But for remote access to a PLC, Jones says that solution doesn't work well. "First, you must have a PC at the remote site connected to both the Internet and to the PLC. This never is recommended because it creates serious security issues. Second, the remote PC must have the development software installed on it, and this is a licensing headache we prefer to avoid."
Instead, Prism uses Siemens industrial security modules for PLC access. "This is a hardware solution that allows us to install a special security module at the customer's location," he explains. "This module has two Ethernet connections—one for the controls network and another for a network with Internet access. We have a second module installed at our office. When we configure the modules, we use a security configuration tool that forms a permanent VPN tunnel between these two devices."
This configuration provides a secure connection from Prism's office to the remote location with a minimum of configuration. "Since this is a hardware device built specifically for secure connections, we can install it with confidence that it will provide a high degree of protection."
Once the VPN connection is established, Prism can connect to PLCs as if they were at the site. "The PLC software is installed on our computers and connects to the remote PLCs over standard Ethernet. Typically, we see no performance issues with the industrial security modules and find that we truly can support the sites without having to travel."
Another advantage to this solution is that Prism can restrict access on both sides to specific devices. "We can configure the modules to pass data between specific MAC addresses to restrict connectivity to only our modules," Jones explains. "The device records all network activity, so the customer has logs of who connected when and for how long."
