ResizedImage7684-pollard
ResizedImage7684-pollard
ResizedImage7684-pollard
ResizedImage7684-pollard
ResizedImage7684-pollard

How to balance risk and remote access

Sept. 21, 2016
Who’s responsible for cybersecurity of automation at the plant level?
About the author
Jeremy Pollard, CET, has been writing about technology and software issues for many years. Pollard has been involved in control system programming and training for more than 25 years.

Well, I can’t tell you how happy I am to have gotten hooked into Netflix, and my bride and I are watching a few episodes of Scandal. Clever, but disturbing.

A governor kills his wife’s lover, she goes to jail, and then of course it was found to be pre-meditated, but he still gets away with it.

Why? No one tells. Like most data and cyber breaches!

This is the last installment of my three-column overview on remote access and the security aspects of ‘remoting’ into a plant’s infrastructure and/or critical infrastructure.

When I spoke with Steve Hechtman, CEO of Inductive Automation, a SCADA/HMI software development company, I was so surprised to hear about some of the security issues that have not been brought up by their users and the requirements of such users with regard to security.

I also posed this question to Don Pearson, chief strategy officer of Inductive Automation: “If a security breach or hack occurred, would you want to have your company or product brand name associated with the hack?” I think you know what the answer was.

Just to set the table a bit here, some automation vendors provide only guidelines and expect the end user’s IT department to provide the cybersecurity needed to protect the systems and the plant in general.

So Pearson was talking to the fact that a software vendor should do all it can to provide safety for its customers. “Inductive Automation always wants to do things ourselves.” Quite a different approach from most.

He agreed that providing security solutions could be a unique business opportunity for the company, but we didn’t discuss any details on that.

But I did ask him if the technology from Route1 could help. On the surface he said that any technology that can provide solid remote access should always be considered.

Hechtman is almost passionate about the subject. And in fact he has had conversations with many of his customers, and the answers he got are shocking, but not surprising.

“They want it, but they don’t want to pay for it.” Yikes! So, I’m thinking that, if a company provided some security around remote access and made it part of the recurring support systems, then they can still have it and not know they are paying for it as such. More Scandal stuff.

He went on to say that no one really cares as such. When he used the word “risk” and how it applied to the customer base, he was somewhat agnostic toward it. The customer has to evaluate the risk.

While true, I am still wondering about vendor-supplied solutions.

He truly feels that, until it is legislated for various industries, it won’t happen.

There are some companies that are taking things into their own hands regarding remoting. Ian Verhappen, who is a fieldbus legend and a contributor to Control magazine, has been around the block a few times and had a few observations.

His stance on remote hacked access typically would require some specialized knowledge of the end point, such as a HART-connected valve, or an Ethernet/IP PLC. Verhappen’s background is in process industries, such as oil and gas.

So, from that point of view, the systems that he has been exposed to have a greater reliance on IT setups for remote access and security. The asset management system (AMS) typically requires two-factor authentication in order to access the connected devices.

What this means though is that there is a single point of access to the DCS in the plant. Once this point is breached, the world is the hacker’s oyster.

Even with handheld devices, the DCS AMS requires certain authentication. He mentioned that a Canadian oil producer had three levels of access via passwords to finally get to the AMS. Most hackers wouldn’t be interested. That was the message here.

But he also mentioned that some remote people have to take a company-supplied laptop on the road since the media-access-control (MAC) address of the laptop is registered at the firewall level. That is two-factor authentications where the risk of rogue remote access can be considered high.

Other companies that he is familiar with use common access cards (CACs) to allow employees to use company assets like computers tied into the network and of course remote access.

Route1’s multi-factor technology can use these CACs from anywhere. Verhappen and I both agree it doesn’t have to be expensive to be good. I submit that cost associated with remote-access security does not translate to the bottom line and is nothing but an expense that isn’t needed by most accounts.

In conclusion, it’s obvious to me that we are not taking things seriously regarding remote access, and we may not be looking outside our industry for solutions. We want to re-invent the wheel, but we shouldn’t have to. Managing risk is everything. Evaluate that risk, evaluate all possible solutions, and make a plan. Do it out of being informed, not out of fear. When it happens to you, then security is no longer an expense.

I would like to thank all my interviewees for their time and guidance to bring this important message to our community.

Also read: How to close the PLC security gap

Homepage image courtesy of hywards at FreeDigitalPhotos.net

About the Author

Jeremy Pollard | CET

Jeremy Pollard, CET, has been writing about technology and software issues for many years. Pollard has been involved in control system programming and training for more than 25 years.