Enabling secure remote access in building automation and energy monitoring applications is a major challenge. Will Darby, managing director of Carlo Gavazzi considers the advantages of Virtual Private Networks in preventing cybersecurity breaches.

The ubiquity of Internet of Things (IoT) objects has grown exponentially, transforming the way we both work and consume. Energy monitoring and building automation systems are following this trend with increasing interconnection to the Internet. Typically, users want to control their devices from their smart phones while system integrators prefer to solve problems remotely by connecting from their office to their customers’ plant to avoid having to visit, which saves both time and money.

While there are obvious benefits to remote access, the downside is that it can also expose a system to cyberattacks. A wide range of operational and maintenance scenarios in the IoT space rely on end-to-end device connectivity to enable users and services to interact. While IoT devices may seem too small or too specialised to be dangerous, they are best considered as network-connected computers that can be hijacked by attackers.

Even the most mundane device can become dangerous when compromised over the internet. And, once attackers have control, they can steal data or commit any other cybercrime they'd do with a computer.

One method of ensuring secure, remote access to IoT devices is through a Virtual Private Network (VPN). A VPN enables a company network to be isolated from the internet through the use of an IP address which permits access only from authorised external devices.

Provided there are adequate authentication procedures in place to control access, the target IoT device will be securely interconnected with a user's PC over internet through an encrypted channel or 'VPN tunnel'. This tunnel goes through the public internet, but the data sent back and forth through it is protected by encryption and security protocols to help keep it private and secure. Nobody, not even those on the same Wi-Fi network, can monitor or intercept the traffic and decipher the data.

The advantages of a VPN include:

  • Ease of use: it allows a seamless connection from field devices to a Cloud-based server through gateways
  • It enables secure, remote control of devices and remote problem solving, without the need for operators to visit the field, saving both time and money
  • A VPN eliminates the difficulties of accessing devices concealed behind firewalls and makes it easier to manage firewall rules
  • A VPN also avoids Network Address Translation (NAT) issues which can occur when mapping multiple local private addresses to a public one before transferring the information.
  • In addition, the VPN's data encryption will provide protection against insecure Wi-Fi

When it comes to responsibility for cybersecurity of an energy monitoring or building automation system, all parties involved in setting it up and its operation have a role to play. The software supplier, for example, has a responsibility to provide recognised security measures and technical documentation; the device supplier has a responsibility to develop both software and hardware security measures and to provide technical documentation; the system integrator must implement system security measures and provide technical documentation; while the end-user/operator must use the system security measures and test, audit and certify the system. End users also have a responsibility to ensure users' security training is up to date.

It should always be remembered that cybersecurity is a process not a product. By simplifying common actions VPNs and remote access tools allow users to focus their efforts on maintaining the system to improve cybersecurity. While a VPN can facilitate procedures it does not change peoples' roles or responsibilities; it should always be remembered that cybersecurity is the result of collective efforts of coordinated users.

For a business looking to improve the cybersecurity of its BEMS with the addition of a VPN, one option is to build and maintain a dedicated VPN platform. This can be expensive. Instead, using a Platform as a Service (PaaS) system can provide users with VPN access via the Cloud but without the need to install and maintain the hardware, software and infrastructure.

Carlo Gavazzi's MAIA Cloud is a PaaS-based solution developed to allow a secure, seamless connection of remote devices through its Universal Web Platform (UWP) 3.0 Gateways. The UWP 3.0 Edge separates Cloud-based services from the fieldbus while enabling data to be transmitted between the local network and the Cloud. Users with access to the MAIA Cloud can easily reach the gateways and endpoints, provided they have the necessary access rights, using a standard web browser and a PC application called the MAIA Cloud Connector.

The benefit of a MAIA Cloud solution is that its VPN tunnels are provided with best-in-class authentication. Users always need to authenticate themselves to a trusted portal before being able to access the system; to prevent any misuse, permissions for access for specific users or user groups can easily be set by the organisations administrator.

Data breaches in today's highly connected world have become commonplace with news headlines frequently shouting about major organisations falling prey to cyber attackers. These headlines are a warning that security should be a top priority for any business that allows remote access to its systems. Without a remote access VPN, these companies are putting their private information (as well as their employee and customer data) at risk.