By now, we have a good understanding of what secure remote access (SRA) is and why organizations might choose to enable it for their OT environments. We also know that securing IT-OT collaboration, leveraging guidance from best practice frameworks and using an automated solution can help organizations to implement this type of access. Even so, we still don’t have a detailed view of how to implement industrial remote access in practice.
SRA Throughout the Industrial Environment
It’s not possible for organizations to ensure secure remote access across their industrial environments in just one step. Effective industrial remote access requires that organizations incorporate security measures into three zones of their OT environments: the machine zone, enterprise zone and outside zone. We’ll use ProSoft to investigate this below.
The machine zone is the section of an organization’s industrial environment that consists of the machine control equipment, the network connecting those pieces of machinery together and remote access modules (if deployed). Many larger organizations have several machine zones to keep different areas of their industrial processes separate. Combined, these zones make up the plant zone.
It might be tempting to simply use a PC with a remote desktop connection to enable remote access to a machine zone. But this creates three problems. First, a malicious actor could use the PC’s advanced networking capabilities to bypass the organization’s DMZ were they to succeed in compromising the device. They could then access parts of the network that would otherwise be off limits and subsequently leverage that access to launch digital attacks.
Second, the PC comes with a full operating system whose components will suffer from vulnerabilities in the future. The problem is that the machine builder or system integrator is oftentimes responsible for issuing this device, meaning that it might not fall under the IT department’s patch management strategy. In the absence of those fixes, digital attackers could use those vulnerabilities to gain access to the network.
Third, traditional PCs don’t come with the necessary components for managing industrial control equipment. Organizations must therefore purchase licenses for that software, thereby creating more programs that security personnel must monitor.
A dedicated remote access gateway doesn’t suffer from the shortcomings identified above. It connects directly to the local machine network and the cellular wide area network, thereby disallowing access to sensitive parts of the organization’s industrial environment. The remote access gateway also doesn’t come with all of a PC’s capabilities; nefarious individuals therefore can’t use it as a platform for launching digital attacks. Lastly, depending on the provider, these solutions may be subject to ongoing penetration testing and regular vulnerability scans that help to eliminate security weaknesses.
The enterprise zone tends to be more complicated than the machine zone. This section contains the organization’s personal computers, email systems, customer databases and other IT assets. As such, it commonly contains security solutions as a means of defending those IT assets against instances of malicious access.
Organizations could theoretically use a corporate VPN or dedicated vendor portal to protect those resources. But a guest VPN tool could give a remote user more access than they need. This could threaten the organization’s data if an attacker were able to compromise the remote user’s account. Not only that, but engineers will need to create a new connection between the enterprise zone and the machine zone. They could inadvertently leave some of the organization’s enterprise assets open to attack by doing so.
In contrast to a VPN, a remote access gateway grants remote users access only to the machine network and does not give them broad visibility into the enterprise zone. It also uses encryption to connect the machine to the Internet, all while helping to keep the machine and the organization’s enterprise network separate.
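The difference between a guest VPN and a dedicated gateway comes down to how much of the network a remote session can reach. The following is an added example (not code from the article, Tripwire or ProSoft) that models the three zones the article describes and evaluates two constructed rule sets under a default-deny policy: a VPN design that lands the remote user in the enterprise zone plus a bridging rule into the machine zone, and a gateway design that admits the user only to one controller on one port. Zone names, addresses, ports and the rule format are assumptions made for this example.

```python
"""Zone-based access policy check for industrial remote access.

Added illustration, not code from the article, Tripwire or ProSoft. It models
the outside, enterprise and machine zones and compares two designs for
reaching a machine-zone controller: a guest VPN that terminates in the
enterprise zone, and a gateway that admits the user only to the machine
network. Zone names, addresses, ports and rule format are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_net: str                # destination CIDR the rule covers
    dst_ports: FrozenSet[int]   # allowed TCP ports; empty set means "any port"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_ip: str
    dst_port: int


def is_allowed(rules: List[Rule], flow: Flow) -> bool:
    """Default-deny: a flow is permitted only if some rule explicitly covers it."""
    for r in rules:
        if (r.src_zone, r.dst_zone) != (flow.src_zone, flow.dst_zone):
            continue
        if ip_address(flow.dst_ip) not in ip_network(r.dst_net):
            continue
        if r.dst_ports and flow.dst_port not in r.dst_ports:
            continue
        return True
    return False


# Constructed addressing: enterprise IT on 10.1.0.0/16, one machine cell on
# 10.20.7.0/24 with a controller at 10.20.7.10 listening on 44818 (EtherNet/IP).
PLC_PROGRAMMING = Flow("outside", "machine", "10.20.7.10", 44818)

# Design A: guest VPN drops the remote user into the enterprise zone, and a
# second rule joins that zone to the machine zone (the "new connection" the
# article warns about). Both rules are port-agnostic.
VPN_DESIGN = [
    Rule("outside", "enterprise", "10.1.0.0/16", frozenset()),
    Rule("outside", "machine", "10.20.0.0/16", frozenset()),
]

# Design B: dedicated gateway, only the one controller and only its port.
GATEWAY_DESIGN = [
    Rule("outside", "machine", "10.20.7.10/32", frozenset({44818})),
]

# Flows a remote machine-support engineer does NOT need. Each one a design
# permits is excess reach that a compromised remote account would inherit.
PROBE_FLOWS = [
    Flow("outside", "enterprise", "10.1.5.20", 445),    # IT file server (SMB)
    Flow("outside", "enterprise", "10.1.5.30", 3389),   # IT admin host (RDP)
    Flow("outside", "machine", "10.20.7.10", 22),       # controller, wrong port
    Flow("outside", "machine", "10.20.9.50", 44818),    # a different cell's PLC
]


def excess_reach(rules: List[Rule]) -> List[Flow]:
    """Unneeded flows the design permits; an empty list means least privilege."""
    return [f for f in PROBE_FLOWS if is_allowed(rules, f)]


if __name__ == "__main__":
    for name, design in (("VPN", VPN_DESIGN), ("gateway", GATEWAY_DESIGN)):
        print(f"{name}: needed flow allowed={is_allowed(design, PLC_PROGRAMMING)}, "
              f"excess flows={len(excess_reach(design))}")
```

Both designs satisfy the engineer’s one legitimate need, but only the gateway design has no excess reach. Running a probe list like this against a proposed rule set is a cheap way to make the "more access than they need" argument concrete before the connection is built.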
Last but not least, organizations must take the necessary measures to protect the outside zone. This segment of the industrial environment includes the remote user’s computer, the cloud connectivity service and other communications infrastructure. In other words, it consists of key elements that exist outside of the enterprise zone.
Some solutions for remote access only work if remote users install corresponding software on their PC. This scenario presents a couple of security risks, however. Malicious actors can attempt to trick that remote user into installing a fake or trojanized version of that software onto their machine, for instance. Meanwhile, IT cannot be sure that the remote user is regularly keeping that software up to date.
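The two outside-zone risks named above (a swapped or trojanized client, and a client that quietly falls behind on updates) are both checkable. The following added example (not code from the article or any vendor) shows the two controls a defender would apply: verifying a downloaded client against a digest published by the vendor through a separate channel, using a constant-time comparison, and auditing an inventory of remote users’ endpoints for out-of-date clients with a numeric version compare, since a plain string compare gets "4.10" and "4.2" backwards. The installer bytes, published digest, hostnames and version numbers are all constructed for the example.

```python
"""Outside-zone checks for a remote-access client.

Added illustration, not code from the article or any vendor. Two controls:
(1) reject an installer whose SHA-256 does not match the digest the vendor
publishes out of band; (2) find remote users' endpoints running a client
older than the current release. All sample data below is constructed.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def installer_matches(data: bytes, published_sha256: str) -> bool:
    """Constant-time compare so the check itself leaks nothing about the digest."""
    return hmac.compare_digest(sha256_hex(data), published_sha256.strip().lower())


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric tuple compare: (4, 2, 0) < (4, 10, 1), unlike the strings."""
    return tuple(int(part) for part in version.split("."))


def client_is_current(installed: str, latest: str) -> bool:
    return parse_version(installed) >= parse_version(latest)


def outdated_endpoints(inventory: Dict[str, str], latest: str) -> List[str]:
    """Hostnames whose reported client version is behind the current release."""
    return sorted(host for host, ver in inventory.items()
                  if not client_is_current(ver, latest))


# Constructed stand-ins for a real installer and the digest the vendor would
# publish on its own site or in a signed release note.
GENUINE_INSTALLER = b"constructed-remote-client-installer-v4.10.1"
PUBLISHED_DIGEST = sha256_hex(GENUINE_INSTALLER)
TAMPERED_INSTALLER = GENUINE_INSTALLER + b"\x90"   # one byte appended

# Constructed inventory: version each remote engineer's laptop last reported.
LATEST_RELEASE = "4.10.1"
ENDPOINT_INVENTORY = {
    "eng-laptop-01": "4.10.1",
    "eng-laptop-02": "4.2.0",    # string compare would wrongly call this current
    "contractor-07": "3.9.4",
    "eng-laptop-03": "4.10.1",
}


if __name__ == "__main__":
    print("genuine ok:", installer_matches(GENUINE_INSTALLER, PUBLISHED_DIGEST))
    print("tampered ok:", installer_matches(TAMPERED_INSTALLER, PUBLISHED_DIGEST))
    print("outdated:", outdated_endpoints(ENDPOINT_INVENTORY, LATEST_RELEASE))
```

The digest check only helps if the published value is obtained through a channel the download path cannot tamper with; pulling both from the same unauthenticated page defeats the purpose. The inventory check is the piece IT usually lacks for contractor-owned machines, which is the gap the paragraph above describes.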
Engineers might also think about providing secure remote access by installing free VPN tools on a server with a static public IP address instead of using 2FA. Doing so would create more work for them. They’ll need to be extremely careful with their configurations so that they can mitigate all of the various attack vectors that malicious actors could leverage to abuse the VPN software. They’ll also need to constantly check for vulnerability and security updates.
All of this amounts to much more work than what a remote access gateway might demand. Many of these types of solutions don’t require any user-installed software, for instance. They also commonly rely on containers that run only the microservice components that are needed by the application. In this type of deployment, it’s less feasible for a security flaw in an OS component to compromise the service more broadly.
Implementing Secure Remote Access in Your Organization
As indicated above, remote access gateways offer clear benefits to organizations that are looking to implement SRA in their industrial environments. Organizations just need to make sure that they work with a trusted and experienced solutions provider if they decide to go this route.
Tripwire understands this fact. That’s why it decided to partner with ProSoft to resell ProSoft Secure Remote Access (SRA) solutions. These solutions talk directly with automation devices. In doing so, they allow customers to set up two types of remote access connections: on-demand Secure Remote Access (SRA) for a specific purpose, and an always-on Persistent Data Network (PDN), all while upholding fundamental security controls.