Secure remote access for water treatment plants
The processes and technology used to monitor the performance of assets in water treatment plants have evolved rapidly. A plant operator no longer needs to physically check assets at regular intervals or wait until a problem occurs to take action: technology now allows assets to be accessed remotely and in real time, and the data can be analysed to find problems before they occur. Here, we look at secure remote access, and what you need to know in order to keep your systems secure.
Secure remote access involves the use of both hardware and software working seamlessly to simplify remote network access, programming and logistics. This has a number of benefits for water treatment plants as it can enhance operations, reduce operational costs, increase productivity and provide easy access to real-time data.
However, implementing a remote access system also exposes the plant and its operations to the risk of cyber-attacks if the system is installed incorrectly or not maintained. Secure remote access can also be compromised by inherent weaknesses such as a lack of access control and network segmentation, as well as weaknesses in process control systems, all of which create opportunities for cyber vulnerabilities.
One of the core oversights is only having one cyber defence solution in place. Having one solution at the perimeter of a SCADA system leaves the entire system and all its components vulnerable to malicious software which can change faster than antivirus vendors can react.
Water treatment plant owners should consider implementing additional security zones, and port-level security and firewalls between each of these zones to mitigate these vulnerabilities and stop malicious software from compromising the system regardless of how current the antivirus is.
Securing remote access with additional cyber defence solutions can be achieved using various methods. We will look at two common ways: Virtual Private Networks (VPNs) and Demilitarised Zones (DMZs).
Virtual private networks (VPNs)
VPNs are commonly used to secure remote access to SCADA networks by keeping data paths open to a limited group of persons, while keeping them closed to unauthorised people. They are typically installed as part of a firewall, or as part of an external machine to which users need to authenticate to gain access to the data.
For systems which use the Internet as the main channel for transporting data, VPNs encrypt data between the departure point and the destination, and use other security methods to ensure the data is not intercepted and can only be accessed by an authorised person.
The VPN protocol is an agreed set of rules for data transmission and encryption. Most VPN providers give users the option to choose from several VPN protocols. Some of the most common protocols include: Point to Point Tunnelling Protocol (PPTP), which is now mostly obsolete; Layer Two Tunnelling Protocol (L2TP), which does not provide any encryption or confidentiality by itself; Internet Protocol Security (IPSec); and OpenVPN (SSL/TLS).
Due to their use of existing network infrastructure, data encryption and tunnelling, VPNs are highly secure. However, they can also be very expensive to set up and maintain in site-to-site applications, as they are more complex and system performance can degrade quickly. A number of third-party hosts provide VPN services to greatly reduce the cost of setting up a VPN.
As much as possible, avoid VPNs that are primarily based on MD5 or SHA-1 hashing algorithms and PPTP or L2TP/IPSec protocols. Go for those that support current versions of OpenVPN (considered extremely secure) and SHA-2. If unsure which algorithm your VPN uses, refer to the VPN documentation or contact Automation IT for support.
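One way to check which hashing algorithm an OpenVPN profile selects is to read its `auth` directive. The following is an added example, not code from this article or from OpenVPN; the sample profiles and hostname are constructed.

```python
WEAK = {"MD5", "SHA1"}                           # digests the article says to avoid
SHA2 = {"SHA224", "SHA256", "SHA384", "SHA512"}  # SHA-2 family

def audit_auth_digest(config_text):
    """Return (line_number, verdict, digest) for each `auth` directive.

    A config with no `auth` line yields (0, "weak", "SHA1"), because SHA1 is
    OpenVPN's documented default for that directive.
    """
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":        # blank or comment line
            continue
        parts = line.split("#", 1)[0].split()  # drop a trailing comment
        # Exact match keeps auth-user-pass / auth-nocache out of the check.
        if len(parts) < 2 or parts[0].lower() != "auth":
            continue
        digest = parts[1].upper().replace("-", "")  # "sha-256" -> "SHA256"
        if digest in WEAK:
            verdict = "weak"
        elif digest in SHA2:
            verdict = "ok"
        else:
            verdict = "review"                 # unknown name: check by hand
        findings.append((lineno, verdict, digest))
    return findings or [(0, "weak", "SHA1")]

# Constructed sample profiles (hostname is a placeholder).
LEGACY = """\
# site-a client profile
client
dev tun
remote vpn.example.invalid 1194
auth-user-pass
auth SHA1   # legacy setting
"""
CURRENT = "client\ndev tun\nremote vpn.example.invalid 1194\nauth SHA256\n"
NO_AUTH = "client\ndev tun\nremote vpn.example.invalid 1194\n"

if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY), ("current", CURRENT), ("no-auth", NO_AUTH)):
        print(name, audit_auth_digest(cfg))
```

With AEAD data ciphers such as AES-GCM, OpenVPN ignores `auth` for the data channel, so treat a "weak" result as a prompt to check where the digest is actually used.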
Demilitarised zones (DMZs)
Like VPNs, DMZs can also be used to provide an extra layer of security for secure remote access. DMZs create a buffer between a SCADA network and the internet or business network through the use of additional firewalls and routers.
The main benefit of using a buffer zone is that data can be collected from the SCADA environment and then transferred to an IT environment without the need for multiple IT connections into the SCADA environment. Data collection and archiving can be moved into a Data Historian DMZ to further limit access to the SCADA system and allow tighter firewalls to be installed between zones.
Such a system allows those who need access to the SCADA system to access it, while those who only require access to the data can retrieve it from the Data Historian DMZ without needing direct access to the actual SCADA system.
Hybrid DMZ with VPN Access
The best solution for industrial plants and public utilities that could potentially be targets is to use a hybrid solution where a VPN is used to provide external access to the DMZ.
In the typical firewall scenario, the firewall separates three distinct network zones: the Internet, the private network and the DMZ. Inbound connections from the Internet are allowed only to servers in the DMZ; no direct connections are allowed between the Internet and the private SCADA network. Servers that offer services to the public (e.g. Web servers, SMTP servers, Historians etc.) are placed in the DMZ, while servers that offer services to internal SCADA users reside on the private network.
This combination provides the benefits of both VPN and DMZ technology. However, it is more complex to configure and more expensive to implement.
The VPN provides remote users with access to private resources. Users authenticate to the VPN and may then access internal resources on the private network through that VPN connection.
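The three-zone rule described above (Internet traffic may reach the DMZ but never the SCADA network directly) can be checked against an exported firewall rule list. This is an added example, not part of the original article; the subnets, ports and rules are constructed, and the VPN address pool is an assumed extra zone.

```python
import ipaddress

# Constructed addressing plan (assumption, not from the article).
ZONES = {
    "scada": ipaddress.ip_network("10.10.0.0/16"),
    "dmz":   ipaddress.ip_network("192.168.50.0/24"),
    "vpn":   ipaddress.ip_network("172.16.99.0/24"),  # pool for authenticated VPN users
}

def zone_of(cidr):
    """Name the internal zone that fully contains cidr, else 'internet'."""
    net = ipaddress.ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "internet"

def internet_to_scada(rules):
    """Return allow rules that let an Internet source reach the SCADA zone.

    Conservative: rule order is ignored, so a rule shadowed by an earlier
    deny is still reported for a human to review.
    """
    hits = []
    for rule in rules:
        src, dst, _port, action = rule
        if action != "allow":
            continue
        reaches_scada = ipaddress.ip_network(dst).overlaps(ZONES["scada"])
        if zone_of(src) == "internet" and reaches_scada:
            hits.append(rule)
    return hits

# Constructed rule set: (source, destination, port, action).
RULES = [
    ("0.0.0.0/0",      "192.168.50.20/32", 443,  "allow"),  # Internet -> DMZ web server
    ("0.0.0.0/0",      "192.168.50.5/32",  1194, "allow"),  # Internet -> VPN gateway
    ("172.16.99.0/24", "192.168.50.30/32", 443,  "allow"),  # VPN users -> Historian
    ("10.10.0.0/16",   "192.168.50.30/32", 5450, "allow"),  # SCADA -> Historian (made-up port)
    ("203.0.113.0/24", "10.10.4.15/32",    502,  "allow"),  # Internet -> PLC (Modbus TCP)
    ("0.0.0.0/0",      "0.0.0.0/0",        3389, "allow"),  # any-to-any also covers SCADA
]

if __name__ == "__main__":
    for rule in internet_to_scada(RULES):
        print("violates zone policy:", rule)
```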
Keeping systems secure
While VPNs and DMZs are generally highly secure, they can be compromised from the inside if staff with access are not mindful that they can create an opening that allows hackers to gain access, for example by using an application that's not secure. For this reason, staff should be trained on the proper use of equipment connected to the system, and system logins should be seen as assisting the ongoing and safe operation of the plant rather than as another 'inconvenience' of having to log in each time.
One relatively simple measure is to disable any spare network ports to prevent the connection and access of a third-party device, such as a laptop or USB device, as these can harbour unseen cyber vulnerabilities such as viruses or other malware. Radio and Wi-Fi networks are especially vulnerable to cyber-attack, so implementing robust security measures across all network devices will ensure the risk of a major disruption is minimised.
When considering the overall risk versus cost, the benefits of implementing a robust security system far outweigh the negatives. Procuring the services of a trusted and experienced systems integrator can greatly reduce the risks.