Zero Trust
Operational Resilience
Operational Technology
Industrial

Poor Visibility Still a Drag on Secure Third-Party Remote Access

George V. Hulme / Apr 9, 2025

Secure remote access has remained the bane of security professionals trying to defend operational technology (OT) and industrial control systems (ICS), especially when enabling access to trusted third parties. 

There are very good reasons why: many OT/ICS devices are old, sometimes decades old, and they were designed and built without security in mind. These devices lack, or cannot support, encryption, modern authentication, and access-control capabilities. They also run older protocols such as Modbus and DNP, which are common in these environments and were never built to withstand security threats. When many of these systems were deployed, their architects did not imagine they would ever be exposed directly to the Internet.

Lack of Visibility Crippling OT Cybersecurity Efforts

According to a survey released last year by the Ponemon Institute, of those knowledgeable of their organization's approach to managing IT system access, only 27% of respondents maintain an inventory of the assets in their OT environment, and 38% said that while their organizations do have such an inventory, it may not be accurate. 

Further, while 73% of respondents said that their organization permits access to their OT environment, only 30% of respondents limit third-party access to onsite. A recent analysis by Claroty's Team82 found that 55% of organizations have four or more remote access tools in their OT environment, while 33% have six or more. Perhaps most concerning was the research group's findings that many remote access tools used by third-party vendors lack basic privileged access management capabilities. 

Michael Farnum, advisory chief information security officer at technology services provider Trace3, said many challenges remain because OT environments weren't built for such active remote connections. 

"Most companies put in the easiest methods for connecting when remote access was needed, including tools such as virtual network computing and TeamViewer," he said. Those tools have primarily stayed in place and remained unsecured, Farnum said.  

That explains why enterprises managing these environments need to focus more on access basics than on blocking "sophisticated attacks" such as rootkits, firmware attacks, and zero-day exploits aimed at ICS environments. Those threats are all very real and dangerous, and they garner attention because of their potential for high-value impact; they often exploit vulnerabilities in OT/ICS environments and in remote access systems. Still, a threat actor has no need to go to such lengths, or to risk burning a zero-day, when poor remote access security and weak credential management already make targeted systems so easy to reach.

6 Third-Party Secure Remote Access Best Practices

Fortunately, there are steps security professionals can take to better control the security posture of their systems and to better manage third-party access. A good chunk of that risk mitigation comes down to basic cybersecurity hygiene.

"In general, it's because there has been a lack of good controls around identity, and those have just started becoming mature in the last 4 to 5 years. Perimeter controls were often OK for internal users, but there hasn't been a good single 'control plane' for ID until recently. Now remote access tools are taking advantage of that control plane—even in OT environments—which will hopefully translate into better remote access security," says Farnum.

Properly mitigating these risks becomes essential, and it can be done by following a few basic practices:

Gain Visibility and Inventory OT Assets

Experts recommend gaining visibility into the current OT/ICS network architecture and its connected assets, starting with the most critical systems. This is best achieved with a mix of approaches: network monitoring, automated asset discovery and inventory tools, and interviews with the various system stakeholders. Ongoing monitoring is then essential to keep the inventory continuously up to date, because a one-time inventory drifts out of sync the moment a device is added, replaced, or retired.
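The practical gap the survey numbers above describe is an inventory that exists but is not accurate. The following added example (not from the article, and not any vendor's tool) shows the reconciliation step that keeps an inventory honest: a hand-maintained OT asset list is compared against sightings exported from a passive network monitor, and the script reports devices on the wire that nobody recorded, recorded devices that were never seen, and recorded devices that have gone quiet. All records, field names (`ip`, `hostname`, `zone`) and the log export format are constructed assumptions.

```python
"""Reconcile a maintained OT asset inventory against passive network observations.

Added illustration; the inventory, observations, and field names below are
constructed sample data, not any product's schema.
"""
from datetime import datetime, timedelta, timezone

# Constructed: the inventory an OT team maintains by hand.
INVENTORY = [
    {"ip": "10.10.1.5",  "hostname": "plc-line1", "zone": "cell-1"},
    {"ip": "10.10.1.6",  "hostname": "hmi-line1", "zone": "cell-1"},
    {"ip": "10.10.2.9",  "hostname": "plc-line2", "zone": "cell-2"},
    {"ip": "10.10.3.1",  "hostname": "eng-ws",    "zone": "cell-3"},
    {"ip": "10.10.9.20", "hostname": "old-rtu",   "zone": "substation"},
]

# Constructed: sightings exported from a passive monitor as
# (ip, protocol observed, UTC timestamp of the most recent observation).
OBSERVATIONS = [
    ("10.10.1.5",  "modbus", "2025-04-08T10:15:00Z"),
    ("10.10.1.6",  "vnc",    "2025-04-08T10:16:00Z"),
    ("10.10.2.9",  "modbus", "2025-04-08T10:20:00Z"),
    ("10.10.2.77", "modbus", "2025-04-08T10:21:00Z"),   # talks Modbus, not in inventory
    ("10.10.9.20", "dnp3",   "2025-01-02T08:00:00Z"),   # inventoried, but silent for months
]

STALE_AFTER = timedelta(days=30)

# Protocols that indicate a remote-access path into a device (constructed list).
REMOTE_ACCESS_PROTOCOLS = {"vnc", "rdp", "ssh", "teamviewer"}


def parse_ts(s):
    """Parse the monitor's UTC timestamp format into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reconcile(inventory, observations, now, stale_after=STALE_AFTER):
    """Return (unknown, never_seen, stale):
    unknown    - IPs observed on the network but absent from the inventory
    never_seen - inventoried IPs with no observation at all
    stale      - inventoried IPs whose latest sighting is older than stale_after
    """
    known = {a["ip"]: a for a in inventory}
    last_seen = {}
    for ip, _proto, ts in observations:
        t = parse_ts(ts)
        if ip not in last_seen or t > last_seen[ip]:
            last_seen[ip] = t
    unknown = sorted(ip for ip in last_seen if ip not in known)
    never_seen = sorted(ip for ip in known if ip not in last_seen)
    stale = sorted(ip for ip, t in last_seen.items()
                   if ip in known and now - t > stale_after)
    return unknown, never_seen, stale


def remote_access_exposure(observations):
    """Return the sorted set of IPs seen speaking a remote-access protocol."""
    return sorted({ip for ip, proto, _ in observations if proto in REMOTE_ACCESS_PROTOCOLS})


if __name__ == "__main__":
    now = parse_ts("2025-04-09T00:00:00Z")
    unknown, never_seen, stale = reconcile(INVENTORY, OBSERVATIONS, now)
    print("unknown on wire:", unknown)
    print("never observed :", never_seen)
    print("stale entries  :", stale)
    print("remote-access reachable:", remote_access_exposure(OBSERVATIONS))
```

Run on a schedule against a fresh monitor export, each of the three lists is a work item: an unknown Modbus speaker needs an owner, a never-seen entry may be a decommissioned device still granted firewall exceptions, and a stale entry may simply be a quiet substation RTU or may be a monitor blind spot.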

Manage, Limit Third-Party Remote Access

Every third party with remote access capabilities needs to be identified, and its access must be limited to only those systems and network segments it needs. As with the asset inventory, this list of third parties with remote access must be kept current.

2FA and MFA Matter for OT

Implement strong authentication and multi-factor authentication, and enforce strict access control policies for OT/ICS environments and IT network segments that connect to them. Default credentials must be replaced, and healthy password policies must be enforced. In most environments, strong privileged access management capabilities should be in place.

Isolate OT via Network Segmentation, Zero Trust

Using zero trust principles, isolate IT, OT, and IoT systems. Also, all third parties should be limited to only those segments and specific systems they need to perform their work. For granular control and vigorous policy enforcement, consider micro-segmentation strategies based on software-defined networking that can be focused on application layer traffic. This enables policies to be applied and enforced more efficiently at the application level.

Of Jump Hosts and DMZs

Ensure third parties use secure tunneling (VPNs, SSL/TLS, etc.) and deploy demilitarized zones (DMZs) with jump hosts for added protection. A DMZ is a network segment that's a buffer zone between an organization's private network and untrusted external networks (the Internet). Jump hosts, or jump boxes or servers, are hardened systems used within DMZs to facilitate secure access.

Monitor and Audit Remote Sessions

Regularly monitor and audit remote sessions, employing AI-powered tools for anomaly detection where available. That means actively observing, recording, and analyzing user activity during remote connections. This is critical for maintaining security, ensuring compliance, and detecting potential threats or misuse.
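The three practices above (a current list of which vendors may reach which segments, enforced MFA, and audited sessions) only pay off when the session records are actually checked against the policy. The following added example (not the article's or any vendor's code) does that check: it parses constructed jump-host session records and reports every session that used an account with no vendor on file, reached a segment outside that vendor's allowlist, fell outside the vendor's approved maintenance window, or was opened without MFA. The log line format, the vendor policy table, and the window hours are all assumptions; adapt the parser to whatever your jump host emits.

```python
"""Audit jump-host session records against a per-vendor access allowlist.

Added illustration. The log format, VENDOR_POLICY, and maintenance window
are constructed assumptions, not any product's format or policy schema.
"""
import ipaddress
import re
from datetime import datetime, timezone

# Constructed allowlist: per vendor account, the segments it may reach from the
# jump host, its approved maintenance window (UTC hours, start inclusive,
# end exclusive), and whether MFA is mandatory.
VENDOR_POLICY = {
    "acme-svc": {"segments": ["10.10.1.0/24"], "window": (8, 18), "mfa_required": True},
    "bolt-svc": {"segments": ["10.10.2.0/24"], "window": (8, 18), "mfa_required": True},
}

# Constructed sample session records as a jump host might log them.
SESSION_LOG = """\
2025-04-08T09:12:03Z user=acme-svc src=203.0.113.10 dst=10.10.1.5 mfa=yes
2025-04-08T09:40:11Z user=acme-svc src=203.0.113.10 dst=10.10.2.9 mfa=yes
2025-04-08T23:05:44Z user=bolt-svc src=198.51.100.7 dst=10.10.2.9 mfa=yes
2025-04-08T10:02:00Z user=bolt-svc src=198.51.100.7 dst=10.10.2.9 mfa=no
2025-04-08T10:30:00Z user=oldvendor src=192.0.2.44 dst=10.10.1.6 mfa=yes
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) mfa=(?P<mfa>yes|no)$"
)


def parse_line(line):
    """Parse one session record; return None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["mfa"] = rec["mfa"] == "yes"
    return rec


def audit_session(rec, policy=VENDOR_POLICY):
    """Return the list of policy violations for one session (empty if clean)."""
    findings = []
    vp = policy.get(rec["user"])
    if vp is None:
        # Nobody on the third-party list owns this account: the list is stale
        # or the account should not exist.
        return ["unknown-account"]
    dst = ipaddress.ip_address(rec["dst"])
    if not any(dst in ipaddress.ip_network(seg) for seg in vp["segments"]):
        findings.append("outside-allowed-segment")
    start, end = vp["window"]
    if not (start <= rec["ts"].hour < end):
        findings.append("outside-maintenance-window")
    if vp["mfa_required"] and not rec["mfa"]:
        findings.append("mfa-not-used")
    return findings


def audit_log(text, policy=VENDOR_POLICY):
    """Return {line_number: findings} for every record that violates policy
    or cannot be parsed; clean sessions are omitted."""
    result = {}
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            result[n] = ["unparseable"]
            continue
        findings = audit_session(rec, policy)
        if findings:
            result[n] = findings
    return result


if __name__ == "__main__":
    for n, findings in audit_log(SESSION_LOG).items():
        print(f"line {n}: {', '.join(findings)}")
```

Unparseable lines are reported rather than skipped on purpose: a session record the audit cannot read is itself a visibility gap, and silently dropping it would recreate the problem the article describes.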

Farnum says the most significant challenges with remote access in OT/ICS environments include balancing the need to bring increased operational efficiencies and digital transformation with the proper levels of security.

"There's an inherent friction there and managing the increased attack surface. And many organizations will continue to struggle to transform and secure their environments simultaneously," says Farnum.

George V. Hulme

George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.
