It’s no secret that the unprecedented global events of recent years have transformed the extent to which organizations operate remotely. Although it was the COVID-19 pandemic that catalyzed this transformation, a silver lining has since emerged in the undeniable benefits of remote work: greater productivity, reduced costs, and happier employees. Unfortunately, these benefits are increasingly outweighed by the cyber risks posed by the unsecured means through which remote access is often enabled. Such risks are especially severe in critical infrastructure sectors, where remote personnel require access not only to the IT network but also to operational technology (OT) and other cyber-physical systems.
Unlike its IT counterpart, OT remote access can provide the means to directly impact the physical processes underpinning the availability, integrity, and safety of critical infrastructure. When this access is weaponized or exploited, the implications can be dire. Look no further than the 2021 incident at an Oldsmar, Florida water treatment facility to grasp what’s at stake.
The Oldsmar incident raised awareness of just how vulnerable public health and safety can be to cyber risks. In addition to spurring discussions about OT cybersecurity and the importance of strictly controlling remote access to OT environments, the incident also motivated the U.S. government to further prioritize and strengthen cybersecurity for critical infrastructure. One of the more recent (and significant) developments is the release of Cross-Sector Cybersecurity Performance Goals (CPGs) from the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
Developed with the National Institute of Standards and Technology (NIST), the CPGs are a “prioritized subset” of eight of the dozens of cybersecurity practices covered by NIST’s Cybersecurity Framework (CSF). Recognizing that implementing the full NIST CSF can be a lengthy and often resource-prohibitive endeavor, CISA now recommends that organizations prioritize the practices set forth by its CPGs as a starting point to “meaningfully reducing risks to both critical infrastructure operations and to the American people.”
Notably, out of the eight CPGs, six pertain in some capacity to OT remote access, thereby underscoring its fundamental role in critical infrastructure cybersecurity. Details about each of these six CPGs and how Claroty’s Industrial Secure Remote Access (SRA) solution can help you achieve them are as follows:
CPG 1.0 focuses on protecting against credential-based attacks by recommending practices including logging of failed login attempts, multi-factor authentication, stringent password hygiene, role-based access controls, and effective offboarding procedures for departing employees.
These recommendations extend to all accounts and associated access levels utilized by both internal and third-party OT remote users and are essential for preventing unauthorized activity in the OT environment during remote sessions.
Claroty SRA supports these recommendations by extending multiple account-level security controls to OT remote users via enforcement of MFA, least privilege policies, and role-based access. SRA also supports advanced credential policies to further reduce the risk of unauthorized access and DoS attacks.
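What CPG 1.0’s logging recommendation looks like in practice is shown by the following script, an added example that is not part of this article or of the Claroty product: it reads a constructed OT remote-access login log and flags failed-login bursts, a successful login that immediately follows such a burst (a likely guessed credential), and logins by accounts that offboarding should have disabled. The log format, the thresholds, and all usernames and addresses are assumptions.

```python
"""Added example, not Claroty's code: screen OT remote-access login records for
the credential-attack signals CPG 1.0 asks operators to log and act on
(bursts of failed logins, a success right after such a burst, and logins by
accounts offboarding should have disabled). The log format, thresholds,
usernames and addresses below are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<UTC timestamp> <user> <source address> <result>".
SAMPLE_LOG = """\
2024-03-01T08:00:01Z alice 203.0.113.10 FAIL
2024-03-01T08:00:05Z alice 203.0.113.10 FAIL
2024-03-01T08:00:09Z alice 203.0.113.10 FAIL
2024-03-01T08:00:12Z alice 203.0.113.10 FAIL
2024-03-01T08:00:15Z alice 203.0.113.10 FAIL
2024-03-01T08:00:20Z alice 203.0.113.10 SUCCESS
2024-03-01T09:15:00Z bob 198.51.100.7 SUCCESS
2024-03-01T09:30:00Z vendor_tech 192.0.2.44 SUCCESS
2024-03-01T10:00:00Z carol 198.51.100.9 FAIL
2024-03-01T12:00:00Z carol 198.51.100.9 SUCCESS
"""

# Accounts whose offboarding should already have disabled them (constructed).
OFFBOARDED = {"vendor_tech"}
FAIL_THRESHOLD = 5             # failures inside one window that count as a burst (assumed)
WINDOW = timedelta(minutes=10)


def records(log_text):
    """Yield (timestamp, user, source, result) for each non-empty log line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, user, src, result = line.split()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, src, result


def find_failed_login_bursts(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Map user -> largest number of FAIL events that fall inside one sliding window."""
    failures = defaultdict(list)
    for ts, user, _, result in records(log_text):
        if result == "FAIL":
            failures[user].append(ts)
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:      # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def find_success_after_burst(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Users whose SUCCESS follows >= threshold FAILs inside the window."""
    events = defaultdict(list)
    for ts, user, _, result in records(log_text):
        events[user].append((ts, result))
    flagged = []
    for user, evs in events.items():
        recent_fails = []
        for ts, result in sorted(evs):
            recent_fails = [t for t in recent_fails if ts - t <= window]
            if result == "FAIL":
                recent_fails.append(ts)
            elif result == "SUCCESS" and len(recent_fails) >= threshold:
                flagged.append(user)
                recent_fails = []
    return flagged


def find_offboarded_logins(log_text, offboarded=OFFBOARDED):
    """Successful logins by accounts that should no longer exist: an offboarding gap."""
    return [(ts.isoformat(), user, src)
            for ts, user, src, result in records(log_text)
            if result == "SUCCESS" and user in offboarded]


if __name__ == "__main__":
    print("bursts:", find_failed_login_bursts(SAMPLE_LOG))
    print("success after burst:", find_success_after_burst(SAMPLE_LOG))
    print("offboarded logins:", find_offboarded_logins(SAMPLE_LOG))
```

Each finding maps to a CPG 1.0 practice: the burst check only works if failed attempts are logged at all, the success-after-burst check is the case MFA is meant to defeat, and the offboarded-login check is only possible if HR departures are reconciled against the remote-access user store.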
CPG 2.0 aims to help protect against supply chain attacks, rogue devices, operational disruption, and other device-level compromises by recommending enforcement of policies and procedures to define and/or maintain hardware and software approval processes, asset inventory, and change control and configuration management.
These controls are highly relevant to OT remote access due to the caliber of asset changes that do or can occur during remote maintenance or related remote sessions, as well as the extent that remotely exploitable vulnerabilities can be leveraged as attack vectors by threat actors seeking to compromise OT environments.
Claroty SRA assists with establishing a change control process by managing administrative access and ensuring only authorized users can make configuration changes remotely. SRA also logs details of all sites and assets accessed and changes made during remote sessions.
CPG 3.0, which focuses on protecting data and information from compromise, recommends strong encryption, secure log storage, and enhanced visibility into security logs — all of which can help reduce detection, response, and remediation time for potential cyber incidents.
These recommendations also apply to all logs related to remote OT connections, which therefore must be stored securely and in a manner that provides the visibility necessary to support optimal response to incidents related to OT remote user activity.
Claroty SRA supports these controls by collecting over-the-shoulder video recordings of all user sessions, logging all such activity, and encrypting all user- and asset-related data.
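The “secure log storage” CPG 3.0 asks for is more than encryption at rest: an incident responder also needs to trust that nobody rewrote or removed the record of what a remote user changed. The following script, an added example that is not part of this article or of the Claroty product, shows one standard way to get that: each session log record carries an HMAC over its content and the previous record’s HMAC, so editing, deleting or reordering a record breaks the chain at that point. The key, the record layout and the session events are constructed assumptions; in a real deployment the key lives on the log collector, never on a remote host.

```python
"""Added example, not Claroty's code: a tamper-evident session log for OT remote
connections, illustrating the "secure log storage" CPG 3.0 calls for. Each
record carries an HMAC over its content and the previous record's HMAC, so
editing, removing or reordering a record breaks the chain at that point.
The key, record layout and session events are constructed assumptions."""
import copy
import hashlib
import hmac
import json

LOG_KEY = b"constructed-demo-key-do-not-reuse"   # assumed; held on the log collector only
GENESIS = "0" * 64                                # chain anchor for the first record


def append_record(chain, record, key=LOG_KEY):
    """Append record to chain, binding it to the previous record's MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    body = json.dumps(record, sort_keys=True)     # canonical form so the MAC is reproducible
    mac = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
    chain.append({"record": record, "prev": prev, "mac": mac})
    return chain


def verify_chain(chain, key=LOG_KEY):
    """Return the index of the first inconsistent entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = json.dumps(entry["record"], sort_keys=True)
        expected = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
        if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], expected):
            return i
        prev = entry["mac"]
    return -1


def build_sample_chain():
    """Constructed events from one remote maintenance session."""
    chain = []
    for rec in [
        {"t": "2024-03-01T09:30:00Z", "user": "vendor_tech", "event": "session_start",
         "asset": "plc-boiler-01"},
        {"t": "2024-03-01T09:41:10Z", "user": "vendor_tech", "event": "config_write",
         "asset": "plc-boiler-01", "detail": "setpoint 72->85"},
        {"t": "2024-03-01T09:55:00Z", "user": "vendor_tech", "event": "session_end",
         "asset": "plc-boiler-01"},
    ]:
        append_record(chain, rec)
    return chain


def tamper_edit(chain):
    """Simulate someone rewriting the change record after the fact."""
    tampered = copy.deepcopy(chain)
    tampered[1]["record"]["detail"] = "setpoint unchanged"
    return tampered


def tamper_delete(chain):
    """Simulate removing the change record entirely."""
    tampered = copy.deepcopy(chain)
    del tampered[1]
    return tampered


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))                  # -1
    print("edited:", verify_chain(tamper_edit(chain)))     # 1
    print("deleted:", verify_chain(tamper_delete(chain)))  # 1
```

Verification pinpoints the first broken record, which is exactly the visibility an incident review needs; pairing the chain with encrypted transport and storage, as CPG 3.0 recommends, keeps the records confidential as well as tamper-evident.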
CPG 5.0 provides recommendations on how to identify, prioritize, and mitigate vulnerabilities in an organization's systems and networks to minimize the exploitable attack surface.
These recommendations are also relevant to OT remote services, many of which tend to be uniquely prone to vulnerabilities targeted by threat actors seeking to access critical OT environments. As such, CPG 5.0 focuses heavily on monitoring, authentication, access, and other controls that help reduce this risk.
Claroty SRA enforces these controls by providing secure remote access, MFA, granular access control, real-time monitoring, activity logging, change control processes, and mechanisms that limit potential damage from compromised credentials.
CPG 7.0 provides guidance on how to prepare for and respond to cyber incidents. It covers incident response planning, communications, and exercises, as well as recovery activities such as restoring normal operations and post-incident review.
The scope of CPG 7.0 extends to OT remote access in the context of its data backup and recovery recommendations for OT networks. It is crucial that such controls be applied to all data generated by OT remote activity, which is often extensive and critical, to ensure organizations can quickly restore normal operations — including those supported both onsite and remotely — and minimize the impact of an incident.
Claroty SRA supports the implementation of CPG 7.0’s recommendations by regularly backing up and retaining logs of OT remote user activity, providing live monitoring video recordings of all OT remote sessions, and ensuring this information is stored in accordance with all relevant regulatory requirements and backup and recovery needs.
CPG 8.0 aims to enhance the security of OT networks by preventing unauthorized access. It recommends implementing measures such as segmentation of the OT network, reducing the risk of common email-based attacks, and detecting and preventing known threats that use common tactics, techniques, and procedures (TTPs).
Network segmentation controls in particular are highly relevant to OT remote access because, when implemented properly, they can help ensure that all communication paths to and from OT networks — including those remote connections — are legitimate, monitored, in compliance with established access control and related policies, and ultimately, secure.
Claroty SRA enables organizations to easily implement these controls via a zero-trust approach that eliminates direct, unfettered remote connectivity to OT assets. The solution also continuously monitors personnel activity during all remote OT connections, including those initiated by external service providers for maintenance, auditing, or other purposes.
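To make the segmentation point of CPG 8.0 concrete, the following script is an added example (not part of this article or of the Claroty product) of the default-deny policy check a remote-access broker can apply before it bridges a session into a segmented OT zone: the remote host never gets a direct path, the broker decides per request, and every decision is written down with its reason. The zones, assets, roles, protocols and maintenance window are constructed assumptions.

```python
"""Added example, not Claroty's code: a default-deny policy check that a
remote-access broker can apply before bridging a session into a segmented OT
zone, in the spirit of CPG 8.0's segmentation guidance. Zones, assets, roles,
protocols and the maintenance window are constructed assumptions."""
from datetime import datetime, time

# Constructed asset inventory: which network zone each OT asset lives in.
ASSET_ZONE = {
    "plc-boiler-01": "zone-process",
    "hmi-line-2": "zone-supervisory",
    "eng-ws-01": "zone-engineering",
}

# Constructed role policy: role -> zone -> protocols the broker may bridge.
ROLE_POLICY = {
    "plant_engineer": {"zone-engineering": {"rdp"}, "zone-supervisory": {"vnc"}},
    "vendor_maintenance": {"zone-process": {"ssh"}},
}

# Process-zone sessions are only bridged inside the plant's maintenance window (assumed).
MAINTENANCE_WINDOW = (time(6, 0), time(18, 0))


def within_window(at, window=MAINTENANCE_WINDOW):
    start, end = window
    return start <= at.time() < end


def evaluate(request):
    """Return (allowed, reason). request keys: user, role, asset, protocol, mfa, at."""
    if not request.get("mfa"):
        return False, "mfa_required"
    zone = ASSET_ZONE.get(request["asset"])
    if zone is None:
        return False, "unknown_asset"            # unmanaged assets are never reachable
    permitted = ROLE_POLICY.get(request["role"], {}).get(zone, set())
    if request["protocol"] not in permitted:
        return False, "role_not_permitted"       # default deny: no rule means no path
    if zone == "zone-process" and not within_window(request["at"]):
        return False, "outside_maintenance_window"
    return True, "policy_match"


def decide(request):
    """Evaluate and return the audit record the broker should store for the decision."""
    allowed, reason = evaluate(request)
    return {
        "at": request["at"].isoformat(),
        "user": request["user"],
        "asset": request["asset"],
        "protocol": request["protocol"],
        "allowed": allowed,
        "reason": reason,
    }


def sample_request(hour=10, **overrides):
    """Constructed vendor request at the given hour, with optional field overrides."""
    base = {"user": "vendor_tech", "role": "vendor_maintenance", "asset": "plc-boiler-01",
            "protocol": "ssh", "mfa": True, "at": datetime(2024, 3, 1, hour, 0)}
    base.update(overrides)
    return base


if __name__ == "__main__":
    print(decide(sample_request()))                                   # allowed
    print(decide(sample_request(hour=22)))                            # outside window
    print(decide(sample_request(role="plant_engineer", protocol="rdp")))  # not permitted
    print(decide(sample_request(mfa=False)))                          # mfa required
```

The ordering of the checks matters less than the shape: every branch that is not an explicit match ends in a denial, the asset inventory doubles as the list of reachable targets, and the audit record produced for each decision is what feeds the monitoring that CPG 8.0 and CPG 3.0 both depend on.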
As the only remote access solution truly purpose-built for OT, Claroty SRA empowers thousands of engineers, plant managers, and other security and operations personnel globally to reduce risk while optimizing workflows and driving resilience.