IT in Manufacturing


Remote industrial automation services via the Internet

October 2015 IT in Manufacturing

Remote access for servicing PLCs, HMI panels or other industrial equipment is becoming a must-have for most OEMs (Original Equipment Manufacturers) and system integrators in order to live up to their contractual obligations. It is not just about reducing travel costs; more critical are the contractual obligations for response time and uptime, and with the increasing complexity of industrial installations, efficient use of critical engineering resources is vital. Optimising service offerings and resources requires selecting the right solution for remote access, so that focus stays on the core business.

Identify the category of remote service that covers your needs

Remote monitoring

The term remote monitoring (or remote management) typically covers collecting specific predefined information from devices and processing it on a central server. The main purpose is to perform preventive or predictive maintenance, and if a critical problem is detected, a technician will travel on site. Note that such solutions are typically not designed to allow connections to be established through which you can service the equipment remotely. This type of solution is very common for utility installations.

Remote service via remote desktop

Several low-cost, or even free, solutions exist for providing remote desktop access to equipment inside a network. Most of them require that both ends are manned, which is typically not the case for a service PC at the factory. Solutions do exist that allow secure remote access to unmanned equipment inside local networks, but these are typically not cheap. Add to this the administrative task of maintaining a Windows PC (with its frequent security updates) and the potential cost of software licences for the PLC or HMI programming software packages installed on the PC, and the setup may seem less than ideal.

Remote service via port forwarding

Solutions in this category are typically based on a hardware unit at the site that acts as an Internet router to the equipment. The simplest solutions are based on the router having a fixed IP address on the Internet and 'routing' or 'port forwarding' incoming connections to the equipment, much like the traditional dial-up modems. This type of setup is typically seen for video surveillance. The risk of exposing access to industrial equipment directly on the Internet, using unencrypted connections, combined with the need for fixed IP addresses, essentially rules these solutions out.

Remote service via data tunnelling

This is the kind of solution that would fit most remote service needs. Traditional IT solutions based on VPNs have existed for more than a decade, but in recent years, VPN solutions specifically addressing the automation industry have multiplied. Most of them are just traditional VPN solutions packaged for automation use, by offering DIN rail mounting and 24 V power feed. Some vendors have taken a step further to hide complex IT configuration from the users and eliminate the need for changing firewall settings. These solutions typically involve a central M2M server, acting as a portal for user access control and data redirection. At least one vendor, namely the Danish company Secomea, has evolved away from VPN completely, and instead uses a concept of encrypted proxy connections for solving challenges that VPN technologies by nature have difficulty overcoming.

What to watch out for in relation to the above category

Ease of deployment – a vital part of overall security

Ease of installation and configuration is essential for saving time, and for enabling personnel without IT expertise to deploy the solution. It should not be necessary to configure firewall or routing rules, or to install third-party software that is not an integrated part of the solution. Installation and initial configuration should be possible for the same engineer who handles the electrical wiring, and user access control and configuration of device access should be manageable by the PLC programmer, the OEM project manager or the site administrator.

Using the customer network, and security argumentation

Typically a factory, or its machines, would run in a network isolated from the corporate office network, but typically it will only be the office network that can connect to the Internet. When using a standard VPN enabled router for accessing the machine network, you would typically connect its WAN side to the office network, and the LAN side to the machine network.

IT departments will not be happy about a third-party connection between the networks, even if you argue that the router has a built-in firewall that prevents unauthorised access between the networks. So you will have to explain precisely how the solution works and why it does not compromise security. Such information should be provided by the remote access solution vendor.

Additionally the solution must be able to establish its encrypted tunnel connection to the Internet based on ports that are commonly open. This would be 'web' ports, such as 80 (http) and 443 (https). Do not expect IT departments to open specific ports on your request.

Network conflict issues

Maybe one of the most common issues when connecting multiple users and networks together is 'network conflicts'. When connecting networks statically via routers or VPN connections, all networks must have different 'IP subnets'.

A typical issue is that two factories may use the same IP subnet. Most industrial remote access solutions solve that by dynamically establishing the connection on demand and closing it again when done. The only limitation is that the service engineer cannot be connected to both factories simultaneously, which would typically not be necessary either.

More critical is the scenario where the engineer sits in an IP subnet that is identical to that of the factory (e.g. a user sits in subnet 192.169.0.10/24, and attempts to connect via VPN to a factory that uses the exact same subnet). For routed technologies this will simply not work. It could be solved by making alias addresses and applying NAT (network address translation), but it is not trivial.
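
An added example, not part of the original article: a Python check that flags factory networks overlapping the engineer's own subnet and derives the alias addressing a 1:1 NAT would use to work around the conflict. The engineer address is the one quoted above; the factory networks, the alias pool 172.31.0.0/16 and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: the engineer address is the one quoted in the
# article; the factory networks and alias pool are assumptions.
ENGINEER = "192.169.0.10/24"
FACTORIES = {
    "factory_a": "192.169.0.0/24",    # identical to the engineer's subnet
    "factory_b": "10.20.0.0/16",      # no conflict
    "factory_c": "192.169.0.128/25",  # partial overlap also breaks routing
}
ALIAS_POOL = "172.31.0.0/16"

def find_conflicts(engineer_if, factories):
    """Names of factory networks that overlap the engineer's own subnet."""
    local = ipaddress.ip_interface(engineer_if).network
    return [name for name, cidr in factories.items()
            if local.overlaps(ipaddress.ip_network(cidr))]

def assign_aliases(engineer_if, factories, pool):
    """Give each conflicting factory an unused alias subnet of equal size."""
    used = [ipaddress.ip_interface(engineer_if).network]
    used += [ipaddress.ip_network(c) for c in factories.values()]
    aliases = {}
    for name in find_conflicts(engineer_if, factories):
        size = ipaddress.ip_network(factories[name]).prefixlen
        for cand in ipaddress.ip_network(pool).subnets(new_prefix=size):
            if not any(cand.overlaps(u) for u in used):
                aliases[name] = str(cand)
                used.append(cand)
                break
        else:
            raise ValueError(f"alias pool exhausted for {name}")
    return aliases

def alias_for(real_ip, real_net, alias_net):
    """1:1 NAT mapping: keep the host offset, swap the network prefix."""
    real, alias = ipaddress.ip_network(real_net), ipaddress.ip_network(alias_net)
    addr = ipaddress.ip_address(real_ip)
    if real.prefixlen != alias.prefixlen or addr not in real:
        raise ValueError("address and networks do not match")
    return str(alias.network_address + (int(addr) - int(real.network_address)))

if __name__ == "__main__":
    for name, alias in assign_aliases(ENGINEER, FACTORIES, ALIAS_POOL).items():
        print(name, FACTORIES[name], "->", alias)
```

The engineer then addresses a device through its alias (for instance the address returned by alias_for), and the gateway at the site translates it back to the real address on the machine network.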

Two-factor authentication

Typical VPNs for statically connecting office networks are based on X.509 certificates that are manually exchanged between the VPN peers during the initial setup. In recent years SSL/TLS-based VPN solutions have become popular, because they are 'firewall friendly' and provide automatic bidirectional authentication. The concern with many such implementations for industrial access is that the initial authentication is based on only a user name and a password.

Traceability and logging

Traceability means documented proof of who accessed what, and when. The purpose is not only to document whether a given remote user may have caused an issue on a machine, but also to document whether a service provider is in fact fulfilling the service obligations.

Check if audit logging exists and how it can be accessed.

Dependence of third-party cloud services

As mentioned earlier, using a central M2M server is becoming essential for controlling user access and data connection redirection. Such services may be free, or be subject to maintenance fees. Investigate fees in relation to scaling the solution and decide which budget should carry such costs.

More importantly, you should investigate whether the M2M server is available only as a cloud service hosted by the vendor, or whether you can migrate to your own M2M server. Major OEMs generally do not like to be dependent on a specific vendor's existence for their server's uptime and applied security measures.

For more information contact Bob Petrie, Throughput Technologies, +27 (0)11 705 2497, info@throughput.co.za, www.throughput.co.za


