Technology, July 16, 2024

Operational Virtualization a Challenge for Industrial Networks

Secure communication and data exchange between Information Technology (IT) and Operational Technology (OT) are the backbone of digitalization.

Breaking down information and data silos by combining information technology (IT) and operational technology (OT) helps companies significantly increase their performance, productivity, flexibility, and sustainability.

IT/OT convergence means that the real world of automation merges with the digital world of IT. However, it is important to note that industrial networks in OT and office networks in IT have very specific requirements that must be taken into account when connecting the two worlds to ensure a reliable data exchange.

This also applies to new trends such as virtualization. In recent years, the virtualization of servers has established itself as the standard in the IT environment. Companies have realized that by consolidating servers, they can increase their efficiency and reduce costs.

Now a similar trend is emerging in OT, in which not only servers, but also programmable logic controllers (PLCs) and industrial PCs are to be virtualized. But what does the network architecture look like that is to form the basis for meeting the requirements of this technology?

Server virtualization is basically a technology that allows the setup and operation of multiple virtual servers on a single physical server. This ensures the efficient utilization of hardware resources by abstracting the underlying physical infrastructure and enabling the dynamic allocation of computing power, memory, and storage to virtual machines (VMs). On the other hand, PLC virtualization involves abstracting the physical PLC hardware and running multiple virtualized instances of controllers on a single physical device. SCADA applications can also be migrated from physical devices onto VMs.

All applications and PLCs of a single machine or production cell are consolidated on an industrial PC within the existing environment. In this case, the requirements for the network change only at the cell level.

Advantages for OT virtualization

Virtualization offers several advantages in the OT context. The first is cost savings: by virtualizing servers and PLCs, companies consolidate their hardware and reduce the number of physical devices needed, which lowers spending on procurement, maintenance, power, and floor space. It also supports the company's sustainability goals.

Efficient use of resources is a second advantage. Computing resources such as CPUs, memory, and storage are allocated dynamically based on demand, so capacity that would otherwise sit idle in a dedicated device can be used by other workloads.

Flexibility and scalability also improve. VMs can be created, cloned, and migrated quickly, so production can be adapted to changing operational needs and the system can be scaled up or down as required.

Simplified management is a fourth advantage. Centralized tools handle the configuration, management, and monitoring of virtualized servers and PLCs, which improves operational efficiency and reduces the complexity of administering a large number of physical devices.

Virtualization also provides an isolated environment for testing and development. Virtualized servers and PLCs can be replicated to create separate environments for testing new applications, configurations, or updates without affecting production, which reduces production downtime and planned outages during maintenance windows. This isolation is only as strong as the hypervisor and the virtual network configuration, however: a test VM on the same host and virtual switch as a production vPLC must be kept on its own segment and must not be able to reach the production PROFINET devices.

Although virtualization offers numerous benefits, it must be planned and configured carefully with OT-specific requirements such as real-time capability, high availability, and functional safety in mind. Implemented well, it can significantly improve the efficiency, flexibility, and reliability of OT systems.

For better use of virtualization, it is necessary to consolidate the applications and PLCs of a production area or a production line. Consolidation at the aggregation layer increases the demands on the availability, scalability, and real-time capability of this network layer.

Virtualization as a Service and further solutions

As one of the leading industrial software companies, Siemens has proven expertise in complex OT environments and, with SIMATIC Virtualization as a Service, offers a coordinated, hardened, system-tested, and preconfigured virtualization platform for industry. Ready-made virtual machines run on it, including the new SIMATIC S7-1500V, a virtual PLC (vPLC). The vPLC is available in the Industrial Edge ecosystem as an Industrial Edge app and enables the virtualization of PLCs in OT environments. It is still configured in the TIA Portal, so companies can integrate the vPLC into their automation solutions and implement their projects with the same engineering workflow.

The underlying know-how differs between IT service providers and OT experts. To bring both worlds together, Siemens offers corresponding training, services, and solutions consisting of hardware and software.

For a successful introduction of virtualization in OT, it is important to consider a network concept that is aligned with the virtual automation and provides optimal performance and investment protection. The implementation of a network concept based on network components from the SCALANCE family and SINEC software tools for network management offers stable connectivity and seamless integration with Siemens’ industrial automation systems. This helps to ensure reliable and efficient communication between the virtual and physical devices in the OT environment, promote smooth operations, and maximize the benefits of the virtualization.

[Figure: IT/OT networks diagram]

Location of the virtualization environment

When planning a network for modern manufacturing, the location of the virtualization environment should be taken into account. In the simplest case, all applications and PLCs of a single machine or production cell are consolidated on an industrial PC (IPC) within the existing environment. The requirements for the network then change only at the cell level. When selecting the virtualization environment, attention must be paid to real-time capability, both in program execution and in the network: the cyclic data exchange between the SIMATIC S7-1500V and the actuators and sensors via PROFINET places high demands on both.

In order to make even better use of the advantages of virtualization, it is necessary to consolidate the applications and PLCs of a production area or a production line. In this case, there are other points to consider. Consolidation at the aggregation layer increases the demands on the availability, scalability, and real-time capability of this network layer considerably.

For instance, even a network interruption lasting less than 10 ms can cause the PROFINET communication with all virtual controllers to fail, and with it the entire production plant. Because consolidation routes the traffic of a very large number of PROFINET devices through the aggregation network, the scalability of this network layer also plays a major role. Cybersecurity and functional safety likewise need closer examination in this case: the host that now runs many controllers, and the aggregation network in front of it, become a single point whose failure or compromise affects the whole production line rather than one cell.

[Figure: IT/OT networks]

The availability of the network is the basis for success

Within the cell or machine networks, the proven redundancy mechanisms based on the Media Redundancy Protocol (MRP) can continue to be used. This enables an efficient and reliable operation of the cell networks using the entire PROFINET ecosystem. Several cell networks are combined in an aggregation layer.

This consolidation simplifies the overall network structure and enables seamless integration with other systems. To provide bumpless redundancy and minimize downtime, the cells are connected to the aggregation layer via the Parallel Redundancy Protocol (PRP). This standardized protocol (IEC 62439-3) has proven itself for many years in power utility automation and is now finding its way into automation networks.

PRP sends every frame twice, over two independent networks (LAN A and LAN B); the receiver passes on the first copy and discards the duplicate, so a single link or switch failure causes neither loss nor switchover time. The server cluster that hosts the vPLCs is also attached via PRP, which raises availability accordingly and minimizes the impact of network interruptions.
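The following is an added example written for this article, not Siemens code and not the S7-1500V or SCALANCE implementation. It shows the two mechanisms described above and in the "less than 10 ms" example: a PRP-style Redundancy Control Trailer (sequence number, LAN id, size, suffix 0x88FB, as defined in IEC 62439-3), a receiver that discards the second copy of each frame, and a cyclic sender/receiver with a PROFINET-like watchdog that drops the connection after a fixed number of missed cycles. The cycle time, watchdog factor, outage intervals and the "dan-1" source name are assumptions chosen for illustration; the frame format is simplified to payload plus trailer.

```python
import struct

# Added example, not Siemens code. A PRP-style Redundancy Control Trailer (RCT),
# a receiver that discards the second copy of every frame, and a cyclic
# sender/receiver with a PROFINET-like watchdog, to show why seamless redundancy
# matters once many controllers depend on one aggregation path.

PRP_SUFFIX = 0x88FB          # suffix that marks the RCT (IEC 62439-3)
LAN_A, LAN_B = 0xA, 0xB      # 4-bit LAN identifiers carried in the RCT
DISCARD_WINDOW = 128         # sequence numbers the receiver remembers per source


def add_rct(payload: bytes, seq: int, lan_id: int) -> bytes:
    """Append the 6-byte RCT: 16-bit sequence number, 4-bit LAN id plus
    12-bit LSDU size (payload + RCT), 16-bit PRP suffix."""
    lsdu_size = (len(payload) + 6) & 0x0FFF
    return payload + struct.pack("!HHH", seq & 0xFFFF, (lan_id << 12) | lsdu_size, PRP_SUFFIX)


def parse_rct(frame: bytes):
    """Return (payload, seq, lan_id), or None if the frame carries no valid RCT."""
    if len(frame) < 6:
        return None
    seq, lan_lsdu, suffix = struct.unpack("!HHH", frame[-6:])
    if suffix != PRP_SUFFIX or (lan_lsdu & 0x0FFF) != (len(frame) & 0x0FFF):
        return None
    return frame[:-6], seq, lan_lsdu >> 12


class DuplicateDiscard:
    """Receiver side of PRP: pass the first copy of each (source, seq), drop the rest."""

    def __init__(self):
        self.seen = {}                       # source -> set of accepted sequence numbers

    def accept(self, source: str, frame: bytes):
        parsed = parse_rct(frame)
        if parsed is None:
            return None                      # no RCT: not a PRP frame
        payload, seq, lan_id = parsed
        if lan_id not in (LAN_A, LAN_B):
            return None                      # malformed LAN id
        window = self.seen.setdefault(source, set())
        if seq in window:
            return None                      # duplicate from the other LAN
        window.add(seq)
        # Forget sequence numbers that fall behind the window, tolerating 16-bit wrap.
        stale = [s for s in window
                 if DISCARD_WINDOW < ((seq - s) & 0xFFFF) < 0x10000 - DISCARD_WINDOW]
        for s in stale:
            window.discard(s)
        return payload, seq


def run_cycles(cycles: int, cycle_ms: float, watchdog_factor: int,
               lan_a_outage=None, lan_b_outage=None, use_prp: bool = True):
    """Send one cyclic frame per cycle from a doubly attached node to the receiver.
    An outage is a half-open interval (start_ms, end_ms) during which that LAN
    drops every frame. Returns (received_seqs, watchdog_tripped); the watchdog
    trips after watchdog_factor cycles without data, the point at which a
    PROFINET controller would drop the connection to a device."""
    receiver = DuplicateDiscard()
    received = []
    last_rx_ms = 0.0
    paths = [(LAN_A, lan_a_outage)] + ([(LAN_B, lan_b_outage)] if use_prp else [])
    for seq in range(cycles):
        t = seq * cycle_ms
        payload = struct.pack("!H", seq)     # constructed IO data
        got_data = False
        for lan_id, outage in paths:
            if outage and outage[0] <= t < outage[1]:
                continue                     # this LAN is down: copy lost
            result = receiver.accept("dan-1", add_rct(payload, seq, lan_id))
            if result is not None:
                received.append(result[1])
                got_data = True
        if got_data:
            last_rx_ms = t
        elif t - last_rx_ms >= watchdog_factor * cycle_ms:
            return received, True            # connection dropped
    return received, False
```

With a 1 ms cycle and a watchdog factor of 3, a 5 ms outage on a single path trips the watchdog after the third missed cycle, whereas the same outage on LAN A alone is invisible when LAN B carries the duplicate. The example also shows the limit of the technique: if both LANs fail at overlapping times (a common-mode fault such as a shared power feed or a hypervisor stall), PRP cannot help, which is why the server cluster and the two networks need independent infrastructure.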

Network scalability and QoS ensure flexibility

Several measures improve network performance. The aggregation layer is built with bandwidths of up to 10 Gbit/s, which lowers serialization latency and provides headroom for the increased traffic, avoiding congestion across the different segments of the network. In addition, Quality of Service (QoS) is configured according to the Class of Service (CoS) that PROFINET frames carry in their VLAN tag: strict-priority queueing places real-time control traffic ahead of all other traffic at every hop and reserves the necessary network resources for it, so cyclic data arrives on time even when the same links also carry bulk traffic.
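As an added example (written for this article, not Siemens code and not a SCALANCE configuration), the following models one switch egress port with eight priority queues. It parses the 802.1Q tag to read the priority code point, sorts frames into queues, and compares the completion time of a 64-byte PROFINET RT frame (EtherType 0x8892, priority 6) queued behind four full-size best-effort frames under strict priority and under plain FIFO. The MAC addresses, VLAN id 10 for bulk traffic, the frame ID 0x8000 and the link rates are assumptions for the illustration; the scheduler is non-preemptive and treats all frames as queued at t = 0.

```python
import struct
from collections import deque

# Added example, not Siemens code. Classifies 802.1Q-tagged frames by priority
# code point and shows what strict-priority scheduling does to the queueing
# delay of a PROFINET RT frame stuck behind a burst of bulk traffic.

ETH_P_8021Q = 0x8100
ETH_P_PROFINET = 0x8892
PCP_PROFINET_RT = 6          # VLAN priority PROFINET uses for cyclic RT frames
WIRE_OVERHEAD = 20           # preamble + SFD (8 bytes) and inter-frame gap (12 bytes)


def build_frame(dst: bytes, src: bytes, pcp: int, vlan_id: int,
                ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame with an 802.1Q tag: dst, src, TPID, TCI, EtherType, payload."""
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)
    return dst + src + struct.pack("!HHH", ETH_P_8021Q, tci, ethertype) + payload


def classify(frame: bytes):
    """Return (pcp, ethertype). Untagged frames are treated as best effort (PCP 0)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated VLAN tag")
        tci, inner = struct.unpack_from("!HH", frame, 14)
        return tci >> 13, inner
    return 0, ethertype


class EgressPort:
    """One switch port with eight priority queues and a non-preemptive scheduler."""

    def __init__(self, link_mbps: float):
        self.bytes_per_us = link_mbps / 8.0      # 100 Mbit/s -> 12.5 bytes per µs
        self.queues = [deque() for _ in range(8)]
        self.arrival_order = []                   # kept for the FIFO comparison

    def enqueue(self, name: str, frame: bytes):
        pcp, _ = classify(frame)
        self.queues[pcp].append((name, len(frame)))
        self.arrival_order.append((name, len(frame)))

    def _next_strict(self):
        for q in reversed(self.queues):           # highest PCP first
            if q:
                return q.popleft()
        return None

    def drain(self, strict: bool = True):
        """Serialize everything queued at t=0. Returns {name: µs at which the last
        bit left the port}. strict=False models a single FIFO queue instead."""
        done, t = {}, 0.0
        pending = deque(self.arrival_order)
        while True:
            if strict:
                item = self._next_strict()
            else:
                item = pending.popleft() if pending else None
            if item is None:
                return done
            name, length = item
            t += (length + WIRE_OVERHEAD) / self.bytes_per_us
            done[name] = t


def rt_delay_scenario(link_mbps: float, bulk_frames: int = 4, strict: bool = True) -> float:
    """Queue bulk_frames 1500-byte best-effort frames ahead of one 64-byte PROFINET RT
    frame and return the RT frame's completion time in µs."""
    port = EgressPort(link_mbps)
    plc = b"\x02\x00\x00\x00\x00\x01"             # constructed locally administered MACs
    io_device = b"\x02\x00\x00\x00\x00\x02"
    host = b"\x02\x00\x00\x00\x00\x03"
    for i in range(bulk_frames):
        port.enqueue(f"bulk{i}", build_frame(host, plc, 0, 10, 0x0800, bytes(1482)))
    # Cyclic RT frame: 2-byte frame ID plus 44 bytes of constructed IO data = 64 bytes.
    rt = build_frame(io_device, plc, PCP_PROFINET_RT, 0, ETH_P_PROFINET,
                     struct.pack("!H", 0x8000) + bytes(44))
    port.enqueue("rt", rt)
    return port.drain(strict)["rt"]
```

At 100 Mbit/s the RT frame leaves a strict-priority port after 6.72 µs but a FIFO port only after about 493 µs, a delay that already eats half of a 1 ms cycle; at 10 Gbit/s the same FIFO delay shrinks to under 5 µs, which is the bandwidth argument made above. Both measures together keep the queueing delay bounded regardless of how much bulk traffic the aggregation links carry. The check a practitioner should make is that every hop, including the hypervisor's virtual switch, honours the PCP rather than stripping the tag and treating the frame as best effort.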

Cooperation with leading manufacturers of virtualization environments ensures that these measures take effect not only in the physical network but also in the virtual switch of the hypervisor, so that a real-time capable, scalable, and highly available overall solution can be built end to end.

Cybersecurity needs to be considered

To implement cybersecurity in OT, Siemens recommends a multi-layered approach based on the proven "Defense in Depth" concept: multiple independent layers of security controls that protect against different types of cyber threats, so that if one layer is breached, the remaining layers still limit the damage and block further unauthorized access.

In addition to cell protection firewalls, the SINEC software tools further raise the security of virtualized PLCs. SINEC Security Monitor continuously monitors the network for suspicious activity or anomalies and provides real-time alerts and notifications to administrators, enabling rapid detection of and response to potential security incidents.
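The following is an added example written for this article, not Siemens code and not how SINEC Security Monitor is implemented. It shows the core of baseline-based anomaly detection for an OT network: learn the set of hosts and communication relations (source, destination, protocol, port) from a reference period, then raise alerts on deviations, with a higher severity when a host that is not an engineering station opens an engineering or configuration connection (TCP/102 for S7 communication, SSH, HTTPS). All log lines, addresses, the log format and the port list are constructed assumptions for the example.

```python
import re
from collections import namedtuple

# Added example, not Siemens code. Baseline-and-deviation detection over
# constructed flow records, as a passive OT network monitor would run it.

Flow = namedtuple("Flow", "ts src dst proto dport")

# Constructed record format: "<timestamp> <src ip> -> <dst ip> <tcp|udp>/<port>"
LINE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+->\s+(\d+\.\d+\.\d+\.\d+)\s+(tcp|udp)/(\d+)$")

# Ports that belong to engineering or configuration, not to cyclic IO (assumed list).
ENGINEERING_PORTS = {("tcp", 102): "S7 communication", ("tcp", 22): "SSH", ("tcp", 443): "HTTPS"}

# Constructed reference traffic: 10.1.1.10 engineering station, 10.1.1.20/21 vPLC hosts,
# 10.1.1.30 PROFINET IO device, 10.1.1.50 HMI.
BASELINE_LOG = """
2024-07-16T08:00:01 10.1.1.10 -> 10.1.1.20 tcp/102
2024-07-16T08:00:02 10.1.1.10 -> 10.1.1.21 tcp/102
2024-07-16T08:00:03 10.1.1.20 -> 10.1.1.30 udp/34964
2024-07-16T08:00:04 10.1.1.50 -> 10.1.1.20 tcp/102
"""

# Constructed traffic to evaluate: one known relation, the HMI reaching a PLC it
# never talked to, an unknown host, a PLC reaching a new device, and a junk line.
NEW_LOG = """
2024-07-16T09:10:11 10.1.1.10 -> 10.1.1.20 tcp/102
2024-07-16T09:10:12 10.1.1.50 -> 10.1.1.21 tcp/102
2024-07-16T09:10:13 10.1.1.99 -> 10.1.1.20 tcp/102
2024-07-16T09:10:14 10.1.1.20 -> 10.1.1.31 udp/34964
this line is not a flow record
"""


def parse(lines):
    """Parse flow records; lines that do not match the format are skipped."""
    flows = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, src, dst, proto, dport = m.groups()
        flows.append(Flow(ts, src, dst, proto, int(dport)))
    return flows


class Baseline:
    """Known hosts and communication relations learned from a reference period."""

    def __init__(self, flows, engineering_hosts):
        self.hosts = {f.src for f in flows} | {f.dst for f in flows}
        self.relations = {(f.src, f.dst, f.proto, f.dport) for f in flows}
        self.engineering_hosts = set(engineering_hosts)

    def evaluate(self, flows):
        """Return (ts, severity, reason, relation) for every flow outside the baseline."""
        alerts = []
        for f in flows:
            key = (f.src, f.dst, f.proto, f.dport)
            if key in self.relations:
                continue                                   # known relation, nothing to report
            if f.src not in self.hosts:
                severity, reason = "high", "unknown source host"
            elif (f.proto, f.dport) in ENGINEERING_PORTS and f.src not in self.engineering_hosts:
                severity = "high"
                reason = f"{ENGINEERING_PORTS[(f.proto, f.dport)]} from non-engineering host"
            else:
                severity, reason = "medium", "new communication relation"
            alerts.append((f.ts, severity, reason, key))
        return alerts


def run_example():
    baseline = Baseline(parse(BASELINE_LOG.splitlines()), engineering_hosts={"10.1.1.10"})
    return baseline.evaluate(parse(NEW_LOG.splitlines()))
```

Running the example yields three alerts: the HMI opening S7 communication to a second PLC (high), an unknown host contacting a PLC (high), and a PLC talking to a new PROFINET device (medium). The design choice worth noting is that consolidated vPLC hosts make this kind of allow-list baseline easier, not harder: the set of legitimate talkers per host is small and stable, so a new TCP/102 connection into the host is a strong signal rather than noise.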

With the help of the SINEC Security Inspector tool, regular security assessments of the entire automation environment can be carried out. This helps identify vulnerabilities, misconfigurations, or compliance gaps that could be exploited. By conducting inspections on a regular basis, companies can address security weaknesses proactively and maintain the integrity and security of their virtualized network environment. Both SINEC Security Monitor and SINEC Security Inspector are operated on-premises.

SINEC Security Guard, on the other hand, is a cloud-based Software as a Service that automatically scans for vulnerabilities and supports security management. Because it is hosted in the Siemens cloud, the operator does not have to run or maintain the platform; the outbound connection from the plant to the service does need to be accounted for in the firewall concept. The software automatically maps known cybersecurity vulnerabilities to the production components of industrial plants.

In this way, operators and automation experts can identify existing security risks in their OT assets without specialist cybersecurity know-how. They also receive a risk-based threat analysis. SINEC Security Guard then recommends mitigation measures and sets priorities. Finally, the remedial measures can be planned and tracked with the tool's integrated task management.
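As an added example (written for this article, not Siemens code and not how SINEC Security Guard works internally), the following shows the mechanics behind "mapping known vulnerabilities to production components" and "risk-based prioritization": an asset inventory with product and firmware version is matched against advisories that name an affected version range, and each hit is ranked by severity score, network exposure of the asset's zone and whether the issue is remotely exploitable. The advisory identifiers, products, versions, scores and the weighting formula are all constructed for the example and do not refer to real vulnerabilities or real products.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not Siemens code. Matches an asset inventory against advisories
# by product and firmware version range and ranks the hits. All identifiers,
# products, versions and scores below are made up and refer to nothing real.


def parse_version(text: str):
    """'V2.9.4' -> (2, 9, 4). Tolerates a leading V and pads missing components."""
    nums = [int(p) for p in text.strip().lstrip("Vv").split(".") if p.isdigit()]
    return tuple(nums + [0] * (3 - len(nums)))


@dataclass(frozen=True)
class Advisory:
    adv_id: str
    product: str
    affected_from: str          # first affected version, inclusive
    fixed_in: Optional[str]     # first fixed version, exclusive; None = no fix yet
    score: float                # CVSS-style base score, 0..10
    remote: bool                # exploitable over the network


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str
    zone: str                   # "cell", "aggregation" or "dmz"


# Assumed exposure weights: a device behind a cell firewall is less reachable than
# one in the aggregation layer or the DMZ.
EXPOSURE = {"cell": 0.5, "aggregation": 0.8, "dmz": 1.0}


def is_affected(adv: Advisory, asset: Asset) -> bool:
    if adv.product != asset.product:
        return False
    v = parse_version(asset.version)
    if v < parse_version(adv.affected_from):
        return False
    return adv.fixed_in is None or v < parse_version(adv.fixed_in)


def prioritize(assets, advisories):
    """Return findings as (risk, asset name, advisory id, recommended action),
    highest risk first. Risk = score * zone exposure, reduced when local access is needed."""
    findings = []
    for asset in assets:
        for adv in advisories:
            if not is_affected(adv, asset):
                continue
            risk = adv.score * EXPOSURE[asset.zone] * (1.0 if adv.remote else 0.6)
            action = f"update to {adv.fixed_in}" if adv.fixed_in else "no fix: restrict access, monitor"
            findings.append((round(risk, 2), asset.name, adv.adv_id, action))
    findings.sort(key=lambda f: f[0], reverse=True)
    return findings


# Constructed inventory and advisories.
ASSETS = [
    Asset("vPLC-Line1", "ExamplePLC", "V2.9.4", "aggregation"),
    Asset("HMI-Cell3", "ExampleHMI", "V17.0.0", "cell"),
    Asset("Switch-Agg1", "ExampleSwitch", "V4.5.0", "aggregation"),
]
ADVISORIES = [
    Advisory("EXAMPLE-0001", "ExamplePLC", "V2.8.0", "V2.9.5", 9.8, remote=True),
    Advisory("EXAMPLE-0002", "ExamplePLC", "V3.0.0", None, 7.5, remote=True),
    Advisory("EXAMPLE-0003", "ExampleHMI", "V16.0.0", "V17.0.1", 6.5, remote=False),
    Advisory("EXAMPLE-0004", "ExampleSwitch", "V4.0.0", None, 5.3, remote=True),
]


def run_example():
    return prioritize(ASSETS, ADVISORIES)
```

The result puts the vPLC host first (high score, aggregation zone, remotely exploitable, fix available), the aggregation switch second (no fix yet, so the action is to restrict access and monitor), and the HMI last (local access required, behind a cell firewall). The version comparison is the part that is easy to get wrong in practice: a version equal to `fixed_in` must not match, and version strings with a vendor prefix or fewer components must still compare correctly.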

By combining the “Defense in Depth” approach, the implementation of cell protection firewalls, and the use of the SINEC software tools, companies can significantly improve the cybersecurity of their virtualized environments. This comprehensive approach helps mitigate the risk of cyber threats, protect sensitive data, and ensure uninterrupted and secure OT operations.

Conclusion

Even though companies are still in the early stages of virtualization in OT, the corresponding requirements should already be taken into account today when planning networks.

As a reliable partner, Siemens offers not only the automation systems, but also the necessary network infrastructure and matching consulting. Thanks to many years of expertise in industrial automation systems and advanced network functions, Siemens’ SCALANCE products ensure stable connectivity and seamless integration with SIMATIC S7-1500V and other devices in the OT environment. This enables a reliable and efficient communication, promotes smooth operations, and maximizes the benefits of the virtualization.

By working with Siemens, companies can begin their journey towards virtualization with the confidence that they have a reliable and trusted partner to provide both the vPLC solution and the necessary network infrastructure. With the comprehensive support and solutions, companies can effectively plan and implement virtualization in their OT networks – thus paving the way for future industrial environments in a digital factory.

Wolfgang Schwering, Portfolio Owner Blueprints/Systems for Industrial Networks Digital Connectivity and Power, Siemens