
Co-authored by Roland Wagner, CODESYS.

Virtualization is well accepted in enterprise IT. Creating virtual versions of computing resources such as servers and storage enables the consolidation of multiple physical resources into a single virtual environment, which allows more efficient utilization of hardware and better resource management. The value derived includes reduced capital expenditures, lower maintenance costs, increased flexibility, and improved cybersecurity.

However, virtualization is not so prevalent in industrial environments. Industrial Automation and Control Systems (IACS) hardware in these environments, such as Programmable Logic Controllers (PLCs), Industrial PCs (IPCs), and Human Machine Interfaces (HMIs), has existed as discrete resources. With digitization, the number of such hardware resources has risen rapidly, and so has the time and expense of monitoring, updating, and troubleshooting them, which can require extended downtime and cause productivity losses. Industry 4.0 adds to this by increasing the amount of compute in production systems for data collection and analysis.

IACS compute assets can be virtualized to reap these benefits, but doing so requires special considerations. Manufacturing processes are significantly more sensitive than IT processes to network issues such as delay, latency, jitter, and packet loss. Since virtualization removes the direct or close connectivity between compute assets and the machines they control, the network must step up and adhere to stricter performance requirements.

Why virtualization on the factory floor?

Virtualization can bring several benefits in industrial sectors. Manufacturers can consolidate PLCs, IPCs, HMIs, gateways, and other physical compute resources currently on their factory floors onto local virtual machines that run on a hyperconverged compute and storage infrastructure. Existing PCs and workstations (IPCs and HMIs) can be replaced by thin clients with a smaller footprint connected to the corresponding virtual desktop. Virtual PLCs (vPLCs) running in the hyperconverged infrastructure interface with the sensors, actuators, and machines they control via the converged network. This arrangement has many advantages:

  • Scalable and agile operations: Virtualization enables manufacturers to scale their operations easily by adding or removing virtual machines as required. It also facilitates deploying new applications or updates without disrupting production processes, and adapting to changing conditions, product redesigns, and similar changes becomes a matter of updating operating parameters in the software-based IACS.
  • Increased security: Removing discrete hardware from the factory floor reduces the number of physical devices an attacker can target to gain unauthorized access to manufacturing assets and processes, and it lets manufacturers isolate critical control systems and apply security measures consistently at the virtualization layer. The caveat is that the hypervisor hosts and the converged network now carry control traffic that previously stayed on a local Layer 2 segment, so they become high-value targets; the security benefit is realized only when networks are segmented and the virtualization layer itself is hardened and access-controlled to minimize the risk of unauthorized access or malware propagation.
  • Improved disaster recovery: Virtualization allows efficient backup, replication, and restoration of virtual machines, making disaster recovery planning and execution more streamlined. It enables manufacturers to recover more quickly from system failures or disasters, reducing downtime and minimizing the impact on production.
  • Better sustainability: Consolidation of compute and storage resources into a set of central services helps reduce the total energy requirements. In addition, easier access to more processing data can help increase efficiencies, reduce waste, and lower energy consumption.
  • Testing and development: Virtualization provides an ideal environment for testing and development activities. Manufacturers can create virtual replicas of their production systems for testing new software, configurations, or system updates, ensuring they do not impact the actual production environment.

In summary, as Dr. Henning Löser from Audi (see the interview referenced below) states, manufacturers can move from a model where they buy a new "box" to get more features in the plant to one where they buy new software to get more features.

Figure 1. From direct wired to virtualized control systems powered by CODESYS

What are the networking requirements for IACS virtualization?

IACS virtualization places specific requirements on the network to ensure the reliable and secure operation of virtualized systems. Some key networking considerations for IACS virtualization include:

  • Support for tunneling Layer 2 protocols: Virtualizing IACS moves PLCs that had a direct or simple Layer 2 connection to the equipment they control into a data center, so their traffic must traverse routers, which requires Layer 3 communication. Since several popular control protocols operate at Layer 2, those protocols need to be tunneled as payload inside Layer 3 packets; the alternative of stretching VLANs across the plant is large, cumbersome, and fragile.
  • Improvements in redundancy: A resilient network helps preserve production continuity by maintaining high availability, minimizing packet loss, and ensuring continuous communications even during failure of individual components.
  • High bandwidth: The network equipment and infrastructure must be capable of supporting the higher bandwidth and corresponding throughput needed to handle the volume of traffic, which can be expected to increase once virtualization places more packets on the network.
  • Determinism: QoS mechanisms should be implemented so that critical control-system traffic is given priority over non-critical traffic. This prevents delays or interruptions in real-time control communications and provides IACS applications with consistent, predictable network behavior.
  • Visibility, security, and access: The production network should support defense-in-depth security measures to protect the virtualized IACS environment. This can include built-in security sensors designed to monitor and analyze IACS traffic, strong access controls, and effective segmentation to maintain zones of trust and minimize malware propagation. Network security should be considered at both the virtualization layer and the physical network layer. Moreover, the network should provide zero-trust network access (ZTNA) for staff and other personnel to securely log into production assets for regular monitoring and maintenance.
  • Scalability and flexibility: The network infrastructure should be scalable to accommodate the growing demands of virtualized systems. This includes considering factors such as network capacity, scalability of switches and routers, and the ability to add, remove, and reconfigure virtual machines as needed.
  • Network monitoring: Continuous monitoring of the network infrastructure is important to detect and respond to any anomalies or security incidents promptly. Network monitoring tools and techniques can help identify performance issues, network bottlenecks, or potential security breaches.

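The two requirements above that are easiest to get wrong in practice are the Layer 2 tunnel and the segmentation of that tunnel into zones and conduits. The following is an added example, not code from the Cisco or CODESYS products described in this post, that shows what a tunnel endpoint or an inline security sensor has to do with such traffic: it wraps a raw Ethernet frame carrying a Layer 2 control protocol in a VXLAN header so it can cross routers, unwraps it at the far side, and then checks the inner frame against a conduit policy before forwarding it. VXLAN is assumed here as one common Layer 2-over-Layer 3 encapsulation (the article does not name one); the VNI numbers, MAC addresses, EtherType allow-lists and the policy table are constructed for the example.

```python
"""Added example: VXLAN encapsulation of a Layer 2 control-protocol frame and a
zone/conduit check on the decapsulated frame. VXLAN, the VNI numbers, the MAC
addresses and the policy table are assumptions constructed for this example."""
from typing import Optional, Tuple

ETHERTYPE_VLAN = 0x8100      # IEEE 802.1Q tag
ETHERTYPE_PROFINET = 0x8892  # PROFINET real-time traffic (a Layer 2 control protocol)
ETHERTYPE_ETHERCAT = 0x88A4  # EtherCAT (also Layer 2)
ETHERTYPE_IPV4 = 0x0800

VXLAN_FLAG_I = 0x08          # RFC 7348 "I" flag: the VNI field is valid
VXLAN_HEADER_LEN = 8
ETH_HEADER_LEN = 14

# Constructed ISA/IEC 62443-style conduit policy: each VNI is one conduit into
# one zone and may carry only the listed inner EtherTypes.
CONDUIT_POLICY = {
    100: ("zone-cell-1", {ETHERTYPE_PROFINET}),
    200: ("zone-cell-2", {ETHERTYPE_ETHERCAT}),
}


def vxlan_encapsulate(vni: int, frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header: flags, 3 reserved, 24-bit VNI, 1 reserved."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return bytes([VXLAN_FLAG_I, 0, 0, 0]) + (vni << 8).to_bytes(4, "big") + frame


def vxlan_decapsulate(udp_payload: bytes) -> Tuple[int, bytes]:
    """Return (vni, inner Ethernet frame); reject malformed headers."""
    if len(udp_payload) < VXLAN_HEADER_LEN + ETH_HEADER_LEN:
        raise ValueError("payload too short for VXLAN header plus Ethernet header")
    if not udp_payload[0] & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    vni = int.from_bytes(udp_payload[4:8], "big") >> 8
    return vni, udp_payload[VXLAN_HEADER_LEN:]


def ethertype_of(frame: bytes) -> int:
    """EtherType of a frame, looking past a single 802.1Q tag if one is present."""
    ethertype = int.from_bytes(frame[12:14], "big")
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        ethertype = int.from_bytes(frame[16:18], "big")
    return ethertype


def check_conduit(vni: int, frame: bytes) -> Tuple[bool, str]:
    """Decide whether the inner frame is allowed on this conduit (default deny)."""
    policy = CONDUIT_POLICY.get(vni)
    if policy is None:
        return False, f"VNI {vni}: no conduit defined, drop"
    zone, allowed = policy
    ethertype = ethertype_of(frame)
    if ethertype not in allowed:
        return False, f"EtherType 0x{ethertype:04x} not permitted on conduit to {zone}, drop"
    return True, f"EtherType 0x{ethertype:04x} permitted on conduit to {zone}"


def inspect(udp_payload: bytes) -> Tuple[bool, str]:
    """Decapsulate a VXLAN UDP payload and apply the conduit check."""
    try:
        vni, frame = vxlan_decapsulate(udp_payload)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    return check_conduit(vni, frame)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    """Build a minimal Ethernet II frame, optionally carrying an 802.1Q tag."""
    header = dst + src
    if vlan is not None:
        header += ETHERTYPE_VLAN.to_bytes(2, "big") + vlan.to_bytes(2, "big")
    return header + ethertype.to_bytes(2, "big") + payload


# Constructed locally administered MACs and a zero payload padded to 60 bytes.
IO_DEVICE_MAC = bytes.fromhex("02000000aa01")
VPLC_MAC = bytes.fromhex("02000000bb01")
PAYLOAD = bytes(46)

FRAME_PROFINET = build_frame(IO_DEVICE_MAC, VPLC_MAC, ETHERTYPE_PROFINET, PAYLOAD)
FRAME_PROFINET_TAGGED = build_frame(IO_DEVICE_MAC, VPLC_MAC, ETHERTYPE_PROFINET, PAYLOAD, vlan=10)
FRAME_IPV4 = build_frame(IO_DEVICE_MAC, VPLC_MAC, ETHERTYPE_IPV4, PAYLOAD)

if __name__ == "__main__":
    for label, vni, frame in [
        ("PROFINET on cell-1 conduit", 100, FRAME_PROFINET),
        ("tagged PROFINET on cell-1 conduit", 100, FRAME_PROFINET_TAGGED),
        ("IPv4 on cell-1 conduit", 100, FRAME_IPV4),
        ("PROFINET on undefined VNI", 999, FRAME_PROFINET),
    ]:
        allowed, reason = inspect(vxlan_encapsulate(vni, frame))
        print(f"{label:36s} {'ALLOW' if allowed else 'DENY '} {reason}")
```

Two practitioner notes on the design. First, the check is default deny: a frame on a VNI that no conduit defines, or carrying an EtherType the conduit does not list, is dropped, which is what keeps a compromised host on one cell's network from pushing IP or another cell's fieldbus protocol through the tunnel. Second, the encapsulation adds 50 bytes (outer Ethernet, IP, UDP and VXLAN headers) to every frame, so a plant network that carries maximum-size Layer 2 frames needs a correspondingly larger MTU on the Layer 3 path, or the control traffic will be fragmented or dropped rather than delivered deterministically.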
Cisco and CODESYS jointly enable IACS virtualization

Cisco industrial networking incorporates advanced innovations that can help virtualize IACS assets. Cisco products and solutions in networking, management, computing, and security provide the basis of this virtualization.

Figure 2: Architectural schematic for control systems virtualization

Catalyst Industrial Ethernet switches provide the high-capacity packet switching and lossless resiliency required for uninterrupted connectivity of IACS equipment. Their support for industrial protocols, resiliency features, edge-compute capabilities, security sensing, and enforcement of segmentation through access control make them the industrial switches of choice.

Cisco Catalyst Center, the network management platform, directs all functions of the network, from onboarding devices and configuration to performance monitoring, proactive troubleshooting, and access policies, and ensures that the network is always ready.

Cisco Identity Services Engine (ISE) is a comprehensive security policy management platform used to ensure secure network access and enforce security policies. It gives organizations control over who can access their network and which resources they can reach.

Cisco Cyber Vision running within Cisco industrial networking equipment provides visibility to identify connected assets, network traffic, and security vulnerabilities. Using this level of visibility, you can define zones and conduits as per ISA/IEC 62443 and use ISE, Catalyst Center, and Cisco industrial switches to enforce segmentation.

Cisco Unified Computing System (UCS) brings together compute, networking, and storage in a single system to power your applications, including virtualization. Compared with traditional servers, which are monolithic, complex to deploy, and even more complex to adapt to workload demands, UCS is a unified system on which you can provision and balance resources to meet virtualization workloads easily.

The CODESYS Development System is an integrated development environment (IDE) in accordance with IEC 61131-3 for programming the control logic, and it contains various textual and graphical editors. Additional functions can be configured in the CODESYS Development System, e.g., user interfaces/HMI screens, fieldbus and I/O configuration, safety-relevant logic functions, data exchange with various other participants in the network, as well as coordinated motion control systems or robot kinematics.

Time to get started is now

Admittedly, virtualization of IACS is not mainstream, and it may not be on your radar quite yet. But with all the benefits it can offer, it is easy to see how it will soon be a gamechanger. In fact, Audi, the German manufacturer of technologically advanced luxury cars, has embraced virtualization and is transforming its production lines. Watch Dr. Henning Löser, head of Production Labs at Audi, explain why Audi turned to Cisco industrial IoT solutions to create its next-generation smart factories. It is not too early to start laying the networking foundation for the future of manufacturing.

If you are visiting SPS IPC Drives 2023, that runs from November 14-16 in Nuremberg, Germany, don’t miss the joint Cisco and CODESYS demonstration of virtual controllers in manufacturing environments in the CODESYS booth (#677 in hall 7).


Authors

Paul Didier

Solution Architect

Manufacturing Industry