Digitalisation, including cybersecurity
Remote access to IT and operating technology (OT) systems
Introduction
Digitalisation is increasingly ubiquitous and is now expected to be leveraged across the lifecycle of an asset, including in the process industries. It is not uncommon to retrofit older equipment with modern(ised) digital control systems in response to obsolescence or to extract more value. Remote access to digital infrastructure is usually expected to be part of new packages or to be available after revamps. The risks, including cybersecurity risks, of having or not having remote access to digital data and systems should be addressed as part of change management, and existing systems should also be challenged as part of any risk (re-)assessment.
Control system vendors and packaged equipment providers usually offer support services remotely, which should translate into more cost-effective maintenance and faster responses to assistance requests. Similarly, vendor services for performance or security monitoring are not uncommon and may be implemented as Internet of Things (IoT) devices. Exclusive remote control of an operation is increasingly common for remote sites and may be a practical necessity, if not a contractual requirement, for sites that exist across multiple jurisdictions. However, owners and operators must understand that remote access is an inherently higher security risk than an air-gapped (physically isolated) architecture: every remote path is a path an attacker can also attempt to use. Owners and operators of plants that interact across battery limits should also be aware of their exposure to cyber threats on the other side of the boundary.
Depending on the risk profile of the plant and its control architecture, malicious remote access (a cyber attack) should be treated with the same seriousness as a process safety incident, because there is a realistic probability of cyber and safety incidents leading to one another or occurring in succession. For example, a cyber attack may compromise safety systems and lead to a safety incident, whether that was the attacker's intention or incidental to the initial attack. The operational cost of not having remote access must therefore be balanced against the residual risk that even a robust remote access solution carries.
Common technical features of robust remote access solutions
There are two mechanisms commonly used together to provide remote access to an industrial control system (ICS). Implementation details may vary within a common arrangement as described below:
- Virtual Private Network (VPN) – provides the first point of authentication and an encrypted tunnel. Once VPN access is granted, the user has access to the organisation’s corporate network as if they were using a direct-access workstation on company premises, so the VPN on its own is not sufficient protection for the ICS.
- Layered or zoned networks and firewalls – provide selectivity over software and paths. Only the endorsed remote access software (e.g. a remote desktop application on its designated port) is permitted through each boundary, and only between the intended source and destination zones; everything else is dropped. This is enforced access control, not security by obscurity: the fact that a remote user also needs plant-specific knowledge of where to find the ICS once connected to the VPN adds little and should not be relied upon. Layered networks also help facilitate intrusion detection, since traffic crossing each boundary can be logged and alerted on. If layers are implemented two dimensionally, i.e. zoned rather than only layered, then each remote user can be more readily confined to the areas intended for their access by the asset owner.
Note that Safety Instrumented Systems (SIS) are typically air-gapped, i.e. not remotely accessible, to maximise their security and integrity.
Often the effectiveness of both mechanisms above relies on the secrecy of usernames and passwords. Multi-factor authentication (MFA) prevents a stolen or lost password from being used on its own. Old accounts and specially configured hardware (for example a vendor laptop or modem that bypasses the VPN) represent potential access points, and their removal or reconfiguration is critical if MFA is to mean anything. Procedures are a weak protection on their own; technical enforcement such as requiring MFA, disabling dormant accounts and enforcing password policy is a low-cost improvement.
In the case of third parties such as ICS vendors connecting remotely, it is practicable to only enable remote access, for a limited time, on the request of a trusted company person, to limit the risk of the third party’s account being misused. A request also provides an enforced communication step, notifying operations, who may have relevant work permit procedures. Regular security patching of the software that implements the arrangement described above reduces the likelihood that the software itself can be bypassed.
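The following is an added example, not code from the original article or from any vendor, that models the controls described above as a single deny-by-default policy check: VPN authentication with MFA, a zoned network in which only the endorsed remote access software is permitted into each zone and the SIS is never reachable, automatic rejection of dormant accounts, and third-party access that is only valid inside a time-bounded request approved by a trusted company person. The zone names, ports, accounts, the 90-day dormancy threshold and the session attempts are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed zone model: zone -> endorsed remote-access software as (protocol, port).
# Anything else is dropped, the way a zone firewall would drop it. SIS is listed
# with nothing endorsed so that a request for it is rejected explicitly.
ENDORSED: Dict[str, Set[Tuple[str, int]]] = {
    "corporate": {("https", 443)},
    "dmz": {("rdp", 3389)},        # jump host: remote desktop only
    "plant_dcs": {("rdp", 3389)},  # engineering workstation via remote desktop
    "sis": set(),                  # air-gapped: nothing is endorsed
}
DORMANT_AFTER = timedelta(days=90)  # constructed threshold for unused accounts


@dataclass
class Account:
    name: str
    zones: Set[str]               # zones the asset owner intends this user to reach
    third_party: bool = False     # vendor or partner account
    mfa_enrolled: bool = False
    last_login: Optional[datetime] = None
    disabled: bool = False


@dataclass
class AccessRequest:              # time-bounded approval by a trusted company person
    account: str
    zone: str
    approved_by: str
    start: datetime
    end: datetime


@dataclass
class Session:                    # one attempt after the VPN has authenticated the user
    account: str
    mfa_passed: bool
    zone: str
    proto: str
    port: int
    at: datetime


def evaluate(session: Session, accounts: Dict[str, Account],
             requests: List[AccessRequest]) -> Tuple[bool, str]:
    """Deny-by-default policy; returns (allowed, reason) for the first failing check."""
    acct = accounts.get(session.account)
    if acct is None or acct.disabled:
        return False, "unknown or disabled account"
    if acct.last_login is not None and session.at - acct.last_login > DORMANT_AFTER:
        return False, "dormant account: no login within 90 days"
    if not (acct.mfa_enrolled and session.mfa_passed):
        return False, "MFA required"
    if session.zone not in ENDORSED:
        return False, "unknown zone"
    if session.zone == "sis":
        return False, "SIS is not remotely accessible"
    if session.zone not in acct.zones:
        return False, f"account not authorised for zone {session.zone}"
    if (session.proto, session.port) not in ENDORSED[session.zone]:
        return False, f"{session.proto}/{session.port} not endorsed in {session.zone}"
    if acct.third_party and not any(
            r.account == acct.name and r.zone == session.zone
            and r.start <= session.at <= r.end for r in requests):
        return False, "third-party access needs an approved, current request"
    return True, "allowed"


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Constructed accounts, one approved vendor window, seven session attempts."""
    now = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    accounts = {a.name: a for a in [
        Account("ops_engineer", {"corporate", "dmz", "plant_dcs"},
                mfa_enrolled=True, last_login=now - timedelta(days=2)),
        Account("vendor_support", {"plant_dcs"}, third_party=True,
                mfa_enrolled=True, last_login=now - timedelta(days=10)),
        Account("old_contractor", {"plant_dcs"},
                mfa_enrolled=True, last_login=now - timedelta(days=200)),
    ]}
    requests = [AccessRequest("vendor_support", "plant_dcs", "shift_supervisor",
                              now - timedelta(hours=1), now + timedelta(hours=4))]
    attempts = {
        "engineer_rdp_dcs": Session("ops_engineer", True, "plant_dcs", "rdp", 3389, now),
        "engineer_rdp_sis": Session("ops_engineer", True, "sis", "rdp", 3389, now),
        "engineer_ssh_dcs": Session("ops_engineer", True, "plant_dcs", "ssh", 22, now),
        "engineer_no_mfa": Session("ops_engineer", False, "plant_dcs", "rdp", 3389, now),
        "vendor_in_window": Session("vendor_support", True, "plant_dcs", "rdp", 3389, now),
        "vendor_after_window": Session("vendor_support", True, "plant_dcs", "rdp", 3389,
                                       now + timedelta(hours=6)),
        "dormant_account": Session("old_contractor", True, "plant_dcs", "rdp", 3389, now),
    }
    return {name: evaluate(s, accounts, requests) for name, s in attempts.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run_scenarios().items():
        print(f"{name:20s} {'ALLOW' if allowed else 'DENY'} {reason}")
```

Of the seven attempts only two are allowed: the engineer using the endorsed remote desktop software into the DCS zone, and the vendor doing the same inside the approved window. The same vendor two hours after the window closes is denied, as is any attempt to reach the SIS zone regardless of who makes it. In a real deployment the equivalent of each check lives in a different place (VPN concentrator, zone firewall rules, identity provider, access request workflow); the point of collapsing them into one function is to show that the decision is only as strong as the weakest check, which is why a dormant account or a forgotten vendor modem undermines the rest.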
Role of chemical engineers
The often multidisciplinary role of chemical or process engineers in projects best places them to identify increased risk in areas which are not traditionally in the spotlight of change management procedures, including cybersecurity. The process engineer ought to be able to identify the risk to existing or new plant when packaged equipment or partner-operated plant is introduced with its own means of remote access.
Within operations, engineers should ensure that up to date procedures are available and are able to be implemented. Procedures may include the response to suspected unauthorised access, or the proper means to authorise ad hoc or third-party remote access, for example as part of a work permit system.
Who is responsible for remote access?
Implementing the infrastructure for remote access typically falls to a combination of owner/operator IT staff and ICS vendors, with engineering oversight, to ensure compliance with all system and process requirements. In the cases of vendor-packaged equipment and partner-operated plant, the technical solution used should be communicated to all stakeholders, so that each can confirm that they are aligned on the accepted level of risk. The judgement of process engineers who are sufficiently knowledgeable of the process and aware of the safety, environmental and digital risks should guide this communication. For the remote access system to remain robust against cyber attacks, it may be necessary to establish during procurement a mandatory requirement that vendors and partners notify the owner of staff movements (for example the departure of personnel who hold access) and of policy changes, so that accounts and devices can be revoked or reconfigured promptly.
Case study
March 2000 – Maroochy Shire, Queensland, Australia – A disgruntled former engineer retained their ex-employer’s laptop and radio transmitters, which they used to interfere with sewage pumping systems and cause the release of untreated sewage into waterways. Although the employer had disabled the privileged accounts, it was unaware of other accounts that remained usable from the retained company devices.
Additional information
Australia
- COVID-19 – Remote access to Operational Technology Environments
- Industrial Control Systems Remote Access Protocol