The Smartset application connects to the ism7 via TCP on port 9092. There can only be one connection at a time.
The connection is encrypted using TLS (TLS_RSA_WITH_AES_256_CBC_SHA256) and a client certificate singed by "LuCon Root CA (direct)" is required.
Each message starts with a six byte header (4 byte length, 2 byte type). The payload is mostly xml.
The Smartset application contains 3 helpful xml files, which define the conversion, dependencies and human readable names for the data. Another source is the smartsetpc database at %APPDATA%\Roaming\Wolf GmbH\Smartset\App_Data\smartsetpc.sdf.
If you want look at all the nasty details, I recommend taking a look at dnSpy. Using this I was able to get all required information (like database password, encryption key for the XML files in the system-config folder, client certificate, etc.) and was able to patch out the certificate verification to use a mitm proxy.
ism7proxy can be used to intercept and dump the communication between smartset and ism7, but you need to patch LuCon.WebPortal.StandaloneService.dll to remove the certificate validation.