The knock against cloud-computing services is that they require more, and more tightly integrated, network connections, and those usually come with increased cybersecurity risk. At least, that's the usual story. Wouldn't it be great if these powerful virtual and digital tools could be used to improve security at the same time? Glad you asked.
"Remote access enables technical support and increased worker productivity to counter the exponential growth of automation, but it comes with security risks," said Peter Eliya, safety and control systems automation specialist at aeSolutions, system integrator and consulting engineering firm in Greenville, SC. "This is especially true when users engage in dangerous methods for achieving remote access, such as connecting control systems to company networks, connecting directly to the Internet, and/or working around IT security policies."
Eliya presented "Using the cloud for secure remote access to control systems," on the second day of Siemens Automation Summit 2018 in Marco Island, Fla.
Secure links for VPNs
To make cloud computing, virtualized tools, and other digital formats more secure, Eliya reported there are several basic methods for monitoring them. These include encrypted communications, managed virtual private network (VPN) tunnels, hosted servers or server clusters, and secure cloud services managed via web-based platforms.
"One of our clients is a specialty chemicals firm that makes resins, and they didn't allow outside access to the company network, but they did have customized logic with frequent bugs, and their local staff wasn't trained in PCS 7 controls," said Eliya. "We implemented an mGuard switch from Phoenix Contact and used their servers to establish an encrypted IPsec VPN tunnel between their control system network and our engineering workstation."
The chemical company and aeSolutions recently implemented a Siemens Virtualization as a Service (SiVaaS) system, which provides a virtual PCS 7 architecture using VMware vSphere and ESXi. All control system terminals (OS servers/clients, ES, etc.) run as virtual machines on ESXi host servers.
"Remote support engineers can employ mGuard to quickly navigate to any of the VMs to make program changes or install hotfixes," said Eliya. "When connecting mGuard to SiVaaS, it's important to define user permissions for each person who may need to remotely open certain VMs, reboot the host or an individual VM, and perform a full suite of monitoring and control tasks."
Eliya added that signing up for mGuard secure cloud service also lets users access its VPN Builder software tool, which tells them what's happening with their connections and firewalls; allows them to set switches on mGuard devices; and provides the capability to ask their cloud service to build VPN data files. "Overall, the mGuard experience is good, and everyone saved time and money," he said. "However, there were some initial challenges with the VPN tools; activating the data plan took months; users must coordinate modifications with Phoenix Contact; and the PCs' secure cloud can be taken down for maintenance."
Meanwhile, another aeSolutions client has been using the Siemens Totally Integrated Automation Portal (TIA Portal) to monitor the efficiency of cooling towers in Mexico, using a Siemens SIMATIC S7-1510 controller with six Profinet remote I/O drops. That client recently decided to add a Siemens SINEMA Remote Connect (RC) server to its industrial Ethernet architecture, which is based on Siemens SCALANCE industrial communication products, to secure its wireless and company networks.
Eliya reported that an appliance is installed on an aeSolutions server and assigned an address for the SINEMA RC server. Next, a profile is created on the server for the equipment or application being monitored, and that profile is automatically downloaded by the switch. Finally, client software is added to the users' workstations, a profile is created on the server, and a secure VPN tunnel is established. "This is a very simple setup. You don't need to be an IT or cybersecurity expert to use these tools," added Eliya. "We host it locally to prevent unplanned downtime."
David Burrell, automation networking consultant at Siemens, reported, "SINEMA RC server with a SCALANCE M876 mobile wireless router provides the same level of security as the prior example, but does it on a server managed locally as a cost-effective and robust solution."
Eliya added, "The case for adding secure remote access like this is pretty strong. Many facilities are constantly adding new users and locations, and this solution can do it more efficiently, prevents devices from ever being 100% isolated, helps pull IT and OT together, and helps users achieve better work/life balance."
Burrell concluded, "As demands increase, the SINEMA RC server option offers cost-effective options, including providing user accounts to different customers, so one server can have the administration, aeSolutions and customer access focused on specific locations. There's also flexibility with the offering, including the use of PKI cards or various VPN protocols in one server for different levels of security, including dual authentication. These are tools aeSolutions has at their disposal to meet clients' demands."