Transparent cybersecurity

Protect plant-floor data without limiting industrial network access.

By Mike Bacidore, Editor in Chief

In brief:

  • A steel plant that used a server to interconnect its PLCs with its automation system enjoyed more intensive interconnectivity when it installed QMOS, a software system specially developed for steel operations, that could also integrate its MES and SCADA systems.
  • Having as many as 40,000 to 50,000 I/O points can help improve troubleshooting capabilities because operators can track down the problem to the minutest detail. This makes it possible to trend any variable to determine if the cause was human error or an equipment problem.
  • Operations are separated into two domains: the plant floor/process side, which has the PLCs and historian, and the corporate side, which has the ERP. Sophisticated software delivers data that both corporate and the process people use.


Fire and water don’t play well together. Firefighters will tap a hydrant to battle a blaze. By the same token, if you want to boil water to evaporation, there’s nothing like a hot flame. As eternal combatants, fire and water thwart one another endlessly.

Much like a waterfall, data cascades through an organization, spilling from the plant floor and pooling where it’s needed, whether that’s the maintenance staff or the executive boardroom. But, as any IT director worth his bandwidth will tell you, that data needs to be protected and the network needs to be secure. Some still argue that multiple firewalls are the only surefire way to ward off cyber-infiltration, but how do you keep the data flowing?

Steeling fire

Gerdau Ameristeel, a mini-mill steel producer and steel recycler in North America with an annual manufacturing capacity of more than 10 million metric tons of mill-finished steel products, has 11 mini mills running a manufacturing execution system (MES) called QMOS. While QMOS oversees the management of information to the company’s ERP system, it relies heavily on KepServerEX communication technology and OPC server from Kepware Technologies to manage myriad diverse PLCs distributed throughout the mills.

“We have a variety of different PLCs — just about every platform out there, Siemens, Allen-Bradley, GE,” says Jason Magill, application architect at Gerdau Ameristeel. “We’re trying to become more standardized, but each mini-mill has its own sets of PLCs. The great advantage of using KEPServerEX is that its drivers are able to connect to all the PLCs, regardless of their individual specifications.”

The company’s Jacksonville, Florida, mill has two major operations — the melt shop and rolling mill. Other locations have a shredder, which takes large objects such as cars and other large pieces of metal and shreds them down to be melted in the furnace at the melt shop. The average car contains approximately 1 ton of steel, and the Jacksonville operation is melting and rolling about 90 cars/hr or up to 750,000 cars/yr.

While the Jacksonville plant originally was using the Kepware technology to tie GE PLCs to a PC-based automation system, it expanded its use when QMOS was launched because of the Kepware technology’s interoperability with the plant’s MES and SCADA, along with the PLCs, explains Jarrod Parrotta, improvement facilitator at the Jacksonville plant. “When QMOS came into play,” says Parrotta, “we replaced everything with Kepware.”

The Jacksonville rolling mill operation is monitoring approximately 13,000 I/O points, and the melt shop has another 10,000 being acquired from smart devices via KepServerEX, and the plant is only about halfway to where it wants to be. “Our target is somewhere between 40,000 to 50,000 I/O points,” says Parrotta.

The plant has four Wonderware terminal servers — two in the rolling mill and two in the melt shop. Future implementation of Wonderware’s FactoryFocus will be used on the corporate network to provide executives with a more granular view of specific operational information. Process data are collected, and staff can link data from multiple OPC data sources. “With the current system configuration, I will never have to let anyone through the firewall,” reveals Parrotta. “Using the two servers across the firewall allows me to provide a security control feature and limit the amount of traffic on the process network.”

But the I/O points improve troubleshooting capabilities. “If operators have issues, they can literally track down the problem to the minutest detail,” says Parrotta. “They can technically re-create anything the operator did via Wonderware or pushbutton interfaces. We can trend just about anything and find out if it was a human error or whether it was, for example, a sensor that failed. As long as we have every I/O logged, we can troubleshoot anything.”

QMOS receives a schedule from the ERP system and covers the management of the planning, scheduling and production in the rolling mill and the melt shop. It manages the process from receiving customer orders and creating production schedules, as well as managing the demand for the steel, through the production of the billets to the bundling, packaging and shipment of semi-finished or finished products to the customers.

“QMOS figures out which ingredients are needed for the products,” explains Parrotta. “Recipes for those orders reside in both QMOS and Wonderware. QMOS is keeping track of each step in the process. It’s tracking all of the operational parameters that are critical, for example, amps, pressures, kilowatt-hours, time start/stop. All this is tracked inside the QMOS MES system. We’re pulling data out of the Oracle database on the opposite end within certain parameters and we’re sending those to the KepServerEX to manage the tags to the PLC. In this way, the operators don’t have to manually do it, which eliminates the possibility of human errors.”

In the Jacksonville plant, Kepware provides the connectivity between the PLCs, QMOS, Wonderware and integrated IBA historian. Operations are separated into two domains, the plant floor/process side and the corporate side. The ERP resides on the corporate domain, while Wonderware, the PLCs and historian reside on the process domain. QMOS and Kepware straddle the process and corporate sides because QMOS, via Kepware’s communication, delivers data that both corporate and the process people use.

“We also use Kepware’s LinkMaster to deliver tags from the melt shop to corporate and to the rolling mill in order to generate some of the plant energy readings such as gas and electric,” says Parrotta. “LinkMaster enables us to transfer data to and from the melt shop to corporate and back to the rolling mill or in any data configuration we need.” The data then goes to the IBA historian for a complete plant utility report. The historian adds tags together, calculates the values and delivers a comprehensive report.
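An added example, not from the article or from Gerdau's systems: a check over observed flow records that every route between the corporate-only and process-only assets in the two-domain layout described above passes through QMOS or Kepware. The flow tuples, the `laptop-17` host and the rule that only the straddling components may bridge the domains are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Domain membership as the article describes it. Asset names are labels,
# not real hostnames.
ZONES = {
    "erp": {"corporate"},
    "wonderware": {"process"},
    "plc": {"process"},
    "historian": {"process"},
    "qmos": {"corporate", "process"},     # straddles both domains
    "kepware": {"corporate", "process"},  # straddles both domains
}
BROKERS = {h for h, z in ZONES.items() if len(z) > 1}

def bypass_paths(flows):
    """Return routes from a corporate-only asset to a process-only asset
    that never touch a broker. An empty list means the separation holds."""
    graph = defaultdict(set)
    for src, dst in flows:
        if src in BROKERS or dst in BROKERS:
            continue  # traffic that terminates on a broker is the sanctioned route
        graph[src].add(dst)
        graph[dst].add(src)  # assumption: an observed flow is a two-way channel
    starts = sorted(h for h, z in ZONES.items() if z == {"corporate"})
    targets = {h for h, z in ZONES.items() if z == {"process"}}
    found = []
    for start in starts:
        queue, seen = deque([[start]]), {start}
        while queue:
            path = queue.popleft()
            for nxt in sorted(graph[path[-1]]):
                if nxt in seen:
                    continue
                seen.add(nxt)
                if nxt in targets:
                    found.append(path + [nxt])  # reached the process side
                else:
                    queue.append(path + [nxt])  # keep following, e.g. unknown hosts
    return found

# Constructed flow records (source, destination); not data from the plant.
CLEAN = [("erp", "qmos"), ("qmos", "kepware"), ("kepware", "plc"),
         ("kepware", "historian"), ("wonderware", "plc")]
# An uninventoried host that talks to both sides bridges the domains.
BRIDGED = CLEAN + [("erp", "laptop-17"), ("laptop-17", "wonderware")]

if __name__ == "__main__":
    print("clean:", bypass_paths(CLEAN))
    print("bridged:", bypass_paths(BRIDGED))
```

The bridged case is the one a per-connection rule check misses: neither flow crosses the boundary on its own, but together they form a route around the brokers.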


Is it safe?

The security mechanisms and controls that protect enterprise networks are insufficient for industrial networks.

– Jeff Cody, industrial Ethernet technical support engineer for Hirschmann

“The interconnection of the enterprise and industrial Ethernet using common, standards-based communications protocols has brought measurable advantages to industrial companies,” says Mike Miclot, vice president at Belden’s industrial solutions division. “For many, seamless interoperability and real-time information flow from the shop floor to the front office has become a reality and helped reduce costs and drive increased efficiency and productivity.”

Organizations with multiple locations can operate on a common networking system, connecting internal departments with personnel in the field. However, the evolution of Ethernet from the enterprise to the plant floor isn’t without challenges for industrial plants. Sharing a common networking platform can open vulnerabilities that put manufacturing operations at greater risk for inadvertent and deliberate network intrusion, explains Jeff Cody, industrial Ethernet technical support engineer for Hirschmann, a Belden brand. In fact, as automated production and the instrumentation systems that connect and control equipment and operations have grown increasingly complex, cybersecurity vulnerabilities also have increased.

“The security mechanisms and controls that protect enterprise networks are insufficient for industrial networks,” explains Cody. “Although the two might use similar equipment and protocols, they have different characteristics and performance criteria and can be affected in dramatically different ways by the same type of events. Enterprise networks supporting front- and back-office activities typically can withstand periodic network outages ranging from a few minutes to a couple of hours, with no lasting damage. Firewalls and proxy servers protect them from external threats, and operating system patches and security software usually are effective in keeping them safe from viruses and malware.”

But industrial networks are a different stream altogether. “They have a more specialized nature, with environments ranging from climate-controlled clean rooms to harsh and sometimes hazardous operating conditions,” says Miclot. “In addition, industrial operations typically involve deterministic control networks with strict timing constraints rather than intermittent traffic. In this data-intensive environment, outages are intolerable. Any disruption is too long and can lead to waste or contamination of raw or in-process materials or goods. It also might mean an entire process needs to be restarted from the beginning. Further, production machines rarely can be secured with a software patch, anti-virus system or intrusion protection mechanism.”

Another cybersecurity consideration is how the industrial network links to the corporate network, warns Cody. “Some are directly connected on the same enterprise domain,” he says. “Others consist of segmented networks connected by routers or virtual local area networks. Still others remain completely isolated while sharing common resources over the Internet. Too often, however, security measures and controls on the plant side simply mirror the mechanisms implemented on the corporate side and are inadequate to address the specialized requirements of the industrial network.”