The completely networked machine is at the centre of digitalisation and the concepts of Industrie 4.0. But how can such a highly communicative application be designed securely? With the wireless module WLAN 1100, Phoenix Contact provides an access point that carries out this task in a user-friendly way.
In the past, protecting the machine network against malware and harmful actions proved to be simple: it was operated as a local island, to which only a restricted group of people needed access. In contrast, many people can access the networked machine, which is why new secure access concepts are required. The challenges and their solution can be seen in the example of wireless LAN access to the machine network for communication with smart devices, such as a tablet PC.
A wireless LAN password is not sufficient for numerous users
Most network devices allow access protection through user authentication via a common device password. A secure password such as this provides a high degree of protection, however, the generation of an appropriate password as well as secure documentation for it, is a burden for the machine operator. Since users often assume that access to the network is protected mechanically, they frequently lack the sensibility for problems in practice. This can be seen in network devices that are usually protected only by the password provided by the manufacturer, or a simple default password specified by the engineer. This statement often also applies to the wireless LAN password (WPA-PSK) that protects access through the WLAN access point to the machine network. Therefore, anyone who knows the passwords, or knows where they are stored, has free access to all devices in the network.
The machine control system manages the automated network administration
In an IT network, individual passwords are assigned to users by an administrator and distributed to the network devices by a server. If the access rights of a user change, the administrator specifies this in the central server. Machine networks are not usually maintained by network administrators. As a rule, the user rights and passwords once configured remain unchanged and valid for the complete duration of the use of the machine. In connection with this, the implementation of IT services, such as the integration of a radius server into the machine, also does not provide a solution, as it is not maintained by one administrator.
The challenge depicted can be bypassed by automating the network administration and having it carried out by the machine control system. Such an approach is not only cost-neutral and practical, but furthermore enables the engineer to have full control and flexibility in its implementation. An important prerequisite, however, is that the network device – in this case, the WLAN access point – includes an interface through which the machine control system can be controlled at the runtime. Phoenix Contact has therefore installed a web API interface into its network components that have been specially developed for machine building. Individual functions of the network devices can be controlled by sending HTTP-GET messages at the runtime. Furthermore, the complete module can be configured easily by the machine control system. The syntax of the commands thereby corresponds to the standard Command Line Interface (CLI). The new switches of the product range FL Switch 2000, as well as the WLAN access point of the series WLAN 1100, have such an interface.
One-time password generated with every connection established
The user who would like to connect with the machine network with their tablet PC registers their access request, for example, using the operation and monitoring terminal. The control then generates a random one-time password. It then configures and activates a virtual access point in the WLAN 1100 by HTTP-GET message. The one-time password to the new WLAN network is allocated to the user subsequently using the operation and monitoring terminal. If the user no longer needs the connection, the controller deactivates the virtual access point. Knowledge of the WLAN password as well as automatically storing it in the tablet PC is therefore no longer a security risk because a new one-time password is created and used the next time a connection is established.
The WLAN 1100 provides additional options for simple and secure access to the machine network. Therefore, up to two virtual access points can be established with individual WLAN security settings simultaneously. In addition to a unique WLAN password, the machine operator can use a configurable IP filter to limit the number of simultaneous connections for each point of access as well as limit the access to the network to the installed devices. In this way, it provides complete network access for the service engineer and simultaneously access, for example, for the machine operator who may only be permitted to view the visualisation server. Furthermore, a port-based DHCP server allocates individual and independent IP addresses to the WLAN clients for every virtual WLAN access point.
Web API interface is integrated into the components
The number of users who must have access to the devices installed in their network also increases due to the networking of the machine increasing. To this end, a security concept is required for allocating user rights and managing passwords. In contrast to IT networks, the machine control system can manage the administration of passwords and user rights in the network in an automated way. However, the network components at runtime must be able to be controlled by the machine control system via a simple interface. The switches of the product range FL Switch 2000, as well as the access points of the series WLAN 1100, provide an appropriate web API interface as new network devices for machine building.
MIMO technology always provides good reception
The new WLAN 1100 wireless module from Phoenix Contact combines access point and antenna technology in just one device. In contrast to the classic concept, it is installed like an antenna directly onto machines, mobile vehicles or control cabinets, rather than inside the control cabinet. Two integrated high-performance antennas with MIMO technology ensure good reception wherever it is needed. The WLAN 1100 enables both a cost-effective and simple WLAN connection of the machine. There is no need for expensive wireless planning or installation of antenna technology.
Because no space needs be reserved in the control cabinet for the wireless module, it can be retrofitted without difficulty. The WAN 1100 is attached using single-hole mounting and connected in the usual way with a Combicon connector and RJ45 Ethernet connector. The wireless module is suitable for rough industrial environments, as it is shockproof in accordance with IK08 and therefore even withstands stronger mechanical loads.
For more information contact Sheree Britz, Phoenix Contact, +27 (0)11 801 8200, [email protected], www.phoenixcontact.co.za
Tel: | +27 11 801 8200 |
Email: | [email protected] |
www: | www.phoenixcontact.co.za |
Articles: | More information and articles about Phoenix Contact |
© Technews Publishing (Pty) Ltd | All Rights Reserved