Remote access to electronics and machines around the globe is quickly gaining importance, both in industry and in related areas. Experts point out that remote control and monitoring are among the most important mechanisms for increasing productivity and reducing costs, which raises companies' interest in implementing them. Information about industrial machines is of the utmost importance so that managers know the current state of their factory and can act quickly. Being able to use the internet to reach the installed machines greatly reduces maintenance costs, streamlines monitoring and removes the need for long trips to check problems, allowing remote industrial plants to be controlled regardless of where they are.
The integration of process variables, gateways, virtual private networks (VPNs) and PCs forms the technological basis for the concept of smart environments, in which the generated information can be shared among several platforms and applications, allowing remote control and monitoring to be carried out safely. The concept of intelligent environments encompasses different technologies, such as sensor networks and embedded systems, working together to track device states such as location, temperature and movement.
An important factor in this type of remote connectivity is the security of the information and of the connections. Any remote access means data travelling over public networks, and ensuring the integrity and confidentiality of the information collected in the field is vital for reliable remote operation. Among the main security tools is the firewall, the barrier between the public and private networks; it should be used to restrict the ports reachable on the network, the types of packets that may pass, the protocols allowed, and so on. Another important point is encryption, which turns the data into a sequence that cannot be understood by anyone outside the VPN, so that only the intended recipient can recover the original data. Several protocols provide security and encryption for the VPN connection. One of the most widely used is IP security (IPsec), an extension of IP that provides confidentiality, integrity and origin authentication for the packets carried over a network, and it can be used in two modes: transport mode and tunnel mode. In transport mode only the payload is protected and the original IP header is left in place. In tunnel mode the entire original IP packet is protected and encapsulated inside a new IP packet with a new header, which is the mode used between VPN gateways.
Industrial machines integrate a large number of embedded systems, whether or not connected to a communication network. These machines may have sensors and actuators that enable monitoring and control operations. This article explains the application and configuration of the AirGate-3G router as a gateway for reading a field logger via Modbus TCP, using the mobile data connection and acting as a VPN client within the network architecture. For this type of solution the topology is shown in Fig. 1.
In the proposed architecture, the field logger is physically connected to the router through its Ethernet port and, over the mobile data connection, the modem connects as a client to the company's VPN server, authenticates and receives an IP address that belongs to the internal network, making it visible to a PC running supervisory software, for example. The details of this connection are explained below.
As the equipment to be read will be connected to the network port of the router, it is important to know the physical address of the device's network interface: when configuring the dynamic host configuration protocol (DHCP) server on the modem's port we will need a static lease, so that every time the router is powered on it assigns the same IP address to the equipment physically connected to it. This filter uses the media access control (MAC) address of the connected equipment's network interface, which does not change. It is important to note that the address reserved for the lease must lie outside the range of IPs reserved for the DHCP pool of that port. Reaching the equipment at the end of the network is done with a router feature called network address translation (NAT), which, as its name implies, rewrites IP addresses and TCP/UDP ports between the local network and the outside. In other words, a mapping is built from the requester's IP address and the destination port on the router to the IP address and port of the device behind it (port forwarding). The role of the AirGate-3G is to perform this "translation" and redirect the connection.
In Fig. 2, the DHCP server on the Ethernet port of the 3G router is enabled and, in the static lease configuration area, the data logger with MAC address 00:26:A4:00:00:9E is given the IP address 192.168.0.2, which is outside the range reserved for the DHCP pool. This ensures that, when configuring the modem's NAT service, a fixed destination IP address can be used.
In Fig. 3, the first rule, called "PC-Server", refers to the computer responsible for this access, which has the fixed IP address 10.51.11.195; regardless of the port requested on the connection, it reaches the equipment at the end. The second rule, called Modbus, indicates that any computer (the address 0.0.0.0 admits any requesting IP into this rule) that tries to reach the 3G router through the VPN on the Modbus TCP port (502) will reach the data logger on the Modbus TCP port (502) as well. The same goes for the third rule, for connections to the file transfer protocol (FTP) server on port 21. Note that the 0.0.0.0 rules expose the logger to every host on the VPN, and neither Modbus TCP nor FTP authenticates or encrypts anything on its own (FTP sends its credentials in clear text), so where possible the source should be narrowed to the supervisory hosts that actually need access.
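The static lease and the three forwarding rules above are easy to get subtly wrong (a lease inside the DHCP pool, a rule pointing at an address that is not pinned, a wildcard source nobody meant to leave open). The following Python is an added example, not code from the article or from Novus: it models the settings of Figs. 2 and 3 as data, lints them for exactly those mistakes, and resolves which device a given requester and port would be forwarded to under first-match semantics. The DHCP pool range, the helper names and the first-match behaviour are assumptions for the example, since the article does not state them.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: a small linter and resolver for the gateway settings described in the
# text. The lease and rules are the values from Figs. 2 and 3; DHCP_POOL is an assumed
# pool for the router's Ethernet port, since the article does not give its range.

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
ANY = "0.0.0.0"  # the router's "any requesting IP" wildcard


@dataclass(frozen=True)
class StaticLease:
    mac: str
    ip: str


@dataclass(frozen=True)
class ForwardRule:
    name: str
    source: str                   # requesting IP, or ANY
    external_port: Optional[int]  # port on the router; None = every port
    dest_ip: str
    dest_port: Optional[int]      # None = same port that was requested


LAN = ipaddress.ip_network("192.168.0.0/24")
DHCP_POOL = ("192.168.0.100", "192.168.0.199")  # assumption, not from the article
LEASES = [StaticLease("00:26:A4:00:00:9E", "192.168.0.2")]
RULES = [
    ForwardRule("PC-Server", "10.51.11.195", None, "192.168.0.2", None),
    ForwardRule("Modbus", ANY, 502, "192.168.0.2", 502),
    ForwardRule("FTP", ANY, 21, "192.168.0.2", 21),
]


def lint_config(leases, rules, lan, pool) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the static leases and forwarding rules."""
    findings = []
    pool_lo, pool_hi = (ipaddress.ip_address(p) for p in pool)
    lease_ips = set()
    for lease in leases:
        ip = ipaddress.ip_address(lease.ip)
        lease_ips.add(lease.ip)
        if not MAC_RE.match(lease.mac):
            findings.append(("error", f"lease {lease.ip}: malformed MAC address {lease.mac!r}"))
        if ip not in lan:
            findings.append(("error", f"lease {lease.ip} is not inside the LAN {lan}"))
        elif pool_lo <= ip <= pool_hi:
            # The article's requirement: the reserved address must lie outside the pool.
            findings.append(("error", f"lease {lease.ip} collides with the DHCP pool {pool_lo}-{pool_hi}"))
    for rule in rules:
        if rule.dest_ip not in lease_ips:
            # Without a static lease the target may get a different address after a reboot.
            findings.append(("error", f"rule {rule.name}: destination {rule.dest_ip} has no static lease"))
        if rule.source == ANY:
            port = rule.dest_port if rule.dest_port is not None else "any"
            findings.append(("warning", f"rule {rule.name}: every VPN peer can reach {rule.dest_ip}:{port}"))
        if rule.external_port is None:
            findings.append(("warning", f"rule {rule.name}: forwards every port for {rule.source}"))
    return findings


def resolve(rules, src_ip, dst_port) -> Optional[Tuple[str, int]]:
    """First-match port forwarding: where does a packet from src_ip to router:dst_port end up?"""
    for rule in rules:
        if rule.source not in (ANY, src_ip):
            continue
        if rule.external_port is not None and rule.external_port != dst_port:
            continue
        return rule.dest_ip, (rule.dest_port if rule.dest_port is not None else dst_port)
    return None  # no rule matches: the router does not forward it


if __name__ == "__main__":
    for severity, msg in lint_config(LEASES, RULES, LAN, DHCP_POOL):
        print(f"{severity}: {msg}")
    print(resolve(RULES, "10.51.11.195", 8080))  # PC-Server rule, any port
    print(resolve(RULES, "10.51.11.77", 502))    # Modbus rule, any peer
    print(resolve(RULES, "10.51.11.77", 8080))   # no match
```

Run against the article's values the linter reports no errors but three warnings: the PC-Server rule forwards every port, and the Modbus and FTP rules are reachable from any VPN peer. Moving the lease into the pool, or pointing a rule at an address without a lease, is reported as an error.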
Since the internet connection in this solution is provided by the mobile data carrier, the IP address given to the SIM card is a private one, reachable only within the operator's network. To access the 3G router by its IP address, the requesting machine must be on the same network as the router. What makes this possible is a VPN tunnel on the modem: using its external connection, together with a username and password authenticated by the VPN server, the router becomes visible on the company's private network. The router supports the main VPN protocols in use on the market, mainly OpenVPN, PPTP and L2TP over IPsec. Of these, PPTP's authentication (MS-CHAPv2) is known to be weak, so OpenVPN or L2TP/IPsec should be preferred.
Fig. 4 is an example of setting up the OpenVPN client on the 3G router. The information provided by the VPN server must be entered (e.g. server IP address, port, compression, encryption, etc.). To authenticate the router to the VPN, you can use the following options:
X.509 certificates, which define the format of digital certificates, are commonly used so that a name can be securely bound to a public key, allowing strong authentication. The local IP address will be the address at which the SCADA software can see the 3G router; on access to this address, the modem's NAT function takes effect and the connection is redirected to read the data logger's holding registers.
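What actually crosses the tunnel on port 502 is a Modbus TCP request for holding registers (function 0x03) and its reply. The following Python is an added example, not the article's or Novus's code: it encodes one such request, validates the reply strictly against it (transaction and unit identifiers, MBAP length, function code, exception responses, byte count) and decodes the register values, and it includes a small socket client that a supervisory host would point at the router's VPN address so that NAT forwards it to the logger. The helper names are hypothetical, and the sample frames in the usage block are constructed, so the validation runs offline. Because Modbus TCP has no authentication of its own, this check only protects against malformed or mismatched replies; who is allowed to talk to the logger at all is decided entirely by the VPN and the forwarding rules.

```python
import socket
import struct

# Added example: a minimal Modbus TCP "Read Holding Registers" (function 0x03) client with
# strict response validation. Hypothetical helper names; the sample frames are constructed.

MBAP = struct.Struct(">HHHB")   # transaction id, protocol id (always 0), length, unit id
FC_READ_HOLDING = 0x03
MAX_REGISTERS = 125             # protocol limit for a single FC03 request


class ModbusError(Exception):
    """Raised when the reply is malformed, does not match the request, or is an exception."""


def build_read_holding_registers(transaction_id, unit_id, start_addr, quantity):
    """Encode one FC03 request (MBAP header + PDU)."""
    if not 1 <= quantity <= MAX_REGISTERS:
        raise ValueError("quantity must be 1..125")
    pdu = struct.pack(">BHH", FC_READ_HOLDING, start_addr, quantity)
    # The MBAP length field counts the unit id byte plus the PDU.
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_read_holding_registers(request, response):
    """Check a reply against the request it answers and return the register values."""
    req_tid, _, _, req_uid = MBAP.unpack_from(request)
    _, _, quantity = struct.unpack_from(">BHH", request, MBAP.size)
    if len(response) < MBAP.size + 2:
        raise ModbusError("response too short")
    tid, pid, length, uid = MBAP.unpack_from(response)
    if pid != 0 or tid != req_tid or uid != req_uid:
        raise ModbusError("MBAP header does not match the request")
    if length != len(response) - (MBAP.size - 1):
        raise ModbusError("MBAP length field disagrees with frame size")
    fc = response[MBAP.size]
    if fc == FC_READ_HOLDING | 0x80:
        # Exception response: function code with the high bit set, then one exception code.
        raise ModbusError(f"device returned exception code {response[MBAP.size + 1]:#04x}")
    if fc != FC_READ_HOLDING:
        raise ModbusError(f"unexpected function code {fc:#04x}")
    byte_count = response[MBAP.size + 1]
    data = response[MBAP.size + 2:]
    if byte_count != 2 * quantity or len(data) != byte_count:
        raise ModbusError("byte count does not match the requested quantity")
    return list(struct.unpack(f">{quantity}H", data))


def _recv_exact(sock, n):
    """Read exactly n bytes or fail; TCP may split a frame across several recv() calls."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ModbusError("connection closed by peer")
        buf += chunk
    return buf


def read_holding_registers(host, unit_id, start_addr, quantity, port=502, timeout=5.0, transaction_id=1):
    """Read registers from host:port, e.g. the router's VPN address that NAT forwards to the logger."""
    request = build_read_holding_registers(transaction_id, unit_id, start_addr, quantity)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        header = _recv_exact(sock, MBAP.size)
        _, _, length, _ = MBAP.unpack(header)
        if not 2 <= length <= 254:          # unit id + at least a function code; bounded read
            raise ModbusError(f"implausible MBAP length {length}")
        body = _recv_exact(sock, length - 1)  # the unit id byte was already read with the header
        return parse_read_holding_registers(request, header + body)


if __name__ == "__main__":
    # Constructed frames standing in for the data logger; no network is needed to run this.
    req = build_read_holding_registers(1, 1, 0, 2)
    reply = bytes.fromhex("00010000000701030401020304")  # tid 1, unit 1, FC03, 4 data bytes
    print(parse_read_holding_registers(req, reply))      # [258, 772]
    try:
        parse_read_holding_registers(req, bytes.fromhex("000100000003018302"))  # exception 0x02
    except ModbusError as err:
        print("rejected:", err)
```

To poll the logger through the tunnel, call `read_holding_registers("<router VPN address from Fig. 4>", 1, 0, 2)` from a host on the VPN; the NAT rule for port 502 delivers the request to 192.168.0.2 and the reply comes back through the same mapping.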
Therefore, remote access to equipment using a 3G router with a mobile data connection and a VPN based on the OpenVPN protocol rests on the following pillars:
Enabling remote access to machines and equipment without giving up data security keeps pace with technological trends in the industrial automation market. With the solutions available on the market it is possible to deploy applications of different sizes, reducing maintenance costs and, consequently, improving productivity.
Contact Tiago Siqueira, Novus, tiago.siqueira@novusautomation.com