An in-depth explanation of why isolated remote access adds value for protected assets.
To address the challenges and limitations of traditional approaches, organizations are isolating each asset onto its own protected microsegment. Unlike VPNs, where only inbound traffic is filtered, inspected, and monitored, isolating each device in a communication pair provides total control over the entire connection.
This concept works by sitting between each protected asset and the network interface port to which it is attached, establishing a secure overlay network that is invisible to all except the assets that have been isolated. This approach enforces absolute least-privilege access policies: each asset can only perform authorized tasks, and its access is limited to the specific device or devices it is authorized to communicate with. If an attacker is on the local network, they will not be able to find the asset, nor will they be able to move laterally within the overlay. The isolation method prevents each of the paired devices from knowing that the other is even attached to a network.
Completely isolating remote access is a distinctive way of enhancing OT cybersecurity. Unlike traditional approaches, its enforcement does not sit in the cloud, at the perimeter, or on the endpoint. Instead, it is positioned between the protected asset and the point where it interfaces to the network. For Ethernet, that is between the asset and the switch. For wireless devices, it is between the asset and the Wi-Fi access points.
Compartmentalizing access is key to reducing the risk of resource misuse and to ensuring that sensitive resources can be isolated and protected from unauthorized access. Through the Byos Secure Lobby Overlay, administrators can establish networking "Zones", which are networking boundaries enforced at OSI Layer 2. Layer 3 and Layer 4 access-control routes to specific resources (port and service combinations) can then be applied to specific microsegments, completely isolating assets and restricting access to only the necessary devices, ports, and tasks, which minimizes the potential for unauthorized or malicious activity. An admin is only authorized to access a resource within the Byos network after all three controls are satisfied, ensuring granular, secure communications across devices connecting from unknown networks.
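The three-stage check described above (the asset must exist on the overlay, the two endpoints must share a Layer 2 Zone, and an explicit Layer 3/4 route must exist for the protocol and port) can be modelled as a default-deny policy evaluator. The following is an added illustration written for this page, not Byos code or its API; the device names, the "line1" and "line2" Zones, and the single Modbus/TCP rule are constructed sample data, and the denial log is a hypothetical audit trail a SOC might consume.

```python
"""Toy model of a Layer 2 Zone plus Layer 3/4 rule policy evaluator.

Added example, not vendor code: device names, Zones and rules are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Device:
    name: str
    zone: str  # Layer 2 enforced boundary the asset's microsegment belongs to


@dataclass(frozen=True)
class Rule:
    """Layer 3/4 access-control route: src may reach dst on proto/port."""
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    port: int


class OverlayPolicy:
    """Default-deny policy: a flow passes only if every control is satisfied."""

    def __init__(self) -> None:
        self.devices: Dict[str, Device] = {}
        self.rules: Set[Rule] = set()
        self.denials: List[Tuple[str, str, str, int, str]] = []  # audit trail

    def add_device(self, name: str, zone: str) -> None:
        """Isolate an asset onto the overlay and place it in a Zone."""
        self.devices[name] = Device(name, zone)

    def allow(self, src: str, dst: str, proto: str, port: int) -> None:
        """Add an explicit L3/L4 route; both endpoints must already be isolated."""
        for n in (src, dst):
            if n not in self.devices:
                raise ValueError(f"unknown device {n!r}; isolate it before writing rules")
        self.rules.add(Rule(src, dst, proto.lower(), port))

    def evaluate(self, src: str, dst: str, proto: str, port: int) -> Tuple[bool, str]:
        s, d = self.devices.get(src), self.devices.get(dst)
        # Control 1: only isolated assets are visible on the overlay at all.
        if s is None or d is None:
            return self._deny(src, dst, proto, port, "endpoint not on overlay")
        # Control 2: Layer 2 Zone boundary.
        if s.zone != d.zone:
            return self._deny(src, dst, proto, port, f"zone boundary {s.zone} -> {d.zone}")
        # Control 3: an explicit Layer 3/4 route for this protocol and port.
        if Rule(src, dst, proto.lower(), port) not in self.rules:
            return self._deny(src, dst, proto, port, f"no rule for {proto}/{port}")
        return True, "allowed"

    def _deny(self, src: str, dst: str, proto: str, port: int, reason: str) -> Tuple[bool, str]:
        # Every denial is recorded so misconfigurations and probes are observable.
        self.denials.append((src, dst, proto, port, reason))
        return False, reason


def build_demo_policy() -> OverlayPolicy:
    """Constructed sample: a vendor laptop supporting one PLC in the 'line1' Zone."""
    p = OverlayPolicy()
    p.add_device("vendor-laptop", "line1")
    p.add_device("plc-01", "line1")
    p.add_device("hmi-02", "line2")
    p.allow("vendor-laptop", "plc-01", "tcp", 502)  # Modbus/TCP only, for maintenance
    return p


if __name__ == "__main__":
    policy = build_demo_policy()
    for flow in [("vendor-laptop", "plc-01", "tcp", 502),
                 ("vendor-laptop", "plc-01", "tcp", 22),
                 ("vendor-laptop", "hmi-02", "tcp", 502),
                 ("unknown-host", "plc-01", "tcp", 502)]:
        print(flow, policy.evaluate(*flow))
    print("denials recorded:", len(policy.denials))
```

Only the one flow that passes all three controls is allowed; a different port on the same PLC, a device in another Zone, and a host that was never isolated are each refused with a distinct reason, and every refusal lands in the denial log so that policy drift or probing shows up in monitoring rather than silently failing.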
Furthermore, keeping the OT network completely protected requires an administrative interface that intuitively leads to the creation of consistent rules and policies. This simplifies managing and maintaining the security measures as designed, reducing the likelihood of misconfigurations or policy deviations. It has the additional benefit that day-to-day administration can be performed by plant personnel without involving a highly trained network and security specialist.
By leveraging these mechanisms, Byos' isolated remote access enables organizations to establish a secure and controlled environment for remote support, allowing properly authorized individuals to perform their tasks while minimizing the risk of security breaches.