# Channel
Channel provides zero-trust secure remote access to OT/ICS assets through encrypted tunnels. No VPN, no inbound firewall rules, no exposed attack surface.
## Features

### Encrypted Tunnels
- Outbound-only connections from customer sites (UDP 51820)
- Per-gateway unique keypairs, auto-provisioned
- Full protocol support: HTTP, SSH, RDP, VNC, Modbus TCP, EtherNet/IP, Telnet
- End-to-end encryption (Noise protocol, ChaCha20-Poly1305)
### In-Browser Sessions
- RDP/VNC: Full graphical desktop rendered in the browser via Apache Guacamole
- SSH/Telnet: Terminal emulator (xterm.js) in the browser
- HTTP: Proxied web UI with URL rewriting
- Zero client software required
### Access Control
- Role-based: Admin, Engineer, Vendor, Auditor, Operator
- Device-level policies: Per-device protocol restrictions
- Time windows: Restrict access to business hours or maintenance windows
- Approval workflows: Vendors submit access requests, admins approve/deny
- MFA enforcement: Step-up authentication for sensitive devices
- Concurrent session limits: Prevent resource conflicts
### Session Recording
| Protocol | Recording Method | Playback |
|---|---|---|
| RDP | Screen capture (Guacamole) | Video player |
| VNC | Screen capture (Guacamole) | Video player |
| SSH | Terminal recording (asciicast) | asciinema player |
| HTTP | Request/response logging | Log viewer |
| Modbus | Transaction log | Table viewer |
### Audit Logging
- Every action logged: connections, disconnections, policy changes, approvals
- Searchable audit trail with user, device, timestamp, and action details
- Immutable log storage for compliance requirements
## Gateway Deployment Options

### Option A: Breakwater Gateway (Recommended)
DIN-rail mountable appliance built on the Bosch ctrlX CORE platform with Collector + Channel + Coastal IDS.
| Model | Platform | Target | Price |
|---|---|---|---|
| Gateway X3 | ctrlX CORE X3 Compact | Small/medium sites (up to 200 devices) | $1,699 |
| Gateway X5 | ctrlX CORE X5 Modular | Large/enterprise sites (200+ devices) | $4,599 |
### Option B: Bring Your Own Device

Install on any x86 Linux system with 4GB+ RAM and 2+ NICs:

```bash
curl -fsSL https://breakwater.techgonecoastal.com/install.sh | sudo bash -s -- \
  --site-token YOUR_TOKEN \
  --mode gateway
```
### Option C: Bosch ctrlX CORE
Deploy as a snap package on existing ctrlX CORE controllers. See ctrlX Deployment.
## Setting Up Channel

### 1. Provision a Gateway
From the Channel module, click New Gateway and configure:
- Gateway name
- Hardware model (Gateway X3, Gateway X5, or BYOD)
- Linked site
The provisioning wizard generates:
- Tunnel configuration file
- Install script (one-liner)
- Gateway credentials
### 2. Deploy the Gateway

Copy the tunnel config to your gateway device and start the tunnel:

```bash
# Save config
sudo cp wg0.conf /etc/wireguard/
# Start tunnel
sudo wg-quick up wg0
# Enable on boot
sudo systemctl enable wg-quick@wg0
```
### 3. Register Devices
Add OT devices accessible through the gateway:
- Device name and IP address
- Allowed protocols (SSH, RDP, VNC, HTTP, etc.)
- Port overrides (if non-standard)
- Recording policy (mandatory/optional/disabled)
### 4. Configure Access Policies
Set who can access what:
- Assign roles to users
- Set time-based access windows
- Enable approval workflows for vendors
- Require MFA for sensitive devices
### 5. Connect
Click Connect on any registered device. The session opens in your browser — no client software needed.
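As an added example (not part of the Channel product or its tooling), here is a small Python linter that checks the gateway's `wg0.conf` from step 2 for the properties the Encrypted Tunnels section promises: the gateway dials out to the relay on UDP 51820 rather than listening on a fixed inbound port, keeps its NAT mapping alive, and routes only the management subnet into the tunnel. The sample config, relay hostname, addresses and key values are constructed placeholders.

```python
"""Lint a WireGuard tunnel config against the page's outbound-only gateway posture.
Added example; the sample wg0.conf is constructed and its keys are placeholders."""

SAMPLE_CONF = """\
[Interface]
PrivateKey = GATEWAY_PRIVATE_KEY_PLACEHOLDER
Address = 10.200.0.7/32
[Peer]
PublicKey = RELAY_PUBLIC_KEY_PLACEHOLDER
Endpoint = relay.example.invalid:51820
AllowedIPs = 10.200.0.1/32
PersistentKeepalive = 25
"""

def parse_wg(text):
    """Return (interface_dict, [peer_dict, ...]) with lower-cased keys."""
    interface, peers, current = {}, [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = interface if line[1:-1].lower() == "interface" else {}
            if current is not interface:
                peers.append(current)
            continue
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return interface, peers

def lint_outbound_only(text, expected_port=51820):
    """Return findings; an empty list means the gateway only dials out and routes narrowly."""
    interface, peers = parse_wg(text)
    findings = []
    if "listenport" in interface:
        findings.append("Interface pins ListenPort: gateway is set up to be reached inbound on a fixed port")
    if not peers:
        findings.append("No [Peer] section: nothing to dial out to")
    for n, peer in enumerate(peers, 1):
        endpoint = peer.get("endpoint")
        if not endpoint:
            findings.append(f"Peer {n}: no Endpoint, so the gateway cannot initiate the tunnel")
        elif endpoint.rsplit(":", 1)[-1] != str(expected_port):
            findings.append(f"Peer {n}: Endpoint port is not UDP {expected_port}")
        if "persistentkeepalive" not in peer:
            findings.append(f"Peer {n}: no PersistentKeepalive, so the NAT mapping may expire")
        for cidr in peer.get("allowedips", "").split(","):
            if cidr.strip().endswith("/0"):  # 0.0.0.0/0 or ::/0 sends everything into the tunnel
                findings.append(f"Peer {n}: AllowedIPs {cidr.strip()} routes all traffic into the tunnel")
    return findings
```

Run `lint_outbound_only` over a provisioned config before `wg-quick up`; a non-empty list means the tunnel does not match the outbound-only, narrowly scoped design described above.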
## IEC 62443 Compliance
Channel is designed to satisfy IEC 62443-3-3 security requirements:
| Requirement | Description | How Channel Addresses It |
|---|---|---|
| SR 1.1 | Human user identification | Clerk auth + MFA |
| SR 1.2 | Software process identification | Gateway certificates |
| SR 1.5 | Session lock | Configurable inactivity timeout |
| SR 1.13 | Access via untrusted networks | Encrypted tunnel |
| SR 2.8 | Auditable events | Full session recording + audit log |
| SR 5.1 | Network segmentation | Gateway enforces Purdue boundaries |
| SR 5.2 | Zone boundary protection | Proxy router restricts lateral movement |