SIMATIC B.Data
Acquisition IPC
Operating Instructions
04/2014
A5E34850737-AA
Introduction 1
Product overview 2
Initial power-on 3
Security policy 4
Restoration and maintenance 5
Siemens AG
Industry Sector
Postfach 48 48
90026 NÜRNBERG
GERMANY
Order number: n/a
07/2014 Subject to change
Copyright © Siemens AG 2014.
All rights reserved
Legal information
Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent
damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert
symbol; notices referring only to property damage have no safety alert symbol. The notices shown below are
graded according to the degree of danger.
DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.
WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.
CAUTION
indicates that minor personal injury can result if proper precautions are not taken.
NOTICE
indicates that property damage can result if proper precautions are not taken.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will
be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to
property damage.
Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific
task in accordance with the relevant documentation, in particular its warning notices and safety instructions.
Qualified personnel are those who, based on their training and experience, are capable of identifying risks and
avoiding potential hazards when working with these products/systems.
Proper use of Siemens products
Note the following:
WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical
documentation. If products and components from other manufacturers are used, these must be recommended
or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and
maintenance are required to ensure that the products operate safely and without any problems. The permissible
ambient conditions must be complied with. The information in the relevant documentation must be observed.
Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication
may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.
Acquisition IPC
Operating Instructions, 04/2014, A5E34850737-AA 3
Table of contents
1 Introduction 5
1.1 Introduction 5
2 Product overview 7
2.1 Basics 7
2.1.1 Energy data management with B.Data 7
2.1.2 Basics of Acquisition IPC 9
2.1.3 Application areas of the Acquisition IPC 10
2.2 Hardware configuration 12
2.3 Software configuration 13
3 Initial power-on 15
3.1 Overview 15
3.2 Commissioning the Acquisition IPC 16
3.2.1 Installing the Acquisition IPC 16
3.2.2 Connecting peripherals 17
3.2.3 Completing Windows Setup 18
3.2.4 Configuring the network adapter 19
3.2.5 Logging the Acquisition IPC onto the B.Data server 22
3.3 Pre-configuration 25
3.3.1 Pre-configuration of SIMATIC DiagBase 25
3.3.2 Pre-configuration of SIMATIC NET 26
3.3.3 Pre-configuration of Windows 27
3.3.4 Pre-configuration of B.Data 28
3.3.4.1 Basics 28
3.3.4.2 Pre-configuration of the "S7" interface 30
3.3.4.3 Pre-configuration of the "Modbus" interface 31
3.3.4.4 Pre-configuration of the "OPC" interface 31
3.3.4.5 Pre-configuration of the "OLE-DB" interface 33
3.3.4.6 Pre-configuration of the "FTP" interface 33
3.3.4.7 Pre-configuration of the "Simulation" interface 35
3.4 Licensing 36
4 Security policy 37
4.1 IT security disclaimer 37
4.2 Measures for IT security 38
4.3 System configuration 40
4.3.1 Basics 40
4.3.2 Windows Firewall 41
4.3.3 Security settings 43
4.3.4 Patches 44
4.3.5 Enhanced Mitigation Experience Toolkit 46
4.3.6 Network functionality 47
4.3.7 User accounts 48
4.4 Integrating the Acquisition IPC into the local security policy 49
4.4.1 Overview 49
4.4.2 Ensuring physical access protection 49
4.4.3 Integrating the Acquisition IPC into existing IT infrastructure 50
4.4.4 Implementing IT security measures against unauthorized access 54
5 Restoration and maintenance 55
5.1 Backup and Restore 55
5.1.1 Basics on backup and restore 55
5.1.2 Siemens SIMATIC IPC Restore 57
5.1.3 Restoring Acquisition IPC 58
5.1.3.1 Restoring the Acquisition IPC 58
5.1.3.2 Resetting the Acquisition IPC to the factory settings 59
5.1.3.3 Restoring a "user generated" image 61
5.1.4 Backing up the Acquisition IPC 62
5.1.4.1 Creating a backup 62
5.1.4.2 Creating recovery medium for Acquisition IPC 63
5.1.4.3 Backing up configuration settings of the Acquisition IPC 64
5.1.5 Managing language packs 65
5.2 Repair and replacement of parts 66
5.3 Backup battery 67
Index 69
1 Introduction
1.1 Introduction
Purpose of the documentation
This document describes the characteristics and the pre-installed system configuration of the
Acquisition IPC.
Definitions and naming conventions
The following terms are used in this documentation:
Acquisition IPC: This term refers to the IPC227D with pre-installed software as well as the
system configuration.
Target group
This documentation is intended for engineers, administrators and service personnel.
Required knowledge
To understand this documentation, you need knowledge of the following topics:
Windows operating system
Network engineering
Security of PCs and telecommunications devices
Location of the documentation
You can access the documentation using a link on the desktop or the Start menu under
"Siemens Automation > Documentation > Manuals > [language]".
can be found on the documentation DVD.
Guide
This document consists of sections with instructions and a reference section. This
documentation covers the following topics:
Introduction
Product overview
Initial power-on
Security policy
Restoration and maintenance
Position in the information landscape
You can find additional information in the following documents:
Documentation for / Brief description of relevant content
B.Data - Operation: This manual describes how to configure and operate B.Data. Available on the Internet
(http://support.automation.siemens.com/WW/view/en/45522504/133300)
B.Data - Installation: This manual describes how to install B.Data. Available on the Internet
(http://support.automation.siemens.com/WW/view/en/45522504/133300)
B.Data system description: This manual presents the benefits and usage scenarios of the energy data
management system, B.Data. Available on the Internet
(http://support.automation.siemens.com/WW/view/en/45522504/133300)
Industry PC SIMATIC IPC227D - Operating Instructions: This manual contains information on commissioning and
using the SIMATIC IPC227D. Available on the Internet
(http://support.automation.siemens.com/WW/view/en/48958203/133300)
2 Product overview
2.1 Basics
2.1.1 Energy data management with B.Data
Introduction
Energy efficiency is playing an increasingly important role in industry. Rising energy prices,
increasing pressure to improve profitability and the growing awareness for climate protection
are important factors for the introduction of an energy data management system.
Lack of transparency in infrastructure processes, changing cost centers and heterogeneous
system environments require an energy data management system with a comprehensive
range of interfaces.
B.Data as an energy data management system
SIMATIC B.Data meets the current requirements for an energy data management system.
The system has a positive influence on consumer behavior, opens up new procurement
options and thereby helps to save costs. With its precise automatic energy data acquisition
and processing as well as its diverse analytical and projection capabilities SIMATIC B.Data
is the ideal tool for energy data management for now and the future.
Task of data acquisition in the energy data management system
Data acquisition plays a central role in energy data management. Essential requirements for
the data acquisition include, for example:
Acquiring measurement data from a process, for example, a plant
Processing the acquired measuring data and forming data records
Transferring the data records to B.Data energy data management
The data required for successful energy data management often exist in different formats or
systems:
Analog and digital measuring instruments
Data from other production sites
Archived consumption data from the previous year
The value of data acquisition is therefore determined by the available interfaces.
Architecture of B.Data
B.Data is based on a client-server architecture that is easily integrated into your corporate
infrastructure. Stand-alone solutions are possible as well as multi-user solutions at various
locations.
B.Data consists of four components that can be installed on one or more PCs depending on
the existing infrastructure. The communication between the individual components is
automatically set up during installation.
SIMATIC B.Data acquisition component: Acquires and processes data such as measurement
values.
SIMATIC B.Data function server: Establishes communication between B.Data acquisition
component and the B.Data database server. Generates reports.
SIMATIC B.Data database server: Stores the acquired measurement values and all calculated
or generated data, such as reports.
SIMATIC B.Data client: Configuration and operation of B.Data
SIMATIC B.Data web client: Operation of B.Data via a web browser; e.g. calling of generated
reports or trends but also inputting measurement values or energy efficiency measures.
2.1.2 Basics of Acquisition IPC
Introduction
The Acquisition IPC is an industrial PC with pre-installed acquisition component from B.Data
that enables easy introduction into the energy data management with B.Data:
Tested components that are suitable for continuous operation
No maintenance required during operation
SIMATIC NET for connecting components of an existing S7 infrastructure
Direct connection to the field level without local configuration, for example via Modbus
driver
Acquisition IPC
The Acquisition IPC is designed as an interface between the process and company network /
Internet. The Acquisition IPC meets all requirements of an energy data acquisition with
B.Data:
Acquisition of data from different data sources
Precalculation of measurement values to form data records
Protected transmission of data records to the B.Data server
Caching of data records in the event of connection loss to the B.Data server
Security policy
Due to the sensitive interface between the process and company network, there are
increased security requirements for the Acquisition IPC in regard to data security and
integrity. The Acquisition IPC must be included in the local security policy before the
Acquisition IPC can be integrated into an existing IT infrastructure.
See also
Security policy (Page 37)
2.1.3 Application areas of the Acquisition IPC
Introduction
The Acquisition IPC supports data acquisition from the field and/or process level. The
acquired data is forwarded to the B.Data server via the Intranet / Internet.
Data acquisition in the Intranet
The Acquisition IPC collects data from various plants. The acquired data is forwarded to the
B.Data server and evaluated.
Data acquisition via the Internet
A separate Acquisition IPC is used for each company location, which securely sends
acquired data via the Internet to the B.Data server at the company headquarters.
2.2 Hardware configuration
Hardware configuration of the Acquisition IPC
The Acquisition IPC is available with the following hardware configurations:
Processor: Atom E660
RAM: 2 GB RAM
Mass storage: SSD hard disk
Software configuration: Windows Embedded Standard 7 SP1 32-bit
Mounting types (included in product package): Standard rail mounting, wall mounting
Note
A 24 V power supply is required to operate the Acquisition IPC.
Power supply recommendation: Siemens Sitop 5A 24V.
2.3 Software configuration
Software configurat ion of the Acquisition IPC
The following software is pre-installed on the Acquisition IPC.
Windows Embedded Standard 7 SP1 - 32-bit
SIMATIC B.Data Acquisition
SIMATIC NET
SIMATIC DiagBase
Automation License Manager
3 Initial power-on
3.1 Overview
Introduction
Note
The Acquisition IPC should be integrated in the local security policy to ensure secure
operation.
Contact your IT security manager before commissioning the system.
Note
Data acquisition is only possible with an accessible B.Data server.
Commissioning the Acquisition IPC
The following steps are required for initial commissioning of the Acquisition IPC:
Installing the Acquisition IPC
Connecting peripherals
Completing Windows Setup
Configuring the network adapter
Logging the Acquisition IPC onto the B.Data server
See also
Security policy (Page 37)
Commissioning the Acquisition IPC (Page 16)
Pre-configuration (Page 25)
3.2 Commissioning the Acquisition IPC
3.2.1 Installing the Acquisition IPC
Introduction
You can find more detailed information on installing the Acquisition IPC in the operating
instructions of the IPC 227D.
Requirement
A suitable 24 V voltage supply is available.
PE conductor is available.
Tools for installation are available.
Procedure
1. Install the Acquisition IPC in a lockable cabinet, for example, a low-voltage distribution
cabinet.
Note
You can also install the Acquisition IPC in the cabinet after initial commissioning.
2. Connect the PE conductor.
3. Connect the power supply.
Result
The Acquisition IPC is installed.
3.2.2 Connecting peripherals
Introduction
You can find more detailed information on connecting peripherals to the Acquisition IPC in
the operating manual of the IPC 227D.
Requirement
24 V voltage supply is connected.
PE conductor is connected.
The following peripheral devices are available:
Cable USB keyboard
Cable USB mouse
Monitor with DVI-D connector
Procedure
1. Connect the above-mentioned peripherals to the Acquisition IPC.
2. Switch on the Acquisition IPC.
The Acquisition IPC performs a self-test. After a successful self-test, "Windows Boot
Manager" is displayed.
3. Select the option "Windows Embedded Standard 7".
The operating system starts and installs the necessary software packages for the
commissioning. The Acquisition IPC restarts following the installation. The "Windows
Boot Manager" is displayed.
4. Select the option "Windows Embedded Standard 7".
Result
The setup wizard for Windows is launched for initial configuration of the system.
Alternative procedure
Alternatively, you can use a "custom" image for setting up the Acquisition IPC. To do this,
select the "Siemens SIMATIC IPC Restore" option in the "Windows Boot Manager" following
the self-test. The "Completing Windows Setup (Page 18)" step is skipped. Continue with the
"Configuring the network adapter (Page 19)" step.
3.2.3 Completing Windows Setup
Requirement
The setup wizard for Windows has been launched for initial configuration of the system.
A network cable is not connected
Procedure
1. If an additional language pack is installed on the Acquisition IPC, you will be prompted to
select a language. Otherwise, "English (U.S.)" is selected.
2. Enter a user name and optionally the computer name.
The user is assigned administrator rights and has full access to the Acquisition IPC. The
computer name is usually composed of the entered user name and the suffix "-ACQ".
3. Enter the password for the user.
The following rules apply to the password:
At least 12 characters
User name may not be included
Three of the following criteria must be fulfilled: Uppercase letters, lowercase letters,
numbers, special characters
4. Accept the licensing conditions.
5. Select the time zone and time of day.
The initial configuration of the system is completed.
6. Read and accept the disclaimer on IT security.
The disclaimer is displayed each time you start the operating system.
Result
The initial configuration of the system is completed. The Windows Desktop is displayed.
The local time is used as time stamp by B.Data drivers that do not support time stamping of
the data source.
See also
Resetting the Acquisition IPC to the factory settings (Page 59)
Implementing IT security measures against unauthorized access (Page 54)
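The password rules from step 3 of the procedure above, as an added check that is not part of the original manual: a small Python validator that applies the three rules (minimum length, user name not contained, three of the four character classes) and reports which ones a candidate password fails. It assumes, since the page does not say, that the character classes are ASCII upper-case letters, lower-case letters and digits, that every other character counts as a special character, and that the user-name check is case-insensitive.

```python
# Added example: validator for the Windows Setup password rules (not part of the manual).
# Assumptions not stated on the page: character classes are ASCII-based, any character
# that is not an ASCII letter or digit counts as "special", and the user-name check is
# case-insensitive.
import string

MIN_LENGTH = 12        # "At least 12 characters"
REQUIRED_CLASSES = 3   # "Three of the following criteria must be fulfilled"


def character_classes(password: str) -> set:
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("uppercase")
        elif ch in string.ascii_lowercase:
            classes.add("lowercase")
        elif ch in string.digits:
            classes.add("number")
        else:
            classes.add("special")
    return classes


def check_password(password: str, user_name: str) -> list:
    """Return the list of violated rules; an empty list means the password is acceptable.

    Rule identifiers:
      "length"    - fewer than 12 characters
      "user_name" - the user name is contained in the password (case-insensitive, assumption)
      "classes"   - fewer than three of: uppercase, lowercase, numbers, special characters
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("length")
    if user_name and user_name.lower() in password.lower():
        violations.append("user_name")
    if len(character_classes(password)) < REQUIRED_CLASSES:
        violations.append("classes")
    return violations


if __name__ == "__main__":
    # Constructed sample values, not taken from the manual.
    samples = [("Tr0ub4dor&3xample", "acq-admin"),
               ("acqadminPass2014", "acqadmin"),
               ("alllowercase1234", "operator")]
    for pw, user in samples:
        result = check_password(pw, user)
        print(f"{pw!r} for user {user!r}: {'OK' if not result else ', '.join(result)}")
```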
3.2.4 Configuring the network adapter
Introduction
The Acquisition IPC has two interfaces that are represented by two network connections
after completing the Windows setup:
Represents the physical interface "X2P1"
Use this interface to connect the Acquisition IPC to the process network. This interface is
configured for data acquisition in SIMATIC NET.
Represents the physical interface "X1P1"
Use this interface to connect the Acquisition IPC to the Intranet / Internet in order to connect
to the B.Data server.
Requirement
The Windows Desktop must be displayed after completion of the Windows setup.
A network cable for connecting to the process network is available.
A network cable for connecting to the Intranet is available.
Network cables are uniquely marked to avoid confusion, for example, by different colors
IP configuration data for both network connections are available.
Procedure
1. Open the "Network Connections" in the Control Panel.
2. Assign descriptive names to clearly distinguish the two network connections:
Local Area Connection: For example "Process Connection"
Local Area Connection 2: For example "Intranet"
3. Configure the IP addresses for both network connections.
Static and dynamic IP addresses are supported. IPv6 is disabled and not supported.
Note
Remote desktop connection from the process network
If you want to access the Acquisition IPC from the process network via a Remote Desktop
connection, additionally specify the IP address of an accessible node in this network as
the "Default Gateway" for this network connection.
4. Connect the Acquisition IPC to the process network:
Insert the network cable into the "X2P1" port to connect to the process network .
Select "Work network" as the network profile.
5. Connect the Acquisition IPC to the Intranet:
Insert the network cable into the "X1P1" port to connect to the Intranet / Internet.
Select "Public network" as the network profile.
6. Give both networks descriptive names:
Open "Network and Sharing Center" in the Control Panel.
Click on the icon to the left of the network profile.
Enter the name.
7. Finally, clearly mark the two "X1P1" and "X2P1" ports on the Acquisition IPC, for
example, using colored labels.
Result
The network adapters are configured.
See also
Security policy (Page 37)
Windows Firewall (Page 41)
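The two-connection layout from the procedure above, as an added consistency check that is not part of the original manual: a Python function takes the intended settings of both network connections and reports deviations from the rules on this page (port "X2P1" with the "Work network" profile, "X1P1" with "Public network", IPv6 disabled, distinct connection names, and any default gateway lying inside that connection's own subnet). The check that the process and Intranet subnets do not overlap is an assumption that goes beyond the page, added because the Acquisition IPC is the only bridge between the two networks; all addresses are constructed sample values.

```python
# Added example: consistency check for the Acquisition IPC's two network connections.
# Not part of the manual. Port labels and profile names come from the page; the address
# values are constructed, and the subnet-overlap check is an added assumption.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AdapterConfig:
    port: str                       # physical port label: "X2P1" (process) or "X1P1" (Intranet)
    name: str                       # descriptive name given to the network connection
    profile: str                    # Windows network profile selected for the connection
    address: str                    # IPv4 address with prefix length, e.g. "192.0.2.10/24"
    default_gateway: Optional[str] = None
    ipv6_enabled: bool = False      # the page states IPv6 is disabled and not supported


# Page rule: process network on X2P1 as "Work network", Intranet on X1P1 as "Public network".
EXPECTED_PROFILE = {"X2P1": "Work network", "X1P1": "Public network"}


def check_adapter(cfg: AdapterConfig) -> List[str]:
    """Check a single connection against the rules on the page; return the findings."""
    findings = []
    expected = EXPECTED_PROFILE.get(cfg.port)
    if expected is None:
        findings.append(f"{cfg.port}: unknown port label")
    elif cfg.profile != expected:
        findings.append(f"{cfg.port}: profile is '{cfg.profile}', expected '{expected}'")
    if cfg.ipv6_enabled:
        findings.append(f"{cfg.port}: IPv6 is enabled but must be disabled")
    iface = ipaddress.ip_interface(cfg.address)
    if cfg.default_gateway is not None:
        # Page note: the gateway must be an accessible node in this connection's own network.
        gateway = ipaddress.ip_address(cfg.default_gateway)
        if gateway not in iface.network:
            findings.append(f"{cfg.port}: default gateway {gateway} is outside {iface.network}")
    return findings


def check_adapters(process: AdapterConfig, intranet: AdapterConfig) -> List[str]:
    """Check both connections together; an empty list means no deviation was found."""
    findings = check_adapter(process) + check_adapter(intranet)
    if process.name == intranet.name:
        findings.append("both connections carry the same name; give them distinct names")
    process_net = ipaddress.ip_interface(process.address).network
    intranet_net = ipaddress.ip_interface(intranet.address).network
    # Added assumption: the two subnets must not overlap, otherwise traffic meant for the
    # process network can end up on the Intranet side (or vice versa).
    if process_net.overlaps(intranet_net):
        findings.append(f"process subnet {process_net} overlaps Intranet subnet {intranet_net}")
    return findings


if __name__ == "__main__":
    # Constructed sample configuration (documentation address ranges, not real plant data).
    process = AdapterConfig("X2P1", "Process Connection", "Work network",
                            "192.0.2.10/24", default_gateway="192.0.2.1")
    intranet = AdapterConfig("X1P1", "Intranet", "Public network", "198.51.100.20/24")
    for line in check_adapters(process, intranet) or ["no deviations found"]:
        print(line)
```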
3.2.5 Logging the Acquisition IPC onto the B.Data server
Overview
In the B.Data acquisition configuration, you establish the logical connection between the
acquisition component and the B.Data server. The B.Data acquisition component is installed
together with the "B.Data Acquisition" software component.
You need the following data to log on the acquisition component onto the B.Data server:
Address and port of the B.Data server
B.Data user name and password
Name of the "Hardware" object in B.Data
You can use the wizard for entering the data if the B.Data server can be reached in the
network. Otherwise enter the data directly. The acquisition component is logged on as soon
as the specified B.Data server can be reached.
The figure below shows the layout of the B.Data acquisition configuration after logon:
Navigation area
Display and configuration area. The content depends on the selection in the navigation area.
Requirement
The "B.Data Acquisition" software component is installed on the PC.
Microsoft Internet Information Service (IIS) is installed on the PC.
The PC is connected to the B.Data server (optional).
The "Hardware" object is set up on the B.Data server.
A user with the "Configure acquisition" authorization is set up on the B.Data server.
Procedure
1. Double-click the "B.Data Acquisition Configuration" icon on the Windows Desktop:
The Internet Explorer starts. The welcome page of the "B.Data Acquisition Configuration"
is displayed.
2. Log on with the Windows user data of the acquisition component.
The "Status" page of the B.Data acquisition configuration is displayed. If the acquisition
component is not yet logged on to the B.Data server, the "Configure the acquisition" dialog is
displayed.
3. Select the required option in the "Configure the acquisition" dialog:
Starting the connection wizard
Configuring the connection manually
4. Enter the following connection data:
Address and port of the B.Data server
B.Data user name and password
Name of the "Hardware" object in B.Data
Note
Only with manual configuration: If you are using the name of a "Hardware" object that is
already connected to another acquisition component, the existing connection is replaced.
Result
The "Acquisition ID" is generated and entered for the connection between the acquisition
component and the B.Data server if you have used the wizard. Otherwise an attempt is
made to establish the connection with the specified data every time you start the acquisition
component. The acquisition ID is generated and entered as soon as the B.Data server can
be reached. The readiness of the acquisition configuration depends on the configured start
delay time of the acquisition service.
The figure below shows a correctly configured connection to the B.Data server:
3.3 Pre-configuration
3.3.1 Pre-configuration of SIMATIC DiagBase
Introduction
The "SIMATIC IPC DiagBase" software provides functions for viewing, monitoring and
controlling the Acquisition IPC:
Monitoring of the temperature
Monitoring of the battery voltage
Monitoring of drives with S.M.A.R.T. functionality
Watchdog
Operating hours counter
Management of the BIOS
Configuration of the display elements of the Acquisition IPC
You can find more detailed information on the topic "SIMATIC IPC DiagBase" in the
operating instructions for IPC227D.
Pre-configuration
In the Acquisition IPC's factory state, the "Watchdog" functionality is configured as follows:
An automatic hardware reset is performed for a system shutdown. After the system
reboots, data acquisition continues automatically.
Note
Since the data acquisition for B.Data runs over Windows services, no logon to the system is
necessary.
3.3.2 Pre-configuration of SIMATIC NET
Introduction
SIMATIC NET is a communication solution for various Siemens products and protocols in
industrial environments. SIMATIC NET enables consistent communication between different
automation components and devices.
SIMATIC NET provides the ideal interface to integrate or connect the Acquisition IPC in the
local automation world.
Pre-configuration
In the Acquisition IPC's factory state, SIMATIC NET is configured as follows:
The "S7" protocol is enabled.
The "SIMATIC NET SOFTNET-IE S7 LEAN" license is installed.
All other protocols are disabled.
The "PROFINET I/O" adapter is disabled.
Note
If you need the disabled protocols or adapters for data acquisition, you can enable them
again using the "Siemens Communication Settings" application.
Additional licenses may be required to use other protocols or adapters.
"SIMATIC NET SOFTNET-IE S7 LEAN" license
The "SIMATIC NET SOFTNET-IE S7 LEAN" license entitles you to set up a total of eight
connections to the following data sources:
S7 controllers with absolute addressing of the memory areas
Other S7 stations via the integrated OPC server
See also
Licensing (Page 36)
3.3.3 Pre-configuration of Windows
Introduction
The Acquisition IPC is designed and optimized as an acquisition component for continuous
operation. Since the data is acquired from the process via Windows services, it is not
necessary for a user to log on to the Acquisition IPC.
Note
The functionality of the Acquisition IPC can be limited to its intended use by installing
additional software.
Pre-configuration
In the factory state:
The energy options are set to "Continuous operation" and "Maximum performance".
All non-relevant data acquisition functions are disabled.
Services running in the background are preferred.
Properties such as memory paging or indexing are disabled for the SSD hard drive.
System events are primarily recorded only for the functions of the data acquisition.
Notes on use
Create a recovery medium.
Remote access to the Acquisition IPC
Access from another PC via Remote Desktop is only allowed from the process network. This
PC must additionally meet the higher security requirements of the Remote Desktop Protocol.
The user created during Windows Setup has the right for remote access by default. If
necessary, create an additional user with restricted rights and assign this user the right for
remote access.
See also
Backing up the Acquisition IPC (Page 62)
3.3.4 Pre-configuration of B.Data
3.3.4.1 Basics
Introduction
The Acquisition IPC supports the following interfaces for data acquisition:
"S7" interface
You use the "S7" interface to retrieve data from an S7 controller with the help of SIMATIC
NET. You address the memory areas of the S7 controller absolutely.
"Modbus" interface
You use the "Modbus" interface to retrieve data from measuring devices with Modbus
support and Ethernet interface, for example, SENTRON PAC measuring devices. The
"Modbus" interface supports the following modes:
Modbus TCP
Modbus RTU over TCP
"OPC" interface
You use the "OPC" interface to retrieve the data provided by an OPC server. The "OPC"
interface supports the "OPC-DA" specification.
"OLE-DB" interface
The "OLE DB" interface allows access to Excel tables as well as complex databases such
as SQL Server or Oracle.
"FTP, sFTP" interface
You use the "FTP, sFTP" interface to read data from ASCII files. The structure of the
content is determined by the parser, which also represents the link between the file and the
interface. These ASCII files can be located in a local directory or on an FTP server.
If the FTP server supports "sFTP", the files are transferred over a secure connection.
"Simulation" interface
You use the "Simulation" interface to simulate data acquisition. You can monitor the
accessibility of the Acquisition IPC via this interface, for example.
Note
For some interfaces, additional rules in the Windows Firewall are pre-defined, but not active.
You can activate these rules if needed.
Pre-configuration
The following sections describe the pre-configuration of the individual interfaces on the
Acquisition IPC under these headings:
Configuration in the factory state
Notes on use
Measures for commissioning
Configuration of the data acquisition
Use the "Acquisition Wizard" in B.Data to configure data acquisition. The acquisition wizard
will assist you in entering the necessary information in each case and is used to create data
points with suitable parameters. Once you have run the acquisition wizard, the respective
acquisition structure is completely laid out. Data can be acquired.
You can find more detailed information on this topic in the operating instructions for B.Data.
3.3.4.2 Pre-configuration of the "S7" interface
Configuration in the factory state
The physical interface "X2P1" is set as the interface for the "KERNEL (B.Data)" software
access point. The name in Windows is "Intel® 82574L Gigabit Network".
Additional firewall rules: Yes (incoming)
"Public" network profile: Prepared, but not enabled.
"Home" / "Work" network profile: Enabled
Notes on use
Using the preset connection, data can be acquired from all nodes in the network that
support the "S7" protocol.
The local time is used for time stamping of data records.
Measures for commissioning
Check the system time and configure time synchronization, if needed.
If you need more than eight connections to S7 controllers, procure an additional "SIMATIC
NET SOFTNET-IE S7" license.
If you want to use another physical interface instead of the preset physical interface, "X2P1",
change the configuration of "PG/PC Interface" in the Control Panel using the "Set PG/PC
Interface" configuration software.
3.3.4.3 Pre-configuration of the "Modbus" interface
Configuration in the factory state
Additional firewall rules: Yes (outgoing)
"Public" network profile: Prepared, but not enabled.
"Home" / "Work" network profile: Enabled
Notes on use
Data can be acquired from all nodes in the network that support the Modbus protocols
"Modbus TCP" or "Modbus RTU over TCP".
The local time is used for time stamping of data records.
Measures for commissioning
Check the system time and configure time synchronization, if needed.
3.3.4.4 Pre-configuration of the "OPC" interface
Configuration in the factory state
A local OPC server is pre-installed by the SIMATIC NET installation.
Additional firewall rules: Yes (incoming)
"Public" network profile: Prepared, but not enabled.
"Home" / "Work" network profile: Enabled
Notes on use
You configure the connections to other network nodes from the Siemens product range via
the local OPC server.
Note
To configure connections to network nodes from other manufacturers, either install an
additional OPC server or an "OPC TCP tunneling" product.
The DCOM technology for establishing a connection between the OPC client of B.Data and
an external OPC server in the network is not supported for security reasons.
The local time is used for time stamping of data records.
Measures for commissioning
You configure connections to the nodes in a network in order to configure the "OPC"
interface in B.Data via the Acquisition Wizard.
Use COML-S7.
You can find more detailed information in the documentation for SIMATIC NET.
Integrate the Acquisition IPC as a station in a STEP 7 project.
You can find a configuration example for STEP 7 Professional V12 in the documentation
directory of the Acquisition IPC. This configuration example contains a network topology
with an Acquisition IPC and several CPUs, including the types S7-300 and S7-1200. The
data blocks of the CPUs are accessed symbolically.
You have two options for using this example configuration for the Acquisition IPC:
You can configure the hardware configuration and adapt the station name on the
Acquisition IPC in the "Station Configuration" editor. You can load the project in the
Acquisition IPC using the "Devices & Networks" editor in the TIA Portal.
Alternatively, you can configure the hardware and create a file of type *.xdb for the
Acquisition IPC in the TIA Portal. You can then import this file in the "Station
Configuration" editor on the Acquisition IPC.
You can find more detailed information about this topic in the documentation for SIMATIC
NET and in the information system of the TIA Portal.
3.3.4.5 Pre-configuration of the "OLE-DB" interface
Configuration in the factory state
The following standard OLE DB providers are installed among others:
Microsoft OLE DB Provider for Oracle
Microsoft OLE DB Provider for SQL Server
Microsoft OLE DB Simple Provider
Additional firewall rules: No
Notes on use
Data can be accessed by all databases in the network that are supported by the OLE DB
providers mentioned above.
A connection is required to the data source with the data to be queried for the configuration
of the "OLE DB" interface in B.Data.
Measures for commissioning
If needed, install additional OLE DB providers based on the data source to be used.
3.3.4.6 Pre-configuration of the "FTP" interface
Configuration in the factory state
A local FTP server is configured on the Acquisition IPC. "C:\BData\GUI\FTP" is configured
as the directory for the FTP server. Access authorization is given to all Windows users that
belong to the "SIMATIC FILE ACCESS" group.
You can access this FTP directory as follows:
Through the "File and Printer Sharing for Microsoft Networks" under the share name,
"SIMATIC_BDATA_FTP".
Through the default FTP access, for example, "ftp://localhost"
The "FTP_Import_Task" task is configured in the Windows Task Scheduler to transfer ASCII
files from the FTP directory to the B.Data acquisition component. This task is started
automatically with the B.Data function "HotFolder". The "FTP_DeleteOldFiles" task deletes
the ASCII files in the "D:\BData\mcl\..." directory every three months. The "D:\BData\mcl\..."
directory contains the already imported files, which are kept for control purposes.
Additional firewall rules: Yes (incoming/outgoing)
"Public" network profile: Prepared, but not enabled.
"Home" / "Work" network profile: Enabled
Notes on use
The following figure shows the process of data acquisition from two FTP servers:
Data storage from an external PC via Windows File Sharing in the FTP directory
Data acquisition from local FTP server
Data acquisition from an external FTP server
If the external FTP server supports "sFTP", you can also configure a "secure connection"
using the "Acquisition Wizard".
The evaluation of the content starts as soon as new ASCII files are stored in the FTP
directory. The ASCII files must be available in specific formats that are defined by the parser.
After a successful data transfer, the ASCII files are moved to the "D:\BData\mcl\..." directory.
The contents of the directory are deleted every three months with the "FTP_DeleteOldFiles"
task.
Measures for commissioning
Create a Windows user with limited rights to enable the user to store data in the local FTP
directory. Assign this user to the "SIMATIC FILE ACCESS" user group.
Adapt the "FTP_Import_Task" task in the Windows Task Scheduler.
Note
If you configure the "FTP_Import_Task" task in the B.Data client, the pre-configured task on the
Acquisition IPC is overwritten.
Change the Windows task, "FTP_DeleteOldFiles", depending on the use, if necessary.
3.3.4.7 Pre-configuration of the "Simulation" interface
Configuration in the factory state
None.
Notes on use
The "Simulation" interface generates data with no real data source.
The local time is used for time stamping of data records.
Measures for commissioning
None.
3.4 Licensing
Introduction
The "Automation License Manager (ALM)" is pre-installed on the Acquisition IPC for
management of licenses.
The license required for the use of SIMATIC NET is already installed. The licenses required
for data acquisition are installed on the B.Data server.
Note
Notes on security
Read the following information about handling the "Automation License Manager":
The transfer of licenses from the intranet / Internet is disabled for security reasons.
Transfer licenses exclusively via USB storage media. Adhere to the guidelines for the
secure handling of USB storage media.
Always keep the installation of the "Automation License Manager" current by performing
updates.
Installing additional licenses
Additional licenses can be made available on a USB storage medium.
1. Start the "Automation License Manager" on the Acquisition IPC with "Start > All Programs
> Siemens Automation > Automation License Manager".
2. Connect the USB storage device.
3. Transfer the license.
See also
Pre-configuration of SIMATIC NET (Page 26)
4 Security policy
4.1 IT security disclaimer
Note
Siemens provides automation and drive products with industrial security functions that
support the secure operation of plants or machines. They are an important component in a
holistic industrial security policy. With this in mind, our products undergo continuous
development. We therefore recommend that you keep yourself informed about new features
and updates for our products. You can find information and a newsletter on the Internet
(http://support.automation.siemens.com).
Note
To ensure the secure operation of a plant or machine, it is also necessary to take suitable
preventive action (e.g. cell protection concept) and to integrate the automation and drive
components into a state-of-the-art, holistic industrial security policy for the entire plant or
machine. Third-party products that may be in use should also be taken into consideration.
You can find additional information on the Internet
(http://www.siemens.com/industrialsecurity).
Note
Defense in depth
Read the information on "Industrial Security" on the Internet
(http://www.industry.siemens.com/topics/global/en/industrial-security/concept/Pages/defense-in-depth.aspx).
Note
Security Guidelines for PC-based Automation Systems
Read the information and recommendations in "Security Guidelines for PC-based
Automation Systems" on the Internet
(http://support.automation.siemens.com/WW/llisapi.dll?aktprim=4&lang=en&referer=%2fWW%2f&func=cslib.csinfo&siteid=cseus&switchLang;55390879;1.x=34&switchLang;55390879;1.y=4&groupid=4000003&extranet=standard&viewreg=WW&nodeid4=20229695&objaction=csopen).
4.2 Measures for IT security
Introduction
To be used as intended, the Acquisition IPC requires communication between networks with
different security levels. In extreme cases, the Acquisition IPC will record consumption data
from a closed, unsecured process network. The consumption data are transmitted to a
B.Data server via the Internet.
Reducing present threats is part of the package of measures that goes beyond the life cycle
of the Acquisition IPC. Typical threats are for example:
Infection with malware
Manipulation of data
Denial of service attacks
Unauthorized use
Since technology will evolve over the life cycle of the Acquisition IPC and new risks may
arise, the following applies:
The package of measures for IT security included ex works is the best compromise
between functionality and security.
Nevertheless, the measures taken for IT security only serve as a very good starting point,
which the user must adapt, expand, and check on a regular basis.
Note
Delineation of responsibility
IT security is the responsibility of the user, because the security measures taken can only
represent a starting point.
Siemens AG recommends that you immediately install all available updates in the categories
"Security Update" and "Important Update".
The installation of additional software is permitted, but is the responsibility of the user.
Note
Installing updates or additional software can compromise the functionality of the system. Install
updates and additional software only after testing them in a project's test environment.
Intended use
The intended use of the Acquisition IPC is to record consumption data and transfer the data
to a B.Data server. The Acquisition IPC is equipped in performance and security exactly for
this purpose. Its (additional) use as an office or engineering PC is not permitted.
IT security measures for the Acquisition IPC
The security of the Acquisition IPC within the context of its intended use is mainly achieved
by limiting functionality.
You will learn what measures have been taken for system hardening in the "System
configuration" section.
The "Integrating the Acquisition IPC into the local security policy" section provides
recommendations for additional security measures.
See also
System configuration (Page 40)
Integrating the Acquisition IPC into the local security policy (Page 49)
4.3 System configuration
4.3.1 Basics
Introduction
The security-related system configuration ex-factory is designed for the highest possible
level of security that is possible within the scope of its intended use. This security is
essentially achieved by functional limitations to the operating system.
System configuration
The following provides an overview of the security-relevant system configuration of the
Acquisition IPC after the initial commissioning:
Windows Firewall
The existing "Public" and "Work" / "Home" network profiles in Windows have been
adapted.
Patches
In the factory state, the Acquisition IPC contains the most current patches available at the
conclusion of development for the operating system and installed additional software.
Enhanced Mitigation Experience Toolkit
A utility program is installed that is designed to prevent the exploitation of security
vulnerabilities in installed software products.
Security settings
Supported services have been kept to a minimum and adapted to the configuration of the
operating system.
Network functionality
Unnecessary protocols and functionalities are disabled.
User accounts
For security reasons, a user account is created only during commissioning.
4.3.2 Windows Firewall
Introduction
The Windows Firewall is enabled by default for the Acquisition IPC. The Windows Firewall
plays a central role in the security policy of the Acquisition IPC. The Acquisition IPC features
two network interfaces that are adapted to the particular network profile and thus the security
level during the initial commissioning.
The effectiveness of the Windows Firewall is determined by the selected network profile. If
you are connecting to a network in Windows for the first time, you are prompted to select the
network profile.
If you have a separate firewall, you need the following rule for communication between the
Acquisition IPC and the B.Data server:
1 outbound IPv4 connection to the B.Data port (default: 4444)
"Public" network profile
The "Public" network profile is intended solely for the communication of the Acquisition IPC
with the B.Data server:
All inbound connections are blocked.
Only a few outbound connections are enabled which are required for communication with
the B.Data server.
All firewall rules are configured through Group Policy.
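The "Public" profile policy described above, together with the single outbound rule a separate firewall needs for the B.Data port, expressed as a local Windows Firewall configuration. This is an added example and not part of the Siemens manual or product; the B.Data server address and the rule name are placeholders, and netsh advfirewall is used because it exists on Windows 7 / Windows Embedded Standard 7 as well as later versions.

```powershell
# Added example, not from the Siemens manual: a local Windows Firewall equivalent of
# the "Public" profile policy described above, built with netsh advfirewall.
# Placeholders (assumptions, not from the manual): B.Data server address, rule name.
param(
    [string]$BDataServer = '192.0.2.10',          # placeholder address (RFC 5737 range)
    [int]$BDataPort      = 4444,                  # default B.Data port named in the manual
    [string]$RuleName    = 'BData-Out-Public-TCP' # hypothetical rule name
)

function Invoke-Netsh {
    # Runs netsh with the given arguments and stops on a non-zero exit code, so a
    # partially applied policy does not go unnoticed.
    param([string[]]$NetshArgs)
    & netsh.exe @NetshArgs | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($NetshArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Default policy of the Public profile: firewall on, every inbound connection blocked
#    and, unlike the Windows default, every outbound connection blocked unless a rule allows it.
Invoke-Netsh @('advfirewall', 'set', 'publicprofile', 'state', 'on')
Invoke-Netsh @('advfirewall', 'set', 'publicprofile', 'firewallpolicy', 'blockinbound,blockoutbound')

# 2. The single outbound exception: TCP to the B.Data port on the B.Data server only.
#    The rule is deleted first so that repeated runs do not accumulate duplicates
#    (netsh returns a non-zero exit code when no rule matched, which is fine here).
& netsh.exe advfirewall firewall delete rule "name=$RuleName" | Out-Null
Invoke-Netsh @('advfirewall', 'firewall', 'add', 'rule',
    "name=$RuleName",
    'dir=out', 'action=allow', 'enable=yes',
    'profile=public', 'protocol=TCP',
    "remoteip=$BDataServer", "remoteport=$BDataPort")

# 3. Show the resulting profile and rule so the change can be checked and documented.
netsh.exe advfirewall show publicprofile
netsh.exe advfirewall firewall show rule "name=$RuleName"
```

Run it from an elevated PowerShell prompt on a test system first; on the Acquisition IPC itself the profile rules are delivered through Group Policy, which takes precedence over local changes made with netsh.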
"Work" and "Home" network profiles
The "Work" and "Home" network profiles are configured identically. These network profiles are
solely intended for the communication with the process network:
All outbound connections are enabled.
The following services and functions are allowed for inbound connections:
Access to the core network functionality
B.Data communication
File and printer sharing
Network discovery
File transfer via FTP
Internet access (only from the local subnet)
Remote Desktop (only from the local subnet)
Note
Firewall rules with "disabled" status can be set to "enabled" by a user with administrator
privileges, for example, to extend functions.
System configuration in the factory state
The "Public" and "Work" / "Home" network profiles ex-factory are configured as described
above. During initial commissioning, you must assign a network profile for the connection to
the process and company network.
Note
Automatic network discovery prevents changing the network profile
If the associated network connection is not assigned a gateway, Windows cannot identify the
network.
Remedy: In the network properties of the connection under "Default Gateway", enter the IP
address of any permanently available network node.
In its factory state, the Acquisition IPC can be reached via the "ping" network function. If
needed, enable the following firewall rules of the "Public" network profile:
"Network discovery (LLMNR-UDP-in)"
"File and Printer Sharing (Echo Request - ICMPv4)"
Recommendation for runtime
Following commissioning, clearly mark the network ports on Acquisition IPC, for example,
using colored labels. Use network cables with corresponding colors.
Assign descriptive names to the network and the network connections in the operating
system, for example, "Process network".
See also
Integrating the Acquisition IPC into existing IT infrastructure (Page 50)
Configuring the network adapter (Page 19)
4.3.3 Security settings
System configuration in the factory state
Around 500 security-related settings have been adapted in the operating system.
Background services are kept to a minimum or run with restricted rights.
The following guidelines apply to the logon password in Windows:
At least 12 characters
Three of the following character types must be included:
Upper-case letters
Lower-case letters
Numbers
Special characters
No user name or logon name can be included.
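An added example, not from the Siemens manual: a PowerShell check of a candidate password against the guidelines listed above, for use when creating the additional accounts the manual recommends. The function name, the constructed sample names and passwords, and the reading of "included" as a case-insensitive substring match are assumptions of this example.

```powershell
# Added example, not from the Siemens manual. Function name and samples are constructed.
function Test-LogonPasswordPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$UserName  = '',   # display name of the account, if any
        [string]$LogonName = ''    # account (logon) name, if any
    )

    $failures = @()

    # Rule 1: at least 12 characters.
    if ($Password.Length -lt 12) {
        $failures += 'shorter than 12 characters'
    }

    # Rule 2: at least three of the four character types. Unicode categories are used so
    # that letters and digits outside ASCII count too. -cmatch is required for the letter
    # classes: under the case-insensitive -match, \p{Lu} would also match lower-case letters.
    $classes = 0
    if ($Password -cmatch '\p{Lu}')        { $classes++ }   # upper-case letter
    if ($Password -cmatch '\p{Ll}')        { $classes++ }   # lower-case letter
    if ($Password -match  '\p{Nd}')        { $classes++ }   # number
    if ($Password -match  '[^\p{L}\p{Nd}]') { $classes++ }  # anything else: special character
    if ($classes -lt 3) {
        $failures += "only $classes of the 4 character types (at least 3 required)"
    }

    # Rule 3: neither the user name nor the logon name may be included in the password.
    # Windows account names are case-insensitive, so the comparison is too.
    foreach ($name in @($UserName, $LogonName)) {
        if ($name -and $Password.IndexOf($name, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $failures += "contains the name '$name'"
        }
    }

    [pscustomobject]@{
        Compliant = ($failures.Count -eq 0)
        Failures  = $failures
    }
}

# Constructed sample checks (names and passwords are not from the manual):
Test-LogonPasswordPolicy -Password 'Tr0ub4dor&3xyz'  -LogonName 'svc-bdata'  # compliant
Test-LogonPasswordPolicy -Password 'SVC-bdata2014!!' -LogonName 'svc-bdata'  # logon name included
Test-LogonPasswordPolicy -Password 'alllowercase12'                          # only 2 character types
```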
Note
A user account that has been locked due to repeated incorrect entry of the password is
released again after 15 minutes.
Recommendation for runtime
NOTICE
Change the password at regular intervals
In order to avoid restricting runtime operation, the validity of the password should not expire
automatically.
Change the password regularly to ensure the access security.
4.3.4 Patches
Introduction
Patches fix vulnerabilities or errors in the software, or add functions that were
previously not available.
System configuration in the factory state
In the factory state, the Acquisition IPC contains the most current patches available at the
conclusion of development for the operating system and installed additional software. The
functionality of the Acquisition IPC in accordance with the intended use is ensured with
system tests by Siemens AG.
NOTICE
There may be unresolved vulnerabilities during initial commissioning
Usually, between the end of development and delivery of the Acquisition IPC, there is a
period containing several patch cycles.
If available, install the latest patches for the operating system and additional software in a
secure environment.
Recommendation for runtime
Keep the Acquisition IPC up-to-date after commissioning by installing patches at regular
intervals:
Operating system: If possible, use the "Windows Update" to install security-related
patches. Siemens AG recommends that you keep the patches current for the following
Microsoft categories:
Security Update
Hotfix
Service Pack
Additional software: Install these patches at regular intervals if possible. In particular,
check the availability of patches for the following additional software, for example:
Adobe Acrobat Reader
Microsoft .NET-Framework
Microsoft XML Parser
B.Data
SIMATIC NET
NOTICE
Installation of the latest patches can impair the function of the Acquisition IPC
Especially security updates, for example, can impair or change the network functionality.
After installing patches, check whether data acquisition is working correctly.
Alternatively, you can test the effect on the functionality using a test system. This procedure
is recommended if you are using multiple Acquisition IPCs.
4.3.5 Enhanced Mitigation Experience Toolkit
Introduction
Microsoft's "Enhanced Mitigation Experience Toolkit" is a utility program that is designed to
prevent the exploitation of security vulnerabilities in installed software products.
You can find additional information on this topic in the Internet under the keyword "Enhanced
Mitigation Experience Toolkit". You can find the documentation in the Acquisition IPC Start
menu under "Start > All Programs > Enhanced Mitigation Experience Toolkit > EMET > User
Guide".
System configuration in the delivery state
The following software is protected by default for the Acquisition IPC:
Internet Explorer
B.Data
Software that is included in Microsoft's standard list (approx. 60 products from various
manufacturers)
If the "Enhanced Mitigation Experience Toolkit" detects potential unauthorized access, close
the corresponding software. Such an event is entered in the "Event Viewer" in Windows.
Recommendation for runtime
Especially if problems occur after installing additional software, you can define exceptions or
a different reaction in the "Enhanced Mitigation Experience Toolkit".
4.3.6 Network functionality
Introduction
Any network activity poses a security risk. Therefore, the Acquisition IPC network
functionality is limited to the necessary minimum.
System configuration in the delivery state
Protocol / service / component                 Status
Operating system                               -
  IPv4 protocol                                Supported
  IPv6 protocol                                Disabled
  IPv6 components                              Disabled
Automation License Manager                     -
  Transfer of licenses over the network        Disabled
SIMATIC NET                                    -
  OPC protocols not needed by B.Data           Disabled
  SIMATIC Shell                                Disabled
  Modules for PROFINET I/O and LLDP/DCP        Disabled
  S7 protocol                                  Enabled
Recommendation for runtime
If you share a folder for network access, restrict the share to the respective folder. Reduce
access rights to the necessary minimum.
4.3.7 User accounts
Introduction
No user account is preconfigured in the factory state of the Acquisition IPC. For security
reasons, you set up the user account only during the initial commissioning. Set up additional
user accounts, if possible with restricted rights, in accordance with the local security policy.
System configuration in the factory state
During initial commissioning, set up a user account that is assigned to the "Administrators"
user group. The "Administrators" user group has full access rights to the operating system
level.
The following user groups are defined:
SIMATIC FILE ACCESS
User group with access to the shared B.Data directory in which the ASCII files are saved
via FTP or Windows file sharing.
SIMATIC NET
User group for using OPC.
Siemens TIA Engineer
User group for using engineering tools such as WinCC or STEP 7.
SIMATIC HMI
User group for using SIMATIC HMI components.
Recommendation for runtime
If you create additional users, assign them to one or more user groups.
NOTICE
Assign additional users to the user groups intended for this in the local security policy
The "Administrators" group has full access to all the configuration settings of the operating
system, including user permissions.
Assigning a user to the "Administrators" group represents a significant security risk.
4.4 Integrating the Acquisition IPC into the local security policy
4.4.1 Overview
Introduction
The integration of the Acquisition IPC in the local security policy essentially involves
deliberation and actions on the following points:
Ensuring physical access protection
Integrating the Acquisition IPC into existing IT infrastructure
Implementing IT security measures against unauthorized access
Before commissioning the Acquisition IPC, it may be necessary to perform another risk
analysis from which the effective measures are derived.
NOTICE
Measures for the local security policy must be regularly reviewed and adapted
The integration of the Acquisition IPC in the local security policy does not end with its
commissioning. All security measures must be regularly reviewed and adapted to the
current state of the art when needed.
4.4.2 Ensuring physical access protection
Introduction
Measures for physical access protection directly prevent access to the Acquisition IPC. In
addition to access controls for the production area, physical access protection essentially
means the installation of the Acquisition IPC in a lockable cabinet.
Recommendations for physical access protection
Take into account the following recommendations when integrating the Acquisition IPC in the
local security policy:
Install the Acquisition IPC in a lockable cabinet.
Appoint specific contact persons who have access to this cabinet.
Place the keyboard and mouse in lockable drawers as well.
Prohibit the use of Bluetooth keyboards with the Acquisition IPC.
Use only USB storage devices with trusted content.
4.4.3 Integrating the Acquisition IPC into existing IT infrastructure
Introduction
Within the framework of its intended use, the Acquisition IPC forms an interface between the
process network and the company network / Internet. Depending on the security policies in
effect, it may be necessary to perform a new risk analysis before integrating the Acquisition
IPC in an existing IT infrastructure.
The following figure shows the communication paths required by the intended use of the
Acquisition IPC.
The Acquisition IPC transmits data from the process network to a B.Data server via an
outbound connection. Inbound connections are not permitted. Use a separate router to
configure inbound connections.
The following deliberations and actions are essentially needed for the integration of the
Acquisition IPC in an existing IT infrastructure:
Configuration of a company firewall
Integration of an update server
Integration of a time server
Use of a virus scanner
Topology examples
The following topology examples show the use of one or more Acquisition IPCs:
Acquisition of consumption data in a local area network
Acquisition of consumption data directly over the Internet
Acquisition of consumption data from two company sites via the Internet
Acquisition of consumption data in a local area network
In this topology example, the consumption data from the factory floor of a small
manufacturing company are recorded and transmitted to the B.Data server in the
administration building. There is no connection to the Internet.
Connection from the Acquisition IPC to the process network. Required network profile: "Home" /
"Work"
Connection from the Acquisition IPC to the Intranet. Required network profile: "Public"
Taking into consideration the local security policy as well as the availability of data sources,
update servers and additional firewalls, you can also select the lower security level of the
"Home" / "Work" network profile for this connection.
Acquisition of consumption data directly over the Internet
In this topology example, building management records the consumption data from two
property locations. The consumption data are transmitted to a B.Data server in the
administration building via the Internet. The two Acquisition IPCs are connected directly to
the Internet.
Connection from the Acquisition IPC to the process network. Required network profile: "Home" /
"Work".
Connection from the Acquisition IPC to the Internet. Required network profile: "Public".
Router with additional firewall
The following rule must be defined in the firewall settings:
1 outbound IPv4 connection with the B.Data port (default: 4444)
Acquisition of consumption data from two company sites via the Internet
In this topology example, the consumption data are recorded in a large industrial company
with two locations. The B.Data server is located at the company headquarters. The
consumption data from the production site are transferred over the Internet.
Connection from the Acquisition IPC to the process network. Required network profile: "Home" /
"Work"
Connection from the Acquisition IPC to the company network (Intranet). Required network
profile: "Public"
Taking into consideration the local security policy as well as the availability of data sources,
update servers and additional firewalls, etc., you can also select the lower security level of the
"Home" / "Work" network profile for this connection.
Router with additional firewall
The following rule must be defined in the firewall settings:
1 outbound IPv4 connection with the B.Data port (default: 4444)
Router with additional firewall to connect the update server with the process network.
PC to provide updates for operating systems and virus scanners in the company and process
network.
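The single firewall rule required in the two Internet-connected topology examples above (one outbound IPv4 connection to the B.Data port, default 4444, no inbound connections) can be mirrored on the Acquisition IPC's own Windows Firewall, so that the host enforces the same egress policy even if the router in front of it is misconfigured. The following PowerShell script is an added example and is not part of the Siemens documentation or the B.Data product. It assumes that the B.Data connection uses TCP (the manual names only the port), that the B.Data server address is supplied by the caller, and that the adapter facing the company network or Internet is assigned to the "Public" profile as the topology examples require. It uses `netsh advfirewall`, which is available on Windows 7 and later.

```powershell
# Added example: host-side mirror of the router firewall rule from the topology
# examples. Assumptions (not from the manual): TCP transport, B.Data server
# address given by the caller, company/Internet adapter on the "Public" profile.
param(
    [Parameter(Mandatory = $true)]
    [string]$BDataServer,          # IPv4 address of the B.Data server (caller-supplied)
    [int]$BDataPort = 4444         # B.Data port, default taken from the manual
)

# 1. Public profile: drop every inbound connection, including those that an
#    existing rule would otherwise allow ("blockinboundalways"), and block
#    outbound traffic by default so only explicit rules may leave the host.
netsh advfirewall set publicprofile state on
netsh advfirewall set publicprofile firewallpolicy blockinboundalways,blockoutbound

# 2. The single permitted outbound connection: Acquisition IPC -> B.Data server:port.
#    Delete any stale copy first so re-running the script does not duplicate it.
netsh advfirewall firewall delete rule name="B.Data outbound" | Out-Null
netsh advfirewall firewall add rule name="B.Data outbound" dir=out action=allow `
    protocol=TCP remoteip=$BDataServer remoteport=$BDataPort profile=public enable=yes

# 3. Log dropped connections so that unexpected inbound or outbound attempts on
#    the Public adapter appear in pfirewall.log for review.
netsh advfirewall set publicprofile logging droppedconnections enable

# 4. Show the resulting rule for verification.
netsh advfirewall firewall show rule name="B.Data outbound"
```

Because the Public profile now blocks outbound traffic by default, the update server and time server must be reachable over the process network adapter ("Home" / "Work" profile), which is where the manual recommends placing the update server; if either is instead reached over the company network or Internet, add an analogous outbound rule for it.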
Use of anti-malware software
No anti-malware software is pre-installed on the Acquisition IPC. The use of anti-malware
software, including automatic updating, is strongly recommended. You can also use
Whitelisting software to define applications that are allowed to run on the Acquisition IPC.
See also
Windows Firewall (Page 41)
4.4.4 Implementing IT security measures against unauthorized access
Security updates for operating system and installed additional software
Security updates for the operating system or the provision of updated virus signatures can
be implemented via an update server, for example. You should preferably place the update
server in the process network.
Secure handling of passwords
When working with passwords, adhere to the following recommendations:
The password should only be known by legitimate users.
Entrust passwords only to authorized users.
Change the password at regular intervals in accordance with the password rules. Always
assign a new password.
Only use cabled input devices.
Physical access protection
Simple biometric access controls and wireless connections increase the security risk.
Instead, adhere to the recommendations for physical access protection.
See also
Ensuring physical access protection (Page 49)
5 Restoration and maintenance
5.1 Backup and Restore
5.1.1 Basics on backup and restore
Introduction
The Acquisition IPC is delivered with a pre-installed operating system. The image for
creating a Recovery DVD is stored in a hidden partition on the hard drive. You can use the
"Siemens SIMATIC Restore" application to access the hidden partition. The application can
be started via the boot menu of the Acquisition IPC.
Partitioning the hard disk
The following figure shows the partitions of the Acquisition IPC hard disk:
"Restore": Hidden. Contains the "Factory Settings" image of the factory state.
"System": Operating system and configuration data
"Data": User data
Note
Recommendation for data organization
When the Acquisition IPC is restored, the "System" partition is deleted at the very least.
Save all individually created data and additionally purchased licenses, preferably in the
"Data" partition.
Images
An image is a file with the following content:
Partition data
Content of the "System" partition
There are two images for the Acquisition IPC:
"Factory Settings" image:
This image contains the settings for the Acquisition IPC in its factory state. You cannot
overwrite or delete this image.
"User generated" image:
You can create this image at any time, for example, after the configuration of the
Acquisition IPC. Each additional "user generated" image overwrites the previous "user
generated" image.
Each of the two images is stored in the "Restore" partition. You can back up the content of
the "Restore" partition to a USB storage device.
See also
Creating recovery medium for Acquisition IPC (Page 63)
5.1.2 Siemens SIMATIC IPC Restore
Siemens SIMATIC Restore
The "Siemens SIMATIC IPC Restore" application is used for the following tasks:
Creating a recovery medium
Resetting the Acquisition IPC to the delivery state
Creating a user-defined backup
Restoring a user-defined backup
Managing language packs for the interface language of the Acquisition IPC
The application can be started via the boot menu of the Acquisition IPC.
Language packs
You can install up to two different language packs on the Acquisition IPC:
Basic language
The language in which the user interface is displayed. "English" is set as the basic
language by default. You cannot delete the basic language.
Additional language
You can set the additional language as the basic language. The previous basic language
then becomes the additional language. You may delete the additional language.
See also
Creating a backup (Page 62)
Restoring the Acquisition IPC (Page 58)
Managing language packs (Page 65)
5.1.3 Restoring Acquisition IPC
5.1.3.1 Restoring the Acquisition IPC
Introduction
You create an image with the "Siemens SIMATIC IPC Restore" application.
Rules:
If the Acquisition IPC is booted from a USB storage device, you can restore only the
images from the USB storage device.
You can additionally restore the entire hard disk.
If the Acquisition IPC is booted without a USB storage device, only the image of the
"Restore" partition in the Siemens SIMATIC Restore application is available.
Restoring the entire hard disk
NOTICE
All data on the hard disk are deleted
The hard drive is formatted and all data will be deleted.
Before you restore the hard disk, ensure that:
The data of the "System" and "Data" partitions are backed up.
The licenses are backed up.
The "Restore complete system disk" command restores all partitions of the hard disk, for
example, after a hard disk replacement:
1. The hard disk is formatted and then partitioned.
2. The content of the "System" partition is restored based on one of the following images:
"Factory settings"
"User generated"
See also
Restoring a "user generated" image (Page 61)
5.1.3.2 Resetting the Acquisition IPC to the factory settings
Introduction
You can restore the "system" partition from the local hard disk or from a USB storage device.
Note
All data on the "System" partition are deleted.
Requirement
The data of the "System" and "Data" partitions, including the licenses, are backed up.
When restoring from a USB storage device:
A recovery medium has been created.
Booting from USB is enabled in BIOS.
Procedure
1. To restore the backup from a USB storage device, connect the USB storage device to the
Acquisition IPC.
2. Restart the Acquisition IPC.
3. Select the command "Siemens SIMATIC Restore" from the boot menu.
The "Siemens SIMATIC IPC Restore" application starts. The application starts
automatically when booting from a USB storage device.
4. If you have booted from the hard disk:
Select the menu command "Restore SIMATIC B.Data Acquisition IPC" and click
"Next".
5. If you have booted from a USB storage device:
Select the menu command "Restore SIMATIC B.Data Acquisition IPC" and click
"Next".
If you want to restore the "System" hard disk partition, select the menu command
"Restore existing system partition only" and click "Next".
If you want to restore the complete hard disk, select the menu command "Restore
complete system disk" and click "Next".
The entire hard disk is formatted and then partitioned again.
The "System" hard disk partition is restored with the "Factory Settings" image.
6. Restart the Acquisition IPC once the restore is successfully completed.
The setup wizard for Windows is launched for initial configuration of the system after
rebooting.
7. Configure the following settings:
Country settings with time zone and keyboard layout
User name and PC name
Password
Windows updates
Time
Network settings
Result
The restoration of the Acquisition IPC is completed.
See also
Creating recovery medium for Acquisition IPC (Page 63)
Completing Windows Setup (Page 18)
5.1.3.3 Restoring a "user generated" image
Introduction
You can restore the "system" partition from the local hard disk or from a USB storage device.
Note
All data on the "System" partition are deleted.
Requirement
The data of the "System" and "Data" partitions, including the licenses, are backed up.
When restoring from a USB storage device:
A recovery medium has been created.
Booting from USB is enabled in BIOS.
Procedure
1. To restore the backup from a USB storage device, connect the USB storage device to the
Acquisition IPC.
2. Restart the Acquisition IPC.
3. Select the command "Siemens SIMATIC Restore" from the boot menu.
The "Siemens SIMATIC IPC Restore" application starts. The application starts
automatically when booting from a USB storage device.
4. Select the menu command "User generated Backup/Restore" and click "Next".
5. If you have booted from the hard disk:
Select the menu command "Restore User generated Backup" and click "Next".
6. If you have booted from a USB storage device:
Select the menu command "Restore SIMATIC B.Data Acquisition IPC" and click
"Next".
If you want to restore the "System" hard disk partition, select the menu command
"Restore existing system partition only" and click "Next".
If you want to restore the complete hard disk, select the menu command "Restore
complete system disk" and click "Next".
The entire hard disk is formatted and then partitioned again.
The "System" hard disk partition is restored with the "user generated" image.
7. Select the menu command "Restore User generated Backup" and click "Next".
Result
The "System" partition is deleted and then restored from the image.
See also
Restoring the Acquisition IPC (Page 58)
Creating recovery medium for Acquisition IPC (Page 63)
5.1.4 Backing up the Acquisition IPC
5.1.4.1 Creating a backup
You create backups with the "Siemens SIMATIC IPC Restore" application.
Note
The "Siemens SIMATIC IPC Restore" application is designed exclusively for backing up the
configuration data of the Acquisition IPC. You need to use a separate backup solution to
back up the data generated at runtime.
The following backups are supported:
Creating a recovery medium for the "Restore" partition (1)
Backing up the "System" partition (2)
(1): Only possible on USB storage devices
(2): Only possible on local drives
You can use backups for commissioning multiple Acquisition IPCs.
See also
Creating recovery medium for Acquisition IPC (Page 63)
Backing up configuration settings of the Acquisition IPC (Page 64)
5.1.4.2 Creating recovery medium for Acquisition IPC
Introduction
Acquisition IPC is supplied without a Recovery DVD. The "Factory Settings" image with the
factory state of the Acquisition IPC is stored on the "Restore" partition instead.
Recommendation: When the Acquisition IPC is switched on for the first time, create a
backup of the "Restore" partition on a USB storage device.
Requirement
A bootable, blank USB storage device with the Windows file system must be available.
Windows has been properly shut down.
The "Restore" partition is unchanged.
Procedure
1. Reboot the Acquisition IPC.
2. Select the command "Siemens SIMATIC IPC Restore" from the boot menu.
The "Siemens SIMATIC IPC Restore" application starts.
3. Select the menu command "Copy Restore to USB-FlashDrive" and click "Next".
The required memory is determined and displayed.
4. Connect a USB storage device that has at least the indicated minimum amount of memory
to the Acquisition IPC.
5. Select the USB storage device and click "Accept selection".
Result
The following images are copied to the USB storage device:
"Factory Settings" image
If created: "User generated" image
You can use this USB storage device to restore the entire disk partitions of the Acquisition
IPC.
See also
Creating a backup (Page 62)
5.1.4.3 Backing up configuration settings of the Acquisition IPC
Introduction
You can back up the "System" partition as a "user generated" image in the "Restore"
partition. If you have already created a "user generated" image, it is overwritten.
Recommendation: If you have configured the Acquisition IPC and connected it to the
network, you should back up the configuration settings as a "user generated" image.
Procedure
1. Restart the Acquisition IPC.
2. Select the command "Siemens SIMATIC IPC Restore" from the boot menu.
The "Siemens SIMATIC IPC Restore" application starts.
3. Select the menu command "User generated Backup/Restore" and click "Next".
4. Select the menu command "Capture Backup of system partition" and click "Next".
Result
The "user generated" image is created and saved in the "Restore" partition.
If you want to additionally save the "user generated" image on a USB storage device, create
a recovery medium.
See also
Creating a backup (Page 62)
Creating recovery medium for Acquisition IPC (Page 63)
5.1.5 Managing language packs
Introduction
You set the user interface language and the keyboard layout of the Windows operating
system in the "Siemens SIMATIC IPC Restore" application.
English is set as the interface language by default. If you need a different language, install
an additional language pack.
Requirement
The "Siemens SIMATIC IPC Restore" application has started.
The "Manage Windows Language" command is selected.
Installing a language pack
1. Select the language pack that you want to install.
The installed language is set as an additional language.
You can set the language as the basic language.
Setting the language as the basic language
1. Select a language pack that has been already installed.
2. To set the selected language as a basic language, click on "Set language to
<language>".
The selected language is set as the basic language.
Removing a language pack
1. Select the language pack that you want to remove.
Note
You can only remove additional languages.
If you want to remove a basic language, you must first specify a language other than the
basic language.
2. To remove the selected language, click on "Remove <language> language pack".
5.2 Repair and replacement of parts
Sending the Acquisition IPC for repair
If you need to send the Acquisition IPC in for repair, please make the following preparations:
1. If you are using additional licenses, back up the licenses to an external storage medium.
2. Back up the configuration settings of the Acquisition IPC.
3. Note changed BIOS settings (optional).
After the repair
When you receive the Acquisition IPC back from repair, restore it with the following steps:
1. Restore the changed BIOS settings (optional).
2. Restore the "User-defined" backup.
3. If you are using additional licenses, transfer the licenses from the external storage
medium.
See also
Backing up configuration settings of the Acquisition IPC (Page 64)
Restoring a "user generated" image (Page 61)
5.3 Backup battery
Regular replacement of the backup battery
The service life of a backup battery is approximately 5 to 8 years, depending on the
operating conditions. Replace the backup battery at regular intervals.
Additional information
Read the additional information on handling the backup battery in the documentation for your
SIMATIC IPC.
Index
"
"FTP" interface
Pre-configuration, 33
"Modbus" interface
Pre-configuration, 31
"OLE-DB" interface
Pre-configuration, 33
"OPC" interface
Pre-configuration, 31
"S7" interface
Pre-configuration, 30
"Simulation" interface
Pre-configuration, 35
A
Acquisition IPC
Backup battery, 67
Completing Windows Setup, 18
Configuring the network adapter, 20
Connecting peripherals, 17
Hardware configuration, 12
Initial power-on, 18
Installing, 16
Remote access, 27
Repairing, 66
Software configuration, 13
B
B.Data acquisition configuration, 22
Logging an acquisition component onto B.Data, 23
Backup battery, 67
C
Configure
Network Adapter, 20
Connecting
Keyboard to the Acquisition IPC, 17
Monitor to the Acquisition IPC, 17
Mouse to the Acquisition IPC, 17
Peripherals to the Acquisition IPC, 17
Power supply to the Acquisition IPC, 16
D
Definitions and naming conventions, 5
G
Guide, 5
I
Initial power-on
Acquisition IPC, 18
Installing
Acquisition IPC, 16
Intended use, 38
IT security
Delineation of responsibility, 38
Local security policy, 49
Measures, 38
System configuration, 40
L
Licenses
transfer, 36
Licensing, 36
Location of the documentation, 5
Logon
Acquisition component with B.Data, 23
P
Position in the information landscape, 6
Pre-configuration
"FTP" interface, 33
"Modbus" interface, 31
"OLE-DB" interface, 33
"OPC" interface, 31
"S7" interface, 30
"Simulation" interface, 35
SIMATIC IPC DiagBase, 25
Windows, 27
Purpose of the documentation, 5
R
Remote access, 27
Repair
Acquisition IPC, 66
Required knowledge, 5
S
SIMATIC IPC DiagBase
Pre-configuration, 25
System configuration
Patches, 44
T
Target group, 5
Transferring
Licenses, 36