Silverhawk: an operational technology gateway speeding up maintenance in the rail industry
Updated: Jun 30, 2022
Modux recently developed Silverhawk, an operational technology gateway which allows businesses to remotely and securely manage thousands of devices through one portal.
In this article, we’ll explain the features of Silverhawk and how it is being used by a major UK rail company to modernise their business and improve the running of their trains.
Northern Rail’s problem of managing multiple devices
Northern Rail is one of the UK’s largest train companies with a fleet of 500 trains and nearly 500 stations. Its infrastructure, safety and media systems are powered by thousands of operational technology devices.
With over 2,500 services each day, carrying over 100 million passengers a year, it’s critical that any fault with these operational technology devices is resolved as quickly as possible.
Prior to Silverhawk, each of these devices was provided and maintained by a different third-party vendor and each device had different access requirements and working practices. The process for fixing a fault with one of these devices was time-consuming, expensive and inefficient. A train would have to be pulled out of service, taken to a depot and seen by an engineer. This led to unnecessary delays and frustrated rail passengers.
Northern Rail needed a way to centrally manage their on-board train equipment that would speed up maintenance.
Silverhawk: a secure gateway for managing operational devices
Modux worked alongside Northern Rail to develop Silverhawk, a gateway which sits between the company’s system administrators and its operational technology.
Since being enrolled into Silverhawk, all of Northern Rail’s devices can now be accessed from this one central gateway. This provides rapid access into operational trains, removing the requirement for hundreds of physical visits.
The management of thousands of devices has become not only much more efficient, but also more secure as Silverhawk incorporates features such as multi-factor authentication, password vaults and brokered authentication. Users never have access to device credentials or the network because VPN tunnels and SSH tunnels are used to get into the device.
Rapid and secure access to devices
Let’s look at how Silverhawk is used in practice. Previously, a train engineer would have needed to travel to the train and plug in a laptop in order to fix a fault. Using Silverhawk, the process is much quicker. The train engineer can log in remotely, select the device that manages the train and fix the issue. Here are the steps an engineer goes through when using Silverhawk:
1. Search function. The engineer can see a list of the devices they have been granted access to and can filter and find any device they want to manage through the search function.
2. Assigned access. The train engineer will be granted access to a specific device or set of devices by a super-admin. This access can be time-restricted. In this case, the engineer might need access for 2 hours to fix a fault.
3. Authentication. The train engineer can click the device they want to connect to without needing a password for each device. Silverhawk sets up the authentication, so the engineer never has access to the password of a device. Silverhawk logs into the chosen device, then hands off that authenticated session to the engineer.
4. Remote access to devices. Once connected, the engineer can start an interactive session with the remote device using their mouse and keyboard, just like having a direct connection. The engineer is able to copy and paste between their own computer and the remote device.
Silverhawk has a number of features which make it an invaluable management tool:
Security across all devices. Silverhawk enables modern security features across thousands of operational technology devices, including a company’s forgotten devices that are not backed by remote authentication like Active Directory or RADIUS. With Silverhawk, it’s possible to add in-depth logging, multi-factor authentication and attack detection to new equipment that would otherwise be insecure out of the box.
Ultimate control over access to devices. Silverhawk provides granular access to single devices or groups of devices and removes the need for direct network access. Individual device connections are assigned to teams, meaning that devices are only accessed by those with permission to find and access the device. Access to equipment through embedded HTTP web applications, SSH and RDP can be tightly controlled and restricted to specific users and groups. Access can be given and revoked on demand.
In-depth audit logging. Any change that a user makes to a device is logged. Silverhawk can monitor every configuration change, every click and every command.
Agentless. The Silverhawk OT Gateway only requires network access in order to provide Privileged Access Management to equipment. Network routes through VPN and jump hosts can be spun up instantly when connecting to remote devices.
Automated backup and updates. Common functions such as device backup, firmware updates and password cycling can be automated across the estate, removing the need to update each device individually.
Faster loading times. Application files such as CSS, JS and images can be cached to speed up the load times of device interfaces in remote areas.
Platform agnostic. Silverhawk can run on any computer operating system and can support almost any device.
Improved security and control
As well as improving the security of remote management for Northern, Silverhawk has really shown its worth in its operational benefits, as it allows for rapid collaboration across technical teams during fault diagnosis and change management actions. As engineers no longer have to drive or fly to diagnose faults, the company has saved thousands of hours of travel by having vendors work remotely.
“Silverhawk allows us to quickly provide secure access for engineering teams. We’ve been able to keep trains in service and have saved hours of international travel.”
March Silverwood, Digital Trains, Northern.