Water Treatment Facility
Protecting Critical Municipal Infrastructure and Securing Operational Technology
A Canadian town has turned to Agilicus to ensure that its critical infrastructure resources can be securely accessed by technicians, employees, and third-party partners, whether on-premise or remote.
Read the case study and learn how Agilicus helps protect operational technology against cyber threats through user, resource segmentation while delivering a seamless end-user experience.
Read MORE
Water Treatment Facility
Protecting Critical Municipal Infrastructure and Securing Operational Technology
Summary
Our customer is a rural municipality based in Ontario. The local government is dedicated to creating a safe, sustainable municipality where the economy, environment, community, and heritage can flourish. One of the key responsibilities of the local government is to manage critical infrastructure for the citizens. This includes managing, operating, and securing the SCADA systems for their water treatment facilities. The municipal IT organisation works with the water treatment facility teams, providing support for these key services and their operation.
Enhancing Cybersecurity at Water Treatment Facilities and Enabling Secure Access
One of the biggest challenges our customer faced was that the physical water treatment facility is in a remote location and not easily accessible by staff and partner organisations. The SCADA system contained in this facility needs to be accessed by multiple user groups including a partner municipality that shares the facility and systems.
To reduce the complexity of reaching the physical facility and to meet data storage requirements, the customer placed a remotely accessible machine on site. This device transmits data to the townhall and is used to access, control, and monitor the facility by all parties concerned, whether remote or on-premise. However, due to the nature of SCADA systems, the machine must always be connected, and it can never go offline. The requirement for continuous connectivity means the device can never power off or receive patches and system updates, further complicating security for the device and the networks it connects to.
What made the problem especially complex for our customer was enabling secure access for their partner municipality and users outside of their native active directory without impeding security or user experience. The traditional solution of adding client software (VPNs) and dictating new workflows, practises, and protocols for non-employees meant greater operational overhead and longer roll-out times. Additionally, the inability to implement traditional security mechanisms for such a critical system was creating immense cyber risk, especially as so many different user groups needed to be able to access the system.
Secure Access to Critical Systems and Operational Technology through the Agilicus AnyX Platform
With Agilicus, our customer was able to deliver third-party access, maintain continuous connectivity to enable data transfer to and from townhall, and enable secure remote access to their broad user groups and third-party partners.
Starting with a review of the overall system and the user groups who need access to the water treatment facility the team at Agilicus developed a path to implementation that could run in parallel to current systems to avoid the risk of service disruption. This included:
Simple Single Sign-On
Integrating the municipality’s native active directory and that of their partner organisations to institute single sign-on.
Secure Web Interfaces
Introduction of the Agilicus AnyX Identity Aware Web Application Firewall to secure access to the SCADA system web application interface.
Virtual Air-Gap: Isolate risky machines
Blocking all inbound and outbound traffic to the host machine that is not authorised through the Agilicus AnyX Connector.
Least-Privilege Role-Based Access Control
Enacting strict, least privilege and role-based access controls to authorize user access to the SCADA system.
Multi-Factor Authentication
Enforcing multi-factor authentication policies to gain access to the remote system through the web application or RDP.
Granular Audit Trail
A granular audit trail of how a user or technician accessed the SCADA system, when they accessed it, and what they did while they accessed it.
Through the Agilicus AnyX platform, any authorised user could securely access the SCADA system from a remote desktop or through the web application without sacrificing security or impinging on the end-user experience. This streamlined maintenance and operation processes across the partner organisations and enabled secure access for all personnel who required access to the water treatment facility. Finally, because traffic would be routed through the Agilicus platform for authorisation, our customer also benefited from DDOS protection and improved cyber resilience.
User, Resource Segmentation and Secure
Access with Agilicus
The network diagram is a visualization of how the access workflow changes when operational technology resources are secured through Agilicus.
Business Impact
Streamlined User Onboarding
11 internal users and 14 third parties including contractors and technicians from their partner municipality.
Deployed in a Single Afternoon
The Agilicus AnyX platform was implemented in a single afternoon.
Parallel Implementation
Agilicus AnyX ran in parallel to existing infrastructure, allowing the municipality to migrate at their own pace.
Seamlessly Adopted
Adopting Zero Trust Network Access didn’t require clients, network changes, appliances, or new licenses.
Friction-Free User Experience
With Agilicus, IT security became invisible to the end-users enabling simple, secure access for the technicians to do their jobs.
Municipalities are required to obtain and maintain cyber insurance to mitigate the fallout of intrusions, breaches, and hacks. Complying with these requirements has proven most difficult when it comes to securing operational technology and SCADA systems due to their 100% uptime requirements. As a result of implementing the AnyX platform from Agilicus, our customer has been able to achieve their cyber insurance compliance requirements for privileged access management and multi-factor authentication.
Beyond the business requirements of management and council, the Agilicus platform is securely connecting authorized technicians to the SCADA system with an invisible IT security experience. Technicians can now perform their duties from any device, on-site or remote, without having to manage new credentials or install software to gain access. Technicians from the partner organisations can use single sign-on for the instant access they need to get the job done.
Get In Touch
Ready To Learn More?
Agilicus AnyX Zero Trust enables any user, on any device, secure connectivity to any resource they need—without a client or VPN. Whether that resource is a web application, a programmable logic controller, or a building management system, Agilicus can secure it with multi-factor authentication while keeping the user experience simple with single sign-on.
info@agilicus.com, +1 519 953-4332
300-87 King St W, Kitchener, ON, Canada. N2G 1A7
info@partner.com, +1 555 555-5555
1 Main Street, Townsville, ON, Canada. POST-CODE