Universal Tunneling to simplify OT & ICS Access Security

Unique to WALLIX, Universal Tunneling enables users to benefit from all the power and ease of the WALLIX Bastion while simplifying the user experience. WALLIX secures OT & ICS Systems by centralizing internal and external connections, and through comprehensive traceability and audit capabilities of all maintenance, and the activity performed across the infrastructure.

Boosted by digitization – and the digital transformation to Industry 4.0 – the IT-OT convergence has left the industrial sector highly vulnerable to frequent cyber-attacks. Reduce the attack surface area of your industrial environment by eliminating multiple unmanaged VPNs and centralizing internal and external access to your IT system.

WALLIX secures operators’ access to industrial control systems (ICS) and offers a simplified user experience perfectly designed for OT environments through Universal Tunneling.

Increasingly Exposed Process Environments

The so-called “industrial” and “office” networks have remained well-separated for many years. Technologies and needs differed, as did the challenges and risks each area of the business faced.

Today, however, OT relies on IT technologies but is adapted to the operational safety constraints that characterize the industry. The maintenance of IT-OT components is no exception to the need for security. Unfortunately, the proliferation of network access points, secure or not, is characteristic of the massive digitization of industrial environments.

In 2020, Kaspersky’s ICS CERT observed a 53% increase in remote access to OT environments and, at the same time, an average reduction in cybersecurity budgets of 24%.

Rampant, uncontrolled, and unmonitored remote access drastically increases the attack surface of OT environments. And in a sector rife with sensitive data and public implications, the potential consequences are significant, in terms of lost production costs, data leakage, or human impacts (public safety, biomedical concerns, etc.).

The IT-OT Context

The industrial sector faces particular and specific regulations for IT security. The ISA / IEC 62443-2/3 standard defines a range of requirements for authentication and management of access rights for operators and service providers working on industrial control systems (ICS).

WALLIX secures ICS by centralizing internal and external connections, and through comprehensive traceability and audit capabilities of all maintenance, and the activity performed across the infrastructure. This enables Industrial organizations to monitor all IT-OT maintenance actions and connections to sensitive assets.

However, in order to ensure production continuity, service providers and operators must be able to access their production resources without any environmental, location, or time constraints. With Universal Tunneling, WALLIX offers a simplified user experience adapted to complex OT environments.

Thanks to the constraints of industrial sites and distributed networks, it’s not always feasible to rely on jump servers to access resources. For instance, some service providers have their own tools to connect to machines, with their own configuration and their own habits. To facilitate their work efficiency, it becomes necessary to secure their connection directly from their workstation to the target to guarantee operational efficiency.

Some confidential programming data cannot be shared on the same engineering station by multiple providers. The versioning of the administration tools cannot be common to all the PLCs of the same manufacturer

Through Universal Tunneling with the WALLIX Bastion, these challenges are no longer an issue, making it simple and efficient for IT and equipment administrators to connect to the resources necessary to carry out critical tasks.

Universal Tunneling

Through this unique tool, the main obstacles to implementing a Privileged Access Management (PAM) solution in OT environments are resolved. Industrial protocols (e.g. Modbus, Profinet, Bacnet, EtherCAT, etc.) are encapsulated directly in an SSH tunnel, allowing service providers to connect to their PLCs, gateways, and other industrial components, exactly as they would without Bastion.

Authentication, traceability, and session control remain assured; it has never been easier to secure the maintenance of critical assets in OT.

Universal Tunneling OT Security

With the WALLIX Bastion complete with Universal Tunneling, the risk of compromising workstations or servers at the end of a jump to resources targeted by an attacker is reduced to the absolute minimum.

The removal of jump servers allows:

A reduction in costs (servers, licenses)
> Optimized user experience
> Enhanced security

Universal Tunneling promotes user adoption while reducing the TCO (Total Cost of Ownership) of the solution.

Advantages

Simplified User Experience
> Agentless on user-side
> Simple HTML5 User Interface
> Universal Tunneling to maintain its working environment
> Existing VNC integration

OT Endpoint Security
> Legacy OS support
> Works in a disconnected environment and without Active Directory
> Rule’s granularity (Kernel approach)

Support for all OT Targets
> Agentless on target-side
> Universal tunneling to manage industrial protocols
> Multi-protocols to support all OT components
> Strong OT features :
> Approbation workflows
> Multi-Factor Authentication
> Data Leak Prevention and Antivirus systems integration

Easy to Manage and Operate
> Only 2 modules based on Linux OS (Bastion and Access Manager)
> Single vendor hardened image: Included OS layer + DB layer + Application layer
> Integration : SSO / MFA / SIEM / API /…
> Security by design