Cloud-Based Remote Maintenance in Plant Engineering

Innominate Security Technologies AG

If plants are to work efficiently, they must be continuously available. Should disturbances occur, quick assistance via remote maintenance is essential. The dilemma: plant operators tend to avoid such maintenance access for security reasons. And particularly small to mid-sized manufacturers shy away from investing in a security infrastructure that constantly needs to be state-of-the-art. A secure cloud platform addresses this conflict. It can offer the latest security standard, meaning that plant manufacturers do not require their own infrastructure.

“As an equipment manufacturer, our core competency does not lie in constructing complex IT infrastructures, but service-friendly plants for our customers,” explains Ettore Caurla from the Customer Service Department of STOPA Anlagenbau GmbH. With 200 employees, the medium-sized equipment manufacturer is one of Europe's leading providers in the development and production of automatic storage and retrieval systems.

Remote Service Ensures a Quick Solution for Around 80 percent of the Disruptions
STOPA's storage systems need to ensure a quick and efficient material flow for operators. If a storage system is disrupted, the entire production process can be quickly compromised. Common causes of disruptions are plant and operative problems, including proper handling under Windows or the configuration of Interbus or Profibus applications. Many of the problems can quickly be solved online or by telephone.

Service and system availability have always played a decisive competitive role for the manufacturer. For this reason, remote service has been a common means of support at STOPA for 20 years. Initially, customer plants were remotely accessed using analog modems. However, with the rising scope of automation technology services and data volumes, this was no longer enough. Slow connections led to a situation in which the sensor data status changed during transmission, for example. So the modems were replaced by broadband IP connections. “1,000 of our 1,600 plants are connected via remote service. Only smaller and older plants have not been included. New plants are fully equipped with remote service features,” reports the service employee.

The STOPA Customer Service Department systematically evaluates the duration and success rate of the remote service. It received 5,000 calls last year. These included requests for appointments, documents or other service information. Remote support was initiated for 600 calls to resolve disruptions. In 78 percent of these cases, the problem could be conclusively resolved within 24 hours. Only the remaining 22 percent required longer processing times, for instance due to spare parts for defective devices not being available locally.

New Technology Reduces Fault-Clearing Times by 50 Percent
Previously, STOPA had used a modem-based service solution for remote support. The average connection time per assignment was 75 minutes. Establishing the connection and the exchange of extensive program files with Siemens Step 7 alone required 20 minutes. Rather complicated handling also extended the support time.

With the conversion to mGuard VPN (virtual private network) technology from Innominate, the average connection time was reduced to just 37 minutes. Here, establishing the connection initially required 30 seconds, but was reduced to just a few seconds after a software update. Basically nothing was changed in terms of the accessibility of the Simatic S7 or S5 systems. The processes merely became more streamlined due to the intuitive operation. “The connection time for remote service is an important variable, because the faster we can help the customer, the more cases the support team can attend to,” says Ettore Caurla. Not only was the IP connection technology replaced, but with the cloud platform mGuard Secure Cloud, a new remote service approach was introduced.

The operator retains control. VPN connections can only be established from the machine outwards using a hardware key switch.

Remote Service via a Cloud Platform
“We were looking for an easy-to-manage and economic solution. It had to ensure the highest security standard for our customers. At the same time, we did not want to deal with complex security architectures or the configuration of VPN clients, proxies and firewalls,” explains the STOPA service technician.

From the perspective of the plant manufacturer, setting up an in-house security infrastructure would be too costly: “State-of-the-art security requires a reliable and fail-safe infrastructure, disaster recovery and ongoing updates. Due to the high infrastructural and personnel costs involved, these factors are not economically feasible for a medium-sized manufacturer,” says Ettore Caurla.

He became aware of the mGuard technology from a business partner, Trumpf, a leading German manufacturer of machine tools and laser systems. “The cloud solution is the perfect approach. The mGuard hardware is already pre-configured for use. Just two outgoing ports need to be set up once for customer-side integration. That's it. We do not intervene in the customer's IT, nor does the customer have to install any software,” emphasizes the service technician. As supplier of the cloud platform, Innominate has longstanding experience in security solutions for industrial networks and secure remote maintenance via the Internet.

In the mGuard solution, a tap-proof and tamper-proof VPN tunnel is established with hardware-based encryption between the customer's plant and the service technician. The connection is established via Innominate's mGuard Secure Cloud, a turnkey VPN infrastructure for operators and plant and equipment manufacturers. The cloud platform is operated in a German data center under the highest security and privacy standards (see text box “Remote Maintenance as a Cloud Solution”).

The Operator Retains Control
Having set up 1,000 installations, the STOPA service technician names the most important requirements for a remote service solution: “For the operator, system availability has become even more important in recent years. For this reason alone, operators are willing to allow external access. At the same time, they want to retain control. For us as a manufacturer, the costs and efficiency level are decisive factors.”

From a previous job as an IT administrator, Ettore Caurla has extensive experience with various VPN technologies: “Centralized IT demands reliable protection of one's own plants. Especially in large companies, access to the in-house network is therefore largely restricted. In addition, many security requirements for authorization of remote service connections make handling extremely inefficient.” He cites the example of security tokens that generate a new, one-time password every ten seconds. Once the connection is made, the password has often already expired. In other cases, an IT employee or the supervisor must be called in to enter the password. Such processes make customer support difficult and ineffective.

The STOPA service technician finds Innominate's secure cloud approach much more efficient yet still very secure: The machine operator must first enable the connection with a VPN hardware switch. It can only be initiated from the plant operator's network. While the connection is being established, an indicator light blinks. Once the connection has been made, this light is permanently illuminated. One push of the switch button is enough to interrupt access. This ensures that there is always an operator on site. For service access, no one can be endangered (safety). What's more, the operator always maintains control over access to his network, because a connection is only possible after his consent with the hardware switch (security).

Cost-Effective and Efficient for the Manufacturer
The service technician emphasizes that with over 1000 plants, customized solutions are impossible. Acceptance of the uniformly utilized mGuard technology is also very high due to the operator's exclusive and permanent control over the VPN connection. Even 20-year-old Simatic S5 systems can be remotely serviced via an Ethernet adapter.

“This cloud approach is perfect for manufacturers who want to maximize their efficiency: quick connection establishment, ease of use and a security level that only large companies could otherwise attain. Because no in-house infrastructure is required with the cloud platform, we save about 30 to 40 percent of the costs,” said Ettore Caurla, summing up the advantages. In so doing, he stresses the good collaboration with the supplier: “Innominate is very customer-oriented. The annual mGuard User Conference hosted by Innominate with diverse practice-based reports on secure remote maintenance is also very helpful to us.”

Text box: Remote Maintenance as a Cloud Solution
Innominate's mGuard Secure Cloud public primarily provides medium-sized machinery and system manufacturers and their asset-operating customers with a turnkey VPN infrastructure. The cloud platform is operated in a security-certified German data center. The cloud solution avoids any user-side problems with the configuration of certificates, NAT, proxies, firewalls, etc. Neither the manufacturer nor the plant operator needs to install any additional software. The mGuard VPN technology is based on the IPsec security protocol with high-level encryption, allowing the mGuard to ensure the confidentiality, authenticity and integrity of all information and data transmitted between service technicians and machines.

Because no technical details need to be clarified, the remote service application is available within a few hours via a secure VPN connection. New mGuard field devices for the integration of further machines and systems are put into service using a preconfigured SD card. The VPN configuration is automatically uploaded, saved, and activated on the mGuard from the SD card, allowing the customer's machinery to go online with minimal effort. All operating processes and administrative tasks can be taken care of within the mGuard Secure Cloud public via a web browser.
