Task description
In today's automation systems, increasing importance is attached to remote servicing over secured connections.
Secure access to systems from a remote location helps to cut the high
cost of time-consuming trips to distant sites. Whether it concerns
data exchange, diagnostics from and between production cells, or
remote access to the company network – in the world of automation, the
growing interaction between industrial communication systems and the IT
world over IT mechanisms such as e-mail, web servers and wireless LAN also
brings with it inherent risks such as hacker attacks, worms and
trojans.
This application is aimed at ensuring data
integrity, confidentiality and security within the industrial
communication system. Servicing staff shall be able to link their
PGs/PCs to the company network or the automation-specific network over
a secured connection. One essential point in implementing the
automation task is establishing a simple and cost-effective
secured connection without requiring expert IT knowledge.
Solution
The core functionality of this application is based on the SIMATIC NET
industrial security concept. With this solution, risks that may arise
through the consistent use of Ethernet structures and Internet
technologies in sensitive areas can be eliminated. The components of
this concept include, for example, the security module SCALANCE S612 V3 and the SOFTNET Security Client.
With these modules a secured connection can be established
by means of an IPSec VPN tunnel. The most important scenarios are
described in two documents.
Your advantages at a glance:
- protection of sensitive areas and production plants with the help of VPN tunnels
- protection of automation cells that are not equipped with internal protection mechanisms
- elimination of risks from the IT world (hacker attacks, worms, etc.)
- quick and non-intrusive integration into existing automation plants
- simple configuration of the security modules thanks to a convenient, shared configuration tool
Contents of document 1
Document 1 includes four different scenarios which describe how a service technician can link his PG/PC to the company or automation network either via LAN or via WAN. These scenarios are in detail:
- Scenario 1: Connecting a PG/PC to several automation cells via LAN.
- Scenario 2: Connecting a PG/PC to several automation cells via WAN.
The figure below shows the structure of the individual scenarios:
The scenarios include in detail:
- Configuration of the VPN tunnel
  - Scenario 1: in bridge mode
  - Scenario 2: in routing mode
- Configuration of an S7 connection for communication
- Activation of the SOFTNET Security Client
- Set-up of a VPN connection between the S612 V3 and the SOFTNET Security Client
Testing is based on:
- access to the web server of the CP343-1 Advanced
- configuration / diagnostics with STEP 7
- data exchange between the remote stations
All test operations are demonstrated in bridge and routing mode.
Contents of document 2
Document 2 is based on the
configurations of document 1 and describes a remote control concept of
greater complexity. In this case, a service technician accesses the
remote stations via a central service station with the help of
remote control software (e.g. VNC or PCAnywhere). Basically, this
concept is realized by means of two configured VPN tunnels in
routing mode.
The figure below shows the structure of this document:
The document focuses in detail on:
- the configuration of two different VPN connections in routing mode
- the activation of the SOFTNET Security Client
- the installation and configuration of remote control software based on VNC (client and server)
Test points to demonstrate access to the remote stations via VPN "routing":
- access to the web server of the CP343-1 Advanced
- configuration / diagnostics with STEP 7
For more information, please visit the SIEMENS website.