Accessing PLCs tag data across the Internet

Hello, I have been asked by management to help design a PLC-based solution which will retrieve data from multiple geographically disparate locations to a central control station for viewing/historical tracking. Also a few remote control commands need to be sent to the remote stations.

All the locations will be able to access the internet via either a cellular modem or land-line connection with at least 2Mbit speeds in both directions. We would also consider redundant multi-provider service where available, for greater reliability. The locations may not have static IP addresses.

We are considering Productivity or Do-More series for this project, but at this point we're open to the best/simplest/least expensive option which provides reliability and security, as well as reasonably simple connection setup and maintenance.

What are your recommended best-practice methods of accessing PLC tag data across the internet? Should a VPN always be used, or are there other secure approaches supported by modern PLCs which don't require VPNs? (i.e HTTPS with authentication, etc.) Do any modern PLCs support built-in security features which allow direct, secure PLC-to-PLC communication?

We basically need to pull tag data from all the remote locations, as well as update a few tags at each location from the control center. Polling rate would probably be 10+ seconds, and there would probably be ~10 numeric tags per location for about 5-6 locations.

Any advice is greatly appreciated!

I prefer not to go across the internet. I use a private cellular backhaul so that my devices are not on public IP's. No need to fool with a vpn to each device either. 10 tags every 10 seconds could get expensive on cellular though, your definition of expensive may vary.

Check out secomea or e.w.o.n secure routing and port forwarding which will give you static ip's via the router

There is also Clearscada from schneider which is designed for remote applications

It depends on how cost-sensitive the project is. If you are looking for 10 registers every 10 seconds, it could be a bit expensive with cellular.

We recently completed a project using cradlepoint routers, assigned with public IPs, and a Red Lion DSPLE as the protocol converter to map everything to modbus, polled by the public IP. The cradlepoint and/or the Red Lion can be configured to reject queries from any polling master not at the location of the SCADA performing the polling at the centralized location. This can mitigate the risk associated with using a cellular network for industrial control/monitoring. I'm not sure how well the PLC world is keeping up with security and authentication practices, this will likely be handled better by a firewall at each PLC site.