The issue of remote access to the data of an industrial automation and control system is not new.
For years, plant managers have studied ways for managers, operators, maintenance technicians, system integrators and business partners to access valuable real-time information.

Industry 4.0, IIoT, globalization, TPM maintenance, just-in-time manufacturing and similar trends have created a need for low-latency remote access to machine and plant data, in industry and utilities alike, often over unreliable networks and for users who are only partly trusted.

For example, a manufacturer may want to share some of its manufacturing information with a remote supplier within its supply chain, but not provide access to the manufacturing system or its entire database.

Here are some security issues that have arisen from this need for remote access to real-time data:

  • Exposure to Internet attacks. When a user is allowed to access the plant's control and automation system remotely, the attack surface of the network naturally grows, because malicious actors can also try to reach the system.
  • Exposure to attacks from the IT network. If you allow a user to access your system remotely, you also risk exposing the network infrastructure of the company's IT system. The plant network should be a subnet within the larger corporate network, and access to the plant network is often via the IT infrastructure. As a result, certain types of problems in the IT network could interrupt the normal flow of data on the plant network. It is therefore advisable to separate IT and OT networks as much as possible.
  • Remote access without data access limitation. Giving a remote user access to a desktop, with VNC, TeamViewer or Microsoft RDP, means that a curious (or malicious) user may attempt to reach programs and data beyond what is intended. Even if the user is trusted, if their PC is already compromised the RAT (Remote Access Tool) becomes a point of attack on the OT/IT network.
  • Exposure of a portion of the OT network. Some plants have chosen to use VPN (Virtual Private Network) connections to limit Internet attacks. However, a VPN effectively puts all participants on one local subnet, which gives participating machines direct access to one another. Compromising any machine on that network (onsite or remote) gives an attacker the opportunity to reach the plant network through the VPN.
  • High costs. VPNs, RATs, firewalls and routers require constant expertise, attention and commitment from IT staff. This cost increases as the number of network participants grows.

Skkynet DataHub within the corporate perimeter

What can be done with Skkynet and SkkyHub?

Skkynet, with SkkyHub™, provides an effective solution to the traditional security problems of remote access to plant data.

Here is how:

  • Protection from Internet attacks/accidents. With SkkyHub by Skkynet, an Agent installed within the OT network collects information from the system and sends it to Skkynet's real-time data servers. Since this connection is outgoing only, from the plant to the Internet, no incoming TCP ports need to be opened in the firewall, and therefore the plant OT network is not exposed to attacks or incidents from the Internet.
  • Protection from attacks/incidents originating from the IT network. It is good practice to isolate the plant from the IT network, as the ISA/IEC 62443 standard also prescribes, using firewalls and/or routers that only allow outgoing connections from the plant to the IT network, through a DMZ (De-Militarized Zone). With the SkkyHub service, the IT network can be treated as an "untrusted" connection to the plant, with an additional firewall placed between the two networks that allows no incoming connections to the OT network. Outages on the IT network will not affect the flow of data within the plant network, although they may affect the flow of data from the plant to the Skkynet service. The plant remains safe and operational even if remote access to data is interrupted or degraded in performance.
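The outbound-only zoning described in the two points above can be checked against a small model of a stateful zone firewall. The following Python is an added example, not Skkynet code or configuration; the zone names, the "next hop only" rule (OT may initiate only to the DMZ, the DMZ only to IT, IT only to the Internet) and the sample addresses are assumptions made for illustration.

```python
"""Stateful zone-firewall model (added example, not Skkynet's own code).

Policy modelled: a new connection may only be initiated one hop "outward"
(OT -> DMZ -> IT -> INTERNET).  Replies that belong to a flow the firewall
has already accepted are allowed back in, as a connection-tracking firewall
does.  Every other packet, including any connection initiated towards OT,
is dropped.  Zone names and ranks are an assumption for this example.
"""
from dataclasses import dataclass

ZONE_RANK = {"OT": 0, "DMZ": 1, "IT": 2, "INTERNET": 3}


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: str  # "ip:port" of the sender
    dst: str  # "ip:port" of the receiver


class ZoneFirewall:
    def __init__(self):
        # Connection-tracking table: (initiator, responder) of accepted flows.
        self._established = set()

    def filter(self, pkt: Packet) -> str:
        # Traffic in either direction of an already-accepted flow is allowed.
        if (pkt.src, pkt.dst) in self._established or (pkt.dst, pkt.src) in self._established:
            return "ACCEPT"
        # A new flow is accepted only if it goes exactly one zone outward.
        if ZONE_RANK[pkt.src_zone] + 1 == ZONE_RANK[pkt.dst_zone]:
            self._established.add((pkt.src, pkt.dst))
            return "ACCEPT"
        # Default deny: inbound initiations and zone-skipping connections.
        return "DROP"


def run_sample() -> list:
    """Replays a few constructed packets and returns the verdicts in order."""
    fw = ZoneFirewall()
    agent, proxy, it_host = "10.0.1.5:50000", "10.0.2.10:443", "10.0.3.7:4444"
    sample = [
        Packet("OT", "DMZ", agent, proxy),          # agent opens outbound session
        Packet("DMZ", "OT", proxy, agent),          # reply on that session
        Packet("IT", "OT", it_host, "10.0.1.5:502"),  # inbound attempt towards a PLC port
        Packet("OT", "INTERNET", agent, "203.0.113.9:443"),  # OT skipping the DMZ
    ]
    return [fw.filter(p) for p in sample]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The model is deliberately strict about the hop rule so that the plant never reaches the Internet directly, even outbound; in a real deployment the same intent is expressed with firewall rules that accept only new connections from the OT interface to the DMZ host and established/related traffic back.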

SkkyHub by Skkynet for secure remote access

With SkkyHub by Skkynet we have a solution to the traditional security problems of remote access to plant data.

Here are some details for data and access security:

  • Access only to necessary/requested data. Through SkkyHub, plant personnel decide which data to make available remotely. Plant managers can choose any subset of the data produced by machines and plants and make it available to remote users in an orderly, organized manner. Each group can have its own restricted read/write permissions based on the remote user name and the IP address from which the remote user connects. The remote user cannot in any way extend their access to data beyond what the plant manager has decided.
  • No exposure beyond the defined portion of the plant network. The SkkyHub service does not create a VPN or any kind of generic network structure. It only makes a TCP connection for data transmission. As a result, no participating machine is ever exposed to another via a local network or VPN. Data can be routed through network proxies, data proxies and DMZ servers to ensure that the plant network never has a direct connection to the Internet, even for outgoing connections. Systems participating in the Skkynet service never share a network or subnet.
  • Limited and scalable costs. SkkyHub solves many security problems, thus substantially reducing implementation costs and offloading effort (and responsibility) from IT. Often a plant can install the Skkynet service without any changes to the existing IT infrastructure: there is no need to draw on additional IT expertise or install other equipment on the network. Often the only cost is the time for configuring the Skkynet Agent (simple and within the reach of personnel with minimal IT/OT skills) and the Skkynet service itself, with a periodic fee and well-defined costs.
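The first point above, a plant-side publisher that exposes only a chosen subset of tags and grants each group read/write rights per user name and source IP, is the kind of check worth seeing in code. The Python below is an added example written for this page, not SkkyHub's implementation or API; the group layout, user names, networks and tag values are constructed for illustration.

```python
"""Per-group data permissions keyed by user name and source address.

Added example, not Skkynet code.  Models the rule that a remote user can
only ever see the tags the plant manager placed in a group, and only from
the networks granted to that user.  Everything is deny-by-default.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupPolicy:
    tags: frozenset        # tag names published through this group
    readers: dict          # user name -> tuple of allowed source networks (CIDR)
    writers: dict          # same shape, for write access


class DataGateway:
    def __init__(self, points: dict, groups: dict):
        self._points = points   # the full plant dataset, never exposed directly
        self._groups = groups   # group name -> GroupPolicy

    @staticmethod
    def _permitted(acl: dict, user: str, src_ip: str) -> bool:
        addr = ipaddress.ip_address(src_ip)
        # Unknown user or address outside every granted network -> denied.
        return any(addr in ipaddress.ip_network(net) for net in acl.get(user, ()))

    def read(self, group: str, user: str, src_ip: str) -> dict:
        policy = self._groups.get(group)
        if policy is None or not self._permitted(policy.readers, user, src_ip):
            raise PermissionError(f"read denied: group={group} user={user} from {src_ip}")
        # Only the group's tags are copied out; other plant data stays invisible.
        return {tag: self._points[tag] for tag in policy.tags if tag in self._points}

    def write(self, group: str, user: str, src_ip: str, tag: str, value) -> None:
        policy = self._groups.get(group)
        if policy is None or tag not in policy.tags:
            # A tag outside the group is treated as non-existent, not as a hint.
            raise PermissionError(f"write denied: tag {tag!r} not in group {group!r}")
        if not self._permitted(policy.writers, user, src_ip):
            raise PermissionError(f"write denied: group={group} user={user} from {src_ip}")
        self._points[tag] = value


def build_demo_gateway() -> DataGateway:
    """Constructed plant data and groups for the example (not real values)."""
    points = {
        "line1/throughput": 412.0,
        "line1/setpoint": 420.0,
        "line2/throughput": 377.5,
        "boiler/pressure": 9.8,
    }
    groups = {
        # Supplier may read line 1 only, and only from its office network.
        "supplier": GroupPolicy(
            tags=frozenset({"line1/throughput", "line1/setpoint"}),
            readers={"acme-supplier": ("198.51.100.0/24",)},
            writers={},
        ),
        # Maintenance may read and adjust line 1 from the corporate VPN pool.
        "maintenance": GroupPolicy(
            tags=frozenset({"line1/throughput", "line1/setpoint"}),
            readers={"maint-tech": ("10.50.0.0/16",)},
            writers={"maint-tech": ("10.50.0.0/16",)},
        ),
    }
    return DataGateway(points, groups)


if __name__ == "__main__":
    gw = build_demo_gateway()
    print(gw.read("supplier", "acme-supplier", "198.51.100.23"))
```

Note that a denied request for a tag outside the group fails the same way whether or not the tag exists, so a remote user cannot enumerate the rest of the dataset by probing names.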

Skkynet technology follows industry best practices by using SSL connections for all Internet traffic and secure (trusted) connections with the use of certificates. This improves security for the OT network and Industrial IoT and protects against many threats, including OT network snooping and man-in-the-middle attacks.
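What "SSL connections with certificates" means for the outbound-only Agent is that the client verifies the server's certificate against a trusted CA, checks the host name, and refuses old protocol versions, optionally presenting its own client certificate so the server can verify it too. The following Python is an added example of such a client-side setup using the standard `ssl` module; it is not the Skkynet Agent's code, and the host name, port and file paths are placeholders.

```python
"""Outbound-only TLS client setup with mandatory server verification.

Added example, not Skkynet code.  Builds the ssl.SSLContext an agent in the
OT network would use when it initiates its connection towards the data
service: CA verification and host-name checking are mandatory, TLS 1.2 is
the floor, and an optional client certificate lets the server authenticate
the agent as well.  Host, port and paths below are placeholders.
"""
import hashlib
import socket
import ssl


def build_agent_tls_context(ca_file=None, client_cert=None, client_key=None) -> ssl.SSLContext:
    # create_default_context() already enables CERT_REQUIRED and check_hostname;
    # the explicit assignments below make the intent visible and auditable.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        # Mutual TLS: the agent proves its identity with its own certificate.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, as used for optional pinning."""
    return hashlib.sha256(der_cert).hexdigest()


def connect_outbound(host: str, port: int, ctx: ssl.SSLContext, pinned_fp: str = None):
    """Opens the agent's outbound session; the plant firewall needs no inbound port.

    If a pinned fingerprint is given, the connection is closed unless the
    server certificate matches it exactly.
    """
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    if pinned_fp is not None:
        seen = cert_fingerprint(tls.getpeercert(binary_form=True))
        if seen != pinned_fp.lower():
            tls.close()
            raise ssl.SSLError(f"server certificate fingerprint mismatch: {seen}")
    return tls


if __name__ == "__main__":
    # Placeholder endpoint; a real agent would use the service's host name.
    context = build_agent_tls_context()
    print(context.verify_mode, context.check_hostname, context.minimum_version)
```

The fingerprint check is an extra layer on top of CA validation, not a replacement for it: host-name verification is what defeats a man-in-the-middle presenting a valid certificate for some other name.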

Below are some examples of architectures built with Skkynet.
