We move fast and OneLogin is the agile partner we need to address our ever-changing requirements. Most recently, with OneLogin for Microsoft Remote Desktop Gateway, we’ve enabled our remote engineers to easily and securely access their OT environments.
Virgin Hyperloop is the only company in the world that has successfully tested its hyperloop technology at scale, launching the first new mode of mass transportation in more than 100 years. In a hyperloop system, which uses magnetic levitation to allow near-silent travel, a trip between New York and Washington would take just 30 minutes. That would be twice as fast as a commercial jet flight and four times faster than a high-speed train.
In November 2020, Virgin Hyperloop successfully and safely transported passengers in a hyperloop vehicle. The company made this transportation history at its research and development facility site (DevLoop) near Las Vegas, Nevada.
On any given day, 50 to 100 engineers, test technicians, assembly technicians, and support staff work at the DevLoop test facility. As soon as COVID hit, all employees shifted to working from home. When Virgin Hyperloop reopened its Nevada site, it moved to a hybrid model with some engineers on site and others remote. As the development effort ramped back up, the company began building a new network to support the next phase of testing.
At DevLoop, hundreds of sensors gather data as a pressurized pod travels down a 500-meter test track. Various valves, gauges, and other industrial devices enable the finely tuned environment in the tube-like track. Those sensors and devices – categorized as operational technology (OT) – feed data to engineers on site and in Los Angeles, as well as to the cloud for processing.
In this highly sophisticated space, Virgin Hyperloop relies on integration between its IT network and OT industrial environments. While the IT network adheres to industry best practices for security, the OT setup is configured and controlled by engineers in a fast-moving development environment. “Engineers want to set up OT environments quickly and have them functional 24/7. That leads to an open environment with few security controls,” explains Ryan Bittner, Senior System Administrator for Virgin Hyperloop.
Virgin Hyperloop keeps the IT network as segmented as possible, but the convergence of IT and OT calls for different security measures, especially in a hybrid work environment. When everyone worked on premises, Virgin Hyperloop secured access to the industrial environment with network segmentation and air-gapping. Enforcing strict access control became harder once people needed to reach that environment remotely.
“We relied on a VPN when COVID first hit. Setting up for our next big test iteration introduced a great opportunity to implement robust security standards from the start,” says Ryan.
Ryan’s goal was to isolate new OT environments as much as possible, while making them accessible from the corporate network with separate credentials. “Like everyone, we have seen a rise in hacking and phishing attempts. We take cybersecurity seriously and take all necessary measures to protect our digital and physical IP,” explains Dawn Armstrong, Vice President for Information Technology at Virgin Hyperloop.
As part of his standard due diligence, Ryan assessed Microsoft Azure alongside OneLogin for Microsoft Remote Desktop Gateway (RDG). Virgin Hyperloop already uses OneLogin MFA, with OneLogin Protect on every mobile phone, so OneLogin was a natural fit. “All of our users are familiar with OneLogin. It would have taken significant time to train all who need access to the new environment on a new solution,” says Ryan.
Ryan appreciates that OneLogin has always been responsive and collaborates with Virgin Hyperloop to address any issues. “The OneLogin relationship gives us faith we can get anything working and meet our needs,” he adds.
To that end, Ryan liked that OneLogin supported his vision of putting MFA in front of every remote desktop connection: “I envisioned we would build ‘jump boxes’ of virtual machines that users would securely access before hopping into the OT environment. This would mean MFA was in front of everything that users were trying to access.”
Ryan found the initial setup relatively easy. He planned to pair each virtual machine with its own OneLogin for Microsoft RDG app. However, he found that the number of users needing jump boxes exceeded what a single virtual machine (VM) could handle. “The management effort of assigning a VM to each engineer or assigning two engineers per VM was daunting,” says Ryan.
Instead, he took advantage of Remote Desktop Services’ support for session collections, a pool of interchangeable VMs behind the RD Connection Broker. When a user connects through the gateway to the session collection, the broker automatically load-balances them across the VMs in the pool.
“We currently have four VMs, but we can easily add additional ones if more people require access to the OT environment. We just build a VM and connect it via the OneLogin app, making it very simple for us to manage and scale,” Ryan explains.
Adds Dawn, “OneLogin for Microsoft RDG provided us a more elastic environment with less management overhead. That’s important in any IT organization with resource constraints.”
With OneLogin for Microsoft RDG in place, authorized employees can securely access the OT environment. The setup is secure enough that Virgin Hyperloop can extend access to contractors who work closely with the company’s engineers.
According to Ryan, OneLogin empowered Virgin Hyperloop to layer tight IT security controls onto its OT environment. To complement its network segmentation, the company now provides a single entry point into the OT environment.
“We can now control access to this environment through Active Directory groups and OneLogin roles. We get the security and auditing we want, while allowing the OT environment to function as it should,” he says.
The new setup also frees IT from producing reports for engineers. All data from sensors is aggregated and uploaded to test rigs, which are Windows machines connected to National Instruments hardware. Different test rigs compile data for various engineering functions. “Because OneLogin for Microsoft RDG allowed us to give engineers direct access to the test rigs, they can produce their own reports,” says Ryan.
Since implementing OneLogin for Microsoft RDG, Virgin Hyperloop engineers have expressed a need for access to physical desktops connected to sensors. To simplify that access, Ryan created a dedicated OneLogin app connector for each desktop. “This allows us to provide general jumpbox access, while separately controlling who has access to which test rigs using role-based access. We can mix and match access rights following the principle of least privilege,” he continues.
From Ryan’s perspective, the OneLogin plug-in enhances the Windows RD gateway. With the two coupled, Virgin Hyperloop can audit access via OneLogin events and see who logs in and when. At the same time, Microsoft RDG allows the company to control active sessions. “If someone shouldn't have access, we can disconnect them,” Ryan explains. “So by combining OneLogin with the Microsoft RDG, we can ensure that only those who need access, have it.”
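The pieces described above (a load-balanced pool of jump VMs, access scoped by Active Directory group, and the ability to see and cut active sessions) can be scripted with the standard Remote Desktop Services cmdlets. The following is an added example, not Virgin Hyperloop’s or OneLogin’s code: it assumes an RDS deployment with an RD Connection Broker and an RD Gateway, and every hostname, collection name and group name in it is a placeholder. The OneLogin MFA step itself is performed by the OneLogin plug-in installed on the gateway, as the article describes, and is not something this script configures.

```powershell
# Added example (not Virgin Hyperloop's or OneLogin's code). Assumes an RDS
# deployment with a Connection Broker and an RD Gateway; all names are placeholders.
Import-Module RemoteDesktop            # New-RDSessionCollection, Get-RDUserSession, ...
Import-Module RemoteDesktopServices    # provides the RDS: drive (run on the RD Gateway)

$Broker     = 'rdcb.corp.example'      # assumed RD Connection Broker
$Collection = 'OT-JumpBoxes'           # pool of interchangeable jump VMs
$JumpHosts  = @('jump01.corp.example', 'jump02.corp.example',
                'jump03.corp.example', 'jump04.corp.example')
$OtUsers    = 'CORP\OT-Engineers'      # AD user group granted jump-box access
$OtHosts    = 'CORP\OT-JumpHosts'      # AD computer group containing the jump VMs

# 1. Build the session collection. The broker load-balances new connections
#    across its hosts, so scaling means adding a VM, not assigning one per user.
New-RDSessionCollection -CollectionName $Collection -SessionHost $JumpHosts[0..1] `
    -ConnectionBroker $Broker
Add-RDSessionHost -CollectionName $Collection -SessionHost $JumpHosts[2..3] `
    -ConnectionBroker $Broker
Set-RDSessionCollectionConfiguration -CollectionName $Collection `
    -UserGroup $OtUsers -ConnectionBroker $Broker

# 2. Scope the gateway: only the OT group may authenticate (CAP), and only to
#    the jump hosts (RAP). Enum values assumed from the RDS provider docs:
#    AuthMethod 1 = password; ComputerGroupType 0 = Active Directory computer group.
New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'CAP-OT-Jump' `
    -UserGroups $OtUsers -AuthMethod 1
New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'RAP-OT-Jump' `
    -UserGroups $OtUsers -ComputerGroupType 0 -ComputerGroup $OtHosts

# 3. Audit who is on the pool, and disconnect anyone who should no longer be there.
function Get-OtSession {
    Get-RDUserSession -ConnectionBroker $Broker -CollectionName $Collection
}

function Disconnect-OtUser {
    param([Parameter(Mandatory)][string]$UserName)
    Get-OtSession | Where-Object { $_.UserName -eq $UserName } | ForEach-Object {
        Disconnect-RDUser -HostServer $_.HostServer `
            -UnifiedSessionID $_.UnifiedSessionId -Force
    }
}

Get-OtSession | Select-Object UserName, HostServer, SessionState, CreateTime, IdleTime
```

Adding a fifth jump VM is then `Add-RDSessionHost` plus membership in the `OT-JumpHosts` computer group; removing a user from `OT-Engineers` closes the door at both the collection and the gateway, and `Disconnect-OtUser` ends any session that is already open. The OneLogin event log supplies the "who logged in and when" side of the audit trail; this script only covers the RDS side.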
As Dawn underscores, COVID has forever changed the world. “We will work in a hybrid environment from now on. That means adapting to allowing more people to work remotely and securing that access. But we always need to balance security with ease of use, so people aren’t prompted to find workarounds,” she explains. “With OneLogin for RDG, we gain tight security controls that enable secure access balanced with usability.”