10 October 2024

New Technology: Hardware-Enforced OT Remote Access

By Andrew Ginter, VP Industrial Security, Waterfall Security Solutions

The recent CISA / FBI / CertNZ / CCCS Guidance Modern Approaches to Network Access Security talks about securing OT systems and mentions some newer technology that not all practitioners may be familiar with. In this article we introduce OT-centric hardware-enforced remote access technology and look at how it compares with conventional software-based remote access security systems.

“Secure” Remote Access

Before we begin though, credit where credit is due: CISA and their partners did not name their guidance document “Secure Remote Access.” This is a big improvement over other guidance that has been issued in recent years, because of course nothing is secure. Security is not a binary yes/no thing – like safety, security is a spectrum. We can always be more secure, or less secure, so the question “are you secure?” is about as useful as “are you safe?”.

Beware anyone using “secure” as an adjective: “secure” communications, “secure” remote access, “secure” boot. Most such people are selling something or have just bought a bill of goods. So again, kudos to CISA and partners for getting this right.

OT Remote Access

The CISA et al document lays out some serious problems with conventional VPN-based and even 2FA-based remote access systems, and recommends that owners and operators look at more modern alternatives. For the most consequential OT systems, the document recommends hardware-enforced network segmentation “where cyber operations pose credible threats to public safety, national security, and critical functions.” The document recommends three kinds of hardware-enforced remote access:

Technologies #1 and #3 have been around for a long time and are widely available from a variety of vendors. The more complicated-sounding #2 is newer.

Independent Channels

What does “independent channels” mean for hardware-enforced remote access (HERA) to OT systems? This newer technology is designed to address the risks inherent in conventional software-enforced remote access mechanisms. For example: what happens if an attacker steals a password for a firewall and adds an “allow all” rule? Or exploits a vulnerability in a VPN server or jump host? Such attacks generally give the attacker the ability to use the compromised equipment to launch cyber-sabotage attacks on sensitive OT network targets.

With the “independent channels” approach, the remote access server at the protected OT site consists of two full unidirectional gateways. Each gateway has two CPUs in it, one on the Internet-facing side and one on the OT-facing side. And each gateway of course has the unidirectional hardware between those two CPUs: one gateway sends screen images out of the OT network, and the other sends keystroke and mouse movements (KMM) into the OT network. The unusual part of this design is how the encryption and the hardware work together.

Encrypted Mouse Movements

To understand this cooperation, consider a HERA session. A remote user launches a HERA application on their desktop or laptop and chooses one of the configured OT destinations. The app runs only on computers equipped with Trusted Platform Module (TPM) hardware – this is hardware-enforced protection for encryption keys. The app uses the TPM to encrypt two standard TLS connections to the HERA gateway at the protected OT site. One connection sends encrypted keystroke and mouse movement (KMM) information, and the other receives screen images. The remote user sees the image of a virtual machine (VM) or a jump host screen come up, and the user is challenged for a username and password. This constitutes two-factor authentication (2FA), with the encryption credentials stored in the laptop’s TPM hardware being the second factor.

At this point, the user can move the mouse and type on the keyboard. The HERA app encrypts each keystroke and each mouse movement – this time using a different key in the TPM hardware. The app sends the encrypted KMM inside the encrypted TLS connection into the HERA gateway.

The Internet-exposed CPU on the HERA gateway decrypts the TLS connection using its own TPM but does not have the keys to decrypt the encrypted KMM. So, the Internet-exposed CPU sends the still-encrypted KMM through the one-way hardware into the OT CPU in the HERA device. That hardware contains an ASIC that looks at every message passing into the OT-connected CPU and permits only HERA-encrypted messages to pass. The OT CPU, which holds the TPM keys for the HERA layer, decrypts the KMM data and sends the decrypted keystrokes and mouse movements into the remote user’s virtual session. The virtual mouse moves, keystrokes are consumed by the VM, and new screen images are sent back to the user.

How Secure Is This?

What does this mean security-wise? Consider a worst-case attack. An attacker reaches across the Internet and uses a zero-day vulnerability or other exploit to compromise both Internet-facing CPUs in the HERA gateway. What is the worst that can happen? Well, the attacker can interrupt the flow of screen images and KMM. But – can the attacker send arbitrary attack messages into the OT network to propagate the attack further into the network? No. The outbound gateway hardware lets nothing back in, and the HERA inbound gateway hardware lets only encrypted KMM messages back in. And if the attacker tries to forge keystrokes and mouse movements, it does not work, because the compromised CPU does not have the keys to encrypt and authenticate keystrokes. Those keys are on the protected OT-resident CPU.
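The following Python model is an added illustration of the two-layer keystroke path described in the “Encrypted Mouse Movements” section and of the worst-case argument just made; it is not code from this article or from Waterfall. It assumes toy constructions throughout: the “TLS” layer is a simple encrypt-then-MAC stand-in rather than real TLS, the TPM-held keys are plain byte strings, the ASIC is modelled as a framing check, and the `HERA` wire marker, the function names and the sample KMM events are all constructed for the example. What it demonstrates is key separation: the Internet-facing CPU can strip the outer layer but cannot forge, alter or inject inner-layer KMM messages that the OT CPU will accept.

```python
"""Toy model of HERA's inbound KMM path (constructed example)."""
import hashlib
import hmac
import os
import struct
from typing import Optional

MAGIC = b"HERA"   # constructed framing marker the toy one-way filter looks for
NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher built from SHA-256(key || nonce || counter).
    # A real product would use a standard AEAD; this keeps the model stdlib-only.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes, header: bytes = b"") -> bytes:
    """Encrypt-then-MAC: header || nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, header + nonce + ct, hashlib.sha256).digest()
    return header + nonce + ct + tag


def unseal(key: bytes, blob: bytes, header: bytes = b"") -> Optional[bytes]:
    """Verify the tag before decrypting; None on any framing or auth failure."""
    if not blob.startswith(header) or len(blob) < len(header) + NONCE_LEN + TAG_LEN:
        return None
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None
    nonce = body[len(header):len(header) + NONCE_LEN]
    ct = body[len(header) + NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# Constructed keys. KMM_KEY exists only in the client's TPM and the OT CPU's TPM;
# TLS_KEY is the session key shared between the client and the Internet-facing CPU.
KMM_KEY = os.urandom(32)
TLS_KEY = os.urandom(32)


def client_send(event: bytes) -> bytes:
    """Remote HERA app: encrypt the KMM event, then wrap it in the TLS layer."""
    return seal(TLS_KEY, seal(KMM_KEY, event, header=MAGIC))


def internet_facing_cpu(wire: bytes) -> Optional[bytes]:
    """Edge CPU: terminates TLS and forwards the still-encrypted KMM blob."""
    return unseal(TLS_KEY, wire)


def one_way_filter(msg: Optional[bytes]) -> Optional[bytes]:
    """Model of the inbound ASIC: only HERA-framed messages pass; all else is dropped."""
    if msg is None or not msg.startswith(MAGIC) or len(msg) < len(MAGIC) + NONCE_LEN + TAG_LEN:
        return None
    return msg


def ot_cpu(msg: Optional[bytes]) -> Optional[bytes]:
    """OT-side CPU: the only party besides the client that holds KMM_KEY."""
    return None if msg is None else unseal(KMM_KEY, msg, header=MAGIC)


def deliver(wire: bytes) -> Optional[bytes]:
    """Full inbound path: Internet-facing CPU -> one-way filter -> OT CPU."""
    return ot_cpu(one_way_filter(internet_facing_cpu(wire)))


def honest_session(event: bytes = b"KEY:Enter") -> Optional[bytes]:
    return deliver(client_send(event))


def compromised_edge_raw_packet() -> Optional[bytes]:
    """Owned edge CPU pushes an arbitrary packet: dropped by the filter, never reaches OT."""
    return ot_cpu(one_way_filter(b"arbitrary OT protocol packet"))


def compromised_edge_forged_kmm() -> Optional[bytes]:
    """Owned edge CPU fakes a correctly framed KMM message with a key it does not have.
    Framing passes the filter; the OT CPU rejects it because the tag is wrong."""
    return ot_cpu(one_way_filter(seal(os.urandom(32), b"KEY:Delete", header=MAGIC)))


def compromised_edge_tampers(event: bytes = b"KEY:a") -> Optional[bytes]:
    """Owned edge CPU flips one ciphertext bit of a genuine keystroke in transit."""
    inner = internet_facing_cpu(client_send(event))
    idx = len(MAGIC) + NONCE_LEN  # first ciphertext byte
    tampered = inner[:idx] + bytes([inner[idx] ^ 0x01]) + inner[idx + 1:]
    return ot_cpu(one_way_filter(tampered))


if __name__ == "__main__":
    print("honest:", honest_session())
    print("raw packet:", compromised_edge_raw_packet())
    print("forged KMM:", compromised_edge_forged_kmm())
    print("tampered KMM:", compromised_edge_tampers())
```

The design choice worth noticing is that the filter and the OT CPU enforce two different things: the filter is a format check (it admits anything that looks HERA-framed, including a forgery), while the OT CPU's tag verification is what actually rejects forged or altered input. Neither check depends on the Internet-facing CPU being trustworthy. The model has no replay protection; the article does not describe that aspect, and a real deployment would need to account for it separately.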

Contrast this with a firewall and software-based remote access solution. Exploit unpatched vulnerabilities in the firewall, VPN server or a complex remote access protocol server and we are in serious trouble. The attacker can reach through the compromised system software and send whatever messages they wish into the OT network to wreak havoc there. Yes, an attack on HERA’s Internet-exposed CPUs can cause the remote access solution to become inoperative, but at most sites this is an inconvenience, not a serious incident. At most sites, remote access saves a little money by reducing travel costs – remote access is generally not required to assure minute-by-minute safe, correct or continuous operation of the industrial process.

Bottom Line

Fully interactive HERA is something new in the world. It is more secure than software-based solutions and unlike unidirectional remote screen view or time-limited bidirectional solutions, HERA requires no action by or support from personnel at the protected OT site to open or close sessions. This new kind of technology fills a gap between the high end of conventional software-based remote access, and the low end of conventional unidirectional hardware-enforced remote access – fully independent and interactive remote access, with stronger security than software-based systems.

For more information on HERA, please connect on LinkedIn, or visit the Waterfall booth at the Industrial Security Conference Copenhagen to chat – I will be there signing books.