IT in Manufacturing


Remote industrial automation ­services via the Internet

October 2015 IT in Manufacturing

Remote access for servicing PLCs, HMI panels or other industrial equipment is becoming a must-have for most OEMs (Own Equipment Manufactures) and system integrators in order to live up to their contractual obligations. It is not just about travel budget cost reductions; more critical is the contractual obligation for response time and up time, and with the increasing complexity of industrial installations, efficient use of critical engineering resources is vital. Optimising service offerings and resources requires selection of the right solution for remote access, to ensure focus is kept on the core business.

Identify the category of remote service that covers your needs

Remote monitoring

The term remote monitoring (or remote management) typically covers collecting specific predefined information from devices, and processing them on a central server. The main purpose is to perform preventive or predictive maintenance, and if a critical problem is detected, a technician will travel on site. Note that such solutions are typically not designed to allow establishing of connections through which you can service the equipment remotely. This type of solution is very common for utility installations.

Remote service via remote desktop

Several low cost, or even free solutions, exist for providing remote desktop access to equipment inside a network. Most of the solutions require that both ends are manned, which is typically not the case for a service PC at the factory. Solutions do exist that allow secure remote access to unmanned equipment inside local networks, but these solutions are typically not cheap. Add to this the administrative task of maintaining a Windows PC (with its frequent security updates) and the potential cost of software licences for the PLC or HMI programming software packages installed on the PC, and the setup may seem less ideal .

Remote service via port forwarding

Solutions in this category are typically based on a hardware unit at the site that acts as an Internet router to the equipment. The most simple solutions are based on the router having a fixed IP address on the Internet, which 'routes' or 'port forward' incoming connections to the equipment; pretty similar to the traditional dial-up modems. This type of setup is typically seen for video surveillance. The risk of exposing access to industrial equipment directly on the Internet, using unencrypted connections, combined with the need for fixed IP addresses, essentially rules these solutions out.

Remote service via data tunnelling

This is the kind solution that would fit most remote service needs. Traditional IT solutions based on VPNs have existed for more than a decade, but in recent years, VPN solutions ­specifically addressing the automation industry have multiplied. Most of them are just traditional VPN solutions packaged for automation use, by offering DIN rail mounting and 24 V power feed. Some vendors have taken a step further to disguise complex IT con­figuration from the users and eliminate need for changing firewall settings. These solutions typically involve a central M2M server, acting as a portal for user access control and data re­direction. At least one vendor, namely the Danish company Secomea, has evolved away from VPN completely, and instead uses a concept of encrypted proxy connections for solving challenges that VPN technologies by nature have difficulties to overcome.

What to watch out for in relation to the above category

Ease of deployment – a vital part of overall security

Ease of installation and configuration is essential for saving time, and for enabling non IT literate personal to deploy the solution. It should not be necessary to configure firewall or routing rules, or to install third-party software that are not an integrated part of the solution. Installation and initial configuration should be possible to do by the same engineer that handles the electrical wiring, and user access control and configuration of device access should be manageable by the PLC programmer, the OEM project manager or the site administrator.

Using the customer network, and security argumentation

Typically a factory, or its machines, would run in a network isolated from the corporate office network, but typically it will only be the office network that can connect to the Internet. When using a standard VPN enabled router for accessing the machine network, you would typically connect its WAN side to the office network, and the LAN side to the machine network.

IT departments will not be happy about a third-party connection between the networks, even if you argue that the router has a built-in firewall that prevents unauthorised access between the networks. So you will have to explain precisely how the solution works and why it does not compromise security. Such information should be provided by the remote access solution vendor.

Additionally the solution must be able to establish its encrypted tunnel connection to the Internet based on ports that are commonly open. This would be 'web' ports, such as 80 (http) and 443 (https). Do not expect IT departments to open specific ports on your request.

Network conflict issues

Maybe one of the most common issues when connecting multiple users and networks together is 'network conflicts'. When connecting networks statically via routers or VPN connections, all networks must have different 'IP subnets'.

A typical issue is that two factories may use the same IP subnet. Most industrial remote access solutions solve that by dynamically establishing the connection on-demand, and close it again when done. The only limitation is that the service engineer cannot be connected to both factories simultaneously, which would typically not be necessary either.

More critical is the scenario where the engineer sits in an IP subnet that is identical to that of the factory (e.g. a user sits in subnet 192.169.0.10/24, and attempts to connect via VPN to a factory that uses the exact same subnet). For routed technologies this will simply not work. It could be solved by making alias addresses and applying NAT (network access translation), but it is not trivial.

Two-factor authentication

Typical VPNs for statically connecting office networks are based on x509 certificates that are manually exchanged between the VPN peers during the initial setup. In recent years SSL/TLS based VPN solutions have become popular, due to being 'firewall friendly' and automatic bidirectional authentication. The concern with many such implementations for industrial access is that the initial authentication is based on only a user name and a password.

Traceability and logging

Documented proof of who took access to what, and when. The purpose is not only to document if a given remote user may have been causing an issue on a machine, but also to document if a service provider is in fact fulfilling the service obligations.

Check if audit logging exists and how it can be accessed.

Dependence of third-party cloud services

As mentioned earlier, using a central M2M server is becoming essential for controlling user access and data connection redirection. Such services may be free, or be subject for maintenance fees. Investigate fees in relation to scaling the solution and make a strategy for which budget to place such cost on.

More importantly you should investigate if the M2M server is available only as a cloud service hosted by the vendor, or if you can migrate to an own M2M server. Major OEMs generally do not like to be dependent on a specific vendor’s existence for their server’s up-time and applied security measures.

For more information contact Bob Petrie, Throughput Technologies, +27 (0)11 705 2497, [email protected], www.throughput.co.za



Credit(s)



Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Buildings in Africa’s urban evolution
Schneider Electric South Africa IT in Manufacturing
Africa is now an urban continent. How does the continent mobilise to accommodate urban dwellers and maintain and implement critical infrastructure that allows for this expansion? Building management systems provide a tangible solution to optimise resource use, lower operations costs and ultimately contribute to a growing continent that also employs green practices.

Read more...
Black Rock Mining centralises mining operations with AVEVA
IT in Manufacturing
Black Rock Mine Operations replaced and upgraded its existing infrastructure, and installed additional capacity to expand production from 3 to 4,6 million tons in three years. The new system is powered by a suite of AVEVA solutions.

Read more...
The strategic role of technology in today’s economy
IT in Manufacturing
In an era of economic uncertainty and persistent market volatility, businesses are under immense pressure to manage costs while maintaining operational effectiveness. The role of chief information officers and chief technology officers has never been more critical, as they are tasked with leveraging technology not just as a tool for efficiency but as a strategic asset in navigating these turbulent times.

Read more...
Minutes to meltdown: surviving a cyber attack
IT in Manufacturing
Commvault recently hosted its Minutes to Meltdown event. Led by the company’s security experts, this was an interactive and detailed ransomware attack simulation designed to help companies understand how to respond in the event of a cyber attack.

Read more...
Siemens elevates automotive and aerospace simulation
Siemens South Africa IT in Manufacturing
Siemens Digital Industries Software has announced the latest update to its Simcenter portfolio, delivering advancements in aerostructure analysis, electric motor design, gear optimisation and smart virtual sensing. These enhancements are designed to streamline workflows, accelerate certification and provide deeper insights into system performance.

Read more...
Automation in 2025: Navigating manufacturing innovation without the risk
IT in Manufacturing
During 2025, a wave of innovative technologies is expected to disrupt and change the way IT is applied to automation systems. The challenge lies in balancing the reliability of proven techniques with the potential of new technologies, all while minimising and controlling risk. This article explores ways to approach the latest information technologies effectively in a manufacturing context.

Read more...
South Africa’s AI revolution is here – but are we secure?
IT in Manufacturing
South African businesses are sprinting to embrace generative AI, lured by its potential to drive efficiency, productivity and innovation. But here’s the stark reality: without a rock-solid cybersecurity foundation, AI will become a Trojan horse, opening the floodgates to sophisticated cyber threats.

Read more...
Shaping data resilience strategies with AI and hybrid cloud solutions
IT in Manufacturing
In today’s rapidly evolving digital landscape, organisations are under growing pressure to secure their operations against increasingly sophisticated cyberthreats, including those that leverage AI to enhance the success rate of attacks. In this landscape, it has become essential to ‘fight fire with fire’ – harnessing AI as a means to counter these threats.

Read more...
Cloud or on-prem? Decoding the choices for South African enterprises
IT in Manufacturing
The debate between on-premise and cloud computing architectures remains a prominent topic among businesses, particularly in South Africa.

Read more...
Advancements in wire rope testing
IT in Manufacturing
Being able to get instant, real-time and portable detection of wire rope flaws can make a significant difference for operational teams. There have been a number of significant technological advancements and tools entering the market that help wire rope operators detect and resolve problems faster.

Read more...