SIMATIC B.Data
Acquisition IPC
Operating Instructions

04/2014
A5E34850737-AA

1 Introduction
2 Product overview
3 Initial power-on
4 Security policy
5 Restoration and maintenance

Legal information

Warning notice system

This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol; notices referring only to property damage have no safety alert symbol. These notices shown below are graded according to the degree of danger.

DANGER indicates that death or severe personal injury will result if proper precautions are not taken.

WARNING indicates that death or severe personal injury may result if proper precautions are not taken.

CAUTION indicates that minor personal injury can result if proper precautions are not taken.

NOTICE indicates that property damage can result if proper precautions are not taken.

If more than one degree of danger is present, the warning notice representing the highest degree of danger will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property damage.

Qualified Personnel

The product/system described in this documentation may be operated only by personnel qualified for the specific task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified personnel are those who, based on their training and experience, are capable of identifying risks and avoiding potential hazards when working with these products/systems.

Proper use of Siemens products

Note the following:

WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation.
If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems. The permissible ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks

All names identified by (R) are registered trademarks of Siemens AG. The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.

Disclaimer of Liability

We have reviewed the contents of this publication to ensure consistency with the hardware and software described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this publication is reviewed regularly and any necessary corrections are included in subsequent editions.

Siemens AG
Industry Sector
Postfach 48 48
90026 NURNBERG
GERMANY

Order number: n/a
07/2014 Subject to change
Copyright (c) Siemens AG 2014. All rights reserved

Table of contents

1 Introduction .... 5
  1.1 Introduction .... 5
2 Product overview .... 7
  2.1 Basics .... 7
    2.1.1 Energy data management with B.Data .... 7
    2.1.2 Basics of Acquisition IPC .... 9
    2.1.3 Application areas of the Acquisition IPC .... 10
  2.2 Hardware configuration .... 12
  2.3 Software configuration .... 13
3 Initial power-on .... 15
  3.1 Overview .... 15
  3.2 Commissioning the Acquisition IPC .... 16
    3.2.1 Installing the Acquisition IPC .... 16
    3.2.2 Connecting peripherals .... 17
    3.2.3 Completing Windows Setup .... 18
    3.2.4 Configuring the network adapter .... 19
    3.2.5 Logging the Acquisition IPC onto the B.Data server .... 22
  3.3 Pre-configuration .... 25
    3.3.1 Pre-configuration of SIMATIC DiagBase .... 25
    3.3.2 Pre-configuration of SIMATIC NET .... 26
    3.3.3 Pre-configuration of Windows .... 27
    3.3.4 Pre-configuration of B.Data .... 28
      3.3.4.1 Basics .... 28
      3.3.4.2 Pre-configuration of the "S7" interface .... 30
      3.3.4.3 Pre-configuration of the "Modbus" interface .... 31
      3.3.4.4 Pre-configuration of the "OPC" interface .... 31
      3.3.4.5 Pre-configuration of the "OLE-DB" interface .... 33
      3.3.4.6 Pre-configuration of the "FTP" interface .... 33
      3.3.4.7 Pre-configuration of the "Simulation" interface .... 35
  3.4 Licensing .... 36
4 Security policy .... 37
  4.1 IT security disclaimer .... 37
  4.2 Measures for IT security .... 38
  4.3 System configuration .... 40
    4.3.1 Basics .... 40
    4.3.2 Windows Firewall .... 41
    4.3.3 Security settings .... 43
    4.3.4 Patches .... 44
    4.3.5 Enhanced Mitigation Experience Toolkit .... 46
    4.3.6 Network functionality .... 47
    4.3.7 User accounts .... 48
  4.4 Integrating the Acquisition IPC into the local security policy .... 49
    4.4.1 Overview .... 49
    4.4.2 Ensuring physical access protection .... 49
    4.4.3 Integrating the Acquisition IPC into existing IT infrastructure .... 50
    4.4.4 Implementing IT security measures against unauthorized access .... 54
5 Restoration and maintenance .... 55
  5.1 Backup and Restore .... 55
    5.1.1 Basics on backup and restore .... 55
    5.1.2 Siemens SIMATIC IPC Restore .... 57
    5.1.3 Restoring Acquisition IPC .... 58
      5.1.3.1 Restoring the Acquisition IPC .... 58
      5.1.3.2 Resetting the Acquisition IPC to the factory settings .... 59
      5.1.3.3 Restoring a "user generated" image .... 61
    5.1.4 Backing up the Acquisition IPC .... 62
      5.1.4.1 Creating a backup .... 62
      5.1.4.2 Creating recovery medium for Acquisition IPC .... 63
      5.1.4.3 Backing up configuration settings of the Acquisition IPC .... 64
    5.1.5 Managing language packs .... 65
  5.2 Repair and replacement of parts .... 66
  5.3 Backup battery .... 67
Index .... 69

1 Introduction

1.1 Introduction

Purpose of the documentation

This document describes the characteristics and the pre-installed system configuration of the Acquisition IPC.

Definitions and naming conventions

The following terms are used in this documentation:

- Acquisition IPC: This term refers to the IPC227D with pre-installed software as well as the system configuration.

Target group

This documentation is intended for engineers, administrators and service personnel.

Required knowledge

To understand this documentation, you need knowledge of the following topics:

- Windows operating system
- Network engineering
- Security of PCs and telecommunications devices

Location of the documentation

You can access the documentation using a link on the desktop or the Start menu under "Siemens Automation > Documentation > Manuals > [language]". The documentation can also be found on the documentation DVD.

Guide

This document consists of sections with instructions and a reference section.
This documentation covers the following topics:

- Introduction
- Product overview
- Initial power-on
- Security policy
- Restoration and maintenance

Position in the information landscape

You can find additional information in the following documents (documentation and a brief description of the relevant content):

- B.Data - Operation: This manual describes how to configure and operate B.Data. Available on the Internet (http://support.automation.siemens.com/WW/view/en/45522504/133300).
- B.Data - Installation: This manual describes how to install B.Data. Available on the Internet (http://support.automation.siemens.com/WW/view/en/45522504/133300).
- B.Data system description: This manual presents the benefits and usage scenarios of the energy data management system B.Data. Available on the Internet (http://support.automation.siemens.com/WW/view/en/45522504/133300).
- Industry PC SIMATIC IPC227D - Operating Instructions: This manual contains information on commissioning and using the SIMATIC IPC227D. Available on the Internet (http://support.automation.siemens.com/WW/view/en/48958203/133300).

2 Product overview

2.1 Basics

2.1.1 Energy data management with B.Data

Introduction

Energy efficiency is playing an increasingly important role in industry. Rising energy prices, increasing pressure to improve profitability and the growing awareness of climate protection are important factors for the introduction of an energy data management system. Lack of transparency in infrastructure processes, changing cost centers and heterogeneous system environments require an energy data management system with a comprehensive range of interfaces.

B.Data as an energy data management system

SIMATIC B.Data meets the current requirements for an energy data management system.
The system has a positive influence on consumer behavior, opens up new procurement options and thereby helps to save costs. With its precise automatic energy data acquisition and processing as well as its diverse analytical and projection capabilities, SIMATIC B.Data is the ideal tool for energy data management now and in the future.

Task of data acquisition in the energy data management system

Data acquisition plays a central role in energy data management. Essential requirements for data acquisition include, for example:

- Acquiring measurement data from a process, for example, a plant
- Processing the acquired measurement data and forming data records
- Transferring the data records to B.Data energy data management

The data required for successful energy data management often exist in different formats or systems:

- Analog and digital measuring instruments
- Data from other production sites
- Archived consumption data from the previous year

The value of data acquisition is therefore determined by the available interfaces.

Architecture of B.Data

B.Data is based on a client-server architecture that is easily integrated into your corporate infrastructure. Stand-alone solutions are possible as well as multi-user solutions at various locations. B.Data consists of four components that can be installed on one or more PCs depending on the existing infrastructure. The communication between the individual components is set up automatically during installation.

- SIMATIC B.Data acquisition component: Acquires and processes data such as measurement values.
- SIMATIC B.Data function server: Establishes communication between the B.Data acquisition component and the B.Data database server. Generates reports.
- SIMATIC B.Data database server: Stores the acquired measurement values and all calculated or generated data, such as reports.
- SIMATIC B.Data client: Configuration and operation of B.Data.
- SIMATIC B.Data web client: Operation of B.Data via a web browser, e.g. calling up generated reports or trends, but also entering measurement values or energy efficiency measures.

2.1.2 Basics of Acquisition IPC

Introduction

The Acquisition IPC is an industrial PC with the pre-installed acquisition component from B.Data that enables an easy introduction to energy data management with B.Data:

- Tested components that are suitable for continuous operation
- No maintenance required during operation
- SIMATIC NET for connecting components of an existing S7 infrastructure
- Direct connection to the field level without local configuration, for example via the Modbus driver

Acquisition IPC

The Acquisition IPC is designed as an interface between the process network and the company network / Internet. The Acquisition IPC meets all requirements of energy data acquisition with B.Data:

- Acquisition of data from different data sources
- Precalculation of measurement values to form data records
- Protected transmission of data records to the B.Data server
- Caching of data records in the event of connection loss to the B.Data server

Security policy

Because it sits at the sensitive interface between the process network and the company network, the Acquisition IPC is subject to increased security requirements in regard to data security and integrity. The Acquisition IPC must be included in the local security policy before it can be integrated into an existing IT infrastructure.

See also
Security policy (Page 37)

2.1.3 Application areas of the Acquisition IPC

Introduction

The Acquisition IPC supports data acquisition from the field and/or process level. The acquired data is forwarded to the B.Data server via the Intranet / Internet.
Data acquisition in the Intranet

The Acquisition IPC collects data from various plants. The acquired data is forwarded to the B.Data server and evaluated.

Data acquisition via the Internet

A separate Acquisition IPC is used for each company location, which securely sends the acquired data via the Internet to the B.Data server at the company headquarters.

2.2 Hardware configuration

Hardware configuration of the Acquisition IPC

The Acquisition IPC is available with the following hardware configuration:

- Processor: Atom E660
- RAM: 2 GB RAM
- Mass storage: SSD hard disk
- Software configuration: Windows Embedded Standard 7 SP1 32-bit
- Mounting types (included in product package):
  - Standard rail mounting
  - Wall mounting

Note
A 24 V power supply is required to operate the Acquisition IPC. Power supply recommendation: Siemens Sitop 5A 24V.

2.3 Software configuration

Software configuration of the Acquisition IPC

The following software is pre-installed on the Acquisition IPC:

- Windows Embedded Standard 7 SP1 - 32-bit
- SIMATIC B.Data Acquisition
- SIMATIC NET
- SIMATIC DiagBase
- Automation License Manager

3 Initial power-on

3.1 Overview

Introduction

Note
The Acquisition IPC should be integrated in the local security policy to ensure secure operation. Contact your IT security manager before commissioning the system.

Note
Data acquisition is only possible with an accessible B.Data server.
Commissioning the Acquisition IPC

The following steps are required for initial commissioning of the Acquisition IPC:

- Installing the Acquisition IPC
- Connecting peripherals
- Completing Windows Setup
- Configuring the network adapter
- Logging the Acquisition IPC onto the B.Data server

See also
Security policy (Page 37)
Commissioning the Acquisition IPC (Page 16)
Pre-configuration (Page 25)

3.2 Commissioning the Acquisition IPC

3.2.1 Installing the Acquisition IPC

Introduction

You can find more detailed information on installing the Acquisition IPC in the operating instructions of the IPC 227D.

Requirement

- A suitable 24 V voltage supply is available.
- A PE conductor is available.
- Tools for installation are available.

Procedure

1. Install the Acquisition IPC in a lockable cabinet, for example, a low-voltage distribution cabinet.
   Note: You can also install the Acquisition IPC in the cabinet after initial commissioning.
2. Connect the PE conductor.
3. Connect the power supply.

Result

The Acquisition IPC is installed.

3.2.2 Connecting peripherals

Introduction

You can find more detailed information on connecting peripherals to the Acquisition IPC in the operating manual of the IPC 227D.

Requirement

- The 24 V voltage supply is connected.
- The PE conductor is connected.
- The following peripheral devices are available:
  - Cable USB keyboard
  - Cable USB mouse
  - Monitor with DVI-D connector

Procedure

1. Connect the above-mentioned peripherals to the Acquisition IPC.
2. Switch on the Acquisition IPC.
   The Acquisition IPC performs a self-test. After a successful self-test, "Windows Boot Manager" is displayed.
3. Select the option "Windows Embedded Standard 7".
   The operating system starts and installs the software packages necessary for commissioning. The Acquisition IPC restarts following the installation. The "Windows Boot Manager" is displayed.
4. Select the option "Windows Embedded Standard 7".

Result

The setup wizard for Windows is launched for initial configuration of the system.

Alternative procedure

Alternatively, you can use a "custom" image to set up the Acquisition IPC. To do this, select the "Siemens SIMATIC IPC Restore" option in the "Windows Boot Manager" following the self-test. The "Completing Windows Setup (Page 18)" step is skipped. Continue with the "Configuring the network adapter (Page 19)" step.

3.2.3 Completing Windows Setup

Requirement

- The setup wizard for Windows has been launched for initial configuration of the system.
- A network cable is not connected.

Procedure

1. If an additional language pack is installed on the Acquisition IPC, you will be prompted to select a language. Otherwise, "English (U.S.)" is selected.
2. Enter a user name and optionally the computer name.
   The user is assigned administrator rights and has full access to the Acquisition IPC. The computer name is usually composed of the entered user name and the suffix "-ACQ".
3. Enter the password for the user. The following rules apply to the password:
   - At least 12 characters
   - The user name may not be included
   - Three of the following criteria must be fulfilled: uppercase letters, lowercase letters, numbers, special characters
4. Accept the licensing conditions.
5. Select the time zone and time of day.
   The initial configuration of the system is completed.
6. Read and accept the disclaimer on IT security.
   The disclaimer is displayed each time you start the operating system.

Result

The initial configuration of the system is completed. The Windows Desktop is displayed.

The local time is used as the time stamp by B.Data drivers that do not support time stamping of the data source.
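Added example (not part of the Siemens manual): a small Python check that applies the three password rules from step 3 of the procedure above, so an administrator can pre-validate a password before entering it in the setup wizard. Applying the user-name rule case-insensitively is an assumption; the sample user names and passwords are constructed.

```python
"""Added example: check a candidate password against the rules the Acquisition
IPC's Windows Setup wizard enforces (section 3.2.3): at least 12 characters,
the user name must not be contained in the password, and at least three of
the four character classes (uppercase, lowercase, digits, special characters)
must be present. Assumption: the user-name rule is applied case-insensitively."""

MIN_LENGTH = 12
MIN_CLASSES = 3


def character_classes(password: str) -> set:
    """Return the names of the character classes that occur in the password."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("uppercase")
        elif ch.islower():
            classes.add("lowercase")
        elif ch.isdigit():
            classes.add("digit")
        else:
            # Everything that is neither a letter nor a digit counts as special.
            classes.add("special")
    return classes


def check_password(password: str, user_name: str) -> list:
    """Return the list of violated rules; an empty list means the password is accepted."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    # Assumption: the wizard's "user name may not be included" rule ignores case.
    if user_name and user_name.lower() in password.lower():
        violations.append("contains the user name")
    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        violations.append(
            f"only {len(classes)} of 4 character classes used ({MIN_CLASSES} required)"
        )
    return violations


if __name__ == "__main__":
    # Constructed sample values, not credentials from the manual.
    for user, candidate in [("acqadmin", "Acq-Ipc-2014-Zx"),
                            ("acqadmin", "acqadmin2014!!"),
                            ("acqadmin", "abcdefghijklmnop")]:
        result = check_password(candidate, user)
        print(f"{candidate!r}: {'accepted' if not result else ', '.join(result)}")
```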
See also
Resetting the Acquisition IPC to the factory settings (Page 59)
Implementing IT security measures against unauthorized access (Page 54)

3.2.4 Configuring the network adapter

Introduction

The Acquisition IPC has two interfaces that are represented by two network connections after completing the Windows setup:

- Represents the physical interface "X2P1": Use this interface to connect the Acquisition IPC to the process network. This interface is configured for data acquisition in SIMATIC NET.
- Represents the physical interface "X1P1": Use this interface to connect the Acquisition IPC to the Intranet / Internet in order to connect to the B.Data server.

Requirement

- The Windows Desktop is displayed after completion of the Windows setup.
- A network cable for connecting to the process network is available.
- A network cable for connecting to the Intranet is available.
- The network cables are uniquely marked to avoid confusion, for example, by different colors.
- IP configuration data for both network connections are available.

Procedure

1. Open "Network Connections" in the Control Panel.
2. Assign descriptive names to clearly distinguish the two network connections:
   - Local Area Connection: For example "Process Connection"
   - Local Area Connection 2: For example "Intranet"
3. Configure the IP addresses for both network connections. Static and dynamic IP addresses are supported. IPv6 is disabled and not supported.
   Note: Remote desktop connection from the process network
   If you want to access the Acquisition IPC from the process network via a Remote Desktop connection, additionally specify the IP address of an accessible node in this network as the "Default Gateway" for this network connection.
4. Connect the Acquisition IPC to the process network:
   - Insert the network cable into the "X2P1" port to connect to the process network.
   - Select "Work network" as the network profile.
5. Connect the Acquisition IPC to the Intranet:
   - Insert the network cable into the "X1P1" port to connect to the Intranet / Internet.
   - Select "Public network" as the network profile.
6. Give both networks descriptive names:
   - Open "Network and Sharing Center" in the Control Panel.
   - Click the icon to the left of the network profile.
   - Enter the name.
7. Finally, clearly mark the two "X1P1" and "X2P1" ports on the Acquisition IPC, for example, using colored labels.

Result

The network adapters are configured.

See also
Security policy (Page 37)
Windows Firewall (Page 41)

3.2.5 Logging the Acquisition IPC onto the B.Data server

Overview

In the B.Data acquisition configuration, you establish the logical connection between the acquisition component and the B.Data server. The B.Data acquisition component is installed together with the "B.Data Acquisition" software component.

You need the following data to log the acquisition component onto the B.Data server:

- Address and port of the B.Data server
- B.Data user name and password
- Name of the "Hardware" object in B.Data

You can use the wizard for entering the data if the B.Data server can be reached in the network. Otherwise, enter the data directly. The acquisition component is logged on as soon as the specified B.Data server can be reached.

The figure below shows the layout of the B.Data acquisition configuration after logon:

[Figure: B.Data acquisition configuration after logon]
- Navigation area
- Display and configuration area. The content depends on the selection in the navigation area.
Requirement

- The "B.Data Acquisition" software component is installed on the PC.
- Microsoft Internet Information Services (IIS) is installed on the PC.
- The PC is connected to the B.Data server (optional).
- The "Hardware" object is set up on the B.Data server.
- A user with the "Configure acquisition" authorization is set up on the B.Data server.

Procedure

1. Double-click the "B.Data Acquisition Configuration" icon on the Windows Desktop.
   Internet Explorer starts. The welcome page of the "B.Data Acquisition Configuration" is displayed.
2. Log on using the Windows user data of the acquisition component.
   The "Status" page of the B.Data acquisition configuration is displayed. If the acquisition component is not yet logged on to the B.Data server, the "Configure the acquisition" dialog is displayed.
3. Select the required option in the "Configure the acquisition" dialog:
   - Starting the connection wizard
   - Configuring the connection manually
4. Enter the following connection data:
   - Address and port of the B.Data server
   - B.Data user name and password
   - Name of the "Hardware" object in B.Data
   Note (only with manual configuration): If you are using the name of a "Hardware" object that is already connected to another acquisition component, the existing connection is replaced.

Result

If you have used the wizard, the "Acquisition ID" is generated and entered for the connection between the acquisition component and the B.Data server. Otherwise, an attempt is made to establish the connection with the specified data every time the acquisition component starts; the acquisition ID is generated and entered as soon as the B.Data server can be reached.

The readiness of the acquisition configuration depends on the configured start delay time of the acquisition service.

The figure below shows a correctly configured connection to the B.Data server:

[Figure: correctly configured connection to the B.Data server]

3.3 Pre-configuration

3.3.1 Pre-configuration of SIMATIC DiagBase

Introduction

The "SIMATIC IPC DiagBase" software provides functions for viewing, monitoring and controlling the Acquisition IPC:

- Monitoring of the temperature
- Monitoring of the battery voltage
- Monitoring of drives with S.M.A.R.T. functionality
- Watchdog
- Operating hours counter
- Management of the BIOS
- Configuration of the display elements of the Acquisition IPC

You can find more detailed information on "SIMATIC IPC DiagBase" in the operating instructions for the IPC227D.

Pre-configuration

In the Acquisition IPC's factory state, the "Watchdog" functionality is configured as follows:

- An automatic hardware reset is performed in the event of a system shutdown.
- After the system reboots, data acquisition continues automatically.

Note
Since the data acquisition for B.Data runs as Windows services, no logon to the system is necessary.

3.3.2 Pre-configuration of SIMATIC NET

Introduction

SIMATIC NET is a communication solution for various Siemens products and protocols in industrial environments. SIMATIC NET enables consistent communication between different automation components and devices. SIMATIC NET provides the ideal interface to integrate or connect the Acquisition IPC in the local automation world.

Pre-configuration

In the Acquisition IPC's factory state, SIMATIC NET is configured as follows:

- The "S7" protocol is enabled.
- The "SIMATIC NET SOFTNET-IE S7 LEAN" license is installed.
- All other protocols are disabled.
- The "PROFINET I/O" adapter is disabled.
Note
If you need the disabled protocols or adapters for data acquisition, you can enable them again using the "Siemens Communication Settings" application. Additional licenses may be required to use other protocols or adapters.

"SIMATIC NET SOFTNET-IE S7 LEAN" license
The "SIMATIC NET SOFTNET-IE S7 LEAN" license entitles you to set up a total of eight connections to the following data sources:
- S7 controllers with absolute addressing of the memory areas
- Other S7 stations via the integrated OPC server

See also
Licensing (Page 36)

3.3.3 Pre-configuration of Windows

Introduction
The Acquisition IPC is designed and optimized as an acquisition component for continuous operation. Since the data is acquired from the process via Windows services, it is not necessary for a user to log on to the Acquisition IPC.

Note
Installing additional software can impair the functionality of the Acquisition IPC for its intended use.

Pre-configuration
In the factory state:
- The energy options are set to "Continuous operation" and "Maximum performance".
- All functions not relevant to data acquisition are disabled.
- Services running in the background are preferred.
- Properties such as memory paging or indexing are disabled for the SSD hard drive.
- System events are primarily recorded only for the functions of the data acquisition.

Notes on use
- Create a recovery medium.
- Remote access to the Acquisition IPC: Access from another PC via Remote Desktop is only allowed from the process network. This PC must additionally meet the higher security requirements of the Remote Desktop Protocol. The user created within Windows Setup has the right for remote access by default. If necessary, create an additional user with restricted rights and assign this user the right for remote access.
See also
Backing up the Acquisition IPC (Page 62)

3.3.4 Pre-configuration of B.Data

3.3.4.1 Basics

Introduction
The Acquisition IPC supports the following interfaces for data acquisition:
- "S7" interface: You use the "S7" interface to retrieve data from an S7 controller with the help of SIMATIC NET. You address the memory areas of the S7 controller absolutely.
- "Modbus" interface: You use the "Modbus" interface to retrieve data from measuring devices with Modbus support and an Ethernet interface, for example, SENTRON PAC measuring devices. The "Modbus" interface supports the following modes:
  - Modbus TCP
  - Modbus RTU over TCP
- "OPC" interface: You use the "OPC" interface to retrieve the data provided by an OPC server. The "OPC" interface supports the "OPC-DA" specification.
- "OLE-DB" interface: The "OLE DB" interface allows access to Excel tables as well as complex databases such as SQL Server or Oracle.
- "FTP, sFTP" interface: You use the "FTP, sFTP" interface to read data from ASCII files. The structure of the content is determined by the parser, which at the same time represents the link between the file and the interface. These ASCII files can be located in a local directory or on an FTP server. If the FTP server supports "sFTP", the files are transferred over a secure connection.
- "Simulation" interface: You use the "Simulation" interface to simulate data acquisition. You can monitor the accessibility of the Acquisition IPC via this interface, for example.

Note
For some interfaces, additional rules in the Windows Firewall are pre-defined, but not active. You can activate these rules if needed.
Pre-configuration
The following sections describe the pre-configuration of the individual interfaces on the Acquisition IPC:
- Configuration in the factory state
- Notes on use
- Measures for commissioning

Configuration of the data acquisition
Use the "Acquisition Wizard" in B.Data to configure data acquisition. The acquisition wizard assists you in entering the necessary information in each case and is used to create data points with suitable parameters. Once you have run the acquisition wizard, the respective acquisition structure is completely laid out and data can be acquired. You can find more detailed information on this topic in the operating instructions for B.Data.

3.3.4.2 Pre-configuration of the "S7" interface

Configuration in the factory state
- The physical interface "X2P1" is set as the interface for the "KERNEL (B.Data)" software access point. Its name in Windows is "Intel(R) 82574L Gigabit Network".
- Additional firewall rules: Yes (incoming)
  - "Public" network profile: Prepared, but not enabled.
  - "Home" / "Work" network profile: Enabled

Notes on use
- Using the preset connection, data can be acquired from all nodes in the network that support the "S7" protocol.
- The local time is used for time stamping of data records.

Measures for commissioning
- Check the system time and configure time synchronization, if needed.
- If you need more than eight connections to S7 controllers, procure an additional "SIMATIC NET SOFTNET-IE S7" license.
- If you want to use another physical interface instead of the preset physical interface "X2P1", change the configuration of "PG/PC Interface" in the Control Panel using the "Set PG/PC Interface" configuration software.
3.3.4.3 Pre-configuration of the "Modbus" interface

Configuration in the factory state
- Additional firewall rules: Yes (outgoing)
  - "Public" network profile: Prepared, but not enabled.
  - "Home" / "Work" network profile: Enabled

Notes on use
- Data can be acquired from all nodes in the network that support the Modbus protocols "Modbus TCP" or "Modbus RTU over TCP".
- The local time is used for time stamping of data records.

Measures for commissioning
- Check the system time and configure time synchronization, if needed.

3.3.4.4 Pre-configuration of the "OPC" interface

Configuration in the factory state
- A local OPC server is pre-installed by the SIMATIC NET installation.
- Additional firewall rules: Yes (incoming)
  - "Public" network profile: Prepared, but not enabled.
  - "Home" / "Work" network profile: Enabled

Notes on use
- You configure the connections to other network nodes from the Siemens product range via the local OPC server.

Note
To configure connections to network nodes from other manufacturers, either install an additional OPC server or an "OPC TCP tunneling" product. The DCOM technology for establishing a connection between the OPC client of B.Data and an external OPC server in the network is not supported for security reasons.

- The local time is used for time stamping of data records.

Measures for commissioning
- To configure the "OPC" interface in B.Data via the Acquisition Wizard, you first configure the connections to the nodes in the network. Use COML-S7. You can find more detailed information in the documentation for SIMATIC NET.
- Integrate the Acquisition IPC as a station in a STEP 7 project. You can find a configuration example for STEP 7 Professional V12 in the documentation directory of the Acquisition IPC.
  This configuration example contains a network topology with an Acquisition IPC and several CPUs, including the types S7-300 and S7-1200. The data blocks of the CPU are accessed symbolically. You have two options for using this example configuration for the Acquisition IPC:
  - You can configure the hardware configuration and adapt the station name on the Acquisition IPC in the "Station Configuration" editor. You can then load the project into the Acquisition IPC using the "Devices & Networks" editor in the TIA Portal.
  - Alternatively, you can configure the hardware and create a file of type *.xdb for the Acquisition IPC in the TIA Portal. You can then import this file in the "Station Configuration" editor on the Acquisition IPC.
  You can find more detailed information about this topic in the documentation for SIMATIC NET and in the information system of the TIA Portal.

3.3.4.5 Pre-configuration of the "OLE-DB" interface

Configuration in the factory state
- The following standard OLE DB providers are installed, among others:
  - Microsoft OLE DB Provider for Oracle
  - Microsoft OLE DB Provider for SQL Server
  - Microsoft OLE DB Simple Provider
- Additional firewall rules: No

Notes on use
- Data can be accessed from all databases in the network that are supported by the OLE DB providers mentioned above.
- A connection to the data source holding the data to be queried is required for the configuration of the "OLE DB" interface in B.Data.

Measures for commissioning
- If needed, install additional OLE DB providers depending on the data source to be used.

3.3.4.6 Pre-configuration of the "FTP" interface

Configuration in the factory state
- A local FTP server is configured on the Acquisition IPC. "C:\BData\GUI\FTP" is configured as the directory for the FTP server. Access authorization is given to all Windows users that belong to the "SIMATIC FILE ACCESS" group.
  You can access this FTP directory as follows:
  - Through "File and Printer Sharing for Microsoft Networks" under the share name "SIMATIC_BDATA_FTP".
  - Through the default FTP access, for example, "ftp://localhost".
- The "FTP_Import_Task" task is configured in the Windows Task Scheduler to transfer ASCII files from the FTP directory to the B.Data acquisition component. This task is started automatically with the B.Data function "HotFolder".
- The "FTP_DeleteOldFiles" task deletes the ASCII files in the "D:\BData\mcl\..." directory every three months. The "D:\BData\mcl\..." directory contains the already imported files, which are kept for control purposes.
- Additional firewall rules: Yes (incoming/outgoing)
  - "Public" network profile: Prepared, but not enabled.
  - "Home" / "Work" network profile: Enabled

Notes on use
The following figure shows the process of data acquisition from two FTP servers. (Figure legend:)
- Data storage from an external PC via Windows File Sharing in the FTP directory. The evaluation of the content starts as soon as new ASCII files are stored in the FTP directory. The ASCII files must be available in specific formats that are defined by the parser.
- Data acquisition from the local FTP server
- Data acquisition from an external FTP server. If the external FTP server supports "sFTP", you can also configure a "secure connection" using the "Acquisition Wizard".
After a successful data transfer, the ASCII files are moved to the "D:\BData\mcl\..." directory. The contents of the directory are deleted every three months by the "FTP_DeleteOldFiles" task.

Measures for commissioning
- Create a Windows user with limited rights to enable the user to store data in the local FTP directory. Assign this user to the "SIMATIC FILE ACCESS" user group.
- Adapt the "FTP_Import_Task" task in the Windows Task Scheduler.
Note
If you configure the "FTP_Import_Task" task in the B.Data client, the pre-configured task on the Acquisition IPC is overwritten.

- Change the Windows task "FTP_DeleteOldFiles" depending on the use, if necessary.

3.3.4.7 Pre-configuration of the "Simulation" interface

Configuration in the factory state
None.

Notes on use
- The "Simulation" interface generates data without a real data source.
- The local time is used for time stamping of data records.

Measures for commissioning
None.

3.4 Licensing

Introduction
The "Automation License Manager (ALM)" is pre-installed on the Acquisition IPC for the management of licenses. The license required for the use of SIMATIC NET is already installed. The licenses required for data acquisition are installed on the B.Data server.

Note
Notes on security
Read the following information about handling the "Automation License Manager":
- The transfer of licenses from the intranet / Internet is disabled for security reasons. Transfer licenses exclusively via USB storage media. Adhere to the guidelines for the secure handling of USB storage media.
- Always keep the installation of the "Automation License Manager" current by performing updates.

Installing additional licenses
Additional licenses can be made available on a USB storage medium.
1. Start the "Automation License Manager" on the Acquisition IPC with "Start > All Programs > Siemens Automation > Automation License Manager".
2. Connect the USB storage device.
3. Transfer the license.

See also
Pre-configuration of SIMATIC NET (Page 26)

4 Security policy

4.1 IT security disclaimer

Note
Siemens provides automation and drive products with industrial security functions that support the secure operation of plants or machines.
They are an important component in a holistic industrial security policy. With this in mind, our products undergo continuous development. We therefore recommend that you keep yourself informed about new features and updates for our products. You can find information and a newsletter on the Internet (http://support.automation.siemens.com).

Note
To ensure the secure operation of a plant or machine, it is also necessary to take suitable preventive action (e.g. cell protection concept) and to integrate the automation and drive components into a state-of-the-art, holistic industrial security policy for the entire plant or machine. Third-party products that may be in use should also be taken into consideration. You can find additional information on the Internet (http://www.siemens.com/industrialsecurity).

Note
Defense in depth
Read the information on "Industrial Security" on the Internet (http://www.industry.siemens.com/topics/global/en/industrialsecurity/concept/Pages/defense-in-depth.aspx).

Note
Security Guidelines for PC-based Automation Systems
Read the information and recommendations in "Security Guidelines for PC-based Automation systems" on the Internet (http://support.automation.siemens.com/WW/llisapi.dll?aktprim=4&lang=en&referer=%2fWW%2f&func=cslib.csinfo&siteid=cseus&switchLang;55390879;1.x=34&switchLang;55390879;1.y=4&groupid=4000003&extranet=standard&viewreg=WW&nodeid4=20229695&objaction=csopen).

4.2 Measures for IT security

Introduction
To be used as intended, the Acquisition IPC requires communication between networks with different security levels. In extreme cases, the Acquisition IPC records consumption data from a closed, unsecured process network and transmits the consumption data to a B.Data server via the Internet. Reducing the present threats is part of a package of measures that extends over the whole life cycle of the Acquisition IPC.
Typical threats are, for example:
- Infection with malware
- Manipulation of data
- Denial of service attacks
- Unauthorized use

Since technology will evolve over the life cycle of the Acquisition IPC and new risks may arise, the following applies: The package of measures for IT security included ex works is the best compromise between functionality and security. Nevertheless, the measures taken for IT security only serve as a very good starting point, which the user must adapt, expand, and check on a regular basis.

Note
Delineation of responsibility
IT security is the responsibility of the user, because the security measures taken can only represent a starting point. Siemens AG recommends that you immediately install all available updates in the categories "Security Update" and "Important Update". The installation of additional software is permitted, but is the responsibility of the user.

Note
Installing updates or additional software can compromise the functionality of the system. Install updates and additional software only after testing them in the project's test environment.

Intended use
The intended use of the Acquisition IPC is to record consumption data and transfer the data to a B.Data server. The Acquisition IPC is equipped in performance and security exactly for this purpose. Its (additional) use as an office or engineering PC is not permitted.

IT security measures for the Acquisition IPC
The security of the Acquisition IPC within the context of its intended use is mainly achieved by limiting functionality. The "System configuration" section describes which measures have been taken for system hardening. The "Integrating the Acquisition IPC into the local security policy" section provides recommendations for additional security measures.
See also
System configuration (Page 40)
Integrating the Acquisition IPC into the local security policy (Page 49)

4.3 System configuration

4.3.1 Basics

Introduction
The security-related system configuration ex factory is designed for the highest level of security that is possible within the scope of the intended use. This security is essentially achieved by functional limitations of the operating system.

System configuration
The following provides an overview of the security-relevant system configuration of the Acquisition IPC after the initial commissioning:
- Windows Firewall: The existing "Public" and "Work" / "Home" network profiles in Windows have been adapted.
- Patches: In the factory state, the Acquisition IPC contains the most current patches available at the conclusion of development for the operating system and the installed additional software.
- Enhanced Mitigation Experience Toolkit: A utility program is installed that is designed to prevent the exploitation of security vulnerabilities in installed software products.
- Security settings: Supported services have been kept to a minimum and adapted to the configuration of the operating system.
- Network functionality: Unnecessary protocols and functionalities are disabled.
- User accounts: For security reasons, a user account is created only during commissioning.

4.3.2 Windows Firewall

Introduction
The Windows Firewall is enabled by default on the Acquisition IPC and plays a central role in its security policy. The Acquisition IPC features two network interfaces, each of which is assigned a network profile, and thus a security level, during the initial commissioning. The effectiveness of the Windows Firewall is determined by the selected network profile.
If you are connecting to a network in Windows for the first time, you are prompted to select the network profile. If you have a separate firewall, you need the following rule for the communication between the Acquisition IPC and the B.Data server:
- 1 outbound IPv4 connection with the B.Data port (default: 4444)

"Public" network profile
The "Public" network profile is intended solely for the communication of the Acquisition IPC with the B.Data server:
- All inbound connections are blocked.
- Only the few outbound connections required for communication with the B.Data server are enabled.
- All firewall rules are configured through Group Policy.

"Work" and "Home" network profiles
The "Work" and "Home" network profiles are configured identically. These network profiles are solely intended for the communication with the process network:
- All outbound connections are enabled.
- The following services and functions are allowed for inbound connections:
  - Access to the core network functionality
  - B.Data communication
  - File and printer sharing
  - Network discovery
  - File transfer via FTP
  - Internet access (only from the local subnet)
  - Remote Desktop (only from the local subnet)

Note
Firewall rules with "disabled" status can be set to "enabled" by a user with administrator privileges, for example, to extend functions.

System configuration in the factory state
The "Public" and "Work" / "Home" network profiles are configured ex factory as described above. During initial commissioning, you must assign a network profile to the connection to the process network and to the connection to the company network.

Note
Automatic network discovery prevents changing the network profile
If the associated network connection is not assigned a gateway, Windows cannot identify the network. Remedy: In the network properties of the connection, under "Default Gateway", enter the IP address of any permanently available network node.
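The following script is an added example (not from the Siemens manual) that audits the "Public" profile of the Windows Firewall against the configuration described above and, with -Apply, adds the single outbound rule for the B.Data port locally. It assumes the B.Data connection is TCP, uses a placeholder server address, and relies on netsh advfirewall because that tool is present on every Windows version the IPC may run.

```powershell
# Added example, not part of the Siemens manual. Audits the Windows Firewall
# "Public" profile of an Acquisition IPC: the firewall must be ON, inbound
# connections blocked, and one outbound rule for the B.Data port must exist.
# Assumptions (not stated in the manual): B.Data uses TCP; the server
# address below is a placeholder. Run from an elevated PowerShell prompt.

param(
    [string]$BDataServer = '192.0.2.10',   # placeholder address, replace it
    [int]$BDataPort = 4444,                # B.Data default port from the manual
    [switch]$Apply                         # without -Apply the script only audits
)

# Rule name without spaces so it passes unchanged from PowerShell to netsh.
$RuleName = 'BData_Server_Out'

function Get-PublicProfileState {
    # "netsh advfirewall show publicprofile" prints lines such as
    # "State  ON" and "Firewall Policy  BlockInbound,AllowOutbound".
    $text = (netsh advfirewall show publicprofile) -join "`n"
    $state  = if ($text -match '(?m)^State\s+(\w+)')           { $Matches[1] } else { 'unknown' }
    $policy = if ($text -match '(?m)^Firewall Policy\s+(\S+)') { $Matches[1] } else { 'unknown' }
    New-Object PSObject -Property @{ State = $state; Policy = $policy }
}

function Test-BDataRule {
    # $true when a rule with our name exists; netsh replies
    # "No rules match the specified criteria." when it does not.
    $text = (netsh advfirewall firewall show rule name=$RuleName) -join "`n"
    return ($text -notmatch 'No rules match')
}

function Add-BDataRule {
    # One outbound allow rule, bound to the "Public" profile only.
    netsh advfirewall firewall add rule name=$RuleName dir=out action=allow `
        protocol=TCP remoteip=$BDataServer remoteport=$BDataPort profile=public enable=yes | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh could not add rule $RuleName" }
}

$pub = Get-PublicProfileState
$findings = @()

if ($pub.State -ne 'ON') {
    $findings += "Public profile firewall state is '$($pub.State)'; the manual expects it enabled."
}
# Inbound must be blocked; outbound stays allowed so the B.Data connection can be made.
if ($pub.Policy -notmatch '^BlockInbound') {
    $findings += "Public profile policy is '$($pub.Policy)'; expected BlockInbound,AllowOutbound."
}
if (-not (Test-BDataRule)) {
    if ($Apply) {
        Add-BDataRule
        Write-Output "Added outbound rule $RuleName for TCP $BDataServer`:$BDataPort (Public profile)."
    } else {
        $findings += "No outbound rule named $RuleName for port $BDataPort; rerun with -Apply to add it."
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'Public profile matches the documented configuration.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

On the Acquisition IPC itself the Public-profile rules come from Group Policy, so the audit part is the useful one there; the -Apply step is for a standalone test PC where no policy is deployed.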
In its factory state, the Acquisition IPC cannot be reached via the "ping" network function. If needed, enable the following firewall rules of the "Public" network profile:
- "Network Discovery (LLMNR-UDP-In)"
- "File and Printer Sharing (Echo Request - ICMPv4)"

Recommendation for runtime
- Following commissioning, clearly mark the network ports on the Acquisition IPC, for example, using colored labels. Use network cables with corresponding colors.
- Assign descriptive names to the network and the network connections in the operating system, for example, "Process network".

See also
Integrating the Acquisition IPC into existing IT infrastructure (Page 50)
Configuring the network adapter (Page 19)

4.3.3 Security settings

System configuration in the factory state
Around 500 security-related settings have been adapted in the operating system. Background services are kept to a minimum or run with restricted rights.

The following guidelines apply to the logon password in Windows:
- At least 12 characters
- Three of the following character types must be included:
  - Upper-case letters
  - Lower-case letters
  - Numbers
  - Special characters
- No user name or logon name can be included.

Note
A user account that has been locked due to repeated incorrect entry of the password is released again after 15 minutes.

Recommendation for runtime
NOTICE
Change the password at regular intervals
In order to avoid restricting runtime operation, the validity of the password should not expire automatically. Change the password regularly to ensure access security.

4.3.4 Patches

Introduction
Patches fix vulnerabilities or errors in the software or add functions that were previously not available.
System configuration in the factory state
In the factory state, the Acquisition IPC contains the most current patches available at the conclusion of development for the operating system and the installed additional software. The functionality of the Acquisition IPC in accordance with the intended use is ensured by system tests performed by Siemens AG.

NOTICE
There may be unresolved vulnerabilities during initial commissioning
Usually, between the end of development and the delivery of the Acquisition IPC, there is a period spanning several patch cycles. If available, install the latest patches for the operating system and additional software in a secure environment.

Recommendation for runtime
Keep the Acquisition IPC up to date after commissioning by installing patches at regular intervals:
- Operating system: If possible, use "Windows Update" to install security-related patches. Siemens AG recommends that you keep the patches current for the following Microsoft categories:
  - Security Update
  - Hotfix
  - Service Pack
- Additional software: Install patches at regular intervals if possible. In particular, check the availability of patches for the following additional software, for example:
  - Adobe Acrobat Reader
  - Microsoft .NET Framework
  - Microsoft XML Parser
  - B.Data
  - SIMATIC NET

NOTICE
Installation of the latest patches can impair the function of the Acquisition IPC
Security updates in particular can impair or change the network functionality. After installing patches, check whether data acquisition is working correctly. Alternatively, you can test the effect on the functionality using a test system. This procedure is recommended if you are using multiple Acquisition IPCs.
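As an added example (not part of the Siemens manual), the following script performs the post-patch check the NOTICE above asks for: it verifies that the acquisition service is running, that an established connection to the B.Data port exists, and it lists recent entries from the "Enhanced Mitigation Experience Toolkit" in the Application log (see the following section). The service name is a placeholder, the B.Data connection is assumed to be TCP, and EMET is assumed to log with source "EMET".

```powershell
# Added example, not part of the Siemens manual: health check to run on the
# Acquisition IPC after installing patches.
# Assumptions: $ServiceName is a placeholder (look up the real name with
# Get-Service on the IPC); B.Data uses TCP on port 4444 (the manual's default);
# EMET writes its mitigation events to the Application log with source "EMET".

param(
    [string]$ServiceName = 'BDataAcquisition',   # placeholder, not a name from the manual
    [int]$BDataPort = 4444,                       # default B.Data port from the manual
    [int]$LookBackHours = 24                      # how far back to look for EMET events
)

function Test-AcquisitionService {
    # $true only when the service exists and is in state "Running".
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    return ($svc -ne $null -and $svc.Status -eq 'Running')
}

function Get-BDataConnections {
    # Parses "netstat -n" (available on every Windows version) for ESTABLISHED
    # TCP connections whose remote port is the B.Data port; returns the remote
    # addresses so the output can be compared with the configured server.
    param([int]$Port)
    $pattern = '^\s*TCP\s+(\S+)\s+(\S+):' + $Port + '\s+ESTABLISHED'
    $remotes = @()
    foreach ($line in (netstat -n)) {
        if ($line -match $pattern) { $remotes += $Matches[2] }
    }
    return $remotes
}

function Get-EmetEvents {
    # EMET records a blocked exploitation attempt (and the application it
    # closed) in the Application log; absence of the provider yields no events.
    param([int]$Hours)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'EMET'; StartTime = $since } `
        -ErrorAction SilentlyContinue
}

$healthy = $true

if (Test-AcquisitionService -Name $ServiceName) {
    Write-Output "Service '$ServiceName' is running."
} else {
    Write-Warning "Service '$ServiceName' is not running (or the placeholder name is wrong)."
    $healthy = $false
}

$conns = @(Get-BDataConnections -Port $BDataPort)
if ($conns.Count -gt 0) {
    Write-Output "Established connection(s) to B.Data port $BDataPort at: $($conns -join ', ')"
} else {
    Write-Warning "No established connection to port $BDataPort; check the firewall profile and server reachability."
    $healthy = $false
}

$events = @(Get-EmetEvents -Hours $LookBackHours)
if ($events.Count -gt 0) {
    # Not necessarily a failure, but each entry means EMET terminated a program.
    Write-Warning "$($events.Count) EMET event(s) in the last $LookBackHours h; review them before trusting this patch level."
    $events | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
} else {
    Write-Output "No EMET events in the last $LookBackHours h."
}

if (-not $healthy) { exit 1 }
```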
4.3.5 Enhanced Mitigation Experience Toolkit

Introduction
Microsoft's "Enhanced Mitigation Experience Toolkit" is a utility program that is designed to prevent the exploitation of security vulnerabilities in installed software products. You can find additional information on this topic on the Internet under the keyword "Enhanced Mitigation Experience Toolkit". You can find the documentation in the Acquisition IPC Start menu under "Start > All Programs > Enhanced Mitigation Experience Toolkit > EMET > User Guide".

System configuration in the delivery state
The following software is protected by default on the Acquisition IPC:
- Internet Explorer
- B.Data
- Software that is included in Microsoft's standard list (approx. 60 products from various manufacturers)
If the "Enhanced Mitigation Experience Toolkit" detects a potential unauthorized access, the corresponding software is closed. Such an event is entered in the Windows "Event Viewer".

Recommendation for runtime
Especially if problems occur after installing additional software, you can define exceptions or a different reaction in the "Enhanced Mitigation Experience Toolkit".

4.3.6 Network functionality

Introduction
Any network activity poses a security risk. Therefore, the network functionality of the Acquisition IPC is limited to the necessary minimum.
System configuration in the delivery state

Protocol / service / component             Status
Operating system                           -
  IPv4 protocol                            Supported
  IPv6 protocol                            Disabled
  IPv6 components                          Disabled
Automation License Manager
  Transfer of licenses over the network    Disabled
SIMATIC NET                                -
  OPC protocols not needed by B.Data       Disabled
  SIMATIC Shell                            Disabled
  Modules for PROFINET I/O and LLDP/DCP    Disabled
  S7 protocol                              Enabled

Recommendation for runtime
If you share a folder for network access, restrict the share to the respective folder. Reduce access rights to the necessary minimum.

4.3.7 User accounts

Introduction
No user account is preconfigured in the factory state of the Acquisition IPC. For security reasons, you set up the user account only during the initial commissioning. Set up additional user accounts, if possible with restricted rights, in accordance with the local security policy.

System configuration in the factory state
During initial commissioning, set up a user account that is assigned to the "Administrators" user group. The "Administrators" user group has full access rights at the operating system level.

The following user groups are defined:
- SIMATIC FILE ACCESS: User group with access to the shared B.Data directory in which the ASCII files are saved via FTP or Windows file sharing.
- SIMATIC NET: User group for using OPC.
- Siemens TIA Engineer: User group for using engineering tools such as WinCC or STEP 7.
- SIMATIC HMI: User group for using SIMATIC HMI components.

Recommendation for runtime
If you create additional users, assign them to one or more user groups.

NOTICE
Assign additional users to the user groups intended for this in the local security policy
The "Administrators" group has full access to all the configuration settings of the operating system, including user permissions. Assigning a user to the "Administrators" group represents a significant security risk.
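The following script is an added example (not from the Siemens manual) for the restricted user that the "FTP" interface notes and this section call for: it checks the password against the rules from "Security settings" (at least 12 characters, three of four character classes, no user name contained), creates the account, adds it to "SIMATIC FILE ACCESS" and optionally to "Remote Desktop Users", and verifies that it is not an administrator. User name and password are placeholders; net.exe is used so it also runs on older Windows versions.

```powershell
# Added example, not part of the Siemens manual. Creates a local Windows user
# with restricted rights for the B.Data FTP directory and, optionally, for
# Remote Desktop access. Assumptions: "SIMATIC FILE ACCESS" is the group named
# in the manual; "Remote Desktop Users" is the built-in Windows group that
# grants the remote access right the manual mentions; the credentials at the
# bottom are placeholders. Run from an elevated PowerShell prompt.

function Test-BDataPasswordPolicy {
    # Returns the list of violated rules; an empty result means the password passes.
    param([string]$UserName, [string]$Password)
    $reasons = @()
    if ($Password.Length -lt 12) { $reasons += 'shorter than 12 characters' }
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }   # upper-case letters
    if ($Password -cmatch '[a-z]')        { $classes++ }   # lower-case letters
    if ($Password -match  '[0-9]')        { $classes++ }   # numbers
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }   # special characters
    if ($classes -lt 3) { $reasons += "only $classes of the 4 character classes (3 required)" }
    # The manual: no user name or logon name may be included (checked case-insensitively).
    if ($UserName -and $Password.ToLower().Contains($UserName.ToLower())) {
        $reasons += 'contains the user name'
    }
    return $reasons
}

function New-RestrictedBDataUser {
    param(
        [Parameter(Mandatory=$true)][string]$UserName,
        [Parameter(Mandatory=$true)][string]$Password,
        [switch]$RemoteDesktop
    )
    $problems = @(Test-BDataPasswordPolicy -UserName $UserName -Password $Password)
    if ($problems.Count -gt 0) {
        throw "Password for '$UserName' rejected: $($problems -join '; ')"
    }
    $groups = @('SIMATIC FILE ACCESS')
    if ($RemoteDesktop) { $groups += 'Remote Desktop Users' }

    # "net user /add" creates a standard (non-administrator) local account.
    net user $UserName $Password /add | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net user /add failed for '$UserName'" }
    foreach ($group in $groups) {
        net localgroup "$group" $UserName /add | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "could not add '$UserName' to group '$group'" }
    }

    # Least-privilege check: the account must not be a member of "Administrators".
    $admins = (net localgroup Administrators) | ForEach-Object { $_.Trim() }
    if ($admins -contains $UserName) {
        throw "'$UserName' is unexpectedly a member of Administrators"
    }
    return $groups
}

# Placeholder credentials for illustration; replace them before running.
$assigned = New-RestrictedBDataUser -UserName 'bdata_ftp' -Password 'Replace-This-Pw-2014!' -RemoteDesktop
Write-Output "User 'bdata_ftp' created; member of: $($assigned -join ', ')"
```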
4.4 Integrating the Acquisition IPC into the local security policy

4.4.1 Overview

Introduction
The integration of the Acquisition IPC into the local security policy essentially involves deliberation and actions on the following points:
- Ensuring physical access protection
- Integrating the Acquisition IPC into existing IT infrastructure
- Implementing IT security measures against unauthorized access
Before commissioning the Acquisition IPC, it may be necessary to perform another risk analysis from which the effective measures are derived.

NOTICE
Measures for the local security policy must be regularly reviewed and adapted
The integration of the Acquisition IPC into the local security policy does not end with its commissioning. All security measures must be regularly reviewed and, when needed, adapted to the current state of the art.

4.4.2 Ensuring physical access protection

Introduction
Measures for physical access protection directly prevent access to the Acquisition IPC. In addition to access controls for the production area, physical access protection essentially means the installation of the Acquisition IPC in a lockable cabinet.

Recommendations for physical access protection
Take into account the following recommendations when integrating the Acquisition IPC into the local security policy:
- Install the Acquisition IPC in a lockable cabinet.
- Appoint specific contact persons who have access to this cabinet.
- Place the keyboard and mouse in lockable drawers as well.
- Prohibit the use of Bluetooth keyboards with the Acquisition IPC.
- Use only USB storage devices with trusted content.
4.4.3 Integrating the Acquisition IPC into existing IT infrastructure

Introduction
Within the framework of its intended use, the Acquisition IPC forms an interface between the process network and the company network / Internet. Depending on the security policies in effect, it may be necessary to perform a new risk analysis before integrating the Acquisition IPC into an existing IT infrastructure.

The following figure shows the communication paths required by the intended use of the Acquisition IPC. The Acquisition IPC transmits data from the process network to a B.Data server via an outbound connection. Inbound connections are not permitted. Use a separate router to configure inbound connections.

The following deliberations and actions are essentially needed for the integration of the Acquisition IPC into an existing IT infrastructure:
- Configuration of a company firewall
- Integration of an update server
- Integration of a time server
- Use of a virus scanner

Topology examples
The following topology examples show the use of one or more Acquisition IPCs:
- Acquisition of consumption data in a local area network
- Acquisition of consumption data directly over the Internet
- Acquisition of consumption data from two company sites via the Internet

Acquisition of consumption data in a local area network
In this topology example, the consumption data from the factory floor of a small manufacturing company are recorded and transmitted to the B.Data server in the administration building. There is no connection to the Internet. (Figure legend:)
- Connection from the Acquisition IPC to the process network. Required network profile: "Home" / "Work"
- Connection from the Acquisition IPC to the Intranet.
Required network profile: "Public"

Taking into consideration the local security policy as well as the availability of data sources, update servers and additional firewalls, you can also select the lower-security "Home" / "Work" network profile.

Acquisition of consumption data directly over the Internet

In this topology example, building management records the consumption data from two property locations. The consumption data are transmitted to a B.Data server in the administration building via the Internet. The two Acquisition IPCs are connected directly to the Internet.

* Connection from the Acquisition IPC to the process network. Required network profile: "Home" / "Work".
* Connection from the Acquisition IPC to the Internet. Required network profile: "Public".
* Router with additional firewall. The following rule must be defined in the firewall settings:
  * 1 outbound IPv4 connection with the B.Data port (default: 4444)

Acquisition of consumption data from two company sites via the Internet

In this topology example, the consumption data are recorded in a large industrial company with two locations. The B.Data server is located at the company headquarters. The consumption data from the production site are transferred over the Internet.

* Connection from the Acquisition IPC to the process network. Required network profile: "Home" / "Work"
* Connection from the Acquisition IPC to the company network (Intranet).
Required network profile: "Public"

Taking into consideration the local security policy as well as the availability of data sources, update servers, additional firewalls, etc., you can also select the lower-security "Home" / "Work" network profile.

* Router with additional firewall. The following rule must be defined in the firewall settings:
  * 1 IPv4 connection with the B.Data port (default: 4444)
* Router with additional firewall to connect the update server with the process network.
* PC to provide updates for operating systems and virus scanners in the company and process network.

Use of anti-malware software

No anti-malware software is pre-installed on the Acquisition IPC. The use of anti-malware software, including automatic updating, is strongly recommended. You can also use whitelisting software to define the applications that are allowed to run on the Acquisition IPC.

See also
Windows Firewall (Page 41)

4.4.4 Implementing IT security measures against unauthorized access

Security updates for operating system and installed additional software

Security updates for the operating system or the provision of updated virus signatures can be implemented via an update server, for example. You should preferably place the update server in the process network.

Secure handling of passwords

When working with passwords, adhere to the following recommendations:

* The password should only be known by legitimate users.
* Entrust passwords only to authorized users.
* Change the password at regular intervals in accordance with the password rules.
* Always assign a new password.
* Only use cabled input devices.

Physical access protection

Simple biometric access controls and wireless connections increase the security risk. Instead, adhere to the recommendations for physical access protection.
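The notice above calls for the security measures to be reviewed regularly. As an added example (not code from the Siemens manual), the following Python script audits the Acquisition IPC's own Windows Firewall rules against the policy of this section: no enabled inbound allow rule, and exactly one outbound allow rule to the B.Data port (default 4444) that is pinned to the B.Data server. The input format is modelled on the output of `netsh advfirewall firewall show rule name=all` (in which the "Home" / "Work" location appears as the "Private" profile); the listing below is constructed, and the server address 10.0.0.5 is a placeholder.

```python
"""Added example (not from the Siemens manual): audit a Windows Firewall
rule listing against the Acquisition IPC policy, i.e. no inbound
connections and a single outbound connection to the B.Data port.
Input is modelled on 'netsh advfirewall firewall show rule name=all'."""
import re

BDATA_PORT = "4444"  # B.Data port, manual default

# Constructed listing: one compliant B.Data rule and one enabled
# inbound allow rule that the audit must flag. 10.0.0.5 is a placeholder.
SAMPLE_LISTING = """\
Rule Name:                            B.Data outbound
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Private,Public
RemoteIP:                             10.0.0.5/32
RemotePort:                           4444
Action:                               Allow

Rule Name:                            Remote maintenance (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Private
RemoteIP:                             Any
RemotePort:                           Any
Action:                               Allow
"""

def parse_netsh_rules(listing):
    """Split a netsh-style listing into one dict per 'Rule Name:' block."""
    rules = []
    for line in listing.splitlines():
        m = re.match(r"^([A-Za-z ]+?):\s*(.*)$", line)
        if not m:
            continue  # separator and blank lines
        key, value = m.group(1), m.group(2).strip()
        if key == "Rule Name":
            rules.append({key: value})
        elif rules:
            rules[-1][key] = value
    return rules

def audit_rules(rules, bdata_server):
    """Return policy findings; an empty list means the listing is compliant."""
    findings = []
    active = [r for r in rules if r.get("Enabled") == "Yes"]
    # Inbound connections to the Acquisition IPC are not permitted.
    for r in active:
        if r.get("Direction") == "In" and r.get("Action") == "Allow":
            findings.append("inbound allow rule enabled: " + r["Rule Name"])
    # Exactly one outbound allow rule to the B.Data port, pinned to the
    # server address rather than to 'Any' remote address.
    bdata = [r for r in active if r.get("Direction") == "Out"
             and r.get("Action") == "Allow" and r.get("RemotePort") == BDATA_PORT]
    if len(bdata) != 1:
        findings.append("expected 1 outbound B.Data rule, found %d" % len(bdata))
    for r in bdata:
        if r.get("RemoteIP", "Any").split("/")[0] != bdata_server:
            findings.append("B.Data rule not pinned to server %s: %s"
                            % (bdata_server, r["Rule Name"]))
    return findings

if __name__ == "__main__":
    for finding in audit_rules(parse_netsh_rules(SAMPLE_LISTING), "10.0.0.5"):
        print("FINDING:", finding)
```

On a real IPC, feed the script the saved output of the netsh command instead of the constructed listing; any non-empty result is a deviation to review.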
See also
Ensuring physical access protection (Page 49)

5 Restoration and maintenance

5.1 Backup and Restore

5.1.1 Basics on backup and restore

Introduction

The Acquisition IPC is delivered with a pre-installed operating system. The image for creating a Recovery DVD is stored in a hidden partition on the hard drive. You can use the "Siemens SIMATIC Restore" application to access the hidden partition. The application can be started via the boot menu of the Acquisition IPC.

Partitioning the hard disk

The following figure shows the partitions of the Acquisition IPC hard disk:

* "Restore": Hidden. Contains the "Factory Settings" image of the factory state.
* "System": Operating system and configuration data
* "Data": User data

Note
Recommendation for data organization
When the Acquisition IPC is restored, the "System" partition is deleted at the very least. Save all individually created data and additionally purchased licenses, preferably in the "Data" partition.

Images

An image is a file with the following content:

* Partition data
* Content of the "System" partition

There are two images for the Acquisition IPC:

* "Factory Settings" image: This image contains the settings for the Acquisition IPC in its factory state. You cannot overwrite or delete this image.
* "User generated" image: You can create this image at any time, for example, after the configuration of the Acquisition IPC. Each additional "user generated" image overwrites the previous "user generated" image.

Each of the two images is stored in the "Restore" partition. You can back up the content of the "Restore" partition to a USB storage device.
See also
Creating recovery medium for Acquisition IPC (Page 63)

5.1.2 Siemens SIMATIC IPC Restore

Siemens SIMATIC Restore

The "Siemens SIMATIC IPC Restore" application is used for the following tasks:

* Creating a recovery medium
* Resetting the Acquisition IPC to the delivery state
* Creating a user-defined backup
* Restoring a user-defined backup
* Managing language packs for the interface language of the Acquisition IPC

The application can be started via the boot menu of the Acquisition IPC.

Language packs

You can install up to two different language packs on the Acquisition IPC:

* Basic language: The language in which the user interface is displayed. "English" is set as the basic language by default. You cannot delete the basic language.
* Additional language: You can set the additional language as the basic language. The previous basic language then becomes the additional language. You may delete the additional language.

See also
Creating a backup (Page 62)
Restoring the Acquisition IPC (Page 58)
Managing language packs (Page 65)

5.1.3 Restoring Acquisition IPC

5.1.3.1 Restoring the Acquisition IPC

Introduction

You create an image with the "Siemens SIMATIC IPC Restore" application.

Rules:

* If the Acquisition IPC is booted from a USB storage device, you can restore only the images from the USB storage device. You can additionally restore the entire hard disk.
* If the Acquisition IPC is booted without a USB storage device, only the image of the "Restore" partition in the Siemens SIMATIC Restore application is available.

Restoring the entire hard disk

NOTICE
All data on the hard disk are deleted
The hard drive is formatted and all data will be deleted.
Before you restore the hard disk, ensure that:

* The data of the "System" and "Data" partitions are backed up.
* The licenses are backed up.

The "Restore complete system disk" command restores all partitions of the hard disk, for example, after a hard disk replacement:

1. The hard disk is formatted and then partitioned.
2. The content of the "System" partition is restored based on one of the following images:
   - "Factory settings"
   - "User generated"

See also
Restoring a "user generated" image (Page 61)

5.1.3.2 Resetting the Acquisition IPC to the factory settings

Introduction

You can restore the "System" partition from the local hard disk or from a USB storage device.

Note
All data on the "System" partition are deleted.

Requirement

* The data of the "System" and "Data" partitions, including the licenses, are backed up.
* When restoring from a USB storage device:
  - A recovery medium has been created.
  - Booting from USB is enabled in BIOS.

Procedure

1. To restore the backup from a USB storage device, connect the USB storage device to the Acquisition IPC.
2. Restart the Acquisition IPC.
3. Select the command "Siemens SIMATIC Restore" from the boot menu. The "Siemens SIMATIC IPC Restore" application starts. The application starts automatically when booting from a USB storage device.
4. If you have booted from the hard disk:
   - Select the menu command "Restore SIMATIC B.Data Acquisition IPC" and click "Next".
5. If you have booted from a USB storage device:
   - Select the menu command "Restore SIMATIC B.Data Acquisition IPC" and click "Next".
   - If you want to restore the "System" hard disk partition, select the menu command "Restore existing system partition only" and click "Next".
   - If you want to restore the complete hard disk, select the menu command "Restore complete system disk" and click "Next". The entire hard disk is formatted and then partitioned again.
The "System" hard disk partition is restored with the "Factory Settings" image.

6. Restart the Acquisition IPC once the restore is successfully completed. The setup wizard for Windows is launched for initial configuration of the system after rebooting.
7. Configure the following settings:
   - Country settings with time zone and keyboard layout
   - User name and PC name
   - Password
   - Windows updates
   - Time
   - Network settings

Result

The restoration of the Acquisition IPC is completed.

See also
Creating recovery medium for Acquisition IPC (Page 63)
Completing Windows Setup (Page 18)

5.1.3.3 Restoring a "user generated" image

Introduction

You can restore the "System" partition from the local hard disk or from a USB storage device.

Note
All data on the "System" partition are deleted.

Requirement

* The data of the "System" and "Data" partitions, including the licenses, are backed up.
* When restoring from a USB storage device:
  - A recovery medium has been created.
  - Booting from USB is enabled in BIOS.

Procedure

1. To restore the backup from a USB storage device, connect the USB storage device to the Acquisition IPC.
2. Restart the Acquisition IPC.
3. Select the command "Siemens SIMATIC Restore" from the boot menu. The "Siemens SIMATIC IPC Restore" application starts. The application starts automatically when booting from a USB storage device.
4. Select the menu command "User generated Backup/Restore" and click "Next".
5. If you have booted from the hard disk:
   - Select the menu command "Restore User generated Backup" and click "Next".
6. If you have booted from a USB storage device:
   - Select the menu command "Restore SIMATIC B.Data Acquisition IPC" and click "Next".
   - If you want to restore the "System" hard disk partition, select the menu command "Restore existing system partition only" and click "Next".
   - If you want to restore the complete hard disk, select the menu command "Restore complete system disk" and click "Next". The entire hard disk is formatted and then partitioned again. The "System" hard disk partition is restored with the "user generated" image.
7. Select the menu command "Restore User generated Backup" and click "Next".

Result

The "System" partition is deleted and then restored from the image.

See also
Restoring the Acquisition IPC (Page 58)
Creating recovery medium for Acquisition IPC (Page 63)

5.1.4 Backing up the Acquisition IPC

5.1.4.1 Creating a backup

You create backups with the "Siemens SIMATIC IPC Restore" application.

Note
The "Siemens SIMATIC IPC Restore" application is designed exclusively for backing up the configuration data of the Acquisition IPC. You need to use a separate backup solution to back up the data generated at runtime.

The following backups are supported:

* Creating a recovery medium for the "Restore" partition (only possible on USB storage devices)
* Backing up the "System" partition (only possible on local drives)

You can use backups for commissioning multiple Acquisition IPCs.

See also
Creating recovery medium for Acquisition IPC (Page 63)
Backing up configuration settings of the Acquisition IPC (Page 64)

5.1.4.2 Creating recovery medium for Acquisition IPC

Introduction

The Acquisition IPC is supplied without a Recovery DVD. The "Factory Settings" image with the factory state of the Acquisition IPC is stored on the "Restore" partition instead.
Recommendation: When the Acquisition IPC is switched on for the first time, create a backup of the "Restore" partition on a USB storage device.

Requirement

* A bootable, blank USB storage device with the Windows file system must be available.
* Windows has been properly shut down.
* The "Restore" partition is unchanged.

Procedure

1. Reboot the Acquisition IPC.
2. Select the command "Siemens SIMATIC IPC Restore" from the boot menu. The "Siemens SIMATIC IPC Restore" application starts.
3. Select the menu command "Copy Restore to USB-FlashDrive" and click "Next". The required memory is determined and displayed.
4. Connect a USB storage device that has at least the indicated minimum amount of memory to the Acquisition IPC.
5. Select the USB storage device and click "Accept selection".

Result

The following images are copied to the USB storage device:

* "Factory Settings" image
* If created: "User generated" image

You can use this USB storage device to restore all disk partitions of the Acquisition IPC.

See also
Creating a backup (Page 62)

5.1.4.3 Backing up configuration settings of the Acquisition IPC

Introduction

You can back up the "System" partition as a "user generated" image in the "Restore" partition. If you have already created a "user generated" image, it is overwritten.

Recommendation: If you have configured the Acquisition IPC and connected it to the network, you should back up the configuration settings as a "user generated" image.

Procedure

1. Restart the Acquisition IPC.
2. Select the command "Siemens SIMATIC IPC Restore" from the boot menu. The "Siemens SIMATIC IPC Restore" application starts.
3. Select the menu command "User generated Backup/Restore" and click "Next".
4. Select the menu command "Capture Backup of system partition" and click "Next".

Result

The "user generated" image is created and saved in the "Restore" partition.
If you want to additionally save the "user generated" image on a USB storage device, create a recovery medium.

See also
Creating a backup (Page 62)
Creating recovery medium for Acquisition IPC (Page 63)

5.1.5 Managing language packs

Introduction

You set the user interface language and the keyboard layout of the Windows operating system in the "Siemens SIMATIC IPC Restore" application. English is set as the interface language by default. If you need a different language, install an additional language pack.

Requirement

* The "Siemens SIMATIC IPC Restore" application has started.
* The "Manage Windows Language" command is selected.

Installing a language pack

1. Select the language pack that you want to install. The installed language is set as an additional language. You can set the language as the basic language.

Setting the language as the basic language

1. Select a language pack that has already been installed.
2. To set the selected language as the basic language, click on "Set language to <language>". The selected language is set as the basic language.

Removing a language pack

1. Select the language pack that you want to remove.
   Note: You can only remove additional languages. If you want to remove the basic language, you must first set another language as the basic language.
2. To remove the selected language, click on "Remove <language> language pack".

5.2 Repair and replacement of parts

Sending the Acquisition IPC for repair

If you need to send the Acquisition IPC in for repair, please make the following preparations:

1. If you are using additional licenses, back up the licenses to an external storage medium.
2. Back up the configuration settings of the Acquisition IPC.
3. Note changed BIOS settings (optional).
After the repair

When you receive the Acquisition IPC back from repair, restore it with the following steps:

1. Restore the changed BIOS settings (optional).
2. Restore the "User-defined" backup.
3. If you are using additional licenses, transfer the licenses from the external storage medium.

See also
Backing up configuration settings of the Acquisition IPC (Page 64)
Restoring a "user generated" image (Page 61)

5.3 Backup battery

Regular replacement of the backup battery

The service life of a backup battery is approximately 5 to 8 years, depending on the operating conditions. Replace the backup battery at regular intervals.

Additional information

Read the additional information on handling the backup battery in the documentation for your SIMATIC IPC.

Index

"
"FTP" interface: Pre-configuration, 33
"Modbus" interface: Pre-configuration, 31
"OLE-DB" interface: Pre-configuration, 33
"OPC" interface: Pre-configuration, 31
"S7" interface: Pre-configuration, 30
"Simulation" interface: Pre-configuration, 35

A
Acquisition IPC: Backup battery, 67; Completing Windows Setup, 18; Configuring the network adapter, 20; Connecting peripherals, 17; Hardware configuration, 12; Initial power-on, 18; Installing, 16; Remote access, 27; Repairing, 66; Software configuration, 13

B
B.Data: Acquisition configuration, 22; Logging an acquisition component onto B.Data, 23
Backup battery, 67

C
Configure Network Adapter, 20
Connecting: Keyboard to the Acquisition IPC, 17; Monitor to the Acquisition IPC, 17; Mouse to the Acquisition IPC, 17; Peripherals to the Acquisition IPC, 17; Power supply to the Acquisition IPC, 16

D
Definitions and naming conventions, 5

G
Guide, 5

I
Initial power-on: Acquisition IPC, 18
Installing: Acquisition IPC, 16
Intended use, 38
IT security: Delineation of responsibility, 38; Local security policy, 49; Measures, 38; System configuration, 40

L
Licenses: transfer, 36
Licensing, 36
Location of the documentation, 5
Logon: Acquisition component with B.Data, 23

P
Position in the information landscape, 6
Pre-configuration: "FTP" interface, 33; "Modbus" interface, 31; "OLE-DB" interface, 33; "OPC" interface, 31; "S7" interface, 30; "Simulation" interface, 35; SIMATIC IPC DiagBase, 25; Windows, 27
Purpose of the documentation, 5

R
Remote access, 27
Repair: Acquisition IPC, 66
Required knowledge, 5

S
SIMATIC IPC DiagBase: Pre-configuration, 25
System configuration: Patches, 44

T
Target group, 5
Transferring: Licenses, 36