Until very recently, operational technology (OT) and industrial control systems (ICS) were characterized by isolation. To ensure both security and availability, OT environments were traditionally isolated from information technology (IT) networks as well as the internet. In addition, because of the types of work they support, OT systems are often deployed in isolated and hard-to-physically-access locations. Examples include the infrastructure sustaining an oil rig hundreds of miles from dry land or a mining operation that sits not only far from the nearest town but also deep underground.
Under these conditions of isolation, OT environments remained relatively secure from the rising tide of cyberattacks targeting IT systems. After all, an attacker seeking to compromise the aforementioned oil rig would need to physically infiltrate it in the middle of the ocean. Perhaps a particularly committed individual would be willing to go to these lengths, but most would undoubtedly just find an easier (and drier) target.
So, isolation had its security benefits. But, for better or worse, we no longer live in a world that supports complete isolation. On the contrary, connectivity is now the expectation – even for oil rigs miles off the coast. To support digital transformation processes and boost business value, OT systems are increasingly being connected to IT networks and even to the internet. In addition, more users and devices than ever before are being granted access — and even remote access — to OT and ICS environments.
Industrial enterprises have long relied on third-party vendors, suppliers, and contractors to perform critical maintenance and specialized service work on key equipment. What is different today is that many if not most of these tasks are being conducted remotely rather than in person, physically inside the OT environment.
Prior to 2020, most vendors, technicians, and inspectors traveled to each on-site location in order to check and repair their clients’ systems. But when COVID-19 made travel impossible, organizations that had never before permitted remote connections found themselves quickly adopting tools and strategies to give employees as well as third-party contractors remote access to critical systems.
According to a recent Ponemon Institute survey sponsored by Cyolo, 54% of industrial organizations invested in new secure remote access (SRA) solutions in the wake of the pandemic. This is hardly surprising since remote access was not widely practiced before COVID, and most organizations would have needed new tools to enable it.
COVID-19 thus marked a sea change in organizations’ willingness to allow remote connections to OT environments. Industrial enterprises hastily deployed solutions like virtual private networks (VPNs) and jump servers/jump boxes as a means to continue operating in the face of travel restrictions and in-person gathering limitations. But while these tools did serve the immediate purpose of keeping operations afloat, this does not mean they fully met the distinctive security and safety needs of the OT environment.
The benefits of remote access are clear, even beyond the context of a global pandemic. When employees and third-party vendors can connect to systems remotely, travel expenses fall, productivity rises, and technical problems may be diagnosed and resolved significantly more quickly, leading to reduced downtime and improved operational agility.
However, remote connectivity also has serious potential drawbacks. When organizations open their systems to remote access, they greatly expand the attack surface for threat actors. This is especially dangerous in the context of critical infrastructure and other sensitive OT or industrial control systems (ICS). If access is not managed and controlled properly, organizations can be exposed not just to cyberattacks, intellectual property theft, and financial repercussions but also to physical safety risks.
Unfortunately, many solutions that claim to provide ‘secure remote access’ do not actually deliver the necessary levels of security or granular control, leaving industrial enterprises and their operations highly vulnerable. To give just one example, VPNs typically extend access to the entire network rather than to needed assets only. A bad actor who manages to gain unauthorized access via the VPN could roam freely throughout the network and cause potentially catastrophic damage. Another significant shortcoming of traditional SRA tools like VPNs and jump boxes is that they are commonly incompatible with the legacy systems that form the backbone of many OT environments. As long as legacy systems go unprotected, OT security will remain at risk.
Data from the same Ponemon research cited above suggests that the SRA tools adopted during the COVID period and in its aftermath are indeed not meeting current security needs. Only 55% of survey respondents believe their organization is effectively or very effectively mitigating risks and security threats to the OT environment. When what is at stake are the systems that produce the goods we as a society depend on, not to mention those that bring clean water and electricity into our homes and businesses, a 55% success rate hardly feels sufficient.
Despite the risks of connectivity, there will be no return to isolation. Modern industrial enterprises must concentrate on implementing solutions that will reduce the risks of remote access while allowing them to enjoy the benefits.
Designed specifically to solve this challenge, Cyolo approaches secure remote access in a new and innovative way. The ultimate objective for any organization adopting SRA is of course to ensure safe, secure access to all internal systems for all users and devices. However, Cyolo recognizes that certain users and devices pose a greater security risk than others and therefore encourages organizations to prioritize securing privileged remote access scenarios. Exactly who is defined as "privileged" will vary, but it's a category that often includes third parties, remote users, and anyone accessing critical infrastructure and other highly sensitive systems. By securing instances of privileged access first, organizations will achieve a meaningful, measurable improvement in security in the shortest amount of time.
With its focus on privileged access, the Cyolo PRO solution both simplifies and modernizes secure remote access for OT. Founded on the principles of zero-trust security and least privilege access but built for the realities of the OT environment, Cyolo PRO enables OT professionals (employees as well as third-party contractors) to safely access and operate OT systems from anywhere in the world. Even legacy systems can be easily retrofitted to support modern security and identity authentication protocols.
By facilitating not just secure remote access but also secure remote operations, Cyolo PRO is leading the evolution of OT security.
To learn more about the Cyolo approach to securing OT environment access, visit https://cyolo.io/product.
Author
Jennifer Tullman-Botzer is a cybersecurity nerd by day and a history nerd by night. She has over a decade of experience in cybersecurity marketing and is as tired as you are of hackers-in-hoodies stock images. Jennifer joined Cyolo in 2021 and currently serves as Head of Content. Prior to Cyolo, she worked in a variety of marketing roles at IBM Security. She lives in Tel Aviv, Israel.