Zero Trust VTScada Twilio Alerts
The power of VTScada Twilio SMS and voice alerts
The security of an airgap
No firewall reconfiguration
No public IP address
The Challenge
Twilio Appears To Require Public Inbound Access to VTScada, No VPN
Would putting your SCADA system on the public Internet keep you up at night? Are you faced with a choice between that and no proactive monitoring? Want to use Twilio to get push alerts, but can’t in good conscience let SCADA meet the Internet? The answer is Zero Trust VTScada Twilio Alerts.
Twilio is a simple, reliable service for sending and receiving SMS and voice calls from your VTScada system. Twilio is well integrated with VTScada, powerful, and convenient.
Nonetheless, this powerful integration appears to require exposing your VTScada to the public Internet. This is at odds with your plant security regime. How can it be both air-gapped and accessible without VPN or firewall? Can this be achieved?
Three of the key VTScada Twilio integration challenges solved by Agilicus AnyX are:
No Public IP, DMZ, Inbound
Your site might be connected via SpaceX’s Starlink or via cellular, with no public IP possible.
You may be forbidden by policy from using a layer-4 DMZ or port-forwarding.
Agilicus AnyX achieves the direct-access objective in compliance with your security needs.
Outbound-only HTTPS traffic.
No Firewall Changes
Allow outbound, deny inbound. No change needed. You can even lock down to a specific hostname or IP, immutable, unchanging.
No complex firewall reconfiguration or upgrades required.
Complex Remote Access
Cloud-based SaaS doesn’t use fixed IP, so configuring inbound allow/deny ACL on it will not be stable or reliable.
Use stable, reliable properties such as VTScada GUUID realm, Twilio Authentication Key.
No spoofing, no constant reconfiguration.
The Solution
Agilicus AnyX: Zero Trust VTScada Twilio Alerts
Agilicus AnyX provides a unique Zero Trust architecture which is ideal for VTScada integration. Whether it’s giving an end-user access to the HMI from a tablet (with Single-Sign-On, with multifactor authentication, without a VPN), or allowing a service-account-based system like Twilio the access it needs, the Agilicus AnyX Identity-Aware Web Application Firewall makes a complex task secure and simple.
Agilicus AnyX creates a unique hostname, with a unique, properly-signed, managed, rotated SSL certificate. The AnyX firewall rules match on the Twilio authentication, the VTScada installation GUUID, as well as on HTTP path, method, parameters.
You get a perfect audit trail, a system that sees no network traffic except for what is allowed. And, no change to the site-firewall (allow outbound, deny inbound: no port-forward, no DMZ, no public IP).
The Highlights
Agilicus AnyX Key Features
ANY DEVICE
No software to install. Works in any web browser. Tablet, Mobile. Desktop. Windows. Linux. Mac.
Stop the truck, pull over, pull out tablet, 1 click sign in, solve the issue.
NO PASSWORDS
No API keys, no HTTP Basic Authentication. Proper cryptographic access tokens. Full audit trail of each and all use.
1-CLICK SIGN IN
No passwords to remember or share. No network addresses to disseminate. Each user sees an icon for each desktop they have permission to.
REQUEST ON DEMAND
Contractors and support staff can request access when needed; you will receive a push notification to accept or reject.
AUTOMATIC PASSWORD STUFFING
Operate on URL PATH, Method, Body. Match only Twilio, to only your VTScada Realm.
Allow GET, POST as needed.
Read-only access if desired.
HTML BROWSER ACCESS
No client to install or license. Works with any browser, no matter how locked down the device.
Any browser means any device, whether BYOD or managed, owned or partner.
MULTI FACTOR AUTHENTICATION
Securely sign in as yourself to any enterprise application. Use code-based or biometric-based second factor authentication. Regardless of user type: multi factor for employees, contractors, vendor support.
STRONG ENCRYPTION
All network traffic is HTTPS over WebSocket, with strong SSL/TLS encryption. Full compliance for your security controls. No self-signed certificates.
Data Flow
Twilio to VTScada Theory of Operation
The Agilicus Connector runs inside the network where it has access to the VTScada Server. In some cases this means running on the same machine (in which case you can entirely block access locally). In others a switch is used to facilitate micro-segmentation. This Connector makes an outbound connection using HTTPS to the Agilicus AnyX cloud.
Twilio makes an outbound (inbound to VTScada) HTTPS GET/POST request. It is to a specific endpoint (/realm/GUUID) and uses an API Key (authentication) you have set up. Twilio does this to a hostname provided by Agilicus AnyX (using your domain, e.g. my-site-vtscada.mydomain). Agilicus AnyX responds with a well-formed SSL certificate: no self-signed, these are properly attested and rotated. The Firewall then decides whether the request is really from Twilio and is addressed to a proper VTScada endpoint. If so, it is forwarded transparently to the VTScada server; otherwise it is rejected.
Transparent to Twilio, transparent to VTScada, simple to configure. Zero Trust VTScada Twilio Alerts.
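The allow/deny decision described above can be sketched as a default-deny check on host, method, path and request authentication. This is an added example, not Agilicus or VTScada code: it assumes the "Twilio authentication" is Twilio's `X-Twilio-Signature` request signing (HMAC-SHA1 over the URL plus sorted POST parameters, keyed with the account auth token), and the hostname, GUID and token are constructed placeholders.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Constructed sample values; none come from the page or a real deployment.
AUTH_TOKEN = b"constructed-auth-token"
REALM_GUID = "00000000-0000-4000-8000-000000000000"
ALLOWED_HOST = "my-site-vtscada.example.com"
ALLOWED_METHODS = {"GET", "POST"}
# Only the realm endpoint (and sub-paths below it) is reachable.
ALLOWED_PATH = re.compile(r"/realm/%s(/[A-Za-z0-9_./-]*)?" % re.escape(REALM_GUID))


def twilio_signature(url, post_params, token=AUTH_TOKEN):
    """Base64 HMAC-SHA1 over the URL plus POST params sorted by name."""
    data = url + "".join(k + v for k, v in sorted(post_params.items()))
    digest = hmac.new(token, data.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def decide(method, url, post_params, signature_header):
    """Return (allowed, reason); anything not explicitly matched is denied."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != ALLOWED_HOST:
        return False, "host"
    if method not in ALLOWED_METHODS:
        return False, "method"
    if ".." in parts.path or not ALLOWED_PATH.fullmatch(parts.path):
        return False, "path"
    expected = twilio_signature(url, post_params if method == "POST" else {})
    presented = (signature_header or "").encode("utf-8")
    # Constant-time compare so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected.encode("ascii"), presented):
        return False, "signature"
    return True, "ok"
```

Each rejection reason maps to one audit-log field, so a denied request records which rule it failed rather than only that it was dropped.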
The data flow for VNC is shown below; this is similar in nature.
The detailed Product Config walks you through the specific setup in the Agilicus AnyX platform for Zero Trust VTScada Twilio Alerts.
Get In Touch
Ready To Learn More?
Agilicus AnyX Zero Trust enables any user, on any device, secure connectivity to any resource they need—without a client or VPN. Whether that resource is a web application, a programmable logic controller, or a building management system, Agilicus can secure it with multi-factor authentication while keeping the user experience simple with single sign-on.
info@agilicus.com, +1 519 953-4332
300-87 King St W, Kitchener, ON, Canada. N2G 1A7