Remote access: Secure desktop access to the plant

In industrial plants, PLCs run the show. At chemical giant BASF, they can now be remotely monitored and updated round the clock thanks to the TIA Portal with Industrial Security included.

An industrial communications network is a production plant’s backbone. If it works securely and reliably, the plant can operate at full productivity. But network errors can pose a threat to communication between the devices, and in a worst-case scenario production may halt altogether.

At its Antwerp site, BASF had 350 devices controlled by Simatic PLCs from Siemens. These included compressors, energy meters, charging stations, and other mission-critical devices. Ensuring all the PLCs always had the latest security updates was vital to protect them from malware, unauthorized access, and other threats.

The challenge was that the PLCs had yet to be connected on a single network, which meant Siemens’ automation team had to update every device on site by hand. With the site spanning 6 km² and updates taking several hours per device, this was a process that could take nearly a year to complete.

A new and comprehensive fiber optic automation network was ruled out for various reasons. At the same time, the new network had to offer improved security and availability, and be easy to maintain. It also had to be possible to create user groups so every plant cluster could manage their own devices.

The BASF team in Antwerp described their starting situation: “Our team was short on technical know-how for developing a concept that could meet the stringent IT requirements. That’s why we joined forces with product and service specialists from Siemens.” As a result, the Siemens team recommended rolling out a secure, dedicated network with Sinema Remote Connect at its core.

Sinema Remote Connect provides secure remote access to Scalance M-800, Scalance S-600 Industrial Security Appliances, dedicated CPs, and RTUs. This allows each device to be automatically configured and integrated remotely, eliminating an otherwise complex and time-consuming task. Sinema Remote Connect further improves security by encrypting all communications.

Sinema Server was implemented to fulfill the customer’s requirements for central network monitoring. This involved creating one user group for each plant cluster so the users could have secure access to their own devices. In addition, the software enables round-the-clock monitoring, including diagnostics for the SMTP network protocol, Profinet, and Simatic.

Following a successful test run in the lab, Siemens built out the network in stages. Close cooperation between the BASF and Siemens teams ensured the network’s central elements were completed within one month. The PLCs were then linked to the system step-by-step.

Since then, the central maintenance team at BASF has had desktop access to monitor and update all the controllers in the 16 plant clusters around the clock using the TIA Portal, thanks to Sinema Remote Connect. 

Further improvements can be made to the network monitoring process at BASF in the future using the Sinec NMS network management system developed by Siemens. Sinec NMS will further enhance transparency and ease of use by providing BASF’s technicians with desktop access to devices for prompt fault resolution, security monitoring, and device configuration with hardening.

In addition, BASF is now planning to upgrade its logistics system. The new system will also be completely integrated in the Sinema Remote Connect architecture.

May 2020