Zero Trust Remote Operations and Asset Management


Add Remote Operations Service, Profit

Water Control Automation, a system integrator, added a new wastewater remote operations service. This service proved more profitable than their existing time & materials support.
– charging based on value rather than cost-plus
– predictable long-term contracts lowered staffing challenges and costs

Water Control Automation discovered that by effectively resolving the issue of remote access for their customers, they were able to position themselves as the go-to solution for connectivity needs. They offered authentication and access services, which set them apart from competitors and enabled them to command higher prices while reducing concerns about competition.

Water Control Automation’s customers were pleased with the increased security, as well as the improved mean-time-to-repair.

Making Agilicus AnyX part of Water Control Automation’s new remote operations service unlocked high value in a short time, without increased security risk. Zero Trust Remote Operations and Asset Management was a win.


Water Control Automation Background

Water Control Automation (not their real name) is a full-service system integrator and engineering company. They have an in-house panel shop and expertise in Schneider Electric and Rockwell Automation Allen-Bradley Programmable Logic Controllers. A large part of their business is creating and supporting Human Machine Interfaces, using either VTScada or Ignition.

Historically, Water Control’s business has grown in a project-based fashion. They would bid on projects, build, commission, and warranty their work, with ad-hoc support handled after the first year on a time and materials basis. This growth pattern, while ultimately successful for Water Control, has created a feast-or-famine problem. In some periods there has been insufficient work; in others, they have had to turn away new business because they could not fulfil it. Water Control sought to create an ongoing subscription revenue stream that would allow them to run a more predictable business, scaling their team and capacity more linearly, with higher utilisation and efficiency yielding more billable hours per person.

Water Control Automation set out to create a new service offering that would include Remote Operations and Asset Management (ROAM). This remote monitoring package would leverage Twilio, cloud-based monitoring and reporting, as well as on-call remote maintenance. In this case study we discuss some of the challenges found, how Agilicus AnyX was used to overcome them, and some of the unexpected benefits to Water Control Automation’s customers.


Remote Operations and Water Plants

Water plants are notoriously complex for remote access. They typically use an air-gap style network architecture, blocking all inbound and outbound traffic. They do so because there is no internal security: all internal devices are wide open to each other, with minimal or no authentication. To be simple to deploy and acceptable to their customers’ security staff, Water Control Automation needed a strong method of remote access that works with all firewall types, ensuring that all traffic is encrypted and that firewall rules for it are simple to create.

The plant operator’s security policy typically requires non-shared accounts and multi-factor authentication. This rules out back-door type solutions using TeamViewer and Ewon.

VPNs are not an acceptable solution. From a Water Control Automation standpoint, they cannot install multiple VPNs on each staff laptop. They need concurrent access to each customer, even though those customers have overlapping IP space (making routing impossible). From a customer standpoint, they do not allow a VPN since it would provide over-broad access into the customer’s network, increasing the risk.

In addition, some of the wastewater plants do not have public IP or inbound access possible: due to their remote nature, they use satellite or cellular connectivity.

Water Control Automation thus became aware of six primary challenges standing in the way of launching a turnkey remote operations service.

Firewall Traversal

Firewall configuration is complex. Avoid requiring inbound access. Avoid requiring outbound access to unknown or changing IP addresses.

All traffic must be HTTPS to go through firewall inspection systems.

Authentication

Shared accounts are a security risk. All users, whether customer or partner, must have unique, single-sign-on identities with strong authentication.

No new passwords: they get written down, breached, shared.

See “Eliminating the Business Risk of Shared Credentials” for more details.

Multi-Factor

All users must use multi-factor authentication. This cannot be shared.

It would be impractical for Water Control Automation to have a separate multi-factor setup for each customer: the users would not be able to operate efficiently.

VPN

A VPN is all-or-nothing access. The wastewater plant operator has many resources internally, and not all of them are required, or suitable, for Water Control to operate remotely. Some of the RTUs are sensitive yet not segmented.

Overlapping IP

All wastewater plants use private IP (RFC 1918) addresses internally. A VPN would require routing rules, and would prevent Water Control from managing multiple customers concurrently.

It would be impractical to change the subnets on Water Control’s laptops for each customer they connect to.
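As an added illustration of the overlapping-IP constraint described above (example code written for this page, not code from Agilicus or Water Control Automation), the following Python script checks whether a set of customer plant subnets are RFC 1918 space and whether any pair of them could coexist as VPN routes in one laptop’s route table. The plant names and subnets are constructed sample values.

```python
import ipaddress
from itertools import combinations

# RFC 1918 private address blocks, the ranges the plants use internally.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data (not real customer subnets): three plants, two of
# which happen to use the same 192.168.1.0/24 block, as is common in practice.
CUSTOMER_SUBNETS = {
    "plant-a": ["192.168.1.0/24", "10.0.0.0/16"],
    "plant-b": ["192.168.1.0/24"],
    "plant-c": ["172.16.5.0/24"],
}


def is_rfc1918(cidr):
    """True if the whole subnet lies inside one of the RFC 1918 blocks."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(block) for block in RFC1918)


def route_conflicts(customers):
    """Return (customer_a, customer_b, subnet_a, subnet_b) for every pair of
    subnets that overlap. A laptop with a VPN tunnel to each site would need
    a route for both subnets, but one route table cannot send the same
    destination prefix down two different tunnels."""
    conflicts = []
    for (a, a_nets), (b, b_nets) in combinations(customers.items(), 2):
        for x in a_nets:
            for y in b_nets:
                if ipaddress.ip_network(x).overlaps(ipaddress.ip_network(y)):
                    conflicts.append((a, b, x, y))
    return conflicts


def concurrent_vpn_possible(customers, active):
    """True only if the named customers could all be reached over
    site-to-laptop VPNs at the same time (no overlapping prefixes)."""
    subset = {name: customers[name] for name in active}
    return not route_conflicts(subset)


if __name__ == "__main__":
    for name, nets in CUSTOMER_SUBNETS.items():
        print(name, "all RFC 1918:", all(is_rfc1918(n) for n in nets))
    for a, b, x, y in route_conflicts(CUSTOMER_SUBNETS):
        print(f"VPN route conflict: {a} {x} overlaps {b} {y}")
    print("plant-a + plant-c at once:", concurrent_vpn_possible(CUSTOMER_SUBNETS, ["plant-a", "plant-c"]))
```

An outbound-only connector that addresses each customer’s resources by name rather than by routed IP prefix avoids these conflicts entirely, which is why the page’s approach allows two customers to be worked on from the same laptop.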

SSL Certificate for Twilio

Water Control has chosen to partner with Twilio owing to their tight integration to VTScada.

Twilio requires inbound access to a public hostname over SSL, and that the hostname match a properly issued certificate.


Agilicus AnyX: Zero Trust Enables Remote Operations and Asset Management


Authentication

Trust starts with identity. Instead of relying on shared passwords, Agilicus AnyX uses federated authentication from existing identity providers (Microsoft Entra, Okta, Google Workspace, on-site Microsoft Active Directory, etc.). This allows users like “jane@manufacturer.domain” to securely access the system without compromising security.


Authorisation

With Agilicus AnyX, system access isn’t binary. You can specify user roles at granular levels, ensuring that users only access what they are supposed to. Moreover, every action is logged for meticulous audit trails. Fine-grained authorisation is necessary for cybersecurity in Industrial Control Systems for Public Water Infrastructure.


Access

Agilicus AnyX is designed for the modern world, offering seamless integration with existing firewalls. It uses an outbound-only connection, compatible with NAT systems and non-public IPs, ensuring any user can access any application without the need for a VPN, without inbound ports.


Simple User, Simple Admin, Secure Data Flow

Using group-based and role-based authorisation means simple configuration for Water Control Automation: one step to add the user, and all rules flow automatically.

Water Control Automation’s customers demanded that there be no inbound port-forward and no DMZ. The Agilicus AnyX Connector, with its outbound-only data flow, all on port 443 to a fixed IP, and inspectable by a next-generation firewall, gave the customers the comfort they needed to deploy.

From an end-user perspective (whether Water Control Automation’s team or each of their customers’ teams), the system proved very simple to use. All devices, regardless of operating system or form factor, support a browser, the only tool they need for HMI access (VNC, Ignition, VTScada). Water Control Automation’s team uses their familiar PLC programming software. With no VPN and no worry about overlapping IP, they can work on two customers simultaneously from the same laptop.

For single sign-on, each user uses their existing, native corporate credentials. Typically this means no separate sign-in is needed, even for users with on-premises Active Directory: it behaves similarly to signing into Office 365.


Profitable, Differentiated Service

By integrating Agilicus AnyX into their remote operations service, Water Control Automation achieved these objectives:

  1. Increased profit. Subscription based high-margin service with value-based pricing
  2. Stronger business scaling due to predictable staffing, lower cost due to higher utilisation
  3. Increased differentiation. Adding end-customer authentication and access proved both popular and unique as well as complex for competitors to replicate
  4. Lower staff complexity. No overlapping IP to reconfigure, no multiple VPNs to install. Simple web-based access with no client, allowing on-the-go use via tablet or phone as needed
  5. A pre-packaged service proved easier to train sales staff on, and simpler to market and sell

Water Control Automation’s customers achieved their objectives:

  1. Decreased mean-time-to-repair. No truck and scheduling time.
  2. Increased security and compliance. Single sign-on, multi-factor, no shared passwords, no concern over previous staff retaining access
  3. Aligned interest with Water Control Automation: rather than time & materials pricing, both parties are now incentivised toward maximum uptime and minimum interactions

Zero Trust Remote Operations and Asset Management proved to be non zero-sum: all parties win, all parties profit.

Ready To Learn More?

Agilicus AnyX Zero Trust enables any user, on any device, secure connectivity to any resource they need—without a client or VPN. Whether that resource is a web application, a programmable logic controller, or a building management system, Agilicus can secure it with multi-factor authentication while keeping the user experience simple with single sign-on.


info@agilicus.com, +1 ‪519 953-4332‬

300-87 King St W, Kitchener, ON, Canada. N2G 1A7
