What’s the difference between Dispel and a VPN?
If you have been using a home-rolled way of getting into your industrial systems, the modern world of access can be a bit jarring. In just the last five years, the use of VPNs, jump hosts and proxies as spartan, stand-alone tools for getting into environments has been overtaken. Current NIST and IEC guidance calls for remote access tooling to be tightly integrated with the other security systems around it: identity, logging, monitoring and asset inventory. And the cost of doing it right yourself has climbed steeply: managing, auditing, certifying and monitoring all add up.
We wrote this comparison to get your team up to speed on what has actually changed, and to walk through the pieces you now need for control of, and visibility into, access to your industrial control systems.
We will examine the various components needed for a complete zero trust access (ZTA) system—including Identity and Access Management (IAM), network encryption and tunneling, moving target defense, network segmentation, endpoint isolation, monitoring and analytics, asset management, and security operations center integrations.
This guide also grounds the components of a ZTA system in the security control criteria and standards that surround industrial control system access; the ones discussed here are NIST, IEC 62443, NERC-CIP Section 5, and WITAF 503. Adhering to them helps ensure that industrial control systems are protected against cyber threats that could cause significant damage. And because you would be following industry best practice, if an incident did occur you would be in a better position with your board and your insurance providers.
Let’s start with the two items in question: Dispel Remote Access and a Virtual Private Network (VPN), or any similar single-purpose tool such as a jump host. The primary difference is that Dispel is an integrated platform while a VPN is one technology within such a platform. In other words, Dispel is the laptop, while a VPN is a memory chip inside it. A VPN performs a function that is part of a complete solution, but it cannot deliver the complete solution by itself.
What is industrial control system Zero Trust Access (ZTA)?
A Zero Trust Access (ZTA) system is a security model that requires all users and devices to be authenticated and authorized before being granted access to an industrial control system. It assumes that all users and devices, even those inside the network, are potentially a security risk and should not be trusted by default.
A complete Zero Trust Access (ZTA) system for industrial control environments, such as those used to grant access to critical infrastructure, should follow guidance from reference frameworks such as the NIST Cybersecurity Framework (CSF), NIST SP 800-53, SP 800-82 and SP 800-207 (Zero Trust Architecture), and IEC 62443.
Mandatory Components of an Industrial Control System ZTA Platform
The constituent components needed to achieve a complete ZTA platform include:
Identity and Access Management (IAM): IAM is responsible for identifying and authenticating users and devices and authorizing them to access specific resources. In an OT access platform this includes time-bound access windows (access is granted for a defined period and closed automatically when it ends), multi-factor authentication, identity federation with the organization's identity provider, and role-based access control.
Network Encryption and Tunneling: Network encryption and tunneling protects the confidentiality and integrity of traffic between the remote user and the industrial control system as it crosses the public internet, so that intercepted data cannot be read or altered by unauthorized parties. A Virtual Private Network (VPN) or a Software-Defined Wide Area Network (SD-WAN) provides this encrypted connection between endpoints over a public network such as the internet. Note what a tunnel does not do: it authenticates an endpoint to the network edge, not a person to a specific asset, so it has to be paired with the IAM, segmentation and monitoring components described here.
Moving Target Defense: A moving target defense (MTD) tool raises the cost of vulnerability exploitation and target analysis by attackers. MTD networks periodically change or rebuild their addresses and components, so reconnaissance gathered against them becomes obsolete on an hourly or daily basis and every renewed attempt has to start over. This also matters for ransomware: because the components are rebuilt on each cycle rather than patched in place, the rebuild closes known vulnerabilities and discards any foothold an attacker gained on the previous instance.
Network Segmentation: Network segmentation divides a network into smaller segments, each with its own security controls, so that a remote session can reach only the segment and assets it was granted. Segmented networks limit the exposure of critical systems and reduce the risk of lateral movement by attackers.
Endpoint Isolation: Endpoint isolation keeps the devices users connect from, including laptops and mobile devices, off the industrial network itself. Instead of connecting directly to an OT asset, the remote user works through disposable intermediate infrastructure, such as hardened, cycling virtual desktops, that is destroyed when the session ends, so nothing on the user's own machine touches the control network.
Monitoring and Analytics: Monitoring and analytics tools provide visibility into network activity and detect anomalies and threats in real time. This includes session recording, network activity logs and keystroke logging, together with integrations that forward these records to tools such as Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA), where they can be correlated with the rest of the organization's telemetry.
Asset Management: Asset management tools register and track every device on the network, including the IP addresses, ports and protocols each device is permitted to use. This inventory gives organizations visibility into their network and makes it easier to identify and manage potential security risks: only registered devices can be connected, each operates within its expected parameters, and a session that requests a protocol or port an asset is not registered for can be refused. This helps prevent unauthorized changes to the network and keeps critical systems protected from cyber threats.
Security Operations Center: A security operations center (SOC) is a centralized unit responsible for monitoring and responding to security incidents; it is staffed by security professionals who use advanced tools and techniques to detect and respond to them. An access platform should feed the SOC directly, so that session recordings, logs and alerts arrive in the same place as the rest of the organization's security telemetry.
In summary, a ZTA system for industrial control environments should include IAM, network encryption and tunneling, moving target defense, network segmentation, endpoint isolation, monitoring and analytics, asset management, and SOC integration. By following guidance from the reference frameworks, organizations can ensure that their ZTA system is comprehensive and effective in protecting critical infrastructure.
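The decision a platform of this kind has to make on every session request, as an added example written for this page rather than taken from Dispel or any vendor: a small Python access gate that combines IAM (role, MFA, time-bound window), asset registration (an allowlist of protocol and port per asset) and monitoring (structured audit records a SIEM can ingest). The users, assets, role model and requests are constructed sample data; the role table and reason codes are assumptions made for illustration.

```python
"""Constructed example: a minimal zero-trust access gate combining IAM
(role, MFA, time-bound window), asset registration (per-asset allowlist)
and monitoring (structured audit records). All data below is sample data."""
from dataclasses import dataclass
from datetime import datetime, timezone
import json


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    allowed: frozenset  # (protocol, port) pairs registered for this asset


@dataclass(frozen=True)
class AccessWindow:
    user: str
    asset: str
    role: str
    start: datetime  # tz-aware; windows are stored in UTC
    end: datetime


# Hypothetical role model: the (protocol, port) pairs each role may use.
ROLE_PERMISSIONS = {
    "operator": frozenset({("vnc", 5900)}),
    "engineer": frozenset({("vnc", 5900), ("ssh", 22), ("modbus", 502)}),
}


class AccessGate:
    """Decides every session request against identity, time and asset policy."""

    def __init__(self, assets, windows):
        self.assets = {a.name: a for a in assets}
        self.windows = list(windows)
        self.audit = []  # one JSON-serialisable record per decision or event

    def _record(self, event, **ctx):
        rec = {"event": event, **ctx}
        json.dumps(rec)  # fail fast if a field could not be shipped to a SIEM
        self.audit.append(rec)

    def authorize(self, user, mfa_verified, asset_name, protocol, port, now):
        if now.tzinfo is None:
            raise ValueError("clock must be tz-aware; naive timestamps break window checks")
        ctx = dict(user=user, asset=asset_name, protocol=protocol, port=port, ts=now.isoformat())

        def deny(reason):
            self._record("deny", reason=reason, **ctx)
            return False

        if not mfa_verified:                       # IAM: MFA is mandatory
            return deny("mfa_not_verified")
        asset = self.assets.get(asset_name)
        if asset is None:                          # asset management: unknown target
            return deny("asset_not_registered")
        window = next((w for w in self.windows     # IAM: an open time-bound grant
                       if w.user == user and w.asset == asset_name
                       and w.start <= now < w.end), None)
        if window is None:
            return deny("no_open_access_window")
        if (protocol, port) not in ROLE_PERMISSIONS.get(window.role, frozenset()):
            return deny("role_does_not_permit_protocol")
        if (protocol, port) not in asset.allowed:  # role AND asset allowlist must agree
            return deny("asset_allowlist_does_not_permit_protocol")
        self._record("allow", role=window.role, target_ip=asset.ip, **ctx)
        return True

    def close_expired(self, now):
        """Automatic closure: drop grants whose window has ended and log each one."""
        expired = [w for w in self.windows if w.end <= now]
        self.windows = [w for w in self.windows if w.end > now]
        for w in expired:
            self._record("window_closed", user=w.user, asset=w.asset, ts=now.isoformat())
        return len(expired)


def demo():
    """Runs six constructed requests; returns (decisions, windows_closed, audit)."""
    assets = [Asset("hmi-1", "10.20.0.10", frozenset({("vnc", 5900)})),
              Asset("plc-1", "10.20.0.20", frozenset({("modbus", 502)}))]
    def at(h, m=0): return datetime(2024, 5, 1, h, m, tzinfo=timezone.utc)
    windows = [AccessWindow("alice", "plc-1", "engineer", at(8), at(10)),
               AccessWindow("bob", "hmi-1", "operator", at(8), at(12))]
    gate = AccessGate(assets, windows)
    decisions = [
        gate.authorize("alice", True, "plc-1", "modbus", 502, at(9)),   # allow
        gate.authorize("alice", True, "plc-1", "ssh", 22, at(9)),       # deny: plc-1 not registered for ssh
        gate.authorize("bob", True, "hmi-1", "vnc", 5900, at(9)),       # allow
        gate.authorize("bob", True, "plc-1", "modbus", 502, at(9)),     # deny: bob has no window on plc-1
        gate.authorize("alice", False, "plc-1", "modbus", 502, at(9)),  # deny: no MFA
    ]
    closed = gate.close_expired(at(10, 30))                             # alice's window has ended
    decisions.append(gate.authorize("alice", True, "plc-1", "modbus", 502, at(10, 30)))  # deny
    return decisions, closed, gate.audit
```

Two design points carry over to a real platform: the decision is denied unless the role grant and the asset's registered protocols both agree, so a mis-assigned role cannot open a port the asset owner never registered; and every decision, including the automatic closure of an expired window, produces a structured record, which is what a SIEM or SOC needs to correlate OT access with the rest of its telemetry.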
Dispel Remote Access is Industrial Control System ZTA
Dispel Remote Access is a complete Zero Trust Access (ZTA) system designed for industrial control systems. It incorporates the components necessary to comply with security control criteria, including Identity and Access Management (IAM), network encryption and tunneling, moving target defense, network segmentation, endpoint isolation, monitoring and analytics, asset management, and integrations for security operations centers (SOC).
By providing a comprehensive ZTA platform, Dispel ensures that all users and devices are properly authenticated and authorized before being granted access to industrial control systems. Recordings and logs are kept for the entire session; when the access window ends it is closed automatically and the connection infrastructure is destroyed. The platform is built to the guidance of reference frameworks such as NIST CSF, SP 800-53, SP 800-82 and IEC 62443, so that it is effective in protecting critical infrastructure.
What then is a VPN?
A Virtual Private Network (VPN) is one technology within the Network Encryption and Tunneling category. VPN software creates an encrypted, authenticated connection between two endpoints over a public network such as the internet.
In the context of remote access to an industrial control system, a VPN provides a secure tunnel for data communication between the remote user and the industrial network. It is important to note that a VPN is just one piece of a larger system, like the tires on a car. On its own it places the remote endpoint onto the network; it does not itself record what the user did, enforce a time-bound access window, or isolate the user's own device from the control network.
Compare and Contrast
Efficiency & Security
Integrated OT ZTA Solutions Are Significantly Faster
Using a fully integrated OT ZTA system, like Dispel Remote Access, is significantly more efficient for operators and administrators because it provides a single, centralized platform for managing access security across the network. Instead of having to manually manage multiple disparate security tools and platforms, operators and administrators can use a single platform to automatically manage access, monitor network activity, and detect and respond to security incidents.
This saves time and reduces the likelihood of errors or oversights that lead to security breaches. Dispel reports that Dispel Remote Access improved incident response for clients by 97% and saved users over 365,000 FTE hours.
Security Standards Govern Access
When it comes to industrial control systems, remote access is a critical aspect that must be properly secured. Fortunately, there are security guidelines and requirements that apply to industrial control systems, including ones that address remote access directly. The most important are NIST, IEC 62443, NERC-CIP Section 5, and WITAF 503. They provide recommendations and best practices for securing industrial control systems and protecting critical infrastructure, and following them gives an organization a defensible basis for its remote access design.
The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the United States Department of Commerce responsible for developing and promoting measurement, standards, and technology. NIST provides cybersecurity guidance for organizations, including the Cybersecurity Framework (CSF) and various Special Publications (SPs). Among these SPs are 800-53 (Security and Privacy Controls for Information Systems and Organizations), 800-82 (Guide to Industrial Control Systems (ICS) Security), and 800-160 Volume 2 (Developing Cyber-Resilient Systems). These publications provide comprehensive guidelines for securing industrial control systems and protecting critical infrastructure against cyber threats.
IEC 62443 is an international series of standards that provides guidelines for developing a comprehensive cybersecurity management system for industrial automation and control systems (IACS). It includes a lifecycle model that helps organizations manage cybersecurity from the beginning of a project through to the end of the system's life, guidance for secure development, testing and deployment of IACS, and the zone-and-conduit model used to segment an IACS and define the security level each segment must achieve.
NERC-CIP Section 5
NERC-CIP Section 5 is a set of cybersecurity standards that apply to the bulk electric system in North America. Specifically, it addresses the security of the bulk electric system's cyber assets, including electronic security perimeters, access controls, and incident response plans. Of most relevance here, CIP-005 sets the requirements for Interactive Remote Access across the Electronic Security Perimeter: remote sessions must terminate on an intermediate system rather than on the protected asset, be encrypted, and use multi-factor authentication. The standards were developed by the North American Electric Reliability Corporation (NERC) in response to the Energy Policy Act of 2005, which mandated the establishment of mandatory and enforceable reliability standards for the nation's bulk power system.
The American Water Works Association’s Process Control System Security Guidance for the Water Sector (WITAF 503) provides a guide for members of the water industry seeking voluntary adoption of the NIST CSF and adherence to Executive Order 13636 Improving Critical Infrastructure Cybersecurity. WITAF 503 includes recommendations for implementing security controls such as network segmentation, access controls, and monitoring and logging, as well as guidance for addressing common security threats such as phishing attacks and malware infections.
“If you are looking for a robust product for accessing OT assets securely and reliably, this is it.”
Dispel’s Secure Remote Access platform was specifically designed for reaching and managing industrial control systems in under 30 seconds, with less than 1 minute of administrative overhead, without cutting cybersecurity corners. What sets Dispel apart from other SRA vendors is that, in addition to being the only SRA offering on the market that meets US standards as a single product, it is efficient to use at both micro and massive scales.
Book a demo today to get your systems protected: