Homepage » Instrumentation & Automation »

How to improve industrial security in large brownfield plants

How to improve industrial security in large brownfield plants
Update management for the plant network

Advertisement
In industrial plants, PLCs run the show. The chemical giant, BASF, has a large number of PLCs that needed to be automatically updated. But with multiple firewalls to navigate and many third-party devices involved, integrating them into a single network would be a challenge. Until the solution Sinema Remote Connect from Siemens was brought to the table.

An industrial network is a production plant’s backbone. As long as it’s strong, secure, and reliable, productivity can run at full steam. But should a network error occur, devices may become inaccessible or stop communicating. In a worst case scenario, production may halt altogether.

At its Antwerp site, BASF had 350 devices controlled by Simatic PLCs from Siemens. This included PLCs running compressors, energy meters, charging stations, and other mission critical devices. So keeping all PLCs updated with the latest security updates was vital to protect them from malware, unauthorized access, and other threats. But the PLCs had yet to be connected to a single network. This meant Siemens’ on-site automation team had to update every device manually. With the site spanning 6 km2 and updates taking several hours, this was a process that could take a full year to complete.

BASF knew it needed an automation network. But installing one hadn’t been feasible for two key reasons. Firstly, the site housed 16 plant clusters with their own firewalls and third-party devices. Secondly, the site’s vast size meant installing a new fiber optic network, which was not financially viable. BASF approached Siemens for new ideas.

Experts in complexity

With its track record of successfully implementing networks in complex industrial environments all over the world, BASF was confident Siemens could devise an effective solution. And upon receiving their request, Siemens jumped into action, bringing in network specialists to assist its on-site automation team.

This BASF Antwerp team says, “We are familiar with networks, Siemens and PCS 7, but our team was short on technical know-how for developing a concept that could meet the stringent requirements imposed by the IT department. So, we joined forces with product and service specialists from Siemens to create the concept.”

In addition to improving security and reliability, BASF wanted a network that would be easy to manage and master. They also wanted to be able to create user groups, so every plant cluster could manage their own devices. After assessing all the requirements, Siemens’ team planned the rollout of a secure, dedicated network with Sinema Remote Connect at its core.

Connections via VPN tunnels

The first challenge was devising a network that could securely connect technicians and devices across 16 plant clusters. A challenge Sinema Remote Connect easily solved.

Using Sinema Remote Connect, Siemens created VPN tunnels, connecting every PLC and user through the Sinema Remote Connect server. An inventory of the security certificates for every device and user was also created in the server. This meant that whenever a connection was requested, the certificates would be checked and verified before the connection was approved. Sinema Remote Connect further improved security by encrypting all communications using OpenVPN.

Another advantage of Sinema Remote Connect is that it can provide remote access to Scalance M-800 as well as Scalance S-600 Industrial Security Appliances and dedicated CPs and RTUs. This allows each device to be configured and integrated automatically, eliminating an otherwise complex and time-consuming task.

Providing technicians with central access to the PLCs in all parts of the BASF plant was realised by Sinema RC Client. Once all groups and rights in the Sinema Remote Connect server were configured, Sinema RC Client’s address book function enabled every technician to see the parts of the network they have access to.

Transparent processes

To fulfill BASF’s requirements for central network monitoring, the Sinema server was implemented. Siemens’ team created one user group for each plant cluster so they could access their own devices and monitor their performance in private. In addition, the Sinema server’s network monitoring software would provide BASF with around the clock monitoring, and diagnostics, including diagnostics for SNMP, Profinet, and Simatic.

Putting it to the test

Before rolling out the network, Siemens ran a proof of concept project in the lab. This project was to verify how devices would respond when added to the network and whether firewall rules needed to be modified.

“We wanted to ensure we developed a network that would meet the stringent requirements for security, seamless implementation, and ease of use,” says BASF Antwerp. “The proof of concept project translated into significant time savings, while for the businesses on-site, it meant better service.”

Along with saving time and lowering risk, the proof of concept project enabled Siemens to develop workflows for installing and managing devices. Siemens trained BASF’s technicians these workflows through a workshop, so they could manage the network independently.

“Good preparation is the key to success,‘‘ says Bert Vanstraelen, Service Engineer at Siemens Customer Services in Belgium. “Giving BASF’s technicians training in the new system will ensure they can perform their own maintenance in the future without IT support.”

Rolling out

Following the successful test project, Siemens built out the network in stages. Close cooperation between BASF and Siemens’ team ensured the network’s central elements were completed within one month. The PLCs were then linked to the system step-by-step, allowing the network to grow organically. With the successful implementation of Sinema Remote Connect, BASF now has the reassurance knowing all PLCs across 16 plant clusters can be monitored and updated around the clock by their central maintenance team using the TIA Portal – the engineering platform for automation from Siemens.

At a ground level, desktop access through Sinema Remote Connect means Siemens’ automation team no longer has to travel around to the different plants. This has freed Siemens’ technicians to focus on providing high quality services across BASF’s site.

Future upgrades planned

There are now plans to further improve the network monitoring with Siemens’ Network Management System, Sinec NMS. This will further enhance transparency and ease of use by providing BASF’s technicians with desktop access to devices for prompt fault resolution, security monitoring, and device configuration with hardening.

The project’s success also reinforced the value that BASF has for both Siemens’ technology and its expertise, especially when overcoming complex challenges. In fact, the project has been such a success that the company is now planning to upgrade their logistics systems. The new system will be completely integrated into the Sinema Remote Connect architecture. Siemens’ team will be there to support them on every step of the way.

Siemens AG, Nuremberg, Germany


Author: Maximilian Korff

Product Sales Development,

Digital Industries,
Process Automation,

Siemens


The automation solution from Siemens integrates 16 plant clusters with different network infrastructures
Picture: Siemens

At a glance:   Project BASF Antwerp

  • BASF’s Antwerp site had PLCs spread across 6 km², which had to be manually updated
  • The PLCs belonged to 16 plant clusters with different network infrastructure
  • The Sinema server enabled the creation of user groups for each plant cluster and provided desktop access to devices and diagnostics
  • Scalance S615 Industrial Security Appliances made both Siemens and third-party controllers accessible from central Sinema Remote Connect server
  • Sinema Remote Connect enabled the creation of secure and centrally managed VPN tunnels
  • A proof of concept project was completed before rolling the entire system out
  • A task that would have taken a year to complete, can now be done automatically
Advertisement
Current issue
Titelbild cpp chemical plants   processes 2
Issue
2.2020
READ
Headlines
Processes below 100°C controlled by vacuum steam
Cold steam
All Whitepaper

All whitepapers of our industry pages

Current Whitepaper

New filtration technology for highly corrosive media

Advertisement
Advertisement

Industrie.de Infoservice
Vielen Dank für Ihre Bestellung!
Sie erhalten in Kürze eine Bestätigung per E-Mail.
Von Ihnen ausgesucht:
Weitere Informationen gewünscht?
Einfach neue Dokumente auswählen
und zuletzt Adresse eingeben.
Wie funktioniert der Industrie.de Infoservice?
Zur Hilfeseite »
Ihre Adresse:














Die Konradin Verlag Robert Kohlhammer GmbH erhebt, verarbeitet und nutzt die Daten, die der Nutzer bei der Registrierung zum Industrie.de Infoservice freiwillig zur Verfügung stellt, zum Zwecke der Erfüllung dieses Nutzungsverhältnisses. Der Nutzer erhält damit Zugang zu den Dokumenten des Industrie.de Infoservice.
AGB
datenschutz-online@konradin.de