Remote Access to Facilities Network for PLC / HMI Troubleshooting

jeffconn

Hello -

I am trying to find the best way to connect into a facilities controls network. It is ControlLogix PLCs and FactoryTalk distributed server HMIs. This network is totally separate from the IT network, so it currently has no internet connectivity. I am working on getting IT to give a couple of channels of the T1, or maybe get a broadband connection.

My main problem is: Once I have the internet connectivity issue solved, what is the best VPN method for me to connect into this network from home? I have a laptop with all of the required software (RSLogix5000, FactoryTalk, RSLinx, etc). I am trying to find out what VPN is best, along with what hardware I would need to purchase. I would like it to be so that when I am at home, it appears no different (I can use all of the programs, access all of the PLCs, VFDs, etc) than if I was at work.

Thanks for any help
 
Check these out http://www.****.biz/Pres4005CD.htm

I use them a lot and look at the talk2m software. This is a VPN that will be common (not different for every plant you support), which is a real advantage because trying to keep multiple VPN client software installed and working without conflicts on your system is a real task.

These modems are for plant lans and some for cellular and standard modems.

Most models have a built in standard modem for backup.

Some equipment on remote sites have all 3 methods employed.

Using talk2m there needs to be IT involvement; it listens for a wake ping, then makes a route out to the internet through the network.

It will work from behind firewalls without IT giving access.

Just a footnote, but in most cases you really want to keep your machine network separate from the corporate network as much as possible. I have always found it easier to connect all the plant's equipment back to one router with a $60 per month DSL or cable broadband connection, as this should be sufficient for your needs.

If you need extra security, use a Tofino firewall, as these are made for industrial automation equipment: http://www.tofinosecurity.com/node/45

http://www.byressecurity.com/pages/products/tofino/

Choose a good router and enable NAT and SPI

SonicWall is the best for the money. Stay away from the WatchGuard Firebox stuff. Back in the day it was real good, but now you can bust through them easier than a six pack.
 
If you can get just one internet connection you can access the controls network with this product from Spectrum Controls called the WebPort. It provides a VPN connection. I saw a demo last year, and I'm just waiting for the right opportunity to use one myself. There's no periodic cost, just the price of the Webport device. I think it may be around $1200 USD

http://www.spectrumcontrols.com/webport.htm
 
Thanks all. I am going to have a dedicated broadband cable line brought in for facilities. In that case, would it just be best to have a rack-mounted Sonicwall router installed in the rack with the rest of the facilities servers? (NSA E5500, or is that overkill?)

Would that do everything I need it to do?
 
What does the plant use to maintain these machines? The reason I ask, it is almost always easier to just drill into the maintenance PC using a remote desktop type control (RDP, netmeeting, PCAnywhere, Logmein) that connects to the machine network. That way, all changes are documented and kept in one repository whether you are making changes or someone at the plant level is making changes.
 
We are going to have an engineering workstation in my office, which I will use for most development. I also have a laptop with the necessary software to make changes or troubleshoot out on the plant floor when needed.

The reason I am not so thrilled with always using that machine via remote desktop control, is that I need to make sure it is always on and all of the software running and available. I just thought it would be more fool-proof and robust if I can just get my laptop connected in remotely to the network.
 
Make sure you have a switch with IGMP snooping directing traffic to the SonicWall or you will have major problems.

I doubt a standard IT SonicWall switch will have IGMP snooping, but I could be wrong.
 
We are going to have an engineering workstation in my office, which I will use for most development. I also have a laptop with the necessary software to make changes or troubleshoot out on the plant floor when needed.

The reason I am not so thrilled with always using that machine via remote desktop control, is that I need to make sure it is always on and all of the software running and available. I just thought it would be more fool-proof and robust if I can just get my laptop connected in remotely to the network.

Understandable; however, I would assume you would be in communication with plant personnel anyway when going online. I'm not a proponent of having remote access and making changes without proper personnel present. That's a recipe for disaster. One wrong keystroke and damage to equipment or person could occur. Back to my point, if in communication with personnel they could ensure the gateway PC is turned on. Just another option.....
 
Tofino

In regards to Tofino VPNs:

The Tofino VPN solution creates secure ‘tunnels’ of communication over untrusted networks, such as the Internet or corporate business networks. Unlike other VPNs, the Tofino VPN is easy to deploy, test, and manage. This ensures that good security is not compromised because of configuration errors. The Tofino VPN also supports legacy automation devices and protocols, and is industrially hardened.


Please visit http://tofinosecurity.com/node/19 for more information on Tofino Security Appliances and all the various software security solutions that complement them.
 
