The desire for remote access to plant floor PLCs, HMIs and other automation components is becoming a must-have feature for many manufacturing facilities and machine builders. For many applications, providing the desired level of cybersecurity requires more than just a router, namely a VPN.
Jonathan Griffith, Product Manager, Industrial Communications & Power Supplies at AutomationDirect, authored an article titled Remote access to automation system components, which ran in the January-February 2018 issue of InTech magazine and covers the advantages and design considerations of two leading types of VPN remote access. In addition to a security discussion, he describes each method and provides application examples.
Griffith points out that a VPN is an important part of a defense-in-depth strategy, with the two main options being a hosted VPN or a traditional VPN.
The decision to use a hosted VPN versus a traditional VPN hinges on four primary factors:
- Will all of my remote access needs fall under similar IT conditions, with each site able to use the same router configuration?
- Is IT expertise available to support a traditional VPN solution?
- Is the IT team willing to support the traditional VPN solution?
- Will high bandwidth be required for this solution?
If any of the primary factors are answered “no”, then a hosted VPN is probably the best option. If all are answered “yes”, then a traditional VPN may be the best option.
Hosted VPN Solution
According to Griffith, “Hosted VPN solutions provide a secure connection with simple setup and network configuration. Typical hosted VPN solutions include a VPN router, a hosted VPN server, a VPN client, and connected automation system components.”
Griffith further discusses the hosted VPN connection. “A secure connection between the VPN client and the router is established after the router and VPN client each make a connection to the cloud-hosted VPN server. The router makes this connection immediately upon startup, but the VPN client only connects upon a verified request from a remote user. Once both connections have been made, all data passing through this VPN tunnel is secure.”
“The router initiates communication to the server via an outbound connection through standard ports that are typically open, such as HTTPS. This usually requires no changes to the corporate IT firewall, and satisfies IT security concerns. By contrast, traditional VPN solutions require inbound firewall ports to be opened, which requires IT involvement and oversight.”
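The firewall behaviour Griffith describes can be made concrete with a small model. The following is an added example, not code from the article or from any AutomationDirect product: a toy stateful firewall in front of a plant network with an outbound-only policy. The hosted-VPN router's HTTPS connection to the cloud server goes out and its replies come back on the same flow, while a traditional site-to-site peer that initiates toward the plant is dropped until IT adds an inbound rule. The addresses, the rule sets and the choice of IPsec IKE (UDP 500/4500) as the traditional VPN's inbound ports are assumptions of the example.

```python
"""Added example (not from Griffith's article or AutomationDirect): a minimal
stateful-firewall model showing why a hosted-VPN router's outbound HTTPS
connection needs no firewall change, while a traditional site-to-site VPN
needs an inbound rule.  All addresses, ports and rule sets are constructed."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str   # "tcp" or "udp"


@dataclass
class StatefulFirewall:
    """Corporate perimeter firewall in front of the plant network."""
    plant_prefix: str                                   # e.g. "192.168.10." (constructed)
    outbound_allow: set                                 # {(proto, dport)} plant -> Internet
    inbound_allow: set = field(default_factory=set)     # {(proto, dport)} Internet -> plant
    established: set = field(default_factory=set)       # flows the plant side opened
    log: list = field(default_factory=list)

    def handle(self, pkt: Packet) -> str:
        """Return 'ALLOW' or 'DROP' for one packet and record the decision."""
        if pkt.src.startswith(self.plant_prefix):
            # Plant-originated traffic: permitted if the port is on the outbound list
            # (or the flow is already known); the flow is then remembered.
            flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
            if flow in self.established or (pkt.proto, pkt.dport) in self.outbound_allow:
                self.established.add(flow)
                verdict = "ALLOW"
            else:
                verdict = "DROP"
        else:
            # Internet-originated traffic: allowed only as a reply to a plant-initiated
            # flow, or if IT has explicitly opened the destination port inbound.
            reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
            if reverse in self.established or (pkt.proto, pkt.dport) in self.inbound_allow:
                verdict = "ALLOW"
            else:
                verdict = "DROP"          # unsolicited inbound connection attempt
        self.log.append((verdict, pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict


def hosted_vpn_scenario():
    """Router dials out to the cloud VPN server on 443; the reply rides the same flow."""
    fw = StatefulFirewall("192.168.10.", outbound_allow={("tcp", 443), ("tcp", 80)})
    router, server = "192.168.10.2", "203.0.113.10"              # constructed addresses
    out = fw.handle(Packet(router, 51000, server, 443, "tcp"))   # outbound HTTPS
    back = fw.handle(Packet(server, 443, router, 51000, "tcp"))  # server's reply
    return out, back


def traditional_vpn_scenario(open_ike_port: bool = False) -> str:
    """Remote peer initiates the VPN handshake (assumed IPsec IKE, UDP 500) toward the plant."""
    inbound = {("udp", 500), ("udp", 4500)} if open_ike_port else set()
    fw = StatefulFirewall("192.168.10.", outbound_allow={("tcp", 443)}, inbound_allow=inbound)
    peer, local_vpn = "198.51.100.7", "192.168.10.1"             # constructed addresses
    return fw.handle(Packet(peer, 500, local_vpn, 500, "udp"))


if __name__ == "__main__":
    print("hosted VPN:", hosted_vpn_scenario())
    print("traditional VPN, no inbound rule:", traditional_vpn_scenario())
    print("traditional VPN, IKE opened:", traditional_vpn_scenario(open_ike_port=True))
```

The unsolicited handshake from the remote peer is dropped until the inbound rule exists, which is precisely the IT involvement and oversight the article attributes to the traditional option; the hosted router never needs such a rule because every packet toward the plant is a reply to a flow the plant side opened.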
While typical hosted VPN solutions include 1 GB of free monthly bandwidth for normal troubleshooting and programming needs (StrideLinx provides 5 GB of free monthly data), premium plans are needed for high-data-use applications such as video surveillance.
Griffith goes into detail about several other advantages of hosted VPNs in the article. One advantage is that the router is simple to configure, with some settings preconfigured. Another is that the complicated VPN networking is handled by the platform and hosted servers in the cloud. Additionally, if full-featured hardware, such as AutomationDirect’s StrideLinx Secure hosted VPN solution, is used, it will provide good connectivity options. In addition to physical LAN connections, Wi-Fi (wireless) and 4G LTE (cellular) are available.
Hosted VPNs also present very low security risk because the tunnel uses the proven SSL/TLS encryption standard. Advanced user management, event logging and two-factor authentication add a further layer of security.
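To show how the connection sequence quoted above and the user management, event logging and two-factor authentication features fit together, here is an added example that is not code from the article or from StrideLinx: a toy cloud-side broker. The plant router registers through its outbound connection at startup; a remote user's client is admitted only after a verified request, modelled here as a password plus an RFC 6238 time-based one-time code (the page says two-factor authentication without specifying the kind, so TOTP is an assumption); each decision is appended to an event log. Usernames, router IDs, the password and the salt are constructed, and the TOTP secret is the published RFC 6238 test secret rather than a real credential.

```python
"""Added example, not from Griffith's article or any AutomationDirect product:
a toy hosted-VPN broker modelling the connection sequence and the 2FA / event
logging features described above.  All identifiers and credentials are
constructed; the TOTP secret is the RFC 6238 test-vector secret."""

import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 plus dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the current time step."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30,
                skew_steps: int = 1, digits: int = 6) -> bool:
    """Accept the current step and +/- skew_steps of clock drift, in constant time per candidate."""
    step_now = now // step
    return any(hmac.compare_digest(hotp(secret, step_now + d, digits), code)
               for d in range(-skew_steps, skew_steps + 1))


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class HostedVpnBroker:
    """Cloud-side rendezvous point: pairs a registered router with a verified client."""

    def __init__(self):
        self.routers = set()   # routers that have dialed in (outbound) since startup
        self.users = {}        # username -> (salt, pw_hash, totp_secret, allowed_routers)
        self.tunnels = []      # (username, router_id) pairs currently bridged
        self.events = []       # append-only audit log

    def add_user(self, username, password, totp_secret, allowed_routers):
        salt = b"constructed-salt-" + username.encode()   # would be random per user in practice
        self.users[username] = (salt, hash_password(password, salt), totp_secret, set(allowed_routers))

    def router_connect(self, router_id):
        """The router's outbound connection arrives; nothing is exposed inbound at the plant."""
        self.routers.add(router_id)
        self.events.append(("router_online", router_id))

    def request_access(self, username, password, code, router_id, now):
        """Gate the VPN client's connection; return 'GRANTED' or the refusal reason."""
        user = self.users.get(username)
        if user is None:
            return self._deny(username, router_id, "unknown_user")
        salt, pw_hash, secret, allowed = user
        if not hmac.compare_digest(hash_password(password, salt), pw_hash):
            return self._deny(username, router_id, "bad_password")
        if not verify_totp(secret, code, now):
            return self._deny(username, router_id, "bad_otp")
        if router_id not in allowed:
            return self._deny(username, router_id, "not_authorized_for_router")
        if router_id not in self.routers:
            return self._deny(username, router_id, "router_offline")
        self.tunnels.append((username, router_id))
        self.events.append(("tunnel_up", username, router_id))
        return "GRANTED"

    def _deny(self, username, router_id, reason):
        self.events.append(("denied", username, router_id, reason))
        return reason


def demo():
    """Walk through the sequence; returns the per-step outcomes and the event log."""
    secret = b"12345678901234567890"   # RFC 6238 test secret, not a real credential
    broker = HostedVpnBroker()
    broker.add_user("tech1", "example-pass", secret, allowed_routers={"plant-A-router"})
    results = {}
    # Client asks before the router has dialed in: refused even with valid credentials.
    results["before_router"] = broker.request_access("tech1", "example-pass", totp(secret, 59), "plant-A-router", now=59)
    broker.router_connect("plant-A-router")
    results["wrong_otp"] = broker.request_access("tech1", "example-pass", "000000", "plant-A-router", now=59)
    results["ok"] = broker.request_access("tech1", "example-pass", totp(secret, 59), "plant-A-router", now=59)
    results["other_site"] = broker.request_access("tech1", "example-pass", totp(secret, 59), "plant-B-router", now=59)
    return results, broker.events


if __name__ == "__main__":
    outcomes, events = demo()
    print(outcomes)
    for event in events:
        print(event)
```

The ordering of checks matters for the audit trail: a refusal names the first failed control, so the event log distinguishes a credential problem from a site the user is not entitled to reach or a router that has not yet dialed in, which is the kind of per-user visibility the article's "advanced user management" and "event logging" provide.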
Considerations for Hosted VPN
Although a hosted VPN provides many advantages, there are some considerations. “Those considering this solution must have a high level of trust in the hosted VPN vendor as it will be responsible for securely storing data and making it available to only those who need it. Monthly costs incurred for high data bandwidth usage must also be considered, particularly as those costs are zero for a traditional VPN solution.”
Data logging provides a great way to collect, store and display data via a cloud-based platform. The hosted VPN can get you connected to the cloud, where you can start with a small amount of storage and scale up if needed. This is typically done using a subscription from the router vendor. Hosted VPNs often also provide features for configuring data displays.
“Some cloud-based data storage and monitoring solutions allow users to configure dashboards using widgets for VPN remote access viewing on their PC or mobile device. Alerts and notifications can be configured to inform users when parameters fall outside a predefined range. If this feature is not provided, designing remote access viewing screens can be cumbersome.”
Griffith discusses many other considerations, so be sure to check out the original article.
Traditional VPN Solution
A traditional VPN solution uses a local VPN router connected to a remote VPN router over the Internet through a secure VPN tunnel. This is a good option if large amounts of data are continuously exchanged between the local and remote locations.
“This solution is widely used, and it was the only method of secure two-way access prior to the introduction of cloud-based VPN remote access solutions. It can be complex and costly in terms of internal resources required for support, both at the local and the remote site.”
“The main design consideration for this option is the capability and willingness of an IT team to support this solution at both the local and remote sites for each installation. For example, an OEM machine builder must consider every customer site, and make sure all of its customers are willing to provide IT support. If not, the OEM will have to customize its VPN remote access solution for each customer.”
There are several other firewall, networking, security and technical considerations in Griffith’s article; please see the full article for more details.
Applications for Traditional and Hosted VPNs
When it comes to application examples for traditional and hosted VPNs, Griffith makes the case that large, complex systems with a significant amount of data exchange, or with video monitoring, are better left to traditional VPN systems, because a hosted VPN might be cost-prohibitive in those cases.
For all other applications, which need less data and/or no video monitoring and are common for OEM use, the balance quickly tilts toward a hosted VPN solution.
“The OEM machine builder needs two kinds of remote access. The first is VPN access to remotely troubleshoot, debug and program the machine’s PLC and HMI. Secondly, the OEM and its customers want to monitor the machine’s most important operating parameters on dashboard screens from remote devices such as smartphones and tablets.”
Both remote access and monitoring are available using AutomationDirect’s StrideLinx secure hosted VPN solution. In most cases, neither IT support nor firewall changes are required, and the user does not need to be familiar with IT, VPN or router technology.
Griffith has some final advice. “When designing a solution using VPN remote access, there are many considerations influencing final implementation: initial and sustaining costs, technical expertise during installation and ongoing operation, site control, security risk and data storage capabilities.”
Users should take these considerations into account, and if more information on a hosted VPN solution is needed, they can check out the STRIDE StrideLinx secure hosted VPN solution on AutomationDirect’s website.