External access in ICS: A double-edged sword?

Posted date 17/08/2023
Author
INCIBE (INCIBE)

In the industrial world, access to devices has always been a complex task, as they are usually located in places that are difficult to reach or in extreme conditions that could harm workers' health.

However, in recent years significant progress has been made in reaching these devices remotely: where previously they could only be accessed by connecting a cable directly to the device, today they can be reached from any geographical location.

This type of access is a great convenience for workers, as it allows them to connect from offices or from even more distant locations.

Advantages and disadvantages of external access

Being able to access devices externally has brought a number of advantages, for example:

  • Possibility of working from the office or another suitable workplace.
  • Savings in travel and management costs.
  • Increased worker safety, since fewer visits to hazardous locations are needed.
  • Reduced supplier response time to failures in their equipment deployed in the plant.
  • Machine software upgrades and updates performed remotely.

One of the clearest examples is an external company performing an audit or maintenance at a client site. Previously its staff had to travel to the exact location; with remote access the work can often be done from the external company's own premises, as the advantages listed above illustrate.

As we have seen, external access has a number of benefits, but if it is not done correctly it can cause serious problems, such as:

  • Failure of the connection between the worker and the device.
  • Infection of plant network devices by malware present on the remote computer that connects in.
  • Impersonation of the worker, for instance through stolen or guessed credentials.
  • Man-in-the-Middle attacks on the remote session.
  • If the remote connection is not well secured, it becomes a clear entry point that any malicious actor can exploit to gain remote access to the system.

Because of the serious problems this technology can cause, it is very important to follow a series of steps to avoid or mitigate possible cyber-attacks.

Practices for remote connections

Below are the most important requirements to take into account so that external access is as secure as possible:

  • Robust architecture: one of the most important aspects is a good network architecture, in which external access never goes directly to the target asset but must pass through several levels before reaching it, for example a DMZ where the remote session is terminated and relayed. In this way a cyber-attack can be prevented, or at least detected more quickly. Several standards and guidelines can be followed to design a cybersecure architecture.

Figure: Robust architecture.

  • Access management: it is very important to know about every access into the company, both by its own employees and by collaborating companies. It is therefore advisable for the person responsible for authorizing external access to keep a well-documented register of who may connect, to which assets, and until when.
  • Role management: users should have only the permissions needed to perform their work correctly; for this, follow the principle of least privilege.
  • User management: because of organizational changes in which workers move around the company, accounts must be kept up to date: removed when the person no longer needs any network asset, created when someone joins, and permissions reviewed and revoked when they are no longer needed.
  • Secure protocols: for external access to a company device it is advisable to use an encrypted tunnel, such as TLS (version 1.2 or later), HTTPS or SSH. In most cases a VPN is the recommended option, since many industrial devices can only be managed over unencrypted protocols such as HTTP or Telnet, which must never be exposed directly to the outside.
  • Event control and review mechanisms: adding a monitoring center to the company greatly improves access control, since the time, origin and result of every access can be recorded and reviewed.
  • Authentication: it is advisable to have several ways to authenticate the user to increase the company's security. For this purpose MFA (Multi-Factor Authentication) should be used for all remote access.
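As an added example (not part of INCIBE's article), the following Python code applies the access, role and user management points above as a single deny-by-default check: a request is allowed only if the documented register holds an active grant for that user, covering that asset, whose role permits the requested action, and MFA was completed; the same register yields the list of grants to revoke at review time. The register fields, role model, asset names, accounts and sample entries are constructed assumptions.

```python
"""Deny-by-default check of an external access request against a documented
access register. Added example, not INCIBE's code: the register fields, role
model, asset names and sample entries are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed role model: each role maps to the actions it may perform on an asset
# (principle of least privilege: nothing outside this set is ever allowed).
ROLE_ACTIONS = {
    "viewer": {"read"},
    "maintainer": {"read", "configure"},
    "integrator": {"read", "configure", "firmware_update"},
}

@dataclass(frozen=True)
class AccessGrant:
    user: str            # account on the remote access gateway
    company: str         # own staff or collaborating company
    role: str            # key into ROLE_ACTIONS
    assets: frozenset    # asset identifiers this grant covers
    valid_from: datetime
    valid_to: datetime   # every grant expires; suppliers get short windows
    approved_by: str     # person responsible for authorizing external access

@dataclass(frozen=True)
class AccessRequest:
    user: str
    asset: str
    action: str
    when: datetime
    mfa_passed: bool

def authorize(register, request):
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    if not request.mfa_passed:
        return False, "MFA not satisfied"
    grants = [g for g in register if g.user == request.user]
    if not grants:
        return False, f"no grant on record for {request.user}"
    denial = "no active grant covers this asset"
    for g in grants:
        if not (g.valid_from <= request.when <= g.valid_to):
            continue          # expired or not yet active
        if request.asset not in g.assets:
            continue          # grant is for other equipment
        if request.action in ROLE_ACTIONS.get(g.role, set()):
            return True, f"granted by {g.approved_by} as {g.role}"
        denial = f"role {g.role} does not permit {request.action}"
    return False, denial

def expired_grants(register, now):
    """Grants whose window has closed: candidates for revocation at review time."""
    return [g for g in register if g.valid_to < now]

# Constructed sample register (not real accounts or equipment).
UTC = timezone.utc
REGISTER = [
    AccessGrant("ana", "PlantCo", "maintainer", frozenset({"PLC-L1", "HMI-L1"}),
                datetime(2023, 1, 1, tzinfo=UTC), datetime(2024, 12, 31, tzinfo=UTC),
                "ot-manager"),
    AccessGrant("vendor.bob", "PumpsInc", "integrator", frozenset({"PUMP-CTRL-3"}),
                datetime(2023, 8, 14, tzinfo=UTC), datetime(2023, 8, 18, tzinfo=UTC),
                "ot-manager"),
]

def check(user, asset, action, when_iso, mfa=True):
    """Convenience wrapper: evaluate one request against REGISTER."""
    req = AccessRequest(user, asset, action, datetime.fromisoformat(when_iso), mfa)
    return authorize(REGISTER, req)

def review(now_iso):
    """Users whose grants should be revoked as of the given instant."""
    return [g.user for g in expired_grants(REGISTER, datetime.fromisoformat(now_iso))]

if __name__ == "__main__":
    for args in (("ana", "PLC-L1", "read", "2023-08-17T10:00:00+00:00"),
                 ("ana", "PLC-L1", "firmware_update", "2023-08-17T10:00:00+00:00"),
                 ("vendor.bob", "PUMP-CTRL-3", "configure", "2023-09-01T10:00:00+00:00")):
        print(args[:3], check(*args))
    print("revoke:", review("2023-09-01T00:00:00+00:00"))
```

The design point is that the register, not the gateway's local account list, is the source of truth: a supplier whose maintenance window has closed is denied even if their account still exists, and the periodic review simply lists expired grants so that the accounts behind them are removed.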

VPN

As mentioned above, one of the most widely used methods, and one of the most secure when properly configured, is access to the deployed systems via VPN (Virtual Private Network).

This remote access encrypts communications between the client (for example a maintenance provider) and the end device or network (the industrial plant and its devices). VPNs also provide additional features: the VPN gateway terminates the connection and acts as an intermediary, so the real addresses and physical location of the plant's servers are hidden from the outside and their exact geographic location cannot be obtained. In addition, these connections support two-factor authentication, which adds an extra layer of security when connecting to critical devices or networks.

Figure: VPN communications.

Other types of secure access in industrial environments are described in more detail in the article 'Secure Remote Access in ICS'.

Event control and review mechanisms

Within this section, it is also worth mentioning the increasingly common appearance of OT SOCs (Operational Technology Security Operations Centers), which make it possible to monitor, detect and respond to threats and events in industrial control systems.

Among these events are failed access attempts against the different ICS equipment and networks. Monitoring them can reveal unauthorized access attempts, the use of brute-force tools, and so on.
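As an added example (not INCIBE's code), the following Python detection logic runs over constructed log lines modelled on OpenSSH sshd authentication messages from an assumed remote access gateway, with an ISO-8601 timestamp prepended. It raises one alert when a single source address accumulates a threshold of failed logins inside a time window (brute force) and a second alert when that same source later logs in successfully, which is the case an analyst most wants to see. The thresholds, host name, account names and addresses are assumptions.

```python
"""Brute-force and suspicious-success detection over remote-access gateway logs.
Added example, not INCIBE's code. Log lines are constructed, modelled on OpenSSH
sshd messages with an ISO-8601 timestamp prepended; thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches: <ts> <host> sshd[<pid>]: (Failed|Accepted) <method> for [invalid user] <user> from <ip> port <n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse(line):
    """Return a dict of fields for an authentication line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def detect(lines, threshold=5, window=timedelta(minutes=2)):
    """Return alerts as (kind, ip, detail) tuples, in log order.
    'brute_force': at least `threshold` failures from one source within `window`.
    'success_after_failures': a later successful login from a source already flagged."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = set()               # sources already reported for brute force
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        q = recent[ip]
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, f"{len(q)} failures in {window}"))
        elif ip in flagged:
            alerts.append(("success_after_failures", ip,
                           f"user {ev['user']} via {ev['method']}"))
    return alerts

# Constructed sample log (not real traffic): a password-guessing burst that
# eventually succeeds, a legitimate key-based login, and a single typo by a user.
SAMPLE_LOG = """\
2023-08-17T08:00:01+00:00 ot-gw sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2023-08-17T08:00:03+00:00 ot-gw sshd[4121]: Failed password for invalid user root from 203.0.113.7 port 51236 ssh2
2023-08-17T08:00:05+00:00 ot-gw sshd[4121]: Failed password for maint from 203.0.113.7 port 51238 ssh2
2023-08-17T08:00:07+00:00 ot-gw sshd[4121]: Failed password for maint from 203.0.113.7 port 51240 ssh2
2023-08-17T08:00:09+00:00 ot-gw sshd[4121]: Failed password for maint from 203.0.113.7 port 51242 ssh2
2023-08-17T08:00:20+00:00 ot-gw sshd[4121]: Accepted password for maint from 203.0.113.7 port 51244 ssh2
2023-08-17T08:05:00+00:00 ot-gw sshd[4130]: Accepted publickey for vendor.bob from 198.51.100.5 port 40000 ssh2
2023-08-17T09:00:00+00:00 ot-gw sshd[4140]: Failed password for ana from 192.0.2.10 port 52000 ssh2
2023-08-17T09:00:30+00:00 ot-gw sshd[4140]: Accepted password for ana from 192.0.2.10 port 52002 ssh2
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The single failed login from 192.0.2.10 followed by a success is not reported, while the success from 203.0.113.7 is, because the detector keys on the source's recent history rather than on the outcome of one event; in an OT SOC the second alert type is the one that should trigger immediate session termination and credential reset.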

At present the deployment of OT SOCs is still limited, but companies are beginning to integrate them because, as indicated in the article "OT SOC: The importance of advanced monitoring for industrial security", an OT SOC allows continuous monitoring and analysis of devices, networks and the unauthorized access events mentioned above.

Conclusion

External access is a technology that will be implemented in more and more companies because of the benefits it brings, such as the convenience it offers employees and the reduction of costs.

Even so, it must be handled with great care, as it can also cause cybersecurity problems for the company, such as access by unwanted users or the theft of sensitive information. That is why tools such as VPN connections and dedicated monitoring capabilities, such as an OT SOC, are very important to ensure the security of remote access.

To avoid these problems, it is advisable to apply the best practices discussed in this article, such as a robust network architecture and role management, and to keep accounts and systems updated and managed, since remote access points are among the most attacked, and attacks will keep growing in complexity and number.