Secure Remote PLC Maintenance & M2M Communication Platform

Extensive Remote Services for PLCs

For remote maintenance of programmable logic controllers, the internet is of prime importance. The first priority was access for the machine manufacturer's service experts for troubleshooting. However, a modern remote service platform offers far more than pure connection management, thanks to web-based services for data acquisition, alarming, remote monitoring, and M2M communication.
The new remote service platform mbCONNECT24 V2.1 not only provides 1:1 connections between the machine and the PLC programmer but also direct monitoring of machinery and equipment. For example, data from control systems or digital and analogue measured values can be recorded and processed via the platform:
  • Acquisition and evaluation of data
  • Monitoring and alerting when limits are exceeded
  • Browser-based visualization on smartphone or tablet
  • Automatic M2M communication
Depending on requirements, it is possible to combine the data of multiple systems or multiple locations. The web-based visualization can be displayed on any tablet, smartphone, or computer with a standard browser.
Preconfigured data acquisition
Through the routers and data modems linked to the platform, the user can log operating data and measurement values. This makes direct collection of data from machine controls, heating systems, energy meters, machining centers, and robots possible.
To simplify the configuration of such applications for the user, the platform now provides preconfigured system templates as a plug & play solution for data acquisition. The logging of temperatures, currents, vibrations, or PLC data can be parameterized with just a few mouse clicks.
Individual values can be logged directly with the data modem mbSPIDER. The user connects the sensors to the mbSPIDER, attaches the device to his project, and selects the appropriate template. The device is then configured automatically and can be used immediately. For a larger number of measurement values, an I/O extender is available, which can also be connected to the industrial router mbNET.
A further template allows reading and writing of PLC data via MPI / Profibus or S7 ISOTCP.
Is this really secure?
The user needs a system solution that meets the requirements of both information technology (IT) and automation technology.
In practice, solutions based on a central platform have proven effective. Both the staff and the machinery and equipment connect outbound to the remote service platform. The big advantage is that outgoing connections work without changes to existing firewalls; no incoming connection requests to the machine occur at all. Security policies already in place at the customer's site remain unaffected.
The transfer of data is encrypted using secure VPN connections; TLS (SSL) is used as the encryption protocol. These high security standards allow use even in business-critical applications.
An external audit and attestation confirms that mbCONNECT24 provides the highest possible security. An IT security provider certified by the BSI (Federal Office for Information Security in Germany) has examined the remote service platform with tool-assisted and manual penetration testing and found no exploitable vulnerabilities.
Using your own server
Where is the server? How is it protected? With mbConnect24.virtual for VMware vSphere, the remote service platform can now be operated directly on the customer's own server infrastructure, so no tunnel endpoints are located outside the customer's own premises. All the benefits of a virtualized environment are available, such as scalability, availability, performance, data protection, and fast recovery. Through various licensing models from Free to Advanced, the performance of the platform grows with the customer's requirements.
Thanks to regular security updates, the customer's platform is always up to date.
Two-factor authentication
Logging in to the platform is done by certificate and additional two-factor authentication (2FA). The protection against unauthorized access is therefore significantly higher than with the usual username-password combination. The 2FA is based on two different identifying features, the factors. The user must present both to log on to the platform mbCONNECT24.
The user starts the application by entering his username and password as the first factor.
The second factor is a PIN which the platform then sends to the user's mobile phone by SMS. There is no cost for the SMS. The security advantage results from the two factors, password and PIN, being generated and managed independently. To log in, the service staff must not only know the password but also have access to the mobile phone registered in the platform. Experience has shown that a password alone does not provide a sufficient level of security: a simple password that is easy to remember is easily cracked, while complex passwords are more secure but difficult to memorize.
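As an added example (not MB Connect Line's code), the following Python sketches how such an SMS PIN step is typically implemented on the server side: the PIN is generated independently of the password, stored only as a salted hash, expires, is limited in attempts, and is compared in constant time. PinStore, PIN_TTL_SECONDS, MAX_ATTEMPTS and the mocked SMS sender are assumptions, not platform internals.

```python
"""Second-factor SMS PIN flow modelled on the login step described above.

Added example, not MB Connect Line code: after the password (first
factor) is verified, the server issues a PIN, sends it to the registered
phone (the send is mocked) and later verifies the user's entry.
PinStore, PIN_TTL_SECONDS and MAX_ATTEMPTS are assumed names/values.
"""
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 300   # assumed validity window for a PIN
MAX_ATTEMPTS = 3        # assumed wrong-entry limit before a new PIN is required


class PinStore:
    """Issues one-time PINs and verifies them; only a salted hash is kept."""

    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms   # callable(phone, text); mocked in tests
        self._now = now             # injectable clock so expiry can be tested
        self._pending = {}          # username -> (salt, digest, expires_at, attempts)

    def issue(self, username, phone):
        # Independent of the password: six digits from a CSPRNG, never derived from user data.
        pin = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        digest = hashlib.sha256(salt + pin.encode()).digest()
        self._pending[username] = (salt, digest, self._now() + PIN_TTL_SECONDS, 0)
        self._send_sms(phone, f"Your login PIN is {pin}")  # message text is illustrative

    def verify(self, username, entered):
        entry = self._pending.get(username)
        if entry is None:
            return False            # no PIN pending: password step not completed
        salt, digest, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[username]   # expired or guess limit hit: force a fresh PIN
            return False
        candidate = hashlib.sha256(salt + entered.encode()).digest()
        if hmac.compare_digest(candidate, digest):   # constant-time comparison
            del self._pending[username]   # one-time use
            return True
        self._pending[username] = (salt, digest, expires_at, attempts + 1)
        return False
```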
Remote maintenance
Remote maintenance is not just about reading PLC data via an Internet connection; write accesses are also necessary. For example, updates are transmitted to the software of the control systems, control parameters have to be changed, or recipe data have to be updated.
For this purpose, the platform provides secure and transparent access to the control systems of plants. Contrary to proprietary solutions, mbCONNECT24 offers, in conjunction with the industrial routers mbNET, a universal solution. In addition to a direct MPI/Profibus interface, Ethernet ports and serial ports are available. With drivers for more than 90 controllers, drives, inverters, and control panels, complete factories can be controlled remotely.
M2M communication
With regard to the Internet-of-Things, a direct automatic exchange of data plays a decisive role. Machinery and equipment are communicating directly without any user intervention.
With mbCONNECT24, users are prepared for it. The platform supports real M2M communication: controllers can exchange data across company boundaries as if they were on the same network. Strictly speaking, this is secure networking of equipment over the Internet. For example, a logistics center automatically reorders missing items from a supplier when the minimum stock level is reached. Other applications include the tracking of deliveries or the usage-based billing of rental equipment, if required with an automatic alarm when an object is removed from its permitted working area.
Independent of the infrastructure
Depending on the industry and customer, machine and plant builders encounter different communication infrastructures. Frequently, Ethernet-based machine networks can be used for remote maintenance. But there are also production plants so extensive that a connection is only possible via WiFi, or where the existing wired Ethernet network cannot be used. Movable parts such as cranes are most easily connected wirelessly. The new industrial router with WLAN, mbNET.mini, supports the IEEE 802.11b/g/n standards at up to 150 Mbit/s.
If a measuring point or a pump station is located in a remote area, usually only a mobile (cellular) connection is possible, as with mobile work and construction machinery. For such applications, the new industrial router mbNET.mini with LTE (4G) has been developed. The two versions for Europe/Australia and North America offer data rates of up to 50 Mbit/s upload and up to 100 Mbit/s download.
Interested visitors can join MB Connect Line at the fair SPS IPC Drives 2015, November 24 to 26, 2015 in Nuremberg / Germany. Hall 10 | Booth 202.
Siegfried Müller, Managing Director, MB Connect Line GmbH

[Figure: MB_mbSPIDER_Frequency.png] Various system templates allow a rapid implementation of applications for data acquisition.