By Dan Hebert, PE, Senior Technical Editor
Many OEMs use PCs for monitoring, control and remote access to their machines, robots and skids. As the price/performance ratio of PCs improves, applications become more widespread. But one major concern for many machine builders and their customers is holding PC implementation back, namely the lack of security inherent to most PC platforms when they are connected to the outside world.
PCs are cheap because tens of millions of units are sold each year, but this very ubiquity creates a security risk. The vast majority of hackers operate from a PC, usually Windows-based, and many of them know Windows and other popular PC operating systems such as Linux backward and forward.
The typical hacker might have trouble getting into your PLC or PAC, even if the controller were connected to the Internet via an Ethernet link. But odds are the same hacker could burrow into your Internet-connected PC with ease.
Fortunately, there are solutions. The first and simplest is to connect the PC to the outside world only at predefined periods when data exchange is required. “We can connect to a system anywhere in the world to remotely view the operator interface,” says Keith Gardener, product engineering manager at MPI (www.mpi-systems.com) in Poughkeepsie, N.Y. MPI makes wax-injection-molding machines and automated pattern-assembly systems for the investment-casting industry.
“We establish a VPN connection to our customer’s network, and then they control the connection,” explains Gardener. “Our account usually is disabled and only activated by the customer when required. The VPN policies establish the limits of our access to the network. After a VPN is established, connection to each machine requires a separate login.”
MoCo Engineering & Fabrication (www.mocoeng.com) in Spokane Valley, Wash., builds lumber-handling equipment, and it also implements remote access security via manual customer interaction.
“We offer a remote access option to our customers,” notes Loren Wernecke, electrical and hydraulic manager. “It’s a Web port device that uses open VPN tunnel technology, and the customer has to provide Internet access. Once the tunnel is created, MoCo can connect to any Ethernet device on the private side of the Web port as if they were on-site.”
Placing the burden of remote-access security on the customer has many benefits. It allows a machine’s PC to fit into the customer’s security plan. To a large extent, it removes the OEM from security issues. It’s also highly secure since a potential hacker normally would have only sporadic and relatively short time intervals to breach defenses.
But some customers would rather the machine builder be responsible for maintaining and establishing remote access connections—complete with required security. This saves the customer from manual intervention each time access is required and also lowers the level of required IT expertise on the customer’s end.
In these types of applications, the OEM will have an always-on, secure link to its machine PC, preferably via the Internet to minimize costs. Ideally, this security will be implemented via a software add-on compatible with a wide range of operating systems and hardware platforms.
One way to do this is with a dual operating system. In this approach, a highly secure and specialized operating system is installed on the PC between the hardware and the general-purpose operating system, which is usually some variant of Windows.
One company that supplies secure operating systems is Green Hills Software via its Padded Cell secure hypervisor. Padded Cell enables multiple guest operating systems such as Windows, Linux and Solaris and their applications to run in secure partitions on a single computer.
Green Hills calls this dual-operating-system approach a virtual machine. According to Green Hills, the use of its embedded operating system between Windows and the system hardware means there will be no software-related system failures and no susceptibility to viruses and worms.
The company also claims its operating-system technology is the first to undergo a high assurance (EAL 6+) Common Criteria security evaluation and gain EAL 6+ high robustness certification. Green Hills believes this security certification distinguishes its software from other virtual machine and hypervisor products.