New developments in secure networking

22 November 2021

Simatic S7-1500 Advanced Controllers are optimally equipped for the digital transformation. With optimised firmware, they are setting new standards for functionality, convenience, availability, and security – especially as part of a larger network.

As more and more challenges arise, increasing numbers of companies are seizing the opportunities offered by both digitalisation and the networking of automation components. Distributed engineering, plant simulation, virtual commissioning and the use of artificial intelligence (AI) for predictive maintenance, for example, as well as plant-wide or even multi-plant process visualisation and analysis have already proven their benefits. That’s why customary automation components such as PLCs have become established parts of company-wide and global networks. This fusion of operational technology (OT) and information technology (IT) does, however, involve increasing security risks for automation systems. The processes and the way they are networked are growing in complexity, which makes it all the more important to keep them completely under control. 

One thing that’s certain is that IT connectivity makes automation more flexible and dynamic. What’s become normal for computer workstations in the home office, for example, is now reality in automation: With the Simatic S7-1500 controllers, the new firmware V2.9 enables a DHCP (Dynamic Host Configuration Protocol) server and a DNS (Domain Name System) server to take over the task of addressing devices, even within extended Profinet networks. While the DHCP server automatically assigns IP addresses and thus makes the devices accessible, the DNS server maps names to these IP addresses. There’s no need for labor-intensive manual configuration to establish which participants the PLC communicates with at any given time.

And there’s another new function offering improved convenience: Firmware V2.9 now makes it possible to activate and deactivate the I-Device (intelligent device) functionality from the user program via a function block, which means modules within a line can now be switched on or off more easily than was previously the case. In intralogistics, for example, driverless vehicles – known as AGVs (Automated Guided Vehicles) – can autonomously check in at every warehouse cell to store or retrieve products there and then check out again. This is another case where automated processes are taking the place of manual engineering. At the same time, checking out no longer triggers LED error alerts, because with V2.9 the communication between the I-Device and the higher-level controller is deliberately deactivated rather than simply lost.

OPC UA – you bet!
Siemens supports the multi-platform, multivendor, Ethernet-based OPC UA (Open Platform Communications Unified Architecture) communication standard, which provides the best preconditions for digitalising even complex automation solutions in the age of Industrie 4.0. Thanks to the new Alarms & Conditions function in firmware V2.9, if unexpected events occur in the system or machine, the controller will send an alert to enable the operator to respond swiftly to malfunctions or maintenance requirements. 

In addition, the Global Discovery Server (GDS) now makes it possible to centrally manage OPC UA certificates. Because of security requirements, these certificates must be renewed at roughly two-year intervals. To ease the load on service technicians, GDS makes the certificates available and updates them automatically while they’re still current, thus avoiding costly machine downtimes and time-consuming service deployments.

Security at the product end
Digitalisation and the increased networking of machines and industrial plant also have a downside since they mean that plant operators face greater security risks. With its end-to-end defense in depth strategy, Siemens therefore targets all aspects of cybersecurity for Industry, an area in which it’s setting new global standards. It goes without saying that a particular focus is placed on security at the product end – for example on further optimising the firmware of the Simatic S7-1500 controllers.

In addition to the many security functions already in place, such as the authentication and encryption of program components, Siemens has focused its new firmware version and TIA Portal V17 on ensuring the security of communications. When supplied, every controller with firmware V2.9 already carries its own unique certificate, and users can also use certificates of their own. That makes it possible to establish secure communication between the programming or HMI device and the Simatic S7 CPU based on TLS (Transport Layer Security), the latest encryption protocol for secure data transmission via the internet, thus ensuring the best protection against any third-party access. Confidential, sensitive configuration data is also encrypted, and therefore protected, with user-defined passwords.

It’s more important than ever to take account of increased security requirements, given the risk of cyber-attacks, and Siemens wants to provide its customers with the most secure controllers for automation available on the world market. That’s why firmware V2.9 and TIA Portal V17 represent the completion of a paradigm shift: Whereas users previously had first to activate security features such as four-stage PLC access protection, all protection functions are now preset and active as a standard feature. Conversely, users must make a deliberate choice if they don’t want to enter a password or transmit a certificate, for example. In such cases, a security wizard in TIA Portal V17 will offer detailed information about the consequences.

And there are still more improvements: Simply by updating the firmware to version V2.9, all Simatic CPU 1518s get a significant memory boost: 50% more working memory and 200% more data memory. It doesn’t get any more convenient or any cheaper than this since there’s no need to invest in new hardware – updating your existing devices is enough.

Greater availability
A CPU typically communicates with I/O devices via Profinet. To increase the availability of systems, redundant Profinet rings with a maximum of 50 such devices and the Media Redundancy Protocol (MRP) come into play. For example, as long as communication is not interrupted by a defective connecting cable or switch, the transmitted frames travel once around the ring and arrive back at the CPU. But if the ring is interrupted, the CPU sends the frames in both directions around the ring to ensure all participants are still reached.

Now it is possible to use MRP Interconnect to combine up to eleven such rings via switches, and thus integrate eleven times the number of devices into the redundant architecture. That boosts the availability of extended systems with very large numbers of participants accordingly – for example, kilometre-long tunnel structures or baggage conveyors in airport logistics systems. And even in cases where tunnel systems consisting of several physically separated segments must be centrally monitored, the combination of MRP rings – one for each tunnel segment, in this case – can be a practical option. All Simatic S7-1500 CPUs with firmware V2.9 support the Scalance XR500, XM400, XC200, XF204-2BA and XP200 Industrial Ethernet switches, which are suitable for use as MRP-I switches.

Availability, security, convenience – our innovations show we are the right partner if you want to play it safe by taking advantage of the many opportunities offered by digitalisation and networking.

Integration of additional runtime applications made easy
Growth in advanced controllers: The Simatic S7 CPU 1518 MFP multifunctional platform integrates controller and PC functions in a single device. This involves expanding a controller to include complex tasks that were previously outsourced to a PC – high-level language applications in C/C++ such as protocol converters or database applications. Data processing using Simatic Industrial OS as an operating system can run both synchronously (for example, for brief mathematical calculations) and asynchronously (for example, to further process data from the controller) with regard to the normal cyclical controller program. What’s new is that data can be exchanged between the controller and Simatic Industrial OS in real time via internal communication.

An initial co-creation project, involving the migration of a complex real-time controller solution to a Simatic CPU 1518 MFP with TIA Portal for a system engineer in the metal industry, has been brought to a successful conclusion: The internal communication standard mentioned above assures a constant, high-precision exchange of data between the applications during runtime. 

In addition to the Simatic CPU 1518 MFP, Siemens is developing a TM MFP technology module that can be combined with any Simatic S7-1500 CPU from CPU 1511 onwards for smaller systems and quantity structures. As a result, Simatic S7-1500 lets you scale multifunctional applications, which opens up new paths and opportunities for Industrie 4.0 applications in both brownfield and greenfield systems – for example, machine-level data analysis using edge computing.
