Below are the key considerations emerging from our customer interactions, implementations and industry expert discussions. We’ll start with the critical underlying security and controls foundation and then shift focus to user functions and safety.
- Security, compliance and reliability
- Access controls and monitoring
- Interactive permissioning
- HMI and other user capabilities
- Mobility features and safety
- Multi-vendor and equipment compatibility
Security, compliance and reliability
First things first. A secure zero-trust communications backbone is a must for full risk mitigation and compliance with NERC-CIP and other regulations. Among other things, this requires a dedicated on-premises security appliance and firewall deployed in a separate security zone with no direct connection to the plant equipment.
There are many technical details to note in this domain, including pixel-only transfer (rendered screen images, not the underlying application), data encryption, file transfer controls and more that are beyond the scope here, but these details can determine whether a solution forces your site or entire fleet into a NERC-CIP High or Medium category. Here and in the following section we are speaking of the level of sophistication already in use today for online banking and other cases where security is absolutely critical.
Always-on availability and reliability are other important solution attributes. Look for a robust high-availability configuration option and understand what safety features the solution provides should control room communication be completely disrupted. Needless to say, this is especially critical when operating plants with zero onsite staffing.
Access controls and monitoring
Hand in hand with a secure backbone is the control and monitoring of user access. As Kevin Prouty of IDC notes, “Beyond security and compliance requirements, customers need to have granular access, permissioning, and safety controls that allow location-independent work without undue risk.”
Multi-factor user authentication is a must, preferably including hardware tokens. Going further, a central administrator should be able to specify granular access control per user. Must-have parameters for power generators include: equipment lists, time windows, and monitor vs. control. These are basic access scope definitions; final access to a given piece of equipment at a given time should still be granted by a designated control room operator.
For proper system administration, security and compliance, the system must also support full session monitoring, alerting, event logging, log export, and ideally, full session recording. The latter is critical for forensic investigation but can also be leveraged for staff training.
A remote operations solution will often be used as part of a real-time collaboration among staff ranging from in-plant control room operators, to remote operators, engineers or supervisors, to in-plant mobile maintenance staff. Someone must be in charge. Control changes must be clearly requested and granted. Everyone needs a clear view of who is in control.
These features are highly recommended for proper risk and safety management and should include a simple and intuitive built-in user interface for permission controls and status. Compatible audio communication may also be a desirable feature.
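As an added illustration (not from the article or any vendor's product) of the two-stage model described above: an administrator-defined scope per user (equipment list, time window, monitor vs. control) evaluated deny-by-default, a live grant that only a designated control room operator can issue, and an event-log entry for every decision so the log can be exported for review. All class and function names, the "HH:MM" local clock format and the sample users in the comments are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Scope:  # assumed structure: the three must-have parameters from the text
    equipment: frozenset   # equipment the user may see at all
    window: tuple          # ("HH:MM", "HH:MM") local clock times; may wrap past midnight
    may_control: bool      # False means monitor-only

def in_window(hhmm, window):
    """True if zero-padded 'HH:MM' lies in window; handles overnight shifts."""
    start, end = window
    if start <= end:
        return start <= hhmm <= end
    return hhmm >= start or hhmm <= end   # e.g. ("22:00", "06:00")

@dataclass
class RemoteOpsSession:
    scopes: dict          # user -> Scope, set by the central administrator
    operators: frozenset  # designated control room operators who may grant control
    grants: dict = field(default_factory=dict)  # equipment -> user now in control
    log: list = field(default_factory=list)     # exportable event log

    def _audit(self, event, **detail):
        self.log.append({"event": event, **detail})
    def grant_control(self, operator, user, equipment):
        """Second stage: only a designated operator may hand control to a user."""
        if operator not in self.operators:
            self._audit("grant_denied", by=operator, to=user, equipment=equipment)
            return False
        self.grants[equipment] = user   # everyone can read who is in control
        self._audit("grant", by=operator, to=user, equipment=equipment)
        return True

    def authorize(self, user, equipment, action, now):
        """Deny-by-default decision for a 'monitor' or 'control' request."""
        scope = self.scopes.get(user)
        if scope is None or equipment not in scope.equipment:
            reason = "out of scope"
        elif not in_window(now, scope.window):
            reason = "outside time window"
        elif action == "monitor":
            reason = None
        elif action != "control" or not scope.may_control:
            reason = "monitor-only scope"
        elif self.grants.get(equipment) != user:
            reason = "no operator grant"
        else:
            reason = None
        self._audit("allow" if reason is None else "deny", user=user,
                    equipment=equipment, action=action, reason=reason)
        return reason is None
```

A monitor request inside scope and time window passes on the administrator's policy alone; a control request additionally needs a current grant from a designated operator, and every denial records its reason.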
HMI and other user capabilities
The user now has secured communications, access rights and has been given active permission. Which existing control room screens are to be accessible? Are there custom or summary views that should be added? Are there other functions, such as remote e-stop, that are desired?
Your goals and circumstances will dictate your requirements. The important solution criteria are that the technology can support all of the above and that your vendor has the capability to provide remote access to any of your existing systems and can also guide the design of, and create, any new custom screens you require.
Mobility features and safety
Remote operations access should be enabled for any type of user and location, so native support of iPad or industrial-equivalent devices is important. But simple direct screen display is rarely sufficient. A shrunken replica of a complex HMI screen may have limited use and be a safety risk.
The experience and skill set needed to create optimized mobile displays are therefore an important factor. Moreover, a highly capable mobile interface in the hands of in-plant maintenance staff demands built-in safety features. Beyond the permissioning features mentioned above, look for automatic locking, a view-only default mode and, most importantly, intent verification for actions taken.
Multi-vendor and equipment compatibility
Even if your first phase implementation does not require remote/mobile control of equipment and software from multiple suppliers, rest assured that eventually you will need it. Whether for expanding across plant equipment or for broader fleet deployments, you will want a vendor-agnostic solution. That does not preclude choosing software from a well-known equipment supplier, but be sure to validate their credentials on equipment other than their own.