Remote Access in Industrial Control Systems
Updated: Mar 27, 2020
Hey everybody…it’s Bill Medcalf with GPA…practicing a little social distancing today and working from home, and I thought it might be a good time to have a discussion around remote access in industrial control systems. Now, unfortunately, the current state of events has done nothing to mitigate our risks. The consequences are still there, but if it hasn’t happened yet…it probably will be happening…that somebody is going to want to have the discussion about remotely accessing our industrial control systems. So, there are some things that we can do to mitigate our risks associated with that. Obviously, if we’ve done due diligence, the ideal scenario would be that we would have a firewall between the business network and the process network. We would have a DMZ between those 2 different networks where we could place a jump box or some type of remote access solution. There are a lot of commercial solutions out there, so if you have the infrastructure in place this should be a pretty straightforward process to gain access into your control system.
However, let’s talk a little bit about those who don’t have that infrastructure in place. Maybe it’s an air gap system, maybe it’s where you don’t have a clearly defined network edge or segmentation, but there is an emergency need to access this industrial control system. So, we can take the concept of a jump box, and the jump box is nothing more than a PC that has internet access on one side and is connected to the industrial control system on the other side. What typically happens is the remote user will log into this machine and then, using remote desktop or VNC, something like that, is able to access machines on their industrial control systems.
So, if we take that concept and we take a box, we want to make sure that this PC we are going to use as the jump box is patched and updated. After all, it is going to live in the business environment; it is going to be exposed to the network. So, we want to make sure our patches and updates are up to date. We want to make sure our antivirus is installed and up to date before we get started. Once we get started, we have a couple of options in how we remotely connect to this jump box. Probably the preferred method, if we have VPN established for the business network, would be to have a VPN account that logs in and has the capabilities to log into this machine, which then gives us access into the industrial control systems. If we do not have a system like VPN through our business network, one of the other things we may want to consider would be using one of the commercial meeting products such as GoToMeeting, BlueJeans, WebEx, any of those; they all have the ability to share screen, mouse and keyboard. So, this again would allow you to grant access into the system on a temporary basis, let them do whatever they need to do, support or whatever, and then once completed turn off that access. Again, I think that is very important. There are lots of programs like TeamViewer and things like that that allow for unattended access, and although they are great products, in this type of scenario it’s probably not the best fit. We don’t necessarily want 7 by 24 remote access; we just need to get an individual into our system for a short period of time to resolve the issue and then turn that access off.
Again…just throwing out some ideas there of potential things that we can do. I always say when it comes to Cybersecurity, ask a question, start a discussion. The intent of this video is to do just exactly that. If you have questions, concerns or comments, leave them down below. Will be happy to continue on the discussion. Just trying to put some information out there today. Everyone be safe!