Does your company have explicit rules and expectations for vendors to follow when they connect to your industrial controls via remote connection or while on-site? What about their on-site use of 802.11x and other wireless standards? These can be risky for the factory or power plant if the vendor "touches" the industrial control systems without some added controls and discipline.
There are a few ways to better protect industrial control systems, as well as other systems, from undisciplined vendor access.
When a vendor arrives on-site -- and before it begins working on the industrial control systems -- take some time to review your expectations for vendor security performance. Some key considerations for industrial control systems security include:
- Portable media and laptops: Before using any portable media (e.g., USB drives) or attaching laptops to your industrial control systems, ensure the portable media has been verified as "clean," i.e., without any malware. Check that laptops have antivirus installed, the signatures are up to date, and a virus scan has been run before connecting either by direct cable or via wireless.
- Change control: Remind the vendor that all changes to industrial control systems need to be preapproved by your on-site point of contact. Do not allow the vendor to make changes without discussing the expected impacts and ensuring a back-out plan is ready to be implemented.
Vendor remotes in
Often the vendor expects access to equipment and systems via remote dial-up or via the Internet. If done incorrectly, this can result in serious security problems for the enterprise. Here are some ways to handle the industrial control systems security risks posed by remote vendor access:
- Best means of remote access: The best and most secure means of establishing remote access for the vendor is via a virtual private network (VPN). Set up this VPN so that its initial touch-point is in either the enterprise network or the DMZ, not directly in the production network. The VPN should be encrypted or tunneled with SSL or other stronger means. Also, require the vendor to use two-factor authentication.
- Controlling vendor access: Some organizations use a "timer" approach that only allows vendor access for a preset duration. Also, some vendor access is only permitted with select plant personnel permission. Ad hoc vendor access without the plant's knowledge is discouraged.
- Vendor personnel: What if a vendor's employee is terminated for cause? Should you as a plant operator be aware? The answer is "yes." Your contract terms and conditions should require the vendor to inform your plant point of contact when a vendor employee who previously had access to the remote connection is let go -- especially for cause. This can help avoid "accidental" access if you assume the vendor contact is still employed by the company.
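The remote-access rules above (VPN entry point, two-factor authentication, timed and approved access, terminated vendor staff) can be checked against VPN session records. The following Python is an added example, not part of the original article; the record fields, the four-hour limit, the finding names and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values for illustration; take real ones from your vendor contract.
MAX_WINDOW = timedelta(hours=4)              # longest "timer" window allowed
ALLOWED_ENTRY_ZONES = {"enterprise", "dmz"}  # VPN must not land in production

@dataclass
class Grant:                 # one pre-approved access window
    vendor_user: str
    approved_by: str         # plant contact; empty string means nobody approved
    start: datetime
    end: datetime

@dataclass
class Session:               # one observed vendor VPN session
    vendor_user: str
    entry_zone: str
    two_factor: bool
    login: datetime
    logout: datetime

def audit(s, grants, offboarded):
    """Return the list of policy findings for one vendor VPN session."""
    findings = []
    if s.entry_zone not in ALLOWED_ENTRY_ZONES:
        findings.append("vpn-lands-outside-enterprise-or-dmz")
    if not s.two_factor:
        findings.append("no-two-factor")
    if s.vendor_user in offboarded:   # vendor reported this employee as let go
        findings.append("user-reported-terminated")
    approved = [g for g in grants if g.vendor_user == s.vendor_user and g.approved_by]
    if not approved:
        findings.append("no-plant-approval")
    elif not any(g.start <= s.login and s.logout <= g.end
                 and g.end - g.start <= MAX_WINDOW for g in approved):
        findings.append("outside-timed-window")
    return findings

# Constructed sample data (not real logs).
T = datetime(2024, 1, 10, 8, 0)
GRANTS = [Grant("vendor_a", "plant_poc", T, T + timedelta(hours=2)),
          Grant("vendor_b", "", T, T + timedelta(hours=2))]
OFFBOARDED = {"vendor_c"}
SESSIONS = [
    Session("vendor_a", "dmz", True, T + timedelta(minutes=5), T + timedelta(hours=1)),
    Session("vendor_a", "dmz", True, T + timedelta(hours=1), T + timedelta(hours=3)),
    Session("vendor_b", "production", False, T, T + timedelta(hours=1)),
    Session("vendor_c", "enterprise", True, T, T + timedelta(minutes=30)),
]
FINDINGS = [audit(s, GRANTS, OFFBOARDED) for s in SESSIONS]
```
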
Set vendor requirements to avoid pitfalls
Overall, the vendor can be your friend and very helpful to your company; however, it can also create many industrial control systems security problems unless you set expectations and security requirements. Simple actions with portable media can be highly destructive if the media is not checked for malware. And remote access needs to be via VPN with strong authentication and via the enterprise network or DMZ.
Excellent guidance in this area is included in the National Institute of Standards and Technology Special Publication SP800-82, Revision 2, Guide to Industrial Control Systems (ICS) Security.