VPNs are just as important for securing industrial automation systems as they are for personal internet connectivity. Here is what a VPN does, and how industrial users can quickly implement VPNs for all their sites and users to provide upgraded cybersecurity.
If you spend any time at all watching TV, browsing websites, or listening to the radio, it will not take long before you hear about virtual private network (VPN) services intended to protect your online privacy and anonymity. This certainly is a good idea, particularly for sensitive activities like using banking and credit card websites.
Today’s always-connected users are looking for the same kind of access and security for their industrial operational technology (OT) systems. They want to remotely visualize automated machines and systems, and gather data to help them optimize and diagnose equipment.
It stands to reason that VPN technology would also be applicable to industrial automation systems, but many users wonder exactly what its benefits are, how it works, and how complex and costly it might be to set up and maintain a VPN. This article discusses some products and services tailored for providing secure VPN connectivity for industrial automation systems.
What is a VPN?
A network at your home or workplace is usually called a local area network (LAN), whereas a widely distributed network like the internet is typically referred to as a wide area network (WAN). If you are using a PC, a PLC, or an HMI on your LAN to connect to an internet-based website or to another computing resource via the WAN, then this communication traffic could potentially be exposed to others. This is especially the case if any part of the connection uses Wi-Fi, because a cyber attacker would not even need physical network access; they could simply connect over the air.
Typical consumer-grade VPN services use software to create a data tunnel between the PC you are using on the LAN, and some other ‘exit node’ elsewhere in the world. This connection makes your PC look like it is somewhere else (anonymizes the connection), and all the data you send back and forth is scrambled (encrypted) to prevent eavesdroppers from seeing what you’re sending and receiving.
An alternate type of VPN configuration uses a router at your local LAN and a corresponding router installed on a remote LAN. It is possible to create a VPN tunnel between these two routers such that the local and remote LANs appear to be on the same network, with all traffic between them encrypted.
VPNs have many uses for industrial automation systems, enabling secure communications between:
- PLCs at a site, and a cloud hosted data logging system.
- PLCs at multiple sites.
- A PLC at a site, and a remote mobile user with an app, HMI, or programming software that needs to access that PLC.
Consumer-grade VPNs are usually a PC software download or a mobile device install, but is this good enough for industrial projects?
Creating Industrial-Grade VPN Connectivity
Some users with strong IT skills may be able to create and then maintain their own site-to-site or mobile-to-site VPN connections using commercial routers, along with careful configuration and testing. But a VPN solution of this type can be a bit of a science experiment and complex to manage. Many users simply do not have personnel with this OT/IT skillset.
For these reasons, many users are finding that a solution using intelligent routers and OT-specific cloud-based solutions provides a much easier path for providing VPN connectivity. AutomationDirect offers StrideLinx VPN routers and various cloud-based StrideLinx services to help users quickly, conveniently, securely, and economically get their VPN systems running, and to keep tabs on the performance.
StrideLinx VPN Router
StrideLinx VPN routers are industrial-grade hardware installed on-site to connect locally with machines and systems, and feature:
- Built-in VPN capability and use of secure protocols such as HTTPS and MQTT over TLS.
- Outbound-only connections, so no inbound firewall ports need to be opened and they work well with existing on-site firewalls.
- Access control, IP addressing, and two-factor authentication to comply with IT security standards.
- Router failover to switch from a primary/preferred to a secondary/fallback network as needed, and local data logging to preserve data during communication outages.
StrideLinx Cloud Services
StrideLinx cloud services are operated using a worldwide network of dozens of servers, each located in an ISO 27001-certified data center. Because the VPN server network is distributed across the globe, it can provide low-latency connections wherever sites and users are located, while providing redundancy to ensure HMI and web-based visualization remain in service. Other features include:
- Users own their data, and licensing is convenient and economical.
- Specific databases provide the necessary OT-aware functionality:
  - Relational: stores device and user configuration info.
  - Non-relational: logs events and alarms.
  - Time-series: efficiently stores time-stamped process data.
- VPN tunnels are created so user devices and third-party apps can securely access the cloud data.
- Management services let authorized users configure and monitor the system, while third-party services scan and audit the system for vulnerabilities.
High Performance Industrial VPN
VPNs are just as necessary for securing industrial automation systems as they are for personal banking. However, it takes very specific OT/IT experience to create a solution from scratch. A better way for users to quickly implement VPN connectivity is to choose an end-to-end solution, like AutomationDirect’s StrideLinx platform, which was developed with industrial users in mind using the latest standards and technologies, and which is constantly maintained and improved.
AutomationDirect offers many VPN-capable products and services, along with customer assistance (phone & online) and a wide variety of associated parts and technologies to help users implement the best solution for their application.