Industrial Ethernet

Why Use a VPN? - The Challenges and Benefits of Secure Remote Access

Mark Cooksley

As the processes and technology used in industrial settings rapidly evolve, the improved precision and efficiency of devices will need to be monitored in equally advanced ways. This need can be met with an emerging method of monitoring known as secure remote access.

Secure remote access uses a combined hardware and software system to simplify remote network access, programming and diagnostics. At a glance, it seems a cloud-based secure remote access solution would perform in essentially the same way a traditional Virtual Private Network (VPN) would. They both allow two IP-enabled devices to communicate securely with each other remotely over the internet, just as if the devices were connected over the same physical network. However, aside from this similarity, the advantages of secure remote access over traditional VPN links quickly add up.

Why Use a VPN? - 6 Challenges and How to Overcome Them

While VPN is more widely used today and meets the general needs of interconnecting remote networks, it has several drawbacks when compared to a modern, secure remote access approach:


1. Subnet Conflicts

VPN: Networks connected via a traditional VPN must not use the same local subnet. However, it is not uncommon for a machine builder or systems integrator, who may be managing hundreds of customer installations, to encounter two or more locations using the same subnet addresses. The result is the need to juggle NAT rules to reconcile the overlapping addressing schemes – a truly dreaded process.


Secure Remote Access: With secure remote access, all locations can use the same subnet, and all equipment can have the same IP address. The engineer and remote device are simply linked to each other.
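The subnet conflict above is easy to detect before a site-to-site link is configured. This is an added example, not code from the original article; the site names and address ranges are constructed sample data, and the check generalizes to nested ranges as well as identical ones.

```python
"""Find overlapping local subnets across customer sites before linking them.
Added example, not from the original article; site names and address ranges
are constructed sample data. Overlapping sites cannot be joined through one
site-to-site VPN without NAT rules, which is the conflict described above."""
import ipaddress
from itertools import combinations

# Constructed inventory: each customer site and the local subnets it uses.
SITES = {
    "plant-a": ["192.168.1.0/24", "10.10.0.0/16"],
    "plant-b": ["192.168.1.0/24"],   # identical to plant-a: classic conflict
    "plant-c": ["10.10.5.0/24"],     # nested inside plant-a's /16
    "plant-d": ["172.16.40.0/22"],   # disjoint from everything else
}


def find_subnet_conflicts(sites):
    """Return sorted (site_a, site_b, net_a, net_b) tuples for every pair of
    subnets at different sites that overlap (identical or nested ranges)."""
    parsed = {name: [ipaddress.ip_network(n, strict=True) for n in nets]
              for name, nets in sites.items()}
    conflicts = []
    for (a, nets_a), (b, nets_b) in combinations(sorted(parsed.items()), 2):
        for net_a in nets_a:
            for net_b in nets_b:
                if net_a.overlaps(net_b):
                    conflicts.append((a, b, str(net_a), str(net_b)))
    return sorted(conflicts)


def sites_needing_nat(sites):
    """Names of sites that take part in at least one conflict."""
    names = set()
    for a, b, _, _ in find_subnet_conflicts(sites):
        names.update((a, b))
    return names


if __name__ == "__main__":
    for a, b, net_a, net_b in find_subnet_conflicts(SITES):
        print(f"{a} {net_a} overlaps {b} {net_b}: NAT needed on a traditional VPN")
```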


2. Routing Challenges

VPN: Connecting two remote networks with a traditional VPN via a central VPN concentrator requires configuration and management of advanced forwarding and routing rules. Additionally, the routing equipment usually needs to support NAT traversal (NAT-T) and User Datagram Protocol (UDP) encapsulation. Traditional VPNs are suitable for one-to-one or many-to-one connections, but not for one-to-many (one engineer to many sites) or many-to-many (many engineers to many sites).


Secure Remote Access: Cloud-based systems for remote access easily administer thousands of engineers needing access to thousands of sites, including management of individual access rights.


3. Firewall Opening Challenges

VPN: Traditional IPsec-based VPNs require dedicated inbound ports to be opened on the firewall, and any protocol permitted through that opening is exposed to attackers.


Secure Remote Access: All relay VPN connections are established from the inside out (outbound from the site), and only standard Web ports are used. These encrypted connections are terminated at the central internet-based server, and the link between an engineer and a device is established dynamically over them.


4. Firewall Blocking Challenges

VPN: A VPN routes all traffic (not just the protocols you need) unless you make the effort to create and manage a set of firewall rules.


Secure Remote Access: Device agents are automatically limited to the ports or services defined for their agent type, and they are only activated when an engineer connects to the agent representing the end device.


5. Activity Logging

VPN: The principle of traditional VPN is to connect two networks and have everything accessible between the two peers. It is possible to restrict what traffic is allowed through the VPN (the function is called Traffic Selector), but that goes against the purpose of the VPN. When you have so much traffic passing through a VPN, it is impractical to log all activity.


Secure Remote Access: Because traffic travelling between secure remote access points has to be tightly specified, it is easy to log the activity in the process. When you are connecting to someone else’s network, it is smart to have easy access to these activity logs, which is an added benefit secure remote access can provide.


6. Concentrator Management

VPN: Typical IPsec-based VPN solutions require an IT-administered concentrator, since they demand networking knowledge. Also, individual concentrators must typically be installed at each service provider to avoid very complex triangular routing and firewall setups.


Secure Remote Access: The concentrator in a cloud-based solution is a central service where each service provider gets an isolated account. Here the administrator issues account certificates and controls dynamically what equipment and which sites each service engineer should be allowed to access. There is no networking or other IT skillset required.
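Points 4, 5 and 6 above describe a broker that forwards only the ports defined for an agent type, grants access per engineer and device, and logs every decision. The following is an added example that sketches such a check; it is not code from the article or from any vendor product, and every name, agent type and port number in it is a constructed assumption.

```python
"""Broker-side access check for a relay-based secure remote access service.
Added example, not code from the article or any vendor product; every name,
agent type and port below is a constructed assumption. It models the points
above: agents expose only the ports for their agent type, the administrator
grants access per engineer, site and device, and every decision is logged."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Agent type -> the only TCP ports the relay will forward to such a device.
AGENT_PORTS = {
    "plc": {102, 502},        # S7comm, Modbus/TCP
    "hmi": {80, 443, 5900},   # web panel, VNC
    "rdp-host": {3389},
}


@dataclass
class Broker:
    devices: dict   # site -> device -> agent type, registered by the gateway
    grants: dict    # engineer -> set of (site, device) pairs the admin allowed
    audit: list = field(default_factory=list)

    def authorize(self, engineer, site, device, port, now=None):
        """True only if the engineer holds a grant for the device and the port
        is allowed for its agent type; every decision is appended to audit."""
        agent_type = self.devices.get(site, {}).get(device)
        if agent_type is None:
            allowed, reason = False, "unknown device"
        elif (site, device) not in self.grants.get(engineer, set()):
            allowed, reason = False, "no grant for engineer"
        elif port not in AGENT_PORTS.get(agent_type, set()):
            allowed, reason = False, f"port not permitted for agent type {agent_type}"
        else:
            allowed, reason = True, "ok"
        self.audit.append({
            "ts": (now or datetime.now(timezone.utc)).isoformat(),
            "engineer": engineer, "site": site, "device": device,
            "port": port, "allowed": allowed, "reason": reason,
        })
        return allowed


def denied_events(broker):
    """Audit entries for refused connections, the ones worth reviewing."""
    return [e for e in broker.audit if not e["allowed"]]
```

Because the relay only ever sees traffic that passed this check, the audit list is both small and complete, which is the logging advantage claimed in point 5.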


Benefits of Secure Remote Access

Although the complexity cannot be removed from current processes completely, a secure remote access solution requires far less technical knowledge than traditional VPN concentrators.


Here are a few of the most apparent benefits:

  • Easy to implement – Simple configuration settings allow those with limited technical knowledge to network devices together.
  • No intervention required by IT departments – This is achieved by using only outgoing connections on ports that are normally already open on corporate firewalls (HTTP / HTTPS).
  • Secure – State-of-the-art security technology results in a secure system. A secure remote access solution uses relevant IT security components for internet-based communication, such as strong end-to-end encryption, two-factor security, event audit trails and role-based account management.
  • Greater flexibility – Cloud-based secure remote access solutions allow simultaneous access by multiple users to multiple services on the same device (HTTP, TELNET, FTP, remote desktop, SCADA systems, etc.). The flexibility lies in the ability for these services to be accessed through standard ports, which are already open through a firewall.

How to Know if Secure Remote Access Is Right for You

Knowing the benefits of secure remote access is meaningless unless you can identify opportunities to implement it in your applications or networks.


Have you ever reported a problem with your PC to your IT department? Of course you have. What happened once you did? Did they visit your desk personally? Unless they happened to already sit next to you, then that’s doubtful. What they likely did was remotely access your PC and fix the problem. Why? Because it allowed them to respond quickly, it was an efficient use of their time, and if they are in a different geographical location, it saved travel costs.


When it comes to remote access, industrial users have the same requirements for the same reasons. Here are some ideal applications:

  • Remote PLC programming and diagnostics of industrial equipment – remote programming using your standard PLC and HMI tools, just as if you were on-site.
  • Remote control and monitoring of industrial equipment – remote control and monitoring using your PC, iPhone or Android device, Web virtualized devices, remote desktops, and HMI app access.
  • Remote data logging of industrial equipment – let your log server fetch real-time data from any devices transparently through firewalls and IP networks.
  • Remote technical support – temporarily connect to the cloud, with no hardware required, and provide instant technical support or connect with access points. This could be within your company or helpful for machine builders, system integrators or other vendors who may provide technical support to your company.
  • Centralized control – from a central location, users can temporarily connect to conduct uniform monitoring and maintenance with many remote access points at once.

If any of these applications seem relevant, it should also be said that the cost of moving to secure remote access does not involve a large capital investment. And perhaps most importantly, expanding the solution does not require expansion of personnel to maintain the solution.



Although there are many remote access solutions on the market, most started as IT solutions and are now being shoehorned into industrial environments. Solutions such as these are complex for all administrators and users and a far cry from the simplicity offered by a sophisticated industrial secure remote access solution.


True secure remote access solutions are also complex, but the complexity should be moved from the user to the system administrator. This way, the knowledge is centralized among a few employees rather than being required across the entire organization.