Is Remote Access to Your Control System Safe?

Anytime a new conduit to an ICS network is created – especially one which transits the internet – there is inevitable trepidation about the potential security risks it might create. So, when we talk about creating a tunnel from your network into the cloud, you’re going to have mental alarms going off. This article will describe how Champion keeps your network secure while providing unprecedented levels of service and support.

The Cloud Zone

A security zone is created in the cloud specifically for you. Here, it serves as an extension of the Demilitarized Zone (DMZ) of your control system. The same security concepts that apply to your DMZ apply here as well.

There are only two paths in and out of your cloud zone:

• The Tunnel, as defined below, to your on-premises DMZ.
• Dedicated secure route to our portal servers to enable the features provided by our managed service offering.

These paths are restricted by routing and firewall rules to pass only the authorized data.

No windows administrative connections (RDP, WMI, RPC, and other evil acronyms) can be made from outside the DMZ and cloud zones. All administrative activity happens within the cloud zone via hosted desktop sessions. These sessions are delivered using virtual desktop presentation technologies so that only the video stream leaves, and only keyboard and mouse commands enter. No proprietary data or external threats can be transferred via either cloud path.

The Tunnel

In order to connect your site to the cloud, a tunnel must be created. This tunnel is built using the best available VPN protocols. Like most tunnels, its job is to keep the good things in and the bad things out.

This includes:

• Ensuring that only your DMZ can connect to the cloud zone and only the cloud zone can connect to your DMZ.
• Encrypting the data so that it cannot be monitored by outside forces.
• Ensuring the data stays intact from one end to the other.

The Eyes

It’s often stated that if you can’t see it, you can’t secure it. To ensure your network stays safe, it’s vital to have eyes on the traffic that’s going through it. Like a building with door sensors, motion detectors, smoke detectors, security cameras, and a remote monitoring service… Champion can be your partner in notifying you in real-time of any abnormal activity.

• Intrusion Detection Systems (IDS) designed with OT networks in mind are deployed for your network. These are strictly passive systems that merely sound the alarm if a potential compromise is detected.
• IDS sensors are installed in strategic locations to passively monitor as much of the traffic on your network as possible.
• Firewalls guard all the border crossings of your network. Anyone without the right credentials cannot get through.
• End devices are protected with antivirus software. This blocks malware which makes it to a computer and sends out alerts.
• A Security Information and Event Management (SIEM) server collects real-time data from all these safeguards and more and presents them to Champion’s monitoring team.
• Should an event occur, we’ll notify you immediately. If you authorize it, we can also take action to mitigate any threat per your Incident Response Plan.

The Result

While opening a tunnel between your network and the cloud might sound scary, using the proper technology and partner allows your network and OT assets to be safer than ever. Not only will you be better protected from security threats, but now we can even alert you to process issues before they become big problems.

Remote support engineers can respond even quicker and without introducing you to unnecessary risks like VPN connections from untrusted computers, unmonitored persistent virtual desktop access, or cellular modems.

Interested in learning more or scheduling a free consultation?