Secure remote access combines several security strategies designed to allow users to operate technology offsite from a physical facility while protecting the security of networks and data from unauthorized users. By permitting geographically dispersed access from a variety of devices, secure remote access supports business and IT operations while reducing the possibilities of a cyberattack and preventing a breach of sensitive data – whether intentional or not. The importance of secure remote access for information technology (IT) and operational technology (OT) has grown significantly in recent years, while the challenges in preventing access to systems and data by unauthorized internal or external users have also increased.
The Exponential Growth of Secure Remote Access in OT
Historically, remote access to network systems was reserved for IT administrators and perhaps a few business users at the top of the leadership chain. But the move to hybrid and multi-cloud environments mixed with on-premises infrastructure, as well as the rise of mobile and remote workers, have greatly increased the number of people with access. The COVID-19 pandemic also changed the landscape for secure remote access, with millions of employees suddenly connecting to enterprise systems from home.
Today, any employee can get access to the network, from any location, at any time, using a variety of devices. And with the growth of cloud infrastructures and services, remote access also applies to third parties, as well as a growing number of applications, services and Internet of Things devices.
In industrial enterprises, remote plant operations that combine operational technology (OT) with IT systems are common. OT operations often must account for older, unpatched operating systems and software, and likely require a different layer for logical access and security to support Supervisory Control and Data Acquisition (SCADA) as well as other Industrial Control Systems (ICS).
As a result, secure remote access today has become a complex undertaking, beyond the abilities of traditional security methods. Protocols such as Remote Desktop Protocol (RDP) and Secure Shell (SSH), for example, can be difficult to deal with and don’t provide the granularity of control that is required. Another common tool, virtual private networks (VPNs), can be slow to work with and, if compromised, can allow an attacker to move laterally around the network.
The Elements of Secure Remote Access (SRA) Today
Secure remote access is something of a catch-all term, covering a range of security policies and practices designed to prevent unauthorized access to systems and data. It doesn’t have a single, precise definition. But in today’s distributed cloud environments, any secure remote access implementation should include several essential features.
- Zero Trust. A zero-trust strategy is increasingly at the foundation of secure practices in modern computing environments. Its focus on continuously authorizing and authenticating identities helps ensure that systems and data are being accessed only by authorized users. It also keeps track of user activities, which is essential to mitigating any damage in the event of a breach. (Zero-trust conforms with one of the tenets of current security strategies, which is assuming that threat actors have gained entry.)
- Least Privilege. Another essential element of secure remote access—and part of a zero-trust strategy—is enforcing the principle of least privilege. Users, devices, applications, APIs or any other network identity should have only the minimum access privileges necessary to complete a specific job or task. In the event that an identity is compromised, least privilege helps ensure that an attacker cannot move up or though the network. Least-privilege also can be strengthened through steps such as time-based access, which not only keeps privileges to a minimum but also limits the time in which a user can perform a task.
- MFA. Multi-factor authentication, which relies on two or more ways to verify a user’s identity, has been proven to significantly reduce credential compromises, yet many organizations still neglect the practice. MFA combines “something they know” (such as a password), with “something they have” (such as a hardware token) or “something they are” (such as a fingerprint or other biometric feature).
Controlling Access for Industrial Systems and Critical Infrastructure
In industrial settings involving a mix of OT and IT, other steps that can help ensure secure remote access include:
- RBAC. Similar to least-privilege principles, role-based access control can provide granular control that can permit access for specific functions, such as operating a human-machine interface (HMI) or patching an asset.
- TBAC. Time-based access control sets the days or hours during which a vendor or other partner can gain access to assets.
- OT Asset and Protocol Isolation. This practice builds on the practice of network segmentation to keep users isolated, with access only to their assigned assets on the OT network.
- Moderated Asset Access Control. In this approach, OT managers can maintain control by moderating vendors accessing their critical assets, after first checking in to a virtual “wait lobby.”
- Moderated Secure File Transfer. This approach allows an organization to approve and log the movement of files to or from a vendor system, which supports access reporting and auditing.
- Session Logging and Screen Recording. Fully logging and recording vendor access sessions are used for both forensic and training purposes.
Modernizing Secure Remote Access with Protocol Isolation
Implementing secure remote access strategies and technologies can help organizations protect their data and critical systems in an increasingly complex, distributed environment. That environment has greatly increased the operational capabilities and efficiencies for many organizations, but it has also expanded the attack surface, potentially exposing more weaknesses and vulnerabilities. As a result, threat actors have shifted some of their tactics to focus more on credential-based attacks rather than delivering malware, and security strategies need to adapt.
There are countless reasons professionals running oil rigs in the middle of the ocean, manufacturing plants meeting high demand, water treatment facilities serving large populations and other critical facilities need 24/7 access to their operational technology. But providing that access has traditionally been complex and fraught with security issues. Giving authorized users consistent secure access regardless of their location or the time of day, while effectively preventing access by unauthorized users, requires a secure remote access strategy built to address all modern computing platforms and threat landscapes.
Technology agnostic and configured in minutes, XONA’s proprietary protocol isolation and zero-trust architecture immediately eliminates common attack vectors, while giving authorized users seamless and secure control of operational technology from any location or device. With integrated multi-factor authentication, user-to-asset access controls, user session analytics, and automatic video recording, XONA is the single, secure portal that connects the cyber-physical world and enables critical operations to happen from anywhere with total confidence and trust.