Can local production staff really control when remote access is allowed? Yes PleasE!
Let’s be fair & square: for the IT of a machine user, a remote access router, on a supplier’s machine, is nothing else than a more-or-less-legal trojan horse that they may or may not tolerate on the factory network.
The IT department is responsible for looking after the security and the integrity of the factory network, so the least you can do, as an OT supplier, is to go by their rules and follow the IT security recommendations of agencies worldwide, from the German BSI to the European ENISA and many others.
All MB connect line routers have the common feature to let the local staff control the VPN uplink to mbCONNECT24 public or private Remote Services Portal, so they can enable remote access only when it is needed.
Yet, mbNET and mbNET.rokey go one step further : local staff can also control when remote users can access the LAN ports and thus the machine.
Following Teletrust’s state of the art recommendations for secure remote access, the key has 3 positions:
- OFF: the VPN uplink is disabled, the device is disconnected from the remote access service.
- ONLINE: the VPN uplink is active, but the embedded firewall holds remote users from accessing the LAN ports. They can only access the device services, not the machine.
- REMOTE: VPN uplink is active and remote access to the machine is allowed.
This is especially useful when the device is part of an IoT project, as remote users can consult dashboards on the device without interfering with the machine or the device can take advantage of the secure link to transfer data to a central system.
Note: some users will prefer to use a strong mechanical handle on the control cabinet door or a soft button on the HMI, therefor mbNET & mbNET.mini offer such functionalities through onboard DIO’s.