KVM over IP for Field Access?
A reader question:
A client has asked to implement KVM over IP as the remote access solution to RTU in the field. I have been trying to find information on whether the industry approves or disapproves of this.
Cheers, Jamie
The main security issue is the IP connectivity, not the KVM itself. It extends the routable network perimeter, potentially to unmanned field sites that are less secure than the control center. This could allow an attacker at the field site to attack the control center. If you have unpatched servers in the control center, this attack could bring down the whole control system.
IP to the field is increasing and is probably unstoppable. It offers a lot of benefits in bandwidth, cost and reliability. So the key is to put the security controls in place to mitigate this new risk. We have some presentations on the site about where the ’second’ firewall should be placed to limit field attacks.
Author: Dale Peterson
Posted: March 9th, 2006 under Remote Access.
Comments: 3
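An added example, not part of the original post or the presentations it mentions: a Python check of a ’second’ firewall policy that reports any rule letting the field site initiate connections toward the control center. The zone names, rule format, sample rules and the KVM port are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str     # source zone: "control", "field" or "any" (assumed zone names)
    dst: str     # destination zone
    proto: str   # "tcp", "udp" or "any"
    port: int    # destination port, 0 means any
    action: str  # "allow" or "deny"

DEFAULT_DENY = Rule("any", "any", "any", 0, "deny")

# Flows this example policy intends to permit: the control center initiates.
EXPECTED = {
    ("control", "field", "tcp", 20000),  # DNP3 polling of the RTU
    ("control", "field", "tcp", 443),    # KVM-over-IP console (vendor port assumed)
}

def matches(rule, src, dst):
    return rule.src in (src, "any") and rule.dst in (dst, "any")

def audit(rules):
    """Report every allow rule that could match, even if an earlier deny
    shadows it. Rule order is used only for the final default-deny check."""
    findings = []
    for i, r in enumerate(rules, 1):
        if r.action != "allow":
            continue
        where = f"{r.proto}/{r.port or 'any'}"
        if matches(r, "field", "control"):
            findings.append(f"rule {i}: field can initiate to control center ({where})")
        elif matches(r, "control", "field") and (r.src, r.dst, r.proto, r.port) not in EXPECTED:
            findings.append(f"rule {i}: control-to-field allow wider than expected ({where})")
    if not rules or rules[-1] != DEFAULT_DENY:
        findings.append("no final default-deny rule")
    return findings

# Constructed sample policies.
WEAK = [
    Rule("control", "field", "tcp", 20000, "allow"),
    Rule("any", "any", "tcp", 443, "allow"),       # KVM port open in both directions
    Rule("field", "control", "any", 0, "allow"),   # flat routed network
]
HARDENED = [
    Rule("control", "field", "tcp", 20000, "allow"),
    Rule("control", "field", "tcp", 443, "allow"),
    DEFAULT_DENY,
]

if __name__ == "__main__":
    for name, policy in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(policy) or "no findings")
```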
Comments
Comment from Anonymous
Time: March 9, 2006, 11:54 am
I am interested to know how much of the IP connectivity to the field goes over Internet vs. leased lines or fiber. I am guessing not a lot, in which case security is probably a non-issue.
Comment from Dale Peterson
Time: March 9, 2006, 1:53 pm
Anonymous,
You are right and wrong in my opinion.
You are right that only a small percentage of field traffic travels over the Internet. Low-cost cellular Internet is changing this a bit though.
You are wrong that it is a non-issue. Those Ethernet ports at remote field stations can communicate with the control center. The method of transport doesn’t matter. An attacker wouldn’t need to penetrate a secure and manned control center, when he can simply go to a remote, unmanned field site and hack away at his leisure. Granted, this is a directed attack with someone out to get the control system as opposed to the general Internet threat.
Again, with unpatched systems in the control center it is script kiddie time with Nessus and Metasploit.
Comment from Anonymous
Time: March 9, 2006, 9:12 pm
Thank you for your thoughts on KVM over IP.
Remote access seems an ever-increasing requirement to SCADA sites where cost and response times for geographically challenging locations are increasing.
Many solutions have been available in the past but most are software driven and require a certain operating system and configuration which compromises vendors’ service level agreements.
This step away from the machine and remote controlling the input devices (KVM) might keep these service level agreements valid and allow devices which do not have the stock standard OSes to connect with a common medium.
This technology might bring an alternative which is cost effective to the boardroom.
Jamie