FuB LineIntegration PDINetwork V2.2 en

Industrial Communication in Food & Beverage
Plant Network Structure
Siemens Industry Online Support
https://support.industry.siemens.com/cs/ww/en/view/109476976
Legal information
Use of application examples
Application examples illustrate the solution of automation tasks through an interaction of several
components in the form of text, graphics and/or software modules. The application examples are
a free service by Siemens AG and/or a subsidiary of Siemens AG ("Siemens"). They are
non-binding and make no claim to completeness or functionality regarding configuration and
equipment. The application examples merely offer help with typical tasks; they do not constitute
customer-specific solutions. You yourself are responsible for the proper and safe operation of the
products in accordance with applicable regulations and must also check the function of the
respective application example and customize it for your system.
Siemens grants you the non-exclusive, non-sublicensable and non-transferable right to have the
application examples used by technically trained personnel. Any change to the application
examples is your responsibility. Sharing the application examples with third parties or copying the
application examples or excerpts thereof is permitted only in combination with your own products.
The application examples are not required to undergo the customary tests and quality inspections
of a chargeable product; they may have functional and performance defects as well as errors. It is
your responsibility to use them in such a manner that any malfunctions that may occur do not
result in property damage or injury to persons.

Disclaimer of liability
Siemens shall not assume any liability, for any legal reason whatsoever, including, without
limitation, liability for the usability, availability, completeness and freedom from defects of the
application examples as well as for related information, configuration and performance data and
any damage caused thereby. This shall not apply in cases of mandatory liability, for example
under the German Product Liability Act, or in cases of intent, gross negligence, or culpable loss of
life, bodily injury or damage to health, non-compliance with a guarantee, fraudulent
non-disclosure of a defect, or culpable breach of material contractual obligations. Claims for
damages arising from a breach of material contractual obligations shall however be limited to the
foreseeable damage typical of the type of agreement, unless liability arises from intent or gross
negligence or is based on loss of life, bodily injury or damage to health. The foregoing provisions
do not imply any change in the burden of proof to your detriment. You shall indemnify Siemens
against existing or future claims of third parties in this connection except where Siemens is
mandatorily liable.
By using the application examples you acknowledge that Siemens cannot be held liable for any
damage beyond the liability provisions described.

© Siemens AG 2019 All rights reserved

Other information
Siemens reserves the right to make changes to the application examples at any time without
notice. In case of discrepancies between the suggestions in the application examples and other
Siemens publications such as catalogs, the content of the other documentation shall have
precedence.
The Siemens terms of use (https://support.industry.siemens.com) shall also apply.

Security information
Siemens provides products and solutions with Industrial Security functions that support the secure
operation of plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is necessary
to implement – and continuously maintain – a holistic, state-of-the-art industrial security concept.
Siemens’ products and solutions constitute one element of such a concept.
Customers are responsible for preventing unauthorized access to their plants, systems, machines
and networks. Such systems, machines and components should only be connected to an
enterprise network or the Internet if and to the extent such a connection is necessary and only
when appropriate security measures (e.g. firewalls and/or network segmentation) are in place.
For additional information on industrial security measures that may be implemented, please visit
https://www.siemens.com/industrialsecurity.
Siemens’ products and solutions undergo continuous development to make them more secure.
Siemens strongly recommends that product updates are applied as soon as they are available
and that the latest product versions are used. Use of product versions that are no longer
supported, and failure to apply the latest updates may increase customer’s exposure to cyber
threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed
at: https://www.siemens.com/industrialsecurity.

Plant Network Structure
Entry-ID: 109476976, V2.2, 06/2019

Table of contents
Legal information ......................................................................................................... 2
1 Industrial Communication in Food and Beverage Industry .......................... 5
2 Driver for an industrial network concept ........................................................ 8
2.1.1 High availability .................................................................................... 9
2.1.2 Robustness ........................................................................................ 10
2.1.3 Flexibility ............................................................................................. 10
2.1.4 Security – network security and access control ................................. 10
2.1.5 Moving units ....................................................................................... 11
2.1.6 Safety – plant and operational safety ................................................. 11
2.1.7 Determinism ....................................................................................... 12
3 General industrial network standards ........................................................... 13
3.1 Industrial Ethernet .............................................................................. 16
3.2 PROFINET ......................................................................................... 18
3.3 Field Device Bus Systems.................................................................. 22
3.4 Industrial Wireless Communication .................................................... 23
4 Standards for specific requirements ............................................................. 24
4.1 Siemens redundancy technology ....................................................... 24
4.1.1 High Speed Redundancy Protocol (HRP) .......................................... 24
4.1.2 Standby-Connection ........................................................................... 25
4.1.3 Passive Listening (with PROFINET 2.2) ............................................ 26
4.1.4 RSTP+ ................................................................................................ 28
4.2 Generic redundancy technology ........................................................ 29
4.2.1 Media redundancy protocol IEC 62439-2 (MRP) ............................... 29
4.2.2 MRP Interconnections IEC 62439-2 ................................................... 29
4.2.3 Media Redundancy with Planned Duplication of Frames (MRPD) ............ 30
4.2.4 Parallel Redundancy Protocol (PRP – IEC 62439-3) ......................... 31
4.2.5 High available Seamless Redundancy protocol (HSR - IEC 62439-3) ...... 32
4.3 Network Address Translation (NAT) .................................................. 33
5 Network topologies ......................................................................................... 35
5.1 Design of shop floor networks ............................................................ 35
5.2 Segmentation ..................................................................................... 36
5.3 Industrial Backbone layer ................................................................... 37
5.3.1 Office/enterprise connection to production ......................................... 37
5.3.2 DMZ (demilitarized zone) ................................................................... 41
5.4 Aggregation layer ............................................................................... 42
5.5 Cell or machine layer .......................................................................... 43
5.5.1 Simple machine group ........................................................................ 44
5.5.2 Complex machine ............................................................................... 45
5.5.3 Redundant topology ........................................................................... 46
5.5.4 Diagnosis possibilities for machine topologies .............................. 46
6 Remote Access ................................................................................................ 50
6.1 VPN Tunnel ........................................................................................ 50
6.2 cRSP .................................................................................................. 51
6.3 SINEMA Remote Connect.................................................................. 52
6.3.1 Jump Host Application with SINEMA Remote Connect ..................... 53
7 Security in Industrial Networks ...................................................................... 55
7.1 Service portfolio for Security .............................................................. 56

7.1.1 Assessing security.............................................................................. 56
7.1.2 Implementing security ........................................................................ 56
7.1.3 Managing security .............................................................................. 57
8 Products and Services for Industrial Networks ........................................... 58
8.1 Network components .......................................................................... 58
8.2 Network software support................................................................... 59
8.2.1 SINETPLAN (Siemens Network Planner) .......................................... 60
8.2.2 PRONETA .......................................................................................... 62
8.2.3 SINEC NMS ....................................................................................... 63
8.3 Services portfolio for industrial networks............................................ 64
8.4 Industrial Networks Education ............................................................ 65
9 References ....................................................................................................... 66
10 Glossary ........................................................................................................... 69
10.1 Abbreviations ...................................................................................... 69
10.2 Links and literature ............................................................................. 70
10.3 Change documentation ...................................................................... 70

1 Industrial Communication in Food and Beverage Industry
As things are, there is still substantial room for improvement in the food & beverage
industries. This includes increasing operational efficiency and effectiveness of
existing and planned new production facilities, among other issues.
An essential contribution to this will be provided by the integrated linking of
production lines and machines from the inbound of raw material to production,
packaging up to the outgoing goods, as well as the consistent recording of
production parameters like quantities, machine time, etc. It will be possible to collect
data across all areas of the production facility and have it analyzed by IT or even
cloud-based systems, to enable the derivation of sustainable improvement
measures.
Today this can be very time-consuming, because machines and components of
different manufacturers must be linked and the collected data must be
synchronized. Therefore, a plant-wide network concept from Siemens AG includes
the horizontal integration from incoming goods across food processing and food
packaging areas to outgoing goods and storage and vertical integration from
machine level, supervisory systems, MES (Manufacturing Execution System) up to
office IT. This concept describes different layers such as industrial backbone and
aggregation, and cell/machine level. The dimensioning of the layers can vary
according to the size of the plant.

Brief description of the architecture


The following figure shows an overview of a possible campus network in which
both the classic IT infrastructure, including intranet, Internet, and the datacenter are
illustrated schematically, as well as the connection to the industrial infrastructure.
When looking at the picture, it is noticeable that some network components are
shown on a gray background (core layer). These components are not the focus of
the industrial network components but are part of the standard IT infrastructure of a
location.

[Figure 1 (diagram): office network with core layer (WAN router, core, external firewall/IDS, Internet), joined by an L3 connection to the industrial network; industrial backbone layer (Backbone 1..n, industrial datacenter with servers), distribution/aggregation layer (Aggregation 1-1, 1-2 ... 1-n, with standby feature and sync between the pair), and access/cell layer (Cell 1-1-1 ... 1-2-n) in line, ring and tree/star cell topologies; layers are connected by L3 connections]

Figure 1: Production network as basis for reliable automation and digitalization systems in Food & Beverage

Having been a trusted partner by electrifying and automating several industrial plants worldwide,
Siemens is now a trusted partner for Digitalization, striving to be the pioneer within this new age
of production, whether in the discrete or process industries.
Digitalization is already changing, and will continue to change in the near future, every aspect
of our customers' business, and the right communication networks are the basis for this.
Enterprise and production networks look completely different, but are still connected with a
defined interface. We want to connect these two “worlds” while making sure that the
requirements of each are met.
Looking at the figure above, the suggested way is to establish a production network to create a
structured and reliable platform to support different communication needs. The production cell
level is already responsible for production. The industrial backbone level is also an integral part
of the production network and, in collaboration and alignment with IT, serves as the interface to
interconnect production with the enterprise network.
IT and production have to agree about the need to fulfill the automation requirements in order to
ensure that the production runs 24/7. The suggested way is to have a defined backbone for the
industrial side. The production cells are often managed by automation experts who are familiar
with the requirements in the OT space. But now, with the need for more and more communication
based on Ethernet, for access to this data from anywhere in the world, and to connect different
production lines, the need for full IT involvement is growing.

Why a dedicated communication network within responsibility of production?

We need to make sure that this whole network, and the horizontal M2M communication that is
required, is fully managed and still meets all the requirements of the automation/OT space.
In this way, even if there is a failure in the evening, for example at 11:00 pm, someone capable
of solving the issue is available without having to wait for several hours until IT, under an SLA
agreement, arrives on site.
Co-operation on an equal footing, a clear communication channel and a defined interface are
necessary. “We invite you to a dialogue with IT.”

Figure 2: Digitalization results in a closer connection between IT and OT

2 Driver for an industrial network concept


Conventional network technologies and components are designed to support office
IT (Information Technology) networks, which are used in the daily business of a
company. They are the backbone of any office environment and enable shared
office printers, e-mail, external internet access, and VoIP services. A service
interruption may have financial implications, but not in terms of health, safety or the
environment.
In stark contrast, industrial communication technologies and components are
designed to be used in extremely harsh environments and support critical
applications. In this case, a service interruption in an industrial network can have
severe financial implications and bring an entire operation to a grinding halt.
IT (Information Technology) and OT (Operational Technology) networks look
completely different, but still have to be connected with a defined interface. We
want to connect these two worlds, but we still want to make sure that we meet the
requirements of each. For example, in production networks, a high availability is
necessary to ensure an up-time of 99% or more e.g. by redundancy structures. On
the other hand, in the office environment, user experiences via reliable delivery of
business-critical apps play a key role. In IT, transparency is essential for getting
end-to-end user, device and application visibility while in OT, transparency enables
visibility of industrial processes. In both worlds (IT and OT) cybersecurity plays a
key role, with the aim of securing users, devices, applications and the production
environment from cyber-attacks.

Figure 3: Not all things are alike – There are differences between both worlds

Against this backdrop, there are many stringent customer requirements for an
industrial network. In particular, the safety of a plant and its particular requirements
relating to functionality and flexibility must be taken into account. With the
increasing communication between office and production networks, additional
security measures are unavoidable to achieve a suitable security level for the plant
components. A consensus must be found between user-friendliness, flexibility, and
compatibility of a production network on the one hand and the security and
protection on the other hand. This consensus can be achieved with network
components specially developed for the industrial environment. They must provide
functionality that ensures smooth operation of a production plant and nevertheless
allows reliable and secure network communication.

The following subchapters deal with typical customer requirements to give a clear
picture of the production-related requirements; a brief overview is given here:

Figure 4: Industrial Networks have critical requirements which need to be addressed

2.1.1 High availability

High availability is an absolute necessity for a production plant and if this is not the case,
economic and other damage can result for a company. For this reason, when operating a
production plant, availability must be ensured. This can be achieved, for example, by setting up
the components redundantly. In particular for a production network, this means that network
connections must be designed redundantly and be operable and activated in case of
errors/faults. In addition to having redundant devices, there are special network protocols which
allow redundancy in a network.

Figure 5: High Availability
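As an added illustration of why redundant paths are the usual answer to the availability requirement described above, the following Python model (written for this edition, not part of the Siemens document) compares a single chain of network devices with two independent chains of the same length. The per-device availability of 99.5 %, the chain length of five hops and the 99 % target are constructed assumptions, not values from the document.

```python
# Added example (not part of the Siemens application example): a small
# availability model showing the effect the passage above describes, namely
# that redundant network paths raise availability. All numbers below are
# constructed assumptions for illustration, not measured values.
from typing import Sequence, Tuple

MINUTES_PER_YEAR = 365 * 24 * 60


def series_availability(parts: Sequence[float]) -> float:
    """Availability of a path that only works when every component on it works
    (a non-redundant chain of switches and links)."""
    result = 1.0
    for a in parts:
        result *= a
    return result


def parallel_availability(paths: Sequence[float]) -> float:
    """Availability of a service reachable over several independent paths: it is
    down only when all paths are down at the same time. Assumes the paths fail
    independently; shared power or a shared cable duct breaks that assumption."""
    all_down = 1.0
    for a in paths:
        all_down *= (1.0 - a)
    return 1.0 - all_down


def downtime_minutes_per_year(availability: float) -> float:
    """Expected unplanned downtime implied by an availability figure."""
    return (1.0 - availability) * MINUTES_PER_YEAR


def compare_topologies(device_availability: float, hops: int) -> Tuple[float, float]:
    """Single chain of `hops` devices versus two independent chains of the same
    length (the effect a ring or a duplicated uplink aims for)."""
    single = series_availability([device_availability] * hops)
    redundant = parallel_availability([single, single])
    return single, redundant


def meets_target(availability: float, target: float = 0.99) -> bool:
    """True when the availability reaches the agreed target (default 99 %)."""
    return availability >= target


if __name__ == "__main__":
    # Constructed scenario: five devices at 99.5 % each between controller and server.
    single, redundant = compare_topologies(0.995, 5)
    for name, a in (("single path", single), ("redundant paths", redundant)):
        print(f"{name}: {a:.5f} availability, "
              f"{downtime_minutes_per_year(a):.0f} min/year, "
              f"meets 99 % target: {meets_target(a)}")
```

The point the numbers make: five devices that are each 99.5 % available give a chain below 99 %, while duplicating that chain lifts the figure above 99.9 %, provided the two paths do not share a single point of failure such as one power feed.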

2.1.2 Robustness

There are individual environmental conditions in the plants of diverse companies around the
globe. The devices used must be capable of withstanding these particular conditions. This also
applies to network products. They must, for example, be able to resist high temperatures or
dusty and corrosive climatic conditions of an industrial factory building or similar locations and
nevertheless perform their functions reliably and without errors. These requirements apply not
only to the devices but to all accessories such as cabling or antennas.

Figure 6: Robustness

2.1.3 Flexibility

Since production is permanently being optimized and needs to be adapted to innovations,
flexibility plays an important role in this environment. For this reason, the network components
and topologies used need to take this aspect into account. In particular, the network cabling and
the design of the devices must be taken into account to cope with harsh industrial environments
that are subject to continuous change.

Figure 7: Flexibility

2.1.4 Security – network security and access control

Every production area must be protected against unauthorized access. Here, security measures
must be considered in order to implement them, for example with firewall systems and a
suitable cell protection concept. Secure remote access also needs to be taken into account, e.g.
for third-party manufacturers, to allow maintenance work on defined plant sections.

Figure 8: Security

2.1.5 Moving units

Parts of production or a warehouse can include moving systems such as forklift trucks, rail
vehicles, or portable mobile devices. These usually also require a connection to IT systems.
Especially for rail vehicles or AGVs (Automated Guided Vehicles), Siemens provides a solution with the IWLAN RCoax cable
to allow uninterrupted IWLAN communication along a preset path.

Figure 9: Mobile Applications

2.1.6 Safety – plant and operational safety

Safety functions serve to protect people and machines. This includes the option of an immediate
emergency stop of a machine and direct forwarding to the suitable controller. This is possible,
for example, not only with cabled solutions, but also via industrial WLAN (IWLAN). The safety
signals need to be transferred reliably and with the highest priority, regardless of the media.

Figure 10: Safety

2.1.7 Determinism

Industrial networks are used for the most part for control processes, with processing taking place
cyclically. Determinism is a basic requirement for such processes. This cyclic processing is the
basic difference between industrial communication and client/server applications in IT. Some
applications require short, fast, deterministic cycle times to quickly bring machines into a safe
state. Examples of this are PROFIsafe applications in which people and machines work with
each other in coexistence.
With regard to the safety requirement, the following must apply: The signal transmission must
be performed and completed within a defined response time. If network devices cannot
implement this requirement, for example, an emergency stop cannot be performed although an
emergency stop switch has already been activated. At the heart of this problem is the aspect of
synchronous operation. Only if the sensors, controllers, and actuators work synchronously, are
operation and the expected work result ensured. There must be determinism for a machine to
machine (M2M) architecture, regardless of whether communication takes place via a cable or
wireless.

Figure 11: Determinism
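To make the response-time requirement above concrete, here is a small Python simulation added for this edition (not Siemens code and not an implementation of PROFIsafe or any other real safety protocol): a receiver re-arms a watchdog on every cyclic frame and enters the safe state when the watchdog expires or a frame is missing, rather than continuing to act on stale data. The 4 ms cycle, the 12 ms watchdog and all frame arrival times are constructed sample values.

```python
# Added example (not part of the Siemens document): a simplified model of the
# response-time requirement described above. A receiver expects a cyclic
# safety frame; if a fresh frame does not arrive within the configured
# watchdog time, or a frame is missing, it must enter the safe state instead of
# acting on stale data. This is an illustrative model, not the PROFIsafe
# protocol, and all frame timings are constructed sample data.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    seq: int       # consecutive counter set by the sender
    t_ms: float    # arrival time at the receiver in milliseconds


def cyclic_frames(cycle_ms: float, count: int,
                  stall_after: Optional[int] = None, stall_ms: float = 0.0,
                  drop: Iterable[int] = ()) -> List[Frame]:
    """Constructed arrivals: one frame per cycle. Optionally every frame from
    `stall_after` onwards is delayed by `stall_ms` (a blocked or congested link),
    and the sequence numbers in `drop` never arrive (lost frames)."""
    dropped = set(drop)
    frames = []
    for seq in range(1, count + 1):
        if seq in dropped:
            continue
        t = seq * cycle_ms
        if stall_after is not None and seq >= stall_after:
            t += stall_ms
        frames.append(Frame(seq, t))
    return frames


def evaluate_watchdog(frames: List[Frame], watchdog_ms: float,
                      t_end_ms: float) -> Tuple[bool, Optional[float], str]:
    """Replay arrivals in time order. Returns (safe_state_triggered,
    trigger_time_ms, reason). The watchdog is armed at t=0 and re-armed by each
    valid frame; the safe state is entered at the moment the watchdog expires,
    not when the late frame finally shows up."""
    last_seq: Optional[int] = None
    last_ok_ms = 0.0
    for f in sorted(frames, key=lambda x: x.t_ms):
        if f.t_ms - last_ok_ms > watchdog_ms:
            return True, last_ok_ms + watchdog_ms, "timeout"
        if last_seq is not None and f.seq != last_seq + 1:
            # lost, duplicated or reordered frame: the counter check catches it
            return True, f.t_ms, "sequence error"
        last_seq, last_ok_ms = f.seq, f.t_ms
    # Nothing arrived after the last frame: check the idle tail as well.
    if t_end_ms - last_ok_ms > watchdog_ms:
        return True, last_ok_ms + watchdog_ms, "timeout"
    return False, None, "ok"


if __name__ == "__main__":
    cycle, watchdog, end = 4.0, 12.0, 44.0    # constructed: 4 ms cycle, 3 cycles of slack
    print("steady cycle:", evaluate_watchdog(cyclic_frames(cycle, 10), watchdog, end))
    print("link stalls 10 ms:", evaluate_watchdog(
        cyclic_frames(cycle, 10, stall_after=5, stall_ms=10.0), watchdog, end))
    print("frame 5 lost:", evaluate_watchdog(
        cyclic_frames(cycle, 10, drop=[5]), watchdog, end))
```

The model shows the two failure modes the text alludes to: a delay that exceeds the slack between cycle time and watchdog time puts the machine into the safe state at the watchdog deadline (an unwanted stop caused purely by non-deterministic transport), and a lost frame is caught by the counter even when the next frame arrives in time. Sizing the watchdog therefore depends on the worst-case delay the network can guarantee, which is exactly what a deterministic network provides and a best-effort office network does not.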


3 General industrial network standards


The top priority in automation is to guarantee the monitoring and operability of the
production. Even measures that are intended to prevent the spreading of security
threats are not allowed to restrict this.
To achieve this, the F&B Network Guideline recommends employing the latest
security mechanisms available. This means that all solutions and configurations
have been selected as if the plant operator were to employ all currently available
security mechanisms and technologies and Siemens and third-party products in
order to achieve the best possible plant security. Depending on the protection
requirements of the plant operator, the existing responsibilities, or already
implemented security mechanisms, configurations shown here can also be
implemented and scaled in modified forms. However, this should be planned
carefully in individual cases by all the technicians, specialists, administrators, and
managers involved. In order to achieve the best possible security, modified
configurations must not conflict with the fundamental principles of the security
concept.
This document is intended to simplify the cooperation of the network administrators
of company networks (IT administrators) and automation networks (automation
engineers) so that the advantages of the networking of production control
technology can be used with the data processing of other production levels without
increased security risks for both sides.
This document is a recommendation and is intended to assist SIMATIC, SCALANCE and
SIMOTION customers in the secure networking of their production units. The recommendations
are based on the latest technology, current standards and the properties of the products that are
used.
All the machines in a shop floor should work together perfectly. Therefore, you rely
upon open, integrated automation communication not just within the whole
company but also for external communication. Avoid isolated automation and
information technology solutions by assuring:
• Continuous flow of information from the actuator/sensor level through to the
corporate management level

• Availability of information at any location

• Accessibility of all devices from sensor up to IT infrastructure.

• High-speed data exchange between the different plant sections and machines

• Easy, plant-wide configuration and efficient diagnostics

• Integrated security functions that block unauthorized access

• Fail-safe and standard communication via the same connection

Our range
Communication networks are of utmost importance for automation solutions.
Networking for Industry stands for a diverse range of modular blocks – designed for
different industries – which contribute to efficiently solving communications tasks:
• In the different production areas

• Across the entire workflow

• For the complete plant life cycle

• For your industry

Industrial Networking offers solutions which both maximize the benefits of Ethernet
and simplify integration into fieldbus systems. Notable examples are:
• The development of the field level for the use of Industrial Ethernet

• Complete integration from the field level to the corporate management level

• The implementation of new solutions by means of mobile communication

• The integration of IT technologies



Worldwide trends
Decentralization has been taking on increasing importance worldwide for a number
of years now. A distributed plant structure can reduce installation, maintenance and
diagnostics costs. This involves intelligent devices working locally and being
connected together across networks. Openness and flexibility are important in
order to expand existing setups and to connect up different systems. For this
reason, international committees define and standardize the standards for bus
systems.

Communication type        International Standard
Industrial Ethernet       IEEE 802.3
Industrial Wireless LAN   IEEE 802.11
PROFINET                  IEC 61158 / IEC 61784
PROFIBUS (2)              IEC 61158 / IEC 61784

(2) PROFIBUS is the global market leader among fieldbus systems

Industrial Networking offers all the components needed for an integrated overall
solution and supports the following communication systems:
• Industrial Ethernet and Industrial Wireless LAN (based on the Ethernet
standard IEEE 802.3 and 802.11 a/b/g/h/n/ac wireless LAN standards). The
international standard for robust networks is the number one in industrial LAN
environments. Industrial Ethernet enables powerful communication networks to
be constructed over widely distributed areas.

• PROFINET (IEC 61158/61784)
The international standard uses Industrial Ethernet and allows real-time
communication all the way to the field level, but also integrates the enterprise
level. With the full utilization of existing IT standards, PROFINET allows
isochronous motion control applications, efficient cross-manufacturer
engineering and high availability of machines and systems on the Industrial
Ethernet. PROFINET supports distributed automation (including controller-controller
communication) and allows fail-safe and safety applications.

• PROFIBUS (IEC 61158/61784)
The international standard for the field level is the global market leader among
fieldbus systems. It is the only fieldbus to allow communication both in
manufacturing applications and in process-oriented applications.

3.1 Industrial Ethernet

Industrial Ethernet provides the industrial area with a powerful network that
complies with IEEE 802.3 (Ethernet). The diverse options of Ethernet and the
Internet that are already available today in the office sector can also be used in
factory and process automation by means of Industrial Ethernet.
Ethernet technology, which has been used successfully for decades, allows users
to precisely match network performance to requirements. The user can choose the
data throughput rate to suit particular needs, as integrated compatibility makes it
possible to introduce this technology in stages. Ethernet is currently the number one
protocol in the network environment and offers significant advantages such as:
• Fast commissioning thanks to the simplest connection method
• High availability since existing networks can be extended without any adverse
effects
• Virtually unlimited communication capabilities, since scalable performance
using switching/routing technology and high data rates are available
• Networking of the most varied application areas such as the office and
production areas
• Company-wide communication thanks to the Internet connection option, with
security components providing for data integrity
• Investment protection through continuous compatible further development
• Precise time-based assignment of events in the overall plant by means of
plant-wide clock control and distribution

SCALANCE, RUGGEDCOM and SIMATIC NET, the industrial communication
systems from Siemens, rely on this proven technology. Siemens has already
supplied several million connections worldwide in tough industrial environments
subject to electromagnetic interference.
SCALANCE, RUGGEDCOM and SIMATIC NET provide important supplements to
Ethernet technology for industrial environments:
• Best-in-class industrial network components of the SCALANCE and
RUGGEDCOM product families for the use of wired and wireless
communication in harsh industrial environments
• Fast on-site assembly using the FastConnect cabling system
• Failsafe networks through several redundancy mechanisms and redundant
power supply
• Continuous management of network components through an effective
signaling concept, and network management software SINEC NMS


The following communication functions and services are offered by Industrial Ethernet.

• PG/OP communication
Comprises integrated communication functions which allow data
communication via SIMATIC, SIMOTION automation systems with every HMI
device and SIMATIC PG (STEP 7). PG/OP communication is supported by
PROFINET/Industrial Ethernet and PROFIBUS.

• Open communication
The open communication allows controllers to communicate with other
controllers, PC/IPC and third-party systems using libraries.

• OPC (Object Linking and Embedding for Process Control)
This is a standardized, open and cross-vendor software interface. It permits
interfacing of OPC-capable Windows applications to S7-communication, open
communication and PROFINET.

• OPC UA (Unified Architecture)
OPC UA is the successor of OPC. The new OPC standard provides an
operating system independent platform for communication between e.g.
Windows devices, mobile devices, PLCs etc. It also provides a cross-platform
service-oriented architecture (SOA) for process control, while enhancing
security and providing an information model.


3.2 PROFINET

PROFINET – the Ethernet standard for automation
You need a seamless information flow for your strategic decisions within your
company – from the first manufacturing step through operation up to the corporate
management level. In order to achieve this, you already rely on efficiency and
transparency during engineering.
PROFINET, the open and innovative Industrial Ethernet standard, fulfills all the
demands of industrial automation and ensures integrated, company-wide
communication.
PROFINET also supports the direct connection of distributed field devices to
Industrial Ethernet and the implementation of isochronous motion control
applications. PROFINET also allows distributed automation with the support of
component technology, as well as vertical integration and the implementation of
safety-oriented applications. PROFINET also supports controller-controller
communication.
PROFINET is the leading Industrial Ethernet standard with more than 21 million
nodes worldwide.

Figure 12: PROFINET is the leading Industrial Ethernet standard

PROFINET increases companies' success by accelerating processes, boosting
productivity, and increasing plant availability. With PROFINET, Siemens applies
the Ethernet standard to automation. PROFINET enables high-speed and secure
data exchange at all levels, thus making it possible to implement innovative
machine and plant concepts. Thanks to its flexibility and openness, PROFINET
offers users maximum freedom when engineering and structuring their plant
architectures.
PROFINET's efficiency means optimal use of available user resources and a
significant increase in plant availability. Innovative Siemens products and the
performance of PROFINET provide a sustained boost to company productivity.


PROFINET innovations
PROFINET has been expanded with several innovative features. These simplify
the system configuration, in safety-critical applications for example, and support a
leaner and more flexible topology in many different scenarios.
The I-Device (Intelligent Device) function enables simple and fast controller-
controller communication through direct access to the IO address image with the
PROFINET protocol. Local controllers such as the SIMATIC ET 200S/SP CPU can
be integrated into modular machines more easily, for example.
The Shared Device function allows two controllers to access the same PROFINET
Device, such as a distributed SIMATIC ET 200 or a drive in a safety application.
Because fewer devices need to be installed in the field, the engineering, cabling,
energy and installation costs are reduced.
Plant availability can be increased using a ring topology and the Media
Redundancy Protocol (MRP). This runs directly by way of the integrated RJ45 ports
on PROFINET devices and can be combined in any way with the relevant
managed Industrial Ethernet switches from Siemens (for example
SCALANCE X series).

More flexibility with PROFINET

• Industrial Wireless LAN (IWLAN) reduces maintenance costs, increases
reliability, and offers high communication performance. Only
PROFINET allows the use of IWLAN with safety.

• Safety-related communication by way of PROFIsafe reliably protects
personnel, the environment, and plants.

• Flexible topologies
PROFINET also enables the use of star, tree and ring
topologies in addition to the linear topology.

• Open standard
Thanks to its openness, PROFINET creates the basis for a uniform
machine/plant automation network to which programmable controllers as well
as standard Ethernet devices can be connected.

• Web tools
PROFINET is 100 percent Ethernet and supports TCP/IP. Among other things,
this enables the use of Web technologies, such as access to the integrated
Web server of the field devices.

• Expandability
With PROFINET, network infrastructures can be expanded as desired, even
during operation.


More efficiency with PROFINET

• One cable for all purposes
PROFINET offers a host of functions on one cable: machine data and standard
IT data merge. This creates integration and saves costs by reducing the
cabling and training overhead.

• Device and network diagnostics
Extensive diagnostic data can be read out from the devices to locate faults
quickly. HTML standard Web sites are used for servicing PROFINET devices –
locally and remotely.

• Increased energy efficiency
PROFIenergy switches off individual loads or entire production units during
breaks – in a coordinated and centrally controlled way.

• Easy cabling
Fault-free establishment of industrial networks in a short time and without
specialist knowledge: PROFINET makes this possible with the FastConnect
system.

• Fast device replacement
When replacing a PROFINET device, the Controller detects the new device
and automatically assigns its name.

• High degree of ruggedness
The use of switches even in field devices prevents faults in one section of the
network from influencing the entire plant network. PROFINET enables the use
of fiber-optic cables especially for areas that are critically sensitive to EMI.


More performance with PROFINET


• Speed
Fast motion control applications need high-speed data exchange. PROFINET's
short cycle times increase the productivity of machines and plants.

• Precision
Communication by way of PROFINET is deterministic. A jitter of < 1 µs results
in maximum precision cycles and thus guarantees high product quality.

• Large quantity structures
With PROFINET, up to 256 devices can be managed by one SIMATIC
controller. The number of nodes per network is more or less unlimited.

• High transmission rate
By using Ethernet, PROFINET achieves a significantly higher transmission rate
than previous fieldbuses. This enables problem-free transmission of even large
volumes of data without affecting I/O data transfer.

• Media redundancy
Higher plant availability can be achieved by means of a redundant installation –
even bumpless (zero delay). This can be implemented both with the help of
external switches and directly via integrated PROFINET interfaces.

• Fast start-up
In modular plants, Controllers must detect new machines or plant sections
quickly. With Fast Startup, PROFINET can detect devices in less than 500 ms
and connect them with the Controller.


3.3 Field Device Bus Systems

PROFIBUS
PROFIBUS can be used to connect field devices, e.g. distributed I/O devices or
drives, to automation systems such as SIMATIC S7, SIMOTION, or PCs.
PROFIBUS is standardized in accordance with IEC 61158/61784 and is a powerful,
open and rugged fieldbus system with short response times. PROFIBUS is
available in different forms for various applications.

PROFIBUS PA (Process Automation)
PROFIBUS PA expands PROFIBUS DP with intrinsically safe transmission of data
and power (e.g. transducers in the food processing industry) in accordance with the
international standard IEC 61158-2 (same protocol, different physical properties).
PROFIBUS PA is used predominantly in the hazardous areas of refineries
(chemical, oil and gas).

AS-Interface
AS-Interface (Actuator Sensor Interface, AS-i) is an industrial networking solution
(physical layer, data access method and protocol) used in PLC, DCS and PC-
based automation systems. It is designed for connecting simple field I/O devices
(e.g. binary ON/OFF devices such as actuators, sensors, rotary encoders, analog
inputs and outputs, push buttons, and valve position sensors) in discrete
manufacturing and process applications using a single 2-conductor cable.

IO-Link
IO-Link is the first standardized IO technology worldwide (IEC 61131-9) for
communication with sensors and also actuators. The powerful point-to-point
communication is based on the long-established 3-wire sensor and actuator
connection without additional requirements regarding the cable material. So, IO-
Link is not a fieldbus but the further development of the existing, tried-and-tested
connection technology for sensors and actuators.


3.4 Industrial Wireless Communication

Overview
Within the scope of industrial communication, wireless communication opens up
new perspectives – from partial modernization of a plant right up to optimizing
complex logistics or production processes.
We offer SCALANCE W products for applications with wireless LAN and
SCALANCE M products for mobile wireless. There is a wide variety of different
country variants and approvals.
The use of wireless LAN in the industrial environment can present several
challenges. For some industrial applications it can be an advantage to bring
determinism to the air interface. This is possible with the iPCF (industrial Point
Coordination Function) method. With the standard wireless method DCF (Distributed
Coordination Function), more or less every participating device is responsible for its
own communication; with iPCF, the Access Point is responsible for the
coordination of sending and receiving frames.
Applications such as cranes, overhead monorails or AGVs depend on industrial
functions in the WLAN and can only be designed and conceived with "fat access
points". The reason is the absence of "iFeatures" in controller-based systems.
These applications must be considered as separate machines. These systems
require deterministic communication that can only be ensured by the "iFeatures".
Protection against unauthorized access via the wireless interface is ensured on the
one hand by encrypting the communication with the Advanced Encryption Standard
(AES) and on the other hand by the industrial Point Coordination Function (iPCF)
protocol used. This protocol is a proprietary protocol specifically developed by
Siemens for industrial applications. iPCF is designed to provide a kind of determinism
at the air interface. Furthermore, reliable redundancy is also possible via WLAN
thanks to the iFeature iPRP (industrial Parallel Redundancy Protocol), which can be
activated on SCALANCE W devices by a KEY-PLUG (for IEEE 802.11n devices) or
CLP (for IEEE 802.11ac devices).

Advantages of a wireless communication network

• Increased competitiveness, since greater flexibility is achieved through mobility
• Maintenance work is simplified, service costs and downtimes are reduced and
personnel are used optimally
• No wear and tear of rotating and moving equipment or system components
• Integrated wireless network for voice and data across the divisions of the
company
• Remote diagnostics for different production machines from a central service
location reduces service costs
• Moving installations can be accessed easily; there is no need for complex
wiring


4 Standards for specific requirements


4.1 Siemens redundancy technology
4.1.1 High Speed Redundancy Protocol (HRP)

A managed switch has parameter settings for a redundancy manager that opens
the ring to prevent circulating frames (loops). In terms of data transmission, the ring
topology becomes a linear bus. The redundancy manager (RM) monitors the ring
topology by sending test frames via both ring ports and checks that they arrive at
the other ring port. The other switches function as redundancy clients. Their ring
ports forward the test frames within the ring.

Figure 13: HRP principle without fault

If the test frames of the redundancy manager no longer reach the other ring port
due to an interruption in the ring (broken cable; device etc.), the redundancy
manager switches its two ring ports through and informs the redundancy clients of
the change immediately. In terms of data transmission, the ring topology becomes
a linear bus again. Even if the redundancy manager fails, the ring becomes a
functioning linear bus.

Figure 14: HRP principle with fault

The typical reconfiguration time of HRP is less than 300 ms with up to 50 ring nodes.
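To make the test-frame mechanism concrete, here is an added simulation (not Siemens code) of a ring with one redundancy manager that blocks a port, detects a ring break through missing test frames and switches through; it applies equally to MRP in section 4.2.1, which works on the same principle. The five-switch ring, the node names and the failure sequence are constructed for this example.

```python
from collections import deque


class RingRedundancy:
    """Ring of switches with one redundancy manager (RM), HRP/MRP principle.

    Constructed model, not a Siemens implementation. Links are keyed by the
    unordered pair of neighbour names. The RM keeps one of its two ring ports
    blocked for data frames while its test frames still circulate over the
    complete ring, so the data path is a line and no loop can form.
    """

    def __init__(self, nodes, manager):
        self.nodes = list(nodes)
        self.manager = manager
        n = len(self.nodes)
        self.links = {frozenset((self.nodes[i], self.nodes[(i + 1) % n])): True
                      for i in range(n)}
        idx = self.nodes.index(manager)
        # The RM blocks the link on its second ring port for data frames.
        self.blocked = frozenset((manager, self.nodes[(idx + 1) % n]))
        self.rm_state = "blocking"
        self.client_notifications = 0   # topology-change messages sent to clients

    def fail_link(self, a, b):
        self.links[frozenset((a, b))] = False

    def repair_link(self, a, b):
        self.links[frozenset((a, b))] = True

    def test_frame_arrives(self):
        """A test frame sent out of one RM ring port reaches the other ring
        port only if every link of the ring is up (the blocked port still
        passes test frames)."""
        return all(self.links.values())

    def poll(self):
        """One RM test cycle: switch the blocked port through on a ring break,
        block it again once the test frames arrive again."""
        new_state = "blocking" if self.test_frame_arrives() else "forwarding"
        if new_state != self.rm_state:
            self.rm_state = new_state
            # The RM informs every client so they relearn the changed topology.
            self.client_notifications += len(self.nodes) - 1
        return self.rm_state

    def data_path_neighbours(self, node):
        for link, up in self.links.items():
            if not up or node not in link:
                continue
            if link == self.blocked and self.rm_state == "blocking":
                continue
            (other,) = link - {node}
            yield other

    def reachable(self, start):
        """Nodes that can exchange data frames with `start` right now."""
        seen, queue = {start}, deque([start])
        while queue:
            for nb in self.data_path_neighbours(queue.popleft()):
                if nb not in seen:
                    seen.add(nb)
                    queue.append(nb)
        return seen

    def fully_connected(self):
        return all(self.reachable(n) == set(self.nodes) for n in self.nodes)


def demo():
    """A single cable break is healed by the RM; a second break is not."""
    ring = RingRedundancy(["RM", "S1", "S2", "S3", "S4"], manager="RM")
    ring.poll()
    before = ring.fully_connected()   # line S1-S2-S3-S4-RM, everything reachable
    ring.fail_link("S2", "S3")        # cable break between two clients
    during = ring.fully_connected()   # RM has not reacted yet: ring is split
    state = ring.poll()               # test frame missing -> RM forwards
    after = ring.fully_connected()    # RM-S1-S2 and RM-S4-S3: all reachable
    ring.fail_link("S1", "S2")        # a second break cannot be healed
    second = ring.fully_connected()
    return before, during, state, after, second


if __name__ == "__main__":
    print(demo())  # (True, False, 'forwarding', True, False)
```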


4.1.2 Standby-Connection

The Siemens Standby-Connection function allows the redundant coupling of High
Speed Redundancy Protocol rings. Two switches within the ring are assigned
parameters as the standby manager and standby partner. They negotiate (or you
set) a device that activates the connection to the neighboring network segment.
The other standby device deactivates its connection to the other network segment
to avoid a loop.
If the link to the upper ring fails, the second connection will be activated and the
network is reestablished.
Figure 15: Standby connection principle (two rings, each with a redundancy manager (RM), coupled via standby manager and standby partner)


4.1.3 Passive Listening (with PROFINET 2.2)

Siemens developed Passive Listening to support redundant connections with fast
recovery between SCALANCE Industrial Ethernet networks and IT networks
supporting Spanning Tree.
Figure 16: Coupling between Spanning Tree Network and Industrial Ethernet

The passive listening function of the industrial switch supports the forwarding of
STP/RSTP/MSTP etc. frames through the network without participating actively in
this mechanism. This gives the STP/RSTP/MSTP network components the
possibility of solving a loop at the coupling point between the different topologies.

Figure 17: BPDUs (bridge protocol data units) travelling through the network

The STP/RSTP/MSTP network components will recognize the additional
connection between them and will block the redundant path through the industrial
network on one side. This resolves the potential loop while one connection between
the networks remains active.
If the active connection between the network parts is disturbed due to malfunction
or a broken link, the STP/RSTP/MSTP network components will recognize the
absence of BPDU frames on the blocked port. This leads to the switchover from
blocking to forwarding at the now single connection between the parts. The
connection between the networks is reestablished.

4.1.4 RSTP+

Redundancy protocols: Multiple Spanning Tree Protocol (MSTP), Rapid Spanning
Tree Protocol (RSTP) and Spanning Tree Protocol (STP), as well as RSTP+ for the
redundant integration of MRP rings into an RSTP network. This means part of a
network can be connected redundantly to a higher-level company network. The
reconfiguration time of the network is in the seconds range and therefore takes
longer than the ring redundancy method.
RSTP+ is a SCALANCE specific extension of RSTP which allows the redundant
integration of MRP rings into an RSTP network. It is generally possible to manage
such a network solely with RSTP. However, in a ring topology, MRP is the more
efficient and faster method. The MRP ring redundancy mode is not affected by
RSTP+ because both modes work independently of one another. Another use case
is the redundant linking of MRP rings. It is also possible to connect two RSTP
networks over one MRP ring with RSTP+. This is not possible without RSTP+
because Spanning Tree is disabled at the ring ports.
In principle, all devices at the connection points between RSTP network and MRP
ring must support the RSTP+ method. All other devices in the MRP ring must
forward BPDUs (Bridge Protocol Data Unit).

4.2 Generic redundancy technology


4.2.1 Media redundancy protocol IEC 62439-2 (MRP)

MRP is a standardized layer 2 redundancy protocol which is recommended in the
PROFINET standard. It has a convergence time of 200 ms with 50 devices in the
ring. The MRP frames move only within each ring and are not transferred between
different rings.

4.2.2 MRP Interconnections IEC 62439-2

MRP Interconnect is used to couple two redundant MRP rings. The requirement for
MRP Interconnection is that MRP is used in all rings involved. Four devices are
involved in the redundant coupling of two rings with MRP-Interconnection: one
media redundancy interconnection manager (MIM) and three media redundancy
interconnection clients (MIC).

Figure 18: MRP Interconnections

Depending on the connection status, the Interconnection ports send the MIC
(media redundancy interconnection client) status messages (link-up or link-down)
to the MIM. Interconnection ports are ports between which the primary or
secondary connection is established. The MIM is thus always informed about the
connection status between the Primary MIC and the Primary Coupled MIC
(“primary connection") as well as its own connection to the Secondary Coupled
MIC (“secondary connection"). In regular operation, data exchange between the
two rings takes place via the primary connection and the MIM blocks its
Interconnection port. If a link-down of the primary connection is signaled to the
MIM, it switches its Interconnection port to the status "Forwarding" and data
exchange between the two rings takes place via the secondary connection
between MIM and Secondary Coupled MIC. It has a convergence time of 200 ms.


4.2.3 Media Redundancy with Planned Duplication of Frames (MRPD)

Redundant systems require a switching time to detect interruptions and to switch
over to redundant structures. However, these switching times do not always entirely
meet the requirements of the plant's application. For highly dynamic applications or
for process engineering, for example, short interruptions are unacceptable. These
requirements are met based on a ring topology with the MRP (Media Redundancy
Protocol) extension "Media Redundancy with Planned Duplication of frames
(MRPD)". During a device or line failure in the ring, all other devices continue to be
supplied with IO data without interruption.
MRPD is specified by the IEC 61158 standard and was specially developed for
PROFINET IRT (Isochronous Real Time). In the event of an error it ensures
bumpless switching of the ring topology by achieving a reconfiguration time of 0
ms. To avoid interruptions in the event of an error, the PROFINET devices that
participate in the ring send their data in both directions. Since the devices receive
these data at both ring ports, there is no reconfiguration time for the ring.

The following prerequisites must be met for the use of media redundancy with
MRPD:
• All participating devices must support MRPD, including the terminal devices at
the switch that cyclically exchange IRT data through a ring component.
• MRP is configured for all participants in the ring. The MRP role "Not device
in the ring" is assigned to all devices that are not in the ring.
• IRT is configured for all participating components.


4.2.4 Parallel Redundancy Protocol (PRP – IEC 62439-3)

The "Parallel Redundancy Protocol" is a redundancy protocol for Ethernet
networks. It is defined in Part 3 of the IEC 62439 standard. The devices of the
SCALANCE X-200RNA, SOFNET-IE RNA and RUGGEDCOM RS950G, RSG9xxR
product lines support the PRP method. The areas of application of PRP are
distributed real-time applications with high reliability demands that depend on the
high availability of the network. Compared with classic fault-tolerant networks, PRP
provides bumpless redundancy. This redundancy method allows data
communication to be maintained without interruption/reconfiguration time if there
are interruptions in the network. Other redundancy methods have a network
reconfiguration time of, for example, 200 ms (MRP, 50 nodes in the ring) or 300 ms
(High Speed Redundancy, 50 nodes in the ring) and therefore cannot be used for
substation applications or other applications that require high network availability.
The PRP method has the advantage that it uses parallel, separate networks made
up of standard network components. The end devices that use this method are
connected to the two networks via a preceding device or via two integrated device
interfaces. This means that the frame of the end device can be transferred at the
same time via both networks. If a transmission path is interrupted, the frame arrives
at its destination via the second path.
The disadvantage is the need for two independent parallel networks, which has a
high impact on cost.

Figure 19: Parallel Redundancy Protocol


4.2.5 High-availability Seamless Redundancy protocol (HSR - IEC 62439-3)

The "High-availability Seamless Redundancy" protocol is a redundancy protocol for
Ethernet networks. It is defined in Part 3 of the IEC 62439 standard. The devices of
the SCALANCE X-200RNA, SOFNET-IE RNA and RUGGEDCOM RS950G,
RSG9xxR product lines support the HSR method. The areas of application of HSR
are distributed real-time applications with high reliability demands that depend on
the high availability of the network. Compared with classic fault-tolerant networks,
HSR provides bumpless redundancy. This redundancy method allows data
communication to be maintained without interruption/reconfiguration time if there
are interruptions in the network. Other redundancy methods have a reconfiguration
time of, for example, 200 ms (MRP, 50 nodes in the ring) or 300 ms (High Speed
Redundancy, 50 nodes in the ring) and therefore cannot be used for substation
applications or other applications that require high network availability. The HSR
method has the advantage that the communication redundancy is achieved by the
configuration as a ring. This means there is no need for other standard network
components (switches) within a network. The end devices that use this method are
connected to the two networks via a preceding device or via two integrated device
interfaces. This means that the frame of the end device can be transferred at the
same time in both directions of the ring. If a transmission path is interrupted, the
frame arrives at its destination via the other path. The devices of the SCALANCE X-
200RNA product line are used to connect end devices without integrated HSR
interfaces to HSR networks.
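The duplicate-discard behaviour behind the "bumpless" claim of PRP (section 4.2.4) and HSR (section 4.2.5), as an added simulation that is not Siemens code and not the firmware of any RNA device: the sender tags each frame with a sequence number and emits a copy on both paths (LAN A/B for PRP, both ring directions for HSR); the receiver keeps the first copy and discards the second, so a broken path costs no reconfiguration time. The node names, the 64-entry discard window and the failure sequence are assumptions of this example; the 16-bit counter is the width of the sequence number in PRP's redundancy control trailer.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    seq: int        # sequence number carried in the redundancy trailer
    payload: bytes
    path: str       # which redundant path carried this copy


class Path:
    """One of the two redundant transmission paths: LAN A / LAN B for PRP,
    the two ring directions for HSR. Constructed model, not Siemens code."""

    def __init__(self, name):
        self.name = name
        self.up = True
        self.lost = set()   # (src, seq) copies this path silently loses

    def carry(self, frame):
        """Return the frame if it gets through, None if the path is down
        or drops this particular copy."""
        if not self.up or (frame.src, frame.seq) in self.lost:
            return None
        return frame


class RedundantSender:
    SEQ_MODULO = 1 << 16   # 16-bit sequence counter, as in the PRP trailer

    def __init__(self, name, paths):
        self.name = name
        self.paths = paths
        self.next_seq = {}  # destination -> next sequence number

    def send(self, dst, payload):
        """Emit one copy of the frame on every path; both copies share the
        same sequence number so the receiver can pair them."""
        seq = self.next_seq.get(dst, 0)
        self.next_seq[dst] = (seq + 1) % self.SEQ_MODULO
        copies = []
        for path in self.paths:
            delivered = path.carry(Frame(self.name, dst, seq, payload, path.name))
            if delivered is not None:
                copies.append(delivered)
        return copies


class RedundantReceiver:
    WINDOW = 64   # how many recent sequence numbers per source are remembered

    def __init__(self, name):
        self.name = name
        self.recent = {}      # source -> recently accepted sequence numbers
        self.accepted = []    # (seq, payload, path) in arrival order
        self.discarded = 0

    def receive(self, frame):
        """Accept the first copy of a sequence number, discard the second."""
        if frame.dst != self.name:
            return None
        seen = self.recent.setdefault(frame.src, deque(maxlen=self.WINDOW))
        if frame.seq in seen:
            self.discarded += 1
            return None
        seen.append(frame.seq)
        self.accepted.append((frame.seq, frame.payload, frame.path))
        return frame.payload


def run_scenario():
    """Constructed scenario: three undisturbed frames, then one copy lost on
    path A, then path B down completely. Returns (accepted, discarded, gaps)."""
    lan_a, lan_b = Path("A"), Path("B")
    plc = RedundantSender("PLC", [lan_a, lan_b])
    ied = RedundantReceiver("IED")

    def transmit(payload):
        for copy in plc.send("IED", payload):
            ied.receive(copy)

    for i in range(3):
        transmit(b"value-%d" % i)
    lan_a.lost.add(("PLC", 3))       # seq 3 is lost on A only
    transmit(b"value-3")
    lan_b.up = False                 # LAN B / second ring direction fails
    transmit(b"value-4")
    transmit(b"value-5")
    got = [seq for seq, _, _ in ied.accepted]
    gaps = sorted(set(range(6)) - set(got))   # nothing missing: zero recovery time
    return ied.accepted, ied.discarded, gaps
```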

Figure 20: High-availability Seamless Redundancy protocol


4.3 Network Address Translation (NAT)

NAT exists in multiple variations. Depending on the purpose and requirements, it is
possible to implement one of these variations.

Figure 21: Network Address Translation

Source NAT and Destination NAT

In general, a distinction is made in NAT between Source NAT and Destination
NAT, depending on which address of the IP packet is being translated.
If it is the address of the sender that has to be modified, this is referred to as a
"Source NAT translation", as in this case the source IP address of the packet is
being changed.
If, on the other hand, the address of the receiver is being changed, this is referred
to as a "Destination NAT translation", as in this case the destination IP address of
the packet is being changed.
There are several terms for NAT translations, which are also implemented and
interpreted differently depending on the manufacturer. However, all of these are
modifications of Source and/or Destination NAT. Further examples:
• Source NAT terms: Src-NAT, Source NAT, SNAT, Masquerading, ...
• Destination NAT terms: Dest-NAT, Destination NAT, DNAT, Redirect,
Forwarding, ...
• 1:1 NAT, binat, double NAT, ...
• NAPT, ...


Network Address and Port Translation (NAPT)

NAPT is a special form of Destination NAT in which the destination port is
translated in addition to the destination IP address.
Usually with NAPT the addresses of a private network are mapped to one public IP
address with specifically assigned ports. This has the advantage that only one
public IP address is required for all the nodes in the private network.
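To show Source NAT, Destination NAT, NAPT and 1:1 NAT on concrete packets, here is an added example that is not Siemens code and does not describe the behaviour of any SCALANCE device: a model of a NAT device at a machine-cell border. The address ranges, port numbers and the two-cell scenario are constructed; the scenario also makes the point from the table below that a device behind NAT is only reachable if a translation for it has been configured.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class CellNat:
    """NAT device at the border of one machine cell (constructed model).

    Source NAT: outbound packets from the private cell network leave with
    the device's public address (masquerading / NAPT with a dynamic port).
    Destination NAT: inbound packets are rewritten only if a static rule
    (NAPT port forwarding or 1:1 NAT) or a dynamic NAPT entry matches.
    """

    def __init__(self, private_net, public_ip, first_port=40000):
        self.private_net = ip_network(private_net)
        self.public_ip = public_ip
        self.port_forward = {}   # public_port -> (private_ip, private_port)
        self.one_to_one = {}     # private_ip -> public_ip (1:1 NAT / binat)
        self.napt = {}           # (private_ip, private_port) -> public_port
        self.napt_reverse = {}   # public_port -> (private_ip, private_port)
        self.next_port = first_port

    def add_port_forward(self, public_port, private_ip, private_port):
        self.port_forward[public_port] = (private_ip, private_port)

    def add_one_to_one(self, private_ip, public_ip):
        self.one_to_one[private_ip] = public_ip

    def outbound(self, pkt):
        """Private cell -> plant network: Source NAT of the sender address."""
        if ip_address(pkt.src_ip) not in self.private_net:
            return pkt
        if pkt.src_ip in self.one_to_one:
            return replace(pkt, src_ip=self.one_to_one[pkt.src_ip])
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.napt:
            # Dynamic NAPT entry: one public port per private flow (keyed on
            # the local port only, a simplification of this model).
            self.napt[key] = self.next_port
            self.napt_reverse[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src_ip=self.public_ip, src_port=self.napt[key])

    def inbound(self, pkt):
        """Plant network -> private cell: Destination NAT of the receiver
        address. Returns None when nothing is configured for the target."""
        if pkt.dst_ip == self.public_ip and pkt.dst_port in self.napt_reverse:
            ip, port = self.napt_reverse[pkt.dst_port]      # reply to a flow
            return replace(pkt, dst_ip=ip, dst_port=port)
        if pkt.dst_ip == self.public_ip and pkt.dst_port in self.port_forward:
            ip, port = self.port_forward[pkt.dst_port]       # static NAPT rule
            return replace(pkt, dst_ip=ip, dst_port=port)
        for private_ip, public_ip in self.one_to_one.items():
            if pkt.dst_ip == public_ip:                       # 1:1 NAT
                return replace(pkt, dst_ip=private_ip)
        return None


def demo():
    """Two series machines with the identical cell address range, each behind
    its own NAT device; only the cell with a configured rule is reachable."""
    cell1 = CellNat("192.168.0.0/24", "10.1.1.1")
    cell2 = CellNat("192.168.0.0/24", "10.1.1.2")
    # Sample rule: plant-side 10.1.1.1:102 reaches the PLC of machine 1.
    cell1.add_port_forward(102, "192.168.0.10", 102)
    hmi_to_1 = cell1.inbound(Packet("10.1.0.50", 50000, "10.1.1.1", 102))
    hmi_to_2 = cell2.inbound(Packet("10.1.0.50", 50001, "10.1.1.2", 102))
    # The PLC of cell 1 answers a poll from the plant NMS (sample port 161);
    # the reply is mapped back to the private address via the NAPT table.
    out = cell1.outbound(Packet("192.168.0.10", 1234, "10.1.0.60", 161))
    back = cell1.inbound(Packet("10.1.0.60", 161, out.src_ip, out.src_port))
    return hmi_to_1, hmi_to_2, out, back
```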

NAT Pros and Cons

Pro NAT:
o Multiple machine networks with the same IP range ➔ series machine
manufacturing
o It is a kind of protection for the machine/cell network
o No care about a holistic plant IP concept for integrating the machine into the
network
o On the surface, the use of IP addresses can be reduced
o NAT is an advantage for OEM machine builders to keep the IP configuration
simple and protect their network from external access.

Contra NAT:
o Specific NAT hardware is necessary
o The NAT table for each machine must be adapted
o Each access to a device behind the NAT must be configured and needs an
additional IP address of the source network
o Network monitoring and management for NAT networks is only possible if the
NMS and the NAT devices support "NAT MIB tables v2". Network monitoring and
management for NAT networks is challenging. However, devices like the
SCALANCE S Series and SINEC NMS that support the NAT MIB tables enable the
monitoring of the complete solution
o It is more complex to operate, maintain and troubleshoot a network with multiple
NAT subnetworks.

NOTE NAT may be an advantage for OEM machine builders in keeping the IP
configuration simple and protecting their network from external access.
The administration of networks with NAT subnetworks is more demanding if
holistic network management and monitoring is required. Without proper
planning, the visibility of the network behind the NAT device may be limited.
The benefits of unique IP addresses are higher than the effort required to
configure NAT.


5 Network topologies
There are multiple desirable network topologies for each part of the plant network.
Hundreds of approaches to designing a convenient network are available in the
industry. We think most of them use office-grade components, but due to the harsh
conditions and performance requirements, these networks require industrial-grade
solutions to handle the needs of industry. Your network should provide the reliable
backing a production needs. This goal is reachable due to one point we keep in
mind when we are designing solutions.

This chapter describes a typical architecture, which can be customized according
to local requirements. The number of aggregation links or the complexity of the
backbone can be adapted to the needs of the customer. The main arguments are:
• Separation of different production cells
• Amount of automation equipment connected
• Use of other functionalities such as fire system, access control system,
camera system.

5.1 Design of shop floor networks

Typically, networks within production facilities can be split into three areas.

Figure 22: typical networks within production facilities (diagram: (A) Office Network / Core Layer with WAN router, core firewall/IDS, external firewall/IDS and Internet access; L3 connection to (B) Industrial Network with Backbone Layer (Backbone 1 ... n, Industrial Datacenter and servers), Distribution Layer and Aggregation Layer (Aggregation 1-1, 1-2, ... 1-n with standby feature and sync link); (C) Access/Cell Layer with Cells 1-1-1 ... 1-2-n as line, ring or tree/star)


A Enterprise Network

The Enterprise Network is managed by IT and contains all kinds of office-related services. In order to meet the different requirements of the enterprise network and of manufacturing, the networks are separated. Typically, a Layer 3 separation is used to avoid cross effects between the networks but allow specific data to be transferred.

B Production Backbone and Aggregation layer:

The production backbone is implemented as the central data communication layer. It combines the communication of all underlying production cells and connects data centers and the demilitarized zone (DMZ). Additional aggregation layers can be added optionally to combine different production cells and implement load balancing and network segmentation based on communication relations.

C Production Cell:

Production cells are separate network zones for different assembly lines, production cells or machines. Within this area, workplaces are grouped by security standards, communication relationships, production-specific layouts or delivery scopes of different OEMs within the plant. Production cells can be small tree, star or line networks or can also contain redundant ring structures if the production process demands such solutions.

5.2 Segmentation
A functional segmentation of the production network into IP subnets is one of the core tasks of planning a reliable automation network. Segmentation brings several benefits:
• Security: protection against unauthorized access (deliberate or accidental)
• Stability: "not to sink the entire ship" in case of failures (reduce the size of the broadcast domain)
• Performance: guarantees for the different segments

Typical criteria for choosing the borders between different segments are:
• Number of nodes within a cell
• Product-specific areas (production area, packaging area, utility area)
• Machine builder or system integrator specific areas

Network segmentation can be implemented by using virtual LANs (VLANs [3]). If individual production VLANs should not be able to communicate with each other, this must be prevented by a suitable ACL [4]. An ACL is assigned to a port and specifies the communication allowed for this port. With an ACL, care must be taken that the processing is sequential: if a frame arrives at the port, the first matching entry is applied to the frame, and all following entries of the ACL are no longer taken into account for this frame. Per switch a total of 256 rules can be used; they can be selected from a maximum of 128 predefined rules.
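To make the first-match behaviour tangible, here is an added example (not code from the Siemens document): a small ACL evaluator over two constructed production VLANs, with a check that flags rules an earlier entry shadows. The VLAN subnets, the rule format and the 256-rule limit check are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Limit quoted in the text: a switch evaluates at most 256 ACL rules.
MAX_RULES_PER_SWITCH = 256


@dataclass(frozen=True)
class AclRule:
    action: str          # "permit" or "deny"
    src: IPv4Network     # source subnet (e.g. a production VLAN)
    dst: IPv4Network     # destination subnet
    comment: str = ""


@dataclass(frozen=True)
class Frame:
    src: IPv4Address
    dst: IPv4Address


def frame(src: str, dst: str) -> Frame:
    """Convenience constructor from dotted-quad strings."""
    return Frame(ip_address(src), ip_address(dst))


def first_match(acl: List[AclRule], frame: Frame) -> Optional[AclRule]:
    """Sequential evaluation: the first rule covering src and dst wins and
    every later rule is ignored for this frame."""
    for rule in acl:
        if frame.src in rule.src and frame.dst in rule.dst:
            return rule
    return None


def decide(acl: List[AclRule], frame: Frame, default: str = "deny") -> str:
    """Action applied to the frame; frames matching no rule get the default."""
    if len(acl) > MAX_RULES_PER_SWITCH:
        raise ValueError(f"{len(acl)} rules exceed the switch limit of {MAX_RULES_PER_SWITCH}")
    rule = first_match(acl, frame)
    return rule.action if rule is not None else default


def shadowed_rules(acl: List[AclRule]) -> List[AclRule]:
    """Rules that can never match because an earlier rule already covers
    their whole src/dst range. Any such rule points to a misconfiguration."""
    shadowed = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst):
                shadowed.append(later)
                break
    return shadowed


# Constructed sample: two production VLANs that must not talk to each other.
LINE1 = ip_network("10.120.10.0/24")   # VLAN of production line 1 (constructed)
LINE2 = ip_network("10.120.20.0/24")   # VLAN of production line 2 (constructed)
ANY = ip_network("0.0.0.0/0")

# Wrong: the catch-all permit comes first, so the deny is dead.
ACL_WRONG_ORDER = [
    AclRule("permit", ANY, ANY, "catch-all permit placed first"),
    AclRule("deny", LINE1, LINE2, "block line 1 -> line 2 (never reached)"),
]
# Correct: the specific deny first, the catch-all permit last.
# Note that this ACL is directional; the reverse direction needs its own rule
# on the port where that traffic enters.
ACL_CORRECT_ORDER = [
    AclRule("deny", LINE1, LINE2, "block line 1 -> line 2"),
    AclRule("permit", ANY, ANY, "everything else"),
]
CROSS_LINE = frame("10.120.10.5", "10.120.20.7")

if __name__ == "__main__":
    print("wrong order  :", decide(ACL_WRONG_ORDER, CROSS_LINE))
    print("correct order:", decide(ACL_CORRECT_ORDER, CROSS_LINE))
    print("shadowed     :", [r.comment for r in shadowed_rules(ACL_WRONG_ORDER)])
```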

[3] Virtual Local Area Network
[4] Access Control Lists


5.3 Industrial Backbone layer

The connection between IT and OT should go directly to the core switches, using at least Layer 3 separation; however, a firewall with a DMZ between these two areas is preferable. This is intended to avoid mutual influence of the industrial and other network segments. At the same time, the direct connection to the IT core allows high-performance communication with the datacenter, in which important MES and ERP systems are made available.

5.3.1 Office/enterprise connection to production

Practice has shown that production networks require stronger protection against unauthorized access due to longer machine runtimes compared to normal PCs. Office networks, whose computers are continuously maintained and secured by patch management, antivirus programs and software distribution systems, are less vulnerable. In contrast, in production it is rather careless to patch machine computers or provide them with antivirus programs without consulting the manufacturer of the machine. Updates can, for example, lead to unforeseen problems due to incompatibility of the software or hardware. In addition, antivirus programs may have unwanted effects on communication and cause a plant standstill or similar. For this reason, particular caution is necessary in production, and the use of antivirus programs and the fast import of updates or patches must be planned with farsightedness and be well thought out.

The future management and maintenance of the connection of the production network is just as important as the points already mentioned when planning or redesigning the network.
The figure below shows the schematic connections of the production network to the enterprise network. The term connection implies the assumption that the production and enterprise network are different areas. Strictly speaking this is correct, since the requirements coming from production are characterized by high availability, robust devices and fast switchover times. Accordingly, the protocols used in the industrial production environment have been developed differently from those used in the office environment. This is one of the reasons why it makes sense to separate production from the enterprise network via layer 3. This thought is explained in detail in the following chapters.


Figure 23: Border between IT and OT. Same layer structure as Figure 22: Office Network (Core Layer with WAN Router, Core Firewall, External/Internet Firewall, Firewall / IDS), L3 connection to the Industrial Network (Backbone Layer with Backbone 1 to n and Industrial Datacenter/Server, Distribution Layer, Aggregation Layer with Aggregation 1-1, 1-2 to 1-n), and the Cell Layer / Access Layer (Cells 1-1-1 to 1-2-n as Line, Ring or Tree/Star, Standby Feature with Sync).

Connection types:
1. Layer 2 connection

In some cases a layer 2 network in the production is necessary. This should be seen as an exception and is not the preferred solution. However, when it cannot be avoided, great care must be taken that production and enterprise network do not disturb each other.

Switches from the enterprise network usually use RSTP [5] and/or MSTP [6]. They can be connected to the production backbone with device or path redundancy. Some devices from enterprise switch manufacturers do not support RSTP; these should be set to MSTP. The switches in the production backbone must have "passive listening" activated to allow the device-redundant link. With path-redundant connections, RSTP should be activated on the corresponding ports of the production switch.

RSTP and MSTP are point-to-point protocols; the information is only exchanged between neighboring devices with so-called BPDUs [7]. The "passive listening" function, however, allows transparent forwarding of the entire information, i.e. the BPDU frame. If this frame arrives at a device with RSTP capability, the information can be evaluated normally. With this function it is possible to ensure that no loops result even in this constellation.

[5] Rapid Spanning Tree Protocol
[6] Multiple Spanning Tree Protocol
[7] Bridge Protocol Data Unit


CAUTION With a layer 2 connection, network errors from the enterprise can affect production and, in the other direction, network errors in production can affect the enterprise network. This makes troubleshooting much more difficult since the sources of the errors cannot be clearly assigned to a segment. In addition, the consequences of such errors can affect all areas of the network.

2. Static routing with VRRP [8]

Static routing requires manual entry of bidirectional routes. The manual entry of routes has the advantage that only the networks that are entered explicitly are routed. The management of static routes can be very time-consuming for large and complex networks. If the interface also involves a gateway for which different administrators are responsible, this may lead to delays in the entry of the relevant routes. This is a clear disadvantage of static routing.

As already mentioned, availability is mandatory in production networks. This is the reason why VRRP should be used. With the VRRP protocol several routers can be combined to form a logical and redundant router under a virtual IP [9] and MAC [10] address. One router is active and works with the virtual IP and MAC address as master. The passive router (slave) monitors the active router. If the slave detects that the active router is no longer responding, it adopts the virtual IP and MAC address and therefore ensures the functionality of the network and the gateway. This happens unnoticed by the client devices, because they only have one entry, the virtual IP, for their default gateway.

During design, it must be taken into account that a maximum of 52 VRRP interfaces can be created for each SCALANCE X layer 3 switch. The VRRP MAC addresses depend on the so-called VRRP ID, which can have values between 1 and 255. This results in MAC addresses between 00-00-5e-00-01-01 and 00-00-5e-00-01-ff, where 00-00-5e is the VRRP and CARP [11] identifier assigned by IANA. Communication between the routers is done via the multicast address 224.0.0.18 (01-00-5e-00-00-12).

3. Dynamic routing RIP [12] / OSPF

The advantage of dynamic routing protocols is the automatic learning of the paths between the individual networks. This is the reason why dynamic routing protocols are better suited for larger or complex networks. If individual connections fail, alternative paths are automatically searched, or known paths are enabled for communication. The SCALANCE X 400/500 families support the protocols RIP and OSPF for the dynamic creation of the routing table.

RIP
RIP
RIP is a "distance vector" protocol. It is based on the Bellman-Ford algorithm and is available as version 2. RIP aligns its routing tables with the neighboring routers. This is achieved with "advertisements" which are sent every 30 seconds. The extent of the network may be a maximum of 15 hops. Changes to the routing are only disseminated slowly in the network, due to the time-controlled updates every 30 seconds. Version 2 already supports event-controlled updates and although this speeds up convergence times, RIP nevertheless converges more slowly compared with OSPF. Advantages of RIPv2 are the variable subnet mask, the multicast route updates, and the option of authenticating the updates. The multicast address used for this is 224.0.0.9. The updates are distributed using UDP on port 520. The use of RIP is currently decreasing. It is usually only used for compatibility purposes when older devices do not support any other protocol than RIP.

[8] Virtual Router Redundancy Protocol
[9] Internet Protocol
[10] Media Access Control
[11] Common Address Redundancy Protocol, functionality similar to VRRP
[12] Routing Information Protocol

OSPF
OSPF is a "link state" protocol. It is based on the Dijkstra algorithm. OSPF sends incremental updates if changes have occurred in the network. In addition, "summary information" messages are sent every 30 minutes. All routers in the same "area" have the same network topology databases. Fast convergence times are achieved due to event-based updates. Another advantage of OSPF is the option of using several routes with the same metric at the same time, known as ECMP [13]. This allows load balancing over multiple paths, which in turn means an increase in availability.
The OSPF routers use the multicast addresses 224.0.0.5 and 224.0.0.6 for communication within broadcast domains. Multicast 224.0.0.5 is used for communication between all "Shortest Path First" routers. Multicast 224.0.0.6 is used for the communication between the DR [14] and the BDR [15] and for all routers that send "link state update" and "link state acknowledgement" packets to the DR.

NOTE The routes are learned automatically and if the network grows, routing adjusts without big effort. Changes to the routing both within the production network as well as in the enterprise network require less effort than with static routing. Therefore we recommend using a dynamic routing protocol like OSPF for connecting to the office IT environment.

[13] Equal Cost Multipath
[14] Designated Router
[15] Backup Designated Router
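The VRRP virtual MAC scheme and the control-plane multicast groups quoted for VRRP, RIPv2 and OSPF above, as an added example (not code from the Siemens document): it derives the virtual MAC from a VRRP ID, recovers the ID from a MAC seen on the wire, and maps each multicast group to its Ethernet destination address, which is what an allow-list or a detection rule for unexpected routing traffic would match on. The group names in the table are labels chosen here.

```python
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple

# OUI 00-00-5e is assigned by IANA; VRRP (and CARP) virtual MACs are built on it.
IANA_OUI = "00-00-5e"

# Control-plane multicast groups named in the text (labels chosen here).
CONTROL_PLANE_GROUPS: Dict[str, str] = {
    "VRRP": "224.0.0.18",
    "RIPv2": "224.0.0.9",
    "OSPF AllSPFRouters": "224.0.0.5",
    "OSPF AllDRouters": "224.0.0.6",
}


def vrrp_virtual_mac(vrid: int) -> str:
    """Virtual MAC of a VRRP IPv4 group: 00-00-5e-00-01-<VRID>, VRID 1..255."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRRP ID must be between 1 and 255")
    return f"{IANA_OUI}-00-01-{vrid:02x}"


def vrid_from_mac(mac: str) -> Optional[int]:
    """Inverse mapping: the VRID behind a virtual MAC, or None if the MAC is
    not a VRRP virtual MAC. Handy when inventorying the VRRP groups active
    on a segment from a frame capture."""
    parts = mac.lower().replace(":", "-").split("-")
    if len(parts) != 6 or "-".join(parts[:5]) != f"{IANA_OUI}-00-01":
        return None
    vrid = int(parts[5], 16)
    return vrid if 1 <= vrid <= 255 else None


def multicast_mac(group: str) -> str:
    """Ethernet destination MAC of an IPv4 multicast group: 01-00-5e followed
    by the low 23 bits of the group address (the RFC 1112 mapping)."""
    addr = IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    return "01-00-5e-{:02x}-{:02x}-{:02x}".format(
        (low23 >> 16) & 0xFF, (low23 >> 8) & 0xFF, low23 & 0xFF)


def control_plane_table() -> Dict[str, Tuple[str, str]]:
    """Name -> (group IP, destination MAC) for every group in the table above."""
    return {name: (ip, multicast_mac(ip)) for name, ip in CONTROL_PLANE_GROUPS.items()}


if __name__ == "__main__":
    for vrid in (1, 10, 255):
        print(f"VRID {vrid:3d} -> {vrrp_virtual_mac(vrid)}")
    for name, (ip, mac) in control_plane_table().items():
        print(f"{name:20s} {ip:12s} {mac}")
```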


5.3.2 DMZ (demilitarized zone)

Sometimes also called a perimeter network, the DMZ provides a separation between the internal trusted and the external untrusted network. This is achieved by implementing a physical or logical subnetwork that exposes internal services to external applications. All external communication ends within the DMZ. This gives additional time to detect and defend against attacks before they reach the underlying automation network.
Typical applications within a DMZ are:
• Antivirus servers
• Windows patch & update servers
• Webservers & fileservers
• Secure remote access servers (VPN) and jump hosts
• Network monitoring and maintenance tools

A DMZ can be built up in two ways:
• A single firewall with at least 3 network interfaces can be used to create a network architecture containing a DMZ. The external network is formed on the first network interface, the internal network is formed from the second network interface, and the DMZ is formed from the third network interface.
• The most secure approach is to use two firewalls to create a DMZ. The first firewall (also called the "front-end" or "perimeter" firewall) must be configured to allow traffic destined to the DMZ only. The second firewall (also called "back-end" or "internal" firewall) only allows traffic from the DMZ to the internal network. The highest level of security can be achieved by choosing two different firewall solutions for the front-end and back-end firewall.
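The two DMZ designs just described, as an added example (not code from the Siemens document): a small zone model in which every flow must be permitted by each firewall on its path, used to show why the two-firewall variant survives a single mistaken rule while the single three-interface firewall does not. The zone names, the policies and the "leaky" rule are constructed; addresses are not rewritten (no NAT) and stateful return traffic is not modelled.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Zones in the order they are chained in the two-firewall design:
# external - [front-end FW] - dmz - [back-end FW] - internal
ZONES = ["external", "dmz", "internal"]


@dataclass
class Firewall:
    name: str
    allowed: List[Tuple[str, str]]   # (source zone, destination zone); default deny

    def permits(self, src_zone: str, dst_zone: str) -> bool:
        return (src_zone, dst_zone) in self.allowed


def flow_allowed_two_tier(src: str, dst: str, front_end: Firewall, back_end: Firewall) -> bool:
    """A flow is allowed only if every firewall on its path permits it:
    external<->dmz crosses the front-end, dmz<->internal the back-end,
    external<->internal crosses both."""
    i, j = ZONES.index(src), ZONES.index(dst)
    lo, hi = sorted((i, j))
    hops = [front_end, back_end][lo:hi]
    return all(fw.permits(src, dst) for fw in hops)


def flow_allowed_single(src: str, dst: str, firewall: Firewall) -> bool:
    """Single 3-interface firewall: every cross-zone flow passes one policy."""
    return src == dst or firewall.permits(src, dst)


def exposure_from(src: str, check: Callable[[str, str], bool]) -> Dict[str, bool]:
    """Which zones a source zone can reach under the given check."""
    return {dst: check(src, dst) for dst in ZONES if dst != src}


# Policies as the text prescribes: the front-end allows traffic destined to the
# DMZ only, the back-end allows traffic from the DMZ to the internal network only.
FRONT_END = Firewall("front-end / perimeter", [("external", "dmz")])
BACK_END = Firewall("back-end / internal", [("dmz", "internal")])
SINGLE = Firewall("single 3-interface", [("external", "dmz"), ("dmz", "internal")])

# Constructed mistake: a "temporary" external -> internal rule is added.
LEAKY_RULE = ("external", "internal")
FRONT_END_LEAKY = Firewall(FRONT_END.name, FRONT_END.allowed + [LEAKY_RULE])
SINGLE_LEAKY = Firewall(SINGLE.name, SINGLE.allowed + [LEAKY_RULE])


def external_exposure_two_tier(fe: Firewall = FRONT_END, be: Firewall = BACK_END) -> Dict[str, bool]:
    return exposure_from("external", lambda s, d: flow_allowed_two_tier(s, d, fe, be))


def external_exposure_single(fw: Firewall = SINGLE) -> Dict[str, bool]:
    return exposure_from("external", lambda s, d: flow_allowed_single(s, d, fw))


if __name__ == "__main__":
    print("two-tier, correct :", external_exposure_two_tier())
    print("two-tier, leaky FE:", external_exposure_two_tier(fe=FRONT_END_LEAKY))
    print("single, correct   :", external_exposure_single())
    print("single, leaky     :", external_exposure_single(fw=SINGLE_LEAKY))
```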


5.4 Aggregation layer

This aggregation level can be used for a practical division/distribution of the industrial network. This division can be based on communication relations, responsibilities, the local situation, and/or security requirements. This level is not a mandatory requirement for the setup of an industrial network. If none of the reasons listed above exist, this level can be omitted in smaller networks.

Figure 24: Aggregation layer. Enterprise Network core (WAN Router, Core Firewall, External/Internet Firewall, Firewall / DMZ), L3 connections to the Production Backbone / Distribution (Backbone 1 to n, Production Datacenter with Server), and the Production Cell / Access level (Cells 1-1-1 to 1-2-n as Line, Ring or Tree/Star, Standby Feature with Sync).

The production lines are connected to the central plant backbone topology. These switches are capable of handling the traffic from the lines to the upper network. They support Gigabit Ethernet up to 10 Gbps and can interface the industrial datacenter and the office network with Layer 2 or Layer 3 protocols. The connectivity of the cells/production lines may use single or redundant connections and protocols. Regarding cell protection, a common practice is connectivity via a firewall with or without NAT functionality.

Layer 2 protocols:
• Rapid Spanning Tree Protocol (RSTP - IEEE 802.1D-2004)
• RSTP+ (Siemens)
• MRP / MRP Interconnection (MRP - IEC 62439-2)
• Link Aggregation (LACP - IEEE 802.3ad)
• Multiple Spanning Tree Protocol (MSTP - IEEE 802.1s)
• Passive Listening (Siemens)

Layer 3 protocols:
• Static Routing
• Virtual Router Redundancy Protocol (VRRP - RFC 5798)
• Dynamic Routing (OSPF - RFC 2328)
• Routing Information Protocol (RIP v1/v2 - RFC 1058 / RFC 2453)


5.5 Cell or machine layer

The typical setup of a cell includes industrial client devices that can be assigned to the cell based on the production process, their security settings, communication relations, or the local situation.
At this point, we should briefly deal with the difference between safety and security. In automation, the term safety is used often and its meaning is related to the protection of personnel and the environment. This is one of the most important functions in an industrial network and relates particularly to the interaction of personnel with automated machines. Safety is an end-to-end relationship between safety client devices. The medium (black channel) between these devices must be designed for the transfer of this information. Here, the network must ensure that the frames (Ethernet frames) transferred are delivered isochronously within the defined time (a few milliseconds). If these frames are not delivered, the machine must change to a safe state. What still needs to be mentioned here is that thanks to Siemens' own WLAN transfer protocol iPCF [16], the SCALANCE WLAN access points are also capable of ensuring deterministic communication through the air and therefore provide safety over WLAN.
To summarize, safety serves to physically protect life and limb. Security, on the other hand, defines the digital protection of the availability and integrity of the plant and therefore the productivity.
Here, a distinction must be made between internal security, protection against mistakes and unauthorized network access, and external security, protection from unauthorized physical access, spying and sabotage. Among other things, we talk of a cell protection concept here. The cell protection concept segments an industrial network into individual protected automation cells. Within the cell, all devices can communicate securely with each other. The connection of the individual cells to the industrial network is via the cells' own firewalls or communication processors. Cell protection reduces the vulnerability of the entire production plant against an incident and therefore increases availability. At the same time, networks with different protection needs are physically separated.
For use of network components in the cell, devices with DIN rail mounting are suitable; due to their compact design, these devices can be integrated in the control cabinets of the relevant machine and provide a robust fan-less design and a port configuration suitable for the application. The switches with their securing collars and the "Fast Connect" connectors and cables developed specially for industrial use allow simple assembly of machine connections during commissioning or expansion of the system. Due to this design of the connectors and securing collars, the electrical contacts can be protected from tensile strain and a reliable contact can be established between the plug and socket.
Just as flexible as the design of the switches and their installation are the possible network topologies. Depending on the purpose and requirements, linear, star or ring network topologies can be set up.

[16] Industrial point coordinated function


5.5.1 Simple machine group

The devices inside machines are connected with a simple line topology. This is the
easiest way to connect all devices. It gives the machine builder the possibility of
scaling the network by simply upscaling the chain.

Actual example machine level network architecture:

Figure 25: Machine level network architecture (PROFINET line connecting HMI, Energy, PLC, I/O, Drives and Motion)

All diagnostic functions described for the suggested Industrial Ethernet switches are available to the customer. Additional features like Loop Detection protect the health of the network against wrongly plugged connections. With SCALANCE XC-200 as the central switch, another option is available: the switch has the capability to perform 1:1 NAT. This gives the machine builder the possibility to reuse his SIMATIC/SIMOTION projects including the IP addresses of all devices within the machine, thereby minimizing the effort to use multiple instances of a specific machine in the same production line or network.

• Separation between factory and machine network by two Ethernet/PROFINET interfaces in the machine controller (e.g. SIMOTION, S7 PLC)
• For modular concepts, it is possible to use the same engineering projects for identical machines in the same production line, so the machine networks can have identical addresses
• Access from an engineering PC in the factory network to components in the machine network, e.g. SINAMICS drives with Starter or SCOUT
• Integrated diagnosis across subnetwork borders with the engineering tool


5.5.2 Complex machine

Actual example machine level network architecture with IRT:

Figure 26: Machine level network architecture with IRT (PROFINET with HMI and Energy, PROFINET IRT between the controllers, PROFINET to the devices)

• More complex machine with modular configuration
• Distributed motion controller
• PROFINET IRT communication between the controllers
• Distributed synchronous operation or cams over controller limits


5.5.3 Redundant topology

Actual example machine level network architecture with devices (system redundancy S2):

Figure 27: Redundant topology (PROFINET ring with HMI, Energy, PLC, redundancy controller, Motion, Drives and Devices)

• Maximum availability for isochronous communication thanks to Media Redundancy with Planned Duplication (MRPD)
• In machine network with ring topology
• Duplicated message frames in both directions of the ring
• Bump-less switch to the secondary message frames in error situations (e.g. broken wire)
• MRP supported for non-isochronous applications

5.5.4 Diagnosis possibilities for machine topologies

A very important part of the machine network structure is the possibility of diagnosing the machine components. The following sections should help with the decision of which machine structure should be selected.


Use of CPs

With the use of CPs, a network separation can easily be achieved. But for diagnosis, IP routing is necessary. This is only available for the latest Advanced CP for S7-300/S7-400 and S7-1200/S7-1500 on the CP ports. For all other devices, no IP routing is available.

Figure 28: Use of Advanced CPs. Plant with SINEC NMS; Line 1 and Line 2 on PROFINET IE (MRP) with line addresses 10.120.10.1 and 10.120.10.2. Machine 1, Machine 2 and Machine 3 (max. 99 machines) each reuse the internal addresses 192.168.0.1 to 192.168.0.3 behind an Advanced CP whose line-side addresses are 10.120.10.131, 10.120.10.132 and 10.120.10.133.

NOTE The use of CPs enables the implementation of network segmentation, but also
limits diagnostic features and access to all devices. Therefore we do not
recommend the use of CPs for network segmentation.


NAT translation

The NAT functionality converts a line/plant IP to a local machine IP. This is a 1:1 mapping. That means that each IP inside the machine that has to be reachable from outside (for diagnosis, display of a web server, and so on) has to get an IP in the line IP range.
• Extra hardware is necessary to use the NAT feature
• The NAT table has to be configured
• If detailed diagnosis is necessary, the saving in IP addresses is low

Hardware with NAT features
• SCALANCE S-615/SC-600 (hardware NAT solution - preferred)
• SCALANCE XM-400/XR-500/XC-200/XP-200 switch (software NAT solution - reduced number of translations, not recommended)

Figure 29: Hardware with NAT features. Plant with SINEC NMS; Line 1 (10.120.10.1) on PROFINET. Machine 1 and Machine 2 (max. 99 machines) each keep the internal addresses 192.168.0.1 to 192.168.0.5 behind a SCALANCE SC, with line-side addresses starting at 10.120.10.130 and 10.120.10.131.

NOTE There is also a NAPT feature. This feature reduces the number of IPs by using ports, but no diagnosis is possible.

Based on our expertise, we recommend using hardware NAT solutions with the SCALANCE S, which also provide additional security features such as a firewall or VPN tunnels.
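The 1:1 NAT arrangement above, as an added example (not code from the Siemens document): it builds the per-machine NAT table for identical machines that all use the same internal addresses, translates a packet in both directions, and compares the line-side address consumption of 1:1 NAT, NAPT and plant-wide unique addresses. The line network 10.120.10.0/24 and the start at host .130 follow the figures; the device list and the block layout per machine are constructed.

```python
from ipaddress import IPv4Address, IPv4Network, ip_address
from typing import Dict

LINE_NET = IPv4Network("10.120.10.0/24")   # line network used in the figures
FIRST_LINE_HOST = 130                      # figure 29 starts the NAT block at .130

# Constructed sample: every machine ships with the same internal addresses.
MACHINE_DEVICES: Dict[str, str] = {
    "PLC": "192.168.0.1",
    "HMI": "192.168.0.2",
    "Drive": "192.168.0.3",
}


def build_nat_table(machine_no: int, devices: Dict[str, str]) -> Dict[IPv4Address, IPv4Address]:
    """1:1 NAT table of one machine: each internal device that must be reachable
    from the line (diagnosis, web server, ...) gets its own line-side address.
    Machine k takes the k-th block of len(devices) addresses after FIRST_LINE_HOST."""
    if machine_no < 1:
        raise ValueError("machine numbers start at 1")
    base = FIRST_LINE_HOST + (machine_no - 1) * len(devices)
    table: Dict[IPv4Address, IPv4Address] = {}
    for offset, internal in enumerate(devices.values()):
        line_ip = LINE_NET.network_address + base + offset
        if line_ip not in LINE_NET or line_ip == LINE_NET.broadcast_address:
            raise ValueError(f"line network {LINE_NET} exhausted at machine {machine_no}")
        table[ip_address(internal)] = line_ip
    return table


def translate_outbound(table: Dict[IPv4Address, IPv4Address], src: str) -> str:
    """Machine -> line: rewrite the internal source address to its line address."""
    return str(table[ip_address(src)])


def translate_inbound(table: Dict[IPv4Address, IPv4Address], dst: str) -> str:
    """Line -> machine: rewrite the line destination back to the internal address."""
    reverse = {line: internal for internal, line in table.items()}
    return str(reverse[ip_address(dst)])


def line_addresses_needed(machines: int, devices_per_machine: int, mode: str) -> int:
    """Line-side addresses consumed by the three options discussed in the text."""
    if mode in ("nat_1to1", "unique"):   # one address per device, with or without NAT
        return machines * devices_per_machine
    if mode == "napt":                    # one address per machine; ports tell devices apart
        return machines
    raise ValueError(f"unknown mode {mode}")


def max_machines_with_1to1_nat(devices_per_machine: int) -> int:
    """How many identical machines fit into the NAT block before the /24 is used up."""
    usable_hosts = LINE_NET.num_addresses - 2 - (FIRST_LINE_HOST - 1)   # .130 to .254
    return usable_hosts // devices_per_machine


if __name__ == "__main__":
    for k in (1, 2):
        table = build_nat_table(k, MACHINE_DEVICES)
        print(f"machine {k}:", {str(i): str(l) for i, l in table.items()})
    print("max machines with 1:1 NAT:", max_machines_with_1to1_nat(len(MACHINE_DEVICES)))
```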


Plant wide unique IPs

If one IP range is used plant / line / machine wide, diagnostic functionalities will work for all components.
• No extra hardware is necessary
• No extra software configuration necessary
• Detailed diagnostics for all components possible
• It is necessary to change the IPs in the machine

Figure 30: Plant wide unique IPs. Plant with SINEC NMS; Line 1 (10.120.10.1) and Line 2 (10.120.10.2) on PROFINET IE (MRP). Machine 1 uses 10.120.10.131 to 10.120.10.134, Machine 2 (max. 99 machines) uses 10.120.10.141 to 10.120.10.144, and Machine 1 of Line 2 uses 10.120.10.151 to 10.120.10.154.

NOTE It is recommended to turn on "loop detection" in each of the switches used to avoid unwanted network traffic or network outages. Unused ports could be deactivated as well.

This is the preferred solution if access from the top level to the sensors with full functional scope is targeted.


6 Remote Access
Due to the ever-growing distances between support personnel and the systems that have to be maintained (e.g. support personnel working in the field), support and remote dial-ins are gaining in significance and place high demands on security solutions because of the additional potential security risks. Firstly, additional exceptions must be defined at the access point firewalls; secondly, this could mean malicious code could be allowed to run in the plant with administrative rights from a support PC, even if this is unintentional.
In order to guarantee the best possible security for the plant to be maintained, all access must be authenticated and authorized through a combination of several technologies and security mechanisms. A "direct dial-in" into the device to be serviced offers monitoring options that are too weak, and is therefore not considered.
In addition to the connection of machines, the segmentation of individual manufacturing areas or individual cells and their protection, maintenance access is an important topic for the people responsible for production. If errors occur, it is important for production that the manufacturer of the production machines can have remote access to the defective machine quickly and without complications. To meet this requirement, several issues must first be clarified. How can we make sure that no additional areas of production are disturbed as a result of the remote access? Can it be ensured that this access cannot be used as a back door to the overall production network or even the enterprise network? Does the company have a security policy that must be taken into account? Is a different department responsible for remote access?
The different options for implementing remote access are described in the following chapters.

6.1 VPN Tunnel

One simple option to allow remote access is to set up a VPN [17] IPsec [18] connection between the machine manufacturer and production. SCALANCE M industrial routers or SCALANCE S Industrial Security Appliances are placed at both ends of the tunnel and each one receives a public IP address to be reachable from the Internet. With SCALANCE M industrial routers or SCALANCE S Industrial Security Appliances, VPN tunnels with IPsec and X.509v3 certificate authentication or with PSK [19] can be established without complications. A SCALANCE M or S firewall can terminate VPN tunnels.

[17] Virtual Private Network
[18] Internet Protocol Security
[19] Pre-Shared Key


6.2 cRSP
To enable a secure and reliable connection to the plant, Siemens offers the use of the Siemens Remote Service Platform. This offers the opportunity to access industrial plants flexibly, securely, and comprehensibly.
Facts:
• More than 220,000 systems are connected to the Remote Service Platform and obtain service from it.
• The Siemens Remote Service Platform can be used by both Siemens and by external customers and partners.
• Safe
• Transparent
• Comprehensible
• Controlled by the customer
• State of the art security infrastructure
• ISO 27001 certified operation of data centers

To use the Siemens Remote Service Platform, an access point is required in the plant. There are multiple ways of doing this:
• IPsec tunnel
• SSL

Using an IPsec tunnel
To gain access to the Siemens Remote Service Platform using IPsec, an IPsec-capable system is required which can terminate the tunnel. This can be a router or a firewall that is already present in the system or a device supplied by Siemens. To ensure that data packets are forwarded to the correct device, it is important that any port forwarding that may be required is established through the network. The ports and protocols to be forwarded are: UDP 500, UDP 4500, and IP protocols 50/51. If a device supplied by Siemens is used, then port UDP 22 should also be forwarded.

Using SSL
For access using SSL encryption, a Windows system on which the Siemens Remote Service Platform SSL client can be installed is required. After installation and registration, the device on which the SSL client has been installed can be accessed. To enable communication with the Remote Service Platform, communication from the device to the IP address 194.138.37.194 must be possible via port 443.


6.3 SINEMA Remote Connect

SINEMA RC is a VPN rendezvous server which supplements the remote connection portfolio. With this server, a configuration for SCALANCE S as well as the complete SCALANCE M portfolio and selected CPs and RTUs and the SINEMA RC client can be created. These configurations are retrieved from the server using a pull function via HTTPS. The clients then establish a VPN tunnel to the central rendezvous server. Since the VPN protocol is based on OpenVPN, it is also possible to terminate tunnels from generic OpenVPN clients on the server. Based on the users, user groups and communication relations defined on the server, communication between the individual tunnels, which are terminated on the SINEMA RC, can be controlled. All certificates of the SINEMA RC can be exported with suitable rights.
An additional advantage may be the key-switch function of the SCALANCE S, which allows the operator to enable the VPN tunnel only by using the key switch.

Figure 31: SINEMA Remote Connect


6.3.1 Jump Host Application with SINEMA Remote Connect

For medium-sized and large companies it is normal to have central gateways to the
Internet in order to optimize the management effort for protection and
monitoring. In this case, the tunnel from the Internet would be terminated at
the gateway, in the intranet. To reach the relevant machine, the IP packets
would then have to be transported through the intranet all the way to the
machine. IT managers will not like the idea of third-party companies using the
enterprise network as a transit network for remote access to a machine. As an
alternative, the different setup shown in Figure 32 can be implemented.
An IPsec VPN tunnel is set up via the Internet between the machine manufacturer
and the company network. It is terminated in the DMZ (Demilitarized Zone) of
the company and routed via the company firewall. An additional VPN tunnel from
the DMZ to the machine network carries the traffic for the maintenance access.
This kind of maintenance access can be further improved from a security
perspective by using a jump host in the DMZ. The jump host acts as a platform
for maintenance personnel (e.g. third parties) and, after successful
authentication, provides them with a desktop environment and the tools needed
to access the machine.
With SINEMA Remote Connect and a jump host application in a DMZ, a service
technician can have remote access to the plant.

Figure 32: Jump Host Application with SINEMA Remote Connect

The recommended solution to fulfill the requirements described above is based on
the SINEMA Remote Connect Appliance and requires the SINEMA Remote Connect
Server as software. The SINEMA Remote Connect Client and the SCALANCE S615 (or
other SCALANCE M and S devices or selected CPs and RTUs) serve as remote ends.
To fulfill the company's security requirements, a DMZ has been set up with the
required servers. In combination with VPN connections and a remote desktop
connection, the service technician is able to access the plant remotely without
direct access to it.


Characteristics
The solution described in this application has the following characteristics:
• User management and connection management via a central server application.
• No direct access to the plant possible due to the implementation of a DMZ.
• Secured remote access to the plant from anywhere in the world.
• Controlled, encrypted data traffic between users, widely distributed plants
and machines through a VPN tunnel.
• Verification of the SINEMA Remote Connect Server by fingerprints.
• Low investment and operating costs for monitoring and controlling remotely
connected substations.
• High degree of security for machines and plants through the implementation of
the cell protection concept.
• Protocol-independent, IP-based communication.
• Easy connection of terminal units (e.g. SCALANCE S615) and SINEMA Remote
Connect Client using the auto configuration interface.

https://support.industry.siemens.com/cs/ww/en/view/109746841
7 Security in Industrial Networks


Hand in hand with the increasing digitalization of industrial automation systems go
ever-deeper integration, vast volumes of data and the adoption of open standards
to provide the necessary direct access across all levels.
This trend has a significant dark side, however, in the form of increasing
vulnerability to cyber-attack. Far-reaching integration, mushrooming data volumes
and universal standards make it much easier for attackers and malware to access
systems. Studies and incidents show not only that OT networks and production
areas are recognized as lucrative targets for attacks, but also that the people
behind these attacks are becoming more aggressive in their tactics, using more
effective tools and applying more resources to the attacks.
The reality today is that industrial systems also face professionally executed
attacks. The "cyber war" is already upon us. The new threat situation this
presents demands a fundamental rethink of information security, access
protection and the whole process of establishing industrial security concepts.
The attackers are upgrading their arsenal; never has it been more important for
automation and production system vendors and operators to take on the threat
they pose.

Organizational and technical measures must be carefully coordinated: a holistic
security concept relies on people, processes and technologies working in unison to
achieve the necessary level of protection. While this document focuses on network
security and secure remote access, there are further areas that need to be taken
into consideration for a holistic security concept:


• Plant security
• System integrity
• Roles and rights concepts
• Possible attack scenarios in product development and production

The document “Security concept for process and discrete industries” provides a
deep dive into this topic:

https://assets.new.siemens.com/siemens/assets/public.1503485245.618c6572c64a2737e8ee59de5397110cab29e657.whitepaper-security-2016-v10-en.pdf

NOTE To ensure a maximum level of security, follow the vendor's documentation and
recommendations. Specific checklists for SCALANCE system hardening are
available at:
https://support.industry.siemens.com/cs/ua/en/view/109745536


7.1 Service portfolio for Security


With Siemens Industrial Security Services, industrial companies benefit from the
comprehensive know-how as well as the technical expertise of a global network of
specialists for automation and cybersecurity. The holistic approach of the industry-
specific concept is based on state-of-the-art technologies as well as the applicable
security rules and standards. Threats and malware are detected at an early stage,
vulnerabilities analyzed in detail, and appropriate comprehensive security
measures are initiated. Continuous monitoring gives plant operators the greatest
possible transparency regarding the security of their industrial facility and optimal
investment protection at all times.
More information:
https://new.siemens.com/global/en/products/services/industry/digital-industry-services/industrial-security-services.html

7.1.1 Assessing security

Comprehensive analysis of threats and risks


Assessing security includes the comprehensive analysis of threats, identification of
risks, and concrete recommendation of security measures.
• Analysis of threats
• Identification of risks
• Examination and classification of vulnerabilities
• In accordance with IEC 62443 and ISO 27001 as well as the SIMATIC PCS 7,
WinCC and SINUMERIK security concept
• Recommendation of suitable security measures

7.1.2 Implementing security

Detailed consultation and planning for industrial security


Implementing security refers to the implementation of protection measures to raise
the security level of plants and manufacturing facilities.

• Risk reduction via multiple implementation steps
• Security and awareness training
• Network security consulting
• In accordance with IEC 62443 and the SIMATIC PCS 7, WinCC and
SINUMERIK security concept
• Installation of virus protection, whitelisting, firewalls, and patches
• Documentation and backups
• Industrial anomaly detection


7.1.3 Managing security

Proactive avoidance of security gaps


Managing security refers to the regular monitoring and updating of implemented
measures thanks to dedicated operation centers for cyber security.
• Support through a competent network of security experts
• Monitoring and update of security measures
• Validation and configuration (HW and SW)
• Information on released vulnerabilities and patch status via the Security
Vulnerability Information App
8 Products and Services for Industrial Networks

8.1 Network components
SCALANCE X Industrial Ethernet Switches and Routers, SCALANCE S Industrial
Security Appliances, Industrial Wireless LAN (IWLAN) access points, client
modules and SCALANCE M mobile wireless routers meet the requirements of
industrial applications and are available for networking the stations based on
PROFINET/Industrial Ethernet.
An overall solution comprises:

• Bus system with
  – Passive network components, e.g. cables
  – Active network components, e.g. switches
• Interfaces for connecting automation devices to the bus systems
  – Integrated interfaces
  – Dedicated communications processors
• Network transitions, e.g. IE/PB LINK PN IO


The following products are included in the SCALANCE portfolio:

Products Description

SCALANCE X – Industrial Ethernet Switches
http://w3.siemens.com/mcms/industrial-communication/en/ie/industrial-ethernet-switches-media-converters/Pages/industrial-ethernet-switches-media-converters.aspx

SCALANCE W – Industrial Wireless LAN
http://w3.siemens.com/mcms/industrial-communication/en/industrial-wireless-communication/iwlan-industrial-wireless-lan/Pages/iwlan.aspx

SCALANCE M – Industrial Routers
http://w3.siemens.com/mcms/industrial-communication/en/industrial-remote-communication/remote-networks/Pages/remote-networks.aspx

SCALANCE S/SC – Industrial Security Appliances
https://w3.siemens.com/mcms/industrial-communication/en/ie/network-security/Pages/network-security.aspx

8.2 Network software support


Siemens supports the whole network supply chain with several software products.
This broad portfolio ranges from production planning through to service.


8.2.1 SINETPLAN (Siemens Network Planner)

The Siemens Network Planner supports planners of automation systems based on
PROFINET in the professional and proactive planning of a system. The software
supports the planning and layout of PROFINET networks, especially if so-called
“Non-Real-Time Communication” such as TCP/IP is used in addition to RT or IRT
communication.
The tool calculates and simulates the network load in a PROFINET network and
shows critical points where the network load is too high. In addition, it simulates the
real-time data (Real-time communication between IO controllers and IO devices)
as well as the Non-Real-Time communication such as that coming from standard
Ethernet nodes.
This gives you an overview and transparency of the network load of the planned
network prior to installation and commissioning. If the Siemens Network Planner
shows critical network sections, it is easy to redesign and restart the simulation.
In this way you can optimize the planned network, maximize exploitation of network
resources or plan reserves, and thereby avoid problems that might only become
apparent during commissioning or even productive operation. This increases
production availability and operational security.
• Tool-supported network layout and simulation right at the planning phase
• Optimization of the exploitation of available network resources
• Avoidance of downtimes from network failures and increase of production
availability
• Ensuring operational reliability by the use of traffic shapers
• Cost optimization with “Real 1-cable solution”
• Transparency of network load for IO data as well as NRT traffic down to the
port level


Figure 33: SINETPLAN

The benefits at a glance:

• Network optimization via calculation of the network load down to the port level
• Increased production availability via online scan and verification of existing
systems
• Transparency before commissioning via import and simulation of existing
STEP 7 projects

You can find more information about SINETPLAN here:

www.siemens.com/sinetplan


8.2.2 PRONETA

PRONETA is a commissioning and diagnostics tool for PROFINET networks.


PRONETA simplifies commissioning and configuration of your PROFINET network.
The topology of your network is read automatically. You can manually adapt the
address parameters of every PROFINET device or simply apply the parameters
from a template, which can also be created with PRONETA.
You can use PRONETA to configure, control and monitor I/O modules of the
SIMATIC ET 200SP, ET 200M, ET 200MP, ET 200AL, ET 200eco PN and ET 200S
distributed I/O systems. The test results are provided in an easy-to-read log.
With PRONETA, the configuration and testing of your control cabinet can begin
during installation. This means there is nothing more in the way of fast and
successful commissioning!

Figure 34: PRONETA

You can find more information about PRONETA here:

www.siemens.com/proneta


8.2.3 SINEC NMS

SINEC NMS is a new generation of the Network Management System (NMS) for
the Digital Enterprise, one that’s equipped to deal with more and more complex
network structures in an increasingly digital world. This system can be used to
centrally monitor, manage, and configure networks with 50 to 12,500 devices
around the clock. SINEC NMS is therefore the first choice for complex network
structures, and it is paving the way for the digital transformation of industry – in all
industries and regardless of network size. The scalability of SINEC NMS means it
can grow in parallel as the network becomes larger and more complex.

Figure 35: SINEC NMS

Identifying changes in industrial networks early on and preventing failures is
necessary to ensure the productivity of industrial plants and to minimize
downtimes. The solution is SINEC NMS as it constantly monitors the network, 24/7,
and depicts the diagnostic states of the network devices live. Furthermore,
statistics over any period of time can be displayed and evaluated. The advantage
is, for example, that undesirable errors can be detected early thanks to the colored
diagnostic display. Furthermore e-mail notification provides timely information
about any changes in the network.


Managing efficiently with SINEC NMS


New components can be easily integrated into the network, while existing ones can
be configured and continuously maintained. The configuration is policy-based so
that it can be applied generically to many different components. For large-scale
networks in particular, this means major time savings when it comes to
configuration and troubleshooting.

SINEC NMS is divided into two levels to efficiently manage large-scale networks.
As the central entity, the control level quickly displays a clear view of the
network's overall status; operations are also managed here. The operation
levels, in turn, are distributed throughout the network and implement the
configuration settings from the control level on all devices.

SINEC NMS is the central element of our complete portfolio for all aspects of
industrial networks, which consists of components, software, trainings, services,
and support. Our portfolio covers all network elements and assists companies in
training their employees to maximize data security and availability.

Benefits
• Comprehensive monitoring for large and complex networks
• Policy-based configuration of the network infrastructure
• Central firmware management with topology-based rollout
• Suitable for multi-sector use in all industries
• Easy integration of new network components
• Flexible scalability for required device quantity
• Continuous maintenance for existing components
• Quick response if an error occurs
• Convenient remote network management


8.3 Services portfolio for industrial networks


Siemens provides a wide range of services from design to implementation of
industrial networks. This includes:
• On-Site Service / Support
• Design and Consulting
• Integration and Deployment
• Training and Services

More information:
https://new.siemens.com/global/en/company/topic-areas/industrial-communication-networks/professional-services.html


8.4 Industrial Networks Education


Planning and implementing industrial networks and connecting them to a corporate network
demands considerable skill and readily available specialist knowledge. The same applies when
a communication network needs to be secured, diagnosed or optimized. That is why we have
developed a training program and subsequent certification that is aligned with international
Industrial Ethernet standards. Each certificate documents tested network skills as part of the
overall Siemens industrial networks training program. In our Industrial Networks Education
courses, participants learn to design and implement wired and wireless data networks and
connect them to a corporate network. Additionally, participants receive instruction on how to
secure, diagnose and optimize industrial communication networks. Certification can also be
offered to supplement almost all training courses.
For beginners, our certification program offers initial training in Industrial Networks (Siemens
ITIN), which provides network technology basics. The course Siemens Certified Professional
for Industrial Networks (Siemens CPIN) prepares them to master three specific topic areas of
practical industrial networking. The Siemens Certified Expert for Industrial Networks (CEIN)
course rounds out their knowledge and additionally provides them with comprehensive
expertise in industrial networks. With these training and certification programs, Siemens
offers a unique qualification in a special field that combines in-depth knowledge with broad,
multidisciplinary expertise.
For further information on our Industrial Networks Education program, please refer to:
https://new.siemens.com/global/en/company/topic-areas/industrial-communication-networks/education.html

Figure 36: Modular courses

9 References
To ensure the future security of this document and to enable the inclusion of third-
party manufacturers and their products in the security concept, the following
internationally recognized standards are observed:

Standard Description

ISA – International Society of Automation
• ISA-S95 “Enterprise Control System Integration”
  – Part 1: "Models and Terminology"
  – Part 2: "Object Model Attributes"
  – Part 3: "Models of Manufacturing Operations Management"
• ISA-S99 “Manufacturing and Control System Security"



ISA 1 Reference | IEC Reference | Title | Owner | State
ISA-99.01.01 | IEC/TS-62443-1-1 | Terminology, Concepts and Models | WG3 | Published
ISA-TR99.01.02 | IEC/TR-62443-1-2 | Master Glossary of Terms and Abbreviations | WG5 | Draft
ISA-99.01.03 | IEC 62433-1-3 | System Security Compliance Metrics | WG4 | Draft
Comments: ISA 1-1 has been ISA-99.00.01; ISA 1-3 has been ISA-99.03.03

ISA 2 Reference | IEC Reference | Title | Owner | State
ISA-99.02.01 | IEC 62443-2-1 | Establishing an IACS Security Program | WG2 | Published
ISA-TR99.02.02 | IEC 62443-2-2 | Operating an IACS Security Program | WG10 | Draft
ISA-99.02.03 | IEC/TR 62443-2-3 | Patch Management in the IACS Environment | WG6 | Published

ISA 3 Reference | IEC Reference | Title | Owner | State
ISA-TR99.03.01 | IEC/TR 62443-3-1 | Security Technologies for Industrial Automation and Control Systems | WG1 | Published
ISA-99.03.02 | IEC 62443-3-2 | Security Assurance Levels for Zones and Conduits | WG4 | Draft
ISA-99.03.03 | IEC 62443-3-3 | System Security Requirements and Security Assurance Levels | WG4 | Draft
Comments: ISA 3-1 has been ISA-TR99.00.01; ISA 3-3 has been ISA-99.01.03

ISA 4 Reference | IEC Reference | Title | Owner | State
ISA-99.04.01 | IEC 62443-4-1 | Specifications for Product Development | WG4 | Proposed
ISA-TR99.04.02 | IEC 62443-4-2 | Technical Security Specifications for IACS Components | WG4 | Proposed


ISO/IEC - International Organization for Standardization / International Engineering Consortium
• 15408 "Information technology - Security techniques - Evaluation criteria for IT security"
• 17799 "Code of practice for information security management"
• 27001 "Information security management systems - Requirements"
• 62443 "Security for Industrial Process Measurement and Control - Network and System"
• 61784-4 "Profiles for secure communications in industrial networks"

NAMUR - International User Association of Automation Technology in Process Industries
• NA 67 "Information Protection for Process Control Systems (PCS)"
• NA 103 "Usage of Internet Technologies in Process Automation"
• NA 115 "IT-Security For Industrial Automation Systems"

FDA - Food Drug Administration
• FDA 21 CFR 11 "Guidelines on electronic records and electronic signatures"

Further measures for future security are:

• Close cooperation on the security requirements of customers and plant
operators (e.g. through the PCS User Club or the selection of safety critical
reference systems and reference customers)
• Cooperation with independent institutions and organizations (e.g. OPC
Foundation, ISA, ISCI, ARC, OMAC, MsMUG, PGSF, PCSRF)
• Close cooperation with other manufacturers and suppliers (e.g. Microsoft)

10 Glossary
This section defines names, terms, and abbreviations as they are used in this
collection of documents.
Due to normative activities and in order to present the current network concept to
SIMATIC customers in a uniform and internationally recognized vocabulary of
concepts and terminology, the updating of some terms from the documents used
has become necessary.
Most names, terms, and abbreviations have been taken from internationally
recognized standards (e.g. ISA-S95, ISA-S99) or the latest respective descriptions
from the manufacturer (see source information).

10.1 Abbreviations

Abbreviation Explanation
AGV Automated guided vehicle
CP Communication Processor
DMZ Demilitarized Zone
F&B Food and Beverage
IRT Isochronous Realtime
IT Information Technology
KPI Key Performance Indicator
NAT Network Address Translation
OT Operational Technology
PLC Programmable Logic Controller
VLAN Virtual Local Area Network
VPN Virtual Private Network

10.2 Links and literature


Table 10-1
No. Topic
\1\ Siemens Industry Online Support
https://support.industry.siemens.com
\2\ Link to this entry page of this application example
https://support.industry.siemens.com/cs/ww/en/view/109476976
\3\ Overview of the Line Integration Concept from Siemens for the Food & Beverage
Industry
https://support.industry.siemens.com/cs/ww/en/view/109483779
\4\ Line Integration Concept – Plant Data Interface
https://support.industry.siemens.com/cs/ww/en/view/86302104
\5\ Line Integration Concept – Line Monitoring Library
https://support.industry.siemens.com/cs/ww/en/view/99410631
\6\ Line Integration Concept – Plant Communication Concept
https://support.industry.siemens.com/cs/ww/en/view/98278624
\7\ Measuring and Visualizing Energy Data
https://support.industry.siemens.com/cs/ww/en/view/86299299
\8\ Siemens Industrial Security
http://www.industry.siemens.com/topics/global/en/industrial-security/pages/default.aspx
\9\ SINETPLAN – Siemens Network Planner
http://www.siemens.com/sinetplan
\10\ PRONETA - Commissioning and diagnostics tool for PROFINET networks
http://www.siemens.com/proneta
\11\ SINEC NMS – Network Management System for industrial networks
http://www.siemens.com/sinec-nms
\12\ SCALANCE Network Components
http://www.siemens.com/scalance

10.3 Change documentation


Table 10-2
Version Date Modifications
V1.0 05/2015 First version
V2.0 06/2016 Updated to WinCC V7.3 and SINEMA V13
V2.1 10/2016 Added a complete network concept
V2.2 06/2019 Updated Portfolio / Split of Security and Network content
