Industrial remote access – 3 zones requiring network security

Now we have a good understanding of what Secure Remote Access (SRA) is and why organizations may choose to enable it for their OT environments. We also know that securing IT-OT collaboration, leveraging guidance from best practice frameworks, and using an automated solution can help organizations implement this type of access. Even so, we still lack a detailed view of how to implement industrial remote access in practice.

SRA throughout the industrial environment

It is not possible for organizations to provide secure remote access across their industrial environments in a single step. Effective industrial remote access requires organizations to build security measures into three areas of their OT environments: the machine area, the enterprise area, and the outdoor area. We’ll use ProSoft to explore each of these below.

Machine area

The machine area is the section of an organization’s industrial environment that consists of the machine control equipment, the network connecting those pieces of machinery, and remote access modules (if deployed). Many large organizations have several machine zones, one for each part of their industrial process. Taken together, these zones form the plant zone.

It may be tempting to simply place a PC with a remote desktop connection in the machine area and let remote users connect to it. But this creates three problems. First, a PC has full networking capabilities (routing, multiple interfaces, arbitrary outbound connections). If a malicious actor compromises it, they can use it to bypass the organization’s DMZ, reach parts of the network that would otherwise be off limits, and launch further attacks from there.

Second, the PC runs a complete operating system whose components will keep accumulating vulnerabilities over time. The problem is that the machine builder or system integrator is often the one who delivers that device, so it may fall outside the IT department’s patch management process. Left unpatched, those vulnerabilities give attackers a way into the network.

Third, a standard PC does not come with the software needed to manage industrial control equipment. Organizations must therefore purchase licenses for that software, which adds yet more programs for security personnel to monitor and patch.

A dedicated remote access gateway does not share these shortcomings. It connects directly to the local machine network on one side and to the wide area cellular network on the other, so it does not provide a path into the more sensitive parts of the organization’s industrial environment. The gateway also offers far less functionality than a general-purpose PC, so a malicious actor cannot readily use it as a platform for launching further attacks. Finally, depending on the vendor, these products may be subject to continuous penetration testing and regular vulnerability scanning that help eliminate security flaws before they are exploited.

Enterprise area

The enterprise area tends to be more complicated than the machine area. It contains the organization’s personal computers, email systems, customer databases, and other IT assets, and as such it usually already hosts security solutions that defend those assets against malicious access.

Organizations could in theory use a corporate VPN or a dedicated vendor portal to give remote users access to these resources. But such a VPN typically gives a remote user far more access than the task requires, which puts the organization’s data at risk if an attacker compromises the remote user’s account. In addition, engineers would need to create a new connection between the enterprise zone and the machine zone, and in doing so could inadvertently expose some of the company’s assets to attack.

Unlike a VPN, a remote access gateway grants the remote user access to the machine network only and gives them no visibility into the enterprise area. It encrypts the connection between the machine and the Internet, and it keeps the machine network separated from the enterprise network.
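To make the difference between the two approaches concrete, here is an added example (not ProSoft’s or Tripwire’s code, and not from the original article) that models the access policy each approach enforces between the three zones. The subnets, hosts, and flows are constructed for illustration. The "broad VPN" policy reflects the situation described above: the remote user lands with wide reach, and engineers add a connection from the enterprise zone into the machine zone. The "gateway" policy reflects what a dedicated remote access gateway should enforce: remote users reach only the machine network, only on a short allowlist of engineering protocol ports, and there is no rule between the enterprise and machine zones at all.

```python
"""Added example: a minimal zone-to-zone access policy evaluator.

Compares the flows a remote session may open under a broad corporate VPN
with the flows a dedicated remote access gateway should permit.
All addressing below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed zones: machine network, enterprise network, and the address
# pool handed to remote users when a session is established.
MACHINE = ip_network("10.10.0.0/24")
ENTERPRISE = ip_network("10.20.0.0/16")
REMOTE_POOL = ip_network("100.64.0.0/24")
ANY = ip_network("0.0.0.0/0")

# Well-known industrial protocol ports a remote engineer typically needs:
# S7comm (102), Modbus/TCP (502), EtherNet/IP (44818).
ENGINEERING_PORTS = frozenset({102, 502, 44818})


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    ports: frozenset  # empty set means any destination port
    allow: bool


def zone_of(addr: IPv4Address) -> str:
    """Map an address to its zone; anything else is the outdoor area."""
    if addr in MACHINE:
        return "machine"
    if addr in ENTERPRISE:
        return "enterprise"
    return "outside"


def evaluate(policy, src: str, dst: str, port: int) -> bool:
    """First-match rule evaluation with an implicit default deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in policy:
        if s in rule.src and d in rule.dst and (not rule.ports or port in rule.ports):
            return rule.allow
    return False


# Corporate VPN as described in the text: the remote user gets broad reach,
# and engineers add a route from the enterprise zone into the machine zone.
BROAD_VPN = [
    Rule(REMOTE_POOL, ANY, frozenset(), True),
    Rule(ENTERPRISE, MACHINE, frozenset(), True),
]

# Dedicated gateway: remote users reach only the machine network, only on
# engineering ports. No enterprise<->machine rule exists, so nothing can be
# forwarded between those zones through the gateway.
GATEWAY = [
    Rule(REMOTE_POOL, MACHINE, ENGINEERING_PORTS, True),
]


def audit(policy, flows):
    """Return the flows the policy permits, labelled by source/destination zone."""
    permitted = []
    for src, dst, port in flows:
        if evaluate(policy, src, dst, port):
            permitted.append((zone_of(ip_address(src)), zone_of(ip_address(dst)), port))
    return permitted


# Constructed flows: engineer -> PLC, engineer -> enterprise database,
# engineer -> RDP on a machine-zone PC, compromised enterprise PC -> PLC.
SAMPLE_FLOWS = [
    ("100.64.0.7", "10.10.0.20", 502),    # Modbus/TCP to a PLC
    ("100.64.0.7", "10.20.5.15", 1433),   # SQL to a customer database
    ("100.64.0.7", "10.10.0.50", 3389),   # RDP to a PC in the machine zone
    ("10.20.5.99", "10.10.0.20", 502),    # pivot from the enterprise zone
]

if __name__ == "__main__":
    for name, policy in (("broad VPN", BROAD_VPN), ("gateway", GATEWAY)):
        print(f"{name}: {audit(policy, SAMPLE_FLOWS)}")
```

Under the broad VPN policy all four constructed flows are permitted, including the pivot from a compromised enterprise host into a PLC. Under the gateway policy only the Modbus/TCP flow from the remote user to the PLC survives: the database, RDP and pivot flows all fall through to the default deny.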

Outdoor area

Finally, organizations must take the necessary measures to protect the outdoor area. This segment of the industrial environment includes the remote user’s computer, the cloud connectivity service, and the other communication infrastructure in between; in other words, the key elements that exist outside the enterprise area.

Some remote access solutions only work if remote users install the corresponding client software on their PC. This scenario presents its own security risks: malicious actors may try to trick the remote user into installing a bogus or trojanized version of the client, and in the meantime the IT department cannot be sure that the remote user keeps the software up to date.

Engineers could also provide remote access by installing free VPN tools on a server with a static public IP address rather than using a solution with 2FA. This creates more work for them: they must be extremely careful with their configuration in order to mitigate the many attack vectors that malicious actors could use to abuse VPN software, and they must constantly check for vulnerability and security updates.

All of this is far more work than a remote access gateway would require. Many such solutions do not require user-installed software, and they typically run as containers that include only the microservice components the application needs. In that kind of deployment, a security flaw in one operating system component is less likely to compromise the service more broadly.

Implementing Secure Remote Access in Your Organization

As noted above, remote access gateways offer clear benefits to organizations looking to implement SRA in their industrial environments. Organizations just need to make sure they are working with a reliable and experienced solution provider if they decide to go this route.

Tripwire understands this fact. That’s why it decided to partner with ProSoft to resell ProSoft Secure Remote Access (SRA) solutions. These solutions communicate directly with the automation devices. In doing so, they allow customers to configure two types of remote access connection, on-demand secure remote access (SRA) for a specific purpose and an always-on persistent data network (PDN), while respecting fundamental security controls.

Kevin M. Risinger