eWON Security Model
• Policies & Procedures
• Talk2M Network Infrastructure
• User Management & Accountability
• Encryption
• Application
• eWON Device
• Security is one of the cornerstones of our business
• Defense-in-depth approach
• Security approach based on guidelines set forth by ISO 27002, IEC 62443-2-4, the NIST Cybersecurity Framework 1.0 and others
eWON Device: Network segregation, local device authentication, physical switch for enabling/disabling access.
Application: IP, port, and protocol filtering/firewalling available. Restricted access based on user, group or site, for all devices, a single device or a specific port.
Encryption: VPN sessions are end-to-end encrypted using SSL/TLS for session authentication and the IPsec ESP protocol for tunnel transport over UDP and TCP/IP. Supports X.509 PKI, TLS key exchange, a cipher-independent EVP interface for encryption, and HMAC-SHA1 for authenticating tunnel data.
User Management & Accountability: Unique user logins, configurable user rights to different devices. Connection audit trail.
Talk2M Network Infrastructure: Globally redundant Tier 1 hosting partners, 24/7 monitoring, SOC 1/SSAE 16/ISAE 3402 data centers, ISO 27001, CSA.
Policies & Procedures: The eWON/Talk2M solution enhances and is compatible with existing corporate security policies, firewall rules and proxy servers.
Security: A Corporate Goal
• Assets inventory & security perimeter
• Security awareness trainings for all employees
• Continuous technical assessments
• Security in products
• Various corporate policies & procedures
• ISO 27001 guidelines
• Relations with large customers
• …
Talk2M Security Policy
Password Policy
• Free+:
  • Standard: min 8 characters, min one non-letter
  • Enforced: min 8 characters, letters, digits and symbols
• Pro:
  • Min # characters, letters, digits, special characters: take your pick!
  • Total flexibility (with minimum requirements)
• Additional features:
  • Password expiration
  • Mandatory password change
Account Settings
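The three policy levels on this slide can be expressed as one configurable check that reports every unmet requirement instead of a bare yes/no, which is what an account admin wants when choosing a Pro configuration. The Python below is an added example and not Talk2M's own implementation: the Standard and Enforced rules (min 8 characters; one non-letter, or letters, digits and symbols) are taken from the slide, while the function names, the "non-letter" class definition and the Pro defaults (12 characters, all three classes) are assumptions made for illustration.

```python
"""Password checks modelled on the Talk2M password policy levels.

Added example, not Talk2M's own code. Standard and Enforced rules come from
the slide; the Pro defaults and helper names are constructed.
"""


def char_classes(password):
    """Report which character classes the password contains."""
    return {
        "letter": any(c.isalpha() for c in password),
        "digit": any(c.isdigit() for c in password),
        # Anything that is neither a letter nor a digit counts as a symbol.
        "symbol": any(not c.isalnum() for c in password),
        # Standard level only asks for "one non-letter": a digit or a symbol.
        "non-letter": any(not c.isalpha() for c in password),
    }


# Fixed levels from the slide: (minimum length, required character classes).
POLICY_LEVELS = {
    "Standard": (8, ("non-letter",)),
    "Enforced": (8, ("letter", "digit", "symbol")),
}


def unmet_requirements(password, level, min_length=None, require=None):
    """Return the list of requirements the password fails (empty = accepted).

    For "Pro" the minimum length and required classes are the account
    admin's choice; the defaults used here are constructed for the example.
    """
    if level in POLICY_LEVELS:
        min_length, require = POLICY_LEVELS[level]
    elif level == "Pro":
        min_length = 12 if min_length is None else min_length
        require = ("letter", "digit", "symbol") if require is None else require
    else:
        raise ValueError(f"unknown password policy level {level!r}")

    found = char_classes(password)
    unmet = []
    if len(password) < min_length:
        unmet.append(f"at least {min_length} characters")
    unmet.extend(f"at least one {cls}" for cls in require if not found[cls])
    return unmet


if __name__ == "__main__":
    # Constructed sample passwords; none of these are real credentials.
    for pw, level in [("abcdefgh", "Standard"), ("abcdefg1", "Enforced"),
                      ("abcdef1!", "Pro")]:
        print(level, repr(pw), unmet_requirements(pw, level) or "accepted")
```

Calling `unmet_requirements(pw, "Pro", min_length=10, require=("letter", "digit"))` mirrors the "take your pick" configuration; every level is evaluated by the same code path, so a policy change only touches the table or the Pro arguments.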
Talk2M Security Policy
2-Factor Authentication
• Principle:
  • Something you know (your password) and something you own (your cell phone)
  • SMS used for logins
• Remember me option
• Authentication SMS are free!
• Available for Free+ and for Pro
• Enabled on a per-user basis:
  • Easier to test
  • Easier transition
  • Back-up phone number (best significant one, account admin, …)
Account Settings
Talk2M Security Policy
eCatcher Connection Log
• All connections are listed:
  • eWONs (online/offline)
  • User logins
  • User connections to eWONs
  • (User messages)
• Do you wonder which users connect? Just check the log!
• Do you have a doubt? Just check the log!
Audit Trail
● With Talk2M the connected user has access to the LAN network behind the eWON.
● By default, all devices on the LAN side can be reached.
● You can limit access to some devices only: configure the Talk2M firewall.
● Talk2M offers 4 different levels of internal firewall:
  ● Standard
  ● High
  ● Enforced (Pro only)
  ● Ultra (Pro only)
Talk2M LAN Devices and Firewall: General Principles
The firewall level starts at “Standard” because only logged-in users of the Talk2M account can reach the LAN network at all.
[Diagram: a logged-in user reaches the eWON through the Talk2M VPN server over the Internet (eWON WAN IP 10.10.0.40). On the LAN side of the eWON (LAN IP 192.168.120.53) sit an Eth. PC 192.168.120.61, an Eth. HMI 192.168.120.62, an Eth. PLC 192.168.120.63 and a Serial PLC on the eWON serial port.]
Standard
Open padlock: the logged-in user has access to all devices connected to the eWON.
High
[Diagram: the same network as on the Standard slide (Talk2M VPN server, eWON WAN IP 10.10.0.40, eWON LAN IP 192.168.120.53, Eth. PC 192.168.120.61, Eth. HMI 192.168.120.62, Eth. PLC 192.168.120.63, Serial PLC), now with a closed padlock on the eWON.]
Closed padlock: the logged-in user has access only to declared devices.
High + port restrictions
[Diagram: the same network, with the Eth. HMI 192.168.120.62 declared together with “Port UDP 5001”; the Eth. PLC carries no address label on this slide. eWON LAN IP 192.168.120.53, WAN IP 10.10.0.40.]
Closed padlock: the logged-in user has access only to declared devices. When a port is specified behind an IP, only this port is allowed.
Talk2M Pro – User Permissions
[Diagram: the same network (Talk2M VPN server, eWON WAN IP 10.10.0.40, eWON LAN IP 192.168.120.53, Eth. PC 192.168.120.61, Eth. HMI 192.168.120.62, Eth. PLC 192.168.120.63, Serial PLC).]
Talk2M Pro allows limiting device access to certain users only. Example:
- Maintenance engineer has access to all devices
- Production manager has access only to the HMI device
Enforced and Ultra (Talk2M Pro only)
[Diagram: the same network, with the Eth. HMI 192.168.120.62 declared with “Port UDP 5001” and the Eth. PLC 192.168.120.63; eWON LAN IP 192.168.120.53, WAN IP 10.10.0.40.]
Talk2M Pro features 2 higher firewall levels:
- Enforced: limits access to the serial gateway of the eWON
- Ultra: limits access to the eWON itself (HTTP, FTP, SNMP)
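The firewall slides above (Standard, High, High with port restrictions, Talk2M Pro user permissions, Enforced and Ultra) amount to one access decision for an already logged-in user, and writing it out makes the cumulative effect of the levels easy to review. The Python below is an added example and not Talk2M's own code or configuration format: the level names, their meaning and the sample addresses (Eth. PC 192.168.120.61, Eth. HMI 192.168.120.62 on UDP 5001, Eth. PLC 192.168.120.63, eWON LAN IP 192.168.120.53) come from the slides, while the `Policy` structure, the function names, the treatment of Pro user permissions as an extra check applied at every level, and the serial-gateway port 10001 are assumptions made for illustration.

```python
"""Toy evaluator for the Talk2M firewall levels shown on these slides.

Added example, not Talk2M's own code. Level semantics and sample addresses
come from the slides; the data model and the serial-gateway port are assumed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Firewall levels in increasing order of restriction (names from the slides).
LEVELS = ("Standard", "High", "Enforced", "Ultra")

# Well-known ports of the eWON services the Ultra level restricts (HTTP, FTP, SNMP).
EWON_MGMT_SERVICES = {("tcp", 80): "HTTP", ("tcp", 21): "FTP", ("udp", 161): "SNMP"}


@dataclass
class Policy:
    """Constructed representation of one Talk2M account's firewall settings."""
    level: str
    # Declared LAN devices (High and above): ip -> set of (proto, port) tuples
    # a user may reach; an empty set means every port of that device.
    declared: dict = field(default_factory=dict)
    # Talk2M Pro user permissions: user -> set of device IPs; None = not configured.
    user_devices: Optional[dict] = None
    # (proto, port) pairs of the eWON's own services explicitly opened at Enforced/Ultra.
    ewon_allowed: set = field(default_factory=set)
    ewon_lan_ip: str = "192.168.120.53"  # eWON LAN IP from the slide diagrams
    # Port of the eWON serial gateway: an assumed value, not taken from the slides.
    serial_gateway_ports: set = field(default_factory=lambda: {("tcp", 10001)})


def check_access(policy, user, dst_ip, dst_port, proto="tcp"):
    """Decide whether a logged-in Talk2M user may reach dst_ip:dst_port.

    Returns (allowed, reason). Every decision assumes the user has already
    authenticated to the account, which is the slides' Standard baseline.
    """
    if policy.level not in LEVELS:
        raise ValueError(f"unknown firewall level {policy.level!r}")
    key = (proto.lower(), int(dst_port))
    if dst_ip == policy.ewon_lan_ip:
        return _check_ewon(policy, key)
    return _check_lan(policy, user, dst_ip, key)


def _check_lan(policy, user, dst_ip, key):
    # Modelling choice: Pro user permissions, when configured, apply at every level.
    if policy.user_devices is not None:
        if dst_ip not in policy.user_devices.get(user, set()):
            return False, f"user {user!r} has no permission for {dst_ip}"
    if policy.level == "Standard":
        return True, "Standard: every LAN device is reachable by a logged-in user"
    # High, Enforced and Ultra: only declared devices, optionally restricted to ports.
    if dst_ip not in policy.declared:
        return False, f"{dst_ip} is not a declared device at level {policy.level}"
    ports = policy.declared[dst_ip]
    if ports and key not in ports:
        return False, f"{key[0]}/{key[1]} is not an allowed port on {dst_ip}"
    return True, f"{dst_ip} is declared and {key[0]}/{key[1]} is permitted"


def _check_ewon(policy, key):
    """Enforced closes the serial gateway; Ultra also closes HTTP, FTP and SNMP."""
    rank = LEVELS.index(policy.level)
    if key in policy.ewon_allowed:
        return True, "explicitly opened eWON service"
    if rank >= LEVELS.index("Enforced") and key in policy.serial_gateway_ports:
        return False, f"Enforced: serial gateway {key[0]}/{key[1]} is closed"
    if rank >= LEVELS.index("Ultra") and key in EWON_MGMT_SERVICES:
        return False, f"Ultra: eWON {EWON_MGMT_SERVICES[key]} is closed"
    return True, "eWON service reachable at this level"


def slide_example(level, user_devices=None):
    """The slide LAN: PC .61 (any port), HMI .62 (UDP 5001 only), PLC .63 undeclared."""
    return Policy(level=level,
                  declared={"192.168.120.61": set(),
                            "192.168.120.62": {("udp", 5001)}},
                  user_devices=user_devices)


if __name__ == "__main__":
    for level in LEVELS:
        pol = slide_example(level)
        for ip, port, proto in [("192.168.120.63", 502, "tcp"),
                                ("192.168.120.62", 5001, "udp"),
                                ("192.168.120.53", 80, "tcp")]:
            print(level, ip, f"{proto}/{port}", check_access(pol, "eng", ip, port, proto))
```

Running the block walks each level over three constructed destinations; the PLC at .63 is only reachable at Standard, the HMI is reachable on UDP 5001 at every level, and the eWON's own HTTP port closes at Ultra. Because the user-permission check runs before the level check, a Pro "production manager" limited to the HMI is refused the PC even when the PC is declared.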
Best Practices
• Protect your passwords
  • Do not send your password to technical support!
• Do not keep default passwords
  • adm/adm
• Use 2-Factor Authentication
• Unique logins for every user
• Use firewall/filtering rules to minimize attack surface
Security
Tools to advertise security to end users:
• Defense in depth (available from our website)
• eWON Security Questionnaire (intended for large accounts)
  • Document intended for Security Managers
  • Work in progress
• Security features
  • Large end users may have their own Talk2M Pro accounts
  • They are in control of remote access security