As enterprises in the automation and process industries look to improve productivity and increase uptime, they are increasingly turning to Internet-based technologies that let employees remotely monitor product performance, diagnose part failures and make repairs. Remote Product Service (RPS) solutions can greatly benefit enterprises in these industries that need secure remote access to their equipment.
This article examines how RPS solutions can help enterprises in the automation and process industries achieve secure, controlled remote access to their automation and process-control network environments. It explains how RPS solutions allow plant managers to simply, securely and accountably leverage both distributed internal support resources and third-party support services to increase industrial network productivity and performance.
Until recently, effective management and maintenance of process-oriented and discrete control systems required direct, on-site human intervention. Examples include:
- Plant technicians making threshold changes to a Programmable Logic Controller (PLC)
- Plant managers monitoring the operator screens of a Distributed Control System (DCS)
- Corporate accountants inquiring about the volume of gas measured in a given month by the pipeline custody transfer system. The measurements are held in Remote Terminal Units (RTUs) that are monitored by a Supervisory Control and Data Acquisition (SCADA) system
- Corporate applications experts in Detroit providing technical assistance to plant operators in Australia as they watch their Human Machine Interface (HMI) console
- Third-party systems integrators providing change management services by checking the current firmware version and application programming of an intelligent process automation instrument.
Without remote network access, each of these cases requires that someone be physically located where the devices reside in order to track performance, make required modifications, or simply to give proper advice for maintaining operations and productivity.
Fortunately, the advances in the embedded management capabilities of today's automation/process control equipment coupled with the adoption of Industrial Ethernet as the standard has now given plant managers a means to improve productivity and increase uptime. They can accomplish this by leveraging either a centralized or distributed resource pool to monitor and service plant network segments remotely.
Industrial Network Security
Unfortunately, the remote access advantages of a "networked" plant environment introduce security risks. Historically these risks were not a major concern because of the "air gap": plant networks were completely disconnected from both the corporate LAN and the outside world. By opening production and process control networks to other segments, including the Internet, these departments are now exposed to the same malware and network threats that corporate IT departments have been facing for years.
In general, two corporate departments -- IT and Plant Automation -- have important and legitimate needs to own and control remote network access to automation systems. Corporate IT needs to monitor any IP-connected device and any "out-of-band" remote access path (e.g. a dial-up modem) for regulatory and security reasons. Plant Automation needs access to the automation systems because it has the application knowledge, the expense budget, the remote support tools and the sense of urgency to diagnose and solve its own problems. The typical conflict arises when Corporate IT wants all networks closed to remote access while Plant Automation wants the freedom to connect remotely, quickly and simply.
RPS solutions give appropriate control to both parties; Corporate IT gets universal control of remote network access and compliance reporting while Plant Automation departments get easy connectivity and best-of-breed software tools to solve problems in an optimal way.
Internal Access Challenge: Corporate Support Groups
Modern advances in network access tools for automation systems and Windows-based HMIs have made it possible to create a centralized data center that integrates asset management data mining and TCP/IP networking support. These integrated capabilities allow plant managers to collect and extract detailed information on performance and throughput and generally simplify Operations, Provisioning and Maintenance (OP&M). To best take advantage of this centralized data center, plant managers use commercial or custom-built applications to centrally collect and analyze performance and statistical data from multiple dispersed processing components and servers.
Data centers also support expert personnel who can analyze the data and take corrective action if necessary, such as "fine-tuning" or operational maintenance. Yet data center support personnel are significantly challenged to reach automation devices that may sit behind automation network firewalls, or that are dispersed across multiple logically or physically separate network segments, each with its own security elements. Historically, dial-up modems were used for remote connectivity. However, given the bandwidth requirements of today's automation applications, along with the security and accountability limitations inherent in dial-up (a modem attached to a device is an access path that bypasses the network perimeter and its controls), this is no longer a viable option.
Alternatively, simply opening the automation network to the corporate intranet or the Internet goes against the common automation security practice of maintaining the "air-gap" model found in older network topologies. An air gap restricts any direct inbound or outbound communication between the automation network and the outside.
To overcome these challenges, plant managers have experimented with combinations of internal VPNs and Demilitarized Zones (DMZs) to gain secure access between the data center and the automation devices. Unfortunately this is not the most efficient approach because of the complexity and cost of the setup, management and additional hardware these connections require. Further, a VPN or DMZ on its own does not fully address the security practices of accountability and control over the "who, what, where and when" of data center remote connections: a VPN authenticates a user onto a network segment, but it does not by itself restrict that user to a specific device, protocol or maintenance window, nor record what was done during the session.
The answer to the data center remote connection challenge is an RPS tool that allows the plant managers to:
- Utilize the ubiquity and bandwidth availability on their Ethernet-based networks
- Remotely leverage the embedded management capabilities of automation devices
- Leverage centrally located or dispersed resource pools for automation device management
- Meet security and accountability practices between the automation and corporate network, as demanded by Corporate IT departments
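The "who, what, where and when" controls called for above can be made concrete with a small access broker that sits as the single choke point between the corporate or vendor side and the automation network, decides each session request against a per-account rule, and writes every decision (allow or deny) to a hash-chained audit trail so the record itself is tamper-evident. The following Python is an added illustration, not ComBrio's product or code: the rule schema, the account and device names, the address ranges and the maintenance windows are all constructed for the example.

```python
"""Brokered remote access with who/what/where/when rules and a tamper-evident audit log.

Added example for illustration; not ComBrio code. Rule fields, account names,
device identifiers and address ranges are assumptions constructed for the demo.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AccessRule:
    who: str                 # WHO: the named account (employee or third-party technician)
    devices: frozenset       # WHAT: device identifiers this account may reach
    protocols: frozenset     # WHAT: session protocols allowed to those devices
    sources: tuple           # WHERE: source networks (CIDR strings) sessions may come from
    window_start: time       # WHEN: maintenance window in plant-local time
    window_end: time         # end earlier than start means the window crosses midnight

    def in_window(self, t: time) -> bool:
        if self.window_start <= self.window_end:
            return self.window_start <= t <= self.window_end
        return t >= self.window_start or t <= self.window_end


class AccessBroker:
    """Single choke point: every session request is evaluated and recorded here."""

    def __init__(self, rules):
        self.rules = {r.who: r for r in rules}
        self.audit = []             # append-only decision records
        self._prev_hash = "0" * 64  # anchor of the hash chain

    def evaluate(self, who, device, protocol, source_ip, when: datetime):
        """Return (allowed, reason). Deny by default; every check must pass."""
        rule = self.rules.get(who)
        if rule is None:
            return False, "no rule for account"
        if device not in rule.devices:
            return False, "device not in scope"
        if protocol not in rule.protocols:
            return False, "protocol not permitted"
        ip = ip_address(source_ip)
        if not any(ip in ip_network(n) for n in rule.sources):
            return False, "source network not permitted"
        if not rule.in_window(when.time()):
            return False, "outside maintenance window"
        return True, "allowed"

    def request(self, who, device, protocol, source_ip, when: datetime) -> bool:
        """Evaluate a session request and append a chained audit record, allowed or not."""
        allowed, reason = self.evaluate(who, device, protocol, source_ip, when)
        record = {
            "who": who, "what": f"{protocol}://{device}", "where": source_ip,
            "when": when.isoformat(), "decision": "allow" if allowed else "deny",
            "reason": reason, "prev": self._prev_hash,
        }
        # Each record's hash covers its own fields plus the previous hash, so
        # editing or deleting any earlier record breaks the chain.
        record["hash"] = hashlib.sha256(
            json.dumps(record, sort_keys=True).encode()).hexdigest()
        self.audit.append(record)
        self._prev_hash = record["hash"]
        return allowed

    def verify_audit(self) -> bool:
        """Recompute the chain; False if any record was altered or removed."""
        prev = "0" * 64
        for rec in self.audit:
            body = {k: v for k, v in rec.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if rec["prev"] != prev or rec["hash"] != expected:
                return False
            prev = rec["hash"]
        return True


# Constructed rules: an OEM technician limited to one production line during the day
# shift from the vendor's address block, and an internal data center team limited to
# the historian overnight from the corporate range. All values are hypothetical.
RULES = [
    AccessRule(who="oem-tech-jsmith",
               devices=frozenset({"plc-line3", "hmi-line3"}),
               protocols=frozenset({"vnc", "modbus-tcp"}),
               sources=("203.0.113.0/24",),
               window_start=time(8, 0), window_end=time(18, 0)),
    AccessRule(who="datacenter-ops",
               devices=frozenset({"dcs-historian"}),
               protocols=frozenset({"opc-ua"}),
               sources=("10.20.0.0/16",),
               window_start=time(22, 0), window_end=time(6, 0)),
]


def demo():
    """Run a constructed set of session requests; returns (decisions, broker)."""
    broker = AccessBroker(RULES)
    t_day = datetime(2024, 5, 6, 10, 15)
    decisions = [
        broker.request("oem-tech-jsmith", "plc-line3", "vnc", "203.0.113.40", t_day),
        broker.request("oem-tech-jsmith", "plc-line3", "vnc", "203.0.113.40",
                       datetime(2024, 5, 6, 23, 0)),                      # outside window
        broker.request("oem-tech-jsmith", "dcs-historian", "vnc", "203.0.113.40", t_day),  # wrong device
        broker.request("oem-tech-jsmith", "plc-line3", "vnc", "198.51.100.7", t_day),      # wrong source
        broker.request("datacenter-ops", "dcs-historian", "opc-ua", "10.20.5.9",
                       datetime(2024, 5, 7, 2, 30)),                      # overnight window
        broker.request("unknown-user", "plc-line3", "vnc", "203.0.113.40", t_day),         # no rule
    ]
    return decisions, broker


if __name__ == "__main__":
    results, b = demo()
    for rec in b.audit:
        print(rec["decision"], rec["who"], rec["what"], rec["where"], rec["when"], rec["reason"])
    print("audit chain intact:", b.verify_audit())
```

Denied requests are logged with the same detail as allowed ones, since a refused connection attempt is exactly what Corporate IT wants to see in a compliance report; the chain hash is what lets an auditor trust that the log was not edited after the fact.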
External Access Challenge: Third Party Support
As hardware margins erode in the automation market, manufacturers and distributors have begun to offset diminished hardware sales with more service-centric offerings. These can include managed services that let plant managers outsource automation management and support to third-party vendors such as OEMs or local system integrators. The outsourced services can be complete turn-key managed services or a subset, such as on-demand product expertise, eliminating the need to wait for an on-site technician.
While these services can deliver the expected benefits of outsourcing, such as reduced operating costs and a lower Mean Time To Repair (MTTR), their adoption has been slow. Plant managers face many of the same challenges corporate IT faces when allowing remote vendor access to critical resources in its data centers: additional layers of complexity resulting from the need to give external vendors secure, accountable and controlled access into the network.
The solution to the third-party access challenge is for the plant manager to use the same type of RPS tool that corporate IT organizations use for remote access, and to extend it to all remote parties, including vendors and remote internal experts. A centralized RPS tool lets standard corporate practices be defined for remote monitoring and management regardless of the device type, the tools used, or the location from which the service is performed.
Round-the-clock availability and performance of automation equipment is crucial to a manufacturer's business success. As the equipment becomes more complex and the relationships between partners and technicians more sophisticated, this has become a harder challenge to meet. Through RPS solutions, manufacturers can grant remote access to internal staff and third parties and fully meet this challenge. The result is increased uptime and efficiency without undermining the security of either the corporate or the automation network in the process.
Dave Boulos is VP of Product Management at ComBrio, a provider of Remote Product Service (RPS) solutions for remote service environments. ComBrio's solutions are used by critical data center workers, industrial automation plant managers and their equipment suppliers, distributors and independent managed service providers. http://www.combrio.com