Jeff Zindel, Vice President and General Manager, Honeywell Connected Enterprise, Cybersecurity
A March 2020 Forrester report notes that provisioning employees with remote access technologies is a key continuity strategy at 88 percent of organizations surveyed, while Gartner recommends that organizations “accelerate the development of a technology infrastructure that can support alternative types of working.” In the same timeframe, the US government’s Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory to critical infrastructure companies to prepare for remote work scenarios in light of the Covid-19 health pandemic.
While some office personnel have the ability to work remotely, manufacturing and industrial operations must keep the lights on. This includes a reliance on highly specialized technicians to monitor, diagnose and regularly operate capital-intensive assets, whether turbines, pulp machinery or gas and water pumps. Such privileged access is critical to keep operations running and requires a specialized approach.
Fortunately, industrial software innovations have increased in pace and scale. More options exist today for how and where an industrial enterprise runs and services its operations remotely, together with updated security controls. By designing and implementing robust digital operations, with the proper safeguards in place, industrial enterprises can manage through unplanned downtime and even increase efficiencies and performance.
Specific to the needs of industrial operators, advanced secure remote access technologies go beyond the scope of traditional IT VPN requirements to enable a safer and more controlled approach to running and maintaining processes from a distance. Although it is part of disaster planning and recovery and of increasing resilience, industrial-grade secure remote access also represents a strategic investment that can help grow a company’s operational excellence and capabilities.
IT AND OT REMOTE ACCESS REQUIREMENTS ARE NOT THE SAME
A critical starting point in approaching remote operations is to recognize the major considerations unique to industrial environments that rely on operational technologies (OT). A common mistake at the business level is to assume that assets are not differentiated, yet an IT business PC is a far cry from an engineering workstation PC, let alone a station that is tied to multiple critical operational processes. These stations may control processes that impact furnace temperatures, flow settings, and other physical attributes. Any disregard for verified OS patches, critical infrastructure hardening per Center for Internet Security standards, or other customized configurations and systems can result in the loss of human life, irreversible environmental impact and other serious physical dangers.
This is easier said than done, especially in times of crisis when top-down decisions can be made under pressure and amidst false or changing information. Before deploying any remote access solutions, it is essential to ensure careful review by operational leaders and specialists, including any OT technical provider partners.
In this OT context, remote connectivity may be best described as secure machine-to-person communication and access, rather than person-to-person. IT solutions are not typically the safest option in machine-to-person remote access situations, because they focus more on protecting data alone than on ensuring industrial process integrity. The technical requirements list to determine safe remote access for industrial operations may include specific items to protect uptime and process integrity, such as:
- Understanding of industrial-specific protocols, some of which may be greater than 20 years old or unique to a set of assets which are critical to operations.
- A vendor-agnostic solution to ensure mixed vintage and mixed provider assets can be managed.
- Governance controls for flexibility based on the site specifics, such as allowing the local plant manager to authorize or deny remote access requests or establish thresholds for the time duration of each remote access session.
- Ability to connect to a remote asset without requiring the endpoint asset to install any agents or local software. Such unverified agents can represent risk of disruption, not limited to freezing the asset, causing a reboot, or otherwise interfering with a process driven by that asset.
- Ability to terminate, record and playback remote sessions, including any actions taken by the operator to troubleshoot or maintain the system.
Exploitation of Connectivity
Cybersecurity is an ongoing concern that affects remote operations as malicious actors leverage unmanaged or poorly monitored connection points. Secure remote access solutions that centralize and control activities at a granular level can help mitigate the risk of this exploitation. Closely controlling and monitoring connections, together with logs and recorded sessions, can help with cybersecurity threat mitigation as well as compliance. Particularly in times of crisis, hackers prey on panic and human emotions. They deploy social engineering efforts and other scams that trick employees into allowing access or otherwise breaking security policies.
Policies established and enforced through a secure remote access solution can raise alerts and automate actions to rapidly act on discovered threats or attempts at exploitation. Establishing secure remote access can also positively influence network segmentation, and related privileged access rights assigned to specific personnel. Together with solutions such as threat monitoring, these safeguards can increase the OT network’s resilience both short term and long term.
Centralized Operations
A common use case for industrial-grade secure remote access includes situations where operations have already been centralized across multiple sites, to improve cost efficiencies or offset the challenges of staffing offshore or isolated physical locations. In these cases, centralized solutions can help standardize how secure remote connections are managed across assets at any number of locations. Considering there could be dozens of technicians from multiple vendors maintaining a globally distributed OT environment on any given day, a centralized view into all connectivity helps tighten control and reduce inefficiencies.
All requests are funneled through the same secure tunnel, including verification of the technician, session authorization by the local plant owner/operator, and logging of the recorded session for oversight and staff training purposes. Rather than allowing the risky conditions of disparate and ad hoc verification of important plant connectivity, operational leaders can unify and simplify oversight of remote connections. In the case of a pulp and paper company, as one example, more than 80 non-standard solutions were consolidated down to a single remote access solution for over 140 sites.
To learn more about Secure Remote Access, please contact the Honeywell Cybersecurity Team by visiting www.becybersecure.com.

