BlueKeep is a Warning for Industrial Automation Professionals Using PC-based Remote Access
For many control engineers, remotely accessing machine control systems means opening up a Remote Desktop session with a PC connected to the same network as the machine. While this is a simple and cheap way to get connectivity, these PC-based remote access solutions are especially risky for machine control applications. The recently published Windows Remote Desktop Services vulnerability (CVE-2019-0708), also known as “BlueKeep”, illustrates the dangers and hidden costs in the remote desktop approach.
First of all, if you are using Remote Desktop on Windows 7 or earlier PCs for access to any of your machines today, stop reading and go make sure that all of those PCs get the latest Microsoft patch right now. MITRE rates this vulnerability with a severity of 9.8 out of 10, as attackers could use this exploit to gain access to the entire network that the affected PC is connected to. Seriously, go check on those PCs.
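One way to check which of those PCs still need attention, as an added example that is not from the original post or from ProSoft: a read-only PowerShell inventory for a single Windows PC. The KB identifier is a placeholder for the Microsoft update that applies to that PC's Windows version, and the script assumes it is run as an administrator.

```powershell
# Added example, not from the original post or ProSoft Connect: a read-only
# inventory of one Windows PC for the conditions that make BlueKeep
# (CVE-2019-0708) relevant. Written for PowerShell 2.0 so it also runs on
# Windows 7 / Server 2008 R2; run it as an administrator on each PC.
# The KB identifier is a placeholder; substitute the Microsoft update that
# applies to the PC's Windows version before use.
$BlueKeepKB = 'KB<placeholder>'

function Get-BlueKeepExposure {
    $os = Get-WmiObject Win32_OperatingSystem
    # Windows 7 / Server 2008 R2 and earlier report NT version 6.1 or lower.
    $legacyOs = ([Version]$os.Version) -lt [Version]'6.2'

    # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ts = Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue
    $rdpEnabled = ($ts -ne $null -and $ts.fDenyTSConnections -eq 0)

    # RDP listener port (default 3389) from the RDP-Tcp WinStation key.
    $rdpTcp = Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -ErrorAction SilentlyContinue
    $rdpPort = 3389
    if ($rdpTcp -ne $null -and $rdpTcp.PortNumber) { $rdpPort = $rdpTcp.PortNumber }

    # netstat exists on every affected version; look for a LISTENING socket on that port.
    $listening = [bool](netstat -an | Select-String -Pattern (":$rdpPort\s+\S+\s+LISTENING"))

    # Get-HotFix reads installed Windows updates (Win32_QuickFixEngineering).
    $patched = [bool](Get-HotFix -Id $BlueKeepKB -ErrorAction SilentlyContinue)

    New-Object PSObject -Property @{
        Computer     = $env:COMPUTERNAME
        OSVersion    = $os.Version
        LegacyOS     = $legacyOs
        RdpEnabled   = $rdpEnabled
        RdpListening = $listening
        PatchFound   = $patched
        # Exposed only if it is an affected OS with RDP enabled and no patch found.
        AtRisk       = ($legacyOs -and $rdpEnabled -and -not $patched)
    }
}

Get-BlueKeepExposure | Format-List Computer, OSVersion, LegacyOS, RdpEnabled, RdpListening, PatchFound, AtRisk
```

Any PC reporting AtRisk = True should be patched (or have Remote Desktop disabled) before it is used for machine access again.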
Now that you’ve patched your PCs, let’s talk about a better approach to secure remote access for your automation equipment. Instead of connecting a PC to each machine and opening a port on that PC to the outside world, consider a product designed for industrial environments and applications that uses a dedicated remote access gateway instead. It is important to choose a product designed with a defense-in-depth approach to security. Defense-in-depth is a multilayered approach to security that takes into account the device, network, data, medium and policies.
Here are some of the reasons the dedicated gateway with defense-in-depth security is a better approach:
- Patches, patches, patches! When you deploy a PC, it’s critical to keep up with those security updates. While the corporate IT department typically takes care of this for enterprise PCs, the computers on the plant floor and those used by remote technicians may not fall under the regular IT update regime. Cloud-native solutions like ProSoft Connect™ do not rely on PC-installed software. Users are always on the most up-to-date version, so you don’t have to chase down all your technicians to make sure they’re updating the remote access client software on their PCs.
- Network segregation. Good security begins with good network design, and we’ve all heard about maintaining separation of plant floor and enterprise networks. However, when a PC is placed on the plant floor network and then tied in to the enterprise for Internet access, it presents an opportunity for an attacker to access either network. Dedicated, industrially hardened remote access gateways minimize the risk to enterprise networks. Make sure the gateway you choose has isolated WAN and LAN ports that are not “switched” together. That way, you can use the WAN port for Internet access, but a remote user cannot route back up into the enterprise network. Even better, an LTE cellular gateway eliminates the need to use the enterprise network at all.
- Oh, the software licenses! Using a PC-based solution like Remote Desktop means you need to maintain a licensed copy of all of your automation software products on that remote PC. You also need to take care to keep PLC program files synchronized between your office workstation and the remote box. Industrial remote access products allow you to use the software on your own computer, with a network connection to that remote PLC you need to work on. ProSoft Connect’s EasyBridge technology is the easiest way to connect, creating a Layer 2 network with the remote site. This means you don’t even have to configure routing connections in your PLC software, and automatic device discovery tools work just as if you’re plugged into the local machine network switch.
- Safety first. Finally, one often overlooked consideration in industrial remote access solutions is worker safety. That Remote Desktop connection gives the user the ability to do lots of things with the control system, and there is often no way for the local production personnel to know that a remote user is in the system. Dedicated industrial remote access solutions address this concern in various ways. ProSoft Connect remote access gateways allow the local user to enable and disable remote access through the HMI. Users can also set up virtual Lockout Tag-out (vLOTO™), which requires remote users to request and obtain time-limited access from designated plant personnel, who can approve or deny access based on whether it is safe to work on the machine.
Remote access to industrial automation systems is a real time-saver for controls engineers, and helps keep machines running. Modern threats like BlueKeep make it clear that PC-based remote access is not the safest solution. Instead, dedicated industrially-hardened secure remote access solutions like ProSoft Connect with vLOTO give automation professionals the access they need, with fewer security risks and better worker safety options.
For more information, see our white paper "Top factors to consider for remote connectivity to your Connected Enterprise in the cellular age".