For machine builders that offer remote access support and diagnostics for their installed machines, security is obviously a major concern. Security is also a concern for the IT staff at the end-user (end-customer) sites, where these machines are located. Dave Hammond explores this topic
Following the installation of a machine at an end user site, the machine builder or supplier is often contracted to support that machine during a fixed warranty period. In the past, a service engineer from the machine supplier would have traveled to the remote site to resolve any machine issues during this warranty period, even if the customer (end-user) site is located thousands of miles away in a different country.
Security concerns, from a ‘traditional’ end-user perspective
Many of the IT engineers who manage the networks at end-user sites will probably only have experience of providing remote-access to machine suppliers, using ‘traditional’ VPN methods.
With such ‘traditional’ VPN, the end-user IT department needs to configure and maintain a dedicated, in-bound VPN tunnel, through their corporate firewall, for each machine supplier. Once through the firewall and on the site-wide network, the machine supplier’s engineer can then reach the machine control devices.
Immediately, it is obvious that there are inherent problems associated with these “traditional” VPN tunnels.
Firstly, the machine control devices (PLCs, HMIs, drives, etc.) must be connected onto the end-user site network. This will involve the machine supplier configuring network (IP) addresses for these devices, during the site installation phase. Thus, each machine will have to be modified to suit each installation.
Secondly, the IT department must provide the machine supplier with a copy of their preferred VPN software and help to configure it, for each PC or laptop that is to be used for remote-access. Obviously, such computers will be administered by the machine supplier and so may not meet the strict security standards that would apply for ‘native’ site PCs.
Since the IT department is allowing this ‘foreign’ user to access its production network, it must also take comprehensive precautions to protect its site network from the actions of this user, over which it has limited leverage. This can range from limiting the IP addresses that the machine supplier can access, to providing sophisticated anti-intrusion, packet-sniffing and antivirus systems.
Taking all of the above into consideration, many IT departments understandably take the view that the operational benefits of providing remote-access to machine suppliers are outweighed by the potential security risks to their site network.
However, there are modern ‘cloud-based’ remote-access solutions available for which the above actions are not necessary, since they work in a fundamentally different way to “traditional” VPN tunnels.
To illustrate how such modern remote access solutions work, we will consider the well-known and widely used eWON Talk2M solution, which comprises an ‘eWON’ VPN Router, used with the ‘Talk2M’ Remote-Access Cloud service.
Modern remote access = isolated machine and site networks
The first consideration is the issue of network isolation of the specific machine from the site network. A VPN Router can both isolate the machine network from the factory (site) network, whilst also providing firewalled connectivity between the two. Therefore, the machine devices are not directly connected to the site network and so can be configured with IP addresses to suit the machine supplier. Indeed, every machine produced by the machine manufacturer could be identical to every other machine, which reduces complexity, as well as costs associated with design, build and installation.
Modern remote access = a different way of achieving secure VPNs
The next challenge is securing the site network from the actions of machine suppliers’ engineer users.
The ideal scenario is that the machine supplier’s engineer can only reach the specific machine devices for which they are responsible, whilst not being able to gain access to the rest of the site network. And this is exactly what the eWON Talk2M ‘cloud-based’ solution provides. Once enabled, each eWON VPN router device initiates an outbound, point-to-point, secure VPN tunnel, all the way to a specific account in the Talk2M VPN Cloud. This authenticated, encrypted HTTPS tunnel travels across the site network, out-bound through the site firewall and across the Internet, to one of the nine clustered servers, located across the world, that comprise the Talk2M Cloud.
The machine-manufacturer’s engineer then also makes a secure VPN connection to the same account in the Talk2M Cloud, to where the eWON is connecting. Therefore, he can only reach the eWON and the devices located ‘behind’ it, on the machine network. At no point can this engineer interact with to any other devices on the site network i.e. devices which the machine manufacturer did not supply and therefore has no need to access.
Modern remote access = increased security & less (or no) tasks for the site IT department
Since each VPN tunnel is initiated from inside the site network, out to the Talk2M cloud, the only facility required of the site network is the ability to make an outbound Internet connection, through the site gateway/firewall.
Consequently, the IT Dept does not need to provide in-bound VPN services to the external user, which yields major security advantages. No in-bound firewall ports are exposed on the Internet, no static Internet IP addresses are required and the machine supplier does not have access to the entire site-wide network.
The outbound VPN connection used by the eWON uses HTTPS port 443, which, for the vast majority of firewalls, will already be open. The outbound connections can be carried over any type of media that can carry IP traffic, ie cabled Ethernet, WiFi, 3G or even satellite.
Modern remote access solutions = the end user controls the remote-access
As with any remote-access system, end user companies will understandably be concerned that a machine manufacturer can interact with machines, which they have supplied, but which operate inside the end user factory.
Therefore, in order to provide additional security and control, the eWON VPN tunnel can be enabled and disabled via the 24vdc Digital Input on the eWON VPN Router, which can in turn be wired to a key-operated switch or a PLC output. This means that the machine builder will only have access to the machine when the end user decides to allow them access.
Modern remote access solutions = session by session authentication & validation
Most readers will be familiar with Session Authentication, even if they are not aware of the term, since this is widely used by major secure websites, such as on-line banking systems.
Such systems typically send a unique, one-time code by SMS message to the user’s mobile phone, at the point of connection. The purpose is to prove that the person connecting is the valid, genuine user, rather than an intruder, trying to gain access, using stolen username and password data.
Such security systems are termed ‘2-factor authentication’ systems, since they rely on more than one security measure to ensure secure access. The use of such a ‘2-factor authentication’ system should be an intrinsic part of any remote-access solution used by a machine-manufacturer, since it helps to add a second level of security in order to overcome poor password security or malicious intent.
Dave Hammond, Product Manager for Ethernet & Communications at M.A.C. Solutions.