Worldwide remote services have become more secure
Posted to News on 8th Oct 2015, 17:09

ZIPPE Industrieanlagen is an equipment manufacturer that provides systems for the glass industry in 75 countries. This is a major challenge for service provision. The equipment manufacturer has been using remote services for the past 20 years. This enables them to react quickly when system errors occur, and to provide an additional range of services. This service is now more powerful and secure than ever before, thanks to new technologies.

ZIPPE develops, manufactures and modernises glass batch plants and cullet plants for the international glass industry. Plant technologies such as scraper conveyors, crushers, glass batch chargers and glass level controllers are manufactured as one-offs, tailored to the individual requirements of the customer.

ZIPPE currently uses remote services for 200 installations in 75 countries. Every new plant is now equipped with the mGuard remote services infrastructure by Innominate. This technology facilitates remote maintenance via broadband and secure IP/VPN (virtual private network) connections. Thorsten Zimpel, Head of Process Control System at ZIPPE Industrieanlagen GmbH, describes the reasons why remote services are of such major importance: "Real-time problem diagnosis and problem solving is becoming increasingly important, because spontaneous, unpredictable errors cannot be ruled out in such complex systems. The customer often finds it difficult to carry out a quick, targeted problem analysis and to introduce and implement the necessary troubleshooting measures."

Specialists can provide worldwide support for the commissioning of every system from their headquarters in Wertheim in the north of Baden-Württemberg. The use of broadband connections has opened new possibilities for remote services, because in a modern plant, a software update alone can already amount to several 100MB. During the warranty period, the performance of the system is continuously optimised via remote services and even after the warranty period has expired, online access is used to resolve errors or provide additional maintenance and services in line with the customer's order. Thorsten Zimpel adds: "Remote services mean that we can employ less staff on-site, while expanding our service offering at the same time. In case of more distant system locations, the investment in the technical components already pays for itself after only one saved trip."

Improved system performance

Modern ZIPPE systems, such as fully automatic glass batch production systems, are controlled and monitored by automation devices, weighing and dosing computers, as well as networked control systems. The automation systems take over the control of cyclic processes and accurate dosing and weighing of raw materials. The control system includes the visualisation of the system with manual control, the monitoring and reporting system, data entry, recipe handling, reporting, and production data archiving.

The control system provides numerous "adjustment screws" to fine-tune such complex systems for optimum performance. Remote services make it possible to retrieve statistical functions which are used to control product quality. The analysis of this data indicates whether the scales are still within the tolerance range, dispensing services and dispensing times become visible, and operating protocols provide an insight into the control of the system. Many customers request the assistance of ZIPPE technicians with the correct interpretation of the data and the resulting measures to be derived from it. They remotely configure and optimise all relevant parts of the system, as well as the software modules used to plan and organise maintenance. But before service technicians can access the system online, an important security feature of the mGuard technology comes into play: The customer must first use a hardware switch to enable any online access.

Security features protect the customer network

The basic package of the mGuard remote services product includes a VPN-enabled Ethernet router with IPsec (IP security protocol) encryption, a configurable firewall and the VPN hardware switch. After online access has been enabled via the hardware switch, a VPN tunnel that is safe from eavesdropping and manipulation is established between the customer-side system and the service technician at ZIPPE, using hardware-based encryption. In addition, the firewall ensures that the systems are isolated from the customer's network.

Thorsten Zimpel explains the decision in favour of this technology: "We have been convinced by this total security concept provided by the Innominate remote services solution. It is designed for the industrial environment, administration is relatively easy and we can integrate the DIN rail-mountable metal housings into our control cabinets." He also refers to the excellent support provided by Innominate, stating that help was always provided very quickly when problems arose. The possibility to also integrate the secure remote services technology into existing systems without "default gateway or standard gateway" was important to ZIPPE. The "Remote VPN NAT" function is used to map the entire data traffic, which travels over the VPN, on the local network via the configured address. As a result, a default gateway is not required.

Remote services also with older Windows versions

Legacy systems are also due to be opened for remote services in the near future with an additional feature of the mGuard Firmware. Up until now, plant operators have refused access to legacy systems running Windows NT or Windows 95 for security reasons. mGuard CIFS Integrity Monitoring, an optional mGuard Firmware module, provides an industrial-strength alternative to antivirus software (see text box on CIFS Integrity Monitoring). In connection with the firewall, which isolates the customer network, VPN access can also be achieved for poorly-secured legacy systems.

The CIFS Integrity Monitoring module of the mGuard Firmware also provides older versions of Windows such as Windows 98 with an industrial-strength alternative to antivirus protection, without a constant supply of current virus patterns. In order to do so, Windows network drives are checked regularly to determine whether certain files (such as *.exe, *.dll) change unexpectedly in comparison to a reference state. mGuard also facilitates an external virus scan on drives of systems that are located "behind" mGuard, which cannot otherwise be reached from the outside (e.g. industrial PCs in production cells), and cannot use antivirus software that is installed locally.

CIFS Integrity Monitoring thereby offers improved protection for file shares which are frequently used for exchanging data with the environment, based on the CIFS/SMB (Common Internet File System/Server Message Blocks) family of protocols. These shares are a feared gateway for malware; Stuxnet and the Conficker worm, for example, also used them to spread. Damage caused by "zero-day" exploits can also be detected with the CIFS integrity check. This damage is caused by malware that is already in circulation on the day a new vulnerability becomes known, and for which no malware signatures are available at that point.
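The reference-state comparison described in the text box can be sketched as follows. This is an added example, not Innominate's code or the mGuard implementation; it assumes the Windows share is already mounted at a local path, and SHA-256 as well as the names `snapshot` and `compare` are assumptions made for illustration.

```python
import fnmatch
import hashlib
import os

WATCHED = ("*.exe", "*.dll")  # file types named in the article

def sha256_file(path):
    """Hash in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root, patterns=WATCHED):
    """Return {relative path: SHA-256} for every watched file under root."""
    state = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            # Windows shares are case-insensitive, so match on lower case.
            if any(fnmatch.fnmatchcase(name.lower(), p) for p in patterns):
                full = os.path.join(folder, name)
                state[os.path.relpath(full, root)] = sha256_file(full)
    return state

def compare(reference, current):
    """List deviations of the current state from the reference state."""
    return {
        "modified": sorted(p for p in reference
                           if p in current and current[p] != reference[p]),
        "added": sorted(p for p in current if p not in reference),
        "removed": sorted(p for p in reference if p not in current),
    }

if __name__ == "__main__":
    import tempfile
    # Constructed sample: a temporary directory stands in for the share.
    with tempfile.TemporaryDirectory() as share:
        def put(name, data):
            with open(os.path.join(share, name), "wb") as f:
                f.write(data)
        for name in ("hmi.exe", "driver.DLL", "log.txt"):
            put(name, b"v1")
        reference = snapshot(share)
        put("hmi.exe", b"tampered")
        put("dropper.exe", b"new")
        print(compare(reference, snapshot(share)))
```

Because the check compares content hashes rather than matching signatures, it flags a changed or newly dropped binary without needing current virus patterns; the reference state itself must be stored where the monitored system cannot rewrite it.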

To learn more about Innominate's mGuard technology, please visit www.innominate.com.


Innominate Security Technologies AG

Rudower Chaussee 13
GERMANY

+49 (0)30 921028 0
