Remote access to machines brings clear advantages for manufacturing. According to ARC, 63% of the maintenance work on a machine is either for a routine check, or they discover that there is simply no problem. Furthermore, 30% or more of these repairs can be made remotely by modifying parameters over the Internet or with minor assistance by an onsite person. Considering that unplanned downtime can cost up to 500,000€ per hour, remote access brings huge savings to OEMs and asset owners.
There are important differences between how Industrial Control Systems (ICS) work compared to Information Technology (IT) systems.
ICS have been designed to be efficient for high speed data transmission and for deterministic processes, but not for security. Availability is of utmost importance when it comes to ICS. Contrast that to IT systems, which prioritize security and confidentiality above all else, with less of a focus on determinism. Furthermore, while a Risk Analysis for IT would consider the impact on possible data loss or business operations failure, Industrial Control Systems consider first the risk of life, equipment, or product loss.
Below are our recommendations that end-users and asset owners should enforce when selecting and implementing a robust, scalable industrial remote access solution.
Every user must have a unique identification and authentication. In case the access of a user needs to be revoked (for instance, because of leaving the company), it should be possible to do it directly on the account.
Default passwords are well-known by the industrial automation community, they can be easily found in internet or any instructions manual. Don’t forget to change the password of the device/application when configuring it for the first time.
Multi-factor authentication should be considered among the best practices in remote access to industrial machines as it provides an added layer of security.
A centralized management of the rights to access the machines at server level offers an additional security-layer to the user permission management. Every user must belong to a group who has assigned roles (permissions) to access every of the routers or groups of them.
The system shall provide the capability to support the management of all accounts by authorized users, including adding, activating, modifying, disabling and removing accounts.
The system must be capable of logging events on access control, errors, operating system, control system, backup and restore, configuration changes, potential reconnaissance activity and audit log. Individual audit records should include the timestamp, source, category, type, event ID and event result.
Vendors will usually require remote access for two reasons: emergency operational support and system maintenance. System maintenance can normally be scheduled and protocols for remote access connections can be established and monitored.
Therefore, to provide additional security and control, the VPN and/or internet access should be enabled/disabled via a mechanical signal, such as a key switch. This allows the asset owner to disable vendor remote connectivity until it’s required. Once the tasks is completed, the asset owner can disable the vendor remote connectivity once again.
Remote support personnel connecting over the Internet should use an encrypted protocol, such as running a VPN connection client, application server, or secure HTTP access, and authenticate using a strong mechanism, such as a token based multi-factor authentication scheme.
Machine vendor should only reach the machines under his responsibility for support and maintenance in the plant. So, the system must be configurable to segregate the machine network segment or zone from the rest of the network.
Using any equipment that is a part of the machine control (such as a PC, HMI or a PLC) as a VPN host might reduce its resources and thus its performance for its main task, which is the control itself. In order to ensure the availability of the control system, it has also to provide the capability to operate in a degraded mode during a DoS event. Therefore, an external router will act as a boundary protection device to filter certain types of packets to protect control systems from being directly affected by DoS events, thus avoiding any external attack to affect directly the control system and stopping the machine.
No inbound firewall ports should be opened or exposed to the Internet and no static Internet IP addresses should be required.
The industrial router should initiate an outbound secure VPN tunnel point-to-point connection with a specific account in the cloud. This tunnel is authenticated and encrypted with HTTPs, and goes over the corporate network and through the firewall (outbound only).
In accordance to the device’s manufacturer recommendations. Moreover, you can be notified by the ICS-CERT (Industrial Control Systems Cyber Emergency) about vulnerabilities found in industrial automation equipment and receive recommendations of required patching as well.
The systems included in a remote access solution (router and cloud services) are not always critical and are most of the time are disconnected. Therefore, it is not necessary to follow specific policies for the upgrade of the system other than those recommended by the manufacturer. The asset owner should standardize and maintain how and when to receive the latest security patch.
Whenever remote access support is needed for emergency operational support, remote service becomes critical for the availability of the machine. Thus, the service provider of the access must guarantee a high availability service of the cloud service with an SLA (Service Level Agreement) and this SLA must be reinforced by several actions and control objectives.
These are just some of our recommendations for all companies looking to standardize on a remote connectivity solution.
Want to learn more about industrial remote access? Download our free whitepaper now!