Security vs. Convenience and Acceptance

One of the key challenges with remote connections to industrial control systems is balancing the needs of an engineer or PLC technician with the mandate by the IT department to ensure network security, integrity and reliability. Finding a solution that is readily accepted by both business groups has been a challenge for many years and a source of frustration and inefficiency for all stakeholders. eWON understood that maintaining network security was essential for IT acceptance. At the same time, eWON realized users will never use solutions that are complex, difficult or interrupt productivity. By balancing both the security and ease of use, eWON has created a best-in-class Remote Access solution that works for both end users and IT managers.

eWON Layered Security Approach - Defense-in-Depth Approach


While ease of use is important, the security, integrity, and reliability of eWON's Talk2M cloud infrastructure and its customers' networks are eWON's first priority. Using a defense-in-depth approach based on guidelines set forth by ISO 27002, IEC 62443-2-4 and the NIST Cybersecurity Framework 1.0, as well as other publications, guidelines and industry best practices, eWON developed a managed, hybrid, layered cyber security approach to protect its devices, its network and, most importantly, its customers' industrial systems. From the devices to the policies and procedures, discover how security is a core competency fully integrated at every level within the framework of our solution.

eWON Hardware Devices

Network segregation, local device authentication, physical switch for enabling/disabling access

The eWON units are typically installed in the machine control panel with the machine connected on one side (LAN) and the factory network on the other (WAN). When a connection needs to be established, the eWON acts as the gateway through which all traffic passes. When the eWON is first configured for VPN access, security settings on the device restrict traffic between its two network interfaces. This network segregation limits remote access to only those devices connected to the LAN of the eWON. Access to the rest of the network is prevented.

The eWONs themselves have user-level access rights separate from the Talk2M login. Only users with appropriate credentials and access rights can change the security settings or modify the data on the eWON. All of our devices feature a digital input. A switch can be connected to this input and the state of the switch can enable or disable the WAN port. This allows the end user to keep full local control of whether or not the device is remotely accessible.

The eWON needs the same type of settings as a PC connected to the same network (IP address, subnet mask and gateway, plus any optional proxy settings). Since the eWON can act as a DHCP client, it can be configured to receive those settings automatically. However, the eWON can also be set up to use a static IP address that is assigned and controlled by the IT department if preferred.

Application

IP, port, and protocol filtering/firewalling available. Restricted access based on user, group or site for all or single devices

Within the eCatcher application, Talk2M account administrators can set filtering and firewalling rules about which devices behind the eWON are remotely accessible and even over which ports and with which protocols they are accessible. When combined with Talk2M’s user rights management discussed below, Talk2M administrators have the ability to tailor the remote access rights to fit their organizational structure.

In a world where 76% of all breaches involve weak or stolen passwords, eCatcher offers secure authentication mechanisms to reinforce device access security. Password enforcement and a two-factor authentication policy (a password and a confirmation code sent to your mobile phone) are available within eCatcher. Advanced configuration options (remember this PC, password expiration policy) are available for Talk2M Pro users.

Encryption

VPN sessions are end-to-end encrypted using the SSL/TLS protocol

Communications between the remote user and the eWON are fully encrypted using the SSL/TLS protocol, thereby ensuring data authenticity, integrity and confidentiality. All users and eWON units are authenticated using X.509 certificates, and end-to-end traffic is encrypted using the strong symmetric and asymmetric algorithms that are part of the negotiated SSL/TLS cipher suite.

Management & Accountability

Unique user logins, configurable user rights to different devices, connection traceability

A Talk2M account may have an unlimited number of users. Administrators can create unique logins for every user who needs to access equipment remotely. These unique logins make it easy to grant and revoke access privileges as needed. In addition, Talk2M account administrators can restrict which remote eWONs particular users can access, which devices behind those eWONs are accessible, and even the ports on those devices and the communication protocols used. For instance, an administrator might permit remote users to reach the web services of a particular device for monitoring purposes but limit the ports used for making programming changes to only specific engineers.
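The per-user, per-device, per-port access model described in the two paragraphs above (the eCatcher filtering rules and the Talk2M user rights), as an added illustration that is not eWON's own code or configuration format: a default-deny evaluator in which the group names, site names, addresses, protocols and ports are all constructed for the example.

```python
"""Added example: default-deny evaluation of remote access rights by
user group, eWON (site), device behind the eWON, protocol and port.
Rule layout, users, groups, addresses and ports are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    groups: frozenset   # user groups the rule applies to
    ewon: str           # eWON (site) the rule is scoped to
    lan: str            # device(s) behind the eWON, as a host or CIDR
    protocol: str       # "tcp", "udp" or "any"
    ports: frozenset    # allowed destination ports; empty means all

# Constructed user-to-group assignments.
USERS = {
    "alice": {"monitoring"},
    "bob": {"engineering", "monitoring"},
}

# Constructed policy: "monitoring" may reach the PLC's web server only;
# "engineering" may additionally use the programming port (102/tcp is a
# stand-in for the controller's programming protocol). Any device, port
# or protocol not listed is unreachable.
RULES = [
    Rule(frozenset({"monitoring"}), "line1", "192.168.10.5/32", "tcp",
         frozenset({80, 443})),
    Rule(frozenset({"engineering"}), "line1", "192.168.10.5/32", "tcp",
         frozenset({102})),
]

def is_allowed(user, ewon, dst_ip, protocol, port, users=USERS, rules=RULES):
    """True only if some rule matches the user's group, the eWON, the
    destination device, the protocol and the port; otherwise deny."""
    groups = users.get(user, set())
    if not groups:
        return False
    dst = ip_address(dst_ip)
    for r in rules:
        if r.ewon != ewon or not (groups & r.groups):
            continue
        if dst not in ip_network(r.lan, strict=False):
            continue
        if r.protocol not in ("any", protocol):
            continue
        if r.ports and port not in r.ports:
            continue
        return True
    return False
```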

Every remote connection is documented in the Talk2M Connection report. The Talk2M Connection report is a powerful IT auditing tool that allows account administrators to monitor which users connected to which eWON, when, and for how long.

Network Infrastructure

Globally redundant Tier 1 hosting partners, 24/7 monitoring, SOC 1/SSAE 16/ISAE 3402 data centers, ISO 27001, CSA, SOC 2

The Talk2M infrastructure is a critical integrated element in our remote access solution. It is a fully redundant network of distributed access servers, VPN servers, and other services that act as the secure meeting place for eWONs and users. To increase reliability and redundancy and to reduce latency, eWON works with multiple industry-leading Tier 1, 2 and 3 hosting partners throughout the world to ensure best-in-class service. Talk2M is hosted in SOC 1, SOC 2/SSAE 16 and ISO 27001:2005 certified data centers. The network of servers is monitored 24/7 to ensure maximum availability and security using intrusion detection systems (IDS) and host intrusion prevention systems (HIPS), in addition to an array of alerting mechanisms.

Policies & Procedures

The eWON/Talk2M solution enhances and is compatible with existing corporate security policies, firewall rules, and proxy servers

eWON understands that its customers designed their corporate security policies carefully. The Talk2M remote access solution is designed to be compatible with customers' existing security policies. By using outbound connections over commonly open ports (443 and 1194) and by being compatible with most proxy servers, the eWON is designed to be minimally intrusive on the network and to work within the existing firewall rules. Within eCatcher, Talk2M account administrators can customize the password policies to enforce compliance with corporate password policies and can restrict which users can access which devices remotely. Talk2M account administrators can also view the Talk2M Connection report to see which users are connecting to which devices and when. This report can be a valuable tool to ensure that your corporate remote access policies are being followed.
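How a connection report of the kind described above (and in the Management & Accountability section) can be checked against a corporate remote access policy, as an added example that is not eWON's code: the CSV layout, users, site names, working hours and session cap are constructed for illustration and are not the actual layout of the Talk2M Connection report.

```python
"""Added example: audit connection-report style records (who connected
to which eWON, when, for how long) against a constructed policy."""
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample records: user, eWON (site), session start and end.
REPORT_CSV = """user,ewon,start,end
alice,line1,2024-03-04 09:12:00,2024-03-04 09:40:00
bob,line1,2024-03-04 22:30:00,2024-03-05 01:15:00
carol,line2,2024-03-05 10:05:00,2024-03-05 10:20:00
bob,line2,2024-03-05 14:00:00,2024-03-05 19:30:00
"""

# Constructed corporate policy: authorised users per eWON, the hours in
# which remote sessions are expected to start, and a session cap.
ALLOWED = {"line1": {"alice", "bob"}, "line2": {"bob"}}
WORK_HOURS = (7, 19)            # session must start between 07:00 and 19:00
MAX_SESSION = timedelta(hours=4)

def parse_report(text):
    """Parse the CSV records into dicts with datetime start/end."""
    fmt = "%Y-%m-%d %H:%M:%S"
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "user": row["user"],
            "ewon": row["ewon"],
            "start": datetime.strptime(row["start"], fmt),
            "end": datetime.strptime(row["end"], fmt),
        })
    return rows

def audit(rows):
    """Return (user, ewon, reason) findings for sessions that breach policy.
    A single session can produce more than one finding."""
    findings = []
    for r in rows:
        user, ewon = r["user"], r["ewon"]
        if user not in ALLOWED.get(ewon, set()):
            findings.append((user, ewon, "user not authorised for this eWON"))
        if not WORK_HOURS[0] <= r["start"].hour < WORK_HOURS[1]:
            findings.append((user, ewon, "session started outside working hours"))
        if r["end"] - r["start"] > MAX_SESSION:
            findings.append((user, ewon, "session longer than %s" % MAX_SESSION))
    return findings
```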