Secure Remote Access for ICS-OT-IIoT
Secure Remote Access for ICS – Utilities, manufacturing and other process-oriented organizations are struggling with the challenge of securely conducted remote maintenance for their Industrial Control Systems (ICS) / Operation technology (OT). When the operator or a plant engineer is detecting a problem, this triggers an instant need for a solution. Correctly operating appliances and control solutions are critical to the operating safety, reliability and productivity (SRP) of a plant, but remote connectivity, especially by third parties, increases exposure to cybersecurity risks. Consequently, the ability to connect remotely to a plant is often targeted by cyber attackers to obtain unauthorized access and launch an attack with a severe impact on the plant.
Controlling the remote access conducted by multiple vendors is a complex task and it requires well adapted Secured Remote Access (SRA) measures. The SRA may be granted only to authorized and authenticated users, and it should only allow access to the specific zones in the ICS, according to granular policies defined by the system owner. Human supervision of that SRA process is highly recommended.
The use of a Virtual Private Network (VPN) was the most common method for remote access. The VPN provides a secure encrypted tunnel between a remotely located computer of the service person and the ICS network. However, it is important to be aware of severe drawbacks caused by using the VPN technology.
Since the ICS must allow for more than one service organization to conduct remote VPN access, this is a complex task, as managing multiple VPNs into the ICS requires subsequent openings of multiple ports in your firewall. Consequently, if the firewall is not accurately configured, the connecting engineers might be granted higher privileges that allow them to access devices and computers without authorization.
Aiming to overcome the VPN weaknesses, some vendors deploy their own remote access agent, which is certified by the system owner. The drawbacks to this solution are similar to the VPN, because such SRA process must be allowed to all vendors and this requires the opening of multiple ports in the firewall.
Furthermore, it is important to emphasize that the VPN allows two-way communication. This means, that if the critical firewall is compromised, a connection can be established from an external entity to the ICS and from the ICS to the attacker, who may send malware code into the ICS and attack the critical device.
The SRA process
The following paragraphs define a properly deployed SRA process and it will help you to ensure the operating SRP goals. The outlined techniques are applicable for the majority of ICS type operations serving over a dozen industry types and result in better secured architectures.
- The remote access session to the ICS should always start with authenticating the connecting entity by relying on the organization’s updated Active Directory (AD). Upon completion of this step, the remotely connecting service person will be allowed granted access to designated sections in the ICS.
- By using a secured password vault, the remote access can be made without disclosing the secret credentials. It avoids compromising the ICS-related credentials through password manipulation. Furthermore, that process allows convenient and secured management of password renewals.
- All remotely connected users should be audited and if required, the cyber security team may block a suspicious remote session. The passively operating Network Intrusion Detection System (NIDS) installed in the ICS zone, performs traffic monitoring, may inspect the protocols, monitor the amount of data, the frequency of access and generate an alert on detected deviations from the normal baseline.
- All connecting users must be authorized according to Role Based Access (RBAC) principles and should be granted access rights based on Least Privilege principles. Prior to a remote session being authorized, the accurate authorization process shall define who can access the designated asset, at what time slot, from which computer, using predefined protocol and performing only specific actions.
- If the action requires transfer of data-files to the ICS, that secured process may be allowed for actions such as; operating system update, application program and production recipes updates, patch management and antivirus updates. The entire process must be accurately documented and the generated logs must be sent to the NIDS as well as the ICS control center.
- The conduit between the authorized remote service person’s computer and ICS must be strongly secured, and define that only a single port in the ICS architecture is opened. The traffic through that port should also be monitored by the IT and OT cyber security teams. This process is better secured than use of multiple VPNs, which require the opening of multiple ports.
SRA to the IIoT Ecosystem
In recent years we have seen a new trend of extending the ICS architectures with Industrial Internet of Things (IIoT) end-point devices. They communicate with cloud-based service providers for the purpose of optimizing operation processes, detecting malfunctions in the early stage and preventing mechanical damage.
- It is important to emphasize that in order to conduct an adapted process matching the specific ICS, the SRA process must by separately evaluated for the ICS architecture and for the IIoT architecture.
- Some of these IIoT ecosystems operate in a stand-alone structure, while other IIoT ecosystems can be logically and also physically linked with the ICS architecture. The important goal is performing the necessary service tasks without exposing the ICS and the IIoT ecosystem to an attacker.
Automated SRA processes
Conducting the SRA process is especially important nowadays during the COVID-19 era, when service engineers are unable to arrive at remote sites. But, as mentioned above, controlling the remote access of external parties to an ICS environment is a complex task. So, how can it be made easier?
- Several vendors have started offering an automated process for SRA sessions. In these architectures, the connecting service engineers authenticate themselves against a predefined website, receive access to a virtual computer and following that action they are allowed to reach the ICS zone.
- At the field site of the ICS network you may find a dedicated gateway, which provides the access to the designated equipment. Using such a predefined session, the SRA process can be automatically established while shortening the access time and expediting the technical solution.
Summary and Conclusions
Service teams conducting problem solving or periodic maintenance processes should be allowed to carry out their SRA tasks to both the ICS and IIoT architectures. Both processes must be strongly secured through encrypted sessions and conducting strong authentication. Adhering to these principles will assure the SRP goals are reached and improve the overall security posture of your organization.
Daniel Ehrenreich, BSc., is a consultant and lecturer acting at Secure Communications and Control Experts, periodically teaches in colleges and present at industry conferences topics on integration of cyber defense with ICS; Daniel has over 29 years of engineering experience with ICS/OT for: Electricity, water, oil and gas and power plants as part of his activities at Tadiran Electronics, Motorola Solutions, Siemens and Waterfall Security.
Secure Remote Access for ICS – OT – IIoT