Automation is a critical factor in boosting productivity and efficiency within the manufacturing sector. The ability to remotely access industrial automation equipment becomes pivotal, allowing manufacturers to oversee and update their machinery from any location and at any time. Nevertheless, this task often proves to be intricate due to stringent cybersecurity demands, unique communication protocols from third-party sources, and the intricate nature of network infrastructures. This document delves into a secure connectivity service that facilitates remote access to industrial automation devices via SDA's cloud-hosted services.
The contemporary manufacturing landscape has witnessed a profound transformation, with automation emerging as a pivotal force behind improved growth and efficiency. The intricate nature of industrial automation equipment, such as Programmable Logic Controllers (PLCs), sensors, and Human-Machine Interfaces (HMIs), necessitates real-time monitoring, control, and adjustment by manufacturers. Consequently, the complexity of the programs running on these devices has underscored the significance of enabling remote access. This remote access empowers manufacturers to diagnose issues, conduct maintenance, and fine-tune their equipment regardless of physical location, yielding substantial cost savings, increased uptime, and enhanced overall efficiency.
However, despite these advantages, enabling remote access to industrial automation devices poses various challenges. This undertaking necessitates secure and dependable connections that do not jeopardize the security of devices or production processes. SDA's connectivity service addresses these hurdles, delivering a secure and efficient solution for PLC operators, including manufacturers and machine builders, seeking to enable remote access to their industrial automation devices. Integrated within SDA's PLC Ops offering, it proves cost-effective compared to single-function alternatives and streamlines the setup and integration of different solutions.
Challenges in Enabling Remote Access to Industrial Automation Devices
The process of enabling remote access to industrial automation devices presents several challenges for manufacturers, including:
Security Concerns:
Industrial automation devices often control critical production processes, making security paramount. Remote access must be secure and must not put device integrity or the production process at risk.
Legacy Devices:
Many manufacturers rely on legacy devices that lack native support for remote access. Enabling it without costly hardware upgrades is difficult, and any solution has to be matched to the interfaces and protocols each legacy device actually supports.
Complex Network Architectures:
Operational Technology (OT) networks, designed to meet specialized requirements, feature intricate architectures. Devices are often segmented across numerous subnets, with a demilitarized zone (DMZ) separating the OT and enterprise networks.
Proprietary Communication Protocols:
Industrial automation devices frequently rely on proprietary software and communication protocols (e.g., Siemens TIA Portal), which complicates establishing secure remote connections through a single solution.
Connectivity Reliability:
Remote access mandates dependable and secure connections, a challenge in regions with poor network coverage or unreliable internet connections.
Advantages of Secure Remote Access in Manufacturing
Remote access to machines offers significant benefits in manufacturing. According to ARC, a substantial portion (63%) of machine maintenance involves routine checks or discovering no issues. Additionally, over 30% of these repairs can be performed remotely by adjusting parameters over the Internet or with minimal onsite assistance. Since unplanned downtime can cost up to €500,000 per hour, remote access presents substantial savings for OEMs and asset owners.
It is crucial to recognize the distinctions between Industrial Control Systems (ICS) and Information Technology (IT) systems. ICS is optimized for high-speed data transmission and deterministic processes, and security has historically not been a primary design goal. Availability is paramount in ICS, whereas IT systems place security and confidentiality first. Furthermore, while IT risk analysis considers data loss or failure of business operations, ICS risk analysis focuses on loss of life, equipment, or product.
Top Recommendations for Secure Remote Access
Here are some key recommendations for end users and asset owners when selecting and implementing a robust, scalable, and secure remote access solution:
Implement Strong Identification and Authentication Controls:
Enforce robust identification and authentication controls for all users of the remote access solution. Each user should have a unique identity, and there should be a straightforward process for revoking access when needed. Change default passwords during initial configuration to prevent common security vulnerabilities, and use multi-factor authentication for enhanced security.
Ensure Confidentiality and Encryption for All Connections:
To protect the confidentiality of data and communications, use encrypted transports, such as a business VPN connection, whenever remote support personnel connect over the Internet. Additionally, employ robust authentication mechanisms, such as token-based multi-factor authentication, to add an extra layer of security to remote access sessions.
Establish Access Controls and Connection Management:
Centralized user rights management at the server level is a best practice. Organize users into groups with assigned roles for accessing routers or groups of routers. Maintain comprehensive logs of access control events, errors, configuration changes, and other activities for auditing purposes. Implement a mechanism for switching remote sessions on and off so that plant staff retain control over vendor remote connectivity.
Choose a Maintainable Solution:
Staying up to date with the latest firmware versions and security patch updates is critical. Follow the manufacturer's recommendations for updates and security patches. Consider receiving notifications from organizations like ICS-CERT about vulnerabilities in industrial automation equipment and adhere to their recommendations for patching. Ensure high availability of the remote access service, especially for emergency operational support, by working with service providers who offer Service Level Agreements (SLAs) and reinforce these SLAs with appropriate actions and control objectives.
Design a Secure Remote Access Architecture:
Ensure that machine vendors can only reach the machines under their responsibility for support and maintenance within the plant. This is achieved by segregating each machine's network segment from the rest of the network. Avoid using control devices (e.g., HMI, PC, PLC) as VPN endpoints for remote connectivity, as this can affect their performance. Instead, employ external routers as boundary protection devices that filter packets and shield control systems from external attacks.
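As an added example that is not the article's own text or SDA's code, the Python below models the recommendations above as one server-side policy object: unique user identities with MFA, group-based rights scoped to routers, a time-boxed session window that plant staff open and close, a single revocation switch, and an audit log of every decision. The user names, group names, router names and timestamps are constructed for illustration; the default outcome is deny.

```python
"""Centralised remote-access policy model (illustrative, not vendor code).

Users belong to groups; groups are granted routers; plant staff open a
time-boxed session window per router; every decision is written to an audit log.
"""
from datetime import datetime, timedelta, timezone
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class User:
    name: str
    groups: Set[str]
    mfa_enrolled: bool
    active: bool = True


@dataclass
class AuditEvent:
    ts: datetime
    user: str
    router: str
    action: str
    outcome: str


class RemoteAccessPolicy:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.group_routers: Dict[str, Set[str]] = {}   # group -> routers it may reach
        self.session_until: Dict[str, datetime] = {}   # router -> end of open window
        self.audit: List[AuditEvent] = []

    def _log(self, user: str, router: str, action: str, outcome: str, now: datetime) -> None:
        self.audit.append(AuditEvent(now, user, router, action, outcome))

    def add_user(self, name: str, groups: Set[str], mfa_enrolled: bool) -> None:
        self.users[name] = User(name, set(groups), mfa_enrolled)

    def grant(self, group: str, routers: Set[str]) -> None:
        self.group_routers.setdefault(group, set()).update(routers)

    def revoke_user(self, name: str, now: datetime) -> None:
        """One switch to cut off a leaver or a finished contractor."""
        if name in self.users:
            self.users[name].active = False
            self._log(name, "*", "revoke_user", "ok", now)

    def open_session(self, operator: str, router: str, minutes: int, now: datetime) -> None:
        """Plant staff open a time-boxed window; the router is unreachable otherwise."""
        self.session_until[router] = now + timedelta(minutes=minutes)
        self._log(operator, router, "open_session", f"{minutes}min", now)

    def close_session(self, operator: str, router: str, now: datetime) -> None:
        self.session_until.pop(router, None)
        self._log(operator, router, "close_session", "ok", now)

    def authorize(self, name: str, router: str, mfa_passed: bool, now: datetime) -> bool:
        """Decide whether `name` may tunnel to `router` right now (default deny)."""
        user = self.users.get(name)
        if user is None or not user.active:
            self._log(name, router, "connect", "deny:unknown_or_revoked", now)
            return False
        if not (user.mfa_enrolled and mfa_passed):
            self._log(name, router, "connect", "deny:mfa", now)
            return False
        reachable = set().union(*(self.group_routers.get(g, set()) for g in user.groups))
        if router not in reachable:
            self._log(name, router, "connect", "deny:out_of_scope", now)
            return False
        until = self.session_until.get(router)
        if until is None or now >= until:
            self._log(name, router, "connect", "deny:session_closed", now)
            return False
        self._log(name, router, "connect", "allow", now)
        return True


def demo() -> dict:
    """Constructed scenario: two machine vendors, each scoped to its own line."""
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    policy = RemoteAccessPolicy()
    policy.add_user("alice@vendor-a.example", {"vendor-a"}, mfa_enrolled=True)
    policy.add_user("bob@vendor-b.example", {"vendor-b"}, mfa_enrolled=True)
    policy.grant("vendor-a", {"line1-router"})
    policy.grant("vendor-b", {"line2-router"})
    policy.open_session("plant-ops", "line1-router", 60, t0)
    decisions = [
        policy.authorize("alice@vendor-a.example", "line1-router", True, t0),   # allow
        policy.authorize("alice@vendor-a.example", "line2-router", True, t0),   # not her machine
        policy.authorize("bob@vendor-b.example", "line2-router", True, t0),     # no window open
        policy.authorize("alice@vendor-a.example", "line1-router", False, t0),  # MFA failed
        policy.authorize("alice@vendor-a.example", "line1-router", True,
                         t0 + timedelta(minutes=61)),                            # window expired
    ]
    policy.revoke_user("alice@vendor-a.example", t0)
    decisions.append(policy.authorize("alice@vendor-a.example", "line1-router", True, t0))
    outcomes = [e.outcome for e in policy.audit if e.action == "connect"]
    return {"decisions": decisions, "outcomes": outcomes}


if __name__ == "__main__":
    for d, o in zip(*demo().values()):
        print(d, o)
```

Two design choices matter here: the session window is keyed on the router, not the user, so plant staff control when a machine is reachable at all, and every deny path is logged with a distinct reason so the audit trail shows whether a refusal was due to scope, MFA, revocation or a closed window.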
How to implement secure remote access to industrial automation systems?
Many machine builders, plants, and facilities now require remote access to local programmable logic controllers (PLCs), human-machine interfaces (HMIs), and other automation system components. In the past, many industrial networks were configured with routers without a virtual private network (VPN). However, due to security risks, new installations should avoid this approach.
While a business VPN plays a crucial role in a defense-in-depth strategy, establishing remote and secure connectivity to local components poses challenges regarding technology, cost, and resource allocation. This article introduces two options to address these challenges, each with its own advantages and design considerations: a hosted VPN and a traditional VPN.
The choice between a hosted VPN and a traditional VPN depends on four key factors:
- Will all remote access requirements adhere to similar information technology (IT) conditions, allowing for uniform router configurations at each site?
- Is there available IT expertise to support a traditional VPN?
- Is the IT team willing to manage a traditional VPN?
- Will there be a need for high bandwidth?
When the response to all four questions is "yes," a traditional VPN may be the preferred option.
Hosted VPN vs. Traditional VPN:
Hosted VPNs offer a secure connection with a straightforward setup and network configuration. Typical hosted VPN solutions include a VPN router, a hosted VPN server, a VPN client, and interconnected automation system components.
Establishing a secure connection between the VPN client and the router occurs when both the router and VPN client connect to the cloud-hosted VPN server. The router initiates this connection immediately upon startup, while the VPN client connects only upon receiving a verified request from a remote user. Once both connections are established, all data passing through this VPN tunnel remains secure.
In contrast to traditional VPNs, which require opening inbound firewall ports, hosted VPNs operate through outbound connections on standard ports that are typically already open, such as TCP 443 (HTTPS). This usually eliminates the need for changes to the corporate IT firewall and addresses IT security concerns; the security of the tunnel then rests on the router authenticating the cloud server it dials out to and on that server's access controls. Traditional VPNs, on the other hand, require IT involvement and oversight to open inbound firewall ports.
Another notable advantage of a hosted VPN is its straightforward router configuration. Since the secure router is linked to a predefined cloud server, the router comes pre-configured, requiring only basic network information from the user. The router's internal firewall is also pre-set to keep the plant floor network segregated from the corporate network.
On the other hand, traditional VPN entails using a local VPN router to establish an Internet connection and create a secure VPN tunnel with a second remote VPN router or software client. Once the connection is established, remote users can access the automation components linked to the local router through the VPN tunnel.
Unlike the hosted VPN, no intermediary cloud server is involved in either connection method: VPN router to VPN router, or VPN router to VPN software client. This option is preferred when substantial volumes of data must be exchanged continuously between the local and remote sites, for instance for remote viewing of local video feeds.
This approach is widely adopted and was the sole method for secure two-way access before the advent of cloud-based remote access solutions. It can, however, be intricate and resource-intensive in terms of the support required, both at the local and remote sites.
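The following Python model is an added example, not part of the original article and not any vendor's router firmware or configuration. It encodes the two site-router firewall policies contrasted above as first-match rulesets with a default-drop policy, then evaluates sample packets against them to show the practical difference: the hosted option opens no inbound port at all and only dials out to the relay on TCP 443, while the traditional option must accept inbound VPN traffic on the router's WAN address. All addresses are RFC 1918 or documentation-range values chosen for the example, and the assumption that the traditional VPN is IPsec (IKE on UDP 500, NAT-T on UDP 4500) is mine; an OpenVPN-style deployment would open a different port but the shape of the comparison is the same.

```python
"""Site-router packet-filter model: hosted VPN vs traditional VPN rulesets.
Illustrative only; the subnets, addresses and VPN ports below are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

PLANT_LAN = "10.10.0.0/24"      # assumed machine network behind the site router
CORP_LAN = "10.0.0.0/16"        # assumed corporate IT network
ROUTER_WAN = "192.0.2.1/32"     # assumed Internet-facing address of the site router
VPN_RELAY = "203.0.113.10/32"   # assumed cloud-hosted VPN server (hosted option only)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int
    new: bool     # True for a connection-opening packet (TCP SYN / first datagram)


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    src: Optional[str] = None    # CIDR; None matches any
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    new: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.new is not None and self.new != p.new:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet, default: str = "drop") -> str:
    """First matching rule wins; anything unmatched hits the default-drop policy."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# Hosted VPN: the router only ever dials OUT to the relay on 443; nothing is
# accepted inbound, and plant floor and corporate LAN are isolated both ways.
HOSTED_VPN_RULES = [
    Rule("accept", new=False),                                           # replies to established flows
    Rule("accept", src=ROUTER_WAN, dst=VPN_RELAY, proto="tcp", dport=443, new=True),
    Rule("drop", src=CORP_LAN, dst=PLANT_LAN),
    Rule("drop", src=PLANT_LAN, dst=CORP_LAN),
]

# Traditional IPsec VPN (assumed): inbound IKE (UDP 500) and NAT-T (UDP 4500)
# must be accepted on the WAN address, which is the hole IT has to approve.
TRADITIONAL_VPN_RULES = [
    Rule("accept", new=False),
    Rule("accept", dst=ROUTER_WAN, proto="udp", dport=500, new=True),
    Rule("accept", dst=ROUTER_WAN, proto="udp", dport=4500, new=True),
    Rule("drop", src=CORP_LAN, dst=PLANT_LAN),
    Rule("drop", src=PLANT_LAN, dst=CORP_LAN),
]


def inbound_ports(rules: List[Rule]) -> Set[int]:
    """Ports a ruleset opens for new connections arriving at the router's WAN side."""
    return {r.dport for r in rules
            if r.action == "accept" and r.new and r.dst == ROUTER_WAN and r.dport}


if __name__ == "__main__":
    samples = [
        ("router dials relay", Packet("192.0.2.1", "203.0.113.10", "tcp", 443, True)),
        ("Internet host probes VPN port", Packet("198.51.100.7", "192.0.2.1", "udp", 4500, True)),
        ("corporate PC to PLC (S7 on 102)", Packet("10.0.5.20", "10.10.0.50", "tcp", 102, True)),
        ("PLC to Internet", Packet("10.10.0.50", "198.51.100.7", "tcp", 443, True)),
    ]
    for label, pkt in samples:
        print(f"{label:32} hosted={evaluate(HOSTED_VPN_RULES, pkt):6} "
              f"traditional={evaluate(TRADITIONAL_VPN_RULES, pkt)}")
    print("inbound ports:", inbound_ports(HOSTED_VPN_RULES), inbound_ports(TRADITIONAL_VPN_RULES))
```

The model is deliberately stateful only in the crudest way (a `new` flag standing in for connection tracking); real routers track flows, but the point survives the simplification: under the hosted ruleset `inbound_ports` is empty, so there is nothing for an Internet-side scan to find, and the plant-to-corporate drop rules hold under both options.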
Wrapping Up
When crafting a remote access solution through VPNs for business, various factors come into play and influence the ultimate implementation. These factors encompass initial and ongoing expenses, technical proficiency needed for setup and maintenance, site management, security vulnerabilities, and data storage capabilities.
By leveraging the insights provided in this article, readers can assess each option against their specific requirements, financial constraints, and internal expertise, and with this informed evaluation confidently choose the most suitable solution for their applications.