October 19, 2016
By Shmulik Aran, NextNine
The third in a series of four articles on OT security management for manufacturing enterprises, this article further discusses the merger of information technology networks and operational technology infrastructure.
The manufacturing industry is constantly benefiting from the application of new technologies and innovations. This is certainly the case with the merger of information technology (IT) networks and operational technology (OT) infrastructure. The convergence of IT and OT gives manufacturing enterprises better control of operational processes, improving overall reliability, safety and profitability. At the same time, connecting IT and OT networks exposes a manufacturer and its operations to a new set of cybersecurity vulnerabilities.
As part of an overall corporate strategy to address the cybersecurity risks of connected operations, full visibility of all operational assets and secure connectivity among these operational devices and equipment is required.
The Need for Secure Connectivity
In order to maintain high levels of safety, reliability and availability, a manufacturer’s equipment must be monitored and accessed remotely. Routine maintenance tasks performed remotely include patching, hardening and log collection. Remote access is also needed for fast responses to incidents, such as a plant team noticing a production yield problem that requires a remote expert to have immediate access to support the onsite team and find a solution.
These remote activities typically involve two functions. The first is remote access (RDP, SSH, HTTP) and the second is data transfer to a remote machine or from the machine to the control center. Some activities performed remotely are machine-to-machine (M2M), which can be completely automated without human intervention or supervision.
While these remotely performed activities are often critical to plant safety and reliability, having connectivity from the outside and allowing various remote access processes, especially by third parties, increases the ICS attack surface. This connectivity is a frequent target for attackers seeking unauthorized access to a manufacturer’s industrial infrastructure.
It is a complex task to control the remote access of multiple vendors, first and third party workers, and machines—all of which are establishing numerous connections to various plants and assets. Access must be given in a way that ensures that only authorized and authenticated users have access to only their specific systems, in adherence with granular policies determined by the plant operator.
Problematic Existing Practices
Today, the most prominent method used for remote access, monitoring and data transfer is a virtual private network (VPN). A VPN is designed to provide a secure encrypted tunnel in which to transmit the data between the remote user and the manufacturer’s network.
There are several shortcomings to using VPNs for remote access. For instance, each party needing remote access has its own VPN. This creates a management headache for the network and security administrators, who must now manage multiple VPNs and corresponding openings in the firewall. Remote users coming in through their VPNs may have excessive privileges on the plant LAN, allowing them to see or access assets for which they have no authorization. Also, a VPN provides two-way communication: the connection can be established from the outside as well as from the inside. As a result, an attacker who seizes a third-party vendor's VPN connection can initiate communication that sends malware or malicious commands to the internal asset.
Instead of VPNs, some enterprises have a physical network connection, like fiber running between the head office and the plant, although because this is expensive it is not utilized often.
Another much more common scenario is for a vendor to have its own remote access solution that is certified by the manufacturer that has deployed the vendor's machines. The downside of this approach is that each production facility has numerous vendors and the operation team needs to punch another hole in the air gap for each vendor. In addition, such access is typically not visible to the plant's corporate security team.
Whether vendors are using their own remote access tools or the VPNs provided by the manufacturer, the resulting situation is a spaghetti bowl of multiple lines coming in from all of the vendors to all of the assets across all of the sites. These practices are difficult to manage and expose the manufacturer to unnecessary risks.
Best Practices for Securing Remote Access to Assets
The following best practices are recommended for a manufacturing enterprise that needs to provide remote access to ensure high availability, reliability and safety without compromising the security of its production facilities.
- Implement top-down control - all third party remote access to the industrial network must be funneled and authenticated through a single location. This eliminates proprietary end-runs around security controls straight into the industrial assets, as well as the difficulty of managing many VPN connections. Consolidating all remote connections through a single point means fewer connections and a more secure access arrangement.
- Protect asset credentials - provide remote user privileged access without sharing assets' credentials. This should be done with a password vault, which enables the access without sharing the actual password. This helps to prevent compromise of credentials through keylogging and risky password management, and eases the management of password expirations and renewals. Additionally, in a time of crisis, the third party can gain fast access without the risk of forgetting a unique password.
- Enforce accountability and monitoring - all users' activities should be monitored and audited with IT and OT being able to approve, deny or terminate a session as necessary. Here, network monitoring can examine the traffic passing through these connections and alert on anomalies.
- Use a policy for access - set all user access to "least privilege" mode and provide exceptions to the policy on an individual basis. Use a flexible rule engine to define access granularity, such as who can access which asset(s), when, from where, using which protocols, and doing which activities.
- Allow data and file transfer - provide a secure means to send files, such as patches, to the ICS, and to send files, such as logs and alerts, from the ICS to the control center.
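As an added illustration of the "least privilege with individual exceptions" and "accountability" practices above (code written for this article, not a NextNine product feature), the following rule engine evaluates a remote-access request against the dimensions the text lists: who, which asset(s), when, from where, which protocol and which activity. Anything not explicitly matched is denied, and every decision is written to an audit trail. The vendor name, asset tags, source network and time window are constructed assumptions.

```python
"""Added example: a least-privilege remote-access rule engine with an audit trail.

Illustrative code written for this article, not a NextNine product feature.
Vendor names, asset tags, networks, time windows and sample requests are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    vendor: str                       # who
    assets: frozenset                 # which asset(s), by inventory tag
    protocols: frozenset              # e.g. "RDP", "SSH", "HTTPS"
    activities: frozenset             # e.g. "view", "patch", "log-collect"
    source_nets: Tuple[str, ...]      # from where (CIDR strings)
    weekdays: frozenset               # when: 0 = Monday ... 6 = Sunday
    hours: Tuple[int, int]            # when: [start, end) in local plant time


@dataclass(frozen=True)
class Request:
    vendor: str
    asset: str
    protocol: str
    activity: str
    source_ip: str
    at: datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed policy: one pump vendor may reach its own two devices over
# RDP/SSH from its corporate range, weekdays 08:00-18:00, to view or patch.
RULES = [
    Rule(vendor="pump-vendor",
         assets=frozenset({"PLC-PUMP-01", "HMI-PUMP-01"}),
         protocols=frozenset({"RDP", "SSH"}),
         activities=frozenset({"view", "patch"}),
         source_nets=("203.0.113.0/24",),
         weekdays=frozenset(range(0, 5)),
         hours=(8, 18)),
]

AUDIT: List[Dict[str, str]] = []   # every decision, allowed or denied, is recorded


def _source_ok(rule: Rule, ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in rule.source_nets)


def _time_ok(rule: Rule, at: datetime) -> bool:
    start, end = rule.hours
    return at.weekday() in rule.weekdays and start <= at.hour < end


def evaluate(rules: List[Rule], req: Request,
             audit: List[Dict[str, str]] = AUDIT) -> Decision:
    """Default deny: a session is allowed only if some rule matches every dimension."""
    failures = []
    for rule in rules:
        if rule.vendor != req.vendor:
            continue
        checks = [
            ("asset", req.asset in rule.assets),
            ("protocol", req.protocol in rule.protocols),
            ("activity", req.activity in rule.activities),
            ("source", _source_ok(rule, req.source_ip)),
            ("time", _time_ok(rule, req.at)),
        ]
        failed = [name for name, ok in checks if not ok]
        if not failed:
            decision = Decision(True, "matched rule for " + rule.vendor)
            break
        failures.append("failed on " + ", ".join(failed))
    else:
        decision = Decision(False, "; ".join(failures) or "no rule for vendor")
    # Accountability: record who asked for what, from where, and the outcome.
    audit.append({"at": req.at.isoformat(), "vendor": req.vendor, "asset": req.asset,
                  "protocol": req.protocol, "activity": req.activity,
                  "source": req.source_ip, "allowed": str(decision.allowed),
                  "reason": decision.reason})
    return decision


def run_scenarios() -> List[Decision]:
    """Four constructed requests: one in policy, three outside it."""
    wed = datetime(2016, 10, 19, 10, 0)      # a Wednesday, inside the window
    sat = datetime(2016, 10, 22, 10, 0)      # a Saturday, outside the window
    requests = [
        Request("pump-vendor", "PLC-PUMP-01", "SSH", "patch", "203.0.113.10", wed),
        Request("pump-vendor", "PLC-MIXER-02", "SSH", "patch", "203.0.113.10", wed),
        Request("pump-vendor", "PLC-PUMP-01", "SSH", "patch", "203.0.113.10", sat),
        Request("other-corp", "PLC-PUMP-01", "RDP", "view", "198.51.100.9", wed),
    ]
    return [evaluate(RULES, r) for r in requests]


if __name__ == "__main__":
    for d in run_scenarios():
        print(d)
```

The for/else makes the default-deny explicit: the loop only breaks on a full match, and the denial reason names the first dimension each candidate rule failed on, which is what the auditing team needs to see when a vendor asks why a session was refused.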
Authentication, privilege management and accountability are the business logic behind a strong remote access control infrastructure, which should include all of the following:
- The connections between the remote users and industrial assets should be highly secured. For instance, a single outbound port for all simultaneous connections to the industrial facility should be used rather than multiple VPNs. All traffic should be funneled through this port, which is controlled and monitored by both the IT and OT security teams.
- Use standard secure communication protocols, such as TLS, to encrypt all communications.
- Multiple protocols must be supported due to the uniqueness and diversity of vendor and purpose-built systems.
- There should be the ability to connect to existing IT solutions such as SIEM, LDAP and Jump servers.
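To make the single-outbound-port requirement concrete, together with the earlier point that a VPN lets a connection be initiated from the outside, here is an added example (not from the original article or from NextNine) that classifies firewall connection records by which side initiated them and raises an alert for anything that bypasses the one sanctioned channel. It assumes a key=value log format, a plant network of 10.20.0.0/16 and a broker at 198.51.100.5:443, all constructed for the example, and that the log records the initiating side as src.

```python
"""Added example: checking connection logs for remote-access channels that
bypass the single outbound broker port.

Illustrative code written for this article, not a NextNine tool. The log
format, the ICS subnet 10.20.0.0/16, the broker address 198.51.100.5:443 and
the sample lines are all constructed. Assumption: the firewall logs the
initiating side of each connection as src.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List

ICS_NET = ip_network("10.20.0.0/16")        # constructed plant network
BROKER_IP = ip_address("198.51.100.5")       # constructed remote-access broker
BROKER_PORT = 443                            # the single permitted outbound port

# Constructed sample records, one per line.
SAMPLE_LOG = """\
ts=2016-10-19T10:02:11 action=ALLOW proto=TCP src=10.20.0.15 sport=50112 dst=198.51.100.5 dport=443
ts=2016-10-19T10:05:40 action=ALLOW proto=TCP src=203.0.113.10 sport=51234 dst=10.20.0.15 dport=3389
ts=2016-10-19T10:07:03 action=ALLOW proto=TCP src=10.20.0.30 sport=40021 dst=192.0.2.77 dport=22
ts=2016-10-19T10:09:15 action=ALLOW proto=TCP src=10.20.0.30 sport=40022 dst=10.20.0.31 dport=502
ts=2016-10-19T10:11:48 action=DENY proto=TCP src=203.0.113.10 sport=51300 dst=10.20.0.15 dport=22
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split a 'key=value key=value ...' record into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def classify(rec: Dict[str, str]) -> str:
    """Name the connection by direction relative to the plant network."""
    src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
    src_in, dst_in = src in ICS_NET, dst in ICS_NET
    if src_in and dst_in:
        return "internal"                    # plant-to-plant traffic, not our concern here
    if dst_in:
        return "inbound-to-ics"              # initiated from outside: should never happen
    if src_in:
        if dst == BROKER_IP and int(rec["dport"]) == BROKER_PORT:
            return "broker-channel"          # the one sanctioned outbound channel
        return "unsanctioned-outbound"       # plant asset reaching out elsewhere
    return "external"


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Return an alert record for every established connection outside policy."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("action") != "ALLOW":     # only sessions that actually went through
            continue
        kind = classify(rec)
        if kind in ("inbound-to-ics", "unsanctioned-outbound"):
            alerts.append({"ts": rec["ts"], "kind": kind, "src": rec["src"],
                           "dst": rec["dst"] + ":" + rec["dport"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample above the first record is the plant's own outbound session to the broker and passes; the RDP session initiated from 203.0.113.10 and the SSH session a plant host opened toward 192.0.2.77 are both flagged, which is exactly the pair of cases the VPN and vendor-tool practices leave invisible to the corporate security team.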
Remote access to industrial assets is essential for high availability, reliability and safety. Controlling the remote access of multiple first and third parties to a distributed industrial environment is a complex task. A manufacturer that needs to allow remote access should control and secure it using an arrangement that provides authentication, privilege management and accountability, running on top of a strong and secure infrastructure. This will position a manufacturer to improve its overall security posture and better manage the security of its OT operation.
This article is the third in a series of four articles on OT security management for manufacturing enterprises. The first article presented an overview of the OT security challenges faced by manufacturers connecting their IT and OT operations and offered three recommendations for improving the security posture of a connected manufacturing environment. The second article looked at the importance of network visibility and industrial asset inventory and the final article will offer a strategy for a top-down approach to OT security management.
About the Author
Shmulik Aran is the CEO of NextNine, a provider of security management solutions for connected industrial control system environments.