VPN into isolated PLC network

JToman (Member, joined Jan 2009, USA, 9 posts)
Hi all,
I have a CompactLogix with some 1736-AENT Point I/O and an Allen-Bradley PanelView on a local Ethernet network.
This network is isolated from the company-wide network and I would like to keep it this way. I have read about VPN and how you can connect/tunnel into a network like this. Would anyone tell me how to do it?
Would an AB Stratix 8000 switch enable you to do that? If so, can you explain how it's done?
Thanks
 
Is this all on a local site, i.e. you want to access the PLC LAN from the same site's office LAN?
If so, a Router between the two LANs will do the job.

Or do you mean from one site, to another site ?
If so, VPN is the answer.
There are many variants possible.
For example, the IT department on the remote site sets up a VPN connection with access to the machine LAN.
Or, you can have hardware devices that provide a VPN connection via a regular LAN connection that goes via the internet. I use E Won for this purpose. There are several others.
 
For a single machine, and if you lack a lot of networking experience, the E Won or a like device is the best option for you.

Rockwell even offers one now. It's just a spectrum controls box / E Won with some AB software features.

I like buying them direct from spectrum controls myself.

It's the same hardware no matter which vendor you choose.
 
The hardware for VPN is pretty straightforward; it's a well-travelled area in IT security. Make sure it uses standards like SSL or IPsec and supports strong authentication (like long passwords, and preferably two-factor).

First things first, a lot of companies have policies now for the security of their automation networks, and putting your own device in place may violate that. Check first.

Second, what do you need access for? Are you remotely reconfiguring PLCs? Are you doing some basic checks when you get a call at 0'darkthirty? That will drive what you allow through the VPN.

I do cyber security for industrial systems for a living, and because of the insecure nature of industrial protocols I don't recommend any direct communications with PLCs from outside, ever. Rather, I recommend remoting into an existing system (like an engineering console) that has the capability.

Regardless, you need to realize that you are making a risk decision: you have decided the benefit of remote access from corporate outweighs the risk to the automation network. With all the attention automation security has been getting, I'm a lot less comfortable with that risk these days.

*** Edit - That means the router idea is a bad idea. Hackers have the capability these days to scan for automation protocols, and it's fast and effective. A router isn't even a bump in the road.
 
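To make the advice in the post above concrete (VPN users land on an engineering console, never on the PLCs directly, and a plain router that forwards everything is a bad idea), here is an added example of a firewall policy for the box that terminates the VPN and sits in front of the machine LAN. It is not code from the thread or from any vendor product mentioned in it. It is written as an nftables ruleset generated by a POSIX shell script; the address ranges, interface names and the choice of RDP for the console session are assumptions. The weak policy is included only to contrast with the hardened one.

```shell
#!/bin/sh
# Added example, not from the thread. Generates two nftables rulesets for a
# Linux box acting as VPN concentrator / firewall between the VPN client pool,
# a small DMZ holding the engineering console (jump host), and the isolated
# PLC / HMI subnet. Every address, port and interface below is an assumption
# chosen for illustration.

VPN_POOL="10.99.0.0/24"      # assumed pool handed out to VPN clients
VPN_IF="tun0"                # assumed VPN tunnel interface
JUMP_HOST="192.168.20.5"     # assumed engineering console in the DMZ
DMZ_IF="eth2"                # assumed interface facing the DMZ
PLC_NET="192.168.10.0/24"    # assumed PLC / Point I/O / PanelView subnet
LAN_IF="eth1"                # assumed interface facing the machine LAN
RDP_PORT=3389                # assumed remote-desktop port to the console

# Weak policy: behaves like a plain router. Anything that arrives over the
# VPN (or from anywhere else) is forwarded, so a VPN client can scan for
# and talk to the PLCs directly. Shown only for contrast.
weak_policy() {
    cat <<EOF
table inet weak {
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
}
EOF
}

# Hardened policy: default drop on the forward path, stateful, and exactly
# two permitted new flows:
#   1. VPN clients -> jump host on the remote-desktop port only
#   2. jump host -> PLC subnet over EtherNet/IP (TCP 44818 explicit
#      messaging, UDP 2222 CIP implicit I/O)
# Everything else, including VPN client -> PLC, is logged and dropped, which
# gives the site a detection signal for anyone probing past the console.
hardened_policy() {
    cat <<EOF
table inet vpn_plc {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # replies for flows that were already permitted
        ct state established,related accept

        # 1. VPN clients may only open a remote-desktop session to the console
        iifname "$VPN_IF" oifname "$DMZ_IF" ip saddr $VPN_POOL ip daddr $JUMP_HOST tcp dport $RDP_PORT ct state new accept

        # 2. only the console may speak EtherNet/IP to the PLC subnet
        iifname "$DMZ_IF" oifname "$LAN_IF" ip saddr $JUMP_HOST ip daddr $PLC_NET tcp dport 44818 ct state new accept
        iifname "$DMZ_IF" oifname "$LAN_IF" ip saddr $JUMP_HOST ip daddr $PLC_NET udp dport 2222 accept

        # anything that reaches here is dropped by the chain policy; log it first
        log prefix "vpn_plc drop: " counter
    }
}
EOF
}

# Write both rulesets out and, where the nft binary exists, syntax-check the
# hardened one without loading it (nft -c). Loading it for real is the
# operator's step: nft -f "\$OUT/vpn_plc.nft" as root.
OUT="$(mktemp -d)"
weak_policy > "$OUT/weak.nft"
hardened_policy > "$OUT/vpn_plc.nft"
if command -v nft >/dev/null 2>&1; then
    nft -c -f "$OUT/vpn_plc.nft" && echo "syntax ok: $OUT/vpn_plc.nft" \
        || echo "nft -c failed (may need root or a newer nft)"
fi
echo "rulesets written to $OUT"
```

The point of the layout is that the PLC subnet never sees a VPN address at all: the only host allowed to originate EtherNet/IP is the console, and the only thing a VPN user can do is log into that console. If the console is on the same Layer 2 segment as the PLCs, the second pair of rules is never consulted, so the console belongs on its own interface or VLAN for this policy to mean anything.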
