#Industry (Production, process)
“Precautions to Ensure Production Security”
Plant Operator Sets Standard for Secure Remote Services
When a production plant stops operating, rectifying any malfunctions quickly becomes an urgent matter. Using remote services to assist the technician is one efficient means here. However, many remote service solutions are technically complex and inflexible, or confront operators with additional security risks. For this reason, global automotive supplier ArvinMeritor, now part of Inteva Products, has been stipulating a secure remote service connectivity solution for all of its automation contractors.
For Inteva Products, a high level of plant availability and uninterrupted deliverability are of existential importance. The automotive supplier produces sunroofs for various OEMs, among other products, and in view of very tight delivery schedules, cannot afford any plant downtime. So for several years the production plants have been administered and serviced remotely online.
From modem to TCP/IP
Facilities, including final test stands with increasingly complex software programs, always require fast data connections. Therefore, the age of modems in remote services is coming to an end. For five years now, the remote service at Inteva Products has been implemented as a TCP/IP connection via DSL. In addition to providing higher data throughput, the connection is established faster and is more stable. A broadband data connection is now the standard, because frequently an entire group of control computers is linked to a single plant. Transmitting monitor images, larger software updates or database queries is becoming increasingly data-intensive.
However, as today's production plants are much more heavily networked than before, unprotected TCP/IP Internet connections pose a greater security risk. For instance, a virus attack could significantly affect the entire production. "We've taken precautions to ensure security in production and stipulate a secure VPN connection for the remote service with every contractor. In addition, we use an industrial firewall to meticulously seal off any access from the remaining network," reports Stephan Stottmeister, IS System Manager at Inteva Products. The automotive supplier has had positive experiences with mGuard, the remote service connectivity solution from Innominate. Innominate, a Phoenix Contact Company, is a German security specialist and leading provider of Industrial Ethernet security and secure remote maintenance for machines and industrial plants.
Secure VPN technology
The security of the remote service connection is ensured through the use of VPN (virtual private network) technology. VPNs allow secure "tunnels" to be formed through the public transmission network. This technology offers several advantages: the tunnels cannot be viewed or eavesdropped on from the outside, and all network packets are encrypted. Either hardware-accelerated 3DES or AES encryption is used, together with the standard IPsec protocol.
For Inteva Products, the complete control of internal and external plant access is also of great importance. Using mGuard technology, the activation of VPN tunnels can be controlled by the operator and approved communication can be systematically limited by firewall rules to precisely the desired level. Stephan Stottmeister stresses that an uncontrolled external connection is therefore not possible in the network.
Additionally, each IP/VPN connection must first be actively switched on using a key switch: "Nothing occurs without the requisite control. We know at all times who is doing what on which devices."
Fast amortization of the remote service solution
By using the remote service solution, the company was able to increase its plant availability and also save costs. "It has been our experience that the contractors' technicians no longer have to work here on-site thanks to the remote service solution. If there is a dysfunction in a plant, a specialist is able to intervene much faster, and we also save on travel and local deployment costs for the service technician," says the IS System Manager.
The remote service solution is used for ten plants, six test stands and one server. The online service of the contractors particularly comes into play during the start-up phase of a plant, at the start of serial production, for ongoing optimizations or if any problems arise. A traceability system for production data, which runs on a database server, is also supported via remote service. An external partner provides programming support through this channel. The in-house production planners also use a protected network access to log onto a system and monitor a final test stand, for example.
In practice, the mGuard solution has proven to be very flexible. The online connection is used in different ways, depending on the contractor and plant. Normal service deployments are carried out by remote desktop, and database queries are run via SQL. A Siemens PLC application in a small systems network with two test PCs and peripheral devices is controlled directly via TCP/IP.
Selection and acceptance of the remote service connectivity solution
Inteva Products had defined several requirements when changing from modem technology to TCP/IP Internet connections. The company wanted the new solution to be DSL-based and all plants / final test stands were to be sealed off by firewall from the outside network. Operating the system without additional software installations was also very important, in order to avoid impairing the plants from the very start. "The mGuard solution precisely met our needs. Innominate's consulting services during preparations and also during implementation were exemplary," reports Stephan Stottmeister.
Overall, the IS System Manager is very satisfied with the solution. Enhancements and ongoing support are provided by the Innominate certified partner Propius GmbH from Dresden, Germany. The technology functions without any disturbances and it is very simple to operate: "Contractors that want to access our plants do not have to worry about complicated VPN configurations. They receive the IP address of the final test stand, and that's all there is to it. This is what I consider to be a solution in which everything runs smoothly." Any fears that the plant suppliers would not accept the remote service solution proved to be unfounded. The low level of complexity, intuitive operation and high security standard were all convincing. Additionally, some contractors did not yet have a suitable solution themselves.
Recommendations to other plant operators
When asked which practical experiences could be important for other plant operators, Stephan Stottmeister lists five points. For selecting and operating a remote service solution, security, simple implementation, continuous advancement, functional expansion and the experience of the manufacturer have turned out to be the most important issues. There are now many providers of technical solutions on the market. However, many disappear again after just two or three years, meaning the user no longer has access to support and ongoing developments. Regular innovations and state-of-the-art security features are particularly important here.