Support Vendor Laptops Continue To Be A Challenge
Dale Peterson
ICS Security Catalyst, Founder of S4 Events, Consultant, Speaker, Podcaster, Get my newsletter friday.dale-peterson.com/signup
Most asset owners who have been working on OT security for 5+ years have dealt with the removable media risk. My preference is USB drives and other media dedicated to the OT environment; never used on another network.
All needed software / firmware is brought through a data transfer server in the OT DMZ where it is assessed before being made available.
This prevents the walk around the protection and detection issue, and it relies less on the users following more complex processes to test media before it enters the OT environment. It also doesn't prevent bringing new firmware in, loading it on a USB drive, and bringing it to devices deep in the OT environment that might not have a network connection.
A larger number of asset owners take the approach of having a process to scan removable media brought in from outside of OT. There are dedicated OT security products for this that take a kiosk approach, like Honeywell's Secure Media Exchange or OPSWAT's MetaDefender Kiosk. Some asset owners build their own scanning station using software from malware detection vendors.?
The kiosk / scanning station approach is better than relying on the endpoint protection in each computer to detect and prevent malware. Many asset owners go with a combination of turning off or protecting USB drives on most computers and relying on endpoint detection on the remaining computers. There are a lot of approaches, and they have significantly reduced the introduction of malware into OT by removable media in asset owners with an active OT security program.
Portable computing, most often laptops although tablets are increasing, are a harder problem to solve. The asset owner employees can, and should, have a dedicated laptop for OT. It never leaves OT. It gets its updates and any required software in OT. It's a bit of a hassle and cost, but not difficult.
The harder problem I see frequently is support vendor laptops that are brought into OT after being connected to many networks. Most security conscious asset owners have a procedure to assess and scan the laptop prior to connection to OT. This process is likely to only catch mass market malware.
领英推荐
By nature these support vendor laptops have the technician logged in with admin privileges, are loaded with a lot of tools of varying providence, are one offs because each technician has their preferred kit, and are connected to a lot of networks. Letting them connect to your OT environment is not a small risk.
So why let them connect? Because the system is down or needs some troubleshooting. The asset owner can't figure it out and needs assistance. The technician with the expertise can't do their job without connecting a system with typically an eclectic set of tools organized in a way that makes sense to the technician. The laptop is scanned, the technician / company has to sign something say they don't have malware, and the connection to OT occurs.
How often does this happen in your OT environment?
A minority of asset owners, in the US primarily the bulk electric sector, will go through the trouble of having OT dedicated laptops available for support vendors to use when they come in. This requires pre-planning and isn't easy. You need to know who will come in, get all the tools loaded, maintain the tools, and even then it will likely make the support vendor's job harder. It may be impossible for emergency support ... do you want me to connect and fix your system or not? If I use your laptop it will at least take me longer and I might not be able to fix it.
Many of OT security vendors and consultants have been through this dichotomy. You tell the asset owner do not allow anything that was connected to an external network to connect to their OT environment, and let me connect my laptop to your OT environment.?
I wish I had an easy answer to address this risk.?
ICS/OT Enterprise Architect | SCADA/OT Expert | OT Cybersecurity Leader | Water Leadership Innovator | Driving Industry Transformation.
1 年Dale Peterson Insightful article. The integration of vendor laptops into industrial control systems is indeed a complex issue. Emphasizing network segmentation, pre-connection compliance checks, and the strategic use of Demilitarized Zones (DMZs) has shown promise in mitigating these risks. Although these methods are not foolproof, they are critical components of a layered defense strategy. Continued dialogue and knowledge sharing on this subject are invaluable. I'm keen to learn about other hands-on experiences and potential solutions.
This is one of the bigger challenges our customers face and informed our roadmap early on to significantly address the risks you outline. We combined secure remote access, file transfer, and remote native application access to reduce the risks you outline. The workflow includes: file transfer-based security policies (type, who, when, MFA, target workstation) based on the identities of both the operator and target workstation, automated AV and malware scanning, file integrity checks, with a reverse, multi-hop remote access proxy to reach Level 2 process workstation from anywhere. This allows our customers to have secured target machines internal to the site as the landing point and sanitized physical media to remain on site (USB drives, SD cards). Our customers take advantage of remote native app support (policy-based controls and visibility) where the laptops and applications access the assets only through our Fabric and are proxied (see above). Our customers have found this greatly reduces risks because of consistent controls of file distribution, reduced shadow IT, 3rd party laptop physical access, and elimination of multiple physical media copies. Xage Security If at ARC Feb 5 - stop by and see us. #iiot #otsecurity
Director OT @ Intersect Power | GICSP | Speaker
1 年Exactly right Dale. The challenge isn’t the existence of the dedicated OT laptop or Engineering workstation, it’s the software the technician has that the Control System company either won’t tell us what it is because it’s “proprietary” or price it so high that no reasonable person would pay for it. I think it should be reasonable that when you spend several million on a control system that a bill of materials should let companies know what tools are needed by their resources to perform technical support. It shouldn’t be a surprise when the outage comes up.
CE CS Security Controls Assessor
1 年Exactly Dale!? This has been a standard practice in our arena for several years now.? Dedicated laptops, approved external storage devices and procedures for code transfer, with AV scanning, provides a baseline for vendor maintenance ln the field. Great article.
Partner Cybersecurity & Privacy, CISA, CISSP | Head of EMEA Cloud Security Practice
1 年Great article, Dale. The challenge with vendor laptops in OT environments is a classic risk-versus-need scenario. Centralized, pre-approved tool repositories for vendors could be a game-changer, streamlining both security and operational needs. As always, it’s about finding smarter solutions, not just stricter controls.