The First Global Cyber Security Observatory

Innovation - Insight - Leadership

Leave a Comment

Secure Remote Access for ICS-OT-IIoT

Author: Daniel Ehrenreich, Consultant and Lecturer, SCCE

Introduction

Secure Remote Access for ICS - Utilities, manufacturing and other process-oriented organizations are struggling with the challenge of securely conducted remote maintenance for their Industrial Control Systems (ICS) / Operation technology (OT). When the operator or a plant engineer is detecting a problem, this triggers an instant need for a solution. Correctly operating appliances and control solutions are critical to the operating safety, reliability and productivity (SRP) of a plant, but remote connectivity, especially by third parties, increases exposure to cybersecurity risks. Consequently, the ability to connect remotely to a plant is often targeted by cyber attackers to obtain unauthorized access and launch an attack with a severe impact on the plant.

Controlling the remote access conducted by multiple vendors is a complex task and it requires well adapted Secured Remote Access (SRA) measures. The SRA may be granted only to authorized and authenticated users, and it should only allow access to the specific zones in the ICS, according to granular policies defined by the system owner. Human supervision of that SRA process is highly recommended.

Traditional Process

The use of a Virtual Private Network (VPN) was the most common method for remote access. The VPN provides a secure encrypted tunnel between a remotely located computer of the service person and the ICS network. However, it is important to be aware of severe drawbacks caused by using the VPN technology.

Since the ICS must allow for more than one service organization to conduct remote VPN access, this is a complex task, as managing multiple VPNs into the ICS requires subsequent openings of multiple ports in your firewall. Consequently, if the firewall is not accurately configured, the connecting engineers might be granted higher privileges that allow them to access devices and computers without authorization.

Aiming to overcome the VPN weaknesses, some vendors deploy their own remote access agent, which is certified by the system owner. The drawbacks to this solution are similar to the VPN, because such SRA process must be allowed to all vendors and this requires the opening of multiple ports in the firewall.

Furthermore, it is important to emphasize that the VPN allows two-way communication. This means, that if the critical firewall is compromised, a connection can be established from an external entity to the ICS and from the ICS to the attacker, who may send malware code into the ICS and attack the critical device.

previous arrow
PLATINUM
Innovators
Innovators
PLATINUM
Innovators
Innovators
next arrow

 

The SRA process

The following paragraphs define a properly deployed SRA process and it will help you to ensure the operating SRP goals. The outlined techniques are applicable for the majority of ICS type operations serving over a dozen industry types and result in better secured architectures.

  • The remote access session to the ICS should always start with authenticating the connecting entity by relying on the organization’s updated Active Directory (AD). Upon completion of this step, the remotely connecting service person will be allowed granted access to designated sections in the ICS.
  • By using a secured password vault, the remote access can be made without disclosing the secret credentials. It avoids compromising the ICS-related credentials through password manipulation. Furthermore, that process allows convenient and secured management of password renewals.
  • All remotely connected users should be audited and if required, the cyber security team may block a suspicious remote session. The passively operating Network Intrusion Detection System (NIDS) installed in the ICS zone, performs traffic monitoring, may inspect the protocols, monitor the amount of data, the frequency of access and generate an alert on detected deviations from the normal baseline.
  • All connecting users must be authorized according to Role Based Access (RBAC) principles and should be granted access rights based on Least Privilege principles. Prior to a remote session being authorized, the accurate authorization process shall define who can access the designated asset, at what time slot, from which computer, using predefined protocol and performing only specific actions.
  • If the action requires transfer of data-files to the ICS, that secured process may be allowed for actions such as; operating system update, application program and production recipes updates, patch management and antivirus updates. The entire process must be accurately documented and the generated logs must be sent to the NIDS as well as the ICS control center.
  • The conduit between the authorized remote service person’s computer and ICS must be strongly secured, and define that only a single port in the ICS architecture is opened. The traffic through that port should also be monitored by the IT and OT cyber security teams. This process is better secured than use of multiple VPNs, which require the opening of multiple ports.

SRA to the IIoT Ecosystem

In recent years we have seen a new trend of extending the ICS architectures with Industrial Internet of Things (IIoT) end-point devices. They communicate with cloud-based service providers for the purpose of optimizing operation processes, detecting malfunctions in the early stage and preventing mechanical damage.

  • It is important to emphasize that in order to conduct an adapted process matching the specific ICS, the SRA process must by separately evaluated for the ICS architecture and for the IIoT architecture.
  • Some of these IIoT ecosystems operate in a stand-alone structure, while other IIoT ecosystems can be logically and also physically linked with the ICS architecture. The important goal is performing the necessary service tasks without exposing the ICS and the IIoT ecosystem to an attacker.

Automated SRA processes

Conducting the SRA process is especially important nowadays during the COVID-19 era, when service engineers are unable to arrive at remote sites. But, as mentioned above, controlling the remote access of external parties to an ICS environment is a complex task. So, how can it be made easier?

  • Several vendors have started offering an automated process for SRA sessions. In these architectures, the connecting service engineers authenticate themselves against a predefined website, receive access to a virtual computer and following that action they are allowed to reach the ICS zone.
  • At the field site of the ICS network you may find a dedicated gateway, which provides the access to the designated equipment. Using such a predefined session, the SRA process can be automatically established while shortening the access time and expediting the technical solution.

Summary and Conclusions

Service teams conducting problem solving or periodic maintenance processes should be allowed to carry out their SRA tasks to both the ICS and IIoT architectures. Both processes must be strongly secured through encrypted sessions and conducting strong authentication. Adhering to these principles will assure the SRP goals are reached and improve the overall security posture of your organization.

Daniel Ehrenreich, BSc., is a consultant and lecturer acting at Secure Communications and Control Experts, periodically teaches in colleges and present at industry conferences topics on integration of cyber defense with ICS; Daniel has over 29 years of engineering experience with ICS/OT for: Electricity, water, oil and gas and power plants as part of his activities at Tadiran Electronics, Motorola Solutions, Siemens and Waterfall Security.

previous arrow
PLATINUM
Innovators
Innovators
PLATINUM
Innovators
Innovators
next arrow

 

Follow Us

Secure Remote Access for ICS - OT - IIoT

LATEST INFOGRAPHICS - MEMBERS

Airbus Cybersecurity
Image is not available
REBLAZE
Image is not available
Airbus Cybersecurity
Image is not available
ENCODE
Image is not available
BLU5
Image is not available
previous arrow
next arrow

Latest Product Videos

Encode
Image is not available
IEC
Image is not available
IAI ELTA
Image is not available
SAFEBREACH
Image is not available
previous arrow
next arrow

Our Latest Infographics

RANSOMWARE CHALLENGE
Image is not available
AURORA VULNERABILITY
Image is not available
Cyber Ranges
Image is not available
Breach & Attack Simulation
Image is not available
NIST
Image is not available
DDoS Attacks
Image is not available
Securing IoT & IIoT Devices
Image is not available
previous arrow
next arrow

Latest Video Infographics

US CyberSlide
Image is not available
Potential Attacks on Connected Vehicles
Image is not available
Major Cybersecurity Threats in Healthcare
Image is not available
Cybersecurity Applications of AI in Financial Services
Image is not available
previous arrow
next arrow

All Infographics

Cyber Security Infographics Members Please find … Download...

All Product Videos

Cyber Security Product Videos Please find below our selection of cyber security … Download...

All Our Infographics

Cyber Security Infographics We are creating … Download...

All Video Infographics

Cyber Security Video Infographics We are glad to … Download...

Contact Us

Who We Are

Our Mission

Our Values

Legal Notice

Terms of Service

Privacy Policy

Cookie Policy

Acknowledgements

Collaboration

Follow Us

Responsible Disclosure

Hall of Thanks

Hall of Fame

 
>