The Need to Isolate Remote, Wide-Area Communications Into a Separate Zone

Jun 21, 2016

In our Reference Blueprint for Industrial Control and SCADA, we describe the need to isolate remote communication technologies into a separate zone. Devices like iNets, unlicensed and licensed microwave, satellite, AMI meters and other forms of longer-range, radio-based communications need to be looked at carefully before being implemented and extra consideration of these types of technology is essential to preventing unintentional access into enterprise and OT systems.

Benefits of Remote Communication Technologies

With the advent of the Industrial Internet of Things (IIoT), or Industry 4.0, new highly efficient, low-energy and low-cost wide-area communication devices are continually being produced, providing more bandwidth and flexibility in deployment, items deemed essential in an ICS/SCADA environment.

Improvements in communication technology make remote automation not only feasible but attractive, if not a necessity. These advances support automation, make it possible to place more intelligent devices further out, and reduce labor costs, as an army of people is no longer required to travel to remote destinations, retrieve information and bring it back. Improved communications allow operators to gather this information at a single location, cutting many of the expenses associated with vehicle maintenance, gas and hourly wages.

Remote automation is not only cost-effective, dependable, and safe, it enables owner/operators to be competitive in several ways:

  • It helps improve the efficiency of the system, allowing for real-time, or near real-time, information at regular intervals.
  • It produces data for analytics, which helps improve system performance, increase efficiencies and produce higher yields in a product.
  • It increases visibility into our systems, allowing us to adjust as necessary.

There is, however, a downside to these innovations in communications for ICS/SCADA, which is the need for greater enforcement of security at remote locations.

Challenges of Remote Communication Technologies

Putting high-speed, high-bandwidth connections in remote unmanned areas makes them ideal beachheads for an attack. Some sites can take hours to reach because of their remoteness and terrain, and they serve as an excellent foothold for an adversary because they have access to both enterprise and OT systems. The remoteness of the asset gives attackers ample time to come and go as needed.

At remote facilities, it is possible for someone to install micro-computing devices that can be left in place and go unnoticed for months, if not years, if the physical placement of equipment and site layout goes unaudited for a long period of time. On-premise equipment could be reloaded with weaponized or malicious code and leveraged against the owner/operator’s internal systems, giving the ability to cause major disruptions.

Placing more intelligent devices further out at remote locations – devices with far more computing power than those previously used – can give attackers better internal resources with which to attack our systems.

Today's broadband technology, in most cases, is some form of shared medium, meaning people with the right skill set and tools are capable of eavesdropping on others, making for insecure communications on systems that run critical real-time production.

One other key element many fail to consider when deploying communication technologies such as satellite or microwave is that many of these technologies are easy to remove and relocate. It is not uncommon for satellite dishes to go missing. Just think about what happens when the outdoor unit, dish and block upconverter (BUC), and the indoor unit (IDU) satellite modem go missing, and the relocated equipment still shows as online.

Another nefarious scenario is using these remote access points as an attack vector against a competitor or generating denial of service (DoS) attacks against others routed through the owner/operator’s network.

With all of these advances in communication technologies, older forms like frame relay or dedicated leased lines are largely no longer in use, and where they are, they are very expensive to maintain. But older technologies, being point-to-point in nature, do provide slightly more security at remote facilities than most of today's Internet-based communication technologies, which is why greater attention must be paid to the security, both physical and cyber, of remote communication technologies.

Securing Remote Communication Technologies

Physical security at these locations is difficult to maintain due to their remoteness, but cybersecurity and ensuring the traffic coming in from a field site is only that which is required – and nothing more – is an achievable, sustainable objective.

At Palo Alto Networks® we believe in and follow the best practices of Zero Trust networking. In the Zero Trust networking model, it is highly advised that access to and from remote assets be set in an entirely separate zone, and that communications be restricted to only the applications, ports, and protocols needed for the process.

By following this tactic, a company can minimize its attack surface and limit the exposure a breach of its communications link could cause. By zoning remote connections into a separate, isolated enclave restricted by application and user ID, the field of focus is narrowed, providing better visibility into attempts to use the sites' communications.

Unauthorized attempts to access the OT/IT networks would be painfully obvious in the logs, appearing as failed or dropped communication attempts, especially when contact is attempted with resources the zone has no need to communicate with. This would be a clear indicator of compromise (IoC) for that device or facility.
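The zoning and logging idea above, as an added example that is not part of the original post: a small triage script that checks sessions sourced from an isolated remote-communications zone against the zone's allowlist. The zone names, hosts, allowlist tuples and the simplified CSV log layout are all constructed for this example, not a vendor's native log format.

```python
import csv
import io
from collections import Counter

# Hypothetical allowlist for the isolated 'remote-comm' zone:
# (dst_zone, dst_ip, proto, dst_port, app). Only the process traffic belongs here.
ALLOWED = {
    ("ot-scada", "10.10.1.5", "tcp", 502, "modbus"),
    ("ot-scada", "10.10.1.9", "udp", 123, "ntp"),
}

# Constructed sample sessions in a simplified CSV layout (not a vendor log format).
SAMPLE_LOG = """ts,src_zone,src_ip,dst_zone,dst_ip,proto,dst_port,app,action
2016-06-21T01:00:00,remote-comm,172.16.50.2,ot-scada,10.10.1.5,tcp,502,modbus,allow
2016-06-21T01:00:05,remote-comm,172.16.50.2,ot-scada,10.10.1.9,udp,123,ntp,allow
2016-06-21T01:01:10,remote-comm,172.16.50.2,corp-it,10.20.0.15,tcp,445,smb,deny
2016-06-21T01:01:12,remote-comm,172.16.50.2,corp-it,10.20.0.16,tcp,445,smb,deny
2016-06-21T01:01:20,remote-comm,172.16.50.2,ot-scada,10.10.1.5,tcp,22,ssh,deny
2016-06-21T01:01:30,remote-comm,172.16.50.2,ot-scada,10.10.1.5,tcp,80,web,allow
2016-06-21T01:02:00,corp-it,10.20.0.7,ot-scada,10.10.1.5,tcp,502,modbus,allow
"""

def parse_log(text):
    """Parse the CSV text into a list of dict records."""
    return list(csv.DictReader(io.StringIO(text)))

def in_policy(rec):
    """True if the session matches one of the zone's allowed tuples."""
    key = (rec["dst_zone"], rec["dst_ip"], rec["proto"], int(rec["dst_port"]), rec["app"])
    return key in ALLOWED

def triage(records, zone="remote-comm"):
    """Split out-of-policy sessions from the remote zone into two buckets:
    'denied' - blocked attempts outside the allowlist (candidate IoC for the site)
    'gap'    - sessions the firewall allowed although the zone design does not
               need them (the rule base is looser than intended)."""
    denied, gap = [], []
    for r in records:
        if r["src_zone"] != zone or in_policy(r):
            continue
        (denied if r["action"] == "deny" else gap).append(r)
    return {"denied": denied, "gap": gap}

def offenders(denied):
    """Count denied attempts per (src_ip, dst_zone) so one remote device
    probing many hosts is obvious at a glance."""
    return Counter((r["src_ip"], r["dst_zone"]) for r in denied)
```

The 'gap' bucket is the check a practitioner wants alongside the IoC view: an allowed session that the zone design never called for means the rule base, not the attacker, is the first thing to fix.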

To learn about other useful strategies to help you better secure your ICS/SCADA/PCN networks, visit the ICS/SCADA industry page at paloaltonetworks.com and download our reference blueprint architecture for industrial control and SCADA systems.
