Selecting the best remote access solution for your application

September 2024 PLCs, DCSs & Controllers

In today’s Internet of Things (IoT) world, remote mobile access is a necessity for many industrial applications. There are several ways of implementing this connectivity with routers and virtual private networks (VPNs). Three of the most popular methods are:

• Standard router (without VPN).

• Traditional VPN router.

• Cloud-hosted VPN router.

The first solution is a standard router. Although it is not secure, it is still widely used in many existing mobile HMI applications, and even in some newer ones. Its primary attraction is low cost, but the approach is discouraged because it relies on port forwarding through the firewall, which places each forwarded HMI, PC or PLC service directly on the internet and exposes the plant network to external threats.

The second solution is a traditional VPN router, which creates a secure tunnel from one location to another. This option requires significant IT skills and greater investment to implement and sustain than either of the two other options, but it offers a secure solution with some significant advantages.

The third solution is a cloud-hosted VPN router, which simplifies IT complexity by creating an encrypted connection from a local VPN router to a cloud-hosted VPN router via the internet. Remote users can then securely access the local components and systems via the cloud-hosted VPN router. This option provides a high degree of cybersecurity, along with relatively simple configuration and maintenance.

Each solution can support various PC-based remote access applications, along with access via smart phone and tablet apps, but with different levels of cybersecurity.

This white paper will compare the three types of remote access solutions for both PCs and mobile devices, and it will examine the advantages and design considerations for each.

Standard router advantages and design concerns

In many industrial applications, a standard router and firewall is used to protect the corporate and industrial plant network, requiring users to configure and manage all routing and firewall settings manually. This type of router does not usually have a VPN to encrypt data, but rather creates port forwarding ‘holes’ in the firewall for remote users to access specific applications and components in the plant network.

Most HMI users want the same level of access, whether they are remote or local. Laptops normally connect to the HMI web server for monitoring data and making changes to setpoints and other parameters, or they connect to the HMI with programming software to troubleshoot or make program changes.

In order to connect remotely using a standard router, port forwarding is usually configured to allow access to the HMI, or to a local PC running remote access software, such as TeamViewer or VNC Connect. The local PC provides the remote user with the ability to run the HMI programming software.

HMI mobile apps also require port forwarding so the remote user can access the local HMI for control or viewing data. These apps usually provide the same functionality as browser-based remote access, but via an app rather than a browser. The main concern with this approach is the security risk associated with port forwarding in both mobile and PC-based applications. Internet-wide port scanning makes it trivial for an attacker to discover which ports a firewall forwards, and each forwarded port hands the attacker direct access to the service behind it: an HMI login page, a VNC or TeamViewer session on the engineering PC, or a PLC protocol with no authentication at all. From there the attacker is inside the corporate or plant network.

While port forwarding can be extremely efficient and useful when done within a corporate or plant network, it is extremely dangerous to use this functionality at the internet-corporate interface. Organisations should avoid this standard router approach for new installations, and should convert existing standard router installations to a more secure solution, such as a cloud-hosted VPN router.
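To make the port-forwarding risk concrete, here is an added example (not code from the article or from any router vendor) that audits a constructed, vendor-neutral rule list: any rule that forwards traffic arriving on the WAN interface to a host on the plant LAN is reported, rated by what its destination port normally carries. The rule model, the port table, the host addresses and both rulesets are assumptions made for the example; the second ruleset shows the outbound-only posture that the VPN options described below aim for.

```python
"""Audit a router's port-forwarding rules for internet-exposed plant services.

Added example (not from the article or any vendor): a constructed, vendor-neutral
rule model. It flags rules that forward traffic arriving on the WAN interface to
hosts on the plant LAN and rates them by what the destination port usually carries
(HMI web servers, remote desktop, PLC protocols). Run it to see the standard-router
ruleset fail and the outbound-only ruleset pass.
"""
from dataclasses import dataclass
import ipaddress

# Well-known port/service pairings; the risk notes are this example's own summary.
RISKY_PORTS = {
    80:    ("HTTP (HMI web server)", "cleartext; HMI logins are often weak or absent"),
    443:   ("HTTPS (HMI web server)", "encrypted, but the login page itself is internet-facing"),
    5900:  ("VNC", "remote desktop of the engineering PC"),
    3389:  ("RDP", "remote desktop of the engineering PC; routine brute-force target"),
    502:   ("Modbus/TCP", "no authentication; a write changes live process values"),
    44818: ("EtherNet/IP", "no authentication; PLC programming and monitoring"),
    102:   ("ISO-TSAP (S7comm)", "no authentication; PLC programming and monitoring"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    iface: str        # interface the packet arrives on: "wan" or "lan"
    action: str       # "forward" (DNAT into the LAN) or "allow"
    proto: str
    dst_port: int
    dst_host: str     # LAN host the packet is forwarded to (for "forward")
    source: str = "0.0.0.0/0"   # permitted source CIDR


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    service: str
    reason: str


def audit(rules, plant_lan):
    """Return one Finding per rule that exposes a plant-LAN listener to the WAN."""
    lan = ipaddress.ip_network(plant_lan)
    findings = []
    for r in rules:
        # Only inbound-from-WAN forwards into the plant LAN create an exposed listener.
        if r.iface != "wan" or r.action != "forward":
            continue
        if ipaddress.ip_address(r.dst_host) not in lan:
            continue
        src = ipaddress.ip_network(r.source, strict=False)
        service, reason = RISKY_PORTS.get(
            r.dst_port, ("unrecognised service", "unknown listener exposed to the internet"))
        # Any-source forwards are reachable by every scanner on the internet; a
        # source-restricted forward is still a listener, just a narrower one.
        severity = "CRITICAL" if src.num_addresses > 1 else "HIGH"
        findings.append(Finding(r.name, severity, service, f"{reason}; source {src}"))
    return findings


# Constructed ruleset typical of the "standard router" approach.
STANDARD_ROUTER = [
    Rule("hmi-web", "wan", "forward", "tcp", 80, "192.168.1.20"),
    Rule("eng-pc-vnc", "wan", "forward", "tcp", 5900, "192.168.1.50", source="203.0.113.10/32"),
    Rule("plc-modbus", "wan", "forward", "tcp", 502, "192.168.1.10"),
    Rule("lan-out", "lan", "allow", "tcp", 443, "0.0.0.0"),
]

# Constructed ruleset for the outbound-only model: nothing is forwarded in, and only
# the VPN router may leave the LAN, on HTTPS to the hosted VPN service.
OUTBOUND_ONLY = [
    Rule("vpn-router-out", "lan", "allow", "tcp", 443, "0.0.0.0", source="192.168.1.2/32"),
]

if __name__ == "__main__":
    for name, rules in (("standard router", STANDARD_ROUTER), ("outbound only", OUTBOUND_ONLY)):
        found = audit(rules, "192.168.1.0/24")
        print(f"{name}: {len(found)} exposed listener(s)")
        for f in found:
            print(f"  [{f.severity}] {f.rule}: {f.service} - {f.reason}")
```

Real routers express the same rules in their own syntax (iptables or nftables DNAT rules, a vendor web UI's "virtual server" table), but the check is the same: enumerate every WAN-inbound forward and treat each one as an internet-facing listener until proven otherwise. Restricting the source address, as in the VNC rule, narrows the exposure but does not remove it.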

Traditional VPN router advantages

This option requires a local VPN router to connect through the internet via a secure VPN tunnel to a second remote VPN router or software client. Once connected, remote users can access automation components connected to the local router and all associated networked devices through the VPN tunnel, just as if they were connected directly at the plant/controls network.

There are no cloud-hosted VPN servers between the two devices with either method of connection: VPN router to VPN router, or VPN router to VPN software client. This implementation is preferred when there are large amounts of data to be continuously exchanged between the local and remote sites, as with remote viewing of local video.

This solution is widely used, and it was the only method of secure two-way access prior to the introduction of cloud-based remote access solutions. It can be complex and costly in terms of internal resources required for support, both at the local and the remote site.

Traditional VPN design considerations

The main design consideration for this option is the capability and willingness of an IT team to support this solution at both the local and remote sites. For example, an OEM machine builder must consider every customer site, and ensure all of its customers are willing to provide IT support. If not, the OEM will have to customise its remote access solution for each customer.

This solution is often more expensive upfront than a cloud-hosted VPN because of increased hardware costs and the IT resources required to configure the connection. Some companies have a dedicated IT staff to provide this support, but many smaller companies do not. Ongoing external costs are lower, because there are no monthly cloud service fees, but internal costs are higher due to the need for IT support.

IT must open an inbound VPN port on the firewall. This provides full remote control and monitoring, as it effectively creates one network joining local and remote users, but the VPN endpoint then becomes an internet-facing listener: it must be kept patched, limited to strong authentication (certificates or keys rather than shared passwords) and monitored for failed connection attempts, because it is the one door into the joined network. Ongoing security vigilance is required to ensure the router firmware and VPN protocols remain up to date, and other technical considerations must also be addressed, including:

• Firewall configuration may be challenging.

• Subnet conflicts must be managed across sites with similar network design.

• User management and access must be well controlled.

• Event logging (who connected, when, and from where) is often not enabled by default and must be configured and retained if an audit trail is needed.

• Security certificates must be created, distributed, rotated and revoked.

• Advanced networking knowledge is required.

• Client configuration is needed for each connection point.

Despite some drawbacks, this is the preferred VPN solution when the application requires high data bandwidth, or if there is a need to avoid reliance on a hosting vendor. IT staff must be available and willing to maintain security standards and make firewall changes.
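The subnet-conflict bullet is the one that bites OEM machine builders most often, so here is an added example (not code from the article or from any VPN vendor) of the planning check: given each site's LAN prefix, it lists the overlapping pairs and assigns each conflicting site a unique translated prefix from a pool, which is the 1:1 NAT workaround most site-to-site VPN routers support. Site names, prefixes and the pool are constructed inputs; `translate` shows which address the remote engineer would use to reach a given PLC after translation.

```python
"""Detect LAN subnet conflicts across VPN-joined sites and plan 1:1 NAT around them.

Added example, not code from the article or any VPN vendor. An OEM's traditional
VPN joins its engineering network to many customer plant LANs; when two of them use
the same private range (192.168.1.0/24 is the usual offender) a route to one hides
the other. This checks every pair for overlap and gives each conflicting site a
unique translated prefix from a pool. Site names, prefixes and the pool are
constructed inputs.
"""
import ipaddress


def find_conflicts(sites):
    """Return sorted (site_a, site_b) pairs whose subnets overlap. `sites` maps name -> CIDR."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def plan_nat(sites, pool):
    """Assign every site involved in a conflict a unique prefix carved from `pool`.

    Returns {site: translated_network}. Sites with no conflict keep their own range
    and are omitted. The translated prefix has the same length as the site's real
    prefix, so a 1:1 (netmap) NAT needs no renumbering of plant devices.
    """
    pool_net = ipaddress.ip_network(pool)
    real_nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    conflicted = sorted({s for pair in find_conflicts(sites) for s in pair})
    taken = list(real_nets.values())   # never hand out a range a real site already uses
    plan = {}
    for site in conflicted:
        want = real_nets[site].prefixlen
        if want < pool_net.prefixlen:
            raise ValueError(f"{site}: /{want} is larger than pool {pool_net}")
        for cand in pool_net.subnets(new_prefix=want):
            if not any(cand.overlaps(t) for t in taken):
                plan[site] = cand
                taken.append(cand)
                break
        else:
            raise ValueError(f"pool {pool_net} exhausted before {site} could be mapped")
    return plan


def translate(addr, real_cidr, nat_cidr):
    """Map a host in real_cidr to its 1:1 NAT twin in nat_cidr (host bits unchanged)."""
    real = ipaddress.ip_network(real_cidr)
    nat = ipaddress.ip_network(nat_cidr)
    if real.prefixlen != nat.prefixlen:
        raise ValueError("1:1 NAT requires equal prefix lengths")
    host = int(ipaddress.ip_address(addr)) - int(real.network_address)
    if not 0 <= host < real.num_addresses:
        raise ValueError(f"{addr} is not inside {real}")
    return str(nat.network_address + host)


# Constructed inventory: the OEM's own network plus four customer sites.
SITES = {
    "oem-engineering": "10.0.0.0/24",
    "customer-a": "192.168.1.0/24",
    "customer-b": "192.168.1.0/24",     # same default range as customer-a
    "customer-c": "192.168.1.0/25",     # smaller range, still inside the same /24
    "customer-d": "172.16.5.0/24",      # unique, needs no translation
}
NAT_POOL = "10.200.0.0/16"             # reserved on the OEM side for translated sites

if __name__ == "__main__":
    for a, b in find_conflicts(SITES):
        print(f"conflict: {a} {SITES[a]} overlaps {b} {SITES[b]}")
    plan = plan_nat(SITES, NAT_POOL)
    for site, nat in plan.items():
        print(f"{site}: {SITES[site]} -> {nat}")
    # A PLC at 192.168.1.10 on customer-b is reached via its translated address.
    print("customer-b PLC:", translate("192.168.1.10", SITES["customer-b"], str(plan["customer-b"])))
```

The pool is checked against every real site range as well as against earlier assignments, so the workaround cannot itself create a new conflict; the same mapping table is what gets entered into each site router's 1:1 NAT (netmap) configuration and into the remote client's routes.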

Cloud-hosted VPN router

Cloud-hosted VPN solutions provide a secure connection, with simple setup and network configuration. Typical cloud-hosted VPN solutions include a local VPN router, a cloud-hosted VPN server, a VPN client, and connected automation components.

A secure connection is established after the local router (at the plant/controls network) and the VPN client (software installed on the user's laptop or mobile device) each make an outbound connection to the cloud-hosted VPN server. The local router makes this connection immediately upon startup, but a VPN client only connects after the remote user has authenticated to the platform and requested access. Once both connections have been made, all data passing through the VPN tunnel is encrypted; whether the hosted server can read the plaintext or only relays encrypted packets between the two endpoints depends on the vendor's design, and is worth asking before committing plant traffic to it.

Most cloud-hosted VPN solutions provide a free monthly bandwidth allocation for basic operation, and then throttle data access once this allocation is reached, and also offer a premium plan for additional bandwidth. For example, AutomationDirect’s StrideLinx solution offers 5GB of VPN data exchange per month for free, sufficient for most troubleshooting, monitoring and programming needs.

This solution presents a much smaller exposed attack surface, as the local router initiates communication to the server via an outbound connection through standard ports that are typically already open, such as HTTPS (TCP 443). No inbound listener exists on the plant firewall, so this usually requires no changes to the corporate IT firewall and satisfies most IT security concerns. The trade-off is that the hosting vendor now sits in the access path: a weak or phished platform password opens the same tunnel, so multi-factor authentication for platform logins and per-site, per-user access rights belong on the evaluation checklist. For added security confidence, users should look for cloud-hosted VPN solutions whose supplier operates an independently certified information security management system, such as ISO/IEC 27001 (the 2013 edition still cited by many suppliers has been superseded by ISO/IEC 27001:2022), as certification indicates the supplier has implemented documented security programmes and controls.

Another advantage of a cloud-hosted VPN solution is extremely simple router configuration. Since the secure local router will be connected to a predefined cloud server, the router comes preconfigured with complicated VPN networking settings in place, allowing non-IT staff to install this solution easily. All that is required is knowing the IP addresses of the automation components connected to the local area network, and whether their ISP or corporate wide area network router (not the cloud-hosted VPN router) provides IP addresses dynamically or statically.

In addition to a wired LAN option, the cloud-hosted VPN router should include Wi-Fi and 4G LTE connectivity options. Wi-Fi, as either an access point or a client, lets plant personnel reach the local router's LAN wirelessly, which is safer and more convenient than opening the panel to reach the physical LAN ports; since it is another way onto the controls network, it should be protected with a strong passphrase and disabled when not needed. 4G LTE provides connectivity at sites with no wired internet, or where the machine is not permitted on the customer's corporate network.

Other advanced options included with some platforms are cloud data logging and alarm notification. These services allow users to log system data and receive customised critical alarms on their mobile devices or laptops, providing a convenient, web-based historical record of system performance, available whenever needed.

Platform branding is helpful for an OEM looking to market its own Industry 4.0 solution by privately labelling the StrideLinx platform. The OEM receives its own unique URL and home page logo, promoting its brand every time its customers access their machines.

Cloud-hosted VPN design considerations

The hosted VPN solution does not require an IT team for support because it is simple to implement and maintain, and it is accepted as secure by most companies. Those companies that would not accept a cloud-hosted VPN solution for security reasons would likely not accept a traditional VPN either, because of the firewall changes it requires.

The simplicity of this solution comes at the cost of limiting some of the advanced routing features that may be required for sophisticated networks such as machine-to-machine networking, advanced NAT configuration and access control lists. However, for most users these advanced features are not required.

Other design considerations depend on the specific features offered by the cloud-hosted VPN vendor. Including the following key features addresses these issues, while leaving them out may present problems: data logging, widgets for configuring remote access screens, a web-based platform for router configuration, and a digital input for enabling/disabling remote access.

The traditional VPN solution requires supply and configuration of a third-party HMI, either PC-based or embedded, to provide data logging and widgets for configuring remote access screens. Instead, the cloud-hosted VPN option may provide data logging functionality in the form of collection, storage and display of data via a cloud-based platform. This allows users to log and access a virtually unlimited amount of data, while paying only for the required capacity. Users can start with a small number of data points and then scale up as needed.

Some cloud-hosted VPN solutions provide widgets for users to configure dashboards for data visualisation on their PC or mobile device. If this feature is not provided, the additional software and effort required for designing remote access viewing screens can be cumbersome.

Cloud-based data logging typically requires an additional licence or subscription from the cloud-hosted VPN vendor to collect and store the data in the cloud, and this cost must be considered, particularly since it doesn’t exist with the traditional VPN option. Cloud-based notifications provide mobile push notifications or email alerts, for example when a process parameter exceeds its limits or when process steps are completed. This is an important advantage because alerts and notifications can be quickly configured in the cloud platform to inform users when parameters fall outside a predefined range.

Those considering this solution must have a high level of trust in the hosted VPN vendor, as it will be responsible for securely storing data and making it available to only those who need it. Monthly costs incurred for data bandwidth exceeding the free limit must also be considered, particularly compared to the relatively much lower cost, approaching zero in some cases, for a traditional VPN solution.

A web-based platform provides quick and easy configuration of the VPN router, often as simple as registering an account, configuring and downloading router settings, and installing a secure client on a PC. One of the main advantages of a web-based platform over PC-based configuration is that platform features can be updated without the user reinstalling a new version. This is particularly useful in the cases where new features are added on a regular basis.

An important safety feature for the VPN router is a digital input for a switch to locally enable or disable communications, preventing remote control of a machine during maintenance periods. If this option is not provided, it should be added on, which will add cost and design time.

Mobile app-based remote access

Industrial HMI and PLC components are increasingly supported with mobile apps, providing users with remote access anytime from anywhere, with both monitoring and control capability. In order to access industrial equipment securely, the mobile device must also employ VPN technology to encrypt the data from the mobile device to the plant network. Without mobile VPN, the firewall ports at the plant will need to be opened, creating a similar scenario to the standard router solution, and leaving the plant network vulnerable to a cyberattack.

The solution is to use a traditional or hosted VPN solution, providing a secure VPN connection for both laptops and mobile devices. Once securely connected to the plant network through the mobile VPN app, the third-party HMI or PLC app can then be opened and used to connect to the local HMI and PLC components as if the mobile user was on site, because he or she is there virtually. Traditional mobile VPN solutions are relatively easy to implement on the mobile user side, but they again require IT staff to deploy and support.

Hosted VPN solutions are significantly easier to deploy, but are only available from a limited number of industrial VPN suppliers. AutomationDirect’s StrideLinx routers provide a hosted VPN solution with VPN connections for both laptops and mobile devices. Both iOS and Android mobile device apps are available, providing users a secure connection from any device to the plant network.

App-based access in action

As mentioned earlier, some cloud-hosted VPN vendors go beyond secure VPN remote access and also provide app-based access to data logging software running in the cloud, along with widgets for configuring customised dashboards to be viewed remotely. This built-in cloud logging would be particularly effective for an OEM machine builder with thousands of machines installed worldwide at hundreds of different locations, each with multiple users. The OEM would simply provide a VPN router for each machine, pre-configured to log data, and including customised dashboards for remote viewing on an Android or iOS app. No effort would be required by the OEM’s customers to configure, install or maintain remote access software other than installing an app on their smart phone or tablet.

For more comprehensive access beyond dashboards, remote users could securely access local HMIs and PLCs via apps using the mobile VPN provided by the hosted VPN supplier. For example, AutomationDirect’s C-more HMI mobile app works securely when used in conjunction with the StrideLinx VPN router. And of course, local equipment could also be securely accessed remotely by a PC for programming, monitoring, or troubleshooting.

Conclusion

This white paper examined the three router-based methods for establishing remote access to industrial systems via a PC or mobile device: standard router, traditional VPN, and hosted VPN.

Standard router solutions are not cybersecure, and therefore should not be used for new applications, and should be replaced in any existing applications. Traditional VPN solutions are difficult to configure and support, with cybersecurity primarily the responsibility of the end user. But when properly deployed, these solutions can be used for secure remote access by mobile devices and PCs, although PC-based access does require firewall modifications, which may not be supported or even allowed by all an OEM’s customers.
