Enabling cybersecurity features using a layered connectivity to promote secure remote operation and maintenance

The cyber attacks which resulted in power outages in Ukraine in 2015 and 2016 generated a great awareness regarding the requirement for cyber secure operations. Securing the connection by employing virtual private networks (VPN) creates a layer of security around legacy systems but operating only at the network level is not sufficient to achieve a defence in depth with the required level of security expected of energy providers. Since it is common to find old software running on outdated operating systems that no longer can have its vulnerabilities patched, the security analogous to internal network provided by VPN is not sufficient to protect legacy devices with known vulnerabilities. In order to work around those issues while maintaining compatibility with legacy systems, it is possible to add layers of security virtualising the computer running the configuration tools and HMI. The virtualised machine can have all its external connections secured by the host computer and can be backed-up and restored into a different host if necessary. This paper investigates managing the access to the configuration computer on the host computer which can be interfaced with common access control strategies used by IT/OT networks with LDAP or RADIUS technologies.