Remote work means that you can do your work from home. Many think of it as office workers working in front of a computer in their own home, mainly using office applications and connecting with colleagues via video conferencing. However, remote work is more than just home office: mainly due to the consequences of COVID-19, many industrial workplaces have also been transferred to the private sector, for example, to remotely manage production equipment and critical infrastructure, such as OT networks.
When remotely accessing OT networks, companies should be particularly careful in four areas, although IT and OT networks have their differences: The basic rules and security measures apply equally, but with varying implementation.
The basic rules of secure remote access in OT networks
It's critical that organizations monitor all remote connections - even the seemingly unimportant ones. Ideally, they will be able to monitor remote sessions in real time, manage user access requests based on purpose, duration and frequency, and terminate sessions with the click of a mouse. This significantly reduces the risk of internal and external threats (third parties such as contractors are included here) without sacrificing productivity or even causing costly production disruptions.
In addition, as organizations rely more and more on remote connectivity, it is critical to define and enforce granular access permissions for remote users. This is especially true for those with privileged access. In the case of industrial enterprises, access rights in this regard should conform to a layered network defense model (such as the Perdue model). This makes lateral movements by an attacker much more difficult in the event of a compromise, and the most sensitive and critical areas are better protected.
Authentication: One of the biggest risks in the context of the rapid introduction of remote access is, above all, the sharing as well as the management of passwords. Especially the sharing of passwords with colleagues and partners is unfortunately common practice in this area. Wherever possible, companies should prevent, or at least significantly restrict, the use of credentials by third parties. This can be accomplished, for example, by requiring administrator approval for all remote access sessions. Password vaults and multi-factor authentication are also effective methods to protect against compromise.
Auditing and Compliance: Similar to the home office, remote access to industrial facilities and critical infrastructure will remain a dominant theme post-pandemic. Particularly with regard to remotely located production and operating sites, this will result in enormous advantages. But there are also risks: Attackers have an interesting attack vector at their disposal in this way, which they will probably use more and more in the future. And despite all security efforts, some will succeed. For this reason, organizations should be careful to capture and document all session activity and the use of credentials for remote access to meet compliance requirements and facilitate future forensic analysis.
The limits of the VPN for Secure Remote Support
As with access to IT networks, many companies still rely on VPNs in the OT area. Proven over many years, this technology is relatively user-friendly and offers some privacy and security features. And while they have evolved to some degree, they also carry certain risks. This is even more true for their use in OT infrastructures:
- VPNs provide a secure way to access a network, but they cannot fully control who can access what specific information within the network, how long access lasts, and what actions can be performed on the network. Once users are on a network using a VPN, the administering entity's control over their actions ends. At the same time, this means that it is easier for potential cybercriminals to penetrate the system. This problem can be largely offset by the Zero Trust approach; however, corresponding solutions are often only suitable for IT networks because they do not support all the use cases required for OT networks.
- VPN sessions are recorded in log files, but these contain minimal information and no details about the activities performed during the session. However, this is insufficient for auditing, compliance and forensic purposes.
- By increasing the attack surface, traditional VPNs offer a potential entry point for attackers. For example, stolen credentials of a legitimate user can provide a cybercriminal with an ideal launching pad for further dangerous activities.
New remote access solutions designed specifically for the requirements of OT networks go far beyond traditional VPN functionalities and follow a security-by-design approach. For example, some of these are built on a two-tier architecture that retains the Purdue model and minimizes the attack surface by protecting network components from direct access. The remote user only gets a rendered view of the asset in question - which is not perceptible or disruptive to them - while between them and the asset, the Secure Remote Access solution controls access and activity. They also often have locally stored, detailed audit trails that enable quick troubleshooting, and are deliberately simple in their user interface to minimize disruption to workflows. After all, security and secure remote access can only be ensured if solutions support employees rather than being seen as a hurdle.
With our VISULOX Remote Support Security solution you benefit from:
- ... efficient management of privileged access, which increases the security of your company.
- ... a fast implementation that allows you to protect your remote accesses after just a few hours and without massive financial outlay.
- ... a practical tool that allows you to better track, fix and prove errors in work in your infratructure.
Don't leave your company's security to chance, use VISULOX Remote Support, a tool that adapts to you and your individual situation.
In recent years, we have protected customers in a wide range of industries from criminal activities - from logistics to suppliers and IT companies to critical infrastructure. Convince yourself of our expertise and arrange a non-binding initial consultation
We look forward to meeting you and showing you how our Security Remote Support solution protects your sensitive data and access to your infrastructure.