Area Control Network over VPN

This could get interesting!
We have 3 sites that are around 10 miles from each other. We were sold on the idea that we could use a mesh VPN tunnel to connect the 3 of them together. The topology would be 1 ProPlus at the main site with 3 PK controllers and 3 workstations spread across the 3. So, each of the 2 satellite sites just has a workstation and a PK controller. This necessitates that the control networks, primary and secondary, be connected in some way. This proposal was made by people from Emerson as well as our/their impact partner. The technology and how to actually accomplish such a task was not detailed for us.

Fast forward a couple of months, and talking with our IT department, they had major concerns about being able to do this because of the way the NAT worked and the common subnet at each site. All a little outside my expertise. But, in general, the idea is that it wouldn't work because the NAT would require a different subnet at the different sites, and of course our primary and secondary addresses for nodes are defined in the configuration for us as 10.4.x.x and 10.8.x.x, and we cannot change that basic requirement.

We went back to our customer (this is a new project, new system) and told them the issue and proposed the solution of a dark fiber lease through the ISP that would allow us to essentially connect all 3 locations through a single fiber pair, which would allow us to VLAN the networks as needed where the fiber enters the site from the ISP. They didn't want to pay the lease each year... very upset about that proposal...

They came back to the idea and questioned why we wouldn't use VPN... I had to explain to them how these nodes aren't just some HMI or server that you can address and install client software on. They have to communicate "natively". It didn't sink in. They challenged me and even behind my back said they were going to contact Emerson directly and ask why they can't use OpenVPN...

So... here we are. I know that a software VPN solution like OpenVPN is clearly not possible. But are there hardware VPN solutions that would work? I'm thinking our only choice would be to have VPN routers at each of the sites that have the PK controller and workstations connected to them. Then the ProPlus could have the client/configuration software on it at the main site.

I've learned quite a bit about IP technology in the past few weeks, but this is still a problem to understand even for our IT guys, let alone a controls person. I'm hoping this can either be shut down immediately... "DeltaV can't do it... here's why"... or "this has been done and here is exactly how"... I don't think it's feasible to present a cheaper solution if it means we are trying something new and just crossing our fingers hoping to get it to work... We will also probably have to support this technology for at least the first year.

Oh... and save the replies about security and reliability... that was my very first comment I made on why we should choose a dark fiber lease, and they immediately crapped on that reasoning... So... I guess this is going to be the pill they want to swallow. We are just the EPC... we don't own any of it. We'd NEVER do this sort of thing at our own plants.

Thanks....

13 Replies

  • Disclaimer: This is my opinion and not Emerson's opinion and this is probably not a supported installation, but it does interest me.

    There is something you can do with routers called a layer 2 tunnel or layer 2 bridging. You have routers that are VPN'ed together with each of their own subnets on either side. Then underneath that you can create a bridge between two other networks. This makes use of the l2tp (en.wikipedia.org/.../Layer_2_Tunneling_Protocol). This might give you something to look into for more research.

    Hope this helps!

  • Consider using radios, i.e. Redline. Dedicated radio link for primary and secondary. 10 miles should be doable.
  • In reply to Donald Dron:

    It sounds like there isn't a proven solution.... I have a meeting next Wednesday with the same Emerson folks, but time is ticking. Trying to deploy unknown and new solutions in a couple of months is a recipe for disaster, and I'll be left holding the bag.
  • In reply to RickV:

    Ohhhh wow. That seems exactly the type of solution I've been dreaming of... question though. Would you know about the distances covered? I couldn't find anything in the datasheets. Nor am I clear on if it would support VLAN. We would of course be spanning the control networks, which it seems it acts as a native DeltaV node (fabulous), but what about the plant network. Accessing the different workstations over the plant network from a single location might be necessary, but it would certainly be ideal. I frankly don't care what IT does with the office networks; those will remain separated or they can do their own VPN solution for the business side.
  • In reply to TreyB:

    The Emerson solution is standard industrial Wi-Fi, so a few hundred yards / meters. The technology is standard Cisco, so you might be able to use a directional wireless link solution, but I'm not aware of any that are in the Emerson catalog (though I'm sure someone in sales would be able to correct me if there is).
  • Wireless Plant Networks (WPN) are engineered solutions, and the discussion is more than simply point-to-point distances using basic radios. WPN is based on Cisco technology, and the communication goes through encrypted paths as part of the Cisco wireless infrastructure, so perhaps VPN would not be needed in this case. However, there are multiple things to be discussed here, and it'd be best if you can work with the Emerson team who designs this type of application to understand its flexibility, options, limitations, etc.

    WPN is currently offered by our Measurement Solutions group, and I've forwarded this thread to some contacts for a follow up.

    Alexandre Peixoto

  • In reply to RickV:

    The referenced solution is based on Cisco hardware and the data sheet is dated 2016. This particular solution I don't think is currently available, but the architecture is totally possible.

    Andre Dicaire

  • In reply to Andre Dicaire:

    Okay, but we're still talking hundreds of yards, not miles?
  • In reply to Donald Dron:

    I was involved in a project with Redline backhaul radio in a highly distributed deployment involving well pads communicating back to the central processing facility. I would suggest contacting them. There are different solutions involving various frequencies, some private, and different technologies for distance. Typically an audit is needed to determine the best solution given distance and topology. The backhaul radios were for point to point versus Wi-Fi coverage in each location. There were VLANs configured to pass the primary and secondary networks. Each location was semi-autonomous, so they did not need redundancy in the radio hardware.

    The solution worked well. Customer was happy.

    Andre Dicaire

  • In reply to Andre Dicaire:

    My recollection is that the backhaul radios (300 MHz?) were tens of kilometers. They required masts to elevate above the trees, and the terrain was relatively flat, low rolling hills. Much further than a Wi-Fi solution. Offshore platforms have used microwave technologies as well. But I'd give Redline a call for sure. This is an engineered solution. It connects two DeltaV switches, just like a length of Cat5e cable. As long as you have the VLANs properly set up, DeltaV will not care. That's where the "engineering" comes in.

    Andre Dicaire

  • In reply to Andre Dicaire:

    I was indeed typing up an email to a Redline provider earlier today before I waited to hear more about the WPN option. Seems we are back to this. And you answered the most important question... It can AND has been done. It seems then that if we can VLAN the switches and pass multiple networks, that also answers my question about the plant network in addition to just the 2 control networks. This is promising!!
  • In reply to TreyB:

    I have a new request for wireless extension of DeltaV network that I have to investigate a solution for. Short distance to cross a public road to join two network segments in two buildings. I'll be giving Redline a call as well.

    Andre Dicaire
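
The layer 2 bridging the first reply describes, combined with the one-VLAN-per-control-network arrangement Andre mentions, as an added example on a Linux-based site router (not code from the thread, Emerson, Cisco or Redline): it generates, or with RUN=1 executes, the iproute2 commands for an L2TPv3 Ethernet pseudowire per control network bridged to a tagged VLAN subinterface, so the DeltaV node addresses stay exactly as configured. Interface names, VLAN and tunnel IDs and the 192.0.2.x WAN addresses are assumed placeholders, and it assumes the router-to-router path already runs inside an IPsec VPN, since L2TPv3 provides no encryption of its own.

```shell
#!/bin/sh
# Added example, not from the thread or from Emerson/Cisco/Redline: emit (or, with
# RUN=1 as root, execute) the iproute2 commands that stretch two control networks
# across a WAN at layer 2 using one L2TPv3 Ethernet pseudowire per network. Frames
# are bridged, not routed, so the DeltaV 10.4.x.x / 10.8.x.x addressing is untouched.
# All names, VLAN/tunnel IDs and 192.0.2.x addresses are assumed placeholders.

# Print each command, or run it when RUN=1, so the plan can be reviewed first.
run() {
  if [ "${RUN:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# l2_bridge LOCAL_WAN_IP REMOTE_WAN_IP TUNNEL_ID PEER_TUNNEL_ID [LAN_IF]
# Each site runs this with the tunnel IDs swapped (site A: 1 2, site B: 2 1).
# Assumes the WAN path is already inside an IPsec VPN: L2TPv3 itself encrypts
# nothing, so an exposed pseudowire would carry control-network frames in clear.
l2_bridge() {
  local_ip=$1; remote_ip=$2; tid=$3; ptid=$4; lan=${5:-eth1}
  # One UDP-encapsulated L2TPv3 tunnel carries both pseudowire sessions.
  run ip l2tp add tunnel tunnel_id "$tid" peer_tunnel_id "$ptid" encap udp \
      local "$local_ip" remote "$remote_ip" udp_sport 1701 udp_dport 1701
  # name:VLAN:session triples: primary control net on VLAN 10, secondary on VLAN 20.
  for spec in pri:10:1 sec:20:2; do
    name=${spec%%:*}; rest=${spec#*:}; vid=${rest%%:*}; sid=${rest#*:}
    # Ethernet pseudowire session; the kernel creates the netdev l2tp-$name.
    run ip l2tp add session name "l2tp-$name" tunnel_id "$tid" \
        session_id "$sid" peer_session_id "$sid"
    # Tagged VLAN subinterface toward the DeltaV switch, bridged with the pseudowire.
    run ip link add link "$lan" name "$lan.$vid" type vlan id "$vid"
    run ip link add name "br-$name" type bridge
    run ip link set dev "$lan.$vid" master "br-$name"
    run ip link set dev "l2tp-$name" master "br-$name"
    run ip link set dev "$lan.$vid" up
    run ip link set dev "l2tp-$name" up
    run ip link set dev "br-$name" up
  done
  # The WAN MTU must cover a full 1500-byte frame plus L2TPv3/UDP/IP (and ESP)
  # overhead, or bridged frames are silently dropped; verify with a DF-set ping.
}

l2_bridge 192.0.2.1 192.0.2.2 1 2 eth1
```

Without RUN=1 the script only prints, which is the form to hand to whoever reviews the site router configuration before anything is applied.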