Secure data connection for remote maintenance

26 January 2016

The specialist brewery system supplier, GEA, employs remote maintenance as part of its solution, to ensure a high level of plant availability and efficient plant operation. Security of data connections plays an important role in the process.


With expertise in both hot and cold brewery processes, GEA’s business activities range from engineering, supply, installation, commissioning, and automation right up to service for plants and components. Today the company has a global presence with subsidiary companies in more than 50 countries.

GEA services range from system development right up to commissioning and comprehensive service. “Our automation system integrates a variety of components, supplied by us and third-parties, to create a productive overall system. In addition to the actual PLC controller, the system includes control stations, redundant servers and a network that connects the entire production system, often via fibre optic links. Currently, virtual environments are being added to this, too,” explains Ralph Becker, software development manager at GEA.

Plenty of know-how and experience is necessary for efficient and uninterrupted operation of such complex systems. This is why, at GEA, process optimisation and system modernisation is an important business segment that is implemented with the help of remote maintenance technology.

Remote maintenance
GEA has been offering remote maintenance via modem links since the 1990s in order to be able to remotely visualise exactly what the operating personnel are seeing on their monitors in parallel to discussions on the telephone. "Since 2008, we have been using VPN tunnels via a dedicated DSL connection to give us access to all computers in the production network with only one device per customer site," said Becker.

Actual disruptions account for only one-third of the remote maintenance assignments. Primarily, remote maintenance is used to attend to the system operator's requirements for modifications and optimisations. Many requests for adaptations come up only in the course of plant operation due to the complexity of the brewing processes. Other activities are necessary in order to adapt the control system to modified hardware or software. 

To optimise the plants or fix problems, GEA technicians can access the recorded data directly via remote maintenance and analyse the current plant status. "Our customers know that when needed, we show up quickly at their plant – at least virtually – without the need to send our engineers on often long trips to their actual plant. With the help of a symmetric DSL connection and efficient software, work on the customer's computers can be done really comfortably, even when several colleagues are using the remote maintenance system simultaneously," continues Becker.

The need for security
Becker goes on to explain that, following numerous reports of data protection and IT security incidents in recent years, the acceptance of secure VPN technology (Virtual Private Networks) in place of private free tools has grown considerably. "On the basis of security considerations, we will only consider solutions with VPN routers as a substitute for a modem connection," said Becker. "We use the mGuard technology from Innominate. This allows us to further improve the availability (simultaneous access to multiple customers), the security (explicit authorisation via a user firewall) and the documentation (centralised Syslog server)."

A VPN-enabled Ethernet router and a configurable firewall with a dynamic packet filter are integrated in each mGuard device to safeguard the data connections. The mGuard takes over the role of the VPN gateway. Service technicians and the plant network are therefore connected together via the Internet to a common protected network.

For the GEA manager, an illuminated switch in the control cabinet door at the plant operator's premises is another important security feature: "This even allows employees with very little IT experience to establish a VPN link, and to gain the reassurance of knowing that they now have the remote support with them." 

The switch gives complete control over the remote service access to the plant operator. It is only when the switch is operated and the lamp flashes that the VPN gets initiated. A continuous light then indicates the status of an established connection. 

VPN technology 
GEA's requirements for the VPN technology and its supplier were a powerful and error-free remote maintenance solution as well as direct access to firmware support from the manufacturer. With the previous supplier, there had been repeated support problems, and enhancements to the solution proved to be inadequate. The GEA manager mentions the ‘hub-and-spoke VPN function’ as an example. This enables multiple employees in the office, and others working remotely, to use a secure VPN remote maintenance link simultaneously via the same device at the central location. This capability was missing in the old system and its supplier could not deliver a solution for this purpose.

Becker also highlights the fact that the mGuard technology has been specially designed to meet the requirements of industrial production and is, therefore, suitable for use in process technology applications. The important aspects here include the low administrative costs and the special attention to the security of the data through the use of contemporary encryption technology. "Technology that is considered secure today may well be compromised tomorrow. This is why it is so important to keep a constant eye on current developments," said Becker. "Innominate is always at the forefront of new developments. We are always updated on current news and trends via e-mail newsletter, for example, when the Heartbleed bug in OpenSSL was discovered and fixed."
