Manufacturers are often in need of help when it comes to deploying a new automation project or managing and maintaining existing machines on the plant floor. As a result, they’ll turn to technology suppliers, OEMs and system integrators for support. But that means these third parties need to be able to access the equipment remotely, which creates a potential open access point on the network that could create a cybersecurity vulnerability.
From a remote access risk management standpoint, “Don’t trust anybody,” said Brandon Bohle, a control systems and cybersecurity analyst for Interstates, an electrical engineering and systems integration firm. “Only allow things into your network that you know and trust. Go through the vetting process before allowing others into your organization.”
Bohle, who was speaking at the Automation World Conference & Expo in Chicago this week, also explained that remote access is often misunderstood. To that end, it isn’t always external partners trying to access the plant floor through the firewall. Sometimes it’s internal engineers taking a shortcut into a system, which opens the door to hackers, or an operator plugging a USB drive into a computer that, unbeknownst to them, has a virus on it.
As a cybersecurity analyst, Bohle goes into plants to help manufacturers implement projects, develop policies, review controls in place and provide advice on how to safely move forward with the project. Based on his experience, Bohle provided a list of challenges and considerations to incorporate when embarking on an automation project that requires remote access.
While there may be a DMZ between the enterprise and industrial networks, there needs to be a plan in place that protects the boundaries, which can be a challenge from an overall organizational standpoint.
“As a cybersecurity analyst, you’d be surprised how many times we go into a plant and [the manufacturer] will have an issue, need remote access, and will be willing to put something in place with no considerations. Or they don’t care about the risk because they need to get the process up and running. That might work in a pinch, but if you are building [cybersecurity] up from a holistic standpoint there are some issues to consider,” he said.
1.) Limit access from a supplier or OEM so that they only have contact with their technology or their machine. “We may trust that vendor, but what happens if they are compromised?” Bohle asked, reminding the audience that the Target cybersecurity breach a few years ago stemmed from an incident where network credentials were stolen from the company’s HVAC subcontractor. “Consider how the third party is getting access. A lot of times they hook up to systems from a mobile hotspot. It’s convenient for them, but at the same time, now there’s access back into the network that is circumventing all of the cybersecurity controls you put in place.” Also, make sure if an employee from your supplier or OEM leaves the company that they don’t still have access to your system.
2.) Local engineering resources are not necessarily malicious, but a lot of times unintentional things happen, so treat them like a third party. “They’ll take their engineering laptop, walk to the [factory] floor and plug it in. That’s a potential issue because they are bypassing all other controls that have been put in place around the perimeter,” Bohle said. “Those laptops could have potentially been exposed to the whole Internet.”
3.) Do remote access reviews of employees working for you, as they may move to another department and no longer need log-in credentials. “Generally we wouldn’t assume that employees will do something malicious, but if something happens to those credentials, that person would have access to everything the employee does,” Bohle said.
4.) Ownership of remote access. IT or OT? Determine responsibilities and risk management, and limit access to systems in areas that require access. “Define a corporate remote access policy. You want to get away from the wild west of remote access.”
5.) Enforce the policy — and make it easy. “Once you have a solution, you need to enforce it,” Bohle said. “If you have a convoluted remote access solution, employees will get tired of it and circumvent it to get around it. If you have an easy and simple solution, you’ll reduce those potential risks.”
6.) Work oversight and monitoring. “We commonly see someone on a WebEx allowing remote employees to take control of a screen and make changes. Who is watching what that person is actually doing? When implementing remote access, make sure to understand what changes have been done, what systems have been touched. … Have someone monitor that, and make sure it’s an ongoing process.”
And, in the future, take into consideration, as plant connectivity increases, how information will be routed. And, how mobile devices could increase the attack surface.
Bohle summarized by saying: “Whatever solution you put into place, it is truly guided by risk. … Make sure you can adapt to an ever-changing environment.”