CSPs must transform

To play a leadership role in defining the Internet for the Future — while also delivering positive returns to shareholders — CSPs will need to fundamentally transform. The next five years are crucial as CSPs plan to invest about $2 trillion in their networks, especially to connect rural areas and provide access to the economically disadvantaged. These companies will need to increase their ROIC by more than three percentage points, meaning boosting annual top-line growth by at least four percent, reducing operating costs by at least 10 percent year-over-year, and reducing CapEx intensity of their business by at least five percent. Achieving these benchmarks will require a fundamental rethink of the CSP business model. In the remainder of this post, we offer a road map for achieving this.

Roadmap to success: transition to platform business model

The primary shift for CSPs will be to create a platform architecture and business model to provide open-access connectivity to any service provider: a “connectivity platform as a service” (CPaaS). This layer is enabled by connectivity infrastructure as a service (CIaaS), which in turn enables customer-facing everything as a service (XaaS). Platforms lead to innovation speed by leveraging third party development. Three key areas will define success in delivering the Internet for the Future:  modernization and automation, deeper partnerships, and B2B2X business models.

Modernization and automation

CSPs will need to make major shifts in their technology architecture to take advantage of potentially massive new opportunities. Investments in these five network domains will make possible a higher degree of automation and virtualization:

◉ Service and infrastructure orchestration. CSPs can move toward a leaner, cloud-native operations support system (OSS) and to ground their business support system (BSS) in microservices that are decoupled from outdated legacy infrastructure, opening new business opportunities and monetization models.

◉ Access. CSPs can use a virtualized radio access network (VRAN) or an open radio access network (ORAN) to drive disaggregation and standardization, leading to increased vendor diversity and new partnership models while reducing the total cost of ownership across upgrade cycles. CSPs with strong integration capabilities can see significant cost savings and time-to-market benefits.

◉ Edge/MEC. Multi-access edge computing (MEC) provides an excellent platform for delivering business and consumer services while deriving the fullest value from network infrastructure. In addition, operators can benefit from the broader MEC application market to drive monetization of new and emerging 5G use cases. This is an area that will require major investments as operators increase the coverage, capability, and capacity of their MEC networks.

◉ Transport. Convergence and delayering provide a great opportunity for service providers to make their transmission networks simpler and more intelligent, unlocking capacity while simultaneously reducing CapEx and supporting delivery of new revenue streams through network as a service (NaaS) offerings.

◉ Core. 5G core deployments will enable network slicing, which will help drive new organic service revenue while further strengthening NaaS capabilities. Public-cloud offerings will help a broader range of CSPs handle ever-increasing core workloads.

Software defined networks (SDNs) and network functions virtualization (NFV) will help decouple software and upgrade cycles and lower the costs of upgrades and maintenance. In turn, increased virtualization and open standards will enable service providers to design, configure, and manage network capacity more efficiently. Similar benefits can be achieved in flattening transmission networks (e.g., with Routed Optical network solutions) where current design rules, lack of visibility, and manual configuration result in over-dimensioning and over-provisioning. Legacy transmission networks run at an average utilization rate of less than 30 percent. VRAN and ORAN will both extend these life cycles and increase the use of third-party hardware. The lengthening of life cycles, along with a reduced need for manual upgrades and repairs, will help improve productivity in network functions.

CSPs must invest in deeper partnerships

CSPs will not be able to deliver the Internet for the Future unless they fundamentally change the way they think about and implement partnerships.

◉ Hyperscalers would benefit from CSP points of presence such as central offices and base-band locations. In return, hyperscaler investments in MEC could help service providers tap into the broader application-developer market.

◉ Infrastructure Providers. While CSPs already have models in place to share towers, fiber and data center virtualization and open standards will allow for more sharing in areas such as RAN.

◉ Carrier-neutral infrastructure providers.  Tower companies and data centers are also well-positioned to drive MEC growth and could be ideal partners for service providers and hyperscalers, helping to drive standardization within markets. However, this model has limitations in terms of monetization and may raise concerns related to the hosting of CSPs’ organic networks and IT workloads.

◉ Equipment vendors. CSPs can deepen their partnerships with equipment vendors, like Cisco, to manage equipment as a service, shifting CapEx to OpEx —thereby sharing investment risks and rewards.

◉ CSPs could consider partnering with their competitors (other CSPs serving the same markets) in areas ranging from infrastructure sharing to active co-investment efforts.

◉ Solidifying government partnerships will be needed. For example, we must support the creation of a centralized infrastructure entity within single nations, as we have seen in Australia, Singapore, Mexico, Jordan, and elsewhere. Such partnerships could help CSPs cut CapEx and operational expenses.

Implementing B2B2X business models

Finally, these rising technologies will be levers not only for savings, but also growth—the kind of growth that CSPs urgently need to remain competitive and deliver on the infrastructure of the future internet. One promising avenue for growth is the boosting of consumer ARPU growth with differentiated, personalized offerings. The rollout and adoption of 5G will help enable this, especially as the metaverse evolves.

Aligning with Cisco’s purpose

It’s clear that the Internet for the Future needs to be more accessible, broadly distributed, secure, trustworthy, and ecologically sustainable. And it needs to achieve these qualities while also becoming even bigger, faster, and more capable than it already is. If CSPs can embrace transformation, they can become one of the most consequential drivers of an inclusive internet for all.

Source: cisco.com

Continue reading