OT remote access: can you trust your technician’s laptop?

Zero Trust Network Access (ZTNA) is a secure remote access service that verifies remote users and grants access only to specific resources at specific times based on identity and context policies. This is part 2 in our ZTNA blog series for operational environments. Read the first blog here.

Right now, somewhere in the world a robot arm needs a firmware upgrade, a wind turbine is stalled, and a highway message sign is displaying gibberish. If your business depends on operational technology (OT) or industrial control systems (ICS), you need to allow machine builders, maintenance contractors, or your own experts and technicians to remotely access equipment for configuration, troubleshooting, and updates.

Shrink the risk with ZTNA

In our last blog we gave a 10,000-foot view of Cisco Secure Equipment Access (SEA) and how it can help to secure remote access to your industrial network. Cisco SEA is a Zero Trust Network Access (ZTNA) solution controlling who can connect, which OT assets they can access, and when. It starts with a default deny posture and offers least-privilege access only once it trusts the user identity.

Clientless and agent-based ZTNA

In addition to restricting access to specific assets and schedules, Cisco SEA can also restrict the access method remote technicians can use to log into an OT asset. If they are using RDP, VNC, SSH, Telnet, or HTTP(S), they only need a web browser—no client software is needed. Cisco SEA proxies all remote access traffic, meaning that users never have direct IP access to the asset or the network. Completely isolating critical resources gives you unmatched security.

In some situations, you might need a full IP communication path between the remote user and an OT asset. Examples are if technicians are using a vendor-specific management software, modifying a PLC program using a native desktop application, or transferring files to and from an asset. To address these advanced use cases, Cisco SEA offers an agent-based ZTNA access method called SEA Plus.

SEA Plus installs a lightweight application on the remote user’s computer to create a secure end-to-end IP connection with the OT asset, enabling any TCP, UDP, and ICMP communications. However, unlike the network extension offered by a VPN solution, traffic always goes through the SEA trust broker, which enforces security policies such as which assets can be accessed, when, and which protocols and ports can be used.

Overall, SEA Plus provides native IP access to operational technology from remote computers, but without the need to design, deploy, and maintain a VPN infrastructure. It also strengthens and simplifies security with highly granular controls tightly restricting access to OT assets as required by the ZTNA least-privilege principle.

Take ZTNA to the next level with automated security-posture checks

Control over the who, what, how, and when of remote access is a giant step toward robust protection of your industrial network and critical infrastructure. But when using SEA Plus, you are granting full IP access to an asset. How can you be sure the user’s computer will not expose the asset to malware or malicious traffic? To gain full trust, you need to verify the device the technician is using to log in.

Good news: Cisco SEA and Cisco Duo work together to automatically check device health before granting access to an asset. When a remote user tries to establish a session using the SEA Plus access method, Duo verifies that the user’s computer complies with your security policies—for example, operating system version and patch level, firewall status, use of antivirus software, and more. If a device does not meet your requirements, the technician cannot gain access.

Stronger security with less effort

Summing up: As a hybrid-cloud solution, Cisco SEA avoids the costs and complexity to maintain secure remote access capabilities at scale across your industrial network and critical infrastructure. As a ZTNA solution, it lets you take control back by enforcing least-privilege security policies based on identity and context. And with the integration between SEA and Duo, you can also check the security posture of remote computers—another key aspect of zero trust.

Check back soon for our next ZTNA blog, to learn how Cisco Secure Equipment Access can help you monitor remote access sessions for regulatory compliance, investigating incidents, or training purposes.

In the meantime, make sure you subscribe to our OT Security newsletter, learn more about Cisco Secure Equipment Access (SEA), and have a look at our Cisco Validated Design Guide for assistance on how to implement ZTNA in your operational environment.


Latest articles


Related articles

Leave a reply

Please enter your comment!
Please enter your name here