Currently, we install Niagara on either their server or Jace and then create a VPN to access their station, make changes, and monitor the network. We don’t set up read-write privileges; they can access the complete workbench. We find ourselves at the mercy of how their IT sets up the VPN and remote access points. We end up accessing their station through several different services and using similar passwords. Should we be installing Niagara on their server and allow full access to their platform and station? If not, what is the most effective and secure way to set up and monitor a client system? I don’t understand the need for a VPN when Niagara creates a virtual node for the station. Also, why would we need remote access from our computer when Niagara can access that virtual network? We are creating more portals to travel for no reason. Am I wrong?
A VPN puts you on their network to allow a connection to a JACE/Supervisor/Niagara Controller. VPNs are a great way to keep the equipment secure instead of putting it on a public IP for the entire world to see. Under a VPN, you would be able to connect and program multiple JACEs, and the supervisor for that matter. You could do this with public IPs and port forwarding as well, but it’s a hassle. VPNs protect the customer, mostly.
Workbench would only be installed on a server for a few reasons:
1. It is a supervisor station that’s monitoring multiple Niagara systems under one station. It will act as a repository for histories sent to it, as well as viewing alarms, graphics, and scheduling all under one station rather than logging into each controller to look at the graphics.
2. It is specified to be installed on a customer machine (usually this is a laptop if this is just a single JACE job) or the customer purchases an additional copy.
3. … That’s really it.
You cannot limit access to a platform. When a user is created, they have full access to change IP information, delete the station, add/remove modules, etc.
By virtual node, are you talking about virtuals or are you discovering proxy points under a Niagara Controller?
There are people that will adjust categories to limit access to parts of a station to the user, and then roles to those categories to allow operator/admin access to each of those. Then those roles are assigned to the user.
Perhaps you can elaborate more to make sure I’m understanding fully.
There is a new service called Niagara Remote, but currently it doesn’t allow access to a platform, though I’m told it will some day. That’s fairly new and I need more time to play with it to give my full approval on it.
So, I would like to keep the client out of the backend and only allow them to access their controls through the web portal. I feel like we should be installing Niagara on a node/server/computer we control and only give them access to make subtle changes, but currently we install the whole Niagara software on whichever type of device they use, create a new platform/station and then give them full range of the system. Why do they even have read-write privileges if we are going to do that? We come back and the settings are all messed up because they tried to troubleshoot their own system. There has to be a better way of doing this. When you create a platform and station, why do you need an additional virtual network if your security setting is set up correctly?
If you’re installing just a single controller, and workbench wasn’t specified to be supplied, you didn’t need to install workbench. The VPN would allow you to connect to your controllers through your own workbench because the VPN puts you onto their network. Again, putting things on public IPs and thinking that just changing passwords protects you and the system is a very short-sighted thought.
I’m sorry if that sounds hard but there are ways to brute force systems. People can put malicious code anywhere and gain access many ways.
So a VPN should be necessary for any good network, as well as the proper firewalls. Security should be the #1 priority. I recently saw a hospital in FL get hacked because someone didn’t shore up the ALC WebCTRL front end appropriately. They paid the hackers to get it all back due to the ransomware that was put in the server. VPNs can help mitigate that by only allowing virtual local area networks to be controlled.
- Does this job have a single Niagara controller or several? If it’s several, a supervisor would be installed because you’re sending alarms and histories to a single point rather than having a customer log into each station to navigate.
- Technically you’re not creating a platform. The platform is the hardware that Workbench is installed on. The station is the application running on that hardware.
If the customer is messing things up, have they been trained? Whether they’ve been trained or not is irrelevant, actually. If they’re messing things up, you can bill them for that time, regardless of whether the project is in warranty or not, because things like that aren’t contractually covered in warranty work. I will say though that training the customer can go a long way. There are operator courses they can even take directly through Tridium. The instructor that teaches it is great with the class and operators.
Also, you CANNOT keep your customer out of their own system. They bought it and own it. It’s theirs to do what they wish. Keeping them out of their own system is a quick way of never getting a job with that customer again.
More important questions:
- What profiles are you giving the customer through the web browser? Reason being is that if you’re giving them the full profile when navigating, they’re going to access it through the web, whether you have workbench or not.
- Does your company give customers copies of workbench even if it’s not specified?
- How do you have your graphics set up? What’s the navigation like for a client?
- What settings are they changing? Like setpoints?
There are ways to give customers access to only graphics. You can even set up their users to where they have access to the web browser but not through workbench.
However, you will need to have someone there with admin rights to their own stuff, as I stated before that they bought the system and they do have every right to do what they want with it.
This sounds like you need to play with the categories and roles to limit the user.
As I stated, we install Niagara on whatever type of system they have and then create a platform and a station. We don’t set up navs or hierarchies. The supervisor is whatever device we use for that job, be it a Jace, server, or laptop, and then we remote to that device and its station to do any programming or graphics. We are not using the web interface at all. We are trying to figure out our future. We had many old-timers doing their own thing, and they settled on “this is the way we’re doing it, and don’t rock the boat”. They are gone now, and we want to improve the experience for our clients. I would prefer a service model approach where we monitor and manage their whole system. Clients know nothing about HVAC or networking, so why should they be in the system? Again, if you’re giving them full range of the system, why did Tridium add those read-write features into the software? That’s also why I feel the software should only be housed on a system we control and monitor, and they access their station through the web interface. Currently they can log in and do whatever they want. They can delete the graphics, change the whole program, or disconnect the relationship or link marks. The whole thing doesn’t make sense. Which is more secure? Securing the system’s privileges or using the same passwords across all applications? I am looking at this as a programmer or network administrator. What approach are you looking at it from?
I’ve been in the controls industry for 24 years. I’ve done everything from install to project management. I’m a certified Niagara Instructor and a certified Front End and Back End Niagara Developer.
Niagara is a blank slate that is designed to give full customization to the programmer that is setting up the station. If you give the user access, you can make it read only from both the workbench or web browser. That’s done with categories and roles.
While yes, we are the experts, it’s not our system. It’s the customer’s.
From a programmer perspective I should be able to limit access in the software that the customer has. From a network administrator… it’s the same thing. I can make users not power users at all to the platform and when only changes are needed, give them that level of access.
I can sympathize with you in the ignorance of the old dynasty saying “That’s how it is” is a load of bull. They didn’t want to embrace change because it was more money in their pocket to get paid to fix the customer’s mistakes.
I appreciate you wanting to prevent them from doing that but the software allows for this customization. It has to be you to do that though.
Perhaps I’m missing your point entirely. You want to limit station access, great. Do it. Use the categories and roles to accomplish this. If you’re unfamiliar with the process, I’m more than willing to show you how to do this.
I’m not sure what control systems you’ve dealt with in the past, but the Niagara Framework is set up for you to make this however you want.
This isn’t an issue with a VPN or anything like that at this point. It can be as secure or insecure as you want. This can be fixed from the perspective of categories and roles.
I do apologize as the tone of my messages may have come off as terse. It’s really not meant to be that way.
I think the issue here is just merely setting up the level of access. That’s really not inherent as you first create an admin user. Many contractors just don’t take the steps to continue the setup process.
For example, if I had a single JACE job, I will set up the web interface where the customer views graphics from the system. There’s usually a separate user given to their administrator to add users to the system from the web.
If this is a supervisor station on a PC, I still apply the same techniques.
If the user logs in with an admin user that I give them to make changes, especially after I leave, and they make a change that will break the configuration (especially since this can be proven through audit logs), I charge the customer for my time to fix the system. After a few times of that, it usually gets them to stay in their lane.
I assume that currently the user will use workbench and click on controllers for graphics and such? No Nav files or hierarchies are set up?
No offense taken; I welcome constructive criticism. You are correct about how our systems are currently set up: we do not have any navigation files or hierarchies. My challenge is that I am trying to implement a platform-as-a-service model similar to (N4 PaaS - Cochrane Tech Services), where we manage everything, whether in the cloud or on local servers, and charge a monthly fee. This aligns with the company’s direction, and I have committed to researching our options.
The difficulty lies in convincing long-time employees that solutions outside their comfort zones can still be successful. I genuinely appreciate your assistance and value your input. I look forward to discussing other matters in the future, as it is clear that you have significant knowledge in this field.
As for me, I’m relatively new to this environment; I just reached my one-year mark and received my Niagara N4 TCP certification last month. My future goal is to become a Niagara Developer. Thank you once again for taking the time to share your insights. Please don’t worry about how your message is perceived—sometimes, I need to be put in my place.
Sincerely
I’m very familiar with Cochrane, they are one of my partners. I work for a Niagara OEM Vendor.
Advice I can give to you about helping people understand typically boils down to one thing: Money.
For example, if your company doesn’t charge the customer for when they screw up a system because of the original infrastructure, they’re losing money. If they calculate that lost revenue because of their decision, that could be enough.
When you’re younger in the field, it’s harder for people to respect your decision; unfortunately that is a hard road ahead. My podcast that I’m recording this Wednesday and releasing in the next few weeks will cover this. Sometimes people have to be shown the hardship and really be hit in the wallet. However, the people that are the decision makers need to be assertive and tell the seasoned people that this is the direction the company is going in and they have to accept it. That can lead to some disgruntled employees, but primarily that’s because they were used to getting their way and now they’re not.
If you want to go the route that you’re wanting to, you should host a server somewhere, cloud or not, and put all the graphics there. There should be some kind of local graphical interface in case the cloud interface goes down, however that doesn’t require a VPN.
With that, Niagara Remote could be a good option. The other way would be to have a set of JACEs/Niagara Controllers/Supervisor on non-standard Niagara ports and forward those ports to the firewall. Then you can hit them from the web without a VPN. For others that need truly secure connections and have stringent requirements for their system, PaaS may not be the best option for them.
I would be more than willing to sit in a meeting with you and some others, to discuss options some time. I don’t know whom you use for controls, but there are also other experts that could talk about the options with you as well.
I appreciate all of your insight. I may take you up on that meeting. I will discuss it with my team and get back to you. As far as controllers, we work with Distech. I don’t know if that’s the route I would have gone, but the company seems satisfied with its decision. Alternatives have been brought up but were shut down immediately. We will see what the future brings, considering we still have one. Most of us are concerned this department isn’t going to make it. We are not making a profit; we are mainly used to sell hardware, equipment, and service for the install department. It’s all profit, but that isn’t how they calculate it. Each department needs to stand independently, and currently we are not.
Are you new construction?
Also, what other alternatives were considered? Distech is a very solid product with probably the most selection to suit a customer’s needs.
Controls companies typically only make 1-3% margin after all is said and done for jobs like that. Service is typically the breadwinner of the group.
Usually core and shell jobs are the most money to make since the tenants eat the costs of upgrades and such. Duplication of programming is easy at that point.
We typically handle replacements or additions, but I haven’t seen a new construction yet. I don’t have an issue with the margins because I view the total profit as part of that margin. We assist the installation department in securing deals. Who’s to say any of those jobs would have occurred without our involvement? The problem is that the General Manager doesn’t see it that way.
In the past, the controls department thrived and generated most of the profit, but that’s no longer true. It may be dismantled if we don’t find a way to be more efficient and increase revenue for our department. Many long-time employees are set in their ways and should have been replaced during our merger. Their established habits no longer work at the scale our parent company aims for.
This General Manager is not the right fit for the company, and every department has issues with him. We have lost a significant amount of knowledge and talent over the past year due to his greed and lack of support. The team in control can’t even get new laptops despite the ones they have overheating.
Distech is a good company, but I don’t believe it’s aligned with the direction they want to pursue. They aim to create a product that can be installed, wired and programmed the same way for every job without needing adjustments. They want to establish a consistent revenue stream through monitoring, managing, and maintaining the client’s system. The business approach is “wash, rinse, repeat.”
Installed, wired, and programmed the same way for jobs without needing adjustments… These are called standards. Every company should have them. Not having them causes companies to lose money, quickly. That’s how you make your money. Re-inventing the wheel every time will only cause more headaches.
Not everything is cookie cutter and some things will have to be done from scratch, but for the most part, established companies have templates people can use and massage without having to do it all from nothing.
Distech has a wide array of products to help with your company’s needs, in every aspect. I worked with Distech for 12 years and I’m still on their technical advisory board. I don’t attend meetings due to conflict of interest and such.
If your company wants to monitor, manage, and maintain client systems, it sounds like they need an entire service department for this:
What they’ll want to do at that point is set up an infrastructure that I don’t think they’d really want to invest in. This would take setting up each system to send alarms directly to your server, and implementing a monitoring system so that once an alarm comes in, your monitors would call the customers and ask them how they would like to handle their alarms.
As far as the maintenance portion, facility managers and such would just take care of the day-to-day adjustments, such as changing set points and whatnot. Otherwise, those companies would just hire property managers such as COPT or CBRE to take care of all of that for them.
To me, the services you can offer after doing some renovations and such are what I mentioned above. If the customer wants to pay, great. If they don’t then they are on their own. Warranty, you have to cover but after that, they’ll have to pay for that service. However, after installing the job, I’d set up a service contract immediately and set it up as a tiered service.
I agree, but we don’t have established standards right now. The few of us still here are trying to develop them, but we don’t know where to start. In the meantime, more deals are being signed, and unfortunately, they’re all very complex projects that none of us have previous experience with. We’ve lost half of our team, which included veterans of this department with over 60 years of combined knowledge. While we did have our issues with those veterans, as they tended to compartmentalize information and keep it tightly held, their expertise is something we truly needed.
This general manager doesn’t believe in ongoing education either; instead, he’s focused on hiring new people instead of bringing us up to speed. It feels disrespectful to those who are trying to hold everything together. In addition to establishing standards, we need a project manager to break down these projects and assign tasks accordingly. The departure of those veterans was primarily due to hiring a project manager, which they disagreed with; however, we didn’t even get a qualified project manager. We ended up with an industrial automation technician who managed a few projects. We need a project manager with some knowledge of HVAC. The entire department was turned upside down in less than a week, and many of us are worried about our jobs. If you have any templates or standards available, could I look at them?
I can respond more to this when I give my test on Friday. Stay tuned.
I’ve got some time now, so I’ll tell you that I don’t envy your position at all and you’re in between a rock and a hard place it seems.
I’ll have to look at some old hard drives for some stations and such, but standards will be very easy to build.
First thing you want to start with is this: What kind of naming conventions do you want to use? For example, I use a lot of abbreviations such as on this spreadsheet I just created for you:
This is just an example of what you could use. You can download it and then make all the changes you need. This is a crude example of what you want to name your stations.
After that, as far as programming goes, once you have a set of working programs, they can go into a station you have as a template, and that way people can continue to use it over and over again.
While not all equipment is the same, most things are. You can just modify programs that’ll be mostly programmed. Making code snippets with Distech is also good. That way every tech can have them too.
I’m sorry for my delayed response. Thank you for taking the time to get back to me about this issue.
One of our challenges is the lack of certifications within our team. Currently, there are only four of us remaining. Two of us hold Level One Niagara TCP certifications, and I am one of them. The other team member has Distech ECLYPSE Solutions Certification, which I still need to take.
I haven’t seen anyone authorized to pursue higher-level Niagara certifications. We’ve had to take the initiative to get our current certifications ourselves. The company has expected us to learn to work with this software without formal training. This has proven to be almost impossible. It requires navigating through thousands of documents, and there isn’t enough information available online for us to research effectively for this job. We are just winging it the best we can.
The advanced training currently out there is outdated, which, per my recommendations, Tridium is rewriting. They are releasing their intermediate class, which I will be teaching when the company pays for it.
I assume Amanda is teaching the Eclypse certification training (I took the very first Eclypse training many years ago).
Controls, for many companies, is baptism by fire. Basically most won’t offer others to get training until it’s too late. However, there are three philosophies that companies take, and they are:
- Companies value training and will throw employees in it immediately when they become available because they can use all the tools they can. The problem with this approach is that there’s a lot of money dumped up front and sometimes not enough return on their investment. Also, some people jump ship immediately after getting it, knowing they can get better offers with the certs.
- Companies value training, but they want you to invest some time in the company before they do this. This shows them that you’re dedicated to the craft and will work and produce. One thing that I say: I can teach you all the skills except how to be a good person or be dedicated. So once they see you invest in yourself, then they’ll invest in you. This is my philosophy and I believe the best approach.
- Companies believe the only training needed is the very basics and you will learn on your own. I get the concept, but sometimes we are creatures that need examples and some cannot do it on their own. Once an example they can use is provided, it’s easy to reproduce. But the issue with that is, Niagara and controls are continuously evolving, so learning always needs to be done.