Secure remote management for ICS
When performing security assessments for ICS (industrial control system) customers, we often find that suppliers use several different remote access paths for remote management purposes. Most of these are established through a separate DSL line. Makes sense, right? A solution like this makes it easier for the vendor to provide remote maintenance. The setup is simple for the customer and the IT department can be bypassed.
I disagree! Let me explain why this type of setup is worrisome, how it can be improved, and why better designed remote access solutions are important.
Security and maintenance
There’s a reason that a security-conscious IT department is usually very reluctant to set up remote access paths that bypass the regular network.
Sometimes those DSL lines have their own security measures built in. But usually, they don’t have any at all. This leaves the burden of securing these lines with the IT department again. And with added security comes complexity and an increase in maintenance efforts – usually for both vendor and client.
A vendor that has some operational responsibility over the installation should be more concerned with the security of its devices. They are more easily accessible from insecure networks through the DSL. The vendor will have to put more effort into patching and updating them.
A risk-aware IT department will usually add some extra security measures to the mix. A firewall and a VPN solution are the bare minimum. Those require maintenance, patching and monitoring. If those measures are not added, the alternative is usually to limit the window of opportunity by only enabling the DSL line when the vendor needs access. This adds to the responsibilities of IT staff: a strict procedure has to be followed. If not, lines may be kept open indefinitely, exposing critical ICS systems to the world! This happens more often than you would expect, and it is something we definitely look for when scanning for security problems.
To avoid breaches, our client has to verify the security of their ICT infrastructure on a regular basis. This can be done using recurring penetration testing and system analysis. Every remote connection in use has to be tested, be it DSL line, leased line or modem connection. That’s a lot of work. If weaknesses are discovered, the lack of monitoring on these access points makes it hard to figure out whether an intrusion may have already occurred.
A secure solution
There IS a manageable solution to this problem that is also secure.
A proper and secure remote management solution for process environments should be:
- centralised
- time based
- source IP controlled
- using strong user authentication
- monitored and logged
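The five properties above can be read as one access decision made at a single gateway. The sketch below is an added example, not code from the original article; the vendor name, address range, maintenance window and the decide() function are constructed assumptions.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Centralised: one policy store at the gateway (constructed sample values).
POLICY = {
    "vendor-a": {
        "sources": ["198.51.100.0/28"],  # documentation range, constructed
        "windows": [("2024-05-14T08:00:00+00:00", "2024-05-14T12:00:00+00:00")],
    },
}
AUDIT_LOG = []  # stand-in for a central, append-only log store


def _source_ok(source_ip, networks):
    """Source IP controlled: malformed addresses are rejected, not raised."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n) for n in networks)


def _in_window(now, windows):
    """Time based: access exists only inside an approved window."""
    return any(datetime.fromisoformat(s) <= now < datetime.fromisoformat(e)
               for s, e in windows)


def decide(vendor, source_ip, mfa_passed, now):
    """Return (allowed, reason); every decision is logged, denied ones too."""
    entry = POLICY.get(vendor)
    if entry is None:
        result = (False, "unknown vendor")
    elif not _source_ok(source_ip, entry["sources"]):
        result = (False, "source IP not approved")
    elif not _in_window(now, entry["windows"]):
        result = (False, "outside approved maintenance window")
    elif not mfa_passed:  # strong user authentication, verified upstream
        result = (False, "strong authentication not completed")
    else:
        result = (True, "ok")
    # Monitored and logged: one structured record per request.
    AUDIT_LOG.append(json.dumps({
        "time": now.isoformat(), "vendor": vendor, "source": source_ip,
        "allowed": result[0], "reason": result[1],
    }))
    return result
```

Because denied requests are logged as well, the same record stream shows attempts made outside a window or from an unapproved source, which the unmonitored DSL lines described earlier cannot provide.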