Charmaker RAS - How it works

1. Overview
Earth Systems have built a Remote Access System (RAS) into each Charmaker to provide remote technical support and to allow operators to run the machine remotely. The system was designed with security as a primary requirement, with each component considered individually so that the whole remains protected from cyber threats. This paper describes the technical elements of the design and the controls implemented at each layer.
Concept
Charmakers are deployed globally, so RAS requirements vary considerably between deployments. The RAS has been designed to accommodate multiple types of internet connection and the varying security requirements set by the client and the deployment site.
Conceptually, the RAS combines hardware and software to provide convenience, technical support and remote operation using current technologies.
The technical concept of the RAS includes the following elements:
- Charmaker Control System – A local network of PLC(s) and HMI(s) that communicate over ethernet internally to operate the Charmaker itself. It consists of one or more network switches together with the electrical equipment (relays, sensors, switches, etc.).
- Teltonika RUTX Router – An industrial-grade router that supports 3G/4G or ethernet-handoff internet connections, provides local routing and a firewall, and runs the Tailscale software agent.
- Teltonika Remote Management System – A cloud-hosted platform for remotely deploying and configuring the Teltonika routers; it is operated and maintained by Teltonika.
- Tailscale VPN – A mesh-VPN service built on WireGuard, with a cloud-hosted coordination service, that provides encrypted and authenticated communication between devices.
- Azure Active Directory – A cloud-based identity service used to authenticate users of the system.
2. How it works
Charmaker Control System
The Charmaker control system typically consists of a PLC (control computer) and an HMI (interface panel), often more than one of each depending on the design of the Charmaker. These devices communicate over ethernet, with all traffic carried on an internal Charmaker local network. Sensors and other hardware in the Charmaker communicate directly with the PLC via a series of digital inputs, and the HMI provides the graphical operator interface used to run the Charmaker.
Teltonika RUTX Router
Each RAS deployment uses a Teltonika RUTX11 router that handles the following functions:
- Internet connectivity – dual SIM slots for 3G/4G, or any ethernet-handoff internet service (ADSL, VDSL, fibre, etc.).
- Routing – connectivity from the Charmaker network out to the internet.
- Firewall – filtering at the WAN interface between the internet and the Charmaker network.
- DHCP – address assignment for devices connected locally to the Charmaker network (typically operator devices, since the PLCs and HMIs use static IP addresses).
- Wireless access point – a local wireless network for operators onsite to control the HMI from a mobile/tablet app.
- Tailscale subnet router – the router runs the Tailscale agent, configured as a subnet router that advertises the Charmaker network's subnet to the tailnet, so approved Tailscale devices can reach the PLCs and HMIs without any Tailscale software on those devices.
Teltonika Remote Management System
The Teltonika Remote Management System (RMS) is a cloud-based platform for centrally managing and configuring Teltonika routers. In the RAS it is used to deploy configuration changes and updates of both the Teltonika router firmware and the Tailscale package, and it gives Earth Systems IT staff secure remote management and monitoring of each router.
Tailscale VPN
Tailscale is a commercial mesh-VPN service: each device runs a WireGuard-based agent, and a cloud-hosted coordination service distributes the devices' public keys and the access policy. Devices on different networks, behind several layers of firewall or NAT, can establish direct encrypted tunnels to each other; where NAT traversal fails, traffic is relayed through Tailscale's DERP relay servers, which carry only end-to-end encrypted packets. In the RAS, it allows Earth Systems engineers and client operators to reach the Charmaker control system over an encrypted, authenticated network. Because the agent on the Teltonika router only makes outbound connections and the tunnel terminates on the router's own 'tailscale' interface, no ports need to be exposed on the WAN side of the router.
The Teltonika router can be installed behind a client's existing internet connection and firewall if the client prefers. No port-forwarding or inbound firewall exceptions are required for the RAS to operate; the router only needs outbound internet access. Alternatively, the router's 3G/4G modem can be used by inserting a SIM with a suitable data service.
Azure Active Directory
Microsoft Azure Active Directory (AD) is a cloud-based identity platform that provides secure authentication. In the RAS, Azure AD is the identity provider for Tailscale: users sign in to Tailscale with their Azure AD account.
3. Technical Controls
Security has been considered at each layer of technology in the RAS. This section outlines each component of the system and the security controls implemented for it.
Charmaker Control System
The PLC(s) and HMI(s) sit on the local Charmaker network and are protected by local username and password authentication, so no change can be made to either component without first authenticating from a device on the same Charmaker network. In addition, vendor-specific proprietary software is required to make changes to either the PLC(s) or the HMI(s).
Typically, the only connected devices belong to Charmaker operators, who control or monitor the HMI via the app on their mobile/tablet devices. This app is developed and maintained by Schneider Electric, the manufacturer of the HMIs.
Relevant link to the app:
https://www.se.com/au/en/work/support/mobile-apps/vijeo-design-air-plus-app.jsp
Teltonika RUTX Router
The Teltonika router is configured with several security controls, including:
- Firewall enabled and configured to block all incoming traffic on all external (WAN) interfaces.
- Unique, non-default, strong credentials set for both the SSH CLI and the web GUI.
- Telnet access disabled.
- SSH CLI access disabled on all external (WAN) interfaces.
- Web GUI access disabled on all external (WAN) interfaces.
- Local Wi-Fi – the SSID is unique and is broadcast on both 2.4 GHz and 5 GHz.
- Local Wi-Fi – the WPA2 passphrase is unique and strong. Devices joining this Wi-Fi land on the Charmaker network itself, so the passphrase should be handled as a credential for the PLC/HMI network.
- Deployed to site with the current stable Teltonika firmware.
- Firmware updated regularly from Teltonika releases once tested by Earth Systems.
Relevant link to the Teltonika firmware:
https://wiki.teltonika-networks.com/view/RUTX11_Firmware_Downloads
Teltonika Remote Management System
The Teltonika Remote Management System (RMS) is operated by Teltonika and used under the credits purchased for each Teltonika router. Within RMS, the following tasks are configured for maintenance of each Charmaker router:
- Tailscale package deployment – installs or updates the Tailscale agent on the Teltonika router and configures it for use.
- Teltonika firmware deployment – updates the router firmware while retaining the existing settings and configuration.
Relevant link to the Teltonika RMS:
https://teltonika-networks.com/resources/blogs/security-mechanism-of-teltonika-networks-remote-management-system
Tailscale VPN
The Tailscale VPN is a cloud-hosted commercial mesh-VPN service used to carry traffic from user devices, over an encrypted channel, to the HMI and PLC inside the Charmaker network. The agent runs on the Teltonika router itself as a 'subnet router', advertising the Charmaker network's subnet to the tailnet. User devices must have the Tailscale app installed, be signed in by a user authenticated through Azure Active Directory, and satisfy the additional controls below before they gain any network-level access.
The user-device controls include:
- Users authenticate to the Tailscale app on their device through Microsoft Azure Active Directory. This requires 2FA to be set up and an initial password change before they can log in to Tailscale.
- Once a user device has authenticated to the Earth Systems 'tailnet' (the Tailscale network set up specifically for the Charmaker networks), it requires manual approval by Earth Systems IT staff before it can connect to anything.
- Once approved, the device is assigned an access-control tag that defines which Charmaker network it may reach; the tailnet's ACL policy permits traffic only between that tag and the matching Charmaker subnet, and everything not explicitly permitted is denied. This keeps different Charmaker networks and their users fully separated from one another.
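The separation described above is enforced by the tailnet's ACL policy, which is default-deny: a connection is allowed only if some rule accepts it. The following is an added example written for this page, not Earth Systems' policy or Tailscale's code. The policy is a constructed Tailscale-style policy with two Charmaker sites; the group names, user names, tag names, subnets and the port numbers in the tests are all assumptions. The small evaluator models only the parts of Tailscale's semantics the section relies on (groups, subnet destinations with port lists, the policy's own "tests" stanza) and ignores tags as sources, autogroups and host names as destinations.

```python
"""Simplified evaluator for a Tailscale-style ACL policy (added example).

Not Tailscale's code: a model of the default-deny rule evaluation used to
check that operators of one Charmaker site cannot reach another site's
subnet. Everything in POLICY is an assumption made for the example.
"""
import ipaddress

POLICY = {
    "groups": {
        "group:site-a-operators": ["alice@charmaker.tech"],
        "group:site-b-operators": ["bob@charmaker.tech"],
        "group:es-engineers": ["eng@charmaker.tech"],
    },
    # Tags go on the Teltonika subnet routers; only admins may apply them.
    "tagOwners": {
        "tag:charmaker-site-a": ["autogroup:admin"],
        "tag:charmaker-site-b": ["autogroup:admin"],
    },
    # A router carrying a site's tag may advertise that site's subnet
    # (tailscale up --advertise-routes=192.168.10.0/24) without a manual
    # route approval; any other advertised route still needs approval.
    "autoApprovers": {
        "routes": {
            "192.168.10.0/24": ["tag:charmaker-site-a"],
            "192.168.20.0/24": ["tag:charmaker-site-b"],
        }
    },
    # Default deny: a connection is allowed only if some rule accepts it.
    "acls": [
        {"action": "accept",
         "src": ["group:site-a-operators", "group:es-engineers"],
         "dst": ["192.168.10.0/24:*"]},
        {"action": "accept",
         "src": ["group:site-b-operators", "group:es-engineers"],
         "dst": ["192.168.20.0/24:*"]},
    ],
    # Tailscale evaluates these when the policy is saved and refuses the
    # save if any fails; run_policy_tests() mirrors that check locally.
    "tests": [
        {"src": "alice@charmaker.tech",
         "accept": ["192.168.10.5:502"], "deny": ["192.168.20.5:502"]},
        {"src": "bob@charmaker.tech",
         "accept": ["192.168.20.5:502"], "deny": ["192.168.10.5:502"]},
    ],
}


def _src_matches(policy, entry, user):
    if entry == "*":
        return True
    if entry.startswith("group:"):
        return user in policy["groups"].get(entry, [])
    return entry == user          # a bare login name


def _dst_matches(entry, ip, port):
    # "cidr:ports" where ports is "*", one port, a range, or a comma list.
    host, _, ports = entry.rpartition(":")
    try:
        net = ipaddress.ip_network(host, strict=False)
    except ValueError:
        return False              # host names / tags: outside this model
    if ipaddress.ip_address(ip) not in net:
        return False
    if ports == "*":
        return True
    for item in ports.split(","):
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def is_allowed(policy, user, dst_ip, dst_port):
    """True only if an 'accept' rule matches the (user, destination) pair."""
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue
        if any(_src_matches(policy, s, user) for s in rule["src"]) and \
                any(_dst_matches(d, dst_ip, dst_port) for d in rule["dst"]):
            return True
    return False


def run_policy_tests(policy):
    """Mirror the policy's 'tests' stanza; returns a list of failure messages."""
    failures = []
    for t in policy.get("tests", []):
        for dst in t.get("accept", []):
            ip, _, port = dst.rpartition(":")
            if not is_allowed(policy, t["src"], ip, int(port)):
                failures.append(f"{t['src']} should reach {dst}")
        for dst in t.get("deny", []):
            ip, _, port = dst.rpartition(":")
            if is_allowed(policy, t["src"], ip, int(port)):
                failures.append(f"{t['src']} should NOT reach {dst}")
    return failures


if __name__ == "__main__":
    print("policy tests:", run_policy_tests(POLICY) or "all passed")
```

The point of the "tests" stanza is that the separation property becomes a regression check: when a site, group or user is added, a rule that accidentally widens access fails the save rather than silently granting a second site's operators a path into the first site's PLC.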
The Teltonika router controls include:
- The Tailscale agent runs on the Teltonika router as a 'subnet router', with the tunnel terminating on its own local network interface, 'tailscale'.
- The Teltonika firewall is configured to allow only outgoing traffic from the Tailscale interface to the WAN interface; all incoming traffic on the WAN is blocked.
- Connections initiated from user devices (user device > Tailscale > Teltonika router > Charmaker network) are permitted and tracked statefully, so their replies flow back; connections initiated from inside the Charmaker network towards Tailscale are not permitted.
- The Tailscale package is updated frequently, once tested by Earth Systems.
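The three router controls above amount to a zone firewall with a default-deny forwarding policy plus connection tracking. The following is an added example, written for this page and not the router's actual configuration, that models that policy so the intended directions can be checked before they are typed into the router. The zone addressing, the router's own addresses, and the port numbers are assumptions; the document gives none of them.

```python
"""Model of the zone firewall on the Teltonika router (added example).

Three zones: wan, lan (the Charmaker network) and tailscale. New
connections may be opened only in the listed directions; replies to an
accepted connection pass through the conntrack table without a rule of
their own; everything else is dropped. Not the router's configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Addressing is assumed for the example; the document gives no addresses.
ZONE_NETS = {
    "lan": [ip_network("192.168.10.0/24")],      # PLC/HMI network
    "tailscale": [ip_network("100.64.0.0/10")],  # Tailscale's CGNAT range
}                                                # anything else is "wan"
ROUTER_ADDRS = {"192.168.10.1", "100.101.102.103", "203.0.113.5"}

# Directions in which a NEW connection may be opened through the router.
ALLOWED_NEW = {
    ("tailscale", "lan"),   # user device > Tailscale > Charmaker network
    ("lan", "wan"),         # Charmaker network out to the internet
    ("tailscale", "wan"),   # outbound from the tailscale interface to WAN
}
# Zones from which the router itself accepts new connections (INPUT).
# "wan" is deliberately absent: all incoming WAN traffic is dropped.
INPUT_ACCEPT = {"lan", "tailscale"}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class ZoneFirewall:
    def __init__(self):
        self.conntrack = set()   # 5-tuples of accepted connections

    @staticmethod
    def zone_of(ip):
        addr = ip_address(ip)
        for zone, nets in ZONE_NETS.items():
            if any(addr in n for n in nets):
                return zone
        return "wan"

    def evaluate(self, pkt):
        """Return "ACCEPT" or "DROP" for one packet, updating conntrack."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.conntrack or reply in self.conntrack:
            return "ACCEPT"      # ESTABLISHED: part of an allowed flow
        src_zone = self.zone_of(pkt.src)
        if pkt.dst in ROUTER_ADDRS:                      # INPUT chain
            allowed = src_zone in INPUT_ACCEPT
        else:                                            # FORWARD chain
            allowed = (src_zone, self.zone_of(pkt.dst)) in ALLOWED_NEW
        if allowed:
            self.conntrack.add(key)
            return "ACCEPT"
        return "DROP"


def walk_through():
    """Replay the flows the section describes; returns {label: verdict}.
    Ports are illustrative only."""
    fw = ZoneFirewall()
    flows = [
        ("engineer opens TCP to PLC",
         Packet("tcp", "100.64.0.7", 50000, "192.168.10.20", 502)),
        ("PLC replies to engineer",
         Packet("tcp", "192.168.10.20", 502, "100.64.0.7", 50000)),
        ("PLC opens TCP to engineer",
         Packet("tcp", "192.168.10.20", 40000, "100.64.0.7", 22)),
        ("internet host probes router",
         Packet("tcp", "198.51.100.9", 4444, "203.0.113.5", 22)),
        ("PLC fetches from internet",
         Packet("tcp", "192.168.10.20", 40001, "198.51.100.9", 443)),
        ("internet host probes PLC",
         Packet("tcp", "198.51.100.9", 4445, "192.168.10.20", 502)),
    ]
    return {label: fw.evaluate(p) for label, p in flows}


if __name__ == "__main__":
    for label, verdict in walk_through().items():
        print(f"{verdict:6} {label}")
```

The second flow is accepted only because the first one created a conntrack entry; a packet with the same addresses arriving on a fresh firewall is dropped. That is the difference between "replies flow back" and "the Charmaker network may initiate towards Tailscale", which the control above rules out.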

Relevant links to Tailscale:
https://tailscale.com/kb/1151/what-is-tailscale/
https://tailscale.com/security/
https://tailscale.com/kb/1019/subnets/
https://tailscale.com/kb/1018/acls/
Azure Active Directory
Microsoft Azure Active Directory (AD), now called Microsoft Entra ID, provides authentication to Tailscale for all user access. A dedicated Azure tenant has been configured for the RAS to keep it isolated from other systems. The security controls implemented include:
- 2FA for all user accounts, including the administrative account managed by Earth Systems.
- Strong password requirement for all user accounts.
- An initial password change is required on first login.
- Dedicated domain for all user accounts – charmaker.tech
Relevant link to Azure:
https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id
4. Conclusion
This paper has outlined how security was designed into the Earth Systems Remote Access System. Given the current threat environment, Earth Systems have implemented a system that minimises the risk of a successful attack. Continued development at Earth Systems keeps the system up to date and in line with current security best practice.