To improve access to process data in water/wastewater plants in Japan, Nishihara Environment Co., Ltd. in Tokyo and Nissin Systems Co. in Kyoto recently developed a solution and service called N-Share, which combines DataHub technology from Skkynet with the iBress cloud-computing service from BellChild Ltd. in Osaka. They report that N-Share lets Nishihara work more closely with its client facilities, share data in real time with regulators and operating firms, and save everyone time and revenue.
Nishihara previously had to gather data at each water/wastewater site and feed it to analytics tools for fault detection, variable prediction and the application of control algorithms. With N-Share, it uses iBress to remotely access and redistribute information about power supplies, tank levels, pump status, sludge weight and other parameters. Sensors and other onsite devices send data to their PLCs, which relay it 12 times per minute via Modbus to a wireless gateway at each plant. This information is aggregated by Skkynet's Embedded Toolkit (ETK) software into one dataset, which is sent via the open DataHub Transfer Protocol (DHTP) at a resource-saving once per minute to the iBress cloud and the HMIs of authorized users. DHTP maintains a secure connection with a cloud-enhanced version of DataHub running on iBress, which lets ETK and iBress exchange data in real time over a Secure Sockets Layer (SSL) link, with no firewall ports open at the plants. Any alarms are immediately passed via a separate channel to iBress, which generates emails and logs them to databases and CSV files.
"Having an in-plant monitoring system gives us the data we need to propose large-scale, comprehensive maintenance projects," says Masumi Wada, engineering manager at Nishihara. These projects are typically valued at around 10 million yen (about $100,000) each. "N-Share also reduces onsite maintenance visits, saving us hundreds of person-hours per year."
Secure links = safer operations
Bob McIlvride, communications director at Skkynet, adds that secure network links are crucial for IIoT success, especially because the European Union Agency for Cybersecurity recently launched its Network and Information Systems 2 (NIS2) directive for securing data moving from operations technology (OT) to information technology (IT). It's based on similar standards developed by the National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO) and International Society of Automation (ISA).
"NIST SP 800-82 advises segmenting networks and establishing demilitarized zones (DMZ) between them, so NIS2 requires a three-step process for bridging the OT, DMZ and IT levels," says McIlvride. "The problem is regular OPC UA and MQTT protocols can't directly and reliably connect through a DMZ, while DataHub and DHTP provide secure access by tunneling between all three levels, and can daisy chain multiple times without data loss. One source of the difficulty is that OPC was designed for use in plants, before IIoT emerged. Consequently, OPC UA clients on the IT side would usually be outside of firewalls, and need to open a port in the firewall on the OT side. This is like a hole in a boat—just one will sink it. DataHub is more secure because the tunnel connection originates from inside the firewall, and then makes a secure connection to the outside."
McIlvride adds that the MQTT publish-subscribe protocol (which Skkynet supports) also allows outbound connections, but MQTT only allows one hop. "MQTT is useful for connecting directly from an OPC UA gateway on the OT side to a cloud system. But if you need the security of a DMZ, that would require adding an extra broker to the data chain, which would not be reliable," explains McIlvride. "DataHub was designed for this kind of daisy-chain connection, and it guarantees consistency of the data. Each DataHub in the chain becomes the authority for the data set, from the data source to the user. This way the final recipient always knows if the data is consistent with the source. MQTT does not offer this feature. DataHub's patented technology lets users control in which direction connections are initiated. This lets OT and IT each make outbound connections to the DMZ, without opening any inbound ports in either firewall. Once the connection is established, the data can flow in either direction."
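The outbound-only pattern described above can be checked against a firewall policy. The following is an added example, not Skkynet's code or part of the original article: it audits an ordered rule list for any allowed connection that is initiated into OT or IT. The `Rule` model, the first-match evaluation and the sample rules are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

OT, DMZ, IT = "OT", "DMZ", "IT"   # the article's three levels

@dataclass(frozen=True)
class Rule:
    src: str              # zone that initiates the connection
    dst: str              # zone that accepts it
    port: Optional[int]   # None matches any port
    action: str           # "allow" or "deny"

def effective_allows(rules):
    """First-match semantics: drop allow rules shadowed by an earlier deny."""
    allows = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        shadowed = any(p.action == "deny" and (p.src, p.dst) == (r.src, r.dst)
                       and p.port in (None, r.port) for p in rules[:i])
        if not shadowed:
            allows.append(r)
    return allows

def audit(rules):
    """Return findings against the outbound-only OT -> DMZ <- IT pattern."""
    findings = []
    allows = effective_allows(rules)
    for r in allows:
        if r.src == r.dst or r.dst == DMZ:
            continue  # intra-zone, or an outbound connection into the DMZ
        kind = "bypasses DMZ" if r.src != DMZ else "inbound from DMZ"
        findings.append(f"{r.src}->{r.dst} port {r.port or 'any'}: {kind}")
    for zone in (OT, IT):
        if not any(r.src == zone and r.dst == DMZ for r in allows):
            findings.append(f"{zone} has no outbound path to the DMZ")
    return findings

# Constructed rule sets; port 8443 is a placeholder, not a product default.
GOOD = [Rule(OT, DMZ, 8443, "allow"), Rule(IT, DMZ, 8443, "allow")]
BAD = [
    Rule(IT, OT, 4840, "allow"),    # IT-side client reaching into OT (4840 = OPC UA)
    Rule(DMZ, OT, 8443, "deny"),
    Rule(DMZ, OT, 8443, "allow"),   # shadowed by the deny above
    Rule(OT, DMZ, 8443, "allow"),
]

if __name__ == "__main__":
    print(audit(GOOD), audit(BAD), sep="\n")
```

An empty result means every cross-zone connection is initiated from OT or IT toward the DMZ, which is the condition the article describes as leaving no inbound ports open in either firewall.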