VPN connection to customer sites.
Mattias Lindh
Automation Engineer @ Mattias Lindh Automation AB | PLC Programming Expert
Having the possibility to remotely support customers has always been a good thing. Many of us remember sitting and listening to the modem blip-blipping, waiting to connect... When finally connected, it was a slow connection, where everything seemed jammed from time to time. But it saved money and travel, and was very appreciated by both suppliers and customers. It was a relatively safe point-to-point (PTP) connection using a telephone line to gain direct access to the control system. It was the early stage of connectivity, when machines/lines were treated more as independent control islands.
Now things are different: with a couple of mouse clicks you can instantly have full access to your equipment worldwide. I used to say to my son, "Today I was on a big tour: in the morning I was in France, then I spent lunchtime in Russia, had a nice afternoon tea in England and finally ended up in Australia." With no effort, you can monitor and modify/program PLCs, HMIs, SCADA and other devices, and also guide plant staff to solve different tasks and problems.
All this is good but also scary, as it creates more vulnerability. Now that we are talking about I4.0 and IoT, and the fact that all units must be connected, the infrastructure and the safety within the systems need to be carefully designed. This leads to an increasing number of IT people getting involved when forming plant system layouts. There are many good VPN router solutions on the market, like eWon, Tosibox, Secomea, etc. Most of them also support mobile 3G connections. By asking around I can see many different types of solutions in use; of course we all select the ones we know work best.
But...
The problem is that many of these units are not allowed to be connected in the new plant infrastructure, because they are unknown to the IT people designing the systems. And as someone else put it: "One thing for sure, IT guys do NOT like things they don't understand!!" And you can really understand the frustration of the responsible IT person: "Having a mix of VPNs/4G modems etc. from different suppliers around the plant..." A situation like this may cause sweat drops on the forehead of the calmest IT person on this planet.
After taking part in many discussions in different groups, I came up with the following possible options for us to use:
- If it's allowed in the plant, use eWon. The eWon has a HW input that can be used to disable the connection. You can connect this input to a HW key, letting the customer have full control to turn the connection on/off. This can of course also be handled on an IT level through managed switches etc., but a HW key is still a simple way to go for smaller customer sites, letting the customer feel more secure by having control over the connection. The reason for me to recommend the eWon is that I have the most experience in handling this device, and I think it works very well. Another good thing is that it can easily be set up to function as a bridge between the VPN and old systems running older bus systems, e.g. MPI.
- If the customer demands use of a company VPN connection, I recommend setting up a base virtual machine with all the software needed for programming your systems. Then use this as a base to create new VMware machines supporting different connection types. If you are using VMware Workstation, you can also simplify life by using the snapshot function to apply different connection types to a standard VM. If needed, remote-control software like MobiKey can be used to remotely access the VM computer or server. If your organization is big and many people need to connect to different sites at the same time, more parallel stations can be set up, or alternatively distributed to users. If the security demands allow it, MobiKey can be replaced with TeamViewer. When a new customer with new demands is to be introduced, a new VMware machine or snapshot is created on the server.
Finally, do not forget endpoint protection. Some customers demand specific solutions to allow a connection, and I'm sure in the near future this type of demand will be more common. Using VMware machines you can meet this demand as well. But anyway, even if your customer does not have any special demands, make sure to have good endpoint protection at your own end. Please remember: using a company-provided VPN without endpoint protection is asking for trouble. VPNs are not safe! (The system is never safer than its weakest point.)
Below you can find links to the suppliers mentioned above:
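To make the "base VM plus one snapshot per connection type" idea above concrete, here is an added example (not part of the original article, and not a script from the author or from VMware): a small POSIX shell wrapper around the real VMware Workstation `vmrun` CLI (`listSnapshots`, `revertToSnapshot`, `start`). Before connecting to a customer, it reverts the engineering VM to that customer's named snapshot so every session starts from a known-clean state, and it refuses snapshot names that are not plain identifiers. The VM path and the snapshot names are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example: revert a base engineering VM to a per-customer snapshot
# before starting it. Assumes VMware Workstation with `vmrun` on PATH.
# BASE_VMX is a placeholder path; snapshot names (e.g. customer-a) are
# hypothetical and stand for one customer's connection profile.

VMRUN="${VMRUN:-vmrun}"   # overridable so the wrapper can be exercised without VMware
BASE_VMX="${BASE_VMX:-/vms/engineering-base/engineering-base.vmx}"   # placeholder

# Only accept simple names (letters, digits, '_', '.', '-') as snapshot
# identifiers, so nothing unexpected is ever handed to vmrun.
valid_snapshot_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# True if the snapshot appears (as a whole line) in vmrun's snapshot list.
snapshot_exists() {
    "$VMRUN" -T ws listSnapshots "$BASE_VMX" | grep -Fxq "$1"
}

# Revert to the customer's snapshot and power the VM on headless.
# Return codes: 2 bad name, 3 unknown snapshot, 4 revert failed, 5 start failed.
start_customer_vm() {
    snap="$1"
    valid_snapshot_name "$snap" || { echo "invalid snapshot name: $snap" >&2; return 2; }
    snapshot_exists "$snap"     || { echo "no snapshot named: $snap" >&2; return 3; }
    "$VMRUN" -T ws revertToSnapshot "$BASE_VMX" "$snap" || return 4
    "$VMRUN" -T ws start "$BASE_VMX" nogui               || return 5
}

# Usage (from an interactive shell after sourcing this file):
#   start_customer_vm customer-a
```

Each customer-specific change (VPN client, certificates, vendor tooling) lives only in its own snapshot, so reverting discards whatever a previous session left behind before the next site is connected.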
https://ewon.biz/product-gallery
https://secomea.com/why-secomea/
https://www.route1.com/what-we-offer/technologies/mobikey/
https://www.teamviewer.com/en/
The VPN discussions that formed this document can be found in the groups below; see "VPN connections to customer sites."
But don't forget that meeting people face to face, visiting customers and looking at the machinery is not to be underestimated nor forgotten in the new connected world.
Please feel free to comment or share your own experiences. Take care and thanks again for all your input.
Mattias Lindh, Mattias Lindh Automation AB https://lindhautomation.com/
Comment (7 years ago): Interesting reading, Mattias.