Post-installation service commitments have provided a new revenue source for machine builders and system integrators, but have also introduced complexities that need to be addressed.
Being able to remotely access your clients’ equipment as needed is a must for many vendors for two key reasons:
∙ During the pandemic, the ability to remotely access equipment has been key so companies can ensure the safety of vendors and clients’ on-site employees.
∙ Prior to the pandemic – and surely afterward as well – fulfilling these service contracts remotely has been a cost-effective option for the vendor, and helps reduce downtime for the client as well. (We love a win-win.)
However, some customers may be reluctant about this process for a major reason: They think they won’t be able to control vendors’ access to their machines, or other portions of their facility.
The concern about controlling access is a valid one. And unfortunately, some remote access techniques – especially those that aren't intended for industrial applications – do not allow for customized access control. The typical example is a PC with a remote desktop connection, as opposed to a more secure, dedicated remote machine access gateway.
A PC in the Machine Zone of a client’s facility – essentially comprising their machine control equipment and the network it resides on – has access to the other local equipment on that network, and can serve as an entry point for cyberattacks into that area and beyond. While your client may have safeguards in their facility, that remote desktop connection may not be protected by their efforts.
In contrast, a dedicated cellular or wired remote machine access gateway can plug into the local machine network on one side and an Internet-accessible, secure wide area network on the other. Since it’s intended only for remote access, the gateway wouldn’t have PC capabilities and thus would not provide a platform for the attacks that a PC can. This restricted access and dedicated purpose help make this option an acceptable one for clients’ IT departments.
In addition, clients may have instances where they don’t want you to access the equipment at a certain time, given their real-time knowledge of the plant. For example, an emergency or even maintenance in one part of the facility could affect the operation of a vendor-supplied machine.
In this case, using an electronic request process can help control machine access. With a virtual lockout-tagout approach, the person who needs to remotely connect to the equipment would need to send in a timed request before doing so. The approver at the client site could then decide whether to grant access, or deny the request based on the current status at the plant. (Belden Horizon, formerly known as ProSoft Connect, features this type of approval process, which is logged and can be used for future forensic analysis.)
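The timed request, approve-or-deny decision, and logging described above can be sketched as a small deny-by-default gate. This is an added example, not Belden Horizon's implementation; the class names, field names, and sample users, machine, and times are all hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class AccessRequest:
    requester: str
    machine: str
    start: datetime          # start of the requested access window
    duration: timedelta      # length of the requested access window
    state: str = "pending"   # pending -> approved | denied

@dataclass
class VirtualLockout:
    """Hypothetical approval gate: every request, decision and attempt is logged."""
    audit_log: list = field(default_factory=list)

    def _log(self, now, event, req, actor):
        self.audit_log.append((now.isoformat(), event, req.machine, actor))

    def submit(self, req, now):
        self._log(now, "requested", req, req.requester)

    def decide(self, req, approver, grant, now):
        # The approver at the client site grants or denies based on plant status.
        if req.state != "pending":
            raise ValueError("request already decided")
        req.state = "approved" if grant else "denied"
        self._log(now, req.state, req, approver)

    def may_connect(self, req, now):
        # Deny by default: only an approved request inside its time window passes.
        ok = req.state == "approved" and req.start <= now < req.start + req.duration
        self._log(now, "connect_allowed" if ok else "connect_refused", req, req.requester)
        return ok

def demo():
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed sample time
    gate = VirtualLockout()
    req = AccessRequest("vendor-tech", "press-line-1",
                        t0 + timedelta(minutes=30), timedelta(hours=1))
    gate.submit(req, t0)
    before_approval = gate.may_connect(req, t0 + timedelta(minutes=35))
    gate.decide(req, "plant-supervisor", True, t0 + timedelta(minutes=40))
    in_window = gate.may_connect(req, t0 + timedelta(minutes=45))
    after_window = gate.may_connect(req, t0 + timedelta(hours=2))
    return before_approval, in_window, after_window, [e[1] for e in gate.audit_log]
```

Refused attempts are logged alongside allowed ones, so the record shows connection attempts made outside an approved window as well as the approvals themselves.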