Old March 17th, 2023, 06:34 PM   #1
OkiePC
Lifetime Supporting Member
United States

Join Date: Mar 2005
Location: ENE of Nowhere Oklahoma
Posts: 11,568
PLC to PLC message across the Internet?

Engineers:
So, we are supposed to do some mods to the controls at a pump station with a SLC 5/03 and it needs to communicate with another new pump station some miles away with a ML1400 (done by others). We know that the 5/03 can't do Ethernet and we understand how to overcome that.

Our tech asked about a radio link and was told don't worry about it, there's hills in the way and we're going to connect them with fiber. Great no problem. Until we find out they are adding fiber Internet to both sites.

How can I establish MSG connection across the internet between two PLCs securely?

We use Stridelinx VPN routers for secure connections for customer HMI access and from our programming PCs to their controls LANs all the time, but I have never been asked to link two control systems together with messages having the world wide web in the middle ... until now.
__________________
You've been taken, but you don't know it yet.

Last edited by OkiePC; March 17th, 2023 at 06:38 PM.
Old March 17th, 2023, 06:57 PM   #2
Ken Roach
Lifetime Supporting Member + Moderator
United States

Join Date: Apr 2002
Location: Seattle, WA
Posts: 17,255
Does StrideLinx provide a way to configure a "nailed up" VPN that functionally puts two sites on the same IP network?

Does the Internet service provider offer VPN features, maybe even built into their modem or router?

Ordinary MSG instructions between Rockwell controllers use ordinary TCP/IP for their transport. Anything that allows connections to be established on TCP Port 44818 between those sites should accomplish the task.

There will be a temptation to enable Port Forwarding on the Internet modem. Resist with every fiber of your being.
Old March 17th, 2023, 07:05 PM   #3
dmroeder
Lifetime Supporting Member
United States

Join Date: Apr 2006
Location: Vancouver, WA
Posts: 3,478
Quote:
Originally Posted by Ken Roach
There will be a temptation to enable Port Forwarding on the Internet modem. Resist with every fiber of your being.
Or you will end up on shodan.
__________________
Open source python communications library for CompactLogix/ControlLogix/Micro800 PLC's:
https://github.com/dmroeder/pylogix
Old March 17th, 2023, 07:09 PM   #4
OkiePC
Lifetime Supporting Member
United States

Join Date: Mar 2005
Location: ENE of Nowhere Oklahoma
Posts: 11,568
Quote:
Originally Posted by Ken Roach
Does StrideLinx provide a way to configure a "nailed up" VPN that functionally puts two sites on the same IP network?
Not that I could use with a PLC or another one of their VPN routers. They're rebranded "I X O N" (sorry for the profanity... at least I didn't spell E W O N) routers, and someone asked on the A/D forum about using two of them to do this and the response was "no". There's a web based interface to log in for configuration and to send a command to the remote router to turn on and off its VPN capability, along with a client application that can be downloaded to a PC to use it with PLC and HMI software.

Quote:
Does the Internet service provider offer VPN features, maybe even built into their modem or router?
Not sure yet. My partner who's our lead tech on this job has more of the details, but I want something rugged and ISP agnostic if possible. I'd also like to avoid having to install a PC at either location if possible. Just a hardware based VPN connection between two points.

Quote:
Ordinary MSG instructions between Rockwell controllers use ordinary TCP/IP for their transport. Anything that allows connections to be established on TCP Port 44818 between those sites should accomplish the task.

There will be a temptation to enable Port Forwarding on the Internet modem. Resist with every fiber of your being.
Agreed.

I never wanted to be an IT guy, I just want to fix and program machinery. I know enough to use Ethernet even for somewhat complex control systems that are isolated from the internet. I have read enough (mainly here) to know that the risks are real and saturate the web.

So I have always used a VPN appliance for remote access to controls hardware because I value my time more than I value attaining expert level network security knowledge.
__________________
You've been taken, but you don't know it yet.

Last edited by OkiePC; March 17th, 2023 at 07:17 PM.
Old March 17th, 2023, 08:28 PM   #5
JeremyM
Lifetime Supporting Member
United States

Join Date: May 2014
Location: Dallas, Texas
Posts: 1,169
Site to site VPN, without knowing much else.

One firewall/router would host the VPN, the other would be client. Shared between each is a routing table to pass traffic sitting on the plant subnet(s) on each side. IP hosts on the plant subnet(s) on either end wouldn’t have knowledge of this and would just communicate with each other normally.
__________________
LogixLibraries
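Ken Roach's point (MSG traffic is plain TCP to port 44818, so let only the tunnel carry it and never port-forward it on the WAN side) and JeremyM's description (each router's VPN definition doubles as the routing table for the remote plant subnet) can be tied together in one model. The following is an added example, not code from the thread or from any vendor named in it: it renders a WireGuard-style site-to-site configuration for two routers and evaluates a small first-match firewall policy against it. The site names, subnets, tunnel addresses, endpoints and keys are constructed placeholders; the policy and evaluator are simplified stand-ins for whatever the chosen appliance actually uses.

```python
"""Site-to-site tunnel plan for two pump stations (added example, not from the thread).

Constructed assumptions:
  site A: SLC 5/03 behind an Ethernet gateway on 192.168.10.0/24
  site B: MicroLogix 1400 on 192.168.20.0/24
Each router terminates the tunnel; plant hosts route through their local router
and never see the Internet directly.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

CIP_PORT = 44818  # EtherNet/IP explicit messaging (MSG) TCP port, as stated in the thread


@dataclass(frozen=True)
class Site:
    name: str
    plant_subnet: str   # LAN behind this site's router
    tunnel_ip: str      # router address inside the tunnel
    wan_endpoint: str   # public host:port of the router (placeholder)
    pubkey: str         # tunnel public key (placeholder)


def wireguard_config(local: Site, remote: Site, listen_port: int = 51820) -> str:
    """Render one router's tunnel config. AllowedIPs is the routing table:
    only the remote plant subnet (plus the remote tunnel address) is sent
    through the tunnel, so hosts on each plant LAN talk to each other normally."""
    return "\n".join([
        "[Interface]",
        f"Address = {local.tunnel_ip}/32",
        f"ListenPort = {listen_port}",
        "PrivateKey = <site-private-key-placeholder>",
        "",
        "[Peer]",
        f"PublicKey = {remote.pubkey}",
        f"Endpoint = {remote.wan_endpoint}",
        f"AllowedIPs = {remote.tunnel_ip}/32, {remote.plant_subnet}",
        "PersistentKeepalive = 25",   # keeps the 'nailed up' tunnel alive through NAT
    ])


@dataclass(frozen=True)
class Rule:
    in_iface: str          # "wan", "wg0" (tunnel) or "lan"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches every destination port
    src: str               # CIDR
    dst: str               # CIDR
    action: str            # "accept", "drop" or "dnat" (a port forward)


def firewall_policy(local: Site, remote: Site, listen_port: int = 51820) -> List[Rule]:
    """Ordered first-match policy for one router: WAN accepts only the tunnel
    handshake; CIP is accepted only inside the tunnel between the two plant
    subnets; everything else is dropped. Nothing on WAN forwards to the PLC."""
    return [
        Rule("wan", "udp", listen_port, "0.0.0.0/0", "0.0.0.0/0", "accept"),
        Rule("wg0", "tcp", CIP_PORT, remote.plant_subnet, local.plant_subnet, "accept"),
        Rule("wg0", "any", None, "0.0.0.0/0", "0.0.0.0/0", "drop"),
        Rule("wan", "any", None, "0.0.0.0/0", "0.0.0.0/0", "drop"),
    ]


def first_match(rules: List[Rule], in_iface: str, proto: str, dport: int,
                src_ip: str, dst_ip: str) -> str:
    """Evaluate a packet against the policy; default deny if nothing matches."""
    for r in rules:
        if r.in_iface != in_iface or r.proto not in ("any", proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if ip_address(src_ip) not in ip_network(r.src):
            continue
        if ip_address(dst_ip) not in ip_network(r.dst):
            continue
        return r.action
    return "drop"


def exposed_cip_rules(rules: List[Rule]) -> List[Rule]:
    """Audit check for the port-forwarding mistake: any rule that accepts or
    DNATs CIP (or all TCP) arriving on the WAN interface."""
    return [r for r in rules
            if r.in_iface == "wan" and r.action in ("accept", "dnat")
            and r.proto in ("tcp", "any") and r.dport in (CIP_PORT, None)]


if __name__ == "__main__":
    site_a = Site("A", "192.168.10.0/24", "10.99.0.1", "site-a.example.invalid:51820", "<pubkey-A>")
    site_b = Site("B", "192.168.20.0/24", "10.99.0.2", "site-b.example.invalid:51820", "<pubkey-B>")
    print(wireguard_config(site_a, site_b))
    policy = firewall_policy(site_a, site_b)
    print("CIP from B over tunnel:", first_match(policy, "wg0", "tcp", CIP_PORT, "192.168.20.5", "192.168.10.5"))
    print("CIP from Internet on WAN:", first_match(policy, "wan", "tcp", CIP_PORT, "203.0.113.7", "192.168.10.5"))
    print("Exposed CIP rules:", exposed_cip_rules(policy))
```

The audit function is the part worth keeping around: run it against whatever rule export the chosen appliance produces (after mapping its rules onto the `Rule` shape) before the site goes live, so a later "temporary" forward of 44818 cannot slip in unnoticed.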
Old March 17th, 2023, 09:49 PM   #6
Ken Roach
Lifetime Supporting Member + Moderator
United States

Join Date: Apr 2002
Location: Seattle, WA
Posts: 17,255
My company relies on WatchGuard Fireboxes, and has for years. I fortunately don't have to set them up or maintain them.

It makes sense to want something ISP-agnostic if you have to set it up yourself.

But if you want to offload the responsibility to the guys who are paying for the Internet connection, it makes sense to require them to get it from the ISP or give the responsibility to the site owner's IT department.

For my personal site-to-site connectivity, I use ZeroTier, often running on Raspberry Pi's. But I don't use it for a Site-to-Site PLC VPN.
Old March 18th, 2023, 05:42 PM   #7
Onstege
Member
Sweden

Join Date: Sep 2012
Location: Sweden
Posts: 69
Secomea has solutions for those kinds of problems for us dummies.
Old March 18th, 2023, 09:23 PM   #8
SD_Scott
Member
United States

Join Date: Feb 2006
Location: South Carolina
Posts: 176
It would be nice to have more details.

How much data do you want to send and receive?
What frequency do you want to do this transfer?

In manufacturing, you see databases used for keeping track of widgets throughout the process. If you already have an OPC server that you can get this data from the SLC, you could write that data to a database that both stations could have access to. Is there a business network already in place that is secure? We did a similar thing at a large company I worked for. We collected power usage data at each site around the country and sent it to a database. The VPN was already in place and totally secure.

In the database table you could have send and receive tables with a column called "status" or "state". Set that column to default to a certain number when data gets inserted, for example 100. When you read that data, set it to 200. That way the data has state associated with it. This is very common in routing and distribution systems, sortation, etc.

Oh well, just a thought.
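The send/receive table with a "status" column that SD_Scott describes is a hand-off pattern that is easy to get subtly wrong (two readers consuming the same row). The following is an added example, not code from the thread: it builds the table in an in-memory SQLite database as a stand-in for the shared database, inserts rows with the default status 100, and lets the receiving side claim them by flipping the status to 200 inside one transaction. Table and column names are constructed for the example.

```python
"""Database hand-off between two stations with a state column (added example,
not from the thread). Uses the 100-on-insert / 200-on-read convention from the
post above; an in-memory SQLite table stands in for the shared database."""
import sqlite3
from typing import List, Tuple

STATUS_NEW = 100   # assigned by the sender's INSERT (column default)
STATUS_READ = 200  # assigned by the receiver when it consumes the row


def open_db() -> sqlite3.Connection:
    # isolation_level=None: we manage transactions explicitly below.
    con = sqlite3.connect(":memory:", isolation_level=None)
    con.execute("""
        CREATE TABLE to_station_b (
            id      INTEGER PRIMARY KEY,
            sent_at TEXT    NOT NULL DEFAULT CURRENT_TIMESTAMP,
            payload TEXT    NOT NULL,
            status  INTEGER NOT NULL DEFAULT 100
        )""")
    return con


def send(con: sqlite3.Connection, payload: str) -> int:
    """Sender side: insert a message; status defaults to 100 (new)."""
    cur = con.execute("INSERT INTO to_station_b (payload) VALUES (?)", (payload,))
    return cur.lastrowid


def receive(con: sqlite3.Connection, limit: int = 10) -> List[Tuple[int, str]]:
    """Receiver side: claim up to `limit` unread rows and return them.

    The UPDATE ... WHERE status = 100 is the hand-off. A row is returned only
    if this reader was the one that flipped it to 200, so a second reader (or
    a retry after a lost reply) cannot consume the same message twice."""
    con.execute("BEGIN IMMEDIATE")
    try:
        rows = con.execute(
            "SELECT id, payload FROM to_station_b WHERE status = ? ORDER BY id LIMIT ?",
            (STATUS_NEW, limit)).fetchall()
        claimed = []
        for row_id, payload in rows:
            cur = con.execute(
                "UPDATE to_station_b SET status = ? WHERE id = ? AND status = ?",
                (STATUS_READ, row_id, STATUS_NEW))
            if cur.rowcount == 1:
                claimed.append((row_id, payload))
        con.execute("COMMIT")
    except Exception:
        con.execute("ROLLBACK")
        raise
    return claimed


def pending_count(con: sqlite3.Connection) -> int:
    """Rows still at status 100. A growing backlog is the simplest sign that the
    far end has stopped reading (link down, service stopped)."""
    return con.execute("SELECT COUNT(*) FROM to_station_b WHERE status = ?",
                       (STATUS_NEW,)).fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    send(db, "wet_well_level=3.2")      # constructed sample messages
    send(db, "pump1_cmd=RUN")
    print("pending before read:", pending_count(db))
    print("received:", receive(db))
    print("pending after read:", pending_count(db))
```

Because the receiver polls, `pending_count` doubles as a health check: alarm when it climbs past what a few seconds of traffic should produce, and you have detected a broken link without any extra instrumentation.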
Old March 20th, 2023, 02:17 AM   #9
Phil Buchanan
Lifetime Supporting Member
United States

Join Date: Jun 2015
Location: Atlanta, Georgia
Posts: 637
Lots of ways to skin that cat. If it's budget-challenged, then something like ZeroTier or SoftEther on a Raspberry Pi or Intel NUC works great. I have used SoftEther in places and situations where a hardware IPsec firewall would not work.

If you want pro hardware, Fortinet or Palo Alto are good solutions for site-to-site Layer 2 VPNs.

These are all castle and moat solutions, and these days, we try to avoid those where we can in favor of Zero Trust Network Access Models using things like Tempered Networks, Open Ziti, and others.

A good and free zero-trust solution for this situation would be Cloudflare Tunnels, which gives you all the benefits of a VPN and none of the weaknesses, and it's not a VPN. All of its connections are outbound, so no poking holes in your firewall, and it can secure devices as HTTPS that don't have native HTTPS (old devices like the SLC 500).
__________________
PLC Boot Camp Training
VFD Training
HMI Training
Electrical License Prep Training
Motor Controls Training

http://www.KeyAutomationTraining.com
Old March 20th, 2023, 11:21 AM   #10
OkiePC
Lifetime Supporting Member
United States

Join Date: Mar 2005
Location: ENE of Nowhere Oklahoma
Posts: 11,568
These end points are just pump stations that are unattended and there is a desire to avoid having a Windows PC at either location. The amount of data will be minimal. Probably a couple of messages from one to the other every few seconds, less than 100 words each way, based on my best guess at this point.

There is an HMI that will be updated to a Red Lion at one location.

Ideally, we'd buy a pair of industrial din rail mount VPN routers that we can configure to find each other on the internet and establish the secure tunnel.

Maybe that means I have to buy some devices that are somewhat generic and learn how to program them.

Thanks for the feedback so far.
__________________
You've been taken, but you don't know it yet.
Old March 20th, 2023, 12:04 PM   #11
DBLD99
Member
United States

Join Date: Oct 2003
Location: USA
Posts: 230
We have used this with success - site-to-site VPN:

https://www.netgate.com/appliances

pfSense (open source) is highly configurable.
Old March 20th, 2023, 01:10 PM   #12
Phil Buchanan
Lifetime Supporting Member
United States

Join Date: Jun 2015
Location: Atlanta, Georgia
Posts: 637
Quote:
Originally Posted by OkiePC
These end points are just pump stations that are unattended and there is a desire to avoid having a Windows PC at either location. The amount of data will be minimal. Probably a couple of messages from one to the other every few seconds, less than 100 words each way, based on my best guess at this point.

There is an HMI that will be updated to a Red Lion at one location.

Ideally, we'd buy a pair of industrial din rail mount VPN routers that we can configure to find each other on the internet and establish the secure tunnel.

Maybe that means I have to buy some devices that are somewhat generic and learn how to program them.

Thanks for the feedback so far.
For those specs, we would use a Fortinet Fortigate FGR-70F-3G4G to cover all bases now and in the future.
__________________
PLC Boot Camp Training
VFD Training
HMI Training
Electrical License Prep Training
Motor Controls Training

http://www.KeyAutomationTraining.com
Old March 24th, 2023, 03:30 PM   #13
OkiePC
Lifetime Supporting Member
United States

Join Date: Mar 2005
Location: ENE of Nowhere Oklahoma
Posts: 11,568
Thank you all for the input. I will send some inquiries to some of these manufacturers.
__________________
You've been taken, but you don't know it yet.
Old March 24th, 2023, 04:06 PM   #14
harryting
Lifetime Supporting Member
United States

Join Date: May 2002
Location: Puget Sound
Posts: 2,573
If there is good cell reception at both locations, you can get a preconfigured cell-VPN-hotspot from your cell provider. Just note it's not typically used for one-off situations and you would have to work with the B2B arm of the cell provider to make this happen.