- By Bill Dehner
- Many HMIs can be remotely accessed via a web browser or an app running on a smartphone or tablet.
- Remote access to a PLC is often one-way only, from the PLC to remote devices, to prevent tampering with real-time control.
- Remote access via VPNs has a very high degree of security, and hosted VPN solutions simplify setup, use, and maintenance.
There are several ways to remotely monitor PLCs and HMIs, but VPN connections are most secure
By Bill Dehner
Remote machine monitoring is becoming a common feature of automated equipment as part of Industrial Internet of Things (IIoT) implementations. The software and hardware required varies from vendor to vendor, but most use the same intranet- or Internet-based technologies.
The use of these maturing technologies is making it easier and less expensive to implement remote monitoring connections to machines and processes. These remote monitoring connections are usually made to programmable logic controllers (PLCs) and human-machine interfaces (HMIs) via internal intranets or the Internet, often via a virtual private network (VPN) router. On the other end of these connections are devices such as PCs, smartphones, and tablets. Each of these devices has built-in digital communications with Ethernet connectivity.
This remote connectivity goes beyond access for troubleshooting. In many cases, the remote devices are connected to the automation system to be eyes into the machine for optimizing operation, sending data and production information to engineering, and providing management with summary and analysis information. This article takes a closer look at the methods to remotely monitor a machine or process.
Remote access to HMIs
Many embedded and PC-based HMIs can provide remote access via PCs, smartphones, and tablets. The low cost and small footprint of an embedded HMI is a good example of common remote access connectivity via the HMI’s web server to remote devices (figure 1). Because the HMI has web server functionality, web pages can be configured to reside in it, and these web pages can be accessed by any device capable of running a web browser.
Embedded HMIs provide much of the functionality of a PC-based HMI, including remote monitoring, and are designed for industrial use in harsh environments. The comments below apply to either solution. Ethernet and wireless technologies—along with defense-in-depth, authentication, and firewalls—are making remotely monitoring HMIs through smartphones and tablets part of an operator’s, manager’s, or engineer’s daily routine.
A user can monitor several remote sites via a smartphone or tablet, allowing a proactive response to problems based on information pushed from the HMI (e.g., an email or text message). A “low parts detected” or “motor high temperature detected” message sent to operations and maintenance personnel provides real-time information that workers can act upon to reduce downtime and improve productivity. The data is pushed to users when necessary, with no need to open a browser and connect to the HMI, although this is often the next step to drill down for details.
Some HMIs can log and store data on a periodic basis or when triggered by events. As part of a remote monitoring daily routine or when a message or alarm is received, the user can access the HMI via a web browser to view additional information. This same information can be sent to interested users by email using file transfer protocol (FTP). This type of remote monitoring provides usable information related to both real-time and historical trends to help reduce cost and downtime, while increasing productivity.
HMI mobile apps enable remote users to connect using Wi-Fi, cellular, and Ethernet connections. These remote users can operate and monitor the local HMI system with limited access to functions and controls of the HMI application.
Proper control, security, and safety procedures should be considered and implemented when using any remote access feature. Connecting an HMI on an enterprise network or the Internet exposes it to security risks. HMIs have many ways to control, limit, and log remote users. As a minimum in an HMI application, a user must log in and enter a password to access an HMI remotely. Also, default IP addresses, user names, or passwords should never be used.
For additional security, an encrypted VPN connection is recommended for remote connections. Using a VPN, which is discussed later, greatly reduces the chances of malicious behavior and unauthorized connections.
Figure 1. HMI remote access: This C-more HMI touch panel provides remote access functionality, as well as local control and monitoring.
PLC remote control
As with the HMIs discussed above, remote access to local PLCs is possible via PCs, smartphones, and tablets. This remote access can provide control functions as well as access to logged data, or direct access to a PLC’s tag data.
Note that much of the HMI monitoring is of data created, read, or collected by the PLC. It is the PLC that connects to most of the sensors, motors, valves, and other field devices to perform its control and monitoring functions. Therefore, access to a PLC often will provide connectivity to all the data required, with additional functionality in terms of control and access to PLC data not transmitted to the HMI. Like HMIs, many PLCs have remote access through features such as an embedded web server and push notifications.
PLCs often have some data handling capabilities built in, including data logging, a key requirement considering today’s quest for more data storage. Some controllers include built-in and removable storage for many gigabytes of data, and remote access to same.
Connecting an OPC server running on a PC to a PLC’s OPC client software provides a means of data interaction between the PC and standard databases found in mid- to enterprise-level platforms, such as material resource planning and enterprise resource planning systems. Remote access may include connectivity to this collected data to retrieve, update, add, and delete records in a standard database such as SQL Server, Microsoft Access, or ODBC.
Much of this peer-to-peer or business system networking and eventual remote access is enabled by a controller’s communication capabilities. Some best-in-class controllers include seven or more communication ports, including USB, serial, and Ethernet (figure 2). EtherNet/IP and Modbus TCP/IP protocols are usually used to create remote connections among the Internet, PLC, and smart devices.
Email and web server functionality are standard features on many PLCs, allowing the controller to send an email with text or embedded data to email recipients via the PLC’s Ethernet port. With built-in programming instructions, adding an IP address, email address, subject, message text or embedded data, and recipient email address is all it takes to send an email from the CPU module through an SMTP server. This gives technicians or operations simple monitoring of machine status or alarms.
Web server functionality is also available on some controllers for remote monitoring purposes. With an Internet connection and a device capable of hosting a web browser, remote users can view system tags, error logs, and event history. They can also view any data logged to the controller’s internal memory, thumb drive, or MicroSD card.
This web server functionality can often be accessed by a remote monitoring app running on a smartphone or a tablet. Apps simplify remote Wi-Fi or cellular connections to smartphones and tablets from PLCs. Users can monitor the local PLC system via tags configured for remote access inside the tag database of the controller. Security log-on requirements are provided to protect the data, but that is not enough in some critical applications, where a VPN connection is needed for a higher level of cybersecurity.
Figure 2. Modern controllers, such as this AutomationDirect Productivity3000, have data handling capabilities, including built-in data logging, and communication features for remote monitoring via email, web browsers, and mobile apps.
VPNs and security layers
Leveraging the IIoT requires a secure remote access solution to collect, store, and share data. Cybersecurity is more important than ever as threats continue to rise, and as more systems are monitored and supported remotely.
For any automation system where an HMI or a PLC are connected to the Internet, a firewall should be used. A firewall is a common feature found in most routers, and it greatly reduces the risk of unauthorized access. The use of remote access accounts and passwords, available in both HMIs and PLCs, is an important method of asset protection as well as another layer of security, but adding a firewall provides a more secure connection.
Another layer of security is a VPN connection. The encryption used in a VPN ensures that data cannot be intercepted, and that only authorized users can access the HMI, PLC, or other networked devices. A VPN is part of a defense-in-depth strategy to greatly reduce the chances of malicious behavior and unauthorized connections to automation systems.
VPNs are offered in two main configurations, traditional and hosted. A traditional VPN, best administrated by an information technology (IT) professional, connects a local VPN router and creates a secure VPN tunnel through the Internet to a software client or second VPN router. Traditional VPNs basically make the remote devices on a network appear as local devices, securely, but much configuration may be needed at both the local and remote sites, depending on specific needs. Remote access to a manufacturing plant where large amounts of data must be exchanged is a common use and was the only method available until the cloud and related cloud servers were developed.
With the advent of the cloud, hosted VPN solutions became available. Hosted VPN makes setup, use, and maintenance easier due to simplified network configuration, while still providing a secure VPN connection. A hosted VPN solution starts with the connected devices, such as a PLC or HMI, connected to a VPN router at the plant. This router also connects to the company (business) network and, through a corporate firewall, to a VPN server in the cloud. VPN clients, such as smartphones or tablets, then connect to the VPN server to remotely access data (figure 3).
What simplifies the hosted VPN solution is that once a VPN router is purchased, it connects to a cloud-based VPN server managed by others with minimal IT support needed. After configuration, this cloud-based server automatically handles the connections to remote clients, including verification of connection requests, and it also ensures all data passing through the VPN tunnel is secure.
As a hosted service, there can be monthly costs, but some solutions provide free monthly bandwidth, which is normally enough for troubleshooting and programming needs. Premium hosted VPN solutions, provided under various monthly subscription plans, provide extended data monitoring capabilities.
Figure 3. Hosted VPN Diagram: This diagram depicts a remote access solution implemented with the StrideLinx Secure hosted VPN.
Remote monitoring in action
When it comes to PLC remote access apps, especially if no VPN is used, many users choose to implement only data monitoring to minimize the security risk, with no remote control allowed. Some call this concept a data diode, because it only permits access via one-way communication from the PLC to app, just as a diode only permits the flow of electricity in one direction.
In a water treatment research project at a university, significant data was being stored in a PLC for use by both students and professors. However, with more than a dozen personnel having access to the data remotely via an FTP, as well as direct access via a USB connection, data integrity was in question. Data was being logged, but also read, duplicated, and sometimes erased. The ease of remote access was therefore contributing to the corruption and deletion of test data.
To both solve the problem and provide secure storage, a hosted VPN in the form of a secure, industrial VPN router and related services was implemented. Local data was still stored and used to quickly test and document process changes, but the hosted VPN stored large amounts of data securely in a database, including change control. VPN client applications had dashboards to easily trend the secure data and ensure access to accurate, raw data.
In another application, personnel at a large farm needed to monitor multiple pump stations remotely. They used HMIs for local operation, including troubleshooting and making changes to the pump control system and set points. Remote access to these HMIs was available via smartphones and tablets at any location with Internet access (figure 4).
Remote monitoring enabled quick notification and response to pump system problems, as well as to related process and equipment faults. The embedded HMI’s remote access functionality provided low-cost and simple monitoring via smartphones and tablets.
For remote locations without Ethernet or Wi-Fi access, a cellular-hosted VPN router was installed. Adding a simple, secure client and mobile app, personnel could service, monitor, and troubleshoot the pump station remotely.
PLCs and HMIs can save data locally and format it as required, while providing some degree of security when this data is accessed by remote devices such as PCs, smartphones, and tablets. These types of IIoT-based solutions are common and work well in many instances, especially in applications where access is one way only, from the PLC or the HMI to the remote devices. For added security, often needed when control from remote devices to PLCs and HMIs is required, the use of firewalls and VPN access are a best practice.
Figure 4. HMI remote app: A dedicated HMI can provide local control as well as remote access at a reasonable cost.
We want to hear from you! Please send us your comments and questions about this topic to InTechmagazine@isa.org.