In May 2020, Iranian attackers attempted to alter chlorine levels in drinking water in a cyber attack against an Israeli water utility, and in February 2021, a hacker actually accessed a Florida city’s water treatment plant monitoring software and changed the level of sodium hydroxide that would have gone into the drinking water system.
Years after those incidents, it seems many organizations haven’t learned the importance of tightening remote access to operational technology (OT) networks that run machines, pipelines, electric grids, and other critical infrastructure.
In a report this week, OT security provider Claroty said remote access tool sprawl and the use of non-enterprise grade remote access tools are still a big risk to organizations.
The company scanned over 50,000 devices earlier this year from 120 companies that use its products, and found 55% of them used four or more remote access tools that connect OT to the outside world. Almost 22% of firms have eight or more remote access tools.
Many of the devices are Windows workstations used as human machine interfaces (HMI) to machines, programmable logic controllers (PLCs), or sensors.
In addition, the survey showed almost 80% of organizations in the dataset had more than two non-enterprise grade remote access tools in their OT environment.
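The sprawl figures above are the kind of thing an asset inventory can surface before a survey does. The following is an added example (not Claroty's code or the article's) that runs the same two measures, tools per device and non-OT-grade tools per organization, over a small constructed inventory. The split between IT-centric tools and OT remote access providers follows the names the article gives later; treating everything outside the OT list as non-OT-grade is an assumption made for the example.

```python
"""Remote-access-tool sprawl check over a constructed OT asset inventory."""

# Classification is an assumption for this example: the article names the
# first group as IT-centric tools and the second as OT remote access providers.
IT_CENTRIC_TOOLS = {"TeamViewer", "AnyDesk"}
OT_GRADE_TOOLS = {"Claroty", "Dispel", "Wallix", "Cyolo"}

# Constructed inventory: (organization, host, installed remote access tools).
INVENTORY = [
    ("acme-water", "hmi-01", ["TeamViewer", "AnyDesk", "Claroty", "VNC"]),
    ("acme-water", "hmi-02", ["Claroty"]),
    ("acme-water", "eng-ws-01", ["TeamViewer", "AnyDesk", "VNC", "RDP", "Claroty"]),
    ("metro-power", "hmi-01", ["Dispel"]),
    ("metro-power", "hmi-02", ["Dispel", "TeamViewer"]),
    ("metro-power", "scada-srv", ["Dispel", "TeamViewer", "Wallix", "Cyolo"]),
]


def tools_per_device(inventory):
    """Map (org, host) -> number of distinct remote access tools installed."""
    return {(org, host): len(set(tools)) for org, host, tools in inventory}


def share_of_devices_with_at_least(inventory, n):
    """Fraction of devices carrying n or more remote access tools."""
    counts = tools_per_device(inventory)
    hits = sum(1 for c in counts.values() if c >= n)
    return hits / len(counts)


def orgs_with_non_ot_sprawl(inventory, threshold=2):
    """Organizations with more than `threshold` distinct non-OT-grade tools."""
    per_org = {}
    for org, _, tools in inventory:
        per_org.setdefault(org, set()).update(
            t for t in tools if t not in OT_GRADE_TOOLS
        )
    return sorted(org for org, tools in per_org.items() if len(tools) > threshold)


def flag_devices(inventory, max_tools=3):
    """Devices that exceed max_tools, or that carry any IT-centric tool at all."""
    flagged = []
    for org, host, tools in inventory:
        tools = set(tools)
        reasons = []
        if len(tools) > max_tools:
            reasons.append(f"{len(tools)} remote access tools installed")
        it_centric = tools & IT_CENTRIC_TOOLS
        if it_centric:
            reasons.append("IT-centric tool(s): " + ", ".join(sorted(it_centric)))
        if reasons:
            flagged.append((org, host, reasons))
    return flagged


if __name__ == "__main__":
    print("devices with >= 4 tools:", share_of_devices_with_at_least(INVENTORY, 4))
    print("orgs with > 2 non-OT-grade tools:", orgs_with_non_ot_sprawl(INVENTORY))
    for org, host, reasons in flag_devices(INVENTORY):
        print(f"{org}/{host}: " + "; ".join(reasons))
```

In practice the inventory would come from an endpoint agent or a software inventory export rather than a literal list, and the OT-grade set would be whatever the organization has actually sanctioned; the point of the check is that the count per device and the presence of unsanctioned tools are both cheap to compute and both worth alerting on.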
“I’m actually surprised the numbers aren’t higher,” Katell Thielemann, a Gartner vice-president and distinguished analyst specializing in the security of cyber-physical systems, said in an interview.
Traditionally, she noted, CISOs and infosec leaders haven’t been responsible for securing OT networks and devices.
It’s not that OT security isn’t important to organizations, she said. But because of the pandemic, IT and OT staff shortages, and pressure to save money, the need to remotely access OT assets has increased. And OT and corporate managers are focused on keeping machines going.
However, she added, OT security can’t be accomplished with IT-centric access applications like TeamViewer, AnyDesk, or similar software. OT remote access providers include Claroty, Dispel, Wallix, and Cyolo, she said.
Among the special capabilities that an OT remote access tool needs are granular access control, the ability for an admin or process engineer to cancel a session if they see suspicious activity, and the recording of every access session for forensic investigations.
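To make those three capabilities concrete, here is an added example of a minimal session broker (illustrative code written for this article, not any vendor's product) that enforces per-user, per-asset, per-window access rules, records every decision and action for later replay, and lets an administrator terminate a session mid-flight. The rule structure, user and asset names, and the `demo()` sequence are all constructed for the example.

```python
"""Minimal OT remote access broker: granular rules, session kill, full audit trail."""
from dataclasses import dataclass, field
from datetime import datetime, time
import itertools


@dataclass(frozen=True)
class AccessRule:
    """Who may reach which asset, during which maintenance window, doing what."""
    user: str
    asset: str
    window_start: time
    window_end: time
    allowed_actions: frozenset  # e.g. frozenset({"view"}) or {"view", "write"}


@dataclass
class Session:
    session_id: int
    user: str
    asset: str
    opened_at: datetime
    active: bool = True
    events: list = field(default_factory=list)


class Broker:
    def __init__(self, rules):
        self.rules = {(r.user, r.asset): r for r in rules}
        self.sessions = {}
        self.audit_log = []  # every decision and every action lands here
        self._ids = itertools.count(1)

    def _record(self, kind, **fields):
        self.audit_log.append({"kind": kind, **fields})

    def open_session(self, user, asset, now):
        """Returns a session id, or None when no rule permits the access now."""
        rule = self.rules.get((user, asset))
        if rule is None:
            self._record("denied", user=user, asset=asset, reason="no rule", at=now)
            return None
        if not (rule.window_start <= now.time() <= rule.window_end):
            self._record("denied", user=user, asset=asset, reason="outside window", at=now)
            return None
        s = Session(next(self._ids), user, asset, now)
        self.sessions[s.session_id] = s
        self._record("opened", session_id=s.session_id, user=user, asset=asset, at=now)
        return s.session_id

    def perform(self, session_id, action, detail, now):
        """Allow or block one action inside a session; both outcomes are logged."""
        s = self.sessions.get(session_id)
        if s is None or not s.active:
            self._record("rejected", session_id=session_id, reason="no active session", at=now)
            return False
        rule = self.rules[(s.user, s.asset)]
        allowed = action in rule.allowed_actions
        s.events.append((now, action, detail, allowed))
        self._record("action" if allowed else "blocked",
                     session_id=session_id, action=action, detail=detail, at=now)
        return allowed

    def terminate(self, session_id, admin, reason, now):
        """An admin or process engineer cancels a session they find suspicious."""
        s = self.sessions.get(session_id)
        if s is None or not s.active:
            return False
        s.active = False
        self._record("terminated", session_id=session_id, by=admin, reason=reason, at=now)
        return True

    def replay(self, session_id):
        """Ordered audit entries for one session, for forensic review."""
        return [e for e in self.audit_log if e.get("session_id") == session_id]


def demo():
    """Constructed scenario: an engineer with write rights, a view-only vendor."""
    plc = "plc-chlorine-dosing"
    broker = Broker([
        AccessRule("eng_alice", plc, time(8, 0), time(17, 0), frozenset({"view", "write"})),
        AccessRule("vendor_bob", plc, time(9, 0), time(12, 0), frozenset({"view"})),
    ])
    now = datetime(2024, 6, 3, 10, 0)
    sid_alice = broker.open_session("eng_alice", plc, now)            # 1
    sid_bob = broker.open_session("vendor_bob", plc, now)             # 2
    broker.open_session("vendor_bob", "hmi-02", now)                  # denied: no rule
    broker.open_session("vendor_bob", plc, datetime(2024, 6, 3, 14, 0))  # denied: window
    broker.perform(sid_bob, "write", "setpoint=7.5", now)             # blocked: view-only
    broker.terminate(sid_bob, "admin_carol", "write attempt by view-only vendor", now)
    broker.perform(sid_bob, "view", "trend screen", now)              # rejected: killed
    broker.perform(sid_alice, "write", "setpoint=7.2", now)           # allowed
    return broker


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```

The design choice worth noting is that denial, blocking and termination are all first-class audit events, not just the successful actions: when a forensic investigator replays a session, the attempt that was stopped is usually the interesting part.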
Why aren’t IT tools appropriate?
It’s true that an attacker on the IT side can erase all corporate data and/or do so much damage that PCs and servers can’t be rebuilt. But, as Tal Laufer, Claroty’s vice-president of products, pointed out, an OT hacker “can blow up stuff, and stop machinery that cost millions of dollars per hour from working.”
So why do operational personnel reach for the wrong access application? Sometimes, she said, “it’s a simple case that a technician or an IT guy needs to reach a computer, and for some reason something is not working for them, so they install something off the internet to do their job as fast as they can, without thinking about the security consequences.”
In such cases, both Laufer and Thielemann agree, that’s a failure of security awareness training.
As for the acceptance of multiple remote access tools, Laufer acknowledged, “some tools have to be able to reach machinery remotely or fix stuff on the network.” But, she added, “there is no justification for the four, six, even 12 tools we have seen in some OT networks we looked into, because each one of them is a threat vector. An organization should be looking at reducing the number of remote access tools deployed within their environment.”
This raises the question of whether there should be a single hand on both OT and IT security.
Ideally, Laufer said, security should be governed in a centralized way. But, she added, OT has different requirements and constraints. So whoever is responsible for OT security has to use specialized tools and methodologies for OT.
That doesn’t mean IT should call the shots, she said, because it might impose IT tools. OT networks, she argued, need more security than their IT counterparts.
If the organization feels OT security falls under the CISO, that person should make sure they’ve got an OT-specific team and tools deployed, she said. The CISO should “have a specialized team responsible for OT security,” she advised.
Increasingly, Thielemann said, CISOs are being asked to oversee the risk and security posture of OT environments.
“For a lot of CISOs, this is a brand new world,” she said. “Unlike in IT security, where they can take a command and control approach and decide what kind of security tools will be deployed … in an OT environment, you can’t do that. You need to work with process engineers, with facility leaders, with business leaders that need to ensure production and output continues.”
CISOs should say to OT personnel, “Let’s work together, let’s partner to understand what our current risk posture is, who’s making decisions.”
Threat actors will take advantage of any vulnerability to access an OT network, which is why OT networks should be segmented from IT networks. Security experts have warned for years that PLCs are a target if they can be accessed remotely. PLCs in remote installations are often connected to an organization’s control center through wireless or cellular IoT gateways, and these gateways can have vulnerabilities that are remotely exploitable, researchers point out.
Experts also note that it may not be easy to bring OT under the IT umbrella, because operational systems like supervisory control and data acquisition (SCADA), manufacturing execution systems (MES), and controllers are typically managed as individual devices from disparate vendors.
Experts told CSO Online that one solution may be creating a high-level governance body over IT and OT issues within the company that brings together staff from both sides.