Many energy suppliers are already benefiting from connected operations, and many more are currently considering making the move. By merging operational technology (OT) infrastructure with information technology (IT) networks, an energy supply company can gain better control of its operational processes and improve the reliability, safety and profitability of its operations and overall business. Along with these benefits come many cybersecurity vulnerabilities and risks associated with connecting OT and IT networks, which threaten any energy supply company making this transition.
An effective corporate plan for dealing with the cybersecurity risks of connected operations requires, as an essential element, full visibility of all operational assets and secure connectivity among these operational devices and equipment.
Secure Connectivity is an Operational Requirement
As in many industrial fields, the operational equipment used by an energy supplier must be monitored and accessed remotely in order to maintain high levels of safety, reliability and availability. Many routine tasks, such as patching, hardening and log collection, are regularly performed by accessing operational equipment remotely. Remote access to operational equipment is also needed to provide fast responses to incidents. For instance, the production yield of a certain piece of operational equipment may have suddenly dropped, and remote experts must be given immediate access to support the onsite staff resolving the problem.
There are two main communications functions involved with remote access. The first function is the remote access itself (RDP, SSH, HTTP) and the second function is the data transfer between the remote equipment and the control center. Some of these remote activities can be automated by machine-to-machine (M2M) communications without any human involvement or supervision.
These remotely performed activities are clearly essential for a plant’s safety and reliability. However, providing connectivity from the outside and permitting remote access processes, especially by third parties, exposes an energy supply company to many cybersecurity vulnerabilities and drastically increases the ICS attack surface. Hackers and cyberterrorists with malicious intentions often target the remote connectivity point to gain unauthorized access and attack operational infrastructure.
Managing and controlling remote access is a complex task. Multiple vendors, first-party workers and machines all need to establish numerous connections to various plants and operational assets. Clearly, remote access must be permitted only to authorized and authenticated users, according to the granular policies of the plant operator.
Current Remote Connectivity Practices are Problematic
Currently, virtual private network (VPN) connectivity is the most common method used for remote access, monitoring and data transfer. A VPN is intended to create a secure encrypted tunnel for transmitting data between a remote user and the operational network.
The practice of using VPNs for remote access has several drawbacks. To start with, each party requiring remote access must have its own VPN. For network and security administrators, managing multiple VPN connections and the openings they create in the firewall is extremely difficult. At the same time, remote users who access the plant LAN with their own VPN may have excessive privileges and be able to reach operational equipment for which they have no need or authorization. Also, the two-way communication of a VPN, which provides a connection from both outside and inside the organization, is targeted by attackers intending to send malware or malicious commands to operational equipment.
A physical network connection, such as fiber running between the head office and remote plants, is an alternative to VPNs, although the costs involved are high and, as a result, it is not used often.
Another common alternative to VPNs is for vendors to use their own remote access solutions, certified by the energy supply company. The drawback here is that each vendor accessing each remote facility creates another hole in the industrial network. Also, this type of access is generally not visible to the corporate security team at the head office.
Regardless of whether remote access is provided by VPN connections or the remote access tools used by vendors, the result is a complex combination of multiple lines entering the operational network at different locations. These practices are difficult to manage and create unnecessary cybersecurity risks.
Recommendations for Secure Remote Access Connectivity
In order to ensure high availability, reliability and safety without compromising the security of its operational and production facilities, any energy supplier that needs to provide remote access should implement the following recommendations. They can be considered best practice guidelines and apply not only to energy supply companies but also to any industrial enterprise.
· Implement top-down control – all third party remote access to the operational network should be funneled and authenticated through a single location. Consolidating all remote connections through a single point makes for fewer connections and a more secure access framework.
· Protect asset credentials – give remote users privileged access without sharing the credentials of the assets. For this, a password vault is recommended, which enables access without sharing the actual password. This helps prevent compromise of credentials through keylogging and risky password management, while easing the management of password expirations and renewals. In a time of crisis, the third party can gain fast access without the risk of forgetting a unique password.
· Enforce accountability and monitoring – all user activities must be monitored and audited. IT and OT departments should be able to approve, deny or terminate a session as necessary. Network monitoring should be used to look at the traffic passing through these connections and alert on any anomalies.
· Use a policy for access – configure all user access to the “least privilege” mode and create exceptions to the policy on an individual basis. A flexible rule engine for defining access granularity, such as who can access which asset(s), when, from where, using which protocols, and doing which activities, should be used.
· Allow data and file transfer – create a secure method to send files, such as transferring patches, logs and alerts from the ICS to the control center.
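The “least privilege” policy and the per-user exceptions described above, together with the audit trail the accountability recommendation calls for, can be expressed as a small default-deny rule engine. The following Python is an added example written for this article, not NextNine’s product or code; the rule fields (user, asset, time window, source ranges, protocols, activities), the asset name PLC-7, the vendor name and the IP ranges are all constructed, hypothetical values.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    """One explicit exception to the default-deny policy (field layout is assumed)."""
    user: str
    asset: str
    window: tuple          # (start, end) as ISO-8601 strings
    sources: tuple         # CIDR ranges the session may originate from
    protocols: frozenset   # e.g. {"ssh", "rdp"}
    activities: frozenset  # e.g. {"log_collection", "patching"}

def _matches(rule, user, asset, when, source_ip, protocol, activity):
    """True only if every dimension of the request is covered by this rule."""
    start, end = (datetime.fromisoformat(t) for t in rule.window)
    return (rule.user == user and rule.asset == asset
            and start <= datetime.fromisoformat(when) <= end
            and any(ip_address(source_ip) in ip_network(n) for n in rule.sources)
            and protocol in rule.protocols and activity in rule.activities)

def decide(rules, audit, user, asset, when, source_ip, protocol, activity):
    """Return "ALLOW" if some rule explicitly permits the request, else "DENY".
    Every decision is appended to `audit` so sessions can be reviewed later."""
    allowed = any(_matches(r, user, asset, when, source_ip, protocol, activity)
                  for r in rules)
    verdict = "ALLOW" if allowed else "DENY"
    audit.append({"user": user, "asset": asset, "when": when, "source": source_ip,
                  "protocol": protocol, "activity": activity, "verdict": verdict})
    return verdict

# Constructed sample rule (hypothetical names): a vendor engineer may collect logs
# from or patch PLC-7 over SSH, only from the vendor's documented range, during a
# maintenance window. RDP, other assets, other times and other sources stay denied.
RULES = [Rule("acme_vendor", "PLC-7", ("2024-03-01T08:00", "2024-03-01T17:00"),
              ("203.0.113.0/24",), frozenset({"ssh"}),
              frozenset({"log_collection", "patching"}))]

if __name__ == "__main__":
    log = []
    print(decide(RULES, log, "acme_vendor", "PLC-7", "2024-03-01T10:00",
                 "203.0.113.5", "ssh", "log_collection"))   # ALLOW
    print(decide(RULES, log, "acme_vendor", "PLC-7", "2024-03-01T10:00",
                 "203.0.113.5", "rdp", "log_collection"))   # DENY
    print(log)
```

Because the engine denies anything a rule does not explicitly cover, adding a vendor, asset or protocol means writing a new rule rather than loosening an existing one, which keeps exceptions individual and reviewable.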
In addition, a strong remote access control infrastructure should include the following:
· The connections between remote users and operational assets should be highly secured. For example, a single outbound port should be used for all simultaneous connections to the industrial facility rather than multiple VPNs. All traffic should be funneled through this port, which is controlled and monitored by both the IT and OT security teams.
· Use standard secure communication protocols, such as TLS, to encrypt all communications.
· Multiple protocols must be supported due to the uniqueness and diversity of vendor and purpose-built systems.
· There should be the ability to connect to existing IT solutions such as SIEM, LDAP and jump servers.
Benefits of Strong and Secure Remote Access Framework
Remote access to operational assets is essential for high availability, reliability and safety. Controlling the remote access of multiple external parties to a distributed operational environment is a complex task.
An energy supply company that needs to allow remote access while controlling and securing it should rely on an arrangement that provides authentication, privilege management and accountability, running on top of a strong and secure infrastructure. This will position the energy supplier to improve its overall security posture and better manage the security of its OT operation.
This article is the third in a series of four articles on OT security management for the energy supply industry. The first article presented an overview of the OT security challenges faced by energy suppliers connecting their IT and OT operations and offered three recommendations for improving the security posture of a connected manufacturing environment. The second article looked at the importance of network visibility and industrial asset inventory and the final article will offer a strategy for a top-down approach to OT security management.
About the author: Shmulik Aran is the CEO of NextNine, a provider of security management solutions for connected industrial control system environments.