Remote Access for ICS - Part 1
Remote Access for Industrial Control Systems (ICS). I've seen a ton of posts on this topic, especially during the COVID-19 pandemic, and now I guess I'm adding to it. We have a lot of history with various solutions in this space, ranging from "traditional VPN" (think Cisco, Palo, Check Point, etc.) to industrial solutions mostly targeting OEMs/machine builders (Secomea, eWON, etc.), and lately I've seen another run of new(ish?) ones, each with something unique to bring to the table. Most of these categories, if not solutions, have their differentiators: having no exposed ports at the customer site and leveraging outbound connections only, adding industrial protocol-specific Deep Packet Inspection (DPI), clever application of security through obscurity, and so on.
The good news is we like a lot of them, and the capabilities have come a long way in just the last 10 years. I say this specifically from deploying the increasing and various options available and watching the project success rate and value to the customer steadily climb over that time. However, NONE are the answer for EVERY customer or application. They each have pros and cons and should be evaluated customer by customer or application by application. What customer A appreciates about a solution, customer B might consider an annoyance or perhaps a weakness. Every customer has a different security posture, tolerance for risk, in-house technical capability for administration, budget, etc., and these have to be measured as part of a proper selection process.
If you'd like to discuss the nuances between various industrial remote access solutions and find the right fit for you, drop us a line.