ISA Interchange

Welcome to the official blog of the International Society of Automation (ISA).

This blog covers numerous topics on industrial automation such as operations & management, continuous & batch processing, connectivity, manufacturing & machine control, and Industry 4.0.

The material and information contained on this website is for general information purposes only. ISA blog posts may be authored by ISA staff and guest authors from the automation community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

All Posts

Remote Access Device Sourcing Considerations for Security

Operational teams running industrial systems rely on remote access devices to do their jobs and rarely think about the non-technical and non-commercial considerations when buying. But recent history is telling us that where the deviceand even components within the devicecome from matters much more than we recognize.

Supply Chain Attacks Are Serious

A supply chain attack is a category of cybersecurity attack where access is gained by targeting upstream elements in the supply chain. A layperson purchasing a deviceperhaps to commission a piece of equipment over the weekendmay think that risk isn’t significant enough to influence the buying decision, but it is.

Supply chain attacks are extremely popular for attackers because, by infiltrating one supplier, they can gain access to many end users. For example, Stuxnet was an effective supply chain attack that targeted PLCs used in a uranium enrichment program. NotPetya, which caused an estimated 10 billion USD in damage to organizations including Merck and Saint-Gobain, was distributed through tax preparation software. Most recently, SUNBURST gave back-door access to up to 18,000 organizations and was distributed through SolarWinds software. This has occurred many times, and will continue because of the payoff for the attacker.

Supply Chain Attacks to ICS Through Remote Access Devices

The idea of a supply chain attack targeting ICS through a remote access device isn’t just theoreticalit has happened before. In 2014, Dragonfly malware infected many organizations and was distributed through Ewon’s Talk2M application setup packages, which is software used to provide VPN access to ICS equipment. The SANS Institute provided a paper on the attack and its impacts, which you can read here.

Considerations Before Buying

So, going back to the layperson purchasing a device so they can commission some equipmentwhat should they do?

In situations where you aren’tand can’t bean expert, it’s wise to look at what experts are doing. In the case of security, one of these experts would be the U.S. Department of Defense. They plainly prohibit purchasing and use of devices, or contracting with providers who use devices, from certain foreign manufacturers because of risks in the supply chain. One DoD memo from July 2020 outlines this practice, and can be publicly viewed here. A named company of significance is Huawei Technologies Company (and its subsidiaries and affiliates), because of the broad use of their chipsincluding in remote access devices, such as Tosibox.

So, one takeaway for the layperson here may be to buy domestic whenever possible. It should be noted that buying domestically manufactured products, and products that were designed with deep layers of security, is not done easily and usually requires a pricing premium, but is undoubtedly worth the cost to the userespecially for remote access to industrial systems.

Beyond supply chain risks, there are many technical and organizational considerations when implementing remote access. I explored these within a work group with The Organization for Machine Automation and Control (OMAC), which then published a Practical Guide for Remote Access to Plant Equipment that I’d recommend reading.


The views expressed here are the author’s own. This article is a product of the International Society of Automation (ISA) Smart Manufacturing & IIoT Division. If you are an ISA member who is interested in joining this division, please log in to your account and visit this page.

Jacob Chapman
Jacob Chapman
Jacob Chapman has a professional background in automation engineering, project management, account management, industrial networking and ICS cybersecurity within the food and beverage, pharmaceutical and energy generation sectors, among others. In his role as Director - BD & Alliances at Nozomi Networks, he leads the organization's strategic partnerships with OT OEMs and technology vendors.

Within the ICS cybersecurity community, he participates in international societies and standard bodies, including serving as an advisory board member to the ISA Global Cybersecurity Alliance (ISAGCA), a member of the Cybersecurity Committee of ISA’s Smart Manufacturing & IIoT Division and a contributor within the ISA99 standards development committee.

Related Posts

Onward and Upward to 2025: Proud of a Great Year

As my year as president of the International Society of Automation (ISA) comes to a close, I wanted to ta...
Prabhu Soundarrajan Dec 20, 2024 10:00:00 AM

How Did Automation Professionals Benefit from ISA in 2024?

The International Society of Automation (ISA) is proud to be the professional home of thousands of member...
Kara Phelps Dec 17, 2024 9:30:00 AM

Ensuring RCM or DCS Redundancy and Its Security in a Complex Industrial Environment

In industrial automation, remote control managers (RCM) or distributed control systems (DCS) are critical...
Ashraf Sainudeen Dec 13, 2024 10:00:00 AM