
Working Remotely to Stop Coronavirus

Companies using Skkynet software and services expect high security for their data communications. They know they can stop computer viruses by keeping all inbound firewall ports closed. Now, with the coronavirus looming large, we must do pretty much the same thing in real life. We need to keep our distance and stay behind physical walls as much as possible. And yet work must go on. The data must get through. We need to work remotely, if possible.

The problem is, logging in remotely can be risky. Typically, you need to expose your servers via the web or a VPN, and that’s a risk that our industrial control customers cannot take. They need tighter security, to access their process data without exposing the process servers and networks. Skkynet’s unique tunnelling technology provides this kind of secure access. It lets users securely push data from their plants to our SkkyHub service, where they can access it in real time, all without opening firewalls to the outside world.

A Helping Hand

We are now offering this service at no cost to help our customers weather the coronavirus storm. For the next three months any DataHub user can connect to SkkyHub free of charge. A simple tunnel connection provides a way to access data remotely, even through DMZs and proxies. The SkkyHub service includes a web-based interface, SkkyHub WebView, that lets people build dashboards to access their data and interact with their systems from home. Those who are new to WebView can quickly get up to speed, designing pages through its web interface.  With SkkyHub, users can view and operate their control systems remotely as quickly and easily as being right in the control room.

Let’s face it. These are not easy times. Some factories have been forced to shut down, and restarting will be difficult, as Matthew Littlefield at LNS Research explains in this blog, Closing Factories is Hard, Re-Opening will be Harder. Remote access can alleviate these problems to some degree, but it must be reliable and above all, secure.

In another blog, Coronavirus Lessons for Industrial Cybersecurity: Quarantines, Sid Snitkin at ARC Advisory Group compares quarantines for coronavirus to securing industrial systems, and suggests, “Use DMZs, firewalls, zero-trust access control, anti-malware software, awareness training, and security hygiene to reduce the likelihood of an initial compromise.” He also recommends system segmentation to limit lateral movement of viruses, continuous device and system monitoring, and strengthening tools to prevent future attacks.

Doesn’t that sound a little like social distancing, washing hands, not travelling, and keeping our immune systems strong? The social structures we have developed throughout history and the technical systems we have built recently are not as different as we might imagine. They both can serve us well, but we need to protect them and keep them, like ourselves, in good health.

Case Study: Siemens, Denmark

Integrating OPC servers and data from high-security facility

In a recent data integration project, Siemens engineers in Copenhagen, Denmark were able to connect equipment and instrumentation running in a high-security facility to a remote monitoring location, using the Cogent DataHub®. The goal was to allow technicians access to the machines they needed to work on, without breaching security or permitting any non-authorized personnel on site.

At first the project promised to be a typical OPC application. The main objective was to connect a chiller unit with an OPC server running at a secure facility to two SCADA systems at a monitoring station, each enabled as an OPC client. However, it soon became apparent that there would be some problems with networking. OPC networking depends on DCOM, which at the best of times can be difficult to configure and slow to reconnect after a network break. To make matters worse, the OPC server provided by the chiller manufacturer was not up to the task.

“This particular OPC server has some strange behaviors,” said Carsten Barsballe, the project leader. “It won’t run as a service, and it won’t allow remote connections using DCOM, because when you disconnect, you are not able to reconnect. So we decided to encapsulate it in the DataHub.” Carsten installed a DataHub on the same machine as the chiller’s OPC server, and configured it to run as a service, causing it to connect whenever the system starts. This allows him to use the DataHub for all OPC client connections.

At the monitoring facility, Carsten discovered another potential setback. His SCADA systems were not able to connect remotely to an OPC server. They required a local OPC connection, so Carsten decided to use the tunnelling capabilities of the DataHub. He installed two more DataHubs, one on each SCADA system machine, and configured connections across the network to the first DataHub. His SCADA systems each connected to their local DataHub, and the data link was complete. Technicians could now view data from the high-security facility from the safe distance of the monitoring location.

“The two SCADA systems are separate from the chiller unit, but fully connected in real-time, so technicians can work on them as they are used to,” said Carsten. “This is a way to keep people from touching things they don’t know about. We have lots of people working at all hours, and now there is no need for them to be onsite at any time.”

With the chiller system up and running, Carsten plans to integrate more data sources into the system. They have a few UPS (uninterruptible power supply) units with SNMP connectivity that they need to monitor, and by adding an SNMP-OPC server, the data from these will be brought into the DataHub. After that, they will also attach an OPC server for several meter-reading input devices. All of this data will then be sent across to the SCADA systems, and made available to the service people who need access to it.

“The DataHub is running very well,” said Carsten. “We do a lot of this kind of data integration, and there will be other projects. Now we have a good feeling for this product. We have chosen the right solution.”

Case Study: Kimberly-Clark, Switzerland

Networking control and video systems for quality control using the Cogent DataHub

The Kimberly-Clark production facility in Niederbipp, Switzerland, is the leading tissue paper producer for Switzerland and Austria, supplying Hakle, Tela, Scott, Kleenex, and other popular brands of tissues for consumers throughout Europe.

In a recent upgrade to their video-based quality control system, Kimberly-Clark needed to connect their existing ABB QCS (Quality Control System) to a new, state-of-the-art Viconsys Process and Quality Vision System, to ensure the highest quality product. For implementation, they contacted Logic Park, an engineering and system integration company located near Thun, Switzerland.

“This project was a little unusual,” said Bruno Maurer, Head of Solutions at Logic Park. “The two systems had to be connected across a network. But each system was protected by a firewall, and each offered only an OPC server interface for data connections. We had to bridge these two OPC servers, passing the data across the network. Using DCOM for networking was out of the question, because it would open too many ports in the firewalls, and it is difficult to configure. What we needed was a way to tunnel the data across the network, and bridge the OPC servers at either end of the tunnel.”

To achieve these goals, Bruno turned to the Cogent DataHub®, which offers both OPC tunneling and bridging in a single, integrated product. He installed one DataHub on the same machine as the ABB QCS system, and connected it to that OPC server.

He then installed a second DataHub on the Viconsys computer, and connected it to the Viconsys OPC server. Then he configured the OPC tunnel, and was able to see both sets of data on both DataHubs. From there, it was a straightforward task to configure the necessary bridges to write data from one OPC server to the other OPC server. He had a test connection running in several hours, and within a few days the new system was completely functional.

“The DataHub worked very well for this project,” said Bruno. “Taken by itself, the OPC tunnel is robust and secure. Combined with OPC bridging, the DataHub has given us a complete and reliable way to network real-time data.”

Case Study: ABB Energy Automation, Italy

Secure OPC tunnelling between power plants and company offices

In two recent projects, Italy’s ABB Energy Automation has developed a control solution that feeds data from power plant facilities directly to corporate offices – in real time – using the Cogent DataHub®. A key requirement was to provide a highly secure means of data transmission, with minimal risk of break-ins. The DataHub tunnelling solution establishes a secure, reliable connection between the power plant and corporate networks.

ABB Energy Automation implements software and control systems for power plants to ensure that equipment operates at optimum speed and efficiency. For this project, it became clear that several Italian power companies would benefit substantially by monitoring the performance of the plant directly from the company offices. Mr. Michele Mannucci, ABB Project Engineer, began looking for a way to make the connection, using the most reliable and secure means available.

“Customers are very sensitive about security these days since they need to exchange information on the web,” he said. “We had OPC DA servers on our equipment, but found that using DCOM for networking was too risky. It required us to open too many ports in our firewalls. We had to find a way to avoid using DCOM.”

A search on the web brought Mr. Mannucci to the DataHub. For the first test, he connected the DataHub to the plant’s DigiVis Freelance 2000 OPC server, and then connected to an OPC client, tunnelling through the plant firewall using just one open port. With that working, he installed another DataHub on the corporate network, and then created a mirroring connection between the two DataHubs.

For the production system, the company decided to use ABB’s own proprietary OPC server on the secure LAN in the plant, and connect that to the DataHub. From the DataHub the data flows out through a single port on the plant firewall via SSL-encrypted TCP to a DataHub in the corporate offices, which is connected to the corporate LAN. The two DataHubs mirror the data, so that every data change on the plant LAN is immediately received on the corporate LAN.

“For us, this OPC tunnel is very good, because we only need to open one port, and we are secure from DCOM break-ins,” said Mannucci. “We are considering installing this same solution in our top plants.”

It took only a few days for Mannucci to go from initial testing to a working system in the first power plant. The second system was up and running in a similar time frame. Both systems have been running 24/7 since installation, with no breaches in security.

Case Study: TEVA API Pharmaceuticals, Hungary

TEVA combines tunnelling and aggregation to network OPC data through a firewall

Laszlo Simon is the Engineering Manager for the TEVA API plant in Debrecen, Hungary. He had a project that sounded simple enough: connect new control applications through several OPC stations to an existing SCADA network. The plant was already running large YOKOGAWA DCS and GE PLC control systems, connected to a number of distributed SCADA workstations. However, Mr. Simon did face a couple of interesting challenges in this project:

  • The OPC servers and SCADA systems were on different computers, separated by a company firewall. This makes it extremely difficult to connect OPC over a network, because of the complexities of configuring DCOM and Windows security permissions.
  • Each SCADA system needed to access data from all of the new OPC server stations. This meant Mr. Simon needed a way to aggregate data from all the OPC stations into a single common data set.

After searching the web, Mr. Simon downloaded and installed the DataHub®. Very quickly he had connected the DataHub to his OPC servers and determined that he was reading live process data from TEVA’s new control systems. He was also able to easily set up the OPC tunnelling link between the OPC server stations and the SCADA workstations, by simply installing another DataHub on the SCADA computer and configuring it to connect to the OPC server stations.

“I wanted to reduce and simplify the communication over the network because of our firewall. It was very easy with the DataHub,” said Mr. Simon after the system was up and running. Currently about 7,000 points are being transferred across the network, in real-time. “In the future, the additional integration of the existing or new OPC servers will be with the DataHub.”

Case Study: Mukhaizna Oil Field, Oman

Optimizing OPC connections with the DataHub

In 2005 the Sultanate of Oman issued a Royal Decree to develop the giant Mukhaizna oil field covering a vast expanse of desert in the center and south of the country. A major worldwide producer of oil, natural gas, and chemicals was given responsibility for developing the Mukhaizna field, and from 2005 to 2008 oil recovery rates were increased by more than 600% through the use of a steam-assisted gravity drainage process. As each year goes by, the company makes every effort to continuously upgrade technology and improve productivity of the field.

Eight separate production facilities in the Mukhaizna oil field are using Rockwell PLCs, linked to Iconics HMI/SCADA systems for data visualization and operator control. This data collection and distribution mechanism worked well when first implemented, but as the number of data points increased over time it became clear to the project engineers that they needed a way to improve performance. So they began to look for a way to streamline the data flow. The solution they found not only performed well, but it created other, significant opportunities for real-time data integration.


At each of the eight locations, Rockwell PLCs are connected to an Iconics Genesis32 HMI through an OPC server. The TOP Server OPC server from Software Toolbox (Cogent’s Sales and Technical Partner) gathers data from as many as 20 PLCs, and feeds that to the HMI. As new equipment was brought online, the number of tags in the system approached 30,000, which is normally not a problem for TOP Server. But something was clearly different with this system and it became apparent that some sort of optimization was necessary.

Optimization

The problem was that the HMI was forcing the TOP Server to make device reads, which bypassed TOP Server’s optimization at the device level. Device reads by an OPC client are intended to cause the OPC server to get the information and reply back to the OPC client before doing anything else. While these types of calls are useful in critical situations, all communication optimization has to be done through full system design. The HMI was also requesting updates on groups of OPC tags as it needed them, but these groups were often in a different logical order than how the data points were represented on the PLC. The combined effect was forcing the TOP Server to make more requests for smaller amounts of data, slowing the data-gathering process.

“The OPC server seemed to be dying under the load,” said Juan Munoz, Project Manager for the Mukhaizna oil field project. “Even at rates as low as once per second, it was difficult to scan 30,000 tags, and get the critical data changes that we needed.” Based on his experience with the TOP Server in other projects, Mr. Munoz knew the server itself was not the issue, so he searched the Software Toolbox website for a solution and found the Cogent DataHub®.

The DataHub, developed by Cogent Real-Time Systems (a subsidiary of Skkynet), is a highly optimized data integration tool. It is a memory resident real-time database that provides quick, reliable and secure access to valuable process data and makes it available to other production and management systems, database archives, and remote clients.

Once he started configuring the DataHub, Mr. Munoz soon realized how it could solve his data flow problem. Acting as an OPC client to TOP Server, the DataHub can request data based on tag value changes (referred to as “asynchronous advise”). This means that instead of 30,000 tags per second, TOP Server only sends data for a tag when it changes value. It is free to poll the devices in the most efficient way, always keeping the DataHub up to date with the latest data values. The DataHub keeps all the latest tag values in memory, and can efficiently send them to the HMI on each poll.

“The DataHub effectively decouples the OPC server from the client,” said Mr. Munoz. “All the load is on the DataHub’s shoulders now, and the performance is much better.” The TOP Server is now free to optimize the communications to the device while the DataHub protects it from device reads. This has relieved the company from having to redesign their HMI and PLC configurations from the ground up, saving them tens of thousands of dollars in engineering and development work.
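The decoupling described above can be shown with a small simulation. This is an added example in Python, not DataHub or TOP Server code; the class names, the 150 changes per scan and the five scans are assumptions chosen for illustration, while the 30,000-tag count comes from the case study.

```python
import random


class DeviceServer:
    """Stand-in for an OPC server (hypothetical class, not a real OPC API)."""

    def __init__(self, tags):
        self.values = dict.fromkeys(tags, 0)
        self.subscribers = []
        self.device_reads = 0      # synchronous reads forced by a client
        self.change_messages = 0   # change notifications sent to subscribers

    def device_read(self, tag):
        # A forced read: the server must go to the device before replying.
        self.device_reads += 1
        return self.values[tag]

    def advise(self, callback):
        # Subscribe to value changes ("asynchronous advise").
        self.subscribers.append(callback)

    def scan(self, new_values):
        # The server polls devices in its own order and publishes only changes.
        for tag, value in new_values.items():
            if self.values[tag] != value:
                self.values[tag] = value
                for notify in self.subscribers:
                    self.change_messages += 1
                    notify(tag, value)


class HubCache:
    """Stand-in for the hub: keeps the latest values in memory for client polls."""

    def __init__(self, server):
        self.latest = dict(server.values)   # initial snapshot
        server.advise(self._on_change)

    def _on_change(self, tag, value):
        self.latest[tag] = value

    def poll(self, tags):
        # Client polls are answered from memory; the server is not touched.
        return {t: self.latest[t] for t in tags}


def simulate(n_tags=30000, scans=5, changes_per_scan=150, seed=1):
    rng = random.Random(seed)
    tags = [f"tag{i}" for i in range(n_tags)]

    # Direct case: the HMI forces a device read of every tag on every scan.
    direct = DeviceServer(tags)
    for _ in range(scans):
        for t in tags:
            direct.device_read(t)

    # Decoupled case: the hub subscribes once, the HMI polls the hub.
    server = DeviceServer(tags)
    hub = HubCache(server)
    consistent = True
    for s in range(1, scans + 1):
        server.scan({t: s for t in rng.sample(tags, changes_per_scan)})
        consistent = consistent and hub.poll(tags) == server.values
    return {
        "direct_device_reads": direct.device_reads,
        "hub_device_reads": server.device_reads,
        "change_messages": server.change_messages,
        "hub_consistent": consistent,
    }
```
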

When he was satisfied with the results at the first location, Mr. Munoz began installing the DataHub at the seven other facilities. He experienced a similar performance boost, and at the same time created a new data integration opportunity. He now had most of the pieces in place to bring all of the live production data to a central location, using OPC tunnelling.

OPC tunnelling

OPC tunnelling is a reliable and secure way to connect OPC servers and clients over a network. OPC DA uses DCOM for networking, which is difficult to configure, does not respond well to network breaks, and can pose significant security risks. The DataHub mirrors data from OPC servers and clients over TCP, which is a more robust protocol for networking.

To implement OPC tunnelling, Mr. Munoz installed another DataHub on a Windows server at the Mukhaizna oil field central office. After configuring tunnelling connections between that DataHub and the remote DataHubs, he was able to access the data from all eight field locations as a single, common data set, without putting any more load on his control system. This data could now be logged and shared at the management level of the company.

Using the DataHub’s database interface, Mr. Munoz configured connections to OSIsoft PI and SQL Server databases, to record production data at the remote sites and at the central office. Historical records and reports are now available through standard tools such as SQL and Crystal Reports. Mr. Munoz also configured an OPC connection from the central DataHub to an Iconics Web HMI to give managers access to the live data from all of the eight field sites. Operators, on the other hand, continue to control the processes from the HMIs running at the remote locations.

Among the critical information that operators and management need to monitor is the available memory and status of programs running at each field location. The company was able to achieve this by configuring the DataHub’s System Monitor feature, which allowed Mr. Munoz to add points that monitor the available computer memory and status of the OPC server running at each remote location. This data is accessed locally by operators, and is also tunnelled back to the central DataHub, so it can be viewed by users of the Web HMI on the management network.

“The DataHub is very easy to use,” said Mr. Munoz. “In fact, at a recent training session we showed some other people at the company what we are doing, and they are very impressed.”

Redundancy

The most recent project that Mr. Munoz has decided to tackle with the DataHub is to implement redundancy. To provide increased availability, the company has installed an additional OPC server at some locations. Working with Win Worrall, Product Support Engineer and Developer at Software Toolbox, Mr. Munoz has implemented redundancy in the DataHub to monitor the quality of the data coming from the local OPC server.

If the quality of an indicator changes to “Bad” or “Not Connected” on the primary OPC server, DataHub immediately switches to the redundant OPC server and continues collecting data from there. Although this is currently undergoing testing before being implemented in the production facility, Mr. Munoz reports that there is no data loss during the switchover, and that the performance is very reliable.
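The switchover rule above, sketched as an added example in Python (not the DataHub's own redundancy code). It assumes a hot standby whose values are tracked continuously, no automatic switch back, and a constructed event list; the quality strings "Bad" and "Not Connected" are the ones named in the text.

```python
GOOD = "Good"
FAILED = {"Bad", "Not Connected"}   # qualities that trigger a switchover


class RedundantPair:
    """Tracks two sources and serves reads from whichever one is active."""

    def __init__(self):
        self.active = "primary"
        self.latest = {"primary": {}, "standby": {}}   # tag -> (value, quality)
        self.switches = []   # (event number, from, to, reason)
        self.seq = 0

    def update(self, source, tag, value, quality):
        self.seq += 1
        self.latest[source][tag] = (value, quality)
        if source == self.active and quality in FAILED:
            self._fail_over(f"{tag} quality {quality!r} on {source}")

    def _fail_over(self, reason):
        other = "standby" if self.active == "primary" else "primary"
        # Switch only if the other source holds good data; otherwise stay put
        # and let the failed quality be reported to the reader.
        if any(q == GOOD for _, q in self.latest[other].values()):
            self.switches.append((self.seq, self.active, other, reason))
            self.active = other

    def read(self, tag):
        return self.latest[self.active].get(tag, (None, "Not Connected"))


# Constructed sample events: (source, tag, value, quality)
SAMPLE_EVENTS = [
    ("primary", "flow", 10.0, GOOD),
    ("standby", "flow", 10.0, GOOD),
    ("primary", "flow", 10.5, GOOD),
    ("standby", "flow", 10.5, GOOD),
    ("primary", "flow", None, "Not Connected"),   # primary server drops out
    ("standby", "flow", 11.0, GOOD),
]


def run_demo(events=SAMPLE_EVENTS):
    pair = RedundantPair()
    seen = []
    for source, tag, value, quality in events:
        pair.update(source, tag, value, quality)
        seen.append(pair.read("flow"))   # what a client would see after each event
    return pair, seen


def both_failed_demo():
    # Edge case: no good standby data, so the failed quality must stay visible.
    pair = RedundantPair()
    pair.update("primary", "flow", None, "Bad")
    return pair.active, pair.read("flow")
```
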

Scripting

To gain maximum value from the DataHub, Mr. Munoz has developed a working knowledge of the DataHub Scripting feature. “The scripting language did take a little time to learn, but it is very useful for the types of scripts we need to use. We can develop scripts quickly now, because the language is object oriented.”

Starting with a demo script from the DataHub archive, Mr. Munoz has been able to access data from a legacy UNIX system and make it available through OPC. To access the data, Mr. Munoz wrote a DataHub script to read a CSV file every minute and write the values to points in the DataHub. Because the DataHub is also an OPC server, this allows points from the UNIX system to be presented as OPC tags to the HMI system.

“I am impressed with how quickly Juan has picked up the scripting,” said Mr. Worrall. “In fact, he’s pretty good at getting the most out of the DataHub in just about every way.” “We are very grateful to Win and the overall support from Software Toolbox on this project,” said Mr. Munoz. “We haven’t found many problems. In all aspects, the DataHub is performing very well.”

————
Software Toolbox and TOP Server are trademarks of Software Toolbox, Inc. Other product names, brand names and company names mentioned in this publication may be trademarks of their respective owners.