Information technology (IT) is meant to be messed with. Software can be reset, retooled, and reconfigured until optimal results are achieved. But operational technology (OT) is different. OT systems and infrastructure are meant to be set up and then left to run with minimal intervention from either humans or other machines.
This is just one of many fundamental differences between OT and IT that helps explain why most security solutions designed for IT simply do not function within the parameters, priorities, and realities of the OT space. Let’s examine some common tools used to facilitate secure access in IT environments to discover why exactly they are unable to meet OT needs.
As the name makes clear, virtual private networks (VPNs) were designed to enable privacy, not security. While VPNs can be a suitable solution for allowing a few employees occasional remote access to non-sensitive systems, they are not the right tool for providing secure remote access for large numbers of remote workers on a long-term or permanent basis—especially when critical infrastructure and other OT systems are part of the equation.
Attackers can easily compromise a VPN connection with stolen or leaked credentials. Once an attacker breaches the network, the VPN offers no controls with which to limit access or monitor the attacker’s activity.
VPNs do not prevent malware dwelling in a user’s device from infecting the wider network and disrupting workstations running on the legacy, unpatched operating systems and infrastructure common to the OT space.
Vendors rarely allow for the installation of a VPN agent on contractor devices in the first place. This means that VPNs cannot solve the significant problem of securing access for the many third-party vendors and technicians contracted to perform specialized tasks within OT environments.
In the end, a VPN’s ability to provide anything approaching secure access depends on its not being compromised. Small enterprises running only IT systems may still be able to get away with using a VPN as their primary secure remote access solution, but for organizations operating critical infrastructure and other industrial systems, VPNs are just too risky.
Firewalls have long been a staple of IT security, and now OT-specific firewalls have emerged to monitor OT traffic and configure communication with the OT network. These firewalls sit deeper within the OT layers, at the programmable logic controller (PLC) level or below. While they may be more effective than the firewalls created for IT environments, OT-specific firewalls are still complicated to implement and maintain.
Firewalls come loosely configured with lax passwords and admin interfaces enabled by default. If the organization fails to shore up these interfaces, attackers can easily capture unencrypted credentials that give them access to the network.
Modern tactics like spoofing, port hopping, steganography, and other tactics can easily bypass firewalls. Some IT firewalls can’t identify which set of packet exchanges are permitted in an OT setting, which gives attackers cover to inject malware into the system.
Firewalls require substantial and ongoing maintenance — so much that overworked administrators often implement overly permissive rolls so that legitimate access (and productivity) is not hindered. In addition, updating firewalls requires downtime that is not possible in always-up OT settings.
Finally and perhaps most problematically, firewalls deteriorate over time. Think of a firewall as a literal brick wall. Every type of connection you allow takes a brick out of the wall. If temporary openings allowed for testing or repairs are not promptly closed, the firewall can quickly become porous. The same holds true for vendors as they come and go.
Privileged Access Management (PAM) tools secure critical systems and information by implementing controls around what users can and cannot access. This helps enforce the principle of least privilege and also provides better visibility and logging capabilities.
While PAM solutions take some important steps toward validating a user’s identity—a key part of ensuring secure access—they don’t go far enough.
PAM solutions do not continue to authenticate users after granting initial access to the network. Bad user hygiene, like weak passwords and shadow IT, can undermine the benefits of a PAM solution.
As their name suggests, PAM tools are designed to focus on privileged users, most commonly system administrators. However, high-level executives, human resources team members, and other user groups may also have access to sensitive assets. Even third-party contractors are often over-permissioned in order to get them working as quickly as possible. If the PAM is not enabled for each of these groups, then its effectiveness will be limited from the start.
Cloud-based PAM tools require secrets like credentials and tokens to be shared with the PAM vendor, immediately creating an opportunity for exposure. But on-premises PAM products have their own problems, such as the need for ongoing maintenance and expensive computing resources.
PAM solutions perform the key task of credentials management, but they do not account for how a user accessed an application in the first place. As long as a user can get to the application and present the privileged credentials, they will be granted access. Once again, in the context of critical infrastructure and industrial control systems, this leaves too wide a window for a bad actor to steal or otherwise obtain valid credentials and then wreak havoc directly via the PAM.
Endpoint security solutions like Endpoint Detection and Response (EDR) and anti-virus software seek to secure the network by preventing malware and other malicious payloads from infecting devices — therefore blocking malicious access to the network. But they too struggle to perform in an OT context.
Endpoint solutions require agents to be installed on devices, but most assets and devices in the OT environment lack the computing and storage resources to accommodate agents. OT devices are too deeply integrated with customized control system networks to be serviced by IT-based agents.
OT environments are often highly complex, and endpoint security solutions may struggle to adapt to their unique configurations and requirements. In addition, many endpoint security tools are incompatible with legacy OT systems and equipment.
The nature of industrial processes can generate unusual or unexpected behavior that traditional endpoint solutions might incorrectly flag as a security threat. At the same time, these solutions may fail to detect sophisticated attacks or threats specific to OT environments, leading to false negatives.
Ultimately, most endpoint security solutions designed for IT simply do not support the specialized protocols used by OT systems, cannot adapt to complex OT environments, and depend on processes (like real-time monitoring and behavioral analysis) that could disrupt operations. Moreover, the inability of endpoint solutions to easily integrate with OT-specific security controls, such as intrusion detection systems and specialized monitoring tools, can lead to wide gaps in security coverage.
Advances made in privileged access management, endpoint security, and other areas of IT security are certainly to be lauded, but these solutions simply cannot satisfy the security needs and priorities of OT environments. Beyond the inadequacies of the various tools types examined above, several additional realities make it difficult or impossible to apply IT solutions to OT use cases:
IT security tools almost always require downtime for patching and upgrades. In the OT world, the availability of systems is paramount and even a short patching exercise would likely cause more disruption than can be tolerated.
IT security solutions often route traffic to the cloud or are cloud-dependent in other ways. Even today, OT infrastructure is not always connected to the internet, rendering tools that require a cloud connection unviable.
Many if not most IT security tools cannot support the legacy systems and infrastructure common to OT environments.
IT security products were initially introduced to OT environments because no alternative existed. But this is no longer the case. Given the importance of protecting OT and especially critical infrastructure systems from potentially catastrophic cyberattacks, the time has come for industrial organizations to adopt security tools that were built to meet their specific needs and overcome their specific challenges.
Learn about the Cyolo solution for industrial secure remote access.
Jennifer Tullman-Botzer is a cybersecurity nerd by day and a history nerd by night. She has over a decade of experience in cybersecurity marketing and is as tired as you are of hackers-in-hoodies stock images. Jennifer joined Cyolo in 2021 and currently serves as Head of Content. Prior to Cyolo, she worked in a variety of marketing roles at IBM Security. She lives in Tel Aviv, Israel.