Many security practitioners have the mistaken impression that Unidirectional Security Gateways are incompatible with remote access and remote support. There are in fact a host of options for strong, unidirectional remote access and support. In this posting, I review the most common three options: server replication, Remote Screen View and Secure Bypass hardware.
Each of these three options is much stronger than traditional software-mediated VPN/RDP/two-factor remote access solutions. Understanding options for safe, secure remote access is especially important in this time of COVID-19 travel restrictions and quarantines for vital employees or vendor personnel.
The simplest and safest unidirectional remote access is access to a replica. Unidirectional Security Gateways routinely replicate OPC, SQL, historian and other servers, unidirectionally. Gateway software queries the source server normally, asking for all the latest data in real time. The software translates this data into Waterfall’s internal formats and transmits the data unidirectionally through Unidirectional Gateway hardware. On the external enterprise network, gateway software connects normally to an identical replica server and updates the server with the latest real-time data. The result is an OPC, SQL, historian or other server on the enterprise network that is a faithful, real-time copy of the industrial server.
Enterprise users, product vendors and other remote support providers interact normally and bi-directionally with the enterprise replicas. These remote support providers can see all the latest production and industrial data in the replica servers. These providers have access to all the latest industrial data, without ever sending any query, command or any other message into the protected industrial network. Server replication provides remote access to industrial data, without requiring remote access to industrial systems.
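The replication flow described above, modelled as an added example (this is illustrative code, not Waterfall's gateway software, and the frame format with a sequence number is an assumption of the example). The one-way hardware is a queue that the industrial side can only put to and the enterprise side can only get from; the enterprise user works against the replica, and the model shows that neither a query nor a write from the enterprise side ever reaches the industrial server, and that a lost frame can only be detected by the receiver, never re-requested:

```python
import copy
import itertools
import queue
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class TagServer:
    """Stand-in for an OPC, SQL or historian server: tag name -> latest value."""
    tags: Dict[str, float] = field(default_factory=dict)
    queries_received: int = 0  # read queries that actually reached this server

    def read_all(self) -> Dict[str, float]:
        self.queries_received += 1
        return dict(self.tags)

    def write(self, tag: str, value: float) -> None:
        self.tags[tag] = value


class OneWayLink:
    """Model of the unidirectional hardware: the industrial side only calls put_tx(),
    the enterprise side only calls get_rx(); there is no method that sends anything back."""

    def __init__(self) -> None:
        self._fifo: "queue.Queue[dict]" = queue.Queue()

    def put_tx(self, frame: dict) -> None:
        self._fifo.put(copy.deepcopy(frame))  # receiver never shares memory with sender

    def get_rx(self) -> Optional[dict]:
        try:
            return self._fifo.get_nowait()
        except queue.Empty:
            return None


class IndustrialSideAgent:
    """TX agent: polls the real server normally and pushes snapshots across the link."""

    def __init__(self, source: TagServer, link: OneWayLink) -> None:
        self.source, self.link = source, link
        self._seq = itertools.count(1)

    def replicate_once(self) -> int:
        seq = next(self._seq)
        # Assumed internal frame format: sequence number + full tag snapshot. The
        # sequence number matters because a one-way receiver cannot ask for a
        # retransmission; it can only notice that a frame never arrived.
        self.link.put_tx({"seq": seq, "tags": self.source.read_all()})
        return seq


class EnterpriseSideAgent:
    """RX agent: drains the link and applies each snapshot to the replica server."""

    def __init__(self, link: OneWayLink, replica: TagServer) -> None:
        self.link, self.replica = link, replica
        self.last_seq = 0
        self.gaps: List[int] = []  # sequence numbers that never arrived

    def apply_pending(self) -> int:
        applied = 0
        while (frame := self.link.get_rx()) is not None:
            expected = self.last_seq + 1
            if frame["seq"] > expected:
                self.gaps.extend(range(expected, frame["seq"]))
            self.last_seq = frame["seq"]
            for tag, value in frame["tags"].items():
                self.replica.write(tag, value)
            applied += 1
        return applied


def demo() -> dict:
    """Runs one replication scenario and returns the observable results."""
    source = TagServer({"pump1.rpm": 1450.0, "tank3.level": 62.5})  # constructed plant data
    replica = TagServer()
    link = OneWayLink()
    tx, rx = IndustrialSideAgent(source, link), EnterpriseSideAgent(link, replica)

    tx.replicate_once()  # seq 1
    rx.apply_pending()
    snapshot_ok = replica.tags == source.tags

    # An enterprise user queries the replica and even writes to it: the
    # industrial server sees neither operation.
    replica.read_all()
    replica.write("pump1.rpm", 9999.0)
    source_untouched = source.tags["pump1.rpm"] == 1450.0

    # The next cycle overwrites the replica with real plant data again.
    source.write("tank3.level", 63.0)
    tx.replicate_once()  # seq 2
    rx.apply_pending()
    replica_resynced = replica.tags == source.tags

    # Constructed fault: one frame is lost on the link before the RX agent sees it.
    tx.replicate_once()  # seq 3, discarded below
    link.get_rx()
    tx.replicate_once()  # seq 4
    rx.apply_pending()

    return {
        "snapshot_ok": snapshot_ok,
        "source_untouched": source_untouched,
        "replica_resynced": replica_resynced,
        "source_queries": source.queries_received,  # only the TX agent's own polls
        "replica_queries": replica.queries_received,
        "gaps": rx.gaps,
        "last_seq": rx.last_seq,
    }
```

The point of the gap list is the operational consequence of a true one-way link: the enterprise side can monitor freshness and completeness of the replica, but any recovery (re-polling, re-sending) has to be initiated from the industrial side.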
Remote Screen View
Unidirectional Remote Screen View (RSV) is the safest way to bring about changes to industrial systems remotely. With RSV, an engineer or technician at the industrial site sits down at an industrial workstation and enables RSV. The RSV software sends screen images to the enterprise network, through the unidirectional hardware. On the enterprise network, a remote support person can see the industrial workstation’s screen in real time, in a conventional web browser, but of course no signal of any sort can penetrate back through the unidirectional hardware into the industrial network to put that network at risk.
Instead, the external support provider works with the person at site over the phone. The external provider can analyze data on the industrial workstation and provide instructions to the on-site technician to bring up additional diagnostics, or to correct configurations or equipment settings. The external provider can see all screen activity in real time, and so can be completely confident that the advice they are providing is accurate, timely and relevant.
Secure Bypass Hardware
Secure Bypass hardware is a way to provide true, time-limited, bi-directional access to industrial systems for external providers. When an industrial site needs temporary assistance from an external support provider, someone at the site goes to the key closet and signs out a physical key. This person inserts the key into the Secure Bypass hardware and physically turns the key.
This action physically and electrically connects a 1Gbps bi-directional copper cable from an external network into the industrial network. Note that a Secure Bypass unit is not deployed to connect enterprise and industrial network switches directly, but rather connects an enterprise network segment to a traditional industrial jump host, with the latest software-based VPN and two-factor security mechanisms installed and activated. The remote service provider logs into this jump host conventionally, and so gains temporary, bi-directional remote access to the industrial site.
After a pre-programmed interval, most commonly 30-90 minutes, the Secure Bypass hardware automatically disables again. This physically and electrically disconnects the copper connection. At this point, no attack packets of any sort can penetrate the Secure Bypass unit into the industrial network. Secure Bypass hardware provides personnel at industrial sites with physical control over when and for how long remote employees and other service providers have remote access to the site.
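The time-limited window described above, as an added example (a software model for illustration, not Waterfall's firmware; the 90-minute cap on the interval and the rule that a second key turn does not extend an open window are assumptions of the example). It also adds the check a site would want alongside the unit: correlate jump-host session start times against the recorded bypass windows, because with the unit wired as described, every session must fall inside a window, and any session that does not points to a path into the site that the physical key does not control:

```python
from typing import Callable, Dict, List, Optional, Tuple


class FakeClock:
    """Injected clock so the model runs instantly and deterministically."""

    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def advance(self, seconds: float) -> None:
        self.t += seconds

    def __call__(self) -> float:
        return self.t


class SecureBypassModel:
    """Model of the key-operated unit: one key turn opens one time-limited window,
    after which the copper path disconnects again without any operator action."""

    def __init__(self, interval_s: int, clock: Callable[[], float],
                 max_interval_s: int = 90 * 60) -> None:
        # The cap on the pre-programmed interval is an assumed site policy.
        if not 0 < interval_s <= max_interval_s:
            raise ValueError(f"bypass interval must be between 1 and {max_interval_s} s")
        self.interval_s = interval_s
        self.clock = clock
        self.enabled_until: Optional[float] = None
        self.windows: List[Tuple[float, float]] = []  # (enabled_at, disables_at)

    def key_turned(self) -> bool:
        """Physical key turn. Returns True if a new window was opened."""
        now = self.clock()
        if self.is_connected():
            return False  # assumption: a second turn does not extend an open window
        self.enabled_until = now + self.interval_s
        self.windows.append((now, self.enabled_until))
        return True

    def is_connected(self) -> bool:
        """True while the copper path is electrically connected; the unit
        disables itself once the interval elapses."""
        if self.enabled_until is not None and self.clock() >= self.enabled_until:
            self.enabled_until = None
        return self.enabled_until is not None


def sessions_outside_windows(windows: List[Tuple[float, float]],
                             session_starts: List[float]) -> List[float]:
    """Defender check: jump-host sessions that began while no bypass window was open.
    With a correctly wired unit this list must be empty."""
    return [t for t in session_starts if not any(s <= t < e for s, e in windows)]


def demo() -> Dict[str, object]:
    """One support day: two key turns, one auto-disable, then the log check."""
    clock = FakeClock(1_000.0)
    unit = SecureBypassModel(interval_s=60 * 60, clock=clock)

    before = unit.is_connected()   # nobody has turned the key yet
    unit.key_turned()
    during = unit.is_connected()
    clock.advance(59 * 60)
    still = unit.is_connected()    # one minute before expiry
    clock.advance(60)
    after = unit.is_connected()    # interval elapsed: auto-disabled

    clock.advance(10 * 60)         # a second, later support session
    unit.key_turned()

    # Constructed jump-host session start times (seconds), as a login log would give them.
    sessions = [1_000.0 + 5 * 60,            # inside the first window
                1_000.0 + 60 * 60 + 10,      # 10 s after the first window closed
                1_000.0 + 70 * 60 + 100,     # inside the second window
                1_000.0 + 3 * 3600]          # hours after any window
    return {
        "before": before, "during": during, "still": still, "after": after,
        "windows": unit.windows,
        "sessions_outside": sessions_outside_windows(unit.windows, sessions),
    }
```

In practice the window list would come from the unit's own audit record or from a contact closure monitored by the site's logging, and the session list from the jump host's authentication log; the comparison is the same.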
With conventional, software-mediated remote access, we deploy software and we cross our fingers. All passwords can be guessed or phished. All security software has vulnerabilities and zero-days, even firewall software, cryptosystems and two-factor authentication software.
Waterfall customers apply physical discipline to their remote access systems. Unidirectional server replication gives remote personnel access to data without providing them access to industrial systems. Remote Screen View lets remote personnel see industrial screens in real time and provide detailed advice to site personnel in order to diagnose and correct operations issues. Secure Bypass hardware gives personnel at industrial sites physical control over when and for how long remote personnel have software-mediated access to industrial systems.
These are the three most popular unidirectional remote access options, but many other designs exist. For a free consultation with a Waterfall solutions architect to explore your specific needs and the most secure unidirectional designs that meet those needs, please contact us through this link.
And if you are an existing Waterfall customer, please be reminded that Waterfall is offering free Remote Screen View licenses to all existing customers through September of 2020 to help our customers through the Coronavirus crisis. For more information on this program, again, please click here, enter your information and we will get back to you promptly.
Please stay safe. Work remotely when practical, safely and unidirectionally.