For the past several years, industrial networking has dominated searched topics on the www.automationworld.com website. This stands to reason considering all the interest in the Industrial Internet of Things (IIoT), convergence of operational technology and IT, remote connectivity, mobile device use, and the general trend toward higher levels of connectivity across industry.
While industrial networking technologies have certainly become more user-friendly over the years, with drag-and-drop network configuration, cybersecurity platforms that are easier to understand and manage, and more intuitive interfaces for diagnosing and troubleshooting network issues, industrial networking still requires a good deal of in-house expertise to manage properly. This is particularly true when networking technology is used to establish remote access to devices or machines.
To further ease the establishment of remote access, Tosibox is promoting its method of automating the industrial networking process.
Launched in 2010 on the idea that secure remote access doesn’t have to be complicated, expensive, or time-consuming, Tosibox refers to its technology as the “new VPN standard for the IoT.” According to Tosibox, it offers a standard solution that replaces the currently available cloud-based connection methods and supplier-specific tailored remote connections with a secure, cost-efficient, plug-and-go solution that can be deployed by anyone in a few minutes. The Tosibox solution turns an internet connection between two devices into an encrypted and automatic end-to-end connection.
Tosibox devices identify each other through a cryptographic pairing that the company calls serialization, and the devices must be paired before they can be used together. Pairing is done by connecting the devices physically: the key device (Key) is inserted into the USB port of the Lock device, and the Lock and Key exchange the public halves of their respective keypairs, so that each afterwards holds a pinned copy of the other's public key and a mutual trust relationship exists. According to Tosibox, the Key's private key is stored in a closed memory location of the crypto processor on the Key device, where it cannot be copied or tampered with. Without the matching keys, a connection cannot be established.
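As an added illustration of the pairing model described above, and not Tosibox's own code or protocol, the Go program below simulates two devices that pin each other's public key during a physical pairing step and later use those pinned keys to authenticate an ephemeral key exchange. The device names, the choice of Ed25519 for identity and X25519 for the session, the transcript layout and the key-derivation hash are all assumptions made for this example; the algorithms and message formats Tosibox actually uses are not documented on this page.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Device stands in for a Lock or a Key (example only, not Tosibox code). The
// identity private key is an unexported field that only the signing step in
// Connect touches, modelling a key confined to the device's crypto processor.
// A struct field is of course not tamper-resistant hardware.
type Device struct {
	Name    string
	pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	trusted map[string]ed25519.PublicKey // public keys pinned at pairing time
}

func NewDevice(name string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{Name: name, pub: pub, priv: priv, trusted: map[string]ed25519.PublicKey{}}, nil
}

// Serialize models the physical pairing step (Key plugged into Lock): the two
// devices hand each other their public keys over the local link and pin them.
// Nothing secret crosses the link, so there is nothing for a network attacker
// to capture later; only the pinned public keys are needed to authenticate.
func Serialize(a, b *Device) {
	a.trusted[b.Name] = b.pub
	b.trusted[a.Name] = a.pub
}

// verify checks a signature against the key pinned for peer, and fails if the
// peer was never paired with this device or signs with a different key.
func (d *Device) verify(peer string, msg, sig []byte) error {
	pk, ok := d.trusted[peer]
	if !ok {
		return fmt.Errorf("%s: %q was never serialized with this device", d.Name, peer)
	}
	if !ed25519.Verify(pk, msg, sig) {
		return fmt.Errorf("%s: signature from %q does not match the pinned key", d.Name, peer)
	}
	return nil
}

// transcript binds both identities and both ephemeral public keys into the
// message each side signs, so a captured signature cannot be replayed into a
// later handshake that uses different ephemeral keys. Netstring-style length
// prefixes keep the concatenation unambiguous.
func transcript(nameA string, ephA []byte, nameB string, ephB []byte) []byte {
	h := sha256.New()
	for _, part := range [][]byte{[]byte(nameA), ephA, []byte(nameB), ephB} {
		fmt.Fprintf(h, "%d:", len(part))
		h.Write(part)
	}
	return h.Sum(nil)
}

// sessionKey derives a 32-byte key from the X25519 shared secret and the
// transcript (an assumed construction for the example).
func sessionKey(secret, tr []byte) []byte {
	h := sha256.New()
	h.Write([]byte("example-session-key"))
	h.Write(secret)
	h.Write(tr)
	return h.Sum(nil)
}

// Connect runs an authenticated key exchange between two devices that have
// already located each other (the matchmaking step is not modelled here).
// Both sides run in one function for readability; the comments mark what would
// cross the wire. It returns the session key each side derived, or an error if
// either side cannot authenticate the other.
func Connect(a, b *Device) (keyA, keyB []byte, err error) {
	curve := ecdh.X25519()
	ephA, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ephB, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// 1. Ephemeral public keys cross the wire in the clear.
	wireA, wireB := ephA.PublicKey().Bytes(), ephB.PublicKey().Bytes()
	tr := transcript(a.Name, wireA, b.Name, wireB)
	// 2. Each side signs the transcript with its long-term identity key.
	sigA, sigB := ed25519.Sign(a.priv, tr), ed25519.Sign(b.priv, tr)
	// 3. Each side checks the peer's signature against the key it pinned at
	//    serialization. An unpaired or impersonating device fails here.
	if err := a.verify(b.Name, tr, sigB); err != nil {
		return nil, nil, err
	}
	if err := b.verify(a.Name, tr, sigA); err != nil {
		return nil, nil, err
	}
	// 4. Only now does each side finish Diffie-Hellman on the bytes it received.
	remoteForA, err := curve.NewPublicKey(wireB)
	if err != nil {
		return nil, nil, err
	}
	remoteForB, err := curve.NewPublicKey(wireA)
	if err != nil {
		return nil, nil, err
	}
	secretA, err := ephA.ECDH(remoteForA)
	if err != nil {
		return nil, nil, err
	}
	secretB, err := ephB.ECDH(remoteForB)
	if err != nil {
		return nil, nil, err
	}
	return sessionKey(secretA, tr), sessionKey(secretB, tr), nil
}

func main() {
	lock, _ := NewDevice("Lock")
	key, _ := NewDevice("Key")
	Serialize(lock, key)
	kl, kk, err := Connect(lock, key)
	fmt.Printf("paired devices: err=%v, keys match=%v\n", err, string(kl) == string(kk))
	rogue, _ := NewDevice("Key") // claims to be the Key but holds its own keypair
	_, _, err = Connect(lock, rogue)
	fmt.Println("impersonating device:", err)
}
```

The point the simulation makes is that the security of the later network connection rests on the public keys pinned during the physical step: a device that was never serialized has no entry in the peer's trust store, and a device that reuses a paired device's name but a different keypair fails signature verification, while the identity private keys are never transmitted.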
To learn more about the company’s technology, I spoke with Jerry Reeves, vice president of technology at Tosibox. Before discussing the security aspects of Tosibox’s serialization process, I sought more clarification about how the company’s method of connecting devices to create a network differs from other technologies on the market.
“The physical matching process of Tosibox is unique and patented,” said Reeves. “During the 10 seconds in which the Key is mated to the Lock, the security certificates of each device are exchanged and trust is created. In other systems, including traditional IT, this trust creation is the same with one significant caveat: The process is not automated. A certificate is often generated on each device, then manually installed on the partner device. This process can take minutes to hours, depending on the availability of the devices and the connections to test the trust. Finally, the trust matching of Tosibox is also registered in our Distributed Matchmaking [DMM] system. This system is what provides the real-time registration and control of all trust additions and modifications made by Tosibox devices globally. For prior technologies, this centralized trust control was either not possible, difficult to set up and maintain, or available only to users with extensive IT resources.”
As for how customers use Tosibox to create their networks, Reeves said that many customers will serialize their stock of Locks with their Master Key and deploy those Locks worldwide. “This can be done by shipping them, sending them with a technician, or even purchasing a Lock locally and having it serialized to the Master Key with our remote matching feature,” he explained. “Regardless of how the Lock reaches its destination, a serialized unit allows a company using Tosibox to create its own global local area network [GLAN].”
Reeves added that Tosibox’s process of creating networks removes the general construct of plants operating as separate entities with their own individual networks. “They can now be unified into a singular network infrastructure using Tosibox as the enabling technology,” he said. “This obviously could be done before with traditional IT, but at significant cost in terms of time and money. Tosibox allows this level of connectivity to be deployed and managed quickly and inexpensively down to the operational level.”
Prior to connecting with Reeves, I reviewed materials that seemed to indicate that Tosibox serialization allowed its devices to communicate around firewalls or network address translation (NAT). Reeves clarified this by explaining that Tosibox technology does not circumvent a customer’s IT security, nor does the serialization process diminish the existing security provided by the customer’s firewalls or routers. In fact, he said, it lets those existing devices be hardened further than with other remote-access technologies, because it minimizes the firewall’s exposure to the public network.
He noted that the Lock and Key nodes reach Tosibox’s DMM system through outbound communication only. “Since the nodes sit behind a customer’s router and/or firewall, there is already a level of trust provided to the Tosibox node and outbound traffic is allowed,” he said.
To further explain this, Reeves provided an example of how anyone can browse the Tosibox webserver to download datasheets, find information, etc. “But my webserver cannot access their computer directly. This is because the user’s firewall allows their computer to reach out to my webserver while blocking my webserver’s request to connect to their computer,” he said. “With Tosibox, the Keys and Locks continuously ask the DMM, via outbound request, if there are any connections that need to be made. If the DMM says yes, it tells the Locks and Keys where to find each other on the internet so the Locks and Keys can then negotiate—again, via outbound requests—the direct tunnel between themselves.”
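As an added example, and not Tosibox's code, the Go program below simulates the rendezvous Reeves describes against a stateful firewall that allows outbound traffic and admits inbound traffic only as a reply to a flow an inside host opened. It goes a step beyond the quote by showing the edge case of the first outbound packet toward the peer being dropped before the peer has sent anything. The node names, addresses (taken from documentation ranges) and the single-packet exchange are constructed for the simulation; address translation is not modelled.

```go
package main

import "fmt"

// Endpoint is a public IP:port pair. The addresses used below are constructed
// for the simulation and do not belong to any real Tosibox or customer host.
type Endpoint struct {
	IP   string
	Port int
}

// flow records that an inside host sent traffic to an outside host.
type flow struct{ inside, outside Endpoint }

// Firewall models a stateful perimeter device with the default policy the
// article describes: outbound traffic is allowed and remembered, inbound
// traffic is accepted only as a reply to a flow an inside host already opened.
// A nil *Firewall means "no firewall" and is used for the public DMM server.
type Firewall struct{ flows map[flow]bool }

func NewFirewall() *Firewall { return &Firewall{flows: map[flow]bool{}} }

func (fw *Firewall) outbound(inside, outside Endpoint) {
	if fw != nil {
		fw.flows[flow{inside, outside}] = true
	}
}

func (fw *Firewall) inbound(outside, inside Endpoint) bool {
	return fw == nil || fw.flows[flow{inside, outside}]
}

// Node is a Lock, a Key or the DMM, each behind its own firewall (or none).
type Node struct {
	Name string
	Addr Endpoint
	FW   *Firewall
}

// Send carries one packet from n to dst: out through n's firewall, which
// records the flow, and in through dst's firewall, which looks for a matching
// flow. It reports whether the packet was delivered.
func (n *Node) Send(dst *Node) bool {
	n.FW.outbound(n.Addr, dst.Addr)
	return dst.FW.inbound(n.Addr, dst.Addr)
}

// Result records what got through at each stage of the rendezvous.
type Result struct {
	UnsolicitedPush bool // DMM tries to reach the Lock before the Lock has polled
	PollReply       bool // DMM's answer to the Lock's outbound poll
	FirstPunch      bool // Lock's first packet toward the Key
	KeyPunch        bool // Key's packet toward the Lock, after the Lock has sent
	LockRetry       bool // Lock's second packet toward the Key
}

// Simulate walks through the exchange: unsolicited inbound is blocked, polls
// go out and replies come back, then both nodes send toward each other.
func Simulate() Result {
	dmm := &Node{Name: "DMM", Addr: Endpoint{"198.51.100.10", 443}} // public, FW nil
	lock := &Node{Name: "Lock", Addr: Endpoint{"203.0.113.20", 40000}, FW: NewFirewall()}
	key := &Node{Name: "Key", Addr: Endpoint{"192.0.2.30", 40001}, FW: NewFirewall()}

	var r Result
	// A server on the internet cannot open a connection into the site, just
	// as the web server in the quote cannot reach a visitor's computer.
	r.UnsolicitedPush = dmm.Send(lock)

	// Both nodes poll the DMM outbound; the replies ride back on those flows
	// and carry the other node's address.
	lock.Send(dmm)
	r.PollReply = dmm.Send(lock)
	key.Send(dmm)
	dmm.Send(key)

	// Both nodes now send toward each other, again outbound only. The first
	// packet is dropped because the Key's firewall has seen nothing from the
	// Key toward the Lock yet; it still opens a flow on the Lock's side.
	r.FirstPunch = lock.Send(key)
	r.KeyPunch = key.Send(lock)  // matches the flow the Lock just opened
	r.LockRetry = lock.Send(key) // matches the flow the Key just opened
	return r
}

func main() {
	fmt.Printf("%+v\n", Simulate())
}
```

Two things the simulation makes visible: no inbound rule is ever added to either firewall, which is the sense in which the firewall's public exposure is minimized, and the first packet toward the peer is lost, so a real implementation has to retransmit until the peer's firewall has a matching outbound flow. With NAT in the path (not modelled here), the DMM would learn each node's translated public address from the poll itself, and whether the direct tunnel can be punched depends on the NAT's mapping behaviour.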