Welcome to Ewon's Blog

Discover how Ewon solutions can turn your IIoT ambitions into reality!

Top 5 recommendations to End Users when selecting and implementing a Remote Access solution

by Horst Lange, Xavier Cardeña, and Vivek Mano | Apr 30, 2020

Remote Access to machines brings clear advantages for manufacturing. According to ARC, 63% of the maintenance work on a machine is either for a routine check, or they discover that there is simply no problem. Furthermore, 30% or more of these repairs can be made remotely by modifying parameters over the Internet or with minor assistance by an onsite person. Considering that unplanned downtime can cost up to 500k € / hr, remote access brings huge savings to OEMs and asset owners.

 

Top5-remote access 1

 

Cybersecurity for Industrial Control Systems

There are important differences between how Industrial Control Systems (ICS) work compared to Information Technology (IT) systems.

ICS’s have been designed to be efficient for high speed data transmission and for deterministic processes, but not for security. Availability is of utmost importance when it comes to ICS’s. Contrast that to IT systems, which prioritize security and confidentiality above all else, with less of a focus on determinism. Furthermore, while a Risk Analysis for IT would consider the impact on possible data loss or business operations failure, Industrial Control Systems consider first the risk of life, equipment, or product loss.

Below are our recommendations that end users and asset owners should enforce when selecting and implementing a robust, scalable, and secure remote access solution.

 

1. Enforce Identification and authentication control

Provide a unique identification and authentication per user

Every user must have a unique identification and authentication. In case the access of a user needs to be revoked (for instance, because of leaving the company), it should be possible to do it directly on the account.

Change the default password when configuring the device for the first time

Default passwords are well-known by the industrial automation community, they can be easily found in internet or any instructions manual. Don’t forget to change the password of the device/application when configuring it for the first time.

Use Multi-factor authentication whenever possible

Multi-factor authentication should be considered among the best practices in remote access to industrial machines as it provides an added layer of security.

 

Top5-remote access 2

2. Allow for Access Controls and Connection Management

Define different rights per individual user

A centralized management of the rights to access the machines at server level offers an additional security-layer to the user permission management. Every user must belong to a group who has assigned roles (permissions) to access every of the routers or groups of them.

The system shall provide the capability to support the management of all accounts by authorized users, including adding, activating, modifying, disabling and removing accounts.

The connections and changes must be able to be audited

The system must be capable of logging events on access control, errors, operating system, control system, backup and restore, configuration changes, potential reconnaissance activity and audit log. Individual audit records should include the timestamp, source, category, type, event ID and event result.

Remote session permission / termination

Vendors will usually require remote access for two reasons: emergency operational support and system maintenance. System maintenance can normally be scheduled and protocols for remote access connections can be established and monitored.

Therefore, to provide additional security and control, the VPN and/or internet access should be enabled/disabled via a mechanical signal, such as a key switch. This allows the asset owner to disable vendor remote connectivity until it’s required. Once the tasks is completed, the asset owner can disable the vendor remote connectivity once again.

 

Top5-remote access 3

 

3. All connections should be confidential and encrypted

VPN support is a best practice

Remote support personnel connecting over the Internet should use an encrypted protocol, such as running a VPN connection client, application server, or secure HTTP access, and authenticate using a strong mechanism, such as a token based multi-factor authentication scheme.

 

Top5-remote access 4

 

4. Design a proper remote access architecture inside your facility

Machine vendors should have access to only their machine, not to the Plant network

Machine vendor should only reach the machines under his responsibility for support and maintenance in the plant. So, the system must be configurable to segregate the machine network segment or zone from the rest of the network.

Avoid using a control device (HMI, PC, PLC…) as a VPN host for remote connectivity

Using any equipment that is a part of the machine control (such as a PC, HMI or a PLC) as a VPN host might reduce its resources and thus its performance for its main task, which is the control itself. In order to ensure the availability of the control system, it has also to provide the capability to operate in a degraded mode during a DoS event.  Therefore, an external router will act as a boundary protection device to filter certain types of packets to protect control systems from being directly affected by DoS events, thus avoiding any external attack to affect directly the control system and stopping the machine.

Allow only outgoing connections from trusted to untrusted zones

No inbound firewall ports should be opened or exposed to the Internet and no static Internet IP addresses should be required.

The industrial router should initiate an outbound secure VPN tunnel point-to-point connection with a specific account in the cloud. This tunnel is authenticated and encrypted with HTTPs, and goes over the corporate network and through the firewall (outbound only).

 

5. Choose a maintainable solution with a view to the future

Stay up to date with the latest firmware version and security patch updates

In accordance to the device’s manufacturer recommendations. Moreover, you can be notified by the ICS-CERT (Industrial Control Systems Cyber Emergency) about vulnerabilities found in industrial automation equipment and receive recommendations of required patching as well.

The systems included in a remote access solution (router and cloud services) are not always critical and are most of the time are disconnected. Therefore, it is not necessary to follow specific policies for the upgrade of the system other than those recommended by the manufacturer. The asset owner should standardize and maintain how and when to receive the latest security patch.

High Availability of the remote Access service

Whenever remote access support is needed for emergency operational support, remote service becomes critical for the availability of the machine. Thus, the service provider of the access must guarantee a high availability service of the cloud service with an SLA (Service Level Agreement) and this SLA must be reinforced by several actions and control objectives.

These are just some of our recommendations for all companies looking to standardize on a remote connectivity solution.

If you’re curious to learn more, HMS Industrial Networks has created an all-in-one guide with our Secure Remote Access for Dummies book, which you can download below:

 

Download your free guide today

Industrial Routers

Ewon Industrial Routers for Easy and Secure Connectivity

Enjoy the benefits of on-demand remote access, collect and aggregate industrial operations data locally or centrally in the cloud.
Your machine portal

Web Dashboard: M2Web

The free white label web portal of Talk2M providing secure mobile access to your remote HMI, web server, PC and panels.
Remote Access VPN client

Smart VPN Client: Ewon eCatcher

The Talk2M Remote Connectivity software enabling you to connect within a high secure environment to all your devices.
Connectivity as a Service

Industrial Cloud: Ewon Talk2M

Discover Talk2M, a scalable, reliable, and fully redundant Industrial Cloud.