If there's one thing you can depend on, it's that for better or worse, people will always try to find a way to make their day a little easier. Unfortunately, this is often done without taking security into account—and in our world, that can be a big deal. Two instances come to mind when I think about a person cutting cybersecurity corners for the sake of convenience: one at a vast mining complex in South America, and the other at a potable water supplier in the United States.
As part of Claroty's evaluation process, like many vendors, we sometimes perform a proof of concept (PoC) before moving forward with a complete site deployment. While not something that all customers require, PoCs allow the enterprise to evaluate a cybersecurity solution against their needs. At the same time, it gives the cybersecurity vendor a chance to view the architecture of the customer and plan the most efficient way to deploy the solution.
My role at the time was as the Technical Consultant sent to help define the deployment architecture and ensure the implementation went smoothly. Both companies in this scenario were evaluating Claroty Continuous Threat Detection (CTD) to provide visibility and protection for their site infrastructure, and in both locations, the deployment was successful. The systems were set to collect traffic from the process environment for the next 48 hours before we presented our findings to senior management. What happened next is two examples of potentially costly shortcuts:
The Mining Complex
The data coming back from the mining appeared to be normal at first glance, however a particular non-routable IP address stood out to the CISO while reviewing the data. The device communicating over this protocol was identified with CTD's passive discovery method, meaning that it was picked up on the network without Claroty actively searching for it. This called for attention, because the CISO recognized that the IP address range was the one used by the company's enterprise group, not the company's process network.
Upon seeing that the bypass had been discovered, an IT analyst in the room sunk into their chair. We had unknowingly gotten the analyst into trouble by revealing that they had been accessing the process network from their IT system. The analyst knocked a hole in the firewall by creating an exception for the IP address in question because they did not want to walk over to the mine network to perform their duties. In doing so, they unintentionally created an unsecured connection—an open pathway through which threats could potentially travel—between the enterprise's IT and OT environments.
The Water Supplier
While we were reviewing the data that CTD discovered with the site's management team, we noticed a couple of unexpected assets on the process network. CTD identified a specific Linksys Wireless Access Point (WAP) on the network. This was cause for alarm because, as far as the CISO was aware, there should be absolutely none of this type of WAP on the network.
A short while and a few conversations later, the CISO discovered that one of their employees had taken a WAP and plugged it into a network switch. This would allow the employee to work on the process network without leaving their desk. While there are many ways to safely and efficiently provide remote access to internal maintenance staff, this was not one of them. The speed and fervor with which the router was unplugged assured staff members that it would not be used again.
Instances like these are not rare and highlight the fact that the human element of cybersecurity is just as powerful and important as the controls that a cybersecurity solution can provide. Building bridges between IT and OT networks is inevitable, and, if done correctly can provide an enterprise with immense benefits in productivity and security alike. Proper visibility, access controls, segmentation, anomaly detection, and behavioral analysis can help prevent malicious elements from taking advantage of these bridges to exploit further vulnerabilities within the network.
To learn more about how Claroty provides total visibility into operational network assets, sessions, and process, request a demo.
