Managed Industrial Remote Access
Industrial environments are supported by a variety of players: equipment manufacturers, system integrators, remote operations companies, regulators, and so on. Increasingly, these systems are complex and require some form of online access in order to function and to be supported efficiently.
Water Control Automation found that there was an appetite to provide industrial remote access as a managed service as part of their remote operations and asset management.
The Summary
Industrial Remote Access
In Wastewater Operations Case Study: Zero Trust Remote Operations and Asset Management we discussed the motivators of providing an ongoing remote-operations service, which Water Control Automation achieved using Agilicus AnyX. One of the key discussion points with the end customer was: who should manage the Industrial Remote Access, and how would this be shared across the customer’s staff as well as other vendors. In this document we discuss some of the key reasons that Water Control Automation’s customers chose to buy Industrial Remote Access as a managed service as part of Water Control Automation’s Remote Operations service.
Key discussion points include:
- User Management, Single-Sign-On
- Audit depth and accuracy
- Request on demand to allow ad-hoc access
- Consolidation of existing ‘shadow IT’ backdoor systems such as Ewon, TeamViewer
- Ongoing usage by end-customer staff
- Key trust points such as VNC/HMI with read-only access or simultaneous local + remote access
- Shared Custody Model of configuration and Audit
Water Control Automation leveraged their experience in acquiring, commissioning, and operating complex systems to provide a managed industrial remote access system to their customers, using Agilicus AnyX, meeting their customers' security requirements and increasing the utility of those systems.
The Company
Water Control Automation Background
In Wastewater Operations Case Study: Zero Trust Remote Operations and Asset Management we discussed Water Control Automation, a full-service system integrator and engineering company. They have an in-house panel shop and expertise in Schneider Electric and Rockwell Automation Allen-Bradley Programmable Logic Controllers. A large part of their business is creating and supporting Human Machine Interfaces, using either VTScada or Ignition.
The Challenges
Industrial Remote Access: What, When, Where, Who
When discussing their proposed Remote Operations service with various potential customers (operators), Water Control Automation learned of a set of requirements for Industrial Remote Access for each of the various users in the ecosystem. Initially it appeared that their customers wanted to manage all Remote Access themselves. Upon discussion, Water Control Automation's customers were finding the variety of systems and requirements overwhelming, and wanted a managed system in which they controlled the authorisation and which worked universally across their own staff as well as all third-party support staff.
End-Customer / Operator Requirements
Water Control Automation's customers own the risk and own any bad outcomes. As a consequence, they expressed their requirements as:
- Can individually enable requests in real time (e.g. user A requests access to B)
- Staff can have first-class access with single-sign-on and multi-factor authentication
- Full audit trail of configuration changes as well as resource access
- All users including external have multi-factor authentication
- HMI remote access would not lock out local (screen would not go black)
- No inbound ports allowed on firewall
- No VPN access allowed to full network
- Must work with Starlink/Cellular NAT’d connections for remote locations
- Must allow inspection by existing next-generation firewall
- No end-user password set/reset flows
- Shared administration (user authentication, resource authorisation)
From the above we can see that the operator has a strong requirement for security and for transparency.
In addition, the operator expressed some frustration with existing shadow-IT point solutions such as Ewon and TeamViewer. Each of these was incompatible with some of the above requirements, and none was ubiquitously available to all users or all systems.
Manager Requirements
In order to make their Remote Operations service feasible, Water Control Automation has a set of requirements:
- No client software to install
- Each staff member has individual account and multi-factor authentication
- No IP address adjacency (no requirement to change local subnets to match customer)
- Common platform and administration across all customers
- Ability to operate on multiple customers concurrently
- Support for each platform (tablet, laptop) and location (office, road)
- Inbound connectivity for Twilio IVR and alarming platform
- No end-user password set/reset flows
Manufacturer Requirements
The operators' systems come from various manufacturers. These in turn have two use cases: ad-hoc support, and ongoing connectivity needs such as license managers and outbound data streaming. For the first case, the manufacturers expressed a strong preference for the following:
- Existing company identity (no new users)
- Web-based (no new software)
- Simple ability to request access
For the outbound connectivity (license-manager, data streaming), the manufacturer expressed no preference, leaving this decision making to the system integrator.
System Integrator / Support Requirements
The system integrators were involved from design through initial deployment of new systems, with warranty and ad-hoc support for some short time after commissioning. These users expressed a set of requirements, but were ultimately accepting of whatever the operator provided. Their requirements were:
- Avoid IP adjacency / requirement to change local subnets
- Avoid multi-factor authentication (or, be consistent with other systems they used)
- Operate with a wide variety of resources as if local (e.g. PLC program, read tags)
Requirements Summary
Water Control Automation thus became aware that there was an opportunity to solve the above requirements in a way that was acceptable to each player, but also provided strong (and sticky) value.
Unified Authentication
Each of the constituents expressed a desire, or a hard-requirement, to use their existing corporate identity (regardless of company).
This simplifies multi-factor authentication, simplifies audit, and simplifies user life-cycle management.
On-Demand Requests
Although some user groups were long-lived and consisted of the same people (e.g. remote operations), others were more ad hoc (e.g. manufacturer support). A per-use request flow, with push-based messaging, allowed the Operator to manage those user/resource needs.
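The unified-authentication and on-demand request requirements above can be illustrated with a small model. The following Python is an added example written for this page; it is not Agilicus AnyX code and does not reproduce that product's API. It assumes that each party's identity arrives from that party's own identity provider as an (email, issuer, mfa) triple, that the operator approves requests with a time limit, that a grant is either read-only "view" or "control" (going slightly beyond the text by modelling the read-only VNC/HMI case from the summary), and that every configuration change and every access decision is appended to one audit trail. All users, resources and addresses are constructed sample data.

```python
"""Toy model of an operator-controlled, audited, on-demand access flow.

Added illustration for this case study, not Agilicus AnyX code. Identities,
resources, addresses and timestamps are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class User:
    email: str    # identity asserted by the user's own corporate IdP (assumed shape)
    issuer: str   # which identity provider asserted this login
    mfa: bool     # whether that IdP asserted a second factor


@dataclass
class Grant:
    user: str
    resource: str
    mode: str          # "view" (read-only HMI) or "control"
    expires: datetime  # grants are time-bounded, never permanent


class AccessBroker:
    """Operator-owned policy: nothing is reachable without an active, approved grant."""

    def __init__(self, now):
        self._now = now      # injectable clock so expiry can be exercised offline
        self.pending = {}    # request_id -> (User, resource, mode)
        self.grants = []     # approved, time-bounded grants
        self.audit = []      # append-only trail of configuration and access events
        self._next_id = 1

    def _log(self, kind, **fields):
        self.audit.append({"at": self._now().isoformat(), "kind": kind, **fields})

    def request(self, user, resource, mode="view"):
        """An ad-hoc user asks for access; the operator would be notified here."""
        rid = self._next_id
        self._next_id += 1
        self.pending[rid] = (user, resource, mode)
        self._log("request", id=rid, user=user.email, issuer=user.issuer,
                  resource=resource, mode=mode)
        return rid

    def approve(self, approver, rid, ttl):
        """Operator converts a pending request into a grant that expires after ttl."""
        user, resource, mode = self.pending.pop(rid)
        grant = Grant(user.email, resource, mode, self._now() + ttl)
        self.grants.append(grant)
        self._log("approve", id=rid, by=approver.email, user=user.email,
                  resource=resource, mode=mode, expires=grant.expires.isoformat())
        return grant

    def deny(self, approver, rid):
        user, resource, _mode = self.pending.pop(rid)
        self._log("deny", id=rid, by=approver.email, user=user.email, resource=resource)

    def authorize(self, user, resource, mode, source_ip):
        """Decide one access attempt and record it, whatever the outcome."""
        reason = None
        if not user.mfa:
            reason = "mfa-required"            # applies to every user, internal or external
        else:
            now = self._now()
            # a "control" grant also permits "view"; a "view" grant permits only "view"
            active = any(g.user == user.email and g.resource == resource
                         and (g.mode == mode or g.mode == "control")
                         and g.expires > now for g in self.grants)
            if not active:
                reason = "no-active-grant"
        self._log("access", user=user.email, resource=resource, mode=mode,
                  source=source_ip, allowed=reason is None, reason=reason)
        return reason is None, reason


def demo():
    """Walk one vendor request through its life cycle; returns each decision and the trail."""
    clock = [datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)]   # constructed time
    broker = AccessBroker(lambda: clock[0])
    operator = User("ops@operator.example", "operator-idp", mfa=True)
    vendor = User("tech@vendor.example", "vendor-idp", mfa=True)
    no_mfa = User("sub@vendor.example", "vendor-idp", mfa=False)

    rid = broker.request(vendor, "hmi-vnc-plant1", "view")
    before = broker.authorize(vendor, "hmi-vnc-plant1", "view", "203.0.113.5")
    broker.approve(operator, rid, timedelta(hours=2))
    allowed = broker.authorize(vendor, "hmi-vnc-plant1", "view", "203.0.113.5")
    escalation = broker.authorize(vendor, "hmi-vnc-plant1", "control", "203.0.113.5")
    weak = broker.authorize(no_mfa, "hmi-vnc-plant1", "view", "203.0.113.9")
    clock[0] += timedelta(hours=3)                                # grant has lapsed
    expired = broker.authorize(vendor, "hmi-vnc-plant1", "view", "203.0.113.5")
    return before, allowed, escalation, weak, expired, broker.audit


if __name__ == "__main__":
    for event in demo()[-1]:
        print(event)
```

The point of the model is that the operator never hands out a standing credential: the vendor's own identity provider answers "who", the operator's approval answers "what and until when", and the audit list records both the configuration events (request, approve, deny) and each access decision, which is the "who did what from where to what" trail the operator asked for.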
Outbound-Only Access
The operator required that no inbound ports be open, and also used network technologies that do not allow inbound connections at all (e.g. Starlink, carrier NAT).
Strong, Inspectable Encryption
For the operator's IT team to sign off, all data had to be strongly encrypted, yet still inspectable by the next-generation firewall.
Since the end-users were on unknown networks, encryption had to be end-to-end.
The end-user networks were often incompatible with VPN technologies (e.g. Cafe wireless).
Overlapping IP
Several of the user groups expressed frustration with existing IP-VPN based technologies, which often overlapped with their own IP space or prevented operating on multiple customer sites simultaneously.
A non-VPN solution was thus both a strict requirement for security and a strong requirement for operational ease.
Inbound Web Firewall
Remote operations requires always-on monitoring. Water Control Automation uses Twilio with VTScada, which requires inbound HTTPS access.
To provide this securely, within the requirement of no inbound ports and on networks that do not support inbound connections, a Web Application Firewall integrated with the system was required.
The Solution
Agilicus AnyX: Zero Trust Managed Industrial Remote Access
Agilicus AnyX introduces a Zero Trust framework tailor-made for industrial control systems in public water utilities. Zero Trust is the best current practice for cybersecurity in Industrial Control Systems for Public Water Infrastructure. It integrates effortlessly with existing networks and offers an affordable and low-risk method to enhance both efficiency and security. Whether you have already deployed an IEC 62443 Zone and Conduit model, or are driven more by the Purdue Model, Agilicus provides a low-risk method to enhance both efficiency and security, providing an ideal platform for Zero Trust Managed Industrial Remote Access.
From an end-user perspective (whether Water Control Automation's team or each of their customers' teams), the system proved very simple to use. All devices, regardless of operating system or form factor, support a browser, which is the only tool they need for HMI access (VNC, Ignition, VTScada). Water Control Automation's team uses their familiar PLC programming software. With no VPN and no concern about overlapping IP space, they can work on two customers simultaneously from the same laptop.
For single sign-on, each user uses their existing, native, corporate credentials. Typically this means no separate sign-in is needed, even for users with on-premises Active Directory: it behaves similarly to signing into Office 365.
Use Cases: Managed Industrial Remote Access
Agilicus AnyX Applications
Remote HMI Access
Technicians can access the HMI remotely, leading to quicker repairs and less downtime.
Shared Diagnostics
Share the SCADA workstation between vendor and customer, in real time. No client to install, open the browser and see the shared session.
Unified Authentication
Single-sign-on, no shared passwords, for manufacturer, integrator, and operator, each with their natural credentials.
Remote PLC Program
Technicians can remotely use e.g. Rockwell Studio 5000 to diagnose tags and update firmware.
Real-time Log Files
Performance metrics, diagnostic logs, asset inventory: reach a file share deep inside the plant in a safe fashion, from anywhere.
Remote Alarms
Twilio SMS alarms and SMTP email alarms, both with no inbound port-forward through the firewall.
The Conclusion
Secure, Simple
Water Control Automation introduced Agilicus AnyX, meeting all the requirements of all of the constituent users, across all of the various companies, providing the security and transparency the operator needs, the ongoing operational efficiency that Water Control Automation needs, and the simplicity that the other users require, all within the operational constraints present. This system provides real value to Water Control Automation’s customers, leveraging their operational expertise in acquiring, commissioning, and operating complex systems. Managing the Industrial Remote Access in addition to their Remote Operations and Asset Monitoring service transformed their relationship with the customer.
The operator achieved all of their objectives:
- Requests flow: ad-hoc users can request access via a web interface, and, be allowed/denied by the operator
- Staff can use their existing corporate single-sign-on (with multi-factor authentication) to use the HMI
- An audit trail exists for all configuration, and, for all resource accesses (who did what from where to what)
- All external users (first-party and third-party) use multi-factor authentication, each with their own individual account
- HMI remote access, via VNC, allows concurrent local and remote use: no hidden black screen
- The firewall is configured to block all inbound ports
- No VPN is present, no layer-3 full network access exists
- Alternative access technologies such as Starlink and Cellular function with no change, no restrictions
- IT team signed off on security of all encryption (HTTPS, TLS) and, can inspect via their existing next-generation firewall
- No passwords are present to be breached or forgotten
- The Operator can administer their own users and their authorisation
Get In Touch
Ready To Learn More?
Agilicus AnyX Zero Trust enables any user, on any device, secure connectivity to any resource they need—without a client or VPN. Whether that resource is a web application, a programmable logic controller, or a building management system, Agilicus can secure it with multi-factor authentication while keeping the user experience simple with single sign-on.
info@agilicus.com, +1 519 953-4332
300-87 King St W, Kitchener, ON, Canada. N2G 1A7