Engineer in a Box from Grantek
August 18, 2020
What is Engineer in a Box?
It is an easy-to-use, elegant solution consisting of a plug-in network device that provides secure access to any piece of equipment on a facility’s network. Grantek provides the hardware and the ability to utilize a wide variety of ICS applications and tools and Dispel provides the secure cloud infrastructure for connecting to the device.
The traditional practice of establishing remote access to the ICS through a corporate IT-managed system can further complicate the tasks required to implement, update, maintain and troubleshoot ICS assets. Grantek, partnering with Dispel, is pleased to offer Engineer in a Box, the simple, secure way to rapidly gain access to a manufacturing facility’s ICS equipment and applications from anywhere, at any time.
The network device (hardware) does the following:
– Establishes an encrypted connection to an Enclave on the Dispel cloud. An Enclave is a group of virtual machines (VMs) leased from public or private clouds and networked together over private interfaces (10.8.X.X). Enclaves are Moving Target Defense networks that provide a non-attributable pathway for end-to-end encrypted connectivity, either to the Engineer in a Box device or to cloud resources in the Enclave. All connections to an Enclave are protected within two layers of AES-256, with independent 4096-bit RSA for the initial key exchange.
– Enables connections to ICS devices only as permitted by an internal whitelist.
– Connects to the Enclave over the facility’s LAN or Wi-Fi, or over an optional cellular connection.
Dispel’s secure connection technology is more than a virtual private network (VPN). When a user requests a connection to the ICS network from a remote location, a virtual desktop, pre-loaded with the required programming software, is created in the cloud for that session. The path from the new virtual desktop to the on-site device is configured on the fly to give access to the required equipment. In this way, a qualified remotely located engineer, or Grantek support staff, can assist personnel on the plant floor with troubleshooting or other support services as needed.
The Engineer in a Box solution can be used for system development, commissioning or troubleshooting. After consulting with the customer to determine how best to support the customer’s equipment, Grantek pre-configures the industrial software for the customer in the Dispel cloud environment.
The cloud server is reachable by the user over the public internet. Though that may seem insecure at face value, only the enclave can reach the Engineer in a Box: the device accepts no other connections, even though its own traffic to the enclave crosses the public internet. A user logs into Dispel’s site with Dispel credentials (a username and password; the system can also be configured for two-factor authentication or Active Directory integration if desired).
Once the login is complete, the user requests a new server from the platform, and the website returns a new IP address together with a unique username and password for it. RDP is then used to connect to that public cloud server. The new server, in turn, reaches the machine through the Engineer in a Box using Dispel’s Moving Target Defense technology.
To enhance security, the onsite Engineer in a Box only ever initiates the connection to the cloud; any incoming connection attempt to the device is rejected. It connects only to Dispel’s enclave in the cloud and can reach nothing else. Access to the ICS network therefore hinges on the enclave side of that tunnel: who is permitted to log into the Dispel platform, and which ICS targets the device’s internal whitelist permits.
Virtual desktops serve as portals through which authorized users can securely reach an asset, even from an untrusted computer. A virtual desktop is created when a vendor or other user logs in and destroyed when the user logs out. The virtual desktop image can be set up with the programming software your remote staff and outside vendors need to support your facility.
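The three properties just described (the device only initiates connections, it talks only to the Dispel cloud, and sessions arriving through the enclave may reach only whitelisted ICS targets) are the part of this design a security reviewer can verify on the device itself. The following is an added example and not Grantek’s or Dispel’s code: a small policy model that decides individual flows under those rules and renders the equivalent nftables ruleset. The enclave range (derived from the 10.8.X.X the page mentions), the cloud endpoint 203.0.113.10:443, the device address 192.168.50.10, the interface names and the allowlist entries are all assumed sample values.

```python
"""Policy model for an outbound-only ICS access device with a target allowlist.

Added example (not Grantek's or Dispel's code). Every address, port and
interface name below is an assumed sample value.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ENCLAVE_NET = ip_network("10.8.0.0/16")                    # assumed; page gives 10.8.X.X
CLOUD_ENDPOINT = (ip_address("203.0.113.10"), 443, "tcp")  # assumed Dispel cloud endpoint
DEVICE_IP = ip_address("192.168.50.10")                    # assumed device address on the ICS LAN
ALLOWLIST = [                                              # assumed ICS targets the device may forward to
    (ip_network("192.168.50.21/32"), 44818, "tcp"),  # PLC, EtherNet/IP explicit messaging
    (ip_network("192.168.50.30/32"), 502, "tcp"),    # Modbus/TCP gateway
]


@dataclass(frozen=True)
class Flow:
    """One connection attempt. iface is where it enters the device:
    "lan" = facility ICS network, "tun" = enclave tunnel, "local" = the device itself."""
    iface: str
    src: str
    dst: str
    dport: int
    proto: str


def decide(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason) for a flow under the device policy."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    # Rule 1: nothing on the facility LAN may open a connection to the device.
    if flow.iface == "lan" and dst == DEVICE_IP:
        return False, "inbound to device rejected"
    # Rule 2: the device's own traffic may go only to the cloud endpoint hosting the enclave.
    if flow.iface == "local":
        if (dst, flow.dport, flow.proto) == CLOUD_ENDPOINT:
            return True, "device -> enclave tunnel"
        return False, "device may only reach the Dispel cloud"
    # Rule 3: sessions arriving through the tunnel must originate inside the enclave
    # and may reach only allowlisted host/port/protocol triples.
    if flow.iface == "tun":
        if src not in ENCLAVE_NET:
            return False, "tunnel traffic must originate in the enclave"
        for net, port, proto in ALLOWLIST:
            if dst in net and flow.dport == port and flow.proto == proto:
                return True, f"allowlisted {dst}:{port}/{proto}"
        return False, "target not on allowlist"
    # Rule 4: the device is not a general router; in particular an ICS host
    # cannot initiate a connection back into the enclave.
    return False, "default deny"


def render_nftables(tun_if: str = "tun0") -> str:
    """Render the same policy as an nftables ruleset (tunnel interface name assumed).
    A fixed cloud address is assumed; if the device needed DNS or NTP, those
    would require their own accept rules in the output chain."""
    cip, cport, cproto = CLOUD_ENDPOINT
    forward_rules = [
        f'    iifname "{tun_if}" ip saddr {ENCLAVE_NET} ip daddr {net} {proto} dport {port} accept'
        for net, port, proto in ALLOWLIST
    ]
    return "\n".join([
        "table inet eib {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",   # Rule 1
        '    iif "lo" accept',
        "    ct state established,related accept",
        "  }",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",  # Rule 2
        '    oif "lo" accept',
        "    ct state established,related accept",
        f"    ip daddr {cip} {cproto} dport {cport} accept",
        "  }",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",  # Rules 3 and 4
        "    ct state established,related accept",
        *forward_rules,
        "  }",
        "}",
    ])


if __name__ == "__main__":
    # Constructed sample flows, not captured traffic.
    samples = [
        Flow("lan", "192.168.50.77", "192.168.50.10", 22, "tcp"),    # LAN host -> device
        Flow("local", "192.168.50.10", "203.0.113.10", 443, "tcp"),  # device -> cloud
        Flow("tun", "10.8.3.4", "192.168.50.21", 44818, "tcp"),      # enclave -> PLC
        Flow("tun", "10.8.3.4", "192.168.50.21", 22, "tcp"),         # enclave -> PLC, unlisted port
        Flow("lan", "192.168.50.21", "10.8.3.4", 3389, "tcp"),       # PLC -> enclave
    ]
    for f in samples:
        print(f"{f.iface:5} {f.src}->{f.dst}:{f.dport}/{f.proto}  {decide(f)}")
    print(render_nftables())
```

Running the module prints the decision for each constructed flow and then the ruleset; on a real device the rendered text would be loaded with `nft -f`. The review check this models is simple: all three chains carry a drop policy, the output chain accepts only the cloud endpoint, and the forward chain accepts nothing broader than the whitelist.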
Benefits of Engineer in a Box
Other vendors may offer a remote access solution, but Engineer in a Box is unique for the following reasons:
Initially, Grantek works with each customer to determine the best way to fulfill the customer’s needs, and then configures the required software in the Dispel cloud.
In a situation where Engineer in a Box will be used as-needed for software changes or troubleshooting, the only setup needed on the plant floor is for someone at the facility to power on the device and plug in an Ethernet cable when it is necessary to connect the device to the facility’s ICS network or to a specific piece of equipment. The remote user logs into the cloud platform and the device connects to the Dispel secure cloud via the facility’s Wi-Fi, LAN or an optional 5G or LTE cellular connection.
Engineer in a Box may also remain permanently on the facility network – such as within the Industrial DMZ – so it is always available. This is advantageous when doing system development. One device can be used, or a device can be located at each facility in the enterprise. Whether the device is moved around as required or left physically connected to a site’s ICS network at all times, the connection to the cloud utilizes a moving target defense, where the servers are created for each session and then destroy themselves when the user logs off.
Remote testing capabilities
Engineer in a Box can be used to conduct remote testing of new or upgraded ICS equipment, which is a benefit and timesaver as the COVID-19 pandemic requires sites to limit physical access even more than usual.
Cost savings are realized by performing activities remotely instead of bringing personnel onsite. Just ship Engineer in a Box to the location where a new machine needs to be commissioned. Because the software is in the cloud, all that is needed onsite is the Engineer in a Box device and an internet connection. The ability to perform commissioning without having to send personnel to the site saves travel costs, engineering expense, simplifies scheduling, and of course saves time.
Reduced downtime: Downtime is reduced by allowing remote troubleshooting—instead of flying in a vendor’s support engineer and waiting until they arrive onsite, Engineer in a Box allows the same personnel to remotely access the plant equipment much more quickly to perform troubleshooting and get the machine back online in less time.
Reduced travel costs: As demonstrated during the pandemic, travel costs are significantly reduced by eliminating the need for in-person visits to a facility. This is predicted to be a benefit that will persist even after the pandemic is brought under control.
Reduced setup costs: The traditional build and setup of an onsite, dedicated server can cost tens of thousands of dollars. With the Dispel security platform and Grantek’s services, a cloud server can be up and running in days versus months.
The cloud-based software can be used for troubleshooting or programming. For example, PLC programming software can be deployed in the cloud, and an Engineer in a Box device can be shipped to each facility in an enterprise. Your developers can write the programming for any facility in the cloud and deploy it as needed, without having to visit the site.
Flexibility is one of the biggest advantages of using Engineer in a Box. A customer may choose to buy an Engineer in a Box for each of their facilities, and Grantek will set up the required software on the cloud platform. Any facility can then access the software in the cloud when needed. For troubleshooting, facility staff just have to plug the Engineer in a Box into the appropriate point on the manufacturing network, and a Grantek engineer can access the machine or controller through the cloud without having to go to the facility. Similarly, staff at one facility can log onto the cloud and troubleshoot a problem at another facility, provided there is an Engineer in a Box at the other facility.
Greater flexibility is also achieved by eliminating the need to rely on IT to allow and schedule activities involving the ICS, or to stand up on-premise servers and software.
For customers who want to take the capabilities of Engineer in a Box to the next level, the platform can be deployed across your network. For an enterprise-wide solution, the IT department will be interested in the ROI of Engineer in a Box as compared to using existing infrastructure to achieve the same level of accessibility.
Operations IT staff on the plant floor will want to use Engineer in a Box, but deploying it as an enterprise-wide solution will be perceived as a value by the business IT staff as well: the return on investment is high, and the reduction in IT time needed to arrange remote access provides additional savings.
Commonly available plug-in cellular communication devices that connect directly to machines are a convenient way to communicate remotely with a machine, but they create a standing, directly reachable path into the machine that sits outside the facility’s network controls, and many facilities do not allow their use as a result.
Engineer in a Box is a plug-in solution that will work with any device in the production line if properly configured, and it provides a high level of security. It uses a moving-target defense SD-WAN, somewhat analogous to the way the Tor network changes the route traffic takes over time: IP addresses and traffic routing change continuously, reducing the risk inherent in a static, long-lived connection for remote access. The Dispel platform is more secure than some other IT technologies because of its enclave approach to moving target defense networking and because it is built on modern technologies and security approaches.
When an authorized user logs into Engineer in a Box, a new server is configured in the cloud on the fly. The server exists only for the duration of the activity; because it is destroyed at the end of the session, no data persists on it, not even for the network provider. To access the platform and request a server, a user must log in. A facility’s IT group can control access to the Engineer in a Box, and that access can be set up in advance, so it is ready and available if the need arises without anything having to be requested from IT at the time remote access is needed. If desired, Grantek can tie Engineer in a Box access to the facility’s Active Directory, letting the customer decide who can and cannot log into Engineer in a Box.
IT can maintain access control in this manner, but it may be advantageous for a facility to cede access control over the ICS to the Operations Technology (OT) staff. When IT sees how secure Engineer in a Box is, and realizes it will still be able to see who is accessing it, it may choose to take a hands-off approach and let OT manage it. IT can retain a level of access control authority by tying the solution to Active Directory groups that it manages. Improved security is also achieved by separating remote access to the ICS from the business side of the company.
The platform permits session recording so facility personnel can monitor the activities of the virtual desktop users when they are logged in.
Simplify remote access scheduling
Any authorized user can use Engineer in a Box to connect to the platform to access, maintain, update, or troubleshoot ICS within a manufacturing facility, regardless of the user’s location. This eliminates the need to request network access from IT each time remote access is needed.
Usually, vendor access to a manufacturing facility’s network must be requested from a company’s IT infrastructure. Engineer in a Box provides a solution that bypasses the need to involve a facility’s IT group every time remote access is needed, whether by a supporting vendor such as Grantek or by staff located at a different facility or working remotely. The COVID-19 pandemic resulted in an urgent need for such a method in order to limit onsite personnel, but the efficiencies and cost savings Engineer in a Box provides will remain a valuable asset even when travel restrictions are lifted in the future. Migrating to a remote ICS solution provides cost benefits and good return on investment now and post-pandemic.
In a typical scenario when remote access by a vendor or support personnel to an industrial network is required, the access must be requested from the IT department, and it must be set up in advance. This can take time that could be better spent troubleshooting a problem and costs the company money if production is affected. Setting up remote access through IT can be a time consuming, inflexible process requiring coordination of login accounts, resolving software compatibility issues, and clearing the individuals who may need access.
Advantages of the Grantek-Dispel partnership
Grantek has partnered with Dispel on the Engineer in a Box solution. Dispel utilizes a remote access network built out of moving target defense SD-WANs, not static defense VPNs. The partnership provides the ability to deploy ICS software in the cloud.
Grantek’s ability to deploy an enterprise’s ICS software applications in the cloud, and then to access them using Engineer in a Box, can result in significant cost savings and better ROI when compared with using company-owned assets for ICS development applications. The IT staff will appreciate not having to maintain and manage the infrastructure traditionally used for such software. Another value Grantek brings to the Dispel partnership is the knowledge and experience needed for licensing cloud-based instances of industrial control software. Licensing can pose challenges when applications are used in an environment where the virtual desktops are created and destroyed for every login session. Grantek can set up an enterprise’s virtual desktop image with the software needed for a company’s staff and vendors to support the facility, regardless of their physical location.
Grantek is also highly experienced and familiar with the strict requirements applicable to highly regulated industries such as pharma and food processing, such as audit trail and data integrity.
Grantek first determines how many Engineer in a Box devices are needed by each customer, based on number of facilities, type of equipment located at each facility, and estimated usage. For customers who prefer to start small and scale up, it is also possible to obtain just one Engineer in a Box and ship it from one facility to another as required. Grantek helps customers estimate how much time they will be using the services on average and determines what software the customer needs deployed in their cloud. The type of equipment potentially needing remote troubleshooting is also considered.
For customers who want to try it out first, Grantek can provide one Engineer in a Box device and one cloud application for a few months. The system is easily expanded to add more applications and more capacity as required, and services can be scaled up or down. For example, during the access restrictions imposed by COVID-19, a facility could scale up to allow more remote users access to the cloud, and then scale that capacity back down as personnel gradually return to in-house work.
The server utilities are licensed through Dispel. Grantek adds value by navigating the licensing agreements with the various ICS software vendors on a case-by-case basis, sparing our customers from dealing with software licensing issues. Grantek has partnerships with major vendors such as Rockwell, streamlining our ability to license commonly used ICS software in the cloud. If a customer needs to purchase and add another application to their cloud, Grantek will navigate the licensing agreements as part of the Engineer in a Box service. Part of the value of Engineer in a Box is that Grantek does the legwork for the cloud-based software licensing. This often ends up costing less money and time than deploying the same software onsite on a customer-owned server.
Engineer in a Box is a great way to get a complete software platform set up for reduced cost and expand as required over time. Customers can migrate their entire development infrastructure into the cloud, providing an organization-wide platform. All ICS software development can be managed in this way with the proper licensing in place. Grantek will help determine the optimum setup for each facility so costs are known upfront.
Many businesses are contemplating migrating to a cloud, but it can be a significant cost to spin up an Amazon Web Services cloud and move software to it. The Dispel platform already exists in the cloud—customers who want Engineer in a Box can have it practically the next day, with minimal internal activity required for setup and deployment of the services. Dispel maintains hosting locations around the globe and has already built the cloud infrastructure needed.
Frequently used development software applications are good candidates for Dispel cloud deployment, leveraging its accessibility from multiple facilities by using Engineer in a Box at the sites.
For less frequently used applications or machine updates, customers can use Engineer in a Box to grant qualified, authorized vendors access to the machine or system at the plant as needed. The platform will also securely support atypical connections or software if needed. This capability can eliminate the need to bring a vendor into the facility.
Grantek sets up the platform for each customer. The system provides robust security logs to track access and can be integrated with the customer’s Active Directory service if desired, further enhancing system security.