Functional Requirements for Remote Access - IEC62443 Directives

While technology have taken a paradigm shift in last few years followed by fast pace moving transformational & disruptive journey just like a "thruster" which can't be resist looking the todays competitive globalized business scenarios as well as high ambition to sustain in long term. Hence, Remote Access requirement of Industrial Automation and Control System in OT environment specially for critical infrastructure is one of such business case in which matter end-users are still in dilemma specially considering the fact of most of the existing brownfield infrastructure.

If I recall there were time when IT were requesting to take control of our desktops for troubleshooting, installation of some software's etc., know as "remote desktop access and support capabilities" then while working in industrial environment for one of the captive power plant/boiler functional check and commissioning somewhere in 2006, can't forget those times while debugging some commissioning issues along with Vendor/Control System Engineer calling over phone, discussing in detail with SME remotely, writing the steps of checks then login back to engineering station checking the communication protocols / configuration settings, way installation, application program diagnostics etc. were taking sometimes few days to sort-out the problem and commission respective line equipment. Time changed many other ways emerged and OT ICS environment was also not untouched with such tools be it team viewer, use of RDPs plus other immature remote desktop solutions. However every new solution/technology emerge with their own pros & cons specially there is a saying that in cyber world nothing is 100% perfect and every technology/solution take its own maturity pathways followed by support of both extremists i.e. sinful (cyberterrorism) v/s virtuous (cyber-defenders) cyberpunks.

Hence in nutshell remote access of IACS environment including main stream process control/MES/3rd parties etc. been no more luxury but became a need over the time due to the fact it serves as a critical bridge between operational efficiency and modern technological advancements. The need for remote access in IACS OT environments arises from a variety of factors that aim to enhance operational effectiveness, streamline maintenance, and respond to the demands of an increasingly interconnected world which is moving not only on fast pace by on hyper pace and conception of upcoming hyper-automation system is one of the well demonstrable example. Few key reasons advocating the necessity of remote access in the ICS environment are as follows:

1. Efficient Monitoring and Control
2. Reduced Downtime
3. Cost Savings
4. Rapid Response to Emergencies
5. Data Analytics and Insights
6. Flexibility and Scalability

Now let's jump to the main topic i.e. what exactly "Remote Access" defined by IEC62443 and associated conclusive fundamental functional requirement directives as well as additional/supplementary requirements defined in IEC62443-2-4

Definition of Remote Access as per IEC62443:

Use of systems that are inside the perimeter of the security zone being addressed from a different geographical location with the same rights as when physically present at the location.

However it shall be noted that definition associated risk of “remote” can vary according to the situation as follows:

• Access may come from a location that is remote to the specific zone, BUT still WITHIN the boundaries of a Company or Organization.
• Above configuration of remote access might represent a lower risk than access that originates from a location that is remote and OUTSIDE of a Company’s/Organization's boundaries.

IEC62443 explains that "Remote access bypasses the local physical security controls of the boundaries of the system. It extends access to the trusted zone to a completely different geographic location and includes a computer that may not have undergone the security checks of the computers that are physically in the area of the trusted zone. Different mechanisms are required to provide the same level of security as the trusted zone."

Now the question in today's competitive market lot of vendors and solutions are available claiming one of the best fit of ICS OT environment. Some claims easier way to provide secure remote access and segment your network at the same time, other claims that their competitors solution is point-to-point VPN solution which might be okay for some vendor access but they claim it's not ideal for users with longer engagements and working in a low bandwidth environment, Some claims Remote Command-Line Access (Secure Shell), other claims Remote Access with Monitoring and Control, web based remote access, cloud based remote access etc etc etc...

Now being an end-user expectation is not to get confused and complicate the matter, hence let's see what IEC62443-2-4 defines as a foundational/base requirement functionality in terms of security tool and software, technical requirements as well as data protection point of view. I have tried to summarize the requirement IDs as explained by IEC as follows:

Requirement IDs SP.07.01 / SP.07.02 / SP.07.03 / SP.07.04 are Fundamental/Base Functional Requirements (BRs)

While SP.07.04 is enhanced with additional / supplementary requirements specified with data protection in case it is a priority based on application such as high confidentiality OT data.

Hence following these 4 core functional base requirements as well as one of the enhanced/supplemented directive, user can be in position to formulate well their Remote Access specification/contractual scope of work/framework for ICS OT environments and will be in position to evaluate technically very well what exactly is the foundational functional requirement which shall be quoted and supplied by Vendor as a minimum and what other offerings in addition which can be compared well before finalization of your remote access infrastructure capability.

There are other topic of debates which can be further discussed such as Architecture of Remote Access as a part of overall Perdue model, its zoning & dedicated DMZ such as separate / sandwiched in between firewalls of different dedicated OEMs/Jump-over servers deployments / EDR / Multifactor authentication etc.

Well to enhance further your knowledge and grow together to next level let's click follow on my profile so that not to miss my upcoming technical articles with blend of practical ICS OT experience of lifecycle as well as simplified summarized boundaries of various IEC62443 series and associated requirements.