Security of Cloud-based Machine Remote Access

01 March, 2017

First published in the February 2017 issue of Quarry Management as Access All Areas

Cloud-based machine remote access: how secure is it?

For machine builders that offer remote-access support and diagnostics for their installed machines, security is obviously a major concern. Security is also a concern for the IT staff at the end-user/customer sites where these machines are located. Dave Hammond, product manager for Ethernet & Communications at M.A.C. Solutions, explores this issue.

Following the installation of a machine at an end-user site, the machine builder or supplier is often contracted to support that machine during a fixed warranty period. In the past, a service engineer from the machine supplier would have travelled to the remote site to resolve any machine issues during this warranty period, even if the site was located thousands of miles away in a different country.

Many of the IT engineers who manage the networks at end-user sites will probably only have experience of providing remote access to machine suppliers using ‘traditional’ VPN methods.

With such ‘traditional’ VPN, the end-user IT department needs to configure and maintain a dedicated inbound VPN tunnel, through the corporate firewall, for each machine supplier. Once through the firewall and on the site-wide network, the machine supplier’s engineer can then reach the machine control devices.

Immediately, it is obvious that there are inherent problems associated with these ‘traditional’ VPN tunnels. First, the machine control devices (PLCs, HMIs, drives etc) must be connected to the end-user site network. This will involve the machine supplier configuring network (IP) addresses for these devices during the site installation phase. Thus, each machine will have to be modified to suit each installation.

Secondly, the IT department must provide the machine supplier with a copy of its preferred VPN software and help to configure it for each PC or laptop that is to be used for remote access. Obviously, such computers will be administered by the machine supplier and so may not meet the strict security standards that would apply for ‘native’ site PCs.

Since the IT department is allowing this ‘foreign’ user to access its production network, it must also take comprehensive precautions to protect its site network from the actions of this user, over which it has limited leverage. This can range from limiting the IP addresses that the machine supplier can access, to providing sophisticated anti-intrusion, packet-sniffing and antivirus systems.

Taking all of the above into consideration, many IT departments understandably take the view that the operational benefits of providing remote access to machine suppliers are outweighed by the potential security risks to their site network. However, there are modern ‘cloud-based’ remote-access solutions available for which the above actions are not necessary, since they work in a fundamentally different way to ‘traditional’ VPN tunnels.

To illustrate how such modern remote-access solutions work, consider the well-known and widely used eWON Talk2M solution, which comprises an ‘eWON’ VPN router, used with the ‘Talk2M’ remote-access cloud service.

The first consideration is the issue of network isolation of the specific machine from the site network. A VPN router can both isolate the machine network from the factory (site) network, whilst also providing firewalled connectivity between the two. Therefore, the machine devices are not directly connected to the site network and so can be configured with IP addresses to suit the machine supplier. Indeed, every machine produced by the machine manufacturer could be identical to every other machine, which reduces complexity as well as costs associated with design, build and installation.

The next challenge is securing the site network from the actions of machine suppliers’ engineer users. The ideal scenario is that the machine supplier’s engineer can only reach the specific machine devices for which they are responsible, whilst not being able to gain access to the rest of the site network. And this is exactly what the eWON Talk2M ‘cloud-based’ solution provides.

Once enabled, each eWON VPN router device initiates an outbound, point-to-point, secure VPN tunnel, all the way to a specific account in the Talk2M VPN cloud. This authenticated, encrypted HTTPS tunnel travels across the site network, outbound through the site firewall and across the Internet, to one of the nine clustered servers, located across the world, that comprise the Talk2M cloud.

The machine manufacturer’s engineer then also makes a secure VPN connection to the same account in the Talk2M cloud as the one to which the eWON is connecting. Therefore, he can only reach the eWON and the devices located ‘behind’ it, on the machine network. At no point can this engineer interact with any other devices on the site network, ie devices which the machine manufacturer did not supply and therefore has no need to access.

Since each VPN tunnel is initiated from inside the site network, out to the Talk2M cloud, the only facility required of the site network is the ability to make an outbound Internet connection, through the site gateway/firewall. Consequently, the IT department does not need to provide inbound VPN services to the external user, which yields major security advantages. No inbound firewall ports are exposed on the Internet, no static Internet IP addresses are required and the machine supplier does not have access to the entire site-wide network.

The outbound VPN connection used by the eWON uses HTTPS port 443, which, for the vast majority of firewalls, will already be open. The outbound connections can be carried over any type of media that can carry IP traffic, ie cabled Ethernet, WiFi, 3G or even satellite.

As with any remote-access system, end-user companies will understandably be concerned that a machine manufacturer can interact with machines, which they have supplied, but which operate inside the end-user site/factory.

Therefore, in order to provide additional security and control, the eWON VPN tunnel can be enabled and disabled via the 24V DC digital input on the eWON VPN router, which can, in turn, be wired to a key-operated switch or a PLC output. This means that the machine builder will only have access to the machine when the end-user decides to allow them access.

Most readers will be familiar with session authentication, even if they are not aware of the term, since this is widely used by major secure websites, such as online banking systems. Such systems typically send a unique, one-time code by SMS message to the user’s mobile phone, at the point of connection. The purpose is to prove that the person connecting is the valid, genuine user, rather than an intruder trying to gain access using stolen username and password data.

Such security systems are termed ‘2-factor authentication’ systems, since they rely on more than one security measure to ensure secure access. The use of such a ‘2-factor authentication’ system should be an intrinsic part of any remote-access solution used by a machine-manufacturer, since it helps to add a second level of security in order to overcome poor password security or malicious intent. For more information, visit: www.mac-solutions.net