Integrator Update: Remote access programming
Internet promises of better remote access, monitoring, and tweaking of automation systems have been slowed by malware and other security issues; options are available for secure remote access programming.
The concept of remotely accessing, monitoring, and tweaking automation systems has been around since the late 1980s, and the Internet seemed to be the “Promised Land,” just around the corner. Just about the time we were ready to perform a happy dance atop the Internet bandwagon, malware and security issues reared their ugly heads and ruined the party.
In the beginning
The year 1988 was about the time the major PLC manufacturers first made noise about remote access. It was a good idea, but back then, the only option available was a dial-up modem. This required a lot of tinkering and faced three obstacles.
First, the connections were slow—really slow, and even after 20 years of progress they didn’t get better. According to Leslie Adams of Chicago’s MAAC Machinery (in 2012), “I remember the frustration associated with trying to monitor machines when it took a long time for information to make its way back via the modem connection. In one instance, we were working with a machine in Australia and the delay ran up to 15 seconds.” With speeds like that, any thoughts of actively making changes on the fly are pretty much shot.
The coups de grace was when the search began for a telephone line on the plant floor. There are issues with getting an analog line down to a machine. When dozens of machines were scattered throughout a manufacturing facility, it was nearly impossible. Even today, phone lines can be iffy. James Alongi, MAAC’s president, noted, “Those of us in the U.S. and Canada take solid phone infrastructure for granted. This is not true in other parts of the globe.” Developing countries in Asia, Latin America, and even some first-world nations regularly suffer from spotty phone service.
So modems were applied on some mission-critical systems, ones that could shut down a whole plant. Things like the main ammonia chiller inside a food processing plant might justify having a line, but the rest of the applications went begging, and engineers continued to go on expensive unplanned trips.
Let there be Internet
The late 1990s brought an Internet explosion followed by a logarithmic proliferation of Ethernet devices. In a couple of years, it was Ethernet everything. And in 2001 when companies like Rockwell Automation began introducing Ethernet-enabled programmable controllers (and then drives, operator interface devices, and other components), it looked like remote connectivity problems were over.
Using plant wide networks hooked to the Internet, it became possible to sit in a comfortable office and fine-tune processors wherever they may be. Expensive and physically exhausting last-minute trips to customer sites would be a thing of the past.
Paradise lost, devils in malware
In the early days of the Internet, most of us had no way to imagine the evils of spyware, malware, and code capable of bringing whole companies to their knees. As businesses became networked, one bit of this nasty stuff could shut down million-dollar operations. A hell-bent hacker worming into a plant-wide network could conceivably access sensitive information, such as private human-resource information, trade secrets, and more. Proprietary processes, formulas for new products, and sensitive e-mail correspondence are choice targets. U.S. IT departments switched from utility providers to private detectives. We’re still basking in the red light warning of a new heightened state of security. Security can create a barrier for those who had hoped to use the Internet to monitor machinery.
Currently, the virtual private network (VPN) is the most common method for allowing employees remote access to a company or plant network. If you can access company e-mail or other files (that aren’t cloud-based) from home or a motel room, it is likely via a VPN. When you joined your organization, someone from the IT department created an encrypted certificate for you that provides secure network access.
VPN is defined as a network that uses public infrastructure (like the Internet) to provide remote offices or individual users with secure access to a private company network. It aims to avoid an expensive array of private or leased lines that can only be used by one company at a time. VPNs encapsulate data transfers between two or more networked devices that are not on the same private network. This keeps the transferred date secure from devices on one or more intervening local or wide area networks.
VPN also is used for remote access to factory machines to allow the machine builder to work remotely. There are four main problems:
- A PC must be installed near the machine with the necessary software to connect to a remote desktop.
- The machine builder must be given a username and password to reach the PC.
- Depending on architecture, this “outsider” also may have the ability to access the rest of the factory network, which makes most companies very nervous.
- There is a lack of traceability. Without appropriate software, it is impossible to verify who has been on the system and when and where they made changes.
Simply stated, access through the network and VPN is (or should be) highly guarded. Once a user is on the VPN, he may have access to the whole network. And that’s the problem. Corporate IT groups spend enormous resources setting up new users and regulating access to the VPN. Nearly every company has a procedure that automatically informs the IT group if someone quits or is terminated, and they close off network access immediately.
In most company environments the VPN will be open to automation providers for only a couple of days before or after they work. While this minimizes risk to the customer’s network, it eliminates chances of taking a proactive look at the customer’s system. Worse for the engineer involved, once on the customer’s network, the engineer must remember a long string of IP address numbers to find the right PLC. The 30-plus-year war of wills between control engineers and corporate IT departments can add difficulties.
See the future from here
Promising technologies are pushing into the remote access arena. Many come on the verge of Stuxnet and an inherent escalation of the computer-securities war. One such new technology comes from Belgium-based eWon (a systems integration company turned manufacturer). It uses unique hardware, cloud computing, and VPN router technologies (LAN, PSTN, GPRS, 2G, 3G) in an industrial case. The product establishes a secure Internet connection between the user and the machine with minimal effort using the factory LAN. The eWon Talk2M (talk to machine) is a smart Web-based remote access method integrating IT security standards by enabling Internet tunneling between the user and the remote machine without requiring changes to IT network security settings at either end. This allows easy deployment while hiding the complexity of the IT network infrastructure. Since cloud connections are outbound, firewalls remain intact to protect the network against malware and viruses, like Stuxnet.
A California-based systems integrator specializing in water treatment systems is among early adopters of the eWon technology. Darian Slywka of American Water Technology said, “VPN network connections used to be a major hassle. As you might imagine, there are significant issues with security relating to utility infrastructure. Opening ports in a firewall creates concerns for both the customer and our own systems.”
American Water Technology uses eWon Talk2M and related services to assign engineers and programmers based on workload, project dynamics, and business requirements. They monitor equipment access and log the time they spend working remotely. They can monitor, debug, and later troubleshoot literally any device with an Ethernet connection; things like PLCs, drives, instrumentation, and other devices can be connected as easily as if they were within arm’s reach.
The eWon device automatically grabs an IP address, so there are no issues with assigning one, saving time and effort. Talk2M Pro service manages control access between users and the machine. Plus, the software only allows communication with eWon devices, resolving security issues.
Remote connectivity is a good economic decision. With last-minute airfare and a hotel room pushing the thousand-dollar mark, travel costs justify a remote access strategy. When the lost productivity from being out of the office is factored in, costs skyrocket.
According to MAAC Machinery’s Leslie Adams, eWon use eliminates “50%-70% of our support cost, in addition to significantly reducing hours of machine downtime normally associated with waiting for a service technician. Travel time wasted on field trips equates to a lot of money. Sitting in airports and driving out to customer installations means a whole lot of unproductive time—time we prefer our programmers spend working on new machines or fine-tuning existing systems. When these guys are gone, they simply aren’t working on the important stuff.”
Other companies share similar justification. Joe Reilly, VP of technology at Comtec Industries, a manufacturer working with commercial bakeries, said, “In the baking business, downtime is expensive. With the Model 2900 operating at 3,600 crusts per hour, downtime could easily reach upwards of $7,000 per hour in lost revenue. With numbers like this, it’s safe to say we will save hundreds of thousands of dollars in lost production over the life of these machines. And, the money we save our customers when we eliminate a field trip is just icing on the cake (no pun intended). When we drop everything and rush out to a field emergency, our costs skyrocket.”
At last, engineering elegance meets economic impact with practical remote access of automation equipment. We’re at the gates of Nirvana.
- Frank Hurtte is founding partner of River Heights Consulting. Edited by Mark T. Hoske, content manager, CFE Media, Control Engineering and Plant Engineering, mhoske(at)cfemedia.com.
www.controleng.com/safety for the Safety and Security channel
- Remote access to machinery decreases downtime
- External access needs to be secure
- Tools can reduce remote access risk
One downtime incident or security breach could justify enabling remote access connections to critical plant assets.