Prosoft

Robert Korherr | Inka Krischke

Manage IT and OT systems remotely

Maintaining and managing IT and OT infrastructures remotely is no trivial matter. The security standards the BSI defines for remote maintenance solutions in IT and OT environments are correspondingly high. This article outlines one approach.


A closer look at the current, increasingly digitalized operational technology (OT) landscape reveals its enormous heterogeneity: decentralized infrastructures, diverse control systems and many types of access. The result is a large number of different remote maintenance access points with an unmanageable number of hardware and software components. For processing companies in particular, this makes it a challenge to implement the right remote maintenance solution, one that offers maximum security and convenience at the same time. OT and IT are equally affected.

A comparison of current remote maintenance systems reveals many similarities and even more differences. It is essential to use secure connections, both in terms of the protocols involved, such as the Simple Network Management Protocol (SNMP), and in terms of interfaces, for example the Intelligent Platform Management Interface (IPMI). The latter is increasingly being replaced by Redfish, which builds on web technologies: JSON as the data format and HTTPS for data transmission. Various cryptographic methods are also in use. The AES-256 standard, for example, is used to encrypt data and connection paths.

In addition, OT infrastructures often use proprietary protocols rather than common standards such as TCP/IP or IPsec. This poses enormous risks for OT networks, as cyberattacks such as Ekans, Triton and Industroyer have shown. Industroyer, for example, brought the energy supply of the Ukrainian capital Kiev to a complete standstill in 2016.

OT remote maintenance also has to provide functions that pure IT remote maintenance does not need. One example is access to the industrial control system (ICS) so that plants can be started or stopped. The remote maintenance system should also ensure the integrity of the data generated and restrict communication to the channels that are actually required.

Basic requirements for remote maintenance

The Federal Office for Information Security (BSI) regularly considers the security situation of local companies and publishes the 'IT baseline protection compendium'.

Since February of this year, it has included the module "IND 3.2 - Remote maintenance in an industrial environment". According to this module, remote maintenance access must meet certain requirements to ensure a minimum level of security. These include, for example, selecting the systems that may be remotely maintained from the outside at all. The basic requirements for remote maintenance in OT and IT environments also include keeping the number of access points and communication channels to a minimum. Reliable AES-256 encryption should also be used.


Recommended standard conditions

OT remote maintenance must, for example, regulate the safe starting and stopping of systems in order to prevent personal injury or damage to property.


In addition to the basic requirements, remote maintenance should fulfill further standard conditions. These include end-to-end encryption of all remote maintenance connections using cryptographically secured protocols. Generally applicable guidelines should also be established to define roles, responsibilities and accountabilities. For even more security, multi-factor authentication (MFA), which often relies on hardware tokens, is recommended: a USB security key, for example, secures passwordless access to particularly sensitive user accounts. It is also important to have an emergency plan that defines the necessary steps in the event of a malfunction, for example the response to a malware attack. Among other things, it defines personnel responsibilities and the method of system recovery.

Requirements for increased protection needs

Operators of critical infrastructures (KRITIS) in particular, such as water and electricity utilities, have an increased need for protection. For the remote maintenance system this means, among other things:

  • If possible, only remote maintenance systems that can manage both IT and OT clients should be used.
  • Redundant communication connections should ensure the highest possible reliability.

Two types of remote maintenance

A distinction is made between hardware-based and software-based approaches to the remote maintenance of industrial IT and OT systems. Software-based remote maintenance stands out for its fast operational readiness, integrated operating and monitoring functions and low license costs. At first glance, online remote maintenance solutions established over an Internet connection are the obvious choice. But beware: remote maintenance of often inadequately protected OT systems via external connections carries real dangers. This is why the BSI's IT baseline protection compendium recommends using this type of remote maintenance as rarely as possible. It is better to manage closed OT infrastructures only with remote maintenance software that does not require external access.

On the other hand, there are dedicated, hardware-based remote maintenance solutions. Their advantages and disadvantages are obvious: these solutions offer a high level of security, but acquisition costs are quite high and their setup requires highly qualified personnel.

The organization of secure remote access

Secure remote access to IT and OT systems depends not only on technical but also on organizational requirements. In addition to a risk analysis, these include keeping the number of implemented remote access options to a minimum, precisely defined processes and procedures, clearly regulated time windows for remote access, and the regular management and evaluation of log data.
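The organizational rules described above (a minimal set of designated access points, MFA for maintainers, fixed maintenance time windows, regular evaluation of log data) can be checked mechanically against the session log of a remote maintenance gateway. The following is an added example, not code from the article or from any vendor product: the log format (`timestamp;user;target;mfa;action`), the policy values and the sample log lines are all constructed assumptions, and a real deployment would map its gateway's own log fields onto the same checks.

```python
"""Evaluate remote-maintenance session logs against an access policy.

Added example for illustration; not part of the original article or any
vendor tool. Log format, field names and policy values are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List

# Constructed policy: only systems designated for external remote maintenance,
# only named maintainer accounts, only inside the agreed maintenance window,
# and only with MFA.
POLICY = {
    "allowed_targets": {"plc-line1-gw", "hmi-ops-02"},
    "allowed_users": {"svc.maint.vendorA", "ot.admin.mueller"},
    "window_start": time(8, 0),
    "window_end": time(17, 0),
    "require_mfa": True,
}

# Constructed sample log lines: timestamp;user;target;mfa;action
SAMPLE_LOG = """\
2024-03-04T09:15:02;ot.admin.mueller;plc-line1-gw;mfa=yes;session_open
2024-03-04T22:40:11;svc.maint.vendorA;hmi-ops-02;mfa=yes;session_open
2024-03-04T10:02:45;svc.maint.vendorA;scada-core-01;mfa=yes;session_open
2024-03-04T11:30:00;contractor.temp;plc-line1-gw;mfa=no;session_open
2024-03-04T12:05:17;ot.admin.mueller;plc-line1-gw;mfa=yes;session_close
"""


@dataclass
class Finding:
    line_no: int
    user: str
    target: str
    reasons: List[str]


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, user, target, mfa, action = line.strip().split(";")
    return datetime.fromisoformat(ts), user, target, mfa == "mfa=yes", action


def check_session(ts, user, target, mfa_used, policy):
    """Return the list of policy rules a session opening violates (empty if compliant)."""
    reasons = []
    if user not in policy["allowed_users"]:
        reasons.append("user not on maintainer list")
    if target not in policy["allowed_targets"]:
        reasons.append("target not designated for external remote maintenance")
    if not (policy["window_start"] <= ts.time() <= policy["window_end"]):
        reasons.append("outside agreed maintenance window")
    if policy["require_mfa"] and not mfa_used:
        reasons.append("MFA not used")
    return reasons


def evaluate_log(log_text, policy=POLICY):
    """Run every session_open record through the policy and collect findings."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        ts, user, target, mfa_used, action = parse_line(line)
        if action != "session_open":
            continue  # only the opening of a session is subject to the checks
        reasons = check_session(ts, user, target, mfa_used, policy)
        if reasons:
            findings.append(Finding(n, user, target, reasons))
    return findings


if __name__ == "__main__":
    for f in evaluate_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.user} -> {f.target}: {', '.join(f.reasons)}")
```

Run against the constructed sample, the script flags the session opened outside the time window, the session to a target that was never designated for external maintenance, and the unlisted account that connected without MFA, while the compliant session and the session close pass silently. Reviewing such findings on a fixed schedule is what "regular evaluation of log data" amounts to in practice.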

It would be practical if IT and OT systems could be managed remotely with a single tool, ideally one that meets the security standards required by the BSI. Both IT end devices and the machines and control units in the production environment could then be maintained remotely with one central piece of software.

The author: Robert Korherr is Managing Director of ProSoft in Geretsried.


One example of such a tool is the 'NetSupport Manager' from Prosoft. It can be used to remotely maintain networks distributed across several locations as well as heterogeneous system environments, including from mobile devices such as smartphones or tablets. On the operating system side, the tool supports current platforms such as Windows, macOS, Linux, iOS, Android and Google Chrome. It is installed exclusively in the company's own data center, so control remains completely local. Data transmission is encrypted, and the optional integration of NT security and Active Directory adds a further layer of protection. The tool also supports 'NetSupport Manager Smartcards' for secure authentication.
