Key points
The Increase in Data Requirements
One of the biggest trends, if not the biggest trend, in automated systems over recent years is the requirement for more data. Not just the quantity of data has increased, but also the quality of data. With this data companies can:
- Improve Efficiency
- Prove Compliance
- Minimise Downtime
- Empower the supply chain to work in a more unified manner.
With this increase in data comes an increase in requirements in 3 fundamental areas. The data must be generated, moved, and collated. A 4th element has also risen rapidly to prominence, data must be secured.
2 Wires. The Standard for Generating Data
Historically, data has been generated by sensors. As automation has moved forward, more complex pieces of kit have also generated data, but the vast majority of data comes from sensors. Traditionally, these sensors have communicated over 2 wires. Even as more data has become necessary, 2 wire systems still dominate the industry due to this historical precedence and ease of retrofit. Going from simple systems to more complex systems we have:
- 4-20mA – A single signal, transferred over a current lop.
- HART – A Hybrid protocol where digital data is superimposed over an analogue signal providing further data and diagnostics from a single sensor.
- PROFIBUS PA – A variant of PROFIBUS DP which supplies Data and power supplied over a single cable.
As well as other bus systems such as PROFIBUS DP, Modbus RTU and Foundation Fieldbus. But as with all these solutions the data requirements are beginning to exceed the limits of current 2-wire systems.
Moving Data From 2-wires to Ethernet
With these increasing Data requirements, manufacturers and users are exploring how these 2-wire systems can be moved to a more Ethernet based structure. Both in terms of hardware and also the data structure going forward.
For example, Ethernet APL (Advanced Physical Layer) is seen as a potential standard, which could be used to replace PROFIBUS PA, HART and any other 2-wire systems. It is a technology that allows Ethernet communication over 2 wires instead of 4 or 8 wires with intrinsic safety in the hazardous environment. It does this by combining the IEEE 802.3g standard for 10 Base-T1L communication with the IEC TS 60079-47 standard for 2 wire Intrinsically safe installations. Ethernet APL could be used to communicate over Ethernet based Fieldbuses such as PROFINET or Ethernet IP directly to the sensor or device.
Other elements for legacy systems, such as Gateways for PROFIBUS PA / PROFINET, HART IP allow for legacy devices to also take advantage of the Ethernet architecture.
Formatting Data, the Drive to Standardising Data Collation
With more data available, standards that are independent of the transmission medium / protocol are also being proposed and formalised. Data needs to be available, not just up the automation pyramid, but also at a wider range at the same level. These information models (such as the Namur Open Architecture (NOA)) can then be used on existing brownfield systems and new greenfield systems to facilitate a standard data layout. This makes data easier to handle and process when it comes from multiple sources.
Moving the Data Securely
With all this data moving via Ethernet, and wider connectivity of systems. Security must now be seen as a high priority. Whether upgrading existing systems or planning new systems, design consideration must be given to responsible access of data. Without this many potential problems can be generated, such as:
- Plant downtime – due to security issues, production must be stopped for hours or days.
- Ransomware – Production is blocked as Data is encrypted. Do you pay the costs of recovery, or rebuild the production process and hardware?
- Loss of Data – Cost of data recovery.
- Leakage of Know How – Quantify what your IP is worth.
- Reputational Damage – What is the price of your partners and customer trust.
To achieve security, a holistic approach is necessary: An adequate security concept must include the technology used, defined processes, and the people involved, i.e., it must specify both technological and organisational measures.
Many but not all threats can be defended against with appropriate technical measures. These technical measures must be supplemented by organizational measures that address personnel, procedures, policies, and practices. From the systemic point of view, further requirements and interfaces arise regarding the following:
- Network architecture of the automation solution
- Configuration of the automation solution
- User account management
- Certificate management
- Firewall settings management
- Device and patch management
- Remote Maintenance
Standardising Data Security
With regard to security standards to apply, a distinction must be made between different types of technology or networks:
- IT Information Technology Office (accounting, sales, management, …).
Here, the ISO 27001 standard for the plant owner is typically applied. - “Intermediate Layer” Factory Backbone (inventory management etc.).
Enterprise Resource Planning (ERP) or Product Lifecycle Management (PLM) domain, no classic automation.
Here, the ISO 27001 standard is typically applied. - OT Operational Technology Production area / Factory Floor with its machines and plants (ICS).
Here, the IEC 62443 standard is typically applied.
Security matters to automation systems, but how do you determine if a product or system is secure? Taking the IEC 62443 standard as an example, it specifies the processes and functions required to develop secure systems. It describes three roles (operator, integrator, and manufacturer) and defines the necessary measures. For all roles, security by design proves to be an essential condition:
- Role 1: Manufacturer or Product Supplier. With respect to the devices used to build automation infrastructures and systems.
- Role 2: System Integrator. As a system integrator, you are responsible for the standard-compliant integration and commissioning of components and systems involved into an automation solution.
- Role 3: Operator or Application/System Owner. As an application owner/operator, you are responsible for implementing and following the standard-compliant policies, capabilities, and procedures that secure the operation and maintenance of the automation solution on-site.
Other industry / national security specifications can be applied, and a few are listed in the table below. However, the international standard IEC 62443 is the only one with a cross-industry approach, addressing all participants in the value chain and enabling certification procedures.
| Standard | Target Group | Main Purpose | Focus |
|---|---|---|---|
| BDEW White Paper | Device/component manufacturers,system integrators | Security requirements for suppliers | Renewable Energy, Water |
| WIB Security Standard | Device/component manufacturers,system integrators | Device/component manufacturer certification | Oil & Gas |
| ISO/IEC 27019 | Asset owners,plant operators | IT security for Control Systems | Energy |
| NIST 800-82 | Asset owners,plant operators | Technical security recommendations | USA |
| NERC CIP | Asset owners,plant operators | Increasing reliability of energy supply infrastructure | USA, Canada |
| IEC 62443 | Device/component manufacturers,system integrators,plant operators | Requirements for secure products, secure solutions, and secure operation | General Industry Sector |
Increasing Data Requirements, Increased Responsibilities
As we can see this drive to increase the data collected from a process is driving not just a change in the hardware requirement for plant and monitoring systems. But also increasing the emphasis on standard data interfaces and especially the need to consider data security at the design stage, rather than at integration. However newer technologies and recent standard can be combined to safely bring this requirement to fruition.
