What Makes ASi-5 so Safe (for the Future)

Bihl+Wiedemann's ASi-5 is a radically redesigned system. It is designed to be future-proof for the long term because it is optimally adapted to the requirements of Industry 4.0 – especially with regard to the layout of the transmission data. The system also improves safety at times when more and more devices need to communicate directly with each other. This improvement is due to the communication barrier between ASi-5 and TCP/IP which isolates many network participants and thus closes safety gaps. Bihl+Wiedemann also provides more safety through extensive testing of the software components and simple, user-friendly software updates. This article deals with four aspects of the ASi-5 system: the structure of the data transfer, the extensive safety features, safety measures by Bihl+Wiedemann, and the importance of simple in-system updates.

Fieldbuses, such as PROIFNET, EtherCAT or ASi, are widely used today. In many areas they provide a 1:1 replacement for conventional, direct wiring of sensors and actuators. For this reason, they are optimized for cyclically transmitted data, which is essential for controlling a machine. However, in the course of progressive digitization and the requirements of Industry 4.0, other data is gaining in importance:

 

  • Measuring instead of switching sensor systems

  • Controlling drives via rotational speed instead of simple ON/OFF

  • Capturing secondary measured variables in addition to the primary ones

  • Detecting derived variables such as switching frequency

  • Checking software versions and installing updates if necessary

  • Diagnostic data

Higher Bandwidths Required

This change in requirements primarily necessitates higher bandwidths for data transfer and an updated data structure. Depending on the application, there is now a need for a very different division of the bandwidth into fast cyclic data (typically just a few bits) and large volumes of slower, acyclic data.

 

Furthermore, current intelligent field devices are equipped with an IO-Link interface that also supports both cyclic and acyclic data. In order to implement ASi-5 modules with multiple IO-Link master ports, it is important to be able to establish exclusive acyclic connections to each IO-Link port, and to avoid doing this with a cumbersome application-level access control between the various ports.

Demand-Oriented Division of Cyclic and Acyclic Services

ASi-5 has therefore implemented a flexible system which allows the bandwidth of a participant to be scaled between 1 and 4 transport channels. Furthermore, the division between cyclic and acyclic services can be handled according to demand. As a manufacturer of ASi-5 nodes, Bihl+Wiedemann creates predefined, suitable datasets. From these datasets the user is provided with a number of easily selectable profiles. This allows both classic I/O modules with one bit per input point and, for example, displays that require "streamed data" to be adequately operated.

ASi-5 is a flexible system that enables demand-oriented distribution of cyclic and acyclic services to each separate device

TCP/IP Monoculture as a Safety Risk

Consideration of data safety is also becoming increasingly important in automation technology. This is intensified for ASi-5 because Industry 4.0 requires a high level of data transparency, and consequently more and more devices are able to communicate directly with each other. A fundamental weak point is the TCP/IP 'monoculture'. As easy as it is to exchange information using the same standardized TCP/IP services, the same safety gaps can easily be hidden in completely different devices. This is facilitated by the desirable re-utilization of proven software source codes.

 

This effect is impressively demonstrated by the example of the so-called Heartbleed bug, which came into existence in 2012 and was only fixed in 2014. The discovery revealed that not only web servers were affected, but also Android, some VoIP phones, NAS systems and much more. It doesn't take much imagination to picture just how much greater the impact of a comparable failure would be today or in the future – in an increasingly networked world with tens of millions of IoT devices.

Increasing the Number of Devices Makes Network Safety a Greater Challenge

The Heartbleed bug was merely a classic programming error, but one can also picture nightmare scenarios in which criminals equip IoT devices with manipulated software. Such devices then not only fulfill their originally intended function, they also scan the accessible company network for safety gaps and track down things, such as passwords, which they could then send to an external server.

 

Of course, in recent years, increased attention has been paid to the potential problems of networking, and this has helped to ensure greater safety especially in the highly professional environment of automation. But the challenge posed by an exponentially increasing number of TCP/IP-enabled field devices is very high. After all, those responsible for network safety must not only define the permitted and necessary services for each device, they must also implement these definitions without mistakes or errors in firewalls and other safety devices. This is not an easy task and it is becoming harder and harder due to the increasing number of devices.

Communication Barrier between ASi-5 and TCP/IP Increases Safety

In terms of safety, it is therefore very helpful that a logic barrier occurs between ASi-5/IO-Link and TCP/IP. High safety requirements only need to be placed on the ASi-5 Master, which establishes the connection to TCP/IP. On the other hand, ASi-5 nodes are much more harmless in terms of safety, because they cannot communicate in TCP/IP networks. Those responsible for network safety can thus concentrate on significantly fewer devices and check them more carefully.

The communication barrier between levels of automation control, especially between ASi-5 and TCP/IP, increases security

ASi-5 Makes it Difficult to Capture Exchanged Messages

Another special feature of ASi-5 also ensures greater safety: Due to ASi-5 using data transmission via OFDM with dynamic frequency allocation, the capture of exchanged messages is very complicated. The entire context for establishing a connection between master and node would be required. Exact synchronization of the clock frequencies, as it takes place between master and node according to the ASi-5 protocol would additionally be required. Only then can signals be decoded at all. Another important point is that, depending on frequency, the signal strength is not equal at all spatial positions. Master and node negotiate this with each other in an optimized way, but this considerably increases the difficulty of listening in. In contrast, it is extremely easy to capture Ethernet telegrams with commercially available Ethernet TAPs or standard mirror ports.

Data transmission using OFDM with dynamic frequency allocation makes unwanted eavesdropping more difficult

Extensive Safety Tests, Carefully Selected Components

Bihl+Wiedemann's development department also takes great care to ensure a high level of safety. All software components used are selected with consideration of their safety aspects. Furthermore, the developers constantly monitor error and safety messages. In Bihl+Wiedemann's experience, open source software can often be a very good alternative due to large, active communities.

 

Bihl+Wiedemann also carries out regular and extensive safety tests using various tools. This includes test systems such as General Electric's Achilles Test Platform. This test system stresses the DUT through a mixture of random test patterns as well as known problematic patterns like the differences between the actual and declared length of data blocks, exceeding of permitted lengths and many more. For further tests Bihl+Wiedemann uses load generators, which enable the simulation of high network loads. These could, for instance, stop individual tasks in the DUT, which can result in unexpected reactions.

 

In practice, these tests repeatedly have astonishing effects on the development process. Detecting them right in the laboratory, before they appear at the customer end, is a decisive factor for quality assurance. According to Bihl+Wiedemann's experience, the comparatively high expenditure of time and financial resources is always worthwhile in order to provide the customer with a robust, safety-tested product straight out of the box.

Simple In-System Updates Increase Safety

Uncomplicated software updates are also indispensable for a high level of safety. As the example of the Heartbleed bug shows, errors can occur even in very well-established packages and appear only after a very long time. If this is the case, the ability to react immediately is paramount. It is best to offer the user a simple, reliable in-system update. Not only does this enable the user to install urgently needed safety updates, but as a "secondary effect", it also allows the simultaneous installation of functional extensions and improvements.

 

Bihl+Wiedemann offers this possibility for all ASi-5 masters and nodes directly via the Bihl+Wiedemann Software Suite. The software of the devices on the ASi bus is compared with the software released for the corresponding serial numbers on the update server. If there is a newer version, the system can be updated directly – of course, only with the explicit consent of the user. In order not to interrupt the safety chain in this process, several safety features are integrated into the update process:

 

  • Each TCP/IP-capable device receives an individual certificate for SSL communication during production

  • The software on the update server is signed and the signature can be verified by the devices

  • Updates are only possible via the update server and encrypted connection

The firmware update is protected by several behind-the-scenes security mechanisms

The Ideal Fieldbus for Industry 4.0

ASi-5 has the optimal prerequisites for the implementation of Industry 4.0 projects: a high bandwidth, the demand-oriented division of cyclic and acyclic services and the required safety features. The communication barrier between ASi-5 and TCP/IP alone significantly increases safety due to the many network participants. Moreover, Bihl+Wiedemann goes even further to ensure greater safety. This includes the previously mentioned extensive tests using a wide range of tools from the field of cyber safety as well as the structured in-system updateability of Bihl+Wiedemann products, secured with cryptographic certificates.