Strategies for Evaluating Secure Remote Access Solutions for OT/ICS Networks
Over the past decade, the number of employees in the U.S. working from home half-time or more has risen to an estimated five million, according to Global Workplace Analytics. However, those numbers now pale in comparison to today’s reality of businesses everywhere encouraging as many workers as possible to work from home.
As the size of the remote workforce surges, network administrators of operational technology (OT) networks find themselves on the front lines of enablement. They need to provide online connectivity to users who typically access industrial control systems physically, while remaining confident that security isn’t compromised. The task is significant, as every company in the world relies on these networks. For nearly half of the Fortune 2000 – in industries including oil and gas, energy, utilities, manufacturing, pharmaceuticals, and food and beverage – these networks are critical components of their business. The rest rely on OT networks to run their office infrastructure: lights, elevators, and datacenter infrastructure.
Who are the users who need remote access to OT environments and why? They generally fall into the following categories:
• Equipment manufacturers – In most cases, at the time of purchase, the industrial control systems that comprise these networks include a contract for remote maintenance by the manufacturers themselves. Network administrators are accustomed to supporting these users to service existing machinery, including providing updates, error fixing and performance readings, so this is not a new requirement.
• Remote workers – However, the challenge escalates when you look at this group of users. In today’s business climate this could mean providing any employee who previously worked onsite but is now working outside the facility with online access so they can continue to do their jobs, for example making changes to production lines and manufacturing processes.
• Third-party contractors – Finally, many businesses outsource services to companies that specialize in specific operational areas, such as production optimization. Contractors who previously provided these services physically now need remote access to relevant equipment to support their contract and keep production lines running smoothly. These services can become even more mission critical during times of disruption, depending on the industry and the products and services provided.
Allowing for various types of users, systems, access levels, and functions is a complex connectivity challenge. Yet, standard access paths provided by the IT department often don’t match the specific use cases we see in the OT environment.
In times like these, where every organization is reducing staff on site, the need for secure remote access is increased. Whether your company is assessing your existing capability to provide secure connectivity to your OT environment and assets, or considering new solutions, these three questions can help guide your evaluation:
1. Do you have granular privileged access control? A maintenance person from a manufacturer of a control system for example, likely only needs to access a specific controller for a specific task for a limited time. To mitigate risk, you need to be able to extend access for that specific user only to necessary assets for a set time window with a few simple clicks.
2. Can you proactively monitor, prevent, and audit access? You need visibility and control over third-party and employee access before, during, and after a remote session takes place. This includes the ability to observe activity in real time and terminate the session if needed, as well as view recordings in retrospect for auditing and forensic purposes.
3. Are workflows and processes secure? Instead of relying on third parties for password hygiene, many of whom share passwords among multiple individuals, you need the ability to centrally manage user credentials with a password vault and validate each user with multi-factor authentication. Additionally, many times the nature of the work involves installing a new file. To ensure file integrity you also need to provide secure file transfer.
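The three questions above describe properties of a remote access solution rather than an implementation, so here is an added example (not from the article or any vendor's product) that models them in a few dozen lines: default-deny grants scoped to one user, one asset, a set of actions and a time window (question 1); a session with an append-only audit trail that an operator can terminate, after which further attempts are refused but still logged (question 2); an MFA requirement on every authorization decision and a SHA-256 integrity check on a transferred file (question 3). The users, assets, times and firmware bytes are constructed placeholders.

```python
"""Added example: a minimal model of granular, time-boxed OT remote access
with session auditing and file-integrity checking. Users, assets and times
are constructed placeholders, not values from the article."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib
import hmac


@dataclass(frozen=True)
class Grant:
    """One time-boxed permission for one user on one asset (question 1)."""
    user: str
    asset: str              # a specific controller, never "the whole plant"
    actions: frozenset      # what the user may do on that asset
    not_before: datetime
    not_after: datetime


class AccessPolicy:
    """Default-deny: an action is allowed only by a matching, unexpired grant,
    and only when MFA has been verified for the requesting user (question 3)."""

    def __init__(self):
        self.grants = []

    def add_grant(self, grant):
        self.grants.append(grant)

    def is_allowed(self, user, asset, action, now, mfa_verified):
        if not mfa_verified:
            return False
        return any(
            g.user == user and g.asset == asset and action in g.actions
            and g.not_before <= now <= g.not_after
            for g in self.grants
        )


@dataclass
class Session:
    """A remote session with an append-only audit trail that an operator can
    watch in real time and terminate (question 2)."""
    user: str
    asset: str
    audit: list = field(default_factory=list)
    terminated: bool = False

    def record(self, now, event, outcome):
        self.audit.append((now.isoformat(), self.user, self.asset, event, outcome))

    def terminate(self, now, operator):
        self.terminated = True
        self.record(now, f"terminated by {operator}", "INFO")


def run_action(policy, session, action, now, mfa_verified=True):
    """Evaluate one requested action; every attempt is logged, allowed or not."""
    if session.terminated:
        session.record(now, action, "DENY:session-terminated")
        return False
    allowed = policy.is_allowed(session.user, session.asset, action, now, mfa_verified)
    session.record(now, action, "ALLOW" if allowed else "DENY")
    return allowed


def verify_transfer(expected_sha256, received):
    """Accept a transferred file only if its SHA-256 digest matches the value
    agreed out of band; constant-time compare avoids leaking digest prefixes."""
    actual = hashlib.sha256(received).hexdigest()
    return hmac.compare_digest(actual, expected_sha256)


def demo():
    """Walk through the checks with constructed users, assets and times."""
    policy = AccessPolicy()
    t0 = datetime(2020, 4, 1, 9, 0, tzinfo=timezone.utc)   # constructed start time
    # Vendor technician may touch PLC-07 only, for two hours, for two actions.
    policy.add_grant(Grant("vendor_tech", "PLC-07",
                           frozenset({"read_status", "update_firmware"}),
                           t0, t0 + timedelta(hours=2)))
    session = Session("vendor_tech", "PLC-07")
    results = {
        "in_scope_in_window": run_action(policy, session, "update_firmware", t0 + timedelta(minutes=30)),
        "expired": run_action(policy, session, "read_status", t0 + timedelta(hours=3)),
        "no_mfa": run_action(policy, session, "read_status", t0 + timedelta(minutes=40), mfa_verified=False),
    }
    # Same user, different controller: the grant does not carry over.
    other = Session("vendor_tech", "PLC-12")
    results["wrong_asset"] = run_action(policy, other, "read_status", t0 + timedelta(minutes=45))
    # Operator watching the session ends it; later attempts are refused and logged.
    session.terminate(t0 + timedelta(minutes=50), operator="ot_admin")
    results["after_terminate"] = run_action(policy, session, "read_status", t0 + timedelta(minutes=55))
    # Integrity check on the file the technician wants to install (constructed bytes).
    firmware = b"constructed firmware image v1.2"
    expected = hashlib.sha256(firmware).hexdigest()
    results["file_ok"] = verify_transfer(expected, firmware)
    results["file_tampered"] = verify_transfer(expected, firmware + b"x")
    results["audit"] = session.audit + other.audit
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the model is that every decision is default-deny and every attempt, including denied ones and the operator's termination, lands in the audit trail, which is what makes the retrospective review in question 2 possible. A real solution would persist the audit records outside the session host and tie the MFA flag to an actual verifier rather than a boolean argument.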
Remote access can increase your level of exposure and jeopardize maintenance and production. Thankfully by ensuring you have granularity of control, the ability to audit access, and additional levels of security, such as password vaulting and secure file transfer, you can mitigate that risk. And, importantly, give those on the front lines – network administrators of OT networks – confidence in their ability to address the surge in requests for greater connectivity to these critical environments, without compromising security.