By Damon Purvis
Use layered defenses to provide cybersecurity for remote OT assets.
Industrial remote access security is never achieved with a single plug-in appliance; instead it relies on layers of hardware, software, and procedural defenses.
An oxymoron is a figure of speech combining two contradictory terms. When bidding a project, have you ever tried to create an “accurate estimate,” or did your time off ever turn into a “working vacation”? In the context of secure remote access for industrial automation systems, some oxymorons like “friendly defense” or “open security” may come to mind.
Manufacturers and operating companies would like convenient access to their digital systems and production data, but they must take steps to mitigate the risk of cyberattackers stealing their data or disrupting operations. There are many complex technical steps and cumbersome procedural requirements these organizations can enact to secure their systems, but if these steps make gaining remote access impractical, then it will be impossible to realize value. Another issue arises for smaller organizations, especially those solely focused on their core competencies, that do not have enough resources for researching and applying cybersecurity measures.
In search of an answer, many companies hear and like the term “defense-in-depth,” defined by the National Institute of Standards and Technology as an “information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization.” But what does this mean for original equipment manufacturers, systems integrators, and end users looking for workable ways to implement secure remote access to their industrial systems?
Remote access, from a want to a need
Remote access for industrial automation systems generally involves connecting on-site operations technology (OT) assets like programmable logic controllers (PLCs) and human-machine interfaces (HMIs) to enterprise and information technology (IT) computing systems that are on site or in the cloud. This remote access can take on one or more forms:
- performing basic data transmission to a database or historian
- enabling remote and mobile visualization, which can include accessing a local HMI or populating data for a web-based dashboard, viewable on a PC or mobile device
- allowing operators to make set point and alarm limit changes
- supporting the upload/download of PLC programs, HMI configurations, and other network maintenance
- transmitting alarms and notifications, usually via text or email, and providing an acknowledgement method
- connecting with manufacturing execution systems and/or enterprise resource planning applications.
For many years, users wanted these features mostly for their convenience in the operation, optimization, and maintenance of their automated systems. Unfortunately, many types of automated equipment, especially smaller standalone systems, were “air-gapped” and not connected to any type of networking, so implementing remote access required a lot of custom engineering effort. Even when a system could be networked, many users simply did not have the expertise to establish remote connectivity, or if they did, they were rightfully concerned about cybersecurity.
However, the reality today—especially considering the COVID-19 pandemic—is that all types of users now require remote connectivity to fully engage their production, engineering, and maintenance teams, regardless of where they are located. Of course, an increasing prevalence of connected systems means that digitally controlled production environments become vulnerable to new risks, many of them directly associated with human error, negligence, or retaliation. There is no choice but to overcome both the technical and the security challenges to provide the remote access that is needed, but in a practical manner.
Defense-in-depth refers to a layered cybersecurity approach meant to defend against vulnerabilities that are inherent to digital and physical assets and the people who use them. Typical IT departments already have systems and policies in place incorporating these requirements. OT departments, on the other hand, are less likely to follow this approach, because OT products have typically offered few cybersecurity features, and cybersecurity was not a key focus for industrial systems until the rise of connectivity options in recent years.
With this in mind, what topics should be considered as an organization develops a defense-in-depth strategy for remote access of industrial automation assets? Following are key concepts for properly applying security measures that will satisfy both OT and IT.
As industrial automation hardware and software have been adapting commercial networking technologies to a greater extent, instead of using dedicated or proprietary methods, the OT and IT domains have been converging. OT houses the source assets requiring connectivity, but IT is almost always required to establish connectivity to on-site networking and the Internet. Even if a cellular or satellite technology is used, the IT group typically will be called upon to apply its security policies.
Many IT groups warily view the OT arena as the “Wild West,” where keeping things up and running is paramount, regardless of policies and procedures. Conversely, OT groups have found that IT personnel can be overly restrictive and even paranoid in their pursuit of comprehensive security. Therefore, it is essential for success that both OT and IT groups work together consistently, and not just to tie up loose ends at the conclusion of a project (figure 1). Cybersecurity must instead be designed and built in from cradle to production, with shortcuts or bypasses strictly avoided.
Working cooperatively, OT personnel should consider the remote access technologies that IT recommends, supports, and recognizes as secure. The number one answer is typically a virtual private network (VPN) solution. VPNs extend a protected network connection between two or more endpoints over open or public networks. VPNs encrypt all traffic and obfuscate device IP addresses, making it difficult for third parties to access or interfere with the data.
Most IT departments will accept VPN technology, but more rigorous organizations may require the OT group and/or a VPN provider to complete a checklist before implementation. Reputable VPN hardware, software, and services providers will help with this process. Users are advised to avoid providers that fail to supply clear responses, or those lacking verifiable documentation and certifications.
User management and authentication
Most IT groups employ user authentication controls to manage user access. Authentication confirms that users who log in—whether locally or via a public network—are who they say they are, and a confirmed identity in turn provides the basis for granting appropriate access (figure 2). Traditional OT systems most often provided open access, because older technologies did not include significant security features, and in any case the industrial user was typically most concerned with availability, at the expense of confidentiality and integrity.
Modern OT products are now more likely to incorporate authentication provisions compatible with and acceptable to the IT infrastructure. Single sign-on (SSO) is an example of a technology that seamlessly integrates with Microsoft Azure Active Directory and Google’s OAuth 2.0 application programming interfaces (APIs). The IT group may take additional steps, such as enabling multifactor authentication—which requires additional user input such as a PIN code, possession of a security USB stick, or use of an authenticator app—for an additional layer of protection.
A trustworthy VPN and cybersecurity service provider, whether it is OT- or IT-centric, should be able to provide documentation about the architecture, so all parties can make informed decisions about the implementation. There are usually on-premise, cloud, and hybrid options and aspects for architectures (figure 3). Servers, firewalls, and other devices are needed, so all parties need to understand where these will be physically located, and who will manage and maintain them.
Some solutions rely on external resources delivered as infrastructure-, platform-, and/or software as a service (IaaS, PaaS, SaaS), and each of these resources needs to be vetted. Any solution using the cloud will likely be associated with one or more cloud providers, each of which must be examined for digital and even physical security.
As part of this vetting process, these and other questions must be answered satisfactorily:
- Are data centers local or international, and are they located strategically to provide minimum latency and maximum uptime?
- Does the provider offer a service level agreement, so that end users can be assured of the quality and availability of the connection?
- What OT and IT assets, such as firewalls, will need to be configured to integrate within the architecture? How do you securely configure these to be as strict as possible?
- Is the provider familiar with the OT assets providing the data, and the IT tools required to ensure cybersecurity and compliance?
- How much customization is required for a working solution? Does the customization compromise the overall security of the solution?
Once these questions have been answered, it is time to proceed to the next step.
Implementing a complete and secure remote access system
The preceding sections might seem to raise more questions than answers, which is understandable because implementing a complete and secure remote access system is not as simple as buying an appliance and plugging it in. Some OT and IT groups may be able to create such a system from scratch, or using various products, but creating a comprehensive, demonstrably secure, and maintainable solution is a complex challenge.
A better approach is to build on an established commercial off-the-shelf solution backed by an experienced industry supplier. A dependable provider will have educational and specification assets in the form of white papers, network architecture drawings, videos, and other online support resources. The provider will include free phone support, along with assistance for addressing all OT and IT security concerns.
VPN solutions will integrate OT assets with IT infrastructure, using SSO and other technologies. Cloud resources will consist of dozens of servers distributed worldwide—for segmentation and stability reasons—with endpoints close to user locations and 24/7 security monitoring. Last but not least, users should look for solutions certified according to ISO 27001, which addresses information security management, to verify the highest standards are upheld.
Suppliers offering these types of services will provide the assistance required for organizations to implement and support secure remote access. In most cases, the cost of engaging competent suppliers is less than hiring and retaining sufficient internal staff, creating a mutually beneficial relationship that makes financial and technical sense.
All figures courtesy of AutomationDirect
We want to hear from you! Please send us your comments and questions about this topic to InTechmagazine@isa.org.