Remote Access Security
Remote access to operational technology is essential for modern energy operations but introduces significant security risks. ISO 27019 provides specific guidance for securing remote connections to process control systems.
Remote Access Use Cases in Energy
Vendor Support
Equipment manufacturers providing remote maintenance:
- Troubleshooting control system issues
- Software and firmware updates
- Performance optimization
- Emergency support during outages
Remote Operations
Staff accessing systems from outside control rooms:
- On-call engineers responding to alarms
- Management oversight and reporting
- Mobile workforce at distributed sites
- Backup operations centers
Multi-Site Management
Centralized monitoring and control:
- Regional control centers overseeing multiple plants
- Corporate oversight of distributed assets
- Centralized engineering and configuration management
ISO 27019 Remote Access Requirements
Multi-Factor Authentication (MFA)
Mandatory for all remote OT access:
- Something you know: Password or PIN
- Something you have: Token, smart card, or mobile authenticator
- Something you are: Biometrics where appropriate
- No exceptions for privileged or vendor access
Encrypted Communications
All remote connections must be encrypted:
- VPN with strong encryption (AES-256)
- TLS 1.3 for web-based access
- SSH for command-line access
- No clear-text protocols (no Telnet or FTP)
Just-in-Time Access
Temporary access for specific purposes:
- Access enabled only when needed
- Automatic expiration after time window
- Approval required for each session
- Logging of all access grants
Remote Access Architecture
Jump Host/Bastion Design
Secure intermediary for all remote access:
Remote User → VPN → Jump Host → OT Systems
Benefits:
- Single point of access control
- Centralized monitoring and logging
- No direct connectivity to control systems
- Session recording and auditing
- Simplified security updates
Vendor Remote Access Architecture
Dedicated Vendor VPN
- Separate VPN infrastructure for vendors
- Different authentication requirements
- Limited network access (vendor-specific zones)
- Time-restricted connections
- Advance scheduling required
Vendor Access Controls:
- Pre-approved vendor list only
- Background checks for technicians
- Escort or monitoring during sessions
- Read-only access unless change authorized
- Automatic disconnection after inactivity
Security Controls
Device Posture Checking
Verify remote device security before access:
- Antivirus up-to-date
- Operating system patched
- Host firewall enabled
- Unauthorized software not present
- Company-managed devices preferred
IP Address Restrictions
Limit access to known locations:
- Whitelist specific IP ranges
- Block access from foreign countries (where not needed)
- Alert on access from unexpected locations
- Require additional approval for new source IPs
Time-Based Controls
Restrict access to specific windows:
- Access only during approved maintenance windows
- Automatic disconnection outside business hours
- Emergency access requires escalation
- Different rules for internal vs. external users
Session Monitoring
Continuous oversight of remote sessions:
- Real-time monitoring of critical system access
- Screen recording for audit and review
- Automated alerting on suspicious commands
- Ability to terminate sessions immediately
Vendor Management
Vendor Security Requirements
Contractual obligations for third parties:
- Security training for remote access users
- Incident reporting requirements
- Data handling and confidentiality
- Use of company-approved tools only
- Compliance with utility security policies
Vendor Access Process
- Pre-Approval: Vendor submits access request with justification
- Scheduling: Access window coordinated with operations
- Enablement: Account activated for specific time period
- Connection: Vendor authenticates with MFA
- Monitoring: Session monitored and recorded
- Completion: Access automatically disabled after window
- Review: Session logs reviewed for policy compliance
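The just-in-time and time-based controls above and the seven-step vendor access process can be expressed as one small workflow model. The following is an added illustration, not code from ISO 27019 or from any product; the class names, the ticket "T-1", the vendor "acme" and the 2-hour window are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed model of the just-in-time vendor access process (request with
# justification, separate approver, time-boxed enablement, automatic expiry,
# every decision logged). Class and field names are hypothetical.
@dataclass
class AccessRequest:
    vendor: str
    target_zone: str              # vendor-specific zone, never all of OT
    justification: str
    window_start: datetime
    window_end: datetime
    approved_by: str = ""         # empty until an approver signs off

@dataclass
class JitAccessBroker:
    audit_log: list = field(default_factory=list)
    requests: dict = field(default_factory=dict)

    def submit(self, ticket: str, req: AccessRequest) -> None:
        if not req.justification or req.window_end <= req.window_start:
            raise ValueError("request needs a justification and a valid window")
        self.requests[ticket] = req
        self.audit_log.append(f"SUBMIT {ticket} vendor={req.vendor} zone={req.target_zone}")
    def approve(self, ticket: str, approver: str) -> None:
        req = self.requests[ticket]
        if approver == req.vendor:   # the requester never approves their own access
            raise PermissionError("self-approval not allowed")
        req.approved_by = approver
        self.audit_log.append(f"APPROVE {ticket} by={approver}")
    def is_enabled(self, ticket: str, now: datetime, mfa_verified: bool) -> bool:
        req = self.requests.get(ticket)
        ok = (req is not None and bool(req.approved_by) and mfa_verified
              and req.window_start <= now < req.window_end)   # approved, MFA, in window
        self.audit_log.append(f"CHECK {ticket} at={now.isoformat()} enabled={ok}")
        return ok

def demo() -> dict:
    t0 = datetime(2024, 3, 12, 9, 0, tzinfo=timezone.utc)   # constructed 2-hour window
    t10 = t0 + timedelta(minutes=10)
    broker = JitAccessBroker()
    broker.submit("T-1", AccessRequest("acme", "plant-a-vendor-zone", "firmware update",
                                       t0, t0 + timedelta(hours=2)))
    unapproved = broker.is_enabled("T-1", t10, True)
    broker.approve("T-1", "ops-manager")
    return {"unapproved": unapproved, "in_window": broker.is_enabled("T-1", t10, True),
            "no_mfa": broker.is_enabled("T-1", t10, False),
            "expired": broker.is_enabled("T-1", t0 + timedelta(hours=3), True)}
```

Every grant decision lands in audit_log, which is the "Logging of all access grants" requirement; the window check is what makes the access expire without anyone having to remember to disable it.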
Monitoring and Logging
Comprehensive Logging
Record all remote access activity:
- Authentication attempts and results
- Connection times and duration
- Systems and devices accessed
- Commands executed and changes made
- Files transferred
- Disconnection events
Anomaly Detection
Alert on unusual remote access patterns:
- Access at unusual times
- Connections from new locations
- Multiple failed authentication attempts
- Access to unexpected systems
- Large data transfers
- Privileged command execution
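The anomaly patterns above, together with the IP restrictions and logging requirements from earlier sections, become concrete when run over log lines. The following is an added example and not part of the lesson; the key=value log format, the allow-lists, the thresholds and every sample line are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed detection rules over remote-access log lines in a hypothetical
# key=value format; the allow-lists, thresholds and sample lines are assumptions.
LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
                     r"event=(?P<event>\S+)(?: result=(?P<result>\S+))?"
                     r"(?: target=(?P<target>\S+))?(?: bytes=(?P<bytes>\d+))?")
ALLOWED_SRC = {"acme": {"203.0.113.5"}, "oncall": {"198.51.100.7"}}   # known vendor/staff IPs
ALLOWED_TARGETS = {"acme": {"plc-turbine-1"}, "oncall": {"hmi-1", "historian"}}
WINDOW_HOURS = range(8, 18)      # approved maintenance window, UTC
MAX_FAILED_AUTH = 3
LARGE_TRANSFER_BYTES = 50_000_000

def parse(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line}")
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec

def detect(lines: list) -> list:
    # Returns (rule, user, detail) tuples for every anomaly found in the batch.
    alerts, failures = [], Counter()
    for rec in map(parse, lines):
        user, src = rec["user"], rec["src"]
        if src not in ALLOWED_SRC.get(user, set()):
            alerts.append(("new_location", user, src))
        if rec["ts"].hour not in WINDOW_HOURS:
            alerts.append(("unusual_time", user, rec["ts"].isoformat()))
        if rec["event"] == "auth" and rec["result"] == "fail":
            failures[user] += 1
            if failures[user] == MAX_FAILED_AUTH:   # fire once, not on every further failure
                alerts.append(("failed_auth_burst", user, f"{failures[user]} failures"))
        if rec["target"] and rec["target"] not in ALLOWED_TARGETS.get(user, set()):
            alerts.append(("unexpected_system", user, rec["target"]))
        if rec["bytes"] and int(rec["bytes"]) >= LARGE_TRANSFER_BYTES:
            alerts.append(("large_transfer", user, rec["bytes"]))
    return alerts

SAMPLE_LOG = [   # constructed lines, not from any real system
    "2024-03-12T09:05:00Z user=acme src=203.0.113.5 event=auth result=ok",
    "2024-03-12T09:06:00Z user=acme src=203.0.113.5 event=connect target=plc-turbine-1",
    "2024-03-12T02:14:00Z user=acme src=192.0.2.9 event=auth result=fail",
    "2024-03-12T02:14:10Z user=acme src=192.0.2.9 event=auth result=fail",
    "2024-03-12T02:14:20Z user=acme src=192.0.2.9 event=auth result=fail",
    "2024-03-12T10:30:00Z user=oncall src=198.51.100.7 event=connect target=plc-turbine-1",
    "2024-03-12T10:40:00Z user=oncall src=198.51.100.7 event=transfer target=historian bytes=120000000",
]
```

The two benign lines produce nothing, while the 02:14 burst from an unlisted address trips three rules at once, which is the kind of stacked signal that should page an on-call analyst rather than wait for the morning review.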
Common Remote Access Risks
Risk: Compromised Vendor Credentials
Mitigation: Just-in-time access, session monitoring, limited network access, MFA required
Risk: Malware from Remote Device
Mitigation: Device posture checking, jump host architecture, application whitelisting on accessed systems
Risk: Insider Threat via Remote Access
Mitigation: Least privilege access, comprehensive logging, behavioral analytics, dual authorization for critical actions
Risk: Man-in-the-Middle Attacks
Mitigation: Strong encryption, certificate pinning, VPN with modern protocols
Remote Access Policy Elements
Key requirements to document:
- Approved use cases for remote access
- Authentication requirements (MFA mandatory)
- Authorized users and approval process
- Network architecture and access paths
- Monitoring and logging requirements
- Incident response for remote access issues
- Vendor-specific requirements
- Emergency access procedures
Alternatives to Remote Access
Consider safer options when possible:
- On-site vendor visits for non-urgent work
- Unidirectional data sharing for monitoring needs
- Removable media for configuration transfers
- Local proxy for vendor support (utility staff act as the vendor's hands on site)