Monday, July 30, 2012

Industrial Security with SCALANCE S Modules Over IPSec VPN Tunnels (Configuration 4)

Task description
In today's automation systems, increased importance is attached to the subject of remote servicing via secured connections.
Secure access to systems from a remote location helps cut the high costs of time-consuming trips to distant sites. Whether it concerns data exchange, diagnostics from and between production cells, or remote access to the company network, in the world of automation the growing interaction between industrial communication systems and the IT world over IT mechanisms such as e-mail, web servers and wireless LAN also brings with it inherent risks such as hacker attacks, worms and trojans.
This application aims to ensure data integrity, confidentiality and security within the industrial communication system. Servicing staff shall be able to link their PGs/PCs to the company network or the automation-specific network over a secured connection. One essential point in implementing the automation task is establishing an easy and cost-effective secured connection without requiring expert IT knowledge.
The core functionality of this application is based on the SIMATIC NET industrial security concept. With this solution, risks that may arise from the consistent use of Ethernet structures and Internet technologies in sensitive areas can be eliminated. The components of this concept include, for example, the SCALANCE S612 V3 security module and the SOFTNET Security Client. With these modules a secured connection can be established by means of an IPsec VPN tunnel. The most important scenarios are described in two documents.
Your advantages at a glance:
  • protection of sensitive areas and production plants with the help of VPN tunnels
  • protection of automation cells which are not equipped with internal protection mechanisms
  • elimination of risks from the IT world (hacker attacks, worms, etc.)
  • quick integration into existing automation plants without affecting their operation
  • simple configuration of the security modules thanks to a convenient, shared configuration tool.
Contents of document 1
Document 1 includes four different scenarios which describe how a service technician can link his PG/PC to the company or automation network either via LAN or via WAN. In detail, these scenarios are:
Scenario 1: Connecting a PG/PC to several automation cells via LAN.
Scenario 2: Connecting a PG/PC to several automation cells via WAN.
The figure below shows the structure of the individual scenarios:

The scenarios include in detail:
  • Configuration of the VPN tunnel
    • Scenario 1: in bridge mode
    • Scenario 2: in routing mode
  • Configuration of an S7 connection for communication
  • Activation of the SOFTNET Security Client
  • Set-up of a VPN connection between S612 V3 and SOFTNET Security Client
Testing is based on:
  • the access to the web server of the CP343-1 Advanced
  • the configuration / diagnosis with STEP 7
  • the data exchange between the remote stations
All test operations are demonstrated in bridge and routing mode.
Contents of document 2
Document 2 is based on the constellations of document 1 and describes a remote control concept of greater complexity. In this case, a service technician can access the remote stations via a central service station with the help of remote control software (e.g. VNC or PCAnywhere). Basically, this concept can be realized by means of two configured VPN tunnels in routing mode.
The figure below shows the structure of this document:

The document focuses in detail on:
  • the configuration of two different VPN connections in routing mode.
  • the activation of the SOFTNET Security Client
  • the installation and configuration of remote control software based on VNC (client and server).
Test points demonstrating access to remote stations via VPN "routing":
  • access to the web server of the CP343-1 Advanced
  • configuration / diagnosis with STEP 7

For more information, please visit the SIEMENS website.
