Day in and day out, I work alongside machine builders who share a common problem: Once equipment has been shipped to a customer site, it is quite difficult to ensure that it is running properly and being adequately maintained.
I once heard the phrase, "even a Cadillac will fail prematurely if you drive it into a brick wall." Premature failure of the machinery (regardless of whose fault) can tarnish the image of the manufacturer, lead to increased warranty costs, and create tension between OEMs and end users.
But how do I (the machine builder) get access to the control system if it is operating inside a customer’s firewall?
Perhaps, in order to gain access to my machine data, I can convince the customer to create a port-forward rule, by opening an inbound port in their firewall. While not unheard of, opening a port is often described as "creating a hole in the firewall."
Even if this port forward is properly configured to access a secure piece of OT hardware, good luck explaining to your customer's IT department why you need to poke holes in their sacred firewall.
Virtual Private Networks
No problem! We’ll simply create a VPN (virtual private network), so that we can gain access over an encrypted channel, right?
Wait, did I say "no problem" and "simply"? We may have to take a step back…
Creating VPN connections requires additional complex hardware and software, and we still have to explain to the customer's IT department why they need to provide a secure encrypted channel to some third-party machine builder.
Outbound: a better way
But wait, isn’t there some way to SIMPLY report data?
YES, using automation controllers with edge data processing capabilities and IoT connectivity, we can simply report relevant data on an outbound basis—all without any additional hardware.
Involvement from IT is now unnecessary.
A great example is our new groov EPIC® (Edge Programmable Industrial Controller), which needs only to be plugged into power and an Ethernet network. It will grab an IP address automatically using DHCP and immediately begin reporting the data you need, over the internet.
Using publish/subscribe messaging protocols like MQTT with Sparkplug, the groov EPIC establishes secure, device-initiated connections to a broker using outbound communications only. Most firewalls allow outbound connections by default, so there's rarely a need for port forwarding or VPNs.
Perhaps you just want to send an email or text alert when certain parameters are out of range. Or maybe you want to collect data every second or minute to gain a better understanding of long-term trends on important data tags like temperature, vibration, current draw, gas line pressures, and more. Because the device keeps that outbound session open and subscribes to topics on the broker, the same connection carries messages back to the machine, so two-way communication is possible without any inbound port, and you can respond when problems appear.
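As an added example (not Opto 22 or groov EPIC code), the Python sketch below shows the edge side of that pattern: building Sparkplug-style topics, checking tags against operating ranges to raise alerts, sequencing DDATA payloads so the host can spot dropped messages, and allow-listing the commands that arrive back over the outbound session. The broker host, group/node/device ids, thresholds and command names are constructed placeholders, JSON stands in for Sparkplug's protobuf payload encoding, and opening the actual TLS connection assumes the paho-mqtt library is installed.

```python
"""Outbound-only MQTT telemetry for an edge controller.

Added example; not groov EPIC or Opto 22 code. Sparkplug B encodes payloads
as protobuf; JSON dicts stand in here so the logic runs offline. Broker
host, group/node/device ids, thresholds and command names are constructed.
"""
import json
import time

SPARKPLUG_NS = "spBv1.0"        # Sparkplug B topic namespace
GROUP_ID = "example-oem"         # constructed
EDGE_NODE_ID = "machine-0001"    # constructed
DEVICE_ID = "press"              # constructed

# Acceptable operating range per tag (constructed sample values).
THRESHOLDS = {
    "temperature_c": (10.0, 85.0),
    "vibration_mm_s": (0.0, 7.1),
    "current_a": (0.0, 40.0),
}

# Two-way traffic rides the same outbound session, so anything arriving on
# the command topic is untrusted input: only these metric names are acted on.
ALLOWED_COMMANDS = frozenset({
    "Node Control/Rebirth",
    "Device Control/Acknowledge Alarm",
})


def sparkplug_topic(msg_type, device_id=None):
    """Build a Sparkplug B topic: spBv1.0/<group>/<type>/<node>[/<device>]."""
    parts = [SPARKPLUG_NS, GROUP_ID, msg_type, EDGE_NODE_ID]
    if device_id:
        parts.append(device_id)
    return "/".join(parts)


def check_thresholds(sample, thresholds=THRESHOLDS):
    """Return [(tag, value, low, high)] for every tag outside its range."""
    out = []
    for tag, (low, high) in thresholds.items():
        if tag in sample and not (low <= sample[tag] <= high):
            out.append((tag, sample[tag], low, high))
    return out


def build_ddata(sample, seq, now_ms=None):
    """DDATA-style payload; seq wraps at 256 as in Sparkplug so the host
    application can detect missing messages."""
    ts = int(time.time() * 1000) if now_ms is None else now_ms
    return {
        "timestamp": ts,
        "seq": seq % 256,
        "metrics": [{"name": k, "timestamp": ts, "value": v}
                    for k, v in sorted(sample.items())],
    }


def handle_command(payload):
    """Filter an NCMD/DCMD payload: returns (accepted, rejected) metric names."""
    accepted, rejected = [], []
    for metric in payload.get("metrics", []):
        name = metric.get("name")
        (accepted if name in ALLOWED_COMMANDS else rejected).append(name)
    return accepted, rejected


def connect_outbound(host, port=8883, username=None, password=None):
    """Open the single outbound TLS session to the broker.
    paho-mqtt is imported lazily so the logic above runs without it."""
    import paho.mqtt.client as mqtt  # assumption: paho-mqtt is installed
    client = mqtt.Client(client_id=EDGE_NODE_ID)
    client.tls_set()  # system CA bundle; the broker certificate is verified
    if username:
        client.username_pw_set(username, password)
    # Last-will NDEATH lets the host learn that the edge node dropped off.
    client.will_set(sparkplug_topic("NDEATH"), json.dumps({"seq": 0}), qos=1)
    client.on_message = lambda c, u, m: print(handle_command(json.loads(m.payload)))
    client.connect(host, port)
    # Subscribing on the outbound session is what makes two-way traffic work.
    client.subscribe(sparkplug_topic("DCMD", DEVICE_ID), qos=1)
    return client


if __name__ == "__main__":
    sample = {"temperature_c": 92.5, "vibration_mm_s": 3.0, "current_a": 12.0}
    print(sparkplug_topic("DDATA", DEVICE_ID))
    print(json.dumps(build_ddata(sample, seq=1, now_ms=0)))
    print(check_thresholds(sample))
```

In production the `on_message` handler would dispatch only the accepted names and log the rejected ones, and `check_thresholds` would feed whatever alerting path (email, SMS, a Node-RED flow) the machine builder already uses.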
Recently, a customer of mine implemented an outbound data collection solution to troubleshoot machinery that was operating erratically. Using Node-RED (an open-source software tool offered as a standard with the new groov EPIC processor), this customer grabbed data from a machine operating overseas and forwarded the data into a database on Amazon’s cloud for analysis.
How does this change things?
I’m glad I asked! The ability to remotely monitor machinery more reliably could change your business model entirely.
You would know what's working on your machine and what needs improvement or redesign. You'd know how much your machine is being used. You'd know when maintenance is necessary.
I’ve heard of OEMs leasing their machinery to clients on a "per use" basis. For example, "every hour you run the machine we will charge you $xxx." This kind of lease could provide end customers with a clearer picture of their production costs and reduce their capital expenditures. Perhaps you could offer end customers incentives or rebates for adequately operating and maintaining the machinery, which would result in a longer life for the machine and lead to increased income for you.
What do you think?
Do you have experience monitoring remote assets inside of a client’s firewall? Or are you an IT/OT professional who has an opinion on what I’ve said here? I’d love to hear some of your experiences.