Technology, March 28, 2019

Cloud connectivity tailored to plant processing requirements

Cloud communication capabilities can be easily added to the Simatic S7-1500 controller.

When it comes to transferring data to cloud solutions, one thing holds: in order to generate added value from data, it must first be collected and transferred. The possible solutions are as diverse as the requirements of the various automation systems, and data security always plays a pivotal role.

Two essential characteristics of digitalization are an increasing degree of networking of industrial plants and a rise in decentralized intelligence. In an industrial plant, more and more devices are capable of delivering data beyond their primary function. At the same time, this additional data can be transferred faster.

IIoT and the cloud

To harness data generated by the “Industrial Internet of Things” (IIoT) and create knowledge and economic benefits from it, flexible and scalable storage and computing capacities are required. Cloud-based systems, such as the open MindSphere IoT operating system, provide these properties.

Should all available information be transferred directly to the cloud? This is only partially recommended. Where previously the question was “how do we even generate the required data?”, the question to ask increasingly now is “where does a precompression of data make sense?”

Although the bandwidth made available by the infrastructure often increases, it does not necessarily grow as fast as the amount of data. Forward-looking planning can help avoid future bottlenecks. In this regard, a solution integrated into the plant controller offers advantages: data can be preprocessed with the controller acting as a data concentrator, which helps avoid unnecessary network load. In addition, a communication processor with security features can be used.

On the other hand, in some cases, most likely in existing facilities, users may be unwilling or unable to change the actual controller program. In this case, a separate device can offer connectivity options while leaving the engineering system untouched.

So the data is generated and a platform for the analysis, e.g., MindSphere, has been identified. But how does the actual, secured data transfer to the cloud take place? In general, two methods of cloud connection can be distinguished: either via external hardware, or as an integrated solution, e.g., as a communication processor for the controller.

Various ways can be used to make a cloud connection – depending on the available equipment and actual use case.

Cloud to controller connectivity

An integrated solution like the new Simatic CP 1545-1 communications processor enhances the existing Simatic S7-1500 hardware used as a plant controller with the possibility of securely sending data to the cloud. This approach offers several advantages.

On the one hand, the controller, already present as a data aggregator, is available for preprocessing data. Plant manufacturers already possess the process know-how required for this, so the cloud connection can be incorporated directly during the creation of the control program.

On the other hand, existing or required hardware can be used to compute values, while the communication processor provides the needed cloud protocols such as Message Queuing Telemetry Transport (MQTT).

Ultimately, however, it is not always possible to access all measured values available in a plant directly. Even though the degree of networking, and especially the proliferation of the Ethernet infrastructure, continues to increase, it is not always sensible to run this networking down to the lowest sensor level. For economic reasons, the sensor level is often still connected via bus systems or analog signals. Even so, information from sensors connected in this way is available in the plant controller and can be utilized for higher-level analysis by means of an integrated cloud connection.

Easy-to-use for existing facilities

With the external variant, information from the plant is collected by a separate device and sent to the cloud by means of secure communication. Such a solution is always advisable whenever the machine or plant controller is to remain untouched, and the automation must not be affected by security updates. Besides the already available Ruggedcom RX1400, there are two ways to connect existing systems with the Industrial IoT Gateway Simatic CloudConnect 7. Simatic CC712 facilitates connection of a Simatic S7-300 or S7-400 via Industrial Ethernet by means of the S7 protocol. With Simatic CC716, on the other hand, up to seven Simatic S7 controllers can be connected via Industrial Ethernet or Profibus/MPI interfaces.

With the latter solution, the existing automation program does not have to be changed in order to select and transfer the essential information. In addition, the data read by CloudConnect 7 from lower-level Simatic S7 stations can be made available as OPC UA variables (server). This enables standardized data exchange, for example with MES systems or HMI and third-party controllers. The open Message Queuing Telemetry Transport (MQTT) cloud protocol is used in all cases. This established standard makes it possible to transfer data to MindSphere, the IoT operating system from Siemens. Direct connection to platforms such as Microsoft Azure, IBM Cloud or Amazon Web Services (AWS) can also be implemented.

Cloud security essential

Whenever cloud-based systems are involved, data is transmitted over enterprise or even public networks. Data security should therefore always be part of the overall concept, as is the case with the “Security-in-Depth” concept from Siemens. Consequently, the data transfer to MindSphere is always encrypted based on certificates.
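An added example in Python (not Siemens code, and not how the CP 1545-1 or CloudConnect 7 implement it) that illustrates the two points made above: the data concentrator reducing a window of raw readings to one summary per tag before anything is published, and the TLS settings a certificate-based MQTT connection to a cloud platform should enforce. The tag names and values are constructed; the CA, device certificate and key file paths are assumptions, and nothing is read from disk when they are left at None.

```python
import json
import ssl
import statistics
from collections import defaultdict

# Constructed sample: 1 Hz readings from two tags over one five-second window.
# Tag names and values are invented for this example.
RAW_SAMPLES = [
    ("Tank1.Temp", 71.8), ("Tank1.Temp", 72.1), ("Tank1.Temp", 72.0),
    ("Tank1.Temp", 72.3), ("Tank1.Temp", 71.9),
    ("Pump2.Current", 4.1), ("Pump2.Current", 4.2), ("Pump2.Current", 9.7),
    ("Pump2.Current", 4.1), ("Pump2.Current", 4.0),
]

def compress_window(samples):
    """Reduce a window of raw samples to one summary per tag.

    The edge device (standing in for the controller acting as data
    concentrator) forwards count, min, max and mean per tag instead of every
    reading; a short peak such as the 9.7 A current spike survives in max.
    """
    by_tag = defaultdict(list)
    for tag, value in samples:
        by_tag[tag].append(value)
    return {
        tag: {"n": len(v), "min": min(v), "max": max(v),
              "mean": round(statistics.fmean(v), 3)}
        for tag, v in by_tag.items()
    }

def mqtt_payload(window_id, summary):
    """JSON body for one MQTT PUBLISH; one message replaces many samples."""
    return json.dumps({"window": window_id, "tags": summary}, sort_keys=True)

def make_tls_context(ca_file=None, cert_file=None, key_file=None):
    """TLS settings for a certificate-based MQTT connection (TCP port 8883).

    The broker certificate is verified against the CA and the hostname,
    anything below TLS 1.2 is refused, and a device certificate is presented
    when given so the broker can authenticate the device as well.
    File paths are assumptions; none are read when left at None.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cert_file and key_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx
```

The context returned by `make_tls_context` is what an MQTT client library would be handed for its TLS socket; with a broker that rejects unauthenticated clients, the device certificate is mandatory rather than optional.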

Special attention, however, should also be paid to the actual connection of the automation cell or plant. Since a connection to the higher-level network is necessary for the cloud connection, there is always a potential access point for attackers. The severity of the potential threat strongly depends on the higher-level network and its protective measures. In many cases, an additional protective mechanism in the cell makes sense, because access authorization can then be controlled independently of any higher-level mechanisms.

Two different protective concepts suggest themselves. The first uses separate hardware, such as a Scalance SC632-2C Industrial Security Appliance for the connection via the existing company network, or a WAN router for wired or mobile network communication.

In each case, the Scalance device functions, among other things, as a configurable firewall. If configured accordingly, all devices in the subordinate network can be reached via IP.

The second concept is the integrated solution with the Simatic S7-1500: the communication processor Simatic CP 1545-1 offers not only a separate network connection but also a built-in firewall. The operating status of the CP has no effect on the actual controller. Even in the case of a denial-of-service attack from outside that impairs the functioning of the CP, the controller continues working unaffected. With this solution, network separation is always realized: the controller can be reached from the higher-level network, but access to subordinate devices is blocked because no IP routing takes place.

Summary

With the CP 1545-1, a cloud connection tailored to the individual requirements of the plant can be implemented. For processing the data, all programming means familiar from the Simatic S7-1500 are available. Individual protection of the controller or the automation system makes sense and is already provided by the communication processor.

Frederik Nitsche, Product Management, SIMATIC communication products, Siemens