World-Class OT Cybersecurity: Intro to Secure Remote Access
My name is Dillon Lee. I am a Principal Technical Account Manager at Dragos and a Key Volunteer at ICS Village. At this point in my career, I have worked with hundreds of unique environments across all sectors. Through my work, I hear and see the challenges of customers and students. All views expressed in my articles are my own and not representative of Dragos or ICS Village.
The customer journey is dynamic.
When entering the fourth of the five Critical Controls, you might think they are linear in progression. This is not the case. For example, in the last article, we covered finding gaps in the defensible architecture built prior. That feedback loop allows you to secure or build policies around that new understanding. We will continue that dynamic journey of feedback loops with secure remote access.
Secure remote access will be a familiar topic for most readers, as this technology is in use in nearly every environment today. The journey to "World-Class" often leads to consolidating tools and services in larger enterprises, which is not bad in itself but can be detrimental if the consolidated solution is not implemented and maintained properly. The care and feeding of the work put into the five critical controls becomes more important along the journey. We will keep a secondary focus on building policy around exceptions and documenting them sufficiently to allow better alignment in the future with the stakeholders of this technology.
The pandemic in 2019/2020 created a significant driving force for remote workers in the OT space, as organizations needed remote monitoring and control of ICS environments. It also increased the number of remote access solutions exposed, and therefore exploitable, in both OT and IT. Using the conduits from the defensible architecture gives you both connection choke points and a place to log inbound remote access connections. Since IT/OT choke points are often implemented as a firewall appliance, terminating remote access at that point also provides additional logging insight.
This phase of the journey aims to implement controls that keep unwanted users out, authenticate and verify users, and track established connections. While MFA is common in IT, we will also discuss how it can be a low-level implementation to protect your OT. The last point I will touch on is logging. While it is essential in controls 1 and 2, showcasing who and what connections are used in this stage will become even more critical.
"Secure remote access is critical to OT environments. A key method, multi-factor authentication (MFA), is a rare case of a classic IT control that can be appropriately applied to OT. Implement MFA across your systems of systems to add an extra layer of security for a relatively small investment. Where MFA is not possible, consider alternate controls such as jump hosts with focused monitoring. The focus should be placed on connections in and out of the OT network and not on connections inside the network."
Safety, Security, and Usability
The balancing act of secure remote access involves many differing opinions, technologies, and implementations. This article touches on a few secure remote access solutions you can deploy. The following examples are those I have deployed, used, or seen firsthand with customers I work with.
The many ways to connect
Secure remote access aims to connect a user or process with a remote resource. Historically, these systems have relied on virtual private networks, or VPNs. You can read about the different variants of VPNs from Palo Alto Networks. VPN solutions use tunnel technologies of different variants to connect users to resources, but in the last few years, building this secure connection alone has not been enough. Once an endpoint is compromised, the threat actor has a secure tunnel into the enterprise, which is high on the list of actively exploited pivots in the OT security space.
Vendors like VMware and Citrix created products that reduce the need for VPNs while still allowing controlled remote access to solutions inside an environment. These products have increased the ability of enterprises to allocate and manage resources, but like VPNs, they are also actively exploited by threat actors. Combining remote access solutions with VPNs and a robust logging methodology creates layers, like an onion, that require an attacker to pass multiple MFA checks, avoid triggering red-flag rules, and chain exploits together. Each technology creates a point at which logging or security controls could prevent the continued exploitation of a network.
Even though this is just a brief introduction to secure remote access, you should work with your vendor of choice to understand the benefits and risks of each vendor's technology. There is no silver bullet in this stack of your environment, but a single vendor can implement a holistic solution. The holistic solution should consist of varying technologies that work together with your ecosystem of logging and user workflows.
Multi-factor authentication
The starting point for secure remote access security is multi-factor authentication, or MFA, a defining piece of your secure remote access capability. I think the folks at IBM have done a fantastic job with their YouTube series and wanted to include their quick video on MFA:
The security control around MFA is enormous. It allows assigning roles based on authentication, logging approved (or denied) logins, and gaining a general understanding of connections in the environment. The biggest ask in this phase of the customer journey is to use a different MFA offering for OT than the one IT uses. The reason for rolling out a secondary MFA is to prevent a pivot through the IT infrastructure. Some offerings from both IT and OT-specific vendors can be found below:
Each vendor above has standard features and is almost identical, but there are still differences in MFA implementation. There is no single right technology to deploy for your MFA implementation. However, sharing MFA between IT and OT can create a failure in protection. In well-implemented environments, users should connect to the IT environment using a VPN, jump host, or other remote service and then complete MFA to establish the connection. The users who are now successfully in the IT environment must then traverse the conduit into OT. During the traversal of the OT firewall, whether into the VPN termination on that firewall, an application-based service like Keeper or Cyolo style products, or a jump host enabled with MFA, the user should complete another, separate MFA challenge.
Logging the conduits and connections
With all the types of vendors and technology, one of the most essential parts of the implementation process is logging the successful and failed connections in your work process. Using a tool like a SIEM to take in all these logs provides a centralized place to collect firewall logs, secure remote connection logs, failed authentication / MFA attempts, and events from your passive network monitoring tool.
As you mature through the journey, these logs become accessible to a user for proactive threat hunting. For now, just being able to see the whole picture of the environment is the starting place. Being able to rebuild the steps a staff member or malicious actor took provides invaluable insight when confidently relaying back to management that the threat
The last piece of logging secure remote access is using technologies like your firewall to watch for the implemented technologies crossing your IT / OT boundary. Insights from logging the conduits, combined with implemented technologies like passive network monitoring, firewalls, and a defensible architecture, will give your company complete visibility into the operations of the environment.
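The two checks this section and the MFA section describe, that a conduit crossing into OT was preceded by a separate OT-side MFA success and that failed MFA attempts at the boundary are counted, can be expressed as a small correlation over normalized SIEM events. The following is an added example written for this article, not code from the author, Dragos, or any vendor named above. The log format, the source names (vpn-it, mfa-it, mfa-ot, fw-otdmz), the ten-minute window, and the failure threshold are all constructed assumptions; a real deployment would map its own firewall, VPN, and MFA fields onto the same idea.

```python
"""Correlate IT and OT remote-access events to verify the second (OT) MFA step.

Constructed sample data: each line is a flattened key=value event, the kind of
normalized record a SIEM would hold. Source names and users are placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from any real environment).
SAMPLE_LOGS = [
    "ts=2024-05-01T08:00:00Z src=vpn-it user=alice event=vpn_connect result=success",
    "ts=2024-05-01T08:00:05Z src=mfa-it user=alice event=mfa result=success",
    "ts=2024-05-01T08:02:00Z src=mfa-ot user=alice event=mfa result=success",
    "ts=2024-05-01T08:02:10Z src=fw-otdmz user=alice event=conduit_allow dst=jump-ot",
    "ts=2024-05-01T09:00:00Z src=vpn-it user=bob event=vpn_connect result=success",
    "ts=2024-05-01T09:00:04Z src=mfa-it user=bob event=mfa result=success",
    "ts=2024-05-01T09:01:30Z src=fw-otdmz user=bob event=conduit_allow dst=hmi-01",
    "ts=2024-05-01T10:00:00Z src=mfa-ot user=carol event=mfa result=failure",
    "ts=2024-05-01T10:00:20Z src=mfa-ot user=carol event=mfa result=failure",
    "ts=2024-05-01T10:00:41Z src=mfa-ot user=carol event=mfa result=failure",
    "ts=2024-05-01T10:01:02Z src=mfa-ot user=carol event=mfa result=failure",
]

OT_MFA_SOURCE = "mfa-ot"        # assumed name of the OT-only MFA service
CONDUIT_SOURCE = "fw-otdmz"     # assumed name of the IT/OT boundary firewall
MFA_WINDOW = timedelta(minutes=10)  # assumed: OT MFA must precede the crossing by <= 10 min
FAILURE_THRESHOLD = 3           # assumed: this many failures on one user is worth an alert


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict and parse the timestamp into a datetime."""
    event = dict(field.split("=", 1) for field in line.split())
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def crossings_without_ot_mfa(events):
    """Return conduit crossings that were not preceded by an OT MFA success within MFA_WINDOW.

    A crossing that only had IT-side MFA is exactly the pivot the separate OT MFA
    is meant to stop, so each one is returned as (user, destination, timestamp).
    """
    ot_mfa_ok = defaultdict(list)
    for e in events:
        if e["src"] == OT_MFA_SOURCE and e["event"] == "mfa" and e["result"] == "success":
            ot_mfa_ok[e["user"]].append(e["ts"])
    flagged = []
    for e in events:
        if e["src"] != CONDUIT_SOURCE or e["event"] != "conduit_allow":
            continue
        recent = any(timedelta(0) <= e["ts"] - t <= MFA_WINDOW for t in ot_mfa_ok[e["user"]])
        if not recent:
            flagged.append((e["user"], e["dst"], e["ts"].isoformat()))
    return flagged


def mfa_failure_bursts(events, source=OT_MFA_SOURCE, threshold=FAILURE_THRESHOLD):
    """Count MFA failures per user on one MFA source; return users at or over threshold."""
    failures = defaultdict(int)
    for e in events:
        if e["src"] == source and e["event"] == "mfa" and e["result"] == "failure":
            failures[e["user"]] += 1
    return {user: n for user, n in failures.items() if n >= threshold}


def audit(lines):
    """Parse, sort by time, and run both checks; returns a dict of findings."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e["ts"])
    return {
        "crossings_without_ot_mfa": crossings_without_ot_mfa(events),
        "mfa_failure_bursts": mfa_failure_bursts(events),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOGS)
    for user, dst, ts in report["crossings_without_ot_mfa"]:
        print(f"ALERT conduit crossing without OT MFA: {user} -> {dst} at {ts}")
    for user, n in report["mfa_failure_bursts"].items():
        print(f"ALERT {n} OT MFA failures for {user}")
```

On the constructed data, alice passes both checks (OT MFA ten seconds before her crossing), bob's crossing to hmi-01 is flagged because only IT MFA was seen, and carol's four failures on the OT MFA service exceed the threshold. The design point is that the correlation keys on a distinct OT MFA source: if IT and OT shared one MFA service, the first check could not distinguish the two steps, which is the same reason the article asks for a separate OT MFA.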
Starting your feedback loop
Completing this part of the five critical controls leads to a solid foundation, but you are just starting. The insights you gather from your systems let you build knowledge and control your environment based on feedback and learning from the implementation. Finding suitable conduits for secure remote access may lead to changes in the architecture, which may in turn require more monitoring. This journey is just that, a journey, not a goal or finish line. We need to keep moving down the road towards a safer, more secure future.
Quick Wins for Leadership
Working through control number one, ICS incident response plan, we were able to:
Control number two, defensible architecture, built the physical network segmentation, and that foundational layer delivered:
Control number three, visibility and monitoring, used learnings from both of the previous critical controls to drive security forward, and we found:
Critical Control four, secure remote access, connects business functions securely.