chris - Fotolia

Problem solve Get help with specific problems with your technologies, process and projects.

Manage vendor access for industrial control systems security

Industrial control systems should be securely managed by the enterprise, specifically when vendors need access to them. Here are some ways to handle industrial control systems security.

Does your company have explicit rules and expectations for vendors to follow when they connect to your industrial...

controls via remote connection or while on-site? What about their on-site use of 802.11x and other wireless standards? These can be risky for the factory or power plant if the vendor "touches" the industrial control systems without some added controls and discipline.

There are a few ways to help better protect industrial control systems, as well as other systems from undisciplined vendor access.

Vendor on-site

When a vendor arrives on-site -- and before it begins working on the industrial control systems -- take some time to review your expectations for vendor security performance. Some key considerations for industrial control systems security include:

  • Portable media and laptops: Before using any portable media (e.g., USB drives) or attaching laptops to your industrial control systems, ensure the portable media has been verified as "clean," i.e., without any malware. Check that laptops have antivirus installed, the signatures are up to date, and a virus scan has been run before connecting either by direct cable or via wireless.
  • Overall, the vendor can be your friend and very helpful for a company; however, it can also create many security problems unless you set the expectations and security requirements.
    Wireless hot spots: There are too many instances of vendors bringing their own wireless access points to the job site and connecting them to the nearest Internet connection -- which can often be the enterprise network jacks. Be sure the vendors know they cannot attach any devices to your enterprise or production network without explicit -- preferably written -- permission. And, if they do set up an access point, key security requirements for broadcast IDs (i.e., SSID) and passwords need to be implemented. Default passwords should not be allowed and should be changed regardless of where the access point is connected.
  • Change control: Remind the vendor that all changes to industrial control systems need to be preapproved by your on-site point of contact. Do not allow the vendor to make changes without discussing the expected impacts and ensuring a back-out plan is ready to be implemented.

Vendor remotes in

Often the vendor expects access to equipment and systems via remote dial-up or via the Internet. If done incorrectly, this can result in serious security problems for the enterprise. Here are some ways to handle the industrial control systems security risks posed by remote vendor access:

  • Best means of remote access: The best and most secure means of establishing remote access for the vendor is via a virtual private network (VPN). This VPN should be set up to have the initial touch-point, either in the enterprise network or DMZ, but not directly to the production network. The VPN should be encrypted or tunneled with SSL or other stronger means. Also, require the vendor to use two-factor authentication.
  • Controlling vendor access: Some organizations use a "timer" approach that only allows vendor access for a preset duration. Also, some vendor access is only permitted with select plant personnel permission. Ad hoc vendor access without the plant's knowledge is discouraged.
  • Vendor personnel: What if a vendor's employee is terminated for cause? Should you as a plant operator be aware? The answer is "yes." Your contract terms and conditions should require the vendor to inform your plant point of contact when a vendor employee who previously had access to the remote connection is let go -- especially for cause. This can help avoid "accidental" access if you assume the vendor contact is still employed by the company.

Set vendor requirements to avoid pitfalls

Overall, the vendor can be your friend and very helpful for a company; however, it can also create many industrial control systems security problems unless you set expectations and security requirements. Simple actions with portable media can be highly destructive if not checked for malware. And remote access needs to be via VPN with strong authentication and via the enterprise network or DMZ.

Excellent guidance in this area is included in the National Institute of Standards and Technology Special Publication SP800-82, Revision 2, Guide to Industrial Control Systems (ICS) Security.

Next Steps

Find out why enterprises need to implement ICS security training and take a closer look at the development of the ICS security framework

Learn about the evolution of the ICS guide NIST SP800-82

This was last published in November 2015

Dig Deeper on Security vendor mergers and acquisitions