Software Toolbox Technical Blog


The Benefits of Secure Remote Access to Industrial Process Data

Apr 2, 2020 2:00:00 PM

It can be tricky in this era of increasing cross-connectivity of anything and everything, from a lowly household appliance to IT/OT hybrid systems applying predictive analytics to an industrial process, to balance connectivity everywhere with the security required to mitigate cyber threats. In the past, remote access to industrial process data often required network access to the actual HMI or SCADA system on the process network. But why do you need network access to your SCADA system when all you really need is access to the data?

In this blog post, we'll discuss a few of the key benefits of remote access to your industrial process data, which can be essential to making timely business decisions. We'll also discuss a flexible solution for enabling remote access without exposing your industrial process network to outside threats, including how to sign up for a free account for a limited time.

In many companies across multiple industries, remote access to the industrial control system is currently provided through industrial tunnellers over a VPN connection. This way users can log in, request the data and log out. The VPN is considered the security measure, when in fact a VPN is not a security measure but a secure path. Such a method still ultimately requires open firewall ports and direct access to the control system.


Diagram - Traditional Remote Networking

Such security risks are typically tolerated as a "necessary evil" due to the benefits of having remote access to industrial process data. Let's look at some of those benefits before turning to a more secure and flexible method of remote data access.

Reason 1: Enabling decision maker access to key process data anytime

The most basic requirement of those needing access to their company's industrial control system is access and visibility to the actual data, whether that is the current level in a tank, the temperature of a piece of equipment or the production level for some period of time.  Access to timely information for those making the daily decisions in a business is critical to making the right decisions.

Diagram - Benefit #1 - Remote Monitoring & Supervisory Control

And it is frequently only necessary to have read-only access to that data. That's a key differentiator - do you really need full-blown access to your HMI or SCADA if you only need to know what a tank level is? The short answer is, NO, you don't. As long as you can easily access that tank level and it is accurate at the time, that's all you really need.

Reason 2: Providing centralized access to geographically distributed site data anytime

Taking the last benefit one step further, having remote access makes it possible to access that key process data from anywhere in the world, all from one place. Whether that's from your laptop as you lie in bed at 2 am in your pajamas worrying about a decision that will affect your global operations, or from a centralized operations center, having the ability to know everything about your operations on a global scale is key to making the right decisions for an enterprise as a whole.

Diagram - Benefit #2 - Geographically Distributed Access

Having one place to look for data from all locations saves the time and effort of having to remotely access all sites individually or bring resources from those individual sites together to report on current statuses. It can provide a bird's eye view of global operations, making decisions more timely and effective. Not to overstate matters but when the difference between the status quo and making a change can cost thousands of dollars or more by the minute, cutting out the middle man when it comes to the data required for the decision can make a huge difference.

Reason 3: Safe access to key process data by third-parties and external systems anytime

And, in many industries, the ability to work efficiently and effectively with third-party vendors is critical to profitable operations.  But do you really want to provide full-blown remote access to your HMI or SCADA to a third-party?  I'd be very surprised if you answered yes to that rhetorical question.

Being able to share key data points with a third party, though, can be very beneficial when done in the right way. For example, we work with a smelting company that had a unique issue with how they interact with a third-party raw materials supplier. In the past, this raw material supplier would simply show up periodically to refill the holding tanks for that raw material.

The problem, though, was that this replenishment was occurring even if the tanks were still full, resulting in tank overflows, wasted materials and wasted manpower.  Providing that third-party supplier with read-only access to the holding tank levels made it possible for replenishment deliveries to only occur when needed, increasing the efficiency of the process.

Diagram - Benefit #3 - Safe External Party and System Access

Additionally, making all of your industrial process data (or even a subset of it) available to big data, analytics or even historian systems might be necessary as part of corporate initiatives. Having a means of exposing the required data to those systems without compromising the security of your process network is imperative.

How remote industrial process networks are traditionally accessed

It's undeniable that secure remote access to industrial control systems is beneficial for many companies.  But the "how" of that remote access is a gray area of pitfalls.  As I mentioned earlier, it has traditionally been the accepted practice to simply have VPN access to the industrial network and just directly access the system.

The problem with that architecture is that it requires your IT department to open at least one firewall port, possibly more, to enable that access. An open firewall port, no matter how many security rules have been applied to it, is still an open path for a cyber threat to worm its way onto your process network. VPNs, in general, assume a trusted device is connecting. And that’s the problem – any connected device on a VPN can access everything else on your network! A high-quality proxy firewall can limit ports and do filtering, but do you have that? Did your IT set it up right? Do you really trust those devices you cannot see?

Diagram - Pitfalls of Traditional Remote Access

Security, though, ultimately rests in who has physical possession of a device.  Attack surfaces multiply relative to the number of connected devices, increasing the risk that a connected device could be compromised and used for a cyber-attack.

But there is a better way.

Secure remote access by reversing the master/slave relationship

Instead of directly accessing and requesting the data from your industrial control system, what if your control system could privately publish the data where it is remotely accessible to your users in real-time?

To that end, the SkkyHub Secure Cloud Service™, an SaaS solution provided by Skkynet, is a secure end-to-end platform that makes it possible to connect virtually any industrial or embedded data source, visualize the data, and monitor or control your process or system from almost anywhere. SkkyHub does this with no custom programming, no open inbound firewall ports and no required VPNs, and it allows full bi-directional communications and supervisory control (where desired).

Diagram - SkkyHub with DataHub Remote Monitoring Architecture

SkkyHub accomplishes this by reversing the traditional master and slave relationship. Initial connections to the SkkyHub cloud server are outbound from either an embedded device or the Cogent DataHub®.

This is a WebSocket connection. Because it is initiated outbound, the required process data can flow without any inbound firewall ports being opened, and it remains secure since the WebSocket connection is encrypted. You can choose whether you allow data to flow back in or just push data out to the cloud for authorized users to see. You can also put incoming data on a separate path from outgoing data if you want. You are in control of your data with this solution, not someone else.

Best of all, no VPN is required and both the data and the connection path are encrypted and secure. This makes end-to-end data access possible – from the device to the SCADA system. The connected external device or system is never granted direct access to the SCADA network - only the process data passes. As a result, each connection or remote system is isolated from cyber-attack or virus propagation.
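The outbound-only pattern described above can be sketched in a few lines. This is an added example, not SkkyHub or DataHub code and not their protocol: it uses plain TCP on loopback with newline-delimited JSON in place of an encrypted WebSocket, and the tag names, values and function names are constructed for illustration.

```python
import json
import socket
import threading

# Constructed sample tag values (not from the original post).
TAGS = {"Tank1.Level": 72.5, "Furnace2.Temp": 1480.0}
# Constructed write request the relay sends back down the same connection.
WRITE_REQ = {"op": "write", "tag": "Tank1.Level", "value": 0}

def send_line(sock, obj):
    sock.sendall((json.dumps(obj) + "\n").encode())

def relay_once(listener, received):
    """Cloud-side stand-in: the only endpoint that accepts connections."""
    conn, _ = listener.accept()
    with conn, conn.makefile("r") as lines:
        send_line(conn, WRITE_REQ)            # data trying to flow back in
        for line in lines:                    # collect what the plant published
            received.append(json.loads(line))

def plant_publish(relay_addr, tags, allow_inbound_writes=False):
    """Plant side: dials out, never binds or listens on any port."""
    applied = {}
    with socket.create_connection(relay_addr, timeout=5) as s, \
            s.makefile("r") as lines:
        for name, value in tags.items():
            send_line(s, {"tag": name, "value": value})
        s.shutdown(socket.SHUT_WR)            # finished publishing
        for line in lines:                    # anything the relay sent back
            msg = json.loads(line)
            # Push-only by default: inbound writes are read and dropped.
            if allow_inbound_writes and msg.get("op") == "write":
                applied[msg["tag"]] = msg["value"]
    return applied

def run_demo(allow_inbound_writes):
    listener = socket.create_server(("127.0.0.1", 0))   # relay side only
    received = []
    t = threading.Thread(target=relay_once, args=(listener, received))
    t.start()
    applied = plant_publish(listener.getsockname(), TAGS, allow_inbound_writes)
    t.join(timeout=5)
    listener.close()
    return received, applied

if __name__ == "__main__":
    print(run_demo(allow_inbound_writes=False))  # published tags, no writes applied
    print(run_demo(allow_inbound_writes=True))   # same tags, write accepted
```

The only listening socket belongs to the relay; the plant side decides locally whether anything arriving over its own outbound connection is applied.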

And all of this occurs in relative real-time with data updates in milliseconds as opposed to seconds or minutes on potentially thousands of data points.  Since SkkyHub is an SaaS solution, it can be scaled up or down easily based on your project needs, as well.

It's easy to sign up and run a proof of concept to confirm secure remote connections to your industrial control systems, all without disrupting any existing systems - take advantage of the flexibility of SkkyHub to enable secure remote access to your process data with a free account, for a limited time.

As of April 1st, you can sign up for a SkkyHub Basic or Standard account, available for free from April 1st until July 1st, 2020. Click below to request yours!

Get Free Trial of SkkyHub and DataHub Now

Written by Kevin Rutherford
