Decreasing Administrative Complexity with Remote Access
By The Claroty Team | October 7, 2021
One way COVID-19 impacted businesses is by emphasizing the need for business continuity no matter where workers are located. This created challenges across industries, but especially in the operational technology (OT) space. Assets managed by industrial control centers were never architected with remote access in mind, so for years administrators have had to implement and maintain cumbersome, costly, and complex infrastructures. These “solutions” usually consist of multiple tools that demand different ports and protocols.
Remote access administrators, both on the information technology (IT) and OT side, are constantly trying to balance convenience for employees and vendors, and security for their organization.
Complexity Affects More than Just Administrators
Historically, managing remote access meant making compromises. Either organizations choose a simple option and are left with little to no security metrics, or they choose a more security-conscious approach and find that implementation and usability become very complex. Plus, these solutions were created with an IT network in mind, not industrial environments.
For example, best practices recommend network segmentation between IT and OT networks with a DMZ. This means an OT engineer or contractor will need to traverse a long maze of firewalls, VPN, authentication, more firewalls, jump servers, and more authentication to finally reach an asset and start repair work.
Administrative complexity affects far more than just the OT or IT department. For instance, consider the following impacts:
Increased mean time to repair (MTTR)
In the example above, it’s clear that if the organization chooses the route of a more secure option, leadership would have to accept a higher MTTR.
Frustration for end users
Not only is it going to take longer to repair, but the process for the end user is not straightforward. The end user will need training to understand the pathway to each asset, and will need multiple tools and devices to pass authentication steps.
Between the training, technology, tools, and devices, legacy IT remote access solutions can get expensive when retrofitted for OT environments.
Secure Remote Access Designed for OT Environments
There are unique considerations for remote access for OT environments, including the following requirements:
OT assets regularly need to be accessed by internal users and third-party vendors.
Access needs to be quick and reliable. (In an emergency, there is no time for multiple levels of authentication, VPNs, jump servers, etc.)
Administrators need to know (and control) who is logging in from where, for what purpose, and know whether that purpose is legitimate.
Claroty Secure Remote Access (SRA), part of The Claroty Platform, was purpose-built to meet specific operational, administrative, and security needs of industrial networks. SRA minimizes the cost and complexity of administering safe, secure, and reliable OT remote access for internal and third-party users.
SRA Updates in 2021
Claroty has made many enhancements to SRA over the course of this year, which build on our vision to provide organizations frictionless secure access to their critical industrial assets with less administrative complexity—no matter where users, facilities, or assets are located. A few highlights of 2021 releases include the following:
Easier User Provisioning & Authentication
User provisioning can be automated using a SAML- or OIDC-based identity provider. Instead of enabling users one by one, administrators can turn on Single Sign-On and Just-in-Time provisioning within SRA and leverage pre-existing user roles and group associations from their existing IdP. As a result, SRA users gain immediate, secure, and highly controlled access when they need it, and administrators can spend less time securing, configuring, and managing OT remote access.
Stronger Security with Antivirus Integrations
One complex challenge remote access administrators face is protecting the OT environment from corrupt files. SRA integrates easily with any ICAP-based antivirus solution, allowing administrators and users to track upload status and prevent the spread of unsafe files. Every file is scanned for safety, and in the event a file is malicious, the user is immediately notified and prevented from uploading it to the asset.
Extending Secure Remote Access to Legacy Assets
Some industrial environments still include legacy assets that don’t support modern protocols. These assets need remote support and maintenance, but administrators may struggle to find a secure way to allow access. SRA supports the Telnet protocol to allow remote sessions to legacy assets, while maintaining tight security for the overall environment.
Current SRA administrators can take advantage of these benefits today. Choosing a solution designed to decrease the complexity of managing remote access also reduces the total cost of ownership, so administrators can focus on more pressing priorities.
To take a closer look at Claroty Secure Remote Access, request a demo.