Remote access technologies for industrial control systems


  • Christian Valassi
  • Lars Westerdahl

Publish date: 2019-04-26

Report number: FOI-R--4751--SE

Pages: 49

Written in: Swedish


  • remote access
  • security policy
  • security analysis
  • industrial control systems


The ability to access internal resources remotely is part of many organisations' day-to-day operations. Establishing and managing such functionality can however be a complex process when there are different categories of users, both internal and external, that need remote access to internal resources and information of varying protection value. The problem is even harder to solve for organisations that, in-house, lack the competence and capacity to define requirements and manage remote access solutions. This report aims to provide stakeholders with security-related information pertaining to remote access issues, which can be used as a foundation for making decisions related to establishing remote access infrastructure. The report describes the process of constructing remote access functionality in an organisation and describes the questions that need to be answered, and the considerations to be made throughout this process. Furthermore, the report describes the most common remote access methods that provide remote access functionality. These methods are exemplified in three scenarios that discuss threats, risks and describe how each method, complemented with additional security mechanisms, can be used to lower the probability of a threat or to mitigate the effects of the consequences of an attack. The results of this report show that most threats and risks pertaining to remote access in an organisation can be mitigated or counteracted with the techniques described in the report. However, it is important to note that each technique generally needs to be supplemented with additional security mechanisms. The results also show that some threats and risks cannot be mitigated by any of these techniques. In these cases, it is instead important for the organisation to focus on minimising the effects of related consequences. The report ends with a number of recommendations for aspects that need to be fulfilled before the process of constructing a remote access infrastructure can begin. These recommendations include identifying the needs of the organisation, performing security analyses and implementing relevant security policies.