ipELB

4-Port Ethernet Line Breaker with relay controlled Ethernet ports and integrated I/O module

  • ipELB stage.png

    ipELB is a cybersecurity system for industrial networks that can physically disconnect Ethernet connections. It features relay-controlled 10 Gigabit Ethernet ports, each of which can be turned on and off via a toggle switch on the device as well as remotely. Remote control is based on standardized communication protocols.

    ipELB relays

    To enable/disable the Ethernet ports, bistable relays that maintain their state even during power outages are used. Existing connections will not be affected accordingly.

    The applied SEC3ER hardware platform features a digital I/O module to control and capture digital states, and to physically disconnect up to four Ethernet port pairs. For this purpose, eight digital inputs and outputs are available, in addition to a variety of fieldbus protocols, telecontrol protocols, and established IT/cloud protocols, to monitor and control the connections of the 4-Port Ethernet Line Breaker.

    ipELB LEDs and toggle switches

    The integrated web interface provides numerous configuration settings to automate the separable Ethernet connections. It includes powerful functions for data processing and provides a digital I/O interface that can be used to create complex switching scenarios.

    Features

    • Support for 10M / 100M / 1G and 10G Ethernet
    • Transparent data transmission
    • Controlled bidirectional data exchange between systems
    • Network segmentation
    • Daisy chain of multiple SEC3ER
    • Conduct-through Power over Ethernet (PoE)

    Control Options for the Ethernet relays

    • Manually via 3-way switches
    • Using the web configuration interface
    • Digital inputs
    • Protocol-based automation
    • Timer-controllable

    Since ipELB supports communication using numerous protocols, it can be easily integrated into existing projects, as the following examples demonstrate:

    • Connection to a PLC can be realized using the S7 Protocol (RFC 1006) or Simatic Fetch/Write protocols
    • Integration into a network management system using SNMP agents
    • Integration into a SCADA/HMI system by using the protocols OPC UA, IEC 60870-5-104 or DNP 3.0
    • Connection to the corporate IT via the REST interface
    • Clustering multiple SEC3ER to implement complex architectures

    In scenarios where protocol-based control to physically disconnect network interfaces is not required, the 1-Port Ethernet A/B-Switch ERM1 can also be a suitable solution.

    The following use cases illustrate potential applications of ipELB.

Redundant ISP Integration
  • redundant ISP

    For seamless switching between redundant Internet providers (ISP), the product ipELB is ideally suited. SEC3ER, which serves as a hardware platform, can physically disconnect up to 4 Ethernet ports.

    The diagram shows the schematic structure of a corporate network. System operators can control and automate which ISP is set active by using industrial protocols. The corporate IT can also decide which connection is to be used by using the mechanical 3-way switches. The manual switching is prioritized over automation by software.

Redundancy Coupling for Standalone Systems
  • legacy redundancy

    To ensure operation and reliability of critical systems, companies deploy redundant systems. Yet many devices do not meet this requirement. With ipELB even such devices can be used for redundant operation.

    This is achieved by connecting two identically configured devices (e.g. by assigning identical IP addresses) on two Ethernet ports of the 4-Port Ethernet Line Breaker SEC3ER. The passive component remains physically separated from the network. If the active component fails, its connection is cut while the connection to the passive device is set active. An automatic redundancy control of this kind can be implemented, for example, using the digital I/O interface.

Network Segmentation
  • decouple corporate networks

    If the physical connection status of specific network segments needs to be monitored and remotely controlled, we recommend the use of ipELB.

    In case of security incidents within the corporate network, affected segments can be isolated selectively by physically separating corresponding connections. Communication on all other lines remains unaffected.

    One option for controlling (and automating) the connections is the integration of intrusion detection systems (IDS). These detect anomalies in communication and can reliably disconnect affected connections using ipELB.

Secure Remote Maintenance
  • remote access

    With the increasing degree of networking between machines and industrial facilities, the need for remote maintenance access to optimize costs is likewise growing. At the same time, this raises the risk of cyber attacks, especially if systems with deprecated security mechanisms or legacy systems are deployed.

    With ipELB, network connectivity can be provided and monitored for secure remote maintenance. If momentarily not required, the maintenance connection can be physically disconnected. Thus potential attackers have no opportunity to exploit the idle port to implant malicious code.

Configuration
  • System configuration is completely performed in a web browser. No other special configuration tools are required. A conventional notebook with a network interface and web browser are all that is necessary.

    ipConv in its current version 4 enables encrypted communication between web server and browser via the HTTPS protocol.

    ipELB main menu

    The main menu provides access to all relevant functions of ipConv, showing the overall system status at a glance.

    The following functions are available:

    • Switch between operating mode OPERATIONAL (unattended station) or MAINTENANCE (allows full access to all ipConv functions)
    • Backup and restore the complete configuration
    • License management (ADMIN)
      Installation of (DEMO-) licenses, limited or unrestricted licenses
    • Software upgrade (ADMIN)
    • Import configuration information from tables
      The Excel file can be imported directly (Supported formats: .xlsx, .xlsm, .csv)
    • Edit configuration parameters
    • Release and versioning of a station configuration
    • Start and stop the system
    • Access diagnostic data (see also Diagnostics)
    • Access process image and data simulation
    • Creation of custom logbooks
      Changes of normalized information are selectively documented in configurable logbooks for tracing or logging reasons over a period of time.
    • Access current logfiles

    The following example shows the overview of an information object taken from the node configuration (in this case for the digital I/O output DO1).

    ipELB configuration

    The category "Status", assigned to the information object, is used to display the object's value in the diagnostics area (see Diagnostics).

    ipConv enables fast and efficient processing of large volumes of data points by allowing data import from tables. These tables are based on templates and may be processed with various spreadsheet programs, such as Microsoft Excel. The extended use of formulae minimizes the amount of data that needs to be configured manually, substantially reducing the number of errors.

    ipConv datapoint table import

Diagnostics
  • ipELB allows to determine the communication status on all interfaces at a glance at any time. If there is no personnel familiar with the system present on site, it is a major advantage that a non-specialist is capable of doing so as well.

    A unique feature of ipELB is the supplied diagnostics template for visualizing and controlling the different states of the 4-Port Ethernet Line Breaker. As the following figure demonstrates, the state of each Ethernet relay can be monitored and controlled remotely through the web interface. Even without telecontrol protocols, the Ethernet connections can be set active or interrupted remotely.

    ipELB diagnostics

    With this template, digital output states can be set as well. This is particularly useful to test certain functions with remote stations. Digital input signals are visualized in this context.

    The configuration determines, which information is shown with which text or color.

    Apart from indications or measured values, command controls can also be displayed as a button, e.g. to initiate a general interrogation.

    ipConv diagnostics

    Should further diagnostic functions be required, these can be added and customized in the configuration.

Further Information
Flyer
Available Protocol Stacks

BACnet, Client

BACnet, Server

Database, Client

DNP V3.00, Master

DNP V3.00, Slave

Simatic Fetch/Write, Master

IEC 60870-5-101, Master

IEC 60870-5-101, Slave

IEC 60870-5-103, Master

IEC 60870-5-103, Slave

IEC 60870-5-104, Master

IEC 60870-5-104, Slave

IEC 61850, Client

IEC 61850, Server

Kafka, Producer

MQTT, Publisher

MQTT, Subscriber

Modbus, Master

Modbus, Slave

Modbus TCP/IP, Master

Modbus TCP/IP, Slave

OPC DAXML 1.01, Server

OPC UA 1.02, Client

OPC UA 1.02, Server

S7 Protocol, Client

SNMP, Client

Hardware
  • SEC3ER
    SEC3ER

    Relay-controlled 4-Port Ethernet Line Breaker with integrated I/O module