Applications | September 1, 2020

Improving industrial security in large brownfield plants

Industrial Security for Brownfield Plants

In industrial plants, PLCs run the show. Chemical giant BASF had a large number of PLCs and wanted to update them automatically. But with multiple firewalls to navigate and many third-party devices involved, integrating them on a single network would be a challenge.

An industrial network is a production plant’s backbone. As long as it’s strong, secure, and reliable, productivity can run at full steam. But should a network error occur, devices may become inaccessible or stop communicating. In a worst-case scenario, production may halt altogether.

At its Antwerp site, BASF had 350 devices controlled by Simatic PLCs from Siemens. These included PLCs running compressors, energy meters, charging stations, and other mission-critical devices. Keeping all PLCs updated with the latest security updates was therefore vital to protect them from malware, unauthorized access, and other threats. But the PLCs had yet to be connected on a single network. This meant Siemens’ on-site automation team had to update every device on foot. With the site spanning 6 km² and updates taking several hours, this was a process that could take a full year to complete.

BASF knew it needed an automation network. But installing one hadn’t been feasible for two key reasons. Firstly, the site housed 16 plant clusters with their own firewalls and third-party devices. Secondly, the site’s vast size meant installing a new fiber optic network was not financially viable. BASF approached Siemens for new ideas.

Experts in complexity

The automation solution integrates 16 plant clusters with different network infrastructures. One user group for each plant cluster enables access to devices and monitoring performance in private.

Given Siemens’ track record of successfully implementing networks in complex industrial environments all over the world, BASF was confident Siemens could devise an effective solution. Upon receiving BASF’s request, Siemens jumped into action, bringing in network specialists to assist its on-site automation team.

The BASF Antwerp team said, “We are familiar with networks, Siemens and PCS 7, but our team was short on technical know-how for developing a concept that could meet the stringent requirements imposed by the IT department. So, we joined forces with product and service specialists from Siemens to create the concept.”

In addition to improving security and reliability, BASF wanted a network that would be easy to manage and master. It also wanted to be able to create user groups so every plant cluster could manage their own devices. After assessing all the requirements, the team planned the rollout of a secure, dedicated network with Sinema Remote Connect at its core.

Secure access for remote networks

The first challenge was devising a network that could securely connect technicians and devices across 16 plant clusters, a challenge Sinema Remote Connect easily solved.

Using Sinema Remote Connect, the solution created VPN tunnels connecting every PLC and user through the Sinema Remote Connect server. An inventory of the security certificates for every device and user was also created in the server. This meant that whenever a connection was requested, the certificates would be checked and verified before the connection was approved. Sinema Remote Connect further improved security by encrypting all communications using OpenVPN.

Another advantage of Sinema Remote Connect is that it would provide remote access to Scalance M-800 as well as Scalance S-600 Industrial Security Appliances and dedicated CPs and RTUs. This would allow each device to be configured and integrated automatically, eliminating an otherwise complex and time-consuming task.

Sinema RC Client gave technicians central access to the PLCs in all parts of the BASF plant. Once all groups and rights in the Sinema Remote Connect server were configured, Sinema RC Client’s address book function would enable every technician to see the parts of the network they can access.

Transparent network monitoring

To fulfill BASF’s requirements for central network monitoring, Sinema Server was implemented.

The engineering team created one user group for each plant cluster so that each cluster could access its own devices and monitor their performance in private. In addition, Sinema Server’s network monitoring software would provide BASF with around-the-clock monitoring and diagnostics, including diagnostics for SNMP, Profinet, and Simatic.

Putting it to the test

Sinema Remote Connect and Rack PCs enable a secure and centrally managed VPN connection.

Before rolling out the network, the team ran a proof of concept project in the lab. The project's purpose was to verify how devices would respond when added to the network and whether firewall rules needed to be modified.

“We wanted to ensure we developed a network that would meet the stringent requirements for security, seamless implementation, and ease of use,” said BASF Antwerp. “The proof of concept project translated into significant time savings, while for the businesses on site it meant better service.”

Along with saving time and lowering risk, the proof of concept project enabled development of workflows for installing and managing devices. Siemens trained BASF’s technicians in these workflows in a workshop, so they could manage the network independently.

“Good preparation is the key to success,” said Bert Vanstraelen, Service Engineer at Siemens Customer Services in Belgium. “Giving BASF’s technicians training in the new system will ensure they can perform their own maintenance in future without IT support.”

Rolling out

Following the successful test project, Siemens built out the network in stages. Close cooperation between BASF and Siemens’ team ensured the network’s central elements were completed within one month. The PLCs were then linked to the system step-by-step, allowing the network to grow organically.

With the successful implementation of Sinema Remote Connect, BASF now has the reassurance of knowing that all PLCs across 16 plant clusters can be monitored and updated around the clock by its central maintenance team using the TIA Portal, the engineering platform for automation from Siemens.

At a ground level, desktop access through Sinema Remote Connect means Siemens’ automation team no longer has to travel around the different plants. This has freed Siemens’ technicians to focus on providing high quality services across BASF’s site.

Future upgrades planned

There are now plans to further improve the network monitoring with Siemens’ Network Management System Sinec NMS. Sinec NMS will further enhance transparency and ease of use by providing BASF’s technicians with desktop access to devices for prompt fault resolution, security monitoring, and device configuration with hardening.

The project’s success also reinforced to BASF the value of both technology and expertise in overcoming complex challenges. In fact, the project has been such a success that BASF is now planning to upgrade its logistics systems. The new system will be completely integrated into the Sinema Remote Connect architecture, and the team will be there to support them every step of the way.

Summary

BASF’s Antwerp site had PLCs spread across 6 km² that had to be updated manually. The PLCs belonged to 16 plant clusters with different network infrastructure. Sinema Server enabled the creation of user groups for each plant cluster and provided desktop access to devices and diagnostics.

Scalance S615 Industrial Security Appliances made both Siemens and third-party controllers accessible from the central Sinema Remote Connect server. Sinema Remote Connect enabled the creation of secure and centrally managed VPN tunnels. A proof of concept project was completed before rolling out the entire system. A task that once took a year can now be completed automatically.

BASF now has secure, strong central update management for the plant network and can provide a higher quality service across the Antwerp site.

Maximilian Korff, Digital Industries, Process Automation, Siemens.