An introduction to Simple Network Management Protocol (SNMP)
The OT and IT worlds are extremely dissimilar. In our OT world, every production facility is different from every other production facility. Where we use many unique and special devices on the factory floor, IT systems rely on a handful of device types.
Routers, switches, PCs and UPS systems comprise most of the devices in an IT system. Walk into a random manufacturing cell, and you never know what device you might find, but look at corporate IT networks and you can’t tell one from another. This uniformity allows IT systems to manage everything through a single, universal language: SNMP.
What is SNMP?
SNMP (Simple Network Management Protocol) emerged in the 1980s as a simple protocol for monitoring devices in an enterprise IT system. It gives administrators a simple, efficient way to monitor and manage those devices. SNMP quickly gained traction because it applies to almost any device, became a foundational component of every enterprise IT system, and is now gradually working its way into the OT world.
SNMP provides users with an open way to monitor devices to collect information or identify critical and non-critical events including:
- High CPU usage
- Bandwidth
- Dropped Ethernet packets
- Fan speeds
- Temperatures
- Cycles
- Battery and toner levels
- Many other network, processing and environmental attributes
Why does SNMP Matter in OT Networks?
SNMP is a valuable communications technology for OT.
Production control system owners can obtain health data, event conditions, asset inventory and other status information from SNMP-enabled devices within a production control system. These are the same types of benefits that SNMP offers to enterprise IT systems.
Except for managed switches, SNMP is typically found in ancillary devices not connected to the control system. Therefore, it is not a technology for real-time control or acquisition of time-series data, and should never be used to transfer any data that is integral to the control of any machine or system on the plant floor.
Further, SNMP variables are timestamped when they arrive at the Network Management System, not when they are read. That makes them useful for coarse health and event indicators but nearly useless for any high-resolution forensic-type analysis.
How are SNMP Networks Organized?
SNMP implements a three-component model consisting of a managed device, an agent and a network management system (NMS).
A managed device is a network node that reports information over SNMP. Typical managed devices in an enterprise IT network include routers, managed switches, access points, bridges, computers, printers and everything else you find in an IT system. In a factory floor network, managed devices include industrial switches, Uninterruptible Power Supplies (UPS), gateways, printers and weigh scales. SNMP-managed devices incorporate an agent.
An agent is a software module that forms the SNMP message reporting the data to the Network Management System.
A Network Management System (NMS) is a software component that collects data from the SNMP agents.
The Three Versions of SNMP
Over its almost 50-year life, as Ethernet network technology evolved, SNMP evolved without losing support for earlier versions. There are now three common SNMP versions: v1, v2c and v3.
You can compare these versions to Goldilocks in the bears' house:
- v1 is too soft – it's simple, without any security.
- v3 is a more complex specification with high-end security.
- v2c is just right – enhanced over v1 with some additional security.
All three are in use, and Network Management System (NMS) applications work with any of them.
How is Data Organized in an SNMP Device?
SNMP data is organized as a structured tree with branches and leaves called a Management Information Base (MIB). Vendors assign long tags known as Object Identifiers (OIDs) to data items in the tree. For example, the number of ports on a managed switch is accessed via the tag "1.3.6.1.4.1.8691.7.7.1.1.0".
The structure of data in an SNMP device is common to all devices, meaning that the same tools can be used to access any SNMP device through its agent.
There are two types of MIBs in an SNMP device. "Standard MIBs" are MIBs created by the IETF (Internet Engineering Task Force) that organize the typical common network functions you would find in many devices (e.g., the IP and TCP MIBs).
“Enterprise MIBs” are vendor-specific and organize manufacturer-specific features of a particular device. For example, a printer manufacturer may have Enterprise MIBs detailing the toner and paper tray levels.
What Are the Seven Basic SNMP Message Types?
The seven message types in SNMP are GET, GET-NEXT, GETBULK, GET-RESPONSE, SET, TRAP and INFORM.
| SNMP Message Type | Initiated By | Description |
|---|---|---|
| GET (GET Request) | NMS or another SNMP Requestor | Read the current value of one or more variables |
| GET-NEXT | NMS or another SNMP Requestor | Return the next variable value in the MIB tree |
| GETBULK | NMS or another SNMP Requestor | Combines a set of GET-NEXT messages into a single transaction |
| GET-RESPONSE | An Agent | The Agent sends a GetResponse PDU (Protocol Data Unit) to the manager containing response from the last data request. |
| SET | NMS or another SNMP Requestor | Write a value to a variable |
| TRAP | An Agent | An Agent sends a Trap PDU on an important or critical change of state. |
| INFORM | An Agent | An Agent sends an Inform PDU on an important or critical change of state when the Agent wants to ensure the message is received by the NMS. |
- GET and GET-NEXT messages retrieve data from an agent in a device.
- GETBULK messages combine multiple GET-NEXT messages into a single transaction.
- SET modifies the value of a variable in an agent. SET is often disabled in OT unless explicitly required and controlled.
- GET-RESPONSE is the response message for GET and GET-NEXT messages.
- TRAP messages are the equivalent of alarms. TRAP and INFORM are two of the messages initiated by an agent.
- INFORM messages are similar to TRAP messages, but INFORM messages are retried if there is no acknowledgement from the NMS.
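As an added illustration of the MIB tree and the GET, GET-NEXT and GETBULK semantics described above (example code written for this article, not from the original page or any vendor's agent), the block below models a tiny agent-side MIB. The standard system and interface OIDs are real, the vendor port-count OID is the one quoted earlier, and every value is constructed; it also shows why agents must order OIDs arc by arc as integers rather than as strings, which is the detail that most often breaks home-grown walkers.

```python
# Added example, not code from the article: a toy agent-side MIB showing how
# GET, GET-NEXT and GETBULK walk the OID tree.  OIDs under 1.3.6.1.2.1 are
# standard system/interface objects; 1.3.6.1.4.1.8691... is the article's
# vendor port-count example.  All values are constructed.
END_OF_MIB = "endOfMibView"
NO_SUCH = "noSuchObject"
MIB = {                                                   # dotted OID -> value
    "1.3.6.1.2.1.1.1.0": "OT edge switch (constructed)",  # sysDescr.0
    "1.3.6.1.2.1.1.3.0": 123456,                          # sysUpTime.0
    "1.3.6.1.2.1.1.5.0": "cell-7-switch",                 # sysName.0
    "1.3.6.1.2.1.2.2.1.8.1": 1,                           # ifOperStatus.1 up
    "1.3.6.1.2.1.2.2.1.8.2": 2,                           # ifOperStatus.2 down
    "1.3.6.1.2.1.2.2.1.8.10": 1,                          # ifOperStatus.10 up
    "1.3.6.1.4.1.8691.7.7.1.1.0": 8,                      # vendor port count
}

def oid_key(oid: str) -> tuple:
    """Compare OIDs arc by arc as integers: ...8.2 < ...8.10 (a string sort would not)."""
    return tuple(int(arc) for arc in oid.split("."))

SORTED_OIDS = sorted(MIB, key=oid_key)

def snmp_get(oid: str):
    """GET: exact instance match only; a missing instance is an error."""
    return MIB.get(oid, NO_SUCH)

def snmp_get_next(oid: str):
    """GET-NEXT: first OID strictly after `oid`, or (None, endOfMibView)."""
    key = oid_key(oid)
    for candidate in SORTED_OIDS:
        if oid_key(candidate) > key:
            return candidate, MIB[candidate]
    return None, END_OF_MIB

def snmp_get_bulk(oid: str, max_repetitions: int):
    """GETBULK: up to max_repetitions GET-NEXTs answered in one exchange."""
    results, current = [], oid
    for _ in range(max_repetitions):
        current, value = snmp_get_next(current)
        if current is None:
            break
        results.append((current, value))
    return results

def walk_subtree(prefix: str):
    """snmpwalk-style loop: GET-NEXT until the reply leaves the subtree."""
    pkey, out, current = oid_key(prefix), [], prefix
    while True:
        current, value = snmp_get_next(current)
        if current is None or oid_key(current)[:len(pkey)] != pkey:
            return out
        out.append((current, value))
```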
How Does an SNMP Protocol Operate?
SNMP is a connectionless protocol in which an SNMP Network Manager sends protocol packets to agents on SNMP devices without first establishing a dedicated link to the device. This is like the Internet Protocol (IP), another connectionless protocol that sends data without first establishing a dedicated link to the destination device.
Most SNMP communication consists of an NMS polling agents for data. A polling architecture works well for a protocol like SNMP because it carries no real-time data. Printer levels, number of operating cycles and other such data are seldom time-dependent.
SNMP Event Notification
Where event notification is important, SNMP uses TRAP or INFORM messages. TRAP messages are issued to inform an NMS about data or events that are more critical and can’t wait for the next polling cycle, while INFORM messages are used for data or events that are so critical that the agent must make certain they are delivered.
Polling should be used for routine status information, while traps should be reserved for proactively signaling immediate, event-driven alerts on important problems or critical failures.
SNMP Use Cases on the Production Floor
SNMP use cases include:
- Network switch monitoring
- Wireless infrastructure monitoring
- UPS and power monitoring
- Industrial PCs/servers and virtualization hosts (where permitted)
- Gateways and protocol appliances
- Environmental monitoring (panels, rooms) when SNMP-capable sensors exist
- Alarm to an operator display
- Alarm to maintenance dispatch
How Secure is SNMP?
Devices with SNMPv1 and v2c provide an easy-to-use attack vector for malicious actors, as many users never change the default password, called a community string, set by the device vendor. The primary risk with these versions is that the community string is transmitted in clear text and easily captured by a malicious actor monitoring traffic.
SNMPv3, which newer devices support far more often than legacy ones, is much more secure, offering authentication, encryption and message integrity. It is far better than SNMPv2c at preventing unauthorized access and data tampering, provides more granular user permissions, and aligns with many common manufacturing compliance regulations.
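To make the clear-text exposure concrete from a monitoring point of view, here is an added example (written for this article, not from the original page or any product) that decodes just enough of the BER-encoded SNMP message header to report the version, the community string and the PDU type, the way a passive sensor on the OT network would flag v1/v2c traffic and default community strings. The sample packets are built in the block by a tiny encoder and are constructed, not captured; the list of default community strings is an assumption.

```python
# Added example, not from the article: a minimal BER decoder for the SNMP
# message header that pulls the version, community string and PDU type out of
# a UDP/161 payload, as a passive monitor on the OT network would.  The packets
# are built here by a tiny encoder; none is a real capture.
PDU_TYPES = {0xA0: "GET", 0xA1: "GET-NEXT", 0xA2: "GET-RESPONSE", 0xA3: "SET",
             0xA4: "TRAP(v1)", 0xA5: "GETBULK", 0xA6: "INFORM", 0xA7: "TRAP(v2)"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
DEFAULT_COMMUNITIES = {"public", "private"}   # common vendor defaults (assumed)
def tlv(tag: int, body: bytes) -> bytes:
    """BER tag/length/value with short-form length (body < 128 bytes)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def read_tlv(buf: bytes, pos: int):
    """Decode one TLV at pos; handles short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_header(packet: bytes) -> dict:
    """v1/v2c: SEQUENCE { version, community, PDU }; v3 has msgGlobalData instead."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    _, ver, pos = read_tlv(body, 0)
    version = int.from_bytes(ver, "big")
    info = {"version": VERSIONS.get(version, f"unknown({version})"),
            "community": None, "pdu": None, "cleartext": version in (0, 1)}
    if info["cleartext"]:              # community string travels unencrypted
        _, comm, pos = read_tlv(body, pos)
        info["community"] = comm.decode("ascii", "replace")
        info["pdu"] = PDU_TYPES.get(read_tlv(body, pos)[0], "unknown")
    return info

def build_v2c_get(community: str, oid_bytes: bytes) -> bytes:
    """Constructed v2c GetRequest: request-id 1, no error, one NULL varbind."""
    varbinds = tlv(0x30, tlv(0x30, tlv(0x06, oid_bytes) + tlv(0x05, b"")))
    ints = tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00")
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, community.encode())
               + tlv(0xA0, ints + varbinds))
SYS_NAME_OID = bytes([0x2B, 6, 1, 2, 1, 1, 5, 0])          # 1.3.6.1.2.1.1.5.0
SAMPLE_V2C = build_v2c_get("public", SYS_NAME_OID)         # constructed
SAMPLE_V3 = tlv(0x30, tlv(0x02, b"\x03") + tlv(0x30, b""))  # v3 header stub
def triage(packet: bytes) -> str:
    """One line per packet, flagging cleartext versions and default strings."""
    h = parse_header(packet)
    if not h["cleartext"]:
        return f"{h['version']}: community not exposed"
    flag = " DEFAULT-COMMUNITY" if h["community"] in DEFAULT_COMMUNITIES else ""
    return f"{h['version']} {h['pdu']} community={h['community']!r}{flag}"
```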
If you must use v1 or v2c devices, or want to harden your SNMPv3 environment, consider the following risk mitigation strategies:
- Use router or firewall rules to limit SNMP requests to authorized SNMP network management systems.
- Replace the vendor default community string with a long, unpredictable string.
- Restrict SNMP access to read-only at all v1 and v2c devices.
- Enable SNMPv3, if available.
- Use a VLAN for all SNMP traffic – this is the typical approach used in corporate enterprise IT networks.
- Use an encrypted tunnel for SNMP v1 and v2c message traffic. An encrypted tunnel prevents outsiders from obtaining the community string.
- Monitor all SNMP access by purchasing only SNMP devices that log access.
- Enable rate limiting on SNMP devices to prevent Denial of Service (DoS) attacks.
- Limit MIB exposure by restricting access to the particular MIBs needed by other tools.
- Disable all unused community strings.
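Several items on the list above map directly onto agent configuration. The fragment below is an added example in net-snmp's snmpd.conf syntax (written for this article, not taken from the page or from any vendor's documentation) that places an as-shipped style configuration beside a hardened one; the NMS address 192.0.2.10, the listening address 192.0.2.20, the user name and the REPLACE-... strings are placeholders.

```conf
# Added example, not from the article: net-snmp snmpd.conf fragments showing
# a typical as-shipped configuration beside one that applies the list above.
# 192.0.2.10 (NMS), 192.0.2.20 (device), user name and REPLACE-* are placeholders.

# --- Weak: vendor-style defaults -------------------------------------------
# v1/v2c, default strings, read AND write from any source, entire MIB tree.
rocommunity public
rwcommunity private

# --- Hardened ---------------------------------------------------------------
# Limit MIB exposure: expose only the subtrees the monitoring tool needs
# (system group and interfaces table) instead of the whole tree.
view nmsview included .1.3.6.1.2.1.1
view nmsview included .1.3.6.1.2.1.2

# If v2c is still required: long random community, read-only, accepted only
# from the authorized NMS, restricted to the view above.  No rwcommunity line.
rocommunity REPLACE-WITH-LONG-RANDOM-STRING 192.0.2.10 -V nmsview

# Prefer SNMPv3 with authentication and encryption (authPriv), read-only.
createUser otnms SHA "REPLACE-AUTH-PASSPHRASE" AES "REPLACE-PRIV-PASSPHRASE"
rouser otnms priv -V nmsview

# Listen only on the management interface, not on every interface.
agentaddress udp:192.0.2.20:161
```

Firewall or router rules limiting UDP/161 to the NMS, and rate limiting, are applied outside this file; net-snmp reads the createUser line once at startup and stores the derived keys in its persistent configuration, so check snmpd.conf(5) for your version on where it expects that line.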
Limitations of SNMP
SNMP limitations result from its inefficiency, insecure nature and non-standard implementations.
- SNMP is inefficient – Because it uses a poll/response model, it can be inefficient when polling is poorly designed or overused. As the network grows, careful polling intervals and object selection must be used to avoid increased CPU overhead.
- SNMP is insecure – The majority of legacy SNMP devices in the field use v1 and v2c, which transmit community strings in the clear. Newer devices support v3.
- Vendor models are often not standardized – Vendors create inconsistent, hard-to-use MIB data models, which creates operational complexity.
What Are the Ten Most Important SNMP Concepts?
- SNMP is a critical technology that enterprise IT systems use to monitor IT networks and it is becoming more important on the factory floor.
- SNMP is required in PROFINET devices and you may find it in some EtherNet/IP devices as well.
- SNMP uses UDP as its transport mechanism. UDP is a “fire and forget” message with no receipt acknowledgement to the sender. SNMP overcomes that “fire and forget” operation when necessary with INFORM messages.
- Most legacy SNMP devices on the factory floor don’t support the more cybersecure SNMP v3.
- Traps simply mean alarms in SNMP. Trap messages are collected by various monitoring and diagnostic applications.
- Vendors typically provide the SNMP MIB databases on their websites. There are tools that you can use to browse an SNMP database. These tools allow authorized users to connect to the device and view the status of variables in the device.
- The client-side or network manager of an SNMP network resides at a central location. The network manager collects messages from the SNMP agents.
- The MIB files provided by vendors can be compared to XML files. The data in the MIB is important because it provides not only variable names, but also metadata, such as the data type. These text files are often loaded into a network manager so it can properly access a device.
- There are standard OIDs for device types. For example, there are standard OIDs for the data in managed switches.
- There is no certification process for SNMP devices and some vendors deviate from the standard in important ways.
SNMP FAQs
What is an SNMP trap?
A trap is a proactive alarm message from an SNMP device agent to a Network Management System (NMS) that informs the NMS of a critical failure or an important status change on an SNMP device.
What is a community string?
A community string is a simple password required to access an SNMPv1 or v2c device. Community strings are generally well-known and often set to the default password provided by the device vendor. Users should always change the community string to a more secure password string.
How does SNMPv3 differ from v1 and v2c?
SNMPv3 offers secure username/password/encryption methods, while v1 and v2c use simple password strings transmitted in the clear.
Where is the NMS located in a plant network?
The architecture of the SNMP network varies depending on the complexity of the production system, the SNMP use case and the plant's cybersecurity requirements. In some plants, there is a single SNMP NMS located in the enterprise IT network. In other plants, an NMS can be found in every production cell.
What is an OID?
In SNMP, an OID (Object Identifier) is a unique, hierarchical string of numbers that serves as an address for managed objects (such as device stats, interfaces, settings) within a network device's MIB (Management Information Base). An OID identifies a specific variable location by providing a map of all the branches and trunks of the MIB tree. OIDs provide a standardized way to query and manage network elements, allowing monitoring systems to pinpoint data like a device's uptime, a port's bandwidth or a sensor's temperature.
