Gauging maturity of secure remote access as cybersecurity demands grow in operational, industrial environments

2024.06.16

As operational environments digitize rapidly, the need for secure remote access to operational and industrial systems keeps growing. Secure remote access in these environments has changed in recent years, driven by rising demand for intensive monitoring, maintenance, and control of distributed assets. That evolution has been shaped largely by the convergence of IT and OT (operational technology), which calls for substantial security measures to protect critical infrastructure from cyber criminals.

However, since such environments are most often highly sensitive, it is imperative to perform a periodic reality check to determine how mature these efforts are and how effectively they protect critical systems and data. Current knowledge points to a significant gap between organizations’ maturity levels in applying remote access solutions in operational and industrial settings: some have put measures such as MFA (multi-factor authentication) and encryption in place to secure their systems and data, while others continue to rely on outdated controls that leave them prone to cyber-attacks.

As these operations have grown, and as the threats and attacks against them have become more frequent and more advanced, companies must review the security of their remote access processes and determine whether changes are needed to address new threats. This also involves having a secure authentication mechanism, keeping and reviewing access logs, and carrying out security checks from time to time.

In the operational and industrial sectors, remote access has evolved considerably in maturity. However, keeping such security measures effective requires investment in current technologies, proactive vigilance, and timely responses to threats. This approach will help preserve the security of critical infrastructure in a world that is becoming progressively more dependent on digital systems.

Industrial Cyber consulted with industrial cybersecurity executives to identify key indicators of a mature organization’s secure remote access strategy. They also explored methods for assessing the current maturity levels of secure remote access solutions across various industries.

Massimo Nardone, vice president for OT security at SSH Communications Security

Massimo Nardone, vice president for OT security at SSH Communications Security, told Industrial Cyber that the remote access strategy must be part of the OT security strategy, as access management is one of the most important cybersecurity domains: it must be in place for managing access, remote or not, to IT and OT systems, and it is critical for maintaining the security and integrity of industrial processes.

“A secure remote access strategy is an inseparable part of OT security strategy since access management protects the integrity of industrial processes. It must include comprehensive access control policies documenting, e.g. how remote access is granted, monitored, and revoked,” Nardone noted. “Role-Based Access Control (RBAC) and granular permissions ensure that employees can only access information and systems necessary for their job functions. Phishing-resistant MFA brings an extra layer of security beyond strong passwords.”

He added that secure channels based on VPNs (virtual private networks), encrypted communication protocols (e.g., TLS/SSL), and least-privilege with just-enough-access models are necessary, along with related incident response plans. “IT and OT network segmentation isolates critical OT from IT systems and other potentially less secure parts of the network.”

Nardone noted that maturity can be assessed by systematically evaluating current practices against best practices and predefined maturity levels. “Conduct a gap analysis, develop an action plan, and prioritize improvements for the security posture. Continuously monitor and reassess to ensure that the solutions remain effective and evolve with emerging threats and technological advancements.”

Bill Moore, CEO and founder of Xona Systems, emphasized that well-defined remote access policies that align with a zero-trust model indicate a mature secure remote access strategy within an organization.

Bill Moore, CEO and founder at Xona Systems

He added that key indicators of a mature secure remote access strategy for critical infrastructure across energy, oil and gas, transportation, and manufacturing include mandatory MFA using hardware (HW) tokens or TOTP-compliant (time-based one-time password) mobile apps; identity- and network-based segmentation to reduce the attack surface; least-privilege access control, including role-based and time-based access controls; and site-level controls such as a ‘virtual wait lobby’ and ‘kill session’ for operational safety.

Nardone called upon organizations to move beyond the initial, insecure, and merely repeatable stages to reach stages like ‘Managed’, where security processes are standardized and consistent across the organization, or ‘Optimized’, where continuous improvement practices, advanced threat detection, and response capabilities are implemented. “Align with cybersecurity requirements and regulations like NIS2, GDPR, HIPAA, NERC CIP, etc.”

He highlighted that with the ‘Managed’ or ‘Optimized’ stages of maturity, organizations can better protect themselves against evolving threats and ensure the security and integrity of their information and operational technology environments.

“‘Managed’ or ‘Optimized’ stages can be reached by implementing RBAC, advanced MFA, secure communication channels, and continuous monitoring of how remote access is granted, monitored, and revoked,” according to Nardone. “This is combined with network segmentation, well-defined incident response plans, and regular user training.”

Moore identified the three most important measures as mandatory MFA to access any critical asset; a least-privilege model with granular role-based access controls; and the use of zone protocol isolation instead of ubiquitous VPNs to reduce the attack surface and enterprise risk.

The executives examined the impact of zero trust adoption on the landscape of secure remote access, exploring the challenges organizations face in its implementation and the strategies used to overcome these obstacles.

Nardone observed that zero trust has revolutionized IT/OT secure remote access by enforcing continuous verification and micro-segmentation and by adhering to the principle of least privilege. “These changes have enhanced security, reduced the attack surface, improved incident response, and better supported remote work environments.”

He added that the zero trust approach protects an organization’s critical infrastructure and adapts to the evolving threat landscape. The zero trust principle can eliminate the idea of ‘implicit trust’, in which everything inside the network is trusted; instead, every access request and device must be continuously verified. With micro-segmentation, IT/OT networks are divided into isolated segments to minimize the potential impact of a breach and to align with least-privilege access. Furthermore, IAM/PAM must follow strong practices, including MFA and continuous user behavior monitoring.

Addressing the challenges faced by organizations, Nardone pointed to the use of automated policy management tools to simplify the creation, deployment, and maintenance of access policies. RBAC and Attribute-Based Access Control (ABAC) can streamline policy management by grouping users and devices with similar access needs.

“Organizations can overcome the challenge of complexity and integration with legacy systems by adopting a phased approach, starting with critical systems, expanding to the entire network, and then utilizing API-based integrations and middleware to bridge the gap between legacy and modern systems,” Nardone further noted. “Points to consider include vendor and third-party integration, performance impact and user experience, implementation and configuration complexity, consistent initial cost and resource investment, just-in-time zero trust access, and the risk of shared or leave-behind credentials.”
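The controls the two executives describe (mandatory and phishing-resistant MFA, least-privilege RBAC, time-based or just-in-time grants, zone isolation, device attributes in the ABAC sense, and revocation as a ‘kill session’ analogue) only reduce risk when they are evaluated together on every request. The following Python sketch is an added illustration, not code from Industrial Cyber, SSH Communications Security or Xona Systems, of how such a per-request access decision can be composed; the roles, zones, asset names, MFA method labels and grants are all constructed sample data for a hypothetical plant.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# ---- Constructed policy data for a hypothetical plant (not from the article) ----

# RBAC: role -> set of (zone, asset, action) the role is permitted to perform.
ROLE_PERMISSIONS = {
    "plc_engineer": {("cell-1", "plc-101", "configure"),
                     ("cell-1", "plc-101", "view")},
    "oem_vendor":   {("cell-1", "plc-101", "view")},   # third party: view only
    "corporate_it": set(),                              # no OT asset rights by default
}

# Zone isolation: assets in these zones are safety-critical, so only
# phishing-resistant MFA methods are accepted for them.
CRITICAL_ZONES = {"cell-1"}
PHISHING_RESISTANT = {"fido2", "smartcard"}
ACCEPTED_MFA = PHISHING_RESISTANT | {"totp"}


@dataclass(frozen=True)
class Grant:
    """A time-bounded, just-in-time approval: `user` may act as `role` on one
    asset between `start` and `end`. Outside that window the grant is dead,
    which is what limits the risk of shared or leave-behind credentials."""
    user: str
    role: str
    zone: str
    asset: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Request:
    """One remote-access attempt as seen by the policy decision point."""
    user: str
    zone: str
    asset: str
    action: str
    mfa_method: Optional[str]   # None means no second factor was presented
    device_managed: bool        # ABAC attribute: device passed a posture/MDM check
    at: datetime


def evaluate(req: Request, grants: List[Grant]) -> Tuple[bool, str]:
    """Decide one request. Returns (allowed, reason). Every check runs on every
    request; being 'inside the network' earns no trust."""
    # 1. MFA is mandatory for any OT asset; critical zones need phishing-resistant MFA.
    if req.mfa_method not in ACCEPTED_MFA:
        return False, "mfa_required"
    if req.zone in CRITICAL_ZONES and req.mfa_method not in PHISHING_RESISTANT:
        return False, "phishing_resistant_mfa_required"
    # 2. Device attribute: unmanaged endpoints never reach OT assets.
    if not req.device_managed:
        return False, "unmanaged_device"
    # 3. A live, time-bounded grant for this user/zone/asset must exist.
    live = [g for g in grants
            if g.user == req.user and g.zone == req.zone and g.asset == req.asset
            and g.start <= req.at < g.end]
    if not live:
        return False, "no_active_grant"
    # 4. Least privilege: the granted role must permit this exact action.
    for g in live:
        if (req.zone, req.asset, req.action) in ROLE_PERMISSIONS.get(g.role, set()):
            return True, "allowed_via_role:" + g.role
    return False, "action_not_permitted_for_role"


def revoke_user(grants: List[Grant], user: str) -> List[Grant]:
    """'Kill session' analogue: drop every grant for `user`, so the next
    evaluation for that user fails with no_active_grant."""
    return [g for g in grants if g.user != user]


# ---- Constructed sample data ----
T0 = datetime(2024, 6, 16, 9, 0, tzinfo=timezone.utc)


def sample_grants() -> List[Grant]:
    return [
        Grant("alice", "plc_engineer", "cell-1", "plc-101", T0, T0 + timedelta(hours=2)),
        Grant("vendor1", "oem_vendor", "cell-1", "plc-101", T0, T0 + timedelta(hours=1)),
    ]


def request(user, action, mfa="fido2", managed=True, minutes=30) -> Request:
    """Build a request against plc-101 in cell-1 at T0 + `minutes`."""
    return Request(user, "cell-1", "plc-101", action, mfa, managed,
                   T0 + timedelta(minutes=minutes))


if __name__ == "__main__":
    grants = sample_grants()
    for label, req in [
        ("engineer, FIDO2, in window", request("alice", "configure")),
        ("engineer, TOTP only", request("alice", "configure", mfa="totp")),
        ("engineer, grant expired", request("alice", "configure", minutes=180)),
        ("vendor tries configure", request("vendor1", "configure")),
        ("vendor views", request("vendor1", "view")),
    ]:
        print(f"{label:28s} -> {evaluate(req, grants)}")
    print("after revoke ->", evaluate(request("alice", "configure"), revoke_user(grants, "alice")))
```

The ordering of the checks is deliberate: the cheap, identity-level checks (MFA strength, device posture) fail first, and only then is the time window and the role consulted, so a stolen or left-behind credential without a live grant is refused for a reason the audit log can distinguish from a role mismatch. The vendor and employee grants are separate objects, which is the bifurcation of third-party access that makes per-vendor monitoring and revocation straightforward.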

Moore said that there is a growing recognition among cyber practitioners that legacy VPNs and jump servers alone do not effectively reduce enterprise risk to critical systems. “Granular role-based access controls and additional MFA for industrial control zones should be required.”

He added that the major challenge organizations have encountered over the last several years is the overwhelming complexity and cost of integrating several legacy secure remote access technologies, including firewalls/VPNs, VDI, MFA, secure file transfer, jump servers, least-privilege RBAC, access monitoring, and session control and logging, to meet zero-trust goals.

The executives move on to address the regulatory requirements most relevant to secure remote access and identity management, how these requirements have influenced the development and implementation of secure remote access strategies, and the potential implications for organizations that fail to comply with them.

Nardone said that the most important regulatory requirements include NIS2, an update to the previous Network and Information Security (NIS) Directive whose objective is to create a common level of cybersecurity across the European Union’s Member States; the General Data Protection Regulation (GDPR) within the European Union (EU); and the Health Insurance Portability and Accountability Act (HIPAA) for healthcare providers in the U.S.

He also pointed to the Payment Card Industry Data Security Standard (PCI DSS) for credit card transactions; North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) for power systems in North America; Federal Information Security Management Act (FISMA) for US federal agencies and contractors; and Sarbanes-Oxley Act (SOX) for U.S. publicly traded companies.

“All of the above regulations influence the development of secure remote access because they regulate access to IT/OT environments,” Nardone added. “Failure to comply can lead to fines and/or loss of reputation.”

Moore identified some key regulatory requirements associated with remote access, including TSA SDO2C, NERC CIP 003-9, NIS2 (Europe), and NIST 800-53.

Drawing from their expertise, the executives discussed the next steps industrial organizations should take to enhance secure remote access. They also evaluated whether secure remote access is currently the most mature aspect of cybersecurity or if other areas need more focus, and explored how industrial organizations can further improve their secure remote access strategies.

“Strong, mature, and secure remote access strategy for managing access, remote or local, to IT and OT systems to maintain the security and integrity of industrial processes,” Nardone noted. “The upcoming NIS2 directive will force more governance, meaning organizations will continue advancing towards a zero trust security model.”

He added that “in almost 30 years of working in cybersecurity for IT and OT, when running vulnerability assessments, results showed that remote access to IT and OT infrastructure is, and I believe will be, the most crucial finding that must be solved. Because of this, I strongly believe that secure remote access, currently and in the future, will remain the most mature aspect of cybersecurity that industrial organizations need, especially when access management at scale is needed.”

Moore pointed to the need to better manage third-party risk in secure remote access: industrial organizations should be bifurcating employee and vendor (OEM and other third-party) remote access. “This helps with the monitoring, logging, recording, and reporting on third-party remote access. Industrial organizations can employ better governance measures with easy aggregation of third-party user access.”

He concluded by saying that he believed “the use of ‘zero-trust’ architecture and protocol isolation for secure remote (and local) access shows a high level of maturity as most compromises of critical OT (and IT) systems are through exposure of insecure protocols such as RDP (Remote Desktop Protocol) and a lack of internal granular RBAC.”
