Ignition Community Live: Ignition Edge at the I/O Level


Speakers

Benson Hougland

Vice President, Marketing & Product Strategy

Opto 22

Ben Orchard

Senior Applications Engineer

Opto 22

Garrick Reichert

Senior Applications Engineer

Opto 22

Kent Melville

Director of Sales Engineering

Inductive Automation

With the introduction of Ignition Edge, Inductive Automation allows you to drive operational data collection at its source. And through the Ignition Onboard program, we made it possible for industrial hardware vendors to provide Ignition Edge pre-installed in products aimed at jumpstarting your Digital Transformation projects. These products include a range of industrial PCs (IPCs), cellular gateways, panel PCs, and PLCs, like Opto 22’s groov EPIC.

Now, Opto 22 has taken the next step to connect you to the source of your operational data with an Ignition Edge-powered, Ethernet input/output (I/O) module named groov RIO.

  • Instrument virtually any sensor, transmitter, or other I/O signal with over 200K software-configurable options in a single module
  • Integrate your I/O signals directly with an Ignition system through either a Gateway Area Network or MQTT with Sparkplug B
  • Connect to third-party PLCs and devices using Ignition Edge’s built-in driver modules

 

Transcription:

00:00
Kent: Alright, welcome everybody to the Ignition Community Live. Today's episode of the Ignition Community Live is gonna be right here on the next slide, which is Episode 27, “Ignition Edge at the I/O Level,” and we're excited for this one. You have me as your host, Kent Melville, Sales Engineering Manager here at Inductive Automation, and I'm just really here to introduce the big guns, which is gonna be some people from Opto 22 who'll be presenting today. But I wanted to give a little background for those who may not be aware. These days, a lot of companies are looking for faster, easier ways to tackle digital transformation, and so we've created the Ignition Onboard program to help them with that. And so we partnered with trusted hardware providers so that we can offer Ignition or Ignition Edge already installed and configured.

00:57
Kent: So today, we'll be talking about Ignition Edge Onboard specifically, and Ignition Onboard devices are a great choice because they let you skip the install and save time. For example, they're plug-and-play, they're IIoT-ready with MQTT to instantly publish your industrial data, they run all through a rigorous benchmarking process for incomparable performance, they're optimized by the manufacturer, and we test them here at Inductive Automation.

01:25
Kent: So one of those Onboard partners is Opto 22 and they were one of the original ones from the beginning. And Opto 22 has been in business for over 40 years, a manufacturer of reliable, easy-to-use hardware and software products for your industrial automation and energy management, remote monitoring, and data acquisition, and they are known for their policy of providing free product support, free training, and free pre-sales engineering assistance. Recently, Opto 22 released groov EPIC, which stands for Edge Programmable Industrial Controller, and that has Ignition Edge Onboard. And groov EPIC is a new kind of industrial controller that simplifies, secures, reduces the cost of automation in IIoT products. But now, Opto 22 has taken the next step to connect you to the source of operational data with Ignition Edge-powered, Ethernet I/O module named groov RIO, and you'll hear more about that soon.

02:24
Kent: So with that, I'll introduce the team here. We're proud to work with Opto 22, and so you'll be hearing from three of their members today. The first is Benson Hougland, Opto 22's Vice President of Marketing and Product Strategy. Also, you'll have Ben Orchard and Garrick Reichert who are both Senior Application Engineers. Benson, Ben, and Garrick, thanks so much for being here. I'll turn it over to you now to introduce yourselves and start your presentation.

02:52
Benson: Fantastic. Okay, hopefully you guys can see my screen now. Thank you for that introduction, Kent and thank you David and the rest of the team at the Inductive Automation for this opportunity to share these exciting technologies all working together. I am presenting live from the Opto Demo Studios here in Temecula, California, so let me give you a quick look at what that looks like. Here's our headquarters, about an hour north of San Diego. It's where we design, develop, manufacture, sell, and support everything we make, so made in the USA all the way.

03:29
Benson: Let's dig right in. This is the agenda, this is the topic that we're gonna cover today. And just to be clear, we're taking this a little bit more casually, so we absolutely invite your questions during the webinar. So I'm gonna cover a lot of ground, we're gonna have a lot of cool live demos, and so on but Garrick and Ben are on standby, ready to answer your questions as they start rolling in. So we'll answer those in real time but we'll also have a Q&A session after the live demo. But before we get to there, the first thing is go over a couple of real quick ideas relative to IIoT, the goals and the technologies, and so on. Then I'll give you a brief introduction about what groov RIO is and then we'll take a look at what some of those system architectures might look like, those architectures where groov RIO is a terrific fit in combination with the Ignition 8 on there.

04:20
Benson: The best part, of course, is always a live demo from this studio. I've got some interesting stuff going on here behind me. I've got a bunch of demo equipment, including some third-party PLCs and EPIC, of course, which is not for this webinar but we have other webinars for that, and RIO over here, running Ignition Edge. I've also got my little cooking cam here, so this is kind of neat. I've got my learning center, a little RIO learning center, with some I/O outfitted on it connected to a network and an Allen-Bradley PLC, a little CompactLogix that's kinda cool, and finally, down here, on the ground to my right, is an actual customer enclosure. This is for an oil and gas application where RIO is inside and it'll be running Ignition Edge and talking to a pump-off controller but also the I/O on the RIO will communicate to other devices, other sensors, level sensors, temperatures, and so on, pulling all that data in and then burping it out over a cellular network. All 100% secure, all 100% with outbound communications and so on.

05:29
Benson: So let's keep moving here, got lots to cover, but as I said, please, pile in your questions and we'll get to more of those on the end. Alright, so first, let's talk about some goals and technologies. Ideally, in an IIoT transformation project, digital transformation, Industry 4.0, whatever you wanna call it, it doesn't really matter, but there's a number of goals that we're trying to do. The first is to democratize operational data. What does that mean? Well, there's a lot of operational data that's essentially locked in silos throughout the plant floor, remote assets or whatever, so a big part of IIoT, from a goal perspective, is how do we democratize that? How do we get the data out of these systems and into systems that can benefit from them? It could be business systems, it could be other OT systems, like SCADA, it could be historians, business apps, whatever. The idea is to democratize this operational data.

06:25
Benson: The second, and this doesn't get spoken about, in my opinion, as much as it should, it is a perfect time to address cybersecurity, to be able to implement cybersecurity measures as part of the digital transformation experience. And that allows us... Today, we know JBS, Colonial, the list goes on and on, and there are cyber incidents happening all the time. Now is the opportunity to address those. But of course, all those things don't matter as much as achieving the desired business outcome, whether that's to make a better product, improve quality, reduce downtime, provide a safer working environment, trying to achieve maybe new revenue streams. Whatever it is, the business goals are... That's the primary goal and then some of these others are a way of making that happen.

07:15
Benson: Now, there are some technologies that are generally required to try to get to our goal. The first one, which is near and dear to my heart, is edge computing and edge computing has gotten quite a bit of play lately. Sure, it's being defined in a number of different ways. In fact, I'll be showing an edge computer, this small little I/O module, as another example of how the power of processing and software, and memory, and robustness and reliable OT system is indeed an edge compute device. But the second thing is also critical and this speaks to cybersecurity, it speaks to a number of different topics, but that's networking, and more particular is zoning. Being able to create zones of networks to protect unprotected devices. And let's be honest, most of the devices on a plant floor today are unprotected, they're not secure, and they're on just a regular LAN perhaps or maybe they're on an air gapped LAN, or whatever, and then it makes it harder to get the information out. So the technology for networking and zoning becomes critical.

08:20
Benson: And then the third is once the network's in place, your edge computer’s in place, what are the data comms? What are the communication models? Whether it's a data model, a data comm approach, say, MQTT or Modbus, whatever it might be, those data comms become important as well. Alright, enough of the big sky stuff, let's jump in. Groov RIO, this is what we're gonna talk about today, groov RIO with the Ignition Edge, 200,000 I/O configurations from a single device. Yes, indeed. I'll show you that in a moment but let's take it from a top level. It is indeed an Ethernet I/O module. It's designed to fit on a DIN rail, as you can see. It's multi-signal, multi-channel, multifunction I/O all in one single package. It can be line-powered or PoE-powered, which is what I'm doing here. It's web-based and cyber secure. So all the security capabilities that we can stuff into this box are in there; accounts and encryption. More on that in the demos. It's not a real-time controller but we do have the Node-RED runtime engine on there, so you can actually develop some simple logic to do down there or use the compute module from the Ignition Edge platform. And speaking of Ignition, that's the beauty and why we're here today is that integration of RIO with Ignition Edge running right on the device.

09:44
Benson: And there's a couple of different ways that can be done. There's a native Sparkplug B publisher that's built into the RIO but what we wanna talk about today is Ignition Edge version 8 running on this guy. And when I say running on this guy, that means it can be pretty much running anywhere. You can see that it's UL/ATEX approved and have a wide temperature range, Class 1/Div 2 even, for those environments that need it. So this is a rugged device designed to be deployed right at the edge of the network, pulling in I/O data and with Ignition being able to pull in other data, and that's the beauty of the Ignition Edge platform. In this case, Ignition is pre-installed, ready to roll on this thing. The Edge IoT module gives you three things, essentially. The MQTT Transmission Module, which comes from our friends at Cirrus Link Solutions, that allows us to take all the data we're collecting and publish it up to an MQTT broker. The second is the PLC device drivers. All of them are in there, they're all part of Ignition 8. Just choose the ones you want, connect it to your PLCs, up to two devices, with the base license. You can extend that if you need to. And then of course, it has OPC UA server and client.

11:02
Benson: So if you needed to secure an OPC server that was on an unsecured network, you could do it with a RIO, communicate to the OPC server and then burp that data up securely to just about anywhere. Additional modules are also supported by this instance of Ignition Edge, including Edge Panel, I'll show you how that works, but also other of the modules that are in the Ignition Edge suite, including Compute, Sync, and Enterprise Asset Module but also the Cirrus Link modules. So you've got your injectors, your cloud injectors, Azure, AWS, I'm missing one, Google Cloud, I think. Those are there and even some of the Sepasoft OEE modules. We've been doing a lot of great work with the folks at Sepasoft, both for our EPIC and now the RIO.

11:50
Benson: Now, as I said before, and this is critically important, it is cyber secure out of the box. We're not talking about coding, we're not talking about command line, messing with the IP tables. This is completely built-in with a nice interface. I'm gonna show you this in a live demo but this device has encryption and user accounts; two critical pieces of security for any device that's on the plant floor, on an IT network, you name it. It's designed also to create zones, so I can... In this case here... Let me pop over to my desk cam, my cooking cam, and as you can see, I've got an Allen-Bradley processor in my RIO. I wanna create a network zone for that and another network zone that goes up to the IT network. So that network zoning is very important. And then for each of those zones, I have a configurable firewall, so I can be very granular about what kind of access I permit to the device through any of those network interfaces. More on that in a moment. And then of course, any secure device has a certificate. A server certificate is the primary thing, SSL, TLS. So we have certificate management tools built in as well.

12:57
Benson: And then quickly about the I/O. Yes, it is software configurable I/O. There's eight channels of multifunction, mixed I/O signals, discrete analog, voltage, temperature, resistance. Whatever you need, it's all in there. You just pick the channel you wanna land your instrumentation to and software configure it. More on the demo. Plus, there's two electromechanical relays on there, rated up to 5 amps at 300 volts that can be wired up as normally open or normally closed. This is a quick diagram, it's in all of our brochures and our data sheets, and so on, that just shows how some of those instrumentation signals land on to the terminal strip on the RIO and that gives you your configuration options that are available. We also have a really useful RIO Explorer tool on our website that allows you to come up with all these different configurations that can be saved, that can be sent to our engineers for review, and so on.

13:57
Benson: So relative to the architecture of the software and the RIO itself, this is essentially how it looks. So as you can see down here, I've got my various I/O signals, analog/digital serial wired up to my terminations. I can also connect to serial devices using a USB to serial adapter, and that's what we're doing with this oil and gas box down here to talk to a Modbus serial pump-off controller. So that's supported as well, although not necessarily illustrated on this drawing. Then over another network interface or a given network interface, I'm gonna communicate to perhaps unsecured PLCs. That's what I'm gonna show you here on my desktop as well. And then over another network interface, I'll communicate up to the corporate network. In which case, I'm gonna move data to on-premise applications, maybe move it up to the cloud or directly to devices. But as you can see by this little padlock here, that will always be done very securely because we don't know who's on the corporate network, so we only wanna allow authenticated access or outbound access only.

15:01
Benson: So when we wrap that up into system architectures, what you see on the screen now is where we go with this. And this is our overall system architecture but what's important to note on here is you've got OT network zones where largely unsecured PLCs exist. It's kind of your air-gapped network, if you will. And then you've got your IT zones. These are paths to the internet or paths to other networks, whatever it is, through a valid gateway. And then you got your DMZ or cloud zone. It doesn't really matter which is which. They're essentially the same. DMZ is typically on-prem, cloud is, well, it's in the cloud, wherever that is. And then we got another IT zone here with the SCADA platform and other zones including like remote access using VPN. So this is the overall for a lot of our products, that OT architecture also showing how messages move around from MQTT messages to VPN traffic to conduits. That's all the topics for another webinar. Let's focus on what I'm dealing with in this demo.

16:09
Benson: So here we go, we've got our OT zone here. And I'll switch my screen real quickly to show that my OT zone is here and also, this PC that's over here over my shoulder. So that PC and the Allen-Bradley PLC, and one of the network interfaces on the RIO constitutes a zone. That's where we're gonna collect data and then we're going to provide that data to other applications over the IT zone. And in this case, this PC that's right here in the middle is the PC I'm presenting from. So it's on the IT network but I have access to the RIO and ultimately, data from sensors and Allen-Bradley PLC. Then I'm gonna move the data up to wherever it needs to be. I can use gateway network, I can use MQTT. I'm gonna show you examples of both. And then also, in this demonstration, show you our Ignition Gateway. So we have a full gateway running on a virtual machine here at Opto that is exposed to the internet securely and I'm gonna show you some of the configurations there of how we're getting the data to move across.

17:15
Benson: Let me go ahead and click one more because there's two other RIOs here in my demo studio. One, of course, is the one I just mentioned earlier, the oil and gas box that we have down here that's using a Cradlepoint modem to get out over a network, and I've also got a RIO behind me that is just on a flat network. So just to... It can work in a lot of different ways, is what the bottom line is. Alright, so that's gonna jump me into the live demo. So what I'm gonna do first is I'm gonna bring up a browser and then I'm gonna switch my screen over to here.

17:49
Benson: Alright, let's settle in. This is where the fun begins. What time am I doing now? Oh, not bad, not bad. Okay, so the first thing that I wanna do is give you a sense of the buildout, how an architecture like this is built out. So I got this cool little web page that one of my illustrators did for me, I thank him for that, and we start off with, essentially, assets in the field, sensors or perhaps intelligent assets like drives or whatever. And then we're gonna add on, naturally, PLCs if they already exist or we can just connect those I/O sensors directly to the RIO and that constitutes the OT network zone. And then what I'm gonna do is I'm gonna, also from my PC, configure that IT zone or the untrusted network, we don't know who's on that network, for secure only access. And that is also shown here with this firewall. So we're gonna talk a little bit about that. And then we're gonna move that data on up to some applications on-prem and also the cloud all simultaneously.

18:53
Benson: So the first thing we need to do is log into this RIO here, a CSS called RIO ICL. That's just the host name I made. Now let's take a look at how that's done. So I'm gonna come over here to my RIO or to my bookmarks and I'm gonna choose RIO ICL Local, and you'll notice it loads up right there and it's secure. So from my PC connecting to the RIO on that IT network, I am connected securely and I must authenticate. I must put in a username and password. So indeed, I'm gonna do that and I'm not gonna just use the local password on this thing, I'm actually gonna log into this device using my IT credentials. Those are my credentials for getting on the Opto 22 network. So I'm gonna use something called LDAP. So I'm gonna go ahead and sign in.

19:43
Benson: Now, what I've got is this little Ethernet I/O module running on Ignition Edge, yet I am logging into it by authenticating to an LDAP server. So that looks right here and I'm logged in now. I'm gonna go ahead and click on accounts and click on users and as you can see, I have two users. The first one is this Opto user but note, there's no default user. There's no default user name and password for these devices. When they ship from the factory, the first thing you need to do is commission it up, which I did over on this PC here, on that OT network zone, gave it that local user, and then set up LDAP so all my other users are authenticated remotely. And this becomes important, particularly in, say, a cybersecurity scenario. In which case, let's say there's an employee that, I don't know, goes rogue or decides to leave the company, rather than going out to every single device to wipe out his account credentials, I can now do it in one location. This is what IT does. They manage those accounts and permissions in one place.

20:45
Benson: Alright, enough about accounts. Let's go to the next step, which was, “How do I get this thing on the network?” So I'm gonna go to system and network and here you can see I have, essentially, three network interfaces on this little RIO. The first one is the Ethernet right here. So let me switch my screen. You can see I've got an Ethernet cable plugged into here. It also happens to be PoE and that's how I'm powering the RIO. And that goes back into a PoE hub that's from behind or PoE switch behind me, which is also where the Allen-Bradley processor is plugged in. But note, I'm using a static IP, which tends to be prevalent on OT network zones, a non-routable 172.22.0.30.

21:30
Benson: So remember that, it'll become important later. That's a connection there. And then over here is my Wi-Fi connection. So switching back, I've got my USB Wi-Fi adapter. It's connected and connected to the corporate LAN. And in that case, I am DHCPing, so I'm obtaining an IP address directly from IT. That again, is all managed by them but it also allows me to register the domain name or the host name, which is right there, and note that that's the same address I used to access the device all securely. And then finally, we have an OpenVPN client built into the RIO, as well as the EPICs. That allows me to create a connection over the gatewayed IT LAN to a configured OpenVPN server. Could be on-prem, could be in the cloud, doesn't really matter, but that connection is a third connection that allows me... Now, I have three network zones on this device for security.

22:36
Benson: Alright, that was fun. Lots of other stuff in there. The next important part relative to security and networking I'll cover is absolutely the firewall. As I mentioned earlier, each of those network interfaces can be configured to allow traffic or disallow. Very quickly, a firewall is designed to prevent outbound or incoming access to a device. We're gonna basically block everything and only allow certain traffic to come in. This is important because the only traffic we wanna allow to come into the RIO is authenticated encrypted traffic. So indeed, up on the top one here, the groov RIO itself, well, we're only allowing traffic to come in on HTTPS. Port 80 is shown there but all traffic is redirected to 443, so it's always a secure encrypted connection. And on each of those network interfaces, I'm permitting that because it's encrypted and I have an account set up for that. But Modbus TCP, that's not a secure protocol, so I wouldn't wanna allow anybody on the LAN to come and access the Modbus TCP registers unless you trusted everybody on that LAN. But you can start to see where I'm only gonna permit certain interfaces to access the Modbus server that's on this. So it's actually, in this case, Modbus Slave that's on this device. Same goes for all of the other things.

24:01
Benson: The beauty of Ignition Edge is, particularly with version 8, everything is secure, so I'm going to allow access on all the interfaces to Ignition Edge over 8043 and 8060. So again, very cool stuff in terms of granular access to device, making it very secure. I can literally shut off all the ports on this thing and just do all outbound access, 100% capable of doing that as well. Now, if you have your own application, and we do have the key, and I will see that we have shell access, you can actually turn on your shell access and write your own application and run it on the RIO if you choose. And in that case, you would add a rule for that and if you had to have a listener or something in your application.

24:48
Benson: Alright, before we get to Ignition, I think you probably wanna see the I/O channels. This is really cool. You're talking about a one part number that you can literally put on the shelf and as you need to get a little bit of data, you pull it off the shelf and you put it in because you can software define those I/O channels, and that's what we've done here. So on my screen, I've got a top button, bottom button, fuel level by this little knob here, a temperature, a little LED, it's all there, and I can see everything as I turn things on or off, as I turn my potentiometer, I'm changing my fuel level as indicated here. Let's take a quick look at how that's configured.

25:29
Benson: So I'm gonna click into the top button here and here you can see I've got more status. I even got some latching going on there. I'm gonna click on the configure button over here, there we go, and here it is. Just fill out the form, give it a name, and in this case, in many cases, this name becomes the single source of truth. Particularly in an MQTT environment where I'm creating a unified namespace, topic namespace, that can become the single source of truth. And then here's where the magic really happens, when I click this channel type, all of these channels are supported. So you literally just pick what sensor or what transducer, or what circuit you're plugged into on Channel 0 and that channel becomes that device. There's a lot of other cool capabilities in here outside of the scope of this webinar. We'll focus mostly on the Ignition Edge on this RIO but like I said, you get eight channels of software configurable I/O and then you've also got two mechanical relays down there that can be configured as normally open or normally closed.

26:41
Benson: Terrific, let's move on. Ignition, the moment we've all been waiting for, completely integrated, completely built-in. So as you can see, from this screen, I can now... I've got the different Ignition platforms that are available for the RIO, both full Ignition, if you wish, or Ignition Edge, which we're gonna focus on here. I can see it's running and the version that's running. I've even got a hyperlink here to go ahead and launch into the gateway. So let's take a look at this gateway.

27:12
Benson: Alright, here we go. First things first, let's go to the status page and as soon as I do that, naturally, it's gonna ask me to log in. Now, the commissioning process for the Edge is the same as you would expect if you downloaded Ignition Edge from the website. You have to create a user account, you'll have to accept the terms of the license. All of that's built-in right through this interface. So once you've done that, I can go ahead and create or log in with my account credentials, there we go, and we'll come up to the status page. A couple of quick things I wanna show you on the status page. We get up to... When I'm hitting it hard with the web server, my CPU goes up a little bit but in general, everything is looking pretty good. One of the things I wanna show you, we are indeed running on a Linux ARM. The RIO is a Linux device ARM processor and just as I described earlier, the Ignition Edge can see all of my network interfaces. That's important because that means Ignition Edge running here on the RIO can communicate to the Allen-Bradley PLC on one network interface, can connect to MQTT servers, VPN servers and so on over the LAN interface, and then also accept VPN traffic over the final VPN interface. So very cool there.

28:28
Benson: Let's go to devices 'cause that's the cool part about Ignition Edge, is it's gonna give me an opportunity to connect to other systems. So not just to the I/O on the RIO but to other systems as well. So you can see there, I've got a configured L24 processor here on the Allen-Bradley and I'm also communicating to the RIO. In this case, Modbus... Yes, RIO supports Modbus as well. I'm gonna go to the configuration page 'cause I wanna show you, essentially, how those devices are created. And a lot of you on the call are Ignition users, so you're probably very aware of how the drivers work in Ignition. They work very similarly on Ignition Edge. I'm gonna click edit here. I'm gonna come to the page for the Allen-Bradley driver. And what's cool is, the Allen-Bradley driver by Ignition is magical. I literally put in the IP address of the PLC and that's it. I hit save, it pulls all the tags in, and boom, I can start building my application. So in this case, the Allen-Bradley PLC is on that private network at [172.22.0].52.

29:36
Benson: Alright, keep a track of my screens here so I'm... Or my steps. Okay, next thing is, how do we get the data from the Allen-Bradley PLC, the I/O to other applications? First one, gateway network. A lot of you are probably familiar with the gateway network. Indeed, that's supported here as well. In fact, it's included on the IIoT Edge Module license. So indeed, I come over here, I can see that it's enabled, and then I'm gonna go over here to incoming connections and I'm permitting a secure incoming connection over the gateway network from another system. In this case, my main gateway that's running here at Opto 22. So there you have it, gateway network is set up. I'll show it to you over on the main gateway in a moment but before we get there, one other thing I wanna show you is MQTT.

30:27
Benson: So I have the MQTT Transmission Module installed on this device. I'm gonna come down here to settings. And the idea behind MQTT is to be able to take all those tags that I have now in the RIO and publish those tags to a broker, and that could be on-premise, it could be in the cloud, it can be wherever. And in this case, I am doing one on... The broker I've selected is from our friends at Cirrus Link Solutions, the Chariot Broker running on an Amazon EC2 Instance, but I can put multiple brokers in here, I can do all kinds of different things. So there is my broker. Indeed, I'm communicating outbound to a secure broker. In this case, it's called chariot.groov.com. And then once the server connection is created, I create what are called transmitters. The transmitters are the way I transmit information on a given Sparkplug ID. It's all there. Okay, very, very cool.

31:22
Benson: The next step, of course, is to... Let's look at Designer. So to make things a little simpler, I've already launched the Designer but you just use the Designer launcher, launch your Designer. It's launching securely, in this case, from the IT network, and there's all my tags. So I've got my Allen-Bradley tags here. Let's take a look. If I press this start button... And that's a green momentary there. So as soon as I press it, bingo, and there it comes on. Terrific. And then over here on the RIO, I've got this blue LED which is currently showing on. So I'm gonna check the box, make sure I enable read, write, and the LED goes off. So clearly, I've got a connection between my Designer running on the Edge to the I/O and the Allen-Bradley PLC, all 100% secure. Very cool. And then of course, once I have my I/O, I just drag it out here to a canvas, and there you go. I can go ahead and turn on the blue LED from my canvas. There you saw the LED come on right there. Let's do it again, and off. Pretty cool. Same thing with my potentiometer here and even my... I can turn on an alarm output and this light will come on on the PLC, as you just saw, on or off. Everything is working. Terrific.

32:43
Benson: Let's actually show it to you in a browser because yes, if I go to a new tab and come over to RIO, and go to, let's see, Ignition Edge panel... There you go. With the panel license, I can now... From the IT network or the OT network, I can access my screens, obviously, if I have the right credentials. For simplicity, I made this pretty much accessible to anybody, but I still am secure. So I'm already logged in and I can log in and see the data. Pretty cool. So now I've got a little HMI right on an I/O module as well, communicating to all these systems.

33:21
Benson: Okay, enough about Edge. Let's move up to the big gateway, let's move up to the main gateway, and here, I'll go ahead and launch that here in the browser. There we go. And just to recap, I'll go back to my screen and add the next level. Now, I'm using full Ignition and I'm gonna be able to see the data coming from the remote tag provider on the RIO and various other things. So there it is, there's my system. I can go into the status page. This is just running on a VM here at Opto 22. Again, a public one. I can see all the information there, including the public IP address out to the internet. So we have a lot of demos that use this gateway.

34:06
Benson: I've also launched the Ignition Designer for this gateway and normally, it'll come up to the default provider here but in this case, I wanna show you two things. One, RIO ICL Edge. This, of course, is your gateway network. So now, I'm getting all the tags into the main gateway from the remote tag provider in the remote gateway, which is nice 'cause now I can build my screens here and if I have EAM, I can deploy them down to the RIOs. I have a lot of capabilities for a distributed system using this technology. So there it all is and then I just built a very quick screen showing the difference between the gateway network and the MQTT Sparkplug B because yes, on this Ignition Gateway, I also have MQTT Engine. Now, what Engine does is... Let me switch back to my topo screen here. What Engine does is Ignition Edge, Engine... Let's see if I can get my key out there. There we go. The MQTT Engine Module runs right here on the Ignition Gateway that I'm working on at this moment and goes up to the MQTT broker and pulls all the tags from all systems that are publishing, which is great 'cause now I've got a main gateway that can see everything.

35:28
Benson: So if I go back, see everything is exactly right. Let me go now to the MQTT Engine tag provider right there, go to Edge Nodes and DemoCenters. Talking about this demo center in front of me and EPIC demo centers behind me, they're all over the world and a lot of them are publishing into the same broker. So I can actually see all the demo centers that are online right now. I can come down here to Opto 22 and I even got my house in here. It turns out I can get EPICs at a pretty good price. So I'd put one in my house and I'm publishing in, and pulling it into this Ignition Gateway, mixing it with all the other data. Democratization of operational data right here in Ignition. So that's kinda cool but this isn't about my house, this is about the demos.

36:17
Benson: So let me go down to here and there indeed is RIO ICL, there's my Allen-Bradley processor, there's my RIO I/O all through MQTT. That's how I was able to build this screen with both gateway network information and Sparkplug B and as you can see, they all work very quickly. Now remember, MQTT is going outbound from the RIO, over the IT network up to the broker on AWS and then the gateway, the main gateway, is subscribing to all that data and allowing me to build these screens. So there's a lot of things I can do here. It doesn't really matter which one I use but let me pull this up. That's what I meant to do, is pull that in and click Alarm Output. That'll turn on this output down here. So very cool.

37:05
Benson: So once I have the data in the broker, I can do a lot with it with Ignition but hey, what about some other things we can do? Well, here's another example. I'm gonna come down here to this one, which is the RIO oil and gas box, this PLC that's... Actually, this RIO down here in this oil and gas is essentially an RTU, as I described earlier. This one is also publishing its data, so I can actually see that right into this screen here. There's my oil and gas data, temperatures, flows, wellhead temperature, whether the pump jack is moving or not, all kinds of information. And then once we connect this to the pump-off controller, we're gonna pull in all the pump-off cards, all of those come through the Ignition system all over MQTT, all securely. Pretty slick.

37:58
Benson: So now that we got all of the data in the broker, perhaps some of it's in Ignition, what else can we do with it? Well, let's take a look at my browser again and I am going to log in to — our friends over at Canary Labs have an historian, and of course, you know that historian works beautifully with the Ignition Gateway. Direct implementation, pull all the tags, historizing and so on. But Canary has also written an MQTT Sparkplug, basically Engine or a client to go get the tags from the broker and bring them in. Let's see what that looks like. So here we are in Axiom, which is their web-based interface to the Canary data, and let's go to here. Let's go to five minutes. And apply. There it is. So you saw as I was moving, actually, let me come out to about, let's say, 10 minutes and apply, and you'll see where I actually moved some of the... My other... I pressed some of the buttons, I can see my waveform. All this is historized on this Canary Labs server, but the way it got its data is from the broker. So if I come back to my overview screen and I add in some of my final layers here, I can see I have a lot of data publishing into this system, right up to the MQTT broker and having other applications subscribed to that. Very, very slick.

39:28
Benson: And of course, there's others in here as well, I can't help myself. I'm also bringing all the power that my home is using right now, and there you see it, so pretty slick stuff. So my pole pump is on right now, so I can see that coming in. So the bottom line is democratization of data, doing it securely, doing it at very high performance in a lot of different ways. One other thing I'm gonna show you, I've been talking about, especially in today's world...

40:09
Benson: One of the things that we've all been faced with over the past 16, 17 months, however long it's been, is remote access. How do we gain access to our devices when we're sitting at home? And that's the beauty of VPN and that's what I'm gonna show you next. I'm gonna actually... I'll close this screen. I'll go ahead and close this guy down. What I wanna show you is from this screen here, I'm gonna actually open up a basically what's called AnyDesk session to my computer at home. Okay? So I'm gonna actually log into the computer at home, so I can see the screen and show it to you, because what I'm gonna illustrate is that this RIO does have that OpenVPN connection. So, from the RIO here, I'm connecting into, in this case, the cloud connecting to a VPN server and keeping that connection open. But I can obviously turn it on and off based on need, and that's what we recommend, do it on demand.

41:04
Benson: Then my PC at home, here is my remote access PC, so let's get that going. I'm gonna open it up here and let's come to there. Now on your screen, you're seeing the AnyDesk software running on my local computer, and I'm gonna go into this PC here. Now, I've turned off. I've turned off the two-factor authentication for both my PC and for the OpenVPN server just to make it simpler; both offer two-factor authentication, highly recommend it. We know that the application, the cyber incident in Florida was caused largely by an exposed VPN password. Absolutely, use two-factor authentication, I would do the same for your Ignition instances as well. They have... Inductive has done a terrific job of the identity piece and the two-factor authentication in there as well. Okay, this is my application at home, turns out, like I said, I've got a lot of automation at home. I'm gonna open up a new tab here, and I'm gonna go to my VPN connector. So right now, I'm not connected to the VPN, there's no way to the VPN server.

42:11
Benson: So now I'm gonna come up here, I'm gonna select this guy, and I'll wait for him to get in. I just tested it before we got going, so I haven't timed out for my user credentials, but normally I'd have to enter user credentials and my two-factor authentication but I'm connected. Now, what I'm gonna do is I've created a hyperlink right down here called RIO ICL. I know it's hard for you to see. It's very small on my screen too. Go right to there and look at that, I'm logged in to this RIO from my house. Sign in, and just to prove I'm not joking around, I'm gonna go to system, network and there you go. I've got the highlighted ICL there this is all... It's the same RIO, but now I'm doing it from home. So that VPN access on all our devices, again, provides a very secure method of creating a connection from the devices into a VPN server, and then again, another client coming in and creating a tunneled secured encrypting connection to your devices. No need, no need to open up ports on plant floor devices, and expose them to anyone. With something as affordable as a RIO or even our EPICs, you can front in all of those unsecured devices, provide a lot of capabilities for remote access, for moving data around at very high performance, and with a lot of flexibility. I think it's a great time for Q&A. Who's in? 

43:50
Ben: Benson, Garrick and I have been going like crazy. There's a lot of great questions. The general thrust seems to be just understanding the ability to be able to put more access to your PLCs, legacy PLCs behind EPIC or RIO. So that sort of seems to be the thrust of a lot of the questions is communication options, and one of the questions was, "What happens if the communication goes down?" Maybe you wanna talk about store and forward just a little bit, and some of the cool stuff that Ignition is doing there.

44:32
Benson: Great, great question. Yeah, it's a key consideration. So if I do go back over here to my browser, I'll just pull it up here for a moment. Indeed, we can't always expect that a connection, say, on the IT network, or even a cellular network will always be on. And so that's another power of edge computing with the right software, and of course the right software is Ignition Edge, is its ability to store that data on the Edge until communications resume. So whether it's cellular, whether it's WiFi, whether it's VPN, whatever, if that connection to, say, the broker, in the case of MQTT is lost, the MQTT Transmission Module will automatically start storing that data at the Edge, and then when the communications are re-established to the broker again, in the MQTT scenario, then all that data gets burped up. First the real-time values come in, and then MQTT Transmission starts sending all the historical data right behind it. The beauty is when those tags are set up as historical, they'll all get backfilled right into your historical database. So that's a very, very cool feature, particularly in remote assets like this oil and gas box I have down here. Gateway network? Same kind of thing, one week buffer of data in there in the event of a gateway failure, we can store data.

46:00
Benson: Again, Edge doesn't have a database, it has its own little database for storing data and so on, but it's not a full Ignition system. So it's not set up with a database. You wanna do that, you can. You can actually install a database right on the RIO, and on EPIC for those of you that are brave enough to do so. Brave in the sense that you know how to do it. We give you a lot of access with Shell and tools and so on to do so. Hopefully, that answered the question, Ben.

46:25
Ben: Yeah, absolutely. Benson, we're going pretty good on time, but one of the questions actually leads into... I don't wanna steal the fun, but one question was, I might have missed this, but can we access the AB Logix PLC behind the RIO? I'm sure you're gonna get to that one in just a moment, here.

46:47
Benson: Yeah, and you're right, we are doing pretty good on time, but I'll just pop this thing up here. Indeed, we can.

47:06
Benson: So here's my RIO. And yes, you indeed, I'm showing you the architecture, which I'm gonna pull up on another screen here in a moment, in fact, I'll go ahead and do that here. The question is, looking at this architecture, can I access this PLC on a private network from, say, the VPN interface coming through the RIO? The answer is soon on RIO, but over here, I am doing that. So I'm kind of set up for it, but let me just close this guy down here, if you guys wanna see it. If you really wanna see it, I'm happy to show it to you, or call us up, Garrick, Ben, any one of us can show it to you. But here's what happens, I'm gonna show... I'm gonna switch this screen back over... Actually you know what I'm gonna do? I'm gonna go back to my PowerPoint and just page up to this screen here so I can show you how this works. So I've got my mouse pointer here. The way that it works is this way: Inside this EPIC here, and this is where this thing called Port Redirects currently exists that allows me to redirect ports between interfaces.

48:16
Benson: So you can do this and you can do it securely. For example, in my PLCs right here, I've got two PLCs on a private network, same as I've done over here, connected to an EPIC on one network interface. On the second network interface is going to my corporate LAN, so that's the untrusted network, corporate LAN, whatever. And that's also my path to the internet, to MQTT servers, to OpenVPN servers and so on. Now, I have a control program running in here, it is operating this turbine, I've got local HDMI, that's all in there as well. But what's important is that I have segmented or zoned these unsecure PLCs from the corporate LAN and from anywhere else. Now what I can do is I can go back in through my interface here on the EPIC, and I can create what are called conduits. And the way that it works is this way; the EPIC itself is set up to connect to a VPN server, and then on my remote PLCs or on my remote workstation here at home, I log into that VPN server. Now, I've created a secure encrypted connection directly to the EPIC. However, because the PLCs are on their own network zone, how do I access those?

49:34
Benson: This new service that's built in, and I'll go ahead and take a little bit of a risk here, but it's not a big risk. I'm gonna log in and show you where that's done. I'm gonna log right into the EPIC. So this is the EPIC behind me, and if I go to system port forward, this is where it's done. So I'm literally taking traffic that's coming in on the tunnel, on the VPN tunnel, and I'm moving it to the private network on the port that needs to listen there, which is on eth0, one of the Ethernet ports on the EPIC. Now, right now, this is enabled, but what we recommend is that you only enable it when you need it. Now, I'm showing you how to enable and disable and where it's configured, all from the gateway. I'm sorry, all from groov Manage running on the EPIC. But wow, wouldn't it be cool to do this directly from Ignition? I'll save that for a moment. I'll save that for a moment to a little bit later. So long story short, coming back to here, that's what these red lines here that are indicated, these are your conduits or your port forwards to your PLCs, this is your VPN access to the EPIC in the first place.

50:52
Benson: Now, I would simply run say RSLinx or whatever software on this PC, and yes, I can get all the way to the PLCs on the secure zone. Here's what's important; it's all encrypted, it's actually double authenticated, 'cause first you gotta have the VPN tunnel, then you gotta have the access over on the EPIC side. It's just... It's the most secure way you can do this, and we're not having to use third-party tools, we're just using what's built into the EPIC and soon the same feature will be on the RIO. Long-winded answer, but there you go. If you hang around to the end, I'll show you something very cool relative to this capability from Ignition. Next question.

51:41
Ben: Another question, Benson, perhaps you can... We've answered it, but I'd just like you to flesh out a little bit, and maybe it'll help describe some of the relationship that Opto has with Inductive. But the question was, "When Inductive release a new version of Ignition, do we have to update the firmware in the RIO?"

51:58
Benson: We do. The way that we do this is when a new release of Ignition Edge or full Ignition, we get a new installer and then we put that onto our system, put into the QA process, well, actually into the build process. And then it's gotta go through QA, and make sure all the pieces work together and then it's released. So under the current upgrade scenario, that is indeed how we get the latest version of Ignition Edge or Ignition on our devices, and that's why you may see a lag. By the time it's available from Ignition, we have to run it through all of our processes to get it on to the firmware, fully tested through our QA department. And then it comes out as a release, but the short answer is yes. Upgrades to Ignition are done through EPIC, or RIO firmware upgrades.

52:47
Ben: Awesome stuff, Benson, I think you've got time for maybe one more thing.

52:52
Benson: Okay. I'll throw it out there. We've been working... One of the cool things about the Port Redirect, the conduiting, and also this network zoning is it's really capable. There's a lot of capabilities. And as I was just showing you, I go in through groov Manage and I can set all these up. I can fire up my VPN, I can fire up my Port Redirects, but maybe you don't always wanna go through groov Manage. What if you could do this from a single pane of glass? What if you could do this from Ignition? So we have worked with... Oh, and I'll get the... I'll pass the helm back to you in a moment, Kent for your closing thoughts. So here's my one more thing, I just always wanted to do this, so here it is; the groov Ignition Module by Avadine. Avadine is a system integrator up in Bakersfield, California, and they are working with a large customer there, I can't name them. But in any case, they're working with them to incorporate this to start securing field assets, and this was the problem, and we wanted to be able to do this, "Hooray." We can now do it, we can now secure devices in the field and address cyber security issues. However, can we do it from Ignition? So we started working with Avadine, and with our own development team. And this is what is created. It's not yet available. It soon will be, this is kind of beta, but what you can see here, and I think I saw my laser pointer going, I got Opto 22 groov down here with general network and port forward rules.

54:32
Benson: This allows me to do, essentially, ISA 62443 zoning and conduits from Ignition. And the way it does it is our EPICs and RIOs have a full RESTful API. So anything I can do in groov Manage, I can do through an API, and that's what Avadine is taking advantage of. They've pulled in our entire Swagger document for all of our API calls and have built a gateway interface to turn these configurations on and off to actually enable and disable the VPN, and all of these tags are over in its own tag provider. So think about that, I can drag these tags onto the canvas and allow somebody to turn on or off the VPN access based on their credentials, on their view Perspective or Vision credentials. I can also... I got some advanced properties, I can set up all the port forwards right here and turn them on and off on demand. And this is critical 'cause you don't necessarily wanna leave a VPN open all the time, you may not even wanna leave... Well, you definitely don't wanna leave Port Redirects open all the time. You only want them when you have to make a program change or you need to get into the PLC for some reason. So that's how this thing is built. It's designed to give you on-demand, secure... And remember, if you're doing this through Ignition, all of that is audited. You know who, you know when, you know for how long, and there's also some other features in there that are built-in, they are kind of cool where they'll actually time out over time.

56:02
Benson: So if you say you can only allow access for five minutes and somebody forgets to shut it all off, it'll automatically do it. So we're super excited about working with Avadine. Terrific development team over there. Again, I think that it shows the power of the Ignition community to extend the platform, to address the kinds of concerns that we're dealing with today, and that's amazing. So keep your eye out, look for our blog or Ignition or Avadine's blog where we naturally will announce this. We also anticipate having a full webinar that just focuses on this feature, on these capabilities for securing your existing legacy assets, democratizing their data, doing this at a high performance and achieving your business goals, your business outcomes. And if it happens to be cybersecurity or just getting data around, we can help you with both. So with that, I'm going to... Let's page up to here, I think there's one other announcement that Kent would like to say.

57:04
Kent: Yeah, thanks so much. Benson, incredible presentation, it's fun to see all this stuff in action coming together. And I'm glad that you ended with Avadine's module there, it kinda leads into what I wanted to talk about, which is ICC. Maybe that doesn't seem like a direct lead, and I'll explain that in a second. But we have our Ignition Community Conference every year. Last year, and this year it has been a virtual event, being cautious with COVID-19. Being virtual, it's free, so you have no excuse. So you gotta come, you gotta join us. It's gonna be exciting, there's gonna be a Keynote, Developer Panel. All the stuff you're used to. But one thing that we didn't have last year that people got really mad, and they said, "You gotta bring this back" was the Build-a-Thon, if you haven't watched a Build-a-Thon in the past, you're missing out. The past Build-a-Thons are available on our website, so feel free to check those out. But it's been Travis and Kevin going head-to-head building cool things for Ignition. The reason I say it's great that you talked about how the integrators in our community are doing exciting things with Ignition, well, that leads in this, because this year instead of Travis and Kevin directly going head-to-head for the Build-a-Thon, they've gone into our integrators and they have actually recruited teams to go against each other.

58:20
Kent: And so stay tuned to Inductive Automation's marketing, 'cause we're gonna be announcing those teams and we're gonna talk about the challenge, what they're gonna build. But this year is gonna be bigger and better than ever, and that will be live-streamed as part of ICC this year. So that's my spiel, I hope you all attend ICC and really, that is it. And I really want to thank Benson, Ben, and Garrick for this presentation today. And yeah, it's been a pleasure. Everybody have a great day.

58:53
Benson: Thank you so much.

 

Posted on June 2, 2021