https://support.industry.siemens.com/cs/ww/en/view/109476976 Application example 12/2016 Plant Wide Automation for the Food and Beverage Industry Plant Network Structure


Plant Network Structure Entry-ID: 109476976, V2.1, 12/2016

Siemens AG 2016 All rights reserved

Warranty and liability

Note The Application Examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The Application Examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These Application Examples do not relieve you of the responsibility to use safe practices in application, installation, operation and maintenance. When using these Application Examples, you recognize that we cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these Application Examples at any time without prior notice. If there are any deviations between the recommendations provided in these Application Examples and other Siemens publications – e.g. Catalogs – the contents of the other documents have priority.

We do not accept any liability for the information contained in this document. Any claims against us – based on whatever legal reason – resulting from the use of the examples, information, programs, engineering and performance data etc., described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (“Produkthaftungsgesetz”), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract (“wesentliche Vertragspflichten”). The damages for a breach of a substantial contractual obligation are, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health. The above provisions do not imply a change of the burden of proof to your detriment. Any form of duplication or distribution of these Application Examples or excerpts hereof is prohibited without the expressed consent of the Siemens AG.

Security information

Siemens provides products and solutions with industrial security functions that support the secure operation of plants, systems, machines and networks. In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial security concept. Siemens’ products and solutions only form one element of such a concept. Customer is responsible to prevent unauthorized access to its plants, systems, machines and networks. Systems, machines and components should only be connected to the enterprise network or the internet if and to the extent necessary and with appropriate security measures (e.g. use of firewalls and network segmentation) in place. Additionally, Siemens’ guidance on appropriate security measures should be taken into account. For more information about industrial security, please visit http://www.siemens.com/industrialsecurity.

Siemens’ products and solutions undergo continuous development to make them more secure. Siemens strongly recommends to apply product updates as soon as available and to always use the latest product versions. Use of product versions that are no longer supported, and failure to apply latest updates may increase customer’s exposure to cyber threats. To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed under http://www.siemens.com/industrialsecurity.


Table of contents

Warranty and liability

1 Overview of a plant wide automation concept for Food and Beverage Industry

2 General industrial network guidelines
2.1 Industrial Ethernet
2.2 PROFINET
2.3 Field Device Bus Systems
2.4 Industrial Wireless Communication
2.5 Industrial Remote Communication

3 Products and Services
3.1 Network components
3.2 Security assessment
3.2.1 Hardening services
3.2.2 Automation Firewall and appropriate Services
3.2.3 Virus Protection and Whitelisting Services
3.2.4 Secure remote maintenance access
3.2.5 Monitoring Services

4 Network topologies
4.1 Machine level (simple machine group)
4.2 Machine level (more complex machine)
4.3 Machine level (redundant topology)
4.4 Diagnose possibilities for machine topologies
4.4.1 NAT translation
4.4.2 Plant wide unique IPs
4.4.3 Use of CPs
4.4.4 Compare of variants
4.5 Line level
4.5.1 Entry level
4.5.2 Redundant level
4.6 Plant level
4.6.1 Entry level
4.6.2 Redundant level

5 SCALANCE X Redundancy
5.1 High Speed Redundancy Protocol (HRP – Siemens)
5.2 Standby-Connection (SIEMENS)
5.3 Passive Listening (SIEMENS)

6 Strategies of the security concept
6.1 Defense in depth
6.2 Automation cells and security cells
6.3 Task-specific operation and access rights

7 Converting security strategies into security solutions
7.1 Security cells and network architecture
7.1.1 Definitions of the access points to the security cells
7.1.2 Secure security cell connection
7.2 Protect maintenance access
7.3 Hardening
7.4 Virus scanner
7.5 Whitelisting/application control
7.6 Patch management and security updates


7.7 Administration and configuration
7.7.1 Administration of computers and users
7.7.2 Administration of networks and network services
7.7.3 Administration of role-based operator authorizations
7.8 Logging and audits

8 Network software support
8.1 SINETPLAN (Siemens Network Planner)
8.2 PRONETA
8.3 SINEMA Server

9 Engineering – SINEMA Server integration
9.1 General prerequisite
9.2 WinCC engineering
9.2.1 Prepare WinCC project for PDI SINEMA
9.2.2 Integration in WinCC process pictures
9.3 HMI Template description – “PWA_SinemaDiag_V2.fpt”
9.4 HMI Template description – “@SinemaDiag.pdl”
9.5 Tips and tricks for SINEMA Server
9.5.1 Unwanted Java messages
9.5.2 Adapt Java settings
9.5.3 Delete temporary Java files

10 SCALANCE Network Components

11 References

12 Glossary
12.1 Names and terms
12.2 Abbreviations

13 Related literature

14 History


1 Overview of a plant wide automation concept for Food and Beverage Industry

In the food industry there is substantial room for improvement in the efficiency and effectiveness of existing and planned new production lines.

An essential contribution to this is the integrated linking of production lines and machines, from the inbound of raw material through production and packaging up to the outgoing goods, together with the consistent recording of production parameters such as quantities, machine time, etc. These data can be analyzed in management systems, and sustainable measures for improvement can be initiated.

Today this in part requires considerable effort, because machines and components from different manufacturers have to be linked and the collected data has to be synchronized. Therefore, a plant wide integration concept for line integration from Siemens AG includes the machine level and supervisory systems up to the MES (Manufacturing Execution System), from incoming goods across the food processing and food packaging areas to outgoing goods and storage.

This concept contains different modules such as Line Monitoring, Line Control, Line HMI (Human Machine Interface), etc. One such module is the machine interface, which is described herein.

Brief architecture description

The following picture gives an overview of the communication between the line HMI and the machines. The PDI interface module provides three interface DBs and the corresponding WinCC structures.

Depending on the requirements, the OEM can choose and implement the interface in the machine-level controller, and WinCC can access the machine data via structure tags. Using the WinCC faceplates provided, the user can operate and visualize the machine information.

[Figure: WinCC Server connected via PROFINET IE to S7-300, S7-400, S7-1200, S7-1500 and SIMOTION controllers. Legend: ST – Structured Tags (PDI); DB – Data Blocks (PDI); PR – SIMOTION Program (PDI)]


2 General industrial network guidelines

The top priority in automation is that the monitoring of production is maintained. Even measures that are intended to prevent the spreading of security threats are not allowed to restrict this. The PWA (Plant Wide Automation) security concept is intended to ensure that only authenticated users can perform authorized (permitted) operations that have been granted to them on authenticated devices. These operations should be conducted exclusively using unique and planned access routes in order to ensure secure production and coordination during an order without placing people, the environment, the product, goods to be coordinated, or the business of the company at risk.

To do this, the PWA Network Guideline recommends employing the latest security mechanisms available. This means that all solutions and configurations have been selected as if the plant operator were to employ all currently available security mechanisms and technologies and Siemens and third-party products in order to achieve the best possible plant security. Depending on the protection requirements of the plant operator, the responsibilities present, or already implemented security mechanisms, configurations shown here can also be implemented and scaled in modified forms. However, this should be planned carefully in individual cases by all the technicians, specialists, administrators, and managers involved. In order to achieve the best possible security, modified configurations must not conflict with the fundamental principles of this security concept.

The PWA security concept is intended to simplify the cooperation of the network administrators of company networks (IT administrators) and automation networks (automation engineers) so that the advantages of the networking of production control technology can be used with the data processing of other production levels without increased security risks for both sides.

The PWA security concept is a recommendation by nature and is intended to assist SIMATIC and SIMOTION customers with the safe networking of their production units. The recommendations are based on the latest technology, current standards and the properties of the products that are used.

All the machines in a PWA should work together perfectly. Therefore, you rely upon open, integrated automation communication not just within the whole company but also for external communication. Avoid isolated automation and information technology solutions by assuring:

Continuous flow of information from the actuator/sensor level through to the corporate management level

Availability of information at any location

High-speed data exchange between the different plant sections and machines

Easy, plant-wide configuration and efficient diagnostics

Integrated security functions that block unauthorized access

Fail-safe and standard communication via the same connection


Our range

Communication networks are of utmost importance for automation solutions. Networking for Industry stands for a diverse range of modular blocks, designed for different industries, which contribute to efficiently solving your communications tasks:

In the different automation areas

Across the entire workflow

For the complete plant life cycle

For your Industry

Industrial Networking offers solutions which both maximize the benefits of Ethernet and simplify the integration of fieldbus systems. Notable examples are:

The development of the field level for the use of Industrial Ethernet

Complete integration from the field level to the corporate management level

The implementation of new solutions by means of mobile communication

The integration of IT technologies

Worldwide trends

Decentralization has been gaining worldwide importance for a number of years now. A distributed plant structure can reduce installation, maintenance and diagnostics costs. This involves intelligent devices working locally and being connected together across networks. Openness and flexibility are important in order to expand existing setups and to connect different systems. For this reason, international committees define and standardize bus systems.

Communication type          International standard
Industrial Ethernet         IEEE 802.3
Industrial Wireless LAN     IEEE 802.11
PROFINET                    IEC 61158 / IEC 61784
PROFIBUS (1)                IEC 61158 / IEC 61784

(1) PROFIBUS is the global market leader among fieldbus systems

Due to the increased use of Industrial Ethernet in automation, two topics within Totally Integrated Automation are becoming more and more important – PROFINET and SCALANCE.


PROFINET

PROFINET is for increasing the productivity of your plant.

You need a seamless information flow for your strategic decisions within your company – from the first manufacturing step through operation up to the corporate management level. In order to achieve this, you rely on efficiency and transparency already during engineering.

PROFINET, the open and innovative Industrial Ethernet standard, fulfills all the demands of industrial automation and ensures integrated, company-wide communication.

PROFINET also supports the direct connection of distributed field devices to Industrial Ethernet and the implementation of isochronous motion control applications. PROFINET also allows distributed automation with the support of component technology, as well as vertical integration and the implementation of safety-oriented applications. PROFINET also supports controller-controller communication.

Industrial Networking offers all the components necessary for an integrated overall solution and supports the following communication systems:

Industrial Ethernet (based on the Ethernet standard IEEE 802.3): the international standard for robust networks is the number one in industrial LAN environments. Industrial Ethernet enables powerful communication networks to be constructed over widely distributed areas.

PROFINET (IEC 61158/61784): the international standard uses Industrial Ethernet and allows real-time communication all the way to the field level, but also integrates the enterprise level. With the full utilization of existing IT standards, PROFINET allows isochronous motion control applications, efficient cross-manufacturer engineering and high availability of machines and systems on the Industrial Ethernet. PROFINET supports distributed automation (and controller-controller communication), and it allows fail-safe and safety applications.

PROFIBUS (IEC 61158/61784): the international standard for the field level is the global market leader among fieldbus systems. It is the only fieldbus to allow communication both in manufacturing applications and in process-oriented applications.


2.1 Industrial Ethernet

Industrial Ethernet provides the industrial area with a powerful network that complies with the IEEE 802.3 (Ethernet) and 802.11 a/b/g/h/n (wireless LAN) standards.

The diverse options of Ethernet and the Internet that are already available today in the office sector can also be used in factory and process automation by means of Industrial Ethernet.

Ethernet technology, which has been used successfully for decades, allows users to precisely match network performance to requirements. The user can choose the data throughput rate to suit particular needs, as integrated compatibility makes it possible to introduce this technology in stages.

Ethernet is the world's current Number 1 in the network environment and offers significant benefits:

Fast commissioning thanks to the simplest connection method

High availability since existing networks can be extended without any adverse effects

Virtually unlimited communication capabilities, since scalable performance using switching/routing technology and high data rates are available

Networking of the most varied application areas such as the office and production areas

Company-wide communication thanks to the Internet connection option, with security components providing for data integrity

Investment protection through continuous compatible further development

Precise time-based assignment of events in the overall plant by means of plant-wide clock control and distribution

SIMATIC NET, the industrial communication system from Siemens, relies on this proven technology. Siemens has already supplied several million connections worldwide in tough industrial environments subject to electromagnetic interference.

SIMATIC NET provides important supplements to Ethernet technology for industrial environments:

Network components of the SCALANCE product families for the use of wired and wireless communication in harsh industrial environments

Fast on-site assembly using the FastConnect cabling system

Failsafe networks through high-speed redundancy and redundant power supply

Continuous monitoring of network components through an effective signaling concept, and network monitoring software


The following communication functions and services are offered by Industrial Ethernet.

PG/OP communication: Comprises integrated communication functions which allow data communication of SIMATIC and SIMOTION automation systems with every HMI device and SIMATIC PG (STEP 7). PG/OP communication is supported by PROFINET/Industrial Ethernet and PROFIBUS.

Open communication: The open communication allows controllers to communicate with other controllers, PC/IPC and third-party systems using libraries.

OPC (Object Linking and Embedding for Process Control): This is a standardized, open and cross-vendor software interface. It permits interfacing of OPC-capable Windows applications to S7-communication, open communication and PROFINET.

OPC UA (Unified Architecture): OPC UA is the successor of OPC. The new OPC standard provides an operating system independent platform for communication between e.g. Windows devices, mobile devices, PLCs, and so on. It also provides a cross-platform service-oriented architecture (SOA) for process control, while enhancing security and providing an information model.


2.2 PROFINET

PROFINET – the Ethernet standard for automation

PROFINET is the leading Industrial Ethernet standard with more than 3 million nodes worldwide.

PROFINET increases the companies' success by accelerating processes, boosting productivity, and increasing plant availability. With PROFINET, Siemens applies the Ethernet standard to automation. PROFINET enables high-speed and secure data exchange at all levels, thus making it possible to implement innovative machine and plant concepts. Thanks to its flexibility and openness, PROFINET offers users maximum freedom when engineering and structuring their plant architectures.

PROFINET's efficiency means optimal use of available user resources and a significant increase in plant availability. Innovative Siemens products and the performance of PROFINET provide a sustained boost to company productivity.

PROFINET innovations

PROFINET has been expanded with several innovative features. These simplify the system configuration, in safety-critical applications for example, and support a leaner and more flexible topology in many different scenarios.

The I-Device (intelligent IO Device) function enables simple and fast controller-controller communication through direct access to the IO address image with PROFINET IO protocol. Local controllers such as the ET 200S/SP CPU can be integrated into modular machines more easily, for example.

The Shared Device function allows two controllers to access the same PROFINET IO Device, such as a distributed ET 200 or a drive in a safety application. Because fewer devices need to be installed in the field, the engineering, cabling, energy and installation costs are reduced.

Plant availability can be increased using a ring topology and the Media Redundancy Protocol (MRP). This runs directly by way of the integrated RJ45 ports on PROFINET devices and can be combined in any way with the relevant managed Industrial Ethernet switches from Siemens (for example SCALANCE X series).

More flexibility with PROFINET

Industrial Wireless LAN (IWLAN) reduces maintenance costs, increases reliability, and offers high communication performance. Only PROFINET allows the use of IWLAN with safety.

Safety-related communication by way of PROFIsafe reliably protects personnel, the environment, and plants.

Flexible topologies. PROFINET also enables the use of star, tree and ring topologies in addition to the linear topology.

Open standard

Thanks to its openness, PROFINET creates the basis for a uniform machine/plant automation network to which programmable controllers as well as standard Ethernet devices can be connected.

Web tools


PROFINET is 100 percent Ethernet and supports TCP/IP. Among other things, this enables the use of Web technologies, such as access to the integrated Web server of the field devices.

Expandability

With PROFINET, network infrastructures can be expanded as desired, even during operation.

More efficiency with PROFINET

One cable for all purposes: PROFINET offers a host of functions on one cable: machine data and standard IT data merge. This creates integration and saves costs by reducing the overhead for cabling and training.

Device and network diagnostics: Extensive diagnostic data can be read out from the devices to locate faults quickly. HTML standard Web sites are used for servicing PROFINET devices – locally and remotely.

Increased energy efficiency: PROFIenergy switches off individual loads or entire production units during breaks – in a coordinated and centrally controlled way.

Easy cabling: Fault-free establishment of industrial networks in a short time and without specialist knowledge: PROFINET makes this possible with the FastConnect system.

Fast device replacement: When replacing a PROFINET device, the IO Controller detects the new device and automatically assigns its name.

High degree of ruggedness: The use of switches even in field devices prevents faults in one section of the network from influencing the entire plant network. PROFINET enables the use of fiber-optic cables especially for areas that are critically sensitive to EMI.

More performance with PROFINET

Speed: Fast motion control applications need high-speed data exchange. PROFINET's short cycle times increase the productivity of machines and plants.

Precision: Communication by way of PROFINET is deterministic. A jitter of < 1 µs results in maximum precision cycles and thus guarantees high product quality.

Large quantity structures: With PROFINET, up to 256 devices can be managed by one SIMATIC controller. The number of nodes per network is more or less unlimited.

High transmission rate: By using Ethernet, PROFINET achieves a significantly higher transmission rate than previous fieldbuses. This enables problem-free transmission of even large volumes of data without affecting I/O data transfer.

Media redundancy: Higher plant availability can be achieved by means of a redundant installation. This can be implemented both with the help of external switches and directly via integral PROFINET interfaces.


Fast start-up: In modular plants, IO Controllers must detect new machines or plant sections quickly. With Fast Startup, PROFINET can detect devices in < 500 ms and connect them with the IO Controller.

2.3 Field Device Bus Systems

PROFIBUS

PROFIBUS can be used to connect field devices, e.g. distributed I/O devices or drives, to automation systems such as SIMATIC S7, SIMOTION, or PCs. PROFIBUS is standardized in accordance with IEC 61158/61784 and is a powerful, open and rugged fieldbus system with short response times. PROFIBUS is available in different forms for various applications.

PROFIBUS PA (Process Automation)

PROFIBUS PA expands PROFIBUS DP with intrinsically safe transmission of data and power (e.g. transducers in the food processing industry) in accordance with the international standard IEC 61158-2 (same protocol, different physical properties).

PROFIBUS PA is used predominantly in the hazardous areas of refineries (chemical, oil and gas).

AS-Interface

AS-Interface (Actuator Sensor Interface, AS-i) is an industrial networking solution (physical layer, data access method and protocol) used in PLC, DCS and PC-based automation systems. It is designed for connecting simple field I/O devices (e.g. binary ON/OFF devices such as actuators, sensors, rotary encoders, analog inputs and outputs, push buttons, and valve position sensors) in discrete manufacturing and process applications using a single 2-conductor cable.

IO-Link

IO-Link is the first standardized IO technology worldwide (IEC 61131-9) for communication with sensors and actuators. The powerful point-to-point communication is based on the long-established 3-wire sensor and actuator connection, without additional requirements regarding the cable material. IO-Link is therefore not a fieldbus but a further development of the existing, tried-and-tested connection technology for sensors and actuators.


2.4 Industrial Wireless Communication

Overview

Within the scope of industrial communication, wireless communication opens up new perspectives – from partial modernization of a plant right up to optimizing complex logistics or production processes.

On the basis of Industrial Wireless Telecontrol, Industrial Wireless LAN and WirelessHART, Siemens offers solutions for reliable automation with Industrial Wireless Communication.

Reliable industrial wireless communication with Siemens:

Industrial Remote Communication

Industrial Wireless Communication

WirelessHART

Advantages of a wireless communication network

Increased competitiveness, since greater flexibility is achieved through mobility

Maintenance work is simplified, service costs and downtimes are reduced, and personnel are used optimally

No wear and tear of rotating and moving equipment or system components

Integrated wireless network for voice and data across the divisions of the company

Remote diagnostics for different production machines from a central service location reduces service costs

Awkwardly located installations can be accessed easily; there is no need for complex wiring


2.5 Industrial Remote Communication

Efficient industrial remote access

Global remote access to far-flung plants, remote machines and mobile applications is gaining in significance – both in industry and in industry-related areas. With a comprehensive range of solutions for industrial remote access, Siemens offers the ideal basis for efficient and reliable monitoring and control of widely distributed plants and installations of any size.

Teleservice (remote diagnostics and remote maintenance)

Remote diagnostics and remote maintenance of production plants are indispensable in modern automation technology. They are more efficient and more cost-effective than sending a service employee on site. Faults can thus be detected and cleared much faster, machine downtimes are reduced and availability is increased.

Machines and plants are increasingly operated in places which are far away from the production site. Plant constructors must nevertheless be able to provide support in the event of a fault. Especially during the warranty period this can result in high costs. TeleService helps to reduce this risk.

The possible applications for TeleService are manifold. Plants can be diagnosed, values set and data transmitted from any place on earth via a telephone cable. TeleService also enables the controllers to send text messages by SMS or email. This makes a significant contribution to saving travel and personnel costs in service work and rapidly informs key personnel when preset conditions are met, e.g. critical failure, performance reports, etc.

Teleservice via IP-based networks

Optimum remote maintenance is based on reliable, permanently available, secured and economic data connections.

Depending on the application, SIMATIC NET provides the appropriate solution:

For continuous connections or simultaneous access to several plants, a solution via the Internet using SCALANCE S modules is recommended, both on the service and the plant side.

For flexible remote maintenance access from any internet connection – whether in the office, home office or hotel room – SOFTNET Security Client is the right software solution for connecting to the SCALANCE S Security Module installed in the plant.

In all cases, the communication is reliably protected by authentication and encryption via a virtual private network (VPN) tunnel, in order to rule out the possibility of industrial espionage or manipulation.

Siemens Remote Services

The service concept of Siemens Remote Services provides a powerful, secure platform for remote access to machines and plants. The inclusion of Shared Experts ensures effective support, not only from Siemens but also from the internal company specialists.


3 Products and Services

3.1 Network components

SCALANCE X Industrial Ethernet Switches and Routers, SCALANCE S Industrial Security Modules and Industrial Wireless LAN (IWLAN) access points, client modules and SCALANCE M mobile radio routers that ideally meet the demands of industrial applications are available for networking the stations on the PROFINET/Industrial Ethernet.

The use of wireless communication to automation devices and industrial terminal devices helps to achieve greater flexibility. As a result you can simplify maintenance work and reduce service costs and downtimes. With Safety, even fail-safe communication is possible via a wireless network. This increases a company's competitiveness considerably.

Challenging applications with real-time requirements can be implemented in the radio field.

The use of wireless features for moving machines saves cable and servicing costs. Driverless transport systems can receive data via the wireless system without requiring cables and remain flexible in the choice of route.

An overall solution comprises:

Bus system with

– Passive network components, e.g. cables

– Active network components, e.g. switches

Interfaces for connecting automation devices to the bus systems

– Integrated interfaces

– Own communications processors

Network transitions, e.g. IE/PB Link PN IO

Software for configuring the networks

Tools for maintenance and diagnostics


3.2 Security assessment

A security assessment is the first measure that should be taken and forms the basis for further actions. An appraisal of the current situation in the plant with regard to industrial security is influential in determining the correct measures for reducing threats. Depending on the requirements, the assessment team consists of one or several experts who analyze and assess the plant over one day or several days.

As a result of this, the security assessments produce a report which is used as a basis for further decisions on reducing risks. In this report the current level of risk, the deduced weak points, and the completeness of the security measures taken until that point are presented. Depending on the scope, the documentation also includes prioritized recommendations for the improvement and expansion of the state of system security.

Three steps to the objective:

1. Identification of the actual situation

2. Determining areas of activity

3. Individual support

Identification of the actual situation

The objective is the identification of the actual situation and the potential for improvement in relation to the security of the installation. One must also create a basis for further decisions and next steps.

Contents:

Information, motivation, and relevance in the plant

Appreciation of threats and risks

Overview of the relevant standards, regulations, and guidelines

Introduction to the SIEMENS security concept

Brief analysis of the vulnerability of the system

Result:

Reinforcing an appreciation of industrial security

Identifying areas with potential for improvement

Final report and documentation


Determining areas of activity

The objective is the determination of areas of activity for minimizing potential dangers to the plant. This also creates a basis for decision-making for the next steps.

Contents:

Requirement analysis (organization, technology, guidelines, procedures, etc.)

Appraisal (technical, organizational, etc.)

Initial technical assessment (optional)

Diagnosis, assessment, and prioritization of potential areas of activity

Creating a rough concept for next steps (optional)

Result:

Identification of weak points

Provisional concept-design and implementation planning

Documentation including cost-benefit analysis of measures

Individual support

The objective is individual support from selected security experts from the field of industrial plants and automation technology.

Contents:

Checking the security systems

Clarification of the causes of security-related incidents

Advice and implementation projects

Result:

Qualified and rapid results from the knowledge of experts that has been employed in a targeted manner and the use of a network of security specialists.

At the end of each assessment our experts produce a status report which provides a complete overview of the plant, with all the details from the actual status through to recommended measures. From this further actions are defined in joint discussions with the customer.

The available services are:

The security assessment for entire plants

Security consulting

It is recommended that a cyclical check of the security level (e.g. once per year) be performed using such an assessment in order to:

1. Be able to react to changing demands

2. Form a basis for effective security management


3.2.1 Hardening services

Nowadays, industrial plants are unimaginable without automation systems, network components, or PCs. At the same time, standard programs and operating systems are often used. These offer a large number of options that are not required for operation. Furthermore, the available security features are not sufficiently used. This constitutes an unrecognized vulnerability to attack and puts the entire production at risk.

Vulnerable areas of your systems and networks can be minimized and kept so over long periods. Unnecessary program components should be deactivated and available security mechanisms activated and configured in a plant-specific way. To do this we offer you the services necessary to effectively harden your plant.

With the hardening services for your components, we offer you comprehensive basic industrial security protection.

The following services are available:

Hardening of a PC or server

Hardening of a network component (e.g. SCALANCE switches)

Hardening of a SIMATIC PLC

Security consulting

These can be implemented once as a standard service or at cyclical intervals as a managed service. Hardening services allow you to concentrate on your core processes yet use optimally configured systems. The cyclical checks contained in the managed hardening service and the reports produced by it provide you at all times with a useful overview of what has changed on the individual systems and at what time, so that you can react promptly to these changes.

No additional software or hardware components are required for the hardening services. Instead, the security mechanisms that are already available are used in the best possible way, meaning your susceptibility is reduced and your system performance improved.


3.2.2 Automation Firewall and appropriate Services

In order to avoid loss of production and downtimes, data traffic between networks must be checked, analyzed and released selectively without impairing the function of the automation system.

This is the only way to ensure the plant is optimally protected and that productivity is not compromised.

Siemens Industry Services provide operators with validated solutions in accordance with ISA 99 / IEC 62443 for secure network segmentation, threat management and secure web access, e.g. for updates from the plant. Automation firewall services are an effective way to protect your industrial plant. Additional managed services support customer-specific solutions:

Continuous monitoring of the functionality and up-to-dateness of the firewall solution, including reports

Services for reporting critical conditions in the plant network

The Siemens automation firewall is a tested and validated solution available as a standardized product in two performance classes (Automation Firewall 200 and 1000) for coordinated use with PCS 7 and WinCC as well as with SIMATIC NET products with supplementary services.

Comprehensive hardware and software functions for PCS 7 and WinCC projects (e.g. stateful inspection packet filter, application layer firewall, VPN gateway, antivirus scanning and IDS, URL filtering and Web proxy) are enhanced by additional integral basic services (hotline, exchange and SUS).

The available services are:

Automation Firewall 200

Automation Firewall 1000

Firewall implementation

Individualized firewall solutions / managed services

Security consulting


3.2.3 Virus Protection and Whitelisting Services

Despite the fact that the office world and the automation sector have different requirements, standard programs and operating systems are usually used. These are based on standard technologies such as Microsoft Windows and are therefore vulnerable to similar threats (for example viruses and Trojans).

Overall, this can jeopardize the entire production since the plant offers, even if unwittingly, a broad target for attack. This can result in plant operation being impaired or the plant being shut down, and also allow data espionage by other companies, to mention just a few examples.

Industrial companies should therefore consider issues such as virus protection or whitelisting services in good time.

Siemens industrial security services comprise special services with which a high level of security of individual components or complete systems can be attained. In the case of the “virus protection and whitelisting services,” security and automation experts assist with the installation of protection software which has been validated and tested for SIMATIC solutions. Virus protection recognizes the presence of viruses through known patterns and suppresses their activity. Whitelisting prevents the execution of programs that have not been explicitly released in the whitelisting software. Virus protection and whitelisting software are installed on approved systems according to the requirements arising from the plant and the PCS 7 and WinCC security concept.

The available services are:

Virus protection implementation

Virus Pattern Distribution

Whitelisting implementation

Security consulting

In addition to including a virus scanner and the virus scanner infrastructure, we also offer the option of having anti-virus pattern updates via the Siemens Remote Service Platform. The advantages to this are: a secured connection including an alarm if an error occurs during the update process.


3.2.4 Secure remote maintenance access

Using the Siemens Remote Service Platform (SRS), Siemens offers efficient remote services for industrial plants. Here, Siemens supports both maintenance and the production from remote troubleshooting through to proactive and predictive condition monitoring and diagnostics.

These product and plant-specific total solutions have a high degree of standardization and are adapted to the most diverse, specific situations and requirements.

Contained within the implementation packages are:

Personalized advice with regard to the solution requirements: an actual situation and feasibility assessment; support with questions on security and safety

Needs assessment: a clarification of the customer's requirements, a customer analysis, an implementation proposal including hardware and software

Implementation and customer training: installation, configuration, and commissioning with the collaboration of the customer; user induction and training

Tests and approval

Operation

Exhaustive documentation

The available Services are:

Connection packages for different connection methods (DSL, UMTS,…)

Change option packages

Customer Web Portal accounts

Operation and Maintenance package

Technical consulting for planning and concept phase


3.2.5 Monitoring Services

In an industrial plant it is increasingly difficult to keep an overview of all the systems. "Are all my systems available?" and "What are their current statuses?" are questions that every plant operator asks. In conjunction with the Siemens Remote Service Platform, continuous monitoring of your systems can be performed. This monitoring can cover different areas of your plant:

Process monitoring: During process monitoring, following consultation with the customer, the relevant process values are monitored and the operators are provided with feedback as soon as a value moves beyond its predetermined boundaries.

System monitoring: During system monitoring, values of components that are not relevant to processes are monitored. Conclusions can often be drawn from these values about conditions that may later lead to an impairment of your processes.

Security monitoring: With security monitoring, system data relevant to security is monitored in addition to system monitoring. Depending on the system, this data can be correlated in order to detect attacks and infections at an early stage and initiate countermeasures, for example.

The available services are:

Monitoring Services for Process-, System- and Security Monitoring

Technical consulting for planning and concept phase

Do you have any questions related to this service or can we support you with this topic?

Please contact us via:

http://www.siemens.com/industrialsecurity


4 Network topologies

There are multiple desirable network topologies for each part of the plant network. Hundreds of approaches to designing a convenient network are available in the packing industry. We think most of them use office-grade components, but due to the harsh conditions and performance requirements, these networks require industrial-grade solutions to handle the needs of industry. Your network should provide the reliable backing that production needs. This goal is reachable thanks to one point we keep in mind when we design solutions.

Simplicity

A few highly reliable components with simple network structures. These networks should be scalable in cost, functions and redundancy. We therefore decided to split the entire network into small sub-segments.

These segments are:

1. Machine Level (simple machine group)

2. Line Level

3. Plant Level

For each of the segments we suggest a redundant and a non-redundant version. Redundancy enables the network to recover from malfunction of components.

4. Entry Level

5. Redundant Level


4.1 Machine level (simple machine group)

The devices inside machines are connected in a simple line topology. This is the easiest way to connect all devices. It gives the machine builder the possibility to scale the network by simply extending the chain.

Actual example machine level network architecture with PWA:

[Figure labels: PROFINET, HMI, Energy, PLC, Drives, I/O, Motion]

All diagnostic functions described in the section on the suggested Industrial Ethernet switches for PWA are available to the customer. Additional features such as Loop Detection protect the health of the network against wrongly plugged connections. With a SCALANCE X300 as the central switch, another option is available: the switch can perform 1:1 NAT. This gives the machine builder the possibility to reuse his SIMATIC/SIMOTION projects, including the IP addresses of all devices within the machine, which minimizes the effort of using several machines of the same type in the same production line or network.

Separation between factory and machine network by 2 Ethernet/PROFINET interfaces in the machine controller (e.g. SIMOTION, S7 PLC)

For modular concepts, the same engineering projects can be used for identical machines in the same production line, so the machine networks can have identical addresses

Access from an engineering PC in the factory network to components in the machine network, e.g. SINAMICS drives with Starter or SCOUT

Integrated diagnosis across sub-network borders with the engineering tool


4.2 Machine level (more complex machine)

Actual example machine level network architecture with PWA and IRT:

[Figure labels: PROFINET, HMI, Energy, Devices, Controller, PROFINET IRT]

More complex machine with modular configuration

Distributed motion controller

PROFINET IRT communication between the controllers

Distributed synchronous operation or cams over controller limits


4.3 Machine level (redundant topology)

Actual example machine level network architecture with PWA and IRT 2:

[Figure labels: PROFINET, HMI, Energy, Drives, Motion, PLC, Redundancy controller, Devices]

Maximum availability for isochronous communication thanks to Media Redundancy with Planned Duplication (MRPD)

In a machine network with ring topology

Duplicated message frames in both directions of the ring

Bumpless switchover to the secondary message frames in error situations (e.g. broken wire)

MRP supported for non-isochronous applications

4.4 Diagnose possibilities for machine topologies

A very important aspect of the machine network structure is the ability to diagnose the machine components. The next chapter is intended to help with the decision on which machine structure should be selected.

4.4.1 NAT translation

The NAT functionality converts a line/plant IP address to a local machine address. This is a 1:1 connection. That means each IP address inside the machine that has to be reachable from outside (for diagnostics, to show a web server, and so on) has to be given an IP address in the line IP range.


Pro

The number of IP addresses used can be reduced

It’s not necessary to change the IP addresses in the machine

Contra

Extra hardware is necessary to use the NAT feature

The NAT table has to be configured

If detailed diagnostics are necessary, the reduction in the number of IP addresses is small

SINEMA Server cannot handle NAT translation

Hardware with NAT features

SCALANCE S602/S604/S615/S623/S627 (Hardware NAT solution - preferred)

SCALANCE X300/XM400/X500 switch (Software NAT solution – reduced number of translations)

[Figure: Use of NAT translation. Plant network with SINEMA Server, Line 1 and Line 2 on PROFINET IE (MRP). Machine 1, Machine 2 (max. 99) and Machine 3 (max. 99) are connected via SCALANCE S or SCALANCE X devices. Address labels in the figure: 192.168.0.1 to 192.168.0.5 inside each machine; 10.120.10.130, 10.120.10.131 and 10.120.10.132 on the line side; 10.120.10.1 and 10.120.10.2.]

NOTE There is also a NAPT feature, which reduces the number of IP addresses by using ports. However, no diagnostics are possible with it!
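The 1:1 NAT scheme described in this section, worked through as an added example that is not part of the Siemens application example: every machine reuses the same internal addresses, and only devices that must be reachable from the line network get a line-side address. The address ranges, device names and the block-of-ten allocation per machine are assumptions constructed for illustration.

```python
"""1:1 NAT planning for identical machines on one line network (added example)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample plan, not taken from the Siemens document.
LINE_NET = ipaddress.ip_network("10.120.10.0/24")      # line/plant side
MACHINE_NET = ipaddress.ip_network("192.168.0.0/24")   # reused inside every machine

# Internal devices of one machine type; True = must be reachable from the line
# network (diagnostics, web server), so it needs its own line-side address.
MACHINE_DEVICES = {
    "plc":    ("192.168.0.1", True),
    "hmi":    ("192.168.0.2", True),
    "drive1": ("192.168.0.3", False),
    "drive2": ("192.168.0.4", False),
    "io":     ("192.168.0.5", False),
}


@dataclass
class NatTable:
    machine: str
    # line-side address -> machine-internal address (1:1, no ports involved)
    inbound: dict = field(default_factory=dict)

    def to_internal(self, line_ip):
        """Destination translation for traffic entering the machine."""
        return self.inbound.get(ipaddress.ip_address(line_ip))

    def to_line(self, internal_ip):
        """Source translation for traffic leaving the machine."""
        target = ipaddress.ip_address(internal_ip)
        for ext, internal in self.inbound.items():
            if internal == target:
                return ext
        return None  # no mapping: device is not visible from the line network


def build_plan(machines, devices, first_host=130, block=10):
    """Give each machine a block of line addresses and map exposed devices."""
    tables = []
    exposed = [ip for ip, needed in devices.values() if needed]
    if len(exposed) > block:
        raise ValueError(f"{len(exposed)} exposed devices exceed block of {block}")
    for index, name in enumerate(machines):
        table = NatTable(name)
        offset = first_host + index * block
        for slot, internal in enumerate(exposed):
            ext = LINE_NET.network_address + offset + slot
            table.inbound[ext] = ipaddress.ip_address(internal)
        tables.append(table)
    return tables


def validate(tables):
    """Return a list of problems that would break the 1:1 property."""
    problems, seen = [], {}
    unusable = (LINE_NET.network_address, LINE_NET.broadcast_address)
    for table in tables:
        internals = list(table.inbound.values())
        if len(set(internals)) != len(internals):
            problems.append(f"{table.machine}: internal address mapped twice")
        for ext, internal in table.inbound.items():
            if ext not in LINE_NET or ext in unusable:
                problems.append(f"{table.machine}: {ext} is not a usable line address")
            if internal not in MACHINE_NET:
                problems.append(f"{table.machine}: {internal} outside machine network")
            if ext in seen:
                problems.append(f"{ext} used by {seen[ext]} and {table.machine}")
            seen[ext] = table.machine
    return problems


def address_usage(tables, devices):
    """Line addresses consumed with NAT versus plant-wide unique addressing."""
    with_nat = sum(len(t.inbound) for t in tables)
    unique = len(tables) * len(devices)
    return with_nat, unique


if __name__ == "__main__":
    plan = build_plan(["machine1", "machine2", "machine3"], MACHINE_DEVICES)
    for t in plan:
        for ext, internal in t.inbound.items():
            print(f"{t.machine}: {ext} <-> {internal}")
    print("problems:", validate(plan))
    print("line addresses (NAT, unique):", address_usage(plan, MACHINE_DEVICES))
```

Devices without a mapping (the drives and I/O here) stay unreachable from the line network, which is the trade-off the Contra list names: the more devices need detailed diagnostics, the fewer line addresses NAT saves.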


4.4.2 Plant wide unique IPs

If one IP address range is used plant-, line- and machine-wide, the diagnostic functions work for all components.

Pro

No extra hardware is necessary

No extra software configuration is necessary

Detailed diagnostics possible for all components

Contra

It’s necessary to change the IP addresses in the machine

High number of IP addresses to maintain plant-wide

[Figure: Plant wide unique IP. Plant network with SINEMA Server, Line 1 and Line 2 on PROFINET IE (MRP). The machines (max. 99) carry line-wide unique addresses: 10.120.10.131 to 10.120.10.134, 10.120.10.141 to 10.120.10.144 and 10.120.10.151 to 10.120.10.154; further labels 10.120.10.1 and 10.120.10.2.]

NOTE It’s recommended to turn on “loop detection” in each of the switches used in order to avoid unwanted network traffic or network outages. Unused ports could be deactivated as well.


4.4.3 Use of CPs

With the use of CPs, network separation can easily be achieved. However, diagnostics require IP routing, which is only available on the CP ports of the latest Advanced CP for S7-300/S7-400. No IP routing is available for any other devices.

Pro and Contra

Description S7-300/400 Advanced CP

Other Interfaces

The number of IP addresses used will be reduced

It’s not necessary to change the IP addresses in the machine

All diagnostic options

IP routing

No additional hardware necessary

Local ports can be used

Web connection to devices behind the CP

[Figure: Use of Advanced CP. Plant network with SINEMA Server, Line 1 and Line 2 on PROFINET IE (MRP). Machine 1, Machine 2 (max. 99) and Machine 3 (max. 99). Address labels in the figure: 192.168.0.1 to 192.168.0.3 inside each machine; 10.120.10.131, 10.120.10.132 and 10.120.10.133 on the line side; 10.120.10.1 and 10.120.10.2.]


4.4.4 Comparison of variants

Description | Use of NAT | Unique IP | Adv. CP S7-300/400 (2) | Other CP | Local Port

Connection to WebServer of devices (PLC, Switch, Panel…)

Connection from SINEMA Server to each device (3)

Get SNMP information from devices

Reduce the number of total used IPs (4)

Get topology information from machine

(2) The latest advanced CP for S7-300/400 can do IP routing. The gateway has to be configured in underlying systems.

(3) Solution is in development.

(4) Unused IPs can be filtered out.
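An added example, not part of the Siemens application example: a Python audit of an address plan as a plant-level diagnostic station would see it, covering the "unique IP" and "use of CPs" variants. The `10.120.10.0/24` plant range, the machine names, the `routing_cp` field and both plans are constructed for the illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: the plant-wide range, taken from the 10.120.10.x addresses in the figures.
PLANT_NET = ipaddress.ip_network("10.120.10.0/24")


def audit_plan(machines, plant_net=PLANT_NET):
    """Audit an address plan as seen from a plant-level diagnostic station.

    Returns (duplicates, unreachable, plant_ip_count):
      duplicates     - plant-side address -> [(machine, device), ...] if used twice
      unreachable    - (machine, device, ip) with a machine-local address and no
                       routing CP in front of it
      plant_ip_count - number of distinct plant-wide addresses to maintain
    """
    owners = defaultdict(list)
    unreachable = []
    for m in machines:
        cp = m.get("routing_cp")          # plant-side address of a routing CP, if any
        if cp is not None:
            cp_addr = ipaddress.ip_address(cp)
            if cp_addr not in plant_net:
                raise ValueError(f"{m['name']}: CP address {cp} is outside {plant_net}")
            owners[cp_addr].append((m["name"], "cp"))
        for device, ip in m["devices"].items():
            addr = ipaddress.ip_address(ip)
            if addr in plant_net:
                owners[addr].append((m["name"], device))
            elif cp is None:
                # Machine-local address and nothing routes to it: the device
                # cannot be diagnosed from plant level.
                unreachable.append((m["name"], device, ip))
    duplicates = {str(a): who for a, who in owners.items() if len(who) > 1}
    return duplicates, sorted(unreachable), len(owners)


# Constructed plan, variant "plant wide unique IPs": every device is renumbered.
UNIQUE_IP_PLAN = [
    {"name": "L1-M1", "devices": {"plc": "10.120.10.131", "hmi": "10.120.10.132",
                                  "drive": "10.120.10.133"}},
    {"name": "L1-M2", "devices": {"plc": "10.120.10.141", "hmi": "10.120.10.142",
                                  "drive": "10.120.10.142"}},   # constructed clash
]

# Constructed plan, variant "use of CPs": machines keep their delivered addresses.
CP_PLAN = [
    {"name": "L2-M1", "routing_cp": "10.120.10.131",
     "devices": {"plc": "192.168.0.1", "hmi": "192.168.0.2", "drive": "192.168.0.3"}},
    {"name": "L2-M2", "routing_cp": None,                      # no routing gateway
     "devices": {"plc": "192.168.0.1", "hmi": "192.168.0.2", "drive": "192.168.0.3"}},
]

if __name__ == "__main__":
    for label, plan in (("unique IP", UNIQUE_IP_PLAN), ("use of CPs", CP_PLAN)):
        print(label, audit_plan(plan))
```

The reused 192.168.0.x addresses behind a routing CP are not reported as duplicates, because they never appear in the plant network; the same addresses without a routing gateway are reported as unreachable.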


4.5 Line level

4.5.1 Entry level

Actual example of line-level network architecture with PWA:

[Figure: Industrial Ethernet. A SCALANCE XR switch connects Production Line 1, Production Line 2 ... Production Line n; within each line, Machine 1, Machine 2, Machine 3 ... Machine n are each attached through an X-200 switch.]

The production lines connect the central machine switches in a star topology or as a daisy chain to reduce the overall cabling. This also fulfills the requirement to build extended networks with production lines > 100 m, even without fiber optic connections. With fiber optics, scattered production environments can easily be covered: each switch-to-switch connection can be several kilometers long.


4.5.2 Redundant level

Actual example of line-level network architecture with PWA:

[Figure: Industrial Ethernet. A SCALANCE XR switch connects Production Line 1, Production Line 2 ... Production Line n; within each line, Machine 1, Machine 2 ... Machine n are each attached through an X-200 switch.]

When the production lines are connected as a daisy chain or as a star network, the failure of a single device can disconnect several machines from the plant network. This is not an issue as long as every machine can be operated as a stand-alone machine. But if the machines need the network, a redundant topology is an option to consider. How can a working network be ensured even when a device or a connection fails? The simple lines are transformed into rings with the Siemens High Speed Redundancy Protocol (HRP). These rings can be connected redundantly with the Siemens standby function. This keeps the network running even when a switch or a line fails.

Industrial redundancy protocols involved:

● High Speed Redundancy (HRP - SIEMENS)

● Standby-Connection (SIEMENS)

● Media Redundancy Protocol (MRP - IEC 62439-2)


4.6 Plant level

4.6.1 Entry level

The picture shows an actual example of the plant-level network architecture with PWA:

[Figure: Plant-level network, entry level. In the plant area (Industrial Ethernet), SCALANCE XR switches connect Production Line 1, Production Line 2, Production Line 3 ... Production Line n, each with Machine 1 ... Machine n behind X-200 switches, and link to the office area (LAN).]

The production lines are connected to central plant switches in a simple star topology. These switches are capable of handling the traffic from the lines to the upper network. They support Gigabit Ethernet and can interface with the office networks using office-grade Layer 2 redundancy protocols:

● Spanning Tree Protocol (STP - IEEE 802.1d)

● Rapid Spanning Tree Protocol (RSTP - IEEE 802.1d-2004)

● Link Aggregation (LACP - IEEE 802.3ad)

● Multiple Spanning Tree Protocol (MSTP - IEEE 802.1s)

● Passive Listening (Siemens)


4.6.2 Redundant level

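[Figure: Plant-level network, redundant level. The office area (LAN) connects through SCALANCE XR-300M and SCALANCE XR-500M switches to the plant area (Industrial Ethernet), where the lines (Line 1, Line 3, Line 4 ... Line n) are attached through X-200 switches.]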

The production lines are connected redundantly to central plant switches or to concentrator rings in a middle segment. These switches are capable of handling the traffic from the lines to the upper network with up to 10 Gigabit Ethernet. They interface with the office-grade networks using office-grade Layer 2 and Layer 3 redundancy protocols:

● Spanning Tree Protocol (STP - IEEE 802.1d)

● Rapid Spanning Tree Protocol (RSTP - IEEE 802.1d-2004)

● Link Aggregation (LACP - IEEE 802.3ad)

● Multiple Spanning Tree Protocol (MSTP - IEEE 802.1s)

● Dynamic Routing (OSPF - RFC 2328)

● Redundant-Router (VRRP - RFC 5798)

The lines are interfaced with the industrial redundancy protocols:

● High Speed Redundancy (HRP - SIEMENS)

● Standby-Connection (SIEMENS)

● Media Redundancy Protocol (MRP - IEC 62439-2)


5 SCALANCE X Redundancy

5.1 High Speed Redundancy Protocol (HRP – Siemens)

One managed switch is configured as the redundancy manager, which opens the ring to prevent circulating frames (loops). In terms of data transmission, the ring topology becomes a linear bus. The redundancy manager (RM) monitors the ring topology by sending test frames via both ring ports and checking that they arrive at the other ring port. The other switches function as redundancy clients. Their ring ports forward the test frames within the ring.

HRP principle without fault:

[Figure: PROFINET IE ring with the redundancy manager (RM).]

If the test frames of the redundancy manager no longer reach the other ring port due to an interruption in the ring (broken cable, device, etc.), the redundancy manager switches its two ring ports through and informs the redundancy clients of the change immediately. In terms of data transmission, the ring topology becomes a linear bus again. Even if the redundancy manager fails, the ring becomes a functioning linear bus.

HRP principle with fault:

[Figure: PROFINET IE ring with the redundancy manager (RM) and an interruption in the ring.]

The typical reconfiguration time of HRP is <300ms with up to 100 ring nodes.
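The supervision behaviour described in this section, reduced to a small Python model (an added example, not Siemens code and not the HRP frame format or timing). Switch 0 as the redundancy manager, the link numbering and the single `supervise()` cycle are assumptions of the model; it checks that the data path stays loop-free and connected with an intact ring, after one fault, after two faults and after a failure of the RM itself.

```python
from collections import deque


class HrpRingModel:
    """n switches in a ring; link i joins switch i and switch (i + 1) % n.

    Switch 0 is the redundancy manager (RM). Its ring port on link n-1 is the
    one it keeps closed for data while the ring is intact (model assumption).
    """

    def __init__(self, n):
        self.n = n
        self.link_up = [True] * n
        self.switch_up = [True] * n
        self.rm_port_blocked = True

    def _link_usable(self, i):
        return self.link_up[i] and self.switch_up[i] and self.switch_up[(i + 1) % self.n]

    def test_frame_returns(self):
        """A test frame sent from one RM ring port reaches the other one only
        if every link and every client on the way forwards it."""
        return all(self._link_usable(i) for i in range(self.n))

    def supervise(self):
        """One RM cycle: keep the ring open while test frames come back,
        switch the ring ports through when they stop arriving."""
        if self.switch_up[0]:
            self.rm_port_blocked = self.test_frame_returns()
        return self.rm_port_blocked

    def data_links(self):
        """Links that carry data frames in the current state."""
        blocked = self.n - 1 if (self.rm_port_blocked and self.switch_up[0]) else None
        return [i for i in range(self.n) if self._link_usable(i) and i != blocked]

    def has_loop(self):
        # The only cycle a ring can contain uses all n links.
        return len(self.data_links()) == self.n

    def reachable(self, start):
        """Switches that can exchange data with `start` (breadth-first search)."""
        neighbours = {s: [] for s in range(self.n)}
        for i in self.data_links():
            a, b = i, (i + 1) % self.n
            neighbours[a].append(b)
            neighbours[b].append(a)
        seen, queue = {start}, deque([start])
        while queue:
            for nxt in neighbours[queue.popleft()]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen


def run_scenarios(n=6):
    results = {}
    ring = HrpRingModel(n)
    ring.supervise()
    results["intact"] = (ring.rm_port_blocked, ring.has_loop(), len(ring.reachable(0)))

    # What the RM prevents: an intact ring with both ring ports forwarding.
    ring.rm_port_blocked = False
    results["intact_rm_forwarding"] = ring.has_loop()

    ring.link_up[2] = False               # cable between switch 2 and 3 breaks
    ring.supervise()
    results["one_break"] = (ring.rm_port_blocked, ring.has_loop(), len(ring.reachable(0)))

    ring.link_up[4] = False               # second, simultaneous fault
    ring.supervise()
    results["two_breaks"] = sorted(ring.reachable(0))

    rm_down = HrpRingModel(n)
    rm_down.switch_up[0] = False          # the redundancy manager itself fails
    rm_down.supervise()
    results["rm_failed"] = sorted(rm_down.reachable(1))
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(name, value)
```

A ring tolerates exactly one fault: the two-fault scenario leaves switches 3 and 4 cut off, which is the case the redundant ring coupling in the next section addresses for the link between rings.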


5.2 Standby-Connection (SIEMENS)

The Siemens Standby-Connection function allows the redundant coupling of High Speed Redundancy Protocol rings. Two switches within the ring are assigned parameters as the standby manager and standby partner. They negotiate (or you set) a device that activates the connection to the neighboring network segment. The other standby device deactivates its connection to the other network segment to avoid a loop.

When the link to the upper ring fails, the second connection is activated and the network is re-established.

Standby connection principle:

[Figure: PROFINET IE rings, each with a redundancy manager (RM), coupled redundantly through a standby Manager and a standby Partner.]


5.3 Passive Listening (SIEMENS)

Siemens developed Passive Listening to support redundant connections with fast recovery between SCALANCE Industrial Ethernet networks and IT networks that support Spanning Tree.

Coupling between Spanning Tree Network and Industrial Ethernet:

[Figure: An Ethernet network with Spanning Tree coupled to Industrial Ethernet (PROFINET IE).]

The passive listening function of the industrial switch supports the forwarding of STP/RSTP/MSTP etc. frames through the network without participating actively in this mechanism. This gives the STP/RSTP/MSTP network components the possibility to resolve a loop at the coupling point between the different topologies.


BPDUs (bridge protocol data unit) travelling through the network:

[Figure: BPDUs from the Ethernet network with Spanning Tree pass through the Industrial Ethernet (PROFINET IE) rings and their redundancy managers (RM).]

The STP/RSTP/MSTP network components will recognize the additional connection between them and will block the redundant path through the industrial network on one side. This resolves a potential loop while the connection between the networks stays active.


Resulting communication path between the two topologies:

[Figure: Ethernet with Spanning Tree coupled to Industrial Ethernet (PROFINET IE) rings with redundancy managers (RM) and a PLC; ports are marked f = forwarding or b = blocking.]

When the active connection between the network parts is disturbed due to a malfunction or a broken link, the STP/RSTP/MSTP network components will recognize the absence of BPDU frames on the blocked port. This leads to the switchover from blocking to forwarding at what is now the single connection between the parts. The connection between the networks is re-established.

Resulting communication path between the two topologies after broken link:

[Figure: The same coupling of Ethernet with Spanning Tree and Industrial Ethernet (PROFINET IE) after a broken link; ports are marked f = forwarding or b = blocking.]


6 Strategies of the security concept

A targeted defense against every individual, current, or future possible threat or means of attack, from within or without, is no longer possible. This security concept works on general defense strategies which are intended to protect against the following attacks:

● A reduction of availability (e.g. denial of service)

● The bypassing of individual security mechanisms (e.g. man in the middle)

● Intentional misuse through permitted operations (e.g. following password theft)

● Misuse through non-configured user rights

● Data espionage (e.g. recipes and operational secrets and also the functionality of plants and their security mechanisms)

● Data modification (e.g. to downplay alarm messages)

● Data deletion (e.g. log files to conceal attacks)

The following defense strategies form an overall approach: they combine the required and desired types of access and possible operations with the wide range of available security mechanisms into a "defense in depth" with numerous layers of security. They are presented here to SIMATIC customers as an overview and are explained step by step in what follows.

Objective and strategy | Section from the security concept

Comprehensive protection against security threats through access-based defense in depth | See chapter: 6.1 Defense in depth

Response to current and future security threats through central, group-based maintenance, care, updating, and the distributed security of the products employed with defined distribution paths | See chapter: 6.2 Automation cells and security cells

Prevention of improper use through task-specific operation and access rights of the user, software components, and devices | See chapter: 6.3 Task-specific operation and access rights

Response to current and future security threats through central, group-based maintenance, care, updating, and the distributed security of the products employed with defined distribution paths | Task based grouping and administration, central and local data storage and configuration


Individual security measures (e.g. IPSecurity or VPN) can be used several times or fulfill different requirements at the same time. These security measures are described once, centrally, and each security solution that uses them refers to that central description.

As the different security measures and strategies can sometimes both complement each other positively and influence each other negatively, an appropriate balance must be striven for in individual cases between, for example, availability, security, comfort, and performance. If one of the described security solutions has such a problem, this will be brought to your attention.

The main objective of the following description of individual security strategies and their systematization is to support plant designers and operators with the sensible composition of current security measures so that future security measures can also be added in a targeted and efficient manner.


6.1 Defense in depth

From the plant operator’s perspective, secure access to the components of their plant should be possible to perform regularly recurring tasks. This access is provided by the different components and mechanisms of process control technology and process visualization technology and is therefore subject to various risks. In what follows, these means of access will be classified more precisely from the customer's perspective as "types of access".

The strategy of defense in depth in this documentation is not a mere listing of the security measures that can be used in process control technology (e.g. encryption, authentication, authorization, etc.), but rather a description of the sensible employment of these security measures in different layers of protection, tailored precisely to types of access from the customer's perspective and presented in the following illustration as an overview.

Types of access and layers of protection:

[Figure: The types of access (Data Exchange, Realtime Controlling, Maintenance, Support) and the layers of protection they pass through, labelled: Physical Protection; Single Access Points; Perimeter Zones, Standardize Application Layer Filtering; Certificate Based Authenticated and Encrypted Communication; Secure Authentication and Single SignOn; System Hardening; Operator Rights Administration.]

All access may only be gained via uniquely authenticated network devices and by authorized users. In this overview, data exchange and real-time controlling represent the IT connections of Enterprise Resource Planning (ERP) systems at the company level, the Manufacturing Execution Systems (MES) of production planning, and the Manufacturing Control Systems (MCS) at the automation level. "Maintenance" is used here to refer to the servicing and care of the different systems; e.g. the regular loading of security updates or the gathering and evaluating of diagnostics and log files. "Support" represents any remote access required to update or upgrade the systems used or to eliminate faults on them.


Examples of types of connection

● Data exchange / information exchange: data and information exchange between different production levels, neighboring plants, onshore/offshore components, and automation and security cells

● Real-time controlling / remote controlling: the control or remote support of onshore to offshore, or various plants, or between the remote control center and the plant

● Maintenance: the normal monitoring and archiving of diagnostics information, data backups, updates, or even the fine-setting of configurations

● Support: all engineering activities, upgrades, or changes to the process control system, as well as error diagnostics and corrections

In the overview of the previous illustration, reference is also made to a type of access referred to as "real-time data", which constitutes a mixture of "data exchange" and "real-time controlling". This mixed type of access is usually contingent on the access technology employed or created by a grouping of several tasks by the plant operator. This mixed type of access should be avoided from a security perspective, however, as the security measures used in each case are too different and their compromise solutions often represent an increased risk.

During plant or plant migration planning, decisions must be made, using the required types of access in conjunction with the plant operator, about which of the following security mechanisms and layers of protection should be implemented:

1. Physical protection of / access control to buildings, areas, rooms, cabinets, devices, equipment, and cabling: this is based on the security cells available and their managers. This is important to be able to realize a single remote station.

2. A single access point to each security cell (protected by firewall) for the authentication of: users, devices, and applications with the help of direction-controlled access controls to detect and prevent intrusion attempts.

3. Certificate-based authentication and the encryption of communication should always be employed if perimeter zones and/or standard application filtering are not available. This can be realized using a tunnel protocol; e.g. Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (L2TP), and IP security filtering (IPsec); or using server-based, certificate-secured channels: e.g. a Remote Desktop Protocol (RDP) or an HTTPS Windows Server 2008 Terminal or web server using Secure Sockets Layer (SSL) technology protected by a firewall. Siemens recommends the use of a CRSP (Common Remote Service Platform) for globally available access. CRSP provides a secure, redundant, and highly available platform for remote access using IPsec and SSL. Secure connections are routed through Siemens' own platform.

4. Secure authentication and single sign on should always be employed if a Microsoft Active Domain that provides an extended authentication (including NTLM V2, Kerberos, and Secure ID Card) is used instead of rule-based authentication. This provides administrators with central, time and role-based password policies, group-based rights management, and standardized recording. Here, SIMATIC Logon provides central access protection for SIMATIC applications and for all plant areas connected to them. Both the administration of the roles of an application and their assignment to Windows groups, including the awarding of authorizations, and the features event logging and the creation of electronic signatures are made available. We recommend using Single Sign On on SIMATIC Logon.

5. System hardening means local firewall protection against access from anywhere outside of a particular security cell, the careful preconfiguration of access control lists (ACL), and their entries (ACE). This protects all remotely accessible objects like files, registry entries, services, and applications (DCOM).

6. Patch management and security updates should always be performed centrally for security reasons. New patches, updates, and virus signatures are loaded by a central server (the use of Windows Server Update Services (WSUS) is recommended) and are distributed from there to all the devices located on the network. A central configuration and monitoring option is thus available. The patch server is placed in a perimeter network that is blocked by a firewall, and it accesses the Internet or an overlapping server in the company network. Only this server therefore requires access to the Internet, which increases plant security. In order to prevent negative effects from updates on the running plant, all updates should be validated in advance in a test environment. Only when it has been ensured that the updates will in no way affect the plant are they approved for the production system.

7. Whitelisting and application control are technologies which make it possible for only defined, trusted applications to run or to make only defined file operations possible. In contrast to traditional blacklisting software (such as virus scanners) which only offers protection against known malicious software, these prevent the running of any unknown or untrusted applications. They are not a substitute for anti-virus software, but an additional component in the security concept. The collaboration of these technologies allows for any kind of local weak points in a system to be eliminated as best as possible.

8. The so-called "last line of defense" is a role-based access control system and should be applied at all levels, starting at the plant level through to the owners and their operators. Operator rights management is supported by all Siemens applications.

6.2 Automation cells and security cells

The strategy of dividing plants and plant networks into security cells increases the availability of an entire system if individual failures, or security threats which cause individual failures, can be restricted to their immediate areas of activity. For this strategy to lead to a modern and securely networked process automation plant, the security cells of the plant must be planned carefully. To do this, the plant is first divided into automation cells (process cells) and, through security measures based on this, into security cells.

Process cells represent certain production-specific zones, sections, subareas, or subsystems and must fulfill the following conditions:

● A process cell must form a self-sufficient "functioning system or subsystem" that can be operated for a specific period of time without connection to other systems or subsystems; i.e. a process cell must be and stay autonomously functioning for a certain period of time.

● All elements directly belonging to such a process cell and its tasks must be directly connected with each other (i.e. not through leased lines). In network technology terms, this involves a LAN (Local Area Network).

● Plant units that cause high network and computer loads (e.g. when they have to be connected from the outside via a complex security mechanism) must be integrated directly into the process cell.


One or several process cells become a security cell if the following additional conditions are fulfilled:

● Only trusted and authorized persons with appropriate training should be given access to a security cell. The following are some of the access rights that must be strictly checked:

– Physical access to production areas and process control facilities

– Operation of the process control system and manual production sections

– Access to the file system and configuration of process control system stations

– Access to computer and control networks, their power supplies, and infrastructures (e.g. network services, the domain controller)

● All access to a security cell may only take place following verification of the legitimacy for this. To do this, individuals and devices must be authenticated and authorized, for example.

● All access must be recordable or take place under the supervision of authorized individuals; e.g. personnel access, file access, support service, etc.

The planning of security cells is based, in summary, on the actual areas of responsibility, the separable process cells, physical access options, and the network design and access protection resulting from these.

[Figure: Different security cells. In the plant area (Industrial Ethernet), SCALANCE XR switches connect Production Line 1, Production Line 2, Production Line 3 ... Production Line n, each with Machine 1 ... Machine n behind X-200 switches, and link to the office area (LAN).]


On the one hand, this ensures that in the event of a temporary loss of parts of the infrastructure (e.g. the network presented in the illustration in red), the operation of individual security cells or segments can continue. To do this, information and services that are required within the security cell but generated outside of it must be cached or provided in representative form by suitable measures within the respective security cell (e.g. recipes and material data, network services such as name resolution, IP address allocation, user authentication, etc.).

[Figure: Separated security cells. The same plant area (Industrial Ethernet) with SCALANCE XR switches, Production Line 1, Production Line 2, Production Line 3 ... Production Line n and the office area (LAN), with the security cells separated from each other.]

Furthermore, if a security threat (such as a virus, presented in red in the illustration) appears within a security cell, other security cells or their members can be protected and the entire system can therefore continue to operate while the security threat is eliminated.
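An added example, not part of the Siemens application example: a Python check of observed flows against the security cell model, with one subnet per cell and a direction-controlled allow list standing in for the rules of the cell access points. The cell subnets other than 10.120.10.x, the ports, the allow list and the flow records are constructed for the illustration.

```python
import ipaddress

# Constructed cell layout: one subnet per security cell. The line1 range follows
# the 10.120.10.x addresses used earlier; the other ranges are assumptions.
CELLS = {
    "office": ipaddress.ip_network("172.16.0.0/16"),
    "perimeter": ipaddress.ip_network("10.120.0.0/24"),
    "line1": ipaddress.ip_network("10.120.10.0/24"),
    "line2": ipaddress.ip_network("10.120.20.0/24"),
}

# Direction-controlled allow list for the cell access points (constructed):
# (initiating cell, target cell, destination TCP port).
ALLOWED = {
    ("office", "perimeter", 443),     # office users reach the perimeter web server
    ("perimeter", "line1", 443),      # perimeter server reads from line 1
    ("perimeter", "line2", 443),
    ("line1", "perimeter", 8530),     # line 1 fetches updates from the patch server
    ("line2", "perimeter", 8530),
}


def cell_of(ip):
    """Name of the security cell that owns `ip`, or None if it is in no cell."""
    addr = ipaddress.ip_address(ip)
    for name, net in CELLS.items():
        if addr in net:
            return name
    return None


def classify(src, dst, dport):
    """Verdict for one flow record, judged against the cell model."""
    src_cell, dst_cell = cell_of(src), cell_of(dst)
    if src_cell is None or dst_cell is None:
        return "unknown-endpoint"
    if src_cell == dst_cell:
        return "intra-cell"
    if (src_cell, dst_cell, dport) in ALLOWED:
        return "allowed"
    return "violation"


def audit(flows):
    """Return the flows that need attention as (verdict, src_cell, dst_cell, flow)."""
    findings = []
    for flow in flows:
        verdict = classify(*flow)
        if verdict in ("violation", "unknown-endpoint"):
            findings.append((verdict, cell_of(flow[0]), cell_of(flow[1]), flow))
    return findings


# Constructed flow records (source, destination, destination port), e.g. as
# exported by a switch mirror port or a firewall log.
FLOWS = [
    ("10.120.10.131", "10.120.10.133", 102),   # inside line 1
    ("172.16.4.20", "10.120.0.10", 443),       # office -> perimeter
    ("10.120.0.10", "10.120.10.131", 443),     # perimeter -> line 1
    ("10.120.10.134", "10.120.0.10", 8530),    # line 1 -> patch server
    ("172.16.4.20", "10.120.10.131", 102),     # office straight into line 1
    ("10.120.10.133", "10.120.20.141", 445),   # line 1 -> line 2, cell to cell
    ("10.120.0.10", "10.120.10.134", 8530),    # allowed port, wrong direction
    ("192.0.2.55", "10.120.10.131", 80),       # source belongs to no cell
]

if __name__ == "__main__":
    for finding in audit(FLOWS):
        print(finding)
```

The cell-to-cell finding is the case the paragraph above is about: traffic from one production line to another that the access points are meant to stop, so that a threat in one security cell stays there.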


6.3 Task-specific operation and access rights

Using task-specific operation and access rights, it is possible for every user to receive the exact rights that are required for them to perform their duties. This is also referred to as the principle of least privilege.

To introduce this principle, we recommend using SIMATIC Logon with the following features:

● Central administration (incl. password aging, auto logoff after inactivity time or multiple wrong password entries, lock screen)

● Configuration at runtime (add / lock / remove user accounts)

● All WinCC configurations are supported, including web

● Supports domain concept and Windows work groups

The basic idea of SIMATIC Logon is the central availability of users' login information (the "Single Sign On" principle). The use of SIMATIC Logon in connection with an active directory domain enables user authentication (and login) which has high availability and is fail-safe.

In addition to SIMATIC Logon, we also recommend using the Audit Trail functions to comply with standards and regulations concerning the traceability of changes. The Audit Trail option can be used to document production data and user actions.


7 Converting security strategies into security solutions

The successful conversion of security strategies into security solutions on PWA systems can only be achieved with the responsible cooperation of all those involved. These especially include:

● The manufacturers of the used components (development, system tests, security tests)

● Project designers and plant integrators (planning, assembly, factory acceptance tests)

● Plant operators (operation and administration)

The strategies and their implementation must be observed and updated throughout the entire life cycle of a plant – from the start of tender preparation, planning, and design, through to migration, right up to the decommissioning of a plant.

The following aspects enable the security concept described here to have its impact on automation systems:

● The employment of stable, high-availability, and system-tested SIMATIC products that have IP hardening and predefined security settings (e.g. know-how protection) and have been specially designed for use in an industrial environment.

● A modern project which uses the latest technologies and standards and enables a plant design adapted to the security requirements of the customer.

● The careful and responsible operation of the systems and components according to their fields of application defined by the manufacturer.

7.1 Security cells and network architecture

7.1.1 Definitions of the access points to the security cells

Network access points should:

Prevent unauthorized data traffic to the visualization and automation systems.

Enable authorized data traffic and thus the seamless, normal operation of the control and visualization systems.

| Function | Description |
| --- | --- |
| Front-Firewall | Protects the perimeter and allows access to web publications from the perimeter and remote dial-in options of the back firewall. |
| Back-Firewall | Protects the production network PCN and allows the primarily certificate-based, encrypted, and signed access of individual, trusted, remote stations and trusted networks (e.g. the MON of the production planning system MES) and remote and support access to the PCN. |
| Three-homed Firewall | Combined front and back firewall with its own "minimal perimeter" for scalable security solutions. |

Features:

A high-quality stateful inspection firewall with the filtering of IP-based and MAC-based data traffic

Can be operated in bridge mode or router mode

Network Address Translation (NAT)

DHCP Server

VPN encryption of data transmission

Protection from espionage

Protection from manipulation

With the security cells and network design, the sphere of responsibility of the plant operator should also be precisely defined (i.e. to the IT administrators of the office network). In other words, the plant operator must uniquely possess the administrative rights and duties in his security cell. The decision about which security cells and network design should be introduced is generally influenced by the size of a plant, its spatial division, the identified risk, and the budget available. The example configurations in the following paragraphs provide an overview.

7.1.2 Secure security cell connection

Connections between mutually trusting security cells should be made through encrypted tunnel communication, such as an IPsec or SSL/VPN tunnel. The objective here is not to impede the communication within the security cell through complex security mechanisms. Only the communication that leaves the security cell is encrypted and is thus limited in its performance.

WARNING

All tunnel mechanisms and firewalls are potential "preset breaking points" of the network.

By way of example, the data transfer of a firewall is heavily restricted if the firewall goes into a secure state as a result of a detected attack. This is why the plant units must be designed in such a way that the plant remains functional even during a temporary outage of the security cell connection.

Security cell connections are realized with:

Access points (back firewall, three-homed firewall, access point firewall)

Security ballasts (SIMATIC SCALANCE S, product range of security modules)

A component which can accommodate such secure network cell access and the tasks of a front, back, or three-homed firewall is the so-called automation firewall. This has been validated in an industrial environment, like all SIMATIC components, and has been made operable for automation engineers using an easy-to-understand configuration wizard. You therefore obtain the protection of a professional firewall, including intrusion detection, prevention measures, and an easy-to-use / easy-to-configure user interface.

The following illustration shows a security cell connection at the plant level, implemented for industrial Ethernet with SCALANCE S security modules. The communication between automation systems, which has been specially developed for industrial use, cannot be tunneled through a conventional IT firewall. On the one hand, the increased computational power needed for end-to-end encryption of automation systems would lead to a deterioration in performance on the whole; on the other, such an IT firewall cannot sufficiently protect this communication, because no filter rules are available for this purpose. This task is therefore assumed by the security modules of the SCALANCE S product range, which have been specially developed for it; in the following illustration they enable the protected data exchange of the automation and process control systems between the machine 3 line 1 and machine 3 line 2 subsystems.

[Figure: Industrial Ethernet with an automation firewall. Security Cell 1 (Production Line 1) and Security Cell 2 (Production Line 2) each contain Process Cells 1 to n (Machines 1 to n), each on an X-200; one S-600 per security cell, joined by an IPSec tunnel.]

7.2 Protect maintenance access

Due to the ever-growing distances between support personnel and the systems that are to be maintained (e.g. support personnel working in the field) support and remote dial-ins are gaining in significance and place high demands on security solutions because of the additional potential security risks. Firstly, additional exceptions must be defined at the access point firewalls; secondly, this could mean malicious code could be allowed to run in the plant with administrative rights from a support PC, even if this is unintentional.

In order to guarantee the best-possible security for the plant to be maintained, all access must be authenticated and authorized through a combination of several technologies and security mechanisms. A "direct dial-in" into the device to be serviced offers monitoring options that are too weak, and this is therefore not for consideration.

Remote dial in via cRSP

To enable a secure and reliable connection to the plant, Siemens offers the use of the Siemens Remote Service Platform. This offers the opportunity to access industrial plants flexibly, securely, and comprehensibly.

Facts:

More than 220,000 systems are connected to the Remote Service Platform and obtain service from it.

The Siemens Remote Service Platform can be used by both Siemens and by external customers and partners.

Safe

Transparent

Comprehensible

Controlled by the customer

State of the art security infrastructure

ISO 27001 certified operating of data centres

To use the Siemens Remote Service Platform, an access point is required in the plant. There are multiple ways of doing this:

IPSec Tunnel

SSL

Using an IPSec Tunnel

To achieve access to the Siemens Remote Service Platform using IPSec, an IPSec-capable system is required which can terminate the tunnel. This can be a router or a firewall that is already present in the system or a device supplied by Siemens. To ensure data packets are forwarded to the correct device, it is important that any port forwarding that may be required is established through the network. The ports and protocols to be forwarded are: UDP 500, UDP 4500, and IP protocol 50/51. If a device supplied by Siemens is used, then the port UDP 22 should also be forwarded.

Using SSL

For access using SSL encryption, a Windows system is required on which the Siemens Remote Service Platform SSL client can be installed. After installation and registration, the device on which the SSL client has been installed can be accessed. To enable communication with the Remote Service Platform, communication from the device to the IP address 194.138.37.194 must be possible via port 443.
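
The exceptions named above for IPSec and SSL access can be checked against an exported rule set. The following is an added example, not part of the Siemens application example: it confirms that the flows from the text are present and flags every rule that is wider than those flows. The rule format, the `FirewallRule` type, the 192.0.2.10 tunnel endpoint, the sample rules, and reading "port 443" as TCP are assumptions.

```python
"""Audit firewall exceptions for Remote Service Platform access (added example)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

# Flows named in the text, as (IP protocol number, destination port).
# 17 = UDP, 6 = TCP, 50 = ESP, 51 = AH; ESP and AH carry no port.
IPSEC_FLOWS = {(17, 500), (17, 4500), (50, None), (51, None)}
SIEMENS_DEVICE_FLOW = (17, 22)            # "UDP 22", exactly as the text states it
RSP_SSL_ENDPOINT = "194.138.37.194/32"    # address given in the text
RSP_SSL_FLOWS = {(6, 443)}                # assumption: port 443 means TCP here


@dataclass(frozen=True)
class FirewallRule:
    """One allow rule in a hypothetical export format."""
    name: str
    proto: Optional[int]    # IP protocol number, None = any protocol
    dst: str                # destination network, CIDR notation
    port: Optional[int]     # destination port, None = any / not applicable


def audit(rules, allowed_dst, expected):
    """Return (missing_flows, findings) for one access method.

    A rule only counts as covering an expected flow if it is no wider than
    that flow: exact protocol, exact port, destination inside allowed_dst.
    """
    allowed = ip_network(allowed_dst)
    covered, findings = set(), []
    for rule in rules:
        flow = (rule.proto, rule.port)
        dst = ip_network(rule.dst)
        if rule.proto is None:
            findings.append(f"{rule.name}: any protocol allowed")
        elif rule.proto in (6, 17) and rule.port is None:
            findings.append(f"{rule.name}: any port allowed")
        elif flow not in expected:
            findings.append(f"{rule.name}: flow {flow} is not required")
        elif not dst.subnet_of(allowed):
            findings.append(f"{rule.name}: destination {dst} is outside {allowed}")
        else:
            covered.add(flow)
    return sorted(expected - covered, key=str), findings


# Constructed rule sets; 192.0.2.0/24 is a documentation address range.
TUNNEL_ENDPOINT = "192.0.2.10/32"
SAMPLE_IPSEC_RULES = [
    FirewallRule("ike", 17, "192.0.2.10/32", 500),
    FirewallRule("nat-t", 17, "192.0.2.10/32", 4500),
    FirewallRule("esp", 50, "192.0.2.10/32", None),
    FirewallRule("legacy-support", 6, "192.0.2.0/24", 3389),  # not named in the text
    FirewallRule("ah", 51, "192.0.2.0/24", None),             # right protocol, too wide
]
SAMPLE_SSL_RULES = [
    FirewallRule("rsp-ssl", 6, "194.138.37.194/32", 443),
    FirewallRule("web-any", 6, "0.0.0.0/0", 443),             # reaches every address
]

if __name__ == "__main__":
    checks = (
        ("IPSec", SAMPLE_IPSEC_RULES, TUNNEL_ENDPOINT, IPSEC_FLOWS),
        ("SSL", SAMPLE_SSL_RULES, RSP_SSL_ENDPOINT, RSP_SSL_FLOWS),
    )
    for label, rules, allowed_dst, expected in checks:
        missing, findings = audit(rules, allowed_dst, expected)
        print(label, "missing flows:", missing)
        for finding in findings:
            print("  ", finding)
```

For a tunnel terminated on a device supplied by Siemens, pass `IPSEC_FLOWS | {SIEMENS_DEVICE_FLOW}` as the expected set.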

7.3 Hardening

In order that the spreading of security threats can also be effectively restricted within a security cell, each individual member of a security cell must be additionally hardened. In general this hardening is achieved by:

The switching off / uninstallation of services that are not required

Restricting the external accessibility of services that are exclusively required through a local firewall

Restricting the external accessibility of services that are exclusively required by individual, recognized network devices or external applications to certain network addresses or protocols through a local firewall

Restricting the accessibility of services that are exclusively required by individual, recognized devices or users through precisely defined access authorization via a local security system (e.g. the COM / DCOM security configuration) for the administration of component services

Restricting local and remote file, registration, approval, and database access to individual, recognized, local groups, users, services, and applications

Local Windows firewall

If SIMATIC products are not to be operated within a local IP subnet, the settings of the local Windows firewall of the devices concerned must be adapted to the IP subnets used or to individual IP addresses.

7.4 Virus scanner

The use of virus scanners within a plant is only effective if it is part of a comprehensive security concept. The use of a virus scanner on its own cannot protect a plant from security threats generally.

Virus scan client: a computer that checks for viruses and is administered by the virus scan server.

Virus scan server: a computer that administers the virus scan clients centrally, loads the latest virus signatures, and distributes these to the virus scan clients.

Basic virus scanner architecture

To fulfill the requirements mentioned in the preceding section, the simplified virus scanner architecture presented in what follows is recommended. The virus scan server receives the virus signatures from the update server of the respective virus scanner manufacturer off the Internet, or from a higher-level virus scan server from the intranet, and administers the virus scan clients. Administrative access to the virus scan server is also possible via a web console.

[Figure: basic virus scanner architecture with the Internet, a virus scan server, a web console, and three virus scan clients.]

Depending on the manufacturer, it is also possible to use multiple virus scan servers. These can also be arranged into a hierarchy. After the virus scan server has received the virus signatures and these have been checked in a test facility, the virus signatures are distributed in groups to the virus scan clients.

If you require support with planning and introducing your virus scanners and/or your virus scanner infrastructure, you can find more information on this in the "Products and services" section.

7.5 Whitelisting/application control

Whitelisting and application control are technologies which make it possible for only defined, trusted applications to run or to make only defined file operations possible. In contrast to traditional blacklisting software (such as virus scanners) which only offers protection against known malicious software, these prevent the running of any unknown or untrusted applications. Two different solutions are distinguished here:

List-based whitelisting: whether an application may run or not is checked using a list

Rule-based whitelisting (application control): whether or not an application may run, and which file operations an application may perform, is checked using a set of rules

There is no strict division between the solutions mentioned above; one often finds mixed forms of the solutions.

List-based whitelisting software is usually easier to configure and administer. The lists are usually created automatically, and as long as the installed software is not modified, no further administrative effort is required. They are therefore suited to small plants and plants that do not have a permanent IT administrator for the plant. Rule-based application control is usually more costly to administer, but it offers more options and with them highly specific restrictions to applications and file operations. It is therefore especially suited to large plants with their own IT administration for the plant.
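
The difference between the two approaches shows up in how each reaches a decision. The following added example (not taken from the Siemens document or from any whitelisting product) implements both models in a few lines; identifying files by SHA-256, the rule format, and all paths and file contents are assumptions made for the illustration.

```python
"""List-based whitelisting vs rule-based application control (added example)."""
import hashlib
from dataclasses import dataclass
from fnmatch import fnmatchcase


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


class ListWhitelist:
    """List-based: the list is generated once from the installed software."""

    def __init__(self, installed):
        # Assumption: a file is identified by the SHA-256 of its content.
        self.allowed = {digest(content) for content in installed.values()}

    def may_run(self, content: bytes) -> bool:
        return digest(content) in self.allowed


@dataclass(frozen=True)
class ControlRule:
    app: str          # glob for the path of the acting application
    operation: str    # "execute" or "write"
    target: str       # glob for the file being executed or written
    allow: bool


class RuleControl:
    """Rule-based: the first matching rule decides; no match means deny."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, app: str, operation: str, target: str) -> bool:
        for rule in self.rules:
            if (fnmatchcase(app, rule.app)
                    and operation == rule.operation
                    and fnmatchcase(target, rule.target)):
                return rule.allow
        return False


# Constructed installation and rule set (paths and contents are made up).
INSTALLED = {
    "C:/HMI/runtime.exe": b"runtime build 1",
    "C:/HMI/archiver.exe": b"archiver build 1",
}
RULES = [
    ControlRule("*", "write", "C:/HMI/*", False),            # program folder is read-only
    ControlRule("*", "execute", "C:/HMI/*.exe", True),       # only installed programs start
    ControlRule("C:/HMI/archiver.exe", "write", "D:/Archive/*", True),
]

if __name__ == "__main__":
    whitelist = ListWhitelist(INSTALLED)
    print("installed build runs:", whitelist.may_run(b"runtime build 1"))
    # Modified software is blocked until the list is regenerated.
    print("updated build runs:  ", whitelist.may_run(b"runtime build 2"))

    control = RuleControl(RULES)
    print("archiver writes archive:",
          control.decide("C:/HMI/archiver.exe", "write", "D:/Archive/batch.csv"))
    print("archiver overwrites runtime:",
          control.decide("C:/HMI/archiver.exe", "write", "C:/HMI/runtime.exe"))
```

The list needs no upkeep until the installed software changes, whereas the rule set can restrict individual file operations but has to be written and maintained by someone.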

Whitelisting / application control is not a substitute for traditional blacklisting, but rather an additional tool in a comprehensive defense in depth strategy. As whitelisting / application control software works in a more resource-saving manner than blacklist software, its use in realtime systems and lower-performance systems is preferred. However, computers that have access to the Internet or web-based intranet should always have an up-to-date virus scanner.

Siemens recommends using McAfee Application Control.

If you require support with planning and introducing your whitelisting software and/or your whitelisting software infrastructure, you can find more information on this in the "Products and services" section.

You can find further information in the references, too.

7.6 Patch management and security updates

Patch management is the scheduled approach to installing patches on plant computers:

Which patches are to be installed?

Have the patches been tested in advance for system compatibility?

When will these patches be installed?

In which sequence are these patches to be installed?

How should these patches be installed onto plant computers?

The patch management of a plant is only effective if it is part of a comprehensive security concept. The exclusive use of patch management and security updates cannot protect a plant from security threats for which no patch yet exists.

Patches and security updates

| Type | Description |
| --- | --- |
| Patch | Microsoft uses the umbrella term "patch" to define all types of updates, service packs, feature packs, and similar installations, regardless of whether these are relevant from a safety engineering perspective. |
| Security update | By contrast, the term "security update" is used to summarize security-specific updates only. |

Use of patch management

Using patch management must not restrict a plant's operation. To ensure this, the following configurations have been tested and are recommended:

Central patch management: For administrative and security engineering reasons, patch management should occur centrally. Not all computers load their patches from Microsoft; instead a server – which is preferably placed in a perimeter network – loads the patches once, centrally and distributes these to the plant computers. The plant administrator thus has central configuration and monitoring at their disposal, and the plant computers do not require an Internet connection. The patch server is placed in a perimeter network that is blocked by a firewall, and it accesses the Internet or an overlapping server in the company network.

Windows Server Update Service: The use of Windows Server Update Services (WSUS) is recommended to perform central patch management. This is provided by Microsoft free of charge and offers all the functions that are required for the patch management of one or several plants. WSUS offers a wide range of different patch classes for almost all Microsoft products.

Patch management procedure: As maintaining the process is the most important principle, the timing of the installation of patches must be carefully chosen by the administrator. Firstly, many patches require a restarting of the system; and secondly, there can be problems with the patches, even if only rarely. It is therefore recommended that patches be checked in advance on a separate testing system. Furthermore, one should create groups on WSUS (for example, a group with all master servers and one with all standby servers) and introduce the patches in such groups.

7.7 Administration and configuration

7.7.1 Administration of computers and users

The administration of computers and users of a production plant should be organized via SIMATIC Logon. See also Chapter 6.3 Task-specific operation and access rights.

The basic idea of SIMATIC Logon is the central availability of users' login information (the "Single Sign On" principle). The use of SIMATIC Logon in connection with an active directory domain enables user authentication (and login) which has high availability and is fail-safe.

7.7.2 Administration of networks and network services

The administration of a production plant's local network settings, networks, and required network services can be organized centrally or decentrally.

Central administration (mostly domains)

All necessary information and settings can be configured centrally:

IP address via DHCP (automatic addressing)

DNS and WINS name resolution (automatic, central name registration; can subsequently be queried by other network participants)

NTP and SNTP time synchronization

Patch and update management

Decentralized administration (mostly work groups)

All necessary information and settings must be configured locally:

IP address (is used to uniquely identify a network participant in a network)

Computer name and NetBIOS computer name (is used to uniquely identify a computer for people and applications in a network)

Name resolution (is used to change the computer name (FQDN) and the NetBIOS computer name of a computer into an IP address)

CAUTION

Errors can occur

For larger plants the settings are the most common sources of faults, as typing errors or double usage occur easily.
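
Typing errors and double usage in a locally maintained address plan can be caught before the settings are entered on the devices. The following added example (not part of the Siemens application example) checks a constructed plan for one security cell; the subnet, the computer names, the addresses, and deriving the NetBIOS name from the first 15 characters of the computer name are assumptions.

```python
"""Check a locally maintained address plan for typing errors and double usage (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed plan for one security cell: (computer name, IP address as typed).
CELL_SUBNET = "192.168.10.0/24"
SAMPLE_PLAN = [
    ("LINE1-FILLER-HMI-01", "192.168.10.21"),
    ("LINE1-FILLER-HMI-02", "192.168.10.22"),   # same first 15 characters as -01
    ("line1-capper-hmi", "192.168.10.23"),
    ("LINE1-LABELER-HMI", "192.168.10.23"),     # address used twice
    ("LINE1-PACKER-HMI", "192.168.1O.25"),      # letter O typed instead of zero
    ("LINE1-PALLET-HMI", "192.168.11.26"),      # outside the cell subnet
]


def netbios_name(computer_name):
    """Assumption: NetBIOS name = host part, upper case, first 15 characters."""
    return computer_name.split(".")[0].upper()[:15]


def check_plan(plan, subnet):
    """Return findings as (kind, detail, names) tuples."""
    net = ip_network(subnet)
    findings = []
    by_ip, by_netbios = defaultdict(list), defaultdict(list)
    for name, ip_text in plan:
        by_netbios[netbios_name(name)].append(name)
        try:
            ip = ip_address(ip_text)
        except ValueError:
            findings.append(("invalid-ip", ip_text, (name,)))
            continue
        if ip not in net:
            findings.append(("outside-subnet", ip_text, (name,)))
        by_ip[ip].append(name)
    for ip, names in by_ip.items():
        if len(names) > 1:
            findings.append(("duplicate-ip", str(ip), tuple(names)))
    for short, names in by_netbios.items():
        if len(names) > 1:
            # Identical full names are a plain duplicate; different full names
            # that share a NetBIOS name only collide after truncation.
            same = len({n.lower() for n in names}) == 1
            kind = "duplicate-name" if same else "netbios-collision"
            findings.append((kind, short, tuple(names)))
    return findings


if __name__ == "__main__":
    for kind, detail, names in check_plan(SAMPLE_PLAN, CELL_SUBNET):
        print(f"{kind:18} {detail:18} {', '.join(names)}")
```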

7.7.3 Administration of role-based operator authorizations

The unique identification of people and the granting of authorizations to these people are the most important security measures in every company; a person logging on to a computer is a routine, everyday task. In what follows, the features of automation with regard to the administration of role-based operator authorizations and their integration into the PWA security concept are explained.

Central and fail-safe rights administration with SIMATIC Logon

The use of SIMATIC Logon in connection with an active directory domain enables user authentication (and login) which has high availability and is fail-safe if at least two domain controllers are introduced in each domain and security cell.

Production domain user accounts that are local to the domain are used for user configuration. In addition, selected user accounts from office domains linked via a trust can also be granted access rights.

In addition to central user administration with SIMATIC Logon, there must be a local emergency operator authorization in case the SIMATIC Logon Service cannot be accessed due to a complete network failure.

Decentralized rights administration without SIMATIC Logon

The administration of operator authorizations of each SIMATIC application (e.g. the WinCC user administrator) can also take place exclusively on a local basis, but this is not recommended for security reasons.

7.8 Logging and audits

The options for detecting attempted security threats, and those that have actually happened, are developing. Owing to an obligation to provide evidence which is present in many industries, logging and event logging evaluations must increasingly be incorporated into current security concepts. However, the carrying out of processes must not be impeded by this additional obligation.

In addition to the alarm and signaling system of process control:

Local event logs

Domain controller event logs

Firewall event logs

Virus scanner logs

Audit trails

8 Network software support

Siemens supports the entire network supply chain with several software products. This broad portfolio ranges from production planning to service.

[Figure: supply chain phases 1 Product Design, 2 Production Planning, 3 Production Engineering, 4 Production Execution, 5 Service; OEMs and end customers take advantage of PROFINET. SINETPLAN: network planning incl. bandwidth calculation and bottleneck analysis. PRONETA: intelligent name assignment, read back actual configuration, IO checker, mass operations. SINEMA Server: 24/7 monitoring, network and device diagnosis.]

8.1 SINETPLAN (Siemens Network Planner)

The Siemens Network Planner supports planners of automation systems based on PROFINET and supports the professional and proactive planning of a system. The software supports the planning and layout of PROFINET networks, especially if so-called “Non-Real-Time Communication” such as TCP/IP is used in addition to RT or IRT communication.

The tool calculates and simulates the network load in a PROFINET network and shows critical points where the network load is too high. In addition, it simulates the real-time data (Real-time communication between IO controllers and IO devices) as well as the Non-Real-Time communication caused e.g. by standard Ethernet nodes.

As a result, you will have an overview of, and transparency about, the network load of the planned network prior to installation and commissioning. If the Siemens Network Planner shows critical network sections, it is easy to redesign and restart the simulation.

In this way you can optimize the planned network, maximize exploitation of network resources, or plan reserves, and thereby avoid problems that might only become apparent during commissioning or even productive operation. This increases production availability and operational security.

Tool supported network layout and simulation right at the planning phase

Optimization of the exploitation of available network resources

Avoid downtimes from network failures and increase of production availability

Ensure operational reliability by the use of traffic shapers

Cost optimization with “Real 1-cable solution”

Transparency of network load for IO data as well as NRT traffic down to the port level

The benefits at a glance:

Network optimization via calculation of the network load down to the port level

Increased production availability via online scan and verification of existing systems

Transparency before commissioning via import and simulation of existing STEP 7 projects

You can find more information about SINETPLAN here:

www.siemens.com/sinetplan

8.2 PRONETA

PRONETA is a commissioning and diagnostics tool for PROFINET networks.

PRONETA simplifies commissioning and configuration of your PROFINET network. The topology of your network is read automatically. You can manually adapt the address parameters of every PROFINET device or simply apply the parameters from a template, which can also be created with PRONETA.

You can use PRONETA to configure, control and monitor I/O modules of the SIMATIC ET 200SP, ET200M, ET 200MP, ET 200AL, ET 200eco PN and ET 200S distributed I/O systems. The test results are provided in an easy to view log.

With PRONETA, the configuration and testing of your control cabinet can begin during installation. This means there is nothing more in the way of fast and successful commissioning!

You can find more information about PRONETA here:

www.siemens.com/proneta

8.3 SINEMA Server

Network monitoring and transparent diagnostics

Network failures not only prevent access by plant operators to the field devices, but often also mean that field devices can no longer communicate with one another. In the worst case, this can bring production to a standstill.

The software SINEMA Server V13 was specially developed for industrial applications. It is possible to analyze and observe networks completely by using SNMP for all network components and evaluating SIMATIC and PROFINET assemblies in an automation environment. Collected data is saved in a long-term archive so that it can be evaluated and displayed as required. The determined network diagnosis may additionally be seamlessly integrated via OPC and web mechanisms into HMI/SCADA systems (e.g. WinCC, PCS7).

SINEMA Server V13 was specifically developed for industrial applications and provides maximum transparency in industrial networks through automatic topology recognition, constant network monitoring as well as comprehensive diagnostics and reporting functions. Network diagnostics can be easily integrated into HMI/SCADA systems such as WinCC as well as third-party systems.

SINEMA Server V13 also offers complete integration of topology into the HMI/SCADA system via web browser. Warnings and error messages can be passed on via the integrated OPC interface.

Guaranteed integration

Due to the constant expansion with PROFINET and Ethernet-based devices, Siemens offers an integrated network management system with SINEMA Server in terms of Totally Integrated Automation and Totally Integrated Power – from automation system to network components all the way to the field level including drive technology and even power supply. SINEMA Server also offers the highest level of openness for Ethernet-based devices from other manufacturers; these can be easily and conveniently detected and diagnosed by means of SNMP and can therefore be used in infrastructure networks, such as in transportation.

Monitoring of large networks is now possible

Thanks to the 500 nodes per license, SINEMA Server can be used to monitor large networks. If more nodes are required, any number of them can be monitored by a central SINEMA Server, for example, individual production cells can be centrally monitored by only one SINEMA Server station.

Key features:

Intuitive operation

Automatic device detection and generation of the network topology

Combining Network and PROFINET system diagnosis

Generation of alarms on events

Comprehensible network reports

Integration into HMI/SCADA systems

User-specific topology display

User-defined display

Diagnostics via web browser

Adaptable device profiles

Adaptable configuration limits with up to 50,000 network nodes

You can find more information about SINEMA Server here:

www.siemens.com/sinema

9 Engineering – SINEMA Server integration

9.1 General prerequisite

To integrate the SINEMA Server into the PDI project, the following has to be done:

1. A SINEMA Server has to be installed and licensed. A downloadable version with a 21-day trial license is available in the following entry:

Sales and Delivery Release for SINEMA Server

2. The PC on which SINEMA is running has to be reachable from the WinCC server.

3. All network components have to be scanned and selected.

4. Each component has to get a reasonable name in the note field (“Add / edit note”).

5. Views have to be created. 1 per plant, area (if used), line. The matching network components have to be integrated in the view (“Edit view”). These views can be used to create a Plant/Line/Area/Unit specific

6. One user has to be created. This user has to be a “Standard User” or a similar non-administrative user. Add the views created in step 5 to the user.

9.2 WinCC engineering

The WinCC pages for SINEMA Server can be added to a running PDI WinCC project.

The PDI SINEMA Server components can be found within the entry for the Line HMI Library:

https://support.industry.siemens.com/cs/ww/en/view/100744248

9.2.1 Prepare WinCC project for PDI SINEMA

The information from the SINEMA Server is read by a WinCC OPC client. This information can be shown in a faceplate or, in detail, in a picture.

1. Import the necessary internal tags into the WinCC project. The tags can be found at “01_TagImport”. Open the Tag Management and select “Edit > import”.

2. Add an OPC communication channel to the WinCC Tag management.

3. Right-click on the OPC Groups and open “System parameters”. Press the “OPC UA server” button. Enter the IP address of your SINEMA Server there (port 4841 is the default for SINEMA Server).

4. Select the newly generated connection and press the “Browse Server” button.

NOTE If it is not possible to connect to the OPC UA server, the certificates are probably not valid. A description of how to handle this issue can be found in the manuals installed on the SINEMA Server PC (“SINEMA Server V13.0 – Manual”, Chapter 5).

5. Then press the “Next” button.

6. The status tags of the created views can be found at “ViewSummery”. Select the tags “NoOfNotConnectedDevices”, “NoOfNotReachableDevices” and “NoOfReachableDevices” and create them with the “Add items” button. In the subfolder “WorstStatus”, the tags “StringValue” and “NumericValue” also have to be selected.

7. Define a meaningful connection name and add a tag prefix that matches the PWA naming conventions. The suffix has to be “_Diag”.

8. All files found at “02_GraCS” have to be copied to the WinCC project into the “GraCS” folder.

9.2.2 Integration in WinCC process pictures

1. Change the start value of the internal tag “SinemaIPAdress” (in folder “LMS_Config”) to the IP address and port of the configured SINEMA Server. The default port of SINEMA Server is “80”. Example value: “10.120.10.130:80”

2. Create in each Plant, Area (if used) and Line picture a picture window (Object Name: “PW_SINEMA”) with the following parameters

3. Create in each Plant, Area (if used) and Line picture one “PWA_SinemaDiag_V2.FPT” object. This shows the status of this area. Connect the “UserDefined2” properties of the FPT with the matching tags created before.

4. Put this script at “Events > On Click”:

The tags for the “selected user” (“SinemaSelectedUserN”) and the matching password (“SinemaSelectedUserP”) have to be added.

The user has to be the same as the one created in chapter 9.1 General prerequisite, point 6.

5. The created tags can also be used to generate WinCC analog alarms. For example, these alarms can indicate that a device in a view is no longer available.

9.3 HMI Template description – “PWA_SinemaDiag_V2.fpt”

The overview status of the selected view can be shown in this faceplate. A click on this object opens the detail picture, which shows detailed information about the complete network.

The text on the bottom of the object shows the current worst status of a device of this view and the matching icon.

These are the available states with the matching icons:

Icon Description

Not reachable

Fault

OK

Maintenance demanded

Maintenance required

Not connected

9.4 HMI Template description – “@SinemaDiag.pdl”

The “@SinemaDiag.PDL” shows the status of the complete network. For details please refer to the SINEMA Server documentation.

9.5 Tips and tricks for SINEMA Server

9.5.1 Unwanted Java messages

Using the default Java settings causes Java messages when the topology is displayed in SINEMA Server. The following messages are shown when entering the topology.

The option “Do not show this again…” does not suppress these messages.

9.5.2 Adapt Java settings

Java Control Panel

Java settings can be modified in the Java Control Panel. Depending on the installed Java versions, the following settings may have to be made in the Java Control Panel for both Java (32-bit) and Java (64-bit).

Settings in tab “Security”

Security level “High” is recommended when using SINEMA Server.

NOTE Layout of Java Control Panel can change with the versions of Java.

Settings in tab “Advanced”

Mixed code security verification:

Options Description

Enable – show warning if needed

This is the default setting. When a potential security risk is encountered, a warning dialog is raised. Clicking Yes blocks potentially unsafe components from running and may terminate the program. When the user clicks No, the application or applet continues execution with protections (packages or resources that are later encountered with the same names but have different trust levels, i.e., signed vs unsigned, will not be loaded).

Enable – hide warning and run with protections

This option suppresses the warning dialog. The code executes as if the user had clicked No from the warning dialog.

This option is recommended.

Enable – hide warning and don’t run untrusted code

This option suppresses the warning dialog and behaves as if the user had clicked Yes from the warning dialog.

Disable verification (not recommended)

This option is not recommended. This option completely disables the software from checking for mixing trusted and untrusted code, leaving the user to run potentially unsafe code without protections.

Before a signed applet or Java web start application is run, the certificate associated with the application will be checked to ensure it has not been revoked. If a certificate has been revoked, any application using that certificate is not allowed to run. This check can be disabled, but that is not recommended.

Perform certificate revocation checks on:

Options Description

Publisher's certificate only

This option will check for a certificate associated with the publisher.

All certificates in the chain of trust

This option will check for all the certificates used by the application.

This option is recommended.

Do not check

Not recommended
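The settings recommended in this section can be checked on several stations by reading the per-user deployment.properties file in which the Java Control Panel stores them. The following Python script is an added example, not part of the Siemens application example; the property names and values are those of Oracle's Java deployment configuration and are not named in the original document, the mapping of Control Panel labels to stored values is an assumption stated in the code, and the sample file contents are constructed.

```python
"""Audit Java deployment.properties against the settings recommended in 9.5.2."""
import re

# key -> (recommended value, values the section marks "not recommended").
# Assumed mapping of Control Panel labels to stored values (Oracle deployment
# properties; these names do not appear in the original document):
#   Security level "High"                             -> HIGH
#   "Enable - hide warning and run with protections"  -> HIDE_RUN
#   "Disable verification"                            -> DISABLE
#   "All certificates in the chain of trust"          -> ALL_CERTIFICATES
#   "Do not check"                                    -> NO_CHECK
BASELINE = {
    "deployment.security.level": ("HIGH", set()),
    "deployment.security.mixcode": ("HIDE_RUN", {"DISABLE"}),
    "deployment.security.revocation.check": ("ALL_CERTIFICATES", {"NO_CHECK"}),
}


def _split(line):
    """Split a properties line at the first unescaped '=' or ':'."""
    i = 0
    while i < len(line):
        if line[i] == "\\":
            i += 2  # skip the backslash and the character it escapes
            continue
        if line[i] in "=:":
            return line[:i].strip(), line[i + 1:].strip()
        i += 1
    return line.strip(), ""


def _unescape(text):
    """Undo backslash escapes such as '\\:' and '\\\\' used in stored paths.

    Unicode and control-character escapes are not interpreted; the three
    audited keys never contain them.
    """
    return re.sub(r"\\(.)", r"\1", text)


def parse_properties(text):
    """Return key/value pairs; comments are skipped, a later duplicate wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, value = _split(line)
        props[_unescape(key)] = _unescape(value)
    return props


def audit(text):
    """Map each audited key to (stored value, verdict).

    Verdicts: ok, not_recommended, deviation (differs from the recommendation
    without being flagged "not recommended"), unset (key missing from the file).
    """
    props = parse_properties(text)
    result = {}
    for key, (recommended, discouraged) in BASELINE.items():
        value = props.get(key)
        if value is None:
            verdict = "unset"
        elif value == recommended:
            verdict = "ok"
        elif value in discouraged:
            verdict = "not_recommended"
        else:
            verdict = "deviation"
        result[key] = (value, verdict)
    return result


def is_compliant(text):
    """True only if every audited key is explicitly set to the recommendation."""
    return all(verdict == "ok" for _, verdict in audit(text).values())


# Constructed sample files (not taken from a real station).
SAMPLE_STATION_A = r"""#deployment.properties
#Mon Dec 05 10:00:00 CET 2016
deployment.version=8
deployment.security.level=HIGH
deployment.security.mixcode=DISABLE
deployment.javaws.jre.0.path=C\:\\Program Files\\Java\\jre1.8.0\\bin\\javaw.exe
"""

SAMPLE_STATION_B = r"""deployment.security.level = HIGH
deployment.security.mixcode = HIDE_RUN
deployment.security.revocation.check = PUBLISHER_ONLY
"""

SAMPLE_STATION_C = r"""deployment.security.level=HIGH
deployment.security.mixcode=HIDE_RUN
deployment.security.revocation.check=ALL_CERTIFICATES
"""

if __name__ == "__main__":
    samples = {"A": SAMPLE_STATION_A, "B": SAMPLE_STATION_B, "C": SAMPLE_STATION_C}
    for name, content in samples.items():
        print("station", name, "compliant:", is_compliant(content))
        for key, (value, verdict) in audit(content).items():
            print("   ", key, "=", value, "->", verdict)
```

A verdict of `unset` means the key is missing from the file, so the Java default applies and should be confirmed in the Java Control Panel itself.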

9.5.3 Delete temporary Java files

If Java problems occur, for example the reference topology is not shown, it can help to delete the temporary Java files. In the tab “General”, click the button “Settings…” (1) and then the button “Delete files…” (2).

10 SCALANCE Network Components

The SCALANCE product line is designed primarily for use in diverse industrial applications. It provides everything for ultra efficient industrial networks and bus systems.

Here you can find more information about the SCALANCE family:

http://www.siemens.com/scalance

These products are included in the SCALANCE portfolio:

Products Description

SCALANCE X – Industrial Ethernet Switches

http://w3.siemens.com/mcms/industrial-communication/en/ie/industrial-ethernet-switches-media-converters/Pages/industrial-ethernet-switches-media-converters.aspx

SCALANCE W – Industrial Wireless LAN

http://w3.siemens.com/mcms/industrial-communication/en/industrial-wireless-communication/iwlan-industrial-wireless-lan/Pages/iwlan.aspx

SCALANCE M – Industrial Routers

http://w3.siemens.com/mcms/industrial-communication/en/industrial-remote-communication/remote-networks/Pages/remote-networks.aspx

SCALANCE S – Industrial Security

http://w3.siemens.com/mcms/industrial-communication/en/ie/industrial-ethernet-security/scalance-s/Pages/default.aspx

11 References

To ensure the future security of the collection of documents of the PWA security concept and to enable the inclusion of third-party manufacturers and their products in the security concept, the following internationally recognized standards are observed:

Standard Description

ISA – International Society of Automation

ISA-S95 “Enterprise Control System Integration”

– Part 1: "Models and Terminology"

– Part 2: "Object Model Attributes"

– Part 3: "Models of Manufacturing Operations Management"

ISA-S99 “Manufacturing and Control System Security”

ISA 1 Reference | IEC Reference | Title | Owner | State
ISA-99.01.01 | IEC/TS-62443-1-1 | Terminology, Concepts and Models | WG3 | Published
ISA-TR99.01.02 | IEC/TR-62443-1-2 | Master Glossary of Terms and Abbreviations | WG5 | Draft
ISA-99.01.03 | IEC 62433-1-3 | System Security Compliance Metrics | WG4 | Draft

Comments: ISA 1-1 has been ISA-99.00.01

ISA 1-3 has been ISA-99.03.03

ISA 2 Reference | IEC Reference | Title | Owner | State
ISA-99.02.01 | IEC 62443-2-1 | Establishing an IACS Security Program | WG2 | Published
ISA-TR99.02.02 | IEC 62443-2-2 | Operating an IACS Security Program | WG10 | Draft
ISA-99.02.03 | IEC/TR 62443-2-3 | Patch Management in the IACS Environment | WG6 | Published

ISA 3 Reference | IEC Reference | Title | Owner | State
ISA-TR99.03.01 | IEC/TR 62443-3-1 | Security Technologies for Industrial Automation and Control Systems | WG1 | Published
ISA-99.03.02 | IEC 62443-3-2 | Security Assurance Levels for Zones and Conduits | WG4 | Draft
ISA-99.03.03 | IEC 62443-3-3 | System Security Requirements and Security Assurance Levels | WG4 | Draft

Comments: ISA 3-1 has been ISA-TR99.00.01

ISA 3-3 has been ISA-99.01.03

ISA 4 Reference | IEC Reference | Title | Owner | State
ISA-99.04.01 | IEC 62443-4-1 | Specifications for Product Development | WG4 | Proposed
ISA-TR99.04.02 | IEC 62443-4-2 | Technical Security Specifications for IACS Components | WG4 | Proposed

Standard Description

ISO/IEC - International Organization for Standardization / International Engineering Consortium

15408 "Information technology - Security techniques - Evaluation criteria for IT security"

17799 "Code of practice for information security management"

27001 "Information security management systems - Requirements"

62443 "Security for Industrial Process Measurement and Control - Network and System"

61784-4 "Profiles for secure communications in industrial networks"

NAMUR - International User Association of Automation Technology in Process Industries

NA 67 "Information Protection for Process Control Systems (PCS)"

NA 103 "Usage of Internet Technologies in Process Automation"

NA 115 - "IT-Security For Industrial Automation Systems"

FDA - Food Drug Administration

FDA 21 CFR 11 "guidelines on electronic records and electronic signatures"

Further measures for future security are:

Close cooperation on the security requirements of customers and plant operators (e.g. through the PCS User Club or the selection of safety critical reference systems and reference customers)

Cooperation with independent institutions and organizations (e.g. OPC Foundation, ISA, ISCI, ARC, OMAC, MsMUG, PGSF, PCSRF)

Close cooperation with other manufacturers and suppliers (e.g. Microsoft)

12 Glossary

This section defines names, terms, and abbreviations as they are used in this collection of documents.

Due to normative activities and in order to present the current PWA security concept to SIMATIC customers in a uniform and internationally recognized vocabulary of concepts and terminology, the updating of some terms from the documents used has become necessary.

Most names, terms, and abbreviations have been taken from internationally recognized standards (e.g. ISA-S95, ISA-S99) or the latest respective descriptions from the manufacturer (see source information).

12.1 Names and terms

Name Description

Plant, automation plant
A production or manufacturing facility composed of process control, process visualization, automation, and engineering systems that are connected together (including all distributed IOs, sensors, actuators, drives, network and software components, buildings, control cabinets, cabling, and operation and administration personnel)

Plant PCs/computers
A computer that is clearly in the plant operator's area of responsibility and is administered there. This also includes all process control computers.

Plant administrator
A user that administers plant PCs in the plant operator's area of responsibility. The plant administrator does not necessarily also have to be a user.

User
(ISA-S99): "A person, part of an organization, or automatic process accessing a system with or without access authorization"; a real or virtual, logged in person (e.g. a user logged in to the desktop of the respective operating system or also an automatic desktop login).

Operator, system operator
Is a real person logged in to the automation plant who has the appropriate training and authority to operate the plant.

Computer name
Identifies the name of a computer in a network. Refers to the host part of the FQDN (Fully Qualified Domain Name) if a DNS assignment (the issue of a DNS suffix) has been performed. The computer name can be the same as the computer's NetBIOS name if the computer name is no longer than 15 characters and both names have not been chosen to be different intentionally.

DCS distributed control system
(ISA-S99): "A type of control system in which the system components are distributed but operated in a connected way, and where the time constants of the connection are generally significantly shorter than with SCADA systems."
Note
"Decentralized process control systems are normally employed in connection with continuous processes, such as the generation of electrical power, the refining of oil and gas, chemical and pharmaceutical production, and paper manufacturing; but also in discrete processes such as the manufacture, packaging, and storage of automobiles and other goods."

Domain
(ISA-S99): "An environment or context which is defined by a security guideline, a security model, or security architecture, and which includes a group of system resources and the particular group of system entities that possess the authorization to access these resources."
(Windows): A logical group of computers on which a version of the Microsoft Windows operating system runs and which jointly use a central directory database (designated as an active directory from Windows 2000 and upward). It contains the user accounts and security information for the resources in this domain. Each person who uses a computer within a domain is assigned a unique user account / user name. This account can again be granted access rights to resources within the domain.
(Windows): A structure for the administration of local Windows networks; it equates to a local security area with the central administration of resources and represents an administrative boundary.

Domain Controller (DC)
(Windows): In a domain, the directory is located on computers that are set up as "domain controllers". A domain controller is a server which administers all security-specific aspects of individual users and domain interactions. Security and administration functions are centralized on this server.
(Windows): A server for the central authentication and authorization of computers and users in a computer network.

Firewall
(ISA-S99): "Restricts the exchange of data between two networks that are connected together."
Note
A firewall can either be an application which is installed on a computer suitable for general purposes or a dedicated platform (appliance) which forwards or rejects packets in a network. Firewalls are typically used for defining zonal boundaries. Firewalls usually work with restrictive rules that only permit the opening of certain ports.

Firewall types
Help to better distinguish between them in this collection of documents, with regard to their tasks and places of use:

Front firewall
Protects the perimeter; only real, uniquely identified persons may gain access using verifiable communication (application filters). Uniquely identified and trusted devices can also be granted access through exceptions (e.g. via IPSec).

Back firewall
Protects the production network PCN from the perimeter and other trusted networks (e.g. the MON). Must be implemented as a performance-oriented solution for uniquely identified, trusted devices.

Three-homed firewall
Combined front and back firewall with its own "minimal perimeter" for scalable security solutions.

Access point firewall
(In special cases): exclusively during maintenance tasks, it offers access to a security cell which otherwise would not require a connection (e.g. to MES systems).

Control center
(ISA-S99): "A central location from which a group of resources is operated.
Note
In industrial infrastructures, one or several control centers are normally used for the monitoring and coordination of process sequences. Where there are several control centers (e.g. a control center is used as breakdown protection in another location) these are usually connected through a WAN (Wide Area Network). The control center contains the SCADA host computer and associated display devices for the operator, as well as supporting information systems, such as a historian for example."

Network names
Are used to improve the assignment of groups of networked systems with similar areas of application in this collection of documents; e.g.
ECN - Enterprise Control (Systems) Networks: is a security cell or a security zone in which the ERP system is situated. This subnet is also often referred to as an "office network".
MON – Manufacturing Operations Network: is a security cell or a security zone in which the MES (Manufacturing Execution Systems) are situated. This subnet can also be the so-called "office network". However, it could also be a special, separated subnet or part of a PCN. In some cases, this subnet is used by the maintenance crew.
PCN – Process Control (Systems) Network: is a security cell or a security zone in which the MCS (Manufacturing Control Systems) are situated. This subnet is the plant, terminal, or HMI network. It should be a specially separated subnet. In some cases, this is used by the maintenance crew.

Perimeter network, perimeter, demilitarized zone (DMZ)
(ISA-99): "A segment of the perimeter network which is logically located between internal and external networks."
Note
The purpose of a so-called "demilitarized zone" is, on the one hand, to enforce the guidelines of the internal network on the outward exchange of information and to grant non-trusted external sources only with restricted access to information which could be released publicly; and on the other hand, while doing this, to shield the internal network from attacks from the outside. In the context of industrial automation and control systems, "internal network" usually means the network or segment on which the protection measures primarily concentrate. By way of example, a process control network can be considered an "internal network" if it is connected to an "external" business network.

Process control network (all), control network
(ISA-99): "Those networks that are normally connected to time-critical equipment for the control of physical processes (see "secure network").
Note
The process control network can be split into zones, and several separate process control networks may exist within a company or location."

Process control technology (all), control equipment
(ISA-99): A category that includes decentralized process control systems, programmable controllers, SCADA systems, assigned consoles for operator interfaces, as well as sensor equipment and controlgears used in the field for the administration and control of processes.
Note
The term also covers fieldbus networks in which control logic and control algorithms are run on electronic devices, which coordinate their actions with each other.

Process control technology and personnel (all), industrial automation and control systems (IACS)
(ISA-S99): The term includes control systems for use in production and line plants and facilities, in building automation, in plants with geographically distributed operation sequences such as those of utility companies (i.e. electricity, gas, and water companies), in production and distribution systems such as pipelines for petroleum, and in other industrial branches such as transport networks which are controlled through automation or remote control."

Process control computer (all DCS)
This includes all plant computers that fulfill process control tasks; e.g. PCS 7 OS, PCS 7 OS Server, PCS 7 OS Client, PCS 7 Webserver and Webnavigator

Process visualization computer (all SCADA)
This includes all plant computers that fulfill operator control and monitoring tasks; e.g. SIMATIC HMI computers, WinCC Server, WinCC Client, WinCC Webserver and Webnavigator.

Remote access
(ISA-S99): "A form of access control based on determining identity in which identified parties and system entities subject to access control represent function-related positions in an organization or a process."

Remote client
(ISA-S99): "A resource outside of the control network which is temporarily or permanently connected to a host computer in the control network via a communication connection in order to gain direct or indirect access to parts of control equipment in the control network."

Task-related operation and access rights (role-based access control)
(ISA-S99): "A form of access control based on determining identity in which identified parties and system entities subject to access control represent function-related positions in an organization or a process."

Support PC / programming device
A support employee's own mobile support PC (e.g. a support programming device, a support laptop)

Support station
A stationary support PC located either in the actual plant as an ES in the PCN (and thus part of the plant) or set up as a remote ES in a perimeter network / MON (and thus a trusted, remote plant PC).

Defense in depth
(ISA-S99): "Security architecture that is based on the assumption that each point representing a protective measure can and probably will be overcome.
Note
The defense in depth concept comprises a staggered, or layered, structure of security and detection measures and mechanisms, even at the level of single-position systems. It has the following characteristics:
Attackers must anticipate being detected if they try to break through or bypass the individual layers.
A weak point in a layer of this architecture can be covered by defense options in other layers.
The system security forms its own layer structure with the whole layered structure of network security."

12.2 Abbreviations

Abbreviation Explanation

DB Data Block

F&B Food and Beverage

EM Energy Management

FPT Face

HMI Human Machine Interface

IF Interface

KPI Key Performance Indicator

LM Line Monitoring

LMS Line Monitoring System

OMAC Open Modular Architecture Controls

OPL Optimized Packaging Line

PLC Programmable Logic Controller

PDI Plant Data Interface

PCC Plant Communication Concept

WS Weihenstephan

PWA Plant Wide Automation

13 Related literature

Topic

\1\ Siemens Industry Online Support

https://support.industry.siemens.com

\2\ Download page of this entry

https://support.industry.siemens.com/cs/ww/en/view/109476976

\3\ Overview of the Line Integration Concept from Siemens for the Food & Beverage Industry

https://support.industry.siemens.com/cs/ww/en/view/109483779

\4\ Line Integration Concept – Plant Data Interface

https://support.industry.siemens.com/cs/ww/en/view/86302104

\5\ Line Integration Concept – Line Monitoring Library

https://support.industry.siemens.com/cs/ww/en/view/99410631

\6\ Line Integration Concept – Plant Communication Concept

https://support.industry.siemens.com/cs/ww/en/view/98278624

\7\ Measuring and Visualizing Energy Data

https://support.industry.siemens.com/cs/ww/en/view/86299299

\8\ Siemens Industrial Security

http://www.industry.siemens.com/topics/global/en/industrial-security/pages/default.aspx

\9\ SINETPLAN – Siemens Network Planner

http://www.siemens.com/sinetplan

\10\ PRONETA - Commissioning and diagnostics tool for PROFINET networks

http://www.siemens.com/proneta

\11\ SINEMA Server – Network monitoring and transparent diagnostics

http://www.siemens.com/sinema

\12\ SCALANCE Network Components

http://www.siemens.com/scalance

14 History

Version Date Modifications

V1.0 05/2015 First version

V2.0 06/2016 Updated to WinCC V7.3 and SINEMA V13

V2.1 10/2016 Added a complete network concept