- By Kevin Kumpf
- June 27, 2023
The frequency of cyber threats targeting operational technology (OT) systems has been increasing. The consequences of such threats can be catastrophic.
As those of us within the Industrial Cybersecurity realm have seen, the frequency of cyber threats targeting operational technology (OT) systems has been increasing. These systems encompass industrial controls, manufacturing equipment and devices responsible for managing critical infrastructures and industrial environments. As recent events have demonstrated, the consequences of such threats can be catastrophic.
Navigating the complexities of 'secure' remote access
The need for “Secure” Remote Access (SRA) is one that has grown across all areas of Operational Technology as well as Industrial IoT, Consumer IoT, Medical IoT and others. While getting access to resources safely, securely and efficiently is critical, organizations must weigh regulatory and technical challenges as well.
The oil and gas industry, as an example, must not only meet regulatory challenges such as TSA SD2021-02C, NERC CIP and IEC 62443, but geopolitical challenges as well. While the people I speak with know about the Colonial Pipeline attack, many do not know that it was so crippling that the United States Federal Motor Carrier Safety Administration (FMCSA) declared a state of emergency in 18 states, enabling them to help with shortages of gasoline, diesel, home heating oil and jet fuel. The geopolitical war in Ukraine is also causing these same shortages abroad.
The challenges above do not even include day-to-day technical challenges the industry faces of infrastructure located in the middle of deserts, oceans and hazardous production facilities, which require SRA resources to be designed to withstand harsh conditions and minimal bandwidth.
Additionally, the term “remote” has taken on a new meaning. Many companies want their OT users to be within line of sight of the asset they are controlling, but also at arm's length, to add a higher level of secure, controlled access. The same control is needed for IT crossing into the OT boundary and for remote third parties needing to access resources that control critical systems within facilities. While secure, encrypted access is critical, safety is the leading driver.
In the recently published “State of Industrial Secure Remote Access (I-SRA)” report, 75% of the respondents overwhelmingly acknowledged that overall threats to operational safety were their biggest concern when dealing with any form of Remote Access to an internal resource.
Another 59% were concerned about even trusted users with direct access to resources misconfiguring Purdue Model lower-level (Level 1 – 0) devices such as programmable logic controllers (PLCs), drives, sensors and Equipment Under Control (EUC).
We must, however, not downplay the importance of Security: 67% of respondents feel that Advanced Persistent Threats (APTs) are a growing concern, and 72% view third-party connections as their single biggest risk with Remote Access.
And while Safety leads the respondents' concerns, Security is the driver when it comes to getting the budget dollars. In many cases, just seeing the term Ransomware in an audit, compliance or regulatory document has given OT staff the expanded budgets they need to fund SRA initiatives and improve their overall OT security perimeter.
However, while it is great budgets are growing for Secure Remote Access, organizations must understand the entire People, Process and Technology triad, and all regulatory requirements needed to ensure that both their Safety and Security concerns are met.
Securing industrial environments from a 'people' perspective
From a People perspective, effectively implementing Multi-Factor Authentication (MFA) for all accounts, including shared accounts, is a top priority. Surprisingly, only 40% of the respondents in this survey, and less than 20% in another panel discussion I was involved in, stated that they had implemented MFA or were on a path to doing so in the near term.
Bolstering security from a 'process' perspective
From a Process perspective, there is a plethora of control features that can be implemented, such as session supervision and recording, just-in-time (JIT) and approval-based access, denying file upload/download, and boxing a user into a single application/resource.
Being able to effectively control “who” is allowed access, to “what” resources and from “where” (using geolocation as an example), and having auditable recordings of “how” users used the resources, is critical to the success of any SRA implementation. Additionally, the ability to provide isolation/segmentation within the SRA deployment model was important to 48% of respondents.
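To make the who/what/where/when controls above concrete, here is an added example (not code from the article or from any SRA product) of a small policy engine that an SRA broker could run in front of an OT resource. It combines an MFA check, a geofence, a block on file transfer, a just-in-time grant window with a named approver, and boxing the session to the applications named in the grant, and it writes every decision, allowed or denied, to an audit trail. All users, resources, countries and timestamps are constructed sample data; the geolocation lookup that fills in `country` is assumed to exist upstream.

```python
"""Added example: who/what/where/when policy check with an audit trail for an
industrial secure remote access (SRA) broker. Constructed data; not product code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
T0 = datetime(2023, 6, 27, 9, 0, tzinfo=UTC)  # constructed reference time


@dataclass(frozen=True)
class JitGrant:
    """A just-in-time, approval-based grant: one user, one resource, one time window."""
    user: str
    resource: str
    approved_by: str
    start: datetime
    end: datetime
    allowed_apps: frozenset  # the session is boxed to these applications only


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    application: str
    country: str        # assumed to come from an upstream geolocation lookup
    mfa_verified: bool
    at: datetime


class SraPolicy:
    """Evaluates requests against MFA, geofence, file-transfer ban and JIT grants."""

    def __init__(self, grants, allowed_countries,
                 blocked_apps=frozenset({"file-upload", "file-download"})):
        self.grants = list(grants)
        self.allowed_countries = frozenset(allowed_countries)
        self.blocked_apps = frozenset(blocked_apps)
        self.audit_log = []  # auditable record of how users used, or tried to use, resources

    def decide(self, req):
        """Return (allowed, reason); every outcome is recorded, including denials."""
        if not req.mfa_verified:
            return self._record(req, False, "mfa-required")
        if req.country not in self.allowed_countries:            # "where"
            return self._record(req, False, f"geofence:{req.country}")
        if req.application in self.blocked_apps:                 # no file upload/download
            return self._record(req, False, f"app-blocked:{req.application}")
        grant = next((g for g in self.grants                     # "who", "what", "when"
                      if g.user == req.user and g.resource == req.resource
                      and g.start <= req.at < g.end), None)
        if grant is None:
            return self._record(req, False, "no-active-grant")
        if req.application not in grant.allowed_apps:            # boxed to one application
            return self._record(req, False, f"app-not-in-grant:{req.application}")
        return self._record(req, True, f"grant-approved-by:{grant.approved_by}")

    def _record(self, req, allowed, reason):
        self.audit_log.append({"at": req.at.isoformat(), "user": req.user,
                               "resource": req.resource, "application": req.application,
                               "country": req.country, "allowed": allowed, "reason": reason})
        return allowed, reason


def build_demo_policy():
    # Constructed grant: the OT supervisor approved alice a two-hour HMI-only window on plc-line3.
    grants = [JitGrant("alice", "plc-line3", "ot-supervisor",
                       T0, T0 + timedelta(hours=2), frozenset({"hmi-viewer"}))]
    return SraPolicy(grants, allowed_countries={"US", "CA"})


def run_demo():
    """Evaluate six constructed requests; returns (decisions, audit_log)."""
    policy = build_demo_policy()
    m30, h3 = T0 + timedelta(minutes=30), T0 + timedelta(hours=3)
    requests = [
        AccessRequest("alice", "plc-line3", "hmi-viewer", "US", True, m30),       # inside window
        AccessRequest("alice", "plc-line3", "hmi-viewer", "US", True, h3),        # window expired
        AccessRequest("alice", "plc-line3", "hmi-viewer", "DE", True, m30),       # outside geofence
        AccessRequest("alice", "plc-line3", "file-download", "US", True, m30),    # file transfer denied
        AccessRequest("alice", "plc-line3", "engineering-ws", "US", True, m30),   # not the boxed app
        AccessRequest("bob", "plc-line3", "hmi-viewer", "US", False, m30),        # no MFA
    ]
    return [policy.decide(r) for r in requests], policy.audit_log


if __name__ == "__main__":
    for decision, entry in zip(*run_demo()):
        print(decision, entry)
```

The check order matters: the cheapest and broadest denials (MFA, geofence, banned application) come before the grant lookup, so a denied request never reveals whether a grant exists, and the audit entry still captures who asked for what from where.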
Lastly, “Process” also must be established within organizations to ensure staff are trained on all policies, procedures and resource patching/maintaining processes enabled using Secure Remote Access.
Strengthening connections through a 'technology' perspective
From a Technology perspective, the primary requirement is using end-to-end encryption protocols and tunneling (TLS/SSL) to ensure the information exchanged between the remote user and the asset/resource remains confidential and protected. And while encryption is critical, another technology consideration is the ability to integrate with a Security Information and Event Management (SIEM) or IT Service Management (ITSM) platform, not only to improve productivity but also to handle accounts and resources left accessible after a user no longer needs access (a finding that turns up continually during audits).
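As an added example of the ITSM/SIEM integration just described (not code from the article or from any product), the script below reconciles an SRA broker's account export against an ITSM view of who is still active and which change ticket justified each account, flags accounts that should no longer be accessible, and turns the findings into JSON events a SIEM could ingest. The account list, user set, ticket IDs and their states are all constructed sample data, and the `event.*` / `user.name` field names are an assumed naming convention, not a requirement of any particular SIEM.

```python
"""Added example: find SRA accounts left accessible after access is no longer
justified, and emit SIEM-ready events. Constructed data; not product code."""
import json
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
NOW = datetime(2023, 6, 27, tzinfo=UTC)  # constructed audit time

# Constructed export from the SRA broker: who can still log in, when they last did,
# and which ITSM change ticket justified the access.
SRA_ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_login": "2023-06-25T08:12:00Z", "ticket": "CHG-1001"},
    {"user": "bob", "enabled": True, "last_login": "2023-01-10T14:00:00Z", "ticket": "CHG-0877"},
    {"user": "vendor-acme-01", "enabled": True, "last_login": "2023-06-20T10:00:00Z", "ticket": "CHG-0990"},
    {"user": "carol", "enabled": False, "last_login": "2023-03-01T09:00:00Z", "ticket": "CHG-0910"},
]
# Constructed ITSM view: people still active, and the state of each justifying ticket.
ITSM_ACTIVE_USERS = {"alice", "bob"}
ITSM_TICKETS = {"CHG-1001": "open", "CHG-0877": "open", "CHG-0990": "closed", "CHG-0910": "closed"}


def parse_ts(value):
    """Parse the broker's UTC timestamp format into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)


def find_stale_accounts(accounts, active_users, tickets, now, dormant_days=90):
    """Return enabled accounts with at least one reason they should not still be accessible."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, nothing is left accessible
        reasons = []
        if acct["user"] not in active_users:
            reasons.append("owner-not-active-in-itsm")        # offboarded person or vendor
        if tickets.get(acct["ticket"]) != "open":
            reasons.append("justifying-ticket-closed")        # access outlived its change ticket
        if now - parse_ts(acct["last_login"]) > timedelta(days=dormant_days):
            reasons.append(f"dormant>{dormant_days}d")        # unused account still enabled
        if reasons:
            findings.append({"user": acct["user"], "ticket": acct["ticket"],
                             "last_login": acct["last_login"], "reasons": reasons})
    return findings


def to_siem_events(findings, now):
    """Serialize findings as one JSON object per line; field names are an assumed convention."""
    return [json.dumps({
        "@timestamp": now.isoformat(),
        "event.kind": "alert",
        "event.category": "iam",
        "event.action": "sra-stale-account",
        "user.name": f["user"],
        "sra.ticket": f["ticket"],
        "sra.reasons": f["reasons"],
        "sra.recommended_action": "disable-and-review",
    }) for f in findings]


if __name__ == "__main__":
    for line in to_siem_events(find_stale_accounts(SRA_ACCOUNTS, ITSM_ACTIVE_USERS, ITSM_TICKETS, NOW), NOW):
        print(line)
```

Running this on a schedule, and feeding the output into the SIEM, turns the "accounts left accessible" audit finding into a routine detection rather than an annual surprise; pairing each account with the ticket that justified it is what makes the "no longer needs access" question answerable mechanically.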
In conclusion, these concepts and actions alone will not guarantee that an event or incident will never happen, but they do give you a better overall defense-in-depth posture, which 55% of respondents stated was a concern as well.