Industrial control systems play a vital role in critical infrastructure. In the past, the risk to these systems was reduced by ensuring complete separation of operational domains from external networks and by limiting access to the control function to authorised users with physical access to a facility. Today, business demands have accelerated the interconnectivity of these once isolated systems. This new connectivity has empowered asset owners to maximise business operations and reduce costs associated with equipment monitoring, upgrading and servicing, whilst creating a new security paradigm for protecting control systems from cyber incidents.
Part of the security equation involves how operational assets are accessed and managed, and how the cyber security posture of a control system can be impacted if the management of remote access is not understood by the business or is conducted poorly. However, the application of proven and accepted remote access solutions may not map perfectly to control systems environments. Requirements for availability and integrity, combined with the unique nuances and attributes often found in ‘purpose built’ systems, drive new demand for guidance as it pertains to creating secure remote access solutions for industrial control systems environments.
This good practice document provides support for developing remote access solutions for industrial control systems. Common good practices from standard information technology solutions will be presented in the context of control systems environments, along with insight into how remote access solutions can be deployed in a manner that mitigates cyber risk unique to control systems architectures. The goal of this practice document is to provide guidance regarding the development of secure remote access strategies for industrial control systems environments.