Security Overview
Breakwater is built with OT/ICS security principles at its core. Industrial environments have unique requirements — safety-critical operations, legacy systems, air-gap compatibility — and our security model reflects that.
Design Principles
Zero Inbound Ports
Nothing at a customer site listens on an internet-reachable port. Every connection (Collector telemetry, encrypted tunnels) is initiated outbound from the site, so the site firewall can deny all unsolicited inbound traffic and the Breakwater components never need an inbound rule.
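A check a site operator can run to confirm the principle holds on a host. This is an added example, not Breakwater's own code or tooling: it parses the output of `ss -H -l -t -u -n` (listening TCP and UDP sockets, numeric, no header) and reports every socket bound to a non-loopback address. The sample output below is constructed; on a real site host you would run `audit_host()` and expect an empty result apart from sockets you can account for on an isolated management network.

```python
"""Check that a site host exposes no inbound listeners.

Added example, not Breakwater's code. It parses the output of
``ss -H -l -t -u -n`` and reports every socket bound to a
non-loopback address, i.e. every potential inbound port.
"""
import ipaddress
import shutil
import subprocess
from typing import List, Tuple

# Constructed sample output in the ``ss -H -l -t -u -n`` column layout:
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
udp   UNCONN 0      0        127.0.0.53%lo:53        0.0.0.0:*
tcp   LISTEN 0      128            0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096         127.0.0.1:5432       0.0.0.0:*
tcp   LISTEN 0      128               [::]:22            [::]:*
tcp   LISTEN 0      511              [::1]:9100          [::]:*
"""


def split_local(field: str) -> Tuple[str, int]:
    """Split ss's Local-Address:Port field into (address, port).

    Handles '[::]:22', '127.0.0.53%lo:53' and '*:8080'.
    """
    addr, port = field.rsplit(":", 1)
    addr = addr.strip("[]").split("%", 1)[0]   # drop IPv6 brackets and scope id
    return addr, int(port)


def is_loopback(addr: str) -> bool:
    """True only for 127.0.0.0/8 and ::1; wildcard and unparsable count as exposed."""
    if addr == "*":
        return False                        # wildcard bind: reachable from outside
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False                        # be conservative: report it


def exposed_listeners(ss_output: str) -> List[Tuple[str, str, int]]:
    """Return (proto, address, port) for every non-loopback listener."""
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5:
            continue                        # blank or truncated line
        proto, local = cols[0], cols[4]
        addr, port = split_local(local)
        if not is_loopback(addr):
            exposed.append((proto, addr, port))
    return exposed


def audit_host() -> List[Tuple[str, str, int]]:
    """Run ss on this host (Linux) and return its exposed listeners."""
    if shutil.which("ss") is None:
        raise RuntimeError("ss not found; run this on the site host")
    out = subprocess.run(["ss", "-H", "-l", "-t", "-u", "-n"],
                         check=True, capture_output=True, text=True).stdout
    return exposed_listeners(out)


if __name__ == "__main__":
    for proto, addr, port in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED {proto} {addr}:{port}")
```

In the constructed sample only the two SSH sockets bound to `0.0.0.0` and `::` are reported; the resolver stub, the local PostgreSQL socket and the `::1`-bound metrics port are loopback-only and therefore not inbound ports. An empty list from `audit_host()` is the property the principle above promises, and any non-empty result needs a documented justification.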
Passive Monitoring Only
Coastal IDS operates in passive/monitoring mode only. Breakwater never injects traffic into, or blocks communications on, OT networks. This is a fundamental safety principle for a system that sits beside safety-critical processes: we observe, we don't interfere.
Defense in Depth
- Network layer: Encrypted tunnel (ChaCha20-Poly1305)
- Transport layer: TLS 1.3 for all API traffic
- Application layer: Clerk authentication with MFA
- Access layer: RBAC with device-level policies
- Audit layer: Immutable session recording and logging
Least Privilege
- Users access only assigned sites and devices
- Protocols are restricted per-device
- Time-based access windows limit exposure
- Vendor access requires explicit approval
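The four restrictions above are easiest to understand as one deny-by-default decision. The following is an added example, not Breakwater's own policy code: the `Grant` and `Request` model, the field names and the sample grants are assumptions made here to show a request being checked against an assigned site and device, the protocols allowed on that device, a bounded access window, and an explicit approval for a vendor account.

```python
"""Deny-by-default evaluation of an OT remote-access request.

Added example, not Breakwater's code. The Grant/Request model is an
assumption used to show the four least-privilege rules working
together: assigned site and device, allowed protocols per device,
a bounded time window, and explicit approval for vendor accounts.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Grant:
    user: str
    site: str
    device: str
    protocols: FrozenSet[str]          # protocols allowed on this device
    window_start: datetime             # inclusive
    window_end: datetime               # exclusive
    vendor: bool = False               # third-party (vendor) account
    approved_by: Optional[str] = None  # who approved a vendor grant, if anyone


@dataclass(frozen=True)
class Request:
    user: str
    site: str
    device: str
    protocol: str
    at: datetime                       # time the session is being opened


def authorize(grants: Sequence[Grant], req: Request) -> Tuple[bool, str]:
    """Allow only if some grant for this user/site/device passes every rule.

    Returns (allowed, reason). The reason names the first failed rule so the
    decision can be logged; grants for other users or devices are never
    mentioned, so a denial does not reveal what else exists.
    """
    reasons = []
    for g in grants:
        if (g.user, g.site, g.device) != (req.user, req.site, req.device):
            continue                              # grant is for something else
        if req.protocol not in g.protocols:
            reasons.append(f"protocol {req.protocol} not allowed on {g.device}")
        elif not (g.window_start <= req.at < g.window_end):
            reasons.append("outside access window")
        elif g.vendor and not g.approved_by:
            reasons.append("vendor access not approved")
        else:
            return True, f"grant for {g.device}/{req.protocol} until {g.window_end.isoformat()}"
    return False, "; ".join(reasons) or "no grant for this user, site and device"


# Constructed sample grants: a maintenance window on a hypothetical site.
T0 = datetime(2024, 6, 3, 8, 0, tzinfo=timezone.utc)
GRANTS = [
    Grant("alice", "plant-a", "plc-01", frozenset({"ssh", "modbus-tcp"}),
          T0, T0 + timedelta(hours=4)),
    Grant("vendor-bob", "plant-a", "hmi-02", frozenset({"vnc"}),
          T0, T0 + timedelta(hours=2), vendor=True),                  # not yet approved
    Grant("vendor-bob", "plant-a", "hmi-03", frozenset({"vnc"}),
          T0, T0 + timedelta(hours=2), vendor=True, approved_by="alice"),
]


def decide(user: str, site: str, device: str, protocol: str,
           hours_after_t0: float) -> Tuple[bool, str]:
    """Evaluate a request against the sample grants at T0 + hours_after_t0."""
    req = Request(user, site, device, protocol,
                  T0 + timedelta(hours=hours_after_t0))
    return authorize(GRANTS, req)


if __name__ == "__main__":
    for args in [("alice", "plant-a", "plc-01", "ssh", 1),
                 ("alice", "plant-a", "plc-01", "rdp", 1),
                 ("alice", "plant-a", "plc-01", "ssh", 5),
                 ("alice", "plant-a", "plc-02", "ssh", 1),
                 ("vendor-bob", "plant-a", "hmi-02", "vnc", 1),
                 ("vendor-bob", "plant-a", "hmi-03", "vnc", 1)]:
        print(args, decide(*args))
```

Two design points matter here. The request time is an explicit input rather than `datetime.now()`, so the same decision can be replayed from an audit record. The window end is exclusive and every rule is checked in a fixed order, so a request that fails two rules always reports the same one.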
Encryption
| Layer | Technology | Purpose |
|---|---|---|
| API traffic | TLS 1.3 | HTTPS for all browser and API communication |
| Encrypted tunnel | ChaCha20-Poly1305 | Encrypted remote access channel |
| Database | PostgreSQL with access controls | Device data, session records |
| Session recordings | AES-256 at rest | Stored recordings encrypted |
| Secrets | TPM 2.0 (where available) | Tunnel private keys on Gateway |
Incident Response
If you discover a security vulnerability in Breakwater, please report it to:
We take all reports seriously and will respond within 48 hours.