Two ways to realize mobile HMI remote access

Aug 28, 2024

Mobile human-machine interface (HMI) access is required in many industrial automation applications. Two methods are commonly used to provide it: a standard router with port forwarding and no virtual private network (VPN), and a cloud-hosted VPN router. This article compares the two in terms of how the connection into the plant network is established and what that means for security.


The first is the standard router, which, despite its weak security, is still used by many existing mobile HMI applications and even some newer ones. Its main advantage is low cost, but it is not recommended: enabling port forwarding in the firewall exposes plant-network services directly to the Internet and therefore poses a significant network security risk.

 

The other approach is a cloud-hosted VPN router, which reduces the information technology (IT) burden by creating an encrypted connection from the local VPN router to a VPN server hosted in the cloud. Remote users reach local components and systems through that cloud-hosted server rather than through an opening in the plant firewall. This reduces network security risk and also simplifies configuration and maintenance.


A third option, a traditional on-premises VPN router, is not considered in this article because its VPN server must accept inbound connections from the Internet, which creates complexities and risks similar to those of the standard router.

 

Standard Routers


Many industrial applications use standard routers and firewalls to protect company and plant networks, and users must manually configure and manage all routing and firewall settings. This type of router usually has no VPN to encrypt data; instead, port-forwarding rules are added to the firewall so that remote users can reach specific applications and components on the plant network.


Most HMI users want both remote and local access. Connecting a portable computer to an HMI web server is common, whether to monitor data and change setpoints and other parameters, or to run programming software against the HMI for troubleshooting or program changes.


To connect remotely through a standard router, port forwarding is usually configured to expose either the HMI itself or a local PC running remote access software. The local PC gives the remote user a way to run the HMI programming software.


With a standard router, HMI mobile applications also require port forwarding so that remote users can reach the local HMI to control or view data. These applications typically provide the same functionality as browser-based remote access, except that access is through the application rather than a browser.


The main issue with this approach is the security risk that port forwarding creates, for mobile applications as much as for PC-based ones. An attacker can easily determine which ports a firewall has open (Internet-wide port scanning is cheap and runs continuously) and can then reach the forwarded service, so the only thing between the Internet and the plant network is that service's own authentication and patch level. Forwarding from an unusual external port does not hide the service; the scanner sees whatever answers.


Port forwarding is efficient and useful inside a company or factory network, but it is extremely dangerous on the interface between the Internet and the company network. Manufacturing organizations should avoid this router method in new installations and should convert existing standard-router installations to a more secure connection, such as a cloud-hosted VPN router.
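As an added example (not code from the article or from any vendor), a Python audit of a router's port-forwarding table that applies the point above: every forwarded rule is an inbound hole, and the service behind it, not the port number shown to the Internet, decides how bad the hole is. The `ForwardRule` layout, the `RISKY_SERVICES` list and the `SAMPLE_RULES` table are constructed for illustration and do not correspond to any particular router's export format.

```python
"""Audit a router's port-forwarding (DNAT) table for rules that expose
plant-network services to the Internet.  Constructed example: the rule
format, the sample rules and the service list are illustrative assumptions,
not any vendor's export format."""
from dataclasses import dataclass
import ipaddress

# Services often found behind HMI/PLC port forwards and why WAN exposure hurts.
RISKY_SERVICES = {
    80:    "HTTP HMI web server (cleartext logins and session data)",
    8080:  "alternate HTTP HMI port",
    102:   "ISO-TSAP / S7comm PLC programming port",
    502:   "Modbus/TCP (no authentication; registers writable directly)",
    44818: "EtherNet/IP explicit messaging (PLC configuration)",
    5900:  "VNC remote desktop (often weak or absent password)",
    3389:  "RDP (brute-force and exploit target)",
}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


@dataclass
class ForwardRule:
    name: str
    wan_port: int              # port opened on the Internet-facing interface
    lan_ip: str
    lan_port: int              # service actually reached on the plant network
    source: str = "0.0.0.0/0"  # WAN addresses allowed in; any, by default
    enabled: bool = True


def assess(rule):
    """Return (severity, reason) for one forwarding rule.  The check keys on
    lan_port, so mapping an odd WAN port onto Modbus does not hide Modbus."""
    if not rule.enabled:
        return ("info", "rule disabled")
    src = ipaddress.ip_network(rule.source, strict=False)
    any_source = src.prefixlen == 0
    if rule.lan_port in RISKY_SERVICES:
        reason = RISKY_SERVICES[rule.lan_port]
        if any_source:
            return ("critical", f"{reason}; reachable from any Internet address")
        return ("high", f"{reason}; limited to {src} but still an inbound hole")
    if any_source:
        return ("medium", "unrecognised service reachable from any Internet address")
    return ("low", f"unrecognised service, limited to {src}")


def audit(rules):
    """Assess every rule; returns (severity, rule name, reason), worst first."""
    findings = [(sev, r.name, why) for r in rules for sev, why in [assess(r)]]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


# Constructed sample table, resembling what a standard router's NAT page shows.
SAMPLE_RULES = [
    ForwardRule("hmi-web", 80, "192.168.10.20", 80),
    ForwardRule("plc-modbus-obscured", 50502, "192.168.10.10", 502),
    ForwardRule("eng-pc-vnc", 5900, "192.168.10.50", 5900, source="203.0.113.0/24"),
    ForwardRule("vendor-tool", 9000, "192.168.10.60", 9000),
    ForwardRule("old-ssh", 22, "192.168.10.70", 22, enabled=False),
]

if __name__ == "__main__":
    for sev, name, why in audit(SAMPLE_RULES):
        print(f"{sev:8} {name:22} {why}")
```

The second sample rule is the one people tend to miss: Modbus published on WAN port 50502 is still Modbus, still unauthenticated, and still found by a scanner. Restricting the source range (the VNC rule) lowers the rating but does not remove the inbound path, which is why the article recommends replacing the pattern rather than tuning it.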

 

Cloud-hosted VPN Router


A cloud-hosted VPN provides secure connectivity with simple setup and network configuration. A typical cloud-hosted VPN solution includes a local VPN router, a cloud-hosted VPN server, a VPN client, and the interconnected automation components (Figure 1).


A secure connection is established after the local router (located on the plant/control network) and the VPN client (software installed on the user's portable computer or mobile device) have each connected outbound to the cloud-hosted VPN server. The local router establishes its connection immediately on startup; the VPN client connects only when the remote user launches it and authenticates to the server. Once both connections are up, the server joins them and all data passing through the VPN channel is encrypted. Whether the cloud server only relays encrypted traffic or terminates the VPN and can see the plaintext depends on the product, and is worth confirming with the provider.

 

Most cloud-hosted VPNs offer a free monthly bandwidth allotment for basic operations, and if data access is needed beyond this limit, additional premium bandwidth plans can be requested. For example, one product offers 5GB of free VPN data exchange per month, which may be enough for most troubleshooting, monitoring, and programming needs.


Security risk is reduced because the local router initiates communication with the server over an outbound connection on a port that is normally already open for outbound traffic, such as TCP 443 (HTTPS). No inbound rule is needed, so there is nothing for an Internet port scan to find, and the company's IT firewall often needs no change at all, which helps satisfy IT security requirements. For added confidence, users can look for a cloud-hosted VPN provider with an industry-certified information security management system (e.g., ISO/IEC 27001:2013); this shows that the provider has implemented a comprehensive security program and controls. Note that the provider then becomes part of the plant's trust boundary: the strength of user authentication on the VPN client (for example, multi-factor authentication) and the provider's own security now decide who can reach the plant network.
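The connection sequence described above (router connects out at startup, client connects out when the user authenticates, the server pairs the two) and the outbound-only property it relies on, as an added example that is not the article's or any vendor's code: a small rendezvous broker in Python. Everything in it is an assumption for illustration, including the `ROUTER`/`CLIENT` handshake lines, the `DEVICE_KEYS` and `USER_TOKENS` stores, the site name `plant-42` and the `uppercase_echo` stand-in for an HMI. It moves plain bytes over localhost to show who connects to whom; the encryption a real product adds is deliberately left out.

```python
"""Why a cloud-hosted VPN needs no inbound firewall rule: the plant-side router
and the remote client BOTH connect outbound to a broker that pairs them after
checking credentials.  Constructed example, not any vendor's protocol or code;
it relays plain bytes over localhost to show the connection topology only."""
import hmac
import socket
import threading

DEVICE_KEYS = {"plant-42": "devkey-abc"}        # constructed: device key per site
USER_TOKENS = {"plant-42": {"user-token-xyz"}}  # constructed: user tokens per site

def readline(sock):
    """Read one newline-terminated line without read-ahead buffering."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        ch = sock.recv(1)
        if not ch:
            break
        buf += ch
    return bytes(buf)

def _pump(src, dst):
    """Copy bytes src -> dst until src closes, then signal EOF to dst."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

class Broker:
    """Cloud-side rendezvous point: the only party that ever listens."""
    def __init__(self, host="127.0.0.1"):
        self.srv = socket.socket()
        self.srv.bind((host, 0))              # port 0: the OS picks a free port
        self.srv.listen(8)
        self.port = self.srv.getsockname()[1]
        self.waiting = {}                      # site id -> registered router socket
        self.lock = threading.Lock()
        threading.Thread(target=self._accept, daemon=True).start()

    def _accept(self):
        while True:
            conn, _ = self.srv.accept()
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        parts = readline(conn).decode(errors="replace").split()
        if len(parts) != 3:
            conn.close()
            return
        role, site, cred = parts
        if role == "ROUTER" and hmac.compare_digest(
                cred.encode(), DEVICE_KEYS.get(site, "").encode()):
            with self.lock:
                self.waiting[site] = conn      # router idles on its outbound socket
            conn.sendall(b"REGISTERED\n")
            return
        if role == "CLIENT" and cred in USER_TOKENS.get(site, set()):
            with self.lock:
                router = self.waiting.pop(site, None)
            if router is not None:             # pair the two outbound connections
                conn.sendall(b"OK\n")
                threading.Thread(target=_pump, args=(conn, router), daemon=True).start()
                _pump(router, conn)
                return
        conn.sendall(b"DENY\n")                # bad key, bad token, or router offline
        conn.close()

def connect_router(port, site, key, handler):
    """Plant-side router: one OUTBOUND connection, then serve whatever arrives."""
    s = socket.create_connection(("127.0.0.1", port))
    s.sendall(f"ROUTER {site} {key}\n".encode())
    if readline(s) != b"REGISTERED\n":
        s.close()
        return False
    threading.Thread(target=handler, args=(s,), daemon=True).start()
    return True

def uppercase_echo(sock):                      # stand-in for the plant-side HMI
    while line := readline(sock):
        sock.sendall(line.upper())
    sock.close()

def client_request(port, site, token, line):
    """Remote client: outbound connection, authenticate, send one line.
    Returns the reply, or None when the broker denies the session."""
    s = socket.create_connection(("127.0.0.1", port))
    s.sendall(f"CLIENT {site} {token}\n".encode())
    if readline(s) != b"OK\n":
        s.close()
        return None
    s.sendall(line)
    reply = readline(s)
    s.close()
    return reply

if __name__ == "__main__":
    broker = Broker()
    connect_router(broker.port, "plant-42", "devkey-abc", uppercase_echo)
    print(client_request(broker.port, "plant-42", "nope", b"hello\n"))              # None
    print(client_request(broker.port, "plant-42", "user-token-xyz", b"read reg 40001\n"))
```

Note that the plant side never calls `listen()`: a port scan of the plant's WAN address finds nothing, and a client with a wrong token is refused before it exchanges a byte with the router. The cost is that the broker sees everything unless the two ends encrypt between themselves, which is exactly the question to put to a provider.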


Another advantage of cloud-hosted VPNs is the simplicity of router configuration. Because the local router connects to a predefined cloud server, it ships pre-configured with the VPN settings, so non-IT staff can install it. All that is required is the IP addresses of the automation components connected to the LAN, and whether the Internet service provider (ISP) or the enterprise network router (not the cloud-hosted VPN router) assigns the WAN address dynamically or statically.


Other advanced options may include cloud data logging and alarm notifications that provide a subset of HMI functionality and are easier to use than custom programming. These services allow users to log system data and receive customized severity alerts on their mobile device or portable computer, providing a convenient, web-based history of system performance when needed.

 

Mobile App-Based Remote Access


Increasingly, mobile applications support industrial HMI and programmable logic controller (PLC) components, giving users remote monitoring and control from anywhere at any time. To reach industrial equipment securely, the mobile device must also use a VPN to encrypt data from the device to the plant network. Without a mobile VPN, the plant's firewall ports would have to be opened, recreating the standard-router scenario and leaving the plant network vulnerable to cyber attacks.


Using a hosted VPN provides a secure VPN connection for laptops and mobile devices. The latter is accomplished through a fully VPN-enabled mobile app. Once securely connected to the plant network via the mobile VPN app, a third-party HMI or PLC app can be opened and connected to the local HMI and PLC components, with that mobile user appearing virtually as if they were actually on site.


Some routers also provide laptop and mobile device connectivity to the hosted VPN. Apple iOS and Google Android apps give users a secure connection to the plant network. Some cloud-hosted VPN providers also offer cloud-based data logging apps, as well as widgets for building custom dashboards for remote viewing.


This built-in cloud logging is particularly useful for original equipment manufacturers (OEMs), many of which have thousands of machines installed in hundreds of locations around the world, each with multiple users. The OEM provides each machine with a VPN router that is preconfigured to log the data and contains customized dashboards for remote viewing on a mobile app. Other than installing the app on a smartphone or tablet, the OEM customer does not need to configure, install, or maintain any remote access software.


For access beyond the dashboards, remote users can use the mobile VPN provided by the hosted VPN provider to reach local HMIs and PLCs through their app. Certain mobile HMI software works more securely when paired with the provider's VPN router. A PC can likewise connect securely to the local devices for programming, monitoring, or troubleshooting.
