Secure Remote Updates For Air-Gapped Systems

Challenges with, and solutions for, securely updating modern complex control systems deployed in locked-down, air-gap-style networks.

Agilicus AnyX enables and secures remote updates through air gaps.

Overview

In “From Smoke Stacks to Smartscapes: Evolving Industrial Operations in the Digital Age” we wrote of the evolution the industrial world has been facing. Equipment has shifted from buy once, run forever to lease, update, repeat. License managers, signed code with online certificate revocation checking, specialised skill sets, and frequent code changes have become the norm rather than the exception.

Agilicus AnyX provides a comprehensive solution to this issue, integrating Zero Trust principles with operational technology needs to secure air-gapped environments.

The Challenge of Air-Gapped Systems

Air-gapped systems are intentionally separated from unsecured networks to prevent unauthorised access and cyber threats. However, this isolation also makes it difficult to update and manage these systems. Traditional methods require physical access or risky network connections. Organisations require a secure solution for remote access to these critical systems without compromising their security.

Typical challenges include:

  1. Signed Code. Updates are brought in via sneakernet, but the operating system has to verify their signature, and this involves online connectivity to an Online Certificate Status Protocol (OCSP) responder or a Certificate Revocation List (CRL).
  2. License Managers
  3. Activation servers
  4. Online patches, Windows updates
  5. Multi-disciplinary commissioning requires unique skill sets from individual team members, not all of whom can be on-site.
  6. Multiple companies (integrator, panel manufacturer, OEM, operator, …) each have bespoke needs for subsets of systems
  7. Backup
  8. Diagnostic logs transfer
  9. Cloud-integrated big data, AI, predictive-maintenance
  10. Post-commissioning debug/update models of deeply embedded devices such as a PLC

The Solution: Agilicus AnyX

Agilicus AnyX solves these challenges, tailored to the needs of an operational technology air-gapped-style architecture.

Signed Code Challenge

A cyber-security best practice is to have the vendor sign each binary. This is a requirement to install drivers on Microsoft Windows. Proper signing means having a method of revocation. And this means having access to an unbounded set of certificate revocation lists.

There is no ‘well-known’ list of IPs, ports, or hostnames that can be allowed in order to enable certificate revocation lookups: each vendor may use a different extended-validity signing authority, and each of these in turn may have different URLs for revocation lookups.

Agilicus AnyX has a unique solution to this complex challenge: an OCSP-aware firewall, allowing safe traversal outbound through the firewall.
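What OCSP awareness at an egress filter can look like, as an added example (not Agilicus code, and not a description of how AnyX implements it): the filter classifies each outbound HTTP request by the OCSP transport rules of RFC 6960 rather than by destination address, and fails closed. The function names, the size limit and the lower-cased header keys are assumptions, and the DER check is structural only.

```python
import base64
from urllib.parse import unquote

MAX_OCSP_REQUEST = 4096  # assumption: real requests are a few hundred bytes

def _der_seq(buf, off=0):
    """Return (content_start, content_end) of a DER SEQUENCE at off, else None."""
    if len(buf) < off + 2 or buf[off] != 0x30:
        return None
    first = buf[off + 1]
    if first < 0x80:                          # short-form length
        start, length = off + 2, first
    else:                                     # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 2 or len(buf) < off + 2 + n:
            return None
        start = off + 2 + n
        length = int.from_bytes(buf[off + 2:start], "big")
    end = start + length
    return (start, end) if end <= len(buf) else None

def looks_like_ocsp_request(der):
    """OCSPRequest ::= SEQUENCE { tbsRequest SEQUENCE {...}, ... }; shape check only."""
    if not 0 < len(der) <= MAX_OCSP_REQUEST:
        return False
    outer = _der_seq(der)
    if outer is None or outer[1] != len(der):  # reject trailing bytes
        return False
    inner = _der_seq(der, outer[0])
    return inner is not None and inner[1] <= outer[1]

def allow_egress(method, path, headers, body=b""):
    """Allow one outbound HTTP request only if it is an OCSP lookup (fail closed)."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if method == "POST":
        return ctype == "application/ocsp-request" and looks_like_ocsp_request(body)
    if method == "GET":
        # GET form: last path segment is URL-encoded base64 of the DER request.
        segment = unquote(path.rsplit("/", 1)[-1])
        try:
            return looks_like_ocsp_request(base64.b64decode(segment, validate=True))
        except ValueError:
            return False
    return False

# Constructed sample: one SHA-1 CertID with zeroed hashes and serial number 1.
_CERTID = (bytes.fromhex("300906052b0e03021a0500") + b"\x04\x14" + bytes(20)
           + b"\x04\x14" + bytes(20) + b"\x02\x01\x01")
SAMPLE = bytes.fromhex("30423040303e303c303a") + _CERTID
```

A request that carries the OCSP content type but a body that is not a well-formed request, or well-formed DER followed by extra bytes, is rejected, so the revocation path cannot double as a general outbound channel.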

License Manager, Activation-Server, Patches Challenge

Modern software has complex, expensive intellectual property. Vendors often use license managers to guarantee revenue streams. License managers are commonly Internet-enabled or activated.

This might occur in building management systems or physical security systems. It might be used only in maintenance activities, e.g. development tools needed to update PLCs and HMIs.

Agilicus AnyX provides a safe, secure method via the AnyX Service Forwarder, guaranteeing that outbound activity can be narrowly tailored, per user or system needing it, and only when and where required. This in turn reduces the risk of a covert command-and-control (C2) channel operating: outbound only for the systems needing it, nothing more.

Multi-Disciplinary, Multi-Company Commissioning and Support

Modern operational technology comprises many components. Some components are vertically integrated, with one manufacturer integrated into another in a supply-chain model. Some are horizontally integrated, distributed control systems. In each case, domain experts are distinct people working for distinct companies.

During integration and commissioning it all comes together. People from all companies and teams are working to debug and deploy. It is inefficient to force all to be physically present as the size of the team and company list grows. It is insecure to create hub and spoke VPN setups. It is impossibly insecure to create shared accounts for this plethora of users.

Agilicus AnyX solves this challenge with a unique unified authentication model. The operator decides which individual users are allowed, without having to consider who those people work for. Each person sees a simple single-sign-on experience, no different than their corporate e-mail. This is much stronger for spear-phishing training and avoidance. It's much simpler for all parties. And it provides a unique audit trail, per person, per action.

Diagnostic Logs Transfer

A common challenge in an air-gapped environment is getting diagnostic logs out. Sneakernet via USB keys provides a large risk: what malware might those devices carry? In addition, sneakernet is inefficient, slow.

Agilicus AnyX solves the diagnostic logs transfer with a unique Share architecture. Take any directory, on any device, and make it available to anyone in the world. With the correct per-user permissions (read-only, read-write, read-write-delete) as needed. The end user can use a browser to access their files, or a traditional desktop mounted share model. No VPN, no layer 3. Simple seamless sign on with multi-factor, and then direct file access. Efficient, secure.

Post-commissioning debug/update models of deeply embedded devices such as a PLC

In a manufacturing setting, Programmable Logic Controllers (PLCs) are used to automate processes like assembly lines, robotic devices, and machinery control. These devices are usually air-gapped to prevent cyber threats, making software updates and patches difficult. The realities of a Distributed Control System make these devices difficult to segment. The realities of their architecture make them difficult to natively secure.

Agilicus AnyX provides a unique solution, efficient for the user, secure for the operator. Operating with industry-standard tools like Rockwell Studio, Schneider, etc., the end user sees the singular PLC they need as if it were locally connected. And nothing else. No VPN is used, and there is no concern about overlapping IPs or about inadvertently programming the wrong device. AnyX provides a Zero-Trust single-user to single-PLC paradigm that is seamless, secure, segmented.

The Traditional VPN For Secure Remote Updates

In Industrial Air Gap – A Tale Of 2 Users we contrasted the security, efficiency of the VPN approach versus the Agilicus AnyX Zero Trust approach. Looking at the key diagram there, we can see the data flow of a VPN approach, its risks, complexities.

Although this may enable remote updates, they are far from secure:

  • which PLC are you accessing? Be careful, there’s more than one
  • Change your desktop IPs to match the plant’s first
  • Malware on the desktop PC has a highway to everything
  • No solution for outbound needs such as license managers, certificate revocation
  • No solution for per-user, per company controls
  • No fine-grained audit of who did what when

Although the VPN may solve remote, it does not solve secure: It is not a viable solution for Secure Remote Updates.

Secure Remote Updates Solution: Agilicus AnyX

Bringing everyone onsite is impractical. Giving everyone a fully-meshed VPN is insecure. Agilicus AnyX provides security you need with the convenience the users need.

Key Aspect: Outbound only connectivity via HTTPS to single destination IP

No inbound connectivity is required. Pass a pentest with 0 open ports. No DMZ. Works behind cellular and satellite NAT. Works with a nested Air Gap inside a larger corporate network.

Single outbound IP makes it easy to configure the firewall rules. The most complex certificate revocation and software updates are reduced to a single destination, a single tunnel, a single rule.

All traffic becomes HTTPS, inspectable by a Next-Generation Firewall if needed. No proprietary protocols. No smuggled Command & Control channels.

Key Aspect: Strong Modern Encryption For All

All traffic is carried over TLS 1.3 with strong encryption. Each resource has its own unique public certificate allocated with a full audit trail. Even the most legacy industrial protocol like Telnet or Modbus can be carried safely, securely.

Key Aspect: Modern Authentication and Multi-Factor

Each user is uniquely identified, using their existing public identity, regardless of company. Multi-factor authentication can be enforced with no need to provide shared hardware keys.

Audit trails are provided per person, per access, per resource.

Key Aspect: Fine Grained Authorisation

Tools like a VPN or a door-key are all-or-nothing. Agilicus AnyX allows fine-grained rules per user, per role, per resource.

You can have a ‘monitoring’ role with read-only access to all HMIs, and a developer role with read-write access, but only when enabled, to a specific PLC or HMI.

Key Aspect: No Changes, No Software for End Users

End users interact either directly through a browser, or through their existing applications. No change in their workflow. Build/Update/Test/Repeat cycles operate as if the user were onsite. Users can interact with multiple sites simultaneously, even when faced with overlapping IP addresses.

Conclusion

By embracing the evolution of Operational Technology towards online, multi-user environments and eliminating the reliance on shadow IT solutions, organisations can enhance their security posture, reduce compliance risks, and streamline their operations. Agilicus AnyX is the ideal solution for achieving an effective Zero Trust Air Gap in Operational Technology systems, providing seamless, secure, and convenient remote access with unparalleled peace of mind.

Ready To Learn More?

Agilicus AnyX Zero Trust enables any user, on any device, secure connectivity to any resource they need—without a client or VPN. Whether that resource is a web application, a programmable logic controller, or a building management system, Agilicus can secure it with multi-factor authentication while keeping the user experience simple with single sign-on.

info@agilicus.com, +1 519 953-4332

300-87 King St W, Kitchener, ON, Canada. N2G 1A7
