JAN-FEB 2019


22 INTECH JANUARY/FEBRUARY 2019 WWW.ISA.ORG FACTORY AUTOMATION

risk of unauthorized access. The use of remote access accounts and passwords, available in both HMIs and PLCs, is an important method of asset protection as well as another layer of security, but adding a firewall provides a more secure connection.

Another layer of security is a VPN connection. The encryption used in a VPN ensures that data cannot be intercepted, and that only authorized users can access the HMI, PLC, or other networked devices. A VPN is part of a defense-in-depth strategy to greatly reduce the chances of malicious behavior and unauthorized connections to automation systems.

VPNs are offered in two main configurations, traditional and hosted. A traditional VPN, best administrated by an information technology (IT) professional, connects a local VPN router and creates a secure VPN tunnel through the Internet to a software client or second VPN router. Traditional VPNs basically make the remote devices on a network appear as local devices, securely, but much configuration may be needed at both the local and remote sites, depending on specific needs. Remote access to a manufacturing plant where large amounts of data must be exchanged is a common use and was the only method available until the cloud and related cloud servers were developed.

With the advent of the cloud, hosted VPN solutions became available. Hosted VPN makes setup, use, and maintenance easier due to simplified network configuration, while still providing a secure VPN connection. A hosted VPN solution starts with the connected devices, such as a PLC or HMI, connected to a VPN router at the plant. This router also connects to the company (business) network and, through a corporate firewall, to a VPN server in the cloud. VPN clients, such as smartphones or tablets, then connect to the VPN server to remotely access data (figure 3).
What simplifies the hosted VPN solution is that once a VPN router is purchased, it connects to a cloud-based VPN server managed by others with minimal IT support needed. After configuration, this cloud-based server automatically handles the connections to remote clients, including verification of connection requests, and it also ensures all data passing through the VPN tunnel is secure. As a hosted service, there can be monthly costs, but some solutions provide free monthly bandwidth, which is normally enough for troubleshooting and programming needs. Premium hosted VPN solutions, provided under various monthly subscription plans, provide extended data monitoring capabilities.

Remote monitoring in action

When it comes to PLC remote access apps, especially if no VPN is used, many users choose to implement only data monitoring to minimize the security risk, with no remote control allowed. Some call this concept a data diode, because it only permits access via one-way communication from the PLC to the app, just as a diode only permits the flow of electricity in one direction.

In a water treatment research project at a university, significant data was being stored in a PLC for use by both students and professors. However, with more than a dozen personnel having access to the data remotely via FTP, as well as direct access via a USB connection, data integrity was in question. Data was being logged, but also read, duplicated, and sometimes erased. The ease of remote access was therefore contributing to the corruption

Figure 3. Hosted VPN Diagram: This diagram depicts a remote access solution implemented with the StrideLinx Secure hosted VPN.

Figure 4. HMI remote app: A dedicated HMI can provide local control as well as remote access at a reasonable cost.
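The monitoring-only "data diode" idea described above, as an added example that is not from the article or any vendor's product: a gateway policy that forwards only read requests from a remote app to the PLC and answers any write with a protocol-level refusal. The article names no PLC protocol, so Modbus/TCP is assumed here because its function code makes read versus write explicit; the sample frames are constructed.

```python
# Added example (not from the InTech article): enforce "monitoring only" at a
# gateway by letting read requests through to the PLC and rejecting writes.
# Modbus/TCP is an assumption; the page itself names no protocol.
import struct

# Modbus function codes that only read data (coils, discrete inputs, registers).
READ_ONLY_FUNCTIONS = {1, 2, 3, 4}


def parse_mbap(frame: bytes) -> dict:
    """Split a Modbus/TCP frame into MBAP header fields plus the function code."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("not a Modbus protocol frame")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return {"transaction": tid, "unit": unit, "function": frame[7], "pdu": frame[7:]}


def filter_request(frame: bytes) -> tuple:
    """Return ('forward', frame) for reads, ('reject', exception_frame) for
    anything that would change PLC state, or ('drop', reason) for malformed input."""
    try:
        req = parse_mbap(frame)
    except ValueError as err:
        return ("drop", str(err))
    fc = req["function"]
    if fc in READ_ONLY_FUNCTIONS:
        return ("forward", frame)
    # Modbus exception response: function | 0x80, exception code 0x01 (illegal
    # function). The client gets a well-formed answer; the PLC never sees the write.
    exc_pdu = bytes([fc | 0x80, 0x01])
    header = struct.pack(">HHHB", req["transaction"], 0, len(exc_pdu) + 1, req["unit"])
    return ("reject", header + exc_pdu)


# Constructed sample frames (not captured from any real system).
READ_HOLDING = bytes.fromhex("0001000000060103000A0002")  # FC3: read 2 regs at 10
WRITE_SINGLE = bytes.fromhex("000200000006010600100001")  # FC6: write reg 16 := 1

if __name__ == "__main__":
    for name, frame in (("read", READ_HOLDING), ("write", WRITE_SINGLE)):
        verdict, payload = filter_request(frame)
        print(name, verdict, payload.hex() if isinstance(payload, bytes) else payload)
```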
