INDUSTRY INITIATIVE

ei³ leads OMAC's Security Considerations for Remote Access Initiative

Recent ransomware attacks have put the spotlight on potential security vulnerabilities of some industrial Remote Access solutions. Around the world, users are scrambling to understand and mitigate these vulnerabilities. With this in mind, the Organization for Machine Automation and Control (OMAC) convened its second “Remote Access Workgroup,” to present practical, field-tested methods for reducing cybersecurity-related risk.

The workgroup, led by ei³, also reviews issues created by actors or processes that cause intentional or unintentional security incidents. This document is a follow-up to the initial OMAC document titled “Practical Guide for Remote Access to Plant Equipment ,” published in January 2021. It is recommended that the reader of this addendum first review that document to better understand all the aspects of remote access before taking a detailed look at security.

About the Security Considerations for Remote access Workgroup

PARTICIPATING ORGANIZATIONS

The “Security Considerations for Remote Access” document provides a broad perspective and insights from an experienced group of 47 members representing End Users, and the OEMs, System Integrators, and Equipment Suppliers that support them.

End Users include Cargill, Colpal, Corning, Frito Lay – Pepsico, General Motors, P&G, Rohm and Haas
OEM’s such as Barry-Wehmiller, Dürr USA, Mettler Toledo, Milacron, Nordson Corporation, ProMach
System Integrators like Applied Control Engineering, Bachelor Controls, DMC, Interstates, Martin CSI, The EOSYS Group, Outlier Automation, Rovisys, SAGE and
Groundbreaking Technology Companies like Beckhoff, Cisco, Dispel, Dynics, EtherCAT Technology Group, KORE Wireless, Mitsubishi Electric Europe B.V., Nozomi Networks, Sick, Siemens
A special mention goes to Packaging Machinery Manufacturers Institute (PMMI) for their support

TOPICS

Cybersecurity Challenges

Chapter 1:

Individual or Operational Threats

Chapter 2:

Remotely Connecting Outside the Facility

Chapter 3:

Internal Security

Chapter 4:

Policies or Procedures When Vetting a Remote Access Solution

What the members say

"There are very few examples of realistic and well-thought-out Remote Access plans. Often, it’s uncontrolled with operators/engineers installing TeamViewer, VNC, etc., to get the job done. Even larger companies suffer from this because they tend to lock things down to the point where production staff deliberately bypass restrictions to keep production running."

"Suddenly, the need to remotely access 1-2 systems has ballooned to 5-10x. Previously it was acceptable to fly someone in to make changes, especially on systems that were more likely air-gapped. Combine this with the fact that there are savings in fixing something more quickly via Remote Access. Now we need to enable more Secure Remote Access to many more systems, which has increased the complexity and chances of issues."

"Many companies would just grab whatever was free to connect, regardless of licensing or security risks. Now I’m seeing blanket policies that prevent such access."

"Backup, patching and antivirus solutions are all best practices but can provide a false sense of security if they are not maintained and monitored. It’s like having a spare tire in the trunk, only to discover its flat when you need it."

"Consider methods that can limit connection to the specific devices of interest. It is important to minimize or limit a connection from accessing other devices that may be on the same local area network but not required for support. This is especially true if multiple devices of the same type exist on the network. A major concern and cause of security problems is individuals making changes to the wrong device."

"A solid disaster recovery policy should also be developed (backup/restore) to allow a system to be returned to a known state quickly if the security controls don’t prevent an attack."