Remote Maintenance for Critical Infrastructure: Made Possible through Security
Remote maintenance for critical infrastructure? A sensitive matter. The IT systems of the German Pension Insurance Association process medical and social data and are classified as critical infrastructure. The German Pension Insurance Association shows how remote maintenance that needs to satisfy the highest security requirements can be achieved.
"In our organizational area, approximately 50 different manufacturers would like to access installed systems via the Internet to perform remote maintenance. Under critical infrastructure conditions, this is a major challenge with respect to security," says Tobias Birk, Director of Security of the German Pension Insurance Association Baden-Württemberg (Dt.Re.Vers.), as he describes the initial situation.
The administrators of the German Pension Insurance Association (specifically: Northern Bavaria, Bavaria South, Swabia, Rhineland-Palatinate, Hesse, Saarland, Baden-Württemberg) operate a joint computer center in Würzburg. This supplies the administrators, spread over five federal states, with a number of regional centers, branch offices, socio-medical services as well as rehabilitation clinics and therapy centers. A wide range of different IT and technology solutions are operated at these locations, from the laboratory equipment in the clinics to the elevator controls in the building technology and office IT for the administration of the insured.
"We need a secure solution, comparable to that in the analog world," says Birk, as he describes the challenge. He explains this using the once-common on-site deployment of service technicians as an example. The technician first had to register in person at the reception desk. An IT employee of the German Pension Insurance Association checked his identity and authorization and accompanied him to the system. Every step of the technician was personally monitored. "Unauthorized persons had no chance. Even if they made it from the parking lot to the reception desk, they could not enter the well-secured building unsupervised,” formulates the IT security specialist, explaining the need for a secure remote maintenance solution.
"Remote maintenance over external networks or by third parties is especially critical," according to the German Federal Office for Information Security (BSI) in chapter "Securing remote maintenance" of the IT-Baseline-Protection Catalog (IT-Grundschutz-Katalog). The law for increasing the security of information technology systems (IT Security Act), which went into effect in 2015, prescribes how critical infrastructure operators implement IT security in accordance with the "state of the art." The BSI specifies the basic rules for securing remote maintenance access points and describes the necessary security functions that should be fulfilled. "The BSI rules were for us the basis of the functional specification of the remote maintenance solution. We placed special emphasis on the tamper-proof recording – including by video – and the implementation of a four-eyes principle. In addition, our employee should be able to interrupt the remote maintenance session at any time," says Birk as he lists the requirements.
First, a market analysis and evaluation of relevant remote maintenance solutions was performed with the involvement of an external, neutral service provider. In the end, two providers were left to choose from. In a proof of concept, the solutions of both providers were simulated under real conditions with three clients and intensively tested for approximately three months. The PoC was performed according to the typical cooperation method in the joint computer center of the German Pension Insurance Association in Würzburg together by the IT from the German Pension Insurance Association Baden-Württemberg and the specialists of the German Pension Insurance Association Rhineland-Palatinate and Bavaria South. The decision was made in favor of the remote maintenance solution of the German IT security company genua GmbH. The tests confirmed that the solution satisfied all essential criteria and also proved effective in operation.
The central security element of the solution from genua is the so-called rendezvous concept. With this approach, no unilateral remote maintenance access is permitted into the network of the German Pension Insurance Association. All external connections are made via a rendezvous server that is installed in a demilitarized zone (DMZ) next to the firewall. Both the external maintenance technician and the internal employee of the German Pension Insurance Association establish connections to the server at an agreed time. These are created as strongly encrypted and authenticated point-to-point connections via a VPN tunnel. A direct maintenance connection is created only once the rendezvous has been established on the server. No direct network coupling occurs. Through the rendezvous solution, the German Pension Insurance Association retains full control of the maintenance access in its networks.
The remote maintenance solution was implemented together with genua and was set up within two weeks. The preconfigured and tested elements from the proof-of-concept could be used in the solution. "With the genucenter as a management station, we administrate all remote maintenance elements from a central point. As a result, it is relatively simple to keep an eye on the status or to integrate additional hardware," reports Tobias Birk. The IT security specialist works in Stuttgart, the computer center is in Würzburg and the systems that are to undergo remote maintenance are in Bavaria, Baden-Württemberg, Rhineland-Palatinate, Saarland and Hesse.
For these distributed structures, the German Pension Insurance Association required a differentiated role concept to satisfy the needs of multiple legally independent users. In the event of an audit, the various security officers should only obtain access to the data of their client. To complete the remote maintenance solution, the German Pension Insurance Association had still further remote desktop requirements. These included the possibility of making the option of a data transfer configurable so as to be flexible here. "genua accepted the change requests and implemented them according to our wishes," says Birk. "The assistance and support from genua are good. If necessary, we always have a contact person and not just an anonymous web-ticket system. If it is urgent, we can use additional escalation levels."
The participating employees from the German Pension Insurance Association first had to familiarize themselves with the new system. The consensus was ultimately very positive because the new solution is uniform for all applications. There is no longer a range of different methods and user interfaces. In addition, each admin can adapt the necessary details for his area. The SSH connection can thereby be established using tools such as Putty or a viewer from genua. The external maintenance access can also be restricted to certain areas or individual systems via the central management station. With respect to time, use can also be restricted to certain times of day. Lastly, it is possible to limit the remote maintenance session in terms of duration. "This is equivalent to the inspections once performed by a guard service. We define an electronic guard book and know at all times who is still present and what they are doing," Birk says in summary.
This central solution is operated within the South-Southwest region of the German Pension Insurance Association / in the Würzburg computer center (RZW-Verbund) according to the cooperation model that prevails here. In concrete terms, this means that the German Pension Insurance Association Baden-Württemberg and the German Pension Insurance Association Rhineland-Palatinate share the operation. Contact to the external manufacturers and service providers is made available via a single point of contact.
The concept is fully transparent. All authorized users are registered in an order database. The respective authorizations of each user are also stored here. The external partners initially responded very apprehensively to the new solution. Once reference was made to the critical infrastructure requirements, however, there was more understanding. Ultimately, the extremely streamlined solution could convince. "Manufacturers and IT service providers do not need to install any additional software. They download a "portable client," load the predefined configuration provided by the German Pension Insurance Association and the client is functional. And that’s it," says Birk.
This solution with the rendezvous concept for integrating external access has proven in practice to be fast, reliable and secure for the German Pension Insurance Association. The security from the analog world could be successfully transferred to the critical infrastructure.
"The remote maintenance solution is simple and secure. And when it’s simple, it’s also accepted. Even if a laptop belonging to an external service technician is stolen, the thief will make it only as far as the parking lot in front of the building. The interior of the building itself remains secure. This is security by default," says the head of the German Pension Insurance Association competence team in positive assessment of the security solution.