For the past several years, industrial networking has dominated searched topics on the www.automationworld.com website. This stands to reason considering all the interest in the Industrial Internet of Things (IIoT), convergence of operational technology and IT, remote connectivity, mobile device use, and the general trend toward higher levels of connectivity across industry.
While industrial networking technologies have certainly become more friendly over the years with drag-and-drop network configuration, more easily understood and managed cybersecurity platforms, and more intuitive user interfaces through which to diagnose and troubleshoot network issues, industrial networking still requires a good bit of in-house expertise to properly manage. This is particularly true when using networking technology to establish remote access to devices or machines.
To further ease the establishment of remote access, Tosibox is promoting its method of automating the industrial networking process.
Launched in 2010 on the idea that secure remote access doesn't have to be complicated, expensive, or time-consuming, Tosibox refers to its technology as the "new VPN standard for the IoT." According to Tosibox, it offers a standard solution that replaces the currently available cloud-based connection methods and supplier-specific tailored remote connections with a secure, cost-efficient, plug-and-go solution that can be deployed by anyone in a few minutes. The Tosibox solution turns an internet connection between two devices into an encrypted and automatic end-to-end connection.
Tosibox devices identify each other by cryptographic pairing, which Tosibox calls serialization: the devices must be paired with each other before use, and pairing is done by physically connecting them. In the serialization process, the key device (Key) is inserted into the USB port of the Lock device. The Lock and Key then exchange the public key of their keypairs with each other to create a mutual trust relationship. The encryption key is stored in a closed memory location of the crypto processor on the Key device; according to Tosibox, it cannot be copied or tampered with, and establishing a connection is impossible without the correct encryption keys.
To learn more about the company's technology, I spoke with Jerry Reeves, vice president of technology at Tosibox. Before discussing the security aspects of Tosibox's serialization process, I sought more clarification about how the company's method of connecting devices to create a network differs from other technologies on the market.
"The physical matching process of Tosibox is unique and patented," said Reeves. "During the 10 seconds in which the Key is mated to the Lock, the security certificates of each device are exchanged and trust is created. In other systems, including traditional IT, this trust creation is the same with one significant caveat: The process is not automated. A certificate is often generated on each device, then manually installed on the partner device. This process can take minutes to hours, depending on the availability of the devices and the connections to test the trust. Finally, the trust matching of Tosibox is also registered in our Distributed Matchmaking [DMM] system. This system is what provides the real-time registration and control of all trust additions and modifications made by Tosibox devices globally. For prior technologies, this centralized trust control either was not possible, difficult to set up and maintain, or only available to users with extensive IT resources."
As for how customers use Tosibox to create their networks, Reeves said that many customers will serialize their stock of Locks with their Master Key and deploy those Locks worldwide. "This can be done by shipping them, sending them with a technician, or even purchasing a Lock locally and having it serialized to the Master Key with our remote matching feature," he explained. "Regardless of how the Lock reaches its destination, a serialized unit allows a company using Tosibox to create its own global local area network [GLAN]."
Reeves added that Tosibox's process of creating networks removes the general construct of plants operating as separate entities with their own individual networks. "They can now be unified into a singular network infrastructure using Tosibox as the enabling technology," he said. "This obviously could be done before with traditional IT, but at significant cost in terms of time and money. Tosibox allows this level of connectivity to be deployed and managed quickly and inexpensively down to the operational level."
Prior to connecting with Reeves, I reviewed materials that seemed to indicate that Tosibox serialization allowed its devices to communicate around firewalls or network address translations (NATs). Reeves clarified this by explaining that Tosibox technology does not circumvent a customer's IT security, nor does the serialization process diminish the existing security provided by the customer's firewalls or routers. In fact, he said, it allows those existing devices to be even more hardened versus other technologies by minimizing the public network exposure of the existing firewall.
He noted that Tosibox's DMM system is how the Lock and Key nodes perform outbound communication. "Since the nodes sit behind a customer's router and/or firewall, there is already a level of trust provided to the Tosibox node and outbound traffic is allowed," he said.
To further explain this, Reeves provided an example of how anyone can browse the Tosibox webserver to download datasheets, find information, etc. "But my webserver cannot access their computer directly. This is because the user's firewall allows their computer to reach out to my webserver while blocking my webserver's request to connect to their computer," he said. "With Tosibox, the Keys and Locks continuously ask the DMM, via outbound request, if there are any connections that need to be made. If the DMM says yes, it tells the Locks and Keys where to find each other on the internet so the Locks and Keys can then negotiate, again via outbound requests, the direct tunnel between themselves."
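The two mechanisms described in this article, the physical public-key exchange at serialization and the outbound-only rendezvous through the DMM, fit together in the following simulation. It is an added illustration written for this page, not Tosibox code, and the article does not disclose the real protocol: the Ed25519 signatures, the fingerprint format, the `Matchmaker` structure, the constructed endpoint addresses and the challenge-response tunnel handshake are all assumptions standing in for whatever Tosibox actually uses. What it shows is the defender-relevant property Reeves describes: nodes only ever send outbound requests, the matchmaker introduces only nodes whose serialization was registered, and the direct tunnel is refused to any device whose key was not learned during pairing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Device models a Lock or Key: a long-lived signing keypair plus the set of
// peer public keys it learned during serialization (assumed mechanism).
type Device struct {
	Name    string
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey           // never leaves the device
	trusted map[string]ed25519.PublicKey // fingerprint -> trusted peer key
}

func NewDevice(name string) *Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{Name: name, Pub: pub, priv: priv, trusted: map[string]ed25519.PublicKey{}}
}

// Fingerprint is a short identifier for a public key (hypothetical format).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Serialize models the USB mating step: each device hands the other its public
// key and both record the peer as trusted. Only public material is exchanged.
func Serialize(a, b *Device) {
	a.trusted[Fingerprint(b.Pub)] = b.Pub
	b.trusted[Fingerprint(a.Pub)] = a.Pub
}

// Sign proves possession of the private key over a challenge chosen by the peer.
func (d *Device) Sign(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

// Verify accepts a peer only if its key was learned at serialization and its
// signature over our fresh challenge is valid.
func (d *Device) Verify(peerPub ed25519.PublicKey, challenge, sig []byte) error {
	trustedPub, ok := d.trusted[Fingerprint(peerPub)]
	if !ok || !trustedPub.Equal(peerPub) {
		return fmt.Errorf("%s: peer %s was never serialized with this device", d.Name, Fingerprint(peerPub))
	}
	if !ed25519.Verify(trustedPub, challenge, sig) {
		return fmt.Errorf("%s: bad signature from %s", d.Name, Fingerprint(peerPub))
	}
	return nil
}

// EstablishTunnel runs a mutual challenge-response between two nodes that have
// located each other; it fails unless each side holds the other's serialized key.
func EstablishTunnel(a, b *Device) error {
	for _, side := range [][2]*Device{{a, b}, {b, a}} {
		verifier, prover := side[0], side[1]
		challenge := make([]byte, 32)
		if _, err := rand.Read(challenge); err != nil {
			return err
		}
		if err := verifier.Verify(prover.Pub, challenge, prover.Sign(challenge)); err != nil {
			return err
		}
	}
	return nil
}

// Matchmaker models the DMM: it records registered serializations and answers
// each node's outbound poll. It only replies to requests, never connects inbound.
type Matchmaker struct {
	pairs     map[string]bool   // pairKey(a,b) -> serialization registered
	endpoints map[string]string // fingerprint -> public endpoint seen on last poll
}

func NewMatchmaker() *Matchmaker {
	return &Matchmaker{pairs: map[string]bool{}, endpoints: map[string]string{}}
}

func pairKey(a, b string) string {
	if a > b {
		a, b = b, a
	}
	return a + "|" + b
}

// Register records a serialization so that only paired nodes are ever introduced.
func (m *Matchmaker) Register(a, b *Device) {
	m.pairs[pairKey(Fingerprint(a.Pub), Fingerprint(b.Pub))] = true
}

// Poll is the outbound "any connections to make?" request. The caller's public
// endpoint (normally observed on the request; here an argument) is recorded, and
// only registered peers that have also polled are returned with their endpoints.
func (m *Matchmaker) Poll(self *Device, selfEndpoint string) map[string]string {
	selfFP := Fingerprint(self.Pub)
	m.endpoints[selfFP] = selfEndpoint
	peers := map[string]string{}
	for fp, ep := range m.endpoints {
		if fp != selfFP && m.pairs[pairKey(selfFP, fp)] {
			peers[fp] = ep
		}
	}
	return peers
}

func main() {
	lock, masterKey, stray := NewDevice("Lock"), NewDevice("MasterKey"), NewDevice("StrayKey")
	dmm := NewMatchmaker()
	Serialize(lock, masterKey) // the 10-second USB mating
	dmm.Register(lock, masterKey)
	// Both nodes poll outbound from behind their own NAT (constructed addresses).
	dmm.Poll(lock, "203.0.113.10:41000")
	fmt.Println("key learns:", dmm.Poll(masterKey, "198.51.100.7:52000"))
	fmt.Println("stray learns:", dmm.Poll(stray, "192.0.2.9:6000"))
	fmt.Println("paired tunnel:", EstablishTunnel(lock, masterKey))
	fmt.Println("stray tunnel:", EstablishTunnel(lock, stray))
}
```

The point of the split between `Register` and `Poll` is that the matchmaker knows who is allowed to be introduced, but the trust decision itself stays on the devices: even a node that somehow learned a Lock's endpoint cannot complete `EstablishTunnel` without a key the Lock stored during serialization.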