# Managed Industrial Remote Access


Industrial environments are supported by a variety of players: equipment manufacturers, system integrators, remote operations companies, regulators, and others. Increasingly, these systems are complex and require some online access in order to function and to be supported efficiently.

Water Control Automation found that there was an appetite to provide industrial remote access as a managed service as part of their remote operations and asset management.


The Summary

---

## Industrial Remote Access

In [Wastewater Operations Case Study: Zero Trust Remote Operations and Asset Management](https://www.agilicus.com/case-studies/zero-trust-remote-operations-and-asset-management/) we discussed the motivators for providing an ongoing remote-operations service, which Water Control Automation achieved using Agilicus AnyX. One of the key discussion points with the end customer was who should manage the Industrial Remote Access, and how it would be shared across the customer's staff as well as other vendors. In this document we discuss some of the key reasons that Water Control Automation's customers chose to buy Industrial Remote Access as a managed service as part of Water Control Automation's Remote Operations service.

Key discussion points include:

1. User Management, Single-Sign-On
2. Audit depth and accuracy
3. Request on demand to allow ad-hoc access
4. Consolidation of existing 'shadow IT' backdoor systems such as Ewon, TeamViewer
5. Ongoing usage by end-customer staff
6. Key trust points such as VNC/HMI with read-only access or simultaneous local + remote access
7. Shared Custody Model of configuration and Audit

Water Control Automation leveraged their experience in acquiring, commissioning, and operating complex systems to provide a managed industrial remote access system to their customers using Agilicus AnyX, meeting their customers' security requirements and increasing the utility of their systems.

The Company

---

## Water Control Automation Background

In [Wastewater Operations Case Study: Zero Trust Remote Operations and Asset Management](https://www.agilicus.com/case-studies/zero-trust-remote-operations-and-asset-management/) we discussed Water Control Automation, a full-service system integrator and engineering company. They have an in-house panel shop and expertise in [Schneider Electric](https://www.se.com/) and Rockwell Automation's [Allen-Bradley](https://www.rockwellautomation.com/en-us/products/hardware/allen-bradley.html) Programmable Logic Controllers. A large part of their business is creating and supporting Human Machine Interfaces, using either [VTScada](https://www.vtscada.com/) or [Ignition](https://inductiveautomation.com/ignition/).

The Challenges

---

## Industrial Remote Access: What, When, Where, Who

![identity-venn](https://www.agilicus.com/www/7531b7ba-identity-venn.png)

When discussing their proposed Remote Operations service with various potential customers (operators), Water Control Automation learned of a set of requirements for Industrial Remote Access for each of the various users in the ecosystem. Initially it appeared that their customers wanted to manage all Remote Access themselves. Upon discussion, it emerged that Water Control Automation's customers were finding the variety of systems and requirements overwhelming and wanted a managed system for which they controlled the authorisation and which worked universally across their own staff as well as all 3rd party support staff.

### End-Customer / Operator Requirements

Water Control Automation's customers own the risk and own any bad outcomes. As a consequence, they expressed their requirements as:

- Can enable individual requests in real time (e.g. user A requests access to B)
- Staff can have first-class access with single-sign-on and multi-factor authentication
- Full audit trail of configuration changes as well as resource access
- All users, including external users, have multi-factor authentication
- HMI remote access would not lock out local (screen would not go black)
- No inbound ports allowed on firewall
- No VPN access allowed to full network
- Must work with Starlink/Cellular NAT'd connections for remote locations
- Must allow inspection by existing next-generation firewall
- No end-user password set/reset flows
- Shared administration (user authentication, resource authorisation)

From the above we can see that the operator has a strong requirement for security and for transparency.

In addition, the operator expressed some frustration with existing shadow-IT point solutions such as [Ewon](https://www.agilicus.com/infosheet/agilicus-anyx-vs-nebula/) and [TeamViewer](https://www.agilicus.com/infosheet/agilicus-anyx-versus-teamviewer/). Each of these was incompatible with some of the above requirements, and was also not ubiquitously available to all users or all systems.

### Manager Requirements

In order to make their Remote Operations service feasible, Water Control Automation has a set of requirements:

1. No client software to install
2. Each staff member has an individual account and multi-factor authentication
3. No IP address adjacency (no requirement to change local subnets to match customer)
4. Common platform and administration across all customers
5. Ability to operate on multiple customers concurrently
6. Support for each platform (tablet, laptop) and location (office, road)
7. Inbound connectivity for Twilio IVR and alarming platform
8. No end-user password set/reset flows

### Manufacturer Requirements

![Managed Industrial Remote Access User Flow: Securely connect remote users to industrial assets with Agilicus. See how operators, engineers, and vendors gain controlled access for monitoring, maintenance, and troubleshooting. Simplified access management for OT environments.](https://www.agilicus.com/www/c98be7b9-user-flow.png)

The operators have various manufacturers. These in turn have two use cases: one is ad-hoc support, and the other is ongoing connectivity for license managers and outbound data streaming. For the first case, the manufacturers expressed a strong preference for the following:

1. Existing company identity (no new users)
2. Web-based (no new software)
3. Simple ability to request access

For the outbound connectivity (license manager, data streaming), the manufacturers expressed no preference, leaving this decision to the system integrator.

### System Integrator / Support Requirements

![Agilicus Admin Laptop](https://www.agilicus.com/www/005fe235-agilicus-admin-laptop.webp)

The system integrators were involved from design through initial deployment of new systems, with warranty and ad-hoc support for some short time after commissioning. These users expressed a set of requirements, but were ultimately accepting of whatever the operator provided. Their requirements were:

1. Avoid IP adjacency / requirement to change local subnets
2. Avoid multi-factor authentication (or, be consistent with other systems they used)
3. Operate with a wide variety of resources as if local (e.g. PLC program, read tags)

### Requirements Summary

Water Control Automation thus became aware that there was an opportunity to solve the above requirements in a way that was acceptable to each player, but also provided strong (and sticky) value.

#### Unified Authentication

Each of the constituents expressed a desire, or a hard requirement, to use their existing corporate identity (regardless of company).

This simplifies multi-factor authentication, audit, and user life-cycle management.

#### On-Demand Requests

Although some demographics were the same long-lived set of people (e.g. remote operations), others were more ad-hoc (e.g. manufacturer support). A per-use request flow, with push-based messaging, allowed the Operator to manage those user/resource needs.

#### Outbound-Only Access

The operator required that no inbound ports be open, but also used network technologies that did not allow inbound connections (e.g. Starlink, carrier NAT).

#### Strong, Inspectable Encryption

For the operator IT team to sign off, all data had to be strongly encrypted, but also be inspected by the Next-Gen firewall.

Since the end-users were on unknown networks, encryption had to be end-to-end.

The end-user networks were often incompatible with VPN technologies (e.g. café wireless).

#### Overlapping IP

Several of the demographics expressed frustration with existing IP-VPN based technologies, which often overlapped with their own IP space or prevented operating on multiple customer sites simultaneously.

A non-VPN solution was thus both a strict requirement for security and a strong requirement for operational ease.

#### Inbound Web Firewall

Remote operations requires always-on monitoring. Water Control Automation uses Twilio with VTScada; this requires HTTPS inbound access.

To provide this securely, within the requirement of no inbound ports and on networks which don't support inbound connections, a Web Application Firewall integrated with the system was required.

The Solution

---

## Agilicus AnyX: Zero Trust Managed Industrial Remote Access

![wastewater-remote-operations-and-asset-management](https://www.agilicus.com/www/4047a159-wastewater-remote-operations-and-asset-management.svg)

Agilicus AnyX introduces a Zero Trust framework tailor-made for industrial control systems in public water utilities. Zero Trust is the [best current practice](https://www.epa.gov/system/files/documents/2023-01/information_security_identification_and_authentication_procedure.pdf) for cyber security in Industrial Control Systems for Public Water Infrastructure. It integrates effortlessly with existing networks and offers an affordable and low-risk method to enhance both efficiency and security. Whether you have already deployed an [IEC-62443 Zone and Conduit](https://www.agilicus.com/white-papers/zero-trust-microsegmentation/ "IEC-62443 Zone and Conduit") model, or are driven more by the [Purdue Model](https://www.agilicus.com/white-papers/piercing-the-purdue-model-zero-trust-in-operational-technology/ "Purdue Model"), Agilicus provides an ideal platform for Zero Trust Managed Industrial Remote Access.

From an end-user perspective (whether Water Control Automation's team or each of their customers' teams), the system proved very simple to use. All devices, regardless of operating system or form factor, support a browser, the only tool they need for HMI access (VNC, Ignition, VTScada). Water Control Automation's team uses their familiar PLC programming software. With no VPN and no worry about overlapping IP, they can work on two customers simultaneously from the same laptop.

For the single-sign-on, each user uses their existing, native, corporate credentials. Typically this means no sign in is needed, even for the users with the on-premise Active Directory: it behaves similarly to signing into Office 365.

Use Cases: Managed Industrial Remote Access

## Agilicus AnyX Applications

### Remote HMI Access

Technicians can access the HMI remotely, leading to quicker repairs and less downtime.

### Shared Diagnostics

Share the SCADA workstation between vendor and customer, in real time. No client to install, open the browser and see the shared session.

### Unified Authentication

Single-sign-on, no shared passwords, for manufacturer, integrator, and operator, each with their natural credentials.

### Remote PLC Program

Technicians can remotely use e.g. [Rockwell Studio 5000](https://www.agilicus.com/example/sample-rockwell-studio-5000/) to diagnose tags and update firmware.

### Real-time Log Files

Performance metrics, diagnostic logs, asset inventory. Reach a Share deep inside the plant in a safe fashion, from anywhere.

### Remote Alarms

Twilio SMS alarms and SMTP email alarms, both with no inbound port-forward through the firewall.

The Conclusion

---

## Secure, Simple

Water Control Automation introduced Agilicus AnyX, meeting all the requirements of all of the constituent users, across all of the various companies, providing the security and transparency the operator needs, the ongoing operational efficiency that Water Control Automation needs, and the simplicity that the other users require, all within the operational constraints present. This system provides real value to Water Control Automation's customers, leveraging their operational expertise in acquiring, commissioning, and operating complex systems. Managing the Industrial Remote Access in addition to their Remote Operations and Asset Monitoring service transformed their relationship with the customer.

The operator achieved all of their objectives:

1. Requests flow: ad-hoc users can request access via a web interface and be allowed or denied by the operator
2. Staff can use their existing corporate single-sign-on (with multi-factor authentication) to use the HMI
3. An audit trail exists for all configuration and for all resource accesses (who did what from where to what)
4. All external users (first-party, third-party) use multi-factor authentication, individually
5. HMI remote access, via VNC, allows concurrent local and remote use: no hidden black screen
6. The firewall is configured to block all inbound ports
7. No VPN is present, and no layer-3 full network access exists
8. Alternative access technologies such as Starlink and Cellular function with no change and no restrictions
9. The IT team signed off on the security of all encryption (HTTPS, TLS) and can inspect via their existing next-generation firewall
10. No passwords are present to be breached or forgotten
11. The Operator can administer their users and their authorisation

Agilicus AnyX Zero Trust enables any user, on any device, secure connectivity to any resource they need—without a client or VPN. Whether that resource is a web application, a programmable logic controller, or a building management system, Agilicus can secure it with multi-factor authentication while keeping the user experience simple with single sign-on.
