How can machine builders help customers maintain their machines when separated by hundreds or even thousands of miles? By combining an industrial Ethernet protocol with good cyber security practices, technicians can directly connect to a machine and conduct remote maintenance to keep it up
To do this, the first obstacle that must be overcome is that some end users prohibit any kind of remote access to their machines and facility. Therefore, machine builders need to first determine if their customer has a remote access policy. Many times, this policy is managed by the user's IT department, requiring the machine builder to step outside the engineering community.
Once the policy is in hand, machine builders should determine if it dictates how partners can and cannot access their facility. Before gaining access, machine builders must remember throughout the process that even if they are following the customer's policies, they don't own the network. Machine builders need to let customers know what they need access to, as well as how frequently and at what time of the day they need to tap in.
Since manufacturers vary in how they approach remote access, it is important for machine builders to be ready to recommend remote access guidance. This paves the way for secure access, while providing an opportunity for machine builders to expand their service portfolio. The guidance should be customized for each customer, taking into consideration variables such as the end user's industry, technology, support infrastructure, application and security policy requirements.
As it relates to specific technologies, machine builders should attempt to align with their customer's IP addressing schema and segmentation policies. If this is not possible, cell/area-level firewalls will likely be required. A security policy, if one is in place, typically calls for machine builders to log onto a secure, dedicated remote access server via the Internet. The remote access server acts as a choke point where end users can further authenticate, log and filter remote access. The result is stronger accountability.
More specifically, machine builders should use an Internet Protocol Security (IPsec)-based VPN for remote access to a customer's enterprise network. IPsec, a protocol suite for securing Internet Protocol communications, authenticates and encrypts each IP packet of a data stream. In addition, IPsec includes protocols for establishing mutual authentication between the two endpoints at the beginning of the session. IPsec helps protect data flows between a pair of hosts (user computers or servers), between a pair of security gateways (routers or firewalls) or between a security gateway and a host.
Manufacturers, regardless of their size, can benefit from enabling remote access. Small wineries, for example, often lack an on-site controls expert. They rely on their partners to keep the bottling machine up and running, and see value in having their partner remotely maintain the little automation it has. The role of a forward-thinking machine builder is to make sure both their organization and their end customer follow remote access best practices.
For example, system designers should consider using a stand-alone security appliance between the machine and the WAN (wide area network) router. The appliance acts as a UTM or Unified Threat Management device, offering multiple layers of security within a single box. It authenticates incoming users, while providing firewall functionality, VPN (virtual private network) access and intrusion detection. With this set-up, the machine builder uses an Internet connection to reach the WAN router, then the security appliance and, ultimately, the machine. Using standard industrial Ethernet networking technology seamlessly connects these devices, as users don't need to worry about the extra routing and configuration that proprietary Ethernet networks require.
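The technician-to-security-appliance case described above (an IPsec tunnel with mutual authentication that reaches only the machine cell) can be expressed as a strongSwan client configuration. This is an added example, not configuration from the article or from Rockwell Automation, and every hostname, identity, certificate file name and the 10.20.30.0/24 machine cell address are constructed assumptions:

```conf
# /etc/swanctl/swanctl.conf on the machine builder's technician laptop.
# Constructed example: hostnames, IDs, certificate names and the machine
# cell subnet are assumptions. The client certificate is expected in
# /etc/swanctl/x509/ and its private key in /etc/swanctl/private/.
connections {
    customer-cell {
        version = 2                          # IKEv2
        remote_addrs = vpn.customer.example  # customer's security appliance / remote access server
        vips = 0.0.0.0                       # ask the appliance for a virtual IP on the plant side
        # IKE proposal: AEAD cipher, SHA-256 PRF, x25519 key exchange
        proposals = aes256gcm16-prfsha256-x25519

        local {
            auth = pubkey                    # mutual authentication: the technician presents a certificate
            certs = tech-laptop.pem          # issued by a CA the customer's appliance trusts
            id = tech01@machinebuilder.example
        }
        remote {
            auth = pubkey                    # the appliance must prove its identity with a certificate too
            id = vpn.customer.example        # must match the gateway certificate's subjectAltName
        }

        children {
            machine-cell {
                # Traffic selector: only the machine cell is reachable through the tunnel,
                # so the session cannot roam the customer's wider enterprise network.
                remote_ts = 10.20.30.0/24
                esp_proposals = aes256gcm16-x25519
                start_action = none          # bring up on demand, only for the agreed maintenance window
                dpd_action = clear           # tear the tunnel down if the peer stops answering
            }
        }
    }
}
```

The tunnel is started with `swanctl --initiate --child machine-cell` at the agreed time, and the appliance side logs and filters the session as the choke point the article describes.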
Unlike some industrial networks, EtherNet/IP uses the same foundation or infrastructure products as an enterprise network. This means applications like e-mail, video and voice-over-IP developed for the enterprise can coexist with manufacturing network traffic like I/O and drive control, safety control, motion control and HMI communication.
Standard technologies such as EtherNet/IP and remote access servers make machine support capabilities globally available and cost-effective for manufacturers of any size. The ability to keep machines up and running and gather deep insight into their performance regardless of location can result in a significant competitive advantage for both the machine builder and their end customer.
Bradford H. Hegrat is a senior principal security consultant, network & security services for Rockwell Automation. Gregory Wilcox is business development manager, networks, for Rockwell.
See the Cisco and Rockwell Automation Reference Architectures for design guidance, recommendations and best practices to establish a robust and secure network infrastructure.
See the accompanying sidebar, Understanding the ISA99 Certified Network Architecture Diagram.