Remote Access Device Sourcing Considerations for Security

Operational teams running industrial systems rely on remote access devices to do their jobs and rarely think about the non-technical and non-commercial considerations when buying. But recent history is telling us that where the device, and even components within the device, come from matters much more than we recognize.

Supply Chain Attacks Are Serious

Supply chain attacks are extremely popular with attackers because, by infiltrating one supplier, they can gain access to many end users. For example, Stuxnet was an effective supply chain attack that targeted PLCs used in a uranium enrichment program. NotPetya, which caused an estimated 10 billion USD in damage to organizations including Merck and Saint-Gobain, was distributed through tax preparation software. Most recently, SUNBURST gave back-door access to up to 18,000 organizations and was distributed through SolarWinds software. This has occurred many times, and will continue because of the payoff for the attacker.

Supply Chain Attacks to ICS Through Remote Access Devices

Considerations Before Buying

In situations where you aren’t (and can’t be) an expert, it’s wise to look at what experts are doing. In the case of security, one of these experts would be the U.S. Department of Defense. They plainly prohibit the purchase and use of devices, or contracting with providers who use devices, from certain foreign manufacturers because of risks in the supply chain. One DoD memo from July 2020 outlines this practice, and can be publicly viewed. A named company of significance is Huawei Technologies Company (and its subsidiaries and affiliates), because of the broad use of their chips, including in remote access devices, such as Tosibox.

So, one takeaway for the layperson here may be to buy domestic whenever possible. It should be noted that buying domestically manufactured products, and products that were designed with deep layers of security, is not done easily and usually requires a pricing premium, but is undoubtedly worth the cost to the user, especially for remote access to industrial systems.

Beyond supply chain risks, there are many technical and organizational considerations when implementing remote access. I explored these within a work group with The Organization for Machine Automation and Control (OMAC), which then published a Practical Guide for Remote Access to Plant Equipment that I’d recommend reading.

The views expressed here are the author’s own. This article is a product of the International Society of Automation (ISA) Smart Manufacturing & IIoT Division.

About the Author

As Grantek’s leader in the space, Jacob maintains involvement and leadership positions in international societies and standards bodies, including the Cybersecurity Committee Chair of ISA’s Smart Manufacturing & IIoT Division, a Registered U.S. Expert to TC65 of the IEC, and a member of the ISA99 standards development committee.

Originally published at https://blog.isa.org.

The International Society of Automation (isa.org) is a non-profit professional association founded in 1945 to create a better world through automation.