Secure Remote Monitoring and Supervisory Control

New technologies such as Software as a Service, the Internet of Things and cloud computing for industrial process temperature bring new challenges, but there are solutions.

Interest in using cloud computing — also known as Software as a Service (SaaS) — to provide remote access to industrial systems continues to rise. Vendors and company personnel alike point to potential productivity improvements and cost savings as well as convenience. Operators and plant engineers may want to receive alarms and adjust heating controls while moving around the plant. Managers would like to see production data in real time — not just in end-of-shift or daily reports. Hardware vendors could benefit from getting live readings from their installed equipment for maintenance and troubleshooting operations.

Some industrial processors are attempting to provide this kind of window into their production systems. Yet, many question the wisdom of opening up a plant’s mission-critical control network to the possibility of malicious attack or even misguided errors. With a proper understanding of what is at stake, what is being proposed and how it can best be implemented, you can better decide whether remote access to your production data could benefit your company.

Security First for Industrial Networks

When talking about remote access to plant data, the first concern is security. Any approach that exposes the control system to unauthorized entry should be off the table. One popular approach is to secure the network against any potential intruders and open it only to trusted parties. Connections into the plant typically originate from smartphones, tablets, laptops or desktop computers. These systems usually are running a human-machine interface (HMI), remote desktop application, database browser or other proprietary connector.

In most cases, the plant engineering staff or IT department can grant client access to the network via a virtual private network (VPN), so authorized users can get the data they need. However, a typical VPN connection provides link-layer integration between network participants. This means that once on the network, an outsider has access to all other systems on that network. Thus, the company must either fully trust each person who is granted access to the network, or the company must task the IT manager with securing and protecting the resources within the network.

It would be unwise to risk giving visitors full access to everything that a VPN exposes. Using a VPN this way is a little like having a visitor come into your plant. Suppose a service technician arrives at the gate saying he needs to check a piece of equipment. You could just tell the guard to check his credentials, and if he checks out, give him a hardhat, directions and send him in. That is the limited-security approach. A better way would be to provide a guide to ensure that the technician finds his destination, does his work and leaves with only the information he came to get. It takes more effort and planning, but if you are going to allow someone to enter the premises, such effort is necessary to ensure security.

Better than VPN

An even better approach is to only allow access to the data itself. Consider this: the user of the data — be it vendor, customer or even corporate manager — does not need access to the whole network. Instead, they just need the data. So, rather than allowing a client to log on via a VPN connection while the IT manager works to secure confidential areas of the network from the inside, wouldn’t it be better to provide access to the data outside of the network altogether?

To continue our analogy, this would be like the guard handing the service technician exactly the data he needs the moment he arrives at the gate. There is no need to open the gate and no need to let him into the plant. In fact, the service company, vendor or other authorized party could request that the data be sent to their own location, so they do not even have to go to the plant in the first place. This approach to remote monitoring is far more secure.

Is such a scenario realistic? Yes, if you use the right technology in the right way. For example, WebSocket is a protocol that supports communication over TCP, similar to HTTP. But unlike HTTP, once a WebSocket connection is established, client and server can exchange data indefinitely. The protocol also supports SSL encryption, a well-tested security protocol. Thus, WebSocket technology can be used to open and maintain a secure data tunnel over TCP from a plant to a cloud server without opening any inbound ports in the plant firewall, because the connection is initiated outbound from the plant side. Once the tunnel connection is established, data can flow bi-directionally.

Isolating the Industrial Process Data

Such a data-centric approach to remote monitoring and supervisory control has several benefits. One key advantage is that the process can run in complete isolation from the remote client. Low-level control — and, in fact, all systems within the plant — remain completely invisible to the remote clients. The only point of contact for the remote client is the selected data set being streamed from the plant, and that data resides in the cloud.

While nobody seriously imagines making low-level control changes over a cloud connection, a solution based on WebSocket technology could allow both read-only and read/write client connections for those applications where remote changes are deemed acceptable. Authorized personnel then would have the ability to effect change in plant processes for diagnostic or maintenance purposes via a secure connection. This approach would not require any open firewall ports, so the plant remains invisible to the Internet.

Regardless of the intended use of the data, a correctly provisioned WebSocket connection to the cloud provides the process isolation needed to provide access to data without jeopardizing your in-plant systems.

Any Data Protocols

Another advantage to this approach is that it can be protocol-agnostic. Ideally, the system would carry only the raw data over TCP in a simple format: name, value and timestamp for each change in value. The connector would convert the plant protocol, such as OPC or Modbus, to a simple data feed to the cloud. Requiring a minimum of bandwidth and system resources, the data would flow in real time to all registered clients.

Each client, in turn, can convert the data into whatever format is most convenient and appropriate for their application. Options include spreadsheets, databases, web pages or custom programs.
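The following is an added illustration (not Skkynet's or any vendor's code) of the plant-side connector described in the two passages above: a constructed Modbus-style register is converted to a name/value/timestamp feed, only a whitelisted data set is ever streamed out, and a write arriving back over the tunnel is accepted only on a read/write connection, only for an exposed writable point, and only within engineering limits. Point names, register scaling and limits are assumptions.

```python
import json
import time

# Constructed whitelist: the only plant points the connector may stream to the
# cloud. Anything not listed here stays invisible to remote clients, which is
# the "selected data set" isolation described in the text.
EXPOSED_POINTS = {
    "furnace1.temp_c":     {"writable": False},
    "furnace1.setpoint_c": {"writable": True, "min": 0.0, "max": 900.0},
}

def modbus_register_to_celsius(raw_register):
    """Constructed Modbus-style conversion: a 16-bit holding register
    carrying tenths of a degree Celsius."""
    return round((raw_register & 0xFFFF) / 10.0, 1)

def changed_records(previous, current, now=None):
    """Turn a plant snapshot into name/value/timestamp records, emitting only
    exposed points whose value changed since the last snapshot
    (a change-of-value feed, keeping bandwidth to a minimum)."""
    ts = now if now is not None else time.time()
    records = []
    for name, value in current.items():
        if name not in EXPOSED_POINTS or previous.get(name) == value:
            continue
        records.append({"name": name, "value": value, "timestamp": ts})
    return records

def handle_remote_write(command_json, connection_mode):
    """Validate a write request that arrived over the cloud tunnel.
    connection_mode is 'read-only' or 'read/write'. Returns (accepted, reason).
    Permission is checked before the point is even looked up, so a read-only
    client learns nothing about which points exist."""
    try:
        cmd = json.loads(command_json)
        name, value = cmd["name"], float(cmd["value"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed command"
    if connection_mode != "read/write":
        return False, "connection is read-only"
    spec = EXPOSED_POINTS.get(name)
    if spec is None or not spec["writable"]:
        return False, "point not writable or not exposed"
    if not spec["min"] <= value <= spec["max"]:
        return False, "value outside engineering limits"
    return True, "accepted"
```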

Better yet, this approach to remote monitoring is not necessarily limited to in-plant connections. Custom-developed WebSocket connectors small enough to fit on embedded devices such as temperature sensors or flowmeters could be placed at remote locations any distance from the plant. Then, by wired or cellular connections to the Internet, the devices would connect directly to the cloud via WebSocket tunnels, bypassing the traditional SCADA system if need be. Such high-performance connectivity would support secure, real-time M2M communications and meet essential requirements of the industrial Internet of Things (IoT).

Changes and Challenges

However you look at it, change is on the horizon for industrial process control systems. The current state of the art for networked control systems was made possible by dramatic technical breakthroughs in the 80s and 90s. Many industry experts say that we are now on the verge of similar breakthroughs in remote monitoring and supervisory control. Whether they call it cloud computing, Software as a Service (SaaS), Industry 4.0 or the Industrial Internet of Things (IIoT), most will agree that the biggest challenge right now is security.

New technology provides new capabilities, and it also presents new demands that may challenge our way of thinking. Accessing data from a plant or remote sensor halfway across the world needs a different approach to security than our current models were designed for. Yet, there is no need to remain attached to the status quo if it does not truly meet the needs. These are engineering problems, and there are engineering solutions.

Bob McIlvride is the director of communications with Skkynet Cloud Systems Inc., Mississauga, Ontario, Canada. Skkynet provides secure cloud-service remote monitoring services and can be reached at 888-628-2028 or visit the website at http://skkynet.com.

Advantech B+B SmartWorx Announces Connected Intelligence Ecosystem

Ottawa, IL – January 20, 2015 – Advantech B+B SmartWorx, formerly B&B Electronics, today announced an acceleration for the Internet of Things (IoT) landscape with its Connected Intelligence Global Partner Ecosystem. As a manufacturer of network connectivity technologies which serve as the heart or technical glue of IoT end solutions, Advantech B+B SmartWorx is launching the ecosystem to enable complementary partner companies to make intelligent connections with each other, combine expertise, and build effective IoT applications for end customers in the demanding, non-consumer IoT space.

Initial Connected Intelligence Ecosystem Partners include IoT technology providers such as Cumulocity, Davra Networks, ILS Technology, ParStream, PLAT.ONE, SeeControl, Skkynet, and ThingWorx, along with MVNO partners such as KORE and Mobius Networks, and a variety of international carriers. http://advantech-bb.com/our-partners/

According to Harbor Research, the non-consumer IoT space is approximately 50% of the total IoT market opportunity, comprised of managed services (analytics, system applications, mobile and cloud computing, value added application services), enablement hardware (wired or wireless hardware attached to or embedded in each machine) and network services (carrier and data services). Advantech B+B SmartWorx products fall into enablement hardware while other Connected Intelligence Ecosystem partners fall into the managed and network services areas.

Mike Fahrion, director of IoT and edge intelligence product development at Advantech B+B SmartWorx explained that Advantech B+B created the ecosystem to combine complementary partners under a virtual roof to facilitate IoT applications. “Finding the right partners to fit a specific application’s requirements enables our customers to achieve better results than a ‘one size fits all’ approach.”

From assets to analytics starting at the network edge, the ecosystem aims to create intelligent networks that can collect, manage and analyze the data generated by billions of sensors, transforming that data into actionable intelligence that lets companies make predictions and prescribe actions to cut costs, increase productivity or increase revenue.

Advantech B+B SmartWorx provides the network connectivity “technical glue” – the hardware and connectivity stack – of the ecosystem. Advantech B+B’s IoT Edge Processing Architecture – a combination of its Wzzard wireless intelligent sensing and edge connectivity platform and its cellular edge gateway devices – aggregates data from existing equipment, translates disparate machine protocols into a language IT can understand, transforms that data into useful information and delivers it to applications ready for analysis.

“Rather than trying to become a vertical service provider itself, which can turn partners into competitors, Advantech B+B is smart to focus on its pedigree and core connectivity competence and recognize that an ecosystem of partners, leveraging each other’s core expertise, brings the most value to the end user,” said Glen Allmendinger, founder and president of Harbor Research. “Advantech B+B’s technology roadmap is impressive, positioning the company as an emerging leader in what Harbor Research calls the ‘enablement hardware’ slice of the industrial IoT pie, a category we project will grow from $16.2B today to $43.8B by 2020.”

Advantech B+B’s CEO, Jerry O’Gorman, added, “We’ve aligned with companies who are credited with some of the most innovative technologies and solutions in their industries. Together, our focus is on extending the capabilities of our combined technologies to provide broad solutions for customers in areas of strategic importance to the global market.”

Generating Business Insight via Connected Intelligence in the Partner Ecosystem

“We are excited that ThingWorx® technology will be a core aspect of the Advantech B+B SmartWorx Connected Intelligence Ecosystem,” said Chris Kuntz, vice president, ecosystem programs, ThingWorx. “The age of the IoT is upon us and working with forward thinking companies such as Advantech B+B SmartWorx enables us to deploy our leading technology so that customers can profit from complete, end-to-end solutions.”

“I applaud Advantech B+B SmartWorx’s bold entry into the IoT Marketplace as a deviceWISE Ready partner. Our two companies share a common strategy of providing robust solutions with Intelligence at the Edge as well as a proven track record with enterprise customers within the industrial market,” said Fred Yentz, CEO of ILS Technology, a Telit Company. “Our strategic and technical alignment and our global reach will provide customers an enterprise ready, fast time to value IoT experience.”

“The IoT has a huge opportunity to connect non-consumer devices to the cloud to collect and share data making factories, automobiles, buildings and cities more intelligent,” said Stefan Vaillant, CTO of Cumulocity. “Advantech B+B SmartWorx complements our portfolio of software system solutions for IoT.”

“IoT is the hottest topic in IT circles as customers look to connect assets they’ve never connected before and make real time decisions based on data collected from the coalface of their business,” said Paul Glynn, CEO of Davra Networks. “Using Advantech B+B SmartWorx Wzzard Sensing Platform gives our customers easy access to information and data that they’ve never had access to before.”

“This ecosystem has the potential to bring industrial process control to a whole new level,” said Paul Thomas, President of Skkynet. “Combining the Advantech B+B SmartWorx platform with Skkynet’s SkkyHub service means remote devices in any location can now connect directly and securely to the cloud, enabling real-time monitoring, control, networking, and big data collection at a far lower TCO than previously thought possible.”

“Enterprise-Grade applications require a robust edge computing infrastructure such as Advantech B+B is providing with Wzzard,” said Filippo Murroni, CEO of PLAT.ONE, the first Enterprise-Grade application platform.
