Our vendors need to remote into our systems for troubleshooting, but giving them a standard VPN into the whole network is a huge security risk. How are you guys managing "Just-in-Time" access for external technicians? We need to record their sessions and ensure they can only touch the specific machine they are assigned to fix.
3 answers
You should move away from traditional VPNs to a "Secure Remote Access" (SRA) platform designed specifically for OT. These platforms act as a proxy. Instead of the vendor being "on the network," they log into a portal where they can see only the specific HMIs or workstations they have permission for. You can enforce "Request and Approve" workflows so their access only lasts for 4 hours. Most importantly, these systems provide full RDP/SSH session recording. If a vendor accidentally changes a setpoint that causes a machine to overheat, you have the video evidence to see exactly what they did and when they did it.
Are these SRA solutions easy to integrate with our existing Active Directory, or do we have to manage a whole new set of credentials for every vendor?
Multi-Factor Authentication (MFA) is non-negotiable here. Even if a vendor's laptop is compromised, the MFA requirement prevents an attacker from using their saved credentials to enter your plant.
Agreed, Nancy. We had a vendor with a leaked password last month, and our MFA was the only thing that stopped a potential breach of our water treatment controls.
Joseph, most of them integrate via SAML or LDAPS. To answer your question, you can keep your AD as the source of truth but use the SRA tool to manage the specific "roles." This keeps the user management centralized while the "permissions" stay granular for the factory floor.