Opinion: Access to Customer PLC/HMI system

Hello everyone,

Here is my situation:
I have recently built my largest system to date. The plant that it is installed in is on the other side of the country. I have requested that they give me VPN access to the PLC system so I can make changes or corrections that are required from my office. Which is something quite a few of my customers have done for me. Anyway the plant IT said not just no but HELL NO.

So now anytime there is a issue I have to fly out and waste several days doing something I could fix in minutes in my office. The **** of the whole thing is the system is still under warranty and the cost to travel and stay is getting out of hand. I know I should have put more $$ into the bid to cover that but hind sight is 20/20.

What I need your opinion on is how do you handle this type of situation? I was thinking of putting in our contract that if VPN access can or wont be provided that on-site warranty work will require a PO to cover travel cost. What do you guys think? Do you do anything like that?

I have also been talking to the people at **** to get some other ideas. I was also thinking about adding a **** into each panel that wont give me access. That way I can at least get into the system via a cellular modem. Have you had any experience with ****?

Like I said I am just fishing for some ideas because as I move forward I can see this type of thing becoming a issue more and more.

Thanks for your help!!

Edit: the **** is for e_w_o_n. Why does this site filter that out????

What about something similar to what Rockwell uses on remote service i'm talking about webex. This way you use no VPN.

Yea but how do they get into the system? If IT will not let them into the network how would a WebEX work?

The other issue is this place doesn't have a copy of RSL5K or FTVME in the plant. So unless I can get into the system that is a direct connection and use the software on my computer it wont work.

Would it be cheaper to just load a laptop with RSL5K and FTVME, ship it to the site, and have the someone connect it to the network on demand when you need it so you can remote desktop it?

We thought about using a cellular modem for the duration of the warranty period. But it's been awhile since we have add issues with VPN access. Might be something to consider?

Would they allow you to have a cell modem on site? They could get ****y about you having any remote connection ability.

At a previous company we put a Red Lion/Sixnet cellular modem in a Pelican case and shipped it around the country to provide remote support. You could put one in the case with a small 24 VDC power supply for $1,000 - 1,500.

One complication with this is setting up the VPN on the modem so that you can connect to it. In order for us to reliably find the modem (and its IP address) we need to get a static IP address from Verizon, which has something like a $500 entry fee to get that process started. This would allow us to find the modem and connect to the VPN server on it through openVPN. An alternative to that would be to create an openVPN server somewhere on a computer that you control (preferably with a static IP) that the modem would dial into to allow you to connect through it. This introduces the fun of configuring servers, firewalls, networks, etc...

Keep in mind that reception isn't always ideal and you may need an external antenna to have a chance of coverage. A clever end user could also end up using the cell modem to watch YouTube and rack you up a nice data bill as well.

I gather that these devices are beginning to meet approval from those dastardly IT guys.

http://www.tosibox.com/

http://www.secomea.com/

I personally have not yet used them as yet.
Anyone who has, please post your experiences.

One of my colleagues has just set up a remote site on an E_W_O_N cellular modem. I accessed a Schneider M340 over this VPN link and it worked great. Don't know the details though but i believe he set it up with support from the local supplier here.

If you have an ADSL / broadband connection at your office you can probably get a fixed IP assigned. Have an **** VPN this end. The remote site then initiates a site-to-site VPN to your office.

If there are concerns about leaving it connected 24/7 then simply put it on a on-off selector switch in the panel. When they need support they turn it on and call you. Their paranoid IT guy can go turn it off himself if he wants after.

As you say in future. .. would be good to include in the contract. Free remote support during warranty, anything requiring travel they pay the travel costs at least.

We use a Netbiter cellular modem. We have four of them that we ship around the country. A little slow but so far IT friendly.

I would like to recommend Secomea Sitemanagers. There are few other products that have saved me such amounts of cash and time... They claim that you are up and running in 15 minutes without a single call to IT-department and that's true!

Bullzi,

We have a similar situation here as do many other plants I would think.
We ended up with 2 different networks: one for corporate / management, and one for plant plc's and manufacturing. That way, no one could get access to the plant side from the corporate side without special rules and assistance from the IT department.

We use k**** to establish a network connection from outside the plant and access the plc network. We do our work and then sign off.

regards,
james