Kepware OPC UA Network configuration upgrade


Applied Projects Engineering completed an OPC Server upgrade in which all PLC devices using Kepware were reconfigured to use OPC UA as part of a cyber security upgrade project. The site was fitted with multiple pieces of equipment which exclusively used S7 300, S7 1200 and S7 1500 PLCs as the basis of control. A survey of the Automation network was completed with recommendations for the client. A new network architecture was agreed, along with the relevant Hardware / Software Configuration specifications, which detailed changes to PLC – OPC Server settings. All completed changes were fully tested and validated to ensure the system operated as expected in a qualified state.

Example Site Automation and Information Systems Architecture

 

Understanding the need for this Upgrade

The retrieval of data from industrial controllers forms the basis of modern process analysis for automated manufacturing equipment. In a typical automation infrastructure, middleware OPC Server applications such as Kepware are used to transfer production values of significance between the production instrumentation and Automation systems such as an HMI – SCADA – DCS – Data Historian – MES etc.

Cyber security is well established in IT infrastructure projects; however, the focus on cyber security in automation infrastructure is far more niche. When a PC – Server based application speaks to another PC – Server based application on a separate piece of hardware, the range of security settings in modern operating systems is extensive. Legacy Automation logic controllers (PLCs) do not have adequate protection mechanisms in place, meaning that the software cannot protect itself from an external instruction when connected to a network. Malware designed to explore a network for PLCs and then to explore for variable/parameter lists does exist.

Typical PLC in a cabinet which is the source of equipment control - Instrument Signal Analysis

 

Open Drivers

The core of the problem is the use of well-established drivers which are open for analysis by malware. The more pressing issue is that the malware can modify a parameter such as a recipe set point in a piece of equipment. Legacy PLCs cannot defend themselves when using the traditional communication drivers. There is no way to know whether an instruction has come from a DCS, an HMI or a malware program hidden somewhere on the network.

OPC Server Options

When a device is created in an OPC Server program such as Kepware, the communication method is selected. In the case of a Siemens PLC, the typical TCP/IP Ethernet option is selected. This requires the PLC to be fitted with an internal Ethernet port or an additional Ethernet card. Access to the OPC Server may have encryption - authorisation options; however, those options are simply not available in the older PLCs. The most common workaround has been to provide protection through segregation of the Automation Network in terms of physical access to network systems.

Kepware with an OPC UA channel and not simply an OPC Server interface

 

Modern PLC configuration options and Legacy Drivers

The use of modern PLCs with the legacy communication drivers is common practice due to the reliability of established methods and the comfort Automation engineers have in using them. Due to this comfort, the configuration on the modern PLC is often left open, with no authorisation required to access tags while the production system runs live.

Options exist for security settings including authorised user accounts, OPC Server Tag specific interfaces, whitelists for specific IP addresses, OPC UA certificates and more defined code protection with change control. These modern security options exist due to experience over time and should be used where possible.
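On the OPC UA side, the result of these settings can be checked by auditing the endpoints a server advertises. The following is an added example, not code from Applied Projects Engineering or Kepware; the endpoint dictionary layout, host name and port are assumptions, while the security mode names, user token types and policy URIs are those defined by the OPC UA specification.

```python
"""Audit advertised OPC UA endpoints for weak security settings."""

POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"
# SHA-1 era policies that the OPC Foundation has deprecated.
DEPRECATED_POLICIES = {"Basic128Rsa15", "Basic256"}

# Constructed sample data; the dict layout is an assumption for this example.
SAMPLE_ENDPOINTS = [
    {"url": "opc.tcp://opc-server.example:4840",
     "mode": "None", "policy": POLICY_PREFIX + "None",
     "user_tokens": ["Anonymous"]},
    {"url": "opc.tcp://opc-server.example:4840",
     "mode": "Sign", "policy": POLICY_PREFIX + "Basic256",
     "user_tokens": ["UserName"]},
    {"url": "opc.tcp://opc-server.example:4840",
     "mode": "SignAndEncrypt", "policy": POLICY_PREFIX + "Basic256Sha256",
     "user_tokens": ["UserName", "Certificate"]},
]


def audit_endpoint(ep):
    """Return a list of findings for one endpoint (empty list = acceptable)."""
    findings = []
    policy = ep["policy"].split("#")[-1]
    if ep["mode"] == "None" or policy == "None":
        findings.append("no message security: traffic is unsigned and unencrypted")
    elif policy in DEPRECATED_POLICIES:
        findings.append(f"deprecated security policy: {policy}")
    if ep["mode"] == "Sign":
        findings.append("sign only: tag values are readable on the wire")
    if "Anonymous" in ep["user_tokens"]:
        findings.append("anonymous sessions accepted: no user account required")
    return findings


def audit(endpoints):
    """Map 'url [mode/policy]' to its findings, keeping only weak endpoints."""
    report = {}
    for ep in endpoints:
        findings = audit_endpoint(ep)
        if findings:
            key = f'{ep["url"]} [{ep["mode"]}/{ep["policy"].split("#")[-1]}]'
            report[key] = findings
    return report


if __name__ == "__main__":
    for endpoint, findings in audit(SAMPLE_ENDPOINTS).items():
        print(endpoint, *findings, sep="\n  - ")
```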

An S7-300 which cannot use the OPC UA method of communication directly

 

Non OPC UA enabled applications

Some external applications, such as data logging database software interfaces, rely on the legacy drivers. If the interface only supports the traditional TCP/IP Ethernet communication for an S7 PLC, for example, pressure should ideally be placed on the software vendor to update to a more secure medium. The workaround here is to ensure the local network switch configuration only allows a specific device to interact with the PLC, which minimises the risk through segregation.
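Whether the switch restriction actually holds can be verified from flow records collected on the automation network. The following is an added example, not code from the original page; the IP addresses, the allowlist and the three-field flow format are constructed assumptions, and TCP port 102 is the ISO-on-TCP port used by the legacy S7 driver.

```python
"""Check flow records against a per-PLC allowlist for the legacy S7 port."""
import ipaddress

S7_PORT = 102  # ISO-on-TCP (RFC 1006), used by the legacy Siemens S7 driver

# Assumption: hosts permitted to reach each PLC (all addresses are constructed).
ALLOWLIST = {
    "10.10.1.20": {"10.10.1.5"},               # S7-300  <- OPC server only
    "10.10.1.21": {"10.10.1.5", "10.10.1.6"},  # S7-1200 <- OPC server, data logger
}

# Constructed sample flow export: "src dst dst_port", one record per line.
SAMPLE_FLOWS = """\
10.10.1.5 10.10.1.20 102
10.10.1.6 10.10.1.21 102
10.10.3.77 10.10.1.20 102
10.10.1.6 10.10.1.20 102
10.10.3.77 10.10.1.5 4840
"""


def parse_flows(text):
    """Yield (src, dst, port) tuples, skipping blank or malformed records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        src, dst, port = parts
        # ip_address() raises ValueError on a bad address instead of passing it on.
        yield str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)), int(port)


def check_flows(text, allowlist=ALLOWLIST):
    """Return (violations, unused): S7 flows from hosts not on the allowlist,
    and allowlist entries never observed (candidates for removal)."""
    violations, seen = [], set()
    for src, dst, port in parse_flows(text):
        if port != S7_PORT or dst not in allowlist:
            continue  # only S7 traffic towards a known PLC is in scope
        if src in allowlist[dst]:
            seen.add((src, dst))
        else:
            violations.append((src, dst))
    unused = sorted((s, d) for d, srcs in allowlist.items() for s in srcs
                    if (s, d) not in seen)
    return violations, unused


if __name__ == "__main__":
    print(check_flows(SAMPLE_FLOWS))
```

A non-empty violations list means the switch rule is missing or ineffective for that PLC; unused entries point to allowlist rules that can be tightened.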

Example OPC UA IO Map

 

Required Documentation and Validation needs

Configuration changes can have a highly negative impact if completed without sufficient thought. A concept survey report should always be completed to act as a forum for agreement when assessing the impact of change. The basics are to define which applications use data from each PLC and then which documents hold configuration detail for communication. The report should allow approval of a strategy, which is then outlined in further detail in a validation plan. Design documentation updates and specific test installation and Qualification Protocols need to be created with multiple approvals. The core goal of the validation process in this upgrade is to focus on the important areas being considered so that the updates do not stop any system from continuing to operate as expected.

For details, reach out to - contact@appliedprojectsengineering.com

 
