Cyber Resilience
Operational Technology
Zero Trust

Secure Remote Access for Smart Factory Environments

Jim LaBonty / Feb 10, 2025

As shop floors and factories get smarter, we’re seeing an unprecedented surge in, and demand for, remote access to manufacturing systems. Why? For one, smart factories and smart manufacturing operations use sensors, computerized equipment, and other means of collecting data that is analyzed to identify areas for efficiency gains and process improvement. The ability to remotely monitor and configure these tools is invaluable to an organization looking to make real-time manufacturing flow updates in response to changes in conditions on the shop floor. 

Ultimately, we’re talking about new efficiencies, better productivity, and cost reductions. But these gains can go out the door in a big hurry if systems are insecurely connected to the corporate network and the external Internet. One of the biggest cybersecurity mistakes in operational technology (OT) is directly exposing manufacturing assets or systems to the Internet instead of placing them behind a set of firewalls or a secure remote access solution. Opening a port on an external-facing firewall for an asset, for example, gives it a publicly reachable address that anyone can scan. A crafty attacker could map a particular class of devices, abuse weak credentials, and gain access to the device itself or use it to pivot deeper into the enterprise network and the manufacturing systems behind it. 

Other utilities such as the Remote Desktop Protocol (RDP), TeamViewer, or VNC, meanwhile, afford external users easy access but do little in the way of enterprise-grade cyber security. Some of these tools lack basic security hygiene or features such as multi-factor authentication, logging, and session recording, the very controls that give an asset owner the ability to lock down access to manufacturing devices from the Internet, or to cut off that external access if it’s deemed malicious. 

Remote access protection is not an area where you should be skimping. 

Secure Remote Access Basics for Factories

Secure remote access for factories connects engineers, integrators, and asset operators to industrial equipment on the shop floor. It not only enables admin and maintenance operations from anywhere in the world, but also brings efficiencies via remote monitoring of processes, and protects the integrity of data as it moves across the integrated networks and beyond to external third parties. 

Organizations that successfully manage enterprise-grade secure remote access implementations can enjoy a number of benefits that ultimately hit the bottom line:

  • Reduced travel costs by eliminating much of the need for engineers and other technical experts to fly to remote global sites.

  • Minimal downtime, for the same reason; the potential for real-time resolution of issues remotely in minutes vs. paying to fly someone to a remote site over many days.

  • Increased opportunities for specialization services from third parties who are given permission to tunnel in remotely and are monitored securely.

VPNs, firewalls, and secure remote access solutions should bring a handful of security features and complement other network-level protections for your overall cybersecurity ecosystem: 

  • Multifactor authentication is no longer a nice-to-have feature. Secondary forms of authentication should be a policy mandate and enforced regularly. Note: many regulations today require MFA, whether a PIN sent to a mobile device or a hardware-based token, as a condition of compliance. 

  • Privileged access controls limit who has access to sensitive process functions, who is authorized to make configuration changes or perform security/feature updates; this access should be monitored and strictly enforced as well.

  • Ensure that manufacturing endpoints are at current operating system and patch levels during planned shutdown windows on the factory floor, and that critical factory networks are segmented from the corporate network—and definitely segmented from the public internet as well.

There are many challenges to secure access for manufacturing, and one of the most obvious is the plethora of technology, systems, and excessive number of OT tools in use. Third-party contractors, supply-chain partners, and even internal asset operators and engineers may want to bring their own remote access tools to the party. Many of these lack the modern cybersecurity features listed above, such as MFA, role-based access controls, and privileged access management, and their use also means the firm loses control over the changes made through them. 

A recent Claroty report showed that 55% of organizations deployed four or more remote access tools that connect OT to the public network. These are expansive attack surfaces that not every organization has complete visibility into. Worse, some versions of these deployed tools are no longer supported by their respective vendors and contain unpatched vulnerabilities or lack modern security features. 

Organizations must inventory these tools, and globally establish and enforce policies that prohibit the implementation of a remote access utility that doesn’t meet established company security standards. 
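The inventory and policy step above lends itself to a simple automated check. The following is an added example, not code from the original article or from any vendor product: it runs a constructed inventory of remote access deployments against the baseline the article describes (MFA, role-based access, logging, session recording, vendor support, no direct Internet exposure) and flags sites that have accumulated four or more tools, the sprawl figure cited above. The tool names, sites and control field names are illustrative assumptions.

```python
"""Audit an inventory of OT remote-access tools against a company baseline.

Added example, not from the original article. The inventory below is
constructed sample data; the control names are illustrative, not a real
product's configuration schema.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Controls the article says every remote-access path should provide.
REQUIRED_CONTROLS = ("mfa", "rbac", "session_logging", "session_recording")
# Sprawl threshold mirrors the "four or more tools" figure cited in the text.
SPRAWL_THRESHOLD = 4


@dataclass
class RemoteAccessTool:
    name: str
    site: str
    vendor_supported: bool   # still receiving security patches from the vendor
    internet_exposed: bool   # reachable through a port opened on the external firewall
    controls: dict = field(default_factory=dict)  # control name -> enabled?


def tool_findings(tool):
    """Return the list of policy violations for one tool (empty list == compliant)."""
    findings = []
    for control in REQUIRED_CONTROLS:
        if not tool.controls.get(control, False):
            findings.append(f"missing {control}")
    if not tool.vendor_supported:
        findings.append("unsupported version (unpatched vulnerabilities likely)")
    if tool.internet_exposed:
        findings.append("directly exposed to the Internet; must sit behind the remote-access gateway")
    return findings


def audit_inventory(tools):
    """Map each non-compliant tool to its violations and list sites with tool sprawl."""
    report = {"noncompliant": {}, "sprawl_sites": []}
    per_site = defaultdict(set)
    for tool in tools:
        per_site[tool.site].add(tool.name)
        findings = tool_findings(tool)
        if findings:
            report["noncompliant"][f"{tool.site}/{tool.name}"] = findings
    report["sprawl_sites"] = sorted(
        site for site, names in per_site.items() if len(names) >= SPRAWL_THRESHOLD
    )
    return report


# Constructed sample inventory (fictional sites and deployments).
SAMPLE_INVENTORY = [
    RemoteAccessTool("sra-gateway", "plant-a", True, False,
                     {"mfa": True, "rbac": True, "session_logging": True, "session_recording": True}),
    RemoteAccessTool("vnc-line3", "plant-a", True, True, {"session_logging": False}),
    RemoteAccessTool("integrator-teamviewer", "plant-a", False, False, {"mfa": True}),
    RemoteAccessTool("rdp-jumphost", "plant-a", True, False,
                     {"mfa": True, "rbac": True, "session_logging": True, "session_recording": False}),
    RemoteAccessTool("sra-gateway", "plant-b", True, False,
                     {"mfa": True, "rbac": True, "session_logging": True, "session_recording": True}),
]

if __name__ == "__main__":
    result = audit_inventory(SAMPLE_INVENTORY)
    for key, findings in result["noncompliant"].items():
        print(key, "->", "; ".join(findings))
    print("sites with tool sprawl:", result["sprawl_sites"])
```

In practice the inventory would be populated from firewall rule exports, the SRA gateway's configuration and endpoint agents rather than typed by hand; the value of the check is that any tool that fails it becomes a tracked exception rather than an unknown.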

Zero-Trust for Manufacturing

The zero-trust security model within factory environments requires constant verification and authentication of any device, user, or system attempting to access an asset on the manufacturing network. 

This approach, while complex and expensive to implement, is a crucial strategy as factories become smarter and advanced technologies such as digital twins, augmented reality, machine learning, and other AI tools are introduced. These systems not only provide advanced data collection and analytical capabilities, but also introduce additional risk to manufacturing operations that must be well understood and managed. 

Secure remote access is part of this risk equation, and zero trust can be especially effective in validating user and machine-to-machine authentication and communications based on a number of factors, including remote location and certain privileges attached to particular roles/functions. 

Zero trust approaches rely on enforcement of the principle of least privilege which, like other controls, can minimize the damage from a compromised system or account. This is at the crux of developing resilient OT networks that can withstand attacks: zero trust in concert with network segmentation and other security controls, such as asset identification and verification for visibility, can limit the spread of network intrusions and reduce the risk that industrial processes are disrupted or modified maliciously. 
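To make the per-request verification described in this section concrete, the following is an added example, not code from the original article or from any product: a default-deny access decision for a remote session that combines the factors the text names, namely verified identity (MFA), role-based least privilege over zones and actions, the origin network, and device posture for actions that change process state. The role names, zones, request fields and the partner-network rule are illustrative assumptions; a real deployment would take these from the identity provider, device management and the remote access gateway.

```python
"""Zero-trust access decision for a remote session into a manufacturing zone.

Added example, not from the original article. Roles, zones and request
fields are illustrative assumptions. Every check must pass; the default
answer is deny.
"""
from dataclasses import dataclass

# Least privilege: each role gets only the zones and actions it needs.
ROLE_POLICY = {
    "process_engineer": {"zones": {"line1", "line2"}, "actions": {"monitor", "configure"}},
    "maintenance": {"zones": {"line1", "line2", "utilities"}, "actions": {"monitor", "configure", "patch"}},
    "integrator": {"zones": {"line2"}, "actions": {"monitor", "configure"}},  # third party
    "analyst": {"zones": {"line1", "line2", "utilities"}, "actions": {"monitor"}},
}
# Actions that modify process or endpoint state need stronger guarantees than monitoring.
CHANGE_ACTIONS = {"configure", "patch"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    zone: str
    action: str
    mfa_verified: bool
    device_managed: bool         # enrolled in the company's device management
    device_patched: bool         # posture check passed at session start
    origin: str                  # "corporate", "vpn" or "partner" (assumed labels)
    in_maintenance_window: bool  # planned shutdown window for patching


def evaluate(req):
    """Return (allowed, reasons); reasons is empty only when every check passed."""
    policy = ROLE_POLICY.get(req.role)
    if policy is None:
        return False, ["unknown role"]
    reasons = []
    if not req.mfa_verified:
        reasons.append("MFA not verified")
    if req.zone not in policy["zones"]:
        reasons.append(f"role {req.role} not entitled to zone {req.zone}")
    if req.action not in policy["actions"]:
        reasons.append(f"role {req.role} not entitled to action {req.action}")
    # Assumed rule: the partner network is only for third-party integrator sessions.
    if req.origin == "partner" and req.role != "integrator":
        reasons.append("partner network may only carry integrator sessions")
    if req.action in CHANGE_ACTIONS and not (req.device_managed and req.device_patched):
        reasons.append("device posture check failed for a change action")
    if req.action == "patch" and not req.in_maintenance_window:
        reasons.append("patching only permitted in a planned maintenance window")
    return len(reasons) == 0, reasons


# Constructed sample requests (fictional users).
SAMPLE_REQUESTS = [
    AccessRequest("alice", "process_engineer", "line1", "configure", True, True, True, "vpn", False),
    AccessRequest("bob", "analyst", "line1", "configure", True, True, True, "corporate", False),
    AccessRequest("carol", "integrator", "line2", "configure", False, True, True, "partner", False),
    AccessRequest("dave", "maintenance", "utilities", "patch", True, True, False, "vpn", False),
    AccessRequest("eve", "maintenance", "line1", "monitor", True, False, False, "partner", False),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        allowed, reasons = evaluate(req)
        print(req.user, "ALLOW" if allowed else "DENY", "; ".join(reasons))
```

The point of returning the full list of reasons rather than stopping at the first failure is operational: the denial is logged with every factor that failed, which is what an incident responder needs when a session is later reviewed.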

Wrapping Up

The growing demand for remote access isn’t about to lessen any time soon, especially in manufacturing environments. Here are a few reference resources to consider:

Jim LaBonty
Retired- Head of Global Automation Engineering - Pfizer, Inc.

Jim LaBonty is the retired Director and Head of Global Automation Engineering for Pfizer's Global Engineering & Technology division. In this role he primarily focused on establishing the strategic direction and harmonizing control system solutions across 42 manufacturing sites globally, including securing the development of Pfizer's COVID-19 vaccine. Previously, LaBonty held senior engineering and system architect roles at Rockwell Automation, Eli Lilly & Company, and Eastman Kodak Company. He now leverages his decades of experience to help firms with their corporate OT cyber strategy and global program execution, with the goal of protecting manufacturing.
