Secure remote connections with cloud technologies
Mobile technology has advanced to touch many aspects of modern life. People expect and demand digital access to almost anything technology-based, often through mobile devices. Because of this expectation, contemporary devices are designed with such connectivity built in.
However, there are certain applications, such as remote and mobile monitoring of industrial control applications, arriving a little late to the party. Industrial automation, historically, lags behind the latest consumer technologies due to its specialized needs. Automation hardware and software platforms must operate continuously for years or decades. Any failures directly and negatively impact costly equipment and products. Therefore, these platforms have often remained somewhat isolated at an end user’s site.
These rigorous requirements are the primary focus for industrial automation platforms. Any form of remote access was a secondary consideration at best, and was often viewed as a potential way to compromise cybersecurity. Even as commercial networking, PC and internet cloud technologies enabled far easier access to automation platforms, each of these aspects has intensified cybersecurity concerns.
Today’s always-connected end users demand remote access from their automation platforms because it adds value by reducing downtime. They can visualize a system’s performance, operate more efficiently and diagnose problems remotely. Establishing secure remote connections with confidence requires careful attention at many levels of hardware, software and networking.
A solid cloud foundation
Some end users with a strong information technology (IT) skillset can create and maintain their own remote connectivity solutions to the plant floor operations technology (OT) side of the operation. Executed properly, these can provide satisfactory results. Usually, the work includes establishing a virtual private network (VPN) so internet-connected devices can communicate through the site firewall and reach the desired OT targets.
A VPN can be difficult and expensive to establish and maintain due to the coordination required between IT and OT groups. Even when a VPN is in place, there must be mobile applications or other software through which end users can connect remotely. This task can be challenging unless the end user has all the required specialized hardware, software and requisite experience.
A further concern is how a home-brewed remote connectivity solution should be tested, both initially and over time, to ensure adequate cybersecurity. A proper security management model is based on the triad of confidentiality, integrity and availability (CIA) of information. Many end users may not be able to create and maintain such a security model.
For these reasons, many end users are turning to established cloud-based solutions to implement remote connectivity with the security they need. Cloud-based platforms are already specialized for the remote connectivity task. Providers can offer economies of scale and other technical benefits.
Before addressing security, it is important to understand the technical features cloud software can offer compared to a homemade configuration.
One significant difference cloud-based software can deliver is improved availability, because it operates on servers in the same types of data centers that handle other critical computing and data storage activities. Such an expandable architecture can truly be planet-scale and provide improved availability through redundancy. A network of VPN servers located in data centers can select the best server for low latency, and it allows other servers to take over if a connection fails. Some cloud services may use modern computing architectures like Kubernetes clusters, which optimize the operation and management of microservices. [Kubernetes is open-source software to automate deployment, scaling, and management of containerized applications.]
Most cloud solutions also offer application programming interface (API) services for key computing processes, which provide a consistent way for programs to connect. For Industrial Internet of Things (IIoT) applications, a protocol called message queueing telemetry transport (MQTT) is often supported. MQTT is ideal for IIoT communications as it is efficient and, when paired with transport layer security (TLS), secure. The API and MQTT features allow cloud software to provide more than basic connectivity, because these technologies allow data to be stored and accessed through the cloud.
Any industrial cloud solution also must be suitable for handling three types of databases:
- Relational: Such as configuration information
- Non-relational: Such as events, alarms and logs
- Time series: Such as continually arriving timestamped analog process data
Each database has specific characteristics important for industrial applications. Cloud solutions incorporating all three are a good fit so long as security is ensured.
Five cybersecurity issues to address
The unfortunate lack of cybersecurity is a complex topic that surfaces in the news all too often. Knowing this, many end users are rightfully concerned with how to ensure the security of any internally developed remote connectivity solution.
Best practice for any provider of remote connectivity or cloud-based solutions is ongoing adherence to a comprehensive information security management system (ISMS) following the requirements set forth by the ISO 27001 standard, with qualified third-party audits.
There are five top issues that must be addressed:
- Encrypted connections: All connections to and between cloud services must be encrypted using HTTPS with TLS 1.2 or higher to prevent unauthorized access.
- Centralized monitoring, logging, and analysis: Automated detection of critical events and anomalies helps providers identify and react to any performance issues or unexpected activity.
- Vulnerability management: Ongoing third-party audits should provide early detection of vulnerabilities or weaknesses before they are exploited.
- Access control: Any cloud-based platform requires developer access, but it should be controlled to a limited number of people with strong access keys and thorough monitoring.
- Software development life cycle: Software changes should always be peer reviewed, follow a rigorous versioning management system, and be tested using manual and automated methods.
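The encrypted-connections item above, together with the earlier point that MQTT is secure only when paired with TLS, comes down to how the client is configured. The following is an added example, not code from the article or from any vendor: it builds a client TLS context that refuses anything below TLS 1.2 and always verifies the broker's certificate and hostname, then uses it for an MQTT-over-TLS connection. The broker name and the standard port 8883 are assumed values.

```python
import socket
import ssl

# Assumed values (not from the article): a cloud MQTT broker listening on the
# conventional MQTT-over-TLS port.
BROKER_HOST = "broker.example.com"
BROKER_PORT = 8883


def make_client_context(ca_file=None):
    """TLS client policy: TLS 1.2 or higher, certificate and hostname verified.
    With ca_file=None the operating system's trust store is used."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rejects SSLv3, TLS 1.0 and 1.1
    ctx.check_hostname = True                      # cert name must match the broker
    ctx.verify_mode = ssl.CERT_REQUIRED            # an unverifiable chain is fatal
    return ctx


def context_summary(ctx):
    """Plain-data view of the policy a context enforces, useful for audits."""
    return {"minimum_version": ctx.minimum_version.name,
            "verify_mode": ctx.verify_mode.name,
            "check_hostname": ctx.check_hostname}


def tls_version_acceptable(version):
    """True for negotiated protocol strings such as 'TLSv1.2' or 'TLSv1.3';
    'TLSv1', 'TLSv1.1' and 'SSLv3' are below the required level."""
    if not version.startswith("TLSv1."):
        return False
    try:
        return int(version.split(".", 1)[1]) >= 2
    except ValueError:
        return False


def connect_broker(host=BROKER_HOST, port=BROKER_PORT, ca_file=None, timeout=10):
    """Open a verified TLS session to the broker and return (version, cipher).
    Raises ssl.SSLError if verification fails or the server offers only old TLS."""
    ctx = make_client_context(ca_file)
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # handshake happens here
    try:
        version = tls.version()
        if not tls_version_acceptable(version):  # belt-and-braces check
            raise ssl.SSLError(f"negotiated {version}, need TLS 1.2 or higher")
        return version, tls.cipher()[0]
    finally:
        tls.close()


if __name__ == "__main__":
    print(connect_broker())
```

An MQTT client library that accepts an `ssl.SSLContext` can be handed the context from `make_client_context` directly, so the same policy applies to every publish and subscribe session.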
If end users are not prepared to perform these activities, they should consider using cloud-based software provided by a company in compliance with these ISMS directives.
Even the best cloud-based software can be compromised by weak on-premises security. Unfortunately, most OT technologies at manufacturing sites were not designed with security in mind and many are rarely updated. Connecting these legacy technologies to newer cloud-based platforms can lead to trouble unless precautions are taken.
The most fundamental step is ensuring the machine local area network (LAN) is isolated from the wide area network (WAN) and the internet using a router with a properly configured firewall. By default, this blocks all traffic between the two, so that no communication initiated on the WAN can reach the LAN unless the firewall is explicitly configured to allow it.
However, it is often acceptable for LANs to generate trusted outbound communications to the WAN or the internet. This is the preferred way for OT systems to integrate with IT cloud platforms without involving more complex IT solutions. Any OT/IT remote connectivity solution needs to be coordinated with site security access restrictions.
Another point is that many OT operations are located where internet connectivity may be less than ideal. For these cases, end users may want to look for routers capable of failing over from a preferred internet connection to 4G mobile networks. For applications with data logging, it is also recommended that the router can buffer data for days at a time until a connection is restored.
Browser and app security
Having looked at the site conditions and cloud requirements, the final remote connectivity step is the end user interface. This could be browser-based or a mobile-based application. Unfortunately, this interface can be a prime target for outside attackers.
As most users know from their personal email, banking and other computer-based accounts, login security is paramount. In addition to a unique and long password, users should consider using systems that allow two-factor authentication (2FA) as an additional layer of protection. Most often, users open another authenticator app on their mobile device to obtain a one-time passcode as they log in.
Administrators of cloud-based connectivity systems must carefully assign and control user privileges. Common sense dictates users should be granted just enough privilege to perform their tasks, and no more. This minimizes the effect a successful attacker can have on a system.
A final point is that when apps are available, they are more convenient for end users than web browser access. This is because they are preconfigured for mobile screen sizes and tailored to offer the most typical information and functionality needed, while requiring far less specialized development effort by end users.
Confident cloud connections
Remote monitoring and control, especially via mobile devices, is considered a must-have feature for many industrial automation users. It may be possible for some users to develop their own connectivity software, but the cybersecurity risk is significant and demands extensive effort for mitigation.
This is one of the main reasons many users are finding cloud-based remote connectivity and data logging platforms are an ideal answer. The best cloud platforms offer better technical solutions, such as redundant servers and backup data connections, than homemade systems. They follow the latest industry security standards, are continually audited and offer mobile apps to help end users get running quickly, with minimal maintenance required throughout the lifecycle.
Jonathan Griffith is product manager for industrial communications and power supplies at AutomationDirect. Edited by Chris Vavra, production editor, Control Engineering, CFE Media, email@example.com.
Keywords: cybersecurity, cloud-based access, remote connectivity
Mobile and remote connections are becoming popular, but they often lack the proper cybersecurity tools.
Proper security management is based on the triad of confidentiality, integrity and availability (CIA) of information.
Good cloud-based remote connectivity offers strong technical solutions and follows the latest cybersecurity standards.
What applications in your facility would benefit the most from cloud-based remote connectivity and why?