With governments closing down workplaces all over the world, telecommuting presents not just online administrative and capacity challenges for organizations, but also security challenges. As highlighted in a recent article by Andy Greenberg from Wired, when more and more employees are asked to VPN into corporate networks from home, this creates not only clogged networks but attack opportunities for the unscrupulous.
In the case of industrial and critical infrastructure sites, however, the most important employees generally do not have the luxury of telecommuting and must be on-site to carry out physical repairs and refurbishments. As operators struggle to balance the recommendations of social distancing with the need to keep vital services functioning, there is no getting around the fact that conventional remote connections into industrial control networks are a very bad idea.
Why is it a bad idea?
On the one hand, remote access to normal IT networks is in everyone’s best interest. Without this capability, coping with this pandemic would be all the more challenging. But on the other hand, giving access to critical infrastructure sites to every computer on the Internet with a password and two-factor dongle poses unacceptable risks. The importance of protecting safe and reliable operations for the computer networks that control some of the world’s most powerful physical equipment, equipment that provides essential services to the public in this time of crisis, cannot be overstated. Looking at connectivity to operations networks through the lens of remote access to IT networks is a mistake. For example:
- VPN software encrypts communications between Internet-based laptops and remote access endpoints, providing a degree of protection against man-in-the-middle attacks. What such encryption does not do, however, is protect against compromised endpoints. VPNs and other cryptosystems encrypt attacks just as happily as they encrypt legitimate communications. This is the point of Virtual Private Network software – the software provides a remote user or attacker with the illusion of being locally connected to the target network, able to do anything to the target network that a local user could do.
- Remote access firewalls are software. Like all software, firewalls have defects, some of which are security vulnerabilities, both discovered and undiscovered. While it is possible to patch for known vulnerabilities, there is no patching for unknown, zero-day attacks. Worse, firewalls are porous even when the most rigorous management and rule sets are deployed. Firewalls are routers at their hearts – they forward network traffic from external networks, such as the Internet, into the very networks the firewalls are intended to protect. Think about this for a minute – firewalls forward into protected networks every packet that matches an “allowed” rule in the firewalls’ configuration. Why do we permit this? What value is there in letting attackers from all over the Internet test the security of our critical infrastructure networks with whatever attack packets they wish?
- Two-Factor Authentication is held up as the gold standard for remote access, but two-factor mechanisms have suffered countless attacks in recent years. SIM jacking and social engineering defeat cell-phone-based two-factor authentication, and compromised laptops and cell phones hijack legitimate remote access session keys and cookies once two-factor authentication is complete. This article has more detail on attacks defeating two-factor authentication.
The Wired article argued that it is essential to engineer a way to provide remote access to control system environments for critical infrastructure services such as water, electricity, and fuel refining during the coronavirus crisis. Such access minimizes the risks to employees and 3rd party vendors who would otherwise need to travel to the site, and minimizes risks to the health of critical personnel who simply must work on-site in order to carry out physical repairs and other manual activities. When designing such a solution though, we must keep at the front of our minds the potential severity of the consequences of cyber compromise to critical infrastructures.
Robust remote access
The world’s most secure industrial sites do not accept the VPN/firewall/two-factor software remote access risks described above. The world’s most secure sites control their industrial network perimeters with more than just software; they install hardware-enforced unidirectional gateways. Through server replication, critical infrastructure sites enable 100% real-time visibility into protected networks, 100% protection from remote attacks, with a number of options for truly secure remote access in this time of crisis.
While the word “unidirectional” may seem to rule out any sort of remote access, this is not the case. Unidirectionally-protected sites routinely provide their remote vendors and quarantined critical employees with unidirectional Remote Screen View (RSV) as a means to provide critical remote support. When an on-site worker activates RSV on an industrial workstation, remote support personnel can see the workstation’s mouse movements and screen in real-time. Remote personnel can then guide the on-site worker in real-time, providing advice over the phone as to how to move the mouse, how to interpret information on the screen and how to diagnose, adjust and correct problematic configurations in real-time.
And all of this occurs through a hardware-enforced unidirectional gateway. No compromised laptop or Internet-based attacker can send even a single attack packet through the unidirectional hardware at the heart of the RSV solution. The gateway hardware is one-way outbound – unlike a firewall or VPN – and there is physically no way to send attack information into the critical infrastructure network through the gateway hardware.
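The following is an added illustration, not Waterfall's code or the RSV protocol, of what server replication across a one-way link implies for the software on each side: the OT side must repeat frames and the IT side must detect gaps on its own, because no acknowledgement or retransmit request can ever travel back. The link model, frame format, sample snapshots and loss pattern are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class OneWayLink:
    # Constructed model of a one-way link: OT side writes, IT side only reads `delivered`.
    delivered: list = field(default_factory=list)
    lost_slots: set = field(default_factory=set)  # constructed transit losses, by slot
    slot: int = 0
    def transmit(self, frame: dict) -> None:
        if self.slot not in self.lost_slots:
            self.delivered.append(frame)
        self.slot += 1

class ReplicationSender:
    # OT side: repeats each frame because no retransmit request can ever arrive.
    def __init__(self, link: OneWayLink, repeat: int = 2):
        self.link, self.repeat, self.seq = link, repeat, 0
    def send_snapshot(self, payload: bytes) -> int:
        self.seq += 1
        frame = {"seq": self.seq, "data": payload,
                 "sha256": hashlib.sha256(payload).hexdigest()}
        for _ in range(self.repeat):          # forward redundancy instead of ACKs
            self.link.transmit(dict(frame))
        return self.seq

class ReplicaReceiver:
    # IT side: dedupes repeats, drops corrupt frames, reports gaps it cannot fill.
    def __init__(self):
        self.frames, self.rejected = {}, 0
    def ingest(self, delivered: list) -> None:
        for f in delivered:
            if hashlib.sha256(f["data"]).hexdigest() != f["sha256"]:
                self.rejected += 1            # integrity failure: discard, no way to re-request
                continue
            self.frames.setdefault(f["seq"], f["data"])
    def missing(self) -> list:
        top = max(self.frames, default=0)     # only gaps before the newest frame are visible
        return [s for s in range(1, top + 1) if s not in self.frames]

def run_demo(lost_slots: set) -> tuple:
    # Replicate three constructed screen snapshots; return (received seqs, missing seqs).
    link = OneWayLink(lost_slots=lost_slots)
    sender = ReplicationSender(link)
    for shot in (b"screen:login", b"screen:hmi-overview", b"screen:alarm-list"):
        sender.send_snapshot(shot)
    rx = ReplicaReceiver()
    rx.ingest(link.delivered)
    return sorted(rx.frames), rx.missing()
```

Losing one copy of a frame is absorbed by the repeat; losing both copies of the newest frame is not even detectable until a later frame arrives, which is why replication receivers also watch for staleness rather than relying on sequence gaps alone.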
It is not just secure sites that tout the benefits of unidirectional gateways to protect critical infrastructure; this technology is also required by regulations and guidance in the world’s most cyber-secure jurisdictions. Authorities in Israel, Singapore, South Korea, and France require the use of unidirectional technology for critical industrial control systems, and all modern industrial security standards recommend unidirectional gateways for physical processes where safe and reliable operations are crucial.
Keeping CI secure in an unprecedentedly uncertain time
Even in the midst of the COVID-19 pandemic, there are always critical employees who must work locally and physically at our critical infrastructure sites. To protect these workers, to gain access to our quarantined experts, and to minimize unnecessary travel, truly safe remote access is essential. Hardware-enforced Remote Screen View provides such remote access in a way that is truly secure, and so helps to keep our lights on, our water safe to drink, and fuel in our gas stations, no matter what unscrupulous attacks might be launched at our infrastructures from across the Internet.
Waterfall Security Solutions leads the world in the production and installation of Unidirectional Security Gateways. During this time of crisis, Waterfall is providing customers with Remote Screen View licenses at no cost to enable truly secure remote access to critical infrastructure sites. For more information about Waterfall’s Unidirectional Security Gateways, Remote Screen View or Waterfall’s other powerful, physically-enforced critical infrastructure security tools, please visit the “contact us” page on the Waterfall website and request a free consultation with a Waterfall expert.