Remote Access: Melding Network, Security Expertise
Wednesday, April 5, 2017 @ 10:04 AM gHale
By Robert Albach
When it comes to remote access, the chances of a security breach or accident can be summed up in three words: Anything but remote.
A remote user could theoretically gain access to a robot, and swing its arm 360 degrees at a very rapid pace, inadvertently damaging machines in a factory halfway around the world. A cybercriminal could hack into a company’s system, causing physical and financial damage in seconds.
As the manufacturing industry becomes more and more comfortable adopting digital technologies, devices on the factory floor are communicating with one another like never before. At the same time, these manufacturing facilities receive support from employees around the world and multiple vendors, many of whom demand remote access or must access equipment on the plant floor. There is no doubt this adds to the efficiency, productivity and flexibility quotients, but it also introduces layer upon layer of security risks on and off the shop floor.
The only true way to secure a factory in this era of increasing remote access is to introduce security measures at the beginning, end, and everywhere in between. Enterprises that know that, and put the systems in place to get it right, will be the ones that properly balance the seamless access vs. tight security conundrum.
Some are already doing it. In nearly every case, the more modern the network is, the more security — including security surrounding remote access — has played an integral role in building it out. For those manufacturing companies that find themselves trying to retrofit security solutions into their existing networks, the challenge is almost always much greater.
How We Got Here
To understand why the challenge exists, it is useful to look at how we got here in the first place, not just in the realm of remote access but in industrial environments in general.
The workforce is aging rapidly: According to the Department of Labor, nearly one in four people in the labor force will be 55 or older by 2024. By comparison, this age group only made up 11.9 percent of the workforce in 1994.
This aging workforce is being asked to make sense of a very rapid modernization of network technology, which ideally will replace the very simple and siloed networks that exist today. The imperative is to connect the disparate parts of the networks so they can communicate with one another, but that is no easy task considering these pieces were designed by humans without an eye toward the unforeseen security concerns that could one day pop up. The catch is, that one day has arrived.
Adding to the complications, the network components aren’t the only things operating in silos; the humans themselves are, too. Often, one contributor creates a component, another assembles it and a third person integrates it. This makes for a series of handoffs from one group to another, with a lack of communication among the key contributors. In this scenario, not only is the current problem not being solved, the enterprise is also left vulnerable to threats that don’t even exist yet. Fortunately, there are better ways to go about these challenges, and best practices continue to emerge.
Intentional, Unintentional Threats
It is important to note that threats don’t always come from a malicious place. More often than not, a breach of remote access security involves nothing untoward or illegal. In a sense, though, the cause doesn’t matter. A hack might cause little or no systemic damage to a manufacturing organization. However, errors may increase when equipment is accessed by individuals who don’t have knowledge of local conditions.
One manufacturing company almost learned this the hard way. A remote user began issuing commands to a piece of equipment being debugged, but this person didn’t have full knowledge of the machine’s location.
The robot dutifully received and responded properly to the commands, but unfortunately one of those commands damaged equipment immediately within the area of the robot’s reach. In fact, if the command had been issued just a few seconds earlier, the robot could have physically injured a person who walked by.
In any network environment, the challenge of unintentional threats is almost always more difficult to deal with than intentional ones. In the case of remote access, the challenge becomes amplified because the remote actor may not have – literally – visibility into the environment in which he’s operating.
From “Nice-to-Have” to “Imperative”
The example above notwithstanding, remote access isn’t going away. Its proliferation is a byproduct of the complexity of systems, and of the fact that remote users often understand these systems better than local users. It is, of course, paramount that remote users with more knowledge gain access to the systems. After all, a person with no automotive knowledge would be ill-advised to try to fix their broken car. Instead, they would just go to the mechanic.
The other key driver of remote access is a manufacturing enterprise’s desire to optimize production, forestall equipment malfunction or downtime, or capture information about the operation of the equipment. Turning to anyone other than an expert on the equipment would be a missed opportunity to quickly address any issues or optimize production before a problem gets worse.
How it Should Look
So how does an enterprise secure its remote access communications? For one, it must have a system of interoperating parts, rather than disparate ones. Two components of such a solution are a strong firewall and a virtual private network (VPN) client. Another is a system with the ability to provide constant security status reporting. These status reports would regularly record which operating system a remote user is running, whether that system is fully patched and up to date, and whether current security software is installed. It should be no surprise that a device is less likely to be infected with a potential threat if its systems are updated, so it is imperative that the manufacturing enterprise granting remote access has the systems in place to stay informed on remote users’ environments at all times.
This end-to-end security package should also include advanced malware protection, which monitors whether the operating system being used is under attack.
Ideally, it also has an identity services engine, which decides ahead of time how it is going to handle a remote access user depending on their personal and company profile. Once a secure connection takes place, contact is made with the plant, which treats the communication as specific to that very user, not just that user’s organization. This true customization adds yet another layer of security to the remote access communication. On top of that, two-factor authentication – which combines something the end user knows and something he or she has – can further protect a manufacturing company against security threats. More recently, companies have turned to three-factor authentication — which adds “something you are,” such as a fingerprint or other biometric factor.
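The layered package described above (posture reporting on the remote endpoint, a per-user rather than per-organization policy, and a second authentication factor) can be expressed as a single access decision. The following is an added example, not code from the article or from any vendor product: every class, threshold, role name, target name and sample record is an assumption constructed for illustration, and a real identity services engine would pull the same attributes from its own posture agent and directory.

```python
from __future__ import annotations

# Added example: a posture-aware remote access decision in the spirit of the
# article's "security status reporting" plus per-user policy and a second
# factor. All names, thresholds and sample data below are assumptions
# constructed for illustration; none come from the article or any product.
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Posture:
    """What the remote endpoint reports about itself (constructed fields)."""
    os_name: str
    os_version: str          # e.g. "10.0.14393"
    last_patch: date         # date of the most recent OS update
    av_running: bool         # endpoint protection process active
    av_signature_age_days: int


@dataclass
class User:
    """Identity attributes the policy engine already knows about the user."""
    username: str
    organization: str
    role: str
    mfa_verified: bool       # second factor completed for this session


# Hypothetical policy tables; the point is that the decision is per user and
# role, not per organization.
MIN_OS_VERSION = {"Windows": (10, 0), "Ubuntu": (18, 4)}
MAX_PATCH_AGE = timedelta(days=30)
MAX_SIGNATURE_AGE_DAYS = 7
ROLE_TARGETS = {
    "vendor_engineer": {"cell-7-robot"},
    "plant_maintenance": {"cell-7-robot", "cell-7-plc"},
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '10.0.14393' into (10, 0, 14393) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def posture_findings(posture: Posture, today: date) -> list[str]:
    """Return every reason the endpoint fails the posture policy (empty = clean)."""
    findings = []
    minimum = MIN_OS_VERSION.get(posture.os_name)
    if minimum is None:
        findings.append(f"unsupported operating system {posture.os_name}")
    elif parse_version(posture.os_version)[:2] < minimum:
        findings.append(f"{posture.os_name} {posture.os_version} below minimum version")
    if today - posture.last_patch > MAX_PATCH_AGE:
        findings.append(f"patch level is {(today - posture.last_patch).days} days old")
    if not posture.av_running:
        findings.append("endpoint protection is not running")
    elif posture.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        findings.append("endpoint protection signatures are stale")
    return findings


def decide(user: User, posture: Posture, target: str, today: date) -> tuple[bool, list[str]]:
    """Grant access only when posture, second factor and per-user policy all pass."""
    reasons = posture_findings(posture, today)
    if not user.mfa_verified:
        reasons.append("second authentication factor not verified")
    if target not in ROLE_TARGETS.get(user.role, set()):
        reasons.append(f"user {user.username} ({user.role}) not permitted to reach {target}")
    return (not reasons, reasons)


# Constructed sample data for a stand-alone run.
TODAY = date(2017, 4, 5)
GOOD_USER = User("jdoe", "Example Robotics", "vendor_engineer", mfa_verified=True)
GOOD_POSTURE = Posture("Windows", "10.0.14393", date(2017, 3, 28), True, 1)
STALE_POSTURE = Posture("Windows", "10.0.14393", date(2017, 1, 10), True, 1)

if __name__ == "__main__":
    for label, posture, target in [
        ("compliant endpoint", GOOD_POSTURE, "cell-7-robot"),
        ("stale patches", STALE_POSTURE, "cell-7-robot"),
        ("wrong target", GOOD_POSTURE, "cell-7-plc"),
    ]:
        allowed, reasons = decide(GOOD_USER, posture, target, TODAY)
        print(f"{label}: {'ALLOW' if allowed else 'DENY'} {reasons}")
```

The decision returns every failing reason rather than stopping at the first, which is what an operator reviewing a denied session wants to see, and the target check keys on the individual user's role so that two people from the same vendor can be granted different reach into the plant.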
Network Knowledge Not Enough
Network technology has changed and will continue to change, and security tools will continue to evolve as new threats emerge. These threats, nefarious or otherwise, are being introduced nearly every day. Companies looking at remote access through the single lens of network knowledge are missing half the picture. Getting remote access right takes an adeptness in juxtaposing network and security issues. Thus, the right solution to remote access security involves end-to-end control and visibility over the security state of a network.
Perhaps most crucially, getting remote access right no longer relies solely on network expertise. For the first time, it requires network and security expertise.
Robert Albach joined Cisco in 2010 and has since defined and delivered three network security solutions, the most recent being Cisco’s first Industrial Security Appliance. Prior to his Cisco tenure, he guided the IPS management solutions and low-end IPS solutions for the intrusion prevention company TippingPoint.