Claroty reports critical OT assets vulnerable to internet exploitation; release of xDome Secure Access

Claroty, an industrial cybersecurity firm, revealed that 13 percent of the most critical OT (operational technology) assets are inadequately connected to the Internet. In a comprehensive analysis of over 125,000 OT assets, Claroty’s Team82 researchers identified that 3.7 percent were insecurely linked to the internet. Within this subset, it was discovered that more than 36 percent of Engineering Workstations (EWS) and Human-Machine Interfaces (HMIs) with insecure internet connections also harbored at least one confirmed Known Exploited Vulnerability (KEV). This susceptibility exposes these assets to remote access and exploitation, underscoring the potential for threat actors to disrupt operations through these vulnerable entry points.

In its research report titled ‘An Open Door,’ Claroty identified direct connections of OT assets to the internet rather than through a secure access solution or virtual private network creates a risky exposure point open to attackers who can easily scan the IP address space for these devices, attempt to access them remotely and burrow deeper into the network. 

EWS, typically Windows-based rugged computers, are utilized by engineers to program, configure, and troubleshoot process control applications in devices like PLCs. These machines require access to the corporate network for domain authentication, security updates, and database connectivity. Exploiting a vulnerability in a PLC through an EWS can have severe consequences as engineers use them to interact with various devices on the OT network, altering logic and transferring data. An attacker controlling an EWS could potentially compromise every PLC in a factory by introducing malicious files or exploiting network weaknesses. 

On the other hand, an HMI serves as a touch-panel interface for process control engineers to interact with machines or field devices, providing real-time data visibility and monitoring capabilities. HMIs typically operate on a Linux-based Real-Time Operating System (RTOS) or Windows CE. Unauthorized access to an HMI could enable an attacker to manipulate displayed data, potentially causing damage while deceiving engineers.

Highlighting recent attacks by cyber adversaries, Claroty pointed to attackers allegedly linked to Iran’s CyberAv3ngers that compromised ten water treatment facilities in Israel and several in the U.S. gaining remote access to Unitronics’ integrated HMIs/PLCs. The attackers defaced the devices, demonstrating their access to the systems. It’s still unknown whether they were able to move laterally onto the respective facilities’ networks. 

The Akira ransomware actors were exploiting Cisco VPNs that were not configured with multi-factor authentication to gain access to multiple companies. Akira is prolific with its extortion schemes through this tactic, which includes brute-force password attacks attempting to gain unauthorized access to the VPNs. Systems lacking MFA are vulnerable to this initial access threat vector.

Additionally, Team82 has also identified the greatest number of remotely exploitable vulnerabilities impacting OT, IoT, and IoMT (Internet of Medical Things) systems at Level 3 of the Purdue Model—the operations and control level where EWS are laid out architecturally. Level 2 where HMIs and other control systems are situated, and Level 1 where field devices live, also contain significantly higher numbers of remotely exploitable vulnerabilities.

As more previously isolated devices and control systems come online, organizations must ensure they are equipped to grant access to specific assets intentionally and on a least-privileged basis. Increased convergence and connectivity translate to an expansive attack surface, and new and greater risks, including threats to public safety, and national and economic security. 

“Our research supports the notion that increased remote access translates to an expanding attack surface and greater risk of disruption to critical infrastructure, which can ultimately impact public safety and the availability of vital services,” Amir Preminger, vice president of research for Claroty’s Team82, said in a media statement. “As remote access to mission-critical OT assets such as EWS and HMIs is now the standard operating approach, organizations must ensure they are equipped to grant access to specific assets intentionally and on a least-privileged basis.”

To address these risks fueled by the growing adoption of remote access technologies in CPS environments, Claroty launched its newly enhanced Claroty xDome Secure Access (formerly Claroty Secure Remote Access). The solution balances frictionless access and secure control over interactions with CPS, enhancing productivity, reducing complexities and risk, and ensuring compliance across first- and third-party users. 

“Frictionless access to industrial CPS assets is essential to maximize business outcomes, yet many OT assets were historically insecure by design,” said Grant Geyer, chief product officer at Claroty. “Safe and secure CPS access requires precise access management, identity management, privileged access, and identity governance capabilities – all built for the exacting operational requirements, environmental constraints, and risk tolerances unique to OT environments. 

He added that every access to an OT asset is privileged access by definition as they have the potential to impact safety and availability. “Claroty xDome Secure Access not only provides  frictionless access to maximize productivity, it also does so with built-in security that is invisible to the operator which is crucial for safeguarding critical infrastructure.”

Claroty xDome Secure Access operationalizes the right balance between frictionless access and secure control over third-party interactions with CPS, thereby enhancing productivity, reducing complexities and risk, and ensuring compliance across first- and third-party users. By integrating foundational security principles such as Identity Governance and Administration (IGA), Privileged Access Management (PAM), and Zero Trust Network Access (ZTNA), Claroty xDome Secure Access sets new standards for resilience and operational excellence in the CPS landscape.

Key benefits include:

• Increase productivity: Seamless access for both first- and third-party users effectively reduces Mean Time to Repair (MTTR) by facilitating quicker issue resolution, operating under low bandwidth conditions, ensuring high system availability, and upholding critical site survivability.
• Reduce risk: The solution incorporates a tailored Zero Trust framework, PAM capabilities, and IGA functionality to enhance incident management, access controls, and system monitoring, ultimately minimizing risks and safeguarding critical assets, so organizations can manage and govern the entire identity lifecycle, from initiation to retirement, with the utmost precision and security.
• Reduce complexity: Significantly reduce administrative complexity with a scalable, cloud-managed architecture that offers the flexibility to operate seamlessly on-premises and in the cloud. The solution also simplifies administrative tasks that require constant operational control by integrating seamlessly with Identity and Access Management (IAM) tools, enhancing identity management, and enabling centralized site management and policy creation.
• Maintain compliance: The solution adheres to key compliance standards and provides the necessary controls for real-time logging and auditing of user identities, which is crucial for maintaining comprehensive audit trails and meeting regulatory requirements, protecting your organization against potential legal and financial penalties.

Earlier this month, Claroty revealed that 68 percent of federal OT administrators and managers reported experiencing an OT cyber-incident in the past year, while 90 percent of federal OT leaders say their agency has prioritized OT cybersecurity in the past two years. However, only approximately half felt confident they could detect or mitigate a threat today.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.