Auto Manufacturer Looks to Scalable Solution for Increased Network Security and Performance

VPN routers save money and allow plant floor personnel to maintain and control access to their automation systems.

Productivity pinch points always prevent processes from moving forward, regardless of whether the issues are related to workflow, product flow, or information flow. This is especially true when a plant floor control system doesn’t keep pace with advancements in industrial networking technology and modern manufacturing information systems.

This was the case with one Detroit area automotive manufacturer that sought to upgrade its control network to improve performance, reliability, and security. There were conflicting network schemes, costly individual network drops for each PLC, and frequent network storms. A solution was needed to address existing issues with a network that could be configured and maintained by plant floor personnel.

The importance of network security is rapidly increasing throughout many industries, and the automotive industry is no different. To maintain tight security, this manufacturer’s IT department wanted to retain some measure of control. Specific network security concerns included viruses, unauthorized PLC access, and the potential for unwanted remote PLC code changes.

Not only did the auto manufacturer require a user-configurable and maintainable solution, it also wanted to maintain isolation between the plant and company networks. The network solution also had to limit the number of Ethernet drops, permit zone-to-zone communication, and restrict communications to only the plant-to-IT direction. To meet these requirements, the company chose a flexible, economical, and user-friendly routing and firewall device that suited both plant floor engineering and IT.

Network Architecture Evolution

The plant floor is where products are made and work happens. The company manufactures components for some of its vehicle brands at this plant. Workflow is strategically divided into zones that contain combinations of Auto Stations, Manual Stations, and Test Stands.

Auto Stations are composed of an HMI, PLC I/O, RFID readers, motor drives, nutrunners, robots, cameras, and/or other Profinet- or Ethernet-enabled devices. As the name implies, automated assembly work is performed within an Auto Station using various types of CNCs, robots, and other machines. Nutrunners are a type of assembly tool driven either by servo motors or pneumatically. Many have torque measurement and torque limiting capabilities. Manual Stations are similar to Auto Stations, but don’t have drives or robots because operators assemble parts by hand within these stations. Test Stands don’t contain HMIs, drives, or robots.

The original plant floor network architecture didn’t connect to the company-wide network and the IT department didn’t manage it. In this architecture, a peer-to-peer Ethernet network connected the entire plant PLC population. This caused a host of problems, including a peer-to-peer PLC network that didn’t connect to main company network; no support from IT for the plant floor network; frequent network storms; different departments applying different network strategies; network security concerns, including viruses, unauthorized PLC access, and remote PLC code changes; and increased costs due to separate network drops per PLC.

The plant’s second-generation network architecture was a step up because communications from the plant floor to IT was added. But this interim solution wasn’t optimal, as it required all the PLCs to directly communicate with servers on the IT company network. The direct communication raised technical issues and blurred lines of responsibility between the plant floor and IT. This interim solution also required a second Ethernet port to be added to each PLC in the form of an expensive Ethernet communications processor. The resulting network used the first Ethernet port for peer-to-peer communications among the PLCs, and the second port for direct communication to IT.

An Innovative Design

To address its network issues, the auto maker decided on an innovative network design using a common family of network security products that could accommodate all its applications. A PLC at each station or stand connects to a managed switch using the controller’s built-in Ethernet port. Depending on the function of the station, the managed switch is linked via Ethernet to other devices, including HMIs, RFID readers, safety components, and cameras.

Each zone accommodates up to 48 stations and/or stands. A lower-level managed switch at each station connects to a higher-level managed switch for its zone, so there is one higher-level managed switch per zone. This switch connects to a VPN router module, all of which connect to the Secondary Distribution Router (SDR).

The SDR manages the data flow from all the zones connected to it, and connects to the Main Distribution Frame (MDF). The MDF connects to the company-wide Ethernet backbone and IT network.

The VPN router modules and all plant floor components comprise the Controls Production Network (CPN) that is configured and maintained by plant floor personnel. Components above the CPN (i.e., in the IT network) are called the Manufacturing Production Network and are configured and maintained by IT. Thus, the VPN router modules are the line of demarcation between the plant floor and IT networks. As such, these modules are the key component in implementing the new network scheme.

Powerful New Advantages

Using the VPN routers within this new network architecture provides a host of benefits, including:

• A common product family that allows applications to be scaled as necessary
• Firewall capabilities within the VPN routers, reducing the number of devices needed
• Fewer device-type spares that need to be stocked
• Common devices that allow parts sharing among plants
• Product reliability and built-in diagnostics that increase uptime
• Minimizing Ethernet drops that reduce network traffic, project costs, and required maintenance
• Facilitating the transition of IT and control engineering departments from internal competitors to internal solution partners

The new network eliminated the need for an expensive communications processor at each PLC. At $1,000 per communications processor, this represented significant savings.

The VPN routers enable the IT network to have direct access to the PLCs, but only to pull information up to IT. No communication is allowed from IT to the plant floor, eliminating the possible crossover of viruses and other cyber threats.

The VPN routers include a network address translation (NAT) feature that allows network IP address modification, remapping, and/or reuse. The CPN contains many PLCs and other Ethernet-enabled devices; assigning each one a unique IP address wasn’t an optimal solution.

With NAT enabled, specific address ranges can be reused on different zones that aren’t connected to each other directly. The only PLCs that are assigned a unique or static IP address are those connected to the company network. The NAT feature of the VPN security modules provides the necessary translation between the static and dynamic IP addresses.

The VPN routers allow plant floor personnel to control what the company IT network can see on the plant floor. They also enable plant floor personnel to limit exactly what devices can be connected to the plant floor network. The VPN routers prevent the company network from flooding the CPN with broadcast messages, as well as CPN traffic not relevant to IT from infiltrating the company network.

Secure Solution Partners

One of the primary goals of the automotive manufacturer was to obtain a common network security solution scalable for all its applications. The company also required a network security device that the plant could maintain. Although the company’s goals were focused, strategies for reaching these goals differed between the IT and manufacturing departments.

One of the disagreements concerned internal ownership and control of the Ethernet network. The vendor project manager convinced the automotive company that it could save money by departmental partnering on the security solution. IT could still be involved with security management, but it wouldn’t have to provide 24/7 support.

Additionally, the IT department came to realize the importance of security when it comes to keeping a plant running. IT networks can tolerate occasional downtime, but must never lose critical data related to certain key financial and other parameters. Put another way, not being able to process payments to suppliers for a few hours isn’t critical, but losing data concerning how much is owed to which supplier would be disastrous.

IT users are somewhat tolerant of slow access speeds and response times, and networks are designed accordingly. IT users must also have access to the outside world via email and the Internet. On the other hand, manufacturing networks must maintain uptime and response times at all costs. Lost data isn’t a show stopper, and access to the outside world isn’t normally required; in fact, it must be severely restricted or eliminated to maintain security.

Recognizing these differences led IT and manufacturing to create essentially two networks, the CPN and the Manufacturing Production Network. The VPN routers are the point where these two networks connect, making these components critical to the entire network scheme.

Reaching a common ground via the VPN routers created clear dividing lines for IT and manufacturing regarding their respective responsibilities. It also allowed them to determine what is and is not allowed regarding plant floor to IT communications. Designing the networks as described above allowed the control system professionals within manufacturing to become responsible for plant network security, with IT monitoring their activities via the VPN routers. IT and manufacturing partnered in this solution, whereas previously they were internal competitors. The use of the VPN router was a key component in this partnership.

Security is now determined between the departments, and manufacturing retains responsibility for maintaining the physical hardware in the CPN, including the VPN routers. The new network architecture helped IT and manufacturing transition from internal competitors to solution partners.

Have an Inquiry for Siemens about this article? Click Here >>