Implementing remote working in ICS environments
In today’s society it has become common practice to work and follow up on business from home or another remote location. The flexibility that some employees enjoy today is increasingly in demand in other businesses as well. One of these is the production area, which works with a different kind of end user, ranging from operators and engineers to business owners.
In this use case we assume that our IT landscape follows the ISO 27000 series of standards. For our production / manufacturing area, the IEC 62443 standard is our guideline for building an adequate and resilient remote connection.
These rules should be kept in mind when setting this up:
End user level:
* Only an IT-hardened laptop or IT-hardened image is allowed to connect to your corporate infrastructure, and only through a proper multi-factor access control mechanism.
* No split VPN tunnel is allowed.
* A system image health check is needed before the VPN tunnel is established (antivirus / OS patches).
* Multi-factor authentication is mandatory for establishing the VPN tunnel.
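The “no split VPN tunnel” rule is easy to state and easy to lose in a client profile. The following is an added example, not code from the article or from Toreon; it assumes the client is OpenVPN and that the full-tunnel requirement is enforced in the client profile itself rather than left to a server push. It flags the directives that force all traffic into the tunnel (`redirect-gateway`) and the ones that quietly re-enable split tunnelling (`route-nopull`, `pull-filter ignore "redirect-gateway"`). The sample profiles and hostnames are constructed.

```python
"""Audit an OpenVPN client profile for the 'no split tunnel' rule.

Added example, not from the original article. It assumes the VPN client is
OpenVPN and that the full-tunnel requirement is enforced in the client profile
itself rather than left to a server push. Sample profiles are constructed.
"""
import re

# Forces all client traffic into the tunnel (full tunnel).
FULL_TUNNEL = re.compile(r"^redirect-gateway\b")

# Client-side directives that bring split tunnelling back, even when the
# server pushes redirect-gateway.
SPLIT_TUNNEL_RISKS = (
    re.compile(r"^route-nopull\b"),
    re.compile(r'^pull-filter\s+ignore\s+"?redirect-gateway'),
)


def _directives(text: str):
    """Yield (line number, directive) with comments and blank lines removed."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # '#' and ';' start comments
        if line:
            yield lineno, line


def audit_profile(text: str) -> list[str]:
    """Return findings for a client profile; an empty list means it complies."""
    findings = []
    has_full_tunnel = False
    for lineno, line in _directives(text):
        if FULL_TUNNEL.match(line):
            has_full_tunnel = True
        for pattern in SPLIT_TUNNEL_RISKS:
            if pattern.match(line):
                findings.append(f"line {lineno}: '{line}' re-enables split tunnelling")
    if not has_full_tunnel:
        findings.append(
            "no 'redirect-gateway' directive: traffic for destinations outside "
            "the tunnelled routes leaves the laptop outside the VPN"
        )
    return findings


# Constructed sample profiles (hostnames are placeholders, not real endpoints).
COMPLIANT_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
redirect-gateway def1   # full tunnel: everything goes through corporate
auth-user-pass          # second factor is enforced by the VPN server
verb 3
"""

SPLIT_PROFILE = """\
client
dev tun
remote vpn.example.invalid 1194
route-nopull            ; ignore pushed routes -> only the OT subnet is tunnelled
route 10.10.0.0 255.255.0.0
"""

if __name__ == "__main__":
    for name, profile in (("compliant", COMPLIANT_PROFILE), ("split", SPLIT_PROFILE)):
        print(name, audit_profile(profile) or ["OK"])
```

Run it over the profiles you hand out to remote users; a profile that relies solely on the server pushing `redirect-gateway` will be reported as non-compliant, which is the point: the laptop should not be able to opt out of the full tunnel.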
Company IT level:
* All communication flows to the ICS environment should be encrypted up to the first DMZ “Sandwich” firewall. A sandwich firewall is a minimum of two firewalls that encapsulate the DMZ layer, as shown in the image below: one firewall on top, the DMZ layer in the middle and one firewall at the bottom. Best practice is to use two different kinds of firewall from different vendors.
* OT and IT should be separated by a DMZ (this can be designed from a High Availability perspective).
- This DMZ is preferably separated by two different types of firewalls to create a “Sandwich”.
* Data flows from IT to OT should use the port swap technique.
Company OT level:
* The remote user can only connect to a “view” terminal server.
- The user should not have any configuration or admin rights. If such elevated privileges are needed, additional mitigations should be in place.
* Network segregation should be done according to IEC 62443-3-2.
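The IT-level rules (encrypted flows up to the first sandwich firewall, IT and OT joined only through the DMZ, port swap on the IT-to-OT leg) and the OT-level rule (remote users reach nothing but the view terminal server) can be checked mechanically against a rule base. The block below is an added example, not code from the article or from Toreon. Zone names, host names and the rule bases are constructed. “Port swap” is read here as: the protocol/port a flow uses from IT into the DMZ must differ from the one the DMZ relay uses onward into OT, so that the DMZ host terminates one session and originates another; that reading, and the TLS-on-443 / RDP-on-3389 pairing, are assumptions.

```python
"""Check a two-firewall "sandwich" DMZ rule base against the IT- and OT-level rules.

Added example, not from the original article. Zone names, host names and the
rule bases are constructed. 'Port swap' is read here as: the protocol/port a
flow uses from IT into the DMZ must differ from the one the DMZ relay uses
onward into OT. That reading is an assumption, as is the 443 / 3389 pairing.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: str      # "*" means any host in dst_zone
    proto: str
    port: int
    encrypted: bool    # the permitted protocol carries its own encryption


VIEW_SERVER = "view-terminal-server"   # the only OT host remote users may reach


def check_sandwich(upper: list[Rule], lower: list[Rule]) -> list[str]:
    """upper = IT/DMZ firewall, lower = DMZ/OT firewall. Empty list = compliant."""
    findings = []

    # 1. No rule on either firewall may join IT and OT directly.
    for r in upper + lower:
        if {r.src_zone, r.dst_zone} == {"IT", "OT"}:
            findings.append(f"direct IT<->OT rule bypasses the DMZ: {r}")

    # 2. Flows towards the ICS side must be encrypted up to the first firewall.
    for r in upper:
        if r.src_zone == "IT" and r.dst_zone == "DMZ" and not r.encrypted:
            findings.append(f"unencrypted IT->DMZ flow: {r}")

    # 3. Port swap: nothing that enters the DMZ from IT may continue into OT
    #    on the same protocol/port (the relay must re-originate the session).
    it_to_dmz = {(r.proto, r.port) for r in upper
                 if r.src_zone == "IT" and r.dst_zone == "DMZ"}
    dmz_to_ot = {(r.proto, r.port) for r in lower
                 if r.src_zone == "DMZ" and r.dst_zone == "OT"}
    for proto, port in sorted(it_to_dmz & dmz_to_ot):
        findings.append(f"port swap violated: {proto}/{port} used on both legs")

    # 4. Into OT, only the DMZ may speak, and only to the view terminal server.
    for r in lower:
        if r.dst_zone == "OT" and (r.src_zone != "DMZ" or r.dst_host != VIEW_SERVER):
            findings.append(f"OT entry not limited to DMZ -> {VIEW_SERVER}: {r}")

    return findings


# Constructed rule base that follows the rules in the article.
UPPER_FW = [Rule("IT", "DMZ", "jump-host", "tcp", 443, True)]      # TLS to the relay
LOWER_FW = [Rule("DMZ", "OT", VIEW_SERVER, "tcp", 3389, True)]     # relay -> view server

# Constructed rule base with two common shortcuts added.
UPPER_FW_BAD = UPPER_FW + [Rule("IT", "OT", "*", "tcp", 3389, True)]   # IT straight into OT
LOWER_FW_BAD = LOWER_FW + [Rule("DMZ", "OT", "*", "tcp", 443, True)]   # same port on both legs, any host

if __name__ == "__main__":
    print(check_sandwich(UPPER_FW, LOWER_FW) or ["compliant"])
    for finding in check_sandwich(UPPER_FW_BAD, LOWER_FW_BAD):
        print("-", finding)
```

The value of a check like this is that it runs against the two rule bases as exported, so a “temporary” direct IT-to-OT rule or a DMZ relay that simply forwards the same port shows up as a finding rather than surviving until the next audit.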
At Toreon, we have extensive experience working in both ICS and ICT environments and can bridge the gap between your IT and your OT. Want to know more? Get in touch with our experts.