Five Recommendations When Selecting and Implementing a Remote Access Solution
Remote access to machines brings clear advantages for manufacturing. According to ARC, 63% of the maintenance work on a machine is either a routine check, or ends with the discovery that there is simply no problem. Furthermore, 30% or more of these repairs can be made remotely by modifying parameters over the Internet or with minor assistance from an onsite person. Considering that unplanned downtime can cost up to 500k € / hr, remote access brings huge savings to OEMs and asset owners.
Cybersecurity for Industrial Control Systems
There are important differences between how Industrial Control Systems (ICSs) work compared to Information Technology (IT) systems.
ICSs have been designed to be efficient for high-speed data transmission and for deterministic processes, but not for security. Availability is of utmost importance when it comes to ICSs. Contrast that with IT systems, which prioritize security and confidentiality above all else, with less of a focus on determinism. Furthermore, while a risk analysis for IT would consider the impact of possible data loss or business operations failure, Industrial Control Systems consider first the risk of loss of life, equipment, or product.
Below are our recommendations that end users and asset owners should enforce when selecting and implementing a robust, scalable, and secure remote access solution.
1. Enforce identification and authentication control
PROVIDE A UNIQUE IDENTIFICATION AND AUTHENTICATION PER USER
Every user must have a unique identification and authentication. In case a user's access needs to be revoked (for instance, because they leave the company), it should be possible to do so directly on that account.
CHANGE THE DEFAULT PASSWORD WHEN CONFIGURING THE DEVICE FOR THE FIRST TIME
Default passwords are well known in the industrial automation community; they can easily be found on the Internet or in any instruction manual. Don't forget to change the password of the device/application when configuring it for the first time.
USE MULTI-FACTOR AUTHENTICATION WHENEVER POSSIBLE
Multi-factor authentication should be considered among the best practices in remote access to industrial machines, as it provides an added layer of security.
2. Allow for access controls and connection management
DEFINE DIFFERENT RIGHTS PER INDIVIDUAL USER
Centralized management, at server level, of the rights to access the machines offers an additional security layer on top of user permission management. Every user must belong to a group, and the group is assigned roles (permissions) to access each router or group of routers.
The system shall provide the capability to support the management of all accounts by authorized users, including adding, activating, modifying, disabling and removing accounts.
THE CONNECTIONS AND CHANGES MUST BE ABLE TO BE AUDITED
The system must be capable of logging events on access control, errors, the operating system, the control system, backup and restore, configuration changes, potential reconnaissance activity and the audit log itself. Individual audit records should include the timestamp, source, category, type, event ID and event result.
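The group/role model from "Define different rights per individual user", per-account revocation from recommendation 1, and the audit record fields listed above, combined in one added example (written for this page, not code from the article or any vendor product). Router names, user IDs and event IDs are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed inventory: routers are collected in router groups, and each user
# group holds roles (permissions) on router groups, as the recommendation describes.
ROUTER_GROUPS = {"press-line": {"rtr-press-01", "rtr-press-02"}, "packaging": {"rtr-pack-01"}}
GROUP_ROLES = {  # user group -> router group -> roles that group may exercise
    "vendor-press": {"press-line": {"connect", "view"}},
    "plant-maint": {"press-line": {"connect", "configure"}, "packaging": {"connect", "configure"}},
}

@dataclass
class Account:
    user_id: str   # unique per person, so revocation acts on this record alone
    group: str
    enabled: bool = True

ACCOUNTS = {"j.doe": Account("j.doe", "vendor-press"), "m.roe": Account("m.roe", "plant-maint")}
AUDIT_LOG = []  # every decision below appends one record here

def audit(source, category, etype, event_id, result):
    # One audit record carrying exactly the fields the recommendation lists.
    rec = {"timestamp": datetime.now(timezone.utc).isoformat(), "source": source,
           "category": category, "type": etype, "event_id": event_id, "result": result}
    AUDIT_LOG.append(rec)
    return rec

def disable_account(user_id, actor="admin"):
    # Revocation touches only the individual account, never a shared credential.
    ACCOUNTS[user_id].enabled = False
    audit(actor, "account", "disable", 1002, f"success:{user_id}")

def authorize(user_id, router, role):
    """Return True if user_id may exercise role on router; the decision is always audited."""
    acct = ACCOUNTS.get(user_id)
    if acct is None or not acct.enabled:          # unknown or revoked account: deny first
        audit(user_id, "access-control", role, 2001, "denied:account")
        return False
    for rgroup, routers in ROUTER_GROUPS.items():
        if router in routers:
            allowed = GROUP_ROLES.get(acct.group, {}).get(rgroup, set())
            ok = role in allowed
            audit(user_id, "access-control", role, 2000 if ok else 2001,
                  "success" if ok else "denied:role")
            return ok
    audit(user_id, "access-control", role, 2002, "denied:unknown-router")
    return False
```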
REMOTE SESSION PERMISSION / TERMINATION
Vendors will usually require remote access for two reasons: emergency operational support and system maintenance. System maintenance can normally be scheduled, and protocols for remote access connections can be established and monitored.
Therefore, to provide additional security and control, the VPN and/or Internet access should be enabled/disabled via a mechanical signal, such as a key switch. This allows the asset owner to disable vendor remote connectivity until it is required. Once the task is completed, the asset owner can disable the vendor remote connectivity once again.
3. All connections should be confidential and encrypted
VPN SUPPORT IS A BEST PRACTICE
Remote support personnel connecting over the Internet should use an encrypted protocol, such as a VPN connection client, an application server, or secure HTTP access, and should authenticate using a strong mechanism, such as a token-based multi-factor authentication scheme.
4. Design a proper remote access architecture inside your facility
MACHINE VENDORS SHOULD HAVE ACCESS TO ONLY THEIR MACHINE, NOT TO THE PLANT NETWORK
A machine vendor should only be able to reach the machines in the plant that are under their responsibility for support and maintenance. So, the system must be configurable to segregate the machine network segment or zone from the rest of the network.
AVOID USING A CONTROL DEVICE (HMI, PC, PLC…) AS A VPN HOST FOR REMOTE CONNECTIVITY
Using any equipment that is part of the machine control (such as a PC, HMI or PLC) as a VPN host might consume its resources and thus degrade its performance for its main task, which is the control itself. In order to ensure the availability of the control system, it also has to provide the capability to operate in a degraded mode during a DoS event. Therefore, an external router should act as a boundary protection device that filters certain types of packets, protecting the control system from being directly affected by DoS events and so preventing an external attack from reaching the control system directly and stopping the machine.
ALLOW ONLY OUTGOING CONNECTIONS FROM TRUSTED TO UNTRUSTED ZONES
No inbound firewall ports should be opened or exposed to the Internet, and no static Internet IP addresses should be required.
The industrial router should initiate an outbound, point-to-point secure VPN tunnel to a specific account in the cloud. This tunnel is authenticated and encrypted over HTTPS, and it traverses the corporate network and the firewall in the outbound direction only.
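A way for an asset owner to verify the "outbound only" property on the plant edge firewall, as an added example that is not part of the original article: a small checker that reads an iptables-save style ruleset and reports any rule that opens an inbound port on the Internet-facing interface, forwards traffic from the Internet into the machine segment, or lets the machine segment out on anything other than the HTTPS tunnel port. The ruleset and the interface names (eth0 toward the Internet, eth1 toward the machine segment) are constructed assumptions.

```python
import re

# Constructed ruleset with two deliberate violations (SSH open from the Internet,
# and Modbus/TCP forwarded from the Internet into the machine segment).
RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp --dport 443 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp --dport 502 -j ACCEPT
COMMIT
"""

WAN_IF = "eth0"      # assumed Internet-facing interface
MACHINE_IF = "eth1"  # assumed interface toward the segregated machine segment

def _iface(flag, line):
    m = re.search(rf"{flag} (\S+)", line)
    return m.group(1) if m else None

def audit_ruleset(text, wan_if=WAN_IF, machine_if=MACHINE_IF):
    """Return a list of findings; an empty list means the ruleset is outbound-only."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("-A") or " -j ACCEPT" not in line:
            continue                      # only ACCEPT rules can open a path
        chain = line.split()[1]
        in_if, out_if = _iface("-i", line), _iface("-o", line)
        stateful = "ESTABLISHED" in line  # replies to outbound sessions are expected
        if chain == "INPUT" and in_if == wan_if and not stateful:
            findings.append(f"inbound port opened on {wan_if}: {line}")
        if chain == "FORWARD" and in_if == wan_if and out_if == machine_if and not stateful:
            findings.append(f"Internet forwarded into machine segment: {line}")
        if chain == "FORWARD" and in_if == machine_if and "--dport 443" not in line:
            findings.append(f"machine segment egress not limited to the HTTPS tunnel: {line}")
    return findings

if __name__ == "__main__":
    for f in audit_ruleset(RULESET):
        print("VIOLATION:", f)
```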
5. Choose a maintainable solution with a view to the future
STAY UP TO DATE WITH THE LATEST FIRMWARE VERSION AND SECURITY PATCH UPDATES
Follow the device manufacturer's recommendations. Moreover, ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) can notify you about vulnerabilities found in industrial automation equipment and provide recommendations on the required patching as well.
The systems included in a remote access solution (router and cloud services) are not always critical and are disconnected most of the time. Therefore, it is not necessary to follow specific policies for upgrading the system other than those recommended by the manufacturer. The asset owner should standardize and maintain how and when to receive the latest security patches.
HIGH AVAILABILITY OF THE REMOTE ACCESS SERVICE
Whenever remote access is needed for emergency operational support, the remote service becomes critical for the availability of the machine. Thus, the provider of the access service must guarantee high availability of the cloud service with an SLA (Service Level Agreement), and this SLA must be reinforced by several actions and control objectives.
These are just some of our recommendations for all companies looking to standardize on a remote connectivity solution.
Statement:
- This article is reproduced from the web and was translated by 愛澤工業; if it infringes any rights, please contact us for removal!
- If anything is inaccurate, corrections are welcome!