Posted on 14-Jun-2020

eWON/Talk2M Security

Serge WAUTIER

eWON/Talk2M Security Model

The eWON security model is built up in layers around the device:

• Policies & Procedures
• Talk2M Network Infrastructure
• User Management & Accountability
• Encryption
• Application
• eWON Device

• Security is one of the cornerstones of our business

• Defense-in-depth approach

• Security approach based on guidelines set forth by ISO 27002, IEC 62443-2-4, the NIST Cybersecurity Framework 1.0 and others

eWON Device

eWON Device: Network segregation, local device authentication, physical switch for enabling/disabling access.

Application

Application: IP, port, and protocol filtering/firewalling available. Access can be restricted by user, group or site, for all devices, a single device or a specific port.

Encryption

Encryption: VPN sessions are end-to-end encrypted using SSL/TLS for session authentication and the IPsec ESP protocol for tunnel transport over UDP and TCP/IP. Supports X.509 PKI, TLS key exchange, a cipher-independent EVP interface for encryption, and HMAC-SHA1 for authenticating tunnel data.

User Management & Accountability

Management & Accountability: unique user logins, configurable user rights to different devices, connection audit trail.

Talk2M Network Infrastructure

Talk2M Network Infrastructure: globally redundant Tier 1 hosting partners, 24/7 monitoring, SOC 1/SSAE 16/ISAE 3402 data centers, ISO 27001, CSA.

Policies & Procedures

Policies & Procedures: the eWON/Talk2M solution enhances and is compatible with existing corporate security policies, firewall rules, and proxy servers.

Talk2M – Security in practice

Security Assessment

• Talk2M Security Assessment by a 3rd party Security Firm

Security: A Corporate Goal

G. Gobert, Security Manager

• Assets inventory & security perimeter
• Security awareness trainings for all employees
• Continuous technical assessments
• Security in products
• Various corporate policies & procedures
• ISO 27001 guidelines
• Relations with large customers
• …

What can YOU do to improve your security?

Talk2M Security Policy

Password Policy

• Free+:
  • Standard: min 8 characters, min one non-letter
  • Enforced: min 8 characters, letters, digits and symbols
• Pro:
  • Min # characters, letters, digits, special characters: take your pick!
  • Total flexibility (with minimum requirements)
• Additional features:
  • Password expiration
  • Mandatory password change
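The three password rules above can be checked mechanically. The checker below is an added example, not eWON/Talk2M code: it treats ASCII punctuation as "symbols" (an assumption) and takes the Pro minimum length and required character classes as parameters, since the slide does not state which floor Pro enforces.

```python
import string

SYMBOLS = set(string.punctuation)  # what counts as a "symbol" is an assumption


def classes_present(pw):
    """Return the set of character classes ('letter', 'digit', 'symbol', 'other') in pw."""
    found = set()
    for ch in pw:
        if ch.isalpha():
            found.add("letter")
        elif ch.isdigit():
            found.add("digit")
        elif ch in SYMBOLS:
            found.add("symbol")
        else:
            found.add("other")  # whitespace, non-ASCII punctuation, ...
    return found


def violations(pw, level="standard", min_len=8, required=("letter", "digit", "symbol")):
    """List the rules the password breaks; an empty list means it passes.

    level "standard": Free+ Standard, min 8 characters and at least one non-letter.
    level "enforced": Free+ Enforced, min 8 characters with letters, digits and symbols.
    level "pro":      Pro, admin-chosen min_len and required classes (the slide gives
                      no Pro floor, so none is modelled here).
    """
    present = classes_present(pw)
    problems = []
    if level == "standard":
        if len(pw) < 8:
            problems.append("shorter than 8 characters")
        if present <= {"letter"}:  # nothing but letters (or empty)
            problems.append("no non-letter character")
    elif level == "enforced":
        if len(pw) < 8:
            problems.append("shorter than 8 characters")
        for cls in ("letter", "digit", "symbol"):
            if cls not in present:
                problems.append(f"no {cls}")
    elif level == "pro":
        if len(pw) < min_len:
            problems.append(f"shorter than {min_len} characters")
        for cls in required:
            if cls not in present:
                problems.append(f"no {cls}")
    else:
        raise ValueError(f"unknown policy level: {level!r}")
    return problems
```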

Account Settings

Talk2M Security Policy

2-Factor Authentication

• Principle:
  • Something you know (your password) and something you own (your cell phone)
  • SMS used for logins
• "Remember me" option
• Authentication SMS are free!
• Available for Free+ and for Pro
• Enabled on a per-user basis
  • Easier to test
  • Easier transition
  • Back-up phone number (the most significant one, account admin, …)

Account Settings

Talk2M Security Policy

eCatcher Connection Log

• All connections are listed:
  • eWONs (online/offline)
  • User logins
  • User connections to eWONs
  • (User messages)
• Do you wonder which users connect? Just check the log!
• Do you have a doubt? Just check the log!

Audit Trail

Talk2M LAN Devices and Firewall: General Principles

● With Talk2M, the connected user has access to the LAN network behind the eWON.
● By default, all devices on the LAN side can be reached.
● You can limit access to some devices only: configure the Talk2M firewall.
● Talk2M offers 4 different levels of internal firewall:
  ● Standard
  ● High
  ● Enforced (Pro only)
  ● Ultra (Pro only)

The firewall level starts at "Standard" because only logged-in users of the Talk2M account can reach the LAN network.

[Diagram: Internet/WAN with the Talk2M VPN server and a logged-in user; eWON with WAN IP 10.10.0.40 and LAN IP 192.168.120.63; LAN-side Ethernet devices PC, HMI and PLC (192.168.120.61, 192.168.120.62, 192.168.120.53) and a Serial PLC on the eWON's serial port.]

Standard

Open padlock: the logged-in user has access to all devices connected to the eWON.

[Diagram: the same network as above, with every LAN device reachable.]

High

[Diagram: the same network, with only the declared devices reachable.]

Closed padlock: the logged-in user has access only to declared devices.

High + port restrictions

[Diagram: the same network; the declared device 192.168.120.62 is listed with port UDP 5001.]

Closed padlock: the logged-in user has access only to declared devices. When a port is specified behind an IP, only this port is allowed.

Talk2M Pro – User Permissions

[Diagram: the same network, with per-user access rights.]

Talk2M Pro allows device access to be limited to certain users only. Example:
- Maintenance Engineer has access to all devices
- Production Manager has access only to the HMI device

Enforced and Ultra (Talk2M Pro only)

[Diagram: the same network, with 192.168.120.62 (port UDP 5001) and the eWON LAN IP 192.168.120.63 shown as targets.]

Talk2M Pro features 2 higher firewall levels:
- Enforced: limit access to the Serial Gateway of the eWON
- Ultra: limit access to the eWON itself (HTTP, FTP, SNMP)
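The firewall levels of the preceding slides (Standard, High with an optional port behind each declared IP, Enforced and Ultra) can be written as a single access decision, which is what a reviewer of a Talk2M account configuration wants to reason about. The model below is an added example, not eWON/Talk2M code: it uses the slide's addresses, takes the serial-gateway port as a labelled placeholder because the slide names none, does not distinguish UDP from TCP, and encodes my reading of the slides that Enforced and Ultra respectively require the serial gateway and the eWON's own services to be explicitly declared.

```python
EWON_LAN_IP = "192.168.120.63"   # eWON LAN IP from the slides
SERIAL_GATEWAY_PORT = 20000      # placeholder: the slide names the serial gateway but gives no port


def classify(dst_ip, dst_port):
    """Which slide element a packet is aimed at: a LAN device, the eWON serial gateway, or the eWON itself."""
    if dst_ip != EWON_LAN_IP:
        return "lan-device"
    if dst_port == SERIAL_GATEWAY_PORT:
        return "serial-gateway"
    return "ewon"  # the eWON's own services (HTTP, FTP, SNMP, ...)


def is_declared(declared, dst_ip, dst_port):
    """True if dst_ip is a declared device and, when a port is specified behind it, the port matches."""
    if dst_ip not in declared:
        return False
    ports = declared[dst_ip]
    return ports is None or dst_port in ports


def allowed(level, declared, dst_ip, dst_port):
    """May a logged-in Talk2M user reach dst_ip:dst_port at this firewall level?
    standard: every LAN-side host; high: declared devices only (optional port);
    enforced: as high, plus the serial gateway must be declared;
    ultra: as enforced, plus the eWON's own services must be declared (my reading of the slides)."""
    if level == "standard":
        return True
    if level not in ("high", "enforced", "ultra"):
        raise ValueError(f"unknown firewall level: {level!r}")
    kind = classify(dst_ip, dst_port)
    declared_ok = is_declared(declared, dst_ip, dst_port)
    if kind == "lan-device":
        return declared_ok
    if kind == "serial-gateway":
        return declared_ok if level in ("enforced", "ultra") else True
    return declared_ok if level == "ultra" else True


def reachable(level, declared, probes):
    """Filter a list of (ip, port) probes down to those the level lets through."""
    return [(ip, port) for ip, port in probes if allowed(level, declared, ip, port)]


# Constructed sample: declared devices as on the slide (.62 restricted to port 5001;
# .61 with any port is assumed) and probes against each slide host plus the eWON itself.
DECLARED = {"192.168.120.62": {5001}, "192.168.120.61": None}
PROBES = [("192.168.120.61", 80), ("192.168.120.62", 5001), ("192.168.120.62", 80),
          ("192.168.120.53", 502), (EWON_LAN_IP, 80), (EWON_LAN_IP, SERIAL_GATEWAY_PORT)]
```

Running `reachable(level, DECLARED, PROBES)` for each level shows the attack surface shrinking from every probe at Standard down to only the two declared LAN devices at Ultra.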

Best Practices

• Protect your passwords
  • Do not send your password to technical support!
• Do not keep default passwords
  • adm/adm
• Use 2-Factor Authentication
• Unique logins for every user
• Use firewall/filtering rules to minimize attack surface

Security

Tools to communicate security to end users:
• Defense in depth (available from our website)
• eWON Security Questionnaire (intended for large accounts)
  • Document intended for Security Managers
  • Work in progress
• Security features
  • Large end users may have their own Talk2M Pro accounts
  • They are in control of remote access security

Thank you!