Selecting the best remote access solution for your application

August 2023 Fieldbus & Industrial Networking

In today’s Internet of Things world, remote mobile access is a necessity for many industrial applications. There are several ways of implementing this connectivity with routers and virtual private networks (VPNs). Three of the most popular methods are:

• Standard router (without VPN).

• Traditional VPN router.

• Cloud-hosted VPN router.

The first solution is a standard router. Although it is not secure, it is still widely used in many existing mobile HMI applications, and even in some newer ones. Its primary attraction is low cost, but the approach is discouraged because it relies on port forwarding through the firewall, which exposes the forwarded HMI or PC service, and through it the plant network, to anyone on the internet.

The second solution is a traditional VPN router, which creates a secure tunnel from one location to another. This option requires significant IT skills and greater investment to implement and sustain than either of the two other options, but it offers a secure solution with some significant advantages.

The third solution is a cloud-hosted VPN router, which simplifies IT complexity by creating an encrypted connection from a local VPN router to a cloud-hosted VPN router via the internet. Remote users can then securely access the local components and systems via the cloud-hosted VPN router. This option provides a high degree of cybersecurity, along with relatively simple configuration and maintenance.

Each solution can support various PC-based remote access applications, along with access via smart phone and tablet apps, but with different levels of cybersecurity.

This white paper will compare the three types of remote access solutions for both PCs and mobile devices, and it will examine the advantages and design considerations for each.

Standard router

In many industrial applications, a standard router and firewall protect the corporate and industrial plant network, and users must manually configure and manage all routing and firewall settings. This type of router does not usually provide a VPN to encrypt data; instead, remote access is granted by creating port forwarding 'holes' in the firewall through which remote users reach specific applications and components in the plant network.

Most HMI users want the same level of access whether they are remote or local. Laptops normally connect to the HMI web server for monitoring data and making changes to setpoints and other parameters, or they connect to the HMI with programming software to troubleshoot or make program changes. In order to connect remotely using a standard router, port forwarding is usually configured to allow access to the HMI, or to a local PC running remote access software such as TeamViewer or VNC Connect. The local PC provides the remote user with the ability to run the HMI programming software. HMI mobile apps also require port forwarding so the remote user can access the local HMI for control or viewing data. These apps usually provide the same functionality as browser-based remote access, but via an app rather than a browser.

The main concern with this approach is the security risk associated with port forwarding in both mobile and PC-based applications. Internet-wide port scanning is routine, so any forwarded port is found quickly, and from then on the exposed HMI web server, VNC service or remote-desktop PC is reachable by anyone and is only as well protected as its own login and patch level; a compromise of that service is a foothold on the plant network. While port forwarding can be extremely efficient and useful within a corporate or plant network, it is extremely dangerous at the internet-corporate interface. Organisations should avoid the standard router approach for new installations and should convert existing standard router installations to a more secure solution, such as a cloud-hosted VPN router.
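As an added illustration of the point above (this is not code from the white paper), the following Python script audits a standard router's NAT table in iptables-save format and flags every port forward that exposes a plant device. The rule set is constructed for the example: eth0 is assumed to be the WAN interface, 203.0.113.0/24 is documentation address space standing in for an OEM office that was granted a source-restricted forward, and the port-to-service names are labels for the report only.

```python
"""Audit a standard router's port-forwarding rules for exposed plant services.

Added example, not from the original white paper. Input is the NAT table in
iptables-save format; the sample rule set below is constructed.
"""
import ipaddress
from dataclasses import dataclass

# Labels for the report only (well-known or vendor-registered ports). A forward
# is flagged whether or not its port appears here.
KNOWN_SERVICES = {
    80: "HTTP (HMI web server)",
    443: "HTTPS (HMI web server)",
    502: "Modbus/TCP",
    5900: "VNC",
    5938: "TeamViewer",
    44818: "EtherNet/IP",
}

# Constructed `iptables-save -t nat` output from a standard router whose WAN
# interface is eth0. 203.0.113.0/24 (RFC 5737 documentation space) stands in
# for an OEM office that has been granted a source-restricted forward.
SAMPLE_NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.10.20:5900
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.10.10:80
-A PREROUTING -i eth0 -s 203.0.113.0/24 -p tcp -m tcp --dport 502 -j DNAT --to-destination 192.168.10.5:502
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""


@dataclass
class Forward:
    proto: str
    wan_port: int
    source: ipaddress.IPv4Network   # who may use the forward; 0.0.0.0/0 = anyone
    lan_host: str
    lan_port: int

    @property
    def service(self) -> str:
        # Classify by the LAN-side port: WAN 8080 -> LAN 80 still exposes the
        # HMI web server; an unusual external port hides nothing from a scanner.
        return KNOWN_SERVICES.get(self.lan_port, f"{self.proto}/{self.lan_port}")

    @property
    def open_to_internet(self) -> bool:
        return self.source.prefixlen == 0


def _options(tokens):
    """Map iptables-save tokens to {flag: value} ({flag: True} for bare flags)."""
    opts, i = {}, 0
    while i < len(tokens):
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        opts[tokens[i]] = tokens[i + 1] if has_value else True
        i += 2 if has_value else 1
    return opts


def parse_forward(line: str):
    """Return a Forward for a PREROUTING DNAT rule, or None for any other line."""
    tokens = line.split()
    if tokens[:2] != ["-A", "PREROUTING"]:
        return None
    opts = _options(tokens[2:])
    if opts.get("-j") != "DNAT" or "--dport" not in opts:
        return None
    host, _, port = opts["--to-destination"].partition(":")
    return Forward(
        proto=opts.get("-p", "any"),
        wan_port=int(opts["--dport"]),
        source=ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"), strict=False),
        lan_host=host,
        lan_port=int(port) if port else int(opts["--dport"]),
    )


def audit(nat_table: str):
    """One finding per forward, internet-open ones first."""
    findings = []
    for line in nat_table.splitlines():
        fwd = parse_forward(line)
        if fwd is None:
            continue
        findings.append({
            "severity": "HIGH" if fwd.open_to_internet else "MEDIUM",
            "wan_port": fwd.wan_port,
            "target": f"{fwd.lan_host}:{fwd.lan_port}",
            "service": fwd.service,
            "source": str(fwd.source),
        })
    findings.sort(key=lambda f: f["severity"] != "HIGH")   # stable: keeps rule order
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_NAT_RULES):
        print(f"{f['severity']:<6} WAN {f['wan_port']:>5} -> {f['target']:<20} "
              f"{f['service']}  (source {f['source']})")
```

Run it against the real `iptables-save -t nat` output of a router to get the same report. Every HIGH finding is a service the whole internet can reach; the MEDIUM one is still a hole, just a smaller one, and the recommended fix for both is the same: remove the forward and reach the device through a VPN instead.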

Traditional VPN router advantages

This option requires a local VPN router to connect through the internet via a secure VPN tunnel to a second remote VPN router or software client. Once connected, remote users can access automation components connected to the local router and all associated networked devices through the VPN tunnel, just as if they were connected directly at the plant/controls network.

There are no cloud-hosted VPN servers between the two devices with either method of connection: VPN router to VPN router, or VPN router to VPN software client. This implementation is preferred when there are large amounts of data to be continuously exchanged between the local and remote sites, as with remote viewing of local video. This solution is widely used, and it was the only method of secure two-way access prior to the introduction of cloud-based remote access solutions. It can be complex and costly in terms of internal resources required for support, both at the local and the remote site.

Traditional VPN design considerations

The main design consideration for this option is the capability and willingness of an IT team to support this solution at both the local and remote sites. For example, an OEM machine builder must consider every customer site and ensure all of its customers are willing to provide IT support. If not, the OEM will have to customise its remote access solution for each customer.

This solution is often more expensive upfront than a cloud-hosted VPN because of increased hardware cost and the IT resources required to configure the connection. Some companies have a dedicated IT staff to provide this support, but many smaller companies do not. Ongoing external costs are lower because there are no monthly cloud service fees, but internal costs are higher due to the need for IT support.

IT must open an inbound VPN port on the firewall. This provides full remote control and monitoring, as it effectively creates one network joining local and remote users, but it also presents a security concern: the VPN service behind that port is internet-facing and must be kept patched and protected from unwanted access at all times. Ongoing security vigilance is required to ensure the router and VPN protocols remain up to date, and other technical considerations must also be addressed, including:

• Firewall configuration may be challenging.

• Subnet conflicts must be managed across sites with similar network design.

• User management and access must be well controlled.

• Event logging is not usually implemented and must be added if needed.

• Security certificates must be created and managed.

• Advanced networking knowledge is required.

• Client configuration is needed for each connection point.

Despite some drawbacks, this is the preferred VPN solution when the application requires high data bandwidth, or if there is a need to avoid reliance on a hosting vendor. IT staff must be available and willing to maintain security standards and make firewall changes.
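Of the design considerations listed above, the subnet conflict is the one most often hit in practice when an OEM joins several customer sites that all run a router's factory-default LAN range. The following Python example, added here and not taken from the white paper, checks a set of site subnets for overlap and plans a 1:1 NAT range for each site that collides; the site names, LAN ranges and the 10.200.0.0/16 NAT pool are constructed for the example.

```python
"""Detect overlapping site subnets before joining them with a traditional VPN,
and plan 1:1 NAT ranges for the ones that collide.

Added example, not from the white paper. Site names, LAN ranges and the
10.200.0.0/16 NAT pool are constructed.
"""
import ipaddress
from itertools import combinations

# Constructed: the OEM's support network (where the VPN client lives) and three
# customer sites. Two of them still run the router's factory-default range.
SITES = {
    "oem-support": "10.50.0.0/24",
    "customer-a": "192.168.1.0/24",
    "customer-b": "192.168.1.0/24",    # same default range as customer-a
    "customer-c": "192.168.1.128/25",  # sits inside customer-a's range
}


def find_conflicts(sites):
    """Return every pair of sites whose LAN ranges overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    return [(a, b) for (a, na), (b, nb) in combinations(nets.items(), 2)
            if na.overlaps(nb)]


def plan_nat(sites, pool="10.200.0.0/16"):
    """Give each site a range that is unique across the VPN.

    Sites are taken in order; the first site to claim an address range keeps
    it, and any later site that collides with an already-claimed range is
    mapped 1:1 onto an unused block of the same size from `pool`. The result
    is what remote users (and the VPN's routes/AllowedIPs) must use to reach
    each site. Raises ValueError if the pool itself collides with a site or
    runs out of space.
    """
    pool_net = ipaddress.ip_network(pool)
    claimed = []   # real or translated ranges already reachable over the VPN
    plan = {}
    for name, cidr in sites.items():
        net = ipaddress.ip_network(cidr)
        if pool_net.overlaps(net):
            raise ValueError(f"NAT pool {pool} overlaps {name} ({cidr})")
        if not any(net.overlaps(c) for c in claimed):
            plan[name] = cidr
            claimed.append(net)
            continue
        # Same prefix length so the translation is a plain 1:1 address rewrite.
        candidate = next(
            (s for s in pool_net.subnets(new_prefix=net.prefixlen)
             if not any(s.overlaps(c) for c in claimed)),
            None,
        )
        if candidate is None:
            raise ValueError(f"NAT pool {pool} exhausted at {name}")
        plan[name] = str(candidate)
        claimed.append(candidate)
    return plan


if __name__ == "__main__":
    for a, b in find_conflicts(SITES):
        print(f"conflict: {a} ({SITES[a]}) overlaps {b} ({SITES[b]})")
    for name, cidr in plan_nat(SITES).items():
        note = "" if cidr == SITES[name] else f"   (1:1 NAT from {SITES[name]})"
        print(f"{name:<12} reach via {cidr}{note}")
```

The translated ranges are what go into the remote client's routing table; the real range stays in use inside each plant, and the site's VPN router performs the 1:1 rewrite. Running the check before the first tunnel is built is far cheaper than discovering the collision when two customers' PLCs answer on the same address.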

Cloud-hosted VPN router advantages

Cloud-hosted VPN solutions provide a secure connection with simple setup and network configuration. A typical cloud-hosted VPN solution consists of a local VPN router, a cloud-hosted VPN server, a VPN client and the connected automation components.

A secure connection is established after the local router (at the plant/controls network) and the VPN client (software installed on the user's laptop or mobile device) have each connected to the cloud-hosted VPN server. The local router makes its connection immediately on startup, whereas a VPN client connects only on a verified request from a remote user. Once both connections are in place, all data between the client and the plant is carried inside the encrypted tunnel and relayed by the cloud server, which therefore sits inside the trust boundary alongside the router and the client.

Most cloud-hosted VPN solutions provide a free monthly bandwidth allocation for basic operation, throttle data access once this allocation is reached, and offer a premium plan for additional bandwidth. For example, AutomationDirect's StrideLinx solution offers 5GB of VPN data exchange per month for free, sufficient for most troubleshooting, monitoring and programming needs.

This solution carries a low perimeter risk because the local router initiates the communication to the server as an outbound connection over standard ports that are typically already open, such as https; nothing on the plant side listens for inbound connections from the internet. This usually requires no change to the corporate IT firewall and satisfies most IT security concerns. The trade-off is that access to the plant network is now gated by the cloud platform's user accounts rather than by a firewall rule, so those accounts, and the vendor's handling of them, deserve the same scrutiny a firewall change would get. For added confidence, users should look for cloud-hosted VPN suppliers with an independently certified information security management system, such as ISO/IEC 27001 (the 2013 edition cited by many suppliers, or its 2022 revision), which indicates the supplier has implemented comprehensive security programmes and controls.

Another advantage of a cloud-hosted VPN solution is extremely simple router configuration. Since the secure local router will be connected to a predefined cloud server, the router comes preconfigured with complicated VPN networking settings in place, allowing non-IT staff to easily install this solution. All that’s required is knowing the IP addresses of the automation components connected to the local area network, and whether their ISP or corporate wide area network router (not the cloud-hosted VPN router) provides IP addresses dynamically or statically.

In addition to a wired LAN option, the cloud-hosted VPN router should include Wi-Fi and 4G LTE connectivity options. Wi-Fi provides access point or client connection and lets plant personnel reach the local router's LAN wirelessly, which is safer and more convenient than opening the panel to reach the physical LAN ports. Note that an access point on the controls LAN is itself a wireless entry point into the plant network, so it should use WPA2 or WPA3 with a strong passphrase and be switched off when not required. 4G LTE connectivity provides access from remote locations without internet access, or from locations that do not have access to the corporate network.

Other advanced options included with some platforms are cloud data logging and alarm notification. These services allow users to log system data and receive customised critical alarms on their mobile devices or laptops, providing a convenient, web-based historical record of system performance available whenever needed.

Platform branding is helpful for an OEM looking to market its own Industry 4.0 solution by private labelling the StrideLinx platform. The OEM receives its own unique URL and home page logo, promoting its brand every time its customers access their machines.

Cloud-hosted VPN design considerations

The hosted VPN solution does not require an IT team for support because it’s simple to implement and maintain, and it is accepted as secure by most companies. Those companies that would not accept a cloud-hosted VPN solution for security reasons would likely not accept a traditional VPN either because of its required firewall changes.

The simplicity of this solution comes at the cost of limiting some of the advanced routing features that may be required for sophisticated networks such as machine-to-machine networking, advanced NAT configuration and access control lists. However, for most users these advanced features are not required.

Other design considerations depend on the specific features offered by the cloud-hosted VPN vendor: where a feature is built in, the corresponding integration work disappears, and where it is missing, the user must supply it separately. The key features are data logging, widgets for configuring remote access screens, a web-based platform for router configuration and a digital input for enabling/disabling remote access.

The traditional VPN solution requires supply and configuration of a third-party HMI, either PC-based or embedded, to provide data logging and widgets for configuring remote access screens. Instead, the cloud-hosted VPN option may provide data logging functionality in the form of collection, storage and display of data via a cloud-based platform. This allows users to log and access a virtually unlimited amount of data, while only paying for the required capacity. Users can start with a small number of data points and then scale up as needed.

Some cloud-hosted VPN solutions provide widgets for users to configure dashboards for data visualisation on their PC or mobile device. If this feature is not provided, the additional software and effort required for designing remote access viewing screens can be cumbersome. Cloud-based data logging typically requires an additional licence or subscription from the cloud-hosted VPN vendor to collect and store the data in the cloud, and this cost must be considered, particularly since it doesn’t exist with the traditional VPN option.

Cloud-based notifications provide mobile push notifications or email alerts, for example when a process parameter exceeds its limits or when process steps are completed. This is an important advantage because alerts and notifications can be quickly configured in the cloud platform to inform users when parameters fall outside a predefined range.

Those considering this solution must have a high level of trust in the hosted VPN vendor, since it brokers every remote session and is responsible for storing data securely and making it available only to those who need it. Monthly costs for data bandwidth exceeding the free limit must also be considered, particularly compared to the much lower, in some cases near-zero, ongoing external cost of a traditional VPN solution.

A web-based platform provides quick and easy configuration of the VPN router, often as simple as registering an account, configuring and downloading router settings, and installing a secure client on a PC. One of the main advantages of a web-based platform over PC-based configuration is that platform features can be updated without the user reinstalling a new version. This is particularly useful in the cases where new features are added on a regular basis.

An important safety feature for the VPN router is a digital input for a switch that locally enables or disables remote communications, preventing remote control of a machine during maintenance periods. The input should be wired so that the open or de-energised state disables remote access, so that a broken wire or a powered-down switch fails safe. If this option is not provided, it must be engineered separately, which adds cost and design time.
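As an added example of the interlock described above (not code from the white paper or from any vendor's router firmware), the following Python class models the gate logic a router would run against that digital input: remote sessions are admitted only while the input reads enabled, and an open switch, an unknown reading at power-up or after a read fault, or an expired session lifetime all close the gate and drop active sessions. The FakeClock and the user names in the walk-through are constructed for the example.

```python
"""Fail-closed remote-access interlock driven by a local enable input.

Added example, not from the white paper or any router firmware. The gate
admits remote sessions only while the digital input reads ENABLED; a
disabled switch, an unknown reading (power-up or read fault) or an expired
session lifetime all close the gate and drop active sessions.
"""
from enum import Enum


class EnableInput(Enum):
    UNKNOWN = "unknown"    # power-up, or the last read failed
    DISABLED = "disabled"  # switch open: maintenance, no remote sessions
    ENABLED = "enabled"    # switch closed: remote sessions permitted


class RemoteAccessGate:
    """Anything other than a confirmed ENABLED reading is treated as disabled."""

    def __init__(self, clock, max_session_s=3600):
        self._clock = clock            # injected for tests; use time.monotonic in practice
        self._max_session_s = max_session_s
        self.input = EnableInput.UNKNOWN
        self.sessions = {}             # user -> session start time
        self.log = []                  # (time, event, detail) audit trail

    def _record(self, event, detail=""):
        self.log.append((self._clock(), event, detail))

    def update_input(self, reading):
        """Feed the latest input sample: True/False, or None on a read fault."""
        new = {True: EnableInput.ENABLED, False: EnableInput.DISABLED}.get(
            reading, EnableInput.UNKNOWN)
        if new is not self.input:
            self._record("input", f"{self.input.value} -> {new.value}")
            self.input = new
        if new is not EnableInput.ENABLED:
            self._drop_all(f"input {new.value}")

    def request_session(self, user):
        """Admit a remote user only while the local input permits it."""
        if self.input is not EnableInput.ENABLED:
            self._record("denied", f"{user}: input {self.input.value}")
            return False
        self.sessions[user] = self._clock()
        self._record("admitted", user)
        return True

    def tick(self):
        """Call periodically; expires overlong sessions and returns the live count."""
        now = self._clock()
        for user, started in list(self.sessions.items()):
            if now - started > self._max_session_s:
                del self.sessions[user]
                self._record("expired", user)
        return len(self.sessions)

    def _drop_all(self, reason):
        for user in list(self.sessions):
            del self.sessions[user]
            self._record("dropped", f"{user}: {reason}")


class FakeClock:
    """Deterministic clock for the walk-through; replace with time.monotonic."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


if __name__ == "__main__":
    clk = FakeClock()
    gate = RemoteAccessGate(clk, max_session_s=60)
    print("power-up request admitted:", gate.request_session("oem-tech"))
    gate.update_input(True)
    print("after enable admitted:", gate.request_session("oem-tech"))
    clk.t = 30
    gate.update_input(None)      # wiring fault mid-session: sessions dropped
    print("sessions after read fault:", gate.sessions)
    for t, event, detail in gate.log:
        print(f"t={t:>4.0f} {event:<9} {detail}")
```

The design choice worth copying is that the gate never infers "enabled" from silence: an input that has not been read, or whose read failed, denies new sessions and ends existing ones, which matches the hard-wired fail-safe behaviour the switch itself should have.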

Mobile app-based remote access

Industrial HMI and PLC components are increasingly supported with mobile apps, providing users with remote access anytime from anywhere, with both monitoring and control capability. In order to securely access industrial equipment, the mobile device must also employ VPN technology to encrypt the data from the mobile device to the plant network. Without mobile VPN, the firewall ports at the plant will need to be opened, creating a similar scenario to the standard router solution, and leaving the plant network vulnerable to a cyber-attack.

The solution is to use a traditional or hosted VPN providing a secure VPN connection for both laptops and mobile devices. Once securely connected to the plant network through the mobile VPN app, the third-party HMI or PLC app can be opened and used to connect to the local HMI and PLC components exactly as if the mobile user were on-site, because the tunnel places the device on the plant network.

Traditional mobile VPN solutions are relatively easy to implement on the mobile user side, but they again require IT staff to deploy and support. Hosted VPN solutions are significantly easier to deploy, but only available from a limited number of industrial VPN suppliers. AutomationDirect’s StrideLinx routers provide a hosted VPN solution with VPN connections for both laptops and mobile devices. Both iOS and Android mobile device apps are available, providing users a secure connection from any device to the plant network.

App-based access in action

As mentioned earlier, some cloud-hosted VPN vendors go beyond secure VPN remote access and also provide app-based access to data logging software running in the cloud, along with widgets for configuring customised dashboards to be viewed remotely.

This built-in cloud logging would be particularly effective for an OEM machine builder with thousands of machines installed worldwide at hundreds of different locations, each with multiple users. The OEM would simply provide a VPN router for each machine, pre-configured to log data, and including customised dashboards for remote viewing on an Android or iOS app. No effort would be required by the OEM’s customers to configure, install or maintain remote access software − other than installing an app on their smart phone or tablet.

For more comprehensive access beyond dashboards, remote users could securely access local HMIs and PLCs via apps using the mobile VPN provided by the hosted VPN supplier. For example, AutomationDirect’s C-more HMI mobile app works securely when used in conjunction with the StrideLinx VPN router. And of course, local equipment could also be securely accessed remotely by a PC for programming, monitoring or troubleshooting.

Conclusion

This white paper examined the three router-based methods for establishing remote access to industrial systems via a PC or mobile device: standard router, traditional VPN and hosted VPN.

Standard router solutions are not cybersecure, and therefore should not be used for new applications, and should be replaced in any existing applications. Traditional VPN solutions are difficult to configure and support, with cybersecurity primarily the responsibility of the end user. But when properly deployed, these solutions can be used for secure remote access by mobile devices and PCs, although PC-based access does require firewall modifications, which may not be supported or even allowed by all of an OEM’s customers.
