Secure Remote Access for Industrial Networks Design Guide
Page 3
Contents
Introduction  4
    Security Landscape  4
Secure Remote Access Solutions  6
    Virtual Private Networks  6
    Accessing Jump Servers with the Remote Desktop Protocol  7
    Zero Trust Network Access  8
        Verify Users  8
        Device Posture  9
        Least Privilege Access Control  9
        Auditing  9
Secure Equipment Access Design Guidance  10
    Cisco Secure Equipment Access  10
        Cisco SEA Components  11
        Cisco SEA Architecture Guidance  12
    Cisco Duo  16
        Cisco Duo Components  16
        Validating User Trust with Cisco Duo  17
        Validating Device Trust when using the SEA Plus Access Method  18
    Cisco Secure Endpoint  18
        Cisco Secure Endpoint Capabilities  19
Secure Equipment Access Implementation Guidance  20
    Pre-Requisites  20
    Add Users to IoT OD  20
    Create User Groups  21
    Add Users to the User Group  21
    Enable Multi-factor Authentication  21
    Add SEA Agent to Network Device  22
    Add Connected Clients  22
    Add Access Methods  23
    Add Access Methods to User Groups  24
    Verify SEA Connectivity  24
    Scheduling Access for a Group  24
    SEA Plus  25
    Posture Check for SEA Plus  25
    Cisco Duo Policies  26
    Active Session Monitoring and Termination  28
    Audit Logs  28
Appendix A – Mapping Cisco Secure Remote Access Capabilities to Common Industry Standards  30
    NIST 800-82r3  30
    ISA/IEC 62443 3-3  32
    NERC CIP-005-7  34
    TSA Security Directive 1580/82-2022-01  36
Appendix B – Duo MFA for SEA Plus  38
Appendix C – Acronyms  40