Zero Trust
VTScada Twilio Alerts
The power of VTScada Twilio SMS and voice alerts
The security of an airgap
No firewall reconfiguration
No public IP address
The Challenge
Twilio Appears To Require Public Inbound Access to VTScada, No VPN
Would putting your SCADA system on the public Internet keep you up at night? Are you faced with the choice of doing exactly that, or having no proactive monitoring? Want to use Twilio to get push alerts, but can’t in good conscience let SCADA meet the Internet?
Twilio is a simple, reliable service for sending and receiving SMS messages and voice calls from your VTScada system. Twilio is well integrated with VTScada, powerful, and convenient.
Nonetheless, this powerful integration appears to require exposing your VTScada to the public Internet, which is at odds with your plant security regime. How can it be both air-gapped and reachable without a VPN or a firewall change? Can this be achieved?
Three of the key VTScada Twilio integration challenges solved by Agilicus AnyX are:
The Solution
Agilicus AnyX: Zero Trust Advanced Web Application Firewall
Agilicus AnyX provides a unique Zero Trust architecture which is ideal for VTScada integration. Whether it's giving an end-user access to the HMI from a tablet (with Single-Sign-On, with multifactor authentication, without a VPN), or allowing a service-account-based system like Twilio the access it needs, the Agilicus AnyX Identity-Aware Web Application Firewall makes a complex task secure and simple.
Agilicus AnyX creates a unique hostname with a unique, properly signed, managed, and rotated SSL certificate. The AnyX firewall rules match on the Twilio authentication, the VTScada installation GUUID, and the HTTP path, method, and parameters.
You get a complete audit trail and a system that sees no network traffic except what is explicitly allowed. And there is no change to the site firewall (allow outbound, deny inbound: no port-forward, no DMZ, no public IP).
The Highlights
Agilicus AnyX Key Features
Stop the truck, pull over, pull out tablet, 1 click sign in, solve the issue.
Any browser means any device, whether BYOD or managed, owned or partner.
Data Flow
Twilio to VTScada Theory of Operation
The Agilicus Connector runs inside the network where it has access to the VTScada Server. In some cases this means running on the same machine (in which case you can block access locally entirely). In others a switch is used to facilitate micro-segmentation. This Connector makes an outbound connection using HTTPS to the Agilicus AnyX cloud.
Twilio makes an outbound HTTPS GET/POST request (inbound from the VTScada point of view) to a specific endpoint (/realm/GUUID), using an API Key (authentication) you have set up. Twilio sends this to a hostname provided by Agilicus AnyX (using your domain, e.g. my-site-vtscada.mydomain). Agilicus AnyX responds with a well-formed SSL certificate: not self-signed; these are properly attested and rotated. The Firewall then decides whether the request is really from Twilio and addressed to a proper VTScada endpoint. If so, it is forwarded transparently to VTScada; otherwise it is rejected.
Transparent to Twilio, transparent to VTScada, simple to configure.
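The firewall decision described above, as an added illustrative example (this is not Agilicus code and not the AnyX rule format, which this page does not show): a small policy check that forwards a request only when it carries the expected Twilio credential, uses an allowed method, and targets the exact /realm/GUUID endpoint, recording every decision for the audit trail. The GUUID, the API key value, and the X-Api-Key header name are constructed placeholders.

```python
import hmac
from dataclasses import dataclass, field

# Constructed placeholders: the real GUUID comes from the VTScada installation
# and the real key from the Twilio configuration.
VTSCADA_GUUID = "11111111-2222-3333-4444-555555555555"
TWILIO_API_KEY = "example-api-key-not-real"
ALLOWED_METHODS = {"GET", "POST"}
EXPECTED_PATH = f"/realm/{VTSCADA_GUUID}"

AUDIT_LOG: list = []  # every decision, allowed or denied, is recorded here


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def _credential_ok(req: Request) -> bool:
    # Header name is an assumption; the page only says "API Key (authentication)".
    presented = req.headers.get("X-Api-Key", "")
    # Constant-time comparison so response timing does not reveal partial matches.
    return hmac.compare_digest(presented.encode(), TWILIO_API_KEY.encode())


def decide(req: Request) -> tuple:
    """Return (allowed, reason). Identity is checked first, then method,
    then the endpoint; anything that fails any check is rejected."""
    path_only = req.path.split("?", 1)[0]  # query parameters do not change the endpoint
    if not _credential_ok(req):
        reason = "deny: credential mismatch, not Twilio"
    elif req.method not in ALLOWED_METHODS:
        reason = f"deny: method {req.method} not allowed"
    elif ".." in path_only or path_only != EXPECTED_PATH:
        reason = "deny: not the VTScada /realm/GUUID endpoint"
    else:
        reason = "allow: forwarded to VTScada"
    allowed = reason.startswith("allow")
    AUDIT_LOG.append((req.method, req.path, reason))
    return allowed, reason


if __name__ == "__main__":
    ok = Request("POST", EXPECTED_PATH, {"X-Api-Key": TWILIO_API_KEY})
    probe = Request("GET", "/realm/other-guuid", {})  # unauthenticated scan of a wrong path
    for r in (ok, probe):
        print(decide(r))
```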
The data flow for VNC is shown below; it is similar in nature.
The detailed Product Config walks you through the specific setup in the Agilicus AnyX platform.
Would You Like To Learn More?
Agilicus Has The Expertise
The Agilicus team has the expertise, and loves to discuss Zero Trust implementations.
The Chat button on the lower left goes directly to the team, and we invite you to speak with us.