How to design secure remote-controlled operations

Six tips can help with cybersecurity and remote-controlled or remote-monitoring applications for industrial control systems (ICSs).

10/10/2018


Tom Gilbert is chief technology officer, Blue Ridge Networks. Courtesy: Blue Ridge Networks

Providing remote access to anyone—vendors, contractors or the most valued customers—can be very risky business, yet it's often promoted as a way to help shorten unplanned downtime with remote troubleshooting. One means of risk reduction is two-factor authentication technology, which is designed to enable secure connectivity and future-proof breach prevention across an organization.

For cybersecurity awareness, just ask the folks at Target, Sony and the U.S. Office of Personnel Management (OPM). They were breached as a result of the theft of credentials of an extranet user—earning their place on CSO's list of the biggest data breaches of the 21st century.

These types of attacks aren't contained to enterprises. The Wall Street Journal reported that when Russian hackers infiltrated the control rooms of U.S. utilities in 2017, blackouts were potentially caused after the networks of trusted vendors were penetrated.

Yet, in an industrial environment, with systems located remotely or spread across multiple organizations' responsibilities, maintaining mission-critical operations depends on providing extranet access. Gaps in security infrastructures arise when companies prioritize productivity over security and are reluctant to add security measures because those measures make individuals jump through hoops to get to the needed information.

However, when it's impossible to control all components involved in a connection, attackers have an open invitation to steal credentials, often through malware techniques on a machine that does not belong to the hosting organization.

Remote access, a double-edged sword

Many remote access situations are unplanned, such as when a piece of equipment fails and the technician is out of town, which requires the company to bring in a trusted third party for repairs. This urgency for immediate, unplanned access heightens the cybersecurity risk. Perhaps credentials are provided over the phone ("Your password is 'password1'"), which creates an open invitation for a hacker to gain access.

Remote access can be a double-edged sword: a necessity to keep productivity high, but also a low-cost, easy entry point for hackers. The challenge is that many of the leading market options to authenticate user logins, such as RSA SecurID and smart cards, have never found much traction among extranet users. Not only were they largely designed for enterprises, but they are quite costly, challenging to support and put too much burden on end users.

Two-factor authentication is needed

Best practices, including U.S. National Institute of Standards and Technology (NIST) recommendations, advise using strong authentication for all industrial control systems (ICSs). Many people think communication encryption mitigates the security risk, but even before the connection is made, credential exposure is the starting point and creates the vulnerability. Plus, practicalities and costs often get in the way.

Leaving authentication in the hands of the user is a surefire way for mistakes to happen. An even bigger challenge is authenticating third-party users who don't have the built-in foundation of a solid cryptographic virtual private network (VPN), which makes it impossible and impractical to authenticate. Without that level of credentialing, you may as well be having a private conversation with a stranger.

To best secure remote access, public key cryptography, the gold standard for authentication, should be used. Some may dismiss it as complex and expensive, which is the case unless it's built into an application. Mutual public key authentication is the most effective technical solution for ensuring no malicious third party can intervene in a communication; only the two parties involved in the connection can exchange information.

Six remote-access checkboxes

To get on the road to secure remote access, look for technology that checks the following boxes: 

1. Built-in mandatory mutual authentication: No dependence on user discretion to access organization resources
2. Automatic creation of an end-to-end encrypted tunnel
3. Operationally transparent to fit with existing cybersecurity systems: Provides an additional, not replacement, layer of security
4. Protocol independent to work with any combination of communications, whether WAN, LAN or any combination thereof
5. Responsive to unplanned deployment: Ability to be rapidly deployed to support secure connections
6. Software-free approach: Plug directly into network, without software or network configuration changes, using small hardware appliances.
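
The mutual public key authentication described above, and the first checkbox's requirement that it be mandatory rather than left to discretion, can be checked in configuration. The following is an added example, not part of the original article or any vendor's product: it assumes certificate-based TLS through Python's standard `ssl` module as one way to realize mutual public key authentication, and the helper names `gateway_context`, `vendor_context` and `audit_mutual_auth` are hypothetical.

```python
import ssl

def gateway_context(client_auth="required"):
    """Server-side context for a remote-access gateway (hypothetical helper).

    Loading the gateway certificate and the vendor CA is omitted so the
    example runs offline; a deployment would call load_cert_chain() and
    load_verify_locations() here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = {"none": ssl.CERT_NONE,
                       "optional": ssl.CERT_OPTIONAL,
                       "required": ssl.CERT_REQUIRED}[client_auth]
    return ctx

def vendor_context(verify_gateway=True):
    """Client-side context for the third party's machine (hypothetical helper)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies certificate and hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify_gateway:
        # Order matters: hostname checking must be disabled before CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_mutual_auth(server_ctx, client_ctx):
    """Return findings for any setting that makes authentication one-sided or optional."""
    findings = []
    if server_ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("gateway: client certificate is not mandatory (%s)"
                        % server_ctx.verify_mode.name)
    if client_ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("vendor: gateway certificate is not verified (%s)"
                        % client_ctx.verify_mode.name)
    if not client_ctx.check_hostname:
        findings.append("vendor: gateway identity is not checked against its certificate")
    return findings

# Constructed configurations: the hardened pair, then a weak pair.
HARDENED = audit_mutual_auth(gateway_context("required"), vendor_context())
WEAK = audit_mutual_auth(gateway_context("optional"), vendor_context(verify_gateway=False))

if __name__ == "__main__":
    print("hardened:", HARDENED or "no findings")
    for finding in WEAK:
        print("weak:", finding)
```

A gateway set to `CERT_OPTIONAL` still completes the encrypted tunnel with a peer that presents no certificate, which is the case where encryption is in place but the party on the other end is unauthenticated.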

Every business faces tough tradeoffs. When it comes to cybersecurity, it can be nearly impossible to measure the risk being introduced when unexpected remote access is urgently needed. Yet, as we've seen all too often, it only takes one unsecure point of entry for damage to be done. What's needed is built-on, two-factor authentication to enable secure connectivity and future-proof breach prevention across an organization.

Tom Gilbert is chief technology officer, Blue Ridge Networks, a CSIA member. The CSIA is a CFE Media content partner. Edited by Mark T. Hoske, content manager, Control Engineering, CFE Media, mhoske@cfemedia.com.

MORE ANSWERS

Keywords: Remote control, cybersecurity

  • Cybersecurity for remote industrial monitoring, cybersecurity
  • Authentication and encryption help remote access
  • Work on breach prevention.

CONSIDER THIS

When you connect to automation or other systems remotely, are you aware of methods to lower risks?


