Wastewater Operations Case Study
Zero Trust Remote Operations and Asset Management
Water and wastewater plants are commonly remotely operated. In this case study, learn how an industrial control systems integration and engineering company expanded its service offerings to provide real-time operations, monitoring, and asset management using Agilicus AnyX.
Increased profit, better predictability.
The Summary
Add Remote Operations Service, Profit
Water Control Automation, a system integrator, added a new wastewater remote operations service. This service proved more profitable than their existing time & materials support.
– charging based on value rather than cost-plus
– predictable long-term contracts lowered staffing challenges and costs
Water Control Automation found that by solving remote access for their customers, they could position themselves as the go-to provider for connectivity. Offering authentication and access services set them apart from competitors, let them command higher prices, and reduced their exposure to competition.
Water Control Automation’s customers were pleased with the increased security, as well as the improved mean-time-to-repair.
Making Agilicus AnyX part of Water Control Automation’s new remote operations service unlocked high value in a short time, without increased security risk. Zero Trust Remote Operations and Asset Management was a win.
The Company
Water Control Automation Background
Water Control Automation (not their real name) is a full-service system integrator and engineering company. They have an in-house panel shop and expertise in Schneider Electric and Rockwell Automation Allen-Bradley programmable logic controllers. A large part of their business is building and supporting Human Machine Interfaces using either VTScada or Ignition.
Historically Water Control's business has grown in a project-based fashion. They would bid on projects, build, commission, and warranty their work, with ad-hoc support handled after the first year on a time-and-materials basis. This growth pattern, while ultimately successful for Water Control, created a feast-or-famine problem: in some periods there was insufficient work, and in others they had to turn away new business because they could not fulfil it. Water Control sought to create an ongoing subscription revenue stream that would make the business more predictable, allowing them to scale their team and capacity more linearly, with higher utilisation and efficiency yielding more billable hours per person.
Water Control Automation set out to create a new service offering that would include Remote Operations and Asset Management (ROAM). This remote monitoring package would leverage Twilio, cloud-based monitoring and reporting, as well as on-call remote maintenance. In this case study we discuss the challenges found, how Agilicus AnyX was used to overcome them, and some of the unexpected benefits to Water Control Automation's customers.
The Challenges
Remote Operations and Water Plants
Water plants are notoriously complex for remote access. They typically use an air-gap style network architecture, blocking all inbound and outbound traffic. They do so because there is no internal security: all internal devices are wide open to each other, with minimal or no authentication. To be simple to deploy, and acceptable to their customers' security staff, Water Control Automation needed a strong method of remote access that works with all firewall types, ensures all traffic is encrypted, and is simple to write firewall rules for.
As a consequence of this remote access complexity, it is not common for the plant operator to have remote connectivity for their own staff. Once Water Control Automation has solved their own needs, this presents an additional upsell opportunity as well as differentiation. Once Water Control Automation's customers use the service for their own needs, with their own single-sign-on, the service becomes very sticky and differentiated, allowing Water Control Automation to charge more and defend themselves against competitors. With Agilicus AnyX, Water Control Automation was able to achieve single-sign-on even for local identity systems within the plant (see "Merging Local Identity With Online Identity").
The plant operator's security policy typically requires non-shared accounts and multi-factor authentication. This rules out back-door style remote access tools such as TeamViewer and Ewon.
VPNs are not an acceptable solution. From Water Control Automation's standpoint, they cannot install multiple VPN clients on each staff laptop: they need concurrent access to every customer, yet those customers have overlapping IP space, which makes routing to more than one of them at a time impossible. From the customer's standpoint, a VPN is not allowed because it would grant over-broad access into the customer's network, increasing risk.
In addition, some wastewater plants have no public IP and no possibility of inbound access: owing to their remote locations they rely on satellite or cellular connectivity.
Water Control Automation thus identified six primary challenges standing between them and a turnkey remote operations service.
Firewall Traversal
Firewall configuration is complex. Avoid requiring inbound access. Avoid requiring outbound connections to unknown or changing IP addresses.
All traffic must be HTTPS so that it can pass through firewall inspection systems.
Authentication
Shared accounts are a security risk. All users, whether customer or partner, must have unique single-sign-on identities with strong authentication.
No new passwords: they get written down, breached, shared.
See “Eliminating the Business Risk of Shared Credentials” for more details.
Multi-Factor
All users must use multi-factor authentication, and the second factor cannot be shared.
It would be impractical for Water Control Automation to maintain a separate multi-factor setup for each customer: the users would not be able to operate efficiently.
See “Multi-Factor Authentication On The Internal Network” for more detail.
VPN
A VPN is all-or-nothing access. The wastewater plant operator has many resources internally, and not all of them are required, or suitable, for Water Control to operate remotely. Some of the RTUs are sensitive yet not segmented.
See “VPN Alternative” for more detail.
Overlapping IP
All wastewater plants use private (RFC 1918) IP addresses internally. A VPN would require routing rules, and would prevent Water Control from managing multiple customers concurrently.
It would be impractical to change the subnets on Water Control’s laptops for each customer they connect to.
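The overlap problem in the two paragraphs above is easy to see with Python's standard `ipaddress` module. This is an added example, not code from the case study or from Agilicus; the customer names and subnets are constructed. It shows that a laptop with one VPN per customer has a single routing table in which the second customer's copy of 192.168.1.0/24 silently shadows the first, and that addressing each resource by the pair (customer, address) rather than by address alone removes the ambiguity without touching the laptop's routes:

```python
"""Why one VPN per customer breaks down with overlapping RFC 1918 space.

Added example, not from the original case study or from Agilicus. The
customer names and subnets below are constructed for illustration.
"""
import ipaddress

# Constructed: two plants both use 192.168.1.0/24 behind their own NAT.
CUSTOMER_SITES = {
    "north-plant": ["192.168.1.0/24", "10.10.0.0/16"],
    "south-plant": ["192.168.1.0/24", "10.20.0.0/16"],
    "east-lift-station": ["172.16.5.0/24"],
}


def routing_conflicts(sites):
    """Return (customer_a, customer_b, subnet_a, subnet_b) for every pair of
    subnets from different customers that overlap. A laptop has one routing
    table, so each overlap is a range that cannot be routed to both tunnels."""
    nets = [(c, ipaddress.ip_network(s)) for c, subs in sites.items() for s in subs]
    conflicts = []
    for i, (ca, na) in enumerate(nets):
        for cb, nb in nets[i + 1:]:
            if ca != cb and na.overlaps(nb):
                conflicts.append((ca, cb, str(na), str(nb)))
    return conflicts


def vpn_route_table(sites):
    """Install one route per subnet as a VPN client would. Later entries
    silently shadow earlier ones, so north-plant's 192.168.1.0/24 vanishes."""
    table = {}
    for customer, subs in sites.items():
        for s in subs:
            table[str(ipaddress.ip_network(s))] = customer
    return table


def resource_key(customer, host_ip):
    """Per-resource addressing as an identity-aware connector uses it: the
    pair (customer, ip) stays unique even when the ip alone is not, so two
    customers can be open at once without touching the laptop's routes."""
    ipaddress.ip_address(host_ip)  # raises on a malformed address
    return f"{customer}/{host_ip}"
```

Run `routing_conflicts(CUSTOMER_SITES)` before onboarding a new customer: any non-empty result is a site that can never coexist with an existing one under a routed VPN design, whichever subnet the laptops themselves use.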
Twilio SSL Certificate
Water Control has chosen to partner with Twilio owing to its tight integration with VTScada.
Twilio must be able to reach a public hostname inbound over SSL/TLS, and that hostname must match a properly issued certificate.
See “VTScada Twilio Alerts” for more detail.
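Publishing a hostname that Twilio can reach means anyone on the Internet can reach it too, so the endpoint behind it should confirm that each callback was actually sent by Twilio. The following is an added example, not code from the case study, VTScada or Agilicus. It implements Twilio's documented request validation: HMAC-SHA1, keyed with the account's auth token, over the full request URL followed by the POST form fields concatenated as key+value in sorted key order, base64-encoded and compared against the `X-Twilio-Signature` header. The auth token, callback URL and form body are constructed.

```python
"""Validate that an HTTPS callback really came from Twilio.

Added example, not from the original case study, VTScada or Agilicus.
The token, URL and form fields below are constructed placeholders.
"""
import base64
import hashlib
import hmac

AUTH_TOKEN = "example-auth-token-not-real"                     # assumed; from the Twilio console
CALLBACK_URL = "https://alerts.example-plant.invalid/twilio/status"  # assumed public hostname


def compute_twilio_signature(auth_token, url, form):
    """Recompute the value Twilio sends in X-Twilio-Signature:
    base64(HMAC-SHA1(auth_token, url + key1 + value1 + key2 + value2 ...))
    with the form keys sorted alphabetically and no separators."""
    payload = url + "".join(k + form[k] for k in sorted(form))
    digest = hmac.new(auth_token.encode("utf-8"),
                      payload.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_twilio_request(auth_token, url, form, signature_header):
    """Reject a missing header outright; otherwise compare in constant time."""
    if not signature_header:
        return False
    expected = compute_twilio_signature(auth_token, url, form)
    return hmac.compare_digest(expected, signature_header)


# Constructed status-callback body (Twilio posts application/x-www-form-urlencoded).
SAMPLE_FORM = {
    "MessageSid": "SMexample0000000000000000000000000",
    "MessageStatus": "delivered",
    "To": "+15550001111",
}


def demo():
    """Genuine request passes; a tampered field or a different URL fails."""
    sig = compute_twilio_signature(AUTH_TOKEN, CALLBACK_URL, SAMPLE_FORM)
    genuine = verify_twilio_request(AUTH_TOKEN, CALLBACK_URL, SAMPLE_FORM, sig)
    tampered = dict(SAMPLE_FORM, MessageStatus="failed")
    forged = verify_twilio_request(AUTH_TOKEN, CALLBACK_URL, tampered, sig)
    # Same path, but signed URL was https://...: scheme is part of the signed string.
    wrong_scheme_url = "http://alerts.example-plant.invalid/twilio/status"
    wrong_url = verify_twilio_request(AUTH_TOKEN, wrong_scheme_url, SAMPLE_FORM, sig)
    return genuine, forged, wrong_url


if __name__ == "__main__":
    print(demo())
```

The URL that goes into the HMAC is the one Twilio was configured with, scheme and query string included. When the application sits behind a connector or reverse proxy that terminates TLS, the URL it sees locally (often plain `http://` on a private name) is not that URL, so reconstruct the public one from configuration rather than from the incoming request before verifying.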
The Solution
Agilicus AnyX: Zero Trust Enables Remote Operations and Asset Management
Agilicus AnyX introduces a Zero Trust framework tailor-made for industrial control systems in public water utilities. Zero Trust is the best current practice for cybersecurity in industrial control systems for public water infrastructure. It integrates with existing networks and offers an affordable, low-risk way to improve both efficiency and security. Whether you have already deployed an IEC 62443 zone-and-conduit model or are guided more by the Purdue Model, Agilicus fits either, providing an ideal platform for Zero Trust Remote Operations and Asset Management.
Better User Experience. Better Security
Authentication
Trust starts with identity. Instead of relying on shared passwords, Agilicus AnyX uses federated authentication from existing identity providers (Microsoft Entra, Okta, Google Workspace, on-site Microsoft Active Directory, etc.). This allows a user such as "jane@manufacturer.domain" to access the system with their own identity, with no shared credentials.
Full Access Control and Visibility
Authorisation
With Agilicus AnyX, system access isn’t binary. You can specify user roles at granular levels, ensuring that users only access what they are supposed to. Moreover, every action is logged for meticulous audit trails. Fine-grained authorisation is necessary for cybersecurity in Industrial Control Systems for Public Water Infrastructure.
Invisible to the World
Access
Agilicus AnyX is designed for the modern world, integrating with existing firewalls. It uses an outbound-only connection, compatible with NAT and non-public IPs, so any user can reach any application without a VPN and without inbound ports.
The How
Simple User, Simple Admin, Secure Data Flow
One of the core learnings for Water Control Automation was that their customers also wanted remote access, an unexpected benefit of the new remote operations service. And the customers required single-sign-on using existing credentials, coupled with multi-factor authentication, for their security compliance. In some cases, existing credentials meant Microsoft Entra (formerly Azure Active Directory) or Google Workspace, but in others it was an on-premise Active Directory behind the firewall. Agilicus AnyX handles both, allowing either type to act as a modern OpenID Connect single-sign-on provider (see "Merging Local Identity With Online Identity").
Using group-based and role-based authorisation keeps configuration simple for Water Control Automation: adding a user is one step, and all access rules flow automatically from their group membership.
Water Control Automation's customers demanded that there be no inbound port-forward and no DMZ. The Agilicus AnyX Connector, with its outbound-only data flow, all on port 443 to a fixed IP and inspectable by a next-generation firewall, gave the customers the comfort they needed to deploy.
From an end-user perspective (whether Water Control Automation's team or each of their customers' teams), the system proved very simple to use. All devices, regardless of operating system or form factor, support a browser, the only tool needed for HMI access (VNC, Ignition, VTScada). Water Control Automation's team uses their familiar PLC programming software. No VPN, no worry about overlapping IP: they can work on two customers simultaneously from the same laptop.
For single-sign-on, each user uses their existing corporate credentials. Typically no separate sign-in is needed, even for users with an on-premise Active Directory: it behaves similarly to signing into Office 365.
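What "one step to add the user" looks like in code, as an added example that is not from the case study or from Agilicus: role bindings attach an identity-provider group to a role on a specific resource, roles map to permitted actions with deny by default, and the decision is taken from the verified single-sign-on claims, including an MFA check via the standard OpenID Connect `amr` claim. Adding a user to a group grants every binding for that group; removing the group membership revokes all of it at once. The groups, roles, resources and user claims are constructed.

```python
"""Group- and role-based authorisation on top of SSO claims.

Added example, not from the original case study or from Agilicus.
Groups, roles, resources and users below are constructed.
"""
import datetime

# Bindings: which IdP group holds which role on which resource (constructed).
ROLE_BINDINGS = [
    {"group": "wca-remote-ops",    "resource": "north-plant/hmi",   "role": "operator"},
    {"group": "wca-remote-ops",    "resource": "north-plant/plc1",  "role": "engineer"},
    {"group": "north-plant-staff", "resource": "north-plant/hmi",   "role": "viewer"},
    {"group": "north-plant-staff", "resource": "north-plant/share", "role": "viewer"},
]

# Role -> permitted actions. Deny by default: anything not listed is refused.
ROLE_ACTIONS = {
    "viewer":   {"view"},
    "operator": {"view", "acknowledge-alarm"},
    "engineer": {"view", "acknowledge-alarm", "download-program", "upload-program"},
}

AUDIT_LOG = []  # every decision, allow or deny, is appended here


def roles_for(groups, resource):
    """Roles the given group set holds on one resource."""
    return {b["role"] for b in ROLE_BINDINGS
            if b["group"] in groups and b["resource"] == resource}


def authorise(claims, resource, action):
    """claims: already-verified ID-token claims from the SSO provider.
    Requires an MFA authentication-method reference ('mfa' in 'amr'), then
    checks the user's groups against the bindings for this resource."""
    mfa = "mfa" in claims.get("amr", [])
    roles = roles_for(set(claims.get("groups", [])), resource) if mfa else set()
    allowed = any(action in ROLE_ACTIONS.get(r, set()) for r in roles)
    AUDIT_LOG.append({
        "ts": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "sub": claims["sub"], "resource": resource, "action": action,
        "mfa": mfa, "decision": "allow" if allowed else "deny",
    })
    return allowed


# Constructed claims in the shape an OpenID Connect provider returns them.
JANE = {"sub": "jane@wca.example", "groups": ["wca-remote-ops"], "amr": ["pwd", "mfa"]}
BOB = {"sub": "bob@north-plant.example", "groups": ["north-plant-staff"], "amr": ["pwd", "mfa"]}
BOB_NO_MFA = dict(BOB, amr=["pwd"])
BOB_OFFBOARDED = dict(BOB, groups=[])  # removed from the group: nothing left to grant

if __name__ == "__main__":
    print(authorise(JANE, "north-plant/plc1", "upload-program"))   # integrator engineer
    print(authorise(BOB, "north-plant/plc1", "upload-program"))    # operator staff: denied
    print(authorise(BOB_OFFBOARDED, "north-plant/share", "view"))  # former staff: denied
    for entry in AUDIT_LOG:
        print(entry)
```

Because the decision is driven entirely by group membership in the identity provider, offboarding at the customer or at the integrator is a single change in one place, which is the property behind "no concern over former staff retaining access" later on this page.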
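A customer's firewall team will want evidence, not just a promise, that the connector is the only thing leaving the plant network and that nothing arrives inbound. The following is an added example, not code from the case study or from Agilicus: it audits exported firewall log lines against that expectation (outbound only, from the connector host only, to the vendor's fixed IP only, on TCP 443 only) and flags every allowed connection that breaks it. The key=value log format, the addresses and the sample lines are constructed; adapt `parse_line` to your firewall's export.

```python
"""Audit firewall logs for the outbound-only, fixed-IP, port-443 expectation.

Added example, not from the original case study or from Agilicus. The log
format, addresses and sample lines are constructed for illustration.
"""
import ipaddress

PLANT_LAN = ipaddress.ip_network("192.168.1.0/24")          # assumed plant LAN
CONNECTOR_HOST = ipaddress.ip_address("192.168.1.10")       # assumed connector host
VENDOR_FIXED_IPS = {ipaddress.ip_address("203.0.113.10")}   # assumed; documentation range
ALLOWED_PORT = 443

# Constructed export: one connection per line, key=value fields.
SAMPLE_LOG = """\
ts=2024-05-01T10:00:01Z action=allow dir=out proto=tcp src=192.168.1.10 dst=203.0.113.10 dport=443
ts=2024-05-01T10:00:05Z action=allow dir=out proto=tcp src=192.168.1.10 dst=203.0.113.10 dport=443
ts=2024-05-01T10:01:10Z action=allow dir=out proto=tcp src=192.168.1.22 dst=198.51.100.7 dport=443
ts=2024-05-01T10:02:00Z action=allow dir=in proto=tcp src=198.51.100.9 dst=192.168.1.10 dport=3389
ts=2024-05-01T10:03:00Z action=deny dir=out proto=udp src=192.168.1.22 dst=8.8.8.8 dport=53
ts=2024-05-01T10:04:00Z action=allow dir=out proto=tcp src=192.168.1.10 dst=203.0.113.10 dport=80
"""


def parse_line(line):
    """Turn one key=value log line into typed fields."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return {
        "ts": fields["ts"], "action": fields["action"], "dir": fields["dir"],
        "proto": fields["proto"],
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "dport": int(fields["dport"]),
    }


def audit_egress(log_text):
    """Return (ts, finding, detail) for each allowed connection that violates
    the policy. Denied connections are what the firewall should be doing and
    are not findings; only what got through is audited."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e["action"] != "allow":
            continue
        flow = f"{e['src']}->{e['dst']}:{e['dport']}/{e['proto']}"
        if e["dir"] == "in" and e["dst"] in PLANT_LAN:
            findings.append((e["ts"], "inbound-allowed", flow))
        elif e["dir"] == "out" and e["src"] in PLANT_LAN:
            expected = (e["src"] == CONNECTOR_HOST
                        and e["dst"] in VENDOR_FIXED_IPS
                        and e["proto"] == "tcp"
                        and e["dport"] == ALLOWED_PORT)
            if not expected:
                findings.append((e["ts"], "unexpected-egress", flow))
    return findings


if __name__ == "__main__":
    for finding in audit_egress(SAMPLE_LOG):
        print(*finding)
```

On the constructed sample this reports three problems: a second host talking out on 443, an accepted inbound RDP connection to the connector host, and the connector itself reaching the vendor IP on port 80 instead of 443. A clean run over a week of logs is the artefact that backs up the "no inbound port-forward, no DMZ" claim to the customer's security staff.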
Use Cases: Zero Trust Remote Operations and Asset Management
Real-World Applications of Agilicus AnyX For Public Water Systems
Remote HMI Access
Technicians can access the HMI remotely, leading to quicker repairs and less downtime.
Shared Diagnostics
Share the SCADA workstation between vendor and customer, in real time. No client to install, open the browser and see the shared session.
Unified Authentication
Single-sign-on, no shared passwords, for manufacturer, integrator, and operator, each with their natural credentials.
Remote PLC Program
Technicians can remotely use e.g. Rockwell Studio 5000 to diagnose tags or update firmware.
Real-time Log Files
Performance metrics, diagnostic logs, asset inventory. Reach a file share deep inside the plant safely, from anywhere.
Remote Alarms
Twilio SMS alarms and SMTP email alarms, both with no inbound port-forward through the firewall.
The Conclusion
Profitable, Differentiated Service
By integrating Agilicus AnyX into their remote operations service, Water Control Automation achieved these objectives:
- Increased profit: a subscription-based, high-margin service with value-based pricing
- Stronger business scaling through predictable staffing, and lower cost through higher utilisation
- Increased differentiation: adding end-customer authentication and access proved popular, unique, and hard for competitors to replicate
- Lower staff complexity: no overlapping IP to reconfigure, no multiple VPNs to install, and simple web-based access with no client, usable on the go from a tablet or phone as needed
- A pre-packaged service that is easier to train sales staff on, and simpler to market and sell
Water Control Automation's customers achieved their objectives:
- Decreased mean-time-to-repair: no truck roll or scheduling delay
- Increased security and compliance: single-sign-on, multi-factor, no shared passwords, and no concern over former staff retaining access
- Aligned interests with Water Control Automation: rather than time & materials pricing, both parties are now incentivised to maximise uptime and minimise interventions
Zero Trust Remote Operations and Asset Management proved to be non zero-sum: all parties win, all parties profit.
Get In Touch
Ready To Learn More?
Agilicus AnyX Zero Trust enables any user, on any device, secure connectivity to any resource they need—without a client or VPN. Whether that resource is a web application, a programmable logic controller, or a building management system, Agilicus can secure it with multi-factor authentication while keeping the user experience simple with single sign-on.
info@agilicus.com, +1 519 953-4332
300-87 King St W, Kitchener, ON, Canada. N2G 1A7