If you're here, you're probably a operational technology manager or IT security reader based in Australia looking to enable remote access to your environment while complying with the Australian Cyber Security Centre's (ACSC) cybersecurity protocols. It might be you're doing so for the very first time or looking to bring your organization into alignment with the the ACSC's guidance. Either way, what we'll do here is walk you through what the requirements are in the guidelines, and then how you can use Dispel to easily and automatically comply.
Dispel is a managed zero trust access (ZTA) platform designed specifically for OT/ICS environments. It combines multiple security modules around a secure access service edge (SASE) model to meet the cybersecurity control criteria. If you use Dispel, you'll automatically comply with most of the guidelines—a lot cheaper and certainly faster than having to buy several different products and put it together yourself.
The Australian Cyber Security Centre's Industrial Control Systems Remote Access Protocol provides guidance for how critical infrastructure should enable remote access to their Operational Technology Environments (OTE).
Industrial automation and control system (IACS) organizations increasingly use commercial off-the-shelf (COTS) networked devices that are inexpensive, efficient, and highly automated. Control systems are also increasingly interconnected with non-IACS networks for valid business reasons. These devices, open networking technologies, and increased connectivity elevate the theoretical cyber risk of control system hardware and software. This, in turn, has raised concerns over Health, Safety and Environmental (HSE), financial, and/or reputational consequences from cyberattacks on deployed control systems.
The ACSC ICS Remote Access Protocol is not a prescriptive guide. The goal of the document is to provide a flexible framework that facilitates addressing current and future vulnerabilities in IACSs and applying necessary mitigations in a systematic, defensible manner.
Next we'll go through a brief architecture overview of Dispel Remote Access, then details how Dispel’s zero trust remote access solution meets and exceeds each design guideline put forth by the ACSC ICS Remote Access Protocol.
Purdue Model Diagram of Dispel Deployment
Bottom third of diagram, Layer 3.5 of Purdue Model (OT DMZ)
The Dispel Wicket ESI is an on-premises remote access gateway that can be deployed as either hardware or a virtual appliance. It contains two network interface cards: North, and South. North connects outbound-only through a single port to a single IP to establish a remote access pathway through the SD-WAN, and South is given routability to devices on the OT network. On-premise firewalls can control the North and South sides independently to maintain strict need-based access and network segmentation. The Wicket ESI is the only on-premise installation required, and enables secure remote access to any device permitted on the South side network.
Grey box on upper left, cloud-based core network
The Dispel SD-WAN is the main bridge enabling remote access. The Wicket ESI proactively connects from one side of the SD-WAN, and on the other side, the Virtual Desktops are automatically networked in. Each Dispel SD-WAN is single-tenant to each customer, meaning your traffic and another customer’s traffic will never traverse the same infrastructure. Additionally, Dispel SD-WANs are built with Moving Target Defense technology, enabling a shifting topology and increased resiliency.
Top of diagram, cloud-based workstations
Dispel Virtual Desktops (VDIs) are single-use, time-limited workstations that users connect through to access the ICS network. Virtual desktops can be set to automatically cycle on an administrator-defined schedule. This ensures that each desktop is never used for more than 12 hours, and all valid credentials for remote access are cycled every 24 hours. Virtual desktops that connect to your ICS network will never connect to another network or another country. Lastly, virtual desktops will automatically build with the latest updates and patches to the day, and can be customized and imaged with your desired applications and security policies.
Blue boxes on the upper right, cloud-based add-ons
All access performed through Dispel is recorded in two ways:
Syslog traffic packets which contain the user, timestamp, what devices the user accessed, and through which protocol. Dispel can provide an integrated server to store these logs as part of the managed deployment, or the traffic can be forwarded to a customer’s existing SIEM (eg. Splunk).
Full video screen recordings of each Virtual Desktop session. Recordings can be watched in real-time, and are saved for playback. Videos can be retained for an administrator-defined period of time, stored permanently, or exported. Dispel can provide a recording storage server to enable this functionality with no additional hardware needed from the customer.
“If you are looking for a robust product for accessing OT assets securely and reliably, this is it.”
Book a demo with our team today to get yourself aligned with the ACSC's Industrial Control System Remote Access Protocol: