One of the new features in recent versions of the groov EPIC firmware (R1.4.0+) that hasn’t gotten much attention yet is the built-in virtual private network (VPN), client. I’m excited about it because it’s an incredibly rare feature in PLCs and PACs and makes it much easier to create a secure architecture for managing remote equipment.
Why? Because a VPN essentially creates a secure tunnel through the internet—using encryption and user authentication—that can connect remote EPICs to your PC or trusted company network. From a security and connectivity standpoint, it’s like the EPIC is on your desk or in your facility, protected in all the ways you protect your company network. Anything you can do with a locally networked device, you can do with a remote system using VPN.
Say you’re an OEM or machine designer. You build your machine with the EPIC embedded inside (you’re using it for real-time control, an operator interface, and more), and then you install the machine at your customer’s site. Wouldn’t it be useful if you could view that machine’s HMI and control strategy from your office? You could diagnose problems more easily, predict possible failures, and deploy fixes before problems happen. You could even invoice more accurately or monitor performance data that helps you design a more efficient machine. And for system integrators, you know the project never ends at start-up. You'll continue to troubleshoot issues and support future software updates and expansions. What would it mean for your company and your customers to reduce your dependence on being on-site? What about MQTT?
Could you do some of these things with MQTT? Absolutely! And it’s worth understanding how these two features of groov EPIC compare. Both provide a form of secure communication with remote
systems, but each gives you different options.
MQTT is a lightweight communication protocol for efficiently sharing process variables. You can program your EPIC to publish useful data for predictive maintenance, performance logging, billing,
etc. and securely share that data around the world simply by pointing it to a mutually accessible MQTT server. You can read and write this data from a remote interface or programmatically interpret this data for use in more advanced applications. VPN, on the other hand, is a method of joining private networks together over the public internet. Once the tunnel is established, you have the flexibility to do anything with your remote equipment that you could do over your local network. Rather than building a remote interface, you have the option of viewing the same groov View HMI you’re running on your EPIC. However, it particularly complements an MQTT network by allowing you to complete administrative tasks, update control strategies, and build custom applications using SSH access.
Better together
These are all potential ways direct VPN can enhance your product offering or even spin-off billable services. But with groov EPIC, VPN is even better. Historically, gaining VPN access to remote equipment required the customer’s IT staff to grant you access to their VPN server after creating a secure internet connection to their equipment. Not always a fun conversation. To simplify this, a common alternative is to use a dedicated VPN router on-site with a connection to a hosted VPN server. Both of these options come with up-front and on-going costs, however, which may not be feasible for the applications I mentioned above.
However, because the groov EPIC is essentially an industrial Linux PC, it’s highly customizable, with an array of enterprise-grade IT tools available from the open-source world. In the latest firmware release, we baked OpenVPN client configuration into groov Manage so you can have secure VPN access without touching your customer’s IT. All the EPIC needs is internet access to an OpenVPN server, and since groov EPIC is not a router, there is no risk of exposing the control network to the outside.
Already have a VPN server? Many support the OpenVPN protocol. Provide the necessary information about the server and the connection through groov Manage, and now you can tap into that resource to securely communicate with your groov EPIC processors. By all means, you should be following best practices, like segregating your trusted and untrusted network traffic using Eth0 and Eth1, closing unused ports, and taking advantage of user access controls, but with this combination of features in groov Manage we finally have a realistic business case for equipment-level VPN. 
If you already have a groov EPIC processor, updated firmware with the VPN client is a FREE download. Just log into manage.groov.com with your MyOpto username and password, click Manage, find the EPIC in your list of groov products, and click Manage to get the latest firmware. See the updated groov EPIC user guide , chapter 7, for details on configuring and managing your VPN client.
Opto 22
www.opto22.com