Five Recommendations for Selecting and Implementing a Remote Access Solution
Remote access to machines brings clear advantages for manufacturing. According to ARC, 63% of the maintenance work on a machine is either for a routine check, or the technician discovers that there is simply no problem. Furthermore, 30% or more of these repairs can be made remotely, by modifying parameters over the Internet or with minor assistance from an onsite person. Considering that unplanned downtime can cost up to 500k €/hr, remote access brings huge savings to OEMs and asset owners.
Cybersecurity for Industrial Control Systems
There are important differences between how Industrial Control Systems (ICS) work compared to Information Technology (IT) systems.
ICSs have been designed to be efficient for high-speed data transmission and for deterministic processes, but not for security. Availability is of utmost importance when it comes to ICSs. Contrast that with IT systems, which prioritize security and confidentiality above all else, with less of a focus on determinism. Furthermore, while a risk analysis for IT would consider the impact of possible data loss or business operations failure, Industrial Control Systems consider first the risk of loss of life, equipment, or product.
Below are our recommendations that end users and asset owners should enforce when selecting and implementing a robust, scalable, and secure remote access solution.
1. Enforce identification and authentication control
PROVIDE A UNIQUE IDENTIFICATION AND AUTHENTICATION PER USER
Every user must have a unique identification and authentication. In case the access of a user needs to be revoked (for instance, because they leave the company), it should be possible to do so directly on the account, rather than by changing a shared credential.
CHANGE THE DEFAULT PASSWORD WHEN CONFIGURING THE DEVICE FOR THE FIRST TIME
Default passwords are well known in the industrial automation community; they can easily be found on the Internet or in any instruction manual. Don't forget to change the password of the device/application when configuring it for the first time.
USE MULTI-FACTOR AUTHENTICATION WHENEVER POSSIBLE
Multi-factor authentication should be considered among the best practices for remote access to industrial machines, as it provides an added layer of security.
2. Allow for access controls and connection management
DEFINE DIFFERENT RIGHTS PER INDIVIDUAL USER
Centralized management, at server level, of the rights to access the machines offers an additional security layer for user permission management. Every user must belong to a group, and the group is assigned roles (permissions) to access each router or group of routers.
The system shall provide the capability to support the management of all accounts by authorized users, including adding, activating, modifying, disabling and removing accounts.
THE CONNECTIONS AND CHANGES MUST BE ABLE TO BE AUDITED
The system must be capable of logging events on access control, errors, the operating system, the control system, backup and restore, configuration changes, potential reconnaissance activity and the audit log itself. Individual audit records should include the timestamp, source, category, type, event ID and event result.
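The following is an added example (not code from the article or from any vendor product) that models the two recommendations above together: users with unique accounts belong to groups, groups are granted routers or router groups, revocation happens on the account, and every access decision produces an audit record with the fields the article lists. All names and identifiers are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class User:
    username: str               # unique identification per user
    group: str                  # every user belongs to exactly one group
    enabled: bool = True        # revocation is done on the account itself
    mfa_enrolled: bool = False  # whether a second factor is required

@dataclass
class AccessServer:
    """Constructed model of a central remote-access server (hypothetical)."""
    users: dict = field(default_factory=dict)          # username -> User
    grants: dict = field(default_factory=dict)         # group -> {router or router-group}
    router_groups: dict = field(default_factory=dict)  # router-group name -> {router ids}
    audit_log: list = field(default_factory=list)
    next_event_id: int = 1

    def disable(self, username):
        """Revoke access by disabling the account; no shared secret changes."""
        self.users[username].enabled = False

    def _record(self, source, event_type, result):
        rec = {"timestamp": datetime.now(timezone.utc).isoformat(),
               "source": source, "category": "access_control",
               "type": event_type, "event_id": self.next_event_id, "result": result}
        self.next_event_id += 1
        self.audit_log.append(rec)
        return rec

    def reachable_routers(self, group):
        """Expand router-group grants into the concrete set of routers."""
        routers = set()
        for target in self.grants.get(group, ()):
            routers |= self.router_groups.get(target, {target})
        return routers

    def authorize(self, username, router, mfa_passed):
        """Decide one connection request and write one audit record for it."""
        user = self.users.get(username)
        event = "connect:" + router
        if user is None or not user.enabled:
            self._record(username, event, "denied:unknown_or_disabled")
            return False
        if user.mfa_enrolled and not mfa_passed:
            self._record(username, event, "denied:mfa_required")
            return False
        if router not in self.reachable_routers(user.group):
            self._record(username, event, "denied:not_granted")
            return False
        self._record(username, event, "allowed")
        return True
```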
REMOTE SESSION PERMISSION / TERMINATION
Vendors will usually require remote access for two reasons: emergency operational support and system maintenance. System maintenance can normally be scheduled, and protocols for remote access connections can be established and monitored.
Therefore, to provide additional security and control, the VPN and/or Internet access should be enabled/disabled via a mechanical signal, such as a key switch. This allows the asset owner to keep vendor remote connectivity disabled until it is required. Once the task is completed, the asset owner can disable the vendor remote connectivity once again.
3. All connections should be confidential and encrypted
VPN SUPPORT IS A BEST PRACTICE
Remote support personnel connecting over the Internet should use an encrypted protocol, such as a VPN connection client, an application server, or secure HTTP access, and authenticate using a strong mechanism, such as a token-based multi-factor authentication scheme.
4. Design a proper remote access architecture inside your facility
MACHINE VENDORS SHOULD HAVE ACCESS TO ONLY THEIR MACHINE, NOT TO THE PLANT NETWORK
A machine vendor should only reach the machines under their responsibility for support and maintenance in the plant. So the system must be configurable to segregate the machine network segment or zone from the rest of the network.
AVOID USING A CONTROL DEVICE (HMI, PC, PLC…) AS A VPN HOST FOR REMOTE CONNECTIVITY
Using any equipment that is part of the machine control (such as a PC, HMI or PLC) as a VPN host might consume its resources and thus reduce its performance for its main task, which is the control itself. In order to ensure the availability of the control system, it also has to provide the capability to operate in a degraded mode during a DoS event. Therefore, an external router should act as a boundary protection device that filters certain types of packets, protecting the control system from being directly affected by DoS events and preventing an external attack from directly affecting the control system and stopping the machine.
ALLOW ONLY OUTGOING CONNECTIONS FROM TRUSTED TO UNTRUSTED ZONES
No inbound firewall ports should be opened or exposed to the Internet, and no static Internet IP addresses should be required.
The industrial router should initiate an outbound, point-to-point secure VPN tunnel to a specific account in the cloud. This tunnel is authenticated and encrypted with HTTPS, and goes over the corporate network and through the firewall (outbound only).
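As an added example (not from the article or any vendor product), the following models the "outbound only" rule above with a minimal connection-tracking firewall: a connection may only be opened from a more-trusted zone towards a less-trusted one and only to the permitted relay endpoint, and inbound packets are accepted solely when they belong to a flow that was opened outbound. The zones, hosts and relay name are constructed for illustration.

```python
# Trust ranking of the constructed zones (higher = more trusted).
ZONE_TRUST = {"machine": 3, "corporate": 2, "internet": 1}

class OutboundOnlyFirewall:
    """Constructed stateful model of the boundary firewall (hypothetical)."""

    def __init__(self, allowed_outbound):
        # allowed_outbound: set of (src_zone, dst_host, dst_port) a flow may initiate,
        # e.g. the industrial router reaching the cloud relay over HTTPS (tcp/443).
        self.allowed_outbound = allowed_outbound
        self.established = set()  # flows opened outbound: (src_host, src_port, dst_host, dst_port)

    def packet(self, src_zone, src_host, src_port, dst_zone, dst_host, dst_port, new_conn):
        """Return 'allow' or 'drop' for one packet travelling in either direction."""
        forward = (src_host, src_port, dst_host, dst_port)
        reverse = (dst_host, dst_port, src_host, src_port)
        if new_conn:
            # A less-trusted zone may never open a connection into a more-trusted one:
            # this is what "no inbound ports exposed" means in practice.
            if ZONE_TRUST[src_zone] < ZONE_TRUST[dst_zone]:
                return "drop"
            # Even outbound, only the explicitly permitted relay endpoint is reachable.
            if (src_zone, dst_host, dst_port) not in self.allowed_outbound:
                return "drop"
            self.established.add(forward)
            return "allow"
        # Non-initial packets (replies included) pass only for a tracked outbound flow.
        if forward in self.established or reverse in self.established:
            return "allow"
        return "drop"

def demo():
    """Walk a constructed packet sequence through the model and return the decisions."""
    relay = "relay.example.invalid"  # hypothetical cloud relay
    fw = OutboundOnlyFirewall({("machine", relay, 443)})
    return [
        fw.packet("machine", "rtr-01", 50123, "internet", relay, 443, True),      # tunnel opens
        fw.packet("internet", relay, 443, "machine", "rtr-01", 50123, False),     # reply accepted
        fw.packet("internet", "203.0.113.7", 4444, "machine", "rtr-01", 443, True),  # inbound attempt
        fw.packet("internet", "203.0.113.7", 4444, "machine", "rtr-01", 50123, False),  # stray packet
        fw.packet("machine", "rtr-01", 50124, "internet", "other.example.invalid", 443, True),
    ]
```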
5. Choose a maintainable solution with a view to the future
STAY UP TO DATE WITH THE LATEST FIRMWARE VERSION AND SECURITY PATCH UPDATES
Follow the device manufacturer's recommendations. Moreover, you can be notified by ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) about vulnerabilities found in industrial automation equipment and receive recommendations on the required patching as well.
The systems included in a remote access solution (router and cloud services) are not always critical and are disconnected most of the time. Therefore, it is not necessary to follow specific policies for upgrading the system other than those recommended by the manufacturer. The asset owner should standardize and maintain how and when to receive the latest security patches.
HIGH AVAILABILITY OF THE REMOTE ACCESS SERVICE
Whenever remote access is needed for emergency operational support, the remote service becomes critical for the availability of the machine. Thus, the provider of the access service must guarantee high availability of the cloud service with an SLA (Service Level Agreement), and this SLA must be reinforced by several actions and control objectives.
These are just some of our recommendations for all companies looking to standardize on a remote connectivity solution.
Statement:
- This article is reprinted from the web and translated by 爱泽工业; if it infringes any rights, please contact us for removal.
- Corrections are welcome if anything is inaccurate.