Cybersecurity and Remote Access – Secure Internet Access to PLCs
Today, digitalisation of processes, data in the cloud and remote Internet access are the new norm. What still lingers, however, and has even grown following some unpleasant experiences, is concern over digital threats. As a result, cybersecurity requirements have increased. Apart from banking institutions and big corporations, medium-sized manufacturing companies are now also in danger of being targeted by hackers.
It is not only financial data or sensitive personal information that can be put in jeopardy. The more your devices rely on production and technological data, the more attention you have to pay to IT security. Your know-how may be compromised and the seamless operation of your production endangered.
When connecting various systems, for example sensors, HMI panels and PLCs, you have to ensure that your connection is secure enough to eliminate the risk of unauthorised people gaining access to and managing your devices. This does not mean that you should reject connectivity altogether. It is enough to set your security standards well.
Why Your IT Department Will Disapprove of Simple Solutions
Let us now explore what your remote access should (not) look like.
To connect to a remote computer, you can of course use one of the free, simple programs. At home you may not care, but doing so means unwittingly opening the gate to your network and exposing it to any potential outside threat.
In the context of businesses, this is something that no sensible IT department will ever allow. It will demand that network security standards are complied with by anyone who needs to access its network.
5 Elements of Secure Remote Access to PLCs
When choosing your tool for remote access to production control systems, you should consider several security factors – appropriate certification, multi-factor user authentication, (adherence to) advanced password management, the assignment of specific IP addresses to particular users and log traceability.
All of these factors are dealt with in the following sections and illustrated with the example of Ewon routers and the Talk2M cloud service.
"Years ago, we were looking for secure, user-friendly tools for remote access to PLCs for our customers. In the end, we chose Ewon routers. They are fast and easy to deploy and highly secure for the IT infrastructure. On top of that, they are affordable for small as well as medium-sized companies," says Jaromír Peterka, the owner of the company FOXON.
How easy is it to work with Ewon routers without the active support of your IT department? We have written about this a few times already. You only need your IT department to approve your router and to authorise and prepare an Internet connection for it. After that, you will be able to manage the actual work with the router yourself at the level of production or maintenance.
So let us now take a closer look at what cybersecurity standards you need to establish so that you get the green light from your IT experts.
1. Security Certifications
You should ensure that your remote access tool has at least ISO 27001 certification, which guarantees a certain level of information security with regard to products.
Ewon routers have this ISO certification. In addition, in cooperation with the independent cybersecurity company NVISO, the manufacturer of Ewon routers, the company HMS, has implemented a project that aims to scrutinise Ewon systems on a regular basis and provide continuous feedback on how to improve them in terms of cybersecurity.
For more information on Ewon routers and their certifications, please go to Ewon's website.
2. User Account Management and Multi-Factor Authentication
The Talk2M Pro cloud service boasts a very sophisticated user account management system. The Talk2M administrator – who does not have to be an IT specialist but can be a maintenance manager or a PLC programmer – can create an account for each user and set the account's name, password creation rules and the user's rights.
You can also take advantage of two-factor authentication. To log in, the user must enter their password and a one-time verification code received via SMS. This eliminates the risk of user accounts being misused.
3. Log Traceability
Thanks to the sophisticated user account management system, you can easily find individual logs and see, for example, who was connected to a particular IP address via the Ewon router, when and for how long. This enables you to identify the person responsible for certain changes made, as well as anyone who had access to the device.
4. A Comprehensive Firewall and Restricted Access
A big advantage is that the Talk2M administrator has full control over who connects to what. In the paid Talk2M Pro version, the administrator grants each user access to particular IP addresses, ports and protocols.
This means that when there are ten devices installed on your production line and each is from a different manufacturer, using a single Ewon router you can allow all the users concerned access to the production line and grant each user access only to particular devices.
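The per-user restriction described here and the log traceability from section 3 can be checked together. The following is an added example, not part of the original article and not Ewon or Talk2M code: it assumes connection records have been exported as simple tuples (the user names, addresses and log layout are all constructed) and shows a default-deny check of each session against the intended grants, plus the "who was connected to this IP, when and for how long" query.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed policy (hypothetical users and devices): each user is granted
# specific (network, protocol, port) tuples and nothing else.
GRANTS = {
    "plc_programmer": [("192.168.10.11/32", "tcp", 102)],
    "hmi_vendor": [("192.168.10.20/32", "tcp", 5900),
                   ("192.168.10.20/32", "tcp", 443)],
}

# Constructed session log: user, destination IP, protocol, port, start, end.
SESSIONS = [
    ("plc_programmer", "192.168.10.11", "tcp", 102,
     "2024-03-04T08:00:00", "2024-03-04T08:45:00"),
    ("hmi_vendor", "192.168.10.20", "tcp", 5900,
     "2024-03-04T09:10:00", "2024-03-04T09:25:00"),
    ("hmi_vendor", "192.168.10.11", "tcp", 102,
     "2024-03-04T09:30:00", "2024-03-04T09:32:00"),
    ("unknown_user", "192.168.10.20", "tcp", 443,
     "2024-03-04T23:50:00", "2024-03-04T23:58:00"),
]

def is_allowed(user, dst, proto, port, grants=GRANTS):
    """Default deny: permit only when an explicit grant matches all fields."""
    return any(ip_address(dst) in ip_network(net) and proto == p and port == pt
               for net, p, pt in grants.get(user, []))

def who_connected(dst, sessions=SESSIONS):
    """Return (user, start, minutes) for every session to dst, oldest first."""
    rows = []
    for user, ip, _proto, _port, start, end in sessions:
        if ip == dst:
            t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
            rows.append((user, t0, int((t1 - t0).total_seconds() // 60)))
    return sorted(rows, key=lambda r: r[1])

def out_of_policy(sessions=SESSIONS, grants=GRANTS):
    """Sessions that no grant covers: unknown users or disallowed targets."""
    return [s for s in sessions if not is_allowed(s[0], s[1], s[2], s[3], grants)]

if __name__ == "__main__":
    for user, start, minutes in who_connected("192.168.10.11"):
        print(f"{start.isoformat()}  {user:15s} {minutes} min")
    for s in out_of_policy():
        print("REVIEW:", s[0], "->", f"{s[1]}:{s[3]}/{s[2]}")
```

Running the audit outside the access platform gives an independent check that the sessions actually recorded match the grants the administrator intended.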
5. Advanced Password Management
Speaking of information security, we should not forget about the rules for creating secure passwords. Your password should be unique, long enough and contain various character types (lower case and upper case letters, punctuation marks and numbers). And you should of course change it regularly.
Talk2M Pro enables you to do all of the above. When you are creating your password, it tells you whether it is secure enough. Most importantly, the administrator can establish rules for password creation, including the password's length and complexity. They can also set an expiry date for the password of someone who will only be granted one-time access. That way, the administrator does not have to remember to block it once the person has finished the job and no longer needs it.