Why Remote Access is Considered the #1 Risk to your Cyber-Physical Systems Environment

6 min read
We discuss a few of the implications organizations face when combining the complexities of cyber-physical systems environments with connectivity and how Claroty can help solve them.

For critical infrastructure organizations, third-party access is creating one of the largest external gaps for threat actors to target. In a recent survey report, when asked about how many cyber attacks in the last 12 months originated from third-party vendor access, nearly half of respondents (44%) reported that 5 or more attacks originated from a third-party supplier’s access to their environment. Typically, this is due to an insecure internet connection or an insecurely configured VPN. 

Claroty’s Team82 research found that, of 125,000 operational technology (OT) assets analyzed, 13% were insecurely connected to the internet. Within that sample, more than 36% of the engineering workstations (EWS) and human-machine interfaces (HMIs) with an insecure internet connection also contained at least one confirmed known exploited vulnerability.

These findings emphasize the real risk to industrial environments, which are increasingly being targeted by adversaries, and the urgent need for network protection controls to thwart remote access attacks.

Why is Locking Down Remote and Third-Party Access to OT Networks so Important? 

As we mentioned, Team82 has demonstrated numerous times that high-risk devices such as EWS, HMIs, and other critical access points within OT environments can be used to gain an initial foothold onto the enterprise network. They have also identified the greatest number of remotely exploitable vulnerabilities impacting OT, IoT, and IoMT systems at Level 3 of the Purdue Model — the operations and control level where EWS are laid out architecturally. Similarly, they have found that Level 2, where HMIs and other control systems are situated, and Level 1, where field devices live, also contain significantly higher numbers of remotely exploitable vulnerabilities.

In recent years, some of the highest-profile breaches have occurred because of insecure remote access. In one instance, attackers allegedly linked to Iran’s CyberAv3ngers compromised 10 water treatment facilities in Israel and several in the United States. In another, Akira ransomware actors exploited Cisco VPNs that were not configured with multifactor authentication to gain access to multiple companies. These breaches highlight the importance of locking down remote access to critical OT networks as more previously isolated devices and control systems come online.

To enable remote access safely, organizations must first implement the proper network protection controls. However, they may face several challenges on the way to effective network protection. Let’s discuss a few of the implications organizations face when combining the complexities of cyber-physical systems environments with connectivity.

Challenges to Preventing Remote Access Breaches with Network Protection Controls 

  1. Establishing an Asset Inventory: Gaining high-caliber visibility for CPS can be challenging because standard IT visibility solutions and scanning methods are typically incompatible with, and unsafe for, industrial networks. Additionally, traditional industrial asset inventory solutions often require hardware that can be expensive, complex, and time-consuming to deploy. Without a real-time inventory of all CPS, network segmentation can prove extremely difficult to achieve.

  2. Lack of Device Communication Visibility: Understanding your compliance status entails knowing how the assets and users in your environment should and should not communicate under normal circumstances. However, this often requires granular, properly tuned policies that many organizations lack, leaving them unable to detect and manage unauthorized connections.

  3. Policy Misconfiguration: Without full asset and communication visibility, you cannot create policies that define how those assets should properly communicate. This can lead to policies that block or allow the wrong traffic, potentially disrupting operations.

How A CPS-Specific Network Protection Strategy Can Solve These Challenges 

Although the adoption of remote access technologies can deliver significant productivity and cost benefits, the use of legacy IT solutions can also lead to insecure connectivity – fueling the need for proper network protection controls and purpose-built secure access solutions. As we’ve discussed, there are several CPS-specific challenges that organizations face in their quest to establish a strong network protection program. However, built-for-CPS solutions can help mitigate these challenges by providing comprehensive cybersecurity capabilities. Here’s how your organization can overcome network protection challenges with Claroty xDome:

  1. Jumpstart & Optimize Network Segmentation: Implementing an effective network segmentation program begins with the challenges of determining which policies to define and how, as well as which technologies to use to enforce those policies. Claroty xDome takes the guesswork out of segmentation by leveraging deep domain expertise and dynamic discovery methods to automatically define and recommend network zones for communication policies. By taking a zone-based approach, your organization can simplify the process of monitoring, refining, and enforcing communication policies through your existing security infrastructure.

  2. Policy Simulation for Network Optimization: Once your OT environment’s assets are grouped into zones based on their communications, operations, and business criticality, you then need to create policies that reflect how the CPS in each zone should and should not communicate under optimal circumstances. Claroty xDome ensures this by recommending policies for each zone that aim to reflect optimal communication destinations, protocols, ports, and more for all CPS within it.

  3. Automate Policy Compliance Monitoring: Industrial organizations worldwide are urged or mandated to comply with various policies to help reduce cyber risk. To understand your compliance status, you must first understand how the assets and users in your environment communicate under normal circumstances. Claroty solves this challenge by automatically translating zone-specific recommended policies into alerting rules against which you can continuously monitor all traffic in your OT environment and address any policy violations.
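The three steps above (group assets into zones, define per-zone allow policies for destinations, protocols and ports, then turn those policies into alerting rules) can be illustrated with a small script. The following is an added example written for this post; it is not Claroty or xDome code, and every IP address, zone name, rule and flow record in it is constructed sample data. It first runs a proposed policy against baseline traffic in simulation mode, so a legitimate flow that the policy forgot to allow shows up before anything is enforced (the policy misconfiguration problem from the challenges list), and then uses the same rules as alerting logic over live flows, where an asset missing from the inventory can never match a rule and is therefore always flagged.

```python
"""Zone-based OT communication policy: simulate a proposed allow-list against
baseline flows, then reuse the same rules as alerting logic for live traffic.
All IPs, zones, rules and flow records are constructed sample data."""
from dataclasses import dataclass
from typing import Optional

# Constructed asset inventory: IP -> zone (zone names follow Purdue levels)
ZONES = {
    "10.1.1.10": "L3-ops",        # engineering workstation
    "10.1.2.20": "L2-control",    # HMI
    "10.1.2.21": "L2-control",    # HMI
    "10.1.3.30": "L1-field",      # PLC
    "10.1.3.31": "L1-field",      # PLC
    "192.168.50.5": "DMZ-jump",   # remote-access jump host
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


# Constructed recommended policy: which zone may reach which, over what
RULES = [
    Rule("DMZ-jump", "L3-ops", "tcp", 3389),      # RDP from jump host to EWS only
    Rule("L3-ops", "L2-control", "tcp", 44818),   # EtherNet/IP to HMIs
    Rule("L2-control", "L1-field", "tcp", 502),   # Modbus/TCP to PLCs
    Rule("L3-ops", "L1-field", "tcp", 502),       # EWS programming PLCs
]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed key=value flow record, e.g.
    '2024-05-01T10:00:00Z src=10.1.1.10 dst=10.1.3.30 proto=tcp dport=502'."""
    ts, *kv = line.split()
    f = dict(item.split("=", 1) for item in kv)
    return Flow(ts, f["src"], f["dst"], f["proto"].lower(), int(f["dport"]))


def zone_of(ip: str) -> str:
    # An asset missing from the inventory lands in 'unknown' and never matches a rule
    return ZONES.get(ip, "unknown")


def matching_rule(flow: Flow) -> Optional[Rule]:
    """Return the first allow rule covering this flow, or None if it is outside policy."""
    key = (zone_of(flow.src), zone_of(flow.dst), flow.proto, flow.dport)
    for r in RULES:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) == key:
            return r
    return None


def simulate(baseline: list[str]) -> dict[str, int]:
    """Policy simulation: count baseline flows per zone pair that the proposed
    policy would block, so a missing rule is caught before enforcement."""
    blocked: dict[str, int] = {}
    for line in baseline:
        flow = parse_flow(line)
        if matching_rule(flow) is None:
            pair = f"{zone_of(flow.src)}->{zone_of(flow.dst)}"
            blocked[pair] = blocked.get(pair, 0) + 1
    return blocked


def alerts(traffic: list[str]) -> list[str]:
    """Compliance monitoring: the same rules applied as alerting logic."""
    out = []
    for line in traffic:
        flow = parse_flow(line)
        if matching_rule(flow) is None:
            out.append(f"{flow.ts} POLICY VIOLATION {zone_of(flow.src)}({flow.src}) -> "
                       f"{zone_of(flow.dst)}({flow.dst}) {flow.proto}/{flow.dport}")
    return out


# Constructed baseline: normal plant traffic; the last flow is legitimate but
# absent from RULES, so simulation should surface it as a would-be outage.
BASELINE = [
    "2024-05-01T08:00:00Z src=192.168.50.5 dst=10.1.1.10 proto=tcp dport=3389",
    "2024-05-01T08:01:00Z src=10.1.1.10 dst=10.1.2.20 proto=tcp dport=44818",
    "2024-05-01T08:02:00Z src=10.1.2.20 dst=10.1.3.30 proto=tcp dport=502",
    "2024-05-01T08:03:00Z src=10.1.2.21 dst=10.1.3.31 proto=tcp dport=502",
    "2024-05-01T08:04:00Z src=10.1.1.10 dst=10.1.2.20 proto=tcp dport=5900",  # VNC to HMI
]

# Constructed live traffic: one jump-host-to-PLC flow that bypasses the EWS,
# and one flow from a source that is not in the inventory at all.
LIVE = [
    "2024-05-02T09:00:00Z src=192.168.50.5 dst=10.1.1.10 proto=tcp dport=3389",
    "2024-05-02T09:05:00Z src=192.168.50.5 dst=10.1.3.30 proto=tcp dport=502",
    "2024-05-02T09:06:00Z src=10.9.9.9 dst=10.1.2.20 proto=tcp dport=44818",
]

if __name__ == "__main__":
    print("simulation, flows the policy would block:", simulate(BASELINE))
    for a in alerts(LIVE):
        print(a)
```

Running the script reports that the proposed policy would block one L3-ops to L2-control flow (the VNC session that was never written into a rule) and raises two alerts on the live traffic. The design point is that simulation and monitoring share one rule set: a rule that is wrong in simulation is caught as a blocked baseline flow, and the same rule, once tuned, becomes the detection logic rather than a separate, hand-maintained alert list.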

In addition to establishing comprehensive CPS network protection, organizations also require a purpose-built secure access solution to close the wide-open door created by remote access. Claroty xDome Secure Access meets this need by striking a balance between frictionless access and secure control over third-party interactions with CPS. xDome Secure Access leverages xDome visibility capabilities, enhancing asset management by identifying and configuring access to assets that require remote connections through granular, entitlement-based policies.

As we know, the growing adoption of multiple IT remote access technologies has led to an expansive attack surface, creating new and greater risks, including threats to public safety, and national and economic security. With network protection controls in place, and the use of a purpose-built secure access solution, organizations can significantly reduce the attack surface available to advanced threat actors looking to disrupt or manipulate industrial processes, impact public safety, and the availability of vital services. 

To learn more about how Claroty xDome and xDome Secure Access can assist in your journey to CPS security, talk to one of our experts today.
