How to Implement Secure, Remote Access to an Industrial Automation System

  • Will all of my remote access needs fall under similar information technology (IT) conditions, with each site able to use the same router configurations?
  • Is IT expertise available to support a traditional VPN?
  • Is the IT team willing to support the traditional VPN?
  • Will high bandwidth be required?

Option 1: Hosted VPN

Hosted VPNs provide a secure connection with simple setup and network configuration. Typical hosted VPN solutions include a VPN router, a hosted VPN server, a VPN client, and connected automation system components (figure 2).

Hosted VPN design considerations

Those considering this solution must have a high level of trust in the hosted VPN vendor, as it will be responsible for securely storing data and making it available to only those who need it. Monthly costs incurred for high data bandwidth usage must also be considered, particularly as those costs are zero for a traditional VPN solution.

Option 2: Traditional VPN

This option requires a local VPN router to connect through the Internet with a secure VPN tunnel to a second remote VPN router or software client (figure 5). Once connected, remote users can access automation components connected to the local router through the VPN tunnel.

Traditional VPN design considerations

The main design consideration for this option is the capability and willingness of an IT team to support this solution at both the local and remote sites for each installation. For example, an original equipment manufacturer (OEM) machine builder must consider every customer site, and make sure all of its customers are willing to provide IT support. If not, the OEM will have to customize its remote access solution for each customer.

  • Firewall configuration may be challenging.
  • Subnet conflicts must be addressed across sites with similar network designs.
  • User management and access must be well controlled.
  • Event logging is not usually implemented and must be added if needed.
  • Security certificates must be created and managed.
  • Advanced networking knowledge is required.
  • Client configuration is needed for each connection point.
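The subnet-conflict item in the list above is worth making concrete: machines shipped with factory-default addressing often land at several customer sites with the same local range, and once those sites share one VPN hub, routing to a given PLC address becomes ambiguous. The script below is an added example, not code from the ISA article or from any VPN vendor. It takes an inventory of site subnets, reports every overlapping pair, and, for the sites involved, allocates a unique translation range for 1:1 NAT on the site router, which is the usual remedy when the customer's network cannot be readdressed. The site names, address ranges and the 172.16.0.0/16 translation pool are constructed sample values.

```python
"""Subnet-conflict check for sites sharing one VPN hub.

Added example, not from the ISA article. Site names and address ranges are
constructed sample data; the translation pool is an assumption.
"""
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed inventory: each site's local automation subnet as seen by its
# VPN router. Two customers kept the machine's factory-default addressing.
SITES = {
    "oem_hq": "10.0.0.0/24",
    "customer_a_press": "192.168.1.0/24",
    "customer_b_press": "192.168.1.0/24",  # same range as customer_a
    "customer_c_press": "192.168.2.0/24",
}


def find_conflicts(sites):
    """Return sorted name pairs whose subnets overlap.

    Any overlapping pair makes hub routing ambiguous: a packet addressed to
    192.168.1.10 could belong to either press.
    """
    nets = {name: ip_network(cidr) for name, cidr in sites.items()}
    return [
        (a, b)
        for (a, net_a), (b, net_b) in combinations(sorted(nets.items()), 2)
        if net_a.overlaps(net_b)
    ]


def allocate_nat_subnets(sites, conflicts, pool="172.16.0.0/16"):
    """Give each site involved in a conflict a unique /24 drawn from ``pool``.

    The /24 is the range the hub sees after 1:1 NAT on the site router, so it
    must not collide with any real site subnet either. ``candidates`` is a
    single generator shared across sites, so no two sites receive the same /24.
    """
    real_nets = [ip_network(cidr) for cidr in sites.values()]
    candidates = ip_network(pool).subnets(new_prefix=24)
    affected = sorted({name for pair in conflicts for name in pair})
    mapping = {}
    for name in affected:
        for cand in candidates:
            if not any(cand.overlaps(real) for real in real_nets):
                mapping[name] = cand
                break
    return mapping


def translate(addr, real_cidr, nat_cidr):
    """1:1 NAT: keep the host offset, swap the network prefix."""
    real = ip_network(real_cidr)
    nat = ip_network(nat_cidr)
    if real.prefixlen != nat.prefixlen:
        raise ValueError("1:1 NAT needs equal-sized networks")
    host = ip_address(addr)
    if host not in real:
        raise ValueError(f"{host} is not inside {real}")
    offset = int(host) - int(real.network_address)
    return ip_address(int(nat.network_address) + offset)


if __name__ == "__main__":
    conflicts = find_conflicts(SITES)
    print("conflicts:", conflicts)
    nat = allocate_nat_subnets(SITES, conflicts)
    for site, net in nat.items():
        # Show where a PLC at host .10 of the real subnet appears through the tunnel.
        plc = translate(str(ip_network(SITES[site])[10]), SITES[site], str(net))
        print(f"{site}: {SITES[site]} -> {net}; PLC .10 reachable as {plc}")
```

Run once per new customer site before the tunnel goes live; a non-empty conflict list means either the customer readdresses the machine network or the site router gets the allocated translation range, and the hub's routing table, firewall rules and client access lists must then reference the translated addresses rather than the factory defaults.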

Application example: Traditional VPN

Consider two types of OEM machine builders. The first OEM sells very large and complex printing presses with thousands of automation system I/O points, and its customers require the OEM to support the machine, including uptime and throughput guarantees. The OEM needs to remotely monitor and support its presses worldwide to make sure it meets its guarantees to customers. The OEM has considerable IT expertise and is capable of implementing a traditional VPN, and each of the customers is willing to allow the required firewall modifications.

Application example: Hosted VPN

The second OEM sells a machine that does not require video monitoring. Local operator interface is provided by an embedded HMI with limited data logging and storage functionality. The OEM machine builder needs two kinds of remote access. The first is VPN access to remotely troubleshoot, debug, and program the machine’s PLC and HMI. Second, the OEM and its customers want to monitor the machine’s most important operating parameters on dashboard screens from remote devices, such as smartphones and tablets.

Many considerations

When designing a remote access solution using VPNs, there are many considerations influencing final implementation: initial and sustaining costs, technical expertise during installation and ongoing operation, site control, security risks, and data storage capabilities.

International Society of Automation - ISA Official

The International Society of Automation (isa.org) is a non-profit professional association founded in 1945 to create a better world through automation.