Machine Remote Access and Network Security utilizing eWON
Posted by Mike Wojda in Networking
Today, most modern production equipment utilizes programmable devices (PLCs, HMIs, VFDs, etc.) to efficiently control a machine or process. When trouble occurs or minor changes need to be made, remote access to the machine can significantly improve response time and minimize costs required to resolve issues that may occur.
Your equipment supplier or equipment support team can utilize an eWON, which assists in creating an encrypted network connection allowing for direct communications with the designated machine LAN subnet. This connection provides secure control and appropriate firewalls against unauthorized access.
Establishing a secure connection
When utilizing an eWON, many current Security and Industrial Networking design principles are embraced, including:
- Encrypted connections
- Network layer tunneling to unique Machine Layer LAN or Zone
- Firewall protection for both local and public access
- Required Authentication
- Activity Access Logging and Reporting
The eWON utilizes its own cloud-based server, Talk2M, to maintain and manage all eWON remote connections, making its implementation both easy and secure. The eWON does not require any special ports or firewall modifications to be made at the user site. If internet access exists via a DHCP server, the eWON is typically “Plug and Go”.
In the representation of the eWON layout shown above, the local network (Factory LAN) is used for internet access only, and the encrypted connection data path is shown in green from the remote programming PC to the eWON’s designated machine LAN or ZONE. For eWON systems that utilize an optional Cellular (GSM) connection, there is no direct path to anything other than the machine LAN Zone. Protection is provided by the same topology, in that an eWON will ONLY respond to the Talk2M server.
When using an eWON for Remote Access, local site concerns of allowing access anytime to a machine can be under the direct control of the end user. Several ways to control access are:
- Key-Switch control (digital input enable)
- Tag value control from PLC or HMI
- Physical removal of internet connection (User un-plugs WAN port)
- Static IP address control (User site IT managed)
- VLAN internet Access (User site IT managed)
- Proxy Server (User site IT managed)
Unlike many other VPN schemes, all connections are monitored, and reports can be generated by the Talk2M account manager that show who made a connection to each device, how long the connection lasted and how much data was transferred during that time. Below is a sample report initiated by the Talk2M account administrator.
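The report fields described above (who connected, to which device, for how long, and how much data moved) are exactly what a site owner should review periodically. The following is an added example, not eWON or Talk2M code: it parses a constructed report in an assumed CSV layout (the real export format may differ) and flags sessions that started outside working hours, ran unusually long, or transferred an unusual amount of data, then totals activity per user.

```python
# Added example, not eWON or Talk2M code: review a constructed Talk2M-style
# connection report. Column names are assumed; a real export may differ.
import csv
from datetime import datetime
from io import StringIO

# Constructed sample rows: who connected, to which device, when, how long,
# how much data. All values are invented for illustration.
SAMPLE_REPORT = """user,device,start,duration_min,bytes
jane.doe,press-line-3,2024-03-04 09:12,35,18234512
jane.doe,press-line-3,2024-03-04 14:40,20,9032122
contractor1,press-line-3,2024-03-05 02:15,190,412340000
bob.smith,packer-1,2024-03-05 10:05,12,2200000
"""

def parse_report(text):
    """Parse the CSV export into typed rows."""
    return [{"user": r["user"], "device": r["device"],
             "start": datetime.strptime(r["start"], "%Y-%m-%d %H:%M"),
             "minutes": int(r["duration_min"]), "bytes": int(r["bytes"])}
            for r in csv.DictReader(StringIO(text))]

def flag_sessions(rows, work_hours=(7, 18), max_minutes=120, max_bytes=100_000_000):
    """Return [(row, reasons)] for sessions the site owner should question:
    started outside working hours, ran unusually long, or moved a lot of data."""
    flagged = []
    for r in rows:
        reasons = []
        if not work_hours[0] <= r["start"].hour < work_hours[1]:
            reasons.append("outside working hours")
        if r["minutes"] > max_minutes:
            reasons.append("long session")
        if r["bytes"] > max_bytes:
            reasons.append("large transfer")
        if reasons:
            flagged.append((r, reasons))
    return flagged

def totals_by_user(rows):
    """Per-user session count, connected minutes and bytes for periodic review."""
    out = {}
    for r in rows:
        t = out.setdefault(r["user"], {"sessions": 0, "minutes": 0, "bytes": 0})
        t["sessions"] += 1
        t["minutes"] += r["minutes"]
        t["bytes"] += r["bytes"]
    return out
```

The thresholds are starting points; tune the working-hours window and limits to the site's actual maintenance schedule so that a flagged session is worth a phone call rather than noise.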
In summary, when an eWON is utilized for Remote Access, many of the principles of both modern Industrial Ethernet design and Remote Access Security are implemented. Secure Access is directed to ONLY the Machine LAN. Some of the highlights are:
- Special software required for Talk2M Server access (eCatcher)
- Encrypted (Open VPN) Connection
- Authentication Required. Each user has unique user NAME and PASSWORD
- Site-side implementation REQUIRES separate Machine LAN or ZONE
- eWON setup or configuration changes require an additional device user NAME and PASSWORD
- eWON only responds to requests from Talk2M server (not pingable)
- Talk2M utilization reports for ALL activity
An expanded discussion of eWON and Talk2M client features can be downloaded here
Additional questions and comments about the eWON can be directed to our engineering support team at www.standardelectricsupply.com/support or call 1-800-318-4618.