Updated August 16, 2022. Originally published November 16, 2021.
In the first blog in this series, we outlined the differences between OT and IT. Having made that distinction, we’ll now turn our attention to the security challenges OT teams may encounter.
OT networks are often air gapped and not connected to the external public network. However, companies and factories running OT and SCADA systems do occasionally need to give access to external users, and this can lead to potential security risks.
OT networks are usually accessed by a small number of highly-skilled factory employees. They access the network to monitor the performance of the factory’s machines and devices and to ensure operational efficiency. However, sometimes the factory needs the OEMs/vendors to access the network as well. This could be for support, services, remote monitoring, optimizations or preventative and predictive maintenance.
For example, if a plant bought a device from an OEM and they need to train new people to use it, or if they want to understand why a certain capability isn’t working, they need to find a way to connect external users to the network. This is similar to the way an IT expert would connect to an employee’s computer to troubleshoot an issue.
Quite often, providing such a connection capability is a prerequisite set by the OEM as part of the device warranty. As a result, companies have no choice but to provide the OEM with remote access capabilities so they can continuously gather the data and run it through machine learning algorithms.
Companies are even required to purchase a professional services contract as part of the monitoring package. Otherwise, their devices, which might have cost millions of dollars, will not be monitored and maintained to ensure they achieve their agreed-upon SLA or that their parts are being replaced in case of a malfunction.
However, unlike IT systems, OT and SCADA networks cannot be easily accessed by remote users. There are a number of reasons for this:
Technological – OT and SCADA systems are self-contained and do not integrate with external networks – by design. Setting up such an integration is resource-heavy and complicated, and the ROI is not clear.
Compliance and Regulations – Sensitive and critical systems, like power or water, are required to be disconnected from external networks to ensure security and operational capabilities.
Since the OT network is often not connected to the public network but external users do need access, factories are required to find a different solution. These include:
Physical access – OEM representatives may be flown to the factory site to access the systems. This is costly and slow, and was not an option during COVID-19.
VPNs – The plants set up a VPN to connect the SCADA systems to the OEM monitoring center. This is insecure as well as inconvenient.
VPNs operate as a private tunnel between points in the public network. Users who have access to the VPN can reach assets in both networks it connects. This architecture is based on the legacy castle-and-moat approach, according to which trust is given to users who managed to pass a preliminary barrier to entry. This solution gives OEM representatives access to the OT network. But unfortunately, access may not be limited to them alone.
The problem with the VPN approach is that bad actors can gain access to the VPN, whether by exploiting built-in VPN vulnerabilities or after performing reconnaissance. Once they’re in, they will have access to all the organization’s most valuable assets. In the case of OT security, this could mean they have the power to neutralize and destroy expensive and highly critical systems, including power, wastewater and even hospitals.
In other words, with VPNs there is little to no accountability and governance of the connected user’s actions. This makes it hard to keep track of what the user originally connected for and which changes they have made, putting the entire network at risk.
The risk becomes even greater when taking into consideration the fact that plants have multiple OEMs. This means they are connecting their network through multiple VPNs, thus increasing the attack surface and the chance they will get attacked.
Is this a chance plants, factories and heavy industries should be taking?
Many organizations do not have the ability to connect to the public internet, so they require a VPN to connect OEM service providers. However, by incorporating zero trust access as an additional layer of security and authorization, factories can enable accessibility only for authorized users. The zero trust model authorizes users and devices according to their identity, not their IP or originating network. By placing a zero trust solution between the VPN and the OT network and inside the OT network, organizations can prevent perpetrators from gaining access to critical systems, even if they manage to breach the VPN. Read more about how it’s done by Rapac Energy.
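The contrast drawn above, between a VPN that trusts anything inside the tunnel and a zero trust layer that authorizes by identity and records every decision, as an added illustration (not Cyolo's code; the asset names, user identities, tunnel range and policy table are constructed assumptions):

```python
"""Constructed comparison of castle-and-moat (VPN) authorization versus
identity-based zero trust authorization for OEM access to an OT network.
Added example, not a vendor's product code; assets, users and policy are made up."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed inventory: OT assets the plant exposes to remote maintenance.
OT_ASSETS = {"plc-press-01", "hmi-line-a", "historian", "safety-controller"}

@dataclass
class Request:
    user: str             # identity verified by the access broker (assumed)
    device_trusted: bool  # device identity/posture check passed (assumed)
    src_ip: str           # address the request arrives from
    asset: str            # OT asset being accessed
    action: str           # "read" or "write"

def vpn_authorize(req: Request) -> bool:
    """Castle-and-moat: traffic from inside the tunnel range is trusted for
    every asset and every action. Identity plays no part in the decision."""
    return ip_address(req.src_ip) in ip_network("10.200.0.0/24")

# Constructed zero trust policy: per-identity, per-asset, per-action grants.
ZT_POLICY = {
    "oem-press-tech": {"plc-press-01": {"read", "write"}},
    "oem-monitoring-svc": {"plc-press-01": {"read"}, "hmi-line-a": {"read"}},
}

@dataclass
class ZeroTrustBroker:
    audit: list = field(default_factory=list)  # accountability record

    def authorize(self, req: Request) -> bool:
        """Zero trust: decide by who and what is asking, not where from, and
        log every decision so the session stays accountable and governable."""
        grants = ZT_POLICY.get(req.user, {})
        allowed = (req.device_trusted
                   and req.asset in OT_ASSETS
                   and req.action in grants.get(req.asset, set()))
        self.audit.append((req.user, req.asset, req.action, allowed))
        return allowed
```

A session with no verified identity that reaches the tunnel range passes `vpn_authorize` for the safety controller but is refused by the broker, while the press technician's legitimate write is allowed by both and still leaves an audit entry.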
In the upcoming third blog in this series, we will look more closely at how zero trust access can address these network security challenges.
Eran Shmuely is the Chief Architect and Co-Founder of Cyolo. Prior to Cyolo, Eran was the Senior Security Engineer at Salesforce and the Open-Source Security Research Leader at GE Digital.