More control for OT and IT

23 November 2020

Where is the border between automation and IT? The progress of artificial intelligence (AI), cloud technologies and simulation means that it is no longer so easy to draw a sharp line between operational technology (OT) and IT, say Andrea Rauscher, product manager SIMATIC, Siemens AG, and Andreas Czech, marketing manager SIMATIC, Siemens AG.

The growing complexity of processes and the interdependency between systems make it more important that developers, plant operators, maintenance staff and production management maintain full control over all processes. A key driver of networking between IT and OT is the fact that companies are increasingly benefitting from the opportunities offered by digitalisation: distributed engineering, plant simulation and virtual commissioning, and the use of AI for predictive maintenance are no longer niche applications. At the same time, the networking of automation components offers advantages in the context of plant-wide or even cross-plant visualisation and analysis of processes. For this reason, even conventional automation components, such as the PLC, are now part of an extensive network. This also increases the complexity of the tasks within the automation level: in addition to the actual machine and plant control, the correct and secure configuration of the network is now also one of the tasks of automation engineers and plant operators.

Using the appropriate tools, many tasks at the interface between IT and OT can now be performed without special expertise. These tasks include simple visualisation via a web server, with which control parameters can easily be monitored and evaluated via the production network. The new firmware version 2.9 of the Simatic S7-1500 controllers, for example, provides an editor with which such visualisations can be compiled from graphic elements without the need for special knowledge on the part of the user. This editor, like all other tools for configuring the automation solution, is part of the TIA Portal engineering software: in the project tree there is simply another node with which the user can build the corresponding web page for the CPU. This integration of the visualisation into the automation via a web server means that the user needs neither HTML coding know-how nor a separate tool for creating the web page and configuring an interface for the data exchange between PLC and visualisation. The handling of this ‘View-of-Things’ function is similar to the creation of an operator screen for the HMI system and is also fully compatible with it – for example, the visualisation of the Simatic CPU can simply be transferred to the corresponding HMI device, where it can be supplemented with advanced functions so that it can, for example, present trend views of CPU parameters in machine-level diagnostics.

Efficient mechanisms
While proven concepts from automation can also be used for the web-based representation of PLC parameters in the visualisation, services from IT are gaining ground in the field of network management. In firmware version 2.9, the Simatic S7-1500 controllers now also support the dynamic host configuration protocol (DHCP) and domain name system (DNS), which simplifies administration and addressing within extensive networks involving numerous stations. Thanks to OPC UA with global discovery service (GDS), OPC UA certificates can now be managed on a central server. Among other things, this simplifies the commissioning of OPC UA devices because certificates can be easily retrieved and updated via TIA Portal or via the server.

Efficient certificate management is important because of the number of OPC UA-enabled devices in automation. The cyclic communication between OPC UA client and server, however, generates a considerable communication load, which is why users should select the most efficient OPC UA service for each communication task. With regard to time-critical information, messages must also be sent outside the cyclic communication. For such tasks, the OPC UA Alarms & Conditions mechanism is ideal. Using alarms and events, the controller can send a message from the user program in the case of unexpected events without the need for a client to poll the controller, and can actively inform personnel about a fault in the system. Thus, OPC UA Alarms & Conditions supplements the existing methods with a cross-vendor and cross-platform mechanism and supports existing resources in the field of plant operation and maintenance.
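The trade-off between cyclic polling and event-driven alarm delivery described above, as an added illustration in plain Python (not OPC UA client or server code, and not from the article or from Siemens): a constructed fault timeline is read by a simulated polling client at two different cycle times and by a simulated subscriber that receives one notification per state transition, in the manner of Alarms & Conditions. The timeline, the timings and both "client" functions are assumptions made for the example.

```python
"""Polling versus event-driven alarm delivery, modelled in plain Python.

Added illustration, not OPC UA client/server code: the fault timeline and
timings are constructed, and the two "clients" are simple functions that
mimic cyclic reads and Alarms & Conditions style notifications.
"""
from typing import List, Tuple

# Constructed fault timeline for one alarm condition: (time_ms, active).
# The second fault (6100-6400 ms) is deliberately short-lived.
FAULT_TIMELINE: List[Tuple[int, bool]] = [
    (0, False),
    (1200, True),
    (4000, False),
    (6100, True),
    (6400, False),
]


def state_at(t_ms: int) -> bool:
    """Alarm state of the simulated controller at time t_ms."""
    state = False
    for ts, active in FAULT_TIMELINE:
        if ts <= t_ms:
            state = active
        else:
            break
    return state


def polling_client(period_ms: int, horizon_ms: int) -> Tuple[int, List[Tuple[int, bool]]]:
    """Cyclic read of the alarm variable every period_ms up to horizon_ms.

    Returns (request_count, detected_transitions). Every poll costs one
    request/response pair whether or not anything changed, and a transition
    is only seen at the first poll after it happened; a fault that starts and
    clears between two polls is never seen at all.
    """
    requests = 0
    detected: List[Tuple[int, bool]] = []
    last = False
    for t in range(0, horizon_ms + 1, period_ms):
        requests += 1
        current = state_at(t)
        if current != last:
            detected.append((t, current))
            last = current
    return requests, detected


def event_client() -> Tuple[int, List[Tuple[int, bool]]]:
    """Alarms & Conditions style delivery: the server pushes exactly one
    notification per state transition, at the moment it occurs."""
    events: List[Tuple[int, bool]] = []
    last = False
    for ts, active in FAULT_TIMELINE:
        if active != last:
            events.append((ts, active))
            last = active
    return len(events), events


if __name__ == "__main__":
    for period in (1000, 100):
        n, seen = polling_client(period, 9000)
        print(f"poll every {period} ms: {n} requests, transitions seen: {seen}")
    n, seen = event_client()
    print(f"event-driven: {n} notifications, transitions seen: {seen}")
```

With a 1000 ms cycle the polling client needs 10 requests over the 9 s window and misses the 300 ms fault entirely; with a 100 ms cycle it sees every transition but needs 91 requests, most of them reporting no change. The event-driven client reports all four transitions with four notifications and no polling latency, which is the load and timeliness argument the paragraph makes.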

Although the increasing networking of OT and IT ensures greater data transparency and more efficient access to the automation level, it also has a downside: it exposes OT components to a higher risk of attack and manipulation. It is therefore essential that users deploy appropriate security mechanisms to protect equipment, networks and systems against unauthorised access. Manufacturers such as Siemens recommend a defense-in-depth concept in accordance with ISA 99/IEC 62443. Accordingly, the security mechanisms in the Simatic S7-1500 controllers are continuously updated and improved: the controllers also support encrypted communication via the transport layer security (TLS) protocol. It is, however, equally important that the user also configures and activates the mechanisms correctly, and this can pose problems – for example, because standard passwords are not changed. To support users accordingly, from the new firmware version onwards Siemens is also supplying its Simatic S7-1500 controllers pre-configured with activated security mechanisms. This ensures that no setting is forgotten or overlooked during configuration. Depending on requirements, individual mechanisms can be deactivated – this then rests on the conscious decision of the user and contributes to a greater awareness of industrial security needs at the automation level.
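The "secure by default, deviate only by conscious decision" principle described above can be made checkable. The following added example (not code from the article or from Siemens) audits a controller configuration against a secure-default baseline and reports every deviation, distinguishing deviations that have a recorded justification from those that do not. The configuration keys, baseline values, sample configuration and exception register are all constructed for the example; the real device's parameters and names would be substituted in practice.

```python
"""Audit a controller configuration against a secure-by-default baseline.

Added example, not Siemens code: the configuration keys, the baseline values,
the sample configuration and the exception register are all constructed to
illustrate the idea. Replace them with the parameters of the real device.
"""
from dataclasses import dataclass
from typing import Any, Dict, List

# Assumed "shipped with security activated" state. Key names are invented.
SECURE_BASELINE: Dict[str, Any] = {
    "web_server.enabled": False,                # visualisation web server off
    "web_server.https_only": True,              # if enabled, TLS only
    "comm.tls_required": True,                  # encrypted PLC communication
    "opcua.anonymous_access": False,            # OPC UA clients must authenticate
    "opcua.security_policy": "Basic256Sha256",  # assumed policy setting
    "user_mgmt.default_passwords_changed": True,
}


@dataclass
class Finding:
    key: str
    expected: Any
    actual: Any
    justification: str  # empty when the deviation is undocumented

    @property
    def justified(self) -> bool:
        return bool(self.justification)


def audit(config: Dict[str, Any], exceptions: Dict[str, str]) -> List[Finding]:
    """Return every deviation of `config` from SECURE_BASELINE.

    A key missing from `config` is reported as a deviation too: an unset
    option cannot be assumed to be secure. A deviation counts as justified
    only if `exceptions` records a non-empty reason for that key, which is
    the "conscious decision" the text refers to.
    """
    findings: List[Finding] = []
    for key, expected in SECURE_BASELINE.items():
        actual = config.get(key, "<unset>")
        if actual != expected:
            findings.append(Finding(key, expected, actual, exceptions.get(key, "").strip()))
    return findings


def unjustified(findings: List[Finding]) -> List[Finding]:
    """Deviations with no recorded justification: these should block sign-off."""
    return [f for f in findings if not f.justified]


# Constructed sample: the web server was switched on for line visualisation
# (documented), but anonymous OPC UA access was enabled, a default password
# remains, and the TLS setting was never configured (all undocumented).
SAMPLE_CONFIG: Dict[str, Any] = {
    "web_server.enabled": True,
    "web_server.https_only": True,
    "opcua.anonymous_access": True,
    "opcua.security_policy": "Basic256Sha256",
    "user_mgmt.default_passwords_changed": False,
}
SAMPLE_EXCEPTIONS: Dict[str, str] = {
    "web_server.enabled": "Needed for the View-of-Things line dashboard (change ticket: placeholder)",
}


if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG, SAMPLE_EXCEPTIONS)
    for f in results:
        tag = "OK (documented)" if f.justified else "BLOCKER"
        print(f"{tag:16} {f.key}: expected {f.expected!r}, found {f.actual!r}")
    print(f"{len(unjustified(results))} undocumented deviation(s)")
```

The design choice worth noting is that an absent setting is treated as a finding rather than silently skipped: the article's point is that secure defaults exist precisely so that nothing is "forgotten or overlooked", and an audit that ignores unset keys would reintroduce that gap. Run against the sample, the web-server deviation is accepted because a reason is on record, while the other three are reported as blockers.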

Flexible configuration
Efficient tools for engineering and configuration are important because of the growing number of networked components. The demands on the flexibility of machines and systems that are networked in this way are also increasing: plant operators want to be able to modify processes simply by combining different stations and cells. For the automation engineer this creates the need for simple, deterministic communication between modules or machines that works without additional communication paths. For the Ethernet-based communication standard Profinet, the I-Device (intelligent IO-Device) function is available for this task. As an I-Device, a CPU can communicate with subordinate as well as higher-level or central controllers without the need for additional mechanisms. In this way I-Devices can be used to network and combine several modules with their own PLC – and now, with Simatic S7-1500 controllers in firmware version 2.9, to a greater or lesser extent ‘on the fly’: the I-Device functionality can now simply be activated and deactivated by command. This allows modules within a line to be switched on or off more easily than before.

As these examples show, it is important that the possibilities of automation solutions keep pace with technical development in the field of OT and IT. In this way, machine and plant constructors as well as operators can benefit from the advantages offered by digitalisation, while continuing to use and further develop tried and tested concepts – and integrate automation into the world of Big Data in a secure, controlled and smart way.

Simatic S7-1500 Firmware 2.9
The firmware update for the hardware and software controllers of the Simatic S7-1500 series will be released simultaneously with the new version V17 of the TIA Portal. The new firmware provides some of the Simatic controllers with memory optimisation and includes new functions that enable efficient engineering of networked automation solutions.

• View-of-Things: standardised web editor for all devices, HMI-like automation website programming (AWP).
• Integral IT connectivity: DHCP/DNS, OPC UA with GDS for global, server-based certificate handling.
• Support of platform-independent notifications via OPC UA Alarms & Conditions.
• Advanced connectivity via media redundancy protocol (MRP interconnect) for larger Profinet ring structures, allowing more devices in total.
• More flexible line configuration of systems by activating/deactivating I-Devices.
• Security-on-default presetting for communication and user management increases network security.
