AC-17: REMOTE ACCESS

TAILORED FOR INDUSTRIAL CONTROL SYSTEMS

  • ICS Control Baselines:
  • Low
  • Moderate
  • High

The organization:

    • a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
    • b. Authorizes remote access to the information system prior to allowing such connections.

SUPPLEMENTAL GUIDANCE

Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3.

ICS SUPPLEMENTAL GUIDANCE

In situations where the ICS cannot implement any or all of the components of this control, the organization employs other mechanisms or procedures as compensating controls in accordance with the general tailoring guidance.

CONTROL ENHANCEMENTS

AC-17 (1) REMOTE ACCESS | AUTOMATED MONITORING / CONTROL
  • ICS Control Baselines:
  • Moderate
  • High

The information system monitors and controls remote access methods.

Supplemental Guidance:

Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).

ICS Supplemental Guidance:

Example compensating controls include employing non-automated mechanisms or procedures as compensating controls (e.g., following manual authentication [see IA-2], dial-in remote access may be enabled for a specified period of time or a call may be placed from the ICS site to the authenticated remote entity).

RELATED CONTROLS: AC-17 (1)

AC-17 (2) REMOTE ACCESS | PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION
  • ICS Control Baselines:
  • Moderate
  • High

The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

Supplemental Guidance:

The encryption strength of the mechanism is selected based on the security categorization of the information.

ICS Supplemental Guidance:

ICS security objectives often rank confidentiality below availability and integrity. The organization explores all possible cryptographic mechanisms (e.g., encryption, digital signature, hash function). Each mechanism has a different delay impact. Example compensating controls include providing increased auditing for remote sessions or limiting remote access privileges to key personnel.

RELATED CONTROLS: AC-17 (2)

AC-17 (3) REMOTE ACCESS | MANAGED ACCESS CONTROL POINTS
  • ICS Control Baselines:
  • Moderate
  • High

The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points.

Supplemental Guidance:

Limiting the number of access control points for remote accesses reduces the attack surface for organizations. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections.

ICS Supplemental Guidance:

Example compensating controls include connection-specific manual authentication of the remote entity.

RELATED CONTROLS: AC-17 (3)

AC-17 (4) REMOTE ACCESS | PRIVILEGED COMMANDS/ACCESS
  • ICS Control Baselines:
  • Moderate
  • High

The organization:

    • (a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and
    • (b) Documents the rationale for such access in the security plan for the information system.

Supplemental Guidance: NONE

ICS Supplemental Guidance:

Example compensating controls include employing nonautomated mechanisms or procedures as compensating controls in accordance with the general tailoring guidance.

RELATED CONTROLS: AC-17 (4)

AC-17 (5) REMOTE ACCESS | MONITORING FOR UNAUTHORIZED CONNECTIONS

[Withdrawn: Incorporated into SI-4].

AC-17 (6) REMOTE ACCESS | PROTECTION OF INFORMATION

The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure.

Supplemental Guidance: NONE

RELATED CONTROLS: AC-17 (6)

AC-17 (7) REMOTE ACCESS | ADDITIONAL PROTECTION FOR SECURITY FUNCTION ACCESS

[Withdrawn: Incorporated into AC-3 (10)].

AC-17 (8) REMOTE ACCESS | DISABLE NONSECURE NETWORK PROTOCOLS

[Withdrawn: Incorporated into CM-7].

AC-17 (9) REMOTE ACCESS | DISCONNECT/DISABLE ACCESS

NOT SELECTED FOR THE NIST ICS CONTROL SET

The organization provides the capability to expeditiously disconnect or disable remote access to the information system within [Assignment: organization-defined time period].

Supplemental Guidance:

This control enhancement requires organizations to have the capability to rapidly disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of missions/business functions and the need to eliminate immediate or future remote access to organizational information systems.

REFERENCES:

  • NIST Special Publication 800-82
  • NIST Special Publication 800-113
  • NIST Special Publication 800-114
  • NIST Special Publication 800-121
  • NIST Special Publication 800-46
  • NIST Special Publication 800-77