Securing Remote Internet Maintenance Services

  • December 01, 2008
  • Innominate Security Technologies AG
  • Case Study
Manufacturers of production machinery and automation equipment are driving a broad movement away from modem-based remote services toward more secure tele-maintenance services via broadband Internet connections. Engineers from various industries describe here the benefits of TCP/IP connections for the protection of their customers’ local networks and the advantages of being able to expand the service offerings to their customers.

A major manufacturer of packaging equipment had been using remote tele-service since the early 1990s, primarily to assist during the start-up phase and for commissioning of service in the warranty period and beyond. Their production equipment is installed in over 130 countries around the world and they have more than 5,000 clients. Modem connectivity had been adequate for the previous levels of service but is no longer sufficient. The size of contemporary control programs and the preference for a comprehensive graphical user interface both require a higher level of performance than modems can provide. “Moreover, in many countries, the stability of modem connections is unreliable,” explains the company’s Director of Control Software Development.

The experience of Winkler+Dünnbier, a provider of specialty machines for the graphic packaging and paper processing industries, echoes this understanding of the current trend. Since 1998, the company has provided remote maintenance services to roughly 400 customer installations. These installations may be controlled by up to five PLCs, various types of material feed systems and operator visualization methods. “The era of modems is coming to an end, because we increasingly have connection problems with analog circuits,” says Frank Jungbluth, Director of Electrical Engineering. The problem is that in many countries on the Asian and African continents there are often no dedicated modem lines or too few phone lines available.
The diversity of modem generations with different signaling schemes further compounds the difficulties. An Internet connection usually poses no problem. The client corporation’s connection to a relatively new ISP is typically a broadband connection that bypasses aging and inadequate telephone distribution in the local loop.

Tele-Service via the Internet

Ferromatik Milacron Maschinenbau GmbH manufactures injection molding machines for the production of plastic parts. Their distribution is worldwide. The requirements of their customers demand high productivity and high machine availability in production. Unplanned downtime is costly to production and is a sensitive issue that requires quick resolution. “We observe, however, that the machine operators increasingly have less training. It is increasingly common for preventable trifles to disrupt the production process,” said Thorsten Hoes, Director of Central Engineering at Ferromatik. This is where the use of Internet services aided Ferromatik in providing rapid assistance to machine staff by remotely diagnosing faults and restoring equipment to production faster.

Ferromatik has had good experience in providing remote maintenance services over fast TCP/IP connections since their initial implementation in September 2007. “Many problems can be quickly and directly resolved via tele-services. In other cases, we can utilize the customer mechanic better by clarifying the problem with him and provide needed spare parts in a timely manner,” said Director Hoes. “We expect that we will reduce time-consuming problems and costly on-site operations by 50% through the use of enhanced maintenance services over the Internet.”

Winkler+Dünnbier echoed this conclusion. A survey of their own service personnel in November of 2006 was the basis for the decision to switch to the Internet service concept.
The previous modem-based process was roundly criticized and considered too complicated as a result of the diversity of modem versions, software, the maintenance of extensive phone number lists, etc. The lack of direct visual and voice contact with the machine operator was also considered a barrier to productivity. Internet tele-service offered high speed connectivity, the ability to share the operator’s actual display, see physical machine elements via webcam, and speak to the operator using VoIP. And with the introduction of the latest generation W+D controllers, the need to transmit up to 10Mb of information in a timely manner is simply beyond the range of modem solutions. On this basis, the company decided they needed to provide remote services via secure broadband IP-based Virtual Private Network (VPN) connections.

Immediate Online

The IP/VPN connection brings W+D many practical advantages. The remote machinery can be permanently connected to W+D services via secure VPN tunnels. Such a connection means that impending problems can be detected and corrected by early diagnosis, even before a service request is made. This can be advantageous in emerging countries with a less skilled workforce, or with poor telephone lines, where establishing a modem connection may take minutes, and then suddenly be lost. Internet connections using TCP/IP are much more stable. An absolutely reliable connection allows rapid access to communicate with the customer via simultaneous voice, high speed data and video.

Security Initiatives Emanate from Customers

Many customers prefer to prevent anyone outside the company from dialing into their network unless specifically invited to do so. The manufacturer of packaging equipment required that such a connection could be made only when initiated by the customer. The equipment chosen to provide a connection via a secure VPN tunnel uses a flashing LED to signal whether a service connection has been established.
Because the connection can be simply established or terminated by the customer through an electrical switch, even legacy systems can be securely networked to a remote service center. There is no need to modify legacy software or the existing Human Machine Interface (HMI).

High Security Requirements

Ferromatik customers also considered security a prerequisite for remote tele-service connections to their equipment. They demanded a secondary firewall between their network and the machines and highly secure Internet connections via VPN. Ferromatik analyzed a spreadsheet of different solutions and decided on the solution provided by Innominate Security Technologies AG. Their equipment, including an integrated firewall and a secure VPN connection with IPsec (Internet Protocol Security), was a proven technology solution designed for an industrial environment. In contrast to other providers, Innominate could also better support the enablement of large groups of units through the convenient management of firewall profiles and efficient address configuration from a central server.

This was similarly convincing to the manufacturer of packaging equipment, as they had already had good experience with the mGuard solution from Innominate. They found Innominate’s depth of know-how and attentive support very helpful in providing answers to many detailed questions during installation, the configuration of firewalls and VPN connections, and the integration of the peripheral machinery into the network.

“We chose Innominate after testing various other providers because the mGuard solution is a powerful product with excellent support. All of the functions we required were provided,” states Frank Jungbluth of Winkler+Dünnbier as to the reasons for their decision.
“Competitors, despite contrary statements, did not provide equal solutions, or their products did not work as described.”

Bosch Packaging, the world's largest supplier of packaging technology, is also a user of the mGuard system from Innominate.

Koenig & Bauer AG is one of the world’s largest and most respected manufacturers of presses for the printing of newspapers, magazines and telephone directories. Remote diagnostics and maintenance are critical to KBA because they ship approximately $3 billion worth of printing plants all over the world every year. After an extensive trial, KBA standardized on the Innominate mGuard system, rolling out mGuard devices with their printing systems into all regions of the world. They found VPN connections to be extremely stable and reliable, without experiencing regional incompatibility or network technology issues, as they had with modem systems. “With the growing bandwidth of secure connections via the Internet, we can offer our customers expanded services in the area of remote maintenance,” says Andreas Birkenfeld, Division Director of Systems Technology at Koenig & Bauer.

Additional Services via the Internet

Many customers in emerging economies with a poor telecommunications infrastructure and older modem technologies prefer connectivity over the Internet. “Rapid and secure connectivity for remote maintenance is going to be important for the future of services we can offer. Once this channel is available, it allows us to utilize it to its full potential and is part of our current plans and expanded service business models,” suggests a leading packaging machinery manufacturer.

The engineers of Winkler+Dünnbier offer their customers three levels of remote maintenance service. The base level provides remote diagnosis. The next level offers remote inspection: all the error messages are evaluated, quarterly for example, to anticipate problems and take preventive measures.
The third level is still in the planning stage but is similar to the continuous Ferromatik approach. It will provide uninterrupted remote monitoring to address every error immediately and report results to the customer for appropriate resolution.

Ferromatik provides remote maintenance services during the warranty period as the most cost-effective service solution. The existing remote services infrastructure is currently being extended to include additional paid service levels. One such offering is proactive remote monitoring called “condition monitoring.” Another service level, called “smart metering,” optimizes machine settings to reduce energy consumption. All of these solutions, existing and proposed, will utilize Innominate mGuard technology, equipment and expertise.
