Edge Gateways Deliver Secure Connectivity
EP Editorial Staff | April 1, 2022
For new and retrofit projects, IoT edge gateways provide needed connectivity, while fortifying network security.
By Jonathan Griffith, AutomationDirect
Most are familiar with the idiom “if it ain’t broke, don’t fix it.” On the other hand, a small group of tech folks may occasionally follow the lesser-known guidance of “if it ain’t broke, keep fixing it until it is.” All kidding aside, there are a lot of existing industrial-automation installations that do not appear broken, and others that need modification to enable remote access. The former may already be insecure from a cybersecurity standpoint. For the latter, it is possible that certain upgrades may weaken cybersecurity.
New installations also require secure remote access, but they can be designed from the ground up with the latest hardware and software. However, most companies have a significant amount of legacy equipment, and it would be of great benefit to remotely connect with many of those systems. Whether automated equipment is brand new or a legacy installation, end users need to understand the benefits of connectivity versus the potential security issues, along with best practices for achieving secure remote monitoring and control.
Gaining remote access and data connectivity to improve monitoring and control are key aspects of industrial internet of things (IIoT) initiatives. The IIoT maturity model (Fig. 1) offers five steps that will take your operation from computerization to adaptability.
Most companies have benefited from the initial digitalization stage through the computerization of equipment using programmable logic controllers (PLCs) or similar devices. Many have taken the next step of connecting these intelligent assets to plant networks so they can access and visualize the data, either on the local network or using the cloud.
To gain maximum value, it is necessary to advance into the Industry 4.0 stage where the data is analyzed to determine how assets are performing. Once this is understood, it becomes possible to predict what will happen in the coming hours/days/weeks. Then, with closed-loop communications back to the factory floor, automation systems can be designed to respond and adjust operating conditions adaptably and autonomously.
Connectivity makes remote access, analytics, and responses possible. The benefits apply to end users, to OEMs building automated equipment, and to the system integrators who support these groups. However, effective connectivity must also overcome cybersecurity and other risks.
Understanding the issues
While a cyberattack—where a malicious party either disrupts operation or extracts data—is often perceived as the greatest threat associated with connectivity, there are other equally valid concerns. An unexpected example is the risk of not adopting remote access at all. Failing to implement remote access results in lost opportunities for improving efficiency and quality, and for reducing operating and support costs and effort.
Other connectivity concerns and risks include:
• connecting to an active system, which might disrupt operation
• connecting a laptop to a system and inadvertently enabling a virus or other breach
• making unintended configuration or firmware changes.
The problem of achieving secure connectivity is compounded by the fact that operational technology (OT) machines typically have 15+ year lifecycles, which is far longer than IT asset lifetimes of 5 years or less. Cybersecurity threats change rapidly and therefore require user vigilance over the long OT lifetimes.
In the most general terms, wired and wireless networking technologies facilitate connectivity from edge-located machines and sensors to the plant production network, the site business network, and perhaps the internet/cloud. The machine and plant manufacturing networks are squarely OT, while business and internet/cloud networking is considered IT.
There can be many small, localized machine networks, each interconnected with the plant manufacturing network, and all within the OT network. Human-machine interfaces (HMIs), installed locally to PLCs, are almost always part of the OT network. More advanced SCADA/MES/ERP systems can exist in either the OT or IT network, or both.
In an ideal world, every network-connected device—whether a sensor, PLC, PC or other—would provide its own impeccable security provisions. The reality is that the vast majority of legacy devices, and many modern devices, simply do not have these security provisions. If they do, it is a massive and basically unworkable burden for users to keep the multitude of security firmware and settings up to date.
The answer for protecting all these assets in a practical manner, while providing the necessary connectivity, is to apply an IoT edge gateway to each machine (Fig. 2). This isolates the machine network from higher-level networks by only enabling specifically configured connectivity. Integrated IoT edge gateways are multifunctional devices that include:
• a router to separate networks
• a firewall to block unwanted connections
• a modem to securely connect to the internet
• the ability for remote users to connect to devices on the machine network for programming or debugging
• the ability to interface with a cloud-based IoT platform and provide data collection, visualize data on PCs or mobile devices, and send alarms/notifications to specific users.
An IoT edge gateway protects the underlying machine network from the greater OT and IT networks, preserving machine operation and avoiding the need to modify any existing real-time control or other programming. It also provides secure remote connectivity to higher-level computing systems.
Gateway in action
For the OEM machine builder, the remote connectivity application may be as simple as adding secure remote visibility to assets installed at customer sites. Some machines may be offered with HMIs, or PLCs that can work with mobile apps. Both typically require opening ports in the plant firewall for remote access.
Instead, these machines should be upgraded with an IoT edge gateway to include a virtual private network (VPN) connection through which the mobile app can securely connect, while preserving full machine functionality. This provides a secure machine network and improves the end user’s plant security, without requiring the OEM to fundamentally change their product. Another consideration for OEMs is that selecting an IoT edge gateway compliant with IEC62443-1 and IEC62443-2 is another step toward increasing the value for the end user, as it allows OEMs to pursue IEC62443-3 on their machines, ensuring that the entire machine is cyber secure.
IoT edge gateways address the open-port problem in two ways. First, shortcuts to HMI web servers or VNC servers can be accessed conveniently and securely from the associated gateway mobile app without requiring open ports in the firewall. Second, the gateway app also offers mobile VPN, which provides secure communication when a third-party HMI or PLC app is required.
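To make the contrast between the gateway's default-deny segmentation (the router/firewall functions listed above) and the "open ports in the plant firewall" approach concrete, here is an added toy zone-policy model. It is illustrative code written for this article, not AutomationDirect or gateway firmware code; the zone names, port numbers, rule tables and the `exposed_inbound` audit check are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# A rule is (source zone, destination zone, TCP port or None meaning any port).
Rule = Tuple[str, str, Optional[int]]


@dataclass(frozen=True)
class Flow:
    src_zone: str   # "internet", "plant", "machine", or "vpn" (tunnel terminated on the gateway)
    dst_zone: str
    dst_port: int


# Posture the article warns about: ports opened in the plant firewall so a mobile app
# or remote engineer can reach the HMI web server and VNC server directly. (Constructed.)
OPEN_PORT_RULES: List[Rule] = [
    ("internet", "machine", 80),    # HMI web server reachable inbound from the internet
    ("internet", "machine", 5900),  # VNC server reachable inbound from the internet
    ("plant", "machine", None),     # flat plant network: anything on it reaches the PLC
]

# Gateway posture: default deny; only specifically configured connectivity is enabled,
# and interactive access to the machine network exists solely through the VPN. (Constructed.)
GATEWAY_RULES: List[Rule] = [
    ("vpn", "machine", 80),        # HMI web page, only via the gateway VPN
    ("vpn", "machine", 5900),      # VNC, only via the gateway VPN
    ("machine", "internet", 443),  # gateway-initiated outbound push to the cloud IoT platform
]


def allowed(rules: List[Rule], flow: Flow) -> bool:
    """Default deny: a flow passes only if some rule matches its zones and port."""
    return any(
        src == flow.src_zone and dst == flow.dst_zone and port in (None, flow.dst_port)
        for src, dst, port in rules
    )


def exposed_inbound(rules: List[Rule], probe_ports=(80, 502, 5900)) -> Set[Tuple[str, int]]:
    """Audit check: which machine-network services are reachable without the VPN?

    Probes HTTP (HMI web), Modbus/TCP (PLC) and VNC from the plant and internet zones.
    An empty result means the machine network is segregated as the article describes."""
    return {
        (zone, port)
        for zone in ("internet", "plant")
        for port in probe_ports
        if allowed(rules, Flow(zone, "machine", port))
    }
```

Running `exposed_inbound(OPEN_PORT_RULES)` lists every service a flat plant network or an opened firewall port exposes, while `exposed_inbound(GATEWAY_RULES)` is empty even though the same HMI and VNC services stay usable over the VPN.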
Some cybersecurity challenges are easier to spot than others, but industrial automation systems can afford no lapses. Many end users want to add remote connectivity to new and existing systems so they can improve the monitoring and control of their equipment, but they are rightfully concerned with how to do this in a secure manner. IoT edge gateways are a universal method of providing this connectivity, while effectively segregating and securing machine networks from the plant production, business, and cloud networks.
Jonathan Griffith is Manager of Industrial Communications & Power Supplies at AutomationDirect, Cumming, GA (automationdirect.com). Prior to joining AutomationDirect, he worked at ANADIGICS, a Wi-Fi networking company. Griffith holds MBA, MSEE, BSEE degrees from the Georgia Institute of Technology, Atlanta. He can be reached at firstname.lastname@example.org