Gregory Wilcox, Global Technology and Business Development Manager, Rockwell Automation
While widely adopted in enterprise systems, remote access in industrial automation and control systems (IACS) has long remained a challenge. Obstacles to adopting industrial remote access have included security concerns, insufficient connectivity and a lack of collaboration between IT and operations personnel.
These challenges are increasingly more manageable as more organizations adopt The Connected Enterprise approach. By converging IT and operations technology (OT) networks, and by supporting the adoption of standard networking technologies, The Connected Enterprise makes industrial remote access a very real possibility.
In fact, many manufacturers and industrial producers are already using it to help improve and even reimagine their operations.
Oil and gas operators are remotely monitoring their dispersed assets instead of requiring that workers be staffed onsite or travel between sites. Manufacturers are using remote access to connect their specialists with plants around the world. This instantaneous collaboration can speed up incident response times while also reducing travel costs.
Remote access also creates opportunities for companies to use vendor support and expertise in valuable, new ways.
A leading biotechnology company, for example, underwent a multi-year rebuild of its network infrastructure to integrate its manufacturing and enterprise systems. In doing so, the company leveraged a third-party vendor to provide remote support. Without the remote support, the company would need to be sure it had not only the staff but the expertise needed to maintain its connected and complex network architecture.
Easing the Process
A number of industry resources are available to help manufacturers, industrial operators and machine builders deploy secure remote access.
One such resource is the Converged Plantwide Ethernet (CPwE) architectures, which is jointly led by Cisco and Rockwell Automation.
The CPwE architectures include a number of documents that offer best practices for designing and deploying converged network infrastructures. The documents, which include tested and validated reference architectures with design and implementation guides, cover the key technologies, principles and use cases for making the most of these network infrastructures – including how best to enable remote access.
Key Security Controls for Remote Access
Security is a top concern for any industrial organization seeking to provide remote access through the internet. Access must be restricted to only authorized personnel, and even the actions of those personnel must be in alignment with approved policies and procedures.
A defense-in-depth security approach is recommended for every connected industrial operation, and is especially important for secure remote access. Defense-in-depth security is based on the idea that any one point of protection may, and likely will, be defeated. That’s why it uses multiple security layers and controls to protect against a variety of threats.
Some of the security controls that are essential to secure remote access include the following:
- A “three-legged” firewall deployment is a key concept in making industrial remote access possible. It prevents direct traffic flow between the industrial and enterprise zones. Instead, all traffic ends at the industrial demilitarized zone (IDMZ), which acts as a buffer and permits only authorized access to data and systems between the two zones.
- An intrusion prevention system (IPS) inspects traffic coming from both the enterprise and external networks, and can block traffic that it determines to be malicious.
- Virtual local area networks (VLANs) help segment the traffic of specific devices and ports in the industrial zone. In remote-access applications, VLANs help control the traffic being transmitted to and from remote-access servers.
- Identity services with downloadable access control lists (dACLs) use a list of ‘permit and deny’ statements that are applied to users, IP addresses and protocols. They can help prevent unauthorized users and traffic types from gaining access to a network architecture.
Implementing Secure Remote Access
By following eight key steps, industrial companies can effectively implement a defense-in-depth approach that uses the recommended security controls outlined above. The eight key steps are as follows:
- Use Standard, IT-Based Remote Access: Today, IPsec-based and SSL/TLS VPN are the most widely used remote-access technology. They require the use of identity services for authentication, authorization and accounting (AAA), which is a form of remote authentication dial-in user service (RADIUS). Identity services also provide network access control (NAC) to verify and posture the remote user’s system is running a certain level of code or has certain security precautions in place.
- Limit Access: With remote access to a company’s resources established, each remote user’s access must be appropriately managed. For example, a remote partner’s access policy should be explicitly limited, while a remote employee’s access policy will be defined by their corporate identity. Strict ACLs, based on identity services, should be established for a limited set of users, IP addresses and transport-layer port numbers to manage the access levels for these remote users.
- Use Secure Web Browsers: Remote users who are interacting with plant-floor data and applications should only be doing so with web browsers that support HTTPS. This important security feature is commonly used in internet applications, and supplies additional encryption and authentication.
- Establish SSL VPN Sessions: Even with secure browser connectivity in place, secure socket layer (SSL) VPN sessions should be established to provide an additional level of protection. These sessions use encryption to provide secure transactions between the remote user and the IDMZ firewall. The remote user authenticates to verify what service is required from the remote-access server, and the firewall confirms the remote user is authenticated and authorized to use that service.
- Implement IPS: When a remote session is established, the IPS has the critical task of inspecting traffic traveling into and out of the remote-access server. The system will stop any threats it detects, thus preventing them from impacting systems in either the IDMZ or the industrial zone.
- Use Remote Terminal Sessions: Only allowing remote-terminal protocols between the remote client and the IDMZ firewall can significantly reduce the potential for viruses and attacks from remote sessions. This can be done using any number of terminal-session technologies, such as remote desktop protocol (RDP), which is used by the ThinManager® platform.
- Address Application Security: IACS applications should be implemented on a dedicated and secure remote-access server. This allows plant personnel to control application versions, limit the actions that can be performed, and limit the devices that can be accessed.
- Segment and Inspect Traffic: Segment the remote access onto a dedicated VLAN to tightly control traffic to and from it. If multiple remote-access servers are used, they should be on separate VLANs. Each of those VLANs can then access a specific set of manufacturing VLANs, thereby limiting the remote user’s view of or access into the industrial zone. Inspect traffic between the remote-access servers and the IACS applications with an industrial firewall.
These steps will help in implementing secure remote access, but they only begin to touch on the many technical considerations that need to be addressed during the design, planning and implementation stages.
More security and design consideration information is available in several CPwE white papers and design and implementation guides that are available for download.