Machine Builders

How Machine Builders Standardize Remote Service Across Customer Sites

A repeatable remote-service model standardizes the service promise, resource scope, responsibilities, onboarding tests, support runbook, and lifecycle controls without forcing every customer network to look the same.

Orenda Connect desktop view listing approved Orenda Box resources

Key takeaways

  • Standardize the service contract and resource-level access model, not the customer’s entire network design.
  • Separate diagnostic visibility, application support, file exchange, and PLC engineering into distinct service capabilities.
  • Give every installed machine an owner, technical baseline, approved targets, support state, and retirement path.
  • Use one responsibility matrix and one service runbook while recording customer-specific exceptions explicitly.
  • Remote service controls do not replace local authorization, machinery safety, change management, or the PLC’s control authority.

Machine builders standardize remote service by turning it into a productized operating model: define what support includes, identify the exact resources each job needs, assign customer and OEM responsibilities, install one of a small number of approved site patterns, test service readiness at handover, and run every case through the same intake, authorization, diagnostic, change, closure, and review stages.

The goal is consistency without pretending every customer plant is identical. Standardize the outcomes, evidence, and decision points. Let the customer retain authority over its network, production schedule, machinery safety, and change process.

Why does installed-base support become difficult to scale?

The first few delivered machines often rely on personal knowledge. One engineer remembers the PLC version, another knows which VPN profile reaches the customer, and a third has the only usable backup. As the installed base grows, that informal model creates queues and exceptions. Service teams spend time reconstructing context before diagnosis begins.

Customer environments also differ in addressing, firewalls, identity rules, engineering workstations, and supplier policies. Define the required controls and a small set of approved patterns instead of demanding one flat network design.

The ISA/IEC 62443 series treats automation cybersecurity as shared responsibility among asset owners, product suppliers, integrators, and service providers across the system lifecycle. That is a useful starting point: an OEM remote-service offer should state where its responsibility begins and ends instead of implying the machine builder controls the customer’s whole OT environment.

What should the remote-service catalog contain?

Define a service catalog before choosing technology. Each capability should have its own target, privilege, prerequisites, and evidence.

Service capabilityTypical targetPermission boundaryRequired local roleExample completion evidence
Status and alarm reviewPublished dashboard, HMI view, or historianRead-only application functions where technically supportedOperations contact confirms machine and time rangeFindings and recommended next check
Application supportNamed MES, SCADA, report, or machine service appOne application and assigned roleApp owner authorizes support caseConfiguration or incident record
Managed workstation supportOEM engineering or maintenance workstationRemote desktop to one host; downstream flows constrainedLocal coordinator available for consequential workSession linked to a case and results recorded
Approved file exchangeControlled transfer location or managed workstationNamed users, file type and destination policyCustomer reviews transfer procedureFile identity, scan or validation result, and recipient
PLC or HMI engineeringManaged engineering workstation and selected device flowSeparate privileged role and protocolAuthorized local person confirms work window and machine stateBackup, approved change, validation, and baseline update
Software or edge-app updateSite-side platform or named applicationSigned or controlled package to an identified targetCustomer change owner approves timingVersion, result, rollback status, and open issues

Do not sell “full remote access” as a single capability. Observation, configuration, and controller changes have different consequences. Separating them makes both customer approval and OEM support training clearer.

Which parts should be standardized across every machine?

Create a machine service record at order or design release, then maintain it through retirement. At minimum, standardize:

  • machine, customer, site, and responsible-owner identifiers
  • product family, controller, HMI, drive, robot, edge, and application baselines
  • the approved service capabilities and exact remote targets
  • site-side gateway or workstation pattern and its maintenance owner
  • OEM roles and customer roles allowed to use each capability
  • backup location and who verifies restoration
  • commissioning acceptance, service-readiness, and outage test status
  • customer-specific restrictions and approved exceptions
  • access review, certificate, license, warranty, and support dates where relevant
  • decommissioning state and confirmation that access and stored secrets are removed

Do not copy credentials or sensitive network details into an uncontrolled spreadsheet. Keep each data class in its authorized system and link it by a stable machine ID.

The NIST Manufacturing Profile describes a voluntary, risk-based approach for manufacturing systems and using current and target profiles to communicate desired cybersecurity outcomes. An OEM can use the same principle internally: document the target remote-service state for a machine family, compare each deployment with it, and track justified gaps.

How should OEM and customer responsibilities be divided?

Publish a responsibility matrix as part of the service offer and repeat it in the customer handover.

Lifecycle activityMachine builder / OEMCustomer asset ownerLocal site or operations role
Service designDefines supported targets, toolchain, versions, and OEM support rolesDefines site policy, risk expectations, and acceptable patternsAdvises operational constraints
Site onboardingSupplies configuration and acceptance testsApproves network placement, identities, routes, and data handlingConfirms machine identity and local readiness
Routine diagnosisAssigns a named engineer and records findingsAuthorizes access according to the support arrangementProvides symptoms, machine state, and local observation
Process-affecting changeProposes change, backup, validation, and rollbackApproves through its change procedureConfirms safe state, witnesses behavior, and can stop work
Platform maintenanceMaintains OEM-controlled components and support compatibility as contractedMaintains customer-controlled network and identity dependenciesCoordinates maintenance window and production impact
Incident responseDisables or investigates OEM-side access as required and communicates impactLeads response for the customer environmentProtects safe local operation and supplies observations
RetirementRemoves machine from OEM service systems and documents closureRemoves site access, accounts, routes, and retained data as applicableConfirms equipment disposition

One company may hold multiple roles, but every row needs a named owner. Service contracts and local rules determine the final division; the table is an operating template, not a legal allocation of liability.

What site architecture can be repeated without forcing one network?

Offer a small pattern library. One customer may approve application-level publishing for a dashboard. Another may require a managed engineering workstation in a boundary zone. A third may permit a narrowly constrained gateway path to a machine resource. Define the same security outcomes for each pattern:

  • unique human identity wherever the platform supports it
  • access limited to the approved machine resource and job
  • separate routine and privileged engineering roles
  • no dependency of local control on the remote connection
  • documented owners for the site component, updates, certificates, and backups
  • tested removal, outage, reconnect, and recovery behavior
  • no unintended route to adjacent customer assets

The NIST Guide to OT Security explains why OT controls must respect performance, reliability, and safety constraints. Do not turn a security pattern into a production dependency. The PLC and local safety system remain authoritative when the remote service, gateway, identity provider, or internet link is unavailable.

For detailed architecture tradeoffs, compare VPN, jump servers, and ZTNA for OT. Use the remote-access rollout checklist to test each site pattern consistently.

What should the standard support runbook look like?

Make the runbook short enough to use and strict enough to stop ambiguous work.

  1. Intake: record the machine ID, customer contact, symptoms, production state, urgency, and requested outcome.
  2. Classify: select the service capability and decide whether the case is observation, configuration, or process-affecting engineering.
  3. Authorize: confirm the customer authorization reference, named OEM engineer, target resource, permitted window, and local coordinator required.
  4. Prepare: check version compatibility, backups, approved files, communications, stop conditions, and rollback.
  5. Connect: verify identity and machine target, then begin at the lowest privilege that can complete diagnosis.
  6. Diagnose: capture observations and distinguish evidence from hypotheses. Do not widen access merely to explore.
  7. Change if approved: use the separate change procedure; record before-and-after state and validate locally.
  8. Close: summarize work, remaining risk, customer action, access state, and whether the service record needs an update.
  9. Learn: review repeated exceptions, missing telemetry, tool incompatibilities, and training gaps in a regular service meeting.

Remote access tools are also used by threat actors, as the joint CISA remote-access guide notes. Inventory support agents and remove redundant or unauthorized tools. Ensure the customer can disable the path without stopping local machine control.

How is service readiness accepted at handover?

Add a remote-service acceptance test to the machine commissioning package. It should prove more than “the engineer connected once.” Test:

  • named OEM and customer identities, role separation, and removal
  • every published app, workstation, or device against its approved scope
  • failed attempts to reach an adjacent target
  • observation and engineering permissions as different tests
  • the supported PLC/HMI functions, including any discovery or file-transfer requirements
  • performance under representative latency and packet loss
  • loss of internet, identity, gateway, remote client, and session
  • current backup availability and the local recovery briefing
  • who receives operational and security notifications from each dependency
  • how the customer requests, authorizes, pauses, and ends a support case

Use the remote machine commissioning checklist to integrate these tests with startup and handover. Record exceptions rather than declaring readiness when a required test was skipped.

Which measures show whether the standard is working?

Choose measures that reveal process health without promising a business outcome the data cannot support. Useful examples include the percentage of active machines with a named service owner, current technical baseline, tested support path, recoverable backup, completed access review, and closed onboarding exceptions. Track cases that required unplanned access expansion, unsupported engineering versions, or missing local coordination.

Operational measures such as time to assign a qualified engineer or time to establish the approved support path can help identify friction, but they are not the same as reduced downtime or avoided travel. Those outcomes depend on failure type, parts, staffing, customer decisions, and many other factors. Measure them only with a defined baseline and comparable cases.

The NIST Cybersecurity Framework 2.0 organizes outcomes around Govern, Identify, Protect, Detect, Respond, and Recover. Use those functions as a review lens: Are responsibilities governed? Is the installed base identified? Are paths protected? Can misuse be detected? Can OEM and customer respond together? Can access and machine service recover safely?

What are the limitations, exceptions, and lifecycle controls?

Standardization cannot make every legacy protocol supportable or every task safe to perform remotely. Give each exception an owner, reason, compensating measures, review date, and exit plan. Contain broad legacy protocols behind a managed workstation rather than extending them to every user. If the customer forbids remote engineering, define a diagnostic-only tier and local service procedure.

Review the service record after controller replacement, HMI migration, customer network change, gateway update, ownership change, contract change, or security incident. At retirement, remove identities, links, certificates, licenses, stored project copies, and machine entries according to the agreed data-retention rules. Confirm the customer-side component is removed or transferred to an identified owner.

ISO/TR 22100-4 highlights cybersecurity threats that can influence machinery safety. Revisit the machine risk assessment when a new remote function or update capability can affect a safety-related outcome. A remote-service standard is not evidence of machinery conformity or standards certification.

Where can Orenda fit in a machine-builder service standard?

Orenda Connect can be evaluated as the OEM user interface to approved customer resources within the selected project. Orenda Box can provide a repeatable site-side platform for selected machine data and local applications. The machine-builder solution supports starting with one service workflow. The installed machine base remote service page explains how teams can document and reuse the pattern across individual customer projects and boxes; each site still needs separate validation.

Orenda does not replace the customer’s approval workflow, service desk, comprehensive per-human audit system, machinery-safety process, PLC change record, backup discipline, or local response plan. Orenda vendor links are target-scoped bearer links that are revocable and can use optional expiry; sharing a link does not by itself establish the identity of the individual using it. Define which product evidence is available and combine it with the OEM and customer systems required by the service standard.

Pilot the model on one machine family and a small set of service capabilities. Validate the exact protocols, customer roles, resource boundaries, outage behavior, maintenance ownership, access removal, and handover evidence before extending the service offer across the installed base.

Frequently asked questions

Should every customer use the same remote access architecture?

No. Standardize required outcomes, target scope, ownership, evidence, and tests while allowing approved technical patterns for different customer networks. A site may use a published app, managed workstation, or constrained gateway depending on its risks and policies.

What information should an OEM keep for each connected machine?

Keep the customer and site owner, machine identifier, software baseline, approved support resources, site-side component owner, connectivity status, support tier, review date, known exceptions, backup responsibility, and retirement state. Store sensitive details only in authorized systems.

Can one service account be shared across an OEM support team?

Shared accounts weaken accountability and make removal harder. Prefer unique identities and role-based access. If a legacy tool forces a shared downstream credential, isolate it behind a managed support target and control who can reach that target.

Does standardized remote service include approval and PLC change control?

It should define how those external processes are invoked, but a connectivity platform should not be assumed to supply them. Customer authorization, safety review, maintenance tickets, backups, local coordination, and PLC change evidence remain separate responsibilities.

Sources and further reading

  1. ISA/IEC 62443 Series of Standards — International Society of Automation
  2. The NIST Cybersecurity Framework (CSF) 2.0 — National Institute of Standards and Technology
  3. Cybersecurity Framework Version 1.1 Manufacturing Profile, NISTIR 8183 Rev. 1 — National Institute of Standards and Technology
  4. Guide to Operational Technology (OT) Security, SP 800-82 Rev. 3 — National Institute of Standards and Technology
  5. Guide to Securing Remote Access Software — CISA, NSA, FBI, MS-ISAC and INCD
  6. ISO/TR 22100-4:2018 — Guidance to machinery manufacturers for cybersecurity aspects — International Organization for Standardization

Related Orenda resources

Published and maintained by Orenda. Product-specific statements are checked against current Orenda documentation; external technical guidance is linked above. Read our editorial policy.

Back to blog