Within 6-10 years, the use of automation and robotics is expected to be adopted in some form by over 80% of logistics providers, either in support of manufacturing operations or in support of retail and e-commerce.
These consist of complex system such as Automated Storage and Retrieval Systems, Robotic Cells, Autonomous Guided Vehicles and Conveyors among others. While delivering tremendous improvements in efficiency and cost savings, these systems require service personnel with specialized knowledge to maximize availability of these systems. Additionally, many of these systems may be provided by differing suppliers requiring service availability from multiple organizations. This can be very challenging when coordinating on-site service, so it is critical to support remote service models.
From the perspective of the supply logistics provider, their processes are core components of their intellectual property so being able to support remote service models can be a concern as it is often viewed as exposing their intellectual property to outside parties.
It will be an ongoing challenge to maximize the availability of these systems while addressing security.
There are several ways that remote service can be addressed. These include site-supported VPN connections, Remote Desktop applications, internet routers and cloud-supported Remote Access appliances.
With site-supported VPN, local IT staff manage user authentication and access management for remote service resources in addition to managing access to specific LAN segments based on the user. This has the benefit of giving the end user maximum control over access to their systems by outside resources but can present challenges in terms of availability for service personnel as VPN access may not be in an always-on state and may require manual handling to enable. This means that access for service personnel is often dependent on the availability of IT personnel. Additionally, changes to the machine IP address structure may require reconfiguration of the VPN. Supporting VPNs can require significant IT resources and if not properly managed may expose the broader network to vulnerabilities.
With Remote Desktop applications, the service person would connect to a PC onsite hosting the software applications needed to service a piece of equipment. This is manageable when dealing with single vendors supporting the entire system but can become very challenging with multiple support teams needing connectivity. Each vendor would essentially need their own PC supporting their toolchain of software applications for the machinery they support. This can be cumbersome to support and expensive from a software licensing perspective.
Internet routers/modems that support connectivity outside the facility’s IT network can be useful and reasonably inexpensive if the machine network is well isolated. A common example would be a cellular hotspot. The challenge with these devices is that if the machinery is part of a broader LAN, the larger network may be exposed creating vulnerabilities. This is often forbidden by IT personnel for long-term installations but may be used in times of critical downtime when access is needed.
Lastly, there is the cloud-managed remote access appliance. This typically consists of a hardware router installed in the machine that uses a cloud-based broker to manage the VPN connection. The router normally initiates an outbound-only connection to the broker either through the facility’s IT network or through an external network while the broker authenticates the user (service person) then connects the system for service. This is beneficial for the machine provider as it allows them to create connections when service is needed helping to maximize availability of the machine. The key challenge with these solutions is convincing IT personnel that these systems are providing the appropriate level of security needed to protect their assets and intellectual property. The closing section will help to address these challenges.
There are numerous things to consider when evaluating cloud-based remote access solutions. These include how much control for remote access is afforded the end user versus the machine builder, how data is encrypted, how exposed is the plant network, and how users are authenticated and managed. It is also important to consider how remote access suppliers safeguard their own systems from a security perspective.
It is critical to provide some level of control for the machine owner as to when remote access is available. It could be a significant safety issue if the machine is not properly locked out/tagged out before the machine is serviced by remote personnel. To address this, it is important to have some capability for the router to be hardware disabled from initiating a connection. This would normally be addressed by using a physical input on the device that enables or disables remote connectivity and would require onsite personnel to switch the machine into a service mode.
Encryption processes are also key when looking at remote access solutions. Since the system involves a remote access appliance, VPN broker and end user, it is important that the entire pathway be encrypted. It is important to determine how data is encrypted between the appliance and cloud broker (ex. TLS/SSL), how certificates are handled and how data is encrypted between user and cloud broker (ex. SSL).
Legitimate suppliers for remote access solutions will be very transparent in providing this information.
Another concern is how exposed is the plant network when creating a remote connection. This can be addressed in a couple of ways. First is to address how the appliance connects to the broker. Many solutions accomplish this by creating outbound-only connections typically through secure HTTP ports such as 443 or through UDP ports such as 1194. This means that the facility’s firewall does not need to be compromised through the creation of an open inbound port thus removing a vulnerability. Secondly, the remote access appliance can provide LAN segregation which means that the user servicing the system only sees the local LAN of that piece of machinery. The broader LAN is isolated from the user.
Another important aspect is the ability to manage user rights and access. With cloud-based systems, it is important the machine owner can assume the management of the users and apply their password policies and access rights. Additionally, they may want to apply two-factor authentication where the user must supply a dynamically changing authorization code delivered to a personal device (ex. cell phone) in addition to their standard user credentials. It is critical that cloud-based systems support these features to satisfy the security needs of customers.
Lastly, it is important that suppliers of remote access solutions enact processes to secure their cloud-based infrastructure. This can involve developing processes that are certified to ISO27001 to verify that best practices are in place. Additionally, it is critical that routine penetration testing be performed by white-hat organizations of hackers to expose any vulnerabilities that need to be addressed. Most important of all is transparency. When evaluating solutions for remote service, the ability to provide open, accurate information on how the systems function is key.
Essentials of remote machine access Whitepaper