February 16, 2022

Full-scale Secure Access Management for OT/ IIoT Assets with PrivX OT

IT/OT convergence changes the security landscape 

IT/OT convergence is one of the megatrends in operational technology (OT) and industrial automation. It affects businesses in Internet of Things (IoT), Industrial Internet of Things (IIoT), and Industrie 4.0 in a fundamental way. The once highly guarded on-site security perimeters are disappearing, and critical OT targets are accessed remotely and off-site from various geographical locations as well as by external contractors.

We've already discussed how traditional tools like VPNs, firewalls or simple Secure Remote Access (SRA) are often insufficient in this changing landscape. Read more about the topic in Why the manufacturing industry should get serious about Zero Trust and Just-in-Time access.

But let's take a look at some of the other aspects of access management that are unique to the OT space.

Traditional security boundaries no longer apply in securing access to production sites 

In the past, you sent a maintenance engineer on-site to adjust or maintain critical production site components. Examples include repairing paper or thick fiberboard machinery in pulp and paper mills, adjusting chemical levels in water facilities, or upgrading power grid control points.   

The expert carrying out the maintenance task was identified and verified at the gate, was always escorted to the site, and the tasks were completed by using physical tools.  

The next step in evolution was to send the said maintenance engineer on-site to upgrade the software on critical machinery, also escorted and identified as before.

Steps one and two are still relevant. But many of the critical upgrade or adjustment tasks are now performed remotely, from an off-site location that can be anywhere in the world and using digital tools. The person doing the maintenance job can be a third party of a third party. 

It would be unacceptable for any self-respecting company to allow an unidentified person physical entry to their production site or leave the person unescorted when they are adjusting critical machinery.

But when digital tools and remote maintenance tasks come into play with the emergence of IT/OT convergence, many companies can no longer answer the following questions: 

  • Can you be sure that you always identify the off-site engineer doing remote maintenance? 
  • Can you provide a solid audit trail of access for each session? 
  • Do you know how many digital doors are there altogether to your production sites and machinery? 
  • Are you in control of the credentials used to access your environment? 
  • Are you able to reliably revoke all access without leaving critical credentials behind?
  • Do you know how many different tools in-house and external engineers use for access and how secure they are? 
  • Can you enforce security policies on third parties by restricting access to the level that is minimal to the task at hand?

Let’s explore why this is the case.

Industrial targets require a mix of IT, OT, legacy, and modern technology 

Industrial Control System (ICS) assets are located at geographically distributed sites, and the only way to repair, maintain, or upgrade them is by using digital tools. Since the maintenance engineers with the required skills are geographically distributed as well, the only realistic way to maintain the ICS assets is to grant secure remote access to them.

Strong authentication, access controls, and encrypted connections are among the basic requirements for protecting against unauthorized access and the risk of a breach.

The IT/OT convergence is a gradual process. OT networks host a lot of modern technology, but quite often there are also legacy elements in play.

OT targets vary from traditional servers to control logics, Human-Machine Interfaces (HMI), Supervisory Control and Data Acquisition (SCADA) servers, or remote-control software used in factories, paper mills, cranes, ships, etc. 

This creates a truly hybrid environment where legacy and modern elements meet. To illustrate the point, let's look at just the number of protocols used in operational technology.

Standard, custom, and proprietary protocols intermixed

As more and more IT elements are introduced to OT production sites, you're managing access to traditional IT resources (like servers, applications, network devices) using traditional IT protocols like SSH, RDP, HTTPS, or VNC.

This type of access can often be managed with traditional IT security controls, like legacy Privileged Access Management (PAM) or secure remote access solutions. 

But OT applications often use a mix of vendor-specific protocols which might not have the required security controls (like encryption) built-in.

Examples include: 

  • Profibus 
  • Modbus 
  • Interbus 
  • ProfiNet 
  • DeviceNet 
  • RAPIENet 
  • EtherCAT 

And there are dozens more.

Legacy IT solutions don’t support these protocols. Making them somehow compatible involves a lot of manual configurations and workarounds. This in turn makes providing robust secure remote access complex, time-consuming, vulnerable to potential human errors, and next to impossible to maintain. 

Be that as it may, critical OT machinery requires maintenance, adjustments, and upgrades without the fear of operational downtime caused by complex access management challenges, misconfigurations, insufficient tools, or lack of IT/OT skills by the workforce. 

What’s more, the maintenance engineers and software administrators performing critical tasks should always be identified - as if they were on site. Granting access to the right target for the right person at the right time with the right level of privilege should happen fast, but in a secure manner to avoid costly disruptions.

Centralized, secure, and protocol-agnostic access to Industrial Control Systems (ICS) 

We at SSH launched our PrivX OT Edition early Autumn last year. It’s a full-scale secure remote access management solution purpose-built for businesses in industrial automation and operational technology.  

PrivX OT Edition has evolved to support different types of environments, giving our customers the flexibility they need to cope with different types of scenarios.

1. Accessing targets supporting traditional IT protocol

PrivX has supported protocols like Secure Shell (SSH), Remote Desktop Protocol (RDP), Hypertext Transfer Protocol Secure (HTTPS), or Virtual Network Computing (VNC) for access for a long time. With IT/OT convergence, they're all more commonplace in OT environments as well.

For these connections, PrivX provides Role-Based Access Control (RBAC) with session recording and audit events. With RBAC, PrivX automatically assigns the right identity to the right role, which ensures that authorizations and their entitlements are always aligned and privileges are appropriate to the task at hand.

Also, the built-in workflow/approval process helps ensure that the maintenance engineer follows the due process and your security policies. Access is always granted just-in-time (JIT) at the time of need, eliminating always-on authorization and making the solution responsive to sudden, ad-hoc or emergency needs.

2. Leveraging IT protocols to access non-standard and proprietary OT targets 

In OT, there are a host of client applications that don’t support traditional IT protocols. One solution is to run the application on a server through a jump host/Virtual Desktop Infrastructure (VDI) and use PrivX to manage access to the server running that client application (using e.g. SSH or RDP).  

This way, RBAC is still run through PrivX and you will have session recording and audit events available. This method can be used, for example, to access database tools, service and maintenance software, control logics, to name a few.

3. Network-level access

In many cases, there's a need to run client software using a proprietary protocol on a client (like a PC). An example of this is SIMATIC for controlling programmable logic controllers (PLCs).

The access control in this scenario is often managed with VPN/Firewall solutions. But the VPN/Firewall approach doesn’t provide the needed granularity and is quite often complex to manage, configure, and maintain, since it requires configurations at the target and access is granted per individual instead of roles.  

PrivX OT Edition enhances the existing access management capabilities with the possibility to control access to targets on a network level. The main benefit of this feature is that it's protocol- and target-agnostic: the network target can be a service, system, or subnet, and it can be accessed with any TCP/IP-based protocol, including the ones prevalent in industrial automation.

As always, the convenient RBAC controls apply for easy management, as well as granular access controls.

Improve VPN/Firewall and legacy environment access controls with PrivX Router 

PrivX OT Edition introduces a new PrivX Router component. It provides RBAC to a specific IP or IP range, or even on a port or port range level. You can also limit the used protocol to TCP or User Datagram Protocol (UDP).

As an extension to an existing VPN/Firewall solution, PrivX controls access based on the user's roles and location within the network by configuring external router/firewall components to allow/deny access on layer 3/4.  

With this setup, you can take a layered security approach. In addition to a VPN connection, which typically grants access to a large segment of your network, users will establish network access sessions to specific network targets through PrivX.

Here’s how it works: 

  • Users can easily select the available network targets from the PrivX UI. The available targets are visible and restricted based on the user’s current role. 
  • As an example, the user can make a connection to a specific IP/port only if a specific VPN connection exists and the user has a valid role for the network target connection. 
  • Users can request a role with a built-in workflow and approval process. 
  • Admins can inspect user sessions via audit events and terminate network access sessions when necessary. 
  • Audit events are generated when network access sessions are opened and closed, and when changes are made to the network target configuration. 
  • Each network access session is also stored as a connection to the connection manager. This allows admins to inspect detailed metadata of ongoing and past network access sessions, and to request ongoing network access sessions to be terminated.

Network targets are configured in PrivX UI by defining: 

  • The roles that can access the network targets 
  • The instructions that are displayed to the user when the network access session is opened 
  • The destination IP address range (IPv4/IPv6) 
  • The destination port range (optional) 
  • The traffic selectors for allowed TCP/IP traffic (optional) 
  • Destination Network Address Translation (DNAT) parameters (optional) 
  • Source Network Address Translation (NAT) can be enabled/disabled per network target 
  • Exclusivity, meaning that users cannot open a concurrent session to this network target
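As an added illustration (not PrivX code or its API), here is a toy evaluation of one network target built from the fields listed above: role membership, destination range, port range, traffic selectors and exclusivity are checked in turn, and every decision is turned into an audit record. The target, roles, users and addresses are constructed samples.

```python
# Added illustration (not PrivX code): a toy model of how a role-based
# network target definition can be evaluated at layer 3/4.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NetworkTarget:
    name: str
    roles: frozenset            # roles permitted to open a session
    destination: str            # IPv4/IPv6 range, e.g. "10.20.0.0/24"
    ports: tuple = (1, 65535)   # inclusive destination port range (optional)
    protocols: frozenset = frozenset({"tcp", "udp"})  # traffic selectors (optional)
    exclusive: bool = False     # no concurrent sessions to this target


def evaluate(target, user_roles, dst_ip, dst_port, proto, open_sessions=0):
    """Decide whether a session to (dst_ip, dst_port, proto) may be opened.

    Returns (decision, reason); every denial names the failed check so it can
    be written to the audit trail rather than silently dropped.
    """
    if not target.roles & frozenset(user_roles):
        return "deny", "no role grants this network target"
    if proto.lower() not in target.protocols:
        return "deny", f"protocol {proto} not in traffic selectors"
    try:
        inside = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(target.destination)
    except ValueError:
        return "deny", "malformed destination address"
    if not inside:  # also covers an IPv6 request against an IPv4 target
        return "deny", "destination outside the target address range"
    lo, hi = target.ports
    if not lo <= dst_port <= hi:
        return "deny", f"port {dst_port} outside {lo}-{hi}"
    if target.exclusive and open_sessions > 0:
        return "deny", "target is exclusive and a session is already open"
    return "allow", "all checks passed"


def audit_event(target, user, dst_ip, dst_port, proto, decision, reason):
    """Build the audit record emitted when a session is opened or denied."""
    return {"event": f"network-session-{decision}", "target": target.name,
            "user": user, "dst": f"{dst_ip}:{dst_port}/{proto}", "reason": reason}


# Constructed sample: one PLC subnet, reachable on TCP/102 only by one role,
# and only by one engineer at a time.
PLC_TARGET = NetworkTarget("plc-line-3", frozenset({"plc-maintenance"}),
                           "10.20.3.0/24", (102, 102), frozenset({"tcp"}), True)
```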

Support for non-tunneled VNC connections 

We recommend tunneling the VNC connections over SSH. In some cases, the destination cannot run an SSH server and plain text VNC is the only option. Now, it’s possible to configure PrivX to allow plain text VNC connections.  

We recommend making sure that the network between PrivX and the target hosts is secured by other means if you allow this type of access. This feature is disabled by default.

ICAP antivirus integration for RDP-proxy and Web file transfers 

Malware can spread through file transfers. When Internet Content Adaptation Protocol (ICAP) is enabled for RDP connections, all user file uploads and downloads are scanned.  

Uploaded files are scanned before they are sent to target hosts whereas downloads are scanned before they travel from the shared directory to the user machines. Files that don’t comply with the corporate policy are blocked. 

PrivX OT Edition supports file scanning for RDP and HTTPS with support for other protocols coming later.

PrivX OT – your comprehensive secure remote access gateway to OT targets 

Whether you’re doing business in manufacturing, oil & gas, power and utilities, water treatment, transportation, or pulp & paper industries, we can make it easy and safe for your maintenance crew to securely connect to OT, IoT, and IIoT assets in your industrial network. 

Troubleshooting, maintaining, and upgrading ICSs should take place without operational downtime and the risk of costly breaches. In the worst-case scenario, make sure your mean time-to-respond (MTTR) is at the top level. PrivX OT Edition is the solution to make that happen.

The PrivX project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 881221.


Learn how a leading manufacturing company operating in the field of industrial equipment streamlined their access management, introduced workflow approvals for maintenance tasks, and increased the granularity of auditing and privilege restrictions.

Jani Virkkula

Currently employed by SSH.COM as Product Marketing Manager, Jani is a mixed-marketing artist with a strong background in operator and cybersecurity businesses. His career path of translator -> tech writer -> marketer allows him to draw inspiration from different sources and gives him a unique perspective on all types...
