Factorytalk Viewpoint Architecture

  • #18291
    mbilal83
    Participant
      Karma: 12
      Rank: Padawan

      I need to provide remote read-only access to my FT Studio SE HMI. The purpose is to have the ability to view operator screens remotely.
      I was planning to use FT ViewPoint and have it set up as well, but it requires a connection to the same network in order to access the desired PC. Unfortunately, a VPN connection is not feasible due to certain IT restrictions.
      Is there any way users can have access to the operator screens either with or without FT ViewPoint without a VPN while they are outside the facility network?
      Can the FT ViewPoint server be hosted in a cloud where multiple parties can directly access it?

      #18367
      PLCGurutfgmedia_admin
      Keymaster
        #18599
        whiskyjim
        Moderator
          Karma: 262
          Rank: Jedi

          You’ve mentioned VPN restrictions a couple of times.  Reading between the lines a bit here, but let me see if I can summarize your situation.

          1. You have an entity outside your company’s IT security boundary that needs to have read-only access to your operation screens running on some type of HMI display.  (You don’t say specifically what display you’re using for the operator screens, but you did mention “PC” at one point.)
          2. Your IT security policy will not allow or support the use of a VPN to connect to the network the displays are on.

          Does that sum it up correctly?

          Is there any way users can have access to the operator screens either with or without FT ViewPoint without a VPN while they are outside the facility network?

          I don’t know what your IT security policy is, but if it’s like most companies I have dealt with, what you are asking for is usually strictly forbidden.  First, most companies don’t expose the “Operational Technology” networks to the Internet because the security posture of the equipment on that network (PLCs, PACs, VFDs, I/O cards, etc.) is such that they are easy targets for bad guys.  Second, VPN technologies are typically used to allow a known entity, whose end user device security is controlled by the company, to access internal networks.  The VPN provides a tunnel through which devices can communicate securely.  The VPN doesn’t control what the person on the other end can do once the connection is established.  If the guy on the other end connects a machine that has a virus or other malware on it, that infection can jump to your internal network.  It’s also possible that a bad actor could “hop” through the remote device and get into your internal network.

          You mentioned that the external entity needs read-only access.  Does that mean they need to be able to manipulate the screens or just watch someone else manipulate the screens?  If the network where the screens are located can access the internet, you may be able to use a tool like TeamViewer.  TeamViewer allows remote viewing of a PC or Mac screen.

          Fred provided a link to a thread on using VNC.  VNC wouldn’t work here with exposing the internal network or requiring a VPN.  If, however, you had a PC that was dual homed (a network connection to your OT network and a network connection to a network with access to the internet), it may be possible to use a combination of VNC Viewer and TeamViewer running on that PC to accomplish what you want.  The PC could use VNC Viewer to connect to the HMI display while using TeamViewer to share screen views with the remote entity.

          My apologies for all the network speak.

          Jim
          IT/OT Engineer
