More than Just Communication - Security and Real Time


Although today’s office products use internationally recognized standards, they are not capable of meeting the wide-ranging needs posed by modern industry. Complex industrial applications call for a high level of availability, durability and, most importantly, real time capability. It is precisely in this area of conflicting priorities that industrial Ethernet comes into its own and where its needs diverge from those of the office network. The focus here is on differing approaches to the issue of information security.

We have all enjoyed drinking orange juice from a carton, but hardly anyone will be aware of the wafer-thin lining of aluminum foil that keeps the contents fresh for longer, let alone the process entailed in its manufacture. For the foil to be produced, a nine meter-long, 60 centimeter-high and up to 30 ton heavy aluminum slab has to be hot and cold rolled to create thin strips just tenths of a millimeter in thickness. In some cases this is followed by a foil rolling mill which reduces the aluminum strip to a thickness of just six micrometers. Complex control processors and peripheral devices ensure that these minimum thicknesses are precisely adhered to. The processor transmits continuous control signals to the various rolling mill drives and actuators to compensate for any deviation within the scope of the admissible tolerances. Only with this degree of precision can a nine meter-long slab be transformed into 480 uniform kilometers of foil.

Industrial applications require communication accuracy

To remain with the example of the beverage industry, the high-performance beverage filling plant is another case in point. This type of machine is capable of filling up to 70,000 bottles per hour. This equates to 20 bottles per second, each of which has to be filled, labeled and transported. The extreme demands made on dynamics, signal processing and coordination of the controls, motors, sensors and so on are not difficult to envisage. Although the individual bottles are practically indistinguishable to the human eye as they flash past, the electronic devices and systems used are required to reliably pick out and register each individual bottle with the utmost accuracy.

The vital importance of high-speed communication is also demonstrated by the example of a hot rolling mill used to process steel for the automotive industry, which demands ever more stable and lighter-weight steel grades. The cooling process following the last roll stand is instrumental in determining the mechanical properties of the steel. Exceeding the specified tolerances in the cooling temperature or the temperature profile even by only a few percent can alter the mechanical properties of the final material so decisively that it may have to be scrapped or its quality is severely compromised.

A change in the speed of the strip will frequently mean varying material properties in different sections of the same strip. To avoid this happening, a programmable logic controller monitors the optimum time for valve opening and closing, adjusts the cooling pattern and cooling zones to the varying strip speeds and controls the phase fractions along the whole cooling section in real time. Deviations from target values are corrected every 200 milliseconds and forwarded to the actuators.

These examples illustrate how much more hangs on the precision and reliability of communication in industrial plants than it does in the average office network. The faulty assignment of parts in a distribution center can result in substantial financial loss; if the motors of a paper machine are not absolutely synchronized, the resulting paper congestion can produce a complete operational shutdown; if the safety sensor of a mine pit cage fails to give off a signal, the coal will remain stuck in the shaft. The individual systems working in these generally enormous networks have to operate without a hitch and to communicate reliably with each other – irrespective of whether the individual components of an installation are supplied by a number of manufacturers each using a different communication variant.

There is another crucial factor which distinguishes the needs of the office network from those of industrial communication: the ambient conditions. Location makes an enormous difference to the installed components: an air conditioned building, an iron rolling mill or a drilling platform in the middle of the Atlantic all have quite distinct requirements. Because salty air is fatal for all electronic components, including of course communication networks, all terminals and connections have to be encapsulated against environmental influences and stowed inside a housing. This is the only way to protect all metallic components and connecting elements against the effects of salt water and corrosion. Approved for a temperature range of -40° to +70°C, the devices and connectors used for industrial communication have to be capable of withstanding even the most intensive sunlight, snow and ice. They also have to work reliably and accurately in potentially explosive atmospheres such as those encountered in mining applications, in compressor stations and painting booths. Depending on requirements, a distinction is drawn between different protection ratings which denote ability to withstand adverse conditions in light and heavy industry, in railway tunnels and on ships. These components offer enhanced immunity to electromagnetic interference, are protected from vibrations, dirt, moisture or damaging substances and are resistant to a variety of media such as oils, lubricants and acids. They are vibration-proof and capable of 35 mm top hat rail mounting.

In essence all networks are the same

In fact, all networks operate using the same underlying communication technology developed originally for the first computer network by Robert Metcalf and colleagues at Xerox PARC in 1973. Even when the international standardization institute IEEE set out the first Ethernet standard back in 1980, so creating the basis for its worldwide expansion in office networks, nobody imagined that this technology would one day transform the world of production engineering and process automation. Today, Ethernet is universally acknowledged as a communication system, is based on international standards (IEEE802.3), supports a variety of different protocols in a single network, is wirelessly available almost everywhere and has a substantially higher data throughput than current field bus systems. Using Ethernet or its industrial variants, data from every area of a company’s operations can be captured across every level – from the standalone machine through the production line to the business administration systems - using a single integral network.

Although it is true to say that most innovations and standards originate from the office environment, Ethernet technology has now become a firmly entrenched aspect of industrial applications. Technical progress made in areas such as fast Ethernet, switching and full duplex transmission have turned the “good old Ethernet” into a highly efficient communication system which has an almost magical attraction for users and manufacturers throughout every sector of industry.

The network topology used can limit the impact of a single failing component. As networks in industrial environments are frequently linked in series from one machine to the next, industrial Ethernet networks tend to be implemented in ring formation. This allows any failure to be isolated to a maximum of one switch. Despite a failing conductor, the network can continue to be fully functional. The situation with the communication content is far more complex: To allow this technology to cope with hostile industrial environmental conditions, the Ethernet has to lose any element of “randomness”. By applying what is generally termed non-deterministic behavior, information normally finds its own route in an Ethernet network. However, many industrial signals require a precise run time. They do not have the capacity to wait if a high level of network activity – for instance due to a virus scan or a system check, or during the import of new security updates – is slowing down communication. An emergency stop signal must arrive without delay, a target value input for an axis motor in a robot or a machine tool has to be processed within milliseconds if major damage is to be avoided.

To meet this need, automation system manufacturers and user organizations worked to develop different ways of adapting Ethernet to cope with the robustness and real time capability demands of modern industry. They make use of both a specifically developed system of real time communication, and also the original TCP/IP-based communication system. This allowed the use of both internationally established standard IT services and also speed-optimized real time communication with RT (Real Time) or IRT (Isochronous Real Time).

At its core, this is essentially still the “original” standard derived from the office environment. But despite extensive endeavors to achieve standardization, it has not been possible to define a single standardized application protocol tailored specifically to meet all the needs of automation technology. This situation has culminated in a series of variants such as Profinet, EtherCAT, Powerlink, Modbus-TCP, Sercos-III, Foundation Fieldbus HSE and FLNet, which are incompatible with each other. Users and device manufacturers have no choice but to adjust to an even greater variety of industrial communication systems.

“Security cell” provides a safeguard in the industrial sector

Real time and security are normally mutually exclusive requirements. A production network has to offer 100% availability. Any restriction to availability, whether as a result of faults such as an incorrect address assignment, run time errors, viruses and so on, or due to frequent maintenance work of the kind required for importing new security updates, results in enormous costs. Even if a worm or virus which gains access through an infected notebook or USB stick does not itself result in extensive damage, the network load caused by its reproduction can cause real time communication to breakdown completely, bringing the whole plant to a standstill.

In the office environment, this type of internal hazard can be countered by virus scanners and personal firewalls. In industrial control systems, conversely, after every security update a check has to be made to eliminate the possibility of repercussions for the automation software. An added impediment is that there is an enormously diverse range of different automation devices available. Even just in terms of the different product life cycles, the variety on offer is many times that of systems available for the office environment. In addition, many field devices are fitted with extremely simple processes and proprietary operating systems which, despite a web interface, do not allow for effective integration into a factory’s security system.

This means that any production network will include “users” which are unable to effectively protect themselves. This realization moved Siemens to develop the security cell. The underlying concept here is the security-oriented breakdown of production networks into network segments, each of which is responsible for protection towards the outside. These safe security modules monitor data traffic to and from the cell and check access rights. Only authorized data traffic is allowed to pass. In this way, unwanted data traffic such as that generated by viruses or worms can be effectively kept away from devices without their own intrinsic protection. Even if the network is compromised outside of the cell, communication within the cell is maintained.

Inside the cell, the security module does not affect the exchange of data. Communication between cells is effectively limited to just the cells which have to communicate. This impedes any “pests” such as viruses, worms or Trojans which might have succeeded in penetrating the cell from spreading over the whole network. To protect data leaving the security cell from espionage or manipulation, the security cell concept also includes encryption of data communication and constructs a virtual private network (VPN) tunnel between the different security cells. As well as ensuring data confidentiality, this also allows data authenticity to be guaranteed. Alongside the benefit that effective security structures can be created practically without disruption across existing networks, particular importance was attached by the developers to enabling simple and central project engineering. All the user needs to do is to determine using a security configuration tool which cells may be permitted to communicate with each other. This configuration is then transmitted by a secure connection to the individual security modules.

This ensures that real time communication is maintained within the cell and security measures are guaranteed between the cells without loss of production or any other impairment. The result is enhanced availability without risk of attack or infection by viruses or worms.