How can machine builders help customers maintain their
machines when separated by hundreds or even thousands of miles? By combining an
industrial Ethernet protocol with good cyber security practices, technicians
can directly connect to a machine and conduct remote maintenance to keep it up
To do this, the first obstacle that must be overcome is that some
end users prohibit any kind of remote access to their machines and facility.
Therefore, machine builders need to first determine if their customer has a
remote access policy. Many times, this policy is managed by the user's IT
department, requiring the machine builder to step outside the engineering
Once the policy is in hand, machine builders should determine whether
it dictates how partners can and cannot access the facility. Throughout the
process, machine builders must remember that even when they follow the
customer's policies, they do not own the network. They need to tell the
customer which systems they need to reach, how frequently, and at what time of
day.
Since manufacturers vary in how they approach remote access, it
is important for machine builders to be ready to recommend remote access
guidance. This paves the way for secure access, while providing an opportunity
for machine builders to expand their service portfolio. The guidance should be
customized for each customer, taking into consideration variables such as the
end user's industry, technology, support infrastructure, application and
security policy requirements.
As it relates to specific
technologies, machine builders should align with their customer's IP
addressing scheme and segmentation policies. If this is not possible,
cell/area-level firewalls will likely be required. A security policy, if one is
in place, typically requires machine builders to log on to a secure, dedicated
remote access server over the Internet. That server acts as a choke point at
which the end user can further authenticate, log and filter remote sessions.
The result is stronger accountability: every session is tied to an identified
partner and recorded in one place.
More specifically, machine builders should use an IPsec (Internet
Protocol security) VPN for remote access to a customer's enterprise
network. IPsec is a protocol suite for securing IP communications: its
Encapsulating Security Payload (ESP) authenticates and encrypts each IP packet
of a data stream, and its key exchange protocol (IKE) establishes mutual
authentication between the two endpoints, and the session keys, at the
beginning of the session. IPsec can protect traffic between a pair of
hosts (user workstations or servers), between a pair of security gateways (routers
or firewalls) or between a security gateway and a host.
Manufacturers, regardless of their size, can benefit from
enabling remote access. Small wineries, for example, often lack an on-site
controls expert. They rely on their partners to keep the bottling machine up and running, and see value in
having a partner remotely maintain the little automation the site has. The role
of a forward-thinking machine builder is to make sure that both its own organization
and the end customer follow remote access best practices.
For example, system designers should consider placing a stand-alone
security appliance between the machine and the WAN (wide area network) router.
The appliance acts as a unified threat management (UTM) device, offering
multiple layers of security in a single box: it authenticates incoming
users and provides firewall functionality, VPN (virtual private network)
termination and intrusion detection. With this set-up, the machine builder uses an
Internet connection to reach the WAN router, then the security appliance and, ultimately,
the machine. Because these devices use standard industrial Ethernet networking
technology, they connect without the extra routing and configuration that
proprietary Ethernet networks require.
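The remote access server described earlier and the UTM appliance described here do the same three things at the edge of the machine's zone: bind a session to an authenticated partner, filter it to the agreed machine, service and maintenance window, and log the decision. The following Python is an added example written for this page, not code from the article or from Rockwell Automation or Cisco. The policy shape, the partner name, the addresses and the HMAC-tagged audit line are assumptions; the only facts taken from the protocol are the EtherNet/IP ports (TCP 44818 for explicit CIP messaging, UDP 2222 for implicit I/O).

```python
"""Added example, not from the article: a remote-access choke point that
filters and logs each OEM maintenance session against the end user's policy.
Policy shape, names, addresses and the audit-tag scheme are all assumptions."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
import hashlib, hmac, json

# EtherNet/IP: explicit (CIP) messaging on TCP 44818, implicit I/O on UDP 2222.
# Remote maintenance needs only the former; I/O traffic stays in the cell zone.
ENIP_EXPLICIT = ("tcp", 44818)


@dataclass(frozen=True)
class AccessRule:             # assumed shape of one line of the customer's policy
    partner: str              # identity proven at the VPN / remote access server
    hosts: frozenset          # machine addresses inside the partner's cell/area zone
    services: frozenset       # (proto, port) pairs the partner may use
    hours: tuple              # (start, end) hour, plant local time, end exclusive
    weekdays: frozenset       # 0 = Monday ... 6 = Sunday


@dataclass(frozen=True)
class SessionRequest:
    partner: str
    src: str                  # address handed out from the VPN pool
    dst: str
    proto: str
    port: int
    when: str                 # ISO 8601 local time, e.g. "2024-03-05T10:00:00"


class ChokePoint:
    def __init__(self, rules, vpn_pool, audit_key):
        self.rules = {r.partner: r for r in rules}
        self.vpn_pool = ip_network(vpn_pool)
        self.audit_key = audit_key   # held by the end user, not the OEM
        self.log = []

    def evaluate(self, req):
        """Return (allowed, reason); the first failing check explains a denial."""
        if ip_address(req.src) not in self.vpn_pool:
            return False, "source address not from the VPN pool"
        rule = self.rules.get(req.partner)
        if rule is None:
            return False, "partner has no remote access rule"
        if req.dst not in rule.hosts:
            return False, "destination not in partner's allowed hosts"
        if (req.proto, req.port) not in rule.services:
            return False, "service not permitted for this partner"
        when = datetime.fromisoformat(req.when)
        start, end = rule.hours
        if when.weekday() not in rule.weekdays or not start <= when.hour < end:
            return False, "outside agreed maintenance window"
        return True, "allowed"

    def handle(self, req):
        """Decide, then append a tamper-evident audit line (assumed HMAC tag)."""
        allowed, reason = self.evaluate(req)
        body = json.dumps({"time": req.when, "partner": req.partner, "src": req.src,
                           "dst": req.dst, "service": f"{req.proto}/{req.port}",
                           "allowed": allowed, "reason": reason}, sort_keys=True)
        tag = hmac.new(self.audit_key, body.encode(), hashlib.sha256).hexdigest()
        self.log.append(f"{body} tag={tag}")
        return allowed, reason


def audit_line_is_authentic(line, audit_key):
    """Recompute the tag of an exported log line; False if the body was edited."""
    body, _, tag = line.rpartition(" tag=")
    expected = hmac.new(audit_key, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


# Constructed sample policy: the bottling-line OEM may reach one controller,
# over CIP explicit messaging only, on weekdays between 08:00 and 17:00.
SAMPLE_RULES = [AccessRule("bottling-oem", frozenset({"10.20.30.10"}),
                           frozenset({ENIP_EXPLICIT}), (8, 17), frozenset({0, 1, 2, 3, 4}))]
SAMPLE_POOL = "10.99.0.0/24"           # addresses the VPN hands to remote users
SAMPLE_KEY = b"constructed-audit-key"  # placeholder; a real key is random


def demo():
    """Run constructed requests through one choke point; returns its audit log."""
    cp = ChokePoint(SAMPLE_RULES, SAMPLE_POOL, SAMPLE_KEY)
    plc, pool_ip, tue = "10.20.30.10", "10.99.0.5", "2024-03-05T10:00:00"
    cp.handle(SessionRequest("bottling-oem", pool_ip, plc, "tcp", 44818, tue))    # allowed
    cp.handle(SessionRequest("bottling-oem", pool_ip, plc, "udp", 2222, tue))     # I/O: denied
    cp.handle(SessionRequest("bottling-oem", pool_ip, plc, "tcp", 44818, "2024-03-05T22:00:00"))
    cp.handle(SessionRequest("bottling-oem", "192.0.2.9", plc, "tcp", 44818, tue))  # not via VPN
    return cp.log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running it prints four audit lines: one allowed session and three denials (implicit I/O from outside the zone, a session outside the agreed window, and a source address that did not arrive through the VPN). The audit key belongs to the end user, so a log exported to the machine builder can later be checked for edits, which is the accountability the choke point is meant to provide.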
Unlike some industrial networks, EtherNet/IP uses the same
standard Ethernet and IP infrastructure products as an enterprise network. This means
enterprise applications such as e-mail, video and voice-over-IP
can coexist with manufacturing network traffic such as I/O and drive control,
safety control, motion control and HMI communication, provided the segmentation
policies discussed above keep that traffic in its own zones.
Standard technologies such as EtherNet/IP and remote access
servers make machine support capabilities globally available and cost-effective
for manufacturers of any size. The ability to keep machines up and running and
gather deep insight into their performance regardless of location can result in
a significant competitive advantage for both the machine builder and their end
Bradford H. Hegrat is a senior principal
security consultant, network & security services for Rockwell Automation.
Gregory Wilcox is business development manager, networks, for Rockwell.
See the Cisco and Rockwell Automation Reference Architectures for design guidance,
recommendations and best practices to establish a robust and secure network.
See also the accompanying sidebar, Understanding the ISA99
Certified Network Architecture Diagram.