Industrial automation is no longer limited by the walls of a production facility. More and more, automation is being handled via remote communication, whether it’s from the office or from the comfort of your own home. Today’s programmable logic controllers (PLCs) give you the ability to access your control system to handle such tasks as monitoring via a Web site to determine the condition of a machine or check other statistics. With the latest PLC technology, almost anything that can be accomplished next to the machine can be accomplished wherever there is an Internet connection.
Connecting to the PLC from a remote location
The latest generation of PLCs has an integrated Ethernet port on the controller for two main operations. The first is controlling remote input/output (I/O) on Ethernet-based protocols like EtherNet/IP, Profinet or Modbus/TCP (UDP), to name a few. The second is to program and/or debug the internal program of the controller. With these features, and utilizing the Ethernet’s other services such as a Web and FTP server, remote administration of a control process becomes possible.
The first step in connecting remotely is to set up the controller to handle communication from both the local network as well as handle messages from a wider network such as the Internet. This is accomplished by adding a gateway address to the Ethernet communication settings on the controller, thereby allowing the controller to send and receive IP messages that are not established inside the local network.
This gateway address is usually assigned to an Ethernet router. Routers provide a way of directing, or “routing,” IP traffic to the correct Ethernet device inside the Local Area Network (LAN). Routers come in all shapes and sizes: from a computer (with two NIC cards and routing software) to an off-the-shelf broadband router, both handle the communication traffic pretty much the same way. The most common way of routing network traffic between a LAN and wide area network (WAN) is to use a network address translation (NAT). NAT provides a way of taking a single IP address, supplied by the Internet service provider (ISP), and allowing multiple devices to share the same Internet connection.
Unfortunately, the NAT does not provide a true end-to-end connection. This means, by default, that a TCP connection established outside the local network may not be able to connect with the destination device – due to the fact the IP address of the destination device is hidden behind the router. In order for this type of communication to occur, the process of port forwarding must be used. Port forwarding occurs when communication from outside the network sends a message to the router’s IP address; the router determines where to send the packet based on the port number. NAT lack of end-to-end connectivity may be considered a problem in some circumstances but it also provides a simple means of network protection.
By attaching a PLC to a network with Internet access, the device will be exposed to all of the same possible security threats as a computer.
One of the best security measures is to select a controller that utilizes an embedded operating system not popularly used by the consumer public. This helps keep the PLC from being vulnerable to attackers using known exploits to the operating system because the knowledge base is much smaller. “Security through Obscurity” is the phase coined by this type of security measure.
In addition, a properly configured router can provide effective protection for the control network from potential attacks. Utilizing the lack of end-to-end connectivity prevents most unsolicited requests for communication outside the local area network. When setting up a router, be sure to limit the amount of open ports. For example, an open FTP port can lead to a possible exploit by uploading a program to override the operation of the controller. The best rule of thumb is never keep a port open that is not being used regularly.
For increased protection, a virtual private network (VPN) can be setup to increase the security by encrypting the data transmission when traveling over a public network – such as the Internet.
Instead of opening all the ports that are needed to handle communication to the control network, one single authenticated network port passes the encrypted communication so the user can have all of the access as if they were inside the local area network.
By applying these simple techniques to modern-day control networks, new options are available for the control design. Data collection over great distances is one of the best uses for this technology. Control systems can be more easily integrated within a business network for coupling the supply chain management to the factory floor.
About the author:
Paul Reszka is an application engineer for WAGO Corporation. For more information, e-mail firstname.lastname@example.org call 262-255-6333, ext. 154.