If you're here, you're probably a operational technology manager or IT security reader based in Australia looking to enable remote access to your environment. It might be you're doing so for the very first time or looking to bring your organization into alignment with the the ACSC's guidance. Either way, what we'll do here is walk you through what the requirements are in the guidelines, and then how you can use Dispel to easily and automatically comply.
Dispel is a managed zero trust access (ZTA) platform designed specifically for OT/ICS environments. It combines multiple security modules around a secure access service edge (SASE) model to meet the cybersecurity control criteria. If you use Dispel, you'll automatically comply with most of the guidelines—a lot cheaper and certainly faster than having to buy several different products and put it together yourself.
What is the Australian Cyber Security Centre Remote Access to Operational Technology Environments guide?
The Australian Cyber Security Centre's Remote Access to Operational
Technology Environments provides guidance for how critical infrastructure should protect their Operational Technology Environments (OTE). First published in May 2020, the guide was recently updated in March 2023. Written for small & medium businesses, large organizations & infrastructure, and government the guide is applicable for anyone running industrial control systems in their organization.
The guide is divided into two general focus areas:
General remote access guidance; and,
Remote access in Operational Technology Environments
Why is the ACSC putting this out?
Industrial automation and control system (IACS) organizations increasingly use commercial off-the-shelf (COTS) networked devices that are inexpensive, efficient, and highly automated. Control systems are also increasingly interconnected with non-IACS networks for valid business reasons. These devices, open networking technologies, and increased connectivity elevate the theoretical cyber risk of control system hardware and software. This, in turn, has raised concerns over Health, Safety and Environmental (HSE), financial, and/or reputational consequences from cyberattacks on deployed control systems.
The ACSC ICS Remote Access Protocol is not a prescriptive guide. The goal of the document is to provide a flexible framework that facilitates addressing current and future vulnerabilities in IACSs and applying necessary mitigations in a systematic, defensible manner.
How Dispel's ZTA architecture works in this model
Next we'll go through a brief architecture overview of Dispel Remote Access, then details how Dispel’s zero trust remote access solution meets and exceeds each design guideline put forth by the ACSC ICS Remote Access Protocol.
Purdue Model Diagram of Dispel Deployment
Components
Dispel Wicket ESI
Bottom third of diagram, Layer 3.5 of Purdue Model (OT DMZ)
The Dispel Wicket ESI is an on-premises remote access gateway that can be deployed as either hardware or a virtual appliance. It contains two network interface cards: North, and South. North connects outbound-only through a single port to a single IP to establish a remote access pathway through the SD-WAN, and South is given routability to devices on the OT network. On-premise firewalls can control the North and South sides independently to maintain strict need-based access and network segmentation. The Wicket ESI is the only on-premise installation required, and enables secure remote access to any device permitted on the South side network.
Dispel SD-WANs
Grey box on upper left, cloud-based core network
The Dispel SD-WAN is the main bridge enabling remote access. The Wicket ESI proactively connects from one side of the SD-WAN, and on the other side, the Virtual Desktops are automatically networked in. Each Dispel SD-WAN is single-tenant to each customer, meaning your traffic and another customer’s traffic will never traverse the same infrastructure. Additionally, Dispel SD-WANs are built with Moving Target Defense technology, enabling a shifting topology and increased resiliency.
Dispel VDIs (Virtual Desktops)
Top of diagram, cloud-based workstations
Dispel Virtual Desktops (VDIs) are single-use, time-limited workstations that users connect through to access the ICS network. Virtual desktops can be set to automatically cycle on an administrator-defined schedule. This ensures that each desktop is never used for more than 12 hours, and all valid credentials for remote access are cycled every 24 hours. Virtual desktops that connect to your ICS network will never connect to another network or another country. Lastly, virtual desktops will automatically build with the latest updates and patches to the day, and can be customized and imaged with your desired applications and security policies.
Dispel Logging and Recording
Blue boxes on the upper right, cloud-based add-ons
All access performed through Dispel is recorded in two ways:
Syslog traffic packets which contain the user, timestamp, what devices the user accessed, and through which protocol. Dispel can provide an integrated server to store these logs as part of the managed deployment, or the traffic can be forwarded to a customer’s existing SIEM (eg. Splunk).
Full video screen recordings of each Virtual Desktop session. Recordings can be watched in real-time, and are saved for playback. Videos can be retained for an administrator-defined period of time, stored permanently, or exported. Dispel can provide a recording storage server to enable this functionality with no additional hardware needed from the customer.
Point-by-Point Guideline Mapping
{% module_block module "widget_1683145482243" %}{% module_attribute "label" %}advanced-table{% end_module_attribute %}{% module_attribute "path" %}/Dispel_December_2022/modules/advanced-table{% end_module_attribute %}{% module_attribute "module_id" %}94723167896{% end_module_attribute %}{% module_attribute "schema_version" %}2{% end_module_attribute %}{% module_attribute "tag" %}module{% end_module_attribute %}{% module_attribute "no_wrapper" %}false{% end_module_attribute %}{% module_attribute "features" %}[{"heading":"Point-by-Point Guideline Mapping","feature_row":[{"show_row_title":true,"sub_heading":"By default, there should be no communication between the vendor and the critical infrastructure control system.","left_title":"Network segmentation and segregation","right_content":"By default, there is no communication possibility between the vendor and critical infrastructure. Access credentials are refreshed from session to session, ensuring the prevention of lingering or unwanted communication is. This is enforced at multiple levels:
\n
\n
No direct access. All connections must go through a hardened virtual desktop acting as an intermediary.
\n
Vendors start from a suspended-by-default state, and must complete a “Request Access Form” for their ac-count to gain access to a single-tenant, locked-to-them virtual desktop. Access is granted only for the time window al-lowed by the administrator.
\n
The remote access network may be destroyed when not in use.
\n
","show_box_content":true,"box_content":{"title":"This allows you to align with:","tags":[{"tag":"Control: ISM-1181; Revision: 5; Updated: Mar-22; Applicability: All.","theme_color":"c-security-table__pill--blue"},{"tag":"Control: ISM-1577; Revision: 1; Updated: Mar-22; Applicability: All.","theme_color":"c-security-table__pill--blue"}]}}],"table_id":""}]{% end_module_attribute %}{% module_attribute "css" %}{}{% end_module_attribute %}{% module_attribute "child_css" %}{}{% end_module_attribute %}{% end_module_block %}
