CASE STUDY: Secure Access to Critical Infrastructure for Partners and Vendors
A Municipality set out to modernise their water treatment facility to better enable secure connectivity for various internal teams (IT, Public Works), partner organisation, and their systems integrator. The Municipality chose Agilicus AnyX, to adopt a Zero Trust Architecture that enabled simple, secure remote connectivity with precise control over privileges.
Fill out the form to read the technical case study and learn how Agilicus AnyX worked to enable secure remote connectivity for so many unique users.
Read MORE
Case Study
Secure Access to Critical Infrastructure for Partners and Vendors
A Municipality set out to modernise their water treatment facility to better enable secure connectivity for various internal teams (IT, Public Works), partner organisation, and their systems integrator.
The Municipality chose Agilicus AnyX, to adopt a Zero Trust Architecture that enabled simple, secure remote connectivity with precise control over privileges.
Executive Summary
A municipality located on the west coast in North America set out to modernise their water treatment facility to better enable secure connectivity for various internal teams (IT, Public Works), partner organisations, and their systems integrator. Facility management is shared with a partner municipality. A systems integrator needs access to perform maintenance and support. Given the number of internal and external individuals that need remote connectivity to the site, the municipality needed a secure solution that protected the critical infrastructure from external threats.
Of particular importance was implementing a solution that did not require new accounts or interfere with the responsibilities or capabilities of all parties. The municipality chose Agilicus AnyX, to adopt a Zero Trust Architecture that enabled simple, secure connectivity and precise control over privileges leveraging the existing identity providers of each organisation, achieving Secure Remote Access to its Critical Infrastructure for Partners and Vendors. The result is a mature cyber posture without requiring a VPN that creates a modern industrial air-gap for the water treatment facility. In turn, the municipality also benefited from detailed audit logs of all activity on the network, and the ability to extend just-in-time access for third parties and external vendors.
Protecting municipal critical infrastructure and shared resources.
How can I enable remote connectivity in a way that keeps my critical systems off the public internet but allow access for maintenance and support?
Municipal critical infrastructure is an essential service and citizens depend on the secure and reliable operation of municipal facilities. Remote connectivity and the ability to leverage data are two increasingly important requirements when it comes to successfully and safely operating critical infrastructure. The challenge is enabling remote connectivity in a way that protects the critical systems from online threats and attackers. It was particularly important for the municipality that they maintained a true air-gap without having to rework their entire network.
To adequately support the water facility, individuals need to be able to remotely connect via Secure Shell (SSH), Remote Desktop Protocol (RDP), and access various SCADA web applications. However, governance, compliance, and the current threat environment made it especially complicated to use conventional technology such as a VPN or remote access tools like TeamViewer. While traditional access tools could partially solve internal remote needs, it would open the organisation and water treatment facility up to a host of attack vectors and cyber risk that was simply unacceptable.
The team had several essential needs in addition to a secure remote connection for Critical Infrastructure for Partners and Vendors:
On site machines needed to stay online at all times. These are systems that are unable to receive security updates and patches.
The systems integrator needed secure remote access but organisational security policies must be adhered to (no shared credentials, multi-factor authentication).
The SCADA (supervisory control and data acquisition) system at the facility needed to maintain an always on connection to city hall to export data for record keeping and analysis.
All access and activity need to be tracked and recorded through detailed logs with evidence if something were to go wrong.
Water treatment facilities and other critical infrastructure demand high security due to their vital role in society. The municipality needed a solution that offered a modern air-gap to deliver resource segmentation without limiting remote connectivity for operations, service, and support.
Solution
A Zero Trust Architecture by Agilicus AnyX proved to be the right solution for enabling secure remote connectivity while creating a virtual air-gap at the facility. Zero Trust consists of three central tenets – Identity, Authorisation, and Access.
Identity
Every user or operator must be individually known and authenticated.
Authorisation
Every action an individual takes must be authorised based on their identity and privileges to interact with a resource
Access
Authenticated and authorised user actions are routed only to the destination resources.
A modern air-gap was achieved with a 15 minute installation that did not require a full network rework.
Identity – Any User
Identity is the way a given user proves who they are. For example, employees have a corporate email address – that corporate email address allows individuals to prove who they are. Agilicus AnyX allows an unlimited number of corporate email addresses, from different organisations to work together as if they were part of the same organisation – this is called federated identity.
Authentication across so many organisations without issuing new accounts or passwords was achieved by federating identity and leveraging the Agilicus Open ID Connect proxy for session management and to enable single sign-on.
Authentication is performed by known upstream issuers (Azure, O365, GMail, Okta, etc.) or a customer’s known identity provider. As a result, Agilicus uses an authenticated user’s JSON Web Token (JWT) and never requires or stores passwords and credentials.
A simple identity layer on top of the OAuth 2.0 protocol, OpenID Connect (OIDC) allows the verification of an identity and can request and receive information about authentication, sessions, and end-users.
Within the Agilicus AnyX Authentication Issuer, the Municipality had several configuration options:
- Configure the sign-in screen theming with Municipal logo and branding.
- Select from a set of Agilicus-Managed Upstream Identity Providers (Apple, Google, Linkedin).
- Add their own Identity Providers and that of their partners (Azure Active Directory, Microsoft Active Directory, etc) – In this case the municipality used Azure Active Directory. Their partner organisation was able to use Okta, and their systems integrator was able to use GSuite.
- Configure and enforce multi-factor authentication
- Control rules regarding when/how/who can authenticate to the system
A detailed example of how Agilicus uses OpenID Connect can be found here.
Authorisation – Least Privilege
Through Agilicus AnyX, the municipality gained precise control over resources and user privileges. Every resource (network, server, application, etc.) has a set of permissions that are both role and resource specific – Owner, Editor, Viewer, Self. For each resource the municipality could select a user or user group and delegate necessary privileges.
In order to fold those resources into the Zero Trust Architecture, Agilicus AnyX uses a connector to facilitate the connection between a network and the authorised end-users. The Agilicus Connector is installed on a device to create a unidirectional pathway to the Agilicus Cloud. This outbound only connection blocks all ports and remote connectivity unless achieved through the authorised path, Agilicus AnyX. The Agilicus connector is self updating and follows The Update Framework (TUF Framework). The TUF Framework offers a means of protecting mechanisms involved in automatically downloading software updates. A changelog is readily available to ensure the municipal team is informed of any updates that have occurred.
Each Agilicus Connector uses a Globally Universally Unique Identifier (GUUID) to individually identify the resource and an OpenID connect issuer to control its authentication domain. This ensures Agilicus AnyX can confirm the identity of a given resource and enforce privileges. Once installed on the destination resource, new directories and services to share or expose are managed entirely from the administrative web interface. Combined with Role-Based Access Controls, users and user groups at the Municipality could be paired with only the resources they need with strict, least privilege access.
Complete, micro-segmentation of users, resources, and sites are also achieved by the Agilicus Connector. The Agilicus Connector can be installed at different points in the network or on individual systems allowing for a per-site, or per-resource approach to micro-segmentation. As a result, users and resources are protected from themselves and cannot connect unless authorised.
In order to achieve the objective of creating a secure, always on connection between the water treatment facility SCADA system and city hall, a small router with a firewall that denied all inbound and outbound traffic except through the Agilicus Connector was installed on site. This introduced a service forwarder where only an authorised and authenticated connection can be established. All data such as chlorine levels could now be recorded and transmitted under a Zero Trust security framework, with complete end-to-end encryption.
Access – Simply and Securely
The Agilicus AnyX platform centralises authorisation management ensuring municipal operators and administrators can easily add or remove users and enable or disable access privileges through a single web-based portal. Meanwhile, the various end-users perform authentication using their designated accounts via Single Sign-On through the Agilicus AnyX platform to gain access to only the applications and resources they have permissions for.
The authentication workflow performed by end users, and the outbound only connection from the resource meet in the middle (The Agilicus Cloud) where a connection is only established if all authentication and authorisation parameters are met (user identity, multi-factor authentication, privileges).
Agilicus AnyX easily supports SSH, RDP, and Virtual Network computing (VNC), Web Applications, and even access to PLCs. These access methods to specific resources are created through the administrative portal. Each resource is further secured by the patented Identity Aware Firewall which acts as an HTTP-proxy. This ensures SSL and TLS are enforced for every connection and protects the resources from various issues such as server misconfiguration. The Identity Aware Firewall blocks all traffic unless authenticated and authorised adhering to the never trust, always verify Zero Trust principle.
Deployment
Least Privilege Access
Outcome
The municipal team was able to adopt a virtual air-gap and implement a Zero Trust Architecture to secure the water treatment facility achieving their goal of enabling secure, least privilege access for all authorised parties – internal users, partner organisations, and their systems integrator. Agilicus AnyX also equipped the municipal team with detailed audit logs of all activity on municipal water infrastructure. The team now has a clear view of who is accessing their systems, what they are doing with that access, and when they are accessing facility resources.
Federating Identity with OIDC ensured no new identity management services or licences were required. Passwords stay with the users and are never passed to, or stored by Agilicus AnyX. This also means if an employee leaves, their access is instantly revoked as soon as they are deleted from their own company.
Multi-Factor Authentication is easily enforced across all users for access to any resource, including non-participating systems, such as the machine hosting the facility Human Machine Interface (HMI).
Complete, micro-segmentation of both users and resources was achieved via the Agilicus Connector, preventing network traversal and requiring authentication and authorisation for access.
The Agilicus Connector was used to establish a secure, always on connection to the city hall for data collection from the water treatment facility. The data is necessary for record keeping as well as management and monitoring of the facility resources to ensure proper function.
The Agilicus Connector enabled secure accessibility to the resources without needing a public IP, VPN, or client. That means while the various teams were able to establish a secure and convenient remote connection, water treatment facility resources are neither exposed to nor visible on the public internet.
The Water Treatment facility cyber posture was greatly enhanced through the Identity Aware Firewall and Agilicus Connector. That means no lateral traversal, enforced SSL, and the blocking of peripheral devices on facility machines.
Both the systems integrator and the partner organisation no longer needed to send workers to site for troubleshooting, maintenance, and operation leading to cost and labour savings.
Get In Touch
Ready To Learn More?
Agilicus AnyX Zero Trust enables any user, on any device, secure connectivity to any resource they need—without a client or VPN. Whether that resource is a web application, a programmable logic controller, or a building management system, Agilicus can secure it with multi-factor authentication while keeping the user experience simple with single sign-on.
info@agilicus.com, +1 519 953-4332
300-87 King St W, Kitchener, ON, Canada. N2G 1A7
info@partner.com, +1 555 555-5555
1 Main Street, Townsville, ON, Canada. POST-CODE