
ESSENTIALS OF REMOTE MACHINE ACCESS

This Control Design Essentials guide is made possible

by eWON, the HMS brand for Remote Solutions.

See the last page for more information about eWON.

About the Control Design Essentials Series

The mission of the Control Design Essentials series is to provide industrial machinery designers with an up-to-date, top-level understanding of a range of key machine automation topics. Our intent is to present essential engineering concepts in a practical, non-commercial fashion, together with a review of the latest technology and marketplace drivers—all in a form factor well suited for onscreen consumption. Check in at ControlDesign.com/Essentials for other installments in the series.

—The Control Design Editorial Team

2017

A Control Design Essentials Guide, by the editors of Control Design

Visibility into the operation of remote assets presents a compelling business case for original equipment manufacturers (OEMs) with far-flung fleets of machines at customer facilities, as well as for end-user manufacturing companies with multiple sites and corporate engineering centers.

Modems can provide such visibility, but relatively low bandwidth, together with the production-floor availability of cellular signals and the lack of an easy VPN solution, is among the factors complicating deployment of modem-based remote access schemes.

While Ethernet TCP/IP-based network technology is clearly a more elegant solution to providing remote access, securely managing a machine’s connection to the end user’s corporate network and, in turn, to the open Internet has long been a challenge. Most companies’ IT departments are understandably loath to grant blanket network access to non-employees for security reasons. And even though virtual private networks (VPNs) are an excellent solution from a technical standpoint, allowing proper inbound network access while ensuring security can be a complex task and require delicate negotiations with end users’ IT departments.

One unique approach to enabling secure remote machine access over the Internet, one that gets around much of the need to involve IT while still fulfilling IT security expectations, is to use an outbound VPN connection. Most firewall configurations and policies require no changes to accommodate outbound, encrypted VPN tunnels. This method also adds a logical network segregation, ensuring that the remote engineer has no access to the factory LAN and can only reach the devices connected behind the remote access router.

EXECUTIVE SUMMARY

Perhaps for as long as industrial machine builders have existed, they’ve had the desire to look into the operation of their machines from afar. Indeed, for original equipment manufacturers (OEMs) with far-flung fleets of machines at customer facilities, as well as for end-user manufacturing companies with multiple sites and corporate engineering centers, visibility into the operation of remote assets presents a compelling business case.

The ability of a remote specialist to access a machine’s control system can help to troubleshoot and solve an estimated 60% to 70% of operating problems, avoiding the need for support personnel to travel across town – or around the world. The types of problems that can derail production often don’t require fixing the machine as much as tweaking its programming or other parameters, for example to accommodate changes in raw materials, machine wear or other production inputs that may have shifted over time. But it’s not just the cost of travel that’s saved; speedy issue resolution means less downtime and a faster return to full production for the machine builder’s customer. And on those occasions when an in-person service call is required, remote visibility can help ensure that the person with the right skills, the right parts and the right tools is sent – increasing the odds of a “fix on first visit” outcome.

The pressures driving industry to adopt remote access strategies have only intensified in recent years as industry faces the continued loss of subject matter experts to retirement. The expertise of those remaining must be stretched over a larger installed base of production machines that is often increasingly deployed globally. Further, machine builders are realizing that remote access opens up a new vista of proactive and preventive services they can offer to their customers. The traditional connection methods, from modems to the customer’s dedicated VPN, have often proven to be costly, unmanageable, time-consuming to set up and unsatisfactory from a security point of view.

THE CASE FOR REMOTE ACCESS

The greatest appeal of remote access through a modem (Figure 1) is the ability to access controller data and to bypass the customers’ corporate network. Wireless modems that communicate via cell phone providers’ data networks are available from many suppliers of programmable controllers.

This approach avoids the need for a wired phone line or the need to tap into the corporate IT network, but wireless signal availability in production areas can be an issue.

Further, working with a cellular network provider introduces its own complexities. SIM cards with fixed IP addresses cost extra and take time to acquire and configure. And this approach entails ongoing network access and usage fees that can quickly add up – an expense most machine builders would avoid, especially if continuous connectivity is not necessary.

MODEM CONNECTIVITY

Figure 1 (modem connectivity): programmable controller, cellular modem, cellular network, remote user.

Clearly the most elegant means of remote machine access is by leveraging increasingly pervasive Ethernet TCP/IP network technology.

The primary challenge is to securely manage the machine’s connection to the end user’s corporate network and, in turn, to the open Internet. Most companies’ IT departments are understandably loath to grant blanket network access to non-employees for security reasons. And while virtual private networks (VPNs) are an excellent solution from a technical standpoint, allowing proper inbound network access while ensuring security can be a complex task. Every automation vendor typically uses a different set of network ports, and negotiating a clear path through a customer’s firewalls requires careful configuration and sometimes delicate negotiations with resistant IT departments.

On-demand remote access

Unlike remote asset management, where the ability to control the asset is essential and therefore permanent access to the asset is required, machine builders do not always need permanent connections. Indeed, remote access for machine troubleshooting, maintenance or service can be provided by an on-demand connection.

Why is this important? The customer may want to prevent continual remote access to the machine, which means that the machine is usually disconnected from the LAN and connected only for a defined period when this is necessary or requested by the machine builder.

Disconnecting the machine from the LAN is not essential for security, but it gives the customer the feeling of having physical control over when the machine is accessed and for how long.

In addition, when remote connectivity is based on a volume-dependent pricing option, such as cellular technology, it can be desirable to establish the connection and pay only when necessary.

Outbound connections

By relying on an outbound connection across the factory LAN, many firewall issues are resolved right off the bat.

Indeed, if no incoming connections are made, no ports need to be enabled in the corporate firewall for incoming connections and no IT/firewall changes are needed to establish communication, a key feature that the IT team will appreciate.

LEVERAGING THE INTERNET

Software-based solution

A supervisory local PC can be remotely accessed and controlled using virtual network computing (VNC)-like technology or other PC-based remote access software (Figure 2). In this scenario, software securely replicates and cedes control of the remotely accessed operator interface computer.

This approach presumes that there is an industrial PC that can run the application on the remote machine. This additional hardware and software entail expense. Indeed, besides the software license fee, a PC has higher power consumption and must be maintained (OS updates, anti-virus updates, etc.), making its total cost of ownership higher than that of a dedicated device.

What also needs to be considered is that the same software version needs to be installed on both client and host sides. It is therefore preferable to have the same version of the software installed on all the local PCs of the fleet.

Next, to ensure remote access availability, the local PC must be constantly on. Yet an internal or external event may make the system unavailable.

Finally, additional development and configuration may be needed to limit and control access to other systems connected to the PC, such as the plant network.

Router-based solution using VPN

Another solution to this predicament is to rely on an on-demand VPN connection using an industrial router and a cloud-based management infrastructure (Figure 3).

The VPN connection using outbound port 443 (normally reserved for secure website access using SSL) typically presents few issues for end users’ corporate IT departments. They have to do very little, if anything, to enable secure remote connectivity.

This method is even more interesting from a security point of view, as it automatically adds a logical network segregation between the machine and the factory LAN (Figure 4). This ensures that the remote engineer has no access to the factory LAN and can only reach the devices connected behind the remote access router.
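As an added example that is not part of this guide or of eWON’s products, the following Python model captures the router policy the on-demand, outbound-connection and router-based sections describe: no inbound ports on the WAN side, an outbound tunnel on port 443 opened only while remote access is enabled on demand, and tunnel traffic confined to the devices behind the router. The address ranges, interface names and the enable switch are assumptions chosen for illustration.

```python
# Added example (not eWON/Talk2M code): forwarding policy of the outbound-VPN
# access router in Figures 3 and 4. Address ranges, interface names and the
# access_enabled on-demand switch are assumptions made for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing (assumption): machine LAN behind the router, factory
# LAN on the WAN side, addresses handed to remote users inside the tunnel.
MACHINE_LAN = ip_network("192.168.10.0/24")
FACTORY_LAN = ip_network("10.0.0.0/8")
TUNNEL_NET = ip_network("172.16.0.0/16")
VPN_PORT = 443  # the tunnel is built outbound on the usual HTTPS port


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    in_if: str  # "wan", "lan", "tun", or "self" for router-originated traffic


def zone(addr: str) -> str:
    """Map an address to the network zone it belongs to."""
    ip = ip_address(addr)
    for name, net in (("machine", MACHINE_LAN), ("factory", FACTORY_LAN),
                      ("tunnel", TUNNEL_NET)):
        if ip in net:
            return name
    return "internet"


def allowed(flow: Flow, access_enabled: bool) -> bool:
    """Accept or drop the first packet of a new connection (replies of
    accepted connections are assumed to pass via stateful tracking)."""
    dst = zone(flow.dst)
    # No inbound ports: anything arriving new on the WAN side is dropped,
    # whether it comes from the factory LAN or from the Internet.
    if flow.in_if == "wan":
        return False
    # The router opens the tunnel itself, outbound to the cloud on 443 only,
    # and only while the customer has enabled remote access (on demand).
    if flow.in_if == "self":
        return access_enabled and dst == "internet" and flow.dport == VPN_PORT
    # Remote engineers come through the tunnel and may reach machine devices only.
    if flow.in_if == "tun":
        return access_enabled and dst == "machine"
    # Machine-side devices ("lan") may not open connections outward either.
    return False
```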

INTERNET-BASED SOLUTIONS

Figure 2 (software-based solution): programmable controller, local PC with automation software, public Internet, remote user.

Figure 3 (router-based solution): programmable controller, eWON VPN router, VPN to the eWON Talk2M cloud, VPN to the remote user.

Figure 4 (logical segregation): machine devices (PLC 1 to PLC x, HMI 1, IP camera 1) behind the eWON VPN router, separated from the factory LAN; VPN from the router to the eWON Talk2M cloud and VPN from the cloud to the remote user.

That is not all. Since the VPN router is connected to a secure cloud-based management infrastructure, OEMs and their end users gain a number of other advantages. Machine builders can manage fleets of machines through a single secure interface. End users, meanwhile, can use the platform to manage remote access rights with multiple OEMs. Connection reports provide an added level of security, accountability and traceability essential for many industries including food, pharmaceutical and water.

The solution described here is not new and has been pioneered by eWON (part of HMS Industrial Networks) since 2001. Today the technology has been tested and adopted by a large majority of machine builders from all over the world. As an illustration, more than 115,000 eWON devices are currently connected to the eWON cloud-based infrastructure ‘Talk2M’, having successfully established over 9 million secure VPN connections in total.

The door to IIoT

More and more experts see remote machine access as the ideal entry point to IIoT. Indeed, by providing a secure communication channel as well as data services, eWON also offers the possibility to easily collect, visualize or prepare data from remote sites and make it available for third-party applications (e.g. performance monitoring and proactive maintenance).

ABOUT THE SPONSOR

This Control Design Essentials guide on Remote Machine Access was made possible by eWON (HMS Industrial Networks).

Through its brand for Remote Solutions ‘eWON’, HMS has become the worldwide market leader for intelligent Internet remote access routers for PLCs and automation systems.

eWON Remote Solutions are the Internet of Things in its purest form. By connecting an eWON router to an industrial machine, the machine gets connected to the Internet, giving users access to it at any time, from anywhere.

Learn more about eWON Remote Solutions on www.ewon.biz.
