Can I monitor and program using the same remote-access hardware or software?

Fundamental concerns are a good place to start with remote programming and monitoring.

By Control Design

A Control Design reader writes: We’re a Tier 1 supplier to the automotive industry, producing engine control modules. I often need to get into the line’s automated control systems and program the controllers, HMIs and robots remotely, but I also need my technicians and engineers to be able to monitor the assembly line, and possibly even change set points or start and stop equipment. How do I do this?

Can I use the same hardware for programming remotely that I use for controlling and monitoring remotely? What about security? Is that even possible?


For more, also read: DHS cybersecurity director on avoiding security vulnerabilities when connecting to the IIoT

Comments

  • Secure support and monitoring options are crucial to today's critical manufacturing facilities and the OEMs, suppliers and integrators that support them. There are many options for doing this, with some pros and cons for each. There are some excellent security-focused appliances that provide IT-approved VPN technologies (e.g. mGuard, zenwall and tofino). These will give you the "pipe" or conduit to connect your technicians and engineers to the production cell or line that you need to support. You then use your programming tools (e.g. RSLogix, Proficy, etc.) as if you were local and on-site; the VPN is just giving you a "1000 mile patch cable". The very best of these solutions include the ability for your customer to easily control when the VPN is on or off so they can ensure the line is safe and ready for support/monitoring before starting the connection. Another factor to look for is to make sure you can restrict what traffic goes over the VPN; this can keep an infected technician PC from wreaking havoc on the production line equipment with malicious traffic. There are also several cloud-based solutions out there that remove the need for your company to stand up a VPN infrastructure. Security should be a top concern here, so look for things like 2-factor authentication, strong encryption and good logging/auditing capabilities so you know which of your technicians connected to which site, when and for how long. If you don't want to (or aren't allowed to) add another DIN-rail device, there are some PCI card solutions that can be used, allowing you to integrate your secure connectivity right into your HMI or any PC on the network. This is a convenient way to get the functionality without having to fit another piece of equipment in a cabinet. Hope this helps - Dan

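The comment above asks for logging that shows which technician connected to which site, when and for how long, and for the customer to control when the VPN is on. The following is an added example, not code from the commenter or from any vendor named on this page: it parses constructed log lines in a hypothetical format (a "vpn" source for the concentrator's connect/disconnect records and an "io" source for the site gateway's enable/disable contact), pairs the records into sessions with durations, and flags any session that started while the site's enable contact was not closed. The log format, field names, user names and site names are all assumptions made for the example.

```python
"""VPN session audit correlated with a site-side enable contact (added example)."""
import re
from datetime import datetime, timezone

# Constructed log lines in a hypothetical format: timestamp, source ("vpn" for the
# concentrator, "io" for the site gateway's digital input), then key=value fields.
SAMPLE_LOG = """\
2016-03-08T08:55:00Z io site=line4 event=enable
2016-03-08T09:02:11Z vpn user=jsmith site=line4 event=connect
2016-03-08T09:41:50Z vpn user=jsmith site=line4 event=disconnect
2016-03-08T10:00:00Z io site=line4 event=disable
2016-03-08T22:13:05Z vpn user=rlee site=line4 event=connect
2016-03-08T22:20:00Z vpn user=rlee site=line4 event=disconnect
2016-03-09T07:30:00Z vpn user=jsmith site=line7 event=connect
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>vpn|io)\s+(?P<kv>.+)$")


def parse_line(line):
    """Parse one log line into a dict; return None for blank or unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(item.split("=", 1) for item in m.group("kv").split())
    fields["src"] = m.group("src")
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def enable_windows(events):
    """Per site, the intervals during which the local enable contact was closed."""
    windows, opened = {}, {}
    for ev in events:
        if ev["src"] != "io":
            continue
        site = ev["site"]
        if ev["event"] == "enable":
            opened[site] = ev["ts"]
        elif ev["event"] == "disable" and site in opened:
            windows.setdefault(site, []).append((opened.pop(site), ev["ts"]))
    for site, start in opened.items():          # still enabled at end of log
        windows.setdefault(site, []).append((start, None))
    return windows


def sessions(events):
    """Pair connect/disconnect events per (user, site); open sessions get end=None."""
    opened, result = {}, []
    for ev in events:
        if ev["src"] != "vpn":
            continue
        key = (ev["user"], ev["site"])
        if ev["event"] == "connect":
            opened[key] = ev["ts"]
        elif ev["event"] == "disconnect" and key in opened:
            start = opened.pop(key)
            result.append({"user": key[0], "site": key[1], "start": start, "end": ev["ts"],
                           "minutes": (ev["ts"] - start).total_seconds() / 60})
    for (user, site), start in opened.items():
        result.append({"user": user, "site": site, "start": start, "end": None, "minutes": None})
    return result


def audit(lines):
    """Build the session report and flag sessions started while the site was not enabled."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    windows = enable_windows(events)
    report = []
    for s in sessions(events):
        s["in_window"] = any(start <= s["start"] and (end is None or s["start"] <= end)
                             for start, end in windows.get(s["site"], []))
        report.append(s)
    return report


if __name__ == "__main__":
    for s in audit(SAMPLE_LOG.splitlines()):
        flag = "" if s["in_window"] else "  <-- outside enable window"
        print(s["user"], s["site"], s["start"].isoformat(), s["minutes"], flag)
```

On the constructed log this reports one authorised 39.65-minute session for jsmith on line4, a session for rlee that began at 22:13 with no enable window open (the kind of event that deserves a follow-up question even when the VPN credentials were valid), and a session on line7 that is still open at the end of the log. Running this against real concentrator and gateway logs requires only replacing `parse_line` with one that understands their actual formats.
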
  • Any OEM or machine builder has a number of valid concerns no matter the equipment they build or the end user they need to support. The remote connectivity solution they are looking for doesn't need to be expensive or complicated, but at the same time should offer the peace of mind that the machine is secure from unwanted traffic. The mGuard Secure Cloud from Phoenix Contact provides an easy, cost-effective and reliable solution, allowing users to talk securely over the Internet to industrial equipment such as PLCs, HMIs, etc. all over the world. Using an accepted and highly secure IPsec VPN technology with the highest encryption standards available (AES-256), your mGuard hardware will open a secure tunnel to the mSC infrastructure, while users, having dual authentication methods, can start the supported software VPN. After logging into the mSC website, they can select the machinery they wish to support. Let me add that the mSC will allow several technicians/engineers to connect to the same piece of equipment at the same time to perform different functions like monitoring, control and/or remote programming as requested.
    In addition, all mGuard hardware comes with an integrated stateful firewall that secures the local devices from unwanted or malicious traffic. Another unique security feature is the conditional VPN and/or firewall. This means that, through a dry contact closure, you can enable/disable a VPN tunnel (the connection for remote support would be available only per customer request) and/or a set of firewall rules (managers from each shift can control firewall rules using a physical key).
    With many hardware flavors and features to choose from, I'd like to explain two of the most convenient:
    - For a security focus, the recommendation would be to use the FL mGuard RS4004 VPN, which can filter traffic locally and even within an authenticated VPN, so allowed technicians can only monitor, while engineers can program the remote PLC. As an extra, this hardware comes with a dedicated DMZ port, which can be translated as a third interface for local use (an example is WAN connected to enterprise, LAN to industrial machinery and DMZ to a SCADA or a WLAN network), taking advantage of the security settings between these three ports.
    - For a cost-effective focus, the FL mGuard RS2005 VPN gives you all the same remote connectivity access with an extra 5-port unmanaged switch and a basic firewall.
    Using the well-known mGuard hardware as your VPN gateway provides a great range of uses and flexibility for full or partial protection, wired Internet access or cellular. Depending on the application and budget, you can select the different variants. If OEMs, machine builders and end users are still concerned about a third-party company hosting a cloud infrastructure for all their remote connectivity, the mGuard is a powerful device that can be configured as your company's hub in a point-to-point VPN application.
    For more information about the mGuard product visit www.phoenixcontact.com/mguard
    For more information about the mGuard Secure Cloud visit www.phoenixcontact.com/msc
    To register for the mGuard Secure Cloud go to https://us.cloud.mguard.com
    For any questions email us at portal@phoenixcon.com
    For more cyber security and remote connectivity trends follow me on Twitter @mcoladon

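The comment above describes filtering traffic inside an authenticated VPN so that technicians can only monitor while engineers can program the PLC. The following is an added example of what such a role-aware decision looks like at the protocol level; it is not Phoenix Contact's code and does not describe how the mGuard implements its filtering. It assumes Modbus/TCP as the field protocol (chosen because its framing is simple; the reader's controllers may well speak something else), a constructed mapping from VPN client subnet to role, and the standard public Modbus function codes. It parses the MBAP header, rejects malformed frames, and applies a default-deny allow-list per role: "monitor" may only read, "control" may read and write coils and registers, and "engineer" is unrestricted.

```python
"""Role-aware Modbus/TCP request filter (added example; hypothetical policy)."""
import struct
from ipaddress import ip_address, ip_network

# Constructed VPN client address plan: which remote subnet holds which role.
# A real gateway would derive the role from the authenticated VPN identity.
ROLE_BY_SUBNET = {
    ip_network("10.99.1.0/24"): "monitor",   # technicians: read only
    ip_network("10.99.2.0/24"): "control",   # supervisors: read + write set points
    ip_network("10.99.3.0/24"): "engineer",  # controls engineers: any function code
}

# Standard Modbus public function codes.
READ_CODES = {0x01, 0x02, 0x03, 0x04}        # read coils / discrete inputs / registers
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10}       # write single/multiple coils and registers

# Per-role allow-list; None means every function code is permitted.
ALLOWED_CODES = {
    "monitor": READ_CODES,
    "control": READ_CODES | WRITE_CODES,
    "engineer": None,
}

# Constructed sample ADUs (7-byte MBAP header + PDU), big-endian.
SAMPLE_READ = bytes.fromhex("0001 0000 0006 01 03 0000 0002")     # FC3: read 2 holding regs
SAMPLE_WRITE = bytes.fromhex("0002 0000 0006 01 06 0010 0064")    # FC6: write reg 0x10 := 100
SAMPLE_DIAG = bytes.fromhex("0003 0000 0006 01 08 0000 0000")     # FC8: diagnostics
SAMPLE_BAD_LEN = bytes.fromhex("0004 0000 0009 01 03 0000 0002")  # MBAP length field lies


def role_for(src_ip):
    """Map a VPN client address to its role; None if unknown (default deny)."""
    addr = ip_address(src_ip)
    for net, role in ROLE_BY_SUBNET.items():
        if addr in net:
            return role
    return None


def parse_modbus_tcp(adu):
    """Split a Modbus/TCP ADU into MBAP fields and PDU; raise ValueError if malformed."""
    if len(adu) < 8:
        raise ValueError("ADU too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    # The MBAP length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(adu) - 6:
        raise ValueError("MBAP length %d does not match %d bytes present" % (length, len(adu) - 6))
    return {"tid": tid, "unit": unit, "fc": adu[7], "data": adu[8:]}


def decide(src_ip, adu):
    """Return ("allow" | "deny", reason) for one request from src_ip. Default deny."""
    role = role_for(src_ip)
    if role is None:
        return "deny", "no role for source %s" % src_ip
    try:
        req = parse_modbus_tcp(adu)
    except ValueError as exc:
        return "deny", "malformed request: %s" % exc
    allowed = ALLOWED_CODES[role]
    if allowed is None or req["fc"] in allowed:
        return "allow", "role %s may use function 0x%02X" % (role, req["fc"])
    return "deny", "role %s may not use function 0x%02X" % (role, req["fc"])


if __name__ == "__main__":
    for src, adu in [("10.99.1.7", SAMPLE_READ), ("10.99.1.7", SAMPLE_WRITE),
                     ("10.99.2.7", SAMPLE_WRITE), ("10.99.2.7", SAMPLE_DIAG),
                     ("10.99.3.7", SAMPLE_DIAG), ("192.0.2.5", SAMPLE_READ),
                     ("10.99.3.7", SAMPLE_BAD_LEN)]:
        print(src, *decide(src, adu))
```

The point a practitioner should take from this is that a port-level firewall rule cannot separate monitoring from control on Modbus/TCP, since both travel on the same TCP port; the separation has to happen on the function code inside the frame, and unparseable frames should be dropped rather than passed through. Vendor-specific programming protocols (the traffic a PLC programming tool actually generates) need their own decoder; this example does not cover them.
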
  • You are talking about two different functions, though some suppliers of automation software cannot separate them and end up hamstringing their end users with "gotchas". Developers, for instance, who opt for using VB.Net or C++, etc. end up doing just that many times to their end users, requiring them to rehire the original developers to create any new functionality and reinstall the newly compiled runtimes on all the machines in the plant. Therefore it is important to understand the difference in functionality that is needed within the plant. One function is the actual development of the runtime applications and the other is creating appropriate functionality within the applications as they are being developed in order to address your needs without stopping production or redesigning the runtime applications. When an HMI or some other type of front end is designed, it is done, generally speaking, with some sort of development station that is operating in an OS environment capable of supporting the development and runtime, and any virtualization that needs to take place. When a development environment is installed it is usually on a full Windows OS, not simply a CE, Windows Embedded Compact Edition, Linux, etc. This is because such a system usually requires a great deal more resources than an efficiently compiled runtime app that is hosted on one of the tiny OSes. This does not mean that the runtime is necessarily scaled back or has limited features. Runtimes and their environments are chosen specifically for the functionality that they have to support, and the connectivity and processes that they have to maintain.
    InduSoft Web Studio, for instance, has physical and virtual runtimes that can host external thin clients, interface with historians and data warehouses, connect to databases, and has drivers capable of talking to more than 300 types of proprietary devices and industry protocols from every vertical imaginable, including several generic ones that can be configured or created when nothing else is available to communicate with unusual devices. Having said that, however, a small runtime client machine usually does not have enough resources to host the design/development and compilation parts - the heart of creating runtime clients and servers - unless that environment is purposely scaled to be small. Therefore a full Windows Embedded installation can be used to host such a need when needed, and it will still be fully featured. When developers create applications for the functionality that you have mentioned, they are designed so that setpoint adjustment and automation control, along with the ability to modify necessary parameters or provide other external machine access, such as robotic programming, is built into the application, along with user security and machine authentication. Therefore, in a properly designed standalone application operating in a small OS environment like Compact or Linux, actual redesign of the client or server should never be necessary from the actual workstation itself. Many devices like this are indeed headless in any case, meaning that they may not have a display terminal or other means of interfacing directly with humans except perhaps through a local keypad and/or a remote terminal for more maintenance-intensive functions. Again, this will be a function of the properly designed application, not the development environment that created the app.
    It is also possible, however, to build and license specific nodes in your environment to have development and runtime capabilities, and these are created for exactly the reasons that you are pointing out that you need. For instance, with InduSoft Web Studio, you could have a single Web Server/Local Client - Operations Dashboard and Development machine that is concurrently running the server functions for your thin-client HMIs around the plant. Updates to the screens and application functionality on such a machine can be made and pushed out to the operating HMI nodes without any disruption in production. Therefore, when designing such a system for a large environment, it is prudent to carefully understand, as much as is possible, the final applications and implementation vision, so that one does not get "painted into a corner", so to speak, by inadequate planning and engineering. It is necessary also to employ a development system like InduSoft Web Studio, which is completely scalable, with the added ability to run applications that were built on earlier versions without modification, so that future expansion and changes to the plant can be made when needed.

  • Getting all this capability into a single device can be a challenge. The key to your question is having a device that can connect you to all the devices you wish to reach. This requires a device that can speak several protocols, and some at the same time. Then the device needs the ability to have remote access. Fortunately for you, that is exactly what Red Lion's HMIs and protocol gateway devices offer. Protocol conversion is the first requirement you need to get a handle on. Offering over 300 protocols, Red Lion has the largest reach of any company providing protocol conversion. Our protocol list includes most of the major automation manufacturers for drives, PLCs, bar code readers and even cameras. In addition, our products also offer the ability to run multiple protocols simultaneously, which is important because you will probably need to communicate with more than just a single protocol. Now that you have the communication part figured out, access is the next issue. Red Lion products offer remote access and have for many years. The capability includes remote control of operations, pass-through programming capability, email notification, SMS messaging and more. These controls can be accessed from any smart device, so connection and control are very simple. Now to address your security concern. This can be a tricky balancing act between how secure you want your equipment and how accessible you want it to be. An easy-to-use solution is a cellular router, which may include a firewall, VPN capabilities or even access control lists. This solution doesn't use any of the Internet connectivity within the facility, thus not requiring IT to open ports or allow special access on the corporate network. In addition to security at the edge of the network, you also need to consider device-level security. To summarize, yes, there is equipment (including HMIs) that will allow you to program remotely as well as monitor and control systems and processes. Security can be addressed either on the device itself or, for higher-grade security, you can use a separate device. Red Lion has a number of options that would fit your requirements.

  • Remote access as you described is indeed possible via three main methods:
    PC-based programming software: A fixed or portable PC can be connected to controllers and HMIs via hard-wired or wireless networks. If the controller or HMI programming software is installed on the PC, it can be used to fully access the controller or HMI in order to make changes, view status, etc. IDEC's HMI and controller programming software are provided free of charge, and can thus be freely installed on multiple PCs for this type of remote access.
    Browser-based access: If the controller or HMI comes with web server functionality built in, as do most of IDEC's controllers and HMIs, then web pages can be created using the PC-based programming software and then stored in the controller or HMI. Once stored, these web pages can be accessed via any browser running on any platform such as a PC, a tablet or a smartphone. The only requirement is a connection between the controller or HMI and the platform running the browser. Within a facility, this connection is often via Wi-Fi. External to the facility, this connection is usually via a company intranet or the Internet.
    App-based access: Tablet and smartphone users prefer app-based access instead of browser-based access because it's simpler and faster to connect, easier to interface with, and has a quicker speed of response. If your controller or HMI supports app access, this is the preferred alternative.

  • The ability to program and monitor your equipment remotely has been around for quite some time. There are a few technologies that have been attempted over the years with varying degrees of complexity, effectiveness and security. Believe it or not, dial-up modems are still being used; however, slow speeds and availability of phone lines have made these all but obsolete. Cellular modems require recurring monthly fees, and coverage inside factories is far from ideal. Remote desktop applications require costly software to be loaded, and giving access to a PC that has the ability to reach the rest of the network is a serious security concern. Fortunately, there are ways to overcome these challenges through the setup of secure encrypted VPN connections. Traditional VPNs have their own challenges, as they are very complex to set up securely and never seem to be available when needed. However, using a cloud-based VPN solution like eWON's Talk2M that establishes firewall-friendly outbound connections, you are able to access your equipment just as if you were plugged in locally, all while keeping the integrity of the corporate network and security policies intact. Knowing that security is essential, all connections are encapsulated in encrypted VPN tunnels, built-in digital I/O provides local control of when a connection is possible, and options like 2-factor authentication ensure that only trusted personnel have access to the connectivity. As for local monitoring and control of the assembly line, the local hardware used for these connections has the ability to configure 1:1 NAT, making it possible to set up communication from devices on the corporate network to PLCs, HMIs and other industrial equipment on the remote access network. Also, the M2Web application of Talk2M allows remote web access over HTTP, VNC or RDP to the Ethernet devices behind the eWON from any tablet or smartphone, allowing for easy monitoring and control from anywhere.

  • Some HMIs harness the capability of web-based publishing to allow users to obtain Information Anywhere. Web-based HMI runtimes allow users to open separate instances of their HMI program, allowing multiple users to monitor or operate at the same time. The added benefit of these web-based publishing HMIs is their ability to be used on mobile and tablet devices. Vendors often create their own iOS or Android application to make this capability even more straightforward. As you've mentioned, a huge concern when multiple parties have access to the same HMI is which users are controlling, which are monitoring, and which are editing. Look for HMIs with built-in security and administrative settings that allow you to handle these potentially complex scenarios with ease. These administrative settings should allow you to either limit the user to specific panels or go down to specific button or input read/write access. This allows you to easily segregate monitor-only users, such as administration or factory floor managers, from machine operators who are working locally with the device. In addition, ensure you have an application with dual LAN ports that allow for physical separation of the networks; often you'll want one network dedicated to your controls scheme and the second dedicated to remote access. Trying to utilize an HMI without web-based publishing makes this significantly more difficult, often involving the collection of data to a single PC database and development of an application that then allows web-based publishing or remote access. This could potentially involve either a programmer or an IT specialist, driving up the cost of the overall project. Parker's Interact Xpress is an award-winning software that has pre-built administrative profiles that allow machine builders to create different levels of access with ease. When partnered with Remote Xpress Manager (free!), the system HMI can be viewed from any location on any iOS or Android device without any complex programming or system modification necessary. For more information on Parker's Interact Xpress see: http://www.parkermotion.com/xpress/

  • Response provided by Gregory Wilcox, global business development manager, Rockwell Automation: OEMs are looking to reduce costs, add more value for their customers, and differentiate themselves from their competitors. OEMs desire secure remote access to assets installed at their end users, but it's important to understand that one size does not fit all when it comes to a solution. The solution end users choose to enable OEMs' secure remote access depends on the end users' security stance. Their security stance will be based on their business practices, corporate standards, industrial security policies and risk tolerance. It will also be based on the specific application requirements, such as the current state of the end user's network infrastructure (segmentation into domains of trust) and alignment with applicable industrial automation and control system (IACS) security standards, such as IEC 62443. Early and open dialogue between the OEM and end user is critical in determining a secure remote-access solution that aligns with the end user's security stance. The Cisco and Rockwell Automation Converged Plantwide Ethernet (CPwE) secure remote-access solution leverages common IT infrastructure and defense-in-depth best practices to help align the security needs of the OEM and end user. Linked below are additional resources on CPwE, Identity Services and Industrial DMZ best practices:
    http://www.rockwellautomation.com/global/products-technologies/network-technology/architectures.page
    http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td008_-en-p.pdf
    http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td009_-en-p.pdf

  • Whether or not you can use the same hardware depends on a few issues. One of the biggest issues is security. If you are going to control an assembly line remotely, the assembly line must be connected to the Internet; however, you need to be cautious because this could pose a potential risk. Automotive companies are very critical of network topics, especially if they are a possible threat, so you run the risk that a system is hacked by someone and production may stop. Therefore, it's possible to conduct remote maintenance, but it might be risky. As a result, you should involve your IT department to get full Internet connectivity. In the past, IT administrators were not familiar with the network structure of industrial machines, so to avoid adverse impact they wouldn't support any external access point into their standard network. If the assembly line is connected to the Internet, it's possible to use a Lenze Controller for remote maintenance with the same hardware and software. You first have to establish a connection from your engineering PC or laptop to the Lenze Controller, and then you can connect yourself to the controller in the same way you would onsite. When inside a plant you can do remote maintenance from any location as long as you are connected to the machine's network. The Lenze controller platform (for 3200 C, p500, c300 and p300) is designed with state-of-the-art security functions and measures. For example, besides internal control, measurement and safety functions, the Lenze controllers are all equipped with detailed user rights management and a PLC safety measure system to address the safety aspect. Daniel Repp - Business Development Manager, Automation Solutions - Lenze Americas

  • KEB's C6 Router with Combivis Connect software can be used for remote access and programming of any device connected to the automation network. Device access is set up through virtual Ethernet and serial ports established by the C6 Router and Combivis Connect for an end-to-end VPN connection. KEB's intuitive Combivis Connect software is also used for managing and configuring access rights and the setup of security rules such as firewall policies. Furthermore, an unlimited number of users, user groups and devices can be defined, each with different access rules for flexible configuration and a high level of security. For more information on KEB's C6 Router and Combivis Connect visit http://kebblog.com/industrial-router/

  • Route1 is a security company that provides a service offering 2- and 3-factor authentication for the user and the device used to access assets remotely. It is incredibly easy to set up, and uses an encrypted smart USB key for access. Route1.com will take you there. No need for routers/switches, and it is IT friendly. Highly recommended! And no, I don't work for the company!
