{"id":2585,"date":"2024-10-10T15:53:49","date_gmt":"2024-10-10T13:53:49","guid":{"rendered":"https:\/\/insightevents.dk\/isc-cph\/?p=2585"},"modified":"2024-10-10T15:53:49","modified_gmt":"2024-10-10T13:53:49","slug":"new-technology-hardware-enforced-ot-remote-access","status":"publish","type":"post","link":"https:\/\/insightevents.dk\/isc-cph\/2024\/10\/10\/new-technology-hardware-enforced-ot-remote-access\/","title":{"rendered":"New Technology: Hardware-Enforced OT Remote Access"},"content":{"rendered":"<p><em>By Andrew Ginter, VP Industrial Security, Waterfall Security Solutions<\/em><\/p>\n<p>The recent CISA \/ FBI \/ CertNZ \/ CCCS Guidance <a href=\"https:\/\/www.cisa.gov\/resources-tools\/resources\/modern-approaches-network-access-security\"><em>Modern Approaches to Network Access Security<\/em><\/a> talks about securing OT systems and mentions some newer technology that not all practitioners may be familiar with. In this article we introduce OT-centric hardware-enforced remote access technology and look at how it compares with conventional software-based remote access security systems.<\/p>\n<h2><strong>\u201cSecure\u201d Remote Access<\/strong><\/h2>\n<p>Before we begin though, credit where credit is due: CISA and their partners did <em>not <\/em>name their guidance document \u201cSecure Remote Access.\u201d This is a big improvement over other guidance that has been issued in recent years, because of course <em>nothing is secure<\/em>. Security is not a binary yes\/no thing \u2013 like safety, security is a spectrum. We can always be more secure, or less secure, so the question \u201care you secure?\u201d is about as useful as \u201care you safe?\u201d.<\/p>\n<p>Beware anyone using \u201csecure\u201d as an adjective: \u201csecure\u201d communications, \u201csecure\u201d remote access, \u201csecure\u201d boot. Most such people are selling something or have just bought a bill of goods. 
So again, kudos to CISA and partners for getting this right.<\/p>\n<h2><strong>OT Remote Access<\/strong><\/h2>\n<p>The CISA et al. document lays out some serious problems with conventional VPN-based and even 2FA-based remote access systems, and recommends that owners and operators look at more modern alternatives. For the most consequential OT systems, the document recommends hardware-enforced network segmentation \u201cwhere cyber operations pose credible threats to public safety, national security, and critical functions.\u201d The document recommends three kinds of hardware-enforced remote access:<\/p>\n<ul>\n<li><a href=\"https:\/\/waterfall-security.com\/technology-and-products\/remote-access\/wf-rsv\/\">Unidirectional remote screen view<\/a>,<\/li>\n<li>Unidirectional systems with separate, independent channels for screen images and keystroke\/mouse movements, and<\/li>\n<li><a href=\"https:\/\/waterfall-security.com\/technology-and-products\/remote-access\/wf-sbp\/\">Time-limited hardware switches<\/a>.<\/li>\n<\/ul>\n<p>Technologies #1 and #3 have been around for a long time and are widely available from a variety of vendors. The more complicated-sounding #2 is newer.<\/p>\n<h2><strong>Independent Channels<\/strong><\/h2>\n<p>What does \u201cindependent channels\u201d mean for hardware-enforced remote access (HERA) to OT systems? This newer technology is designed to address the risks inherent in conventional software-enforced remote access mechanisms. For example: what happens if an attacker steals a password for a firewall and adds an \u201callow all\u201d rule? Or exploits a vulnerability in a VPN server, or jump host? 
Such attacks generally give the attacker the ability to use the compromised equipment to launch cyber-sabotage attacks on sensitive OT network targets.<\/p>\n<p>With the \u201cindependent channels\u201d approach, we see a remote access server at the protected OT site that consists of two full <a href=\"https:\/\/csrc.nist.gov\/glossary\/term\/unidirectional_gateway\">unidirectional gateways<\/a>. Each gateway has two CPUs in it, one on the Internet-facing side and one on the OT-facing side. And each gateway of course has the unidirectional hardware between those two CPUs, one sending screen images out of the OT network, and the other sending keystroke and mouse movements (KMM) into the OT network. The unusual part of this design is how the encryption and the hardware work together.<\/p>\n<h2><strong>Encrypted Mouse Movements<\/strong><\/h2>\n<p>To understand this cooperation, consider a HERA session. A remote user launches a HERA application on their desktop or laptop and chooses one of the configured OT destinations. The app runs only on computers equipped with Trusted Platform Module (TPM) hardware &#8211; this is hardware-enforced protection for encryption keys. The app uses the TPM to encrypt two (2) standard TLS connections to the HERA gateway at the protected OT site. One connection sends encrypted keystroke and mouse movement (KMM) information, and the other receives screen images. The remote user sees the image of a virtual machine (VM) or a jump host screen come up, and the user is challenged for a username and password. This constitutes two-factor authentication (2FA), with the encryption credentials stored in the laptop\u2019s TPM hardware being the second form of authentication.<\/p>\n<p>At this point, the user can move the mouse and type on the keyboard. The HERA app encrypts each keystroke and each mouse movement \u2013 this time using a different key in the TPM hardware. 
The app sends the encrypted KMM inside the encrypted TLS connection into the HERA gateway.<\/p>\n<p>The Internet-exposed CPU on the HERA gateway decrypts the TLS connection using its own TPM but does not have the keys to decrypt the encrypted KMM. So, the Internet-exposed CPU sends the encrypted KMM through the one-way hardware into the OT CPU in the HERA device. That hardware contains an ASIC that looks at every message passing into the OT-connected CPU and permits only HERA-encrypted messages to pass. The OT CPU receives the HERA-encrypted KMM data, decrypts it using its TPM keys, and then sends the decrypted KMM into the remote user\u2019s virtual session. The virtual mouse moves. Keystrokes are used by the VM, and new screen images are sent back to the user.<\/p>\n<h2><strong>How Secure Is This?<\/strong><\/h2>\n<p>What does this mean security-wise? Consider a worst-case attack. An attacker reaches across the Internet and uses a zero-day vulnerability or other exploit to compromise <em>both<\/em> Internet-facing CPUs in the HERA gateway. What is the worst that can happen? Well, the attacker can interrupt the flow of screen images and KMM. But \u2013 can the attacker send arbitrary attack messages into the OT network to propagate the attack further into the network? No. The outbound gateway hardware lets nothing back in, and the HERA inbound gateway hardware lets only HERA-encrypted KMM messages in. And if the attacker tries to forge keystrokes and mouse movements, it does not work, because the compromised CPU does not have the keys to encrypt and authenticate keystrokes. Those keys are on the protected OT-resident CPU.<\/p>\n<p>Contrast this with a firewall and software-based remote access solution. Exploit unpatched vulnerabilities in the firewall, VPN server or a complex remote access protocol server and we are in serious trouble. 
The attacker can reach through the compromised system software and send whatever messages they wish into the OT network to wreak havoc there. Yes, an attack on HERA\u2019s Internet-exposed CPUs can cause the remote access solution to become inoperative, but at most sites this is an inconvenience, not a serious incident. At most sites, remote access saves a little money by reducing travel costs \u2013 remote access is generally not required to assure minute-by-minute safe, correct or continuous operation of the industrial process.<\/p>\n<h2><strong>Bottom Line<\/strong><\/h2>\n<p>Fully interactive HERA is something new in the world. It is more secure than software-based solutions and unlike unidirectional remote screen view or time-limited bidirectional solutions, HERA requires no action by or support from personnel at the protected OT site to open or close sessions. This new kind of technology fills a gap between the high end of conventional software-based remote access, and the low end of conventional unidirectional hardware-enforced remote access &#8211; fully independent and interactive remote access, with stronger security than software-based systems.<\/p>\n<p>For more information on HERA, please connect on LinkedIn, or visit the Waterfall booth at the <a href=\"https:\/\/insightevents.dk\/isc-cph\/\">Industrial Security Conference Copenhagen<\/a> to chat \u2013 I will be there signing books.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>By Andrew Ginter, VP Industrial Security, Waterfall Security Solutions The recent CISA \/ FBI \/ CertNZ \/ CCCS Guidance Modern Approaches to Network Access Security talks about securing OT systems and mentions some newer technology that not all practitioners may be familiar with. 
In this article we introduce OT-centric hardware-enforced remote access technology and look [&hellip;]<\/p>\n","protected":false},"author":15,"featured_media":2613,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[3],"tags":[]}