Secure Remote Access is highlighted by SANS as one of the Five Critical Controls for ICS/OT security. Many organizations have moved to a remote or hybrid work ecosystem, which has, in part, led to remote access becoming a high-value vector for adversaries to gain initial access. Organizations will often have shared credentials to access both IT and OT systems, which poses a significant risk to the business and allows adversaries to gain access to the most critical systems for an industrial organization.
It is crucial that organizations evaluate options to establish secure remote access today and diversify risk as much as possible. As such, there are several factors that Dragos recommends organizations consider for implementing a remote access solution:
- Leverage existing infrastructure and expertise
- Implement a DMZ with a secure jump host
- Multi-factor authentication (MFA)
- Third-party remote access requirements
- Monitoring and auditing of remote access sessions
Leverage Existing Infrastructure and Expertise
Organizations have been working to provide remote access to systems for employees and third parties for decades. Many organizations have a wealth of knowledge, expertise, and perhaps even an existing solution to provide secure remote access (SRA). In almost all of these cases, the IT team is likely in charge of the process and may already have a preferred vendor providing SRA to IT tools. Leveraging the existing resources, such as identity and access management, that are likely already in place in IT networks can provide several benefits when looking at SRA to OT environments. This can be incredibly helpful in terms of providing access to third parties, such as OEM vendors, and can ensure that access is limited to only approved users and devices.
Firstly, IT teams are highly familiar with privileged access for their systems; they have identity controls in place, monitor for unauthorized access, and can act as a first layer of defense to identify unauthorized systems access. With all this already in place, it begs the question, “Why wouldn’t we take advantage of all this to protect OT remote access as well?”
If the above criteria are met, implementing similar controls for identity management in a jump box in an IT/OT DMZ becomes a significantly less daunting task. Many organizations have successfully implemented this type of approach.
Implement a DMZ with a Secure Jump Host
Network segmentation is a common security configuration that physically and logically separates network security zones. Physical network segmentation includes securing smaller environments using additional network hardware (switches, routers, firewalls), while logical network segmentation uses common concepts such as subnetting and VLAN configuration. A jump host, also referred to as a jump box, is a secured network asset used for access and device management in separate security zones.
Ideally, IT, DMZ, and ICS environments are configured with separate IP addressing schemes, segmented via network security devices, with restricted access between specific logical networks. Active Directory (AD) groups, categorized by using the principle of least necessary privilege, ensure that users are only able to access what is needed to carry out their job responsibilities.
Dragos recommends restricting management application access to specific user accounts or DMZ assets. Jump hosts inside DMZ environments not only enable an organization to control who has access to what through the jump host; an organization can also implement a DMZ subnetwork configuration, which logically separates different environmental configurations via a network security device. This configuration permits an organization to limit or deny user access across specific subnetworks. Best practices recommend separate jump hosts for internal and external resources. Separation of access enables organizations to enact individual security controls and monitor third-party sessions more closely.
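The zone model above (separate IT, DMZ and OT addressing, OT management reachable only through a jump host, separate jump hosts for internal and third-party use) can be checked mechanically against a firewall ruleset. The following is an added example, not Dragos's code or the code of any product the page describes; the zone subnets, jump-host addresses, management ports and the sample rules are all constructed for illustration:

```python
"""Added example (not Dragos's code): audit a constructed firewall ruleset
against the IT / DMZ / OT jump-host model described above. Zone subnets,
jump-host addresses, management ports and the rules themselves are all
constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed zone layout: each security zone has its own addressing scheme.
ZONES = {
    "IT":  ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT":  ipaddress.ip_network("10.30.0.0/16"),
}
# Constructed jump hosts: separate hosts for internal staff and third parties.
JUMP_HOSTS = {
    ipaddress.ip_address("10.20.0.10"): "internal",
    ipaddress.ip_address("10.20.0.11"): "third-party",
}
# Management protocols that must only reach OT through a jump host (assumption).
MGMT_PORTS = {22, 3389, 5900}


@dataclass(frozen=True)
class Rule:
    src: str      # source host or network in CIDR form
    dst: str      # destination host or network in CIDR form
    port: int     # destination TCP port (0 = any, used only in the deny rule here)
    action: str   # "allow" or "deny"


def zone_of(net: ipaddress.IPv4Network) -> Optional[str]:
    """Name of the zone fully containing `net`, or None for external space."""
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return None


def audit_rules(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Return (rule index, violation code) for every allow rule that lets
    traffic reach OT management ports from anything but a single jump host."""
    findings = []
    for idx, r in enumerate(rules):
        if r.action != "allow":
            continue
        src = ipaddress.ip_network(r.src)
        dst = ipaddress.ip_network(r.dst)
        if zone_of(dst) != "OT" or r.port not in MGMT_PORTS:
            continue
        if zone_of(src) != "DMZ":
            # Direct IT-to-OT (or external-to-OT) path that bypasses the DMZ.
            findings.append((idx, "bypasses-dmz"))
        elif src.num_addresses != 1 or src.network_address not in JUMP_HOSTS:
            # Whole DMZ subnet (or a non-jump DMZ host) may reach OT management.
            findings.append((idx, "not-a-jump-host"))
    return findings


# Constructed sample policy, including two rules that violate the model.
SAMPLE_RULES = [
    Rule("10.10.0.0/16", "10.20.0.10", 3389, "allow"),     # IT staff -> internal jump host
    Rule("203.0.113.0/24", "10.20.0.11", 3389, "allow"),   # vendor VPN pool -> third-party jump host
    Rule("10.20.0.10", "10.30.0.0/16", 3389, "allow"),     # internal jump host -> OT
    Rule("10.20.0.11", "10.30.5.0/24", 22, "allow"),       # third-party jump host -> vendor's equipment only
    Rule("10.10.0.0/16", "10.30.0.0/16", 3389, "allow"),   # violation: IT reaches OT directly
    Rule("10.20.0.0/24", "10.30.0.0/16", 22, "allow"),     # violation: entire DMZ reaches OT
    Rule("0.0.0.0/0", "10.30.0.0/16", 0, "deny"),          # default deny toward OT
]

if __name__ == "__main__":
    for idx, code in audit_rules(SAMPLE_RULES):
        print(f"rule {idx}: {code}: {SAMPLE_RULES[idx]}")
```

Run against the sample policy, the audit flags only the two rules that let IT, or the DMZ as a whole, reach OT management ports; the two jump-host rules and the vendor-scoped rule pass. The same check can be fed an export of a real ruleset once the zone and jump-host definitions match the site.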
Multi-Factor Authentication (MFA)
Multi-factor authentication refers to requiring multiple categories of authentication. A common example of this would be a traditional password followed by entering a number received from an SMS. Suppose an adversary were to gain control of a user account. If MFA were in place, they would still need to complete a separate attack to obtain control of additional authentication materials — possession of a mobile phone or details of a fingerprint, for example. If MFA were not in place, the attacker could immediately use the account and begin impersonating the user. MFA provides defense in depth with another layer of protection.
Dragos recommends implementing multi-factor authentication for logging into remote-access sessions, if possible. This will make remote session hijacking significantly more difficult. It is important to consider any attack scenarios where both authentication factors could be compromised at once. MFA’s effectiveness is based on separating these materials and requiring an adversary to complete multiple attacks to compromise MFA.
Third-Party Remote Access Requirements
Third parties, such as vendors, often need remote access to conduct maintenance on equipment. Sometimes they require exceptions to the organization’s remote access policies, procedures, and architectures. For example, some vendors may require that the organization install hardware in their ICS/OT network, which the vendor may access at any time, and which bypasses the organization’s remote access security controls.
Some OEM vendors have been known to install their own remote access tools to ensure they are able to conduct maintenance activities, at the expense of security. A traffic monitoring tool can assist in identifying this type of access into a controls environment. One secure approach is to require vendors to use the organization's remote access methods, such as the company remote-access gateway, to access the ICS/OT environment remotely. Another is to limit vendor access by leveraging tools designed only to allow remote access if initiated from an internal resource, such as a key switch. If that is not possible, attempt to require vendors to log the who, when, and what about their remote access activities as they conduct them.
Monitoring and Auditing of Remote Access Sessions & File Transfers
Auditing remote access sessions means that an organization can view what accounts are currently logged into a system or network remotely. Sometimes additional details are included such as where they come from and how long they have been logged in. As a part of remote access, account information should never be shared. This will ensure that a paper trail can be established and individual users’ actions monitored to prevent malicious actions. It must be stated that in addition to external traffic monitoring, it is strongly recommended that organizations monitor networks and individual hosts as well to maintain a composite record of all logs in the event of an incident.
If remote sessions cannot be audited, adversaries could remote into an environment at odd hours or for extended periods of time and never be caught. Similarly, an inactive session may also go unnoticed. It will be more difficult to detect or piece together malicious activity after the fact if remote sessions are not monitored. File monitoring ensures that malicious files are not inadvertently moved into the environment. Many existing solutions have some aspects of session and file monitoring.
Another consideration for remote access monitoring may be Privileged Access Management (PAM). PAM is a means to provide certain users with restricted access beyond that of a typical user. These accounts are generally treated with extreme care because they can pose risks to an environment if used nefariously. Some remote monitoring solutions include PAM as a part of their offering. Others go as far as creating certain privileged accounts that are kept idle purely as honey tokens and monitoring them, so that any activity on those accounts indicates adversary behavior.
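The auditing conditions described in the three paragraphs above (logins at odd hours, sessions that run far too long, sessions left inactive, one account active from two places at once as a sign of shared credentials, and any touch of a privileged honey-token account) can be expressed as checks over session logs. The following is an added example, not Dragos's code or any product's detection logic; the log format, the thresholds, the account names and the sample log lines are all constructed:

```python
"""Added example (not Dragos's code): audit constructed remote-access session
logs for the conditions described above: off-hours logins, overlong sessions,
idle sessions, one account active from two sources at once (a shared-credential
indicator), and any use of a decoy privileged account kept as a honey token.
The log format, thresholds and account names are all assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed policy thresholds (assumptions, not Dragos recommendations).
BUSINESS_HOURS = (6, 18)               # UTC hours in which interactive logins are expected
MAX_SESSION = timedelta(hours=8)
MAX_IDLE = timedelta(minutes=60)
DECOY_ACCOUNTS = {"svc_backup_decoy"}  # privileged honey-token accounts with no legitimate use

# Constructed sample log: "<timestamp>Z <event> user=<name> src=<ip> session=<id>"
SAMPLE_LOG = """\
2024-03-04T08:05:00Z login user=jsmith src=10.10.4.21 session=s1
2024-03-04T08:06:00Z activity user=jsmith src=10.10.4.21 session=s1
2024-03-04T09:00:00Z logout user=jsmith src=10.10.4.21 session=s1
2024-03-04T02:40:00Z login user=vendor_acme src=203.0.113.7 session=s2
2024-03-04T02:41:00Z activity user=vendor_acme src=203.0.113.7 session=s2
2024-03-04T14:00:00Z logout user=vendor_acme src=203.0.113.7 session=s2
2024-03-04T10:00:00Z login user=ot_admin src=10.10.4.30 session=s3
2024-03-04T10:10:00Z login user=ot_admin src=10.10.9.77 session=s4
2024-03-04T10:30:00Z logout user=ot_admin src=10.10.4.30 session=s3
2024-03-04T10:40:00Z logout user=ot_admin src=10.10.9.77 session=s4
2024-03-04T11:00:00Z login user=svc_backup_decoy src=10.10.4.30 session=s5
"""


def parse_line(line: str) -> dict:
    """Split one log line into its timestamp, event and key=value fields."""
    ts, event, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["event"] = event
    return rec


def build_sessions(log_text: str) -> Dict[str, dict]:
    """Group events by session id, in time order, recording login/logout times."""
    records = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda r: r["ts"])
    sessions: Dict[str, dict] = {}
    for rec in records:
        s = sessions.setdefault(rec["session"],
                                {"user": rec["user"], "src": rec["src"],
                                 "start": None, "end": None, "events": []})
        if rec["event"] == "login":
            s["start"] = rec["ts"]
        elif rec["event"] == "logout":
            s["end"] = rec["ts"]
        s["events"].append(rec["ts"])
    for s in sessions.values():
        # A session still open at the end of the log is audited up to its last event.
        s["start"] = s["start"] or s["events"][0]
        s["end"] = s["end"] or s["events"][-1]
    return sessions


def audit_sessions(log_text: str) -> List[Tuple[str, str]]:
    """Return (session or user key, finding code) for every policy condition hit."""
    sessions = build_sessions(log_text)
    findings = []
    for sid, s in sessions.items():
        if s["user"] in DECOY_ACCOUNTS:
            findings.append((sid, "honeytoken-use"))
        if not BUSINESS_HOURS[0] <= s["start"].hour < BUSINESS_HOURS[1]:
            findings.append((sid, "off-hours-login"))
        if s["end"] - s["start"] > MAX_SESSION:
            findings.append((sid, "long-session"))
        gaps = [b - a for a, b in zip(s["events"], s["events"][1:])]
        if gaps and max(gaps) > MAX_IDLE:
            findings.append((sid, "idle-session"))
    # Same account active in overlapping sessions from different sources.
    by_user = defaultdict(list)
    for sid, s in sessions.items():
        by_user[s["user"]].append((s["start"], s["end"], s["src"], sid))
    for user, spans in by_user.items():
        spans.sort()
        for i, (_, a_end, a_src, a_id) in enumerate(spans):
            for b_start, _, b_src, b_id in spans[i + 1:]:
                if b_start < a_end and a_src != b_src:
                    findings.append((f"{user}:{a_id}+{b_id}", "concurrent-sources"))
    return findings


if __name__ == "__main__":
    for key, code in audit_sessions(SAMPLE_LOG):
        print(f"{code:20} {key}")
```

On the constructed log, the vendor session is flagged three times (started at 02:40, ran over eleven hours, and sat idle for most of them), the two overlapping ot_admin sessions from different addresses surface as a shared-credential indicator, and the decoy account's single login is reported on its own; the ordinary daytime session produces nothing. Each check is independent, so thresholds can be tuned per site without touching the others.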
When considering remote access solutions, it is important to acknowledge that any external connection comes with risk. To ensure that an environment remains as secure as possible, organizations should maintain safeguards and auditing on any remote access solution with a logging and alerting tool. Due to the high level of specialization in OT environments, these tools will likely differ from those used in IT. Technology is only one piece of the puzzle, and it is imperative to have the people (via training) and processes in place to ensure that whichever remote access technologies are chosen are used as securely as possible.
In addition to an SRA solution, Dragos strongly recommends additional resources to avoid a single point of failure which could allow a security breach. A traffic monitoring tool, such as the Dragos Platform, which monitors protocol traffic, can alert a security team to unexpected remote access sessions. Each organization should take the time to review and prioritize an approach to remote access based on what is feasible for their team to implement.