Secure Remote Access: Combining Network & Endpoint Security

Remote access is here to stay, and while most people think of remote access as teleconferencing or SharePoint, remote access really should be compared to the technologies that allow employees to access assets and infrastructure as if they were at a physical site behind a desk.

While a great deal has already been said about operational technology (OT) cyber security and the death of the mighty “air gap” paradigm, remote access will be increasingly present.

In fact, remote access is a sparkling candidate use case for OT Systems Management (OTSM) because it typically requires a variety of systems and infrastructure to be secured and managed. Otherwise remote access adds new threat vectors or exacerbates previously identified cyber security threats and risks.

Secure Remote Access Does Not Replace Network & Endpoint Security (endpoints include VPN termination & routers)

To have remote access, there needs to be network connectivity, and connectivity means connection to the Internet or a completely private network (e.g., leased lines or self-owned cellular network).  In other words, for your remote workforce, third parties, outsourcing, and for your own needs – at least one network medium must be available that connects two points; A to B.

Traditionally, this A-to-B communication was favored and achieved through wired technology (e.g., dialup, fiber, cable, leased lines) due to stability and costs.  There are often multiple providers to choose from or to be used for redundancy should one not be available for whatever reason.

Two forms of wired networks:

• “Private” networks – No other entities except for the asset owner, or lessee should be able to use, access, or view network traffic. Conceptually, they are isolated and secured by the provider, and therefore “trusted”, but those are assumptions.
• Public networks – Anyone and everyone could potentially share the exterior network or raid your organization’s network traffic. This could also be true for anyone motivated enough to tap into your “private” network, so perhaps both should be considered nearly identical given suitable ubiquitous technologies exist.

Regardless of the version you choose, securing the network connecting the two points (also called a conduit as per ISA/IEC-62443) is mandatory in any case.

Three concepts for securing the network:

• Filtering network traffic to authorized ports, protocols, and IP addresses
• Encapsulating and encrypting inter device/network traffic
• Protecting OT endpoints through hardening, patching, isolation, and compensating controls

Filtering network traffic should be old hat these days, and the same with securing traffic between networks, but this is only the starting point in securing an organization.  Simultaneously, remote access enforces the necessity for networks and assets (remote, third-party, employee-owned, or onsite) to be secured, otherwise it all falls apart, especially when most cyber threats originate from a poorly secured endpoint.  After all, what good are walls around a castle and a tunnel to a remote outpost if you are compromised from a system within?

Securing Networks Goes Hand-in-Hand with Endpoint Protection

Historically, the ISA95/99 and Purdue models organized OT assets and functions into multiple layers for an organization’s network architecture. It is a logical model and assumes security is required at the perimeter, but typically it is not reflective of real-world implementations or security as a whole (e.g., the system can be attacked from within using a USB stick).

The reality is that network security requires systems management, systems management requires network and endpoint security and management regardless of the ISA95 layers or even a capability comparison.  It is an intrinsic relationship dependent on one another and any number of capabilities or compensating controls can be enacted today with relative ease through the Verve Security Center, assuming appropriate network architecture is in place.

To illustrate my point, below is a diagram of a wind farm example with various network devices, zones, endpoints, and even remote users.  Can you imagine trying to secure remote access if you do not secure your infrastructure, the systems connecting to it, and the assets inside of the perimeter? I certainly do not, and this example is representative of many OT sites where once access inside is obtained, I could jump from one insecure endpoint to another!

Figure 1: Reference OT site as a fictional, but representative example where VPN connectivity can bypass all controls and easily move to Level 1/0

Of course, to prevent hopping from one system to another, you would initially limit ingress and egress between networks and systems. This is achieved by applying access control lists (ACLs) by way of limiting access between zones and conduits using firewalls.

However, the real second step to ensure plant operations are secure is knowing this requires more than monitoring remote access and blocking network traffic. This is achieved with robust endpoint management of all applicable devices at the edge of the perimeter and within.

In other words, do secure networks require endpoint management? Absolutely, because remote access is enabled by infrastructure, it affects/reduces your perimeter security, and relies on securing all endpoints. This includes patching, secure configuration, user/role management, software, and other controls for all manner of devices – routers, switches, PLCs, servers, workstations etc.

Remote Access Extends Vulnerability Management and Requires Asset Control

Alright, I can hear you impatiently thinking enough with the talk about infrastructure, let us get on with endpoints.  Fine, but let us take a moment to emphasize a recent and very important trend to consider:

• Threat actors are focusing on attacking infrastructure that enables network connectivity and/or provides remote access.

This trend, specifically referring to attacker campaigns targeting routers or remote access infrastructure, is important in several different ways and extends my previous statement: Whatever the nature of the endpoint, they are likely to be targeted first as a launchpad for subsequent attacks.

While some may have turned a “blind eye” on these hosts in the past due to inaccessibility (e.g., air gapped, or islanded hosts), these endpoints are accessible and at risk today.

Therefore, remote access is an extension of the use case where assets utilize network connectivity for function, and increases endpoint-related security risks; the only difference is the from what/where a connection is originating from and how remote access weakens your perimeter further.

The same rigor historically applied to IT endpoints will also need to be applied to OT environments, even if remote connections are managed effectively. You can’t secure a handful of systems and skip others that are just as vulnerable.

To secure OT endpoints (remote, local, perimeter, VPN infrastructure, mobile, transient, and even within), this requires the following at a minimum:

• Prioritize perimeter network infrastructure and VPN technology for patch, vulnerability and configuration management.  This item does not get enough attention and organization’s should invest heavily in securing these investments while minimizing time to fix to nearly zero hours if possible.  They are high risk, high impact, and face frequent vulnerability disclosures.
• Have technological diversity if possible at the perimeter levels.  If one level gets breached by one set of vulnerabilities or credentials, ensure a second layer is present to increase your likelihood of an effective detection and response.  Aka, perimeter firewall of X brand, DMZ, and another firewall of Y brand before the PCN network.
• Securing remote assets/endpoints themselves (e.g., ensure prerequisites like antivirus definitions are updated before connecting)
• Limiting activities that can be performed over a remote connection through policy controls (e.g., limit file transfers or copy/paste)
• Performing OT systems management (OTSM) of all endpoints and infrastructure (e.g., patch/configuration management of routers, appliances, servers, applicable devices, and applications)
• Limiting access to endpoints/assets from available from termination (remote) points within the perimeter (e.g., limiting access to control room stations, when all they needed was to see an isolated dashboard)
• Monitoring and alerting for exceptions or anomalous events (e.g., set off an alert that X user is connecting and doing file transfers at 1 a.m. on a Sunday)

If you have made it this far, we probably both agree that remote access has a place in OT organizations, and can enable powerful capabilities. Unfortunately, remote access has a very high probability of compromise, but securing endpoints (remote and from within your perimeter) enables real risk reduction. Plus, Verve can help because a remote asset is merely another asset to be inventoried, and managed, therefore increasing the value of any security investments significantly.

Lastly, you may realize that I have excluded wireless connectivity and BYOD for now because most (and usually authorized) remote connectivity to a site occurs through perimeter infrastructure. I will touch more on this in a later article, but if you have remote access to a site by way of a cellular modem attached to a router, similar thought processes should be applied.