
Vendor Remote Access is a Security Risk in Industrial OT Environments

Written by Stephen Mathezer, VP of Service Delivery & Innovation | Jun 5, 2026 4:08:32 PM

Too often, organizations assume that as long as they're compliant with all pertinent regulations, they've done enough to secure their data. Unfortunately, that's not true.

A few years ago, one of our clients had issues with dust in their operations environment. It was a common problem in their part of the province, with a defined solution: dust sensors. 

They contacted a local third-party OT vendor to build the sensors for them and asked iON to set up the sensors in their operational technology (OT) environment.

Once the sensors were installed, our client toggled them on and panicked when the very first thing the sensors did was reach out to an IP address in China. 

It turns out that even though these sensors were made locally, the firm that made them had purchased the main board from AliExpress, a China-based online marketplace. As a result, the sensors had reached out to the Chinese IP for a firmware update.

Though our client didn’t face any consequences outside of a scare, the case does illustrate the potential vulnerability that every third-party integration brings with it.

Key Points

  • Third-party vendors introduce risk into your OT environment

  • Why that risk matters

  • How to solve those issues

  • Secure Remote Access: A critical control for ICS


How do third-party vendors introduce risk into your OT environment?

Visibility and control are essential to maintaining a strong security posture, especially in your OT infrastructure. But when you allow a third party remote access, you lose a degree of both, because:

  1. Your OT is accepting connections from an alien environment over which you have no visibility or control.

  2. You have no way of confirming that the vendor identities operating in your network are being controlled by the personnel authorized to access the environment.

  3. You have no idea what other OT environments your vendor is interacting with, what the security posture of those environments is, or what malware they may have been exposed to.

That is a significant loss of control, and it leaves your OT security dependent on the security of your third-party vendors, their clients, and the third-party vendors they use.


Why that risk matters in an OT environment

Due to the unique needs, goals and history of OT, these gaps pose major risks when they are introduced into your network.

Lack of OT security

OT has traditionally been sectioned off from broader connectivity, so security was primarily physical, like keylock switches controlling electronic write access, with little to no consideration given to cybersecurity. Today, OT is increasingly connected to networks, but many of those original, unsecured OT controllers are still in use, and that probably won’t change for some time.

That leaves connected OT with security gaps that are almost impossible to fill retroactively.

For example, the first Newtrax systems deployed on industrial vehicles all came with the same IP addresses and the same credentials. At the time, this wasn’t an issue because the systems were air-gapped. The only way to access them was by physically accessing the vehicle. 

Now, however, features like fatigue management systems and fleet awareness have been added to the system, each of which requires continuous network connectivity. The air gap that was keeping attackers from accessing the old systems is now gone, but the configuration has not changed, leaving them vulnerable.

Proximity to money

OT is the technology that makes industrial businesses money. It’s the sensors and actuators that allow oil and gas companies to pump fluids or electrical companies to distribute electricity. That proximity to money has two knock-on effects that make it a more tempting target for attackers.

Leverage

If a malicious actor gains access to OT, they have more leverage than in IT because they are closer to the money. If an attacker is able to stop the flow of oil in a pipeline, for example, the oil company is losing millions of dollars an hour. That means they are very motivated to get the problem fixed, whether by stopping the attack or paying the attackers money.

Uptime prioritization

Because OT uptime directly correlates to money, the people in charge of OT almost always prioritize uptime over security. This can cause security to lag behind best practices (especially if updates or new equipment require downtime to install), leaving an appealing target for malicious actors.


How to solve those issues

The prevalence of insecure and unsecurable tech in OT requires that organizations take a unique approach to securing vendor access.

Access control (abstraction)

The first step to securing OT is controlling who has access and how much access they have.

One of the most effective ways of doing this is to abstract the third-party vendor’s computer behind a remote access tool, so that the vendor never gets direct access to your network. Instead, they get mediated access, such as a browser session, in which you restrict what they can reach based on your own parameters and role-based access control.

Network and identity-based access controls ensure that each third party or vendor can only access the specific systems and applications that they support. For some organizations (where third-party access is infrequent), it may even make sense to institute a ‘call for access’ protocol, whereby a third-party vendor needs to call to get a code they can then use to access your network.
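The two controls just described, a role-based scope enforced on every action inside the mediated session and a ‘call for access’ one-time code, can be sketched as a small access broker. This is an added illustration written for this page, not iON’s product or any vendor’s code; the vendor identities, roles, asset names and the 15-minute code lifetime are constructed assumptions.

```python
"""Hypothetical vendor-access broker (constructed example, not iON's product).

Models the two controls described above: a role-based scope that bounds what a
vendor identity may touch through a mediated session, and a 'call for access'
one-time code that the operator issues by phone and the vendor must redeem
before a session opens. Every decision is appended to an in-memory audit list.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed tables: which role each vendor identity holds, and which
# assets/operations each role is permitted inside the mediated session.
VENDOR_ROLE = {"acme-sensors": "dust-sensor-vendor", "fleet-co": "fleet-vendor"}
ROLE_SCOPE = {
    "dust-sensor-vendor": {"dust-plc-01": {"read"}, "dust-hmi-01": {"read", "write"}},
    "fleet-vendor": {"newtrax-gw-01": {"read", "write"}},
}


@dataclass
class AccessCode:
    code_hash: bytes      # the broker stores only a hash of the spoken code
    expires_at: float
    used: bool = False


def _digest(code: str) -> bytes:
    return hashlib.sha256(code.encode()).digest()


class AccessBroker:
    def __init__(self, clock=time.time, ttl_seconds=900):
        self._clock = clock              # injectable so tests can control time
        self._ttl = ttl_seconds          # assumed 15-minute code lifetime
        self._codes = {}                 # vendor_id -> AccessCode
        self._sessions = {}              # session_id -> vendor_id
        self.audit = []                  # (event, vendor_id, detail) tuples

    def issue_code(self, vendor_id: str) -> str:
        """Operator step of 'call for access': mint a short-lived, single-use code."""
        if vendor_id not in VENDOR_ROLE:
            raise KeyError(f"unknown vendor identity {vendor_id!r}")
        code = secrets.token_hex(4)      # 8 hex digits, easy to read out by phone
        self._codes[vendor_id] = AccessCode(_digest(code), self._clock() + self._ttl)
        self.audit.append(("code-issued", vendor_id, ""))
        return code

    def open_session(self, vendor_id: str, code: str):
        """Vendor step: redeem the code. Returns a session id, or None on refusal."""
        rec = self._codes.get(vendor_id)
        if rec is None or rec.used or self._clock() > rec.expires_at:
            self.audit.append(("session-refused", vendor_id, "no valid code"))
            return None
        if not hmac.compare_digest(rec.code_hash, _digest(code)):
            self.audit.append(("session-refused", vendor_id, "code mismatch"))
            return None
        rec.used = True                  # single use: a replayed code is refused
        session_id = secrets.token_hex(8)
        self._sessions[session_id] = vendor_id
        self.audit.append(("session-opened", vendor_id, session_id))
        return session_id

    def authorize(self, session_id: str, asset: str, operation: str) -> bool:
        """Per-action check inside the mediated session against the role scope."""
        vendor_id = self._sessions.get(session_id)
        if vendor_id is None:
            return False
        allowed = ROLE_SCOPE[VENDOR_ROLE[vendor_id]].get(asset, set())
        decision = operation in allowed
        self.audit.append(("allow" if decision else "deny", vendor_id, f"{operation} {asset}"))
        return decision


if __name__ == "__main__":
    broker = AccessBroker()
    spoken = broker.issue_code("acme-sensors")        # read to the caller by phone
    sid = broker.open_session("acme-sensors", spoken)
    print("read dust-plc-01:", broker.authorize(sid, "dust-plc-01", "read"))    # True
    print("write dust-plc-01:", broker.authorize(sid, "dust-plc-01", "write"))  # False
    print("replayed code:", broker.open_session("acme-sensors", spoken))        # None
```

The role is looked up from the vendor identity rather than supplied by the caller, so a vendor cannot pick a wider scope; the code is stored hashed, compared in constant time, expires, and is consumed on first use, which is what makes the phone call a real gate rather than a formality.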

Monitoring

Because third-party vendor access inherently decreases the visibility and control you have over everything connected to your OT, strong monitoring is essential for securing your OT.

First, session recording and audit logs ensure that you know exactly how potentially unsecured identities are interacting with your systems. That record ensures changes don’t get lost during emergencies, when everyone is rushing to get the OT up and running again.

Second, it allows you to detect, track and react to identities that are not acting the way they should. If third-party identities act in unexpected ways, or if you are investigating a cybersecurity incident, audit logs and session recording enable you to respond appropriately. 
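The two uses of audit data described above, rebuilding a change record so emergency changes are not lost and spotting identities that stray outside their approved scope, can be run over the broker’s logs directly. The following is an added example for this page, not iON’s tooling: the JSON-lines log format, the approved-scope table and the five log records are all constructed.

```python
"""Review of vendor-session audit logs (constructed example, not iON's tooling).

Reads JSON-lines audit records such as a remote-access broker might emit,
rebuilds a change record per session so that changes made in a rush are not
lost, and flags sessions whose identity is behaving outside its approved scope.
"""
import json
from collections import defaultdict

# Constructed approved scope: vendor -> {asset: allowed operations}
APPROVED_SCOPE = {
    "acme-sensors": {"dust-plc-01": {"read"}, "dust-hmi-01": {"read", "write"}},
    "fleet-co": {"newtrax-gw-01": {"read", "write"}},
}

# Constructed audit records. 'ticket' is the change ticket quoted when the
# session was opened; it is empty when none was given.
SAMPLE_LOG = """\
{"ts": "2026-06-01T02:10:05Z", "session": "s1", "vendor": "acme-sensors", "asset": "dust-hmi-01", "op": "read", "ticket": "CHG-118"}
{"ts": "2026-06-01T02:11:40Z", "session": "s1", "vendor": "acme-sensors", "asset": "dust-hmi-01", "op": "write", "ticket": "CHG-118", "detail": "threshold 35->40"}
{"ts": "2026-06-01T02:12:02Z", "session": "s1", "vendor": "acme-sensors", "asset": "dust-plc-01", "op": "write", "ticket": "CHG-118", "detail": "download"}
{"ts": "2026-06-01T02:12:30Z", "session": "s1", "vendor": "acme-sensors", "asset": "newtrax-gw-01", "op": "read", "ticket": "CHG-118"}
{"ts": "2026-06-03T14:00:00Z", "session": "s2", "vendor": "fleet-co", "asset": "newtrax-gw-01", "op": "write", "ticket": "", "detail": "firmware 4.2"}
"""


def parse_log(text: str):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def change_record(events):
    """Every write, grouped by session: the record that survives an emergency."""
    changes = defaultdict(list)
    for e in events:
        if e["op"] == "write":
            changes[e["session"]].append((e["ts"], e["asset"], e.get("detail", "")))
    return dict(changes)


def find_findings(events, scope=APPROVED_SCOPE):
    """(session, finding, detail) for each event that breaks the approved scope
    or changes equipment without a change ticket."""
    findings = []
    for e in events:
        allowed = scope.get(e["vendor"], {})
        if e["asset"] not in allowed:
            findings.append((e["session"], "unapproved-asset", e["asset"]))
        elif e["op"] not in allowed[e["asset"]]:
            findings.append((e["session"], "unapproved-operation", f'{e["op"]} on {e["asset"]}'))
        if e["op"] == "write" and not e.get("ticket"):
            findings.append((e["session"], "unticketed-change", e["asset"]))
    return findings


def sessions_to_review(events, scope=APPROVED_SCOPE):
    """Sessions whose recording should be pulled and watched."""
    return sorted({session for session, _, _ in find_findings(events, scope)})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for finding in find_findings(events):
        print(*finding)
    print("review recordings for:", sessions_to_review(events))
    print("change record:", change_record(events))
```

Against the constructed log this flags session s1 twice (a write to a read-only PLC, then a read of an asset outside the vendor’s scope) and session s2 once (a firmware write with no ticket), which is exactly the list of recordings an analyst would pull first.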

Segmentation

Segmentation, where appropriate, can help you control traffic within your OT environment, even if the OT itself is largely unsecured. Your segmentation should follow the unique needs of each piece of OT equipment.

This requires a deep understanding of your environment, of the third-party support each piece of equipment requires, and of the risk and exposure of the other systems connected to the same network segments, so that your remote access setup restricts each individual to only what they require.

For example, if you have a massive MineStar system that is entirely supported by Caterpillar, it may be appropriate for it to sit in its own bubble, separate from the production systems that support your processing environment.
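One way to turn “restrict each vendor to only what it supports” into something checkable is to derive the conduit rules from inventory rather than write them by hand. The block below is an added example for this page, not iON’s or Caterpillar’s tooling; the zone layout, asset names, vendor support map and ports are constructed, and the “bubble” zone for the fleet management system is the page’s example carried through.

```python
"""Default-deny conduit rules derived from a vendor support map (constructed example).

Starts from two inventories: which zone each piece of OT equipment sits in, and
which assets/services each vendor actually supports. It generates the only
flows that need to be permitted from each vendor's jump host, evaluates a flow
against them with deny as the fallback, and reports which zones each vendor can
reach, so a vendor that should live in one bubble cannot cross into another.
"""
from dataclasses import dataclass

# Constructed inventory: zone -> assets in it.
ZONES = {
    "minestar-bubble": ["minestar-srv-01", "minestar-db-01"],
    "processing": ["crusher-plc-01", "mill-hmi-01"],
    "dust-monitoring": ["dust-plc-01"],
}

# Constructed support map: vendor -> (asset, protocol, port) it needs to reach.
SUPPORT = {
    "caterpillar": [("minestar-srv-01", "tcp", 443), ("minestar-db-01", "tcp", 1433)],
    "acme-sensors": [("dust-plc-01", "tcp", 502)],
}


@dataclass(frozen=True)
class Rule:
    src: str        # the vendor's jump host, the only source the broker hands sessions to
    dst: str        # a single asset, never a whole zone
    proto: str
    port: int


def zone_of(asset: str, zones=ZONES) -> str:
    for zone, assets in zones.items():
        if asset in assets:
            return zone
    raise KeyError(f"{asset!r} is not in the inventory")


def build_rules(support=SUPPORT, zones=ZONES):
    """One allow rule per required service; anything not listed is implicitly denied."""
    rules = []
    for vendor, needs in support.items():
        for asset, proto, port in needs:
            zone_of(asset, zones)   # fail loudly on an unknown asset rather than ship a rule
            rules.append(Rule(f"jump-{vendor}", asset, proto, port))
    return rules


def is_allowed(rules, src, dst, proto, port) -> bool:
    """Evaluate a flow: explicit allow, otherwise deny."""
    return any(r.src == src and r.dst == dst and r.proto == proto and r.port == port
               for r in rules)


def reachable_zones(rules, zones=ZONES):
    """Which zones each jump host can touch at all: the segmentation review target."""
    reach = {}
    for r in rules:
        reach.setdefault(r.src, set()).add(zone_of(r.dst, zones))
    return reach


def cross_zone_sources(rules, zones=ZONES):
    """Jump hosts whose rules span more than one zone, i.e. bubbles that leak."""
    return sorted(src for src, zs in reachable_zones(rules, zones).items() if len(zs) > 1)


if __name__ == "__main__":
    rules = build_rules()
    for r in rules:
        print(f"allow {r.src} -> {r.dst} {r.proto}/{r.port} ({zone_of(r.dst)})")
    print("deny everything else")
    print("zones per vendor:", reachable_zones(rules))
    print("leaking sources:", cross_zone_sources(rules))   # []
```

Because every rule is generated from the support map, adding a vendor or a service means editing inventory, not firewall syntax, and `cross_zone_sources` gives a one-line answer to the question the section asks: does the Caterpillar bubble stay a bubble?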


Secure Remote Access Is Essential to ICS Security

Remote access is a factor in 44% of OT incidents, according to a Claroty survey report.

That makes it one of your biggest areas of exposure and a priority to get right. 

Unfortunately, usability is still one of the main priorities in OT. As a result, leadership too often decentralizes security, leading to the mistakes that increase exposure.

Security and usability don’t have to fight for priority, though.

At iON, we have the products and expertise to help customers architect, design, and implement a remote access solution that:

  • minimizes risk

  • maximizes security

  • maintains or even increases usability

Don’t settle for choosing between two essentials. Call us today to build an OT environment that matches your needs.