How to set up secure remote access for industrial machines
5 min. read | Shelly Boom
With remote access to connected industrial machines you can remotely troubleshoot and program programmable logic controllers (PLCs), view and control Human Machine Interfaces (HMIs), connect to an IP camera for assistance or support field technicians with specific problems. About 90 percent of operating problems faced by industrial machine builders, original equipment manufacturers (OEMs) and manufacturing companies can be solved by industrial remote access to a machine’s control system. This is beneficial to both machine manufacturers and manufacturing companies.
For machine manufacturers, troubleshooting machines remotely without going on site drastically reduces support costs and travel time. The recovered time can now be spent dealing with other support questions. For manufacturing companies it means their machine problems are solved more quickly, which improves their overall equipment effectiveness. In this article we show you how to set up machine remote access and give you a bit more background. You’ll learn what security issues we’ve solved for you, how we did it and how easy it is to use IXON Cloud for remote access.
Remote Access to Connected Machines (Siemens PLC) via the IXrouter
The IXrouter, our industrial VPN router, is designed to offer you easy machine remote access across the internet to PLCs and installations on customer sites or in the field. It’s fully integrated with the IXON Cloud and automatically connects to the IXON Cloud platform. Your connected machines are remotely accessible in just minutes with our Quick Start Guide.
The required steps are pretty straightforward: all it takes is a PLC, an IXrouter, an IXON Cloud account and some time to perform the installation. Note that you can order an evaluation kit for free.
That’s it! Now you can access your connected machine from anywhere on any device. Establish a secure tunnel via VPN to your machine's PLC to do programming or maintenance remotely. Use your standard PLC software, TIA Portal for example, as if you were on site.
Although we’ve focussed on remote access and VPN, IXON Cloud also provides you with easy and secure access to a VNC or HTTP server that runs on your PLC, HMI or other hardware, without requiring a VPN connection. With your IXON account you can quickly access the VNC or HTTP server on any mobile and desktop device with an internet connection over HTTPS.
A prerequisite for remote access is that machines can be accessed from the internet in a secure way. After all, nobody wants to undermine the security or daily operations of the parties involved.
IT departments are loath to grant blanket network access to third parties. To qualify as a solution, it’s therefore imperative that the security of an IoT solution meets their expectations. IXON deflects security concerns by using three key technologies: firewalling, VPN and cloud computing.
Different models of the industrial remote access router (IXrouter) allow you to choose the most appropriate connection type: Ethernet, Wi-Fi and/or cellular. This gives customers great flexibility to pick the most appropriate technology for secure remote connection within their operation. As high-speed local area networks (LANs) with fast broadband internet connections are omnipresent, Ethernet or Wi-Fi is usually the first to be considered. If this is not possible due to local conditions, a 4G/LTE cellular connection can be used.
Our IXrouter, a combined industrial VPN router and edge gateway, is designed to offer easy remote access to machines and installations from anywhere. It works with most PLCs and industrial robots on the market. Main benefits:
As the IXrouter is connected to machine PLCs, we have to make sure it’s secure from the start. After all, machine controllers (PLCs) were never designed for security. Their operating systems are not updated and do not contain the latest security mechanisms. It’s imperative that machine controllers are never connected to the company network while linked to other devices.
The IXrouter isolates these out of the box with its built-in firewall. By default, the machine network and corporate networks are completely isolated by our remote access gateway. Traffic can be forwarded only if you explicitly change this during initial configuration. This way the IXrouter completely secures machines against unwanted access from actors outside the PLC network (LAN).
While the firewall protects the PLC LAN from unauthorized access, it does nothing to protect the confidentiality and integrity of traffic from the router itself. For securing this traffic we use a VPN (Virtual Private Network) to connect to our own cloud environment, IXON Cloud.
This VPN ensures that all traffic to the IXON Cloud is sent across an encrypted tunnel. Because the VPN connection is initiated by the IXrouter, no incoming ports need to be opened by the customer’s IT department in either the corporate firewall or the one in the IXrouter, which dramatically lowers the security impact. Apart from the IXrouter, no additional hardware or software needs to be bought, set up or maintained, which significantly reduces implementation time.
As soon as the IXrouter is started, it sets up a network connection and starts the router's VPN client to connect with the VPN server in IXON Cloud. IXON Cloud consists of a network of more than 50 servers distributed worldwide that’s robust, secure and reliable. It contains different types of databases, services, user management and infrastructure and offers a highly reliable, secure and scalable VPN service enabling OEMs and machine builders to connect at any time from anywhere.
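One way to check the two properties described above (machine LAN isolated from the corporate network by default, no incoming ports opened) on a generic Linux gateway. This is an added example, not IXON's code or the IXrouter's actual configuration; the iptables-save text, the interface names eth0/eth1/tun0 and port 5900 are constructed assumptions.

```python
import shlex

# Constructed iptables-save excerpts (not taken from an IXrouter). Assumed names:
# eth0 = corporate uplink, eth1 = machine LAN, tun0 = VPN tunnel interface.
ISOLATED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i tun0 -o eth1 -j ACCEPT
COMMIT
"""
# Same ruleset after forwarding was enabled and an inbound port opened.
WEAKENED = ISOLATED.replace("COMMIT", "-A FORWARD -i eth0 -o eth1 -j ACCEPT\n"
    "-A INPUT -i eth0 -p tcp -m tcp --dport 5900 -j ACCEPT\nCOMMIT")

def parse(text):
    """Return ({chain: policy}, [(chain, {option: value})]) from iptables-save text."""
    policies, rules = {}, []
    for line in text.splitlines():
        tok = shlex.split(line)
        if line.startswith(":"):
            policies[tok[0][1:]] = tok[1]
        elif line.startswith("-A "):
            # Pair "-opt value"; negations or valueless flags go to manual review.
            odd = len(tok) % 2 or "!" in tok
            rules.append((tok[1], {"unparsed": line} if odd else dict(zip(tok[2::2], tok[3::2]))))
    return policies, rules

def audit(text, wan="eth0", lan="eth1"):
    """List deviations from: default drop, no WAN<->LAN forwarding, no inbound on WAN."""
    policies, rules = parse(text)
    findings = [f"{c} policy is {policies.get(c)}, expected DROP"
                for c in ("INPUT", "FORWARD") if policies.get(c) != "DROP"]
    for chain, o in rules:
        if "unparsed" in o:
            findings.append(f"review manually: {o['unparsed']}")
            continue
        if o.get("-j") != "ACCEPT" or o.get("--ctstate") == "ESTABLISHED,RELATED":
            continue  # drops and reply-only rules admit no new connections
        src, dst = o.get("-i"), o.get("-o")  # None means any interface
        crosses = any(src in (None, a) and dst in (None, b) for a, b in ((wan, lan), (lan, wan)))
        if chain == "FORWARD" and crosses:
            findings.append(f"FORWARD lets new connections cross {wan} and {lan}")
        if chain == "INPUT" and src in (None, wan):
            findings.append(f"INPUT accepts new connections on {wan}, port {o.get('--dport', 'any')}")
    return findings
```

`audit(ISOLATED)` returns no findings, while `audit(WEAKENED)` reports both the corporate-to-machine forwarding rule and the inbound port.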
IXON VPN servers are located in data centers around the world to provide low-latency connections.
In IXON Cloud you can have your own private account. You individually add customers and configure machines. We ensure the network's scalability, integrity and reliability, so you can focus on what you do best: building machines!
Once the VPN connection with IXON Cloud is established, two ‘tunnels’ are used – one between your browser and IXON Cloud and another one between IXON Cloud and the IXrouter. This way the complete connection is fully secured.
VPN tunnel between the connected machine and your PC
You can access PLCs remotely on a desktop computer, notebook or mobile device. We support all major PLC, IPC and robot/cobot brands, such as: Siemens, Beckhoff, PLCnext (Phoenix Contact), Lenze, ABB, B&R, Wago, Allen Bradley, Rockwell Automation, Sigmatek, Festo, Panasonic, Universal Robots and many more…
Just start your browser, log in to IXON Cloud and go to the machine you want to connect to and work remotely. The unique combination of a username and password establishes your identity and associates you with your machine(s). Just click on a machine's VPN button to set up a secure tunnel with the machine's PLC.
It’s really that simple. Our remote access solution is the most secure and simple solution you can think of.