Sunday, July 29, 2012

Industrial Security with SCALANCE S Modules Over IPSec VPN Tunnels (Configuration 4)

Task description
In today's automation systems, increased importance is attached to the subject of remote servicing via secured connections.
The safe access to systems from a remote place helps to cut the high costs for time-consuming trips to distant places. Whether it concerns data exchange, the diagnostics from and between production cells, or remote access to the company network – in the world of automation, the growing interaction between industrial communication systems and the IT world over IT mechanisms like e-mail, webserver and wireless LAN also brings with it some inherent risks such as hacker attacks, worms and trojans.
This application is aimed at ensuring data integrity, confidentiality and security within the industrial communication system. The servicing staff shall be able to link their PGs/PCs to the company's network or the automation-specific network over a secured connection. One essential point in implementing the automation task is the establishment of an easy and cost-effective secured connection without requiring expert IT knowledge.
The core functionality of this application is based on the SIMATIC NET industrial security concept. With this solution, risks that may arise through the consistent use of Ethernet structures and Internet technologies in sensitive areas can be eliminated. The components of this concept include the security module SCALANCE S612 V3 and the SOFTNET Security Client, for example. With these modules a secured connection can be established by means of an IPSec VPN tunnel. The most important scenarios are described in two documents.
Your Advantages in an overview:
  • protection of sensitive areas and production plants with the help of VPN tunnels
  • protection of automation cells which are not equipped with internal protection mechanisms
  • elimination of risks from the IT world (hacker attacks, worms, etc.)
  • quick and non-reactive integration into existing automation plants.
  • simple configuration of the security moduls because of a comfortable and common configuration tool.
Contents of document 1Document 1 includes four different scenarios which describe how a service technician can link his PG/PC to the company or automation network either via LAN or via WAN. These scenarios are in detail:
Scenario 1: Connecting a PG/PC to several automation cells via LAN.
Scenario 2: Connecting a PG/PC to several automation cells via WAN.
The figure below shows the structure of the individual scenarios:

The scenarios include in detail:
  • Configuration of the VPN tunnel
    • Scenario 1: in bridge mode
    • Scenario 2: in routing mode
  • Configuration of an S7 connection for communication
  • Activation of the SOFTNET Security Client
  • Set-up of a VPN connection between S612 V3 and SOFTNET Security Client
Testing is based on:
  • the access to the web server of the CP343-1 Advanced
  • the configuration / diagnosis with STEP 7
  • the data exchange between the remote stations
All test operations are demonstrated in bridge and routing mode.
Contents of document 2Document 2 is based on the constellations of document 1 and describes a remote control concept of greater complexity. In this case, a service technician can access the remote stations via a central service station and with the help of a remote control software (e.g. VNC or PCAnywhere). Basically, this concept can be realized by means of two configured VPN tunnels in routing mode.
The figure below shows the structure of this document:

The document focuses in detail on:
  • the configuration of two different VPN connections in routing mode.
  • the activation of the SOFTNET Security Client
  • the installation and configuration of a remote control software on the basis of VNC (client and server).
Test points to demonstrate the access to remote stations via VPN "routing":
  • access to the web server of the CP343-1 Advanced
  • configuration / diagnosis with STEP 7

For more information,please visit SIEMENS website

Wireless Data Communication via GPRS with S7-1200 and CP 1242-7, Scenario 1

Problem   In a stormwater retention basin, excess water is stored to relieve the sewer system. There is a continuous filling level measurement in the stormwater retention basin. An electronically controlled sluice S1 is opened as soon the capacities in the sewage system allow it. The automated plant should be coupled wireless with a control room and should fulfill these requirements for the communication:
  • The measured level will be sent cyclically from the Remote Station to the Central Station
  • In case of maintenance or critical filling levels in sluice S1, an alarm will be sent immediately from the Remote Station to the Central Station
  • The sluice S1 can be opened and closed manually via the Central Station
The wireless data transmission is done via GPRS. A standard PC or ICP will be used as platform for the Central Station. Visualization and operation of the process in the Remote Station will be achieved via a standard HMI-system also installed at the Central Station. A continuously archiving of the process values in the Central Station for further processing is required.
This application example (configuration example CE-X21, Scenario 1) shows how the given tasks can be solved with SIMATIC components. The focus is on the GSM/GPRS Modem CP 1242-7 GPRS, the automation system SIMATIC S7-1200 and the Telecontrol Server Basic Software, which allow the communication between Remote Stations and the Control Room (Central Station) based on GPRS.

Central station
The Central Station consists of a Box PC SIMATIC IPC627C (2). The software components Telecontrol Server Basic (3) and WinCC flexible 2008 (4) are installed on the Box PC. The power supply is provided via a SIMATIC PM1207 Power module (1). The IPC is connected to the Internet via a standard DSL-Router.
Remote station
A GSM/GPRS Modem CP 1242-7 GPRS (2) is coupled via a bus interface to the SIMATIC S7-1200 controller 1211C (3). The GSM/GPRS Modem has a SIM card (5). For coupling with the air interface a quad band GSM/GPRS antenna ANT 794-4MR (4) is used. The power supply of all components is provided via a SIMATIC PM1207 power module (1).

For more information,please visit SIEMENS website