Mobile human-machine interface (HMI) access is a necessity for many industrial automation applications, and two typical methods exist to implement this connectivity with routers and virtual private networks (VPNs):
- Standard router without VPN
- Cloud-hosted VPN router.
The first is a standard router. Although it is not secure, it is still used in many existing mobile HMI applications, and even in some newer ones. Its primary attraction is low cost, but this approach is discouraged: enabling port forwarding in the firewall exposes the network to external threats and poses significant cybersecurity risks.
A cloud-hosted VPN router reduces information technology (IT) complexity by creating an encrypted connection from a local VPN router to a cloud-hosted VPN router via the internet. Remote users can securely access the local components and systems via the cloud-hosted VPN router. This option provides a high degree of cybersecurity, along with simpler configuration and maintenance.
A third option, a traditional VPN router implementation, is not considered here because of the complexity of deploying this type of connection. It involves opening inbound connections and creates complications and risks similar to those of a standard router implementation.
To compare the two types of remote access for mobile HMIs, whether accessed from a laptop, smartphone or tablet, see the table summarizing their differences.
Table: Comparison of remote access HMI connections

| | Standard router | Cloud-hosted VPN router |
|---|---|---|
| HMI programming from a laptop PC | Not secure | Secure |
| Third-party mobile app support | Not secure due to port forwarding | Secure through mobile VPN |
| Security risk – laptop | High | Low |
| Security risk – mobile | High | Low |
| Changes to existing firewall | Required | Not required, although an outbound rule may be required |
| Required technical expertise | Medium | Low |
| Data dashboards, alerts | Typically not available | Available through subscription |

Standard router for HMIs
In many industrial applications, a standard router and firewall are used to protect the corporate and industrial plant network (Figure 1), requiring users to manually configure and manage all routing and firewall settings. This type of router does not usually have a VPN to encrypt data; instead, port forwarding “holes” are created in the firewall so that remote users can access specific applications and components in the plant network.
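
The following is an added example, not part of the original article: a defender-side audit that lists the port-forwarding "holes" described above from a router's NAT table and flags those reachable from any internet source. It assumes a Linux-based router whose rules are available as `iptables-save` output; the interface name `wan0`, the addresses and the ports are constructed for illustration.

```python
import shlex

# Constructed sample of `iptables-save` output from a hypothetical plant edge router.
# Interface name, addresses and ports are invented for this example.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i wan0 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.10.20:5900
-A PREROUTING -s 203.0.113.0/24 -i wan0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.10.21:80
-A POSTROUTING -o wan0 -j MASQUERADE
COMMIT
"""


def find_port_forwards(rules_text, wan_iface="wan0"):
    """Return one dict per inbound DNAT (port-forward) rule on the WAN interface."""
    findings = []
    for line in rules_text.splitlines():
        if not line.startswith("-A PREROUTING"):
            continue  # only PREROUTING rules can forward inbound traffic
        tokens = shlex.split(line)
        # Map each option flag to the value that follows it.
        opts = {t: tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t.startswith("-")}
        if opts.get("-j") != "DNAT" or opts.get("-i") != wan_iface:
            continue
        source = opts.get("-s", "0.0.0.0/0")
        # iptables-save writes a negated match as "! -s <net>"; that still admits
        # nearly every internet address, so treat it as unrestricted.
        negated = "-s" in tokens and tokens[tokens.index("-s") - 1] == "!"
        findings.append({
            "wan_port": opts.get("--dport", "any"),
            "target": opts.get("--to-destination"),
            "source": ("!" + source) if negated else source,
            "open_to_internet": negated or source == "0.0.0.0/0",
        })
    return findings


if __name__ == "__main__":
    for f in find_port_forwards(SAMPLE_RULES):
        level = "HIGH" if f["open_to_internet"] else "REVIEW"
        print(f"[{level}] WAN port {f['wan_port']} -> {f['target']} (source {f['source']})")
```

A router that relies only on an outbound connection to a cloud-hosted VPN, as in the second option above, should produce no findings from this check.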