
Research on Industrial Ethernet Application Security

2026-04-06 07:58:32
Industrial Ethernet is a current research hotspot in the field of industrial control. Its focus is to provide an interactive mechanism, based on switched Ethernet technology, for coordination and cooperation among controllers, operator stations and various workstations, and to integrate seamlessly with the upper-layer information network. At present, industrial Ethernet is gradually taking the mainstream position in the monitoring layer network and is penetrating into the field device layer network. Industrial Ethernet has many advantages over previous automation technologies. However, everything is relative. While enjoying the progress of open interconnection technology, we should understand clearly the hidden dangers and serious consequences it may bring.

1 Characteristics and security requirements of industrial Ethernet

Although it is derived from information networks such as the intranet and the Internet, industrial Ethernet is oriented towards the production process and has high requirements for real-time performance, reliability, security and data integrity. It shares characteristics and security requirements with information networks, but also has significant characteristics and security requirements of its own:

(1) Industrial Ethernet is a network control system with high real-time requirements and deterministic network transmission.

(2) The entire enterprise network can be divided by function into general Ethernet at the management level, industrial Ethernet at the monitoring level, and the field device layer (such as fieldbus). The management layer general Ethernet can exchange data with the control layer industrial Ethernet, and the upper and lower network segments can communicate freely using the same protocol.

(3) Periodic and non-periodic information coexist in industrial Ethernet, each with different requirements.
The transmission of periodic information usually has sequential requirements, while non-periodic information has priority requirements, such as alarm information, which requires immediate response.

(4) Industrial Ethernet must provide minimum performance guarantee services for critical tasks, and also provide best-effort services for non-critical tasks. Therefore, industrial Ethernet has both real-time and non-real-time protocols.

Based on the above characteristics, the following security application requirements apply:

(1) Industrial Ethernet should ensure that real-time performance is not compromised. In commercial applications, real-time requirements are basically unrelated to security, while in process control they are rigid and often involve the safety of production equipment and personnel.

(2) Competition today is extremely fierce. For many enterprises, especially those with leading technologies, the production process, which is the actual embodiment of their technology, is often the fundamental interest of the enterprise. The process flow and even the operating parameters of some key production processes may become targets for theft by competitors. Therefore, data theft must be prevented in the data transmission of industrial Ethernet.

(3) Open interconnection is an advantage of industrial Ethernet. Remote monitoring, control, debugging, diagnosis and so on greatly enhance the distribution and flexibility of control and break the limitations of time and space. However, for these applications, it is necessary to ensure the legality and auditability of authorization.

2 Analysis of security issues in industrial Ethernet applications

(1) In traditional industrial Ethernet, the upper and lower network segments use different protocols and cannot interoperate. Therefore, a firewall is used to prevent illegal access from the outside.
However, industrial Ethernet connects the control layer and the management layer. The upper and lower network segments use the same protocol and can interoperate. Therefore, a two-level firewall is used. The second-level firewall blocks illegal access to the internal network and assigns different authorizations to legitimate users with different permissions. In addition, filtering and login policies can be adjusted according to log records.

Strict permission management measures should be taken. Permissions can be assigned by department or by operation. Since factory applications are highly specialized, permission management can effectively prevent unauthorized operations. At the same time, access to the operating system of critical workstations should be restricted. The built-in equipment management system must have a record review function. The database automatically records each equipment parameter modification event: who made the modification, the reason for it, and the parameters before and after it, so that it can be traced.

(2) Encryption can be used to prevent the theft of critical information in industrial Ethernet applications. There are currently two main cryptographic systems: symmetric cryptography and asymmetric cryptography. In symmetric cryptography, the encrypting and decrypting parties use the same key, and the key is kept secret. Since the key must be distributed before communication, this step is insecure. Therefore, asymmetric cryptography is used. Since industrial Ethernet sends mostly periodic short messages, this encryption method is relatively fast and is feasible for industrial Ethernet. It is also necessary to prevent access by external nodes.

(3) The real-time performance of industrial Ethernet is currently guaranteed by the following measures: limiting the communication load of industrial Ethernet, using 100M Fast Ethernet technology to increase bandwidth, and using switched Ethernet technology and full-duplex communication to shield the inherent CSMA/CD mechanism. With the open interconnection of networks and the introduction of a large number of IT technologies into automation systems, coupled with the openness of the TCP/IP protocol itself and the endless stream of network viruses and attack methods, network security can become a prominent issue affecting the real-time performance of industrial Ethernet.

1) Virus attacks. The Internet is full of attacks by worm viruses such as Slammer and Blaster and by other network viruses. Taking worm viruses as an example, although the direct targets of these attacks are usually PCs and servers in the information layer network, the attacks are carried out through the network. Therefore, when these worm viruses break out on a large scale, switches and routers are the first to be affected. Users can only eliminate the impact of worm viruses on network devices by restarting switching and routing equipment and reconfiguring access control lists. Worm virus attacks can cause routing oscillations throughout the entire network, which may cause some traffic from the upper information layer network to flow into the industrial Ethernet, increasing its communication load and affecting its real-time performance. There are also many computer terminals connected to industrial Ethernet switches at the control layer. Once a terminal is infected with a virus, even if the virus does not paralyze the network, it may consume bandwidth and switch resources.

2) MAC attack. Industrial Ethernet switches are usually Layer 2 switches, and MAC addresses are the basis for the operation of Layer 2 switches. The network relies on MAC addresses to ensure the normal forwarding of data.
The dynamic Layer 2 address table is updated after a certain period of time. If a port does not receive a data packet whose source address is a certain MAC address, the mapping between that MAC address and that port becomes invalid. At this point, the switch will flood packets destined for that MAC address, impacting its overall performance and reducing its table lookup speed. Furthermore, if an attacker generates a large number of packets with different source MAC addresses, the switch's MAC address table space will be filled, causing genuine data to be flooded when it reaches the switch. There have been numerous recent instances of this method of network intrusion through sophisticated attacks and switch deception. Once the mapping information between MAC addresses and network segments in the table is corrupted, forcing the switch to dump its own MAC address table and begin recovery, the switch stops filtering network transmissions and functions much like a shared media device or hub. The CSMA/CD mechanism then re-emerges, affecting the real-time performance of industrial Ethernet.

Currently, the main security technologies used in information layer networks include the following. Flow control technology limits abnormal traffic flowing through ports to a certain range. Access Control List (ACL) technology ensures that network devices are not illegally accessed or used as attack springboards by controlling access to network resources. Secure Sockets Layer (SSL) encrypts all HTTP traffic and allows access to the browser-based management GUI on the switch. 802.1x and RADIUS network login control uses port-based access for authentication and accountability. Source port filtering allows communication only between specified ports. Secure Shell (SSHv1/SSHv2) encrypts all data transmission, ensuring secure CLI remote access over IP networks.
Secure FTP enables secure file transfer between the switch and the network, preventing unwanted file downloads or unauthorized copying of switch configuration files.

However, applying these security features still presents many practical challenges. For example, switch flow control can only perform simple rate limiting on the various types of traffic passing through a port, restricting abnormal broadcast and multicast traffic to a certain range, but it cannot distinguish between normal and abnormal traffic. Setting an appropriate threshold is also difficult. Some switches have ACLs, but this is ineffective if the ASIC supports few ACLs. Generally, switches cannot handle illegal ARP attacks (in which the source and destination MAC addresses are broadcast addresses). Potential threats to switches include routing spoofing, spanning tree spoofing attacks, 802.1x DoS attacks, and DoS attacks on switch management systems.

At the control layer, industrial Ethernet switches can draw on these security technologies, but it must also be recognized that industrial Ethernet switches are primarily used for fast packet forwarding, emphasizing forwarding performance to improve real-time performance. Applying these security technologies will face significant challenges in terms of real-time performance and cost.

Currently, the application and design of industrial Ethernet are mainly based on engineering practice and experience. The network primarily carries data between control systems and operator stations, optimization system workstations, advanced control workstations, database servers, and other devices, resulting in stable network loads with a certain degree of periodicity. However, with the increasing need for system integration and expansion, the widespread application of IT technology in automation system components, and the prevalence of B/S monitoring methods, usability research under network security factors has become essential.
Examples include the buffer capacity of industrial Ethernet switches under burst traffic and the impact on existing network performance of a transition from full-duplex switching to shared switching. Industrial Ethernet must therefore also address these issues starting from its own architecture.

3 Conclusion

The security issues of industrial Ethernet applications share some commonalities with those of commercial information networks but also differ significantly. Many mature security technologies and concepts used in information networks do not consider the characteristics of industrial production and cannot be directly applied to industrial Ethernet. When applying industrial Ethernet, one cannot consider only control logic and network performance; the factors mentioned above must also be taken into account.
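
A detection sketch for the MAC attack described in section 2, point (3), added here as an example and not part of the original article: it replays frames through a model Layer 2 address table with aging and fixed capacity, flags any port that presents too many new source MAC addresses within one aging interval, and counts frames flooded because the destination was unknown. The addresses, frames, table capacity, aging time and threshold are all constructed values and assumptions.

```python
from collections import defaultdict

AGING_S = 300          # assumed aging time for dynamic entries (seconds)
CAPACITY = 8           # assumed table size, kept tiny for the constructed sample
MAX_NEW_PER_PORT = 4   # assumed alert threshold: new source MACs per port per aging interval

PLC, HMI, HIST = "02:aa:00:00:00:01", "02:aa:00:00:00:02", "02:aa:00:00:00:03"

# Constructed frames: (time_s, ingress_port, src_mac, dst_mac)
NORMAL = [(0, 1, PLC, HMI), (1, 2, HMI, PLC), (2, 1, PLC, HMI),
          (30, 4, HIST, PLC), (31, 1, PLC, HIST)]
# Constructed burst: one port presenting ten different source addresses
BURST = [(10 + i, 3, f"02:00:00:00:00:{i:02x}", PLC) for i in range(10)]


def analyse(frames):
    """Replay frames through a model address table.

    Returns (alert_ports, flooded): ports that exceeded the learning threshold,
    and how many frames were flooded because the destination was unknown.
    """
    table = {}                     # mac -> (port, last_seen)
    learned = defaultdict(list)    # port -> times at which a new source MAC appeared
    alerts, flooded = set(), 0
    for t, port, src, dst in sorted(frames):
        # Aging: drop entries whose source has been silent for AGING_S.
        for mac in [m for m, (_, seen) in table.items() if t - seen >= AGING_S]:
            del table[mac]
        if src in table:
            table[src] = (port, t)             # refresh the existing entry
        else:
            if len(table) < CAPACITY:
                table[src] = (port, t)         # learn; a full table cannot learn
            recent = [x for x in learned[port] if t - x < AGING_S]
            learned[port] = recent + [t]
            if len(learned[port]) > MAX_NEW_PER_PORT:
                alerts.add(port)
        if dst not in table:
            flooded += 1                       # unknown destination: sent out all ports
    return sorted(alerts), flooded


if __name__ == "__main__":
    print("normal:", analyse(NORMAL))
    print("with burst:", analyse(NORMAL + BURST))
```

In the second run the extra flooded frame is the PLC's reply to the historian: the table was already full when the historian first transmitted, so its address was never learned and genuine traffic to it is sent out of every port.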