Elevate Your OT Data Securely to the Cloud


Benson Hougland

Vice President of Product Strategy

Opto 22

Ignition Cloud Edition! Awesome! But wait… How can I possibly connect my PLCs or I/O systems to the cloud? Won’t that jeopardize them? And require heavy IT involvement? What’s the payoff? In this session, we’ll discuss how to use Ignition Edge and Ignition Cloud Edition together to quickly create scalable, high-performance, cybersecure architectures for democratizing your OT system’s data. Whether in brownfield or greenfield environments, you’ll unlock the power of edge-to-cloud hybrid architectures that are cost-effective, easy to manage, cybersecure, and deliver more value to your organization. 


Bryson Prince: Awesome. Alright. Hey guys. I'm Bryson Prince. I'm a Software Support Engineer for the Inductive Automation Support Department, and welcome to "Elevate Your OT Data Securely to the Cloud." I'll be your moderator today. So basically I'm just here to introduce our lovely speaker, Benson, and then afterwards with the Q&A, I'll be helping out with the microphones. Just for the Q&A portion, please remember if you've got a question, you either need to come down to one of these mics on the stand or we'll have a mic runner run up to you. Okay? So to introduce Benson off, he is the Vice President of Product Strategy at Opto 22, with 30 years experience in information technology and industrial automation. Benson Huegland?

Benson Hougland: Hougland.

Bryson Prince: Hougland? Sorry.

Benson Hougland: No problem.

Bryson Prince: Hougland drives product strategy for Opto 22 automation and control systems, which connect and secure the real world of OT with the systems and networks of IT and cloud. Benson speaks at trade shows and conferences including IBM Think, ARC Forum, and ISA. His 2014 TED Talk introduces non-technical people to the IoT. So please help me in welcoming Benson.

Benson Hougland: Thank you, Bryson. Okay, welcome everyone, and welcome to this, what will be an action-packed session. So fasten your seat belts, we're about to get started here. Special shout out to all you Livestream attendees as well. Thanks for joining this session, mom, dad...

Benson Hougland: Appreciate that. So let's jump in. The title of this session, of course, "Elevate Your OT Data Securely to the Cloud." My name is Benson and I'll be your host for this journey from the edge to the cloud. I decided to forego the obligatory about Opto 22 slides here, get straight into the session. But for those of you who don't know much about Opto, real quickly, we're a California-based manufacturer of industrial automation hardware and software. Been in business for 50 years. And we have applications all over the world in a myriad of industries. Here's a drone shot of our headquarters, based in lovely Temecula, California, about an hour north of San Diego. Here is where we design, manufacture, support everything we make, 100% made in the USA. So, there you go. Go USA, right?

Benson Hougland: So this is the agenda in your programs. You've all already read this and hopefully that's why you're here. But in short, we're gonna cover how to use Ignition Edge at the edge to, along with Ignition's new Cloud Edition, to create a scalable high-performance and cyber-secure automation architecture to pull data from both greenfield applications and brownfield applications, democratize that OT data and of course deliver new value to your organization. Now's a good time to mention, as you probably know, this session will be recorded. We are gonna cover a lot of materials, so don't feel like you gotta remember everything I do up here. Getting to this session's agenda, we'll start off with, why? Why should we do this? Followed by some architecture diagrams. Then we're gonna roll up our sleeves, well, not gonna roll up my sleeves, they're already rolled up, and we're gonna actually build this thing literally out of the box to the cloud with OT data in 35 minutes.

Benson Hougland: So, wish me luck. We'll also cover the important question, of course, which is what if you lose the connection to the cloud, what happens next? Finally, we'll have some time at the end to answer some questions. Okay, so why? Well, our industry is still somewhat in the Industry 3.0-type world. And that simply means where you have devices like this that are tightly coupled to software applications, could be Ignition, could be other software applications, but generally they're very tightly coupled. And this rigid architecture does impose some limits on how our automation systems can grow. And it also limits our abilities to start taking some advantages of some of the massive resources that are available to us in the cloud. So these new cloud smart architectures leverage something called publish-subscribe data methods. Okay? So this runs counter to what you're probably very used to in terms of command-response models where the software asks the device for something and it responds.

Benson Hougland: But modern IIoT and Industry 4, or 4.0 architectures, they employ this notion of edge data producers pushing their data up into infrastructure for anybody to access. So a couple other things real quick, simple manageable access by any authorized user. Of course, the ability to scale your applications up in the cloud as those systems grow, whether it's compute or users. And there was just a great session put on by Brad Fischer about Ignition Cloud Edition. Check out that recording. He covers some more of the whys. System-wide resiliency, we'll talk about store and forward at the edge. And local control is always, always available. And one thing I wanna make a point of, this isn't a session about Ignition Edge or the edge device to the cloud, but note that this same exact architecture works on a standard gateway on-prem just exactly the same way. So, keep that in mind as we move forward.

Benson Hougland: So we've seen this graphic over the past year or so. We saw it again in the Keynote and of course, this was first presented last year when they introduced Ignition Cloud Edition. What we're gonna do is we're gonna actually do a little circuitous route around the gateway, not that the gateway's not important, the standard gateway, we're just showing you another architecture that could work. Again, this... What I'm gonna show you works well with the standard gateway, as well. So what do we got in front of us? Some hardware. Yeah, I'm a hardware vendor and I'm at a software show, but I love this stuff. I take it everywhere I go. So what do we got here? First, we're gonna start with the brownfield PLC AB CompactLogix. I think it's a pretty old one. Found it somewhere. Put a power supply on it, put a stack light on it.

Benson Hougland: I've got here a groov EPIC. An EPIC is an Edge Programmable Industrial Controller. So I've got that with some I/O. This will represent my greenfield application, in which case it's going to be simulating a convenience store. But I actually have real I/O, all that connected to it as well. Then I'll be using Ignition Edge running on that platform and Ignition Cloud Edition where I'm gonna push this data up to. Now, this session doesn't cover bringing up or tilting up Ignition Cloud Edition. There's a lot of sessions here that cover that. I'm just gonna cover the Edge portion and I will pop up into Ignition Cloud Edition to get this whole thing going. We're gonna talk about technologies like OPC, OPC UA. We're gonna talk about MQTT, Sparkplug B, and of course we're also gonna talk about VPN.

Benson Hougland: That's kind of a bonus. Alright, couple things on the network architecture. Anybody in here have a little idea about how IT networks work, IP addresses and so on? Maybe so. Here's my OT network. It's represented by this side of the table. So that's my OT network, traditionally a fixed IP network, non-routable IP address space. And here you can see the PLC has an IP address, a fixed IP address, 'cause that PLC doesn't have DHCP, it has no security, it has nothing. Well, it's a good PLC, but other than that, we're gonna connect that up to the EPIC on its own network segment. So we're gonna configure ETH0 to be on that OT network. And on the other network interface, which is on the EPIC, we'll use that to connect to northbound type of networks. That could be the IT network, it could be a cellular router, which indeed I have here.

Benson Hougland: So I've got a cellular router that represents my northbound network. It could be any network as long as it has a valid gateway to where? Ideally the Internet at some point, could go through your corporate network, through all its firewalls. But as long as I can get out to the cloud, I'm good to go. So that's kind of the architecture we'll be looking at. And then we're gonna work with all the software that's pre-installed, ready to go on the EPIC to get this going. Okay, here we go. Build time. Alright, so as I said, fasten your seat belts. We got a lot to unpack here. I'm gonna move fast. So, another reminder, it is recorded, so don't feel like you gotta remember everything. First step first. Let's configure the EPIC. We're gonna start at the edge. We've got a processor, we've got a power supply, we've got various I/O modules that represent signals we need within the convenience store.

Benson Hougland: We've got multiple network interfaces. The device is a web server, so all of my configurations, almost all of them, are done through a web browser and we will be configuring Ignition Edge IIoT. First thing first, let's assemble it. I just pulled it outta the box. This entire session is actually the steps I took for setting this up and all of the CStores that are in the Data Dash. So I've got my chassis power supply I/O modules. I put on the processor, I connect my two network connections, remember, the OT network to the PLC and the other network to my upstream valid gateway network. And I apply power. Once I've done so, I go to my favorite browser, I look there, I got my browser. I'm gonna open it up and I'm going to enter the default host name. The default host name is printed on the inside label of the EPIC. Terrific.

Benson Hougland: So I enter that in and the first thing it does is say, create administrator account. Let me be clear, there are no default accounts on this system. There are no back doors. If you lose your credentials, you have to reset to factory default. We can't help you. This device is meant to be secure, zero trust out of the box. Okay? So remember your credentials. Once I've done that, you'll come up with a screen that looks just like this says, great, you're ready to go. Let's start configuring things. So we're gonna jump into groov Manage, groov Manage is the application to manage the device. It is web-based, it is a web server. So I'm just using my browser. It is responsive. I could be doing this from my phone. It manages all of EPIC's features, of which I'm gonna go through four of those right there.

Benson Hougland: And it also manages all the pre-installed applications, which of course you can see, well I got a laser pointer, Ignition right there. So we're gonna get to that soon enough. But first we gotta get this thing going. So I'm gonna jump up to users. I'm gonna click on there and I can see there's my administrator account I created earlier. I can see what my permissions are, my API key if I want to use that, but I can also easily create new users on the device. So these new users, I just click add, I give it a name, I can give it some permissions. Maybe they just don't get to see the local operator interface, whatever. That's fine. But I've also got LDAP in here. How cool is that? So now I can connect to LDAP server and use Active Directory to manage the users on this edge device. It's meant to be enterprise-ready in that regard. So you just work with the IT group, put the LDAP settings in, you're good to go.

Benson Hougland: Okay, moving on to networking. I'll click on the network tab, I'll click on status. There I can see that I have my two Ethernet connections connected in, but they're not configured yet. I'm gonna go ahead and configure those coming up right now where I click on configure. I go into the dialogue box and of course the first thing I wanna do is change that default host name to something I can remember. I can't remember that. So I'm gonna call it EPIC-LC2-Showdemo. Then on Ethernet zero, remember that's the static network, so I need to give it a static IP address on the same network as that PLC. Okay? So I entered that in, I put in a subnet mask.

Benson Hougland: Now Ethernet one, the upstream network, I'm just using DHCP services so I'm not gonna change anything there. I'll just let myself get an IP address, DHCP and for... Because it's fun, I'm gonna go ahead and put in VPN. I go to my VPN administrator, they gimme an OVPN configuration file. I plug it in and I click save and boom. And just a few minutes here or a few seconds actually, I'll see that the network is restarting with all my new settings and that guy should go to connected in just a moment. There it goes. I've even got an IP address now on the tunneled interface. So now I have, if you're counting, I've got three interfaces now. I'm gonna go back and just look at the status and I'll see I'm connected on a static network, DHCP network, and VPN. Networking is done, dude, let's move on.

Benson Hougland: System time. This device does connect to NTP servers so we can keep the time updated. So it's easy to do. You go in there and you set your zone. Again, this is out of the box, so it's set to universal time zone. I'm gonna set it for my region and locality. So we're gonna go to Los Angeles here, there we go. And I click set zone, boom, I'm done. I can also change my time server. So I want to go to an on-prem time server, I can go, whatever you want. So in this case, I am using standard time servers. System time's done. Let's move on.

Benson Hougland: Certificates. This is a secure device and if you've ever worked with certificates before, you know they're a pain in the butt. But what we're gonna do is I've actually, did I go one ahead? I may have. There we go. I'll click on the web server certificate button. I'm gonna go into the certificate and I'll see that it's self-signed, in other words that's the certificate that shipped with the product, but it's tied to the old host name. So I wanna update that cert. So here I go, I click on it, I create a certificate, the certificate's being generated on the EPIC. And then once I've done, again, this is just standard forms you fill out to create a certificate, nothing too different than what you're used to except it's all form-based. There are no SSL tools you need to use, no command line, just click and go.

Benson Hougland: Now I will go actually to the next thing where I'm going to download all those certificates for safekeeping, but I can also download a CSR. What's a CSR? It's a Certificate Signing Request. Thank you. Certificate... Need to get you a Tootsie Roll or something. Certificate signing request. I take that file and I send it to my IT administrator. He signs the certificate, gives it back to me, I put it back in, upload it, and I'm good to go. Again, no OpenSSL tools, nothing like that. Just go ahead and put the new cert in, the new signed cert from your IT department and you're good to go. What's nice about that is once it's done, it will reload and then I will get this really nice little browser lock padlock. So if you're ever doing banking or anything like that on the Internet, you wanna see that to know that you have an encrypted authenticated connection. So there we go, we're all done. That is the commissioning process for the EPIC. We're ready to move on.

Benson Hougland: The next thing I'm gonna do is configure the controller that, you know, it is a PLC too, so it does all kinds of stuff. But first we're gonna do the controller. So I'm gonna confirm the control engine that I want to use. We give you choices, you can use CODESYS, you can use our own PAC Control. We're gonna actually go into PAC Control and you can see that I have a control engine running. However, there's no application in there yet. So we're gonna take care of that next. And to do that, remember I'm on the IT network when I did all this work, the upstream DHCP network. So if I try to go in here and download a control program, I won't be able to because the firewall port is blocked. So I'm gonna go in to PAC Controller and I'm gonna open the firewall port for Ethernet one, the network that my PC is on. And that's super simple to do. I click there, I have administrator access, so I can do this and I confirm that ETH1 is indeed open and now I can download my control program.

Benson Hougland: I'm only doing this on a temporary basis and I could have done this from the OT network. But anyway, I'm all set there. I'm gonna go into my PAC Control IDE, PAC Control program, and I'm simply gonna download the strategy into the device. And of course it says its memory's cleared. Yep, this is out of the box, we'll put it in there, click run, boom. I now have a control program running in there. This is not a programming class, so I'm not gonna explain the control program, but I have it done. It's in there now. So I come back to my groov Manage screen and I can see I have the six running charts, good to go.

Benson Hougland: Next, OPC. Well, we have all those controller tags, how do I expose them to other applications? OPC, I'll go ahead and add the OPC server. But what's unique here is I'm setting up the OPC UA server here for Ignition Edge to get to the data, 'cause I want Ignition Edge to get all these tags. So I'm just using anonymous access, allow reads/writes, boom. Done. Oh, one thing I do wanna mention on that one, we do wanna make sure we're taking note of that discovery endpoint. We'll use that in Ignition Edge. Next, what is the OPC server gonna serve up? Well, it's gonna serve up all my control strategy tags. It's also gonna serve up all of my I/O tags. So I just give it a name and I confirm that I have OPC UA server. You probably see MQTT there too. Ignore that. That's our native MQTT. We're gonna do MQTT in Ignition Edge.

Benson Hougland: So I do the same thing for the I/O system. I can get access just to the I/O and not to the control program if I want. I go ahead and put that in there. And finally, I'm running a PID loop. It's on this little guy right here and I wanna get that data as public access as well. So there we go. Last step, public access, read and writable. And we are done. Now we have a control program running in there. OPC server set up, EPIC is set up. Let's go into what you probably all have been waiting for. Ignition Edge. Let's do it. Okay, so starting Ignition Edge, it's pretty difficult. You gotta click a button and you gotta choose the platform you want and then you enable it. Everybody got caught up there. Any problems?

Benson Hougland: Pretty simple. Once it gets going, same thing. We start, just like if you downloaded Ignition Edge to your computer, you're gonna actually go through the end user license agreement. You click next, you're gonna create a username and password, and you click next. And then it's gonna ask you if you want to start the gateway. Also, check your ports. We'll open up all those firewall ports for you when you spin up Ignition. The gateway is starting. Boom, we're ready to roll.

Benson Hougland: We are now in Ignition Edge, that's how easy it is. So, now that we're in Ignition Edge, we've got the gateway started, the next thing is to install the MQTT module. But wait a minute, Benson, you said everything was pre-installed. Aha, it is, however, the Ignition Edge MQTT Transmission Module, which I need is developed by Cirrus Link Solutions, and that means it's simply quarantined. So I go down to the quarantine area and I click install, accept the certificate or actually the end user license agreement for that. I come down, I accept the terms, I accept the certificate, get the module installed and I'm done. Still haven't downloaded a single thing from anywhere, it's all built in. Okay, now that I've made that step, we're gonna take a quick look at the status page on Ignition Edge. There it is. You can see my host name up there in the top square, and look, Ignition Edge automatically has visibility on all those configured NICs that I configured back on the networking page, which is a good thing because I need to get to that PLC on that 172 network. So let's do it now. We're gonna go to Device Connections, same stuff we see in Ignition, create a new device, we're gonna click the proper driver. We'll go ahead and do that, click next, again, pretty difficult part here. Gotta give it a name. AB-PLC, that's gonna come up later.

Benson Hougland: The IP address of the PLC, next, create a new device, done, that's it. The Allen-Bradley Driver in Ignition is pretty slick in that regard. So that's all set. Next, I'm gonna create the OPC connection between Ignition Edge and the OPC UA server running on EPIC where all my control strategy tags are. Go in here, put in that endpoint I mentioned earlier, it's all local host 'cause everything is on the same device. So I put that in and I just start going through the motions. Click next, click next, accept the certificate, yes, check my settings, looking good, click finish. Give it a name because I'm gonna reference this name later in a UDT, more on that in a moment. We're just gonna call it the CStore OPC UA Server because it represents a convenience store and I'm connected. Everybody still caught up? We're good?

Benson Hougland: Okay, let's go on. Now we're gonna start doing MQTT. First thing, we gotta set up the memory store and this is important, I come in here, I'm just gonna edit the existing memory store, I give it a name, I give everything a name, drives my colleagues crazy. Accept the defaults, done, dude. All set, I've got my memory store and this is important, because if my connection to Ignition Cloud Edition, or any upstream broker, fails I will start storing that data in that memory store and on the resumption of that connection, I'll start forwarding that data up. We're gonna actually check that out later. Next is the server sets, super simple configuration here, again, give it a name, and I'll just go ahead and edit the default server set. Again, give it a name, description if I like, and finally the primary host ID. This is important in MQTT, but it's not important to this session. If you wanna know more about primary host, I'm happy to tell you but I'm gonna put that in, but that host is my Ignition Cloud Edition, okay? So that's Engine, MQTT Engine, running up on the cloud. Boom, done. Move on. Next, the transmitter, this is where the heavy lifting occurs, okay? So here I'm gonna go in, give it a name, getting tired of saying that.

Benson Hougland: The tag provider, always Edge on Edge, the tag path, where do I wanna send my... Where do I want all my tags to live? The server set I just created and I'm going to use UDTs, so I check that. The memory store I just configured, click that, and then this is where the rubber meets the road, this is your MQTT namespace. So I put in group ID, ICC session, remember that, it's gonna come up again later. The Edge Node is Opto 22-Harris Center and the store name is EPIC-CStore-520. That is my MQTT namespace already set up. That's pretty much it, but I haven't connected to the server yet and if I need to connect to the server, guess what I need? Because I said I'm gonna send data up there securely, I need some credentials, I need a way to connect to that server. So I'm gonna switch over to Ignition Cloud Edition in the designer gateway, you'll see that up at the top, it's Ignition Cloud Edition. I'm gonna go into config and the beauty of Ignition Cloud Edition, it includes all the modules you need, including MQTT Distributor, there it is. What is Distributor? It's an MQTT broker built right in. So I go in there, I'm gonna create a new user. Now I'm calling it ICC Session, on second thought I probably shouldn't have, but we're just gonna call the user ICC Session, give it a password, and give it the rights that I can read and write to that broker in the cloud sitting in my Ignition Cloud Edition and I'm done.

Benson Hougland: So now I'm gonna go back to Ignition Edge and enter that data in. So let's go back to Ignition Edge, go to my servers tab and here is where we actually make the connection. I'm gonna delete the existing sample broker in there, server, and create a new one. Give it a name, give it a URL, that is the URL for my Ignition Cloud instance :8883, a secure and encrypted port. I put in the server set that I've already configured and I put in the brand new credentials that I just created. We good? Create new server, once I do so, now Ignition Edge is reaching out through this cellular modem up to the cloud and establishing a connection of which I see I'm indeed connected. We're good. Now what tags do we wanna set up in there? That comes next, that's of course designer. So the beauty of designer, it's already built into the device. I just click, it downloads it from the EPIC onto your PC so you can install designer. First, you install the launcher, you put in your manual configurations, point to the host name of my EPIC, accept the now valid certificate that I have in there, click add designer, open the designer, and log in. Remember, we created a username and password for Ignition, I put that in. Voila, I'm now an Ignition designer, which I'm sure most of you who use Ignition are very familiar with this interface.

Benson Hougland: So there it is. Now you see I changed the panes because all the work I'm gonna do in Ignition Edge for this session is all in the tag browser. Yes, you can build Perspective screens, yes, you can do all kinds of other stuff, but we're just gonna focus on getting the data to the cloud. First thing I'm gonna do is delete the default folder, get rid of that, it's gone. Remember ICE tags, I put in the transmitter settings, that folder's there. First things first, let's import UDTs. Now I could have done all this just with tags, but I thought it'd be kind of fun to have a UDT for my Allen-Bradley PLC and a UDT for all my CStore strategy tags. So I simply import those UDTs I already created. The good news? Those UDTs and all that work I did, I've already put up on the [Ignition] Exchange 'cause it was required for the Data Dash and I got the socks to prove it.

Benson Hougland: So there you go. All my UDT definitions are now in here, all folderized, everything is ready to go. Now I need to instantiate those, instantiate into the tags folder, ICE tags. Go here, new tag, new tag from instance, there it is, AB PLC. Come in and fill out my parameters, give it a name. Two parameters, we'll click on there, that device connection name, AB-PLC, I configured earlier. Put that in there, click okay, and let's see if we have live data. Well, of course we do, right? There it is, AB ControlLogix, which I named it, there's my parameters, there's my Allen-Bradley data in my designer. Let's do the EPIC CStore, that's about the same, we just go in, we're gonna click new tag from instance, choose the UDT, pull it in, give it a name, go to parameters. My parameters for this UDT are a little bit more, I've got different... My OPC server name, my MMP name, all the stuff that I need to make that connection work is all built in there, so you can use this UDT anywhere you like. So I plug all that in, click apply, take a look at my tags, boom, there they are, all in nice folders. So I've got my car wash, my freezer system, my fuel system, everything is in there, all ready to go. Okay, all my tags are in my designer. Now what? We need to get them up to the cloud. Well, that's gonna be a lot of work, so let's stand by.

Benson Hougland: We're gonna take this slowly. First, I'm gonna open up Ignition designer up on the cloud, but that's just to show you the data tags coming in. I don't have ICC Session in my Edge nodes yet, I've got some other projects in there. So I open up Edge designer, overlaid it over Cloud Edition designer, and I'm gonna go back up to read/write, go to my MQTT Transmission folder, there it is. Come to Transmission control, and it's just one checkbox, click, refresh, hold on, there it is. ICC Session, all my tags are now in the cloud.

Benson Hougland: Thank you, thank you. That is pretty damn cool, right? I didn't do anything else up in Cloud Edition except get it spun up and set up some credentials in that primary host. Now all my data's up there. Woohoo, we got data in the cloud, how cool is that? Well, let's do something with that. So I'm still in designer up on the cloud. I'm gonna go up into my standard template here, I'm just using the standard Flex Container template. I'm gonna make two containers, I'm gonna first in the top container do this the old-fashioned way. I'm gonna drag tags from my PLC folder, and I'm gonna drop it into the container. First one I'll do is a PLC waveform. Pretty simple, just kinda cool little gadget there, put that in. Second one is a stack light, that stack light, drop that in, I'm gonna give it a name, red stack light. Now that was the old-fashioned way. The new way is this way. For my CStore, I've got a Perspective template tied to that UDT, I drag the UDT on the canvas and boom, all my data's there. The entire template, all of the different tabs for all the car wash system, it's all in there, I'll switch over and just like that, I have a complete application for this particular EPIC, all built in with the tools that are available in Ignition, very, very cool. So when you start looking at a dozen CStores or hundreds of CStores, all the steps are the same.

Benson Hougland: Okay, so I can actually... It looks like I can actually control this thing. Who wants to see this live?

Audience Member 1: Yeah.

Benson Hougland: Live? Live? Okay.

Audience Member 1: Live.

Benson Hougland: Good, you guys are a great audience.

Benson Hougland: So I'm gonna actually click over first. That is the... That's what it looks like, all I did is go to dark mode, I added some other CStores in Germany, I've got Spain, I've got Australia, I've got them all over the world. But this is the one we're working with, Epic CStore 520. And it's just a standard template, fully mobile-responsive. Let's take a look at it, I've already opened it up here. This is... Anybody want to guess the word I'm gonna use? Live. This is live. My PC is connected to the ICC WiFi network, it's not connected to this, this system is all going through my router. So what I'm gonna do, guys, is I'm... And gals, I'm gonna actually click on that browser right up there at the top. Oh, somebody's gotten ahead of me, somebody just turned on the stack light, I'm gonna go up and click on that red stack light, that means from this PC through the ICC WiFi network up to the cloud, I'm gonna send a command. This guy is connected to the cloud on a persistent, secure, authenticated connection, when I send that command, it's gonna send it back down to this guy, 'cause it's bi-directional. But let's hang on a second, you're going through the cloud and all that, it's gonna take forever. So I hope that I still have time, 'cause it'll take a while for this to work.

Benson Hougland: But that's okay, we're good. Okay, ready? Three, two, one. Huh? Did you see it? Let's do it again, let's turn it on. Three... I didn't even count that time. That's how fast it is because if you put these systems together and they don't operate at high performance, what's the point, right? It's gotta be secure, it's gotta be easy, but it has to be high performance and that's pretty... And I'm not suggesting you're gonna operate your AB PLC stack light from the cloud, that's totally your call, I just wanna show you that it can happen. Okay, so real quickly about the app, I've got HVAC here, this is my store temperature, this is my PID loop. You got a disturbance on my PID loop and we'll see the process variable go down, all this is being published up. And we'll start to see that come in, there it goes, I'm... I should have a shirt that says, no SIM tags, I love working with real data. So there you go, we've got all my tags coming in, I've got a bunch of other stuff, this is all available to you guys to see as well. My fuel system, my freezer. And while I'm on the freezer, I can actually trigger anomalies that go where? Snowflake. This system is connected to what you guys have been hearing about this conference, the Snowflake system. So that's pretty cool as well.

Benson Hougland: And you can see in Germany, there we are, weather in Germany right now. Oh, somebody else just started the car wash.

Benson Hougland: There's Las Vegas, there's San Diego, there's Boynton Beach, Florida, there's Madrid, Spain, there's Melbourne. All of this data was built exactly the way I just showed you. So pretty cool there. Alright, so I am getting close on time. Thanks for playing.

Benson Hougland: I do appreciate it. Alright, so we do have a URL for this and if you wanna play from your own phone, some of you already got started. There's the QR code, have a ball. And I love hearing the beeps, I don't think you're bothering me. Alright, a couple closing slides.

Benson Hougland: A couple of closing slides. I've got my OT network, I've got my IT network, I'm moving all the data and I've got my workstation. What's cool is because I set up VPN, I can access this system from anywhere in the world with a valid set of credentials, multi-factor authentication and I can tunnel right in. What's more, is I can use that to tunnel right to the Allen-Bradley PLC, more on that in another session. And finally, when I talk about the VPN on my... This week, one of our good friends, Corso Systems, Alex Marcy, posted on LinkedIn that he was on an airplane, a 737 MAX 8, and he was indeed connected from airplane WiFi to his EPIC and to Ignition. I thought that was pretty cool, so I just threw that in this morning. Finally, if you're like, "Oh, cloud, this makes my head explode." I highly recommend the guys over at 4IR Solutions, these guys know cloud, they know it better than anybody. But what's more, they know these, part of their business is to put these in a plant floor, collect the data and get it up to PharmaStack or up to FactoryStack. So, huge shout out to these guys, see their session tomorrow at 2:45 in one of these stages. Finally, the question, what happens when it goes offline? When we lose a connection up to the cloud, no problem, we'll start storing data.

Benson Hougland: But more importantly, I still have local control, there's a built-in HMI in here, or you could put Perspective on here, I have complete control over the system while it's disconnected. When it reconnects, I'll then take all that stored data up to a week buffer or several million tags, can't remember how many.

Audience Member 2: 10 million.

Benson Hougland: Thank you, thank you. 10 million tags, and we'll send that back up too. So you're not gonna lose data by connecting to the cloud, in fact, it's an arguably more secure way and a better buffering system than anything you could do before. How'd I do?

Benson Hougland: Alright.

Benson Hougland: Thanks.

Benson Hougland: Thank you.

Benson Hougland: Thank you very much, I appreciate that. So I'd like to open it up to some questions. Anybody have any, any at all? I'd love to hear them.

Bryson Prince: Up top there. Oh, sorry, there first.

Benson Hougland: Oh, it's the press, I feel like I'm in Ted Lasso.

Audience Member 3: Independent.

Benson Hougland: Yeah, The Independent, thank you.

Audience Member 4: Can you do this from like multiple devices or fleets of devices, if you do this, does it... You have to do this for each device or can you populate to multiple devices?

Benson Hougland: Yeah, each Edge device gets configured very similarly to this. This is just a simple example that we're using to illustrate this, but we have other customers, some who just got Firebrand Awards, that are using the same concept of an EPIC being deployed and based on the application, they connect to other devices, however many devices you need pulled in through here, modeled, and securely pumped to the cloud. If you're asking if we're doing like cloud deployments out to edge devices, no, we're not doing that yet. Stay tuned. Good question, though.

Bryson Prince: Up here.

Audience Member 5: Just... Excuse me. Just curious, if you wanted to use the native MQTT right from the groov EPIC to Ignition Cloud, is the MQTT payload configured in a way that if you were using the Distributor Module and MQTT Engine Module in cloud, would it recognize the tag structures, the folder structures, similarly to how MQTT Transmission Module allows for?

Benson Hougland: The answer is almost yes.

Benson Hougland: This is an Ignition conference, naturally, I'm gonna use Ignition Edge, but yes, the MQTT native client that's built into EPIC will publish all the data, will do store and forward. Everything I described except one thing: that is the UDTs, so we already have pre-templatized the native client to send the data up. Then you just use, put the UDTs in the cloud, easy enough to do, but in this case, I wanted to use UDTs at the Edge. So Ignition Edge with its UDT capabilities and, and the ability with Ignition Edge to communicate to other systems with those built-in drivers made Ignition Edge perfect for this type of application. But to answer your question, MQTT native in EPIC and in RIO supports everything I just showed with the exception of creating UDTs.

Audience Member 6: Yeah. Not Ignition related, but...

Benson Hougland: Okay.

Audience Member 6: Does the groov EPIC have IO-Link drivers?

Benson Hougland: We don't have IO-Link drivers today, we've been discussing that quite a bit, but that would be an IO-Link, essentially an IO-Link master. Our customers have been doing this, they're simply using an IO-Link gateway. In fact, we have a pretty large OEM that's doing just that. So good question, though, thanks. Most of our drivers are gonna be your standard stuff, Ethernet-based, Ethernet-based. Great, that's a good question, too. After this session, over on stage one, my good friend, dear friend Arlen and Pugal and Travis are gonna talk about Snowflake. And when they do, they're gonna talk about an accelerator kit and that accelerator kit, guess what it includes? That guy. So stay tuned for that, definitely attend that session, they're gonna talk about Snowflake, about all this stuff, but the same concept that I just went through here. Another question?

Audience Member 7: Yes. So for the... In your example, you had one UDT that had all of your tags. Is there, I guess, more basic UDTs you could have that...

Benson Hougland: Oh, yeah.

Audience Member 7: I guess if you built as a new function block or what have you, it could just add that in rather than one giant UDT.

Benson Hougland: Yep, yeah, you're... Good catch. I thought, you know I got all these tags, and it's all based on different things in a CStore, the car wash, the freezer, the fuel system. I was like, yep, I could... I actually started doing that with separate UDTs. I was like, well, hang on a second, I wanna be able to drag that UDT up in Cloud Edition right on the canvas and not build a bunch of pages and then figure out how it works. So I put it all in one UDT so that when I created the template, I could drop that on, and everything was all tabbed, everything was done. That's why I did it that way. But yes, you can do a multiple, whatever you like on UDTs, for sure. Let's cool that guy down again. Whoa.

Audience Member 8: I was wondering about the number of device connections you can have to the Opto 22. So if I'm not mistaken, Edge comes with two device connections right now, but you can add more?

Benson Hougland: Yes, you can.

Audience Member 8: What is the limitation, from a performance perspective, of adding 100 more CompactLogix to your Opto 22?

Benson Hougland: Yeah, you're gonna run into a point to where CPU and RAM start to play a role, just as it happens in Ignition server sizing, right? You wanna figure out how many tags you got, you're gonna how many can you... So this guy is a Linux computer, it is a PLC, but it's a gateway, it's an HMI... It's everything, it's the smartphone of PLCs. And it is running a four-core ARM processor with four gigs of RAM, one and a half gigs of that RAM is allocated to Ignition Edge.

Audience Member 8: Will that start to affect the scan time on the PLC side?

Benson Hougland: Nope, that's got its own real-time thread.

Audience Member 8: Okay.

Benson Hougland: Yep, that guy is, he's guaranteed to do what he's supposed to do, and then Ignition Edge, Node-RED, groov View, your C application, your Python, whatever, takes the rest of the threads. It is a multi-threaded application, so we can use all four cores.

Audience Member 8: Thank you.

Benson Hougland: You're welcome. Keep them coming, keep them coming.

Audience Member 9: So as an Internet-connected device, I assume there's semi-frequent security updates.

Benson Hougland: Thank you.

Audience Member 9: What's that process like, and what's downtime and PLC impacts?

Benson Hougland: Yes, indeed, and that's super important. We do frequent updates for our firmware to address anything that might have happened in Linux security things, updating any of the other software on that. It is a monolithic firmware update, so you're not having to figure out, well, this piece of software has this firmware, none of that. One big firmware download addresses all the security updates and they're all in there. And since you brought up security, one thing to know, I think I can do this. I'll pay anybody in this room a million bucks if you can crack that PLC right now. Huh, a million bucks, it's all...

Benson Hougland: I don't have it on me, so, yeah.

Benson Hougland: No, and the point being is this, is that we designed these systems, all this connection to the cloud is 100% outbound. There are no firewall ports that need to be opened either at the corporate level, at this device level, level two, level three, or DMZ, it doesn't matter. It's all outbound communications, persisted, encrypted, authenticated, and we keep that persisted so we can receive traffic back if we need to, but everything is meant to make this thing secure. This guy is not secure, if I get on that 172 network, I get to go crazy, but when it's behind that guy, there's no chance to get to this guy unless I explicitly configure that, and again, that's a session for another day, we've done some really cool stuff with being able to do remote access to unsecure PLCs on the other side. I can't wait for next year to do that one.

Bryson Prince: This will be the last one, sorry everyone.

Audience Member 10: What version of Ignition do you put on the groovs and as I buy them throughout the year, are they gonna come in with different versions?

Benson Hougland: Exactly.

Audience Member 10: Or do you maintain that?

Benson Hougland: And that's a good point, because we actually take the Ignition Edge that is available on the website. So all we do is take that one, put it into our firmware wrapper, so as those new Ignition Edge editions come out, we update the firmware, then you get the new edition. What we have had some people going through shell access, this does allow you to do that as an option to update their Ignition instance. And we don't necessarily recommend that, but it's possible, but otherwise, the reason we do that is so we can test it, we can put it through our whole QA suite and test everything is working properly and then we release it. So we will tend to lag a bit, but yeah, that's exactly how we do it.

Bryson Prince: Can we thank Benson one more time?

Benson Hougland: Oh, thank you guys.

Benson Hougland: Thank you guys. Thank you very much, I appreciate it.

Benson Hougland: We do have a booth, thank you. We do have a booth outside, right at the entrance of stage one, we've got a bunch of engineers here to answer more of your questions. Thank you so much, have a great conference.

Posted on November 20, 2023