In recent years, the generation of data to create ever better transparency and control of production has become a decisive competitive factor. IIoT has also contributed to more manufacturing systems being connected to IT or cloud systems. This places higher demands on access security, which Phoenix Contact meets with the Secure Edge Box.
The solutions used for data acquisition usually have different interfaces, and support different communication protocols. In addition, exceptions must be set in the rules of the IT firewalls so that each of the systems can reach the individual peers. This makes the systems confusing and difficult to administer. Furthermore, the risk of a cyberattack increases because there are too many uncontrolled and open access points to the company and its production area. In addition, the diversity of the solutions requires a high level of expertise from employees in order to parameterise and maintain the systems. For this task, it may be necessary to call on external help – be it from other company locations or from the application experts of the respective manufacturers. For this purpose, a standardised and secure remote connection to the peer must be set up. At best, a secure edge interface is established between manufacturing and other networks. To support users, Phoenix Contact offers a Secure Edge Box that solves the above challenges.
Signal light for checking VPN connections
Protecting production against attacks and sabotage should be a top priority in every company. Controlling incoming and outgoing data traffic and dividing the network into small areas (network segmentation) can prevent, or at least make it more difficult for malware to infect and spread. This task is performed by the Secure Edge Box. An industrial firewall router – the mGuard firewall – separates the lower-level network from the rest of manufacturing. In addition, incoming and outgoing data traffic can be limited by firewall rules. The user can either enter the rules directly in the device via a web interface, or manage and transfer them centrally – even for several mGuard firewalls in groups – using the mGuard Device Manager tool.
All devices in the separate area can be accessed via a VPN connection if required. The establishment of the VPN connection is controlled and monitored directly via a switch on the Secure Edge Box. In this way, employees in production always have control over whether someone is connecting remotely to the area, machine or system. A signal light on the top of the box is also used for monitoring, which visually indicates the status of the VPN connection setting.
Additional security settings via a managed switch
There is a second switch on the front of the box that controls the DMZ (demilitarised zone) port of the firewall router. The service technician on site is granted access to certain devices in the area via this port. Only the devices to which the service technician must have access can be reached via the subnet of the DMZ port. Another digital input on the firewall router is used to query the door switch. If the control cabinet door is opened and there is a potential risk of tampering on site, the mGuard firewall can send an alert to a configurable receiver.
A managed switch with 16 ports from the powerful FL mGuard 2000 series is used for networking in this area. Additional security settings can be made when configuring the switches. These range from user administration, with adjustable password complexity and detailed port access configurations, to authentication on a RADIUS (Remote Authentication Dial-In User Service) or LDAP (Lightweight Directory Access Protocol) server. Adding up to three more switches to the control cabinet creates additional connection options. The connections for the power supply are already preinstalled.
Edge PC for data acquisition and forwarding to a cloud
The edge PC with PLCnext Runtime that is installed in the Secure Edge Box can be upgraded via the PLCnext Store or remotely via Proficloud, and can take on many tasks. The PLCnext Store is the digital marketplace of the PLCnext Technology open ecosystem, from which users can download apps and function blocks onto their PLCnext Control. Two approaches can be realised by using the edge PC. First, it is possible to implement purely local data acquisition with visualisation and anomaly detection. In this way, for example, energy data or analogue sensor data is transmitted to the edge PC via MQTT or OPC UA. The user can then store the data in a database and use the open source application, Grafana, to display it in a clear, hierarchical and target group-oriented manner.
With the second approach, the data is forwarded to an online hosted cloud. In this case, the edge PC normalises the data, compresses it, and stores it temporarily if the online connection is not available. By using the graphical development tool Node-Red, the user can also access numerous open source libraries to process the data between these steps. This means that communication can be implemented with almost all systems, as their adaptation in Node-Red ensures the necessary compatibility.
To increase the availability of the data, both approaches can be used in parallel so that the user can access the data even if there is no online connection. Additional apps for detecting data anomalies can be installed on the edge PC via the PLCnext Store. Learned signal sequences are monitored by the software, and corresponding messages are generated. Regulatory intervention in the process is also possible.
Ready-made, functionally extendable control cabinet solution
The Secure Edge Box can be ordered as a ready-made control cabinet solution. In addition to CE marking, it complies with the UL 508A standard. Due to the space available, the box can be functionally extended, for example with additional switches or other components. The user simply specifies the devices when placing the order. The main switch and the operating elements for controlling the VPN tunnel and the DMZ port are located on the front of the box. The signal tower, which indicates an active VPN connection, is mounted on the top of the control cabinet. Up to 60 cables can be fed into the box from the bottom using a cable entry system. The user only needs to supply them with power and a network on site. Then the solution is ready for use.
The Secure Edge Box can be used to secure a network area in order to protect production against cyberattacks. To this end, incoming and outgoing data traffic is controlled and restricted. The integrated edge functionality allows data to be received, processed and forwarded – both locally and in the cloud.
| Tel: | +27 11 801 8200 |
| Email: | sbritz@phoenixcontact.co.za |
| www: | www.phoenixcontact.co.za |
| Articles: | More information and articles about Phoenix Contact |
© Technews Publishing (Pty) Ltd | All Rights Reserved
printer friendly version