1. How Security is ensured at the Production Facility
At the production facility, the SiteManager is installed. The SiteManager obtains an IP address via a DHCP server, just like a PC. The SiteManager typically uses the existing corporate infrastructure to reach the Internet to establish an AES encrypted connection to a central GateManager server via standard web ports (https/443), just as a web browser would do. At installation, the SiteManager is configured to connect to a specific GateManager (IP or DNS) and a specific customer domain on the GateManager.
The connection is based on TLS 1.2 and SHA256 and protected against man-in-the-middle attacks by letting every GateManager have a unique TLS certificate/key, to which the SiteManagers binds (aka ToFu “Trust-on-first-use). To remove the binding between a SiteManager and the GateManager, you will have to explicitly reconfigure the GateManager settings in the SiteManager. Since a man-in-the-middle cannot do that by just intercepting the connection, he cannot direct the SiteManager connection to another GateManager even if he had one.
In a normal setup, the SiteManager is connected permanently and makes keep-alive heartbeats to the GateManager every 10 minutes. But remote access to/from the SiteManager can additionally be controlled by the operator either by powering off the SiteManager when not used or by connecting an on/off switch to an input signal of the SiteManager, which opens and closes the GateManager connection.
In the SiteManager, you configure so-called Device Agents that will allow LinkManager users, which have been granted access to the agents, to connect with their LinkManager client to the equipment represented by the Device Agent. The LinkManager user cannot redirect a configured agent to other equipment unless he has been specifically granted access to reconfigure the SiteManager. If for instance an agent has been defined as “Siemens / Ethernet”, this agent will open ports only relevant to Siemens equipment. Or if you configure a PC agent for a Microsoft server, remote users can only access the Remote Desktop of that server, but none of the other services run by that server.
Some of our customers evaluate “Security” and “Safety” in the same process. The SiteManager is prepared for the different safety regulations subject to industrial communication, such as the “EN415 Safety of packaging machines” directive that, among other things, requires that machine builders must make sure that remote service access to machines is properly signaled to the operators. All SiteManagers support an output signal that can be linked with e.g. a warning light. which will inform local operators that remote access/maintenance is in progress, and they should be extra careful when operating or servicing the equipment.
2. How Security is ensured in the Production Facility’s Office Network
The SiteManager contains a stateful inspection firewall between the Uplink port that is used for GateManager access and the Device port that connects to the network with the industrial equipment. This means that no communication can be made from the corporate network to the device network and vice versa. The firewall is simply configured to block all communication except authorized and encrypted data sent between the SiteManager and the GateManager. Furthermore, the hardware SiteManager is based on a hardened operating system, which prevents hostile persons or programs to exploit the connection. This neutralizes both internal and external threats.
The SiteManager can be configured to connect to the GateManager via a secure Web Proxy (including NTLM) which enables the IT department to further control and monitor its access. The IT department can also decide to limit Internet access based on the SiteManager’s IP address or its MAC address, or alternatively limit its connection to another port (11444), which will enable the IT department to distinguish Internet traffic generated by the SiteManager from other users.
If IT corporate policies prevent any form of Internet access via the corporate network, you have the possibility of connecting the SiteManager via 2G/3G/4G. Even the SiteManager models without built-in broadband modems can access the Internet, simply by inserting a standard USB broadband modem into the SiteManager. This option is also ideal as a temporary solution in case the remote service of machines must start before the IT approval process can be finalized.
3. How Security is ensured at the Remote Client side
A LinkManager user logs into the GateManager portal from a web browser with TLS 1.2 and is authenticated based on username, password and a security certificate issued by the GateManager administrator. Optionally the administrator can select SMS validation instead of the certificate, or even as an extra validation in addition to the certificate.
The very first time the LinkManager user attempts to connect to a device to which the user is authorized, a small Windows software module called ”LinkManager” will be downloaded to the user’s PC. Administrator rights are required for the first-time installation, while any following connection attempts can be done with the ordinary Windows user account.
When logged in, the LinkManager user will see a list of sites and devices that the account is authorized to connect to. When connecting to a specific device, the Windows module will create a route entry on the PC that will allow access to the IP address and the specific ports of the device agent representing the device. The LinkManager user cannot reconfigure connections on the LinkManager, and the LinkManager Windows module will not function without the authentication and authorization made from the user’s login to the GateManager
If the user’s PC with the Security certificate got stolen, it would still require the password, which the user has created according to the password strength rules enforced on the GateManager, and if using SMS as validation, it would require the users cell phone also.
4. How Security is ensured on the central M2M Server
Central to the solution is the GateManager M2M server that besides controlling user authentication and authorization, functions as a secure proxy for the SiteManager and LinkManager data connections, based on the access definitions configured by the GateManager administrator.
GateManager is the only component in the solution that has ports exposed on the Internet, but only connections that can be validated as a proper TLS 1.2 session will be allowed.
Should someone be able to obtain access to the server where the GateManager is running, it would still not be possible to connect to any of the equipment managed by the central proxy, simply because connections are not statically open as known from VPN solution, but are only opened on request by a LinkManager user, and are only accessible from programs running on that LinkManager PC.
The most important features of the GateManager administrator portal GUI is to create LinkManager user accounts, organize SiteManagers and Device Agents into logical domains, and to grant access to specific LinkManager users to these domains. A key design goal has been to make this very intuitive in order to eliminate the risk of granting unintended access. It is all controlled by drag and drop, and with clear indication of who has access to what.
Most importantly the GateManager ensures that all events are logged. When a LinkManager established connection to a given device, when a configuration change is made on a SiteManager, when a SiteManager is rebooted, when a firmware is upgraded, when an alert email or SMS was triggered etc. All these events are logged with time stamp, description and the user that caused the event.
Generally, the Secomea solution has complete end-to-end security, ensuring that no one – and nothing – can access equipment without permission. This is further ensured by regular security audits performed by the German security organization ProtectEM GmbH.
NOTE: Secomea offers hosting of your account on our GateManager servers. Only authorized Secomea personal will have access to your account and will only access your account in relation to support questions initiated by the authorized customer representative. All actions performed by Secomea will be logged in the event log of your account.
If your IT policies dictate not to allow third parties access to your equipment or if you have a policy of not being dependent on a third party, you can decide to host your own GateManager. A GateManager is a Linux application that depends on very few applications on the hosting platform, and is well suited for installation in virtualized environments. The network specific part of the GateManager is isolated from the business logic, so the GateManager server installation can be maintained by an IT department while only authorized OT personal can login to the GateManager for access to the user and customer data. Likewise the external backups from the GateManager are encrypted.