White Paper: Secure & Seamless Remote Device Management

Table of Contents

1. The purpose of this document  2
2. What is a SiteManager?  2
3. Typical Installation  3
4. How is Security ensured in the Production Facility?  4
5. How is Security ensured in the Office Network?  5
6. How is Security ensured by us?  5
7. Why choose Remote Service?  6
8. Appendix 1 Information sheet  7
9. Notices  8
1. The purpose of this document

In today's globalized and competitive 24/7 world, getting the maximum out of your production facilities has a direct impact on the bottom line. A key factor is keeping your machines running continuously with optimal performance and quality. As your machine builder, we offer more than just machines and technologies; we also provide the service to maximize uptime and product quality.

Our Remote Service can improve uptime and convenience without changing network security procedures or machine operations. For remote service and support, we use Secomea's state-of-the-art Remote Device Management (RDM) solution, allowing us to provide previously unattainable levels of uptime through high-speed and secure communication for service and maintenance.

Security is priority number one in this solution: both security for you as our customer and security for us as your machine builder and service provider. Our Remote Service is your gateway to our global network of service specialists.

Figure 1: Your insurance for secure and seamless remote support when needed is based on a SiteManager at each production plant.

This document describes the set-up using the SiteManager 3000 series, but is not limited to this series only.

2. What is a SiteManager?

A SiteManager is the part of the Secomea Remote Device Management solution that is placed locally at your production facility for monitoring the equipment and for providing the access path to the central surveillance server (GateManager). The SiteManager is not a VPN router, where security depends on configuration and maintenance, but an intelligent communication unit specifically designed to meet the requirement for secure remote access in the industrial and automation industry without risks and complexity.
The SiteManager 3000 represents the off-the-shelf series of Secomea SiteManager hardware appliances, specifically designed for deployment in production facilities where uptime is important.

Secure & Seamless Remote Device Management Page 2 of 8
Figure 2: Connections on the front of the SiteManager

Position      Description
1 - SERIAL    Serial interface (RS232 socket, V.24/V.28)
2 - DEV 1-4   Switch with 4 Ethernet ports (RJ45, 10/100 Mbit/s)
3 - UPLINK    Ethernet port (RJ45, 10/100 Mbit/s)

Table 1: Technological features of the SiteManager

3. Typical Installation

The SiteManager 3000 appliance is a standard component in all our machines; the typical installation is illustrated in figure 3 below.
Figure 3: Typical SiteManager 3000 series appliance installation

4. How is Security ensured in the Production Facility?

First of all, any remote access to / from the SiteManager is controlled by you. It can be enabled / disabled on demand via a local web interface or simply by unplugging the SiteManager.

Secondly, the SiteManager is by default closed for access to any equipment on your production network that you have not specifically allowed it to access. Once configured by you, or by us in agreement with you, the SiteManager can establish access to only the specified equipment.

The SiteManager can enable remote access to a specific machine or to all its associated components using the network ports (DEV1-4), either based on specific IP addresses or on entire subnets. Additionally, the serial port can be used for connecting a device that does not have native network support; the SiteManager then bridges IP to RS232. As an exception, the SiteManager can also be configured to allow access only to specific IP addresses on the Uplink subnet (the dotted green area in figure 3).

The SiteManager makes an encrypted connection using the network port (UPLINK) to the GateManager server located outside the production network. The IP address of the SiteManager itself is in principle irrelevant, since all access is administered by the GateManager.

Once remote access to the SiteManager is granted for the GateManager, authorized personnel from us can administer it and grant access for the relevant Field Engineer / Service Engineer accounts. These accounts are administered through the GateManager administration console, which is based on the same principles used for secure web banking solutions. The LinkManager software client, used by our Field Engineers / Service Engineers to obtain access to the industrial equipment through the SiteManager, uses the same web banking access principles. The GateManager ensures that the LinkManager only allows access to the SiteManagers and associated equipment that the Engineer's account provides access to.

When the connection to your plant is established, the local SiteManager furthermore logs activity any time the Engineer actually uses a connection. The log can then be viewed in the local web interface of the SiteManager, or centrally on the GateManager.

5. How is Security ensured in the Office Network?

It is important not to compromise corporate firewall security policy. When using the office network for accessing the Internet, the connection from the SiteManager to the GateManager has to go through your corporate firewall. This is done using one of the ports 80/443/11444, with or without a proxy firewall, depending on what your IT department requires. The port only needs to be opened for outbound traffic. In most cases no changes are needed in your corporate firewall, because a suitably configured port is already available: if the network allows you to browse the Internet, the SiteManager will be able to establish its secure connection as well.

It is also important not to be, or become, even unintentionally, a threat on the office network. The SiteManager has a built-in stateful-inspection firewall configured to block all communication except authorized and encrypted data sent between the SiteManager and the GateManager. Furthermore, the SiteManager is based on a hardened operating system, which prevents hostile persons or programs from exploiting the connection. This neutralizes both internal and external threats.
The actual connection between the SiteManager and the GateManager is encrypted using the strong AES standard. Each SiteManager is identified by a factory X.509 digital certificate. The solution fulfils all the security standards stipulated by the National Institute of Standards and Technology (http://www.nist.gov) for encryption and key negotiation. It has complete end-to-end security, ensuring that no one, and nothing, can access equipment without permission.

6. How is Security ensured by us?

End-to-end security is provided not only between the SiteManager in the production network and our headquarters where the GateManager is installed, but all the way to our Field Engineers / Service Engineers using the LinkManager client software. Only authorized personnel can access the GateManager, and each person is identified by both a factory X.509 digital certificate and a password (two-factor security), similar to the authentication method used for web banking.

With the advanced role management module in the GateManager, any remote access by authorized personnel is managed centrally. This includes controlling which SiteManagers / production networks a person has access to. A person no longer working within our company will have his certificate and account shut down instantly. Any activity is logged not only in your local SiteManager, but also centrally in the GateManager and on the PC of the LinkManager user.
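The access model of sections 4 and 5 (default deny on the production side, host-only exceptions on the Uplink subnet, and an outbound-only GateManager connection on port 80, 443 or 11444) can be written down as a small policy checker. This is an added illustration, not Secomea code; the class name, method names and all addresses are constructed for the example.

```python
"""Model of the SiteManager access policy described in sections 4 and 5.

Constructed example, not Secomea's implementation. Assumptions: the class
and method names are invented for illustration; only the behaviour the
paper states is modelled: DEV-side access is denied unless a host or subnet
was explicitly allowed, Uplink-side access is limited to specific host
addresses, and the GateManager link is outbound-only on TCP 80/443/11444.
"""
import ipaddress

GATEMANAGER_PORTS = {80, 443, 11444}  # outbound ports named in section 5


class SiteManagerPolicy:
    def __init__(self):
        self.dev_allow = []        # networks reachable through DEV1-4
        self.uplink_allow = set()  # single hosts reachable on the Uplink subnet

    def allow_dev(self, target):
        """Permit a host ('10.0.0.5') or a whole subnet ('10.0.0.0/24') on DEV1-4."""
        self.dev_allow.append(ipaddress.ip_network(target, strict=False))

    def allow_uplink_host(self, host):
        """Uplink-side exceptions are specific IP addresses only (section 4)."""
        net = ipaddress.ip_network(host, strict=False)
        if net.num_addresses != 1:
            raise ValueError(f"uplink allow-list takes host addresses only, got {host}")
        self.uplink_allow.add(net.network_address)

    def device_reachable(self, address, via):
        """Default deny: True only when an explicit rule covers the address."""
        ip = ipaddress.ip_address(address)
        if via == "DEV":
            return any(ip in net for net in self.dev_allow)
        if via == "UPLINK":
            return ip in self.uplink_allow
        return False


def gatemanager_egress_ok(direction, port):
    """Section 5: the corporate firewall only needs outbound 80, 443 or 11444."""
    return direction == "outbound" and port in GATEMANAGER_PORTS


if __name__ == "__main__":
    p = SiteManagerPolicy()
    p.allow_dev("192.168.10.0/24")      # constructed: one machine's subnet
    p.allow_uplink_host("172.16.5.20")  # constructed: one host on the Uplink side
    print(p.device_reachable("192.168.10.7", "DEV"))   # True
    print(p.device_reachable("192.168.11.7", "DEV"))   # False (not allow-listed)
    print(gatemanager_egress_ok("outbound", 11444))    # True
```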
7. Why choose Remote Service?

As your trusted supplier, you buy more from us than our machines and technologies: you buy uptime and quality. Complex equipment and process lines within industrial automation are expensive. Optimal utilization is necessary to ensure profitability. Downtime, scheduled or not, is both costly and critical. Downtime can cause critical delays, missed deadlines and loss of future orders.

Our Remote Service brings a new dimension to our existing service offering: it now enables our global network of service specialists to perform online remote diagnostics and resolve problems in real time and without delay. By not depending on being on-site for traditional on-site services, it allows us to assign the best possible service specialist for your specific need, regardless of location and time zone.

Our Remote Service provides unparalleled security, and your corporate policies for network, communication and firewall are taken seriously. With our Remote Service, security is priority number one: security for you as our customer and security for us as your machine builder. Our Remote Service is your virtual on-site service specialist: secure, at any time, and no matter where in the world you are located.
8. Appendix 1 Information sheet

The purpose of this appendix is to list the information ideally needed before installation of the SiteManager takes place. Headlines in white are typically filled out by the customer / production plant before installation.

Continent
Country
Customer Name
Order no.
System

SiteManager
  Device Name
  IP address (DEV1 port)
  Subnet Mask (DEV1 port)

Network specifications (UPLINK)
  DHCP
  Static IP address / Subnet Mask / Default Gateway
  PPPoE: ISP Username / ISP Password

Internet connection from inside and out (UPLINK)
  Port 80 / Port 443 / Port 11444
  Web Proxy: Port to be used / IP address / Username / Password

Expansion slot (UPLINK2), only for SiteManager 2029 and 2129 for 3G (UMTS) / EDGE / GPRS
  SIM PIN code
  APN

GateManager Parameters
  GateManager IP address
  GateManager Domain Token
  GateManager Appliance Name
9. Notices

Publication and copyright

Secure & Seamless Remote Device Management, version 4.2, April 2010. Copyright Secomea A/S 2008-2010. All rights reserved. You may download and print a copy for your own use. As a high-level administrator, you may use whatever you like from the contents of this document to create your own instructions for deploying our products. Otherwise, no part of this document may be copied or reproduced in any way without the written consent of Secomea A/S. We would appreciate getting a copy of the material you produce in order to make our own material better and, if you give us permission, to inspire other users.

Trademarks

GateManager, SiteManager and LinkManager are trademarks of Secomea A/S. Other trademarks are the property of their respective owners.

Disclaimer

Secomea A/S reserves the right to make changes to this document and to the products described herein without notice. The publication of this document does not represent a commitment on the part of Secomea A/S. Considerable effort has been made to ensure that this publication is free of inaccuracies and omissions, but we cannot guarantee that there are none. The following paragraph does not apply to any country or state where such provisions are inconsistent with local law: SECOMEA A/S PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Secomea A/S shall not be liable for any direct, indirect, incidental, consequential, or other damage alleged in connection with the furnishing or use of this information.

Secomea A/S, Denmark, CVR No. DK 31 36 60 38
E-mail: sales@secomea.com
www.secomea.com