Rockwell Automation on the Move 2022 in Worcester, MA

As a Rockwell Automation systems integrator, we recently attended the much-anticipated Rockwell Automation on the Move 2022 at the DCU Center in Worcester, MA.  The last Rockwell Automation on the Move event at Worcester was on July 1-2, 2015, which is about seven years ago!

The locally sponsored event is a fantastic venue for any industrial automation or OT professional not only providing a great networking opportunity with customers, OEMs, vendors, and other systems integrators, but also providing the latest cutting-edge information regarding products, services, and solutions from Rockwell Automation.Rockwell Automation on the Move events are tailored for discovering the latest technologies and solutions through Product & Technology sessions, Hand-On Labs, and Exhibits from application and solutions companies.

We found a couple of noteworthy Product & Technology sessions that we would recommend understanding as potential solutions.

Product & Technology Session #1: PlantPAx

The first solution presented here is regarding the newest release of PlantPAx Distributed Control System, System Release 5.10.  This solution is a mature (v1.0 released in 2009) product that provides a flexible and scalable platform for the whole manufacturing plant.

For the process controller, the PlantPAx library contains add-on instructions to allow for consistent integration and faster delivery of the solution.  In System Release 5.10, many add-on instructions were combined which simplifies what instructions to use.

An interesting feature of the PlantPAx instruction is the intuitive design-time configuration interface in Studio 5000 Logix Designer.  The interface is based on the Scientific Apparatus Makers Association (SAMA) diagram interface that focuses on the data flow through the instruction.  This feature really helps to intuitively understand the PlantPAx instructions.

Example of the SAMA diagram for the Process Analog Input instruction:

When deploying the process controller in PlantPAx 5.0 and later, PlantPAx instructions are embedded in the controller firmware which executes faster than add-on instructions.  You can still utilize add-on instructions from a previous version if an existing implementation is installed.

By default, Studio 5000 will create the PlantPAx Task model for a PlantPAx program.  This task model is to ensure that an implementation of the PlantPAx system is optimized.  The Task Model creates four periodic tasks (Fast, Normal, Slow, and System).  Logic is placed in the appropriate task to ensure that process requirements are met.

Another design requirement is to create the Logical Organizer within the Studio 5000 project.  Most programmers are used to seeing the Controller Organizer where PLC logic is organized by tasks, programs, and routines.  The Logical Organizer places the programs and routines in a logical manner to align with the application layer (HMI Display).  Alarms, User Roles and Responsibility, and Security also depend upon the Logical Organizer.

Another new feature in System Release 5.0 is the Organization, Ownership, and Arbitration that are configured on the HMI and do not require Logix-based code to group equipment.  The organization function creates parent/child relationships among objects in the controller which handles the propagation of commands from parent to child and statuses from child to parent.  Ownership uses the organization to allow a parent to take ownership of a child.  Arbitration manages and prioritizes the ownership of shared equipment.  This feature is useful to command a collection of devices to work as an equipment group.

For a proper PlantPAx implementation, the proper system design should be done upfront using the PlantPAx System Estimator tool as part of the Integrated Architecture Builder software.  System Estimator tool helps define the PlantPAx system and verifies that the architecture and system elements are sized properly for solid performance and reliability.

Product & Technology Session #2: CIP Security

CIP Security is a distinctive technology that adds security-related capabilities to CIP devices on Ethernet/IP networks.  CIP (Common Industrial Protocol), CIP Security, and Ethernet/IP are all open technology standards that are managed by ODVA (www.odva.org) which is a trade and standards development organization.

In a defense-in-depth security approach, the control system architecture would have multiple layers of security in order for the system to be more resilient to attack.  If one layer comes under attack, then other layers could still provide protection.  For the CIP-connected device, Rockwell CIP Security would be the last layer of defense in order to defend itself from malicious CIP communications.

The first step for CIP Security is for each CIP device to provide an Identity and Authentication.  Each device must be able to verify that the identity of the device is authentic.  Identity and authentication helps prevent unauthorized devices from establishing connections.  A certificate is used to provide an identity based on the X.509v3 standard.  For a Rockwell system, the FactoryTalk System Services is the certificate authority, as this service signs and issues certificates for CIP devices.

The next step in CIP Security is to ensure the integrity of the data being transmitted.  CIP Security makes sure that the data has not been tampered with or falsified while in transit using Transport Layer Security (TLS) Hash-Based Message Authentication Code (HMAC).  CIP Security will reject any data that has been altered.  The attacker can see the data but can’t change the data.

Another layer of CIP Security is to ensure data confidentiality by using encryption to encode the data messages being exchanged on the Ethernet/IP network.  The encryption helps prevent viewing and snooping of the Ethernet/IP data by unauthorized parties.  The attacker cannot see the data.

Rockwell has started manufacturing devices with CIP Security capabilities only with the newest versions of hardware such as the ControlLogix 5580.  We can expect newer releases of hardware to include CIP Security in the future.  When using Studio 5000 Logix Designer, version 32 will be required to utilize CIP Security.  For devices that don’t support CIP Security, the CIP Security Proxy device (1783-CSP) may be used to utilize CIP Security for the device.

For configuring, deploying, and viewing the system security policies, FactoryTalk Policy Manager is the software tool to use.  Within FactoryTalk Policy Manager, security policies are grouped into device configuration, zones, and conduits.  Once a system security policy has been configured and deployed, one must create a backup.

Our biggest take away was how security will be most likely become a fully integrated feature of all Ethernet/IP devices.

Experienced Allen-Bradley Rockwell Automation System Integrator

Since our start 20 years ago, we’ve helped manufacturers based on Rockwell Automation’s industrial automation control, process, batching, safety and information solutions, customize and optimize their technology investment. Our team has extensive experience working with PlantPAx® DCS, Allen-Bradley ControlLogix®, CompactLogix®, MicroLogix™, and Rockwell Software® FactoryTalk® View SE & ME, AssetCentre, and FactoryTalk Batch & FactoryTalk Metrics.