Elements of an Industrial Remote Access Solution

By Gregg Schaefer

With the popularity of high-speed wireless networks and the financial benefits of cloud computing, we are seeing two types of remote access solutions growing in popularity:

  • Type 1 – A cloud application that periodically connects to remote sensors via cellular connections and then polls sensor data for user retrieval
  • Type 2 – A cloud application that securely allows access to enterprise equipment for diagnostics and service agreements

Companies interested in connecting their remote users and resources (tanks, motors, pumps, etc.) must consider today’s common threats and make sure that countermeasures are built into the solutions that manufacturers provide.

In a perfect world where everyone was a trusted data user, network boundaries with embedded intrusion countermeasures would not be required, and providing connectivity to company resources would be easy and affordable. What a world this would be! The network diagram might look something like Figure 1.

Figure 1: The Enterprise Internet Fantasy: A global network with no boundaries


Intrusions and Countermeasures

However, as the Internet of Things has emerged, so has the need for the network to be immune to viruses and resistant to malicious outsider intrusions. A short list of known intrusions and associated countermeasures is listed in Table 1. An engineer who is architecting a remote access solution should consider these items when selecting networking components.

Network threat: Spoofing user identity

Countermeasures:

  • Use strong authentication
  • Do not store secrets (for example, passwords) in plaintext
  • Do not pass credentials in plaintext over the wire
  • Protect authentication cookies with Secure Sockets Layer (SSL)

Network threat: Sniffing or eavesdropping - monitoring traffic on the network for data such as plaintext passwords or configuration information; with a simple packet sniffer, an attacker can easily read all plaintext traffic

Countermeasures:

  • Use strong physical security and proper segmenting of the network; this is the first step in preventing traffic from being collected locally
  • Encrypt communication fully, including authentication credentials, for example with SSL and IPsec (Internet Protocol Security); this prevents sniffed packets from being usable to an attacker

Network threat: Tampering with data

Countermeasures:

  • Use data hashing and signing
  • Use digital signatures
  • Use strong authorization
  • Use tamper-resistant protocols across communication links
  • Secure communication links with protocols that provide message integrity, for example X.509, certificate exchanges

Table 1: Short list of known cyber threats and countermeasures
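
The tampering countermeasures in Table 1, applied to a Type 1 polling link, as an added example that is not from the original article or from any vendor named in it. It swaps in HMAC-SHA256 with a per-device pre-shared key in place of X.509 signatures; the device ID, key, field names and freshness window are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample values (assumptions, not from the article).
DEVICE_KEYS = {"tank-07": bytes.fromhex("5f" * 32)}  # per-device pre-shared key
MAX_AGE_S = 120  # reject readings older than one polling interval plus slack


def _canonical(reading: dict) -> bytes:
    # Stable byte encoding so sender and verifier hash identical input.
    return json.dumps(reading, sort_keys=True, separators=(",", ":")).encode()


def seal(device_id: str, seq: int, ts: int, level_pct: float, key: bytes) -> dict:
    """Edge side: wrap a reading and attach an HMAC-SHA256 tag."""
    reading = {"device": device_id, "seq": seq, "ts": ts, "level_pct": level_pct}
    tag = hmac.new(key, _canonical(reading), hashlib.sha256).hexdigest()
    return {"reading": reading, "tag": tag}


def verify(msg: dict, now: int, last_seq: dict) -> str:
    """Cloud side: return 'ok' or the reason the reading is rejected."""
    reading = msg.get("reading")
    if not isinstance(reading, dict):
        return "malformed"
    device = reading.get("device")
    key = DEVICE_KEYS.get(device) if isinstance(device, str) else None
    if key is None:
        return "unknown-device"
    expected = hmac.new(key, _canonical(reading), hashlib.sha256).hexdigest()
    # Constant-time comparison: do not leak how much of the tag matched.
    if not hmac.compare_digest(expected.encode(), str(msg.get("tag")).encode()):
        return "bad-tag"
    ts, seq = reading.get("ts"), reading.get("seq")
    if not isinstance(ts, int) or not isinstance(seq, int):
        return "malformed"
    if abs(now - ts) > MAX_AGE_S:
        return "stale"
    if seq <= last_seq.get(device, -1):
        return "replay"
    last_seq[device] = seq
    return "ok"


if __name__ == "__main__":
    state = {}
    msg = seal("tank-07", 1, 1_700_000_000, 62.5, DEVICE_KEYS["tank-07"])
    print(verify(msg, 1_700_000_030, state))
    print(verify(msg, 1_700_000_031, state))
```

The tag covers integrity and device identity only; the link still needs the encryption listed under sniffing, and a real deployment keeps the keys outside the source code.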


Authentication

Remote access equipment that connects edge and cloud locations to an enterprise network must be able to authenticate trusted users and attached equipment. This technology is known as public key infrastructure (PKI) and can use protocols such as X.509. Additionally, there must be a mechanism built into the networking hardware and software that ensures transmitted data cannot be observed by intruders. This feature is commonly known as data encryption and is implemented in technologies known as Secure Sockets Layer (SSL) and Internet Protocol Security (IPsec). With the use of cloud computing sites and cell phone transport, the network now looks like Figure 2.

Figure 2: The Enterprise Internet Reality: Secure remote access solutions with secure boundaries


Solutions

Let’s take a look at two solutions in more detail in Table 2:

Type 1: Remote sensor data historian

  • Manufacturer: Digi
  • Solution Set: Meet performance obligations and security requirements with fast, efficient troubleshooting, as well as remote configuration and performance monitoring, while enjoying greater device reliability.
  • Application: Digi Remote Manager provides an efficient, cost-effective way to remotely monitor, update and manage Digi TransPort intelligent routers over 3G/4G LTE.

Type 2: Remote equipment access or analysis

  • Manufacturer: Hirschmann, a Belden brand
  • Solution Set: For control engineers and original equipment manufacturer (OEM) machine builders who need constant monitoring and control of their global systems, the Gecko Secure Remote Access Solution offers instant access for maintenance or troubleshooting.
  • Application: This product also helps companies embrace the Industrial Internet of Things movement by enabling a secure way for many devices to connect together and communicate.

Table 2: Anixter remote access solutions with embedded security


Connectivity Options for Industrial Environments

In addition to providing authentication and encryption, the remote access solution also needs to provide connectivity to other types of media such as RS-232, Wi-Fi, LTE cellular, analog and digital signals. Table 3 shows a summary of the connectivity options that could be used in an industrial environment.

 

|  | B+B SmartWorx SR30xxxx4xx + | ABB AC500-eCo + | GarrettCom DX-940 | DIGI Remote Manager CSENSE-A210 |
|---|---|---|---|---|
| LTE Cellular | Yes | --- | Yes | Yes |
| Firewall | Yes | --- | Yes-SI, IPsec | --- |
| Certificate Authentication | --- | --- | --- | Yes |
| PoE | Yes | --- | --- | --- |
| E1/T1 | --- | --- | Yes | --- |
| Wi-Fi | Yes | --- | Yes | --- |
| # FE | 2 | 1 | 4 | --- |
| # SFP | --- | --- | 2 | --- |
| # Serial | Yes | --- | 4 | --- |
| # AO | --- | 2+ | --- | --- |
| # AI | --- | 4+ | --- | 4 |
| # DI | 2 | 16 | --- | 1 |
| # DO | 1 | 16 | --- | --- |
| DO & DI | --- | 16 | --- | --- |
| Battery | --- | --- | --- | Yes |

Table 3: Snapshot of Anixter cellular remote access solutions with I/O support

 
