Securing Remote Access

Security assessments of plant networks and audits of production equipment reveal that manufacturers are using a wide range of methods to support remote access to their equipment.

With few exceptions, these methods create unacceptable security risks, and many manufacturers will have to decommission their remote access capability while they look for more secure solutions. Because remote diagnostic access can be critical, finding acceptable methods may soon become a priority issue.

There is still a lack of generally accepted strategies for securely managing remote access in most industries. Companies are therefore assembling their own, typically limited, solutions from common network security components. The semiconductor industry is an exception to this rule. Its industry groups and software suppliers have been addressing this problem for several years and have developed e-Diagnostic Guidance, which provides a comprehensive base of concepts and approaches. Other industries might benefit from these efforts as they develop their own guidance and solutions. Ideally, some cross-industry approaches will also emerge.

While security is critical, manufacturers must still support remote access for external service specialists in many situations: when equipment is complex, redundancy is impractical, product is very expensive, the cost of downtime is high, and local maintenance and spares are not available. Many manufacturers are also considering the use of outsourced maintenance to reduce their operating costs.

The business case for remote diagnostics is clear and compelling. The challenge is to find a way to support the required level of remote access in a secure manner.

Beyond the basics

More sophisticated attacks and diverse attack methods (vectors) are rendering many traditional remote access methods ineffective. Manufacturers must therefore reconsider what they need to ensure security. Individual modems, remote desktop control software, temporary elevation of operations network access rights, and close monitoring of access to firewall ports and phone lines should all be candidates for reevaluation.

Replacement strategies for traditional remote access methods should take a comprehensive view of remote equipment service processes, beyond basic communications. They should exploit standards wherever possible and should consider issues such as consistent security management, control over remote service capabilities, control over access times, and flexibility to incorporate new security technologies that may be developed to address future threats.

High-value product, complex processes, and large equipment investments characterize the semiconductor industry. Fast response to equipment problems is critical, and investments in remote support capabilities have been justifiable. Manufacturers in this industry worked together through the e-Diagnostic program of the International SEMATECH Manufacturing Initiative (ISMI) to develop advanced guidance and solutions. (ISMI is a global semiconductor industry alliance that is a wholly owned subsidiary of SEMATECH, an Austin, Texas-based industry-government consortium that takes its name from SEmiconductor MAnufacturing TECHnology.) While the guidance is oriented toward the needs and language of the semiconductor industry, the concepts may provide a useful starting point for other industries.

As security assessments and reviews shut down many of today’s remote support methods, the need will arise for guidance and solutions that limit escalation of support costs across a broad range of industries and equipment types. Non-semiconductor industry groups should consider the approach in the ISMI e-Diagnostic Guidelines and advocate the development of guidance that can be cost-effectively applied to multiple industries. Equipment suppliers should partner with third-party e-Diagnostic software suppliers for solutions and toolkits to enable more consistency, interoperability, and advanced support in manufacturing sites.

The ISMI e-Diagnostic Guidelines are available for download at http://ismi.sematech.org/emanufacturing/ediag.

Robert Mick, bmick@arcweb.com, is Vice President of Emerging Technology at ARC Advisory Group, Dedham, Mass.
