Zero Trust

VTScada Twilio Alerts

Zero Trust VTScada Twilio Alerts
The power of VTScada Twilio SMS and voice alerts
The security of an airgap
No firewall reconfiguration
No public IP address


The Challenge

Twilio Appears To Require Public Inbound Access to VTScada, No VPN

Would putting your SCADA system on the public Internet keep you up at night? Are you posed the challenge: that, or no proactive monitoring? Want to use Twilio to get push alerts, but can’t in good conscience make SCADA meet Internet? The answer is Zero Trust VTScada Twilio Alerts

Twilio is a simple, reliable service allowing sending and receiving SMS, Voice calls from your VTScada system. Twilio is well integrated to VTScada, powerful, convenient.

Nonetheless, this powerful integration appears to require exposing your VTScada to the public Internet. This is at odds with your plant security regime. How can it be both air-gapped and accessible without VPN or firewall? Can this be achieved?

Three of the key VTScada Twilio integration challenges solved by Agilicus AnyX are:

No Public IP, DMZ, Inbound
Your site might be connected via SpaceX’ Starlink, via cellular, with no public IP possible. You may be forbidden from using a layer-4 DMZ or port-forwarding via policy. Agilicus AnyX achieves the direct-access objective compliant your security needs. Outbound-only HTTPS traffic.
No Firewall Changes
Allow outbound, deny inbound. No change needed. You can even lockdown to a specific hostname or IP, immutable, unchanging. No complex firewall reconfiguration or upgrades required.
Complex Remote Access
Cloud-based SaaS doesn’t use fixed IP, so configuring inbound allow/deny ACL on it will not be stable or reliable. Use stable, reliable properties such as VTScada GUUID realm, Twilio Authentication Key. No spoofing, no constant reconfiguration.

The Solution

Agilicus AnyX: Zero Trust VTScada Twilio Alerts

Agilicus AnyX provides a unique Zero Trust architecture which is ideal for VTScada integration. Whether its giving an end-user access to the HMI from a tablet (with Single-Sign-On, with multifactor authentication, without a VPN), or allowing a service-account-based system like Twilio the access it needs, the Agilicus AnyX Identity-Aware Web Application Firewall makes a complex task secure and simple.

Agilicus AnyX creates a unique hostname, with a unique, properly-signed, managed, rotated SSL certificate. The AnyX firewall rules match on the Twilio authentication, the VTScada installation GUUID, as well as on HTTP path, method, parameters. Zero Trust VTScada Twilio Alerts

You get a perfect audit trail, a system that sees no network traffic except for what is allowed. And, no change to the site-firewall (allow outbound, deny inbound: no port-forward, no DMZ, no public IP).

Zero Trust VTScada Twilio Alerts

The Highlights

Agilicus AnyX Key Features

No software to install. Works in any web browser. Tablet, Mobile. Desktop. Windows. Linux. Mac.
Stop the truck, pull over, pull out tablet, 1 click sign in, solve the issue.
No passwords to remember or share. No network addresses to disseminate. Each user sees an icon for each desktop they have permission to.
Operate on URL PATH, Method, Body. Match only Twilio, to only your VTScada Realm. Allow GET, POST as needed. Read-only access if desired.
Securely sign-in as you to do any enterprise application. Use code-based or biometric-based second factor authentication. Regardless of user type: multifactor for employees, contractors, vendor support.
No API keys, no HTTP Basic Authentication. Proper cryptographic access tokens. Full audit trail of each and all use.
Contractors and support staff can request access when needed, you will receive a push-notificaation to accept or reject.
No client to install or license. Works with any browser, no matter how locked down the device.
Any browser means any device, whether BYOD or managed, owned or partner.
All network traffic is HTTPS over WebSocket, with strong SSL/TLS encryption. Full compliance for your security controls. No self-signed certificates.

Data Flow

Twilio to VTScada Theory of Operation

The Agilicus Connector runs inside the network where it has access to the VTScada Server. In some cases this means running on the same machine (in which case you can entirely block access locally). In others a switch is used to facilitate micro-segmentation. This Connector makes an outbound connection using HTTPS to the Agilicus AnyX cloud.

Twilio makes an outbound (inbound to VTScada) HTTPS GET/POST request. It is to a specific endpoint (/realm/GUUID) and uses an API Key (authentication) you have set up. Twilio does this to a hostname provided by Agilicus AnyX (using your domain, e,g. my-site-vtscada.mydomain). Agilicus AnyX responds with a well-formed SSL certificate: no self-signed, these are properly attested and rotated. The Firewall then decides if it is really Twilio, and, to a proper VTScada endpoint. If so, it is then forwarded transparently to the VTScada, else it is rejected.

Transparent to Twilio, transparent to VTScada, simple to configure. Zero Trust VTScada Twilio Alerts.

The data flow for VNC is shown below, this is similar in nature.

VNC Remote Desktop Data Flow

The detailed Product Config walks you through the specific setup in the Agilicus AnyX platform for Zero Trust VTScada Twilio Alerts.

Would You Like To Learn More?

Agilicus Has The Expertise

The Agilicus team has the expertise, and loves to discuss Zero Trust implementations.

The Chat button on the lower left goes directly to the team, and, we invite you to speak with us.