Blog

  • Hard Industrial Cybersecurity is hardly secure, nuclear waste edition


    One thing all industrial control installations have in common is that they straddle the complexity of modern information technology with the dangers of operational technology, which controls things that can go bump and boom. They have Hard Industrial Cybersecurity, but are hardly secure.

    My observation of industrial installations is that policy and technology choices often make it hard for people to operate securely, and they inevitably find a way to make it simpler, at the cost of security. If it's hard to operate securely, it becomes hardly secure.

    One of the most common risks comes around the authentication system. The air-gap architecture of the typical plant, whether it's a waste water treatment plant, a nuclear waste processing facility, energy, etc., makes typical cloud services unavailable. This removes the common single-sign-on and necessitates a parallel identity scheme. Users, forced to remember this parallel password with different rules, fall back, as you would expect, to the three big risks:

    1. sharing the password with other users
    2. sharing the password with other less secure systems
    3. writing the password down

    In the Oldsmar water treatment hack, a desire for efficiency caused users to add a parallel access system (TeamViewer) with shared passwords. In the Colonial Pipeline attack, a legacy VPN account on a parallel authentication system, with no multi-factor authentication and a password that had already surfaced in an earlier credential leak, gave deep and wide access, allowing ransomware to wander in.


    In the featured image above, we can see a TV crew given access to a nuclear processing site (Sellafield) uncovering the dirty secret of ‘writing it down’. The password looks hard to remember, and seems to be on a shared console (a shared account). It makes me think of one of my favourite xkcd comics: the committee coming up with the password rules on the left, and the operators on the right.

    Now, traditionally in cybersecurity we think of money as the objective. And if it's not money, it's reputation. But here, in a nuclear waste plant, the penny might be dropping. The downside might not be dollars or resigned CISOs, but might be far more sinister. It's the health and welfare of many people that makes this require Hard Industrial Cybersecurity.

    So what is the solution? If unguessable passwords are defeated by a Post-it note and a TV crew, what can we do? Make it simpler to be secure. If all users can use their existing, native account across all systems, with a single-sign-on that is common, consistent and familiar, they are much less likely to move to ‘shared’ alternatives or written-down alternatives.

    To achieve this Hard Industrial Cybersecurity, you need a form of unified authentication (allowing your own staff and your partners' staff to sign in natively), and you need a method of securely, precisely and narrowly traversing that air gap. You need Agilicus AnyX Zero Trust.

  • Your Logo: Theming Agilicus AnyX


    Logos, Fonts, Colours: Theming Agilicus AnyX

    Agilicus AnyX supports personalising the sign-in and usage environment to match your corporate brand. This is more than just aesthetic: a consistent look and feel trains users to recognise the genuine sign-in page, which reduces the likelihood of a successful spear-phishing attack that imitates it.

    Setting up your theme on Agilicus AnyX is quite simple. The basic steps are:

    1. Download template
    2. Modify template
    3. Test locally in browser
    4. Upload template
    5. Test live

    So let's get started. Before you start, you will want three files that can often be found on your company website:

    1. favicon.png. This should be square (usually 256×256 or 512×512) and carry your company logo. It will show in the browser tab.
    2. logo.png. This should be rectangular, approximately 1600×300. It will show in Profile in place of the Agilicus logo. We recommend a transparent background and a foreground that looks right on a blue background (#0057b8).
    3. my-login.svg. This should be a square SVG; it will show in Profile in place of the Agilicus logo. The foreground should work on a blue background (#0057b8).

    NOTE: Remote Links, Content-Security-Policy

    Agilicus AnyX uses a strong, restrictive Content-Security-Policy. This prevents linking to external third-party CSS/JS/images/fonts during the sign-in process. Any such asset must be mirrored into the theme file and served via the platform to be used; a reference to a remote host in styles.css will simply be blocked by the browser.

    First, we will download the ‘default’ theme.

    This default theme can be unpacked somewhere on your computer.

    The ONLY files you can modify are in the ‘theme’ subdirectory. The rest are read-only and just for the purpose of testing on your desktop.

    When you re-pack this file, repack from the root directory, e.g. your new zip file should look the same as below, with an ‘index.html’ file in the top directory, and a theme-subdirectory.

    You may add fonts/logos/etc to the theme directory and refer to them by relative path.

    Once you have downloaded and unpacked this file, you will see the below contents. Do not change files other than in the theme directory (your changes will be ignored by the system). Overwrite the favicon.png and logo.png files in the theme directory. You may now proceed to testing.

    ├── agilicus_error.html
    ├── approval.html
    ├── challengedeclined.html
    ├── endsession_prompt.html
    ├── error.html
    ├── footer.html
    ├── header.html
    ├── index.html
    ├── login.html
    ├── mfa.html
    ├── oob.html
    ├── password.html
    ├── README.md
    ├── scripts
    │   ├── end_session.js
    │   ├── login.js
    │   ├── mfachallenge.js
    │   ├── password.js
    │   └── wasthisyou.js
    ├── static
    │   ├── font
    │   │   └── . . .
    │   ├── img
    │   │   ├── apple-icon.svg
    │   │   ├── bitbucket-icon.svg
    │   │   ├── coreos-icon.svg
    │   │   ├── email-icon.svg
    │   │   ├── github-icon.svg
    │   │   ├── gitlab-icon.svg
    │   │   ├── google-icon.svg
    │   │   ├── ldap-icon.svg
    │   │   ├── linkedin-icon.svg
    │   │   ├── microsoft-icon.svg
    │   │   ├── oidc-icon.svg
    │   │   ├── saml-icon.svg
    │   │   └── yahoo-icon.svg
    │   ├── index.html
    │   └── main.css
    ├── theme
    │   ├── favicon.png
    │   ├── logo.png
    │   ├── my-login.svg
    │   └── styles.css
    └── wasthisyou.html

    Testing Your Changes

    On your desktop, in the directory where you unpacked the files, there is a file ‘index.html’. Double-click it and it should open in your browser. You can now see a list of links to the various pages; try each one to assess your changes. You may edit styles.css and reload in the browser to iterate.

    Once you are satisfied with your changes, proceed to the re-pack and re-upload.

    Upload Template

    Now that you are satisfied with your changes, make a zip-file of the entire directory structure you unpacked. E.g. ‘index.html’ will be in the root directory of the zip, and theme will be a sub-directory.

    From your browser, use the UPLOAD THEME button in Authentication/Theming. Select the zip file you just made.

    The theme will take effect after approximately 60-90 seconds. You may then test by signing in again (e.g. in an incognito window).

    NOTE: Browser Caching

    Your browser may cache the icons and fonts. Flush your cache if they do not seem to have changed.
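    The two mistakes that silently break a theme upload are a styles.css that references a remote or absolute URL (blocked by the Content-Security-Policy) and edits outside the theme directory (ignored by the platform). The script below is an added example, not Agilicus' own tooling: it checks both against the directory layout listed above, and only then packs the zip from the root so that index.html and theme/ sit at the top level. It assumes you kept the unmodified download as a ‘pristine’ copy next to your edited one; the sample template it builds in a temporary directory is constructed for the demo.

```python
"""Pre-upload checks for an Agilicus AnyX theme bundle.

Added example, not Agilicus' own tooling. It assumes the directory layout
listed above: a template with index.html at its root and a writable theme/
subdirectory holding styles.css. The 'pristine' copy is the unmodified
download kept alongside your edited copy.
"""
import hashlib
import re
import tempfile
import zipfile
from pathlib import Path

# url(...) in CSS, quoted or not; group 1 is the target.
URL_RE = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)""")


def find_external_refs(css_text: str) -> list:
    """Return url() targets the sign-in page's Content-Security-Policy would block.

    Remote URLs (scheme or //host), data: URLs and absolute paths are reported;
    a path relative to theme/ (e.g. url("background.jpg")) is what the CSP allows.
    """
    blocked = []
    for target in URL_RE.findall(css_text):
        t = target.strip()
        if t.startswith("//") or re.match(r"^[A-Za-z][A-Za-z0-9+.-]*:", t):
            blocked.append(t)   # https://, data:, ... all third-party or inline
        elif t.startswith("/"):
            blocked.append(t)   # absolute path; mirror the asset into theme/ instead
    return blocked


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def changed_outside_theme(pristine: Path, edited: Path) -> list:
    """Files outside theme/ that differ from the template; the platform ignores these."""
    changed = []
    for p in edited.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(edited)
        if rel.parts[0] == "theme":
            continue
        original = pristine / rel
        if not original.exists() or _sha256(original) != _sha256(p):
            changed.append(rel.as_posix())
    return sorted(changed)


def pack_theme(root: Path, out_zip: Path) -> list:
    """Zip from the root so index.html and theme/ sit at the top level of the archive."""
    names = []
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in sorted(root.rglob("*")):
            if p.is_file():
                rel = p.relative_to(root).as_posix()
                zf.write(p, rel)
                names.append(rel)
    return names


def check_and_pack(pristine: Path, edited: Path, out_zip: Path) -> dict:
    """Run both checks; only pack when they are clean."""
    css = (edited / "theme" / "styles.css").read_text()
    report = {
        "external_refs": find_external_refs(css),
        "changed_outside_theme": changed_outside_theme(pristine, edited),
    }
    if not report["external_refs"] and not report["changed_outside_theme"]:
        report["packed"] = pack_theme(edited, out_zip)
    return report


def demo(remote_font: bool = True, touch_index: bool = False) -> dict:
    """Constructed sample: build a two-file template, edit theme/, run the checks.

    remote_font=True pulls a font from a hypothetical CDN (blocked by the CSP);
    touch_index=True edits index.html outside theme/ (ignored by the platform).
    """
    base = Path(tempfile.mkdtemp())
    pristine, edited = base / "pristine", base / "edited"
    for d in (pristine, edited):
        (d / "theme").mkdir(parents=True)
        (d / "index.html").write_text("<html>test links</html>")
        (d / "theme" / "styles.css").write_text("body{font-family:'My Font';}\n")
    css = '.theme-body{background-image:url("background.jpg");}\n'
    if remote_font:
        css += "@font-face{font-family:'My Font';src:url('https://fonts.example/x.woff2');}\n"
    (edited / "theme" / "styles.css").write_text(css)
    (edited / "theme" / "background.jpg").write_bytes(b"constructed, not a real JPEG")
    if touch_index:
        (edited / "index.html").write_text("<html>edited outside theme/</html>")
    return check_and_pack(pristine, edited, base / "theme.zip")


if __name__ == "__main__":
    print(demo())                       # remote font: reported, nothing packed
    print(demo(remote_font=False))      # clean: zip written, file list returned
```

    Point check_and_pack() at your pristine and edited directories and upload the resulting zip only when the report shows no external references and no changes outside theme/; anything it lists is exactly what would otherwise fail silently after the 60-90 second propagation.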

    Custom fonts

    You may add your own fonts. To do so, we will do these steps:

    1. Create a font-face entry in theme/styles.css
    2. Add font-files to theme/my-font/
    3. Adjust h1/body entries in theme/styles.css to reference your font

    The font files live in the theme directory, so reference them by relative path (as with the other theme assets) and end each declaration with a semicolon:

    @font-face {
        font-family: 'My Font';
        src: url('my-font/my-font.woff2') format('woff2'),
            url('my-font/my-font.ttf') format('truetype');
        font-weight: 900;
        font-style: normal;
    }

    Once you have added your font, in theme/styles.css, you might change these two lines (the family name must match the @font-face entry exactly):

    h1,h2,h3,h4,h5,h6{font-family: 'My Font';}
    body{font-family: 'My Font';}

    Next Steps, Other Ideas

    You might consider modifying the styles.css to set a background image, to change hover behaviour, etc.

    To change the background image and colours, put an image called ‘background.jpg’ in the theme directory, then add background-color/image/repeat rules to the body or navbar class as appropriate:

    .theme-body {
      background-color: beige;
      background-image: url("background.jpg");
      background-repeat: no-repeat;
    }
    ...
    .theme-navbar {
      background-color: beige;
    }

    You may also have your own identity-provider and wish to change its icon (the Microsoft and Google ones are default). To do so, you will need an SVG file which is square in aspect ratio (see the my-login.svg as an example).

    Add your ‘my-company.svg’ file to the theme directory, then add a section in styles.css to reference it:

    .dex-btn-icon--my-company {
      background-color: #FFFFFF;
      background-image: url(my-company.svg);
    }

    Once done, set the ‘Icon’ field in your identity provider to match the name.

    Update Footer

    The default footer is an empty ‘div’ with class theme-footer, you may modify this in your styles.css if you wish.

  • Avoid Exploitation of Unitronics PLCs used in Public Water Systems


    1. For political reasons, someone has chosen Unitronics PLCs and HMIs as a target
    2. These are commonly used in public water systems
    3. Simple weaknesses, like default passwords, were used
    4. Simple holes through firewalls, and missing Zero Trust, were used
    5. Most people focused on the specific graffiti/damage, rather than on the lateral traversal (the onward damage) that might have come

    CISA advisory on Exploitation of Unitronics PLCs used in Public Water Systems

    • Change the Unitronics PLC default password—validate that the default password “1111” is not in use.
    • Require multifactor authentication for all remote access to the operational technology network, including from the corporate/IT network and external networks.
    • Disconnect the PLC from the open internet. If remote access is necessary, implement a Firewall/VPN in front of the PLC to control network access to the remote PLC. A VPN or gateway device can enable multifactor authentication for remote access even if the PLC does not support multifactor authentication. Unitronics also has a secure cellular-based long-haul transport device that is secure to their cloud services.
    • Back up the logic and configurations on any Unitronics PLCs to enable fast recovery. Become familiar with the process for factory resetting and deploying configurations to a device in the event of being hit by ransomware.
    • If possible, utilize a TCP port that is different than the default port TCP 20256. Cyber actors are actively targeting TCP 20256 after identifying it through network probing as a port associated to Unitronics PLC. Once identified, they leverage scripts specific to PCOM/TCP to query and validate the system, allowing for further probing and connection. If available, use PCOM/TCP filters to parse out the packets.
    • Update the PLC/HMI to the latest version provided by Unitronics.

    The only thing I really quibble with here is the Firewall/VPN. I strongly recommend per-resource authentication and authorisation, as provided by a Zero Trust product, shamelessly plugging Agilicus AnyX here. You really need the comfort of strong authentication, single-sign-on, multi-factor, and fine-grained audit. A VPN is just an Ethernet cable with more length: it places no specific controls on lateral traversal once the tunnel is up.

    Using everyone's favourite tool, shodan.io, we can see there are at least a few Unitronics HMI devices hanging out there for ease of access. And all have the default ports open, leading me to suspect there may be more.
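    The advisory's point about TCP 20256 cuts both ways: the attackers find PLCs by probing that port, and so can you, in your own firewall logs. The script below is an added example, not from the CISA advisory or from Agilicus. It parses constructed firewall log lines in a generic ‘timestamp key=value …’ shape (adapt parse_line() to your firewall's format), flags every PCOM-port connection whose source is not in an assumed OT management subnet, and counts how many distinct PLCs each offending source touched, since a source sweeping several PLCs is the probing the advisory describes. The PLC addresses, the management subnet and the attacker IPs are documentation-range placeholders.

```python
"""Flag PCOM/TCP access to Unitronics PLCs in firewall logs.

Added example, not from the CISA advisory or from Agilicus. Log lines are
constructed in a generic 'timestamp key=value ...' shape; adapt parse_line()
to your firewall. The PLC addresses, the management subnet and the source
IPs are placeholders from documentation ranges, not real hosts.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Default PCOM/TCP port from the advisory; add the non-default port if you moved it.
PCOM_PORTS = {20256}
# Assumed: only the OT management subnet may ever talk PCOM to the PLCs.
ALLOWED_SOURCES = [ip_network("10.10.0.0/24")]

# Constructed sample log: an outside host reaching two PLCs, a legitimate
# management host, and a blocked probe from a third address.
SAMPLE_LOG = """\
2023-11-28T03:14:07Z action=allow proto=tcp src=198.51.100.23 spt=51234 dst=192.168.50.10 dpt=20256
2023-11-28T03:14:09Z action=allow proto=tcp src=198.51.100.23 spt=51240 dst=192.168.50.11 dpt=20256
2023-11-28T08:02:11Z action=allow proto=tcp src=10.10.0.5 spt=40001 dst=192.168.50.10 dpt=20256
2023-11-28T08:05:30Z action=allow proto=tcp src=10.10.0.5 spt=40002 dst=192.168.50.10 dpt=443
2023-11-28T11:40:55Z action=deny proto=tcp src=203.0.113.9 spt=6000 dst=192.168.50.10 dpt=20256
"""


def parse_line(line: str) -> dict:
    """'ts k=v k=v ...' -> dict; the first token is the timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def is_allowed_source(src: str) -> bool:
    """True when the source sits inside one of the allowlisted management networks."""
    ip = ip_address(src)
    return any(ip in net for net in ALLOWED_SOURCES)


def find_pcom_alerts(log_text: str) -> list:
    """Every PCOM-port connection from outside the allowlist.

    An allowed connection means the PLC was reachable ('critical'); a denied
    one still shows someone probing for the port, which the advisory says
    precedes the PCOM scripting, so it is kept as a lower-severity 'probe'.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("proto") != "tcp" or int(f["dpt"]) not in PCOM_PORTS:
            continue
        if is_allowed_source(f["src"]):
            continue
        alerts.append({
            "ts": f["ts"],
            "src": f["src"],
            "dst": f["dst"],
            "dpt": int(f["dpt"]),
            "severity": "critical" if f["action"] == "allow" else "probe",
        })
    return alerts


def plcs_touched_per_source(alerts: list) -> dict:
    """Distinct PLC addresses each offending source reached; more than one looks like a sweep."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a["src"]].add(a["dst"])
    return {src: len(dsts) for src, dsts in seen.items()}


if __name__ == "__main__":
    found = find_pcom_alerts(SAMPLE_LOG)
    for a in found:
        print(a)
    print(plcs_touched_per_source(found))
```

    If you followed the advisory and moved PCOM off 20256, put the new port in PCOM_PORTS and keep 20256 there too: connections to the old port from anywhere are then pure reconnaissance and worth alerting on at the same severity.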

    So, if you are using these (or similar devices), and worried about the balance of removing team efficiency by removing access versus having some hacker waltz in, have I got a solution for you.

  • Attainable Municipal Zero Trust


    As the moderator of the recent webinar on attainable municipal Zero Trust, I was privileged to lead a discussion with Jake Jakop from the Town of Mono, ON and Rob Blain from Northern Rockies, BC. Their shared experiences implementing Agilicus AnyX provide valuable insights into the challenges and opportunities faced by municipalities in safeguarding their digital infrastructure.

    Learn more about the speakers and their municipalities on the event page.

    I recommend watching the video to learn for yourself, but a few things I learned stood out to me.

    Urgent Call for Enhanced Cybersecurity met by Attainable Municipal Zero Trust

    The words of Jake and Rob resonate with a stark truth: no municipality is immune to cyber threats.

    “Everyone is targeted, from the smallest town to the largest city, If they look like a municipality or a government entity, they are going to be phished, they are going to have malicious software sent to them. It’s just a matter of time.”

    For Rob, it’s clear that this spreads from “the most junior casual employee that might only do 2 hours a month, but they have the same opportunity of causing catastrophic results as the person with administrative privileges”. He highlights a very critical point: cybersecurity is a non-negotiable element of modern municipal operations, “especially when you’re dealing with critical infrastructure. We run water treatment plants, sewage plants. The impact of a problem there …we’ve seen towns that still have a bad name because of something that happened a long time ago.”

    Across the board, municipalities are playing catch-up when it comes to cybersecurity. The goal of this webinar was to explore how through strategic, informed, and valuable investments, municipalities of all sizes can implement modern cybersecurity strategies and that Agilicus is one of the best ways to achieve Attainable Municipal Zero Trust.

    Northern Rockies Regional Municipality

    Rob put it best as he emphasized the economic considerations of investing in cybersecurity:

    “We are 10% of the province of British Columbia’s land mass — that’s just a bit bigger than Austria the country, but we have a population of less than 5,000”

    Introducing security initiatives are known to have “a great impact on our taxpayers and these are the same taxpayers that [Rob] will see at the grocery store, or that serve [him] at the restaurant”.

    Transforming Cybersecurity Post-Pandemic

    It’s undeniable that the pandemic has been a catalyst for change. Remote work models forced municipalities to reconsider and revamp their cybersecurity strategies. Jake’s initiative towards multi-factor authentication and privileged access management highlights this shift. The transition from unreliable VPNs to more robust solutions became imperative, needing an Attainable Municipal Zero Trust.

    Jake: “We had to start factoring in everybody else who had privileged access which included our tax clerks and people who had access to ownership information – okay now what are we going to do? That’s when things started to shift towards, okay, we’ve got to do something better than the VPN. It was very slow and we would get complaints all the time about how slow it was so we have to do something differently because we’re like the VPN isn’t working, we have to change something”

    For Rob, it was about insurance:

    “Can we get it [insurance]? How much is it going to cost? How many restrictions are there going to be on it? What do we need technically to have? We need Multi-Factor Authentication. Okay, how are we going to get MFA? Who’s going to manage our identities? The meter on the taxi just kept running up and up and up and then Agilicus was presenting and as we dug out all the details we realized, okay, so it’s not just Multi-Factor Authentication, it’s not just VPN, it was all these other things that were bundled with it – and then we looked at the economies of it and Agilicus was about the same cost as one of the pieces, but it did all of it. Then it became whoa, okay, this is something that we can’t afford not to do!”

    While Jake and Rob implemented Agilicus at different times, the common theme was clear: each organisation transitioned from traditional, inefficient cybersecurity methods to the comprehensive, agile, and user-friendly approach offered by Agilicus, making it Attainable Municipal Zero Trust.

    Beyond Traditional Cybersecurity

    Prior to Agilicus, municipalities like Mono and Northern Rockies grappled with fragmented and inefficient cybersecurity measures. The integration of Agilicus revolutionized this landscape, replacing multiple tools with a singular, cohesive solution. As Jake aptly puts it,

    “It’s like choosing between an Allen Key and a Swiss Army knife – Agilicus is the obvious choice.”

    Access and Vendor Management

    One of the standout features of Agilicus is its transformative impact on remote access and vendor management. Jake shared an instance of granting remote access within 15 minutes – a testament to Agilicus’ simplicity and efficiency. This Attainable Municipal Zero Trust extends to all vendor management, making it more secure and efficient for municipalities to add, manage, and automatically offboard vendors who have a legitimate need to access their network and systems.

    Rapid and Seamless Implementation

    Rob’s experience with Agilicus’ implementation speaks volumes:

    “It was a matter of hours, not days or weeks, and the implementation was 15 minutes max”.

    This rapid deployment means that whether you’re a municipality that is under a tight insurance renewal deadline, or you’re simply under-resourced, this is not a multi-week problem. To be Attainable Municipal Zero Trust you have to be time-affordable as well as dollar-affordable. You can have the system operational in under an hour and move on to your next task without hassle. As Rob explains: “There’s not a whole lot of learning, the uptake of it is very quick, and it enables me to do these things that I need for my clients very quickly – and everyone’s happy. It’s really been the tool that I wish I had in my toolbox from the start.”

    Seamless Integration with Industrial Systems (SCADA, HMIs, etc.)


    Agilicus excels in integrating with critical infrastructures like SCADA systems, as Jake illustrates. “Users access only what they need, ensuring security and efficiency.”. Agilicus facilitates seamless access to SCADA systems and enables efficient remote HMI access:

    “Based on the credentials… users can access an HMI that is on one of our water sites from their iPad from a web browser and not be able to access anything beyond that since they don’t actually have network access​​…to me that is amazing”

    Similarly, Rob’s experience in Northern Rockies reveals how Agilicus facilitated mobile access for water operators, enhancing flexibility and responsiveness: 

    “One of the things we did is we implemented Agilicus for our water operators and organically they started using it with their phones. We used to have a dedicated laptop that they had to shift change and handoff and things like that. They came in and corrected us and said, ‘we just do it on our phone’ and it’s like, oh why didn’t we see that use case? It was one that the users just found. It doesn’t need software so now they all use their phones and it’s great because wherever they are whenever they need – even if they’re off shift – they can know what’s going on. It’s really getting a lot of positive feedback”

    Measuring Impact and ROI

    The return on investment (ROI) from adopting Agilicus was almost immediate, as Rob explains:

    “The ROI was almost instantaneous for us. We needed an identity provider, first and foremost. And the cost of that identity provider versus the cost of your full suite was within a dollar. That really meant that everything else that you offered was a dollar. I can’t find a VPN for a dollar. I can’t find remote access securely for a dollar. So, really, we needed that authentication of the user. We paid for that, and every other feature was a freebie. It was plain, easy math. Here’s this cost, and here are the things we won’t have to buy. And it became instantaneous. Yeah, Agilicus was the right thing to do. And I appreciate how Agilicus was willing to work with us and understand our situation before saying, here’s your price tag. They looked, and it was really scaled to what we needed and what we were using. Not a one-size-fits-all. There was a lot of thought that went into it and a lot of care went into it. So I really appreciate that. That made the whole process that much easier.”

    Leveraging Agilicus for Comprehensive Cybersecurity

    Agilicus has proven to be a comprehensive, Attainable Municipal Zero Trust solution for municipalities, addressing a wide range of cybersecurity needs efficiently. For Jake, the platform’s capability to provide strong identity and authentication, multifactor authentication, and least privilege access, all within a single suite, has been a game-changer:

    “We never anticipated being able to meet the multifactor authentication and Privileged Access Management requirements in a single solution. However, Agilicus made this possible at an economical cost”

    Agilicus Support Levels

    Of course, all of this is backed up by the Agilicus support team and excellent support levels, as highlighted by Rob:

    “Whenever we’ve had questions, even at 5:00 PM our time, we’ve received immediate and effective responses. Often, we’re directly in touch with senior members or even the software developers, which is incredibly valuable. This level of support, where you’re directly connected with someone who can resolve your issues promptly, is extraordinary and a true lifesaver for us.”

    Conclusion

    The experiences of Jake Jakop from the Town of Mono and Rob Blain from Northern Rockies with Agilicus AnyX paint a clear picture: Agilicus stands out as an essential tool for modern municipalities, offering security, scalability, user-friendliness, and cost-effectiveness. More than just meeting current challenges, Agilicus is defining a new standard in Attainable Municipal Zero Trust cybersecurity, propelling municipalities into a more secure digital future.

  • Using Zero Trust to Enable Secure Remote Access to SCADA for Water Systems


    This blog post explores how modern technology enables remote and real-time monitoring of water treatment plant assets, with a focus on the challenges of securing remote access to SCADA systems. It introduces the Zero Trust security model as a solution, emphasizing identity verification, micro-segmentation, and continuous monitoring for enhanced security in critical infrastructure.


    The monitoring of asset performance in water treatment plants has seen rapid technological advancement in the face of changing requirements and best practices.

    Plant operators are no longer required to perform physical asset checks at fixed intervals or wait for issues to surface. Instead, modern equipment and network technology enable remote and real-time access to assets, with the ability to analyze data proactively to detect and address potential problems before they manifest. 

    Water systems are among the critical infrastructure that ensures the well-being of communities. To manage and monitor these systems efficiently, Supervisory Control and Data Acquisition (SCADA) systems play a crucial role. However, enabling secure remote access to SCADA for water systems comes with its unique set of challenges.

    In this article, we delve into the realm of secure remote access to SCADA for water systems and how the Zero Trust security model can provide an effective solution.

    The Challenges of Remote Access to SCADA for Water Systems

    Remote access to SCADA systems presents several significant challenges for water systems:

    Cybersecurity Threats: Water systems have become a prime target for cyberattacks because they are often easy to exploit. Traditional remote access approaches can expose vulnerabilities, making them an attractive attack vector for malicious actors to disrupt operations, steal data, or compromise the safety of the water supply.

    Legacy Systems: Many water utilities still rely on legacy or obsolete operating systems for their SCADA infrastructure that were not designed with robust security features and do not support up-to-date security fixes. These systems may lack minimum levels of encryption, authentication, and monitoring capabilities, making them susceptible to attacks.

    Network Complexity: Water systems often encompass a vast network of industrial-grade sensors, pumps, and reservoirs. Ensuring secure remote access to every component across vendors can be challenging, especially when they are spread across large geographical areas.

    Regulatory Compliance: Water utilities must comply with regulations and standards from various bodies, such as the Safe Drinking Water Act. Meeting these requirements while enabling remote access can be complex and costly to maintain.

    Authentication and Authorization: Traditional access control methods may not be sufficient to protect against unauthorized access. Managing user credentials and permissions can be daunting when dealing with a large number of operators and technicians. This work also often falls out of scope for OT managers, who defer such tasks to the IT group.

    The Zero Trust Model: A Modern Solution to Secure Remote Access to SCADA

    Zero Trust Architecture is a security framework that operates on the principle of “never trust, always verify.” It assumes that threats may exist both outside and inside the network. With this model, remote access to SCADA systems becomes more secure and manageable. One of its core principles is strict identity verification for all users and devices attempting to access any part of the SCADA systems, ensuring that only authorized personnel with the appropriate permissions can gain network access, thereby reducing the risk of unauthorized entry. 

    Additionally, the framework promotes micro-segmentation, wherein water systems are divided into isolated zones, each equipped with its own security controls, preventing lateral movement for potential cyber attackers even if they manage to infiltrate. Continuous monitoring and real-time threat detection are crucial components, helping swiftly identify any suspicious activities to mitigate potential threats before they escalate, thus limiting their potential impact. Data transmitted between remote users and the SCADA system is also safeguarded through encryption with up-to-date ciphers to protect against interception or tampering by attackers. 

    Furthermore, Zero Trust advocates for a “just-in-time access” approach, ensuring that access is granted only when necessary, with users and devices receiving the minimum level of access required for their tasks. This strategy significantly reduces the risk of privilege escalation attacks across devices.

    Zero Trust in Action for Water Systems

    Implementing Zero Trust for secure remote access to SCADA systems involves careful planning and investment in various key areas. These include Identity and Access Management (IAM), where IAM solutions are deployed to manage user access and enforce robust authentication methods. Network Segmentation is another vital component, which entails dividing the network into segments with stringent access controls and firewalls to isolate and safeguard critical assets.

    Multi-factor authentication (MFA) plays a critical role in Zero Trust, as it is enforced for remote access, third-party organizations, or critical applications, adding an extra layer of security to verify user identities. Additionally, Security Information and Event Management (SIEM) tools are employed to ensure continuous monitoring and threat detection, enabling a comprehensive set of audit records to be applied to Risk Management and Compliance frameworks.

    Finally, a fundamental aspect of Zero Trust implementation is the creation and enforcement of security policies. These policies outline who can access what and when, ensuring that access to SCADA systems is tightly controlled and only granted to authorized individuals, thus enhancing overall security and reducing the risk of unauthorized access.

    Secure Remote Access to SCADA, Solved

    The challenges of enabling secure remote access to SCADA for water systems are real, and the Zero Trust security model offers a robust solution. It provides a proactive approach to safeguarding critical infrastructure, protecting against cybersecurity threats, and ensuring the safety and reliability of our water supply. 

    By implementing Zero Trust, water utilities can build a resilient defense against potential breaches and provide a secure environment for remote system management. 

  • Zero Trust vs. VPN: A Comprehensive Comparison for Secure Remote Access


    In this post, we’ll dive into the Zero Trust vs. VPN security model differences and why the former is ultimately the far superior choice for secure, seamless remote access. 


    Traditional VPNs: An Aging Technology

    VPNs have long been the standard for secure remote access.

    They create an encrypted point-to-point tunnel between networks, so data in transit is shielded from observers on insecure links or the Internet. However, while VPNs secure the tunnel itself, they are not without their weaknesses:

    • VPNs operate on the principle of ‘trust but verify’, a model of implicit trust that can lead to significant security risks: once a user has authenticated to the VPN they are on the network. If an attacker gains that access, they can move laterally across the network, potentially causing significant damage. The traffic remains secure over the VPN, but the payload itself has become malicious.
    • VPNs often lack granular access controls, meaning that once a user is inside the network, they often have access to more resources than necessary. And when these controls are available, they are often complex and require frequent updates.
    • VPNs can also be complex and cumbersome to manage, requiring detailed configurations and continuous management. This exposes an organization’s security posture when their configurations become out of sync with the latest security best practices.
    • VPNs also often lead to complications with firewall rules and access control lists. This complexity not only places a significant burden on IT teams but also increases the likelihood of configuration errors, which can lead to security vulnerabilities.
    • Efforts to simplify and make VPN usage more efficient through techniques such as split tunneling have been demonstrated to be a potential and exploitable attack surface for nefarious actors.

    The True Cost of VPNs

    But surely VPNs are budget-friendly, right?

    Traditional VPNs may appear cost-effective, but hidden costs from security breaches, user frustration, and IT management can quickly add up from a financial and reputational perspective. Let’s delve deeper into what these hidden costs could look like:

    Security Breaches

    The average cost of a security breach through a VPN can be substantial. Assuming that a company with around 200 employees experiences two security breaches per year, each costing $50,000 in damage and mitigation efforts, the total cost would be $100,000. This doesn’t even account for the potential damage to a company’s reputation and customer trust, which can be immeasurable.

    User Frustration

    Traditional VPNs can often frustrate remote employees due to the need to manually connect and disconnect based on their remote location and tasks. If each remote employee spends about 15 minutes daily dealing with VPN-related connection and access issues, this translates to 6,500 hours lost annually for an organization with 100 remote employees. Assuming an average hourly rate of $25 for these employees, this results in $162,500 lost annually due to user frustration.

    IT Management Overheads

    Managing traditional VPNs is a continuous and tedious process. Assuming IT teams spend around 10 hours weekly managing VPN configurations, troubleshooting connectivity issues, and addressing firewall rule changes, this accumulates to 520 hours per year. With an average hourly rate of $40 for IT specialists, the annual cost of IT management for VPNs reaches $20,800. Not to mention, these management tasks also carry the risk of human or configuration errors that can compromise security and increase costs further.

    Add all of this up, and the true total cost of a VPN in this illustration comes to $283,300 per year.

    Zero Trust: The Future of Secure Remote Access

    In contrast to traditional VPNs, Zero Trust Network Access offers a fundamentally different approach to secure access. This architecture operates on the principle of ‘never trust, always verify.’ Every user and device, whether inside or outside the network, is treated as a potential threat. Every access request is treated as originating from an untrusted network, and the identity and permissions of the user or device must be verified before access is granted. This removes the traditional network perimeter inside which users and devices were implicitly trusted.

    As a result, the overall attack surface is reduced because implicit trust has been removed from the network. No trust is granted to users or devices based on their network location or on the mere possession of credentials. Instead, each request is evaluated against the user’s identity and the context of the request, and only the specific resource requested is exposed.

    This approach significantly enhances security by preventing unauthorized access, even from within the network. In addition, Zero Trust implementations simplify the management of remote access by removing the need for complex VPN configurations and firewall rules, reducing the burden on IT teams.

    Zero Trust vs. VPN: At a Glance

    When it comes to infrastructure network security, Zero Trust outperforms traditional VPNs in a number of ways:

    Access model
      VPNs: operate on a ‘trust but verify’ model that typically grants access at the network layer, leading to potential security risks and lateral movement within the network.
      Zero Trust: built on a ‘never trust, always verify’ philosophy, continuously verifying the identity of users and devices and preventing unauthorized access.

    User experience
      VPNs: can be complex and frustrating for end users, who must repeatedly manage connections based on where they are and what they are doing.
      Zero Trust: provides a seamless user experience, eliminating manual connections and granting access only to the necessary resources across networks.

    Management
      VPNs: require tedious and constant attention, making it easy for configuration errors to occur and persist.
      Zero Trust: simplifies remote access management, eliminating complex configurations and reducing the burden on IT and OT teams.

    Getting Started with Agilicus

    As the network security landscape continues to evolve, it’s clear that the ‘trust but verify’ model of traditional VPNs is no longer sufficient to maintain security best practices on IT and OT networks. As we’ve described in detail above, the ‘never trust, always verify’ approach offers a more secure, efficient, and manageable alternative. 

    While traditional VPNs have served us well in the past, the increasing sophistication of cyber threats necessitates a more robust and secure solution. Agilicus’ Zero Trust solution, with its superior security, simplified management, and granular access control, offers a compelling alternative for IT and OT professionals. By choosing Agilicus, you’re not just choosing a product; you’re choosing a partner committed to securing your network and safeguarding your data.

    Discover the transformative impact of our client-less Zero Trust Architecture to safeguard your critical infrastructure, simplify access, and reduce the burden on your team. 

  • SSH for Remote Access: Every User, Every Device, Every Application

    SSH for Remote Access: Every User, Every Device, Every Application

    In this blog post, we’ll delve into the challenges of enabling SSH for remote access and how you can do so without compromising security through Zero Trust.


    Secure Shell (SSH) is no ordinary protocol. 

    As its name implies, it’s secure, but also reliable, and has the built-in ability to encrypt data while ensuring authentication. 

    However, challenges arise when you need to provide exclusive access to a particular resource via SSH alone.

    The SSH Conundrum

    More often than not, you struggle to find a proper ‘jump box’ gateway for SSH, and unlike a straightforward reverse proxy, SSH ends up exposing the entire host rather than one service on it. This ‘all-or-none’ problem then forces you to map a public IP to inbound connections into your private network.

    Imagine having a battalion of virtual machines, each needing access from a set of remote users. These users could be vendors, contractors, or simply temporary staff. Without a standard mechanism in place to handle this, things can get messy pretty quickly.

    Next on the list of issues is two-factor authentication (2FA). While HTTP-based protocols have well-understood methods for 2FA, integrating it into SSH is often an uphill task: it is complex, most people are not used to it, and many give up trying altogether.

    What if there was a simpler way to secure your SSH access points without grappling with jump box complexities, 2FA setup hassles, or needing to expose the services to a public IP at all?

    Zero Trust: The Simple Solution

    Zero Trust Network Access might be the answer you’re looking for. When implemented, it becomes possible to provide SSH remote access to your pool of hosts for anyone, regardless of which identity provider they use.

    The best parts? 2FA adds an extra layer of security in front of every host, the connection is brokered outbound so no internal host needs a public IP mapping, and the end-to-end encryption of the SSH session is maintained.

    SSH then becomes straightforward: Users can directly log into the hosts, all while ensuring that security remains intact.

    Ready to Learn More?

    This novel approach of deploying SSH with Zero Trust can be achieved with ease with Agilicus. Get in touch with us to learn how you can simplify your systems administration without compromising on security.

  • Simplifying Secure Access: Enabling Rockwell Automation Remote PLC Access Without a VPN

    Simplifying Secure Access: Enabling Rockwell Automation Remote PLC Access Without a VPN

    Enabling Zero Trust Architecture to streamline Rockwell Automation remote PLC access without requiring a VPN improves security while still allowing your crucial users to remotely access systems for critical client support. In this piece, we’ll explore the security implications of legacy VPNs and delve into how Rockwell Studio 5000™ suite can be used remotely, sans VPN, to securely and easily program industrial devices like PLCs.


    In today’s evolving manufacturing landscape, straightforward and secure access to Programmable Logic Controllers (PLCs) is pivotal for optimizing production processes.

    Ensuring seamless remote PLC access is becoming more of a necessity for many organizations. However, achieving top-tier security best practices without sacrificing efficiency can be challenging, mainly due to the inherently broad access challenges associated with Virtual Private Networks (VPNs) and other outdated security approaches. 

    The VPN Challenge

    VPNs have been the traditional choice for secure remote access for over 25 years. And they have proven to be effective in securing data transmission between remote users and the central network. However, they have some notable drawbacks, especially in Industrial Control Systems’ programming:

    1. Security Vulnerabilities: OT systems are kept on an isolated, air-gapped network. However, industrial air-gapping often prevents or limits just-in-time access to OT and industrial control systems, leading to long repair cycles, customer complaints, increased costs, and workarounds. Keeping these systems off the public internet remains essential, but using an antiquated VPN for vendor and remote access can actually compromise the air gap by bridging disparate networks together, leaving these vital systems exposed to cyber threats.
    2. Complex Setup: Setting up a VPN can be complex and time-consuming when defining security rules at the network layer, requiring IT expertise that many manufacturing engineers may not possess.
    3. Performance Issues: VPNs can introduce latency and reduce network performance, potentially impacting real-time control and PLC monitoring.
    4. User Experience: VPNs can be cumbersome for end-users, requiring them to install and configure additional software on their devices.

    VPNs are also limited in the security they offer. While the perimeter protection model they offer is based on establishing a secure boundary around a trusted network, the concept is no longer ideally suited to the distributed nature of today’s Industrial Control Systems. This approach also lacks the requisite flexibility, visibility, scalability, and user-friendly experience that modern manufacturers need.

    In particular, using Rockwell Automation software such as FactoryTalk™ Linx Browser (FTLinx) or RSLinx™ Classic to reach PLCs inside an Industrial Control System facility calls for a solution that makes EtherNet/IP connectivity to remote PLCs transparent to the user and to the underlying software tools, while maintaining performance and security.

    Embracing A VPN Alternative Remote PLC Access

    The ideal way to achieve PLC access is through a Zero-Trust security model, not a VPN providing connectivity to everything.

    What is Zero Trust?

    Zero Trust is a cyber security framework that is built on the ‘never trust, always verify’ principle. It presumes threats both outside and inside the network, negating any inherent trust. All users and devices, even those within the network, undergo continuous authentication and authorization.

    Implementing Zero Trust in OT requires a thorough understanding of all assets and resources. With this knowledge, companies can apply granular security controls, prioritize continuous authentication (especially for vendors and other partners), and enforce protection at multiple network points. 

    In contrast to a VPN, an alternative built on a foundation of Zero Trust provides considerable advantages:

    Heightened Security

    Enabling Rockwell Automation remote PLC access through Zero Trust fortifies the entire OT network and its PLCs against cyber threats. By leveraging modern features like role-based access control, end-to-end encryption, micro-segmentation, and two-factor authentication, you can safeguard these systems from unauthorized access. With this in mind, it becomes possible to use clients such as RSLinx™ (including its RSWho browser) and combine them seamlessly with two-factor authentication.

    Simplified Remote Access

    Zero Trust, when implemented well, greatly simplifies remote access without compromising security. For example, Agilicus achieves this by enforcing user authentication (both internal and external) with the existing identity provider, such as Azure/Office 365 or Google Workspace login. And it only grants users access to the resources they need to do their work, with the least amount of continuously validated privilege. When enabled, an organization can choose who gets to access PLCs with Rockwell Studio 5000™, and what operations they can undertake.

    Enhanced Productivity

    In manufacturing, downtime equals lost revenue and time. A VPN alternative, Zero Trust-based environment boosts productivity and efficiency. It elevates the user experience and maintains strong network performance to streamline operations, while keeping security transparent to the operator. The end user can access multiple PLCs across multiple sites without the need to re-establish VPN connectivity to individual locations. PLCs can even be deployed with overlapping internal IP address spaces on a site-by-site basis and still be accessible.

    Cost-Efficiency

    Shifting from a VPN infrastructure to a VPN alternative setup is economical. VPNs often demand investments in hardware, software, and maintenance. Transitioning away saves capital and operational costs.

    See Zero Trust in Action: On-Demand Rockwell Automation Remote PLC Access Platform Showcase

    Enabling VPN alternative Rockwell Automation remote PLC access within a Zero Trust model offers comprehensive benefits that extend beyond remote access alone. At Agilicus, we maximize easy access to your PLCs for employees and vendors alike while strengthening security in the process. 

    Witness its prowess in our on-demand platform showcase and explore how the Agilicus Zero Trust solution can redefine your manufacturing operations.

  • CISA Cyber Scan Water

    CISA Cyber Scan Water

    The Cybersecurity and Infrastructure Security Agency (CISA) has announced a free (as in beer) service to pro-actively scan water and wastewater systems for vulnerabilities. Agilicus has participated in this scanning (against our infrastructure) for a year now, receiving weekly reports.

    In their words:

    The Cybersecurity and Infrastructure Security Agency
    (CISA) can help your drinking water and wastewater system identify and address vulnerabilities with a no cost vulnerability scanning service subscription. CISA, the Water Sector Coordinating Council, and the Association of State Drinking Water Administrators encourage drinking water and wastewater utilities to use this service

    CISA’s Free Cyber Vulnerability Scanning for Water Utilities

    More information on how to get started, and some information on how to use the reports can be found in their datasheet: FREE CYBER VULNERABILITY SCANNING FOR WATER UTILITIES.

    The key points:

    1. This is a public-endpoint scan
    2. Identifies public assets and endpoints
    3. Identifies vulnerabilities at layers 3 and 4, and some at layer 7
    4. Identifies poor cryptographic practices
    5. Trends progress against its recommendations over time
    6. Nothing to install

    A public-endpoint scanner such as this one is a valuable part of an overall security program, helping to identify forgotten systems, inadvertent configuration errors or changes, etc. The ideal stance is that the report comes back empty, nothing accessible, with a Zero Trust outbound-only product facilitating identity-based access to specific systems as needed, in a domain-specific fashion (PLC, HMI, SCADA aware): defense in depth, industrial micro-segmentation, IEC 62443 zones and conduits.

    Waste Water Treatment Case Study

    For more information see the case study on how the Agilicus AnyX platform allowed a municipal water treatment facility to safely, securely, simply, facilitate remote maintenance and management.

    Read Case Study

  • Terminator Becomes National Standard

    Terminator Becomes National Standard

    I’ll be back. An iconic line delivered in a memorable Austrian accent, foreshadowing the actual rise of cyber-physical systems. In the Terminator franchise, we saw for the first time the trifecta of physical machines, artificial intelligence, and, cyber-security gone awry. Science fiction moved from the War Operation Plan Response (WOPR) of the 1983 film WarGames (which merely thought about wars) to physical machines that could do something about it. While this is all good fun in a theatre, it’s now becoming a reality. And all good realities need succinct standards to guide them towards good from evil. Into this gap has emerged NIST with an update to NIST SP 800-82, expanding its scope to include these cyber-physical systems as well as building management systems and other operational technology goodness.

    NIST SP 800-82 Rev 3

    One of the main changes in the upcoming revision three of NIST SP 800-82 is an expansion in scope. Industrial Control Systems are a part of the greater Operational Technology rubric (we explain this acronym soup in more detail in “Piercing The Purdue Model: Zero Trust In Operational Technology”), which also includes Distributed Control Systems, Building Management Systems, etc. The revision also updates threats, vulnerabilities, risk management, and best practices. Of particular interest is the alignment to the NIST Cybersecurity Framework (CSF), which I believe is a lot more manageable and achievable for many companies. NIST CSF is also in the process of a major revision to 2.0, adding a Govern function.

    Coverage

    The scope of NIST SP 800-82 Revision 3 (Draft) has been broadened to include not only traditional Industrial Control Systems (ICS) used in critical infrastructure sectors but also emerging technologies like the Industrial Internet of Things (IIoT) and other systems such as Building Automation Systems (BAS) and Physical Access Control Systems (PACS). The term “Operational Technology” (OT) is now used to refer to these broader systems, including Industrial Control Systems as one of the main entities. This acknowledges the evolving threat landscape and the need for enhanced security measures.

    The addition of Building Automation Systems and Physical Access Control Systems moves this from solely critical infrastructure sectors (water, energy, and transportation) into everyday life (malls, apartment buildings, and office buildings).

    Risk

    Risk Management: The new version emphasizes a risk-based approach to cybersecurity. It introduces the concept of risk management frameworks, which help organizations identify and prioritize potential threats and vulnerabilities. This approach enables more targeted and effective security measures.

    Response Plan

    Enhanced Incident Response: The latest version places greater emphasis on incident response and recovery. It provides detailed guidance on developing and implementing robust incident response plans specific to Operational Technology environments. This helps organizations minimize the impact of cybersecurity incidents and restore operations quickly.

    Integration

    Integration with Cybersecurity Framework (CSF): NIST SP 800-82 Revision 3 (Draft) aligns with the NIST Cybersecurity Framework (CSF), providing a cohesive approach to managing cybersecurity across an organization. This integration allows organizations to leverage existing CSF practices and frameworks to secure their Operational Technology environments.

    Supply Chain

    Supply Chain Security: NIST SP 800-82 Revision 3 (Draft) recognizes the importance of securing the supply chain, particularly for Operational Technology environments. It provides guidance on assessing and managing risks associated with third-party suppliers, ensuring that the software and hardware components used in Operational Technology systems are trustworthy and free from vulnerabilities.

    I’ve talked many times about supply chain, e.g. “Multi-Factor Authentication and the Supply Chain”, but it remains one of the more pervasive and complex problems to solve, both on the technology side (their code inside the code of my vendor) and on the people side (their staff supports my site).

    Access

    Access Control and Authentication: The new version emphasizes the importance of access control and strong authentication mechanisms. It provides guidance on implementing multi-factor authentication, password management, and user access controls. These measures help prevent unauthorized access and enhance the overall security posture.

    As you can likely see by watching my video about this topic, this is an area our team at Agilicus is very passionate about.

    Threat

    Threat Intelligence and Monitoring: NIST SP 800-82 Revision 3 (Draft) emphasizes the need for continuous monitoring and threat intelligence. It provides guidance on implementing security controls and tools to detect and respond to potential threats in real time. This proactive approach enables organizations to stay ahead of emerging threats.

    Controls

    There is new tailoring guidance for NIST SP 800-53, Rev. 5 security controls with an Operational Technology overlay that provides mapped security control baselines for low-impact, moderate-impact, and high-impact Operational Technology systems.

    I have covered some of the mappings between SP 800-53 and Zero Trust, and some of the risks it seeks to control, in “NIST SP 800 53 Mapping To Zero Trust”.

    Program

    NIST SP 800-82 Rev 3 refers to ISA-62443-2, which I have covered in “Industrial Zero-Trust Micro-Segmentation: Leverage Identity To Simplify IEC-62443 Zones”; it gives guidelines on how to fulfill the cybersecurity requirements for each element of a cybersecurity program.

    Conclusions

    I covered a lot, but the standard covers even more. I find each of these standards pretty accessible, I recommend starting with the Cybersecurity Framework, followed by the NIST SP 800-82. Even if only to understand and assess the risks you face that you might be unaware of, these are worth reading.

  • Split Horizon VPN: Unsafe At Any Speed

    Split Horizon VPN: Unsafe At Any Speed

    In “Your VPN Hates Your Video Conferencing. Here’s Why” I discussed why VPNs often very negatively impact the performance of non-corporate applications. End users complain of poor performance on YouTube and in video conferencing, VoIP issues, etc. But VPN users also complain, since the corporate network’s upstream becomes their downstream, and someone else watching Netflix reduces the performance for all users.

    In each case, the reason is the same: to operate a VPN safely, you must force all of the traffic into it. Companies often sacrifice security for performance by running what is called a ‘split horizon’ (or split tunnel) VPN. In a nutshell, a split-horizon VPN cherry-picks certain routes, forcing those into the VPN while letting everything else follow the default route to the local ISP. The end user may see this as better, since performance improves, but security is dramatically reduced.

    In “Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables”, the authors show just how dramatically that security is reduced. In particular, they note that 100% of the VPNs tested on iOS were insecure.

    The attack vector is the routing table. Hosts forward to the most specific matching route (longest-prefix match). The corporate VPN, once configured for split horizon, installs a set of more-specific routes for the corporate prefixes. A hostile local network (a rogue Wi-Fi access point, say) can in turn hand the client routes that are more specific still, for instance by assigning it a local subnet that overlaps a corporate prefix, so that traffic for those destinations bypasses the tunnel and can be captured, altered, or inspected... things you do not want.
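    The longest-prefix-match mechanism above is easy to reproduce on a desk. The following Python is an added example written for this page; it is not code from the original post or from the TunnelCrack paper. The interface names (wlan0, tun0), the corporate range 10.0.0.0/8, the VPN server address 203.0.113.5 and the historian address are all constructed for illustration. It also covers the split-tunneling point raised in the VPN list earlier on this page.

```python
"""Longest-prefix-match walk-through for the split-tunnel route leak.

Added example for this page; not code from the original post or from the
TunnelCrack paper. Interface names, prefixes and addresses are constructed.
"""
import ipaddress


def parse_routes(entries):
    """Turn ('prefix', 'iface') pairs into a routing table of networks."""
    return [(ipaddress.ip_network(prefix, strict=False), iface)
            for prefix, iface in entries]


def lookup(table, dst):
    """Pick the egress interface for dst the way a host kernel does:
    among all matching prefixes, the longest (most specific) one wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, iface) for net, iface in table if addr in net]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0])[1]


def leaks(table, vpn_iface):
    """Audit check: every route that is NOT via the VPN but lies inside a
    VPN prefix wins longest-prefix match for that sub-range, so it steals
    traffic the tunnel was meant to carry. Returns those routes."""
    vpn_nets = [net for net, iface in table if iface == vpn_iface]
    return [(str(net), iface) for net, iface in table
            if iface != vpn_iface and any(net.subnet_of(v) for v in vpn_nets)]


# A typical split-horizon table on a laptop in a coffee shop (constructed).
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "wlan0"),        # default route: straight out the local ISP
    ("203.0.113.5/32", "wlan0"),   # the VPN server itself must stay off-tunnel
    ("10.0.0.0/8", "tun0"),        # only the corporate range is sent into the VPN
]

# The same laptop after a hostile access point assigns it an address inside
# 10.7.0.0/16: the host installs a connected-network route for that prefix
# on wlan0, and a /16 beats the VPN's /8 for every address in it.
HOSTILE_AP = SPLIT_TUNNEL + [("10.7.0.0/16", "wlan0")]

HISTORIAN = "10.7.42.10"   # constructed: an internal SCADA historian


def demo():
    """Return (egress before, egress after, routes stealing VPN traffic)."""
    before = lookup(parse_routes(SPLIT_TUNNEL), HISTORIAN)
    after = lookup(parse_routes(HOSTILE_AP), HISTORIAN)
    stolen = leaks(parse_routes(HOSTILE_AP), "tun0")
    return before, after, stolen


if __name__ == "__main__":
    before, after, stolen = demo()
    print(f"{HISTORIAN} -> {before} on the clean table, {after} once the AP is hostile")
    print("routes stealing VPN traffic:", stolen)
```

    Run it and the historian’s traffic flips from tun0 to wlan0 without the VPN client noticing anything. The leaks function is the check worth adding to any client-side route audit: list every route that is more specific than a VPN route and points somewhere other than the tunnel.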

    Is there a better solution? If the full-route VPN is too slow, and the split-horizon VPN is too weak, what should you do? We recommend a Zero Trust solution. In “Zero-Trust Makes Working From Home Secure And Reliable, Unlike VPN”, we discuss how making each resource available as its own public endpoint, with appropriate authentication and authorisation, provides better performance, stronger security and simpler use. Everybody wins.

    Read more of the Tunnelcrack paper including the author’s summary here.

  • NIST sp 800-63A: Introduce Yourself

    NIST sp 800-63A: Introduce Yourself

    Who are you? Identity involves knowing who you are, and then later proving it. NIST sp 800-63A enrollment is the first step, so let’s talk about that!

    NIST sp 800-63A covers “how do I become aware of who you are for the first time”, also known as enrollment. In “NIST sp 800-63B: How Well Do I Know You” I covered how we authenticate you the second and subsequent times; here we talk about that first time, the unambiguous “who are you” setup, and its levels.

    The NIST sp 800-63A covers 3 levels of “how well do I know your identity”. Quoting from the standard:

    IAL1: There is no requirement to link the applicant to a specific real-life identity. Any attributes provided in conjunction with the subject’s activities are self-asserted or should be treated as self-asserted (including attributes a CSP asserts to an RP). Self-asserted attributes are neither validated nor verified.

    IAL2: Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity. IAL2 introduces the need for either remote or physically-present identity proofing. Attributes could be asserted by CSPs to RPs in support of pseudonymous identity with verified attributes. A CSP that supports IAL2 can support IAL1 transactions if the user consents.

    IAL3: Physical presence is required for identity proofing. Identifying attributes must be verified by an authorized and trained CSP representative. As with IAL2, attributes could be asserted by CSPs to RPs in support of pseudonymous identity with verified attributes. A CSP that supports IAL3 can support IAL1 and IAL2 identity attributes if the user consents.

    NIST sp 800-63A

    Paraphrasing: in level 1 you can create sock-puppet accounts, as many as you like. In level 2 you exist (this is getting kind of existentialist, Sartre and Descartes, right?). In level 3 you exist and were there in person to prove it.

    Now, a brief segue into privacy. You can exist, prove you exist, and still not hand over all of your details each time. The attestor in level 3 might need your passport, your birthdate, and a photocopy of that mole on your butt. But the system that identifies you downstream might replace all of this with its own assertion, “user42 is who they say they are”, with no further detail. The more detail goes into a level 3 attestation, the more you should care where it ends up, since, unlike a password, you cannot change your identity: your biometrics, your DNA, etc.

    NIST sp 800-63A Identity Levels

    The NIST sp 800-63A relies on traditional real-world identity (name, date of birth, home address). The general idea is these are hard to fake, and presence of one or two is usually unambiguous.

    The NIST sp 800-63A standard goes through three general stages: collect, validate, verify.

    Since identity is intertwined with Personal Identifiable Information (PII), there is a lot of the NIST sp 800-63A standard dedicated to what to collect when.

    • Identity proof is not related to entitlement to a service
    • Limit to minimum necessary to validate claimed identity
    • Indicate purpose at time of collection
    • Provide redress mechanism for complaints
    • Have a written policy
    • Maintain audit log record of all steps taken, including PII examined
    • Protect PII
    • Perform transactions over secure (encrypted, authenticated) channel
    • Use fraud detection (e.g. anomaly detection, geolocation, etc). This might involve checking against e.g. the US Social Security “Death Master File” (am I alive?)
    • Delete data when you stop being an identity provider
    • Do not collect (US Social Security Number)

    In NIST sp 800-63A level 1, the user self-attests: there is no validation. Think your reddit account. I am since I say I am.

    In NIST sp 800-63A level 2, proofing can be remote or in person. PII is required, but minimised. A single piece of SUPERIOR or STRONG evidence suffices only if it is validated with the issuing source; otherwise you need two STRONG pieces, or one STRONG plus two FAIR. Note: this is sort of like the stratum-1/2/3 clocks in NTP: the place I check identity against needs to be stronger than what I need to assert. Also, interestingly, knowledge-based verification (quizzing the applicant on things only they should know) can add confidence when resolving the identity but does not count as evidence, and the fact that I already know you counts for nothing. Physical address checks are done (e.g. sending an enrollment code by post). Interestingly, a PSTN number can be used as the address of record here (I trust the phone company?). No word on the homeless or indigent.

    In NIST sp 800-63A level 3 we get serious. Biometrics are a must. We check for duplicate enrollment. We have a method to re-adopt a previous identity (no right to be forgotten here). And we do it old school: in person, or over a supervised remote session. The evidence bar rises too: two SUPERIOR pieces, or a SUPERIOR plus a STRONG validated with the issuing source, or two STRONG plus a FAIR.

    The NIST sp 800-63A standard provides a summary table, laid out here per requirement:

    Presence
      IAL1: No requirements.
      IAL2: In-person and unsupervised remote.
      IAL3: In-person and supervised remote.

    Resolution
      IAL1: No requirements.
      IAL2: The minimum attributes necessary to accomplish identity resolution. KBV may be used for added confidence.
      IAL3: Same as IAL2.

    Evidence
      IAL1: No identity evidence is collected.
      IAL2: One piece of SUPERIOR or STRONG evidence depending on strength of original proof and validation occurs with issuing source; or two pieces of STRONG evidence; or one piece of STRONG evidence plus two (2) pieces of FAIR evidence.
      IAL3: Two pieces of SUPERIOR evidence; or one piece of SUPERIOR evidence and one piece of STRONG evidence depending on strength of original proof and validation occurs with issuing source; or two pieces of STRONG evidence plus one piece of FAIR evidence.

    Validation
      IAL1: No validation.
      IAL2: Each piece of evidence must be validated with a process that is able to achieve the same strength as the evidence presented.
      IAL3: Same as IAL2.

    Verification
      IAL1: No verification.
      IAL2: Verified by a process that is able to achieve a strength of STRONG.
      IAL3: Verified by a process that is able to achieve a strength of SUPERIOR.

    Address Confirmation
      IAL1: No requirements for address confirmation.
      IAL2: Required. Enrollment code sent to any address of record. Notification sent by means different from enrollment code.
      IAL3: Required. Notification of proofing to postal address.

    Biometric Collection
      IAL1: No.
      IAL2: Optional.
      IAL3: Mandatory.

    Security Controls
      IAL1: N/A.
      IAL2: SP 800-53 Moderate Baseline (or equivalent federal or industry standard).
      IAL3: SP 800-53 High Baseline (or equivalent federal or industry standard).

    Source: https://pages.nist.gov/800-63-3/sp800-63a.html
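    The Evidence row is the part of the table people get wrong in practice, because the single-piece alternatives only apply when the evidence is validated with its issuing source. The following Python encodes that row as a checker. It is an added example for this page, not code from the post or from NIST; the function and parameter names are mine. One assumption is baked in and labelled in the code: a piece of stronger evidence may fill a slot that calls for weaker evidence (SUPERIOR counts as STRONG, STRONG counts as FAIR). Only the evidence row is modelled; presence, verification, address confirmation and biometrics are separate requirements.

```python
"""Evidence-row checker for the NIST SP 800-63A IAL summary table.

Added example for this page, not code from the post or from NIST.
Assumption (labelled): stronger evidence satisfies a weaker slot.
"""

# Evidence strength ordering. Assumption: a higher rank satisfies a lower slot.
RANK = {"FAIR": 1, "STRONG": 2, "SUPERIOR": 3}


def _normalise(evidence):
    """Upper-case the strengths and reject anything not in the table."""
    ev = [e.strip().upper() for e in evidence]
    unknown = [e for e in ev if e not in RANK]
    if unknown:
        raise ValueError(f"unknown evidence strength(s): {unknown}")
    return ev


def _at_least(ev, level):
    """Number of pieces whose strength is `level` or better."""
    return sum(1 for e in ev if RANK[e] >= RANK[level])


def meets_ial(evidence, ial, validated_with_issuer=False):
    """True if the evidence set satisfies the Evidence row for `ial`.

    validated_with_issuer: the single-piece alternatives in the table only
    apply when 'validation occurs with issuing source' (e.g. the passport
    is checked against the issuing authority), so it is an explicit flag.
    """
    ev = _normalise(evidence)
    superior = _at_least(ev, "SUPERIOR")
    strong = _at_least(ev, "STRONG")
    pieces = len(ev)  # every piece is at least FAIR once normalised

    if ial == 1:
        return True  # self-asserted: no identity evidence is collected
    if ial == 2:
        return (
            (validated_with_issuer and strong >= 1)  # one SUPERIOR/STRONG, issuer-validated
            or strong >= 2                           # two STRONG
            or (strong >= 1 and pieces >= 3)         # one STRONG plus two FAIR
        )
    if ial == 3:
        return (
            superior >= 2                                                 # two SUPERIOR
            or (validated_with_issuer and superior >= 1 and strong >= 2)  # SUPERIOR + STRONG, issuer-validated
            or (strong >= 2 and pieces >= 3)                              # two STRONG plus one FAIR
        )
    raise ValueError(f"IAL must be 1, 2 or 3, got {ial!r}")


def highest_ial(evidence, validated_with_issuer=False):
    """Highest IAL whose Evidence row this set satisfies (IAL1 always does)."""
    for ial in (3, 2, 1):
        if meets_ial(evidence, ial, validated_with_issuer):
            return ial


if __name__ == "__main__":
    # Constructed cases: the same passport-plus-driver's-licence pair reaches
    # IAL3 only once the passport has been validated with its issuer.
    cases = [
        (["STRONG", "FAIR", "FAIR"], False),
        (["SUPERIOR", "STRONG"], False),
        (["SUPERIOR", "STRONG"], True),
        (["FAIR", "FAIR", "FAIR"], False),
    ]
    for ev, validated in cases:
        tag = "issuer-validated" if validated else "not validated with issuer"
        print(f"{ev} ({tag}) -> IAL{highest_ial(ev, validated)}")
```

    The flag is the point: the same pair of documents is IAL2-only until the issuing-source check is actually performed, which is the step most often skipped when a proofing flow is built in a hurry.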

    Now, here’s where it gets interesting. It’s one thing to say “I am X”, it’s another thing to say “let me figure out who you are”. Think of the difference between a passport that lets you into a country and dental records that prove whose ashes these are. In the first case, the test is easier: “identity X, look up and match”. In the other, it is “here is a set of factors we know; search everything and find the one and only best match”.

    One of the later sections of NIST sp 800-63A is also quite interesting: derived credentials. This is a way to go from, e.g., stratum 1 (the source) to stratum 2 (a system) to stratum 3 (e.g. a smart card on your belt). Along the way you can restrict access to some of the facts and rely on the chain of trust instead.

    So. We have now talked about “How do I know who you are” the first time, the levels (1/2/3), and some of the items to consider. Identity, and authentication against it, are a key aspect of any security system. Want to discuss more? Please feel free to reach out!

  • Bring Your Own Device in Agilicus AnyX

    Bring Your Own Device in Agilicus AnyX

    In today’s digital landscape, the concept of Bring Your Own Device has gained significant popularity. In this model, employees are allowed to use their personal devices, such as smartphones, tablets, and laptops, for work-related tasks. And your third-party vendors might have their own company devices they may be using to access your network. We’ll help you understand the benefits of BYOD and the robust, secure support Agilicus AnyX offers so you are equipped to assess whether it aligns with your organisation’s security strategy.

    By using Agilicus AnyX, organisations can seamlessly connect diverse devices, enabling employees to work efficiently without the need for specific devices issued by the company. This flexibility enhances user satisfaction and eliminates the need for restrictive device policies.

    Take an internal server. Remote Desktop. Access it from a contractor’s tablet. Full single sign-on, multi-factor. But not joined to your domain.

    How BYOD Works in Agilicus AnyX

    Agilicus AnyX takes a web-first approach, meaning that most functionalities are accessible through a web browser. This eliminates the requirement for dedicated applications on individual devices.

    Many organisations can no longer dictate that specific hardware must be used, as it goes against the nature of BYOD. This realization raises questions about identity management. Organisations accustomed to using Microsoft Active Directory for identity management may face challenges when devices not affiliated with their domain require access. However, Agilicus AnyX offers a solution: federated authentication. It extends identity management capabilities beyond the organisation’s domain. This allows for seamless integration of BYOD devices into the authentication framework, ensuring secure access for users.

    It’s important to note that Agilicus AnyX does not solely focus on BYOD; rather, it provides the same powerful tools and functionalities for both BYOD and non-BYOD environments. By adopting Agilicus AnyX, organisations can bridge the gap between different device types and security settings. Limitations that commonly arise in other systems, such as the inability to dictate VPN clients or identity configurations, are significantly reduced with Agilicus AnyX. It offers a unified authentication system, enabling single sign-on and multi-factor authentication, even for devices that are not part of the organisation’s Windows domain. This seamless integration is achieved through OpenID Connect, allowing users to access resources securely, regardless of the device they use.

    Agilicus AnyX also addresses the challenges associated with running specific software on BYOD devices. Instead of requiring the installation of numerous applications or conflicting VPN clients, the platform offers alternative methods. Users can leverage remote desktop or VNC (Virtual Network Computing) through Agilicus AnyX, which ensures a clientless and hassle-free experience. Additionally, a lightweight launcher can facilitate the execution of custom programming software without the need for a VPN. These features significantly reduce the complexity and potential conflicts that arise from running software on various devices.

    With Agilicus AnyX, the gap between BYOD and traditional device management is narrowed significantly. We empower organisations to embrace BYOD while providing a secure and seamless experience for employees. By eliminating restrictions, supporting various devices, and streamlining identity management, Agilicus AnyX enables organisations to leverage the benefits of BYOD without compromising security or productivity.

    Conclusion

    BYOD has become a prevalent trend in today’s workplace, and Agilicus AnyX offers a robust solution for effectively managing BYOD environments. With its web-first approach, federated authentication capabilities, and seamless software execution, Agilicus AnyX ensures a smooth and secure BYOD experience. Embracing BYOD with Agilicus AnyX allows organisations to unlock the potential of diverse devices, enhance productivity, and create a flexible work environment for employees.

  • Auto-Creating Users in Agilicus AnyX

    Auto-Creating Users in Agilicus AnyX

    Managing user accounts and access permissions can be a time-consuming task for organisations. However, Agilicus AnyX offers a powerful feature called auto-creating users that simplifies this process and enhances efficiency. We’ll help you understand the benefits and use cases for auto-creating users so you can leverage it for your company.

    There are two primary reasons why auto-creating users can be advantageous.

    The first scenario applies to companies where the majority of users work directly for the organisation and already exist in the company directory.

    In this case, there is no need to manually create user accounts in Agilicus AnyX: instead, upon their first login attempt, the system automatically creates user accounts for them. These auto-created users are placed in specific groups, such as the “all-auto-created users” group, for easy management. While auto-creating users does not grant any permissions initially, it eliminates the need for manual user creation and reduces administrative effort.

    The second use case involves third-party contractors or vendors who require temporary access to certain applications or resources within the organization. Using the request flow feature in Agilicus AnyX, administrators can handle these access requests efficiently. When a contractor requests access to a specific application, their user account is automatically created, and the administrator can grant the necessary permissions for the requested resource. This process saves time and avoids the hassle of manual user creation and permission assignment for each contractor.

    See a specific example of auto-creating users from a single Google Workspace domain.

    The Benefits of Auto-Creating Users in Agilicus AnyX

    Auto-creating users in Agilicus AnyX offers several benefits. Firstly, it simplifies the user provisioning process, eliminating the need to input user details like first name, last name, and email manually. This saves time and reduces the chances of errors during user creation. Additionally, auto-creating users can enhance accuracy by ensuring consistent user account setup, preventing the omission of crucial information.

    Implementing auto-creating users involves enabling the feature in the company’s identity provider. By default, the feature is turned off to provide organisations with control over user creation. However, for organisations with a high level of trust in their identity provider, enabling auto-creation can be a time-saving practice. Users can log in immediately, even though they may not have access to any resources initially. Administrators can later assign the appropriate permissions as needed.

    To make use of auto-creating users, organisations can inform their users about the profile creation process. Users can log in to their newly created profile, although the dashboard may initially appear empty. This allows for a seamless onboarding experience while ensuring that users have a central access point to manage their permissions and resources.

    Conclusion

    Auto-creating users in Agilicus AnyX is a powerful feature that simplifies user management and improves efficiency. By automating the user creation process, companies can save time, reduce administrative overhead, and ensure consistent user provisioning. Whether it’s for internal users or third-party contractors, auto-creating users streamlines access management and enhances the request flow process.

    Embracing this feature in Agilicus AnyX empowers companies to optimize user management and focus on core tasks, ultimately boosting productivity and security in their systems.

  • Using Groups for Assigning Role-Based Permissions

    Using Groups for Assigning Role-Based Permissions

    In the world of user management and access control, assigning permissions can quickly become a complex and time-consuming task. However, by utilising the power of groups, organisations can simplify this process and effectively manage role-based permissions. We’ll help you understand the benefits of assigning role-based permissions using groups in Agilicus AnyX and the advantages of this approach. 

    Traditionally, administrators assign permissions directly to individual users, leading to a convoluted and cumbersome configuration over time. In Agilicus AnyX, you can mitigate this by creating groups based on specific roles or responsibilities within the organisation. You could create one group for HVAC Contractors and another for Network Administrators, for example. 

    By assigning permissions to these groups, rather than individual users, the administration process becomes much more streamlined and efficient.

    The Benefits of Groups in Agilicus AnyX

    One of the key advantages of using groups in Agilicus AnyX is the ease of adding or removing users. Instead of modifying permissions for each user individually, administrators simply need to add or remove users from the appropriate group. This significantly reduces the configuration workload and ensures that permissions are consistently applied across the organisation. 

    Additionally, when new resources or tools are introduced, administrators only need to update the permissions for the relevant groups, rather than modifying each user’s settings.

    Groups also offer flexibility for users who may hold multiple roles or have access to shared resources. For example, an individual may be both an HVAC administrator and a network administrator. By being part of both relevant groups, they can effortlessly access the resources and permissions associated with each role. This flexibility allows for efficient management of permissions in complex scenarios.

    Leveraging Groups in Agilicus AnyX

    Determining the number and structure of groups depends on the organisation’s specific needs and existing systems. Many organisations already leverage tools like Microsoft Active Directory, which already utilises groups. These existing group structures can be imported into Agilicus AnyX, simplifying the transition and ensuring consistency.

    However, it’s important to consider whether the existing group structure adequately meets the permission requirements within the platform. If not, creating additional groups may be necessary to ensure proper access control.

    Conclusion

    Using groups for assigning role-based permissions offers significant benefits in terms of efficiency, scalability, and consistency. By organising users into groups based on their roles or responsibilities, administrators can streamline the configuration process and simplify user management. This approach reduces the complexity of managing permissions individually and ensures that access control is applied consistently across the organisation.

    With proper naming conventions and regular auditing, organisations can effectively implement and maintain group-based permissions, enhancing security and productivity in their systems.
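
    The two posts above (auto-creating users, and groups for role-based permissions) describe one data model: users are created on first login with no permissions and placed in a catch-all group, permissions are attached only to role groups, and a user’s effective access is the union of their groups. The following is an added example of that model in Python; it is not Agilicus AnyX code, and the group, resource and action names (“HVAC Contractors”, “hvac-hmi”, “read-only” and so on) are made up for the illustration.

```python
"""Group-based permissions with first-login auto-provisioning.

Added illustration, not Agilicus AnyX code. It models the behaviour the two
posts describe: a user who authenticates through the identity provider is
created on first login with no permissions and placed in the
"all-auto-created users" group; permissions are attached to role groups, never
to individual users; a user's effective permissions are the union over every
group they belong to; and removing a user from a group (or the directory)
revokes access without touching the group definitions. Group, resource and
action names are made up for the example.
"""
from dataclasses import dataclass, field

AUTO_GROUP = "all-auto-created users"   # every auto-created user lands here


@dataclass(frozen=True)
class Permission:
    resource: str   # e.g. "hvac-hmi" (a desktop or web resource)
    action: str     # e.g. "read-only" or "read-write"


@dataclass
class Directory:
    # email -> set of group names; nothing is ever attached to a user directly
    users: dict = field(default_factory=dict)
    # group name -> set of Permission
    group_perms: dict = field(default_factory=dict)
    # access requests awaiting an administrator: (email, Permission)
    pending: list = field(default_factory=list)

    def ensure_user(self, email):
        """Just-in-time creation on first login. Returns True if created."""
        if email in self.users:
            return False
        self.users[email] = {AUTO_GROUP}        # catch-all group only, no permissions
        return True

    def define_group(self, group, perms):
        self.group_perms[group] = set(perms)

    def add_to_group(self, email, group):
        if group not in self.group_perms:
            raise KeyError(f"unknown group {group!r}")
        self.users[email].add(group)

    def remove_from_group(self, email, group):
        self.users[email].discard(group)

    def effective_permissions(self, email):
        """Union of the permissions of every group the user is a member of."""
        perms = set()
        for group in self.users.get(email, ()):
            perms |= self.group_perms.get(group, set())
        return perms

    def is_allowed(self, email, resource, action):
        return Permission(resource, action) in self.effective_permissions(email)

    def request_access(self, email, resource, action):
        """Request flow: the requester is auto-created and the request queued."""
        self.ensure_user(email)
        self.pending.append((email, Permission(resource, action)))

    def approve(self, email, group, resource, action):
        """An admin fulfils a request by adding the user to a group that already
        carries the permission. A group that does not carry it is rejected, so
        an approval cannot silently grant something other than what was asked."""
        wanted = Permission(resource, action)
        if wanted not in self.group_perms.get(group, set()):
            raise ValueError(f"group {group!r} does not carry {wanted}")
        self.pending.remove((email, wanted))
        self.add_to_group(email, group)

    def offboard(self, email):
        """Dropping the user drops every membership; no group needs editing."""
        self.users.pop(email, None)


def demo():
    """Walk through both scenarios; returns the populated directory."""
    d = Directory()
    d.define_group(AUTO_GROUP, [])
    d.define_group("HVAC Contractors", [Permission("hvac-hmi", "read-only")])
    d.define_group("Network Administrators",
                   [Permission("core-switch-ssh", "read-write"),
                    Permission("hvac-hmi", "read-write")])

    # Scenario 1: a staff member from the company directory signs in for the
    # first time. The account exists, but carries no permissions until an
    # administrator places it in a role group.
    d.ensure_user("alice@example.com")
    d.add_to_group("alice@example.com", "Network Administrators")

    # Scenario 2: a contractor asks for a resource through the request flow and
    # an administrator approves it into the matching contractor group.
    d.request_access("bob@contractor.example", "hvac-hmi", "read-only")
    d.approve("bob@contractor.example", "HVAC Contractors", "hvac-hmi", "read-only")
    return d


if __name__ == "__main__":
    d = demo()
    for who in d.users:
        print(who, sorted((p.resource, p.action) for p in d.effective_permissions(who)))
```

    Note that approve() takes the target group explicitly and checks that the group actually carries the requested permission; letting the code pick “any group that has it” would risk landing a contractor in an administrators group that happens to include the same resource.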

  • Diagnosing User Issues with Audits

    Diagnosing User Issues with Audits

    End users will inevitably encounter issues in accessing resources they need to do their work, which need to be resolved promptly and efficiently. While some problems may require complex solutions, many common user issues can be diagnosed and fixed relatively easily thanks to Agilicus AnyX’s robust auditing capabilities. 
    We’ll help you explore the importance of audits in diagnosing user issues and discuss how using them in Agilicus AnyX empowers administrators to resolve problems more efficiently.

    Understanding User Issues

    When users encounter problems, they often struggle to articulate the specific nature of the issue. They may simply state that something is broken without providing further details. As a result, IT teams need effective tools to identify and address the underlying causes of user problems.

    Common User Issues

    Here are some typical user issues that frequently arise: 

    • Incorrect URL: Users may not know where to go or may be using outdated or incorrect URLs to access applications.
    • Insufficient Permissions: Users may not have been assigned the necessary permissions to access certain features or perform specific tasks.
    • Incompatible Devices: Some users may be using devices that are not compatible with the applications they are trying to access.
    • Multi-Factor Authentication: Users may forget to enroll in or set up multi-factor authentication, leading to login difficulties.
    • Geo IP Restrictions: If an organisation has set up restrictions based on geographical locations, users attempting to access applications from blocked countries may face issues.

    User Audits in Agilicus AnyX: A Diagnostic Approach

    1. User Audit Table: Administrators can quickly identify if the user has the appropriate access permissions for reported issues.
    2. Multi-Factor Authentication Preferences: Audits include multi-factor authentication preferences and settings, enabling administrators to check if the user has enrolled and identify the chosen authentication method.
    3. Deadline for Multi-Factor Authentication: Administrators can see if the user has adhered to the deadline for multi-factor authentication setup.
    4. Login Sessions and Details: User audits provide detailed login session records, helping administrators verify successful logins and troubleshoot login-related issues.
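
    As an added example of the diagnostic approach above (not Agilicus AnyX code, and not its audit schema), the following Python takes the four kinds of information the list says a user audit exposes and maps a user’s denied events onto the common causes listed earlier: outdated URL, missing permission, multi-factor not set up or past its deadline, and geo-IP block. The record layout, field names, resource names and the log lines themselves are constructed for the illustration.

```python
"""Diagnosing a reported access problem from audit records.

Added illustration, not Agilicus AnyX code or its audit schema. It takes the
four kinds of information the post says a user audit exposes (permissions,
MFA preferences, MFA deadline, login sessions) and maps denied events onto
the common causes listed above: wrong URL, missing permission, MFA not set
up, geo-IP block. The record layout, field names and sample lines are all
constructed for the example.
"""
import json
from datetime import datetime, timezone

# Constructed user audit record for one contractor (assumed layout).
USER_AUDIT = {
    "email": "carol@contractor.example",
    "permissions": [{"resource": "hvac-hmi", "role": "read-only"}],
    "mfa": {"enrolled": False, "method": None, "deadline": "2023-06-01T00:00:00Z"},
}

# Constructed login/access audit lines, one JSON object per line, oldest first.
LOGIN_LOG = """\
{"ts": "2023-06-05T14:02:11Z", "user": "carol@contractor.example", "event": "login", "result": "denied", "reason": "geo_ip_blocked", "country": "XX", "resource": "hvac-hmi"}
{"ts": "2023-06-05T14:10:40Z", "user": "carol@contractor.example", "event": "login", "result": "success", "reason": "", "resource": "hvac-hmi"}
{"ts": "2023-06-05T14:11:02Z", "user": "carol@contractor.example", "event": "access", "result": "denied", "reason": "no_permission", "resource": "scada-hmi"}
{"ts": "2023-06-05T14:12:30Z", "user": "carol@contractor.example", "event": "access", "result": "denied", "reason": "unknown_resource", "resource": "hvac-hmi-old"}
{"ts": "2023-06-05T14:13:00Z", "user": "dave@example.com", "event": "access", "result": "denied", "reason": "no_permission", "resource": "scada-hmi"}
"""

# Resources actually published to users (assumed).
KNOWN_RESOURCES = {"hvac-hmi", "scada-hmi"}


def parse_ts(text):
    """Audit timestamps are UTC; make the datetime aware so comparisons are safe."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def diagnose(user_audit, login_log, known_resources, now):
    """Return (category, explanation) findings for one user, oldest event first."""
    findings = []
    email = user_audit["email"]

    # 1. MFA: not being enrolled only blocks the user once the deadline passes.
    mfa = user_audit["mfa"]
    if not mfa["enrolled"]:
        deadline = parse_ts(mfa["deadline"])
        if now >= deadline:
            findings.append(("mfa", f"MFA deadline {mfa['deadline']} has passed and the user "
                                    "has not enrolled; logins are blocked until they do"))
        else:
            findings.append(("mfa", f"MFA not enrolled yet; deadline {mfa['deadline']} not reached"))

    # 2. Walk the denied events for this user only; other users' lines are noise here.
    granted = sorted({p["resource"] for p in user_audit["permissions"]})
    for line in login_log.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["user"] != email or ev["result"] != "denied":
            continue
        ts, reason, resource = ev["ts"], ev["reason"], ev["resource"]
        if reason == "geo_ip_blocked":
            findings.append(("geo-ip", f"{ts}: login from {ev['country']} blocked by the geo-IP policy"))
        elif resource not in known_resources:
            # Checked before the permission reason: a resource nobody publishes
            # is a stale link, not a missing grant.
            findings.append(("url", f"{ts}: {resource!r} is not a published resource; "
                                    "the user is probably following an outdated link"))
        elif reason == "no_permission":
            findings.append(("permissions", f"{ts}: denied on {resource!r}; the user only holds {granted}"))
        else:
            findings.append(("other", f"{ts}: denied on {resource!r} for {reason!r}"))
    return findings


if __name__ == "__main__":
    now = parse_ts("2023-06-05T15:00:00Z")
    for category, why in diagnose(USER_AUDIT, LOGIN_LOG, KNOWN_RESOURCES, now):
        print(f"[{category}] {why}")
```

    The ordering of the checks is deliberate: a denied event on a resource that is not published at all is reported as a URL problem before any permission reasoning, because no permission grant would fix it.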

    Benefits of User Audits

    Leveraging user audits in Agilicus AnyX offers several benefits:

    • Empowering Administrators: Audits give administrators visibility into access permissions, multi-factor authentication settings, and login history, so they can resolve users’ issues directly.
    • Efficient Troubleshooting: With comprehensive audit information, administrators can efficiently troubleshoot user issues, pinpoint potential causes, and provide targeted solutions.
    • Reduced Dependence on Support: Audits reduce the need for constant support, as you can explore and understand different parts of Agilicus AnyX to find solutions to issues independently.

    Conclusion

    User audits in Agilicus AnyX are a valuable diagnostic tool for efficiently resolving common user issues. By leveraging these capabilities, you can resolve problems faster, enhance productivity, and improve user satisfaction. These audits will help you maintain a smooth workflow by quickly diagnosing and addressing user issues.

  • VNC and RDP in Agilicus AnyX: Which is Right for Me?

    VNC and RDP in Agilicus AnyX: Which is Right for Me?

    The Agilicus AnyX Desktop feature marries the simplicity and security of single sign-on, Zero Trust, and multi-factor authentication with a resource that is graphical in nature. It is ideal for both embedded systems as well as remote productivity applications.

    You have two different choices for how to enable a desktop resource for your users, the tried-and-true Virtual Network Computing (VNC) and the Windows desktop-oriented Microsoft Remote Desktop Protocol. Which one is the best for your application and users?

    Executive Summary

    Agilicus AnyX VNC is best for you if:

    • You have a shared machine
    • You need multiple users to access the device at the same time
    • You want to use it from any device, including tablets
    • Your use pattern is short sessions checking something which is always running
    • Your device only supports VNC (e.g. embedded device)
    • You need some users to have a read-only session
    • You have no local users on devices

    Agilicus AnyX Microsoft Remote Desktop Connection is best for you if:

    • Your use case is relatively long productivity-oriented sessions
    • You need to share a printer or device
    • You have a single-user pattern
    • Your application stops and is logged out when the user does

    Detailed Considerations: VNC

    One of the main concerns people have with VNC is its poor security model: a single shared password, no transport encryption, and an authentication that truncates the password to 8 characters and uses it as a DES key in a challenge-response exchange. It is intrinsically unsafe to expose directly… except when coupled with Agilicus AnyX.

    AnyX allows you to keep the VNC server hidden in a secure enclave. It provides a single-sign-on, multi-factor, passwordless authentication, with strong per-user authorization (including read-only mode).

    The HTML5 web-first Agilicus AnyX Profile allows any user, on any device, to have instant seamless access. Have a contractor with a tablet on a cellular connection? That works as-is.

    One of the unique aspects of the Agilicus AnyX VNC Desktop is ‘password stuffing’. This allows you to ensure no one (except you!) knows the VNC password. Users supply their Azure Active Directory or Google Workspace credentials and are instantly using the resource. Security facilitates efficiency, rather than reducing it.

    The unique ‘read-only’ vs ‘read-write’ password allows for the ability to create two roles, perfect for use with Agilicus Group & Role-based access control.

    The Agilicus Connector can be paired with the VNC server on a 1:1 basis (meaning no other network access is possible through it), or, via other network segmentation techniques, can finely control and micro-segment as needed.

    And, more importantly, no inbound access, no firewall hole, and a perfect audit trail.

    VNC is the best solution for your team if:

    • You need access to embedded devices without local users
    • You have infrequent, short usage patterns
    • You don’t need shared printers, USB devices
    • You don’t have control of the users’ device

    Detailed Considerations: Microsoft Remote Desktop

    Microsoft’s Remote Desktop Protocol is tightly coupled with the Microsoft Windows ecosystem. It provides excellent performance even on low-bandwidth network connections. Because it is geared around non-shared desktop usage, it is best used when you have single-user applications and pairs nicely with a local-desktop native client.

    The Agilicus AnyX Desktop integration implements a Zero Trust Remote Desktop Gateway to create a seamless single-sign-on (with optional multi-factor) to a machine running remotely with Remote Desktop. It can be launched directly through the Agilicus Profile, or, from the ‘start’ menu of your operating system. Native clients can connect directly, without a VPN or proxy, owing to the unique nature of the Desktop Gateway.

    Encryption is end-to-end from the user’s desktop to the end server. Because the gateway cannot see inside that session, password stuffing is not possible. In common implementations, the user will ‘sign in’ with the account on the target machine.

    Remote Desktop is the best solution for your team if:

    • You run productivity applications such as ERP, word processor
    • You may want to locally print or share storage
    • You have relatively long sessions
    • Your sessions tend to be from desktop-style computers

    Regardless of which method you use, the basics apply:

    • Requests flow “May I please have permission for”
    • Multi-Factor: “I have, I am, I know”
    • Unified authentication: your team, and your partners’ teams, all with single-sign-on
    • Precise authorization: user A can do B to C at this time
    • Seamless access: no VPN to bring up, no overlapping IP or split horizon

    Conclusion

    In conclusion, the Agilicus AnyX Desktop feature offers a powerful combination of simplicity, security, and graphical capabilities through single-sign-on, Zero Trust, and Multi-Factor Authentication. This feature caters to a wide range of needs, including embedded systems and remote productivity applications. When it comes to enabling a Desktop resource for users, there are two viable options: Virtual Network Computing (VNC) and Microsoft Remote Desktop Protocol (RDP). Choosing the best option for your application and users depends on various factors.

    It is important to carefully assess the specific requirements and considerations of your use case to make an informed decision. By evaluating the strengths and weaknesses of both VNC and RDP, you can determine which protocol aligns better with your application’s needs, user preferences, and security requirements. Ultimately, selecting the most suitable approach will help provide an optimal user experience and enhance productivity while maintaining a high level of security.

  • The Security Risks of Using VPNs in Water and Wastewater Facilities

    The Security Risks of Using VPNs in Water and Wastewater Facilities

    Water and wastewater facilities have relied on Virtual Private Networks (VPNs) for years. 

    But how secure are they, really? 

    The short answer is they aren’t. 

    The longer answer is that, as the number and sophistication of security threats keep growing, VPNs and other traditional network access tools simply can’t keep up with modern solutions. This should be especially concerning for water and wastewater facilities, as critical infrastructure services like these are being increasingly targeted by cyber attacks.

    In this article, we’ll help you understand the risks and what to do instead so you can protect your critical infrastructure and the community you serve. 

    Security Risks for Water and Wastewater: Why VPNs Leave You Open to Cyber Attacks

    VPNs leave your water and wastewater facilities vulnerable to cyber threats for several reasons: 

    Insufficient Access Control

    VPNs allow remote access to the facility’s entire network, which can be convenient for remote monitoring and maintenance tasks. However, if unauthorized individuals gain entry to the network, they could potentially control or manipulate your critical water networks. 

    Inadequate Security

    VPNs often rely on poorly configured and outdated encryption protocols to protect data transmitted over the network. This can create significant security vulnerabilities and potentially expose sensitive data or allow malicious actors to intercept and manipulate network traffic.

    Vulnerable to Insider Threats

    VPNs can also inadvertently provide an opening for insider threats. Malicious insiders, such as disgruntled employees or contractors, can abuse their access privileges to laterally traverse your network and sabotage or compromise critical infrastructure systems.

    Lack of Network Segmentation

    Water and wastewater facilities typically have complex and interconnected networks that include various operational technology (OT) systems. A VPN may not have the secure segmentation needed to prevent unauthorized access to critical systems via the VPN. 

    Dos and Don’ts

    • Don’t overlook VPN software vulnerabilities: Stay informed about potential vulnerabilities and exploits related to the VPN software you are using. Regularly check for updates and security patches released by the vendor, and promptly apply them to protect against known vulnerabilities.
    • Don’t rely on VPNs for security: Better yet, don’t use a VPN at all! While VPNs are often used in water and wastewater facilities to provide an additional layer of security, they aren’t an effective modern solution. 
    • Do leverage Zero Trust instead: Instead, switch from a perimeter-based (firewall and VPN) model of access to a user-to-resource model through Zero Trust. It’s simpler and more secure. 
    • Do Enforce Strict Access Controls: Implement granular access controls to ensure that only authorized individuals can connect to your network. Regularly review and update access privileges to prevent unauthorized access and regularly revoke access for employees or contractors who no longer require connectivity. 
    • Do implement strong authentication: Ensure that strong authentication mechanisms (like multi-factor authentication) are leveraged as much as possible to verify the identities of users attempting to access your network. This adds an extra layer of security and helps prevent unauthorized access. 

    Transition Your Water and Wastewater Facilities to a Zero Trust Architecture with Agilicus

    Now that you know the risks and the best practices, how do you transition to a Zero Trust architecture?

    Well, with Agilicus, you can leverage Zero Trust to deploy a robust, seamless solution in just one hour with no disruption to your operations and no VPN. 

    Here’s How We Do It: 

    Agilicus grants access to specific resources based on stringent authentication and authorization principles, rather than allowing broad access to your entire network (like a VPN would). This significantly reduces the damage an attacker can do once they have a foothold and sharply limits lateral movement, since a user-to-resource session carries no route to the rest of the network. 

    We also make it easy to proactively defend your critical infrastructure too by enforcing multi-factor authentication, eliminating shared credentials, (which we discussed in more depth in part one of this series), and providing comprehensive visibility into the network. This allows your IT team to detect and respond to potential threats promptly. 

    Finally, Agilicus gives your remote workers and third-party vendors secure access to only the resources they need to do their work. This restricts them from accessing the rest of your network, further securing your systems. We also allow you to enforce strong security measures on their third-party devices to prevent anything from being introduced to your network. 

    Discover the Agilicus Difference

    Learn more about how Agilicus can help you implement a Zero Trust Architecture here. Or, check out this case study to learn how we helped a municipality secure its water treatment facility’s operational technology.

  • The Security Risks of Using Shared Credentials in Water and Wastewater Facilities

    The Security Risks of Using Shared Credentials in Water and Wastewater Facilities

    This is the first in a series of five blog posts about the biggest cybersecurity risks for water and wastewater and how you can address them so you can keep your critical systems protected from cyber threats. Keep an eye on our blog or make sure you follow us on LinkedIn so you don’t miss any posts in the series.

    You probably know about the significant risks sharing credentials poses for your water and wastewater facilities. 

    But you may not know that over 80% of hacking-related breaches can be attributed to weak or stolen credentials. 

    This is especially concerning for water and wastewater facilities. After all, these organizations provide invaluable services that our communities depend on. 

    Moreover, these facilities heavily rely on both information technology (IT) and operational technology (OT) systems to ensure smooth operations. If these systems are compromised, it could result in service disruptions or worse, a harmful impact on your organization and the people you serve. 

    By eliminating shared credentials, you can avoid these risks and consequences. You’ll be protecting your systems from unauthorized access while significantly reducing the risk of a cyber attack. 

    The Risks of Using Shared Credentials in Water and Wastewater Facilities

    Shared credentials leave you vulnerable to cyber threats for several reasons: 

    Lack of Accountability

    When multiple people share the same credentials, it becomes difficult to establish individual accountability for actions performed within the system. If an unauthorized or malicious activity occurs, it becomes challenging to identify the person responsible. This lack of accountability hinders effective incident response and can delay or impede the investigation of security breaches.

    Increased Vulnerability to Insider Threats

    Insider threats occur when individuals with authorized access to a system misuse their privileges. Shared credentials make it challenging to trace unauthorized activities back to specific individuals. In a water and wastewater facility, insiders could potentially manipulate critical systems, disrupt operations, or cause damage to infrastructure. Shared credentials make it difficult to attribute such actions to a particular person, increasing the risk of insider threats going undetected.

    Limited Access Control

    Shared credentials often lead to a lack of granular access control. Different users within a water and wastewater facility may have varying roles, responsibilities, and authorization levels. By sharing credentials, there is no way to differentiate between users or enforce fine-grained access restrictions. This means that an individual with shared credentials might have more privileges than necessary, increasing the potential impact of any security breach or unauthorized activity.

    Weakened Password Hygiene

    Shared credentials typically require passwords to be known by multiple individuals. This often leads to poor password hygiene practices. Passwords may be shared through insecure channels, written down and left in plain sight, or stored in easily accessible files, increasing the risk of password compromise. Weak or easily guessable passwords may also be used, further undermining the security posture of the system.

    Difficulty in Revoking Access

    When shared credentials are used, revoking access for specific individuals becomes challenging. If one person’s access needs to be revoked due to a change in employment, termination, or any other reason, it requires changing the shared credentials and distributing the new credentials to everyone else. This process is cumbersome, time-consuming, and prone to errors, potentially leaving revoked individuals with continued access to critical systems.

    What Not to Do

    • Don’t give out new usernames, IDs, or passwords for each application: Instead, leverage single sign-on using your Microsoft or Google Workspace accounts whenever possible so everything is connected to one account, not 20. This also makes it easy to revoke access. 
    • Don’t give out clients and VPNs: Clients and legacy access technologies like VPNs don’t provide sufficient security against modern cyber-attacks. Implementing a Zero Trust architecture not only protects your systems but also helps you align with EPA cybersecurity recommendations.
    • Don’t forget about multi-factor authentication: Multi-Factor Authentication is the strongest protection against phishing, identity theft, and other account-takeover attacks. In the case that credentials are compromised, it can be the failsafe that stops a cyber attack in its tracks.

    How Agilicus Eliminates Shared Credentials in Water and Wastewater Facilities

    Now that you know why you should eliminate shared credentials, here’s how you can do it with Agilicus. 

    For simplicity, let’s use a common scenario of a decade-old application as an example. This particular application doesn’t participate in any of this new mumbo-jumbo cybersecurity stuff and the organization can’t get rid of it because it’s necessary for business operations. 

    In this example, Agilicus solves this challenge by putting our platform – which is known as an identity-aware web application firewall – in front of the legacy application. 

    This accomplishes a few things. First, it makes it easier for your users to access the resources they need with a one-click single sign-on experience. That means no more memorizing new passwords and a consistent login experience every time. And more importantly, it makes it more difficult for hackers to spear phish you with random forms that ask for your user’s passwords, thereby significantly reducing the risk of compromised credentials. All of this happens without any changes to your existing network or configuration. 

    In addition to removing shared credentials, Agilicus’ platform also strengthens the security of your water and wastewater facilities in other ways, including: 

    • Multi-factor authentication, which you can enforce for all your systems, even on legacy applications (like the one in the example mentioned above) or for your third-party vendors.
    • Vendor access management with centralized managed permissions
    • Granular, auditable administrator control so you can see who accessed what, when, and from where.

    Want to learn more? Check out this on-demand webinar hosted by our CEO, Don Bowman, for a deeper dive into how Agilicus can help you eliminate shared credentials. 

    Or, if you want to see specifically how Agilicus can help water and wastewater facilities like yours, read this case study about how we helped a municipality secure its water treatment facility’s operational technology. 

  • Best Practices for Connectors

    Best Practices for Connectors

    The Agilicus Connector facilitates a private connection between a network and end-users. It installs on a device somewhere inside the protected network, creating an outbound connection, and is an essential part of Agilicus AnyX. But you may have questions about how to install and configure it. Do you run one per site? Or per host? What type of machine do you pick to put it on? We’ll share best practices so you can decide what works best for you. 

    For more information on the Agilicus Connector, refer to this introduction to Connectors.

    Best Practices for Connectors

    Micro-Segmentation

    The only thing the Connector technically requires is network reachability to the resource you are exposing (it must be able to open a connection to it). These resources can be remote desktops, web applications, SSH, or another similar service. The closer the Connector sits to the resource, the fewer machines can reach that resource without going through it, and so the better it is protected against risks on the local network. This is why we encourage you to give every machine that exposes resources its own Connector. This approach is more commonly known as micro-segmentation.

    There are ways through network deployment technologies that you can create that micro-segmentation without having a Connector. You can read more about that in this whitepaper.

    Consider the comparison below. The right side, in blue, shows the data paths for an Agilicus AnyX deployment via the Connector. The left side, in red, shows how a VPN might work. In this model, a dual-homed industrial PC handles two segments, one entirely internal.

    Where to Install the Connector

    We often get asked where the Connector should be installed, and we recommend putting it on a stable machine that will be up all the time. You don’t want it on a laptop in reception, for example. 

    The machine you install it on should of course have access to the resources, and be close enough to them that you are not worried about something closer being able to reach them without going through the Connector. The Connector doesn’t require much memory or CPU and runs on almost any platform, so you have considerable flexibility.

    So in practice, most of our customers initially use one Connector per site or one per network. Let’s use an example of a company that has three subnets: a production network, an engineering network, and a marketing network. There could be three Connectors in that environment, but if the production environment has five different production lines, that might be one per line.

    In the diagram shown, installing a Connector at (1) means the blast radius is the entire building. Installing a Connector at (2) means we can control access in and out of our data centre with high precision. Installing at (3) means we can do privileged access to a single server (e.g. block all inbound remote desktop traffic at that server except what arrives through the Agilicus AnyX Zero Trust path).

    A connector at (4) might suggest a departmental breakdown.

    Looking at a production facility, we might find one Connector per manufacturing ‘line’ (5). This lets you, for example, keep upgrades, and the downtime they cause, confined to the appropriate area. Moving the Connector inside each IPC gives perfect micro-segmentation.

    Not shown, but common: using network devices (e.g. VLANs with isolation) to achieve the same effect with less software deployed.

    High Availability

    • When should I use this?
    • When should I not?

    Agilicus Connectors support high availability. This means more than one Connector is active at all times, so if, for whatever reason, the machine running one Connector dies, your end users won’t experience any loss of service.

    High availability at the Connector level is not appropriate if the resource is a Share; in that model you would handle high availability externally, for example using Windows Clustering.

    Connector Nomenclature 

    It’s up to you how you choose to name your Connectors, but it should mean something to you. Most of our customers just use either the machine it is installed on, or the site/region/network segment for the name, but you may want to take a different approach. 

    Conclusion

    These best practices will help you use Connectors effectively in Agilicus AnyX and give you the information you need to set them up in the way that best fits your organisation’s needs.

    If you have any feedback, questions, or issues you’re experiencing, message our team via the chat button in your administrative portal or email us at support@agilicus.com.

  • Best Practices for Multi-Factor Authentication

    Best Practices for Multi-Factor Authentication

    Multi-Factor Authentication, sometimes called Two-Factor Authentication, is a method of proving your identity using something you know (typically a password) and something you have (a phone, a key, etc.) or something you are (e.g. a fingerprint). It is the strongest protection against phishing, identity theft, and other account-takeover attacks. In this post, we’ll walk through some best practices, whether you are implementing multi-factor authentication for the first time or just want to know how best to enforce it. 

    For more information on multi-factor authentication in Agilicus AnyX, refer to our product guide or whitepaper.

    What is Multi-Factor Authentication?

    Simply put, multi-factor authentication needs at least two distinct categories of verification. That’s why a password and a PIN are still considered a single factor, for example: both are something you know. In the past, companies could only do multi-factor authentication with expensive hardware tokens. Those tokens were also a completely different experience on every system and never worked the same way twice. 

    Agilicus uses a graphical web interface with consistent messaging, so your users always get the same experience. Other providers hand the user one of those devices to bring up a VPN, after which the share is mounted. But then the VPN stays up all the time. Does that mean the multi-factor authentication only worked once? If so, that’s a problem if you need it to be presented every day. Telling your users to just log out of the VPN doesn’t work, so you’re left trying to figure that out on your own.

    The reason multi-factor authentication is so strong is that the risk of someone guessing your password is uncorrelated with the risk of someone stealing your phone. We’ve included best practices below, but it’s ultimately up to you to decide how you want multi-factor authentication to apply and when.

    Best Practices for Multi-Factor Authentication

    Avoid SMS 

    One of the most common methods of multi-factor authentication is SMS text messages. The problem is that SMS is not a secure medium. Hackers have several tools in their arsenal to intercept, phish, and spoof SMS, from SIM-swapping a victim’s number to real-time phishing pages that relay the code. This is why we highly recommend avoiding SMS for multi-factor authentication when other methods are available, as it is not nearly as secure.

    Using TOTP or WebAuthn

    When should you use Time-Based One-Time-Password (TOTP) versus WebAuthn

    Let’s start by understanding the differences between the two: 

    • WebAuthn is a large family of standards. On your mobile phone it is the fingerprint or face unlock; on a Windows desktop it can be the dedicated security chip, the TPM (now common because Windows 11 requires one), or a roaming hardware key. Browsers expose these authenticators through the WebAuthn API; whether a given site offers them depends on that site enabling it. WebAuthn is often interpreted as biometric, which isn’t completely accurate: the authenticator signs a challenge with a private key it holds, and the biometric (or a PIN) only unlocks that key locally. Because the signature is bound to the site’s origin, a phishing page on a look-alike domain cannot reuse it. The biometric never leaves the device: when your users unlock Agilicus AnyX with the fingerprint on their phone, we receive only the signed challenge and a flag saying the user was verified. We never see the fingerprint itself. It’s a very strong approach. 
    • Time-Based One-Time Password (TOTP, RFC 6238) produces distinct numerical codes using a standardized algorithm that takes a shared secret and the current time as inputs. These time-dependent codes can be generated offline and offer a user-friendly second factor. Their weakness is that a code is just a number: a phishing page can ask for it and relay it to the real site within the same 30-second window. In most cases, we recommend WebAuthn over TOTP. 

    Now for frequency. Should users be prompted with a second factor every time they log in? Or once a week? Enforcing multi-factor every time a user logs in can cause multi-factor fatigue, where users approve prompts reflexively, which attackers exploit by flooding them with requests. Instead, prompting once a week plus on every new device has been a compromise that has worked well for our customers.


    Enforce Multi-Factor Authentication for Other Devices

    What if you need to enforce multi-factor authentication for things that aren’t web-based, like a share, remote desktop, or a desktop application? Agilicus AnyX uses the browser as the facilitator, so the same enforcement covers those resources and devices too, not just web applications. Overall, it makes the process seamless for you.

    Conclusion

    These best practices will help you set up Multi-Factor Authentication effectively and exactly the way you want in Agilicus AnyX.

    If you have any feedback, questions, or are experiencing any issues, message our team via the chat button in your administrative portal or email us at support@agilicus.com.

  • Give All Users a Unified Single Sign-On Experience

    Give All Users a Unified Single Sign-On Experience

    Agilicus AnyX gives all your users a unified single sign-on experience that simplifies the end-user experience while enhancing your overall security posture. But what do we mean when we talk about ‘all users’ or providing a unified experience? And what are the best practices around that? This article will help you better understand those concepts and what Agilicus recommends. 

    Understanding Unified Authentication and Federated Identity

    To understand why a unified single sign-on experience is valuable, we need to go over the concept of federated identity. Federated identity is a method of linking a user’s identity across multiple separate identity management systems. It allows users to quickly move between systems while maintaining security.

    There are several advantages to this. If your organisation uses thirty different tools, all with their own individual login experience and credentials, it’s a lot easier to spear phish you since the user will not be expecting consistency, and will be expecting boxes that say username/password. With Agilicus, your users log into Google or Microsoft once and from there are signed into your resources, but you the administrator control what they can do, which significantly reduces this risk and better protects against threat actors. So from a security perspective alone, it’s incredibly useful. It’s also helpful for end users to log in once and then access multiple different tools without needing to login again. 

    When we say ‘all users’, this doesn’t just mean employees or internal users. It includes all of your external users too (like contractors or third-party vendors). Giving all of them a universal, secure, and straightforward access experience is what Agilicus AnyX does best.

    Best Practices

    Shared Identity Providers

    Most users sign in via Google or Microsoft.

    Google might be personal (Gmail) or professional (Google Workspace).

    Microsoft might be Azure AD, Office 365, Active Directory, or a personal account such as Hotmail.

    For simplicity, these are one-click enabled.

    One advantage to shared providers is it allows conveniently working with partners and their identity systems with zero config.

    A downside to a shared identity provider relates to ‘auto creation’. It is usually not appropriate to auto-create users from a shared provider.

    Configure Additional Identity Providers

    In most cases, you shouldn’t need to configure additional identity providers. We have what’s called a multi-tenant Azure Identity Provider. This means there is just a single instance of our software and its supporting infrastructure serves multiple identity providers like Azure and Google. Google is already intrinsically multi-tenant, so anybody who has a Google Workspace or Gmail address can sign into our system.

    Meanwhile, for Azure, we work with anybody that has an Office 365, Microsoft, or Azure account, but their tenant has to allow it. You might have what’s called Conditional Access, a policy layer in Azure that can require multi-factor authentication, a compliant device, or other conditions before a sign-in succeeds. You might want to control that in your own identity provider or a second identity provider.

    For more information on this, refer to our breakdown of Azure consent flow in the Agilicus AnyX product guide.

    Multi-Factor Authentication

    It’s not a best practice to do multi-factor authentication twice in a row with different types. So if Company A has multi-factor authentication embedded in their identity system, but Company B doesn’t, and Company C asserts that everybody must use multi-factor authentication, how do you make everyone happy?

    So what Agilicus would do is use our authentication rules to say, if the identity providers don’t do multi-factor authentication, we’re going to force it. This allows you to achieve your corporate objective of everybody having multi-factor authentication without making users do it twice.
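
    The rule described here, and the “once a week plus on every new device” frequency from the multi-factor post above, can be written down as one small decision function. The following is an added example, not the Agilicus authentication rules engine and not from the original post. It assumes the upstream identity provider issues an OpenID Connect ID token whose amr claim lists the authentication methods used (the values are from RFC 8176; Azure AD, for instance, emits “mfa” alongside “pwd”), and it assumes a per-issuer setting saying whether that provider is trusted to enforce MFA on every login. The issuer names, tokens, users and device identifiers are constructed.

```python
"""Step-up MFA decision at an identity-aware proxy.

Added example, not the Agilicus rules engine. It models the policy in the text:
accept an upstream identity provider's second factor only when that provider is
configured as enforcing MFA, otherwise require one here; and re-prompt once a
week plus on every device not seen before. Standard library only.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

ONE_WEEK = 7 * 24 * 3600

# RFC 8176 'amr' values accepted as a real second factor performed by the IdP.
# 'sms' is deliberately absent: SMS codes are interceptable, so an SMS-only
# upstream login still gets a step-up here.
UPSTREAM_MFA_METHODS = {"mfa", "hwk", "otp", "swk"}


@dataclass(frozen=True)
class IdpPolicy:
    """Per-issuer configuration: is this IdP trusted to enforce MFA on every login?"""
    issuer: str
    enforces_mfa: bool


@dataclass
class SessionState:
    user: str
    device_id: Optional[str]    # from a cookie bound to this browser; None on a fresh device
    last_mfa_at: Optional[int]  # unix time of the last second factor the proxy verified itself


def upstream_mfa_satisfied(claims: Dict, policy: IdpPolicy) -> bool:
    """True only if the IdP is trusted to enforce MFA *and* its token says a second factor was used."""
    if claims.get("iss") != policy.issuer:
        raise ValueError(f"token issuer {claims.get('iss')!r} does not match policy for {policy.issuer!r}")
    if not policy.enforces_mfa:
        return False   # claims from an IdP we don't trust to enforce MFA are not evidence
    return bool(set(claims.get("amr", [])) & UPSTREAM_MFA_METHODS)


def needs_step_up(claims: Dict, policy: IdpPolicy, session: SessionState,
                  known_devices: Set[str], now: int, max_age: int = ONE_WEEK) -> Tuple[bool, str]:
    """Decide whether the proxy must run its own second factor, and why."""
    if upstream_mfa_satisfied(claims, policy):
        return False, "idp asserted mfa"          # never make the user do MFA twice
    if session.device_id is None or session.device_id not in known_devices:
        return True, "new device"
    if session.last_mfa_at is None or now - session.last_mfa_at > max_age:
        return True, "last mfa older than max_age"
    return False, "recent mfa on known device"


# Constructed sample policies and decoded ID-token claims for the companies in the text.
COMPANY_A = IdpPolicy("https://login.company-a.example", enforces_mfa=True)   # has conditional access
COMPANY_B = IdpPolicy("https://login.company-b.example", enforces_mfa=False)  # password only
TOKEN_A = {"iss": COMPANY_A.issuer, "sub": "alice", "amr": ["pwd", "mfa"]}
TOKEN_A_SMS = {"iss": COMPANY_A.issuer, "sub": "alan", "amr": ["pwd", "sms"]}
TOKEN_B = {"iss": COMPANY_B.issuer, "sub": "bob", "amr": ["pwd"]}


def demo(now: int = 1_700_000_000) -> Dict[str, Tuple[bool, str]]:
    """Run the scenarios from the text; returns {scenario: (needs_step_up, reason)}."""
    known = {"bob-laptop"}
    return {
        "A with idp mfa": needs_step_up(TOKEN_A, COMPANY_A, SessionState("alice", "new-phone", None), known, now),
        "A with sms-only mfa": needs_step_up(TOKEN_A_SMS, COMPANY_A, SessionState("alan", "new-phone", None), known, now),
        "B known device, recent": needs_step_up(TOKEN_B, COMPANY_B, SessionState("bob", "bob-laptop", now - 2 * 86400), known, now),
        "B known device, stale": needs_step_up(TOKEN_B, COMPANY_B, SessionState("bob", "bob-laptop", now - 8 * 86400), known, now),
        "B new device": needs_step_up(TOKEN_B, COMPANY_B, SessionState("bob", None, now - 3600), known, now),
    }


if __name__ == "__main__":
    for scenario, (step_up, reason) in demo().items():
        print(f"{scenario:24s} -> step-up={str(step_up):5s} ({reason})")
```

    The issuer check is the part most often skipped: a token from Company B’s provider must never be evaluated against Company A’s “trusted to enforce MFA” setting, otherwise a weaker provider inherits the stronger one’s exemption.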

    Conclusion

    By understanding our unified single sign-on experience and these best practices, you’re on your way to simplifying your end-user experience while enhancing your overall security posture

    If you have any feedback, questions, or are experiencing any issues, message our team via the chat button in your administrative portal or email us at support@agilicus.com.

  • Zero Trust Troika: The Who, The What, The How

    Zero Trust Troika: The Who, The What, The How

    A Zero Trust Network Architecture is a powerful, modern way to protect your network from cyber-attacks.

    In the past, organizations relied on perimeter security to protect their networks.

    This meant that they built walls around their networks and only allowed authorized users to access them: access everything or nothing.

    However, this approach is no longer effective.

    With the rise of cloud computing, mobile devices, and remote work, the perimeter of the network has become increasingly porous. This makes it easier for attackers to gain access to networks. We now have the ironic situation of making it harder for legitimate users while lowering security for the illegitimate.

    There has to be a better way.

    And there is: Zero Trust Network Architecture.

    Zero Trust Network Architecture is a new approach to network security that is designed to address the challenges posed by the modern threat landscape. Zero Trust Network Architecture assumes that no user or device is trusted by default. Instead, all users and devices must be authenticated and authorized before they are allowed to access any resources on the network.

    There are three key things you need to ensure in order to have a Zero Trust network architecture:

    • Who: Who is this actor (person, system) proposing to do something with my systems?
    • What: What is this actor entitled to do on a specific system?
    • How: How will I get the traffic from the actor (the Who) to the resource?

    Rephrased, the three key things are:

    • Unified authentication: A single authentication mechanism for all users and devices. This makes it easier to manage authentication and reduces the risk of passwords being compromised. Unify the authentication across multiple types of users, and multiple types of identity. Allow a contractor, a temp, or your peer in a joint venture each and all to have a single sign-on without a new account or identity.
    • Precise authorization: A VPN is the definition of imprecise. You are all-on, or all-off. Precise authorization to control access to resources individually, with roles. Can you edit the Wiki? Or only read it? This means that users are only granted access to the resources they need to do their job with the least privilege. This helps to reduce the risk of unauthorized access to sensitive data.
    • Simple access: A simple and user-friendly access experience. This makes it more likely that users will follow security best practices. Make multifactor and single-sign-on ubiquitous. Make it work regardless of network, regardless of device. Overlapping IPs and lack of public IP should be immaterial.

    Zero Trust Network Architecture is a powerful security architecture that can help organizations to protect their networks from attack. By implementing Agilicus AnyX, organizations can reduce the risk of data breaches, improve their security posture, and save money on security costs.

    Here are some of the benefits of using Agilicus AnyX:

    • Increased security: Increase the security of your network by assuming that no user or device is trusted by default. This makes it more difficult for attackers to gain unauthorized access to your network, and, if they do, they cannot travel laterally. Defense in Depth.
    • Reduced risk of data breaches: Reduce the risk of data breaches by preventing unauthorized users from accessing sensitive data.
    • Improved user experience: Improve the user experience by providing a simple and user-friendly access experience, browser-first, and device-agnostic. This makes it more likely that users will follow security best practices.
    • Reduced security costs: Reduce security costs by consolidating security infrastructure and eliminating the need for multiple security products. Implement multifactor policies in an Identity-Aware Web Application Firewall to provide ubiquitous audit without rework of existing systems.

    If you are looking for a way to improve the security of your network while simplifying the end-user experience, Agilicus AnyX is the best option.

    Learn more: https://www.agilicus.com/what-we-do/

  • Strengthen Your Industrial Network Cybersecurity with Vendor Access Management

    Strengthen Your Industrial Network Cybersecurity with Vendor Access Management

    Strong industrial network cybersecurity is more important (and more mandated) than ever. As the sophistication of cyber-attacks increases, understanding how to protect your critical infrastructure systems—energy production, water, gas, and other vital systems—has become imperative. In this article, we’ll arm you with the knowledge you need to understand and secure the vulnerabilities of your third-party vendors to reduce the cyber risk to your industrial control systems.

    Securing industrial operational networks has become a serious business in recent years. 

    And rightfully so. 

    One needs only to remember the now-infamous Colonial Pipeline cyberattack on May 7, 2021, which led to 5,500 miles of pipeline – 45% of the United States’ east coast fuel supply – being shut down for nearly a week.

    The impact cannot be overstated. About 12,000 gas stations were directly affected by the shutdown until operations were restored on May 13, 2021. 

    This is a high-profile example, but unfortunately not an unusual one. Cyber attacks and attempted breaches on industrial facilities have risen sharply over the past 5 years, and are predicted to keep rising for facilities that fail to update their security measures.

    There’s no doubt the threat level and danger are high for industrial networks. But thankfully there are measures you can take to mitigate the risks and better protect your systems. 

    If you rely on third-party vendors or other external users, Vendor Access Management is something you should consider implementing to secure your critical industrial systems against threats like the one that threatened Colonial Pipeline.

    What is Vendor Access Management?

    Vendor Access Management is a specific application of a broader concept called Privileged Access Management, the strategy and processes for controlling, managing, and monitoring privileged access to essential systems, networks, and data. It ensures that only authorized individuals have access to your sensitive resources, significantly reducing the risk of unauthorized access and potential data breaches.

    What is a Privileged User? 

    Privileged users refer to users who have been granted special permissions or elevated access rights within a system or network. These users typically include system administrators, IT staff, executives, third-party vendors or contractors, and automated processes or applications.

    In the context of vendor access, Privileged Access Management empowers these external users with the ability to securely access an organization’s resources while extending robust cybersecurity measures to all vendor interactions with the enterprise, going beyond traditional perimeter defenses.

    By implementing Vendor Access Management, the Principle of Least Privilege is enforced for vendor remote access. Additionally, this approach typically incorporates various Zero Trust controls for vendor access, such as continuous authentication, just-in-time access provisioning, and behavioral session monitoring and management.

    How Vendor Access Management Improves Industrial Network Cybersecurity

    Vendor Privileged Access Management plays a crucial role in enhancing industrial network cybersecurity by providing control and oversight over the privileged access granted to vendors or third-party entities. It helps mitigate the risks associated with providing vendor access to critical systems and infrastructure, ensuring the integrity, confidentiality, and availability of industrial networks. 

    Here’s how it can improve industrial network cybersecurity:

    Granular Access Control

    Vendor Privileged Access Management enables organizations to define and enforce granular access controls for vendors. It ensures that vendors have only the necessary access privileges required to perform their specific tasks and limits their access to sensitive systems or data. By minimizing unnecessary privileges, the attack surface is reduced, lowering the risk of unauthorized access or malicious activities.

    Secure Remote Access

    Industrial control systems often require vendors to access critical systems remotely for maintenance, troubleshooting, or support purposes. Vendor Privileged Access Management provides secure remote access mechanisms, especially when used in tandem with a Zero Trust Architecture, that authenticates and authorizes vendor connections. It ensures that all remote access sessions are encrypted, logged, and audited to prevent unauthorized access and so you can keep a finger on the pulse of any suspicious activities.

    Strong Authentication and Authorization

    Vendor Privileged Access Management enforces strong authentication methods, like multi-factor authentication. This requires vendors to provide multiple proofs of identity before being granted access. Additionally, it verifies vendor credentials and authorizations against predefined policies and access rules, preventing unauthorized vendors from accessing critical systems or resources without permission. 

    Monitoring and Auditing

    Continuous monitoring and auditing of vendor activities within industrial networks provide real-time visibility into vendor sessions. This allows organizations to track what actions vendors are taking, commands executed, and the changes they make. If any unusual or suspicious behavior is detected, you can take immediate action to mitigate any potential threats.

    At its core, Vendor Privileged Access Management strengthens industrial network cybersecurity by providing controlled, monitored, and audited access for vendors. It reduces the risk of unauthorized access, insider threats, and potential disruptions caused by vendors while ensuring the integrity and availability of critical systems and data.

    Vendor Privileged Access Management Best Practices for Industrial Systems

    Develop Comprehensive Vendor Access Policies

    It’s important to clearly outline the rules, responsibilities, and acceptable use of privileged access. These policies should define the scope of access, authentication requirements, session recording, and any other relevant guidelines.

    Apply the Principle of Least Privilege

    Use the Principle of Least Privilege to grant vendors only the minimum privileges necessary to perform their specific tasks. Avoid granting excessive access rights that could increase the attack surface and potential risks.

    Empower Your Vendors with Simple, Secure Remote Access

    Utilize modern secure remote access mechanisms instead of deprecated approaches like VPNs or TeamViewer. These connections should be encrypted, require strong authentication, and be monitored and continuously auditable.

    Enforce Multi-Factor Authentication

    Multi-Factor Authentication is one of your best tools for reducing cyber risks, and for vendors, it’s no different. We strongly recommend enforcing multi-factor authentication for vendor access to ensure strong authentication. You must avoid any new usernames or passwords as the risk of shared credentials being compromised is not a risk you should take. Agilicus’ Zero Trust platform enables your vendors to use their existing identity provider and means of logging in so you don’t have any credentials floating around that you aren’t aware of. Our solution also allows you to enforce multi-factor authentication, even on non–participating systems (you can learn more about that here).

    Continuous Monitoring and Auditing

    Implementing real-time monitoring and auditing capabilities allows you to track vendor activities as part of your Governance, Risk Management, and Compliance strategy. Taking advantage of this allows you to monitor sessions, commands executed, and changes made by vendors within the industrial network. This helps detect any suspicious behavior, anomalies, or security incidents promptly so you can respond immediately. 

    Strengthen Your Industrial Network Cybersecurity with Agilicus

    At Agilicus, we know how important it is to implement Vendor Privileged Access Management without disrupting vital business operations. That’s why we’ve streamlined vendor management to strengthen your cybersecurity without any downtime or network changes. Learn more about what we do and why our vendor access management solution is a no-brainer for your organization.

    Or check out this recent webinar our CEO, Don Bowman, recently ran for an in-depth look into how our platform solves vendor access for industrial networks. 

  • Agilicus Loves Let’s Encrypt™

    Agilicus Loves Let’s Encrypt™


    In 2018 Agilicus set out to build the best Zero Trust Network Architecture. We recognized immediately that a few building blocks were needed (Encryption, Identity) that we would partner on, rather than build. For Identity, we found we needed two types of Identity: User (e.g. Authentication), and Machine (e.g. Certificate). Since this would be cornerstone technology, it was critical to us to pick the best partners, the best technology: if I’m making the best product for my customer, it can only have the best ingredients.

    In the Agilicus AnyX Zero Trust Network Architecture, we rely on being able to create a new TLS certificate for each and every unique resource (endpoint). This means we need a first-class API, a reliable service with good performance and latency. We need the certificates created to be trusted by our customers’ machines (their browsers etc). And, we need first-class security and world-class transparency.

    Let's Encrypt Logo

    There was no contest for us in this selection area. Let’s Encrypt has a powerful, easy-to-use API (ACME). This is well integrated with our platform of choice (Kubernetes). Internet Security Research Group (which runs Let’s Encrypt) is an exceptionally transparent organization, down to the individual certificate level. For example, you can see each certificate we have been issued to this very web page at crt.sh.
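
    The transparency mentioned above is also something an operator should put to work: the same public logs that let anyone see the certificates issued for a domain let you notice a certificate you did not request. The following is an added example, not Agilicus code and not from the original post. It assumes records in the shape crt.sh’s JSON endpoint returns (a query such as https://crt.sh/?q=%25.example.com&output=json, with issuer_name, name_value, serial_number and not_before fields); that shape is taken from the public service, and the records embedded here are constructed sample data, not real issuance history. The example names, issuers and serials are invented.

```python
"""Audit Certificate Transparency records for a domain you own.

Added example, not Agilicus code. Flags certificates from CAs you don't use and
certificates covering names you never requested, working offline over a
constructed sample in crt.sh's JSON shape. Standard library only.
"""
import json
from typing import Dict, Iterable, List, Set

# The CAs you actually issue through; crt.sh reports issuer names as RFC 4514 DNs.
EXPECTED_ISSUERS = {"C=US, O=Let's Encrypt, CN=R3", "C=US, O=Let's Encrypt, CN=E1"}

# Every name you know you requested a certificate for.
EXPECTED_NAMES = {"example.com", "www.example.com", "app.example.com"}

# Constructed sample: a leaf, its pre-certificate twin (same serial), a certificate
# from a CA we never used, and a Let's Encrypt certificate for names nobody requested.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.example.com",
     "name_value": "example.com\nwww.example.com", "serial_number": "04AA11", "not_before": "2023-09-01T10:00:00"},
    {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.example.com",
     "name_value": "example.com\nwww.example.com", "serial_number": "04aa11", "not_before": "2023-09-01T10:00:00"},
    {"id": 1003, "issuer_name": "C=US, O=Some Other CA Inc, CN=Other CA G2", "common_name": "app.example.com",
     "name_value": "app.example.com", "serial_number": "0bee22", "not_before": "2023-09-03T08:30:00"},
    {"id": 1004, "issuer_name": "C=US, O=Let's Encrypt, CN=E1", "common_name": "vpn.example.com",
     "name_value": "vpn.example.com\n*.internal.example.com", "serial_number": "0ccc33", "not_before": "2023-09-04T01:15:00"},
])


def parse_crtsh(text: str) -> List[Dict]:
    """Parse crt.sh JSON. CT logs hold a pre-certificate and the final certificate as
    separate entries with the same serial, so collapse those to one record."""
    seen: Set[str] = set()
    records: List[Dict] = []
    for row in json.loads(text):
        serial = row["serial_number"].lower()
        if serial in seen:
            continue
        seen.add(serial)
        records.append({
            "id": row["id"],
            "issuer": row["issuer_name"],
            "serial": serial,
            # name_value is newline-separated: the CN plus every SAN
            "names": {n.strip().lower() for n in row["name_value"].split("\n") if n.strip()},
            "not_before": row["not_before"],
        })
    return records


def audit(records: Iterable[Dict], expected_issuers: Set[str], expected_names: Set[str]) -> List[Dict]:
    """Return one finding per record that violates either expectation."""
    findings = []
    for rec in records:
        reasons = []
        if rec["issuer"] not in expected_issuers:
            reasons.append("unexpected issuer")
        unexpected = sorted(rec["names"] - expected_names)
        if unexpected:
            reasons.append("unexpected names: " + ", ".join(unexpected))
        if reasons:
            findings.append({"id": rec["id"], "serial": rec["serial"], "reasons": reasons})
    return findings


def run_sample() -> List[Dict]:
    """Audit the constructed sample above."""
    return audit(parse_crtsh(SAMPLE_CRTSH_JSON), EXPECTED_ISSUERS, EXPECTED_NAMES)


if __name__ == "__main__":
    for f in run_sample():
        print(f"crt.sh id {f['id']} serial {f['serial']}: {'; '.join(f['reasons'])}")
```

    In practice you would fetch the JSON on a schedule and alert on new findings only; the list of expected names is the same inventory an ACME client already works from, so keeping the two in step costs nothing extra.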

    Let’s Encrypt has been a great enabler in the first 5 years of our company. Without this great technology, expertly and reliably run, Agilicus likely would not be here today. Running a certificate authority is hard, so I do not think we would have tackled that problem. Using the alternative certificate authorities available would have meant a lot of manual work, and likely settling for wildcard certificates due to cost and scale.

    It seems like a lifetime ago, 10 years in fact, that Let’s Encrypt set out to solve one of the last big Internet challenges (making Encryption accessible to all by making the Certificate Authority reliable, trustworthy, and free). It seems like a lifetime ago that I started Agilicus, 5 years in fact. I am happier than ever with our choice of technology service partner for this core part of our system.

    Internet Security Research Group is celebrating 10 years of building a better internet, and Agilicus is proud to help celebrate this milestone by sponsoring its tenth anniversary.

    To learn more, visit their website.

  • EPA Cybersecurity Recommendations: Unpacking the Impact on Public Water Systems

    EPA Cybersecurity Recommendations: Unpacking the Impact on Public Water Systems

    Overview

    Our water systems are more interconnected than ever, and this digital evolution has left them more vulnerable to cyber threats than ever. On March 3, 2023, the Environmental Protection Agency (EPA) issued a memorandum expanding state audits of Public Water Systems to include an evaluation of operational technology cybersecurity.

    Although this memorandum has since been withdrawn, the EPA continues to stress the importance of cybersecurity best practices for public water systems to ensure safe drinking water, offering support to states and systems while aligning with the Biden-Harris Administration’s focus on cybersecurity and critical infrastructure resilience.

    And most importantly, it still underpins the urgent need for water utilities to evaluate their current efforts and take steps to protect their critical infrastructure. 

    Aligning with the EPA’s recommendations is vital to safeguard your water utility and the community it serves. However, navigating through these guidelines might seem daunting. This is why we’ve distilled the essential EPA recommendations into a clear and comprehensible format for you. Key topics include account security, data security, and vulnerability management, among others.

    Keep reading on as we explore the EPA’s guidelines in detail, dissect their implications for your organization, and suggest practical solutions. If you have any questions or need clarity along the way, feel free to engage us via the chat option in the corner of your screen and someone from our team will respond promptly.

    Part 1: Account Security


    Multi-Factor Authentication

    What Does the EPA Say?

    Deploy multi-factor authentication as widely as possible for both Information Technology (IT) and Operational Technology (OT) networks. At a minimum, multi-factor authentication should be deployed for remote access to the OT network.

    Why Does This Matter?

    Multi-factor authentication significantly enhances security by adding an extra layer of protection to your systems. Even if someone acquires a user’s password, they still can’t gain access without the additional factor, such as a code sent to the user’s mobile device. In the context of remote access to your OT network, which controls your critical infrastructure, multi-factor authentication is vital to prevent unauthorized access and potential sabotage.

    Recommended Solution

    Your organization should adopt a solution that enables the enforcement of multi-factor authentication, not just for all your employees, but also for any third-party vendors. This should even extend to legacy technologies, such as VPNs, that typically do not support multi-factor authentication. Agilicus has helped countless customers deploy multi-factor authentication to secure their systems. In doing so, they protected their critical infrastructure by limiting unauthorized access, reducing the risk of a breach, and ensuring regulatory compliance.

    System Administrator Privileges

    What Does the EPA Say?

    Restrict System Administrator privileges to separate user accounts for administrative actions only and evaluate administrative privileges on a recurring basis to be sure they are still needed by the individuals who have these privileges.

    Why Does This Matter?

    System Administrator privileges grant substantial access and control over systems and data. By restricting these privileges, you reduce the risk of unintentional changes or malicious actions that could jeopardize your systems or data.

    Recommended Solution

    Your organization should implement procedures to restrict and regularly review administrator privileges, including removing shared login credentials. This should be combined with a process of regular evaluations to verify whether these privileges are still required by the individuals holding them. Incorporating granular permissions, such as view-only access, can further reduce potential risks. Agilicus achieves this by implementing role-based access controls to limit privileges and enhance security. Our customers maintain an extra layer of security by setting granular permissions, allowing certain users to have ‘view only’ access, and restricting others from making potentially harmful changes. This careful control over permissions has strengthened our clients’ security posture and reduced the potential for internal risks.

    Individual Usernames and Strong Passwords for IT and OT Networks

    What Does the EPA Say?

    Require a single user to have two different usernames and passwords; one set should be used to access the IT network, and the other set should be used to access the OT network.

    Why Does This Matter?

    This recommendation is crucial because individual user authentication and robust passwords significantly enhance security by making unauthorized access more challenging. By dissuading shared accounts and promoting strong passwords or multi-factor authentication, you can reduce the risk of compromised credentials and potential cascading effects throughout the systems.

    Recommended Solution

    Your public water system should consider implementing policies and systems that encourage individual user accounts and the use of strong passwords or preferably, dynamic codes used in multi-factor authentication. This will necessitate educating staff on the importance of unique authentication and promoting the use of robust passwords or multi-factor authentication for all users. With Agilicus, organizations are equipped with solutions designed to meet these challenges. Agilicus fosters individual user authentication (even for external vendors), does not have any passwords, and promotes the use of multi-factor authentication. This not only bolsters your cybersecurity posture but also simplifies user access, aligning security and convenience for all involved.

    Terminating Network Access

    What Does the EPA Say?

    Take all steps necessary to terminate access to accounts or networks upon a change in an individual’s status making access unnecessary.

    Why Does This Matter?

    Unnecessary access privileges can lead to security breaches, either through malicious actions or accidental misuse. It’s crucial to keep access controls up-to-date to prevent these scenarios.

    Recommended Solution

    Your organization should implement a process to review and revoke access when an individual no longer requires it. This could be due to role changes, terminations, or project completion. Agilicus centralizes and automates all of this. Our Zero Trust model constantly evaluates access needs, ensuring that only the necessary individuals have access at any given time. In addition, access can be set to automatically expire and if someone were to leave your organization, their access would be automatically revoked. This has helped our customers maintain a tight security posture and reduce the risk of insider threats.

    Part 2: Data Security


    Collecting Logs

    What Does the EPA Say?

    Collect and store logs and/or network traffic data to aid in detecting cyberattacks and investigating suspicious activity.

    Why Does This Matter?

    Collecting logs helps track user activities, identify anomalies, and detect potential attacks. These logs provide valuable insights in case of a security incident and can help determine what happened and how to prevent it in the future.

    Recommended Solution

    Your organization should set up systems to automatically collect and store logs and network traffic data. Make sure you have a secure and sufficient storage solution to retain this information. Agilicus supports comprehensive logging with granular auditing capabilities. This allows our customers to monitor who does what, when, and for how long. This capability has proven invaluable in detecting and mitigating threats, providing greater visibility into network activities.
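    As an added example (not Agilicus code, and not part of the EPA guidance), the following Python runs the account-security recommendations above as checks over a few constructed access-log lines: MFA on remote OT access, no shared accounts, and no access after a person’s status should have ended it. The log format, field names and the roster are assumptions made for the example.

```python
"""Policy checks run over constructed access-log lines.

Added example (not Agilicus code, not EPA text). It models the EPA
recommendations quoted on this page: MFA for remote access to the OT
network, individual (not shared) accounts, and revoking access when a
person's status changes. Log format, field names and the roster are
constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed log lines: ISO timestamp, user, network, origin, MFA flag, resource.
SAMPLE_LOG = """\
2023-06-01T08:02:11Z user=alice network=OT origin=remote mfa=yes resource=scada-hmi-1
2023-06-01T08:05:40Z user=bob network=OT origin=remote mfa=no resource=plc-pump-3
2023-06-01T08:07:02Z user=operator network=OT origin=local mfa=no resource=scada-hmi-1
2023-06-01T08:09:55Z user=carol network=IT origin=remote mfa=no resource=mail
2023-06-01T08:12:30Z user=dave network=OT origin=remote mfa=yes resource=plc-pump-3
"""

# Constructed roster. 'active_until' is when access should have been revoked.
ROSTER = {
    "alice": {"active_until": None},
    "bob": {"active_until": None},
    "carol": {"active_until": None},
    "dave": {"active_until": "2023-05-15T00:00:00Z"},  # contractor, project ended
}

# Generic account names that indicate a shared login rather than an individual.
SHARED_ACCOUNT_NAMES = {"operator", "admin", "scada", "root"}


@dataclass
class Event:
    ts: datetime
    user: str
    network: str
    origin: str
    mfa: bool
    resource: str


def _parse_ts(text):
    # fromisoformat() on older Pythons does not accept a trailing 'Z'.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_line(line):
    """Turn one 'ts key=value ...' log line into an Event."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(
        ts=_parse_ts(ts_text),
        user=kv["user"], network=kv["network"], origin=kv["origin"],
        mfa=kv["mfa"] == "yes", resource=kv["resource"],
    )


def check_event(ev, roster, shared_names):
    """Return a list of (rule, detail) findings for one event."""
    findings = []
    # EPA: MFA at minimum for remote access to the OT network.
    if ev.network == "OT" and ev.origin == "remote" and not ev.mfa:
        findings.append(("remote-ot-without-mfa", f"{ev.user} -> {ev.resource}"))
    # EPA: individual usernames, no shared credentials.
    if ev.user in shared_names:
        findings.append(("shared-account", f"{ev.user} -> {ev.resource}"))
    # EPA: terminate access on a change in the individual's status.
    entry = roster.get(ev.user)
    if entry is None:
        findings.append(("unknown-user", ev.user))
    elif entry["active_until"] is not None and ev.ts > _parse_ts(entry["active_until"]):
        findings.append(("access-after-deprovision", f"{ev.user} -> {ev.resource}"))
    return findings


def audit(log_text, roster=ROSTER, shared_names=SHARED_ACCOUNT_NAMES):
    """Run the checks over every log line; return findings in log order."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            findings.extend(check_event(parse_line(line), roster, shared_names))
    return findings


if __name__ == "__main__":
    for rule, detail in audit(SAMPLE_LOG):
        print(f"{rule}: {detail}")
```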

    Storing Security Logs

    What Does the EPA Say?

    Store security logs in a central system or database that can only be accessed by authorized and authenticated users.

    Why Does This Matter?

    Centralizing security logs in a restricted-access database ensures that crucial data is protected and easily accessible for review and analysis. This also safeguards sensitive log data from unauthorized access, which could potentially be used to hide malicious activities or to gain information about the network.

    Recommended Solution

    Your organization should establish a secure, central database for storing security logs. Access to this database should be controlled and monitored.

    Agilicus aids in centralizing and securing the storage of security logs, enforcing strong access controls, and streaming logs to the destination of your choice. This has simplified log management for our customers, ensuring data is both protected and readily available when needed.

    Encrypting Sent Data

    What Does the EPA Say?

    When sending information and data, use Transport Layer Security (TLS) or Secure Socket Layer (SSL) encryption standards.

    Why Does This Matter?

    Encrypting data in transit ensures that even if data is intercepted, it cannot be read without the encryption key. This prevents sensitive information from being compromised during transmission, a common point of vulnerability.

    Recommended Solution

    Your organization should enforce the use of TLS or SSL encryption for all data transmissions. This may require updates to network configurations and additional training for staff. Agilicus provides robust encryption for data in transit as a built-in feature of our platform. This protects our customers’ data during transmission, significantly reducing their risk of data breaches.

    Storing Sensitive Data

    What Does the EPA Say?

    Do not store sensitive data, including credentials (i.e. usernames and passwords) in plain text.

    Why Does This Matter?

    Storing sensitive data in plain text exposes it to unnecessary risk. If a system is compromised, attackers could easily access and exploit this data. Protecting sensitive information is fundamental to maintaining trust and compliance with regulations.

    Recommended Solution

    Your organization should implement systems to encrypt sensitive data at rest, including passwords and other credentials. Regular audits should verify compliance with this practice. Agilicus does not store any credentials. Instead, we leverage security tokens passed to our platform by existing identity providers. This level of protection increases data security and regulatory compliance.
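    An added example, not Agilicus code: the plaintext credential store the recommendation forbids, beside a hashed store built with PBKDF2-HMAC-SHA256 from Python’s standard library, and the audit that flags any record still held in plain text. Usernames, passwords and the record format are constructed for the example.

```python
"""Credential storage: plaintext 'before' beside a hashed 'after'.

Added example, not Agilicus code. It illustrates the EPA recommendation
quoted above (no credentials in plain text) for a system that must keep
local accounts, plus a small audit that flags records still stored in
plain text. Usernames, passwords and the record layout are constructed.
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000          # PBKDF2-HMAC-SHA256 work factor; raise it over time
SCHEME = "pbkdf2_sha256"

# BEFORE: what the recommendation forbids. Anyone who can read this
# (a backup, a misconfigured share, a compromised host) has every password.
plaintext_store = {"alice": "Summer2023!", "bob": "plc-pump-3"}


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: scheme$iterations$salt$digest."""
    salt = os.urandom(16)     # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    ])


def is_hashed(record):
    """True only for records in the scheme$iterations$salt$digest layout."""
    parts = record.split("$")
    return len(parts) == 4 and parts[0] == SCHEME and parts[1].isdigit()


def verify_password(password, record):
    """Recompute the digest with the stored salt; compare in constant time."""
    if not is_hashed(record):
        return False          # a plaintext record is never treated as a match
    _, iters, salt_b64, digest_b64 = record.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(actual, expected)


def migrate(store):
    """AFTER: replace every plaintext value with a hashed record."""
    return {user: hash_password(pw) for user, pw in store.items()}


def audit_store(store):
    """Return the users whose record is not hashed, i.e. still plain text."""
    return sorted(user for user, rec in store.items() if not is_hashed(rec))


if __name__ == "__main__":
    print("plaintext records before migration:", audit_store(plaintext_store))
    hashed_store = migrate(plaintext_store)
    print("plaintext records after migration:", audit_store(hashed_store))
    print("alice logs in:", verify_password("Summer2023!", hashed_store["alice"]))
```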

    Part 3: Vulnerability Management


    Exposed Ports and Services

    What Does the EPA Say?

    Eliminate unnecessary exposed ports and services on public-facing assets and regularly review.

    Why Does This Matter?

    Exposed ports and services increase the potential attack surface for threat actors. By minimizing these exposures, you decrease the opportunities for attackers to exploit vulnerabilities and gain unauthorized access.

    Recommended Solution

    Your organization should conduct regular reviews to identify and close unnecessary ports and disable unused services. Agilicus’ Zero Trust approach inherently minimizes exposure by eliminating the use of inbound ports. This proactive security strategy helps our customers maintain a robust defensive posture against potential threats and keep their facilities off the public internet.

    Connections to the Public Internet

    What Does the EPA Say?

    Eliminate OT asset connections to the public internet unless explicitly required for operations.

    Why Does This Matter?

    Connections to the public internet can expose OT assets, which control critical infrastructure, to potential threats. Eliminating these connections helps safeguard your operations from potential cyberattacks.

    Recommended Solution

    Your organization should carefully evaluate and minimize OT asset connections to the public internet, making exceptions only when operationally necessary. Agilicus secures OT environments, mitigating unnecessary exposure to public internet threats. This protection has greatly reduced risk and ensured stable, secure operations.

    Part 4: OT/IT Connections


    Connections Between OT and IT Networks

    What Does the EPA Say?

    Require connections between the OT and IT networks to pass through an intermediary, such as a firewall, bastion host, jump box, or demilitarized zone, which is monitored and logged.

    Why Does This Matter?

    An intermediary ensures any connection between OT and IT networks is carefully controlled and monitored. This reduces the risk of threats spreading from one network to another.

    Recommended Solution

    You should avoid connections into the OT network wherever possible. Where they are needed, route every connection between the OT and IT networks through a secure intermediary, and ensure these connections are closely monitored and logged. Agilicus supports such secure connections and monitoring. By closing all inbound ports and relying only on outbound-only connections, Agilicus securely bridges OT and IT networks. Our customers maintain strong network security while enabling necessary cross-network communication.

    Act Now with Agilicus!

    In light of these EPA cybersecurity recommendations, it’s important to act decisively and ensure your public water system is protected. We know this can seem daunting, but with Agilicus, your operations can not only align with these guidelines but can also provide enhanced user experiences for both your staff and third-party vendors.

    Agilicus’ robust Zero Trust Architecture offers you a secure, user-friendly alternative to traditional VPNs and perimeter-based access tools. Our platform empowers your organization to step up to the challenges of today’s cybersecurity landscape with confidence and efficiency.

    Are you ready to fortify your operations and serve your community with confidence? Let our skilled and knowledgeable team help you on this journey. Discover how Agilicus can align your systems with the EPA’s cybersecurity recommendations, safeguarding your public water system and the community that relies on it.

    Don’t wait until it’s too late. Get in touch with us today!

  • Ready to Strengthen Canada’s Cybersecurity Ecosystem: Agilicus Qualifies to Sell Directly to the Government of Canada


    Agilicus has successfully qualified to sell its innovative Zero Trust solution, Agilicus AnyX, directly to the Government of Canada. This will help us bolster Canada’s cybersecurity ecosystem and help agencies defend against cyber attacks. 

    TL;DR

    • Organizations can no longer depend on conventional perimeter-based defense to protect their critical systems.
    • Through the Pathway to Commercialization program, Agilicus is now eligible for direct purchases from any government department up to $8 million per contract and without further competition for three years.
    • The future is bright for cybersecurity innovation in Canada 

    IT networks have grown in size and complexity to meet organizations’ needs with newly evolved technologies, such as hybrid cloud infrastructures. 

    Unfortunately, cyber threats have kept pace with these changes and often take advantage of the security gaps following these hasty transformations. As users, information, and services are dispersed across various locations, there are no longer defined perimeters around organizations’ resources. 

    Organizations can no longer depend on conventional perimeter-based defense to protect their critical systems.

    Zero Trust: The Standard for Strong Cybersecurity

    Clearly, a Zero Trust approach is more important now than ever before. This was solidified with the release of ITSM.10.008 in March 2023, a publication that provides a description of Zero Trust Network Architecture security concepts and how organizations can benefit from implementing this framework to safeguard their assets.

    That’s why I’m excited to share that Agilicus has successfully qualified to sell its innovative Zero Trust solution directly to the Government of Canada.

    Through the Pathway to Commercialization program, Agilicus is now eligible for direct purchases from any government department up to $8 million per contract and without further competition for three years.

    Obviously, as one of only a handful of teams that started this process, I am immensely proud of our team and the federal government’s recognition of our innovative approach to Zero Trust Network Access. 

    We’re on a mission to protect Canada’s critical infrastructure from cyber threats. We empower teams with precise controls and easy-to-implement security features to manage any resource, user, or device, simply and effectively. And your internal and external employees will get seamless access to the resources they need using a unified single sign-on experience.

    Because in the end, organizations shouldn’t be forced to choose between enabling their people, securing critical systems, or reducing the cost of cyber security. With Agilicus, adopting modern, cloud-native security quickly and effectively isn’t just a reality – it’s the standard. 

    So it’s really exciting to see the Government of Canada go all-in on supporting innovation for Canada’s cybersecurity industry. 

    Agilicus is all-in too. And we can’t wait to get started. 

    Protect Your Critical Infrastructure with Agilicus

    Curious to learn more? Check out this case study about how we helped a Canadian town protect critical municipal infrastructure and secure operational technology.  

  • Understanding the CISA Zero Trust Maturity Model: A Framework to Improve Your Security Posture


    In this article, we’ll provide a high-level overview of the CISA Zero Trust Maturity Model, the recent changes made in version 2.0, and how it can benefit your organization. 

    TL;DR

    • The CISA Maturity Model is a voluntary framework you can use as a roadmap for evaluating and improving your security posture.
    • There are five levels of cybersecurity ‘maturity’ outlined by CISA: Partial, Risk-Informed, Repeatable, Adaptive, and Risk-Optimized. Knowing what ‘level’ your organization falls into is valuable insight.
    • By implementing this framework, you can identify weaknesses and assess your cybersecurity capabilities using a standardized framework.
    • Version 2.0, released in April 2023, now covers a broader range of cybersecurity domains, including identity and access management, supply chain risk management, and vulnerability management.
    • Agilicus can help you align with this framework while empowering your workforce with simple, secure access for all your users through Zero Trust.

    As an IT leader, there’s a lot of responsibility on your shoulders to protect your critical systems against cyber attacks. 

    You need to protect sensitive data, meet specific cyber insurance requirements, and reduce risk. 

    No pressure. 

    Thankfully, there are already several different frameworks available to use as a roadmap for evaluating and improving your security posture. 

    In this blog post, we will delve into the CISA Maturity Model in particular, how it can benefit your organization, and how it compares to its predecessor.

    What is the CISA Maturity Model?

    The CISA Maturity Model is the federal government’s answer to the increasing number of cyber threats and risks. It is a voluntary guideline developed by the Cybersecurity and Infrastructure Security Agency (CISA) to help organizations evaluate and improve their cybersecurity posture. 

    In it, CISA outlines five different levels of ‘maturity’: 

    • Level 1 – Partial: At this level, the organization has limited awareness of its cybersecurity risks and has not implemented any formal cybersecurity practices.
    • Level 2 – Risk-Informed: At this level, the organization has started to identify its cybersecurity risks and has established some basic cybersecurity practices.
    • Level 3 – Repeatable: At this level, the organization has established a formal cybersecurity program and has implemented a set of standard cybersecurity practices that are consistently applied across the organization.
    • Level 4 – Adaptive: At this level, the organization has established a dynamic and flexible cybersecurity program that can respond to changes in the threat landscape and business environment.
    • Level 5 – Risk-Optimized: At this level, the organization has fully integrated cybersecurity into its overall risk management strategy and is continuously monitoring and improving its cybersecurity posture.

    Why Should You Use It? 

    There are many advantages of the CISA Maturity Model: 

    • By using this model, your organization can identify and address weaknesses in your cybersecurity program. This can lead to a more robust security posture that can better protect against cyber threats.
    • It also provides a standardized framework for assessing your cybersecurity capabilities. This can help organizations benchmark their cybersecurity program against industry standards and identify areas for improvement.
    • The maturity model is a voluntary guideline, which means you can choose to adopt only the components that are relevant to your needs. This can make it an effective and flexible solution. 
    • Finally, it aligns well with other cybersecurity frameworks and regulations, such as the NIST Cybersecurity Framework, the EU General Data Protection Regulation (GDPR), and ISO 27001. By implementing the CISA Maturity Model, organizations can better meet regulatory requirements.

    What Changes Were Made in Version 2.0?

    CISA Maturity Model Version 2.0 builds on the previous CISA Cybersecurity Framework, which was initially released in 2021. The new version includes several updates and improvements, including: 

    • Notably, it now covers a broader range of cybersecurity domains, including identity and access management, supply chain risk management, and vulnerability management.
    • Version 2.0 provides more detailed guidance on how to implement the framework, including how to measure cybersecurity maturity and develop a roadmap for improvement.
    • It provides more flexibility for organizations to tailor the framework to their specific business needs.
    • The CISA Maturity Model 2.0 places a greater emphasis on risk management, including identifying and mitigating cyber risks and developing a risk management strategy.

    Conclusion

    By understanding the CISA Maturity Model and how it can help your organization, you can decide if it’s the right framework for your team to align with.

    But unfortunately, implementing a Zero Trust Architecture to align with this framework is often far from easy.

    With this in mind, here’s a case study you might find interesting about an organization that quickly enabled secure access to resources through Zero Trust.

  • The Zero Trust Roadmap: Understanding NIST 800-207 and How to Align With It



    In this article, I’ll help you understand NIST 800-207, Zero Trust, and how to meet the standards mandated by the US federal government’s recent cybersecurity mandate.

    TL;DR

    • The VPN and other similar perimeter-based network solutions are ineffective at protecting your organization against unauthorized lateral resource access. With those solutions, once someone is in your network, they have virtually free rein to your entire network. 
    • In contrast, a Zero Trust Architecture segments your information and resources into smaller ‘buckets’. This significantly reduces how much damage an attacker can do to your organization. 
    • NIST SP 800-207 was published in 2020, and it gave us a standardized definition of Zero Trust. The document also laid out different approaches and common use cases. 
    • While analyzing every aspect of NIST 800-207 is beyond the scope of this article, we have provided an overview of the different approaches to give you a high-level summary. 
    • Agilicus makes it simple to align with NIST 800-207 guidelines while also dramatically increasing security across your entire network.

    Today, your critical systems are more vulnerable than ever to cybersecurity threats. 

    We’ve all heard this before. News of organizations falling victim to ransomware attacks is all too common. But what you might not know is why we continue to see organizations fall victim to ransomware and other similar attacks. 

    In a 2021 CISA report, the top three initial infection vectors for breaches were phishing, credential theft, and vulnerabilities. 

    The common thread? All of them share the same root cause: unauthorized resource access.

    What is Authorization?

    The process of verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system (NIST).

    The Problem with ‘Castle and Moat’

    Protecting your organization against this problem isn’t always so simple, however. For a long time, legacy network solutions like the VPN used a traditional castle and moat architecture of protecting your perimeter and stopping the bad guys from entering your sacred space. The thinking was that if you can control who comes in, you can trust everyone within your network. Bad people out there. Good ones in here. 

    And that served us well for many years. But the modern network doesn’t have clear boundaries. The castle and moat approach fails when what you need to protect is outside your castle. 

    What is Zero Trust? 

    This is where a Zero Trust Network Architecture (ZTNA) shines. Whereas a traditional perimeter typically takes a “Trust, but Verify” approach, Zero Trust asserts that nothing should be implicitly trusted – not your identities, devices or even your network components.

    What is Identity?

    The process of verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system (NIST).

    Because information and resources are segmented into smaller ‘buckets’, users are given access to the least amount of data they need to do their job. This approach severely limits the amount of damage that an intruder can do because the pool of data that they can see and access is much smaller. 

    This ultimately prevents attackers from gaining access to systems and users that will help them advance deeper into the network (a technique commonly known as lateral movement).

    Despite the stronger security that comes with Zero Trust, the concept is still a relatively new one. It was only when organizations began making the rapid shift to remote-first or hybrid workforces in 2020 as a result of the COVID-19 pandemic that organizations began to take Zero Trust seriously. 

    NIST’s Response

    In response to this evolving cybersecurity landscape, the National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-207, Zero Trust Architecture in 2020. 

    Even today, it stands as the gold standard for understanding the requirements, challenges, and nuances of implementing Zero Trust. 

    Although other federal bodies like NSA and CISA have published their own guidance and recommendations, we will focus specifically on NIST 800-207 in this post. We will give you an overview of the document and the different ways of implementing ZTNA so you can meet the guidelines and improve your organization’s security posture. 

    What is Included in NIST 800-207?

    In a world where remote work prevails and traditional network defenses are increasingly ineffective, NIST SP 800-207 provides enterprises with systematic guidelines for updating their network cybersecurity.

    The document itself (which you can read here) lays out a clear, albeit abstract, definition of Zero Trust, which has been key to standardizing the concept. That being said, this definition has been left purposely vague to let organizations decide how best to implement it within their own environment.

    NIST clearly understood that this could also spark some confusion, so the special publication also lays out common components of a Zero Trust Architecture, as well as the ways it could interact with existing federal guidance (more on that below). 

    Perhaps more importantly, NIST 800-207 gives you general deployment scenarios and different use cases where Zero Trust applies, so you can see how it can improve your overall information technology security posture.

    How does NIST 800-207 define Zero Trust?

    What is Zero Trust?

    Zero Trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. Zero Trust Architecture is an enterprise’s cyber security plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan (NIST).

    Why It Matters

    I’ve talked a lot about the increased security that Zero Trust brings to organizations like yours, especially with increasingly distributed users, resources, and systems. 

    The federal government has also noticed the value of NIST 800-207 and the benefits of Zero Trust. So much so that on January 26th, 2022, the US government issued a memorandum that formally established a federal strategy for implementing Zero Trust across the country. 

    It requires that government agencies move to Zero Trust by the end of Fiscal Year (FY) 2024. 

    With recurring references to NIST 800-207, this mandate sent a clear message: Zero Trust is the future of cybersecurity for critical infrastructure. 

    With this order in place, similar protective regulations will likely also be mandated at the state and local levels of government in the coming weeks and months. We have already seen some of these mandates from some agencies (like the Federal Aviation Administration) following high profile incidents. 

    With a tight 2024 deadline, it’s vital for government agencies and public bodies to meet the standards set out in NIST 800-207 as soon as possible. 

    How to Align Your Organization with NIST 800-207

    As I mentioned, there are many different ways you can set up a Zero Trust Architecture to satisfy the guidelines set out in NIST 800-207. 

    Here are a few different approaches you can take.

    The Different Approaches

    Zero Trust Architecture Using Enhanced Identity Governance

    In this approach, policies for enterprise resource access are created based on the identity of users and assigned attributes. Access to resources is primarily based on the access privileges granted to the user. Other factors like the device used, asset status, and environmental factors may be considered to alter the confidence-level calculation, which ultimately decides access authorization. Agilicus, for example, uses your existing native identity provider (e.g. Azure, Google) to authenticate, avoiding the need for new usernames, passwords, or Active Directory licenses.

    This approach is typically employed in open network models or enterprise networks with frequent non-enterprise devices on the network (like vendors, for example). 

    Because access to resources is restricted to identities with the appropriate privileges, this approach is typically more secure than the others mentioned below. Let’s use Agilicus as an example – our platform authenticates and authorizes you before a connection is established (you can learn more about that here if you’re curious). 

    Zero Trust Architecture Using Micro-Segmentation

    In this approach, individuals or groups of resources are placed on a unique network segment protected by a gateway security component. The enterprise can use infrastructure devices such as intelligent switches, routers, next-generation firewalls, or special-purpose gateway devices to act as Policy Enforcement Points (PEPs) that protect each resource or a small group of related resources. Alternatively, the organization can choose to implement host-based micro-segmentation using software agents or firewalls on the endpoint asset(s).

    The gateway devices dynamically grant access to individual requests from a client, asset, or service. Depending on the model, the gateway may be the sole PEP component or part of a multipart PEP consisting of the gateway and client-side agent. This approach can be applied to a variety of use cases and deployment models, as the protecting device acts as the PEP, with the management of said devices acting as the Policy Engine/Policy Administration (PE/PA) component.

    This approach requires an Identity Governance Program (IGP) to function fully, but it relies on the gateway components to act as the PEP that shields resources from unauthorized access and discovery. The key requirement is that the PEP components are centrally managed and can react and reconfigure as needed in response to threats or changes in the workflow.

    It is possible to implement some features of a micro-segmented enterprise using less advanced gateway devices, or even stateless firewalls, but the administration cost and the difficulty of adapting quickly to changes make this a poor choice.
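    The host-based variant mentioned above, where a firewall on the endpoint itself is the PEP, can be driven from a small segment policy that the PA pushes out and the host renders into firewall rules. The following is an added example written for this page, not Agilicus or NIST code: a generator that turns a constructed segment policy into an nftables ruleset (default deny, one allow-list per protected resource, dropped packets logged) together with a mirror of the decision the ruleset makes, so the policy can be checked before it is loaded with `nft -f`. The resource names, ports and addresses are constructed for illustration.

    ```python
    """Host-based micro-segmentation: render a per-resource allow-list policy
    into an nftables ruleset, and mirror its decision for offline checks.

    Added example, not Agilicus code. The policy, hosts and addresses below are
    constructed for illustration and are not from any real deployment.
    """
    from ipaddress import ip_address, ip_network

    # Constructed policy: each protected resource on this host lists who may reach
    # it. Anything not listed is dropped (default deny) and logged, so the PEP
    # produces evidence the policy administrator can act on.
    SEGMENT_POLICY = {
        "modbus":        {"proto": "tcp", "ports": [502],
                          "allowed": ["10.10.20.5", "10.10.20.6"]},
        "ssh-maint":     {"proto": "tcp", "ports": [22],
                          "allowed": ["10.10.30.0/28"]},
        "legacy-telnet": {"proto": "tcp", "ports": [23], "allowed": []},
    }


    def _element(src: str) -> str:
        """Validate and normalise one address or CIDR for an nftables set."""
        if "/" in src:
            return str(ip_network(src, strict=True))
        return str(ip_address(src))


    def render_nft(policy: dict, table: str = "pep_segment") -> str:
        """Return an `nft -f`-loadable ruleset enforcing `policy` on this host."""
        lines = [f"table inet {table} {{"]
        rules = []
        for name, seg in policy.items():
            if seg["proto"] not in ("tcp", "udp"):
                raise ValueError(f"unsupported protocol for {name}: {seg['proto']}")
            if not seg["allowed"]:
                # No authorised peers: the chain's drop policy already covers it,
                # and an empty element list is not valid nftables anyway.
                continue
            setname = "allow_" + name.replace("-", "_")
            elems = ", ".join(_element(s) for s in seg["allowed"])
            lines += [f"  set {setname} {{",
                      "    type ipv4_addr",
                      "    flags interval",          # needed for CIDR members
                      f"    elements = {{ {elems} }}",
                      "  }"]
            ports = ", ".join(str(p) for p in seg["ports"])
            rules.append(f"    ip saddr @{setname} {seg['proto']} dport {{ {ports} }} "
                         f"counter accept comment \"{name}\"")
        lines += ["  chain input {",
                  "    type filter hook input priority 0; policy drop;",
                  "    ct state established,related accept",
                  "    iifname \"lo\" accept"]
        lines += rules
        lines += ["    log prefix \"pep-drop \" counter drop", "  }", "}"]
        return "\n".join(lines) + "\n"


    def pep_decision(policy: dict, src: str, port: int, proto: str = "tcp") -> bool:
        """Mirror of the ruleset's verdict for one new inbound connection."""
        addr = ip_address(src)
        for seg in policy.values():
            if seg["proto"] != proto or port not in seg["ports"]:
                continue
            for allowed in seg["allowed"]:
                if "/" in allowed and addr in ip_network(allowed, strict=True):
                    return True
                if "/" not in allowed and addr == ip_address(allowed):
                    return True
        return False


    if __name__ == "__main__":
        print(render_nft(SEGMENT_POLICY))
    ```

    Regenerating and reloading the ruleset from the central policy is what makes the host a managed PEP in the sense used above: revoking a peer or quarantining a resource is a policy change, not a hand-edit on each machine.
    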

    Zero Trust Architecture Using Network Infrastructure and Software-Defined Perimeters

    This approach uses the network infrastructure itself. This can be done through an overlay network, which operates at the application layer (layer 7) or lower layers of the Open Systems Interconnection (OSI) network stack. 

    These approaches are sometimes referred to as software defined perimeter (SDP) approaches and may include concepts from software defined networks (SDN) and intent-based networking (IBN). In this approach, the policy administrator (PA) acts as the network controller, setting up and reconfiguring the network based on decisions made by the policy engine (PE). 

    Clients still request access via policy enforcement points (PEPs), which are managed by the PA. The most common deployment model for this approach is the agent/gateway, where the agent and resource gateway establish a secure channel for communication between the client and resource. Other variations of this model may exist, including for cloud virtual networks or non-IP-based networks.

    Agilicus Can Help! 

    While this post only begins to scratch the surface of NIST 800-207 and Zero Trust, you should now be equipped with a high-level understanding so you can decide how best to implement a Zero Trust Architecture for your organization. 

    And although Zero Trust has many clear benefits, it can be challenging to make such an enormous shift. At Agilicus, we believe the fastest path to adoption is to make it simpler. That’s why our Zero Trust platform removes the need for a VPN, leverages your existing identity providers for secure authentication, and gives you fine-grained authorization tools to precisely manage access.

    It’s the easiest way to align with NIST 800-207 while also greatly elevating your organization’s security posture. 

    Curious to learn more? Check out this case study to see how we helped a municipality modernize its critical infrastructure to better enable simple, secure connectivity with precise control over privileges. 

  • Best Practices In Vendor Privileged Access Management

    Best Practices In Vendor Privileged Access Management

    Vendor privileged access management is the process of managing and securing the privileged access of third-party vendors who have access to an organisation’s critical systems, data, and networks. Here are some best practices for vendor privileged access management:

    1. Implement Access Controls: It is important to have proper access controls in place to limit vendor access to only the systems and data they need to perform their tasks. This can include implementing role-based access controls (RBAC) and limiting access to specific times and locations.
    2. Use Strong Authentication: Vendors should be required to use strong authentication methods, such as two-factor authentication (2FA) or multi-factor authentication (MFA), when accessing the organisation’s systems and networks. Do not introduce a new, parallel identity (e.g. a mirrored account); instead federate to the vendor’s existing employer identity provider.
    3. Do Not Allow Shared Accounts: Never issue one account per vendor company. Every vendor user must authenticate as an individual, so that each action is attributable to a person and access can be revoked for that person alone.
    4. Monitor and Audit Activity: Regular monitoring and auditing of vendor activity can help detect any unauthorized access or suspicious behavior. This can include logging and reviewing all vendor activity and implementing real-time alerts for any unusual activity. Audits should be fine-grained, per resource, per transaction, rather than general “accessed something in these hours”.
    5. Use Secure Remote Access Methods: When providing remote access to vendors, it is important to use secure remote access methods, on a per-resource basis. Use a Zero-Trust Network architecture rather than a ‘secure’ remote desktop or VPN.
    6. Train Vendors on Security Best Practices: Vendors should be required to undergo security awareness training and be educated on the organisation’s security policies and procedures. This can help ensure that vendors understand their roles and responsibilities and are equipped to handle sensitive data and systems securely.
    7. Regularly Review and Update Access: Regularly reviewing and updating vendor access privileges can help ensure that access is still necessary and appropriate. This can include revoking access when vendors are no longer needed or when their contracts expire.
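    Items 2 through 5 and 7 above combine into one mechanism: a vendor user, identified by their own employer's identity provider, receives a grant for one resource, for a named set of actions, that expires on its own, and every transaction through it is recorded individually. The following is an added example written for this page, not Agilicus code: a minimal HMAC-signed grant, the per-resource enforcement check, and the per-transaction audit record. The signing key, vendor identities, resource names and commands are constructed for illustration, and the generic-account list is a hypothetical heuristic for refusing shared accounts.

    ```python
    """Per-person, per-resource, time-boxed vendor access with a per-transaction
    audit trail.

    Added example, not Agilicus code: the signing key, vendor identities,
    resource names and commands below are constructed for illustration.
    """
    from __future__ import annotations
    import base64
    import hashlib
    import hmac
    import json
    import time

    # Constructed demo key. In practice: a per-environment secret from a vault, or
    # an asymmetric key so the PEP can verify grants without being able to mint them.
    KEY = b"constructed-demo-key-do-not-use"
    # Hypothetical heuristic: local parts that signal a shared/company account.
    GENERIC_ACCOUNTS = {"admin", "support", "vendor", "shared", "service", "operator"}

    AUDIT: list[dict] = []   # one record per transaction; a forwarder would ship these to the SIEM


    def _b64(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


    def _unb64(text: str) -> bytes:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


    def is_individual_identity(subject: str) -> bool:
        """A grant names one person from their employer's IdP, never a company account."""
        local, _, domain = subject.partition("@")
        return bool(domain) and local.lower() not in GENERIC_ACCOUNTS


    def issue_grant(subject: str, issuer: str, resource: str, actions, ttl_s: int,
                    now: float | None = None) -> str:
        """Mint a grant: one person, one resource, explicit actions, bounded lifetime."""
        if not is_individual_identity(subject):
            raise ValueError("grants are per person; shared or generic accounts are refused")
        now = time.time() if now is None else now
        body = {"sub": subject, "iss": issuer, "aud": resource,
                "actions": sorted(actions), "iat": int(now), "exp": int(now + ttl_s)}
        payload = _b64(json.dumps(body, separators=(",", ":")).encode())
        sig = _b64(hmac.new(KEY, payload.encode(), hashlib.sha256).digest())
        return payload + "." + sig


    def enforce(grant: str, resource: str, action: str, detail: str,
                now: float | None = None) -> bool:
        """PEP check for one transaction; every call leaves an audit record."""
        now = time.time() if now is None else now
        rec = {"ts": int(now), "resource": resource, "action": action, "detail": detail}
        try:
            payload, sig = grant.split(".")          # wrong shape -> ValueError
            expect = hmac.new(KEY, payload.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expect, _unb64(sig)):
                raise PermissionError("bad signature")
            body = json.loads(_unb64(payload))       # only trusted after the signature check
            rec["sub"] = body["sub"]
            if body["aud"] != resource:
                raise PermissionError("grant is for a different resource")
            if now >= body["exp"]:
                raise PermissionError("grant expired")
            if action not in body["actions"]:
                raise PermissionError("action not in grant")
            rec["decision"] = "allow"
            return True
        except (ValueError, KeyError, PermissionError) as err:
            rec["decision"] = "deny"
            rec["reason"] = str(err) or type(err).__name__
            return False
        finally:
            AUDIT.append(rec)


    if __name__ == "__main__":
        t0 = time.time()
        g = issue_grant("alice@acme-integrators.example", "https://idp.acme-integrators.example",
                        "plc-7/hmi", ["read", "write"], ttl_s=3600, now=t0)
        enforce(g, "plc-7/hmi", "write", "setpoint=42", now=t0 + 60)
        enforce(g, "plc-8/hmi", "read", "", now=t0 + 60)
        for rec in AUDIT:
            print(json.dumps(rec))
    ```

    Each audit record names the person, the resource, the action and the outcome, which is the "per resource, per transaction" granularity item 4 asks for; and because the grant carries its own expiry, the review in item 7 becomes a decision to re-issue rather than a hunt for accounts that should have been disabled.
    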

    By implementing these best practices, organisations can better manage and secure vendor privileged access, reducing the risk of unauthorized access, data breaches, and other security incidents.

    Would you like to learn more about implementing multi-factor authentication across vendors, or about using single-sign-on federated identity across your third-party workforce? Email us at info@agilicus.com and we’ll get back to you.