The cost of downtime is enormous. "Sometimes we don't have the time to sit back and analyze what it costs, because we're so focused on getting it fixed quickly," noted Sal Conti, Rockwell Automation product manager, introducing his session, "Scalable Secure Remote Access Solutions," this week at the Rockwell Automation TechED conference in Orlando, Florida.
Conti stated that there's $20 billion associated with unscheduled downtime each year. "Some 89% of this downtime is completely random, and a lot of time is spent to resolve these problems," he added. "Eight percent of downtime is spent first trying to determine that there really is a problem, another 21% is spent to analyze the issue, and nearly half of the downtime is spent scrambling to get the needed resources. So three-quarters of the total downtime is spent before the fixing even starts."
Conti recognized that everyone's dealing with leaner staffs, aging workforces that are walking out the door with all that experience, remote locations and employees who are trying to keep up with technology. Further, the response time for a downtime incident can typically take up to 60 minutes. So wouldn't it be great to give your best qualified engineer visibility and access to every site when they're needed?
Three Levels of Security
Conti explained that the Rockwell Automation Virtual Support Engineer (VSE) can provide secure remote access to sites, monitoring equipment and collecting valuable performance analytics. It can help users to better understand how well machinery is working and provide alerts when performance falls outside of predefined parameters. Because there are different needs and potential threats, and different security rules for different customers, Conti presented good, better and best levels of its Virtual Support Engineer service.
"In a 'good,' or Virtual Support Engineer Standard, approach, only outbound communication outside the firewall is allowed, and we require two outbound ports (443 and 80) for that," Conti explained. "We use SSL [Secure Sockets Layer] from a tunneling standpoint, as well as user authentication. For users to log into the system, they have to have an active account, and that authentication is brokered by our hosted service center. So there's never a direct connection to the plant. We also have an access audit trail, so we know who logged in and when they logged in."
Conti then explained that the "better" or VSE Enhanced model includes the standard features, but reduces the outbound ports to one (443). It has a couple of levels of certification, including fingerprint, and can limit access by user and/or IP address. It also adds remote access notification, surveillance and recording. "There's also a couple of things added for end-user control," Conti explained. "Not only can the end user allow or disallow access, it can control the type of access and what you can or can't see, the types of IP addresses you can access, as well as some of the recording features."
Then there's what Conti labeled the "best" VSE method, which adds compliance with the Rockwell Automation/Cisco Reference Architecture Model to the Enhanced version. "This means you're creating an air gap between the plant floor and the outside world through your industrial DMZ," Conti explained. "There's never any direct connection. It's always brokered by a remote desktop session."
"Just as Virtual Support Engineer allows internal access to remote assets, it can also connect to Rockwell Automation Managed Services, allowing knowledgeable resources to help prevent downtime or optimize your production, in addition to offering support during unexpected failures, all while giving you total visibility and control over who has access, what they have access to and what information they can see," Conti said.
Conti added that the Asset Health Support that comes from Managed Services will report on the health of the network infrastructure devices, the UPS and the server, and the only alarms they get are whether the asset is up or down. It can also monitor the health of medium-voltage drives and PLCs, with service to soon be available for low-voltage drives, MCC, and the PlantPAx process automation system.