June 08, 2018
Opto 22
By Benson Hougland, Opto 22
Traditional industrial networking methods have proved workable but difficult to implement. The next generation of communication technologies may work to ease implementation while addressing security concerns.
Engineers and project managers are usually familiar with the “project triangle,” which illustrates constraints by showing “good,” “fast” and “cheap” as the triangle’s three points, with the caption, “Pick any two.” Typical project constraints make it impossible to achieve all three.
A similar concept applies to implementing industrial communications, but with “reliability,” “speed” and “security” as the triangle’s points. Good security often reduces speed, slowing data transfer rates and complicating implementation. Fast speeds may compromise reliability and security. Reliable network configurations often do not produce high-performance installations.
Even with recent advances in Ethernet and industry protocols, many in the automation field have resigned themselves to the continuing challenges of industrial communications and simply accept these constraints.
Challenges are especially high for systems with geographically widespread sites, which often rely on tenuous network links. Even where standard technologies can be made to work, they require coordinating several technical groups. Finally, the added load of industrial communications may burden the company’s network infrastructure, especially with the advent of big data and the increased traffic associated with it.
Fortunately, next-generation technologies and improved methods are becoming available to address these issues. Together, these technologies help achieve secure, fast and reliable industrial communications.
Industrial communications solutions make sense only when they provide value in terms of improved business performance. Smart sensors, intelligent devices and control systems contain a wealth of information. When you can successfully interconnect them and access this information, you benefit in many ways.
Monitoring energy usage, keeping an eye on equipment performance and identifying trends are all examples of ways data can help a company operate more efficiently. Users would prefer to concentrate more on improving performance and increasing uptime, and less on travelling to research problems in the field.
Unfortunately, industrial automation systems have historically been plagued with limited connectivity and proprietary protocols. These are issues engineers have struggled to overcome, especially as companies have incorporated newer packaged equipment and automation systems, often leaving islands of automation that do not interact with each other.
So, the first hurdle in value creation depends on establishing effective communications. Technologies and methods that lead to reliable, fast and secure networking let you focus on the newly available data, not the means of obtaining it.
Reliability Comes First
Today’s networking landscape is better than it has ever been, certainly for industrial systems. Commercial off-the-shelf (COTS) Ethernet and wireless networking, based on consumer-driven technologies, are exceptionally fast, reliable and economical—and are well understood by many users. Communication protocols are relatively open, with a handful of widely used versions, and with options available for more specialized needs. This hardware and software is not only easy to use, but also reliable.
Operations technology (OT) personnel have traditionally engineered their own control and connection solutions for the PLC and sensor devices they used, since the means and methods were often unique to these systems. The introduction of COTS networking elements is a good thing for many reasons, but since a company’s existing Ethernet infrastructure is often leveraged to provide a solution, new issues can arise.
Nowadays, it is quite common for business information technology (IT) personnel to become involved with OT networks. Coordinating basic network connections within a site is rarely an issue. However, for more advanced configurations with multiple networks and remote sites accessed over the internet, IT support becomes much more critical.
The most common way to implement secure remote connections is by establishing a virtual private network (VPN) link between locations. This is a good technical solution, but it is relatively difficult to create and maintain. Complexity like this tends to reduce reliability.
Because typical firewalls reject incoming communication but allow outgoing communication, an attractive option is to select devices and protocols capable of working with only outbound connections. In this case, the remote device initiates an outbound conversation to achieve the communication link (Figure 1).
Figure 1, Acme Ovens: The publish-subscribe model depicted in this diagram initiates all communications as outbound connections, maintaining security while avoiding IT complications.
As a result, OT is in control again, with a reliable solution that minimizes required IT involvement. Not only that, but this approach is modular and scalable because smart devices can easily be added into the system as they become available.
Race car teams are always on the lookout for improvements to provide more horsepower and speed. Similarly, the technical community implementing industrial communications certainly welcomes newer technologies and standards that promote faster networking speeds, but simply increasing speed isn’t always necessary.
For slowly changing data sources, such as a level in a large tank, oversampling makes no sense. For quickly changing data, overly aggressive communications where they are not needed can overload and bog down a network, preventing other data from being quickly transferred. This is especially critical since many extended industrial networks are in locations or use products that offer limited bandwidth. Therefore, for industrial applications, “fast enough” is often the best goal.
When balancing communications speed versus network loading, there are two major network communication models to consider. The more typical model is called request-response, in which a client requests data from a server, which then responds. The client is usually a supervisory PC, while the servers are commonly remote PLCs or smart devices. Request-response systems continually poll for new data.
A different model called publish-subscribe often offers better performance for common industrial applications. In this model there is a central server called a broker. Any associated clients may publish data to the broker and may also subscribe to data handled by the broker.
Publish-subscribe systems minimize network usage since clients only publish data when it changes (also known as report by exception). One open-source publish-subscribe protocol is message queuing telemetry transport (MQTT), developed specifically to be lightweight and resilient over low-bandwidth networks.
The differences between request-response and publish-subscribe become apparent when network connectivity is depicted pictorially (Figure 2). In its most basic form, request-response demands that all clients constantly interact with all servers, heavily loading the network regardless of whether data is changing. In contrast, publish-subscribe minimizes network loading by following a “just enough” philosophy of transferring data only as it changes.
Figure 2, MQTT Diagram: The request-response model shown at left is a reliable but brute-force approach where everything talks with everything, imposing network burdens. The next-generation publish-subscribe model on the right is a more elegant method using a centralized broker, which can handle heavy traffic without burdening the network.
Another issue with request-response is its requirement for access through firewalls at all servers, which as noted previously takes considerable effort to implement and maintain. In contrast, publish-subscribe can use outbound communications initiated by each client, which avoids firewall and VPN concerns. Applications using the data are effectively decoupled from the devices providing the data. This model can be far easier to implement and also offers security advantages.
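As an added illustration of the difference described above (this is not code from the article or from Opto 22), the following Python simulation counts the messages carried on a device's network link under both models, using a constructed tank-level series and an assumed poll period, client count and report-by-exception deadband:

```python
from dataclasses import dataclass


@dataclass
class Sample:
    t: int          # seconds since start of the constructed run
    level: float    # tank level in percent


def polling_messages(samples, poll_period, n_clients):
    """Request-response: every client polls the device once per period,
    changed or not; each poll is one request plus one response."""
    duration = samples[-1].t - samples[0].t
    polls = duration // poll_period + 1
    return 2 * polls * n_clients


def rbe_messages(samples, deadband):
    """Publish-subscribe with report by exception: the device publishes
    to the broker only when the level has moved more than `deadband`
    from the last value it published. Subscribers are fed by the broker,
    so the device's (often low-bandwidth) link carries one PUBLISH per change."""
    published = 0
    last = None
    for s in samples:
        if last is None or abs(s.level - last) > deadband:
            published += 1
            last = s.level
    return published


def tank_level(i):
    """Constructed tank level: flat at 50 %, then two fill steps, with
    +/-0.1 % sensor noise on alternate samples (assumed values)."""
    base = 50.0 if i < 20 else 60.0 if i < 40 else 70.0
    return base + (0.1 if i % 2 else -0.1)


# Constructed data: one sample every 10 s for 10 minutes.
SAMPLES = [Sample(t=10 * i, level=tank_level(i)) for i in range(60)]


def compare(poll_period=10, n_clients=3, deadband=0.5):
    """Messages on the device link over the run for each model."""
    return {"polling": polling_messages(SAMPLES, poll_period, n_clients),
            "rbe": rbe_messages(SAMPLES, deadband)}


if __name__ == "__main__":
    print(compare())   # {'polling': 360, 'rbe': 3}
```

Tightening the deadband toward the sensor noise floor makes report by exception degrade toward polling-level traffic, which is why the deadband should be chosen from the process, not the sensor.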
On the surface, it seems obvious that integrating many smart devices talking to each other is inherently less secure than operating individual smart device islands. Creating so many pathways opens many more avenues for attackers. The solution lies in a layered approach addressing the physical network, the transport protocols and the applications.
From a physical standpoint, either VPNs or outbound connection schemes satisfy best practices of maintaining device security and overall network security. But the outbound connection model provides a simple way to ensure that only configured devices initiate communications, without having to involve IT personnel. The existing network infrastructure and firewalls remain in place and administered by IT, while the OT elements maintain access to an on-site or cloud-located broker/server.
The next layer, the transport protocol level, should always take advantage of the industry standard Transport Layer Security (TLS). TLS provides authentication and data encryption and is the same method used for online banking and payment gateways. TLS helps ensure that no outside entities can intercept or affect communications between the client and the broker.
For the publish/subscribe model, MQTT offers an additional level of security. Users can establish client identifiers and login credentials, which the broker uses to authenticate the client connections. It is even possible for the data payloads transferred using MQTT to also be encrypted.
In many ways, industrial communication security efforts also enhance underlying network reliability and data integrity. Implementing security does tax performance, since additional data and transactions must be processed to establish each secure connection. This penalty is minimized by the fact that the physical, transport and application layers have standard and efficient provisions to ensure proper security.
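To make the transport and application layers concrete, here is an added Python example (not Opto 22's code and not from any MQTT library) that builds a raw MQTT 3.1.1 CONNECT packet, showing that the client identifier and login credentials travel as plain length-prefixed strings, and then builds the TLS context that should wrap that outbound broker connection. The client ID, username, password and CA file name are constructed assumptions.

```python
import ssl


def mqtt_string(s: str) -> bytes:
    """MQTT UTF-8 string: two-byte big-endian length, then the bytes."""
    data = s.encode("utf-8")
    return len(data).to_bytes(2, "big") + data


def remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 bits per byte, 0x80 = more follows."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | (0x80 if n else 0))
        if not n:
            return bytes(out)


def build_connect(client_id: str, username: str, password: str,
                  keepalive: int = 60) -> bytes:
    """MQTT 3.1.1 CONNECT: clean session, no will, username + password set.
    Nothing here is encrypted; without TLS the broker credentials are
    readable by anyone on the path between client and broker."""
    flags = 0x80 | 0x40 | 0x02                 # username, password, clean session
    variable_header = (mqtt_string("MQTT") + bytes([4, flags])
                       + keepalive.to_bytes(2, "big"))
    payload = (mqtt_string(client_id) + mqtt_string(username)
               + mqtt_string(password))
    body = variable_header + payload
    return bytes([0x10]) + remaining_length(len(body)) + body


def broker_tls_context(ca_file=None) -> ssl.SSLContext:
    """Client-side TLS context for the outbound broker connection: verify
    the broker certificate (against ca_file, or the system store when
    None), check the host name, and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    # Constructed credentials for a hypothetical oven controller.
    pkt = build_connect("acme-oven-01", "oven", "s3cret")
    print(pkt.hex(" "))              # the password bytes are plainly visible
    ctx = broker_tls_context()       # in practice: broker_tls_context("site-ca.pem")
    print(ctx.minimum_version, ctx.verify_mode)
    # Then: ctx.wrap_socket(sock, server_hostname=broker_host) before sending pkt
```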
A Purpose-Built Solution
Industrial automation engineers have recently benefitted from the improved power and interoperability of open-standards hardware and software networking technologies. While many companies have gotten by until now with “islands of automation,” the exploding availability of IIoT instruments and other smart devices delivers more potentially valuable data than ever before if these islands are connected. With this in mind, many companies are looking at ways to improve their automation interconnections to produce more, save resources and make their personnel more efficient.
Next-generation communications work to address these issues by providing a careful balance among reliability, speed and security—often achievable using standard or open-source networking. Some automation manufacturers are releasing products that have these capabilities built in, for example, Opto 22’s groov EPIC (edge programmable industrial controller, Figure 3). Incorporating this type of controller in your automation system provides a scalable way to take advantage of next-gen communications.
Figure 3, groov EPIC: This groov EPIC from Opto 22 has the required capabilities built in, allowing it to act as a hub for a next-generation communications infrastructure.
About the Author
With 30 years’ experience in IT and industrial automation, Benson Hougland drives strategy for Opto 22 products connecting the real world to computer networks in his role as Vice President, Marketing and Product Strategy. Benson speaks at trade shows and conferences, including IBM Think, ARC Forum and ISA. His 2014 TEDx Talk introduces non-technical people to the IoT. Benson can be reached at firstname.lastname@example.org