The purpose of this page is to make the case that an automation solution with a remote connectivity option is worth the investment. For manufacturers, machine uptime translates directly into profitable operation. As machines and production processes become more complex, the need to give expert technicians remote access to industrial control equipment is more important than ever.

It’s 4 PM on Friday when the phone rings with news that the palletizer on your plant’s main bottling line just went down. The plant technical team is stumped, and the palletizer vendor’s service engineer won’t arrive until Monday. The plant manager is on the other end of the line, asking you to somehow let the vendor access the palletizer control equipment and resolve the problem remotely. Otherwise, he’ll need to idle the plant through the weekend, costing your company tens of thousands of dollars in lost revenue and wages. This scenario is a frequent occurrence in today’s world of automated manufacturing.

At the same time, horror stories of corporate data breaches, including breaches that began with an outside contractor’s access mechanism, raise the stakes for enterprise security professionals. With production quotas and profitability targets to meet, simply saying “no” to outside access is not an option for most companies. But before handing out a guest account on your corporate VPN or setting up a remote desktop connection to a production line PC, consider the security and personnel safety factors that come with remote access to machine networks. To begin with, consider these three key zones:
1. Machine Zone – this includes the machine control equipment, the network that interconnects that equipment, and possibly remote access modules. Multiple machine zones within a plant make up the plant zone.
2. Enterprise Zone – this includes the enterprise core network, business assets like servers and applications, Internet access, and firewalls.
3. Outside Zone – this includes the remote user, the cloud connectivity service, and communications infrastructure such as the Internet and cellular networks.

Each of these zones presents its own network security requirements and challenges. Understanding the challenges in each zone will help the enterprise network engineer determine the solution that best balances three needs:
- the production team’s need for fast remote support,
- the safety manager’s need to ensure personnel safety, and
- the enterprise network team’s need to safeguard the company’s data and information systems.

There are two common ways to provide remote access to the Machine Zone:
1. a PC with a remote desktop connection, and
2. a dedicated remote access gateway.

For enterprise network engineers, it is tempting to connect a PC to the machine network and set up a remote desktop connection, since this is common practice in the Enterprise Zone for troubleshooting user PCs. However, it is not the best path in the Machine Zone, for several reasons. First, a PC in the Machine Zone provides a highly capable platform for launching cyber-attacks against the machine and up into the Enterprise Zone. Second, PCs run a full-featured operating system, including many components that have nothing to do with the basic goal of providing remote access to the machine. Over time, vulnerabilities in these OS components come to light, so the PC must be patched regularly or it exposes both the machine and the enterprise to attack. Worse, the PC used for remote desktop access is often supplied by the machine builder or system integrator, and may not be covered by the plant IT department’s standard update and virus protection routine. Finally, programming and troubleshooting industrial control equipment requires specific software packages, which are often expensive to license. Installing a PC on the machine for remote access means purchasing licenses for all the necessary software, and adds to the list of installed software that the enterprise network team must monitor and update.

The better solution for access to the machine network is a purpose-built remote access gateway, such as the ProSoft Technology ICX35-HWC cellular LTE and PLX35-NB2 wired network gateways. These devices plug into the local machine network on one side and an Internet-accessible wired or cellular wide area network on the other. Because the gateway is designed specifically for secure remote machine access, it lacks the general-purpose capabilities of a PC and therefore does not provide a platform for attacks against the Enterprise Zone. The ports on the PLX35-NB2 are logically separate and do not allow routing of traffic from the machine network port to the wide area network port. Unlike with the remote desktop approach, the remote user cannot route back through the PLX35-NB2 to reach assets on the enterprise network. Both gateways can integrate with the machine controller program, so that the controller inhibits remote access whenever the machine is in a state where remote access would be unsafe. Both gateways use outbound-only connections to the ProSoft Connect service, and only after the gateway has been activated in the Connect service through a two-factor activation process. In practice this means the enterprise firewall needs no inbound rule and no vendor VPN account, only an outbound allow from the gateway to the Connect service; the Connect service thereby becomes part of the trust path, which is why the activation step matters and why ProSoft Connect also requires a second form of authentication from the remote user before granting access to the machine.

Unlike the full operating system on a remote desktop PC, the firmware on the ProSoft remote access gateways is regularly subjected to extensive penetration testing and ongoing vulnerability evaluations by a third-party cyber security consulting firm. The gateways were tested with Achilles and Codenomicon, industry-standard network protocol robustness and fuzz testing platforms. In addition, ProSoft contracts a cyber security consultancy, Independent Security Evaluators, to perform regular evaluations of both gateways and the ProSoft Connect service, looking for vulnerabilities. The ProSoft gateways have been hardened against would-be attackers; before using a PC for remote access, consider whether it has been, and will continue to be, subjected to the same rigorous testing.
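To make the enterprise-firewall side of the outbound-only design concrete, the following Python model is an added example (it is not ProSoft code and does not describe the gateway's internals) of the stateful allow-list an enterprise edge firewall can enforce when the only permitted traffic is the gateway dialing out to the cloud service. The addresses, the isolated VLAN for the gateway's WAN port, and the service port (443) are assumptions chosen for illustration; the constructed flows show that neither the remote user nor the machine zone has a path into the enterprise network, that the gateway itself cannot reach enterprise hosts, and that nothing from outside can open a connection to the gateway.

```python
"""Stateful edge-firewall allow-list for a dial-out-only remote access gateway.

Added example: not ProSoft code and not a description of the gateway's
internals. Addresses, VLAN placement and the service port are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Assumed addressing plan (constructed for this example).
MACHINE_ZONE = ip_network("192.168.10.0/24")   # cell network on the gateway's machine port
ENTERPRISE_ZONE = ip_network("10.0.0.0/16")    # business LAN: servers, user PCs
GATEWAY_WAN = ip_address("10.250.0.5")         # gateway WAN port, on its own isolated VLAN
CONNECT_SERVICE = ip_address("203.0.113.10")   # cloud rendezvous service (TEST-NET-3 address)
CONNECT_PORT = 443                             # assumed service port


def zone_of(addr: str) -> str:
    """Label an address by the zone it belongs to (for reporting only)."""
    ip = ip_address(addr)
    if ip in MACHINE_ZONE:
        return "machine"
    if ip == GATEWAY_WAN:
        return "gateway-wan"
    if ip in ENTERPRISE_ZONE:
        return "enterprise"
    return "outside"


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for the packet that opens a connection


class EdgeFirewall:
    """Only the gateway may open a connection, only to the rendezvous service,
    and only outbound. Replies on those connections are accepted; every other
    packet is dropped, so no remote user can reach the enterprise or machine
    zone directly, and nothing outside can open a connection to the gateway."""

    def __init__(self) -> None:
        self.sessions = set()  # (src, sport, dst, dport) of connections opened from inside

    def decide(self, f: Flow) -> str:
        src, dst = ip_address(f.src), ip_address(f.dst)
        forward = (src, f.sport, dst, f.dport)
        if f.syn:
            if src == GATEWAY_WAN and dst == CONNECT_SERVICE and f.dport == CONNECT_PORT:
                self.sessions.add(forward)
                return "ALLOW"
            return "DROP"  # default deny for every other connection attempt
        reverse = (dst, f.dport, src, f.sport)
        if forward in self.sessions or reverse in self.sessions:
            return "ALLOW"  # packet belongs to a connection the gateway opened
        return "DROP"  # stray or spoofed mid-stream packet with no tracked session


def evaluate(flows: List[Flow]) -> List[str]:
    """Run the flows through a fresh firewall in order and return the decisions."""
    fw = EdgeFirewall()
    return [fw.decide(f) for f in flows]


# Constructed traffic, in the order it would be seen.
SAMPLE_FLOWS = [
    Flow("10.250.0.5", 50123, "203.0.113.10", 443, syn=True),   # gateway dials out to the service
    Flow("203.0.113.10", 443, "10.250.0.5", 50123, syn=False),  # service replies on that connection
    Flow("203.0.113.10", 40000, "10.250.0.5", 22, syn=True),    # inbound attempt to open SSH to the gateway
    Flow("198.51.100.7", 40001, "10.0.1.20", 445, syn=True),    # remote user straight at an enterprise file server
    Flow("10.250.0.5", 50124, "10.0.1.20", 445, syn=True),      # gateway itself trying to reach the enterprise
    Flow("192.168.10.20", 40002, "10.0.1.20", 502, syn=True),   # PLC toward the enterprise; the gateway would not
                                                                # route this, and the firewall drops it regardless
    Flow("10.250.0.5", 50123, "203.0.113.10", 443, syn=False),  # more data on the established session
]

if __name__ == "__main__":
    for f, verdict in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS)):
        print(f"{verdict:5} {zone_of(f.src):11} {f.src}:{f.sport} -> "
              f"{zone_of(f.dst):10} {f.dst}:{f.dport}")
```

In a real deployment the same intent is written as a stateful rule set: accept established/related traffic, one outbound allow from the gateway's WAN address to the Connect service, and a default deny for everything else, with the gateway's WAN port on a VLAN that has no route into the business LAN. The model is only a way to check that policy logic against representative flows before committing the rules.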