By Larry Grate: Director of Technology at PREMIER System Integrators
April 21, 2020
The need for businesses to become more efficient by leveraging the data available in their manufacturing networks already had us on a high-speed chase to connect those systems. Now, with the current COVID-19 pandemic, manufacturers are racing to make those systems available remotely to support work-from-home for configuration and troubleshooting. The challenge, as we all know, is that those systems were never designed with security in mind. Even setting aside unanticipated vulnerabilities, the protocols themselves largely operate unauthenticated and unencrypted, so network reachability is effectively the only access control. So how do you keep systems secure when time is of the essence? Several of our customers have started implementing one or more of the following approaches.

1. Leverage an existing virtual environment (if you have one) and spin up engineering servers, so all of that vulnerable traffic stays inside the plant. Then, if possible, place jump hosts in a DMZ and provide a secure way to reach that engineering server. Solutions like Microsoft Remote Desktop Gateway (MS RDG) or VMware View work well for this method.

2. Install devices that make outbound-only connections to cloud servers and broker the sessions in the cloud, preferably landing on an on-premise engineering server in a DMZ, or, if that is not possible, allowing direct access to the equipment.

3. Allow VPN access directly into the manufacturing network, with the obvious corollary requirement of validating the security of those connections if a secure VPN solution was not already in place.

4. Allow a temporary internet connection to an engineering server and use a tool such as WebEx for remote control of that asset by a support person.

What has concerned me is the number of companies implementing solutions that allow connections directly into the trusted ICS environment from potentially untrusted locations.
When you are in the middle of a crisis, the last thing you need is to be fighting unwanted malware with a reduced staff. I understand the need to provide remote support and allow remote work, but I encourage you to consider the risks created by your choice of methods and technologies, and to document everything. Make informed decisions to allow these connections in an appropriate manner. If you are unsure what that looks like, or you want more details on some of the secure options listed, then reach out to your local CS2AI chapter. Whatever you do, consider the risk, and don't forget what you have opened up, so you can close it again when this is all over. As a side note, monitor what you have done, ideally using technical controls, especially if you are relying on administrative controls (a procedure, a ticket, a reminder) to disconnect your solution when it is no longer needed. Unfortunately, you never know who may find that connection.
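One way to put a technical control behind that advice, as an added example that is not part of the original article or the author's tooling: a small Python audit that reads firewall accept records for the temporary remote-access path and flags anything the exception did not authorize, including sessions that bypass the DMZ jump host and go straight into the control network (the direct-access pattern the article warns about) and sessions that are still being accepted after the exception's expiry date. The policy values (approved VPN source range, engineering-server and control-network addresses, support window, expiry date), the log format, and the sample log lines are all assumed for illustration.

```python
"""Audit a temporary remote-access exception against the policy it was granted under.

Hypothetical policy values and constructed log lines; not the article's own tooling.
"""
import re
from datetime import datetime, time, timezone
from ipaddress import ip_address, ip_network

# --- Assumed policy for the exception (all values hypothetical) ---
APPROVED_SOURCES = [ip_network("203.0.113.0/24")]  # corporate VPN egress range
JUMP_TARGET = ip_address("10.10.5.20")              # engineering server in the DMZ
ICS_NETWORKS = [ip_network("192.168.50.0/24")]      # control network behind the jump host
WINDOW_START, WINDOW_END = time(6, 0), time(20, 0)  # approved support hours, UTC
EXCEPTION_EXPIRES = datetime(2020, 5, 15, tzinfo=timezone.utc)

# --- Constructed firewall accept log in a simple key=value format (not real data) ---
SAMPLE_LOG = """\
2020-04-20T13:02:11Z ACCEPT src=203.0.113.45 dst=10.10.5.20 dport=3389 user=jsmith
2020-04-20T14:47:03Z ACCEPT src=198.51.100.7 dst=10.10.5.20 dport=3389 user=vendor01
2020-04-21T03:15:40Z ACCEPT src=203.0.113.9 dst=10.10.5.20 dport=3389 user=-
2020-04-21T09:30:00Z ACCEPT src=203.0.113.45 dst=192.168.50.11 dport=44818 user=jsmith
2020-05-20T10:00:00Z ACCEPT src=203.0.113.45 dst=10.10.5.20 dport=3389 user=jsmith
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) user=(?P<user>\S+)$"
)


def parse_line(line):
    """Parse one record into typed fields (UTC timestamp, IP objects, int port)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["src"] = ip_address(ev["src"])
    ev["dst"] = ip_address(ev["dst"])
    ev["dport"] = int(ev["dport"])
    return ev


def check_event(ev):
    """Return every way this accepted connection deviates from the granted exception."""
    reasons = []
    if ev["ts"] > EXCEPTION_EXPIRES:
        reasons.append("connection after exception expiry; the rule was never removed")
    if not any(ev["src"] in net for net in APPROVED_SOURCES):
        reasons.append("source outside approved range")
    if any(ev["dst"] in net for net in ICS_NETWORKS):
        reasons.append("direct connection into ICS network, bypassing the jump host")
    elif ev["dst"] != JUMP_TARGET:
        reasons.append("destination is not the approved engineering server")
    if not WINDOW_START <= ev["ts"].time() <= WINDOW_END:
        reasons.append("outside approved support window")
    if ev["user"] == "-":
        reasons.append("connection not tied to a named user")
    return reasons


def audit(log_text):
    """Return [(line_number, [reasons])] for every accepted connection that violates policy."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["action"] != "ACCEPT":
            continue  # denied traffic is the firewall doing its job; not the concern here
        reasons = check_event(ev)
        if reasons:
            findings.append((n, reasons))
    return findings


if __name__ == "__main__":
    for n, reasons in audit(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(reasons))
```

Run it on a periodic export of the firewall's accept log for the temporary path. Anything it reports after the exception's expiry date is exactly the forgotten connection the article warns about, and the expiry check is the technical backstop for an administrative "we will turn it off afterwards" control; the direct-to-ICS check catches a session that reached equipment without passing through the engineering server.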