Morehouse Engineering Inc. is an engineering firm located in Hopewell, N.J. Since 1993, the company has been involved in a variety of control projects, ranging from basic pump control to instructional tools for laparoscopic surgery. Today Morehouse provides its clients with full service, from research, analysis and design to fabrication, programming, installation, and troubleshooting of plant process systems.
One of our specialties at Morehouse Engineering is designing proprietary Command and Control SCADA systems. SCADA (Supervisory Control and Data Acquisition) systems are designed to monitor and control various processes. These processes could be as simple as a small pump station to a distribution system that covers thousands of square miles. SCADA systems are used in many industries, such as water/wastewater, oil & gas, electricity, and transportation.
In any SCADA system, there is typically one or more Programmable Logic Controller (PLC) and a Graphic User Interface (GUI). The PLC portion can consist of a single small unit with a couple dozen input/output (IO) points or a hundred controllers with thousands of IO points. In these larger systems, the various PLCs may be located in a single plant or scattered over an entire county.
The GUI is the visual interface that the operator uses to monitor and control the process. This is usually a program running on a PC but often includes small operator interfaces located near the process equipment. All of these components are connected, and this connection is very often a standard Ethernet network. Ethernet offers a resilient standardized and economical communications platform that is being used in all industries.
Figure 1. Morehouse Engineering needed to help the customer manage the facility remotely. It also needed to remote-connect to the PLCs with programming software and protect the system from Internet threats. (Photo courtesy of Morehouse Engineering)
Morehouse Engineering’s SCADA systems are designed to make the most of the PLC and GUI capabilities. The company’s SCADA systems have online troubleshooting and complete Web-enabled access. The SCADA systems are often integrated with historical databases. The historian provides the basis for efficiently recording and managing large volumes of time-stamped data for analytical evaluation.
Morehouse Engineering deploys robust, reliable, and configurable SCADA systems across the area in a number of different applications. To maintain these systems and troubleshoot the problems that arise, Morehouse could spend time and money traveling to the sites, or it could remotely access them via phone or Internet.
Remote Technical Support
As a systems integrator, Morehouse Engineering is frequently called upon to troubleshoot problems at various plants. The company’s customers have come to expect outstanding technical support.
In the past, with many of its clients, Morehouse used remote access dial-in Ethernet modems to go online with the PLC processors. Recently, however, the company is finding telephone lines to be troublesome. Phone systems’ aging copper lines are more prone to noise and connection problems, especially with data. Minor noise or static is not a problem when two people are talking, but it can distort data communications. The slower speed also proves to be a frequent problem. To ensure the best service possible, Morehouse needs more reliability.
One of its customers, a water treatment facility, was somewhat ready for Internet-based remote access. The original SCADA network was connected directly to the Internet, which allowed the operating staff to easily monitor the plant from home using PCAnywhere. However, being connected directly to the Internet poses tremendous security risks, both from hackers and from viruses and malware. Further, this approach prevented the PLC programming software from properly connecting to the PLCs, as the software is not designed to deal with the complexities of Internet traffic.
The water treatment plant needed a solution that would allow it to connect to the plant’s SCADA network through the Internet, while at the same time protecting it from unauthorized access.
|Figure 2. The FL mGuard RS2000 can be mounted on a DIN rail and uses 24 VDC power, making it better suited for industrial installation than VPNs designed for commercial use. (Photo Courtesy of Morehouse Engineering).|
Solution: Access for the Industrial Environment
In this application, Morehouse needed to provide remote access in a way that could:
- Accommodate the customer’s needs to remotely manage its facility;
- Allow remote connect to the PLCs with the programming software; and
- Protect the system from Internet-based threats.
Ideally, the solution would be designed for an industrial environment. Unfortunately, most of the security appliances on the market are designed for the office environment, but Morehouse found the Phoenix Contact FL mGuard met the needs of an industrial installation.
The mGuard product line is a family of security devices that provides all-in-one firewall, routing and VPN capability for industrial networks. The mGuard devices combine the needs of the IT world with rugged hardware for harsh environments. The specific model used, the mGuard RS2000, is DIN rail-mountable and has 24 VDC power, making it better suited for industrial installation than our previous solution.
|Figure 3. In any SCADA system, there is typically one or more Programmable Logic Controller (PLC) and a Graphic User Interface (GUI). The GUI is the visual interface that the operator uses to monitor and control the process. (Photo courtesy of Morehouse Engineering)|
It is the VPN, or Virtual Private Network, capability that provided the solution needed for the water treatment plant. This feature allows a network to be connected to the Internet, but acts as a very secure gateway, preventing unauthorized access to the system. The VPN, along with free software that provides the encryption and security keys, ensures that only those who have been given the access information can connect to the SCADA network. In addition, once the VPN connection is established, it is like being connected directly to the local network. The PLC programming software easily recognizes the equipment and can connect without a problem.
Originally Morehouse had hoped that the mGuard’s input signal would make it easy to enable and disable the VPN connection. However, this feature only works when the unit is configured as a client and not as a server. Morehouse’s applications required it to use the devices as servers, so this feature was not usable, which was a bit disappointing, but the mGuard’s Stealth mode was very helpful.
When the mGuard is operated in Stealth mode (the factory-default setting), the user doesn’t need to reconfigure the clients connected to the internal interface of the mGuard (the local SCADA network). The user simply needs to connect the mGuard between the clients that need to be protected and the Internet-connected network. When operating in Stealth mode, the mGuard is completely transparent. The IP addresses of the clients do not change. This hides all processes listening on the TCP and UDP ports from the outside network, which prevents a port scanner from detecting them. All unwanted or unauthenticated traffic from the outside is dropped.
The mGuard’s Stealth mode allowed the main Internet-connected network to interact with the SCADA sub-network. With the mGuard in Stealth mode, we simply configured the internal and external ports to allow easy but protected access from remote PCs, even though they were on different networks. The firewall, antivirus and VPN settings can all be made using a Web browser, so that no changes need to be made on the computer itself. The units can also be configured to all Internet-based connection between different SCADA networks, for when a PC is not needed.
With the first installation, Morehouse spent more time on the setup than it had expected, but some of that was due to a lack of experience with some advanced details of networking. The second installation was peculiar due to the strange way the customer’s networks were configured. It took some extra effort between Morehouse and Phoenix Contact, but the mGuard was able to handle the odd circumstances. Phoenix Contact guided Morehouse through some of the details of networking and was always available to call for help.
|Figure 4. With the installation of the mGuard RS2000, Morehouse Engineering can quickly and securely connect to the plant network. The industrial VPN has a more reliable connection and has proven easier to use than a dial-up connection. (Photo courtesy of Morehouse Engineering)|
Shortly after installing the mGuard, the water treatment plant contacted Morehouse with a problem and asked for help. Morehouse was able to quickly and securely connect to the plant network and go online with the processors. Since then, the water treatment plant says the ease and reliability of the connection has been a great relief compared to the previous dial-up connection.
Matt Maloney is a systems engineer for Morehouse Engineering Inc., where he is responsible for technical support. Morehouse Engineering provides clients with full service, from research, analysis and design to fabrication, programming, installation, and troubleshooting of plant process systems.