A question many industrial operational technology companies have is: How can you maintain security while transitioning to a remote workforce?
Most of the published guidance on remote work is written for office workers, but the same principles apply, with some additional constraints, to teams in both Information Technology (IT) and Operational Technology (OT).
Our team champions remote work, and we understand the benefits of transitioning to a remote environment while remaining secure. This post will cover:
Let’s take a look at how to keep your OT and IT team productive and secure while working remotely:
Don’t leave sensitive documents out on your desk—make sure they are locked up in a filing cabinet and stored securely, and require employees to do the same. If you’re using a BYOD policy, ensure devices carry full disk encryption and install anti-virus software on all computers.
To promote productivity, encourage employees to create workspaces at home that are separate from their personal space. If work takes place outside of the home, ensure employees utilize an encrypted connection method when connecting to public Wi-Fi or use cellular hotspots when applicable.
Many industrial operational technology workers may need access to equipment without heading to the work site and risking infection. That’s where remote access comes in. Out of necessity, companies often piece together jump hosts and VPNs to solve this problem, but they sacrifice efficiency and security in this process.
If you are committed to using your current VPN, confirm that it is patched. VPN concentrators are Internet-facing by design, so a known, unpatched vulnerability in one exposes the entire network behind it to anyone who scans for it; keeping them current costs IT time, but skipping it can mean a compromise of your network. While reviewing VPN security, also consider modern alternatives such as a Moving Target Defense (MTD) network, which rotates the infrastructure a remote user connects through instead of exposing one static, long-lived endpoint. MTD is fast, more resistant to scanning and targeted attack than a traditional static VPN, and straightforward to deploy.
Examples of VPN breaches:
Ideally, you want users to access your network from trusted devices. From a remote perspective, there are two ways to go about doing this. The first method is to send employees home with company-purchased laptops, equipped with endpoint security software pre-installed. Another method is to provide virtual desktops that employees can access from their own devices.
If you don’t have an inventory of laptops on hand, use a virtual desktop approach instead. Virtual desktops let users reach equipment securely even from untrusted devices: the user interacts with a desktop you control, and only that desktop touches your internal systems, so malware on the personal device never gets a direct network path in. They also provide a natural place for full session recording of a user’s interactions with your internal systems. For best-in-class security, use disposable virtual desktops that are destroyed and rebuilt daily with fresh updates and security patches applied automatically.
For industrial operational technology specifically, some regulations and standards require that remote access to ICS pass through an intermediary server rather than reaching the control system directly. These include:
NERC-CIP:
NIST 800-82:
As a best practice, all user access should require Multi-Factor Authentication (MFA) at login. Time-based one-time passwords (TOTP) and modern hardware tokens are the standard second factors; hardware tokens using FIDO2/WebAuthn are preferable where available because they are resistant to phishing, whereas a TOTP code can be relayed by a fake login page. If your industry is subject to compliance regulations, MFA is usually a requirement and a prerequisite for auditability, so it needs to be in place.
Additionally, all remote connections should be encrypted with current, well-configured protocols: TLS 1.2 or later (preferably 1.3) or IPsec with IKEv2, using authenticated cipher suites such as AES-256-GCM or ChaCha20-Poly1305, with legacy options (SSLv3, TLS 1.0/1.1, RC4, 3DES, export suites) disabled. A large key size on its own does not help if the protocol or cipher mode around it is weak.
Compliance regulations that recommend MFA include:
NERC-CIP:
NIST 800-82:
CMMC:
Segment IT and industrial operational technology teams. The last thing you need is for an adversary to traverse your IT network to gain access to your OT network. There’s no need for your marketing department to have access to your OT network. In fact, OT employees should have a remote access pathway that is independent and fully segmented from the standard IT access pathway.
In practice, this can be accomplished by building two separate VPN networks, one for your OT and one for IT. As VPN concentrators can be quite expensive and tedious to set up, you may also consider moving target defense networks as a more secure and cost-effective alternative.
Enable allowlisting on both IT and OT networks so that each user is granted only the specific destinations they need. Maintain the principle of least privilege: a remote employee should reach only the resources required for their role, not whole subnets. Consider adding a time-based access policy as well, with access windows tied to scheduled work, so that a connection to your industrial operational technology environment outside its approved window stands out immediately and can be flagged for review.
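The allowlist, least-privilege and time-window rules above, applied to connection records, as an added example (not Dispel's code or any product's): a small policy evaluator with a per-user allowlist of destination networks and approved hours, run over a few constructed log lines of the kind a VPN or jump host would emit. The user names, addresses and log format are hypothetical; the point is that an IT user reaching an OT address, a vendor reaching a host outside their scope, and an OT engineer connecting at 02:30 are each denied with a distinct reason that can be alerted on.

```python
import ipaddress
from datetime import datetime, time

# Hypothetical allowlist: per user, which destination networks are permitted
# and during which local hours. Anything not listed here is denied.
ALLOWLIST = {
    "ot-engineer-1": [
        {"net": ipaddress.ip_network("10.50.0.0/24"),  # OT cell network
         "start": time(6, 0), "end": time(18, 0)},
    ],
    "vendor-hmi": [
        {"net": ipaddress.ip_network("10.50.0.10/32"),  # one HMI, nothing else
         "start": time(9, 0), "end": time(12, 0)},      # scheduled maintenance slot
    ],
    "marketing-1": [
        {"net": ipaddress.ip_network("10.10.0.0/16"),  # IT network only
         "start": time(0, 0), "end": time(23, 59, 59)},
    ],
}


def evaluate(user: str, dst: str, when: datetime) -> tuple:
    """Return ("allow"|"deny", reason) for one access attempt."""
    rules = ALLOWLIST.get(user)
    if not rules:
        return ("deny", "user not on allowlist")
    addr = ipaddress.ip_address(dst)
    for rule in rules:
        if addr in rule["net"]:
            if rule["start"] <= when.time() <= rule["end"]:
                return ("allow", "destination and time window approved")
            return ("deny", "outside approved time window")
    return ("deny", "destination not allowlisted for user")


def parse_line(line: str) -> dict:
    """Parse 'TIMESTAMP key=value key=value ...' into a dict (constructed format)."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def audit(log_text: str) -> list:
    """Evaluate every connection record; returns (ts, user, dst, decision, reason)."""
    results = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        decision, reason = evaluate(rec["user"], rec["dst"], rec["ts"])
        results.append((rec["ts"].isoformat(), rec["user"], rec["dst"], decision, reason))
    return results


# Constructed sample log lines; not real traffic.
SAMPLE_LOG = """
2020-04-06T07:15:00 user=ot-engineer-1 dst=10.50.0.10 action=connect
2020-04-06T02:30:00 user=ot-engineer-1 dst=10.50.0.10 action=connect
2020-04-06T10:00:00 user=vendor-hmi dst=10.50.0.10 action=connect
2020-04-06T10:00:00 user=vendor-hmi dst=10.50.0.11 action=connect
2020-04-06T14:00:00 user=marketing-1 dst=10.50.0.10 action=connect
2020-04-06T14:00:00 user=contractor-x dst=10.50.0.10 action=connect
"""


def denied(log_text: str = SAMPLE_LOG) -> list:
    """Just the events worth alerting on."""
    return [r for r in audit(log_text) if r[3] == "deny"]


if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(*row)
```

In production the decision would be enforced at the VPN, jump host or virtual-desktop broker rather than only audited afterwards, but running the same policy over the connection log is how you catch a rule that was configured too broadly or a window that was never closed after a maintenance slot.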
A common remote access technique gives a user a direct path to a target device through a NAT-traversal method known as UDP hole punching: both sides send outbound UDP packets so that the firewall or NAT in front of each opens a return path, and the two endpoints then talk peer to peer. It is convenient and fast, but it also creates another exposed surface that puts your control systems at risk, and that surface multiplies with every endpoint you grant access to. Because the traffic rides a hole opened from the inside, it bypasses the inbound chokepoint, the jump host, intermediary server, session recording and access controls that the rest of the IT or OT network's security depends on, and lets the remote user interact with the control system directly. Given how risky this is, look for a tool that offers both speed and security instead.
If you’re concerned about how operators and vendors are interacting with your critical systems, use session recording. Virtual desktop platforms can record every session, so you can monitor both operators and third parties, while the desktop itself acts as the barrier that keeps malware on a user’s own device from reaching your systems. Recording all actions helps you confirm that equipment is handled correctly, surfaces useful training insights, and keeps workers and vendors accountable for the hours they bill.
If your industry requires compliance with particular regulations, you must use monitoring and logging techniques to adhere to these standards. Compliance regulations that discuss recording remote sessions include:
NERC-CIP
NIST 800-82
CMMC:
We know this won’t last forever. A lot of these users who need to work remotely now will return to their jobs in a few months’ time. Look for a solution that is easy to implement initially, can scale quickly to meet this surge in demand, and can scale back down once this crisis is over (without costing you multi-year per-user contracts in the meantime).
Ready to take your IT and OT security framework to the next level? Look no further than Dispel. Our team of cybersecurity experts can assist in deploying a reliable zero-trust network to support all areas of your environment. Connect with an expert from our team to learn more.
Invest in reliable remote access that works for your team and doesn’t require compromising security. Tell us about your unique OT needs, and get a quote in your first meeting.
Get your demo at https://dispel.io