How can you help keep your remote equipment network secure? These tips about protecting your infrastructure can help.
By Keith Blodorn, director of Product Management, and Vishal Prakash, strategic product manager, ProSoft Technology
It’s 4 p.m. on Friday, when the phone rings with news that the palletizer on your plant’s main bottling line just went down. The plant technical team is stumped, and the palletizer vendor’s service engineer won’t arrive until Monday. The plant manager is on the phone, asking you to somehow let the vendor access the palletizer control equipment to resolve the problem remotely. Otherwise, he’ll need to idle the plant through the weekend, costing your company tens of thousands of dollars in lost revenue and wages.
This scenario is a frequent occurrence in today’s environment of automated manufacturing. At the same time, horror stories of corporate data breaches — including breaches due to outside contractor access mechanisms — raise the stakes for enterprise security professionals.
With production quotas and profitability targets to meet, simply saying “no” to outside access is not an option for most companies. But before handing out a guest account on your corporate VPN or setting up a remote desktop connection to a production line PC, let’s consider the security and personnel safety factors associated with remote access to machine networks.
To begin with, consider these three key zones:
- Machine Zone: This includes the machine control equipment, the network that interconnects that equipment, and possibly remote access modules. Multiple machine zones within a plant make up the plant zone.
- Enterprise Zone: This includes the enterprise core network, business assets like servers and applications, Internet access and firewalls.
- Outside Zone: This includes the remote user, cloud connectivity service, and communications infrastructure like the Internet and cellular networks.
Each of these zones presents unique network security requirements and challenges. Understanding these challenges will help the enterprise network engineer determine the best solution that balances the production team’s need for fast remote support, the safety manager’s need to help maintain personnel safety, and the enterprise network team’s need to safeguard the company’s data and information systems.
Machines are more complex than ever. A machine like a palletizer or filling machine typically has one or more programmable automation controllers (PAC), electronic operator interface screens, and scores of sensors, motors and actuators. Often, these controllers and devices are connected via Ethernet.
However, the machine Ethernet network should be segregated from the Enterprise Zone network and other machine networks through a demilitarized zone (DMZ), which allows the machine to carry out its critical high-speed control communications without having to share its network capacity with office applications or other machines.
This segregation also provides an important layer of security, because only specific connections between machines and enterprise assets are allowed to communicate and transfer data with each other. This minimizes the risk of industrial devices infecting enterprise assets, and vice versa.
Before considering network security in the Machine Zone, however, it’s critical to first understand machine safety. The equipment in the Machine Zone is responsible for running motors, energizing actuators and running the machine. Anyone accessing the machine network can cause the machine to operate and must fully understand the risks associated with any changes to the machine controls. Access to the machine network should be limited to only when the machine is in a “safe” state.
This brings us to the remote access device used in the Machine Zone. There are two common ways to provide remote access to the Machine Zone — a PC with a remote desktop connection and a dedicated remote access gateway.
The remote desktop connection typically isn’t the best path in the Machine Zone for two key reasons.
- A PC provides a highly capable platform for launching cyberattacks against the machine and up into the Enterprise Zone. PCs typically have more advanced networking capabilities, so the user on the other end of the remote desktop connection now controls a device that can do a lot more than simply connect to the machine control equipment. This setup can allow a remote user, intentionally or inadvertently, to bypass the DMZ and access parts of the enterprise that he shouldn’t access.
- PCs typically have a full-featured operating system. Over time, vulnerabilities in these OS components come to light, creating the need to regularly update the PC. Worse, the PC used for remote desktop access is often supplied by the machine builder or system integrator and may not be under the plant IT department’s standard update and virus protection routine.
A stronger solution for access to the machine network is to use a purpose-built remote access gateway. Devices that can plug in to the local machine network on one side and an Internet-accessible wired or cellular wide area network (WAN) on the other side can be an ideal solution.
An often-overlooked aspect of security and protection is capturing historical information of events and changes. A skilled hacker will defeat the logging in a PC and cover his tracks to avoid detection. It’s best to select a service that keeps an audit trail of events to maintain clear visibility into access and changes.
The Enterprise Zone often is a large, complex network that connects the organization’s PCs, servers, email system, customer databases and financial software. This zone often is the focus of hackers.
The enterprise network commonly provides users with access to the Internet, but also includes firewalls and other technology to limit the kind of connections that enter the network from the outside. Many companies provide VPN access to the Enterprise Zone for authorized users who need to access enterprise network services remotely. Companies sometimes also provide vendor and customer portals for access to some parts of the enterprise network.
Faced with the need to establish a remote connection for the external machine builder, the corporate VPN or a dedicated vendor portal might seem like a quick and easy way to solve the problem. However, guest VPN access will give the remote user access to more of the manufacturer’s enterprise than he needs.
In addition, the enterprise network engineer will need to establish a new connection or route from the Enterprise Zone through the DMZ to the Machine Zone. These ad hoc configurations may inadvertently leave access to confidential enterprise assets open. Since the encrypted VPN tunnel terminates within the Enterprise Zone, the remote user will necessarily gain some visibility to the enterprise network.
Conversely, remote access gateways installed on the machine network provide a more secure way for the remote user to traverse the Enterprise Zone. The ideal solution is one that allows the remote user access to only the machine network through either the enterprise network’s Internet access or the cellular LTE network. Using these solutions, the remote user’s VPN tunnel could be terminated only on the gateway’s local port, so the user never has access to the Enterprise Zone.
The outside zone includes the remote user’s PC, the cloud connectivity service, and communications infrastructure such as the Internet and the cellular network. Several key elements of any remote access solution reside outside the enterprise and are therefore more difficult for the enterprise network engineer to control.
Therefore, it’s vital to understand the security features of the remote access solution’s components in the Outside Zone to determine how well the solution protects the enterprise.
The first component is the remote user’s PC and the software needed to make the remote access solution work. Some remote access gateways only work in conjunction with software that must be installed on the remote PC. This kind of product introduces several critical security issues.
First, the software itself has been targeted by malicious actors such as the Dragonfly group. By replacing the real remote PC software with an infected version, Dragonfly attackers were able to gain access to industrial machine networks across several industries.
Second, the enterprise network engineer has no way to know if the remote user is keeping this software up to date — and failure to do so might compromise your enterprise.
The next Outside Zone consideration is the security of the VPN server technology or appliance that might reside in the Enterprise Zone or in a cloud connectivity service. It’s common practice to try and save a few dollars by using free VPN tools such as OpenVPN installed on a server with a static public IP address and add static or common passwords rather using a hardened two-factor authentication scheme.
After the installation, network engineers must regularly check for vulnerability and security updates to the VPN server software and the PC software running the VPN server.
Cloud service technology, including security, has advanced significantly. In addition, major cloud providers such as Amazon, Microsoft and Google offer a level of physical and cybersecurity that is significantly greater than what most companies can build on their own.
Security-centric services use several key technologies to keep remote machine access secure. One favorable option is a platform that uses a container and micro-service architecture. In this design, each function of the platform would be a stand-alone micro-service run in containers — essentially tiny virtual machines that can be scaled to handle more demand when needed.
The container would only run the application components needed by the micro-service, reducing the likelihood that a security flaw in one OS component would compromise the platform. This isolation of micro-services would also help protect the others if a vulnerability occurred in one.
ProSoft Technology, based in Bakersfield, California, is an EncompassTM Product Partner in the Rockwell Automation PartnerNetworkTM program. ProSoft Technology designs industrial communication solutions that include in-chassis communication modules, stand-alone protocol gateways and a range of wireless solutions.
The Journal From Rockwell Automation and Our PartnerNetwork™ is published by Putman Media, Inc.