Secure remote maintenance for safety systems
26 November 2020
The COVID-19 pandemic has given the world a boost in digitisation that no one could have imagined. It can therefore be expected that previously known trends towards automation and digitalisation will continue to increase even faster. A particularly important aspect of digitalisation is the issue of remote access to industrial facilities.
Figure 1: Highly scalable secure remote access system
Such remote access is already used in many industries, but it brings several problems. Firstly, it can create an opaque patchwork of IT solutions that is difficult to manage and control. Secondly, every external access path adds potential attack surface for cyber-attacks.
It is obvious that remote maintenance of process plants via public networks enables considerable cost advantages in an industrial environment. On the other hand, accessing control system networks remotely brings significant potential security risks. If a process network does not have an effective protective shield, a single security gap can make the whole production process vulnerable to attack, with potentially catastrophic consequences. It is therefore necessary to reduce these vulnerabilities to an acceptable minimum. "Acceptable" here means that compromising such a system must be so difficult that any attacker abandons the attempt because of the enormous effort required.
It requires considerable know-how to manage secure remote access systems efficiently. Ideally, this know-how is available inside the company; otherwise it should be acquired through cooperation with a trustworthy partner. Doing nothing, however, could be a serious mistake.
Safety systems, the last line of protection in a process plant, need to be protected particularly well. When discussing remote access to such systems, the arguments above become even more important: remote access to safety systems is the greatest challenge for the security of such a system.
The most severe consequence of a vulnerability in a process network is a reduction in plant safety, and there is an increased risk of personal, environmental and huge economic damage. Previously, this ruled out remote access to safety systems. Today, such solutions exist!
Requirements for remote access systems for industrial plants
The German Federal Office for Information Security (BSI), the central point of contact for IT security issues in Germany, helps to avoid risks faced by plant owners and operators. The BSI publication on cyber security (BSI-CS 108 / Version 1.0 / 1.2015 – see References below) provides an overview of the generic requirements for industrial remote maintenance according to the current state-of-the-art. A simple checklist as a basis for an investment decision for remote access systems can be derived from this publication and is shown in the Table below.
When designing secure remote access systems, it is important to take a holistic view. The best way to avoid overlooking hidden vulnerabilities is to comply with requirements from national security institutes such as the German BSI.
In collaboration with its partner genua, HIMA now offers a solution that meets the highest requirements for secure remote maintenance in industrial environments. With this solution, which involves a rendezvous-server system, no direct access from the remote maintenance station to the production environment is possible. Instead, all maintenance connections run via a rendezvous server installed in a demilitarised zone (DMZ), to which both the maintenance service and the plant personnel establish connections during an agreed time window. The rendezvous server maintains the ongoing maintenance connection. Once the session is securely established within the rendezvous server, the maintenance technician connects via the remote access app to dedicated hardware in a segregated portion of the local engineering environment at the plant site.
The table below summarises the recommendations of the German BSI and briefly indicates how the genua/HIMA remote access solution satisfies each of them.
| German Federal Office for Information Security (BSI) – Recommendation | Implementation HIMA – genua |
|---|---|
| Architecture | |
| Uniform solution (no "uncontrolled growth") | All remote maintenance cases can be covered uniformly, together with a central management solution |
| Remote maintenance components in the DMZ | Dedicated server as central remote maintenance gateway in the DMZ |
| Connections not per (sub)network but fine-granular per IP and port | Remote maintenance relationship always per IP and port |
| Connection setup from inside to outside, no open ports | Machine operator controls the remote maintenance channel (four-eyes principle) |
| Dedicated systems for remote maintenance | Dedicated system: remote maintenance appliance genubox |
| Secure communication | |
| Secure protocols | SSH, IPsec, SSL/TLS |
| Secure cryptographic methods | High-quality encryption, e.g. AES256 |
| Authentication mechanisms | |
| Granularity of accounts | Guaranteed by user role concept |
| Strong authentication mechanisms | Authentication via password, OTP (with Yubikey token) together with RSA key |
| Password security | Guaranteed via password policy |
| Attack detection | Failed authentication detection |
| Organisational requirements | |
| Risk analysis | Possible via service |
| Principle of minimalism | Access generally strictly limited to the remote maintenance object (IP and port) |
| Process | Comprehensive support for processes and user roles |
| Inventory | Remote maintenance accesses are fully monitored and recorded |
| Time windows | Remote access can be limited in time |
| Functional test | Guaranteed via central monitoring |
| Specifications for remote service technicians | Testing of specifications by remote maintenance app |
| Patch process | Central patch management |
| Logging & alerting | Central logging & alerting |
| Others | |
| Scalability | Easily scalable through central management, even for very large environments |
| Investment protection | Full IPv6 support, continuous product maintenance |
| High availability | Highly available provision of all components possible |
Overview derived from: BSI-CS 108 / Version 2.0, dated 11.07.2018
Figure 2: Overview of the remote access solution
Highly scalable secure remote access system
Through the implemented mechanisms users can build up a remote maintenance concept adapted to their specific needs. That concept can systematically be scaled in order to fulfil the highest demands on both safety and security. There are no real limits to scalability. From the individual solution connecting to a single critical system, to a global multi-site solution, all requirements are achievable. There are no restrictions regarding the integration of third-party automation solutions. The Rendezvous solution gives you complete control over maintenance access to your networks.
Some aspects of realisation
The uniform secure remote access solution from HIMA and genua complies with the BSI recommendations (see table above). It provides a single application for all remote maintenance cases and enables central management. Everything comes from a single source, including support. Using a single solution also reduces complexity, another major customer benefit: today, a large part of the security problem arises from the many diverse supplier solutions for remote access.
A dedicated server is implemented as the central remote maintenance gateway in the DMZ, so that the upstream DMZ provides full control over every maintenance connection. With the rendezvous solution, no unilateral access from the remote maintenance service to the customer network is permitted. Instead, all maintenance connections run via a rendezvous server installed in the DMZ, to which both the maintenance service and the customer establish connections in an agreed time window. The rendezvous server establishes and maintains the continuous maintenance connection. Service engineers then use the remote maintenance app on the external side to reach the local engineering environment, which is segregated from the rest of the customer network. The machine operator can also monitor the remote maintenance channel in accordance with the four-eyes principle.
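The rendezvous behaviour described in the two paragraphs above (and in the earlier overview of the solution) combines several of the BSI checklist items: both sides dial out to the broker in the DMZ, the destination is pinned to one IP and port, the session is confined to an agreed time window, and the operator releases the channel under the four-eyes principle. The following is an added illustration of that decision logic and is not code from HIMA or genua; the class names, the case identifier, the addresses and the time window are all constructed for the example.

```python
"""Added example (not HIMA/genua code): a minimal model of the access-policy
checks a DMZ rendezvous broker applies before bridging a maintenance session.
All names, addresses and times below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class MaintenanceWindow:
    """Agreed time window in which a maintenance session may be bridged."""
    start: datetime
    end: datetime

    def contains(self, t: datetime) -> bool:
        return self.start <= t < self.end


@dataclass
class MaintenanceCase:
    """One agreed remote maintenance object: exactly one IP and one port."""
    technician: str
    target_ip: str
    target_port: int
    window: MaintenanceWindow
    # Four-eyes principle: the machine operator must release the channel
    # explicitly; the technician cannot bridge the session alone.
    operator_released: bool = False


@dataclass
class RendezvousBroker:
    """Both sides dial *out* to this broker; it never opens a path inward."""
    cases: Dict[str, MaintenanceCase] = field(default_factory=dict)
    inbound_from_plant: Set[str] = field(default_factory=set)
    inbound_from_technician: Set[str] = field(default_factory=set)

    def register_plant_side(self, case_id: str) -> None:
        # The plant-side appliance connected outbound to the broker.
        self.inbound_from_plant.add(case_id)

    def register_technician_side(self, case_id: str) -> None:
        # The remote maintenance app connected outbound to the broker.
        self.inbound_from_technician.add(case_id)

    def operator_release(self, case_id: str) -> None:
        self.cases[case_id].operator_released = True

    def decide(self, case_id: str, technician: str, dest_ip: str,
               dest_port: int, now: datetime) -> Tuple[bool, str]:
        """Return (bridge?, reason); every check must pass before bridging."""
        case = self.cases.get(case_id)
        if case is None:
            return False, "unknown maintenance case"
        if technician != case.technician:
            return False, "technician not assigned to this case"
        # Principle of minimalism: the agreed IP and port, nothing else.
        if (dest_ip, dest_port) != (case.target_ip, case.target_port):
            return False, "destination outside agreed IP/port"
        if not case.window.contains(now):
            return False, "outside agreed time window"
        # Inside-to-outside setup: the plant side must already have dialled
        # out; the broker never initiates a connection into the plant.
        if case_id not in self.inbound_from_plant:
            return False, "plant side has not dialled out"
        if case_id not in self.inbound_from_technician:
            return False, "technician side has not dialled out"
        if not case.operator_released:
            return False, "awaiting operator release (four-eyes)"
        return True, "session bridged"


def demo() -> List[Tuple[bool, str]]:
    """Walk one constructed maintenance case through the broker's checks."""
    window = MaintenanceWindow(datetime(2020, 11, 26, 9, 0),
                               datetime(2020, 11, 26, 12, 0))
    broker = RendezvousBroker()
    broker.cases["case-42"] = MaintenanceCase("alice", "10.0.5.20", 443, window)
    t = datetime(2020, 11, 26, 10, 0)
    results = []
    results.append(broker.decide("case-42", "alice", "10.0.5.20", 443, t))
    broker.register_plant_side("case-42")
    broker.register_technician_side("case-42")
    results.append(broker.decide("case-42", "alice", "10.0.5.20", 443, t))
    broker.operator_release("case-42")
    results.append(broker.decide("case-42", "alice", "10.0.5.20", 443, t))
    results.append(broker.decide("case-42", "alice", "10.0.5.20", 22, t))
    results.append(broker.decide("case-42", "alice", "10.0.5.20", 443,
                                 t + timedelta(hours=3)))
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print("BRIDGE" if ok else "DENY  ", reason)
```

The order of the checks matters less than the fact that all of them are evaluated on the broker, which is the only component either side can reach: a request for a second port on the same host, or the same port after the window has closed, is refused without the plant-side appliance ever seeing it.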
The HIMA remote maintenance solution uses secure protocols such as SSH, IPsec and SSL/TLS. The employed symmetric encryption method (AES256) ensures high-quality encryption, and password security is achieved through a state-of-the-art password policy. In addition to the password, the user can be authenticated using a one-time password with a Yubikey token in combination with an RSA key. The granularity of the accounts is ensured via the user role concept.
As required by the BSI, the remote maintenance solution also supports attack detection by identifying failed authentication attempts. All remote maintenance accesses are fully monitored and recorded for inventory purposes. The time window for remote access can also be restricted as required. Interactions can be tracked via central monitoring, with the added benefits of central patch management, logging and alerting.
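The BSI item "attack detection" is implemented in the table as failed-authentication detection fed by central logging. As an added example, not code from HIMA or genua, the following shows the kind of detection logic a central log collector would run over the rendezvous server's authentication records: a sliding window of failures per source address, an alert when the count reaches a threshold, and a second alert when a successful login follows such a burst. The log line format, the threshold, the window length and the sample lines are all constructed for the example.

```python
"""Added example (not HIMA/genua code): failed-authentication detection over
constructed authentication log lines from a remote maintenance gateway."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample log; the format "<ts> auth result=<ok|fail> user=<u> src=<ip>"
# is an assumption for this example, not the genua/HIMA log format.
SAMPLE_LOG = [
    "2020-11-26T10:00:05Z auth result=ok user=alice src=198.51.100.10",
    "2020-11-26T10:01:00Z auth result=fail user=admin src=203.0.113.7",
    "2020-11-26T10:01:30Z auth result=fail user=admin src=203.0.113.7",
    "this line is malformed on purpose and must be skipped",
    "2020-11-26T10:02:10Z auth result=fail user=root src=203.0.113.7",
    "2020-11-26T10:03:00Z auth result=ok user=admin src=203.0.113.7",
    "2020-11-26T10:09:00Z auth result=fail user=bob src=198.51.100.11",
    "2020-11-26T10:20:00Z auth result=fail user=bob src=198.51.100.11",
    "2020-11-26T10:20:40Z auth result=ok user=bob src=198.51.100.11",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_auth_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_failed_auth(lines: List[str], threshold: int = 3,
                       window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Sliding-window failed-login detection keyed by source address.

    Emits one 'failed_auth_burst' alert per source once `threshold` failures
    fall inside `window`, and a 'success_after_failures' alert if a login
    from that source then succeeds while the burst is still in the window.
    """
    failures: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: List[dict] = []
    burst_alerted = set()
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue  # malformed line: skipped, not counted
        q = failures[ev["src"]]
        # Drop failures that have aged out of the window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if ev["result"] == "fail":
            q.append((ev["ts"], ev["user"]))
            if len(q) >= threshold and ev["src"] not in burst_alerted:
                alerts.append({
                    "kind": "failed_auth_burst", "ts": ev["ts"], "src": ev["src"],
                    "count": len(q), "users": sorted({u for _, u in q}),
                })
                burst_alerted.add(ev["src"])
        elif len(q) >= threshold:
            # A success right after a burst is the case an operator must see.
            alerts.append({
                "kind": "success_after_failures", "ts": ev["ts"],
                "src": ev["src"], "user": ev["user"], "count": len(q),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_failed_auth(SAMPLE_LOG):
        print(a)
```

Keying on the source address rather than the account catches password guessing that rotates through user names, as in the sample where `admin` and `root` are tried from the same address; the scattered failures from the second address never reach the threshold inside the window and produce no alert.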
An important consideration for users is also investment protection through IPv6 support and continuous product maintenance. Another positive aspect is that the genua/HIMA remote maintenance solution is not limited to proprietary automation systems; third-party solutions can be integrated. The highly secure remote maintenance solution enables comprehensive support of processes and user roles. It is easily scalable through central management, even for very large environments, a further economic advantage for the user.
The high-availability remote maintenance solution presented by HIMA and genua complies with the highest national recommendations and fulfils the highest security requirements. Users can integrate the solution into the HIMA Smart Safety Platform concept for remote access to safety systems. During the COVID-19 pandemic, HIMA has digitalised numerous activities, such as commissioning and remote factory acceptance testing, and this remote access solution has been used successfully for those applications.