Security vs Convenience and Acceptance

One of the key challenges with remote connections to industrial control systems is balancing the needs of an engineer or PLC technician with the mandate by the IT department to ensure network security, integrity and reliability. Finding a solution that is readily accepted by both business groups has been a challenge for many years and a source of frustration and inefficiency for all stakeholders.

eWON understood that maintaining network security was essential for IT acceptance. At the same time, eWON realized users will never use solutions that are complex, difficult or interrupt productivity. By balancing both the security and ease of use, eWON has created a best-in-class Remote Access solution that works for both end users and IT managers.

The eWON layered Security Approach

While ease of use is important, the security, integrity, and reliability of eWON's Talk2M cloud infrastructure and its customers' networks is eWON's first priority. Using a defense-in-depth approach based on guidelines set forth by ISO27002, IEC 62443-2-4 and NIST Cyber security Framework 1.0 and other publications, guidelines and industry best practices, eWON developped a managed, hybrid, layered cyber security approach to protect its devices, network and most importantly, its customers's industrial systems. From the Devices to the Policies & Procedures, discover how security is a core competency fully integrated at every level within the framework of our solution.

Talk2M - Security

TALK2M SECURITY EFFECTIVELY MANAGED

HMS is ISO27001:2013 certified for its Cloud Connectivity platform Talk2M. ISO27001 is a well-known and internationally recognized security standard that ensures the security management and continuous improvement on the long-term.

This certification validates a highly demanding Information Security Management System (ISMS) for Talk2M.
Practically, Talk2M ISMS is defined by fine-tuned, risk-driven, security processes and security controls. Those allow to keep pace with changes, identify vulnerabilities, predict security threats and, finally, limit business impacts in case of a security breach.

DOWNLOAD CERTIFICATE

Talk2M - ISO27001

TALK2M STAR CERTIFIED

STAR stands for Security Test Audit Report. Talk2M security environment is regularly tested to ensure a high security level to our platform, and so ensuring the strongest security posture to our customers. Admeritia GmbH has performed and completed tests on the remote connectivity service Talk2M, including all servers and services. As a result, Admeritia GmbH attributed the STAR Certificate to Talk2M.

DOWNLOAD CERTIFICATE

Talk2M - Security Audit Certificate

EWON HARDWARE DEVICES
Network segregation, local device authentication, physical switch for enabling/disabling access

The eWON units are typically installed in the machine control panel with the machine connected on one side(LAN) and the factory network on the other (WAN). When a connection needs to be established the eWON acts as the gatewaythrough which all traffic passes. When the eWON is first configured for VPN access, security settings on the device restrict traffic between its two network interfaces. This network segregation limits remote access to only those devices connected to the LAN of the eWON. Access to the rest of the network is prevented.

The eWONs themselves have user-level access rights separate from the Talk2M login. Only users with appropriate credentials and access rights can change the security settings or modify the data on the eWON. All of our devices feature a digital input. A switch can be connected to this input and the state of the switch can enable or disable the WAN port. This allows the end user to keep full local control of whether or not the device is remotely accessible.

The eWON needs the same type of settings as a PC connected to the same network (IP address, subnet mask and gateway, plus any optional proxy settings). Since the eWON can act as a DHCP client, it can be configured to receive those settings automatically. However, the eWON also can be set up to use a static IP address thatis assigned and controlled by the IT department if preferred.

CD + Cosy + Flexy

FIREWALL
IP, port, and protocol filtering/firewalling available. Restricted access based on user, group, site for all or single devices 

Within the eCatcher application, Talk2M account administrators can set filtering and firewalling rules about which devices behind the eWON are remotely accessible and even over which ports and with which protocols they are accessible. When combined with Talk2M’s user rights management, Talk2M administrators have the ability to tailor the remote access rights to fit their organizational structure.

Talk2M provides 4 different firewall setting rules, from least restricitve to most secure: Standard, High, Enforced, Ultra.

Those 4 firewall levels are based on declared devices IP, ports, gateways and eWON services (FTP server, HTTP server, etc.) access. Moreover, the requested configuration can be applied to a selected group of users.

Zoom_Firewall_Cosy

TRAFFIC ENCRYPTION
VPN sessions are end-to-end encrypted using SSL/TLS protocol

Communications between the remote user and the eWON are fully encrypted using the SSL/TLS protocol, thereby ensuring data authenticity, integrity & confidentiality. Indeed, all users and eWON units are authenticated using x509 SSL certificates and end-to-end traffic is encrypted using strong symmetric & asymmetric algorithms that are part of the SSL/TLS protocol cipher suite.

Security - Encryption

USER AND ACCESS MANAGEMENT
Unique user logins, configurable user rights to different devices, two-factor authentication, connection traceability

A Talk2M account may have an unlimited number of users. Administrators can create unique logins for every user who needs to access equipment remotely. These unique logins makes it easy to grant and revoke access privileges as needed. In addition, Talk2M account administrators can restrict which remote eWONs particular users can access, which sevices behind those eWON are accessible and even the ports on those devices and the communication protocols used. For instance, an administrator might permit remote users to reach the web services in a particular device for monitoring purposes but limit the ports used for making programing changes to only specific engineers.

In a world where 76% of all breaches involve weak or stolen password, eCatcher offers secure authentication mechanisms to re-inforce device access security. Password enforcement and two-factor authentication policy (a password and a confirmation code sent to your mobile phone) are available within eCatcher. Advanced configuration options (remember this PC, password expiration policy) are available for Talk2M Pro users.

Every remote connection is documented on the Talk2M Connection report. The Talk2M Connection report is a powerful IT auditing tool which allows account administrators to monitor which users are connected to which eWON and when and for how long they were connected.

eCatcher - Powerful User Access Control

NETWORK INFRASTRUCTURE
Globally redundant Tier 1 hosting partners, 24/7 monitoring, SOC 1/SSAE 16/ISAE 3402 Data Centers, ISO270001, CSA, SOC2

The Talk2M infrastructure is a critical integrated element in our remote access solution. It is a fully redundant network of distributed access servers, VPN servers, and other services that act as the secure meeting place for eWONs and users. To increase reliability, redundancy and reduce latency, eWON works with multiple industry leading Tier 1, 2 and 3 hosting partners throughout the world to ensure best in class service. Talk2M is hosted in SOC 1, SOC 2/SSAE 16 and ISO 27001:2005 certified data centers. The network of servers is monitored 24/7 to ensure maximum availability and security using intrusion detection systems (IDS), host intrusion prevention systems (HIPS) in addition to an array of alerting mechanisms.

Talk2M - VPN Connection Cosy

POLICY COMPLIANCE
The eWON/Talk2M solution enhances and is compatible with existing corporate security policies, firewall rules, and proxy server

eWON understands that its customer designed their corporate security policies carefully. The Talk2M remote access solution is designed to be compatible with customers’ existing security policies. By using outbound connections over commonly open ports (443 and 1194) and by being compatible to most proxy servers, the eWON is designed to be minimally intrusive on the network and work within the existing firewall rules. Within eCatcher, Talk2M account administrators can customize the password policies to force compliance to corporate password policies and can restrict which users can access which devices remotely. Talk2M account administrators can also view the Talk2M Connection report to see which users are connecting to which devices and when. This report can be a valuable tool to ensure that your corporate remote access policies are being followed. 

eCatcher - audit

We use cookies on this site to enhance your user experience

By clicking any link on this page you ar giving your consent for us to set cookies.

I want to find out more Yes, I agree