As a remote access tool, Dispel has received this question a few times: How can you maintain security while transitioning to a remote workforce?

As Coronavirus (COVID-19) has spread, thought leadership focusing on IT individuals working remotely has increased, but we’d like to offer our insight to benefit those working in both IT and OT.

Here at Dispel we champion remote work for our own employees and want to help yours transition to working remotely, securely. We’re sharing the advice we’ve been providing to our customers. Keep in mind that the transition to working remotely will require buy-in from your whole team.

Here’s what we’ll cover:

1. How to Impose Physical Security at Home
2. Upgrade, or at Least Patch, Your VPN
3. Provide Trusted Devices or Virtual Desktops
4. Enforce MFA & Strong Encryption
5. Keep IT & OT Segmented
6. Enable Whitelisting and Be Wary of Lateral Movement
7. Don’t Let Remote Access Circumvent Local Security Tools
8. Record Remote Access Sessions
9. Make Sure You Can Scale Up/Down

Let’s take a look at how to keep your OT and IT team productive and secure while working remotely:

1.     How to Impose Physical Security at Home

Don’t leave sensitive documents out on your desk—make sure they are locked up in a filing cabinet and stored securely, and require employees do the same. If you’re using a BYOD policy, ensure devices carry full disk encryption and install anti-virus software on all computers.

To promote productivity, encourage employees to create workspaces at home that are separate from their personal space. If work takes place outside of the home, ensure employees utilize an encrypted connection method when connecting to public Wi-Fi or use cellular hotspots when applicable.

2.     Upgrade, or at Least Patch, Your VPN

Many OT workers may need to access equipment without heading to the work site and risking infection. That’s where remote access comes in. Out of necessity, companies often piece together jump hosts and VPNs to solve this problem, but they sacrifice efficiency and security in this process.

If you are committed to using your current VPN, consider whether or not it’s patched. Updating VPNs takes IT time. If unpatched, this can mean a compromise to your network. While looking into VPN security, consider modern alternatives, such as a Moving Target Defense (MTD) network to up your security game. Not only is MTD fast, but it’s more secure than a traditional static VPN and easy to implement.

Examples of VPN breaches:

  • Pulse Connect Secure: CVE-2019-11510 allows an unauthenticated remote attacker to send a specially crafted URI to perform an arbitrary file reading vulnerability.
  • Fortinet: CVE-2018-13382 has an improper authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 under SSL VPN web portal, that allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests.
  • Cisco: CVE-2019-1828 created a vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers, that could allow an unauthenticated, remote attacker to access administrative credentials.

3.     Provide Trusted Devices or Virtual Desktops

Ideally, you want users to access your network from trusted devices. From a remote perspective, there are two ways to go about doing this. The first method is to send employees home with company-purchased laptops, equipped with endpoint security software pre-installed. Another method is to provide virtual desktops that employees can access from their own devices.

If you don’t have an inventory of laptops on hand, you should be using a virtual desktop schema. Virtual desktops protect your systems by allowing users to access equipment securely, even if they’re not on trusted devices. Virtual desktops serve as an intermediary step to protect against malware and can offer full session recording of a user’s interactions with your internal systems. For the best-in-class security, use disposable virtual desktops that cycle on a daily basis with fresh updates and security patches automatically applied.

For OT specifically, some regulations require remote access to ICS through an intermediary server. These include:

NERC-CIP:

  • CIP-005-5, Part 2.1: “Utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset.”
  • CIP-005-5, Part 2.2: “For all Interactive Remote Access sessions, utilize encryption that terminates at an Intermediate System.”
  • CIP-005-6, Part 2.1: “For all Interactive Remote Access, utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset.”
  • CIP-005-6, Part 2.2: “For all Interactive Remote Access sessions, utilize encryption that terminates at an Intermediate System.”

NIST 800-82:

  • 5.4 Boundary Protection: “Implementing proxy servers that act as an intermediary for external domains’ requesting information system resources (e.g., files, connections, or services) from the ICS domain. External requests established through an initial connection to the proxy server are evaluated to manage complexity and to provide additional protection by limiting direct connectivity.”

4.     Enforce MFA & Strong Encryption

As a best practice, all user access should require Multi-Factor Authentication (MFA) when logging in. Temporary one-time passwords, and modern hardware tokens are standard methods of MFA and recommended for logging in. If your industry releases compliance regulations, MFA is often required as part of auditability and necessary to include.

Additionally, all remote connections should be encrypted with the highest level of protection, with at least AES-256.

Compliance regulations that recommend MFA include:

NERC-CIP:

  • CIP-005-5, Part 1.4: “Where technically feasible, perform authentication when establishing Dial-up Connectivity with applicable Cyber Assets.”
  • CIP-005-5, Part 2.3: “Require multi-factor authentication for all Interactive Remote Access sessions.”
  • CIP-007-6, Part 5.1: “Have a method(s) to enforce authentication of interactive user access, where technically feasible.”

NIST 800-82:

  • 5.3 Firewalls: “Enforce secure authentication of all users seeking to gain access to the ICS network.”
  • 5.7 General Firewall Policies for ICS: “All firewall management traffic should be carried on either a separate, secured management network (e.g., out of band) or over an encrypted network with multi-factor authentication. Traffic should also be restricted by IP address to specific management stations.”
  • 5.10.2 Remote Support Access: “Remote support personnel connecting over the Internet or via dialup modems should use an encrypted protocol, such as running a corporate VPN connection client, application server, or secure HTTP access, and authenticate using a strong mechanism, such as a token based multi-factor authentication scheme, in order to connect to the general corporate network.”
  • 6.2.7.1 Password Authentication: “In environments with a high risk of interception or intrusion (such as remote operator interfaces in a facility that lacks local physical security access controls), organizations should consider supplementing password authentication with other forms of authentication such as multi-factor authentication using biometric or physical tokens.”
  • 6.2.7.3 Physical Token Authentication: “Multi-factor authentication is an accepted good practice for access to ICS applications from outside the ICS firewall.”

CMMC:

  • Identification and Authentication, IA.3.083: “Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.”
  • Maintenance, MA.2.113: “Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.”

5.     Keep IT & OT Segmented

Segment your IT and OT. The last thing you need is for an adversary to traverse your IT network to gain access to your OT network. There’s no need for your marketing department to have access to your OT network. In fact, OT employees should have a remote access pathway that is independent and fully segmented from the standard IT access pathway.

In practice, this can be accomplished by building two separate VPN networks, one for your OT and one for IT. As VPN concentrators can be quite expensive and tedious to set up, you may also consider moving target defense networks as a more secure and cost-effective alternative.

Here’s a great example of why this is important: https://www.zdnet.com/article/dhs-says-ransomware-hit-us-gas-pipeline-operator/

6.     Enable Whitelisting and Be Wary of Lateral Movement

Enable whitelisting on both IT and OT networks to grant users appropriate access. Maintain the principle of Least Privilege and make sure remote employees only have access to resources they need access to. Consider implementing a time-based access strategy so that you can more quickly flag out-of-band activity.

7.     Don’t Let Remote Access Circumvent Local Security Tools

A common remote access technique allows direct access to a target or server through a process known as UDP Hole Punching. Although UDP Hole Punching grants convenient, fast access, it creates another threat surface that could put your control systems at risk. Then multiply that surface by the number of endpoints you want to grant access to. UDP Hole Punching works by allowing a remote user to fully bypass most, if not all, of an IT or OT network's local security in order to directly interact with a control system. Given how risky this maneuver is, look for a tool that offers both speed and security instead.

8.     Record Remote Access Sessions

If you’re concerned about how operators and vendors are interacting with your critical systems, use session recording. Virtual desktop platforms can offer session recording, to monitor users—both operators and third parties—and prevent inadvertent malware spread. Recording all actions can help you ensure your equipment is handled correctly, identify interesting training insights, and keep your workers/vendors accountable for their billing hours.

If your industry requires compliance with particular regulations, you must use monitoring and logging techniques to adhere with these standards. Compliance regulations that discuss recording remote sessions include:

NERC-CIP

  • CIP-007-6: “Log events at the BES (Bulk Electric System) Cyber System level (per BES Cyber System capability) or at the Cyber Asset level (per Cyber Asset capability) for identification of, and after-the-fact investigations of, Cyber Security Incidents that includes, as a minimum, each of the following types of events: 4.1.1. Detected successful login attempts; 4.1.2. Detected failed access attempts and failed login attempts; 4.1.3 Detected malicious code.”

NIST 800-82

  • 5.3 Firewalls: “Record information flow for traffic monitoring, analysis, and intrusion detection.”
  • 5.16 Monitoring and Logging: “The security architecture of an ICS must also incorporate mechanisms to monitor, log, and audit activities occurring on various systems and networks.”

CMMC:

  • Access Control: “Monitor and control remote access sessions.”

9.     Make Sure You Can Scale Up/Down

We know this won’t last forever. A lot of these users who need to work remotely now will return to their jobs in a few months’ time. Look for a solution that is easy to implement initially, can scale quickly to meet this surge in demand, and can scale back down once this crisis is over (without costing you multi-year per-user contracts in the meantime).

We’re Here to Help

If you feel like your current method of remote access isn’t working, we may be able help. For more information, visit us at dispel.io.

REFERENCES

https://www.zdnet.com/article/gartner-cancels-events-dell-world-goes-virtual-due-to-coronavirus-2020-tech-conference-cancellations-and-travel-bans/

https://www.inc.com/jason-aten/microsoft-google-twitter-are-telling-employees-to-work-from-home-because-of-coronavirus-should-you.html

https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-005-5.pdf

https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-007-6.pdf

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

https://www.acq.osd.mil/cmmc/docs/CMMC_Model_Main_20200203.pdf


Invest in reliable remote access that works for your team and doesn’t require compromising security. Tell us about your unique OT needs, and get a quote in your first meeting.

Get your demo at https://dispel.io