July 16, 2020 | By Michal Erel, Product Manager

We’ve discussed in a previous blog why the current global health crisis has emphasized the need for remote access solutions such as Claroty Secure Remote Access (SRA). However, remote access and the solutions that provide it have been both a necessity and, in many cases, a high-risk proposition for operational technology (OT) networks long before current events.

The fact that OT networks underpin critical infrastructure and core industry means that they are extra sensitive to vulnerability-driven downtimes and tend to make high-value targets for malicious actors. These are among many characteristics that warrant special consideration when evaluating different options for OT remote access. The focus of this installation will be to take a look at virtual private networks (VPNs) and how they stack up to Claroty SRA and other alternatives as they relate to OT environments.

The VPN Approach

VPN-based remote access solutions remain popular for enterprise IT connectivity largely due to their relative ease of use and the fact that they offer some privacy and security capabilities, notably the ability to encrypt network traffic and conceal the user’s location and browsing activity. While VPNs exist in many forms with varying degrees of capabilities, and have improved with next-generation Software-defined Perimeter (SDP) solutions, they share a broad set of risks across the board. These risks can be particularly significant for OT networks:

  • Limited Access Controls: VPNs provide access to a network but cannot fully control who is able to access what specific information, systems, or devices on the network, for how long it can be accessed, and what actions can be taken once inside. This lack of access control means that once someone is connected to the network there are few barriers that prevent them from exploring. This limitation has been slightly improved with Zero Trust-based controls that can be implemented using SDP solutions, but such solutions are typically only suitable for IT networks because they do not support the full spectrum of use cases required for OT networks.
  • Monitoring & Auditing: Log files taken from VPN sessions show minimal information and do not provide any detail on what actions were taken during the session. This can be problematic for auditing, compliance, and forensic purposes.
  • Expanded Attack Surface: Since traditional VPNs are accessed through the public internet they present a potential entry point for malicious activity. If a user’s credentials are stolen it provides a solid foothold for a malicious actor within an organization’s network. This level of malicious access poses significant operational, financial, and safety risks.

Claroty Secure Remote Access

Professional remote access solutions that go above and beyond both traditional VPN and SDP capabilities are more important than ever for OT security. Aside from overcoming the challenges in the bulleted list above, Claroty SRA boasts fundamental differences in being secure-by-design and tailored to OT network administrator needs and use cases.

What this means is that SRA is built on a two-tier architecture that preserves the Purdue Model and breaks the attack surface by isolating network assets from direct access, tunneling external connections through the SRA site. This level of isolation gives the user a rendered view of the asset’s digital interface, placing SRA between the remote user and the asset itself. SRA is also designed specifically for OT workflows and seamlessly blends with the other aspects of The Claroty Platform to provide a comprehensive security solution.

Diagram of the Purdue model for industrial control systems, which Claroty SRA helps support by isolating network assets from direct access.

Let’s look at an example of what this could look like in an everyday OT workflow: While serving an OT device through SRA, an engineer performs an action that is not covered under their original request for remote access to that device. This causes an alert to be triggered in The Claroty Platform and a Root Cause Analysis to be provided to the security operations center (SOC). From there, security teams can investigate the alert and, if necessary, terminate the remote user’s session. That engineer’s access approval is then immediately invalidated and, if further access is required, they must request it and receive approval from the SRA administrator.

There is no one size fits all approach to remote access, but having a solution that is tailor-made for your applications goes a long way towards safe and efficient operations.

To learn more about how Claroty SRA is purpose-built for OT, request a demo.