Designing Systems for Remote Access

How can machine builders help customers maintain theirmachines when separated by hundreds or even thousands of miles? By combining anindustrial Ethernet protocol with good cyber security practices, technicianscan directly connect to a machine and conduct remote maintenance to keep it upand running.

To do this, the first obstacle that must be overcome is that someend users prohibit any kind of remote access to their machines and facility.Therefore, machine builders need to first determine if their customer has aremote access policy. Many times, this policy is managed by the user's ITdepartment, requiring the machine builder to step outside the engineeringcommunity.

Once the policy is in hand, machine builders should determine ifit dictates how partners can and cannot access their facility. Before gainingaccess, machine builders must remember throughout the process that even if theyare following the customer's policies, they don't own the network. Machinebuilders need to let customers know what they need access to, as well as howfrequently and at what time of the day they need to tap in.

Since manufacturers vary in how they approach remote access, itis important for machine builders to be ready to recommend remote accessguidance. This paves the way for secure access, while providing an opportunityfor machine builders to expand their service portfolio. The guidance should becustomized for each customer, taking into consideration variables such as theend user's industry, technology, support infrastructure, application andsecurity policy requirements.

As it relates to specifictechnologies, machine builders should attempt to align with their customer's IPaddressing schema and segmentation policies. If this is not possible,cell/area-level firewalls will likely be required. A security policy, if one isin place, typically calls for machine builders to log onto a secure, dedicatedremote access server via the Internet. The remote access server acts as a chokepoint where end users can further authenticate, log and filter remote access.The result is stronger accountability.

More specifically, machine builders should use an Internet Protocolsecurity- (IPsec) based VPN for remote access to a customer's enterprisenetwork. IPsec, a protocol suite for securing Internet Protocol communications,authenticates and encrypts each IP packet of a data stream. In addition, IPsecincludes protocols for establishing mutual authentication between agents at thebeginning of the session. IPsec helps protect data flows between a pair ofhosts (computer users or servers), between a pair of security gateways (routersor firewalls) or between a security gateway and a host.

Scalability Issues
Manufacturers, regardless of their size, can benefit fromenabling remote access. Small wineries, for example, often lack an on-sitecontrols expert. They rely on their partners to keep the bottling machine up and running, and see value inhaving their partner remotely maintain the little automation it has. The roleof a forward-thinking machine builder is to make sure both their organizationand their end customer follows remote access best practices.

For example, system designers should consider using a stand-alonesecurity appliance between the machine and the WAN (wide area network) router.The appliance acts as a UTM or Unified Threat Management device, offeringmultiple layers of security within a single box. It authenticates incomingusers, while providing firewall functionality, VPN (virtual private network)access and intrusion detection. With this set-up, the machine builder uses anInternet connection to reach the WAN router, then the security appliance and, ultimately,the machine. Using standard industrial Ethernet networking technologyseamlessly connects these devices, as users don't need to worry about the extrarouting and configuration that proprietary Ethernet networks require.

Unlike some industrial networks, EtherNet/IP uses the samefoundation or infrastructure products as an enterprise network. This meansapplications like e-mail, video and voice-over-IP developed for the enterprisecan coexist with manufacturing network traffic like I/O and drive control,safety control, motion control and HMI communication.

Standard technologies such as EtherNet/IP and remote accessservers make machine support capabilities globally available and cost-effectivefor manufacturers of any size. The ability to keep machines up and running andgather deep insight into their performance regardless of location can result ina significant competitive advantage for both the machine builder and their endcustomer.

Bradford H. Hegrat is a senior principalsecurity consultant, network & security services for Rockwell Automation.Gregory Wilcox is business development manager, networks, for Rockwell.

Clickhere, for theCisco and Rockwell Automation Reference Architectures for design guidance,recommendations and best practices to establish a robust and secure networkinfrastructure

Click here to read accompanying sidebar, Understanding the ISA99Certified Network Architecture Diagram.