mb06: scalable secure remote access solutions
DESCRIPTION
Enable remote support groups and partners to monitor, manage and configure plant-wide automation equipment and machinery via secure remote access. This presentation and demonstration highlight a range of solutions recommended by Rockwell Automation and Cisco for scalable secure remote access, including best practices for balancing the remote access needs of industrial applications with the secure access policies and requirements of IT. Attendance at the NW09 session, Design Considerations for Securing EtherNet/IP Networks, is recommended.
TRANSCRIPT
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
PUBLIC INFORMATION
Scalable Secure Remote Access Solutions
Sal Conti - Product Manager
Shawn Boike – Sr. Application Engineer
April 2014
Agenda
Customer Impact
Secure Remote Access
Demonstration
Scalable Solutions
Customer Impact
You’re most likely dealing with leaner budgets and staffs, an aging work force, remote locations and employees trying to keep pace with ever-changing technology.
Wouldn’t it be great to enable the best qualified engineer to have visibility and access to every site?
Virtual Support Engineer™ provides you secure remote access to your sites while providing valuable information on the health of your assets and systems. If you choose to support your systems yourself, Virtual Support Engineer provides you valuable information while enabling you to securely access your systems. If you would rather have Rockwell Automation experts provide the support for you, Virtual Support Engineer connects knowledgeable resources to help prevent downtime and optimize your production, in addition to offering support during unexpected failures. All while giving you total visibility and control over who has access, what they have access to and what information they can see.
If you’re looking to optimize your operations, improve employee efficiency and increase productivity, Virtual Support Engineer from Rockwell Automation is your answer.
The Modern Enterprise
Connected Enterprise
• Technology Convergence
• Automation and IT Technology
• Global Enterprise
• Global Partners
Modern Issues
• Aging Infrastructure / Workforce
• Control System Complexity
• Competency
• Connectivity
• Heightened Security
• The Need to Increase Productivity
Cost of Downtime
$20B = cost of unscheduled downtime
89% of unplanned downtime is completely random and unpredictable.
Of the time spent on an unplanned downtime event:
• 8% is spent figuring out if there is a real problem,
• 21% is spent diagnosing the problem,
• 47% is spent scrambling to get the resources to fix the problem.
That's 76% of the time before the fixing even starts!
Rockwell Automation's Remote Monitoring and Diagnostics can help resolve issues faster, eliminate unneeded maintenance activity and get you back up and running faster!
Value Statement
Reduce total cost of downtime
Highly skilled engineers respond quickly to an unplanned downtime event, and savings are realized by a fast, organized response. In most cases the problem resolution can be identified in less time than a typical internal response takes.
– Internal response times typically run between 30 – 60 minutes
– Large investment in time prior to seeking outside help
Reduce downtime
Dramatic reduction in the duration of unplanned downtime: warnings are passed to engineers who can analyze and provide recommendations to reduce or prevent unplanned downtime events.
Secure Remote Access: Defining "Good – Better – Best"
Good – Virtual Support Engineer Standard
• Outbound Only Communication (ports 443 and 80)
• User Authentication
• Remote Access Audit Trail
• End-User Control (On/Off)
Better – Virtual Support Engineer Enhanced
• Outbound Only Communication (port 443)
• Secure Sockets Layer (SSL) encryption
• Security Certificate Registration
• Certificate Fingerprint Verification
• Limit access by User and/or IP address
• User Authentication
• Remote Access Audit Trail
• Remote Access Notification
• Remote Access Surveillance / Recording
• Complete End-User Control
Best – Virtual Support Engineer Enhanced + CPwE
• All Virtual Support Engineer Enhanced Features
• Rockwell Automation / Cisco Converged Plantwide Ethernet (CPwE) Reference Architecture Compliant
Virtual Support Engineer Standard: Good Security
[Diagram: CPwE logical model, Levels 0–3 (Process: sensors, drives, actuators, robots; Basic Control: batch, discrete, drive, continuous process and safety control; FactoryTalk clients, operator interfaces and engineering workstations; FactoryTalk Application Server and FactoryTalk Directory), with the Cell/Area Zone inside the Industrial Security Zone behind a firewall. Virtual Support Engineer Remote Access reaches the site from the Rockwell Automation Service Center.]
Virtual Support Engineer Standard
• Good Security
• Alarm on PLC Tags
• Reports and Dashboards
Good Security
• User Authentication
• Access to entire network
• End-User Control (Grant / Deny)
• Does Not Limit Device Access
• Not compatible with Virtual Support Engineer monitoring services
Virtual Support Engineer Standard: Secure Remote Access
• User Authentication
• No Network Isolation
• Access log in the Virtual Support Engineer Service Center
• No Audit Log
• No Surveillance
• Remote access limits are set only by the network architecture.
Virtual Support Engineer Enhanced: Better Security
[Diagram: CPwE logical model, Levels 0–3 (Process; Basic Control; Area Supervisory Control; Site Operations and Control with the FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation and a VSE Remote Access Client), with the Cell/Area Zone inside the Industrial Security Zone behind a firewall, connected via the Internet to the Service Center. The Standard callouts from the previous slide are shown alongside for comparison.]
Virtual Support Engineer Enhanced
• Better Security
• Alarm on any Ethernet Device
• Reports and Dashboards
Better Security
• Multiple Security Levels
• Limits Remote Access
• Limits Data Flow
• Complete End-User Control
• Compatible with Virtual Support Engineer Monitoring Services
Virtual Support Engineer Enhanced: Multiple Security Levels
Virtual Support Engineer:
Continuously polls the Comm Server from inside the firewall using HTTPS on port 443 to 2–3 specific IP addresses.
– Data is compressed, encapsulated, encrypted
– No VPN bleed or fake connections: there is no inbound VPN into the site, and the agent checks the server's certificate and fingerprint
– A secure multipurpose tunnel to your sites
[Diagram: each site-to-server link is labelled with a security certificate and a certificate fingerprint.]
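The two checks implied by the slide, the agent only dialling a few known comm-server addresses and the server certificate matching a pinned fingerprint rather than merely chaining to a public CA, written out as an added example. This is not Rockwell Automation or Virtual Support Engineer code; the allowlist addresses, the pin values and the sample certificate bytes are constructed for illustration.

```python
"""Added example, not Rockwell Automation or VSE code: the checks an
outbound-only site agent should make before trusting the comm server it
polls over HTTPS/443. The allowlist and pins below are assumed values."""
import hashlib
import socket
import ssl

# Assumption: the handful of comm-server addresses the agent may dial
# (documentation range 203.0.113.0/24 stands in for real addresses).
COMM_SERVER_ALLOWLIST = frozenset({"203.0.113.10", "203.0.113.11", "203.0.113.12"})

# Constructed stand-in for a DER-encoded leaf certificate, used only so the
# pinning helpers can be exercised offline; a real pin is taken from the
# server's actual certificate (openssl x509 -fingerprint -sha256).
SAMPLE_LEAF_DER = b"\x30\x82\x01\x0a-constructed-not-a-real-certificate"


class PinMismatch(Exception):
    """Raised when the server presents a certificate outside the pin set."""


def normalize_fingerprint(fp: str) -> str:
    """Accept OpenSSL-style 'AB:CD:..' or bare hex; compare case-insensitively."""
    return fp.replace(":", "").strip().lower()


def fingerprint_sha256(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding of the leaf certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(der_cert: bytes, pinned) -> bool:
    """True only if the presented leaf matches one of the pins. Keep at least two
    pins (current and next certificate) so a rotation does not strand the site."""
    pins = {normalize_fingerprint(p) for p in pinned}
    return fingerprint_sha256(der_cert) in pins


def destination_allowed(ip: str, allowlist=COMM_SERVER_ALLOWLIST) -> bool:
    """Egress policy: the agent only ever dials the approved comm-server IPs,
    which is also what the site firewall should enforce for outbound TCP/443."""
    return ip in allowlist


def open_pinned_connection(server_ip: str, pinned, port: int = 443,
                           timeout: float = 10.0) -> ssl.SSLSocket:
    """Dial the comm server, complete the TLS handshake with the normal CA and
    hostname checks still on, then refuse to send anything unless the leaf
    certificate is pinned. Needs network, so it is not exercised by the tests."""
    if not destination_allowed(server_ip):
        raise PermissionError(f"{server_ip} is not an approved comm server")
    ctx = ssl.create_default_context()  # CA validation and hostname/IP-SAN check
    raw = socket.create_connection((server_ip, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=server_ip)
    except Exception:
        raw.close()
        raise
    leaf = tls.getpeercert(binary_form=True)
    if leaf is None or not check_pin(leaf, pinned):
        tls.close()  # fail closed: no fallback to an unpinned session
        raise PinMismatch("comm server certificate does not match any pinned fingerprint")
    return tls


def demo() -> bool:
    """Offline walk-through with the constructed certificate bytes."""
    pins = {fingerprint_sha256(SAMPLE_LEAF_DER), "00" * 32}  # current + placeholder next
    ok = check_pin(SAMPLE_LEAF_DER, pins)
    tampered = check_pin(SAMPLE_LEAF_DER + b"x", pins)
    return ok and not tampered and destination_allowed("203.0.113.10")


if __name__ == "__main__":
    print("pinning demo passed" if demo() else "pinning demo failed")
```

The pin is checked after the handshake but before any application data is sent, and a mismatch closes the socket rather than falling back; the CA check is kept as well, so a pinned certificate that has also expired or been revoked still fails.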
Virtual Support Engineer: Multiple Security Levels
[Diagram: customer site with a Site Server collecting from site systems (prepaid application, DAC database, Telepath server, SMSC, network devices, other), connected through the site firewall to the Internet on port 443 only.]
• Only rules approved by the site are installed. Each system's passwords can be set and managed locally by the Site Administrator.
• The Site Administrator can control the data collection.
• Username / password authentication for access by the Site Administrator.
• The Site Administrator can control the data flow.
• The firewall remains intact. Only port 443 is used.
• Audit trail: every action can be approved or denied by the Site Administrator.
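An added example, not Virtual Support Engineer code, of the site-administrator controls this slide and the following one list: access limited by user and source IP, every request granted or denied by the site administrator, a time-boxed grant scoped to named devices, an end-user on/off switch, and an audit trail of every decision and action. User names, source IPs, device names and the fixed clock are assumptions for illustration.

```python
"""Added example, not Rockwell Automation or VSE code: a site-administrator
gate for vendor remote access. Access is limited by user and source IP, every
request is granted or denied by the site administrator, a grant is time-boxed
and scoped to named devices, the end user has an on/off switch, and every
decision and action lands in an audit trail. Names, IPs and devices are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Set

T0 = datetime(2014, 4, 1, 9, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def t(minutes: int) -> datetime:
    """Deterministic 'now' values so the expiry logic can be checked offline."""
    return T0 + timedelta(minutes=minutes)


@dataclass
class AccessRequest:
    request_id: int
    user: str
    source_ip: str
    devices: Set[str]                     # devices the vendor asked to reach
    reason: str
    approved: Optional[bool] = None       # None = still pending with the site admin
    expires_at: Optional[datetime] = None


class SiteAccessGateway:
    def __init__(self, allowed_users: Dict[str, Set[str]]):
        self.allowed_users = allowed_users      # user -> permitted source IPs
        self.remote_access_enabled = True       # the end-user on/off switch
        self.requests: Dict[int, AccessRequest] = {}
        self.audit: List[dict] = []
        self._next_id = 1

    def _log(self, event: str, now: datetime, **fields) -> None:
        self.audit.append({"time": now.isoformat(), "event": event, **fields})

    def request_access(self, user: str, source_ip: str, devices: Iterable[str],
                       reason: str, now: datetime) -> Optional[AccessRequest]:
        """Vendor asks for access; rejected outright unless user and IP are known."""
        if source_ip not in self.allowed_users.get(user, set()):
            self._log("request_rejected", now, user=user, source_ip=source_ip,
                      why="user/source IP not on the site's allow list")
            return None
        req = AccessRequest(self._next_id, user, source_ip, set(devices), reason)
        self._next_id += 1
        self.requests[req.request_id] = req
        self._log("request_pending", now, request_id=req.request_id, user=user,
                  source_ip=source_ip, devices=sorted(req.devices), reason=reason)
        return req

    def decide(self, request_id: int, admin: str, approve: bool, now: datetime,
               minutes: int = 60) -> None:
        """Site administrator grants (time-boxed) or denies a pending request."""
        req = self.requests[request_id]
        req.approved = approve
        req.expires_at = now + timedelta(minutes=minutes) if approve else None
        self._log("admin_decision", now, request_id=request_id, admin=admin,
                  approved=approve, minutes=minutes if approve else 0)

    def authorize(self, request_id: int, device: str, action: str, now: datetime) -> bool:
        """Per-action check made every time the vendor touches a device."""
        req = self.requests.get(request_id)
        if req is None:
            why = "unknown request"
        elif not self.remote_access_enabled:
            why = "remote access switched off by the site"
        elif req.approved is not True:
            why = "not approved by the site administrator"
        elif now >= req.expires_at:
            why = "grant expired"
        elif device not in req.devices:
            why = "device not covered by the grant"
        else:
            why = None
        self._log("action", now, request_id=request_id, device=device,
                  action=action, allowed=why is None, why=why)
        return why is None


def demo() -> List[dict]:
    """Walk an OEM engineer through request, approval, use and expiry."""
    gw = SiteAccessGateway({"oem.tech": {"198.51.100.7"}})   # assumed policy
    req = gw.request_access("oem.tech", "198.51.100.7", {"PLC-Line1", "HMI-Line1"},
                            "fault on line 1", t(0))
    gw.authorize(req.request_id, "PLC-Line1", "read_tags", t(1))    # pending: denied
    gw.decide(req.request_id, "site.admin", True, t(2), minutes=30)
    gw.authorize(req.request_id, "PLC-Line1", "read_tags", t(3))    # allowed
    gw.authorize(req.request_id, "Drive-Line2", "read_tags", t(3))  # out of scope
    gw.authorize(req.request_id, "PLC-Line1", "download", t(33))   # expired
    return gw.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Two design points worth keeping when building the real thing: the check runs on every action, not once at login, so a grant that expires or a site that flips the switch off cuts access mid-session; and denied attempts are logged with the reason, because the audit trail is what lets the site answer "who touched what, and who approved it".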
Virtual Support Engineer Enhanced: Secure Remote Access
• User Authentication
• End user manages access requests (Grant / Deny)
• Device Access Control
• Data Flow Control
• Remote Access Notification and Control
• Remote Access Surveillance
• Network Isolation through Virtual Support Engineer configuration
• Audit log: access; surveillance video
FactoryTalk Asset Centre: Rockwell Automation VSE + FactoryTalk Asset Centre
[Diagram: CPwE logical model, Levels 0–3, with FactoryTalk Asset Centre and the VSE Remote Access Client alongside the FactoryTalk Application Server and FactoryTalk Directory in Level 3 Site Operations and Control, the Cell/Area Zone inside the Industrial Security Zone behind a firewall, connected via the Internet.]
FactoryTalk Asset Centre: Rockwell Automation VSE + FactoryTalk Asset Centre
• Authentication through VSE and FTAC
• Network isolation through FTAC configuration
• Audit log in FTAC: access, changes, compare
• Audit log in the Virtual Support Engineer Service Center: surveillance video
• OEM configured with their own folder structure, isolating access to and view of the entire network
• Complete audit log of OEM activity
Virtual Support Engineer Enhanced + CPwE: Best Security
[Diagram: CPwE logical model, Levels 0–5. Enterprise Security Zone: Level 5 Enterprise Network and Level 4 Site Business Planning and Logistics Network (e-mail, intranet, etc.). Industrial DMZ: Virtual Support Engineer Remote Desktop Gateway, Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server. Industrial Security Zone: Level 3 Site Operations and Control (FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, VSE Remote Access Client), Level 2 Area Supervisory Control, Level 1 Basic Control, Level 0 Process, grouped as the Cell/Area Zone. Traffic labels: Web and E-Mail into the Industrial DMZ, CIP within the Industrial zone. A firewall separates the Enterprise zone from the Industrial DMZ and a second firewall separates the Industrial DMZ from the Industrial zone.]
Logical Model – Industrial Automation and Control System (IACS) Converged Multi-discipline Industrial Network
No Direct Traffic Flow between Enterprise and Industrial Zone
Virtual Support Engineer
• Remote Access
• Monitor and Alarm Mgmt.
• Maintenance Tools
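The zoning rule on this slide, no direct traffic between the Enterprise and Industrial zones with remote access terminating on a gateway in the Industrial DMZ, is the kind of thing that is easy to state and easy to violate in a long firewall rule base. The following is an added example, not Rockwell Automation or Cisco code, of a linter that checks a candidate rule set against that rule and against the outbound-only TCP/443 egress model used by the site server. Zone names, the Rule fields and both sample rule sets are assumptions for illustration.

```python
"""Added example, not Rockwell Automation or Cisco code: a linter that checks
a candidate firewall rule set against the CPwE zoning on this slide. It flags
any rule that lets Enterprise and Industrial traffic meet directly, any inbound
rule into the Industrial zone that does not come from the IDMZ to named hosts,
and any Industrial egress other than TCP/443 to named hosts.
Zone names, rule fields and the sample rules are assumptions."""
from dataclasses import dataclass
from typing import List, Tuple

ENTERPRISE, IDMZ, INDUSTRIAL = "enterprise", "idmz", "industrial"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                        # "tcp" or "udp"
    dport: int
    dst_hosts: Tuple[str, ...] = ()   # empty means "any host in dst_zone"
    action: str = "allow"


def lint_rules(rules: List[Rule]) -> List[str]:
    """Return one finding per violated zoning rule; an empty list means clean."""
    findings = []
    for i, r in enumerate(rules, 1):
        if r.action != "allow":
            continue
        tag = f"rule {i} {r.src_zone}->{r.dst_zone} {r.proto}/{r.dport}"
        if {r.src_zone, r.dst_zone} == {ENTERPRISE, INDUSTRIAL}:
            findings.append(f"{tag}: direct Enterprise<->Industrial traffic; "
                            "terminate it on a broker in the IDMZ instead")
            continue
        if r.dst_zone == INDUSTRIAL and r.src_zone != INDUSTRIAL:
            if r.src_zone != IDMZ:
                findings.append(f"{tag}: inbound to Industrial must originate in the IDMZ")
            if not r.dst_hosts:
                findings.append(f"{tag}: inbound to Industrial without named destination hosts")
        if r.src_zone == INDUSTRIAL and r.dst_zone != INDUSTRIAL:
            if (r.proto, r.dport) != ("tcp", 443):
                findings.append(f"{tag}: Industrial egress other than TCP/443")
            if not r.dst_hosts:
                findings.append(f"{tag}: Industrial egress to any host; "
                                "name the IDMZ broker or comm-server addresses")
    return findings


# Assumed rule sets. GOOD follows the slide: the remote engineer reaches the
# Remote Desktop Gateway in the IDMZ, only the gateway reaches a named remote
# access server in Level 3, and the site server polls out on TCP/443 only to a
# named broker in the IDMZ (assumed to relay to the comm servers).
GOOD_RULES = [
    Rule(ENTERPRISE, IDMZ, "tcp", 443, ("vse-rdgw.idmz.example",)),
    Rule(IDMZ, INDUSTRIAL, "tcp", 3389, ("ra-server.l3.example",)),
    Rule(INDUSTRIAL, IDMZ, "tcp", 443, ("vse-proxy.idmz.example",)),
]

# BAD is what the slide rules out: RDP straight from the enterprise to the
# plant, a direct industrial->enterprise allow, an any-host allow into the
# plant from the IDMZ, and unrestricted DNS egress from the plant.
BAD_RULES = [
    Rule(ENTERPRISE, INDUSTRIAL, "tcp", 3389),
    Rule(INDUSTRIAL, ENTERPRISE, "tcp", 443),
    Rule(IDMZ, INDUSTRIAL, "tcp", 44818),
    Rule(INDUSTRIAL, IDMZ, "udp", 53),
]


if __name__ == "__main__":
    print("GOOD:", lint_rules(GOOD_RULES) or "clean")
    for finding in lint_rules(BAD_RULES):
        print("BAD:", finding)
```

Run it against a rule export before a change window; a non-empty result for the production rule base is a finding to raise with whoever owns the IDMZ, not something to fix by adding an exception.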
Secure Remote Access
Virtual Support Engineer End User Control
Secure Vendor Access
Remote Access History
End User Options
Site Administrator Access
Site Administration Access Control
Device Access Control
Data Flow Control
Remote Access Notification and Control
Remote Access Surveillance
Virtual Support Engineer Secure Remote Access Demonstration.
Virtual Support Engineer: Scalable Solutions
Remote Monitoring and Diagnostics (Virtual Support Engineer)
• Standard: tags and alarms; reporting/dashboards
• Enhanced: tags and alarms; reporting/dashboards; advanced security features; CPwE network security framework
Managed Services (Virtual Support Engineer)
• Secure Remote Access: vendor access; end user access
• Asset Health Support: network infrastructure; virtualization; MV drives; PLCs; LV drives (coming soon); MCCs (coming soon); PlantPAx (coming soon)
• System/Process Health: drive systems; control systems
• Dashboards & Reporting
Virtual Support Engineer Comparison Matrix
Feature | Standard | Enhanced | CPwE
Rockwell Automation support – 24x7x365 English support and 8–5 local language support | X | X | X
Remote Access | X | X | X
Outbound only communication to create remote access | X | X | X
Outbound Port 443 Only | – | X | X
Outbound Port 443 and Outbound Port 80 | X | – | –
Alarming on tags | X | X | X
Alarming on PLC tag based devices | X | X | X
Alarming on any Rockwell Automation and EtherNet/IP device | – | X | X
Email and Text message alarm notifications | X | X | X
Cellular option available | X | X | X
Supports Modbus TCP and RTU devices | X in one tier only (column position lost in extraction)
Supports third party controllers | X in one tier only (column position lost in extraction)
Customizable Secure Remote Access and Device Alarming | – | X | X
Reporting/Dashboards | X | X | X
Security Layers
Remote Access Log | X | X | X
Ability to create user roles and groups | X | X | X
SSL encryption | – | X | X
Security Certificate Registration | – | X | X
Security Fingerprint Certification | – | X | X
Recording of Remote Desktop Sessions | – | X | X
End-user access control rules
End-user grant/deny access | X | X | X
End-user device access control | – | X | X
End-user data collection control | – | X | X
End-user data flow control | – | X | X
Network Security Framework
Complies with the CPwE framework | – | – | X
We care what you think!
Please take a couple of minutes to complete a quick session survey to tell us how we're doing. On the mobile app: locate the session using Schedule or Agenda Builder, click the thumbs-up icon on the lower right corner of the session detail, complete the survey, and click the Submit Form button.
Thank you!!
www.rsteched.com
Follow RSTechED on Facebook & Twitter. Connect with us on LinkedIn.
PUBLIC INFORMATION
Thank You