Secure Remote Access: How to Protect Your Plant Floor
December 4, 2019
By Elliott Pennington, Business Development Lead
As plant floors become more connected – from the equipment to the systems – the way manufacturers manage internal and external access to that technology is evolving. Digitization has myriad benefits, but it also comes with inherent risks, and IT/OT convergence doesn’t make it any easier. Every manufacturer should be concerned about the rise in ransomware and cyber attacks that have taken advantage of the vulnerabilities specific to the OT environment.
More commonly, human errors can result in unplanned downtime as well as safety and environmental risks. While remote access enables virtual troubleshooting and monitoring that would otherwise be expensive and time-consuming, it also opens up the potential for mistakes. For example, it’s not difficult for an off-site vendor or on-site manager to accidentally download a program to the wrong PLC, which can result in incorrect functioning, downtime, production losses and additional costs.
Secure Remote Access: What is It?
Secure remote access provides both a secure line of communication and an avenue for remote access to enable the active management of access to the machines, equipment, controllers and systems on your plant floor. Most manufacturers use equipment brought in by original equipment manufacturers (OEM) or system integrators (SI), who can remotely connect in order to troubleshoot and manage that equipment, including HMIs and PLCs. Thanks to secure remote access, they can respond more quickly to issues and provide better uptime and availability for their equipment.
While some manufacturers are on top of their secure remote access policy and management, many are not. And that’s understandable – it’s complicated. After all, you may have a number of OEM and SI partners needing access to parts of your manufacturing lines. And depending on what industry you’re in, your plant may not have to adhere to regulations that require stringent cybersecurity plans.
Secure remote access is about much more than the technology used to enable it, which in most cases is a VPN, or virtual private network. The VPN provides the infrastructure, serving as a secure virtual tunnel, for managing who is traveling through that tunnel to access your plant floor.
Controlling Virtual Traffic
With secure remote access, you can manage the policy and procedures, control who has access to what, ensure secure communications, and conduct audits and traceability of service.
One way to restrict access is a firewall rule configuration that allows only outbound, not inbound, traffic from your site. Inbound traffic that is permitted is restricted to specific IP addresses with authentication requirements, further limiting that access. By restricting the communications capabilities and managing access, you’re able to monitor, track and log all activity.
Not only does this give manufacturers the power to proactively control the virtual traffic on their plant floors, but it provides enormous value by providing timely issue resolution and reducing unplanned downtime. In manufacturing, time is money – secure remote access can help protect your bottom line by helping you make modifications to the production environment more quickly, run more efficiently, and make better data-driven decisions.
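The access rule described in this section (outbound allowed, inbound limited to specific IP addresses with authentication, every attempt logged) can be sketched as a small policy check. This is an added example, not code from the original article or from Rockwell Automation; the vendor names, asset names, IP addresses and record fields are constructed assumptions.

```python
import ipaddress

# Constructed policy (assumption): vendor -> allowed source networks and assets.
POLICY = {
    "oem-packaging": {"sources": ["203.0.113.0/28"],
                      "assets": {"PLC-LINE1", "HMI-LINE1"}},
    "si-controls": {"sources": ["198.51.100.7/32"],
                    "assets": {"PLC-LINE2"}},
}

# Constructed connection attempts, as a remote-access gateway might record them.
SESSIONS = [
    {"direction": "outbound", "src": "10.0.0.5", "vendor": None,
     "authenticated": False, "asset": None},
    {"direction": "inbound", "src": "203.0.113.5", "vendor": "oem-packaging",
     "authenticated": True, "asset": "PLC-LINE1"},
    {"direction": "inbound", "src": "203.0.113.5", "vendor": "oem-packaging",
     "authenticated": True, "asset": "PLC-LINE2"},   # wrong PLC for this vendor
    {"direction": "inbound", "src": "203.0.113.40", "vendor": "oem-packaging",
     "authenticated": True, "asset": "PLC-LINE1"},   # source not on the allowlist
    {"direction": "inbound", "src": "198.51.100.7", "vendor": "si-controls",
     "authenticated": False, "asset": "PLC-LINE2"},  # authentication failed
]

def evaluate(session, policy=POLICY):
    """Return (decision, reason) for one connection attempt."""
    if session["direction"] == "outbound":
        return ("allow", "outbound traffic from site")
    entry = policy.get(session["vendor"])
    if entry is None:
        return ("deny", "unknown vendor")
    src = ipaddress.ip_address(session["src"])
    if not any(src in ipaddress.ip_network(net) for net in entry["sources"]):
        return ("deny", "source IP not on allowlist")
    if not session["authenticated"]:
        return ("deny", "not authenticated")
    if session["asset"] not in entry["assets"]:
        return ("deny", "asset outside vendor scope")
    return ("allow", "policy match")

def audit(sessions, policy=POLICY):
    """Record a decision for every attempt, allowed or denied, for traceability."""
    return [dict(s, decision=d, reason=r)
            for s in sessions for d, r in [evaluate(s, policy)]]

if __name__ == "__main__":
    for rec in audit(SESSIONS):
        print(rec["direction"], rec["src"], rec["asset"], rec["decision"], rec["reason"])
```

The third record is the wrong-PLC case: the vendor connects from an approved address and authenticates, but the target is outside the assets the policy grants.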
People, Policy and Procedures
In order to make security a part of the workplace culture, manufacturers need to focus on three things: people, policy and procedures.
- People: This includes everyone who is involved in the use and management of secure remote access, including third-party security providers, OEMs and system integrators who have users with access, site staff and managers, and the corporate governance team. These teams are key to making policies and procedures work. And with the right education and training, they will help you create a culture of security in the workplace that will help decrease vulnerabilities and risk.
- Policy: The policy is where you start – this guiding principle defines how secure remote access will be managed. It should outline who needs access, to what, and why. It should address whether there’s one process or multiple, whether access is centralized or spread out, and whether this is active or passive management. Are there other policies that need to be taken into consideration when developing this one, such as the overall security profile? If you already have a policy for physical security, which might include badge access and rules about who is allowed where, how does that extend to or interconnect with the remote community? If you want to revise your current policy, review logging and traceability capabilities as well as audit results. And don’t forget to test your own system to look for holes and improvements.
- Procedures: This is where you explain what steps need to be followed to enact the policy. When documented and put into place, procedures provide great value as playbooks that anyone should be able to understand and follow. Procedures bring it full circle – ensuring that the people involved are properly communicated with, that consistency is maintained through any workforce turnover, and that a culture of security is part of the conversation.
Security and Network Solutions, Customized for Your Needs
Whether you’re starting from scratch or looking to improve your current secure remote access policy and procedures, Rockwell Automation Security Services can help. We can help you proactively control and manage the access of OEMs, SIs and other partners. We can also provide solutions to help you deal with the industrial skills gap – whether that means maximizing the impact of your current staff by leveraging their skills remotely, or outsourcing a remote monitoring and administration capability to our team of engineers.
The bottom line for manufacturers is: if you don’t actively manage the remote access to your plant floor, you are exposing your assets to vulnerability risk. And every day, those risks just get more serious.