Cyber Security

How do we implement Secure Remote Access for third-party vendors in an OT environment?

BR Asked by Brian Mitchell · 14-07-2024
0 upvotes 11,099 views 0 comments
The question

Our vendors need to remote into our systems for troubleshooting, but giving them a standard VPN into the whole network is a huge security risk. How are you guys managing "Just-in-Time" access for external technicians? We need to record their sessions and ensure they can only touch the specific machine they are assigned to fix. 

3 answers

0
MA
Answered on 20-08-2024

You should move away from traditional VPNs to a "Secure Remote Access" (SRA) platform designed specifically for OT. These platforms act as a proxy. Instead of the vendor being "on the network," they log into a portal where they can see only the specific HMIs or workstations they have permission for. You can enforce "Request and Approve" workflows so their access only lasts for 4 hours. Most importantly, these systems provide full RDP/SSH session recording. If a vendor accidentally changes a setpoint that causes a machine to overheat, you have the video evidence to see exactly what they did and when they did it. 

0
JO
Answered on 25-08-2024

Are these SRA solutions easy to integrate with our existing Active Directory, or do we have to manage a whole new set of credentials for every vendor? 

PA 30-08-2024

Joseph, most of them integrate via SAML or LDAPS. To answer your question, you can keep your AD as the source of truth but use the SRA tool to manage the specific "roles." This keeps the user management centralized while the "permissions" stay granular for the factory floor.

0
NA
Answered on 05-09-2024

Multi-Factor Authentication (MFA) is non-negotiable here. Even if a vendor's laptop is compromised, the MFA requirement prevents an attacker from using their saved credentials to enter your plant. 

BR 10-09-2024

Agreed, Nancy. We had a vendor with a leaked password last month, and our MFA was the only thing that stopped a potential breach of our water treatment controls.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session