InTech

JAN-FEB 2018

Issue link: http://intechdigitalxp.isa.org/i/935787


rity concern. This port must be protected from unwanted access at all times. Ongoing security vigilance is required to ensure the router and VPN protocols remain up to date, and other technical considerations must also be addressed, including:

• Firewall configuration may be challenging.
• Subnet conflicts must be addressed across sites with similar network designs.
• User management and access must be well controlled.
• Event logging is not usually implemented and must be added if needed.
• Security certificates must be created and managed.
• Advanced networking knowledge is required.
• Client configuration is needed for each connection point.

Despite some drawbacks, this method is the preferred VPN solution if the IT staff is available and willing to make firewall changes, if the application requires high data bandwidth, or if the company does not want to rely on a hosting vendor.

Application example: Traditional VPN

Consider two types of OEM machine builders. The first OEM sells very large and complex printing presses with thousands of automation system I/O points, and its customers require the OEM to support the machine, including uptime and throughput guarantees. The OEM needs to remotely monitor and support its presses worldwide to make sure it meets its guarantees to customers. The OEM has considerable IT expertise and is capable of implementing a traditional VPN, and each of the customers is willing to allow the required firewall modifications. Each press also has multiple video cameras installed for remote viewing, a necessity for solving some of the more complex troubleshooting issues. Each printing press has a full-featured PC-based HMI installed for local viewing and data storage, with high-speed remote access to the HMI and its stored data required at all times. Therefore, large amounts of operating data must be continuously transmitted to the remote corporate control center.
A traditional VPN is the right solution in this application, because of the significant amount of data exchange required, which could be cost prohibitive for a hosted VPN, and because the right IT resources are available to support the solution at the control center and at each site.

Application example: Hosted VPN

The second OEM sells a machine that does not require video monitoring. Local operator interface is provided by an embedded HMI with limited data logging and storage functionality. The OEM machine builder needs two kinds of remote access. The first is VPN access to remotely troubleshoot, debug, and program the machine's PLC and HMI. Second, the OEM and its customers want to monitor the machine's most important operating parameters on dashboard screens from remote devices, such as smartphones and tablets. The OEM machine builder does not have an IT department, just one part-time person who set up the internal network. The automation staff consists of one or two control systems professionals who are experts when it comes to programming PLCs and HMIs to automate their machines, but who are not very familiar with IT, VPN, and router technology. Most of the OEM's customers are not willing or able to reconfigure their firewalls, eliminating the traditional VPN option. In this case, a hosted VPN is the best choice, because it will satisfy all of the OEM's and its customers' requirements, and it can be implemented without IT staff. Data logging is provided in the cloud, so the local HMI's limited data storage capability is not an issue. The machine builder can use widgets to create dashboard screens that many different users can view on remote devices. When full control and monitoring is required, it can be done by installing a lightweight software client on a PC, which can connect to the cloud from any location worldwide.
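The traditional-VPN considerations above include addressing subnet conflicts across sites with similar network designs, which is common when every machine ships with the same default LAN. The following pre-deployment check is an added example, not code from the article or from AutomationDirect; the site names and address ranges are constructed sample data.

```python
# Added example: flag overlapping site LANs before joining them by routed VPN.
# Site names and CIDR ranges are constructed, not taken from the article.
import ipaddress
from itertools import combinations

# Constructed inventory: the OEM control center plus three customer press sites.
# Shipping every press with the same default LAN is what produces routing
# conflicts once the sites are reachable over one VPN.
SITES = {
    "control-center": "10.50.0.0/16",
    "customer-a-press": "192.168.1.0/24",
    "customer-b-press": "192.168.1.0/24",   # same default LAN as customer A
    "customer-c-press": "10.50.7.0/24",     # lies inside the control center range
}


def find_subnet_conflicts(sites):
    """Return a sorted list of (site1, site2) pairs whose LAN ranges overlap.

    Two overlapping sites cannot both be reachable through a routed VPN: the
    VPN router has no way to decide which site a packet for, say,
    192.168.1.10 belongs to, so one of them must be renumbered or NATed.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in sites.items()}
    conflicts = []
    for (a, net_a), (b, net_b) in combinations(sorted(nets.items()), 2):
        if net_a.overlaps(net_b):
            conflicts.append((a, b))
    return conflicts


def report(sites):
    """Human-readable summary for running the check by hand."""
    conflicts = find_subnet_conflicts(sites)
    if not conflicts:
        return "no subnet conflicts"
    return "\n".join(f"CONFLICT: {a} <-> {b}" for a, b in conflicts)


if __name__ == "__main__":
    print(report(SITES))
```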
Many considerations

When designing a remote access solution using VPNs, there are many considerations influencing final implementation: initial and sustaining costs, technical expertise during installation and ongoing operation, site control, security risks, and data storage capabilities. Using the information in this article, end users can evaluate each option based on their needs, budget, and internal expertise—and then select the best choice for their applications.

ABOUT THE AUTHOR

Jonathan Griffith (jgriffith@automationdirect.com) is the product manager for industrial communications and power supplies at AutomationDirect. Before joining AutomationDirect in 2015, he worked at ANADIGICS, a Wi-Fi networking company.

View the online version at www.isa.org/intech/20180205.

32 INTECH JANUARY/FEBRUARY 2018 WWW.ISA.ORG

AUTOMATION IT

Remote access option tradeoffs

                                 Hosted VPN                       Traditional VPN
External cost, initial           Medium                           High
External cost, sustaining        Bandwidth dependent              Low
Internal support cost            Low                              High
Required technical expertise     Low                              High
Changes to existing firewall     Not required                     Required
Security risk                    Low                              Low
Data dashboards                  Available through subscription   Typically not available
Data storage and access          Available through subscription   Typically not available

RESOURCES

Q&A with authors of Industrial Data Communications
www.isa.org/q-and-a-with-authors-of-industrial-data-communications-fifth-edition

Industrial Automation Cybersecurity: Principles & Application
www.isa.org/ts13

IACS Cybersecurity Design & Implementation
www.isa.org/ic34/0318nc
