OSI PI Server Interface with 800xA System
Hi Rob,
I saw your post regarding the OSI PI connection, and it would be great if you could give some guidance for my currently running project, which has OSI PI servers (redundant) interfaced with an 800xA system.
Project overview: Two OSI PI servers are connected at the Level 3.5 network, 2 PI interface (OPC DA) servers are connected at the Level 3 network, and all 800xA servers are connected at the Level 2 network. Between each level, 2 firewalls are placed for level segregation.
Harmony, AC 800M and PLC connectivity servers are used in the project. There are 2 OPC servers (application servers) whose only purpose is sending data to the PI system. The OSI PI system integrator is proposing to install Matrikon tunneler on the OPC servers placed at the Level 2 network, which will send data to the Level 3 PI interface servers, and the PI interface servers will then send data to the OSI PI servers placed at Level 3.5. It would be great if you could provide some guidance on whether the method I mentioned is the correct approach, or whether there is a better alternative method to give data to the OSI PI servers, and whether to go with Matrikon tunneler as proposed by the OSI PI system integrator. Under any circumstances I should maintain the level segregation as per the cyber security standard.
Thank you!
-Suresh
Voted best answer
There should be no need at all for a Matrikon (or any other) tunneler in this kind of situation.
OSI PI is specifically designed to communicate through this kind of network. All PI traffic requires that a single port (5450) is opened on the firewall. PI provides extensive additional security to ensure that only trusted nodes are allowed to use this port, and the firewall should do the same.
Put the PI interface software (ICU) onto the 800xA Application Servers at level 2 - do not use separate PI interface nodes. Route the traffic between the PI servers and PI Interface/800xA servers as required through the firewalls.
As you know, I strongly advocate the use of *OPC HISTORY* (OPC-HDA) - not OPC DA. This especially applies to the Harmony OPC Server. Using separate Application servers for the PI connections WILL NOT prevent an incorrectly configured third-party OPC subscription from overloading some types of control systems.
Matrikon software appears to be end of life. Since the company was acquired by Honeywell in 2010 there seems to have been minimal development on any of the company's products. There have been no product announcements or news since 2012. I no longer recommend it to any of my customers.
Of course, none of this is "your" problem. It's your customer's decision on how to proceed with this. It is the PI system integrator's job to make this work (within the restrictions you set to protect the health of any systems that you are responsible for). And any advice you get on the internet is worth exactly what you paid for it.
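An added example, not part of the answer above: a check of an exported firewall rule list against the policy the answer describes, where only the trusted interface nodes at level 2 may reach the PI servers and only on port 5450. The addresses, rule names and rule format are constructed for illustration, and TCP transport is an assumption, since the thread gives only the port number.

```python
import ipaddress

PI_PORT = 5450  # the single PI port named in the answer

# Constructed addresses, not taken from the thread.
PI_SERVERS = ["10.35.0.10", "10.35.0.11"]    # redundant PI servers, level 3.5
TRUSTED_NODES = ["10.2.0.21", "10.2.0.22"]   # 800xA app servers with PI interface, level 2

# Constructed rule export: (name, action, source, destination, protocol, ports)
RULES = [
    ("pi-if1",   "allow", "10.2.0.21",   "10.35.0.10", "tcp", "5450"),
    ("pi-if2",   "allow", "10.2.0.22",   "10.35.0.11", "tcp", "5450"),
    ("broad-l2", "allow", "10.2.0.0/24", "10.35.0.10", "tcp", "135-65535"),
    ("legacy",   "allow", "any",         "10.35.0.11", "any", "5450"),
    ("default",  "deny",  "any",         "any",        "any", "any"),
]

def net(spec):
    """Parse 'any', a host address or a CIDR block into a network object."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)

def port_range(spec):
    """Parse 'any', '5450' or '135-139' into an inclusive (low, high) pair."""
    if spec == "any":
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))

def audit(rules):
    """Return (rule name, finding) for every allow rule that reaches a PI
    server with anything other than TCP 5450 from one trusted node."""
    servers = [ipaddress.ip_address(a) for a in PI_SERVERS]
    trusted = {ipaddress.ip_address(a) for a in TRUSTED_NODES}
    findings = []
    for name, action, src, dst, proto, ports in rules:
        # Only allow rules whose destination covers a PI server matter here.
        if action != "allow" or not any(s in net(dst) for s in servers):
            continue
        if proto != "tcp":
            findings.append((name, "protocol %s, expected tcp" % proto))
        if port_range(ports) != (PI_PORT, PI_PORT):
            findings.append((name, "ports %s, expected only %d" % (ports, PI_PORT)))
        src_net = net(src)
        if src_net.num_addresses != 1 or src_net.network_address not in trusted:
            findings.append((name, "source %s is not a single trusted node" % src))
    return findings

if __name__ == "__main__":
    for name, finding in audit(RULES):
        print("%-9s %s" % (name, finding))
```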