mb06: scalable secure remote access solutions

Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.

PUBLIC INFORMATION

Scalable Secure Remote Access Solutions

Sal Conti - Product Manager

Shawn Boike – Sr. Application Engineer

April 2014

Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved. 2

Agenda

Customer Impact

Secure Remote Access

Demonstration

Scalable Solutions


Customer Impact

You’re most likely dealing with leaner budgets and staffs, an aging work force, remote locations and employees trying to keep pace with ever-changing technology.

Wouldn’t it be great to enable the best qualified engineer to have visibility and access to every site?

Virtual Support EngineerTM provides you secure remote access to your sites while providing you valuable information on the health of your assets and systems. If you choose to support your systems, Virtual Support Engineer provides you valuable information while enables you to securely access your systems. If you would rather have Rockwell Automation experts provide the support for you, Virtual Support Engineer connects knowledgeable resources to prevent or optimize your production, in addition to offering support during unexpected failures. All while giving you total visibility and control over who has access, what they have access to and what information they can see.

If you’re looking to optimize your operations, improve employee efficiency and increase productivity, Virtual Support Engineer from Rockwell Automation is your answer.


The Modern Enterprise

4

The Modern Enterprise

Connected Enterprise

Technology Convergence

Automation and IT Technology

Global Enterprise

Global Partners

Modern Issues

Aging Infrastructure / Workforce

Control System Complexity

Competency

Connectivity

Heightened Security

The Need to Increase Productivity


Cost of Downtime

5

$20B = cost of unscheduled down time

89% of unplanned downtime is completely random,

and unpredictable.

8% is spent figuring out if there is a real

problem,

21% is spent diagnosing the problem,

47% is spent scrambling to get the resources

to fix the problem.

That’s 76% of the time before the fixing

even starts!

Rockwell Automation’s Remote Monitoring and Diagnostics can help resolve issues faster, eliminate unneeded maintenance activity and get you back up and running faster!


Value Statement

Reduce total cost of downtime

Highly-skilled engineers respond quickly to an unplanned downtime

event and savings are realized by a fast, organized response. In most

cases even the problem resolution can be identified in less time than it

takes for a typical internal response.

– Internal response times typically run between 30 – 60 minutes – Large investment in time prior to seeking outside help

Reduce downtime

Dramatic reduction in duration of unplanned downtime

Warnings are passed to engineers who can analyze and provide

recommendations to reduce or prevent unplanned downtime events.


Agenda

Customer Impact


Demonstration

Scalable Solutions


Secure Remote Access Defining “Good – Better – Best”

Good – Virtual Support Engineer Standard

Outbound Only Communication(443 & 80)

User Authentication

Remote Access Audit Trail

End-User Control (On/Off)

Better – Virtual Support Engineer Enhanced

Outbound Only Communication (443)

Secure Socket Layer

Certification

Fingerprint

Limit access by User and/or IP address

User Authentication

Remote Access Audit Trail

Remote Access Notification

Remote Access Surveillance / Recording

Complete End-User control

Best – Virtual Support Engineer Enhanced +CPwE

Virtual Support Engineer Enhanced Features

Rockwell Automation / Cisco Reference Architecture Compliant


Virtual Support Engineer Standard Good Security

9

Level 3

Level 2

Level 1

Level 0

FactoryTalk® Application

Server

FactoryTalk Directory

Engineering Workstation

FactoryTalk Client

Operator Interface

FactoryTalk Client


Operator Interface

Batch Control

Discrete Control

Drive Control

Continuous Process Control

Safety Control

Sensors Drives Actuators Robots

Industrial Security Zone

Cell/Area Zone

Firewall

Basic Control

Process

VSE- Remote Access

Virtual Support Engineer

Standard

• Good Security

• Alarm on PLC Tags

• Reports and Dashboards

Good Security

• User Authentication

• Access to entire network

• End-User Control (Grant / Deny)

• Does Not Limit Device Access

• Not compatible with Virtual

Support Engineer monitoring

Services

Service Center


Virtual Support Engineer Standard Secure Remote Access

User Authentication

No Network Isolation

Access log in Virtual Support Engineer

Service Center

No Audit Log

No Surveillance

Remote access limits set by

network architecture.


Virtual Support Engineer Enhanced Better Security

11

Level 3

Level 2

Level 1

Level 0

FactoryTalk Application

Server



VSE- Remote Access Client

FactoryTalk Client

Operator Interface

FactoryTalk Client


Operator Interface

Batch Control

Discrete Control

Drive Control


Safety Control



Cell/Area Zone

Firewall

Site Operations and Control

Area Supervisory

Control

Basic Control

Process

VSE- Remote Access


Standard

• Good Security

• Alarm on PLC Tags


Good Security

• User Authentication

• Access to entire network

• End-User Control (Grant / Deny)

• Does Not Limit Device Access

• Not compatible with Virtual

Support Engineer monitoring

Services


Enhanced

• Better Security

• Alarm on any Ethernet Device


Better Security

• Multiple Security Levels

• Limits Remote Access

• Limits Data Flow

• Complete End-User Control

• Compatible with Virtual

Support Engineer Monitoring

Services

Internet

http://images.google.com/imgres?imgurl=http://upload.wikimedia.org/wikipedia/commons/thumb/4/4c/US_Department_of_Homeland_Security_Seal.svg/360px-US_Department_of_Homeland_Security_Seal.svg.png&imgrefurl=http://commons.wikimedia.org/wiki/Image:US_Department_of_Homeland_Security_Seal.svg&h=359&w=360&sz=82&hl=en&start=1&usg=__g68ZxZ1Czwnbm-C8k0D2deynJXk=&tbnid=fqr03iu-bFLMmM:&tbnh=121&tbnw=121&prev=/images?q=department+of+homeland+security&gbv=2&hl=en


Virtual Support Engineer Enhanced Multiple Security Levels

Virtual Support Engineer:

Continuously polling the Comm Server from inside firewall

using HTTPS on Port 443 to 2-3 specific IP addresses.

– Data is compressed, encapsulated, encrypted

– No possibility of VPN bleed or fake connections

– A secure multipurpose tunnel to your sites

Cert.

Cert.

Cert.

Cert.

Finger Print

Finger Print

Finger Print

Finger Print Finger

Print Finger Print

12


Virtual Support Engineer Multiple Security Levels

13

Customer Site

Prepaid Application

DAC Database

Telepath Server

SMSC

Network Device

Other

Site Server

Internet

Only rules approved by site are installed. Each system’s

passwords can be set and managed locally by the Site

Administrator.

Site Administrator can control the data collection

username / password Authentication for

access by Site Administrator

Site Administrator can control the

data flow

Firewall remains intact. Only Port

443 used

Audit Trail

Every action can be approved or denied by the Site Administrator


Virtual Support Engineer Standard Secure Remote Access

User Authentication

End user manages access requests

Grand / Deny

Device Access Control

Data Flow

Remote Access

Remote Access Notification and Control Remote Access Surveillance

Network Isolation through Virtual Support Engineer

configuration

Audit log

Access

Surveillance Video


FactoryTalk Asset Centre Rockwell Automation VSE + FactoryTalk Asset Centre

15

Level 3

Level 2

Level 1

Level 0


Server


Factory Talk Asset Centre


FactoryTalk Client

Operator Interface

FactoryTalk Client


Operator Interface

Batch Control

Discrete Control

Drive Control


Safety Control



Cell/Area Zone

Firewall


Area Supervisory

Control

Basic Control

Process

Internet



FactoryTalk Asset Centre Rockwell Automation VSE + FactoryTalk Asset Centre

Authentication through VSE and FTAC

Network Isolation through FTAC configuration

Audit log in FTAC

Access

Changes

Compare

Audit Log in Virtual Support Engineer

Service Center

Surveillance Video

OEM configured with

their own folder

structure.

Isolating access and

view of entire network.

Complete Audit Log of

OEM Activity.


Virtual Engineer Enhanced + CPwE Best Security

17

Level 5

Level 4

Level 3

Level 2

Level 1

Level 0

Virtual Support Engineer - Remote Desktop Gateway

Patch Management

AV Server

Application Mirror

Web Services Operations

Application Server

Enterprise Network

Site Business Planning and Logistics Network E-Mail, Intranet, etc.


Server




FactoryTalk Client

Operator Interface

FactoryTalk Client


Operator Interface

Batch Control

Discrete Control

Drive Control


Safety Control


Enterprise Security Zone

Industrial DMZ


Cell/Area Zone

Web E-Mail

CIP

Firewall

Firewall


Area Supervisory

Control

Basic Control

Process

Logical Model – Industrial Automation and Control System (IACS) Converged Multi-discipline Industrial Network

No Direct Traffic Flow between Enterprise and Industrial Zone


• Remote Access

• Monitor and Alarm Mgmt.

• Maintenance Tools



Agenda

Customer Impact


Demonstration




Virtual Support Engineer End User Control

Secure Vendor Access

Remote Access History

End User Options

Site Administrator Access

Site Administration Access Control

Device Access Control

Data Flow Control

Remote Access Notification and Control

Remote Access Surveillance

19

Virtual Support Engineer Secure Remote Access Demonstration.


Agenda

Customer Impact


Demonstration

Scalable Solutions


Virtual Support Engineer Scalable Solutions

Remote Monitoring and Diagnostics

Virtual Support Engineer Virtual Support Engineer

Managed Services

Standard • Tags and alarms

• Reporting/Dashboards

Enhanced • Tags and Alarms

• Reporting/Dashboards

• Advanced Security Features

• CPwE Network Security

Framework

Secure Remote Access • Vendor access

• End user access

Asset Health Support • Network Infrastructure

• Virtualization

• MV Drives

• PLCs

• LV Drives (coming soon)

• MCCs (coming soon)

• PlantPAx (coming soon)

System/Process Health • Drive systems

• Control systems

Dashboards & Reporting


Virtual Support Engineer Comparison Matrix

Virtual Support Engineer Virtual Support

Engineer Standard

Virtual Support

Engineer Enhanced

Virtual Support

Engineer CPwE

Rockwell Automation support – 24x7x365 English support

and 8-5 local language support

X X X

Remote Access X X X

Outbound only communication to create remote access X X X

Outbound Port 443 Only X X

Outbound Port 443 and Outbound Port 80 X

Alarming on tags X X X

Alarming on PLC tag based devices

X X X

Alarming on any Rockwell Automation

and EtherNet/IP device

X X

Email and Text message alarm notifications X X X

Cellular option available X X X

Supports Modbus TCP and RTU devices X

Supports third party controllers X

Customizable Secure Remote Access and Device Alarming X X

Reporting/Dashboards X X X

Security Layers

Remote Access Log X X X

Ability to create user roles and groups X X X

SSL encryption X X

Security Certificate Registration X X

Security Fingerprint Certification X X

Recording of Remote Desktop Sessions X X

End-user access control rules

End-user grant/deny access X X X

End-user device access control X X

End-user data collection control X X

End-user data flow control X X

Network Security Framework

Complies to the CPwE framework

X


We care what you think!

On the mobile app:

1. Locate session using

Schedule or Agenda Builder

2. Click on the thumbs up icon on

the lower right corner of the

session detail

3. Complete survey

4. Click the Submit Form button

23

Please take a couple minutes to complete a quick session survey to tell us how we’re doing.

2

3

4

1

Thank you!!


www.rsteched.com

Follow RSTechED on Facebook & Twitter. Connect with us on LinkedIn.

PUBLIC INFORMATION

Thank You

mb06: scalable secure remote access solutions

Technology

cpwe virtual support

device access

rockwell automation

virtual support engineertm

application engineer

remote locations

network isolation access

best qualified engineer