
Secure remote maintenance for safety systems

Author : Alexander Horch, HIMA Group

26 November 2020

The COVID-19 pandemic has given the world a boost in digitisation that no one could have imagined. It can therefore be expected that previously known trends towards automation and digitalisation will continue to increase even faster. A particularly important aspect of digitalisation is the issue of remote access to industrial facilities.

Figure 1: Highly scalable secure remote access system

Such remote accesses are already used in many industries. However, there are several problems here. Firstly, it may create an opaque network of IT solutions that are difficult to handle and control. Secondly, any external access offers potential vulnerabilities for cyber-attacks.

It is obvious that the remote maintenance of process plants via public networks in an industrial environment enables considerable cost advantages. On the other hand, significant security risks can be expected when control system networks are accessed remotely. If a process network does not have an effective protective shield, a single security gap can make the whole production process vulnerable to attacks – with potentially catastrophic consequences. It is therefore necessary to reduce these vulnerabilities to an acceptable minimum. The term "acceptable" here means that compromising such a system must be so difficult that any attacker abandons the plan because of the enormous effort it would require.

It requires considerable know-how to manage secure remote access systems efficiently. Ideally, this know-how is available inside the company; otherwise it should be acquired through cooperation with a trustworthy partner. Doing nothing, however, could be a serious mistake.

Safety systems, the last line of protection in a process plant, need to be protected particularly well. When discussing remote access to such systems, the arguments above become even more important. Accessing safety systems remotely is the greatest challenge for the security of such a system.

The most severe consequence of a vulnerability in a process network is a reduction in plant safety, and there is an increased risk of personal, environmental and huge economic damage. Previously, this ruled out remote access to safety systems. Today, such solutions exist!

Requirements for remote access systems for industrial plants

The German Federal Office for Information Security (BSI), the central point of contact for IT security issues in Germany, helps to avoid risks faced by plant owners and operators. The BSI publication on cyber security (BSI-CS 108 / Version 1.0 / 1.2015 – see References below) provides an overview of the generic requirements for industrial remote maintenance according to the current state-of-the-art. A simple checklist as a basis for an investment decision for remote access systems can be derived from this publication and is shown in the Table below.

When designing secure remote access systems, it is important to take a holistic view. The best way to avoid overlooking hidden vulnerabilities is to comply with requirements from national security institutes such as the German BSI.

In collaboration with its partner genua, HIMA now offers a solution that meets the highest requirements for secure remote maintenance in industrial environments. With that solution, which is built around a rendezvous server, no direct access from the remote maintenance station to the production environment is possible. Instead, all maintenance connections run via a rendezvous server installed in a demilitarised zone (DMZ), where both the maintenance service and the plant personnel establish connections during an agreed time window. The rendezvous server maintains the ongoing maintenance connection. Once the connection is securely established within the rendezvous server, the maintenance technician can connect via the remote access app to dedicated hardware in a segregated portion of the local engineering environment on the plant site.

The table below lists a summary of the recommendation of the German BSI and briefly indicates how the genua/HIMA remote access solution satisfies those requirements.

Recommendation (German Federal Office for Information Security, BSI) | Implementation HIMA – genua

Architecture
Uniform solution (no "uncontrolled growth") | All remote maintenance cases can be covered uniformly, with a central management solution
Remote maintenance components in the DMZ | Dedicated server as central remote maintenance gateway in the DMZ
Connections not per (sub)network but fine-granular per IP and port | Remote maintenance relationship always per IP and port
Connection setup from inside to outside, no open ports | Machine operator controls the remote maintenance channel (four-eyes principle)
Dedicated systems for remote maintenance | Dedicated system: remote maintenance appliance genubox

Secure communication
Secure protocols | SSH, IPsec, SSL/TLS
Secure cryptographic methods | High-quality encryption, e.g. AES256

Authentication mechanisms
Granularity of accounts | Guaranteed by user role concept
Strong authentication mechanisms | Authentication via password, OTP (with Yubikey token) together with RSA key
Password security | Guaranteed via password policy
Attack detection | Failed authentication detection

Organisational requirements
Risk analysis | Possible via service
Principle of minimalism | Access generally strictly limited to the remote maintenance object (IP and port)
Process | Comprehensive support for processes and user roles
Inventory | Remote maintenance accesses are fully monitored and recorded
Time windows | Remote access can be limited in time
Functional test | Guaranteed via central monitoring
Specifications for remote service technicians | Testing of specifications by remote maintenance app
Patch process | Central patch management
Logging & alerting | Central logging & alerting

Others
Scalability | Easily scalable through central management, even for very large environments
Investment protection | Full IPv6 support, continuous product maintenance
High availability | Highly available provision of all components possible

Overview derived from: BSI-CS 108 / Version 2.0, dated 11.07.2018

Figure 2: Overview of the remote access solution

Highly scalable secure remote access system

Through the implemented mechanisms users can build up a remote maintenance concept adapted to their specific needs. That concept can systematically be scaled in order to fulfil the highest demands on both safety and security. There are no real limits to scalability. From the individual solution connecting to a single critical system, to a global multi-site solution, all requirements are achievable. There are no restrictions regarding the integration of third-party automation solutions. The Rendezvous solution gives you complete control over maintenance access to your networks.

Some aspects of realisation

The uniform secure remote access solution from HIMA and genua complies with the BSI recommendations (see table above). It provides a uniform application for all remote maintenance cases and enables a central management solution. Everything comes from a single source, including support. Using a single solution also reduces complexity, another major customer benefit. Today, a large security problem arises due to numerous diverse supplier solutions for remote access.

A dedicated server is implemented as a central remote maintenance gateway in the DMZ, thus ensuring full control through an upstream DMZ. With the rendezvous solution, no unilateral access from the remote maintenance service to the customer network is permitted. Instead, all maintenance connections run via a rendezvous server installed in a DMZ, where both the maintenance service and the customer establish connections in an agreed time window. The rendezvous server establishes and maintains the continuous maintenance connection. Service engineers can then access the local engineering environment, which is segregated from the rest of the customer network, via the remote maintenance app on the external side. The machine operator can also monitor the remote maintenance channel according to the four-eyes principle.
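The rendezvous model described in the two architecture paragraphs above (both sides dial out to a broker in the DMZ, access is tied to one IP and port, an agreed time window and operator approval, and every step is recorded) can be made concrete as a small policy model. The following is an added example written for this article; it is not genua/HIMA product code, and the class names, session identifiers and the address 10.10.20.5 are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Target:
    """One remote maintenance object: a single IP and port, never a whole subnet."""
    ip: str
    port: int


@dataclass
class MaintenanceWindow:
    """Agreed time window in which one technician may reach one target."""
    technician: str
    target: Target
    start: datetime
    end: datetime
    operator_approved: bool = False   # four-eyes principle: plant side must confirm

    def covers(self, now: datetime) -> bool:
        return self.start <= now <= self.end


class RendezvousServer:
    """Broker in the DMZ (hypothetical model). Both sides open outbound connections
    to it; the broker never initiates a connection towards the plant network."""

    def __init__(self) -> None:
        self.windows: list[MaintenanceWindow] = []
        self.plant_sessions: dict[Target, str] = {}   # target -> plant-side session
        self.tech_sessions: dict[str, str] = {}       # technician -> remote session
        self.audit: list[str] = []                    # every access is recorded

    def schedule(self, window: MaintenanceWindow) -> None:
        self.windows.append(window)
        self.audit.append(f"scheduled {window.technician} -> {window.target} "
                          f"{window.start:%H:%M}-{window.end:%H:%M}")

    def plant_connects(self, target: Target, session: str) -> None:
        # Outbound from the segregated engineering environment to the DMZ.
        self.plant_sessions[target] = session
        self.audit.append(f"plant side online for {target} ({session})")

    def technician_connects(self, technician: str, session: str) -> None:
        # Outbound from the remote maintenance app to the DMZ.
        self.tech_sessions[technician] = session
        self.audit.append(f"technician {technician} online ({session})")

    def operator_approves(self, technician: str, target: Target) -> None:
        for w in self.windows:
            if w.technician == technician and w.target == target:
                w.operator_approved = True
                self.audit.append(f"operator approved {technician} -> {target}")

    def request_relay(self, technician: str, target: Target,
                      now: datetime) -> tuple[bool, str]:
        """Decide whether to join the two outbound sessions. Returns (ok, reason)."""
        window = next((w for w in self.windows
                       if w.technician == technician and w.target == target), None)
        if window is None:
            verdict = (False, "no maintenance relationship for this IP and port")
        elif not window.covers(now):
            verdict = (False, "outside agreed time window")
        elif technician not in self.tech_sessions:
            verdict = (False, "technician has no outbound session to the DMZ")
        elif target not in self.plant_sessions:
            verdict = (False, "plant side has not dialled out for this target")
        elif not window.operator_approved:
            verdict = (False, "waiting for plant operator approval (four-eyes)")
        else:
            verdict = (True, f"relaying {self.tech_sessions[technician]} <-> "
                             f"{self.plant_sessions[target]}")
        self.audit.append(f"{now:%H:%M} {technician} -> {target}: {verdict[1]}")
        return verdict


def demo() -> dict[str, tuple[bool, str]]:
    """Walk one maintenance session through the policy; returns each decision."""
    t0 = datetime(2020, 11, 26, 9, 0)                  # constructed timestamp
    eng_ssh = Target("10.10.20.5", 22)                  # constructed target
    srv = RendezvousServer()
    srv.schedule(MaintenanceWindow("alice", eng_ssh, t0, t0 + timedelta(hours=2)))
    results: dict[str, tuple[bool, str]] = {}
    results["no_sessions"] = srv.request_relay("alice", eng_ssh, t0)
    srv.technician_connects("alice", "tech-sess-1")
    srv.plant_connects(eng_ssh, "plant-sess-7")
    results["unapproved"] = srv.request_relay("alice", eng_ssh, t0)
    srv.operator_approves("alice", eng_ssh)
    results["wrong_port"] = srv.request_relay("alice", Target("10.10.20.5", 502), t0)
    results["too_late"] = srv.request_relay("alice", eng_ssh, t0 + timedelta(hours=3))
    results["granted"] = srv.request_relay("alice", eng_ssh, t0 + timedelta(minutes=30))
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:12s} {'ALLOW' if ok else 'DENY '} {reason}")
```

The order of the checks is deliberate: the relationship (IP and port) and the time window are static policy and are checked first, the presence of both outbound sessions comes next, and the operator's approval is the final gate, so a technician who is online inside the window still cannot reach the target until the plant side confirms.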

The HIMA remote maintenance solution uses secure protocols, such as SSH, IPsec and SSL/TLS. The symmetric encryption method employed (AES256) ensures high-quality encryption, and password security is achieved through a state-of-the-art password policy. In addition to the password, the user can be authenticated using a one-time password with a Yubikey token in combination with an RSA key. The granularity of the accounts is ensured via the user role concept.

As required by the BSI, the remote maintenance solution also enables attack detection by identifying any failed authentication attempts. All remote maintenance access attempts are fully monitored and recorded for inventory purposes. The time window for remote accesses can also be restricted as required. Interactions can be tracked via central monitoring, with the added benefits of central patch management, logging and alerting.

An important consideration for users is also the investment security through IPv6 support and continuous product maintenance. Another positive aspect is that the genua/HIMA remote maintenance solution is not limited by proprietary solutions. The highly secure remote maintenance solution enables comprehensive support of processes and user roles. It is easily scalable through central management, even for very large environments – a further economic advantage for the user.

Conclusions

The high-availability remote maintenance solution presented by HIMA and genua complies with the highest national recommendations and fulfils the highest security requirements. Users can integrate the solution into the HIMA Smart Safety Platform concept for remote access to safety systems. During the COVID-19 pandemic, HIMA has digitalised numerous activities, such as commissioning and remote factory acceptance testing, and this remote access solution has been used successfully for those applications.
