Machine Remote Access and Network Security Utilizing ewon

by Mike Wojda
mwojda@vcail.com
Vision Control and Automation, division of Standard Electric

1. Overview of ewon Technology

Today, most modern production equipment utilizes programmable devices (PLCs, HMIs, VFDs, etc.) to efficiently control a machine or process. When trouble occurs or minor changes need to be made, remote access to the machine can significantly improve response time and minimize the cost of resolving issues. Your equipment supplier or equipment support team can utilize an ewon, which makes it very easy to create an encrypted network connection that allows direct communication exclusively with the designated machine LAN subnet. This connection provides secure control and appropriate firewalls against unauthorized access. Local site concerns about allowing access to a machine at any time can be placed under the direct control of the end user.

(Diagram: DIRECT Encrypted Access to ONLY Machine LAN)

ewon Security 3_2014 rev. e Page 1
2. Secure Tunneling over the Internet

When utilizing an ewon, many current security and industrial networking design principles are embraced, including:

- Encrypted connections
- Network layer zoning or tunneling to a unique machine layer LAN or zone
- Firewall protection for both local and public access
- Required authentication (name and password) with Group Access control
- Activity access logging and reporting

The ewon utilizes cloud-based server(s) (Talk2M) that maintain and manage all ewon remote connections. One of the unique features of the ewon unit is that implementation is both easy and secure. The ewon does not require any special ports or firewall modifications to be made by the user site. If internet access exists with a DHCP server, the ewon is typically plug and go. The ewon utilizes port 80 (general Internet access) and either UDP port 1194 or TCP port 443 for establishing an SSL layer connection (https:) to the Talk2M server. The encryption method utilized is the OpenVPN protocol. Because SSL (OpenVPN) operates at the application layer, it is possible to provide controlled access to specific devices instead of access to the entire corporate LAN network over a common network path. The connection is initiated and maintained by the ewon unit itself from inside the remote site.

Each ewon is identified by a unique 36-digit encryption key and serial number and is accessed by ONLY one Talk2M account. While the Talk2M Server itself has a public IP address, access to it is only allowed with the ecatcher management software from a Windows-based PC and with proper authentication. Each account is identified by a defined ACCOUNT NAME, and logging in requires a valid USER NAME and PASSWORD for authentication. An unlimited number of USER NAME and PASSWORD pairs are supported. Each USER NAME access is logged and locked to the specific MAC address that was last used at log in.
This prevents immediate USER NAME and PASSWORD sharing among several users to access the Talk2M server. Group Access Control designates which ewon(s) are accessible by each user.

In the representation of the ewon layout (page 1), the local network (Factory LAN) is used for internet access only, and the encrypted connection data path is shown in green from the remote programming PC to the ewon's designated machine LAN or ZONE. No access to other IP Zones at the site is allowed. Access to the ewon itself (for configuration changes) is controlled with a separate unique USER NAME and PASSWORD with access level control. An ewon unit will ONLY respond to the Talk2M server.

For ewon systems that utilize an optional cellular (GSM) connection, there is no direct path to anything other than the machine LAN Zone. Protection is provided by the same topology, in that an ewon will ONLY respond to the Talk2M server. Direct access from the cellular network IP is disabled by default and NOT ALLOWED.
3. Local Control and Access Tracking

When using an ewon for remote access, local site concerns about allowing access to a machine at any time can be placed under the direct control of the end user. Several ways to control access are:

1. Key-Switch control (digital input enable)
2. Tag value control from PLC or HMI
3. Physical removal of internet connection (user unplugs WAN port)
4. Static IP address control (user site IT managed)
5. VLAN internet access (user site IT managed)
6. Proxy Server (user site IT managed)

Additional site security features of the ewon are:

- ewon units are not pingable and will ONLY respond to Talk2M server requests.
- ewon does not require a static IP address. In fact, knowing the ewon's assigned address has no value for remote access.
- Local access to the Machine LAN Zone from the Factory LAN Zone is NOT ALLOWED by default.
- Access to IP addresses or other Zones (such as the Factory LAN) through the remote connection is NOT ALLOWED.
- ewon devices require a valid user NAME and PASSWORD to make any configuration changes.
- Optional requesting-IP-address security can be implemented on the ewon (login must be from a specific machine IP) for greater security, in addition to USER NAME and PASSWORD for configuration changes.

Unlike many other VPN schemes, all connections are monitored, and reports can be generated by the Talk2M account manager showing who made a connection to each device, for how long, and how much data was transferred. Individual ewon access is controlled by the Talk2M account administrator(s). Below is a sample report initiated by the Talk2M account administrator.

(Figure: SAMPLE REPORT of ewon Access)
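To show what an account administrator can draw from the logging described in this section (per-user, per-device sessions with duration and data volume) together with the USER NAME-to-MAC lock from section 2, here is an added Python example; it is not code from the ewon or Talk2M product, and the record layout, user names, ewon names, MAC addresses and figures are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed connection records modelled on the Talk2M usage report described
# above. The columns, user names, ewon names, MAC addresses and figures are
# made up for this example; they are not the real report format.
RECORDS = [
    # user, ewon, client MAC, session start, session end, bytes transferred
    ("jsmith", "press_line_1", "AA:BB:CC:00:00:01", "2014-03-03 08:00", "2014-03-03 08:45", 5_200_000),
    ("jsmith", "press_line_1", "AA:BB:CC:00:00:01", "2014-03-04 14:10", "2014-03-04 14:25", 900_000),
    ("ajones", "packaging",    "AA:BB:CC:00:00:02", "2014-03-04 09:00", "2014-03-04 09:30", 1_500_000),
    ("ajones", "packaging",    "AA:BB:CC:00:00:07", "2014-03-04 09:05", "2014-03-04 09:20", 300_000),
]

_FMT = "%Y-%m-%d %H:%M"


def session_minutes(start: str, end: str) -> int:
    """Length of one session in whole minutes."""
    delta = datetime.strptime(end, _FMT) - datetime.strptime(start, _FMT)
    return int(delta.total_seconds() // 60)


def usage_report(records):
    """Per (user, ewon): how often they connected, for how long, how much data."""
    report = defaultdict(lambda: {"sessions": 0, "minutes": 0, "bytes": 0})
    for user, ewon, _mac, start, end, nbytes in records:
        entry = report[(user, ewon)]
        entry["sessions"] += 1
        entry["minutes"] += session_minutes(start, end)
        entry["bytes"] += nbytes
    return dict(report)


def users_seen_from_multiple_macs(records):
    """USER NAMEs that appear from more than one client MAC in the period.

    Talk2M locks a USER NAME to the MAC last used at login, so a USER NAME
    showing up from a second MAC is the entry an administrator should review
    for shared credentials; overlapping sessions, as in the sample data,
    are the strongest sign.
    """
    macs = defaultdict(set)
    for user, _ewon, mac, *_ in records:
        macs[user].add(mac)
    return {user: sorted(seen) for user, seen in macs.items() if len(seen) > 1}
```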
4. INDUSTRIAL NETWORKING DESIGN

Early adopters of Ethernet implementation in industrial control and smaller factory systems may have started with, and continue to use, a single IP subnet address range that all equipment was/is tied to (referred to as a Flat Network). While this made it easy to access any device within the facility from a single connection, severe security and virus-spreading concerns are now a reality, as anyone or any device with access to this network (including an outside breach of the network, or other remote access schemes such as PC remote viewers) may have unintended access to everything in the facility.

Current industrial Ethernet design refers to industry standards such as ANSI/ISA-99.02.01 and IEC 62443. These standards recommend zone-based network segmentation and secure conduits. The ewon by design REQUIRES that the Machine LAN or Zone (local ewon LAN IP range) and the Factory LAN (or LAN used to access the internet) be different IP subnet ranges. This requires even facilities with a Flat Network to start the process of limiting access and Machine LAN Zoning. The ewon creates an Encrypted and Secure Conduit from the Talk2M Server direct to the designated Machine LAN or Zone. Access to other devices or networks within the facility from the ewon remote connection is NOT ALLOWED. (Refer to the system diagram on page 1.)

If secured local Factory LAN access to the Machine LAN is required (Short Haul or southbound traffic), the ewon's local firewall can be disabled, and several routing options exist to use the ewon as a host or as a local gateway. Access to other devices on the Factory LAN remains blocked from the ewon's remote connection.

More complex networking layouts work with ewon as well. Creating special encrypted tunnels or conduits from the public zone direct to the designated zone level using VLANs, while not necessary, can optionally be utilized for additional segmentation of network access.

5. Additional Access Control and Security
With the ewon for Remote Access and the release of ecatcher 4 (the Talk2M client software), many additional features have been added related to the security of, and access to, remote devices.

Extended Password Syntax. In ecatcher 4, password character length, special character requirements and expiration time (number of days before the password expires) can optionally be set by the Talk2M account administrator(s). This gives flexibility to comply with specific password policies that may be required.

Enhanced Firewall Capabilities. Prior to ecatcher 4, ALL devices connected to the ewon LAN (Machine Sub-Net) were reachable by a connected Talk2M user. Now it is possible to allow connections only to specific LAN devices (IP addresses) and on specific ports. In addition, each LAN device can be restricted to a specific protocol. Security levels can also be assigned on each ewon LAN, ranging from firewall access to all devices on the LAN down to declared LAN devices only. Specific protocols (HTTP, FTP, SNMP, etc.) can also be declared per device.

LAN Devices Display. For easier linking to specific devices (defined with the firewall), each LAN device can be named and displayed on the ecatcher access page and optionally on the M2Web page for directed access to specific devices.
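An added Python model of the declared-device firewall described above, placing the pre-ecatcher-4 behaviour (every host on the ewon LAN reachable once connected) next to the declared-devices-only policy with default deny. This is not the ewon's own code or configuration syntax; device names, addresses, ports and rules are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed model of the per-device firewall described above: declared LAN
# devices, each with the ports and protocols a connected Talk2M user may
# reach. Device names, addresses and rules are made up for this example and
# are not the ewon's own configuration syntax.


@dataclass
class LanDevice:
    name: str
    ip: str
    allowed: dict = field(default_factory=dict)  # {port: {"TCP", "UDP"}}


@dataclass
class EwonLanFirewall:
    devices: list
    declared_only: bool = True  # False models the pre-ecatcher-4 behaviour

    def allows(self, dst_ip: str, dst_port: int, proto: str) -> bool:
        """Decide one connection attempt from the VPN side to the Machine LAN."""
        if not self.declared_only:
            return True  # every host on the ewon LAN reachable once connected
        for dev in self.devices:
            if dev.ip == dst_ip:
                return proto.upper() in dev.allowed.get(dst_port, set())
        return False  # undeclared device, or undeclared port/protocol: deny

    def exposed(self):
        """List every (device, port, protocol) reachable under a declared-only policy."""
        return sorted((d.name, p, pr) for d in self.devices
                      for p, prs in d.allowed.items() for pr in prs)


def example_policy() -> EwonLanFirewall:
    """Constructed Machine LAN: HMI web page only; PLC FTP and SNMP only."""
    return EwonLanFirewall([
        LanDevice("hmi", "192.168.10.20", {80: {"TCP"}}),
        LanDevice("plc", "192.168.10.10", {21: {"TCP"}, 161: {"UDP"}}),
    ])
```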
6. Summary and Review

In summary, when an ewon is utilized for remote access, many of the principles of both modern industrial Ethernet design and remote access security are implemented. It is easy to implement and secure, and access is directed to ONLY the Machine LAN. Some of the highlights are:

- Special software required for Talk2M Server access (ecatcher)
- Encrypted (OpenVPN) connection
- Authentication required; each user has a unique USER NAME and PASSWORD
- Site-side implementation REQUIRES a separate Machine LAN or ZONE
- ewon setup or configuration changes require an additional device user NAME and PASSWORD
- ewon only responds to requests from the Talk2M server (not pingable)
- Talk2M utilization reports for ALL activity

If we were to review what would be required to breach an ewon implementation at a site, several layers of protection exist, such as:

- Access to Talk2M by unauthorized personnel: DENIED. Requires both the ecatcher software and a valid USER NAME, PASSWORD and ACCOUNT NAME for Talk2M access.
- Access to the ewon from another valid Talk2M account login: DENIED. Only the Talk2M account that the ewon is registered to has access.
- Access to the ewon directly from OUTSIDE the site: DENIED. In addition to local firewalls, the ewon is NOT pingable and will not respond to anything but the Talk2M server.
- Access to the ewon directly from INSIDE the site: DENIED. The ewon is NOT pingable and will not respond to anything but the Talk2M server.
- Unauthorized changes to the ewon device: DENIED. The proper user NAME and PASSWORD and ACCESS Level permissions (the ewon has 10 levels of ACCESS) are required to make changes.
- Access to ALL devices on the ewon LAN: DENIED if the optional device firewall(s) and access levels are set by the Talk2M administrator.

Additional questions and comments about the ewon can be directed to our engineering support team at www.standardelectricsupply.com/support or call 1-800-318-4618.
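The highlight "Site-side implementation REQUIRES a separate Machine LAN or ZONE" (the zoning rule from section 4) is something a site can check before an ewon is installed. The following Python is an added example, not code from the ewon or Talk2M product; the zone names and address ranges are constructed, and the pairwise check between several machine zones goes beyond what the text states.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed zone plan (not from the ewon documentation): the ewon WAN side
# is the Factory LAN used only to reach the Internet; each ewon LAN side is a
# Machine LAN zone. Names and address ranges are made up for this example.
FACTORY_LAN = "10.0.0.0/16"
MACHINE_ZONES = {
    "press_line_1": "192.168.10.0/24",
    "packaging": "192.168.20.0/24",
}


def zoning_errors(factory_lan: str, machine_zones: dict) -> list:
    """Return human-readable problems with a proposed zone plan.

    The rule from the text: the Machine LAN (ewon LAN side) must be a different
    IP subnet from the Factory LAN (ewon WAN side), so a Flat Network where both
    share a range is rejected. The pairwise check between machine zones goes
    beyond the text: it keeps several ewon zones on one site from overlapping.
    """
    errors = []
    wan = ip_network(factory_lan, strict=True)
    lans = {}
    for name, cidr in machine_zones.items():
        try:
            lans[name] = ip_network(cidr, strict=True)  # rejects host bits set
        except ValueError as exc:
            errors.append(f"{name}: invalid network {cidr!r} ({exc})")
    for name, lan in lans.items():
        if lan.overlaps(wan):
            errors.append(f"{name}: Machine LAN {lan} overlaps Factory LAN {wan} (flat network)")
    for (n1, l1), (n2, l2) in combinations(lans.items(), 2):
        if l1.overlaps(l2):
            errors.append(f"{n1}/{n2}: machine zones {l1} and {l2} overlap")
    return errors


def plan_is_valid(factory_lan: str, machine_zones: dict) -> bool:
    """True when the Factory LAN and every Machine LAN zone are distinct subnets."""
    return not zoning_errors(factory_lan, machine_zones)
```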