選擇和實(shí)施遠(yuǎn)程訪問解決方案時(shí)的五大建議(中英文)
遠(yuǎn)程訪問機(jī)器為制造業(yè)帶來了明顯的優(yōu)勢(shì)。根據(jù) ARC 的說法,63% 的機(jī)器維護(hù)工作是為了例行檢查,或者他們發(fā)現(xiàn)根本沒有問題。此外,其中 30% 或更多的維修可以通過在網(wǎng)絡(luò)上修改參數(shù)或在現(xiàn)場人員的輕微協(xié)助下遠(yuǎn)程進(jìn)行??紤]到計(jì)劃外停機(jī)可能造成高達(dá) 50 萬歐元/小時(shí)的損失,遠(yuǎn)程訪問為原始設(shè)備制造商和資產(chǎn)所有者帶來了巨大的節(jié)省。
Remote access to machines brings clear advantages for manufacturing. According to ARC, 63% of the maintenance work on a machine is either for a routine check, or they discover that there is simply no problem. Furthermore, 30% or more of these repairs can be made remotely by modifying parameters over the Internet or with minor assistance by an onsite person. Considering that unplanned downtime can cost up to 500k € / hr, remote access brings huge savings to OEMs and asset owners.
工業(yè)控制系統(tǒng)的網(wǎng)絡(luò)安全
/Cybersecurity for Industrial Control Systems
與信息技術(shù) (IT) 系統(tǒng)相比,工業(yè)控制系統(tǒng) (ICS) 的工作方式存在重要差異。
ICS 的設(shè)計(jì)目的是為了高效地進(jìn)行高速數(shù)據(jù)傳輸和確定性過程,但不是為了安全。對(duì)于ICS,可用性至關(guān)重要。與 IT 系統(tǒng)相比,IT 系統(tǒng)將安全性和機(jī)密性放在首位,較少關(guān)注確定性。此外,雖然 IT 風(fēng)險(xiǎn)分析會(huì)考慮對(duì)可能的數(shù)據(jù)丟失或業(yè)務(wù)運(yùn)營失敗的影響,但工業(yè)控制系統(tǒng)首先考慮生命、設(shè)備或產(chǎn)品損失的風(fēng)險(xiǎn)。
以下是建議最終用戶在選擇和實(shí)施穩(wěn)健、可擴(kuò)展且安全的遠(yuǎn)程訪問解決方案時(shí)應(yīng)執(zhí)行的建議。
There are important differences between how Industrial Control Systems (ICS) work compared to Information Technology (IT) systems.
ICS’s have been designed to be efficient for high speed data transmission and for deterministic processes, but not for security. Availability is of utmost importance when it comes to ICS’s. Contrast that to IT systems, which prioritize security and confidentiality above all else, with less of a focus on determinism. Furthermore, while a Risk Analysis for IT would consider the impact on possible data loss or business operations failure, Industrial Control Systems consider first the risk of life, equipment, or product loss.
Below are our recommendations that end users and asset owners should enforce when selecting and implementing a robust, scalable, and secure remote access solution.
1. 加強(qiáng)身份認(rèn)證控制
/Enforce Identification and authentication control
為每個(gè)用戶提供唯一的標(biāo)識(shí)和認(rèn)證
每個(gè)用戶都必須具有唯一的標(biāo)識(shí)和身份驗(yàn)證。如果需要撤銷用戶的訪問權(quán)限(例如,因?yàn)殡x開公司),應(yīng)該可以直接在帳戶上進(jìn)行。
PROVIDE A UNIQUE IDENTIFICATION AND AUTHENTICATION PER USER
Every user must have a unique identification and authentication. In case the access of a user needs to be revoked (for instance, because of leaving the company), it should be possible to do it directly on the account.
首次配置設(shè)備時(shí)修改默認(rèn)密碼
默認(rèn)密碼是工業(yè)自動(dòng)化社區(qū)眾所周知的,它們可以很容易地在互聯(lián)網(wǎng)或任何說明手冊(cè)中找到。首次配置時(shí)不要忘記更改設(shè)備/應(yīng)用程序的密碼。
CHANGE THE DEFAULT PASSWORD WHEN CONFIGURING THE DEVICE FOR THE FIRST TIME
Default passwords are well-known by the industrial automation community, they can be easily found in internet or any instructions manual. Don’t forget to change the password of the device/application when configuring it for the first time.
盡可能使用多重身份驗(yàn)證
多因素身份驗(yàn)證應(yīng)被視為遠(yuǎn)程訪問工業(yè)機(jī)器的最佳實(shí)踐之一,因?yàn)樗峁┝祟~外的安全層。
USE MULTI-FACTOR AUTHENTICATION WHENEVER POSSIBLE
Multi-factor authentication should be considered among the best practices in remote access to industrial machines as it provides an added layer of security.
2. 允許訪問控制和連接管理
/Allow for Access Controls and Connection Management
定義每個(gè)個(gè)人用戶的不同權(quán)利
在服務(wù)器級(jí)別對(duì)訪問機(jī)器的權(quán)限進(jìn)行集中管理,為用戶權(quán)限管理提供了額外的安全層。每個(gè)用戶都必須屬于一個(gè)組,該組已分配角色(權(quán)限)才能訪問每個(gè)路由器或路由器組。
系統(tǒng)應(yīng)提供支持授權(quán)用戶管理所有帳戶的能力,包括添加、激活、修改、禁用和刪除帳戶。
DEFINE DIFFERENT RIGHTS PER INDIVIDUAL USER
A centralized management of the rights to access the machines at server level offers an additional security-layer to the user permission management. Every user must belong to a group who has assigned roles (permissions) to access every of the routers or groups of them.
The system shall provide the capability to support the management of all accounts by authorized users, including adding, activating, modifying, disabling and removing accounts.
必須能夠?qū)徍诉B接和更改
系統(tǒng)必須能夠記錄有關(guān)訪問控制、錯(cuò)誤、操作系統(tǒng)、控制系統(tǒng)、備份和恢復(fù)、配置更改、潛在偵察活動(dòng)和審計(jì)日志的事件。單項(xiàng)審計(jì)記錄應(yīng)包括時(shí)間戳、來源、類別、類型、事件ID和事件結(jié)果。
THE CONNECTIONS AND CHANGES MUST BE ABLE TO BE AUDITED
The system must be capable of logging events on access control, errors, operating system, control system, backup and restore, configuration changes, potential reconnaissance activity and audit log. Individual audit records should include the timestamp, source, category, type, event ID and event result.
遠(yuǎn)程會(huì)話許可/終止
供應(yīng)商通常出于兩個(gè)原因需要遠(yuǎn)程訪問:緊急操作支持和系統(tǒng)維護(hù)。通??梢园才畔到y(tǒng)維護(hù),并且可以建立和監(jiān)控遠(yuǎn)程訪問連接的協(xié)議。
因此,為了提供額外的安全和控制,VPN或互聯(lián)網(wǎng)訪問應(yīng)該通過機(jī)械信號(hào)(例如鑰匙開關(guān))啟用/禁用。這允許用戶在需要之前禁用供應(yīng)商遠(yuǎn)程連接。任務(wù)完成后,資產(chǎn)所有者可以再次禁用供應(yīng)商遠(yuǎn)程連接。
REMOTE SESSION PERMISSION / TERMINATION
Vendors will usually require remote access for two reasons: emergency operational support and system maintenance. System maintenance can normally be scheduled and protocols for remote access connections can be established and monitored.
Therefore, to provide additional security and control, the VPN and/or internet access should be enabled/disabled via a mechanical signal, such as a key switch. This allows the asset owner to disable vendor remote connectivity until it’s required. Once the tasks is completed, the asset owner can disable the vendor remote connectivity once again.
3. 所有連接都應(yīng)該保密和加密
/All connections should be confidential and encrypted
VPN 支持是一種最佳做法
通過網(wǎng)絡(luò)連接的遠(yuǎn)程支持人員應(yīng)使用加密協(xié)議,例如運(yùn)行 VPN 連接客戶端、應(yīng)用程序服務(wù)器或安全 HTTP 訪問,并使用強(qiáng)大的機(jī)制進(jìn)行身份驗(yàn)證,例如基于令牌的多因素身份驗(yàn)證方案。
VPN SUPPORT IS A BEST PRACTICE
Remote support personnel connecting over the Internet should use an encrypted protocol, such as running a VPN connection client, application server, or secure HTTP access, and authenticate using a strong mechanism, such as a token based multi-factor authentication scheme.
4. 在您的設(shè)施內(nèi)設(shè)計(jì)合適的遠(yuǎn)程訪問架構(gòu)
/Design a proper remote access architecture inside your facility
機(jī)器供應(yīng)商應(yīng)該只能訪問他們的機(jī)器,而不能訪問工廠網(wǎng)絡(luò)
機(jī)器供應(yīng)商應(yīng)該只接觸他負(fù)責(zé)支持和維護(hù)工廠的機(jī)器。因此,系統(tǒng)必須是可配置的,以將機(jī)器網(wǎng)段或區(qū)域與網(wǎng)絡(luò)的其余部分隔離開來。
MACHINE VENDORS SHOULD HAVE ACCESS TO ONLY THEIR MACHINE, NOT TO THE PLANT NETWORK
Machine vendor should only reach the machines under his responsibility for support and maintenance in the plant. So, the system must be configurable to segregate the machine network segment or zone from the rest of the network.
避免使用控制設(shè)備(HMI、PC、PLC……)作為遠(yuǎn)程連接的 VPN 主機(jī)
使用作為機(jī)器控制一部分的任何設(shè)備(例如 PC、HMI 或 PLC)作為 VPN 主機(jī)可能會(huì)減少其資源,從而降低其主要任務(wù)(即控制本身)的性能。為了確??刂葡到y(tǒng)的可用性,它還必須提供在 DoS 事件期間以降級(jí)模式運(yùn)行的能力。因此,外部路由器將作為邊界保護(hù)設(shè)備來過濾某些類型的數(shù)據(jù)包,以保護(hù)控制系統(tǒng)免受 DoS 事件的直接影響,從而避免任何外部攻擊直接影響控制系統(tǒng)并停止機(jī)器。
AVOID USING A CONTROL DEVICE (HMI, PC, PLC…) AS A VPN HOST FOR REMOTE CONNECTIVITY
Using any equipment that is a part of the machine control (such as a PC, HMI or a PLC) as a VPN host might reduce its resources and thus its performance for its main task, which is the control itself. In order to ensure the availability of the control system, it has also to provide the capability to operate in a degraded mode during a DoS event. Therefore, an external router will act as a boundary protection device to filter certain types of packets to protect control systems from being directly affected by DoS events, thus avoiding any external attack to affect directly the control system and stopping the machine.
僅允許從受信任區(qū)域到不受信任區(qū)域的傳出連接
不應(yīng)打開或向網(wǎng)絡(luò)公開任何入站防火墻端口,并且不應(yīng)要求靜態(tài)網(wǎng)絡(luò) IP 地址。
工業(yè)路由器應(yīng)與云端特定賬戶發(fā)起出站安全VPN隧道點(diǎn)對(duì)點(diǎn)連接。此隧道使用 HTTPs 進(jìn)行身份驗(yàn)證和加密,并通過公司網(wǎng)絡(luò)和防火墻(僅限出站)。
ALLOW ONLY OUTGOING CONNECTIONS FROM TRUSTED TO UNTRUSTED ZONES
No inbound firewall ports should be opened or exposed to the Internet and no static Internet IP addresses should be required.
The industrial router should initiate an outbound secure VPN tunnel point-to-point connection with a specific account in the cloud. This tunnel is authenticated and encrypted with HTTPs, and goes over the corporate network and through the firewall (outbound only).
5. 著眼于未來,選擇可維護(hù)的解決方案
/Choose a maintainable solution with a view to the future
保持最新的固件版本和安全補(bǔ)丁更新
根據(jù)設(shè)備制造商的建議。此外,可以通過 ICS-CERT(工業(yè)控制系統(tǒng)網(wǎng)絡(luò)緊急事件)通知在工業(yè)自動(dòng)化設(shè)備中發(fā)現(xiàn)的漏洞,并收到所需補(bǔ)丁的建議。
遠(yuǎn)程訪問解決方案(路由器和云服務(wù))中包含的系統(tǒng)并不總是至關(guān)重要的,而且大多數(shù)時(shí)候都是斷開連接的。因此,除了制造商推薦的政策外,沒有必要遵循特定的系統(tǒng)升級(jí)政策。資產(chǎn)所有者應(yīng)該規(guī)范和維護(hù)如何以及何時(shí)接收最新的安全補(bǔ)丁。
STAY UP TO DATE WITH THE LATEST FIRMWARE VERSION AND SECURITY PATCH UPDATES
In accordance to the device’s manufacturer recommendations. Moreover, you can be notified by the ICS-CERT (Industrial Control Systems Cyber Emergency) about vulnerabilities found in industrial automation equipment and receive recommendations of required patching as well.
The systems included in a remote access solution (router and cloud services) are not always critical and are most of the time are disconnected. Therefore, it is not necessary to follow specific policies for the upgrade of the system other than those recommended by the manufacturer. The asset owner should standardize and maintain how and when to receive the latest security patch.
遠(yuǎn)程訪問服務(wù)的高可用性
每當(dāng)緊急操作支持需要遠(yuǎn)程訪問支持時(shí),遠(yuǎn)程服務(wù)對(duì)于機(jī)器的可用性就變得至關(guān)重要。因此,訪問的服務(wù)提供商必須通過 SLA(服務(wù)水平協(xié)議)保證云服務(wù)的高可用性服務(wù),并且該 SLA 必須通過多個(gè)操作和控制目標(biāo)來加強(qiáng)。
HIGH AVAILABILITY OF THE REMOTE ACCESS SERVICE
Whenever remote access support is needed for emergency operational support, remote service becomes critical for the availability of the machine. Thus, the service provider of the access must guarantee a high availability service of the cloud service with an SLA (Service Level Agreement) and this SLA must be reinforced by several actions and control objectives.
這些只是對(duì)所有希望遠(yuǎn)程連接解決方案標(biāo)準(zhǔn)化的公司的一些建議。
These are just some of our recommendations for all companies looking to standardize on a remote connectivity solution.
聲明:
- 文章轉(zhuǎn)載自網(wǎng)絡(luò),由愛澤工業(yè)翻譯,如有侵權(quán),請(qǐng)聯(lián)系刪除!
- 如有偏頗,歡迎指正!