Secure remote access for operational tech

Historically, operational technology (OT) such as industrial control systems (ICS) and sensors was designed to work in isolation, so remotely executed attacks were not a concern. But digital transformation and the rapid shift to working from home amid the Covid-19 pandemic have made remote access to facilities a necessity. Yet the very nature of remote access means that it inevitably gives attackers more points of entry into the network.

Claroty’s General Manager for APAC and Japan, Eddie Stefanescu, explains why remote access solutions specifically designed for OT networks are needed, and more.

Eddie: VPN-based remote access solutions remain popular for enabling enterprise IT connectivity, and many security professionals assume that VPNs can simply be applied to OT networks and provide the same level of security. However, OT networks have unique requirements and proprietary protocols that are largely unrecognisable to VPNs and other traditional IT security tools. Aside from providing limited access controls and session log files, traditional VPNs also present a potential entry point for malicious activity since they are accessed through the public internet. If a malicious actor steals an authorized user’s credentials, they gain a solid foothold within the organisation’s network. This level of unauthorized access poses significant operational, financial, and safety risks.

Additionally, OT and IT have different security priorities. Specifically, IT teams typically prioritize the CIA triad, which encompasses the principles of confidentiality, integrity, and availability in the context of data or information and corresponding IT systems. Meanwhile, OT teams typically prioritize the principles of availability, reliability, and safety in the context of physical processes and corresponding OT systems.

Thus, the problem is that most IT solutions are not designed to effectively work for OT. Organisations with facilities, for example oil and gas or water, require remote OT access solutions that are specially designed to secure and control without incurring downtime or impeding workflow.

EITN: How can an organisation manage auditability and privileged access in a remote cyber environment?

Eddie: To manage security in ICS environments, remote access solutions require auditing, control and monitoring capabilities. Generally, traditional VPN or gateway-based tools do not adequately log user activities, provide auditing capabilities, or allow for administrators to monitor remote sessions, nor do they disconnect sessions in the event of malicious activity in real time.

Claroty’s Secure Remote Access (SRA), which is built for industrial environments, includes extremely granular role- and policy-based access controls for industrial assets at multiple levels and geographic locations, supporting Zero Trust and Least Privilege security principles. Additionally, SRA streamlines audits with comprehensive monitoring capabilities that provide full, real-time visibility into users’ activity. It keeps detailed logs and automatically records full-length videos of all remote sessions for retroactive analysis.

EITN: How is visibility into network assets key to detecting unauthorised remote connections?

Eddie: Visibility into network assets on an OT network can help to identify vulnerabilities such as out-of-date operating systems and software, and also any common vulnerabilities and exposures associated with products, allowing administrators to take action.

It is critical to proactively monitor for indicators of threat actors attempting to exploit your environment. At Claroty, we have a dedicated research team for discovering vulnerabilities, understanding how they are exploited, and continuing to monitor proactively for new vulnerabilities. Their expertise drives the continuous threat detection capabilities in our platform, which automatically weeds out false positives and provides signatures to respond to threats. When threats do surface, our customers are equipped with the latest protections and controls to manage and mitigate risk from both known and unknown, emerging threats.

EITN: Which industries are more prone to risk by remote attacks?

Eddie: Claroty’s Biannual ICS Risk & Vulnerability Report found that the critical manufacturing, energy, water and wastewater, and commercial facilities sectors—all designated as critical infrastructure sectors—were by far the most impacted by ICS vulnerabilities disclosed during the second half of 2020, and 71% of those vulnerabilities were remotely exploitable through network attack vectors.

For instance, in February, there was a remote attack against a water treatment facility in Oldsmar, Florida, which was accessed twice via a compromised version of TeamViewer, a remote access solution, to increase levels of sodium hydroxide, a dangerous substance if consumed, in residential and commercial drinking water.

Furthermore, the increase in remote work has resulted in a greater reliance on email communication, heightening the risk of personnel being targeted by phishing or spam attacks and thus ransomware and other malware infections. It is likely that we will see more ransomware attacks affecting critical sectors, employing extortion methods, and strategic targeting, particularly for critical infrastructure sectors that cannot afford downtime.

As the pharmaceutical industry continues to produce and distribute vaccines for the world, it may also be susceptible to remote attacks. For example, in December 2020, the New York Times reported that a cyber attack targeting the vaccine supply chain may have been waged by nation-state adversaries. While this may have been an attempt to steal proprietary information related to technology for transporting mass quantities of the vaccine, some experts suspect that these adversaries may have intended to wage a disruptive ransomware attack to hold the vaccine distribution process hostage.

EITN: From the interview pitch, is Claroty implying that industrial organisations should do risk assessments to understand potential threats? If yes, what are the steps to translate this into a holistic cyberdefense for the organisation?

Eddie: A thorough risk assessment is necessary to establish full visibility of potential threats. After all, effective industrial cybersecurity starts with knowing what needs to be secured. This means having a comprehensive and up-to-date inventory of all OT, IoT, and IIoT assets, processes, and connectivity paths in the network.

Assessing risk in these areas requires highly specialised tools that can work with the countless proprietary protocols across different assets. Additionally, OT systems often have limited bandwidth, so tools must be able to run without disrupting operations.

That being said, once visibility is established, the next step is to enable real-time threat detection and response. Speed is always essential for fighting any cyber threat but is especially important for OT. The smallest disruption can result in catastrophic issues, such as interrupting power supplies or halting production lines.

Detection mechanisms should account for both known and unknown attack types. It is also important to have a unified view of both IT and OT systems to identify attackers attempting to exploit connectivity on both fronts simultaneously. Automatically grouping related alerts together can also help to establish a higher signal-to-noise ratio and make it easier to identify serious threats.

The third step is continuous vulnerability management. Since OT networks are usually made up of legacy equipment dating back many years, there is likely a high volume of potential vulnerabilities that have gone unnoticed. The limited operational bandwidth afforded by OT systems means genuine vulnerabilities can be hard to detect amongst all the false positives. As a result, a security strategy needs to address both incoming active attacks and existing weaknesses that could be exploited in the future.

Automatically identifying and comparing individual OT, IoT, and IIoT assets to a database of known vulnerabilities will help bring the potential risks under control. This should include a variety of sources, such as the latest Common Vulnerabilities and Exposures (CVE) data from the National Vulnerability Database (NVD).
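The inventory-to-vulnerability comparison described in this last step, as an added example that is not Claroty's code or a description of its platform: the assets, products and vulnerability ids are constructed placeholders, and the version-range matching and attack-vector ordering are this example's own assumptions (real records would come from asset discovery and NVD CVE data).

```python
# Added example (not Claroty's code): match an OT asset inventory against
# known-vulnerability records. Every asset, product and id below is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str       # where the device sits, for the operator
    vendor: str
    product: str
    version: str    # firmware/software version string

@dataclass(frozen=True)
class Vuln:
    vuln_id: str        # placeholder ids; real records carry CVE numbers
    vendor: str
    product: str
    fixed_in: str       # first version no longer affected
    attack_vector: str  # CVSS v3 attackVector, e.g. "NETWORK" or "PHYSICAL"

def parse_version(v: str) -> tuple:
    """'2.10.3' -> (2, 10, 3): numeric compare, so '2.9' sorts below '2.10'."""
    return tuple(int(part) for part in v.split("."))

def is_affected(asset: Asset, vuln: Vuln) -> bool:
    """Affected when vendor/product match and version is below the fixed version."""
    same_product = (asset.vendor.lower() == vuln.vendor.lower()
                    and asset.product.lower() == vuln.product.lower())
    return same_product and parse_version(asset.version) < parse_version(vuln.fixed_in)

def match_inventory(assets, vulns):
    """Return {asset name: [vuln ids]}, network-reachable findings listed first,
    since those are the weaknesses that remote connectivity exposes."""
    findings = {}
    for asset in assets:
        hits = [v for v in vulns if is_affected(asset, v)]
        hits.sort(key=lambda v: (v.attack_vector != "NETWORK", v.vuln_id))
        if hits:
            findings[asset.name] = [v.vuln_id for v in hits]
    return findings

ASSETS = [  # constructed inventory
    Asset("plant-a/line-1/plc", "ExampleVendor", "PLC-1000", "2.9.0"),
    Asset("plant-a/line-1/hmi", "ExampleVendor", "HMI-Station", "5.2.1"),
    Asset("plant-b/pump-ctrl", "ExampleVendor", "PLC-1000", "2.10.0"),
]
VULNS = [  # constructed records, not real advisories
    Vuln("EXAMPLE-0001", "ExampleVendor", "PLC-1000", "2.10.0", "NETWORK"),
    Vuln("EXAMPLE-0002", "ExampleVendor", "PLC-1000", "3.0.0", "PHYSICAL"),
    Vuln("EXAMPLE-0003", "ExampleVendor", "HMI-Station", "5.2.0", "NETWORK"),
]
```

Calling `match_inventory(ASSETS, VULNS)` reports the two PLC-1000 devices, with the network-reachable finding first for the device on the older firmware, and nothing for the HMI, whose version is already past the fix.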