Wastewater Operations Case Study
Zero Trust Remote Operations and Asset Management
Water and Wastewater plants are commonly remotely operated. In this case study, learn how an industrial control systems integration and engineering company expanded their service offerings to provide real-time operations, monitoring, and asset management using Agilicus AnyX.
Increased profit, better predictability.
The Summary
Add Remote Operations Service, Profit
Water Control Automation, a system integrator, added a new wastewater remote operations service. This service proved more profitable than their existing time & materials support.
– charging based on value rather than cost-plus
– predictable long-term contracts lowered staffing challenges and costs
Water Control Automation discovered that by effectively resolving the issue of remote access for their customers, they were able to position themselves as the go-to solution for connectivity needs. They offered authentication and access services, which set them apart from competitors and enabled them to command higher prices while reducing concerns about competition.
Water Control Automation’s customers were pleased with the increased security, as well as the improved mean-time-to-repair.
Making Agilicus AnyX part of Water Control Automation’s new remote operations service unlocked high value in a short time, without increased security risk. Zero Trust Remote Operations and Asset Management was a win.
The Company
Water Control Automation Background
Water Control Automation (not their real name) is a full-service system integrator and engineering company. They have an in-house panel shop and expertise in Schneider Electric, Rockwell Automation’s Allen-Bradley Programmable Logic Controllers. A large part of their business is creating and supporting Human Machine Interfaces, using either VTScada or Ignition.
Historically Water Control’s business has grown in a project-based fashion. They would bid on projects, build, commission, and warranty their work, with ad-hoc support handled after the first year on a time and materials basis. This growth pattern, while ultimately successful for Water Control, has created a feast-or-famine problem. During some time periods there has been insufficient work, and, in others, they have had to defer new business being unable to fulfill it. Water Control sought to create an ongoing, subscription revenue stream that would allow them to create a more predictable business, scaling their team and capacity more linearly, with higher utilisation and efficiency yielding more billable hours per person.
Water Control Automation set out to create a new service offering that would include Remote Operations and Asset Management (ROAM). This Remote monitoring package would leverage Twilio, cloud-based monitoring and reporting, as well as on-call remote maintenance. In this case study we discuss some of the challenges found, and how Agilicus AnyX was used to overcome them, and some of the unexpected benefits to Water Control Automations customers.
The Challenges
Remote Operations and Water Plants
Water plants are notoriously complex for remote access. They typically use an air-gap style network architecture, blocking all inbound and outbound traffic. They do so since there is no internal security: all internal devices are wide open to each other with minimal or no authentication. In order to be simple to deploy, and, acceptable by the security staff of their customers, Water Control Automation will need to have a strong method of achieving remote access that works with all firewall types, ensuring that all traffic is both encrypted, and, simple to create firewall rules for.
As a consequence of this remote access complexity, it is not common for the plant operator to have remote connectivity for their own staff. Once Water Control Automation has solved their own needs, this presents an additional upsell possibility as well as differentiation. Once Water Control Automation’s customers use the service for their own needs, with their own single-sign-on, the service becomes very sticky and differentiated, allowing Water Control Automation to charge more, and defend themself versus competitors. With Agilicus AnyX, Water Control Automation was able to achieve single-sign-on for even local identity systems within the plant (see “Merging Local Identity With Online Identity“)
The plant operator’s security policy typically requires non-shared accounts and multi-factor authentication. This rules out back-door type solutions using TeamViewer and Ewon.
VPNs are not an acceptable solution. From a Water Control Automation standpoint, they cannot install multiple VPN’s on each staff laptop. They need concurrent access to each customer, even though those customers have overlapping IP space (making routing impossible). From a customer standpoint, they do not allow a VPN since it would provide over-broad access into their customers netwok, increasing the risk.
In addition, some of the wastewater plants do not have public IP or inbound access possible: due to their remote nature, they use satellite or cellular connectivity.
Water Control Automation thus became aware that they had 6 primary challenges slowing their desire to launch a turnkey remote operations service.
Firewall Traversal
Firewall configuration is complex. Avoid requiring inbound access. Avoid requiring unknown or unfixed IP outbound.
All traffic must be HTTPS to go through firewall inspection systems.
Authentication
Shared accounts are a security risk. All users, customer, partner, must have unique, single-sign-on identities with strong authentication.
No new passwords: they get written down, breached, shared.
See “Eliminating the Business Risk of Shared Credentials” for more details.
Multi-Factor
All users must use multi-factor authentication. This cannot be shared.
It would be impractical for Water Control Automation to have a separate multi-factor setup for each customer: the users would not be able to operate efficiently.
See “Multi-Factor Authentication On The Internal Network” for more detail.
VPN
A VPN is an all-or-nothing access. The wastewater plant operator has many resources internally, not all of them are required, or suitable, for Water Control to remotely operate. Some of the RTU are sensitive and yet not segmented.
See “VPN Alternative” for more detail.
Overlapping IP
All wastewater plants use private IP (RFC 1918) address internally. A VPN would require routing rules, and, would pervent Water Control from managing multiple customers concurrently.
It would be impractical to change the subnets on Water Control’s laptops for each customer they connect to.
SSL Certificate Twilio
Water Control has chosen to partner with Twilio owing to their tight integration to VTScada.
Twilio requires inbound public hostname access via SSL, and, that the name match the properly issued certificate.
See “VTScada Twilio Alerts” for more detail.
The Solution
Agilicus AnyX: Zero Trust Enables Remote Operations and Asset Management
Agilicus AnyX introduces a Zero Trust framework tailor-made for industrial control systems in public water utilities Zero Trust is the best current practice for Cybersecurity in Industrial Control Systems for Public Water Infrastructure. It integrates effortlessly with existing networks and offers an affordable and low-risk method to enhance both efficiency and security. Whether you already have deployed an IEC-62443 Zone and Conduit model, or are driven more by the Purdue Model, Agilicus provides a low-risk method to enhance both efficiency and security, providing an ideal platform for Zero Trust Remote Operations and Asset Management.
Better User Experience. Better Security
Authentication
Trust starts with identity. Instead of relying on shared passwords, Agilicus AnyX uses federated authentication, from existing identity providers (Microsoft Entra, Okta, Google Workplace, on-site Microsoft Active Directory, etc). This allows users like “jane@manufacturer.domain” to securely access the system without compromising security.
Full Access Control and Visibility
Authorisation
With Agilicus AnyX, system access isn’t binary. You can specify user roles at granular levels, ensuring that users only access what they are supposed to. Moreover, every action is logged for meticulous audit trails. Fine-grained authorisation is necessary for cybersecurity in Industrial Control Systems for Public Water Infrastructure.
Invisible to the World
Access
Agilicus AnyX is designed for the modern world, offering seamless integration with existing firewalls. It uses an outbound-only connection, compatible with NAT systems and non-public IPs, ensuring any user can access any application without the need for a VPN, without inbound ports.
The How
Simple User, Simple Admin, Secure Data Flow
One of the core learnings for Control Water Automation was that their customers also wanted remote access, an unexpected benefit of the new remote operations service. And, the customers required single-sign-on using existing credentials coupled with multi-factor authentication for their security compliance. In some cases, existing credentials meant Azure Active Directory or Google Workplace, but in others, it was an on-premise Active Directory: behind the firewall. Agilicus AnyX solves this seamlessly, allowing both types to act as modern OpenID Connect Single-Sign-On (see Merging Local Identity With Online Identity)
Using Group-Based and Role-Based authorisation means simple config for Control Water Automation: 1 step to add the user, and all rules flow automatically.
Control Water Automation’s customers demanded that there be no inbound port-forward, no DMZ. The Agilicus AnyX Connector, with its outbound-only data flow, all on port 443 to a fixed IP, and inspectible by a next-generation firewall gave the customers the comfort they needed to deploy.
From an end-user perspective (whether Control Water Automation’s team, or, each of their customer’s teams), the system proved very simple to use. All devices, regardless of operating-system or form-factor, support a browser, the only tool they need for the HMI access (VNC, Ignition, VTScada). For Control Water Automation’s team, they use their familiar PLC programming software. No VPN, no worry about overlapping IP, they can work on two customers simultaneously from the same laptop.
For the single-sign-on, each user uses their existing, native, corporate credentials. Typically this means no sign in is needed, even for the users with the on-premise Active Directory: it behaves similarly to signing into Office 365.
Use Cases: Zero Trust Remote Operations and Asset Management
Real-World Applications of Agilicus AnyX For Public Water Systems
Remote HMI Access
Technicians can access HMI remotely, leading to quicker repairs and lesser downtimes.
Shared Diagnostics
Share the SCADA workstation between vendor and customer, in real time. No client to install, open the browser and see the shared session.
Unified Authentication
Single-sign-on, no shared passwords, for manufacturer, integrator, and operator, each with their natural credentials.
Remote PLC Program
Technicians can remotely use e.g. Rockwell studio 5000 to diagnose tags, update firmware.
Real-time Log Files
Performance metrics, diagnostic logs, asset inventory. Reach a Share deep inside the plant in a safe fashion, from anywhere.
Remote Alarms
Twilio SMS alarms, SMTP email alarms, both with no inbound port-forward through firewall
The Conclusion
Profitable, Differentiated Service
By integrating Agilicus AnyX into their remote operations service, Control Water Automation achieved these objectives:
- Increased profit. Subscription based high-margin service with value-based pricing
- Stronger business scaling due to predictable staffing, lower cost due to higher utilisation
- Increased differentiation. Adding end-customer authentication and access proved both popular and unique as well as complex for competitors to replicate
- Lower staff complexity. No overlapping IP to reconfigure. no multiple VPN to install. Simple web-based, no client allowed on-the-go via tablet or phone access as needed
- Pre-packaged service provided easier to train sales staff on, and be simpler to market and sell
Control Water Automation’s customer’s achieved their objectives:
- Decreased mean-time-to-repair. No truck and scheduling time.
- Increasd security and compliance. Single-sign-on, multi-factor, no shared passwords, no concern over previous staff remaining with access
- Aligned interest with Control Water Automation: rather than time & materials pricing, both parties are now incented to maximum uptime, minimum interactions
Zero Trust Remote Operations and Asset Management proved to be non zero-sum: all parties win, all parties profit.
Get In Touch
Ready To Learn More?
Agilicus AnyX Zero Trust enables any user, on any device, secure connectivity to any resource they need—without a client or VPN. Whether that resource is a web application, a programmable logic control, or a building management system, Agilicus can secure it with multi-factor authentication while keeping the user experience simple with single sign-on.
CONTACT
info@agilicus.com, +1 519 953-4332
300-87 King St W, Kitchener, ON, Canada. N2G 1A7
info@partner.com, +1 555 555-5555
1 Main Street, Townsville, ON, Canada. POST-CODE