Remote Access for ICS - Part 2
In Part 1, I mentioned nuances between different Industrial Control Systems (ICS) secure remote access solutions. I thought I'd share some questions to aid in the selection process. This is definitely not an exhaustive list (although it might be exhausting, and certainly assumes some table stakes beyond the scope of this article). Also, this is NOT one of those question lists walking you to the crystal clear conclusion that “Solution X is the only choice.” On the contrary, any given answer could kick you off one solution and onto another. Some questions may leave multiple solutions in the running, while others that might point to only one solution may do so at the expense of other features you value more. There is no universally perfect solution. With that bitter pill out of the way (sorry, not sorry product marketers!), let's get on with this game of Minesweeper.
Security
1) Does it support Active Directory (AD) integration? (It MUST, to be considered.) OR Does it have its own user database and management? (We don’t have AD in our ICS.)
2) Does it support any two-factor authentication (2FA) options? SMS? OR Google Authenticator or other time-based one-time password (TOTP)? OR Certificate-based? Does it have its own PKI? OR We only want hardware 2FA; how about Yubikey or similar?
3) What kind of access control is available? How granular - can we limit users to a specific site? to a specific device? to a specific protocol on a device? Is it industrial protocol aware? Does it support industrial protocol deep packet inspection (DPI)?
4) Does it support tiered administration? Can a master admin allow a site owner, department head, OEM or other to setup and manage their own users for just their site/department/machine? How difficult is it to revoke access? Are there options to time-limit a user's access?
5) What kind of logging is recorded for auditing purposes? What events are captured? Where can I send them? Are they human-readable or can they only be read by IBM Watson?
6) At the remote sites, are internet-exposed ports (directly, or port forwarded/NATed through the site internet firewall) required, or is outbound-only connectivity enough? Where are the attack surfaces in the overall architecture? Is each of them my (customer) responsibility or your (vendor) responsibility to secure? How many of these attack surfaces are persistent, never changing over time?
7) If outbound initiated only, does it have to leverage vendor cloud servers, or can the server component be customer owned and operated?
8) If outbound initiated only, does the vendor cloud server facilitate matchmaking only, or does my data traverse your server? If it does traverse your server, is the session encrypted end to end between my client and the site, or is it terminated and re-encrypted at your server?
9) Could local site personnel easily control when remote access is possible? Can indication be provided to local site personnel that remote access is currently taking place?
10) If a given device, say a PLC for example, is already being remotely accessed, can we prevent another remote user from having access to it concurrently?
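Several of the questions above (granular scoping to site/device/protocol, tiered administration, time-limited grants, revocation, one-user-at-a-time access to a PLC, and what ends up in the audit log) are easier to evaluate if you picture the policy model a broker needs behind the scenes. The Python sketch below is an added example written for this article, not code from the original post or from any vendor's product; the plant, user and device names and the simple grant model are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

MASTER = "master-admin"  # constructed sample identifier (assumption for illustration)


@dataclass
class Grant:
    user: str
    site: str
    device: Optional[str] = None        # None = any device at the site
    protocol: Optional[str] = None      # None = any protocol ("enip", "modbus", ...)
    expires: Optional[datetime] = None  # None = no time limit

    def allows(self, site: str, device: str, protocol: str, now: datetime) -> bool:
        """True if this grant covers the request and has not expired."""
        return (self.site == site
                and self.device in (None, device)
                and self.protocol in (None, protocol)
                and (self.expires is None or now < self.expires))


class Broker:
    def __init__(self) -> None:
        self.grants: List[Grant] = []
        self.admin_scope: Dict[str, str] = {MASTER: "*"}  # admin -> site it manages ("*" = all)
        self.active: Dict[Tuple[str, str], str] = {}      # (site, device) -> user holding the session
        self.audit: List[dict] = []                       # in production: ship these to a SIEM

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"event": event, **fields})

    def delegate(self, by: str, admin: str, site: str) -> None:
        """Tiered admin: only the master admin can hand a site owner rights for one site."""
        if self.admin_scope.get(by) != "*":
            raise PermissionError(f"{by} cannot delegate")
        self.admin_scope[admin] = site
        self._log("delegate", by=by, admin=admin, site=site)

    def grant(self, by: str, g: Grant) -> None:
        if self.admin_scope.get(by) not in ("*", g.site):  # stay inside delegated scope
            self._log("grant_denied", by=by, user=g.user, site=g.site)
            raise PermissionError(f"{by} may not grant access at {g.site}")
        self.grants.append(g)
        self._log("grant", by=by, user=g.user, site=g.site, device=g.device,
                  protocol=g.protocol, expires=g.expires)

    def revoke(self, by: str, user: str, site: str) -> None:
        """Drop the user's grants at a site and tear down any live session there."""
        if self.admin_scope.get(by) not in ("*", site):
            raise PermissionError(f"{by} may not revoke at {site}")
        self.grants = [g for g in self.grants if not (g.user == user and g.site == site)]
        for key in [k for k, u in self.active.items() if u == user and k[0] == site]:
            del self.active[key]
            self._log("disconnect", user=user, site=key[0], device=key[1], reason="revoked")
        self._log("revoke", by=by, user=user, site=site)

    def connect(self, user: str, site: str, device: str, protocol: str, now: datetime) -> bool:
        """Policy check, then an exclusive per-device lock so two users never share a PLC."""
        if not any(g.allows(site, device, protocol, now) for g in self.grants if g.user == user):
            self._log("connect_denied", user=user, site=site, device=device, protocol=protocol)
            return False
        holder = self.active.get((site, device))
        if holder is not None and holder != user:
            self._log("connect_busy", user=user, site=site, device=device, holder=holder)
            return False
        self.active[(site, device)] = user
        self._log("connect", user=user, site=site, device=device, protocol=protocol)
        return True


def run_scenario() -> dict:
    """Constructed walk-through of the questions above; returns the observed outcomes."""
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    b = Broker()
    b.delegate(MASTER, "plant-a-owner", "plant-a")
    b.grant("plant-a-owner", Grant("oem-tech", "plant-a", "PLC-01", "enip",
                                   expires=t0 + timedelta(hours=1)))  # 1 h, one PLC, one protocol
    b.grant(MASTER, Grant("engineer", "plant-a"))  # whole site, no expiry
    try:
        b.grant("plant-a-owner", Grant("oem-tech", "plant-b"))  # outside the owner's scope
        cross_site = "allowed"
    except PermissionError:
        cross_site = "denied"
    r = {"cross_site_grant": cross_site,
         "oem_enip": b.connect("oem-tech", "plant-a", "PLC-01", "enip", t0),
         "oem_modbus": b.connect("oem-tech", "plant-a", "PLC-01", "modbus", t0),
         "oem_plc02": b.connect("oem-tech", "plant-a", "PLC-02", "enip", t0),
         "engineer_plc01_busy": b.connect("engineer", "plant-a", "PLC-01", "enip", t0),
         "engineer_plc02": b.connect("engineer", "plant-a", "PLC-02", "enip", t0)}
    r["oem_expired"] = b.connect("oem-tech", "plant-a", "PLC-01", "enip", t0 + timedelta(hours=2))
    b.revoke(MASTER, "engineer", "plant-a")
    r["engineer_after_revoke"] = b.connect("engineer", "plant-a", "PLC-02", "enip", t0)
    r["active_sessions"] = len(b.active)
    r["events"] = [e["event"] for e in b.audit]
    return r
```

Call `run_scenario()` and read the returned dictionary alongside the audit events: the site owner can grant only at their own site, the OEM tech is confined to one PLC over one protocol and gets nothing after the hour is up, the engineer is refused the PLC the OEM is already on, and revocation cuts the engineer's live session. Note one thing the toy broker does NOT do: the OEM's session opened inside the hour is still counted as active after the grant expired. Whether a product cuts an open session when its grant expires, and whether that shows up in the log, is exactly the kind of thing to ask the vendor to demonstrate rather than assert.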
Functionality
1) Does it provide direct network access? Ex. Can my remote laptop running RSLogix, Unity, etc. use it to remote in and perform PLC uploads, downloads, and online changes? How about Layer 2 access so my broadcast discovery apps will work across it as if I were REALLY on site? OR Can it leverage and/or does it provide jump hosts? How many? Under no circumstances can there be direct network access.
2) What is required on the client machine? If software is required, what desktop/server platforms are supported (Windows/OSX/Linux)? Are mobile clients supported (iOS, Android)? If so, is the functionality the same across all platforms, or are there differences/limitations on any platforms?
3) For the sites to be accessed remotely, do I have to purchase a hardware appliance or are software versions available that we could deploy on existing hardware (servers, desktop PCs, panel PCs, IPCs, etc.)? If software is available, for what platforms (Windows/OSX/Linux)? Are container deployments possible?
4) Does the solution natively address connecting to multiple remote networks with overlapping/duplicate IP schemes, or do we have to deal with NAT configurations for each?
5) So I can access my ethernet devices - great. Any chance I could also remotely access the USB port on a PLC or serial port on a device as if it were directly connected to my laptop?
6) What does administration look like - adding sites, users, configuring access control? Does it require IT personnel, or can it be administered by a controls engineer?
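To see why Functionality question 4 matters, here is an added Python sketch (written for this article, not code from the original post or from any product) of the 1:1 NAT a central hub needs when several sites reuse the same private subnet. The plant names, the 192.168.x.0/24 subnets and the 10.200.0.0/16 virtual pool are constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

IPv4Network = ipaddress.IPv4Network
IPv4Address = ipaddress.IPv4Address

# Constructed sample: three plants whose integrators all picked the same private scheme.
SITES: Dict[str, IPv4Network] = {
    "plant-a": IPv4Network("192.168.1.0/24"),
    "plant-b": IPv4Network("192.168.1.0/24"),
    "plant-c": IPv4Network("192.168.10.0/24"),
}
POOL = IPv4Network("10.200.0.0/16")  # assumed free "virtual" range at the hub


def overlapping_sites(sites: Dict[str, IPv4Network]) -> List[Tuple[str, str]]:
    """Pairs of sites whose real subnets overlap: a packet to 192.168.1.10 is ambiguous between them."""
    names = sorted(sites)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if sites[a].overlaps(sites[b])]


class OneToOneNat:
    """Netmap-style 1:1 NAT: every site gets a unique virtual subnet of the same size,
    and host bits are preserved, so 192.168.1.10 at plant-b becomes 10.200.1.10."""

    def __init__(self, sites: Dict[str, IPv4Network], pool: IPv4Network) -> None:
        self.real = dict(sites)
        self.virtual: Dict[str, IPv4Network] = {}
        for name in sorted(sites):
            for cand in pool.subnets(new_prefix=sites[name].prefixlen):
                if not any(cand.overlaps(v) for v in self.virtual.values()):
                    self.virtual[name] = cand
                    break
            else:
                raise ValueError(f"pool {pool} exhausted before {name}")

    def to_virtual(self, site: str, real_ip: str) -> IPv4Address:
        """What the remote engineer types to reach real_ip at site."""
        real, virt = self.real[site], self.virtual[site]
        ip = IPv4Address(real_ip)
        if ip not in real:
            raise ValueError(f"{ip} is not inside {real} at {site}")
        return IPv4Address(int(virt.network_address) + (int(ip) - int(real.network_address)))

    def to_real(self, virtual_ip: str) -> Tuple[str, IPv4Address]:
        """What the hub does on the way out: pick the site tunnel and restore the local address."""
        ip = IPv4Address(virtual_ip)
        for site, virt in self.virtual.items():
            if ip in virt:
                return site, IPv4Address(int(self.real[site].network_address)
                                         + (int(ip) - int(virt.network_address)))
        raise ValueError(f"{ip} is not in any mapped subnet")

    def table(self) -> List[str]:
        """Human-readable mapping table, one line per site."""
        return [f"{s}: {self.real[s]} <-> {self.virtual[s]}" for s in sorted(self.real)]


def build_nat() -> OneToOneNat:
    return OneToOneNat(SITES, POOL)


if __name__ == "__main__":
    print("overlapping:", overlapping_sites(SITES))
    nat = build_nat()
    print("\n".join(nat.table()))
    print("plant-b 192.168.1.10 ->", nat.to_virtual("plant-b", "192.168.1.10"))
    print("10.200.0.10 ->", nat.to_real("10.200.0.10"))
```

A product that "natively addresses" overlapping sites is doing something like this for you and hiding it behind a site/device picker. One that does not leaves you to build and maintain the equivalent table on every site gateway, and your engineers have to remember that plant-b's PLC at 192.168.1.10 is reached as 10.200.1.10.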
Licensing
1) How is the solution licensed? Are there fixed and subscription costs? If there are no subscription costs, what assurances do I have that the solution will continue to be updated in the future? Do costs go up based on the number of total users, concurrent users only, or the number of assets/services being accessed?
Beyond Remote Access
1) Does your site solution include a full firewall? Traditional or next-generation (NGFW)? Does it include NAT capabilities for additional needs we have on-site? What types of NAT - Source? Destination? Double?
2) Can your solution facilitate secure remote access AND secure persistent connectivity site-to-site or site-to-cloud for data exchange, data collection, dashboarding, etc. concurrently?
3) Can it connect securely to existing/legacy infrastructure at other sites (e.g., IPsec support)?
Did you make it to the end? That's impressive. I barely did myself. If you made it here and somehow still want to talk more about any of the above, just reach out. We've been side-stepping these mines for over a decade!