As employees increasingly work from home, on the road, or from a plane, the days of air-gapped networks and on-site workers are long gone. Yesterday was the day of optimization, partially distributed work forces, road warriors, overhead cost reduction, and increasingly connected systems. Today, we face an unprecedented situation where businesses fight to remain viable, effective, and operational amidst the chaos.
Remote access and remote work are here to stay
Overall adoption of WFH (work from home) policies will increase out of necessity, but it is not applicable to all types of work. It will, however, exacerbate previously known issues and risks, especially for cyber security. Remote work was already commonplace for some, but for operational technology (OT) environments, the biggest adjustment will be to secure it properly throughout its lifecycle.
The emergence of “always-on” technology and digital transformation in manufacturing brought convenience and accessibility to remote locations, where operators no longer have to configure devices in person.
With increased automation and less reliance on manual resources and assets, particularly where increased profitability is desired, remote access makes sense for many organizations as a way to retain employees, reduce cost and ease system accessibility. While the global pandemic forced our hand to work remotely, these drivers may have eventually pushed us in this direction anyway (just like IT/OT convergence).
Remotely manage OT systems
Regardless of whether your organization will continue to offer remote work or trickle back to staffing a physical office, two questions about remotely managing OT systems remain:
- If remote work is possible (e.g., physical interactions are not required), how do I as an organization deploy this functionality? Do I ensure security from the beginning when creating remote activity capabilities?
- If I deploy this functionality, how do I decrease risk exposure to be adequately protected (which is absolutely required for OT and ICS systems)?
The first question acknowledges that some OT systems management positions require an immediate, physical presence. It excludes the specific technologies (e.g., modems, LTE gateways, VPNs etc.) themselves, but reinforces organizational requirements:
- Determine compliance requirements and efforts under applicable legislation
- Define governance and policy updates for acceptable use and remote access
- Define and deploy user access and device control, especially where integrations into current infrastructure are expected
- Select and deploy remote access/VPN technology
- Define and develop tech support and documentation for usage
Security as an element of OT cyber security programs
Security is ignored for the moment because it is assumed the organization already decided that remote access is a business enabler and therefore, it will look to add this capability to its portfolio.
Security should absolutely be factored in as a required element of any cyber security solution, system, or component, and would likely have requirements that state (not exhaustively):
- All systems under the control of the organization must abide by corporate policies
- All systems shall be inventoried and controlled as part of the organization's asset management and vulnerability management programs
- Entry points, endpoints, remote devices, laptops, mobile devices, and any mechanism to communicate from them to the corporate network must be properly secured
- All network communications will be monitored for anomalies, malicious activities, insider threats, and accidental misuse
- End users must ensure each OT system intended to be used for remote access is up-to-date, secure, used only for specific work duties, and used in a location consistent with organizational expectations (e.g., no confidential calls in a coffee shop)
- Activities over remote access will be recorded and functionality such as copy/paste disabled
- All users must be controlled, monitored, and given access rights that authorize them to access only the designated/allowed resources as per assigned roles
- Endpoints shall be adequately secured as per industry recommendations
- All users shall be trained, cyber security aware, and report all potential cyber events (confirmed or otherwise)
- Security teams shall be trained and have appropriate policies, procedures, and technology in place to secure remote access should an event occur
Tons of requirements can be devised from the NIST guidelines (user BYOD, enterprise BYOD/remote access), but for the second question, an organization must include the right stakeholders to properly ascertain the threats and risks posed by remote access. That's not to say that data theft and ransomware for the purpose of extortion isn't important, but in OT environments, remote access should be designed and implemented so that a compromise of it does not negatively affect Safety, Reliability and Productivity (SRP).
For example:
Imagine having a site where you recently performed a number of security enhancement projects to raise the target security level (SL-T) to a medium level so attackers would have to expend a solid amount of effort to fully compromise your network. This includes controls on OT systems, policies and procedures updates, infrastructure changes, and enforcement of controls on network zones and conduits.
And along comes the organization stating they want to allow users to remote desktop into any system required for their job using their personal device (if allowed by way of legislation).
Decrease risk exposure in OT environments
That example carries a lot of potential risks, some of which can expose other risks for exploitation. To answer the second question above, here is a guideline for examining those risks, at a minimum:
- Gather and enlist stakeholders responsible for risk, security, and operations
- Determine if extra compliance and legislative activities are required
- Define a list of general activities by role, site and business unit
- Determine if those activities can be performed remotely, and what would happen if connectivity were lost or denied
- Determine organizational risk appetite and cybersecurity thresholds
- Assess the risks that could arise from implementing remote access technologies with operations and security experts – ideally from within your organization so there is knowledge of the systems, applications and functions for remote access to an OT site
- Determine what a secure architecture would look like, select the technologies, and design a solution that reflects organizational needs and risk appetite
- Test and deploy the solution iteratively while simultaneously developing controls for managing an incident or event that involves remote access and/or related infrastructure
- Validate and ensure security targets/requirements are achieved
- Roll out initial validated instances slowly through championing, and onboarding of assets/users
- Ensure systems accessed and/or used by remote access have appropriate security controls installed, active and are hardened appropriately
- Ensure access controls limit access to the appropriate network zones, conduits, data, and applications
- Ensure user access and credentials are sufficiently secure (e.g., certificates, tokens, etc.)
- Ensure every system and user is secured, inventoried, and covered by asset management and vulnerability management programs
- All assets have appropriate end-to-end monitoring (use case development, collection of logs, rules to alert, alert functionality, response orchestration, and actual activities post initial event triage)
- Event response mechanisms, policies and teams are ready for action (testing of processes, systems, and controls)
- Recovery mechanisms are concrete, tested, and continually reviewed
- Auditing and third-party risk are scheduled for periodic review (and/or by trigger)
- Ensure Disaster Recovery Procedures (DRP) are appropriately updated
- Employees are continually trained and informed
- Ensure process control safety and reliability cannot be negatively impacted by any of the above in ANY step nor add unreasonable burden to resources.
These remote access points are similar to previous discussions around third-party or OT cyber risk. Often third parties, contractors, and outsourced organizations (especially integrators or vendors in OT) use some sort of remote access. The trick to doing it effectively and securely is to ensure any barriers to use are not so obstructive that authorized users resort to creative and non-compliant workarounds. Examples would be installing TeamViewer because of a dislike of Citrix, or adding an LTE gateway to completely bypass controls for their own access.
Everyone still needs to be accountable, secure, controlled, and monitored, but remote access is here to stay. It represents a large vector to be exploited in your organization while increasing your risk surface/exposure.
I recognize most companies are in the business of making money, but whether or not remote access is deployed, a similar set of activities should be periodically (even continuously) occurring as part of necessary asset ownership. If you have a reasonable level of trust that an OT system or user is safe, hold them to it, but continue to prevent them from causing unintentional harm.
A vehicle should not be owned or driven if it is not sufficiently maintained for the road. The same principle applies to cyber hygiene: if goals, objectives and expectations are kept realistic, security can effectively reduce risks.
Consider how you can secure OT systems and prevent cyber risk resulting from increased remote access.