
This facility is common in our daily life, offered for convenience on devices with digital function components. Familiar examples are TVs, air conditioners and ceiling lights. Sometimes the remote even offers more features than the local device itself.
Given that digitalization dominates the consumer market, it is common for digital devices to have a remote-control counterpart.
In industrial use cases, OT systems are established to control and monitor physical plants. OEMs make operations easier by offering remote control as an option, helping operators and support staff manage devices spread over a diverse geographical area.
The intention is good: cost-effectiveness and better throughput. I came across a cybersecurity practitioner for whom this remote control capability hit a nerve. His immediate response was to demand that such remote control be disabled.
What are the key lessons here?
First, the terminology must be precise. Typically, plants are installed in an equipment room and are monitored and controlled from a different location, say a central control room. Strictly speaking, this is “remote control” because operators do not go to the plant room to operate the plants.
Second, a cybersecurity practitioner must understand the business context: how the OT system functions and is connected, the likelihood of threat exploitation, and the tolerable level of consequence. The principle of cybersecurity is to help the business rather than kill the initiative by prohibition.