fbpx
Back

Contents

Whitepaper

Enabling secure remote access to Industrial Automation Devices with SDA connectivity service

25 Apr, 2023

Philip Ketterer

Dr. Philip Ketterer

Senior Product Manager

Automation is crucial to increase productivity and efficiency in the manufacturing industry. Remote access to industrial automation devices is essential for manufacturers to control and update their devices from anywhere at any time. However, this is often a challenging task due to cybersecurity requirements, communication protocols, and complex network architectures. This white paper discusses a secure connectivity service that enables remote access to industrial automation devices from SDA’s cloud‑hosted services.

Introduction

In today’s rapidly evolving manufacturing industry, automation plays a crucial role in increasing efficiency and productivity on the one hand and reducing downtime on the other. To achieve this, remote access to industrial automation devices is essential, enabling manufacturers to control and update their devices from anywhere, at any time. However, enabling remote access to automation equipment is often a challenging task due to various factors, including high cybersecurity requirements, proprietary third‑party communication protocols, and complex network architectures. This white paper provides an overview of the connectivity service that establishes secure remote access from SDA’s services hosted in the cloud to industrial automation devices such as PLCs on the shop floor. The service leverages MQTT communication and establishes on‑demand, device‑specific VPN tunnels, allowing manufacturers, machine builders and system integrators
to securely connect remotely. All communication is fully encrypted and different manufacturers are fully isolated from each other via tenant‑specific connectivity host servers. In addition,
manufacturers can use a dedicated SDA connectivity client on existing gateway devices minimizing the need to install new and expensive hardware.

The importance of remote access to industrial automation devices

The manufacturing industry has undergone a significant transformation in recent years with automation playing a critical role in driving growth and efficiency. Industrial automation devices
such as Programmable Logic Controllers (PLCs), sensors, and Human‑machine Interfaces (HMIs) have become increasingly sophisticated and complex, requiring manufacturers to monitor,
control and adjust their production processes in realtime.

However, with the increasing complexity of the programs running on those devices, the need for connecting to them remotely has become essential. Remote access allows manufacturers to troubleshoot issues, perform maintenance, and make adjustments to their equipment from anywhere, at any time. This results in significant cost savings, increased uptime, and improved
overall efficiency.

For instance, system integrators working with manufacturers don’t have to let their experienced engineer travel on site. Instead, they can help their customers remotely, thereby saving cost and improving their carbon footprint. As a result, manufacturers with their own automation engineering teams can increasingly source PLC engineers globally to work remotely, thus helping them to attract rare talent and reducing their own costs.

Despite these benefits, enabling remote access to industrial automation devices can be challenging as it requires secure and reliable connections that do not compromise the security of any devices or production processes. The connectivity service of SDA addresses these challenges and provides a secure and efficient solution for PLC operators such as manufacturers and machine builders seeking to enable remote access to their industrial automation devices. As it is integrated in SDA’s PLC Ops offering, it is more cost‑effective than single‑function solutions and reduces effort in setting up and connecting different solutions.

Challenges of enabling remote access to industrial automation devices

Enabling remote access to industrial automation devices presents a number of challenges to manufacturers. Some of these challenges include:

Security concerns: Industrial automation devices often control critical production processes. Hence, security is a major concern. Remote access must be secure and not compromise the integrity of the devices or the production process.

Legacy devices: Many manufacturers have legacy devices that are not designed to support remote access, making it difficult to enable this functionality without expensive hardware upgrades. In addition, those legacy devices have often not been patched.

The complexity of network’s architecture: The architecture of typical OT (Operational Technology) networks is quite complex due to their specialized nature and unique requirements. Devices are often split into many subnets and the OT network is separated from the enterprise network via a demilitarized zone (DMZ).

Proprietary network communication protocols: Many industrial automation devices rely on proprietary software (e.g., Siemens TIA Portal) with proprietary communication protocols that can make it difficult to establish secure remote connections to all devices via a single solution.

Connectivity reliability: Remote access requires reliable and secure connections, which is challenging in areas with poor network coverage or unreliable internet connections.

The connectivity service presented in this white paper addresses these challenges by providing a secure solution that enables remote access to industrial automation devices, including legacy devices. The service enables the usage of third‑party communication protocols and works with existing devices meeting minimum system requirements to minimize the need for expensive hardware upgrades.

Introduction to SDA’s connectivity service

The connectivity service presented in this white paper enables secure remote access from the cloud‑hosted SDA solution to industrial automation devices. The service utilizes MQTT for base communication and opens additional communication channels on demand such as a device‑specific VPN tunnel, e.g. to enable remote deployments to PLCs. Some of the key features and benefits of the connectivity service include:

Secure connections: All communication is fully encrypted and does not require any open inbound ports.

Support for legacy third‑party software: The service supports legacy third‑party software (e.g., Siemens Step7 V5.7) enabling manufacturers to continue using their existing software tools.

Compatibility with existing gateway devices: The service can be installed on existing gateway devices, minimizing the need for expensive hardware upgrades.

Secure tenant isolation: SDA strictly separates traffic between different tenants within its cloud architecture. For every tenant a dedicated connectivity host server is instantiated that all traffic is routed to.

Comprehensive permission management: Manufacturers have full control over who of their users can access which device. In addition, they can enable temporary access for third parties (e.g., system integrators) to perform changes on a specific device (e.g., access to just one PLC for 3 hours).

No connection from unsecured engineering workstations: SDA’s connectivity service allows restricting connections to be only between its secured cloud servers and the manufacturer’s automation devices. It thereby prohibits direct access of unsecured engineering workstations (e.g., from system integrators) to automation devices.

Multi‑protocol support: The connectivity service supports multiple communication channels that are opened on‑demand.

For instance, many PLCs can be accessed and updated using port forwarding such that there is no need to establish a VPN tunnel to manage those devices remotely.

State‑of‑the‑art VPN tunnel on‑demand only: In case a VPN tunnel is needed for communication with a specific device, the service opens temporary, device‑specific, and encrypted VPN tunnels on demand only, such that no permanent VPN connections are established. The VPN technology is based on WireGuard.

Nested gateway devices: Future releases will include the capability to use nested gateway setups within the on premise network for increased security. In this case, there will be a parent gateway with multiple sub‑gateway devices.

Technical details of the connectivity service

The connectivity service utilizes the MQTT (Message Queuing Telemetry Transport) communication protocol to enable secure communication between the industrial automation devices

and the customer’s network. MQTT is a lightweight messaging protocol designed for IoT (Internet of Things) and other low‑bandwidth, high‑latency environments. It is reliable, efficient and supports secure communication through of SSL/TLS encryption.

In addition to the MQTT protocol, the connectivity service also utilizes WireGuard VPN tunnel technology to provide secure connections between the devices and the customer’s network. WireGuard is a modern open source VPN protocol that is designed to be fast, efficient, and secure. It uses a streamlined code base and employs state‑of‑the‑art cryptographic algorithms to ensure secure communication.

The connectivity service requires a connectivity client application provided by SDA that can be installed on existing edge devices running a Linux distribution and meeting the minimum system requirements. The client application communicates with the devices using the MQTT protocol and opens on‑demand communication channels to establish a connection between SDA’s solution hosted in the cloud and customer’s automation devices. Such a communication channel can be a VPN tunnel based on WireGuard technology or an SSH Port Forwarding connection.

Overall, the use of MQTT and WireGuard technology ensures that the connectivity service provides a secure and efficient solution for enabling remote access to industrial automation devices, while minimizing the risk of unauthorized access or data breaches.

SDA Connectivity Solution Architecture
SDA Connectivity Solution Architecture

Deployment and implementation of the connectivity service

The following steps are needed to setup the SDA connectivity service:

Identify target network architecture: Decide where to place the connectivity client in the customer network (see best practices in the previous section).

Identify device(s) or VM(s) to host the connectivity client(s): Select a device or a VM to host the SDA connectivity client and ensure that the minimum system requirements are met (see user manual on SDA website).

Generate an account in SDA Console: This will generate a unique customer‑specific domain required for the firewall configuration.

Ensure correct firewall configuration: Adjust firewall configuration to allow outbound access on selected ports to SDA’s customer‑specific connectivity domains.

Generate Gateway client installation key: Generate a new gateway entry in the SDA Console and retrieve the installation command.

Install connectivity client and check connection: Login to a selected edge gateway device (e..g, via SSH) and install SDA connectivity client. Check successful connection in the SDA Console.

Note that, at any time, the connectivity service can be deactivated by turning off the respective device or the VM.

Security considerations and best practices for using the connectivity service

Users have multiple options to place the SDA connectivity client in their network infrastructure. Important boundary conditions are that the gateway needs to be able to communicate with the respective automation devices via their proprietary protocols and have outbound internet access to selected SDA‑specific domains.

Exemplary implementations (see figure below):

  1. Place SDA connectivity client inside a demilitarized zone (DMZ)
  2. Place SDA connectivity client inside the OT (sub)network

Note: Users can also use multiple gateway instances in their networks (e.g., in different OT subnets). SDA is working to enable nested gateway setups ‑ e.g., a parent client inside the DMZ and nested clients inside the OT subnets.

Schematic network architectures with SDA connectivity client
Schematic network architectures with SDA connectivity client

SDA recommends the following zero trust‑based networking best practices:

Multi‑Factor Authentication (MFA): Any remote access solutions should require users to pass multiple forms of authentication.

Role‑Based Access Control (RBAC): Access to industrial devices should be based on the user’s role or job function to ensure that users have only access to resources and data that are necessary for their job.

Network segmentation: Manufacturers should segment their network such that a potential attack can be contained to a limited portion of their network.

Device authentication: Every device with access to industrial devices should provide a method to authenticate itself (e.g., via a certificate).

Continuous Monitoring: Manufacturers should continuously monitor their network to detect any intrusions.

SDA enables zero trust best practices through:

  • SDA allows MFA for all users and will enable linking customer’s SSO
  • SDA allows defining fine‑grained access control (e.g., per device) via user roles and groups.
  • In the cloud, SDA strictly segments its network to ensure security and tenant separation.
  • SDA only allows connectivity from its secured cloud servers and uses certificate‑based encryption.
  • SDA continuously monitors its network traffic in the cloud based on the latest network technologies.

Conclusion and summary

The connectivity service presented in this white paper provides manufacturers with a secure and efficient solution for enabling remote access to their industrial automation devices. By utilizing MQTT communication and WireGuard VPN tunnel technology, the service ensures secure communication between the devices and the customer’s network, minimizing the risk of unauthorized access or data breaches. The service is easy to deploy and manage, and is compatible with existing gateway devices.

Looking to the future, there is potential for the connectivity service to be expanded to include additional features and functionality. For example, the service can be integrated with other cloud‑based manufacturing tools and platforms, providing users with a comprehensive solution for managing their manufacturing processes.

In conclusion, the connectivity service presented in this white paper provides manufacturers and machine builders with a secure and efficient solution

for enabling remote access to their industrial automation devices. Utilizing the latest communication and VPN tunnel technology, the service provides a comprehensive solution for managing industrial automation devices, improving efficiency, and increasing productivity.

Acknowledgments

We highly appreciate the contributions of our developer team and engineers who worked tirelessly to develop and implement the connectivity service. We would also like to thank our partners and customers who provided valuable feedback and insights throughout the development process.

Finally, we would like to thank the open‑source community and the creators of the tools and technologies used in the development of the connectivity service, including the MQTT protocol, WireGuard VPN technology, and Debian Linux distribution. Their significant contributions made the development of the connectivity service possible.

 

MQTT specifications MQTT.org, MQTT Version 5.0 specifications available under https://docs.oasis‑open.org/mqtt/mqtt/v5.0/mqtt‑v5.0.html

WireGuard Technical White Paper https://www.wireguard.com/papers/wireguard.pdf

Stay up to date. Subscribe for our latest news.

subscribe icon