There are several design considerations to think about for industrial gateways:
- Operating system
- Industry standards and certifications
- Security
- Industrial network connectivity support
- Gateway hardware specifications
- Network deployment and configurations
Operating system
The type of operating system (OS) to deploy on the industrial gateway is an important factor, because software solutions can have different OS requirements. Choose an OS based on factors such as how lightweight it needs to be and which dependencies it supports. KEPServerEX, also known as Kepware Server, is one of PTC’s solutions for creating interoperability between industrial devices and upstream systems. Kepware Server provides a large variety of drivers and plug-ins to help facilitate communications with plant floor devices running different types of industrial and non-industrial protocols.
Kepware Server runs on Microsoft Windows and supports the following OS versions:
- Windows 10 x64 (Pro and Enterprise Edition)
- Windows 10 x86 (Pro and Enterprise Edition)
- Windows 8.1 x64 (Windows 8, Pro, and Enterprise Edition)
- Windows 8.1 x86 (Windows 8, Pro, and Enterprise Edition)
- Windows 8 x64 (Windows 8, Pro, and Enterprise Edition)
- Windows 8 x86 (Windows 8, Pro, and Enterprise Edition)
- Windows Server 2019 x64
- Windows Server 2016 x64
- Windows Server 2012 x64 R2
- Windows Server 2012 x64
An alternative to Kepware Server is PTC’s ThingWorx Kepware Edge. Kepware Edge is a more lightweight solution, but it has a limited set of supported connectivity options compared to Kepware Server. Kepware Edge is currently verified and supported on Ubuntu x86_64 version 18.04 LTS (x86_64 is currently the only supported platform).
Industry certifications
Industry standards and certifications are an important factor to consider when deploying equipment in a factory environment. One such industry standard is the Ingress Protection (IP) rating, also defined as IEC 60529. This standard classifies the different levels of protection provided by the casing around the device. It looks at the intrusion protection, such as against solid objects, followed by the moisture protection, such as shielding from water spray. Depending on your environment, you will need different values to stay compliant and for the gateway to stay operational.
Other than the IP rating, there are other standards and certifications to consider, depending on the environment and use case. For safety standards in the manufacturing space, consider IEC 61010 and the newer IEC 62368 standards. For IT-based standards and security, consider IEC 62443 and other frameworks or standards for more stringent environments like FIPS 140-2.
Security
Security is a crucial consideration, as it will play a role in protecting the safety of factory workers and protecting sensitive company data. When working with gateways, review the following security functions:
- Ensure that only authorized users have access to the gateway, both physically and over the network. For example, consider access methods such as integrating with a central authentication server for more effective management of users. Any unused physical ports (for example, an unused RJ-45 port) should be sealed or disabled in the BIOS. Consider physically placing the gateway in an area that requires key-card access for authorized personnel only.
- Create user roles based on job function to follow the principle of least privilege. Review access and authorization periodically to ensure that both are up-to-date and accurate. It is also recommended to configure logging on the gateway (OS and any relevant applications) and, ideally, to forward those logs to a centralized logging server.
- Protect any data that exists within the gateway and any data going through it. Consider using up-to-date encryption algorithms to protect the confidentiality of the data. An example would be to encrypt any data at rest while leveraging a TPM module for secure encryption key management. Also, it may be appropriate to use hashing algorithms to protect the integrity of the data.
- Review segmenting of access as well. An example of this is to either designate a VLAN per function, or to physically segment management traffic from data traffic. Proper segmentation of data prevents someone without access from pivoting from one section of the network to another. This is important because machine data is often considered intellectual property, and therefore it must be protected and separated from other data.
Industrial connectivity
It can be helpful to put together a list of the devices and the protocols running in your environment. This will help identify whether the gateway can support interfacing with everything on the list. Also, ensure that the gateway has the right hardware to connect to devices, especially programmable controllers like Programmable Logic Controller (PLC) or Distributed Control System (DCS). Often, this can be done using standard CAT-6 family Ethernet cables, but serial-based connections may be required, too. The ThingWorx Kepware Server Data Sheet lists the protocols supported by KEPServerEX version 6.11.718. ThingWorx Kepware Edge supports: Modbus Ethernet, Allen-Bradley ControlLogix Ethernet, and Siemens TCP/IP Ethernet.
Gateway hardware specifications
Hardware specifications help define the amount of processing that the gateway can handle. Often there is a ratio of programmable controllers to gateways to consider. Initially, it is helpful to understand how many machines, devices, and sensors are on the factory floor, and how much data each unit produces. Choose the appropriate hardware specifications and identify which cells and zones need specific hardware capabilities. Also consider what functions and applications the hardware needs to support.
Specific hardware specifications to consider include the CPU, memory, network ports and capabilities, as well as other special capabilities like ARM and multipathing capabilities. For example, if you require low power consumption, then choose a gateway that runs the Intel Atom CPU. Other components include the amount of local storage. Does your environment need to support a large amount of data storage, or can you get by with a lower amount? Do you need a GPU card for more powerful processing? Also, does the factory floor support the power supply? Consider a TPM module for added security. Review the form factor of the gateway for constrained spaces. Environmental factors like operating temperature, humidity, and vibration are essential considerations as well.
The following is a table of system requirements for Kepware Server.
| Hardware component | Requirement |
| --- | --- |
| CPU | 1.0 GHz processor (2.0 GHz recommended) |
| Memory | 1 GB installed RAM |
| Storage | 530 MB of available disk space |
For Kepware Edge deployments, there are numerous considerations. One is whether Kepware Edge is deployed directly on the host OS or as a container (not tested as a part of this DVD). Generally, an Ubuntu VM with 1 or 2 CPU cores and 1 to 4 GB RAM would be sufficient, depending on the active tag count load for Kepware Edge. For any additional information, please contact Kepware support.
Dell EMC Edge Gateway 5200
The Dell EMC Edge Gateway 5200 is a ruggedized gateway built to handle harsh environments, provide performance at the edge, and handle sizeable workloads. Some features of the Edge Gateway 5200 include an optional module to extend functionality by adding ports that can support connections to RS-422/485, RS-232, Canbus, 4G, 5G, and extra Gigabit Ethernet ports. This allows the EGW-5200 to support a wide array of different physical connections, which are often characteristic of manufacturing environments. Additionally, the EGW-5200 gateway offers environmental specifications such as an IP rating of 20 (by default) or 30 (with all screws covered). Reference the EGW-5200 Spec Sheet for any additional information on the gateway's specifications. Part of the DVD validation testing validated that the EGW-5200 can successfully run Kepware Server and execute basic functionality. Please reference Kepware Server validation testing for additional detail.
Network deployment and configuration
It is important to pre-plan the network deployment of the gateway to ensure a successful outcome. Consider where and how the gateway will be connected. Ensure that the necessary number of IP addresses are reserved for the gateway or gateways being deployed. If using VLANs, ensure that they are configured on the correct ports and that they are extended to the right devices. Test connectivity from the gateway location to where it will send the data, to services such as DNS or NTP, and the upstream ThingWorx server. This will verify that the Layer 2 and Layer 3 settings are configured correctly.
Review network redundancy for continued availability and minimal disruptions. Consider planning for network multipathing and fault tolerance by deploying redundant connections and switches. It is also important to plan for gateway failure scenarios. Ensure that there is a plan to restore gateway functionality with minimal downtime. For example, preconfigure a spare gateway on-site and nearby so that it is ready to be deployed with minimal configuration. When deploying Kepware Server software, back up the latest configuration periodically. For more detail, see High Availability and Disaster Recovery.
Another topic to consider is support for required network services. Common services and protocols to think about are NTP, DNS, 802.1X, as well as network monitoring (for example, SNMP) and logging. The network should allow the gateway to reach these services. Lastly, think about network security considerations such as firewall rules. Are the necessary ports and protocols allowed for the gateway software to carry out all its functions? Are the necessary network services allowed through the network path? Successful network planning results in an easier and more successful deployment. See Security considerations for further details on validated firewall access-list rules between PTC devices.
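The connectivity tests and the firewall questions in this section can be run from the gateway as a single preflight check covering DNS, NTP, and the upstream TCP path. The following is an added example, not part of the original guide or of any PTC or Dell tooling; the host names and the ThingWorx TCP port 443 are placeholder assumptions to replace with the site's own values.

```python
import socket
import struct

NTP_TO_UNIX = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

def check_dns(name):
    """Resolve a name through the resolvers the gateway is configured to use."""
    try:
        return True, sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror as exc:
        return False, str(exc)

def check_tcp(host, port, timeout=3.0):
    """Complete a TCP handshake; refusal or timeout points at routing, VLAN or firewall rules."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except OSError as exc:
        return False, f"{type(exc).__name__}: {exc}"

def parse_ntp_reply(reply):
    """Return the server transmit time as Unix seconds, or None if not a server reply."""
    if len(reply) < 48 or (reply[0] & 0x07) != 4:  # mode 4 = server
        return None
    return struct.unpack("!I", reply[40:44])[0] - NTP_TO_UNIX

def check_ntp(host, port=123, timeout=3.0):
    """Send one SNTP client request over UDP (IPv4 only) and validate the answer."""
    request = b"\x23" + bytes(47)  # LI=0, VN=4, Mode=3 (client)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(request, (host, port))
            reply, _ = sock.recvfrom(512)
    except OSError as exc:
        return False, f"{type(exc).__name__}: {exc}"
    unix_time = parse_ntp_reply(reply)
    return (unix_time is not None), unix_time

def run_preflight(dns_names=(), tcp_targets=(), ntp_servers=()):
    """Run every check and return (kind, target, detail) for each failure."""
    results = [("dns", n, *check_dns(n)) for n in dns_names]
    results += [("tcp", f"{h}:{p}", *check_tcp(h, p)) for h, p in tcp_targets]
    results += [("ntp", h, *check_ntp(h)) for h in ntp_servers]
    return [(kind, target, detail) for kind, target, ok, detail in results if not ok]

if __name__ == "__main__":
    # Placeholder names and port (assumptions): use the site's DNS, NTP and ThingWorx hosts.
    for failure in run_preflight(dns_names=["thingworx.example.internal"],
                                 tcp_targets=[("thingworx.example.internal", 443)],
                                 ntp_servers=["ntp.example.internal"]):
        print("FAIL", *failure)
```

Running it from each VLAN the gateway will use, before and after firewall changes, shows which rule or route blocks a required service.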