ethernet

The Emergence of Device-level Safety Communications in Manufacturing

Guest Contributor: Tom Knauer, Balluff

Manufacturing is rapidly changing, driven by trends such as low volume/high mix, shorter life cycles, changing labor dynamics and other global factors. One way industry is responding to these trends is by changing the way humans and machines safely work together, enabled by updated standards and new technologies including safety communications.

In the past, safety systems utilized hard-wired connections, often resulting in long cable runs, large wire bundles, difficult troubleshooting and inflexible designs. The more recent shift to safety networks addresses these issues and allows fast, secure and reliable communications between the various components in a safety control system. Another benefit of these communications systems is that they are key elements in implementing the Industrial Internet of Things (IIoT) and Industry 4.0 solutions.

Within a typical factory, there are three or more communications levels, including an Enterprise level (Ethernet), a Control level (Ethernet based industrial protocol) and a Device/sensor level (various technologies). The popularity of control and device level industrial communications for standard control systems has led to strong demand for similar safety communications solutions.

Safety architectures based on the most popular control level protocols are now common and often reside on the same physical media, thereby simplifying wiring and control schemes. The table, below, includes a list of the most common safety control level protocols with their Ethernet-based industrial “parent” protocols and the governing organizations:

Ethernet Based Safety Protocol Ethernet Based Control Protocol Governing Organization
CIP Safety Ethernet IP Open DeviceNet Vendor Association (ODVA)
PROFISafe PROFINET PROFIBUS and PROFINET International (PI)
Fail Safe over EtherCAT (FSoE) EtherCAT EtherCAT Technology Group
CC-Link IE Safety CC-Link IE CC-Link Partner Association
openSAFETY Ethernet POWERLINK Ethernet POWERLINK Standardization Group (EPSG)

 

These Ethernet-based safety protocols are high speed, can carry fairly large amounts of information and are excellent for exchanging data between higher level devices such as safety PLCs, drives, CNCs, HMIs, motion controllers, remote safety I/O and advanced safety devices. Ethernet is familiar to most customers, and these protocols are open and supported by many vendors and device suppliers – customers can create systems utilizing products from multiple suppliers. One drawback, however, is that devices compatible with one protocol are not compatible with other protocols, requiring vendors to offer multiple communication connection options for their devices. Other drawbacks include the high cost to connect, the need to use one IP address per connected device and strong influence by a single supplier over some protocols.

Device level safety protocols are fairly new and less common, and realize many of the same benefits as the Ethernet-based safety protocols while addressing some of the drawbacks. As with Ethernet protocols, a wide variety of safety devices can be connected (often from a range of suppliers), wiring and troubleshooting are simplified, and more data can be gathered than with hard wiring. The disadvantages are that they are usually slower, carry much less data and cover shorter distances than Ethernet protocols. On the other hand, device connections are physically smaller, much less expensive and do not use up IP addresses, allowing the integration into small, low cost devices including E-stops, safety switches, inductive safety sensors and simple safety light curtains.

Device level Safety Protocol Device level Standard Protocol Open or Proprietary Governing Organization
Safety Over IO-Link/IO-Link Safety* IO-Link Semi-open/Open Balluff/IO-Link Consortium
AS-Interface Safety at Work (ASISafe) AS-Interface (AS-I) Open AS-International
Flexi Loop Proprietary Sick GmbH
GuardLink Proprietary Rockwell Automation

* Safety Over IO-Link is the first implementation of safety and IO-Link. The specification for IO-Link Safety was released recently and devices are not yet available.

The awareness of, and the need for, device level safety communications will increase with the desire to more tightly integrate safety and standard sensors into control systems. This will be driven by the need to:

  • Reduce and simplify wiring
  • Add flexibility to scale up, down or change solutions
  • Improve troubleshooting
  • Mix of best-in-class components from a variety of suppliers to optimize solutions
  • Gather and distribute IIoT data upwards to higher level systems

Many users are realizing that neither an Ethernet-based safety protocol, nor a device level safety protocol can meet all their needs, especially if they are trying to implement a cost-effective, comprehensive safety solution which can also support their IIoT needs. This is where a safety communications master (or bridge) comes in – it can connect a device level safety protocol to a control level safety protocol, allowing low cost sensor connection and data gathering at the device level, and transmission of this data to the higher-level communications and control system.

An example of this architecture is Safety Over IO-Link on PROFISafe/PROFINET. Devices such as safety light curtains, E-stops and safety switches are connected to a “Safety Hub” which has implemented the Safety Over IO-Link protocol. This hub communicates via a “black channel” over a PROFINET/IO-Link Master to a PROFISafe PLC. The safety device connections are very simple and inexpensive (off the shelf cables & standard M12 connectors), and the more expensive (and more capable) Ethernet (PROFINET/PROFISafe) connections are only made where they are needed: at the masters, PLCs and other control level devices. And an added benefit is that standard and safety sensors can both connect through the PROFINET/IO-Link Master, simplifying the device level architecture.

Safety

Combining device level and control level protocols helps users optimize their safety communications solutions, balancing cost, data and speed requirements, and allows IIoT data to be gathered and distributed upwards to control and MES systems.

cropped-cmafh-logo-with-tagline-caps.pngCMA/Flodyne/Hydradyne is an authorized  Balluff distributor in Illinois, Wisconsin, Iowa and Northern Indiana.

In addition to distribution, we design and fabricate complete engineered systems, including hydraulic power units, electrical control panels, pneumatic panels & aluminum framing. Our advanced components and system solutions are found in a wide variety of industrial applications such as wind energy, solar energy, process control and more.

Embedding axis controllers made by any manufacturer
Guest contributor: Theobald Herrmann, Bosch Rexroth

Automating hydraulic drives as easily and conveniently as electrical ones with combined monitoring and remote maintenance of all the technologies used – this increasingly important economic requirement can be fulfilled using valves with integrated axis controllers (IAC). What can they offer and how easy is it to implement manufacturer-independent integration at controller level?

23706._iac-ventile_iac-multi-ethernet_iac-r_ia3-1200x797

Bus systems play a key role in automation. They provide a flexible way of saving time and money when integrating hydraulic drives into higher-level control networks. However, in order to give the engineering plenty of freedom, this should ideally be independent of the controller manufacturer.

Ethernet – open communications standard

The basis for this manufacturer-independent communication is the network standard Ethernet. Thanks to the large address space and switch cascading facilities, networks can then be scaled to any size and can give an almost unlimited number of participants equal bus access. The most common Ethernet-based bus systems used in industrial automation to control hydraulic axes are SERCOSProfinet RTEthernet/IPEtherCAT, Powerlink and Varan.
All these bus systems can use multi-Ethernet interfaces to provide flexible availability – both for the engineering and for the end user.

What can IAC valves achieve with multi-Ethernet interfaces?

Multi-Ethernet interfaces are a key component of control valves with integrated digital axis controllers (IAC). The integrated switch (bus in and bus out)
makes it easy to comprehensively integrate your hydraulic drives into a uniform control concept. Using standardized M12 technology also enables you
to efficiently integrate a variety of sensors. The software-based control functions are particularly interesting to users. They enable the motion control
of a hydraulic drive to be handled in the same way as an electric one, ultimately depicting the operation and control of both types of drives in exactly the same way.

23867_v2_300-768x725

 

Specific hydraulic axis control functions

Viewed precisely, an IAC (Integrated Axis Controller) is a digital controller equipped with control and regulation algorithms that is integrated into the valve together with all the necessary sensor interfaces for controlling position, pressure, force and flow. The extended function range includes alternating control (position, force) and status feedback for position control. This means that hydraulic motion sequences can be quickly implemented without the need for any programming. Another advantage is that control algorithms and parameters can be integrated into the valve and then selected by the higher-level controller as appropriate for the specific application. In this way, possibly supplemented by electric drives, they can be used as a cost-effective way of implementing tailored machine concepts and individual application requirements.

Commissioning, monitoring and engineering

Using standardized M12 technology reduces the cabling effort required and permits faster commissioning. Additional time and cost are saved by the wizard integrated into the software that guides the user through the few steps needed before final commissioning and also calculates all the necessary control parameters. Important for the plant’s availability are monitoring functions which, among other things, detect tracking errors and monitor the limits of travel.
In addition to these, some manufacturers also provide software tools to help motion control system users with commissioning and parameterization, and diagnostic functions such as multi-channel oscilloscopes and data loggers, so that the number of interfaces can be kept as low as possible – making the system faster and easier to configure.

Integrated machine safety (safe stop)

For the engineering IAC valves facilitate a modular construction system that can flexibly enhance system concepts. And not least, these include internally implemented DGUV-certificated safety functions. This gives you an economical and future-proof way to lay the foundations for safe stop, for instance by shutting down a channel as specified in EN 13849-1, and thus fulfill the requirements of the Machinery Directive even for large-scale plants.

22916_v2_300-768x702.jpg

Case study 1: High precision control tasks

The role that IAC valves play in the accuracy of machine tools is made very clear by the example of a new rotary transfer machine with 54 electrical and hydraulic CNC axes. For this new development the manufacturer not only made use of a powerful CNC system solution with real-time communication via SERCOS, but also incorporated a module in controller format with software that was already capable of taking into account all the special features of fluid technology and was thus able to separate the drive level from the control level. This enables the machine to be constructed more compactly and with lower heat input. Thanks to the stable temperature, the vibration-damped sleeves of the circular array of processing axes can achieve a repeatable precision in the hydraulic servo axes of less than +/- 1 μm, corresponding to 5 μm on the workpiece. The travel speed is up to 30m/min.

Case study 2: A retrofitted core shooting machine

In addition to new designs, IAC valves with multi-Ethernet interfaces also offer considerable potential when it comes to modernizing legacy machines. For example, the well thought-out retrofit of a 50 year old core shooter coupled with new hydraulic components resulted in significantly improved efficiency. A total of eight IAC valves regulate the hydraulic cylinders on the basis of the set positions given by a CNC controller. Their possibilities and high level of precise repeatability made it possible to reduce the figures for setup time (system changeover) and waste (nibs). Altogether, despite operating three shifts, the machine’s availability increased by more than 10%, corresponding to 500 hours. Using a secure logic controller meant that safety was also brought up to date.

Conclusion

IAC valves with multi-Ethernet interfaces and integrated axis controllers enable mechanical engineering companies to easily utilize the productivity potential offered by hydraulic and hybrid drives.

Combining them with engineering tools, including industry-specific and application-specific control structures makes it possible to cost-effectively
implement tailored machine concepts and modernizations, with the result that the manufactured results can be optimized faster and more easily.

More informationwww.boschrexroth.com/iac

Moviehttps://www.youtube.com/watch?v=fVBOYCP31P0

cropped-cmafh-logo-with-tagline-caps.pngCMA/Flodyne/Hydradyne is an authorized Bosch Rexroth distributor in Illinois, Wisconsin, Iowa and Northern Indiana.

In addition to distribution, we design and fabricate complete engineered systems, including hydraulic power units, electrical control panels, pneumatic panels & aluminum framing. Our advanced components and system solutions are found in a wide variety of industrial applications such as wind energy, solar energy, process control and more.

New Design for Hydraulic Power Units

Guest contributor:  Andreas Günder, Bosch Rexoth

Optimum power, less installation space: Thanks to new intellectual and design approaches, compact hydraulic power units increase the economic efficiency of machine tools.

Powerful force in a very confined space

In the production world, hydraulics are firmly established. Machine tool manufacturers appreciate hydraulics for their high power density, toughness and modular design. In the lower performance range up to 4 kW, however, there are also some challenges. Since the installation space is often limited, designers and technical purchasers are constantly looking for increasingly compact solutions.

Installation space is valuable

The demand for compact hydraulic drives is not only due to the structurally limited flexibility regarding extensions, modernization measures and refittings but also due to the requirements regarding acquisition costs and assembly times or structural extensions of the working space with given machine dimensions. In addition to the level of integration of the functions, energy efficiency often plays an important role as well. Last but not least, many manufacturers are following the miniaturization trend. If workpieces become increasingly smaller, the moved mass of the machine tool has to be decreased accordingly.

“Installation space eaters” hydraulic power units

To reduce the installation space, solution manufacturers can start mainly with the following components: hydraulic power unit and control cabinet. When considering this split, it becomes evident that compact power units which are also easy to integrate require completely new design approaches to eliminate all features which waste unnecessary space in the performance spectrum up to 4 kW and to ensure that the units are still compatible with many different machine designs.

Highly integrated design approaches

The features of such innovative design concepts according to the EU Eco-Design Directive 2009/125/EC for example include a tank which is optimized for efficient degassing and reduces the oil volume by up to 80 percent. A much more decisive factor for gaining space is, however, that all functions can actually be integrated in one small power unit – from an economic variable-speed drive for demand-based power output to sensor technology with filling level, temperature, pressure and filter contamination sensors to a completely wired frequency converter.

Bosch_Infografik_EN-1200x849 (1)

Compact and ready for Industry 4.0

For the future viability of this approach with regard to Industry 4.0, a data interface is essential as well. Only with permanent condition monitoring can the operating conditions be optimized comfortably and relevant faults be detected early on. With this equipment, the user only has to connect the electric power, the data interface and the hydraulic supply during installation and the hydraulic power unit is ready for operation

New cooling with heatpipe

So-called heatpipes are considered to be a space-saving innovation regarding the cooling of hydraulic power units. Their high-performance passive thermal conduction allows for a further reduction of the frame size. The heatpipes absorb the thermal energy of frequency converter, motor and hydraulic oil and efficiently transfer it to a central heat sink such as e. g. cooling water…
This ensures an intelligently optimized thermal management within the hydraulic power unit and optimally utilizes the cooling power of the cooling water. There is no need for a separate hydraulic circuit for oil cooling. This reduces installation space, noise emissions, energy consumption and possibilities for leakage.

Heatpipe – Functional principle

Basically, a heatpipe consists of air-tightly sealed copper pipes with underpressure. Inside, there is a medium which transfers thermal energy. In the temperature range of hydraulic power units, the medium may be e.g. distilled water. The boiling temperature of the water is significantly reduced by the low pressure within the heatpipe, which means that a boiling or condensation process can already take place at low temperatures.

Functionality: If you dip the heatpipe for example in hot hydraulic oil, the thermal energy at the lower immersed part of the heatpipe is transferred to the water. The water exceeds the boiling point, evaporates and absorbs a large amount of thermal energy with low temperature difference (latent heat). The water steam rises to the upper part of the heat pipe which is cooled by e. g. a cooling element. Here, the water steam condensates and gives off the thermal energy to the cooling water. Thanks to the latent heatabsorption and dissipation, the thermal conductivity of heatpipes can be up to 1000 times higher than the thermal conductivity of copper pipes. Due to the high elasticity of the copper pipes, the heat pipe can be easily shaped. In this way, ideal heat paths can be formed inside the hydraulic power unit and the installation space can be considerably optimized. Similar application ranges with equal optimization potential can be found in computer technology. Here, the thermal energy in laptops caused by heat sources such as the CPU are transferred to the central cooling elements using heatpipes.

Grafik_Heatpipe_EN.jpg

Plug & Play: no control cabinet

The frequency converter has a high potential for gaining installation space as well. If it has already been equipped with Multi-Ethernet interface for Sercos, Profinet and other standards by the manufacturer, machine and plant manufacturers are able to reduce the control cabinet requirement for the hydraulic unit by up to 100 percent. As a precondition, however, the sensor technology and the motor in the power unit have to be wired to the frequency converter in such a way that the frequency converter can control the hydraulic pressure autonomously. This means that the control cabinet can not only be designed with smaller dimensions. Sometimes it can even be completely omitted together with the corresponding installation effort and related sources of error.

Conclusion

Fully integrated small power units based on a completely innovative design approach for the performance range up to 4 kW provide machine and plant manufacturers with the advantages of hydraulic drives with very little space requirements. As an alternative to purely electrical solutions, the required energy can be converted into a linear movement in a precise and costeffective manner directly at the working area using a simple hydraulic cylinder. If sensor technology, frequency converter and data interface are integrated as well, users not only benefit from comprehensive condition monitoring but also from a significantly reduced control cabinet footprint or even from a design without control cabinet.
More information fully integrated power units: www.boschrexroth.com/cytropac

Operating principle: https://www.youtube.com/watch?v=sSPemS94G2I

cropped-cmafh-logo-with-tagline-caps.png

CMA/Flodyne/Hydradyne is an authorized Bosch Rexroth distributor in Illinois, Wisconsin, Iowa and Northern Indiana.

In addition to distribution, we design and fabricate complete engineered systems, including hydraulic power units, electrical control panels, pneumatic panels & aluminum framing. Our advanced components and system solutions are found in a wide variety of industrial applications such as wind energy, solar energy, process control and more.

Why Rexroth? Top Four Reasons to Choose Rexroth Drives & Controls

Todd Sharp, Motion Control Sales Manager, CMA/Flodyne/Hydradyne

CMA/Flodyne/Hydradyne is a leader in the design and commission of drive and control
systems for our customers for over 30 years, and one question that we often hear is “Why is Rexroth the best?”  There are many brands competing for the drive and control market, and here at CMAFH, we have working experience with most if not all of them. Our engineers program,  repair and upgrade many of the brands of control systems, and we have the ability to integrate any brand into our custom projects at our customer’s request. Having specialized in Bosch Rexroth products for many years, we understand the unique strengths of the product line.

Rexroth drives and controls can be differentiated from competing brands in four very distinct ways.

1. Product Breadth

The IndraDrive product family spans the power range from 100W to 4MW. This product family can operate as an open loop frequency drive/sensor less vector drive up to a multi-axis integrated motion and logic controller that can be either stand alone or drive resident. The IndraDrive product family also includes a cabinet free drive integrated motor. This entire IndraDrive product family is supported by the same software.Indradrive 2016 13187

  • Power range from 100W to 4MW
  • Range of technology from open loop V/F and sensor-less vector control to multi-axis integrated motion and logic control
  •  Integrated motion and logic control – controller or drive resident
  •  Cabinet free drive integrated motor

2. Connectivity

Rexroth’s drive and control platform supports all common communication buses including Ethernet I/P, EtherCAT, Profinet, SERCOS, CANopen, Powerlink, Profibus.
We can control 3rd party motors regardless of brand or type, and we can operate all common feedback types including TTL, 1vpp, Endat, Hiperface, SSI, resolver. Our drives are available with a 2nd encoder input with a 1MHZ input frequency. Our control supports all common machine programming languages like ladder, FB, ST, IL… plus all common IT and engineering languages like C#, C++, Java, Labview, Matlab.

  • Supports all common communication buses including, Ethernet I/P, EtherCAT, ProfiNet, SERCOS, CANopen, Keyvisual_inkl_Logos_w486Powerlink, Profibus
  • Controls all 3rd party motors regardless of brand or technology type
  • Operates all common feedback types (TTL, 1vpp, ENDAT, Hiperface, SSI, resolver) with drive based second encoder input with up to 1MHZ input frequency
  • Supports all common machine programming languages (ladder, FB, structured text, instruction list) plus all common IT and engineering type languages like C#, C++, Java, Labview, Matlab

3. Functionality

Whether it’s drive or controller based, Rexroth offers multi-zone tension control, vibration dampening/anti-slosh control, high speed registration control, advanced electronic camming and hydraulic control. We also support zoned safety control with safe torque off and full safe motion; controller or drive based. Yes, drive based safe motion control!

  • PMK2801_02R_WEBMulti -zone tension control
  • Vibration dampening/anti-slosh control
  • High speed registration control
  • Advanced electronic camming
  • Supports all common hydraulic functions
  • Integrated safe torque off and safe motion control

 

4. Support

Rexroth designs, engineers and manufactures all products they sell. All are standard and sold throughout the world. In the US, hundreds of local high-tech distributors are Rexroth trained and certified to provide full sales, service and application support.  Additionally, Rexroth maintains sales, service and application support facilities in every region of the US, plus scores more globally.

  •  All products are standard and sold throughout the world
  • Bosch Rexroth maintains sales, service and application support facilities in every region of the US and scores more globally
  • In the US hundreds of local high-tech distributors are Rexroth trained and certified to provide additional sales, service and application support

Bosch Rexroth_2012

Do you have questions about this post?  Please contact us:

About CMA/Flodyne/Hydradyne

cropped-cmafh-logo-with-tagline-caps.png

CMA/Flodyne/Hydradyne is an authorized  Bosch Rexroth distributor in Illinois, Wisconsin, Iowa and Northern Indiana.

In addition to distribution, we design and fabricate complete engineered systems, including hydraulic power units, electrical control panels, pneumatic panels & aluminum framing. Our advanced components and system solutions are found in a wide variety of industrial applications such as wind energy, solar energy, process control and more.

Resources:

Engineered Systems Capabilities

Shop for drives online

Indramat Repair Center

Rexroth Drives & Controls Training

Secure Protection from Attacks, Malicious Software and Unauthorized Access

Guest contributors: Gerrit Boysen and Mariam Coladonato, Phoenix Contact

High system availability is very important in process engineering, because ongoing processes must not be interrupted. A fence is a physical, easily identifiable safety measure to secure systems from unauthorized persons. In addition to such physical protections, implementing IT security practices is also becoming more important.

The current trend toward interconnectivity is driving the growing need for IT security in process engineering. Not only is there an increasing number of horizontal interconnections from one system to another, but also the field level is more connected to the office level. In addition, all levels are using more and more Ethernet components. The good news is that this interconnection increases efficiency and reduces costs. The downside of this, however, is that it also increases the risk that malicious software will quickly spread throughout all areas of a company.

In light of this information, process-engineering systems are repeatedly being threatened by new security gaps and a growing number of malicious programs. The computers and control systems used in industrial networks must have much more extensive protection from attacks, malicious software, and unauthorized access than they have so far (Figure 1).

Figure_1phoenixcon

Figure 1: The Process Analysis Center is protected by a firewall.

The security strategies used in conventional office IT, however, usually are not designed for industrial systems. Industrial networks require special protective measures. The IT systems used in production environments differ fundamentally from those used in office environments in four ways.

  1. Patches cannot typically be applied to industrial systems
  2. Industrial systems use special protocols such as OPC Classic, which are not used in the office world
  3. Large systems can have structurally identical modular assemblies with identical IP addresses
  4. Production systems often require different firewall rules and standards during maintenance and in the event of remote servicing

Office PCs usually have virus scanners that perform security updates at regular intervals. These measures do not normally work for industrial systems for a few reasons. Sometimes, the manufacturer of the operating systems or applications used in the industrial sector no longer provides security updates. In addition, test measures must be performed on industrial PCs before each operating system, antivirus software, or application update, and this cannot be done efficiently in terms of operation.

The use of specific industrial firewalls can protect these non-patchable systems against attacks from outside the network. To do this, hardware-based firewall appliances are connected between industrial PCs and outside networks. Another advantage of using external security hardware is that the system’s resources do not have to be used for security tasks (Figure 2).

Figure_2phoenixcon.jpg

Figure 2: Security example from the process industry.

Targeted restriction of network communications

With firewalls, the user can configure the protocols and ports that can be used to access the protected systems. This can prevent or at least limit the attempt of an attacker to gain access to the network through insecure ports. The Stateful Packet Inspection Firewall approach is an ideal way to manage these systems. This approach uses rules to filter incoming and outgoing data packets in both directions: from the outside to the protected internal network and vice versa. Based on the protocol, source addresses and ports and destination addresses and ports can be used to limit network communications selectively to a defined scope required for production. Here, the Connection Tracking function identifies the response packets on permitted connections and lets them through.

When selecting a suitable firewall, the engineer must ensure that the selected firewall understands any protocols used in the particular industry. Otherwise, reliable protection cannot be guaranteed. For example, office firewalls typically do not support industrial protocols such as OPC Classic, so they cannot provide appropriate protection for the application.

While conventional firewalls cannot reliably protect data traffic via OPC Classic, industrial variants – such as one with a license for OPC Inspector – can provide a suitable solution. The firewall checks the OPC Classic communications data packets and filters them precisely, based on Deep Packet Inspection. For this purpose, the Stateful Inspection principle is also applied to OPC Classic data. This means that the firewall identifies the port changes negotiated in the OPC Classic protocol and approves them dynamically. In this context, it inspects whether a port opened by OPC is used within a timeout period and whether the data traffic moving through this port corresponds to the OPC protocol. This method provides high-access security (Figure 3).

a_0065449

Figure 3: Deep Package Inspection in the OPC protocol.

Unique and clear mapping to virtual external networks

Complex production sequences are typically structured into networked, largely standalone cells. For an efficient design of the engineering, documentation, and cell operation, the use of identical IP addresses for all systems of a single type proves to be advantageous. If all communications are initiated from the internal cell networks, several identical systems can be connected with simple masquerading NAT (Network Address Translation) routers to the operator’s production network. If the higher level network also needs to establish a connection to the individual cell nodes, however, this solution is not sufficient, because the cell nodes cannot be addressed from the outside. In this case, the user requires a router that can map internal machine networks universally or selectively to unique virtual external networks using 1:1 NAT.

Because of this, an industrial firewall offers the so-called 1:1 NAT routing function, in addition to the pure NAT routing. OPC Inspector, mentioned above, allows this NAT function for the OPC Classic protocol. This sets it apart from conventional office firewalls and other industrial firewalls.

Event-controlled (de)activation of firewall rules

Different firewall rules and standards have advantages in different situations. This is because during production operation or maintenance and remote system servicing, different connections are allowed or forbidden. In practice, the user usually solves the problem by summarizing the various firewall requirements in a set of rules. This procedure inevitably lowers the level of security, because the firewall rules allow all connections required for the different operating states, even if they are not required for the current operation.

An industrial firewall solves the problem by implementing a Conditional Firewall. This function allows the firewall rules to be activated or deactivated depending on events. A variety of events – such as an externally connected button, switch, control window in a web interface, API command line, or establishing or disconnecting a VPN (Virtual Private Network) connection – can be selected to trigger a specific firewall rule (Figure 4).

Rexroth-BR_Catalog2 (1)

Figure 4: Secure remote access to the system.

Summary

The requirements placed on a firewall in a production zone are different from those in the office world. Therefore, using an industrial firewall with a NAT function can support the individual, simple segmentation of networks. This allows the Defense-in-Depth concept based on the ISA-99 and IEC 62443 international standards to be implemented even in systems using the OPC Classic protocol.