Energy and utility companies around the world are exploring how to merge their information technology networks and operational technology infrastructure. But by connecting the two, they may expose themselves to cybersecurity vulnerabilities, writes Shmulik Aran
Many energy and utilities companies around the world are currently exploring how to merge their information technology (IT) networks and operational technology (OT) infrastructure.
By converging IT and OT environments, an energy supply company can have better control over operational processes and improve the overall reliability, safety and profitability of its production.
In order to securely benefit from the merger of IT and OT, energy and utility companies must implement a corporate strategy to address the cybersecurity risks associated with connected operations. The starting point for this OT security management strategy is obtaining visibility of the full inventory of operational assets and establishing secure remote connectivity to these devices and equipment.
On a regular basis, operational equipment must be monitored and accessed remotely in order to maintain high levels of safety, reliability and availability. Many routine maintenance tasks are performed remotely and examples include patching, hardening and log collection. Rapid responses to incidents also require remote access.
For instance, if a plant engineer detects a sudden reduction in production output, a remote expert may need immediate access to provide a solution for the on-site team.
There are two general functions involving remote access to operational equipment. The first function is the remote access (RDP, SSH, HTTP) itself and the second function is for transferring data to a remote machine or from the machine to the control centre.
Some routine maintenance activities are automated without any human intervention or supervision and are performed remotely through machine-to-machine (M2M) communications.
While these functions that are performed remotely are essential to the safety and reliability of a plant, connectivity from the outside, especially by third parties, increases an energy supply company’s exposure to cybersecurity risks. The points of remote connectivity are often targeted by cyberterrorists to obtain unauthorized access and launch an attack.
Controlling remote access and managing the functions of multiple vendors, first- and third-party staff, and machines is a highly complex task that involves establishing numerous connections to various facilities and equipment. Remote access must be granted so that only authorized and authenticated users have access to only their specific systems according to granular policies defined by the corporate office.
Today, Virtual Private Networks (VPNs) are the most common method used for remote access in the energy supply industry. In general, a VPN is intended to provide an encrypted tunnel through which data between a remote user and a facility’s network can be transferred. Despite their popularity, VPNs have several severe drawbacks as a remote access method.
To start with, each party requiring remote access has its own VPN. With numerous parties constantly requesting remote access, this is a highly complex task for a facility’s network and security administrators to manage. Each VPN also requires its own opening in the firewall, and those openings must be managed as well.
At the same time, remote users accessing the plant LAN through a VPN may have excessive privileges that allow them to view or access equipment or devices for which they have no authorization.
In addition, a VPN provides two-way communication. This means that a connection can be established not only from outside the organization, but also from within. Here, a cyberterrorist can seize control of a third party VPN connection and initiate a malicious attack by sending malware to an operational asset.
As an alternative to VPN access, many vendors have developed their own remote access solutions, which are certified by the energy supply company when the vendor deploys its equipment on-site. The drawback to this approach is similar to the problem with VPN access in that remote security teams must manage multiple certifications at each facility and deal with multiple openings in the security infrastructure. Also, such access cannot always be monitored by corporate security teams.
Secure remote access
Below is a list of best practice recommendations for energy and utility companies that need to provide secure remote access. These recommendations are not limited to energy supply companies and apply to any industrial enterprise. These best practices will ensure high availability, reliability and safety without compromising operational security.
• Implement top-down control. All third-party remote access to the operational network should be funneled and authenticated through a single location. This eliminates difficult-to-manage VPN and vendor-based connections. Consolidating all the remote connections through a single point reduces the number of connections and creates a more secure access framework;
• Protect asset credentials. Grant remote users privileged access without disclosing the credentials of any asset. This can be accomplished by using a password vault, which facilitates access without sharing the actual password. This method avoids the compromise of credentials through keylogging and risky password management. It also eases the management of password expirations and renewals. In a time of crisis, a third party can gain rapid remote access without the risk of forgetting a unique password;
• Enforce accountability and monitoring. All user activity should be monitored and audited. IT and OT teams should be able to approve, deny or terminate any session as necessary. Network monitoring capabilities can be used to evaluate the traffic passing through these connections and alert on anomalies;
• Use a policy for access. Manage all user access on a ‘least privilege’ basis and grant exceptions to the policy on an individual basis. A flexible rule engine can be used to configure access granularity, such as who can access which asset, when, from where, using which protocols and performing which activities;
• Allow data and file transfer. Build a secure framework to transfer files to the ICS systems, such as for patch management and sending logs and alerts from the ICS to the control centre.
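The accountability and least-privilege points above describe a rule engine that decides who may reach which asset, when, from where, over which protocol and for which activity, and that records every session decision for IT and OT review. The following is an added example of such an evaluator, written for this article and not code from the author or from NextNine. The asset names, vendor accounts, networks and time windows are constructed for illustration; a real deployment would load rules from the corporate policy store and feed the audit records to the SIEM.

```python
"""Default-deny remote-access policy check with an audit trail (added example)."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Rule:
    """One explicit grant: who may reach which asset, how, when and from where."""
    user: str
    asset: str
    protocols: FrozenSet[str]      # e.g. ssh, rdp, https
    activities: FrozenSet[str]     # e.g. read-logs, patch
    start_hour: int                # window start, inclusive (site local time)
    end_hour: int                  # window end, exclusive
    source_nets: Tuple[str, ...]   # CIDR networks the user may connect from


@dataclass(frozen=True)
class AccessRequest:
    user: str
    asset: str
    protocol: str
    activity: str
    source_ip: str
    when: datetime


class PolicyEngine:
    """Anything not explicitly allowed is denied; every decision is logged."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.audit_log: List[dict] = []

    def evaluate(self, req: AccessRequest) -> Tuple[bool, str]:
        allowed, reason = self._decide(req)
        # Accountability: allowed and denied requests are recorded alike.
        self.audit_log.append({
            "time": req.when.isoformat(), "user": req.user, "asset": req.asset,
            "protocol": req.protocol, "activity": req.activity,
            "source_ip": req.source_ip, "allowed": allowed, "reason": reason,
        })
        return allowed, reason

    def _decide(self, req: AccessRequest) -> Tuple[bool, str]:
        candidates = [r for r in self.rules if r.user == req.user and r.asset == req.asset]
        if not candidates:
            return False, "no rule grants this user access to this asset"
        src = ip_address(req.source_ip)
        failures = []
        for rule in candidates:
            if req.protocol not in rule.protocols:
                failures.append(f"protocol {req.protocol} not permitted")
            elif req.activity not in rule.activities:
                failures.append(f"activity {req.activity} not permitted")
            elif not (rule.start_hour <= req.when.hour < rule.end_hour):
                failures.append("outside permitted time window")
            elif not any(src in ip_network(net) for net in rule.source_nets):
                failures.append(f"source {req.source_ip} not in permitted networks")
            else:
                return True, "matched explicit rule"
        return False, failures[0]


# Constructed sample policy: a vendor account limited to daytime log reads over
# SSH from its own network, and an internal OT engineer allowed to patch any time.
RULES = [
    Rule("vendor-a", "turbine-plc-01", frozenset({"ssh"}), frozenset({"read-logs"}),
         8, 18, ("203.0.113.0/24",)),
    Rule("ot-engineer", "turbine-plc-01", frozenset({"ssh", "https"}),
         frozenset({"read-logs", "patch"}), 0, 24, ("10.10.0.0/16",)),
]

# Constructed sample requests exercising each dimension of the policy.
REQUESTS = [
    AccessRequest("vendor-a", "turbine-plc-01", "ssh", "read-logs", "203.0.113.7", datetime(2024, 1, 15, 10, 0)),
    AccessRequest("vendor-a", "turbine-plc-01", "ssh", "patch", "203.0.113.7", datetime(2024, 1, 15, 10, 0)),
    AccessRequest("vendor-a", "turbine-plc-01", "ssh", "read-logs", "203.0.113.7", datetime(2024, 1, 15, 22, 0)),
    AccessRequest("vendor-a", "turbine-plc-01", "ssh", "read-logs", "198.51.100.5", datetime(2024, 1, 15, 10, 0)),
    AccessRequest("vendor-a", "turbine-plc-01", "rdp", "read-logs", "203.0.113.7", datetime(2024, 1, 15, 10, 0)),
    AccessRequest("vendor-b", "turbine-plc-01", "ssh", "read-logs", "203.0.113.7", datetime(2024, 1, 15, 10, 0)),
    AccessRequest("ot-engineer", "turbine-plc-01", "https", "patch", "10.10.4.9", datetime(2024, 1, 15, 3, 0)),
]


def run_demo() -> Tuple[PolicyEngine, List[Tuple[bool, str]]]:
    engine = PolicyEngine(RULES)
    return engine, [engine.evaluate(r) for r in REQUESTS]


if __name__ == "__main__":
    engine, results = run_demo()
    for req, (ok, why) in zip(REQUESTS, results):
        print(f"{'ALLOW' if ok else 'DENY ':5} {req.user:12} {req.protocol}/{req.activity:10} {why}")
```

Only the first and last requests match a rule; the others are refused for the activity, the time of day, the source network, the protocol, or the absence of any grant at all, and each refusal lands in the audit log with its reason so that a reviewer can see exactly which policy dimension blocked it.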
Additional best practices for a secure remote access control setup that provides the business logic for authentication, privileges management and accountability include the following:
• The connections between remote users and operational equipment should be highly secured. Rather than multiple VPNs, a single outbound port should be used for all simultaneous connections to the operational facility. All traffic should be funneled through this port, which should be controlled and monitored by both the IT and OT security teams;
• Use standard secure communication protocols, such as TLS, to encrypt all communications;
• Multiple protocols must be supported due to the uniqueness and diversity of vendor and purpose-built systems;
• There should be the ability to connect to existing IT solutions such as SIEM, LDAP and Jump servers.
Better security posture
Secure remote access to operational equipment and devices is essential for high availability, reliability and safety. Controlling the remote access of multiple internal and external parties to a distributed operational environment is a complex task.
Security teams at an energy supply company that need to provide remote access must do so in a framework that allows authentication and privileges management and accountability, running on top of a strong and secure infrastructure. This will position the energy or utility company to improve its overall security posture and better manage the security of its OT operation.
Shmulik Aran is the chief executive of NextNine, a provider of security management solutions for connected industrial control system environments. www.nextnine.com