Selecting HMI remote access options
Two leading methods exist for establishing mobile human-machine interface (HMI) connectivity, and one of them provides considerably more cybersecurity. See the table comparing remote access HMI connections.
Mobile human-machine interface (HMI) access is a necessity for many industrial automation applications, and two typical methods exist to implement this connectivity with routers and virtual private networks (VPNs):
- Standard router without VPN
- Cloud-hosted VPN router.
The first is a standard router, and although it is not secure, it is still used in many existing mobile HMI applications, and even in some newer ones. A primary attraction is its low cost, but this approach is discouraged because it poses significant cybersecurity risks when port forwarding is enabled in the firewall as this exposes the network to external threats.
A cloud-hosted VPN router simplifies information technology (IT) complexity by creating an encrypted connection from a local VPN router to a cloud-hosted VPN router via the internet. Remote users can securely access the local components and systems via the cloud-hosted VPN router. This option provides a high degree of cybersecurity, along with simpler configuration and maintenance.
A third option, a traditional VPN router implementation, is not considered here because of the complexity of deploying this type of connection. It involves opening inbound connections and so creates complications and risks similar to those of a standard router implementation.
To evaluate each of the two types of remote access for mobile HMIs, accessed from a laptop, smartphone or tablet, see the table summarizing differences.
Table comparison of remote access HMI connections

| | Standard router | Cloud-hosted VPN router |
|---|---|---|
| HMI programming from a laptop PC | | |
| 3rd party mobile app support | | |
| Security risk – laptop | Not secure due to port forwarding | Secure through VPN client |
| Security risk – mobile | Not secure due to port forwarding | Secure through mobile VPN |
| Changes to existing firewall | Required (port forwarding) | Not required, although an outbound rule may be required |
| Required technical expertise | | |
| Data dashboards, alerts | Typically not available | Available through subscription |
In many industrial applications, a standard router and firewall are used to protect the corporate and industrial plant networks (Figure 1), requiring users to manually configure and manage all routing and firewall settings. This type of router does not usually have a VPN to encrypt data; instead, it relies on port forwarding "holes" in the firewall so that remote users can reach specific applications and components on the plant network.
Most HMI users want the same level of access whether remote or local. Laptops normally connect to the HMI web server for monitoring data and making changes to setpoints and other parameters, or they connect to the HMI with programming software to troubleshoot or make program changes.
To connect remotely using a standard router, port forwarding is usually configured to allow access to the HMI, or to a local PC running remote access software. The local PC provides the remote user with the ability to run the HMI programming software.
HMI mobile apps also require port forwarding so the remote user can access the local HMI for control or viewing data. These apps usually provide the same functionality as browser-based remote access, but via an app rather than a browser.
The main concern with this approach is the security risk associated with port forwarding in mobile and PC-based applications. It's easy for a hacker to determine which ports are open on a firewall and thereby gain entry to the corporate or plant network through the router.
While port forwarding can be extremely efficient and useful when done within a corporate or plant network, it is extremely dangerous to use this functionality at an internet-corporate interface. Organizations should avoid this router approach for new installations and should convert existing standard router installations to a more secure connection such as a cloud-hosted VPN router instead.
Cloud-hosted VPN router
Cloud-hosted VPNs provide a secure connection with simple setup and network configuration. Typical cloud-hosted VPN options include a local VPN router, a cloud-hosted VPN server, a VPN client and connected automation components (Figure 2).
A secure connection is established after the local router (at the plant/controls network) and VPN client (software installed at the user’s laptop or mobile device) each make a connection to the cloud-hosted VPN server. The local router makes this connection immediately upon startup, but a VPN client only connects upon a verified request from a remote user. Once both connections have been made, all data passing through this VPN tunnel is secure.
Most cloud-hosted VPNs provide a free monthly bandwidth allocation for basic operation and then throttle data access once this allocation is reached, and also offer a premium plan for additional bandwidth.
For example, one product offers 5GB of free VPN data exchange per month, which is sufficient for most troubleshooting, monitoring and programming needs. Security risk is reduced when the local router initiates communication to the server via an outbound connection through standard open ports such as HTTPS. This usually requires no changes to the corporate IT firewall and satisfies IT security concerns. For added security confidence, users should look for cloud-hosted VPNs whose supplier operates an industry-certified information security management system such as ISO/IEC 27001:2013. This indicates the supplier has implemented comprehensive security programs and controls.
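As an added illustration (not from the original article or from any router vendor), the following Python script audits a plant-perimeter firewall policy for the two patterns discussed above: inbound port-forwarding rules, which a standard router deployment depends on, are reported as exposure, while a policy with no inbound allows is checked for the single outbound HTTPS rule a cloud-hosted VPN router needs. The rule format, the LAN addresses, the placeholder hostname vpn-server.example.net and all three sample policies are constructed assumptions.

```python
"""Audit of a plant-perimeter firewall policy for the two HMI remote-access
patterns discussed in the article. Added example: the rule representation
and the sample policies are constructed for illustration, not exported from
any router product."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str           # "inbound" (Internet -> plant LAN) or "outbound" (plant LAN -> Internet)
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # destination port; None means any port
    dst_host: str            # destination host, or "any"
    note: str = ""           # free-text label (constructed)


def port_forward_holes(rules: List[Rule]) -> List[Rule]:
    """Inbound allow rules that forward Internet traffic to a LAN host.

    These are the port-forwarding "holes" a standard-router deployment relies
    on. Rules are evaluated first-match: a catch-all inbound deny ends the
    scan because anything after it is unreachable."""
    holes = []
    for r in rules:
        if r.direction != "inbound":
            continue
        if r.action == "allow":
            holes.append(r)
        elif (r.proto, r.dst_port, r.dst_host) == ("any", None, "any"):
            break
    return holes


def allows_outbound(rules: List[Rule], host: str, port: int) -> bool:
    """First-match evaluation of the outbound rules for LAN -> host:port.

    A cloud-hosted VPN router only needs this one outbound path (typically
    HTTPS/443 to the cloud VPN server); an outbound-any rule already covers it."""
    for r in rules:
        if r.direction != "outbound":
            continue
        host_match = r.dst_host in (host, "any")
        port_match = r.dst_port in (port, None)
        proto_match = r.proto in ("tcp", "any")
        if host_match and port_match and proto_match:
            return r.action == "allow"
    return False  # no matching rule: treat as implicit deny


def classify_policy(rules: List[Rule], vpn_server: str,
                    vpn_port: int = 443) -> Tuple[str, List[str]]:
    """Summarise what the policy says about the remote-access pattern in use."""
    holes = port_forward_holes(rules)
    if holes:
        findings = [f"{r.proto}/{r.dst_port or 'any'} -> {r.dst_host} ({r.note or 'no label'})"
                    for r in holes]
        return "exposed-by-port-forwarding", findings
    if allows_outbound(rules, vpn_server, vpn_port):
        return "cloud-vpn-ready", []
    return "cloud-vpn-needs-outbound-rule", [f"add: outbound tcp/{vpn_port} -> {vpn_server}"]


# Constructed policy 1: standard router forwarding Internet traffic to the HMI
# web server and to a PC running remote-access software (the discouraged pattern).
STANDARD_ROUTER_POLICY = [
    Rule("inbound", "allow", "tcp", 80, "10.0.1.20", "HMI web server"),
    Rule("inbound", "allow", "tcp", 3389, "10.0.1.30", "remote desktop to programming PC"),
    Rule("inbound", "deny", "any", None, "any", "default deny"),
    Rule("outbound", "allow", "any", None, "any", "unrestricted egress"),
]

# Constructed policy 2: cloud-hosted VPN router. No inbound allows at all; the
# only change to the existing firewall is one outbound HTTPS rule to the cloud
# VPN server (placeholder hostname).
CLOUD_VPN_POLICY = [
    Rule("inbound", "deny", "any", None, "any", "default deny"),
    Rule("outbound", "allow", "tcp", 443, "vpn-server.example.net", "plant VPN router -> cloud VPN server"),
    Rule("outbound", "deny", "any", None, "any", "default deny"),
]

# Constructed policy 3: egress locked down and the VPN rule not yet added.
LOCKED_DOWN_POLICY = [
    Rule("inbound", "deny", "any", None, "any", "default deny"),
    Rule("outbound", "deny", "any", None, "any", "default deny"),
]

if __name__ == "__main__":
    for name, policy in [("standard router", STANDARD_ROUTER_POLICY),
                         ("cloud VPN router", CLOUD_VPN_POLICY),
                         ("locked down", LOCKED_DOWN_POLICY)]:
        verdict, details = classify_policy(policy, "vpn-server.example.net")
        print(f"{name}: {verdict}")
        for d in details:
            print("  -", d)
```

Run against a real export, the interesting result is the first verdict: every inbound allow listed is a service reachable from the public address, which is exactly the exposure the article describes. The third verdict shows the only firewall change a cloud-hosted VPN router typically needs when egress is restricted.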
Easier router configuration
Another advantage of a cloud-hosted VPN is simple router configuration. Since the secure local router (Figure 3) will be connected to a predefined cloud server, the router comes preconfigured with complicated VPN networking settings in place, allowing non-IT staff to install it. All that’s required is knowing the IP addresses of the automation components connected to the local area network and if the internet service provider (ISP) or corporate-wide area network router (not the cloud-hosted VPN router) provides IP addresses dynamically or statically.
Other advanced options may include cloud data logging and alarm notification, which provides a subset of HMI functionality and also is easier to use than custom programming. These services allow users to log system data and receive customized critical alarms on their mobile devices or laptops, providing a convenient, web-based historical record of system performance available when needed.
Mobile app-based remote access
Industrial HMI and programmable logic controller (PLC) components are increasingly supported with mobile apps. This provides users with remote access anytime from anywhere, with monitoring and control capabilities. To securely access industrial equipment, the mobile device must also employ VPN technology to encrypt the data from the mobile device to the plant network. Without mobile VPN, the firewall ports at the plant will need to be opened, creating a similar scenario to the standard router and leaving the plant network vulnerable to a cyberattack.
Using a hosted VPN provides a secure VPN connection for laptops and mobile devices; the latter is via a fully supported mobile application with VPN. Once securely connected to the plant network through the mobile VPN app, the third-party HMI or PLC app can then be opened and connected to the local HMI and PLC components as if the mobile user was on-site, because the user is there virtually.
Some routers provide a hosted VPN with connections for laptops and mobile devices. Apple iOS and Google Android mobile device apps are available, providing users with a secure connection to the plant network.
App-based access in action
Some cloud-hosted VPN vendors also provide app-based access to data logging software running in the cloud, along with widgets for configuring customized dashboards to be viewed remotely (Figure 4).
This built-in cloud logging could be particularly effective for an original equipment manufacturer (OEM) machine builder with thousands of machines installed worldwide at hundreds of locations, each with multiple users. The OEM would provide a VPN router for each machine, pre-configured to log data and including customized dashboards for remote viewing on the mobile app. No effort would be required by the OEM’s customers to configure, install or maintain remote access software — other than installing an app on a smartphone or tablet.
For more comprehensive access beyond dashboards, remote users could access local HMIs and PLCs via apps using the mobile VPN provided by the hosted VPN supplier. For example, some mobile HMI software works securely when used in conjunction with a supplier-specific VPN router. Local equipment could also be securely accessed remotely by a PC for programming, monitoring or troubleshooting.
Cloud-based VPN security
Access to local HMIs and automation systems by mobile devices and laptops is a necessity for many OEMs and other companies. Using a cloud-hosted VPN to provide this access results in a secure system with simple installation, configuration and maintenance.
Jonathan Griffith is product manager for industrial communications and power supplies at AutomationDirect. Edited by Mark T. Hoske, content manager, Control Engineering, CFE Media, firstname.lastname@example.org.
KEYWORDS: Mobile HMI, secure VPN monitoring
Options for mobile HMI access include a standard router, cloud-based VPN router, or creating inbound connections.
Security risks exist with standard router and inbound connections.
Simpler options have advantages.
Could more mobile HMI access help you do your job better?