10 Tips for Secure Remote Access to Control Systems

By HMS Networks

Remote access provides the ability to remotely connect to intelligent devices such as programmable logic controllers (PLCs), human-machine interfaces (HMls) or robots, with similar functionality as if being on-site with those devices. The resulting cost savings, and ability to act immediately when a machine fails, verifies that machines are working at their maximum level of productivity.

Here are 10 tips for establishing secure remote access to a control system. Consult your automation suppliers to fully understand the intrinsic security of your system.

1. Remote Access Should be Granted For Machine Service, But Segregated From the Plant Network

OEMs should only reach the machines under their responsibility in the plant. To achieve this, the system must be configurable to segregate the machine network from the rest of the network. Once completed, the machine network nodes aren’t directly connected to the site network and must be configured with different IP addresses.

2. Separate VPN Access from Machine Control to Verify Performance In Event of a Cybersecurity Incident

Using machine control equipment, such as a PC, HMI or PLC, as a VPN host may reduce its resources and degrade performance. To achieve the control system’s availability, it must provide the resources to operate in a degraded mode during a denial-of-service (DoS) event.

An external router will act as boundary to filter certain types of packets to protect control systems from being directly affected by DoS events, thus avoiding any external attack affecting the control system and stopping the machine.

3. Avoid Internet or Public-Facing IP Addresses on VPN Routers

Router IP address must be hidden from the public to prohibit hackers from easily scanning for potential targets. So, use only private VPN addresses to connect to the router instead of public IP addresses.

However, the router will still have a hidden IP address accessible through the Internet. If the router is configured to use Internet access through a cellular modem, then the WAN connection is equivalent to the cellular connection, thus putting the public IP address out on the Internet.

4. Allow Only Outgoing Connections from Trusted to Untrusted Zones

No inbound firewall ports must be exposed on the Internet, and no static Internet IP addresses should be required.

The industrial router initiates an outbound secured VPN tunnel point-to-point with a specific account in the cloud. This tunnel is authenticated and encrypted via HTTPs and goes over the corporate network and through the firewall (outbound only). Once online, it travels to the cloud network along with remote access services.

5. All Traffic Must Be Encrypted

Remote support users connecting over the Internet should use a strongly encrypted protocol, such as running a VPN connection client, application server or secure HTTP access, and authenticate using a strong mechanism, such as a token based multi­factor authentication scheme.

For encryption, public certifications from commonly accepted standards and guidelines must be used, such as the Internet Engineering Task Force (IETF) Request for Comment (RFC) 3647 for X.509-based PKI (Public Key Infrastructure of 2048 bits).

6. Update Devices with the Latest Official Firmware and Security PatchesThis is in accordance with the device manufacturer recommendations. Also, you can be notified by the ICS­CERT (Industrial Control Systems Cyber Emergency) about vulnerabilities found in industrial automation equipment and receive recommendations of required patching as well.

Because the systems included in a remote access solution — router and cloud services — aren’t always critical and are most of the time disconnected, it’s not necessary to follow specific system upgrade policies other than those recommended by the manufacturer. For example, the upgrade can be done at any moment the remote access is not being used, as it will not affect the availability of the machine in any case.

7. Be Able to Fully Reset to Factory Settings

Your router must be ready to accept a reset to the factory settings, including password, device identification, user Web site, LAN IP address+ mask, Internet access, Modem/WiFi settings, and cloud and Proxy access configuration. In cases where strange behavior is detected, the device must be fully restored to factory settings.

8. Use Multifactor Authentication (MFA) Whenever Possible

Multifactor authentication should be considered among the best practices in remote access, because it provides an added layer of security.

Passwords can be discovered or stolen. If the system requires us to enter a second code of single-use from an SMS sent to our mobile phone, the stolen password itself becomes worthless (unless our cellphone also has been stolen and has no protection code, in which case the system administrator should change the credentials immediately).

9. Firewall and Filter at Higher Level

Access to a device’s IP address and ports should be restricted by configuration. This includes limiting a user's access to both Ethernet and gateway services. This filtering should happen outside the router itself.

10. The Connections and Changes Must be Auditable

The system must be capable of logging events on access control, errors, operating system, control system, backup and restore, configuration changes, potential reconnaissance activity and audit log.