The hybrid and remote workforces that emerged early in the pandemic are here to stay. Companies have had to shift focus to new practices that allow their employees to work how and when they want, from anywhere in the world. Technicians who previously had to fly on-site to perform upgrades on critical OT systems no longer have the same convenient travel options, or would rather not spend their lives on planes. In fact, Okta’s 2021 New Workplace Report found that 42% of workers want a hybrid-work model.
Companies are also seeing benefits to their productivity and their bottom line, including a major cost reduction in travel expenses and mean time to resolve. However, in early 2020 most industrial organizations were not equipped to tackle this change so rapidly, so existing security controls were frequently circumvented and vulnerabilities were exposed.
The Next-Gen Industrial Worker’s Attack Surface
This new wave of connected workers is empowering organizations to reduce travel expenses, system downtime, and human risk while increasing operational productivity. However, industrial networks were not designed for our new reality of instant anywhere access. The introduction of IoT devices, embedded systems, cloud applications, and 3rd party user access all pose threats both internally and externally. Publicly exposed IoT sensors, HMIs, or system controls are prime targets for hackers – as their firmware and/or operating systems are typically outdated. Allowing remote access to engineering stations or corporate IT resources with a VPN still allows for lateral movement across your network.
Regulatory compliance in the industrial space places strict guidelines on how OT systems are to be isolated and how they may communicate across specific physical boundaries. Critical applications running on end-of-life operating systems have no other choice but to be isolated – patches may be unavailable, and downtime is out of the question. Another item to consider is that these connectivity limitations may hinder some of the benefits these connected workers bring. Too much security can result in workflow restrictions – it’s a fine line to walk.
The Human Element
Verizon’s 2021 DBIR found that, yet again, credential-based attacks are the number one type of cyber-attack. Why? Because these attacks take advantage of the human willingness to trust. Users may “trust” a website, so they reuse their password, often repeatedly. Companies with BYOD policies may “trust” their users to have proper AV and patches installed. Admins may “trust” that their users won’t do anything bad, so they don’t enforce MFA on their VPN. Phishing emails look more and more realistic, and all it takes is for one user to mistakenly trust that email and give away their credentials.
Identity-Based Connectivity for the Industrial Workforce
To counteract the inherent issue of human trust, our computer systems must negate the need for trust. While no singular product or vendor can solve this for you entirely, it is important to note that tooling such as multi-factor authentication (MFA), single sign-on (SSO), and zero trust network access/software-defined perimeter (ZTNA/SDP) are critical pieces of the equation.
Cyolo’s identity-based approach empowers organizations of all types to augment their existing infrastructure with zero trust access. Our completely agentless and agnostic platform means you can bring any identity provider, any application, any device – while enabling any user to securely connect to remote resources wherever they are.
To securely enable remote third-party connectivity, a functionality critical in many industries including the industrial sector, Cyolo supports both supervised access and session recording. Admins can create fine-grained access policies to restrict a vendor’s access to specific days and times and require that they request access from a supervisor before connecting to an application. The supervisor can conveniently approve or deny that request from their mobile device and interact in real-time with the user’s session, including the ability to revoke access at any time. For SSH and RDP sessions, organizations can record a user’s entire session and keep a full video recording for audits, compliance, change management, and incident response.
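The supervised-access policy described above (vendor limited to specific days and times, supervisor approval required before connecting, revocation at any time) can be expressed as a small decision function. This is an added, constructed illustration, not Cyolo’s code or policy format; the vendor, application and supervisor names are hypothetical, and the site uses a fixed UTC+1 offset instead of a named time zone for brevity.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo
from typing import List, Optional, Set, Tuple

# Constructed illustration of a supervised third-party access policy; not Cyolo's code.

@dataclass
class AccessWindow:          # days and site-local hours in which a vendor may connect
    weekdays: Set[int]       # 0 = Monday ... 6 = Sunday
    start: time              # inclusive
    end: time                # exclusive
    tz: tzinfo               # the plant's local zone, not the vendor's

    def contains(self, when: datetime) -> bool:
        local = when.astimezone(self.tz)  # evaluate in site-local time
        return local.weekday() in self.weekdays and self.start <= local.time() < self.end

@dataclass
class VendorPolicy:
    vendor: str
    application: str
    windows: List[AccessWindow]
    require_approval: bool = True

@dataclass
class SessionState:          # live state the supervisor controls from their device
    approved_by: Optional[str] = None
    revoked: bool = False

def evaluate(policy: VendorPolicy, vendor: str, application: str,
             when: datetime, state: SessionState) -> Tuple[bool, str]:
    """Decide one connection attempt; every denial names the failing check."""
    if (vendor, application) != (policy.vendor, policy.application):
        return False, "no policy grants this vendor access to this application"
    if when.tzinfo is None:
        return False, "request time must be timezone-aware"
    if not any(w.contains(when) for w in policy.windows):
        return False, "outside the permitted maintenance window"
    if policy.require_approval and state.approved_by is None:
        return False, "waiting for supervisor approval"
    if state.revoked:
        return False, "session revoked by supervisor"
    return True, f"allowed (approved by {state.approved_by})"

# Constructed sample policy: weekdays 08:00-17:00 at a site on UTC+1 (fixed offset for brevity)
SITE_TZ = timezone(timedelta(hours=1))
PLC_VENDOR_POLICY = VendorPolicy(
    vendor="plc-vendor", application="engineering-station-rdp",
    windows=[AccessWindow({0, 1, 2, 3, 4}, time(8, 0), time(17, 0), SITE_TZ)],
)
```

Because the window is evaluated in the site’s zone, a request at 07:30 UTC is inside the 08:00 local start while one at 16:30 UTC is already outside the 17:00 local end; the tz-aware check refuses naive timestamps rather than silently treating them as local time.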
Isolating critical OT systems is sometimes the only way you can protect them. Older applications can’t support modern security tools, and any patches or OS updates could result in unplanned downtime and monetary loss. With Cyolo, organizations can effectively blackhole their entire infrastructure: no Cyolo component requires a public IP, so all inbound public Internet access can be cut off. This supports a concept called virtual patching, whereby systems that are essentially unpatchable are secured by applying granular access controls in front of them.
Cyolo’s two on-premises components, the IDAC (Identity Access Control) and the Edge, are able to run on a CIS-hardened Ubuntu distribution as well as on Ubuntu Core 20. This means the IDAC and Edge can be deployed on single-board computers, rugged small form factor computers, and really anything under the sun. Easily create physical boundaries while maintaining regulatory compliance in even the most remote environments.
Starting the Journey
Enabling identity-based zero trust access is not an overnight project; it is a journey that takes a lot of up-front organizational planning before implementation. However, a strong platform such as Cyolo can significantly accelerate your project timelines and ultimately empower your teams to connect everything, increase operational productivity, and reduce your overall attack surface.
Bringing a next-gen connectivity solution to the next-gen industrial workforce allows you to create strong security practices while still maintaining the benefits that these workers provide.