Plant automation systems require technical support. But many of today’s plant automation groups are short-staffed, so plant managers are finding that it’s more cost-effective to rely on outside integrators and OEMs to get the help they need.
On-demand remote technical support can save precious time when a process, equipment or entire line is down. Remote access can also be a useful tool for the plant’s own technical support staff by allowing them to access the automation systems without having to first drive to the plant to connect into the problem system.
This productivity-enhancing resource is very powerful, but in the hands of the wrong people it can spell disaster for the plant and its company. So it’s important for plant operations to consider some ground rules when allowing remote online access to their manufacturing automation systems.
First and foremost, however, do allow it. Take advantage of the many access and security tools available in today’s market. When you do, four major areas should be addressed in your ground rules: access, security, version control and audit trail. Let’s examine each area.
Access from the outside should be through a VPN appliance—a networking router providing firewall protection, load balancing, authorization, authentication and encryption for VPNs. This is the tunnel into the plant automation systems for process, packaging, utilities and building services (HVAC, security, fire alarm). The configuration of your VPN appliance is extremely critical to the security of your automation systems. It is essential, and highly recommended, that the plant recruit the services of a security specialist integrator when deploying its VPN appliance.
Security and access should also be set up on individual automation systems. Control systems for your process should have different security and access rights than your packaging systems, utilities or building services, and vice versa. Process skids and packaging work cells should each have their own unique security and access rights. Deploying this extent of access segmentation gives you the ability to limit access to just the processes and equipment each person is qualified and authorized to service and support. This additional layer of security and access greatly reduces the risk of outsiders accidentally or deliberately gaining access to a part of the plant’s manufacturing operation that they shouldn’t be getting into.
Version control is all about making sure that the outside integrator or OEM is always viewing the most current programs and data files for the system being serviced. Additionally, version control is critical when an outside integrator or OEM makes a program or data file change to address an issue at the plant, making sure the plant’s automation group is left with the most up-to-date versions. An experienced integrator will be able to seamlessly integrate an off-the-shelf version control software asset system with the proper levels of security and access.
Lastly, your remote online support system must have audit trail, or accounting, capability. You want to know the who, what, where, when and why whenever an outside integrator, OEM or even one of the plant’s technical personnel remotely accesses one of the plant’s automation systems—or if a hacker attempts to access the network. A well-configured network can create the auditing and accounting traps to capture this vital information, viewable and reportable on a routine basis or on demand.
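The per-system access rights and the audit trail described above can be reviewed together. The following Python sketch is an added example, not part of the original article or of any vendor's product. The account names, segment labels, record fields, work-order numbers and addresses are all constructed assumptions.

```python
from collections import Counter

# Constructed authorization map: the segments each remote account may service.
AUTHORIZED = {
    "oem_filler": {"packaging"},
    "integrator_a": {"process", "utilities"},
    "plant_tech1": {"process", "packaging", "utilities", "building"},
}

# Constructed audit-trail records: who, what (segment), where (source), when, why.
FIELDS = ("who", "what", "where", "when", "why", "result")
AUDIT_LOG = [dict(zip(FIELDS, row)) for row in [
    ("oem_filler", "packaging", "203.0.113.10", "2024-03-04T09:15", "WO-1001", "ok"),
    ("oem_filler", "process", "203.0.113.10", "2024-03-04T09:40", "WO-1001", "ok"),
    ("integrator_a", "utilities", "198.51.100.7", "2024-03-04T13:02", "", "ok"),
    ("admin", "process", "192.0.2.55", "2024-03-05T02:11", "", "denied"),
    ("admin", "process", "192.0.2.55", "2024-03-05T02:11", "", "denied"),
    ("admin", "building", "192.0.2.55", "2024-03-05T02:12", "", "denied"),
    ("plant_tech1", "building", "198.51.100.20", "2024-03-05T07:30", "WO-1002", "ok"),
    ("contractor_x", "process", "198.51.100.9", "2024-03-05T08:05", "WO-1003", "ok"),
]]


def review(log, authorized, fail_threshold=3):
    """Return (record_index, finding) pairs for entries that need follow-up."""
    findings, failures = [], Counter()
    for i, rec in enumerate(log):
        if rec["result"] == "denied":
            # Count denied attempts per source; flag once when the threshold is hit.
            failures[rec["where"]] += 1
            if failures[rec["where"]] == fail_threshold:
                findings.append((i, "repeated-failures"))
            continue
        if rec["who"] not in authorized:
            # A session succeeded for an account missing from the rights map.
            findings.append((i, "unknown-account"))
        elif rec["what"] not in authorized[rec["who"]]:
            # Known account reached a segment outside its assigned rights.
            findings.append((i, "out-of-segment"))
        if not rec.get("why"):
            # The "why" is missing: no work order or reason was recorded.
            findings.append((i, "no-reason"))
    return findings


if __name__ == "__main__":
    for idx, finding in review(AUDIT_LOG, AUTHORIZED):
        r = AUDIT_LOG[idx]
        print(f'{r["when"]} {r["who"]}@{r["where"]} -> {r["what"]}: {finding}')
```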
Numerous examples show how allowing remote online access to qualified outside resources can save plant operations countless hours in downtime, lost production and missed opportunities. The benefits are too great to not take advantage of this cost-saving tool.
No single product or system can provide all the layers of security needed for robust remote access. It is imperative to employ a defense-in-depth approach leveraging multiple complementary products, systems and services. The key is to get a qualified and experienced integrator involved who knows security, access, accountability, version control and manufacturing automation to help the plant set up, configure and deploy remote online access.
For more information about the AAA of access, authorization and accounting for manufacturing automation systems, go to our post about operational technology security.
Steve Malyszko, P.E., is president and CEO of Malisko Engineering Inc., a certified member of the Control System Integrators Association (CSIA). See Malisko Engineering’s profile on the Industrial Automation Exchange.