Access Control for Productivity and Profit

Jan. 8, 2013
Whether Remotely or on the Factory Floor, Machine Builders Take Various Approaches to Provide the Right Access
About the Author
After working as a semiconductor process engineer, Hank Hogan hung up his cleanroom suit and now writes about process control and other technologies from Austin.That soda can sitting in the refrigerator might have been manufactured a bit more efficiently, thanks to remote access to the machinery that made it. That access has to be managed, though, to protect the product, the consumer, and the intellectual property of the maker of the canning equipment. An examination of soda cans and other items uncovers hardware and software solutions used by machine builders today for access control.

Take the case of Belvac Production Machinery of Lynchburg, Va., which makes high-speed equipment for the canning industry. One of its primary products is a necker, a machine that reduces the diameter of the open end of the can. It also flairs the top to prepare for the lid.

"Our machines are modular and have very different configurations depending on our customers' needs," explained Stephen Packer, a Belvac electrical engineer, during a webinar hosted by InduSoft. "The interesting thing about the necker is it's the last machine to touch the can before it goes to the beverage maker. So we're putting in lots of different quality checks within our machine."

These include vision inspection to detect any imperfections or mislabeling. There's also a light test that is capable of finding holes greater than 0.004 in. in diameter.

Belvac's machines can produce 1,800–3,000 cans per minute, with work underway to boost that number even higher. The upstream canning equipment has much lower throughput. In a typical setup, perhaps five body makers and six inside spray machines feed into each necker.

The canning industry has developed labeling standards that indicate which body maker and sprayer a can passed through. The former is marked by a stamp, and the latter is identified by colored dots. Data about this is gathered during the visual inspection by the necker and incorporated into the Intelligent Manufacturing System, a package that Belvac offers its customers. This proprietary software provides information about machine status and collects data from the quality checks it is running. This information enables the monitoring of as many as a half-dozen upstream machines. This is done by categorizing which ones are causing rejects on Belvac's equipment and by tallying those rejects.

The data can also be used to determine if a given turret on a necker is having more problems than the others. Limits can be set so that if the number of turret rejects is too high, the machine is stopped, an email alert goes out, some other action is taken or a combination of all of the above is done.

"It has provided Belvac with a very value-added item that we can use to really differentiate ourselves from the competition by giving our customers a level of service that no one else is providing them," Packer said of the system.

With remote access to this data, that advantage can be enhanced. That is why Belvac began offering customers access to this information. Since late 2011, the company's products equipped with the latest software have uploaded data into a secure server every five minutes. That information is stored in a database and customers can log in to look at results from a specific machine. This examination can be done anywhere there is an Internet connection.

Though valuable to customers, this data is also a powerful tool for Belvac itself. Company engineers can monitor machines remotely, sending reports about the results to customers as part of a service. Both Belvac and its customers are happy with this remote access solution.

Of course, that access has to be managed and controlled, a process that Indusoft is aiding. The provider of HMI SCADA software assisted Belvac in creating its customer interface.

InduSoft's preferred method for access control starts with the setup of its software, says Richard Clark, customer support specialist. "In the settings for the product, when you're setting up security, you set up users and then create groups that they have access to."

That, in turn, allows user and group authentication through the Lightweight Directory Access Protocol (LDAP), which helps organizations provide a single sign-on where one password for a user allows access to many services.

The group approach allows specific collections of individuals to be restricted in what they can access. This can be information from a machine, buttons on a screen, or even whole screens. What's more, because IT groups often use LDAP, its inclusion can make process control fit better into an overall corporate IT structure.

For even more secure access control, it might be wise to implement an Internet Protocol Security (IPsec) tunnel. It authenticates and encrypts traffic, which means that communications cannot be read. An IPsec bubble surrounding a control system with only one way in or out offers the highest and most secure level of access control, Clark says.

Purge Paint Passwords
An example of the need for machine operator access control comes from an automotive manufacturer. The unnamed carmaker has a worldwide footprint and was running into trouble in its paint operations a few years ago.

One of the last steps in the manufacturing process, painting is one of the first things customers notice. Thanks to metallic paints, the human eye can detect defects that measure microns in size. This carmaker had password-protected painting systems, but the password was not closely guarded. Thus, it was available to a wide array of employees, many of whom were inadequately trained on the painting equipment or had no need to access the painting equipment at all. However, access it they did.

"Whether people were purposely or inadvertently changing the processes, they were changing them," recalls Mark Witherspoon, director of North American automotive operations for Euchner USA, which makes a host of safety and access control products. "The result was multiple bad paint jobs before they recognized it, creating a very expensive problem."

Hard Access
Figure 1: RFID-based keytags can provide a hardware-based solution to machine access control.Source: EuchnerRFID-based access provided the solution to the carmaker's paint problems by eliminating easily shared passwords. Euchner put an RFID chip in a key fob, with user access information from this tag processed by a reader encased in an IP67 enclosure suitable for an industrial environment (Figure 1). The reader passed this information into a control system, which then allowed machine access.

Hardware-based RFID access control solutions are an option offered by B&R Industrial Automation, says Robert Muehlfellner, director of automation technology. The company has transponders that work with the keytags often used for access control in buildings. "You never have to type in a password," Muehlfellner says. "Since you have to have your ID card with you to get around, the ID card is personalized to you."

Not many machine builders are going this route yet, but there is interest in technology, he argues. More widespread are software solutions, which typically involve usernames, passwords and different levels of access.

The latter can be enhanced by breaking down access into two categories: that needed by a machine operator and that required by someone just interested in machine data or diagnostics, Muehlfellner says. The first classification requires access to actual machine functions, while the second one might only require being able to view data. Diagnostics can be handled by a browser, with access control managed via a firewall.

Remote Control
Remote access can be advantageous in some not-so-obvious ways, says Greg Philbrook, product manager of HMI and communications products at AutomationDirect. For instance, being able to connect to a machine via a mobile device can yield multiple benefits. With such a setup, an owner-operator of a small pump station can check on operating status remotely without needing a PC. Also, Philbrook reports that in one case a customer was able to streamline a common task: the training of new operators. "Instead of having to take the operators out to the machine, he can train just on the HMI part of that machine remotely," he says.

Secure Mobile
Figure 2: Providing access control on a mobile device requires stable hardware with a secure operating system, which is why AutomationDirect has not moved beyond the iOS platform with its mobile app.Source: AutomationDirectThe key here with regard to access control is that the mobile device itself should be a stable hardware platform with a secure operating system. That's why AutomationDirect released an iPad remote app in 2010 (Figure 2) but has not done so for Android or another mobile OS as of late 2012. The Android platform is unstable and insecure, Philbrook states, partly because it isn't really just one platform, but several — each with its own features, depending on who made/sold it.

A final example of access control can be found in an offering from Harmony Enterprises, a machine builder in Harmony, Minn. The company makes balers that compress scrap paper, plastic and aluminum packaging materials into compact bundles, which can be hauled off or recycled.

In 2010, the company designed a new baler, the SSG2, in response to a customer request. The design incorporated a controller with EtherNet/IP industrial connectivity, allowing remote access, diagnosis and machine servicing (Figure 3).

Along with the HMI for access to operate and control the baler, this setup made the SSG2 very easy to use, says Steve Cremer, Harmony's president. Remote access is employed more and more because of the information about machines it offers users, he says. "They can know who is running it, how long it takes to make a bale, and how many cycles of the machine it takes."

Rockwell Automation provided engineering support throughout the design process. The company follows a common authentication and authorization model across a range of products, says Michael Bush, technology manager for Integrated Architecture software.

Great Bales of Authorization
Figure 3: In response to a customer request, Harmony Enterprise designed a baler that allows remote access, diagnosis and servicing. Machine authorization is typically role-based.Source: Rockwell AutomationAccess control is split into these two fundamental functions of authentication and authorization because the division aligns with how end users do things. Authenticating someone as being who they say they are can involve cards or other tokens, passwords and usernames, or even biometrics. Handling this assignment tends to fall to IT in larger enterprises. Smaller organizations might turn to the capabilities for this contained within the Rockwell software. In general, authentication is a pain to administer, and so it's often best to keep identity management responsibilities off the plant floor.

On the other hand, authorization, which allows someone to do something, belongs on the plant floor. Authorization is often role-based, with an individual allowed access to certain machine functions because he or she is an electrician, for example.

Bush sees a future where authentication is centralized and uses smart cards or other technologies for user identification while authorization continues to be system-specific. No matter what method is used for access control, though, one future trend is clear: Government regulations are increasingly demanding access control be implemented, and they also require that no secret path to restore access be allowed in case a password is lost.

"The U.S. government and everybody else are telling me I can't provide backdoors," Bush says. "In fact, backdoors in control systems are considered vulnerabilities."