Increased investments in digital transformation are expanding operational technology (OT) attack surfaces. Organizations requiring enhanced remote access to industrial control systems and other OT devices must adequately secure them.

Hardening Remote Access a Must for OT

George V. Hulme, Jul 8, 2024

Attacks on operational technology (OT) and industrial control systems (ICS) are rising. New research from Fortinet’s 2024 Global State of Operational Security report shows attacks on OT systems increased from 49% of organizations in 2023 to 73% this year, and the percentage of organizations that experienced more than six intrusions in the past 12 months leapt from 11% to 31%. Because of increased connectivity and investments in digital transformation, remote access attacks will likely remain high.

Earlier this year, the Cybersecurity & Infrastructure Security Agency (CISA) and the FBI announced that they had responded to several U.S.-based wastewater system operators that experienced what is being described as “limited physical disruptions” from a threat actor that gained remote access to human-machine interfaces (HMIs).

“Specifically, pro-Russia hacktivists manipulated HMIs, causing water pumps and blower equipment to exceed their normal operating parameters. In each case, the hacktivists maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords to lock out the WWS operators. Some victims experienced minor tank overflow events; however, most victims reverted to manual controls in the immediate aftermath and quickly restored operations,” CISA said in an advisory.

The advisory reported that the pro-Russia threat actors relied on a variety of techniques to gain access to those HMIs, including the VNC protocol (the Remote Framebuffer protocol, typically over port 5900) to reach HMIs that were protected only by default credentials, weak passwords, or single-factor authentication.

Due to the high-stakes nature of OT/ICS environments, securing remote access is crucial: a breach can lead to manipulation of OT systems, with consequences including equipment damage, production disruptions, environmental hazards, and even risk to human safety.

Seven Ways to Secure Remote Access

Because many OT systems are commonly placed in difficult-to-reach places or require third-party access from suppliers or partners, remote access tools such as RDP and TeamViewer will remain popular. However, these remote access tools are also ripe entry points for threat actors when not appropriately secured. 

We contacted several security experts for advice regarding the steps organizations must take to harden remote access and improve their security posture. Here’s their guidance:

Segment networks: Chris Warner, senior security consultant at GuidePoint Security, advises organizations to implement network segmentation to isolate OT networks from business networks and from having direct access to the Internet. “Use firewalls and access control lists (ACLs) to enforce strict traffic control between network segments. Further, develop micro-segmentation designs and work to build enclaves and safe-restart zones,” Warner says.

Jonathan Sword, director at security services provider Agility Cyber, agrees that compartmentalization is essential in securing OT/ICS environments when remote access is provided. “Network [segmentation] is an important part of the security for the remote access solution and ensures authentication is required before network traffic can be transmitted into the OT environment. Standard best practices apply here for having robust authentication, including MFA enabled,” says Sword.

Segmenting networks provides several security benefits: it reduces the attack surface, makes it harder for attackers to move laterally within a breached environment, makes monitoring and identifying suspicious behavior easier, supports least-privilege access policies, and contains disruption to the breached segment.


Ensure secure connectivity: Ensure the organization is enforcing secure connectivity of network traffic. This includes using secure protocols (such as TLS) supported by OT devices within the environment and VPNs. “TLS-protected web interfaces often require configuration to ensure they operate with secure settings. While legacy OT devices tend not to support cryptographically secure communications, the only option is to encapsulate the traffic in a VPN,” says Sword.

Enforce strong authentication and least privilege access: Beyond strong passwords, organizations must require a minimum of two forms of authentication, such as one-time tokens, biometric verification, and smart cards, to access all OT/ICS systems and devices. “OT devices need robust access controls implemented,” says Sword.

Access also needs to be limited to what’s required for the user (machine or human) to do their tasks. “These controls are mostly chosen to work in a role-based manner, and increasingly time-based access control is being added on top to minimize the risks of a compromise,” adds Sword. 

Unfortunately, many legacy OT/ICS devices don’t support role- or time-based access control. 

“More specific user accounts need to be configured,” adds Sword. “In this case, a privileged access management (PAM) solution can provide additional security. A PAM solution allows passwords to be checked out through an approval process and even changed on the remote device, invisibly to the user after their permitted usage time has expired, thus stopping them from logging in again,” he says. 

If not already, adopt zero trust: With zero trust, no implicit trust is granted within the environment: every access request is verified, access is limited to least privilege, and authentication is continuously re-evaluated. “In a zero-trust approach, access is granted based on continuous verification of identity, device health, and compliance with security policies rather than assuming trust based on location or network segment,” says Warner.

We’ve covered zero trust in depth here.

Monitor remote access systems closely: In addition to being part of a zero-trust architecture, access should be monitored and logged so that any abnormal remote access behavior will be identified. Logging should include network devices, identity systems, and device logs. “Rules need to be defined to detect where a connection is made with one account and another account being used at a later stage, indicating an impersonation attack, for example. Part of this monitoring activity needs to ensure that if a privileged access management solution is utilized, accounts are being provided and utilized in an approved fashion,” says Sword.

“Monitoring is not only for detecting attacks. Monitoring can identify what devices are communicating over the network and how they are communicating. This information can be collected passively to understand the protocols in use, which can not only alert the organization to misuse but also uncover legacy protocols that have known security flaws. This monitoring needs to extend to the trusted, privileged access workstation to ensure that the full picture of how a connection is coming in and the tasks conducted is captured,” he adds. 
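As an added illustration of the monitoring rules Sword describes (this is example code, not from the article or its sources), the following Python runs two detections over constructed key=value log lines: an OT host login under an account that differs from the gateway-authenticated user and has no PAM checkout, and an OT host login whose session never passed through the remote-access gateway. The log format, field names, hosts and accounts are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample events (not real logs): remote-access gateway logins,
# PAM account checkouts, and the accounts later used on OT hosts.
SAMPLE_LOGS = [
    "ts=09:00 src=gateway event=login user=alice session=s1 src_ip=203.0.113.10",
    "ts=09:01 src=pam event=checkout user=alice account=ot_eng session=s1",
    "ts=09:02 src=ot_host event=login user=ot_eng session=s1 host=hmi-01",
    "ts=10:00 src=gateway event=login user=bob session=s2 src_ip=198.51.100.7",
    "ts=10:05 src=ot_host event=login user=ot_admin session=s2 host=plc-03",
    "ts=11:00 src=ot_host event=login user=operator session=s3 host=hmi-02",
]


def parse(line):
    """Turn a space-separated key=value log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def analyze(lines):
    """Return (session, reason) alerts for two rules.

    Rule 1: an OT host login under an account that differs from the user who
            authenticated at the gateway and was not checked out through PAM.
    Rule 2: an OT host login whose session never authenticated at the gateway,
            i.e. the access path bypassed the remote-access solution.
    """
    gateway_user = {}             # session -> user authenticated at gateway
    checkouts = defaultdict(set)  # session -> accounts approved through PAM
    alerts = []
    for ev in map(parse, lines):
        kind = (ev["src"], ev["event"])
        if kind == ("gateway", "login"):
            gateway_user[ev["session"]] = ev["user"]
        elif kind == ("pam", "checkout"):
            checkouts[ev["session"]].add(ev["account"])
        elif kind == ("ot_host", "login"):
            s, acct = ev["session"], ev["user"]
            if s not in gateway_user:
                alerts.append((s, f"{acct} reached {ev['host']} with no gateway session"))
            elif acct != gateway_user[s] and acct not in checkouts[s]:
                alerts.append((s, f"{acct} used on {ev['host']} differs from gateway user "
                                  f"{gateway_user[s]} and has no PAM checkout"))
    return alerts


if __name__ == "__main__":
    for session, reason in analyze(SAMPLE_LOGS):
        print(f"ALERT session={session}: {reason}")
```

Session s1 is clean because the ot_eng account was checked out through PAM before use; s2 and s3 each raise one alert.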

Maintain strong vulnerability and configuration management: Build an effective vulnerability and configuration management program. That starts with comprehensive asset discovery and inventory capability, vulnerability and misconfiguration assessments, remediation prioritization, and fix deployment. Warner advises conducting regular vulnerability assessments to identify insecure configurations, open ports, and other potential vulnerabilities. “Proper OT scanning for vulnerabilities and weaknesses in the OT and associated IT network infrastructure should be performed regularly,” says Warner.

Be sure to pay attention to secure remote access systems, such as RDP or TeamViewer, to ensure they are configured securely with strong passwords, restricted access permissions, and up-to-date patches.

Include remote access in penetration testing and tabletop exercises: While vulnerability assessments go a long way toward identifying security weaknesses associated with remote access, actual human penetration testing and incorporating remote access-related breaches into security response tabletop exercises are essential. “OT environments are increasingly under attack, and the best way of finding where the vulnerabilities are is to simulate an attack in a controlled manner,” advises Sword.

“Conduct OT-safe penetration testing exercises to simulate real-world attacks and identify insecure remote access methods and use ethical hacking techniques to discover vulnerabilities before malicious actors exploit them,” says Warner.

In addition to actual penetration tests, tabletop exercises — discussion-based incident response simulations — designed to test an organization’s response must include remote attack scenarios. 

Finally, keeping environments secured against attacks on remote access capabilities requires governance frameworks to be in place that ensure each of these elements — network segmentation, secured network traffic, strong authentication practices, zero-trust, vulnerability management, and testing — remain in place.

George V. Hulme

George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.
