Overview
Beckhoff ADS (Automation Device Specification) is a communication protocol developed by Beckhoff for efficient data exchange in industrial automation systems. It serves as the backbone for the integration of devices and software into the PC-based control technology from Beckhoff.
From the perspective of the ADS protocol, ADS-over-MQTT is an additional transport channel over which ADS can be transported. Decoupling communication via an MQTT message broker results in a number of advantages, particularly in terms of scalability and flexibility when integrating additional ADS applications. Security mechanisms such as TLS can be used at the transport layer to secure the communication connection.
With ADS-over-MQTT, the entire data exchange is transparent for the ADS applications, because only the ADS router needs to know and hold the corresponding information on the MQTT transport channel. In particular, this also enables easy retrofitting for existing applications.
The main use case for ADS-over-MQTT is a classic remote maintenance and remote diagnostics scenario, where the TwinCAT engineering environment (TwinCAT XAE) needs to connect to one or more controllers for remote debugging. The following diagram illustrates the architecture being created here.

However, there are many other use cases for ADS-over-MQTT, especially when it comes to the aggregation of multiple distributed PLC systems.
This document provides an overview of the usage possibilities as well as a technical description of how a "virtual ADS network" can be configured over an MQTT message broker.
Benefits of an MQTT-based ADS network
- Subnets, NAT-based networks and firewalls:
  In a classic ADS setup, incoming TCP/IP connections are used in both directions, so the devices normally have to be located in the same network. In distributed systems with different subnets this leads to complex configurations in order to make the ADS routes available. In an MQTT-based ADS network, the devices only use an outgoing TCP/IP connection, which allows the broker in the higher-level network to mediate between all devices. Because only outgoing connections are used, a typical firewall can remain in place and no incoming ports need to be opened.
- Access control:
  In a classic ADS setup, bidirectional communication is possible once the appropriate routes have been created: if device A is given access to device B, device B can also access device A. The MQTT-based ADS network can be configured so that device A can access B, but not the other way around.
- Security / encryption:
  The communication from TwinCAT to the broker can be encrypted by TLS (with certificates or a PreSharedKey (PSK)). In this case the transporting MQTT protocol is encrypted, so the ADS protocol can be transmitted unencrypted in the payload.
- Retrofitting:
  ADS-over-MQTT is transparent for the ADS applications, which means that they do not need to be changed.
Notice: ADS access means full access
As described in Security Advisory 2017-01, ADS offers full access to a device.
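The one-directional access control and the TLS-PSK transport described in the benefits list above are enforced at the broker, not by ADS itself. The following is an added example for an Eclipse Mosquitto broker; it is not a configuration from this page or from Beckhoff. The topic layout `VirtualAmsNetwork1/<AmsNetId>/#`, the client identities and the AmsNetIds are assumed placeholders and must be replaced with the layout your ADS router actually uses.

```conf
# ---- mosquitto.conf (added example; paths, identities and topics are assumed) ----
# Single TLS-PSK listener. Controllers and the engineering station only connect
# outbound to this port, so no inbound port has to be opened on the devices.
listener 8883
psk_file /etc/mosquitto/ads.psk          # one "identity:hexkey" line per device
psk_hint ads-over-mqtt
use_identity_as_username true            # the PSK identity becomes the ACL username
allow_anonymous false                    # every client must present a PSK identity
acl_file /etc/mosquitto/ads.acl

# ---- /etc/mosquitto/ads.acl (added example; topic layout is an assumption) ----
# Engineering station (TwinCAT XAE, assumed AmsNetId 5.67.89.1.1.1) may send
# ADS requests to the controller and receive traffic addressed to itself.
user xae-engineering
topic write VirtualAmsNetwork1/5.1.2.3.1.1/#
topic read  VirtualAmsNetwork1/5.67.89.1.1.1/#

# Controller (assumed AmsNetId 5.1.2.3.1.1) may only receive its own inbound
# traffic and answer the engineering station. No rule lets it publish to the
# topics of any other device, so access is one-directional (A -> B only).
user plc-5.1.2.3.1.1
topic read  VirtualAmsNetwork1/5.1.2.3.1.1/#
topic write VirtualAmsNetwork1/5.67.89.1.1.1/#
```

Because ADS access means full access to a device (see the notice above), the ACL is what limits which client may reach which AmsNetId; review it whenever a device is added to the virtual network.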