Documentation · 06
Annex E - Switch Families
Annex E: selection and standardization of switch families on the Manufacturing Operations side.
Annex E — Approved Manufacturing Operations Switch Families
Referenced by MSA § 2.4 and § 8.4. Vendor lock-in applies only within a single Manufacturing Operations network. Different networks may use different vendors with the same functional capabilities. Convergence to a single plant-wide family is a maturity goal, not a starting state.
Required capabilities for any approved switch family
A switch family is eligible for this register if and only if it provides, at the same firmware revision across the family:
E.1 Static routing. Static-routing-capable per MSA § 4.3. Line-speed routing between subnets in hardware (ASIC/silicon), not software. Per Gary’s call: software-implemented routers always introduce delay; line-speed Ethernet-to-Ethernet routing is now baseline.
E.2 Per-port ACLs. Per-packet filtering at line speed. Required for MSA § 3.5 / § 3.8 / § 4.5 enforcement.
E.3 DHCP block control. Ability to block DHCP requests crossing a specific port/direction (per Annex D / MSA § 3.8).
E.4 Broadcast block control. Ability to block broadcast traffic crossing a specific port/direction.
E.5 RSPAN / port-mirroring lifecycle controls. Sessions can have a declared lifetime and be torn down explicitly (per Annex D guarantee and MSA § 3.6). The RSPAN-left-up failure mode Gary described must be preventable here.
E.6 Priority queuing for control-signal traffic. Per MSA § 3.2 / Annex D priority enforcement. Switch must honor at least the CS-HIGH / CS-NORMAL / IT-NORMAL three-class priority model.
E.7 SNMP and syslog. For § 2.2 monitoring obligation.
E.8 PTP support. Precision Time Protocol for soft-real-time control network synchronization. Gary’s note: “you can with the precision time protocol” — required where the network carries soft-real-time interlocks.
E.9 Firmware audit trail. Firmware revision queryable via management interface. Required for § 2.4 (“same firmware revision across the network”).
E.10 No phone-home, no vendor cloud dependency. Per industrial independence principle and MSA § 4.5 (no IT-side or vendor-side reach into the MO network). The switch must operate fully air-gapped from the vendor.
Approved families
Each Manufacturing Operations network selects one family from this register and locks to it.
Family A — Industrial managed switch, mid-market
| Field | Value |
|---|---|
| Capability tier | Meets E.1–E.10 |
| Position | Mid-market industrial managed; suitable for paint-1, conveyance-main, similar |
| Notes | Common in industrial deployments per Gary’s experience |
| Approved firmware track | TBD — fixed at network selection time |
| Approval date | TBD |
Family B — Industrial managed switch, premium tier
| Field | Value |
|---|---|
| Capability tier | Meets E.1–E.10 with extended ACL depth and line-rate L3 routing |
| Position | Premium industrial; suitable for high-density networks like assembly-1 with many controllers |
| Notes | More expensive, more capable; commonly available across industrial vendors |
| Approved firmware track | TBD — fixed at network selection time |
| Approval date | TBD |
Family C — Industrial managed switch, automation-vendor branded
| Field | Value |
|---|---|
| Capability tier | Meets E.1–E.10 |
| Position | Suitable where existing automation infrastructure dictates same-vendor switching |
| Notes | Often the path of least resistance when the PLC vendor also supplies switching |
| Approved firmware track | TBD — fixed at network selection time |
| Approval date | TBD |
(Specific vendor and model entries to be filled in by procurement at approval. This annex describes the policy. The vendor list is appended below as it’s approved.)
Per-network family assignments
| Network ID | Approved family | Firmware revision | Vendor | Last audit |
|---|---|---|---|---|
| paint-1 | TBD | TBD | TBD | — |
| conveyance-main | TBD | TBD | TBD | — |
| machining-1 | TBD | TBD | TBD | — |
| assembly-1 | TBD | TBD | TBD | — |
| powerhouse-1 | TBD | TBD | TBD | — |
Procurement rules
P.1 A network’s family is fixed at network deployment. Mid-life family changes are network rebuilds, not upgrades. Plan accordingly.
P.2 All switches in a network are from the same family at the same firmware revision. Per Gary on the call: “Within a network it has to be… because switches implement different features in different fashions, even at the firmware level for consistent behavior within a network, you need every switch to be from the same manufacturer.”
P.3 Spare-switch inventory is held at one revision behind production (for rollback) and the production revision. No older spares; no newer spares.
P.4 Firmware upgrades within a network happen as a coordinated event across all switches in that network. Mixed-revision operation is permitted only during the upgrade window itself.
P.5 A network may not deploy a feature not in this annex’s capability list (E.1–E.10) and rely on it for production. Vendor-specific features above E.1–E.10 are allowed for convenience but production behavior must remain explainable from the policy capabilities alone.
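An audit of rules P.2 to P.4 against firmware revisions read back per E.9 could look like the following. This is an added example, not part of the annex or of any vendor tooling; the record shapes, switch names and firmware strings are constructed, and it assumes the register names the rollback revision explicitly because revision strings are vendor-specific and cannot be ordered generically.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class NetworkEntry:                 # one register row (hypothetical shape)
    family: str
    production_rev: str
    rollback_rev: str               # the single older revision P.3 allows for spares
    upgrade_target: Optional[str] = None   # set only while a P.4 upgrade window is open

@dataclass(frozen=True)
class Switch:
    name: str
    network: str
    family: str
    firmware: str                   # as read back from the management interface (E.9)
    role: str                       # "production" or "spare"

def audit(register, inventory):
    # Returns (switch name, rule) findings for P.2, P.3 and P.4.
    findings = []
    for sw in inventory:
        entry = register.get(sw.network)
        if entry is None:
            findings.append((sw.name, "network not in register"))
        elif sw.family != entry.family:
            findings.append((sw.name, "P.2 family"))
        elif sw.role == "spare":
            # P.3: production revision or one behind; no older, no newer.
            if sw.firmware not in (entry.production_rev, entry.rollback_rev):
                findings.append((sw.name, "P.3 spare revision"))
        else:
            # P.4: a second revision is tolerated only inside the upgrade window.
            allowed = {entry.production_rev, entry.upgrade_target} - {None}
            if sw.firmware not in allowed:
                findings.append((sw.name, "P.2/P.4 revision"))
    return findings

# Constructed sample data: network IDs are from the annex, everything else is invented.
REGISTER = {
    "paint-1": NetworkEntry("Family A", "fw-2.4", "fw-2.3"),
    "assembly-1": NetworkEntry("Family B", "fw-7.1", "fw-7.0", upgrade_target="fw-7.2"),
}
INVENTORY = [
    Switch("p1-sw01", "paint-1", "Family A", "fw-2.4", "production"),
    Switch("p1-sw02", "paint-1", "Family A", "fw-2.3", "production"),
    Switch("p1-sw03", "paint-1", "Family C", "fw-2.4", "production"),
    Switch("p1-spare1", "paint-1", "Family A", "fw-2.5", "spare"),
    Switch("a1-sw01", "assembly-1", "Family B", "fw-7.2", "production"),
]
```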
Convergence track
Per MSA § 8.4 — over time, the plant may converge on a single family across all networks. The convergence rule:
- Convergence is never forced at the cost of capability fit. A premium-tier network does not downgrade to match a mid-market one.
- Convergence happens at network rebuild events, not in-place.
- Convergence is measured at joint review (§ 8.1) as a maturity metric, not enforced as a deadline.
- Convergence does not override § 2.4 — within any one network, the same-family rule holds always.
Disqualifying features
A switch family is removed from this register if it:
- Implements phone-home or cloud-dependency that cannot be disabled and audited (violates E.10)
- Cannot block DHCP or broadcast from specific ports (violates E.3, E.4)
- Implements RSPAN/port-mirroring without a tear-down lifecycle (violates E.5 — this is the literal failure Gary described in his GM RSPAN outage)
- Embeds remote-management features that cannot be turned off
- Has been demonstrated to leak controller traffic across a routing boundary it claimed to enforce
- Has a vendor lifecycle that no longer supports security patching of the approved firmware track
Disqualification is permanent for that family on the affected revision. The family may be reconsidered on a clean revision after the underlying defect is remediated.
Open items
- Initial vendor evaluation. Each of Families A/B/C above needs to be matched to specific vendor SKUs after evaluation against E.1–E.10. Joint review with procurement.
- Firmware track baseline. Each approved family needs a chosen firmware track with a documented patch cadence. Until the cadence is documented, no family is fully approved.
- Independent verification of E.10. Many vendors claim no phone-home but ship telemetry in their default config. Verification by network capture during evaluation is required.
- Cross-vendor interlock compatibility. When two MO networks use different families, the long-distance interlock (Annex B) must pass through both vendor stacks cleanly. Test before production registration.
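The capture-based verification of E.10 named in the open items can be reduced to a check over flow records exported from the evaluation capture. The following is an added example, not part of the annex; the CSV column layout, the addresses and the lab subnet are constructed assumptions, and the flows are a constructed sample of a switch left in its default configuration.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed flow summary from an evaluation capture (documentation address ranges).
CAPTURE_CSV = """src,dst,proto,dport
10.50.0.10,10.50.0.5,udp,514
10.50.0.10,10.50.0.5,udp,162
10.50.0.10,203.0.113.40,tcp,443
10.50.0.10,198.51.100.53,udp,53
10.50.0.21,10.50.0.10,tcp,22
10.50.0.10,203.0.113.40,tcp,443
"""

def unexpected_egress(csv_text, switch_ip, allowed_nets):
    """Count flows the switch itself originated toward destinations
    outside the allowed networks (e.g. the lab's syslog/SNMP collector)."""
    switch = ipaddress.ip_address(switch_ip)
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    hits = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Only traffic sourced by the switch under evaluation is of interest;
        # inbound management sessions from the lab are ignored.
        if ipaddress.ip_address(row["src"]) != switch:
            continue
        dst = ipaddress.ip_address(row["dst"])
        if any(dst in net for net in nets):
            continue
        hits[(str(dst), row["proto"], int(row["dport"]))] += 1
    return dict(hits)

if __name__ == "__main__":
    findings = unexpected_egress(CAPTURE_CSV, "10.50.0.10", ["10.50.0.0/24"])
    for (dst, proto, dport), count in sorted(findings.items()):
        print(f"E.10 finding: {count} flow(s) to {dst} {proto}/{dport}")
```

An empty result across a capture that spans boot, idle operation and a configuration change is the evidence the evaluation needs; any entry is a candidate E.10 violation to trace back to a specific feature and confirm it can be disabled.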