Research highlights remote access risks facing critical OT assets

Claroty has announced new proprietary data revealing that 13% of the most mission-critical operational technology (OT) assets have an insecure internet connection, and 36% of those contain at least one known exploited vulnerability (KEV), making them both remotely accessible and readily exploitable entry points for threat actors to disrupt operations.

To address these risks fuelled by the growing adoption of remote access technologies in industrial network environments, Claroty today launched its newly enhanced Claroty xDome Secure Access (formerly Claroty Secure Remote Access). The company said the solution balances frictionless access and secure control over interactions to CPS, thereby enhancing productivity, reducing complexities and risk, and ensuring compliance across first- and third-party users.

According to Gartner, “While [various network] technologies (often interchangeably called OT/IoT/IIoT/ICS/IACS/SCADA, etc) that support production or mission-critical processes were initially deployed in isolation, they have become increasingly connected to each other and to enterprise systems. In addition, organisations now need OEMs, contractors and employees to operate, maintain and update them from afar.”

To shed light on the security implications of this increased connectivity, Claroty’s research group Team82 analysed a sample of over 125,000 OT assets, their internet connections and exploitability. Key findings include:

• 3.7% of all OT assets have an insecure internet connection: This means they communicate with the internet generally, excluding unidirectional, manufacturer and endpoint security communications, allowing attackers to easily scan the IP address space to find and attempt to access them remotely.
• 13% of engineering workstations (EWS) and human-machine interfaces (HMIs) have an insecure internet connection: These linchpin assets are used to monitor, control and update production systems, and because they can connect up and down the Purdue Model architecture for ICS and in some cases to the enterprise IT network, attackers can use them as an initial foothold for lateral movement.
• 36% of insecurely internet-connected EWS and HMIs contain at least one KEV: The combination of high criticality, high exposure and high exploitability makes these assets prime targets for threat actors seeking to maximise operational disruption.
   

“Our research supports the notion that increased remote access translates to an expanding attack surface and greater risk of disruption to critical infrastructure, which can ultimately impact public safety and the availability of vital services,” said Amir Preminger, Vice President of Research for Claroty’s Team82. “As remote access to mission-critical OT assets such as EWS and HMIs is now the standard operating approach, organisations must ensure they are equipped to grant access to specific assets intentionally and on a least-privileged basis.”

To address the unique and complex security challenges posed by the rise in CPS remote access, Claroty has released its xDome Secure Access solution that it says is purpose-built for the specific needs of the OT domain. It is said to provide the right balance between frictionless access and secure control over third-party interactions with a control system, thereby enhancing productivity, reducing complexities and risk, and ensuring compliance across first- and third-party users, and integrates foundational security principles such as identity governance and administration, privileged access management and zero-trust network access.

Team82’s findings can be found in the report An Open Door here.

Image credit: iStock.com/Vertigo3d