
Remote Access should not allow general access to all equipment but be restricted to specific devices.


Access to additional devices should be granted only when it is determined that reaching them is required to correct an issue, and it should be limited to those devices. Several methods exist to enforce this critical capability (per-account device allowlists on the remote access platform, jump hosts that expose only named targets, time-bounded exceptions), so the choice of method should be considered seriously when developing the plan.

As discussed previously, troubleshooting sometimes requires several devices to be accessed at the same time. Even then, access should be granted only for the specific equipment and systems that are necessary for the task. The finer the control over who accesses what, the safer the plant: not everyone should be trusted with complete access to all devices.

Methods to validate that an individual is the proper resource.


Everyone accessing systems remotely should be uniquely identified. One must be able to know who was in the system as an individual, not merely which group or shared account was used. Validation should be an ongoing procedure, not a one-time login check, and it should rely on a multi-factor authentication (MFA) system.

Examples of such a process are:


• A user account is created by IT and authenticated by the administrator; the account is placed in a dedicated user group; the Remote Access platform enforces 2FA; and OT staff specify the devices the account is whitelisted to access.
• A captive portal, or a similar technique, that makes the user of a public-access network view and interact with a particular webpage before being granted access.
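The first example above, together with the rule earlier on this page that extra devices are reachable only while an issue requires it, can be enforced as a small authorization check inside the remote access platform. The following Python is an added illustration written for this edit, not code from the guide or from any particular product: it assumes one individual account per person (no shared logins), a standing per-account device allowlist set by OT staff, ticketed time-bounded grants for any other device, and an audit log that always names the individual. The device names, user names and ticket number are constructed sample data.

```python
"""Device-allowlist authorization for a remote-access gateway.

Added illustration (not code from the guide): each remote user has an
individual account tied to a standing allowlist of OT devices; reaching any
other device needs a ticketed, time-bounded grant that expires on its own;
every decision is logged against the individual, never a group. Names such
as PLC-01, HMI-07 and INC-1234 are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Fixed reference clock so the example is deterministic (constructed).
T0 = datetime(2021, 6, 1, 8, 0, tzinfo=timezone.utc)


def minutes_after(n: int) -> datetime:
    """Instant n minutes after the reference clock T0."""
    return T0 + timedelta(minutes=n)


@dataclass
class TemporaryGrant:
    device: str
    ticket: str            # incident/change reference that justified the grant
    approved_by: str       # OT staff member who approved it
    expires_at: datetime   # grant is void after this instant


@dataclass
class Account:
    user: str                   # one named person; shared accounts are not allowed
    mfa_verified: bool          # the remote-access platform completed MFA for this session
    allowed_devices: set[str]   # standing allowlist set by OT staff
    grants: list[TemporaryGrant] = field(default_factory=list)


# Append-only audit trail; every entry names the individual user.
audit_log: list[dict] = []


def grant_temporary_access(account: Account, device: str, ticket: str,
                           approved_by: str, minutes: int, now: datetime) -> TemporaryGrant:
    """Extend one account to one extra device for a bounded window."""
    g = TemporaryGrant(device, ticket, approved_by, now + timedelta(minutes=minutes))
    account.grants.append(g)
    audit_log.append({"time": now.isoformat(), "user": account.user, "event": "grant",
                      "device": device, "ticket": ticket, "approved_by": approved_by,
                      "expires_at": g.expires_at.isoformat()})
    return g


def authorize(account: Account, device: str, now: datetime) -> tuple[bool, str]:
    """Decide whether this user may open a session to this device right now."""
    if not account.mfa_verified:
        ok, reason = False, "mfa-not-verified"
    elif device in account.allowed_devices:
        ok, reason = True, "standing-allowlist"
    else:
        # Drop expired grants so they can never be reused.
        account.grants = [g for g in account.grants if g.expires_at > now]
        active = next((g for g in account.grants if g.device == device), None)
        if active:
            ok, reason = True, f"temporary-grant:{active.ticket}"
        else:
            ok, reason = False, "device-not-allowlisted"
    audit_log.append({"time": now.isoformat(), "user": account.user, "event": "access",
                      "device": device, "allowed": ok, "reason": reason})
    return ok, reason


def demo() -> list[tuple[bool, str]]:
    """Walk through a troubleshooting scenario; returns the decisions in order."""
    tech = Account("jdoe", mfa_verified=True, allowed_devices={"PLC-01"})
    results = [authorize(tech, "PLC-01", minutes_after(0)),   # own device: allowed
               authorize(tech, "HMI-07", minutes_after(1))]   # not allowlisted: denied
    # OT lead approves a 30-minute exception under an incident ticket.
    grant_temporary_access(tech, "HMI-07", "INC-1234", "ot-lead", 30, minutes_after(2))
    results.append(authorize(tech, "HMI-07", minutes_after(10)))  # inside window: allowed
    results.append(authorize(tech, "HMI-07", minutes_after(40)))  # expired: denied again
    # A session without MFA is refused even for an allowlisted device.
    results.append(authorize(Account("rsmith", False, {"PLC-01"}), "PLC-01", minutes_after(41)))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
    for entry in audit_log:
        print(entry)
```

The two design points worth carrying into a real deployment are that the exception is tied to a ticket and an approver and expires on its own (so troubleshooting access does not quietly become standing access), and that the audit entry records the person, not the group, which is what makes the "who was in the system" question answerable afterwards.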

2021 | Practical Guide for Remote Access to Plant Equipment | 59
