Fewer people working onsite due to the pandemic means critical infrastructure is at greater risk in industries like oil and gas, manufacturing, and utilities—and most organizations don’t have the right tools in place, according to Dave Weinstein, chief security officer at Claroty, a provider of OT software. “It’s not an indictment of them, it’s just the reality of operations in this new domain,” Weinstein said. “This is probably something that organizations have been struggling with prior to the coronavirus outbreak, it’s just more profound now.”
In an interview with TechRepublic, Weinstein discussed the importance of bridging the industrial cybersecurity gap between IT and OT environments. The interview has been edited for length and clarity.
Esther Shein: How good a job is IT doing at securing industrial systems as more employees are working remotely due to COVID-19 restrictions?
Dave Weinstein: They’re struggling, mainly because most organizations just don’t have the right tools to deal with this problem. Employees have to access systems remotely: Operational technology engineers, the people who work in plants and factories who are now, in many cases, not on site, but they still need to perform certain activities, whether they are around controlling the actual devices themselves, providing maintenance, or analytics.
IT security teams that are responsible for provisioning and monitoring access [to those systems] need to make sure there is an identity management solution in place so they know exactly who is on the other end. They need to be able to monitor those sessions in real time and if necessary, terminate them.
Esther Shein: What should security/IT teams be most concerned about now?
Dave Weinstein: Attack vectors are growing…and they’re more profound now in the coronavirus age given the fact that even fewer people are onsite. There is risk associated with provisioning these types of accesses. It continues to be the top threat vector based on what we’re seeing, based on targeted attacks on OT systems.
Esther Shein: What exactly is the risk with shared access?
Dave Weinstein: You have individuals with private access directly to operational technology networks and there’s no real security controls around that access—individuals are sharing passwords through emails and there’s not necessarily any unique identifications associated with those accesses.
Esther Shein: What, if any, mistakes are being made with remote access management?
Dave Weinstein: A lot of the blocking and tackling of remote access management isn’t happening, so there’s clearly a need for that; certainly in the coronavirus age, but even before the pandemic occurred and even after it goes away.
Historically, organizations have been able to get away with not adopting best practices with respect to secure remote access, for example, sharing passwords in plain text and unique IDs because the threat wasn’t heightened to the level it is today, and connectivity between OT and IT didn’t exist.
In the last three-to-four years that has changed and OT networks really need to adopt many of the controls that are present that we take for granted on the IT side…things like secure methods for managing passwords or having an identity and access management policy. With our systems you don’t need a password to initiate a session; we accomplish that through multiple ways of accessing the system, but ideally, we want to eliminate passwords. We enable organizations to initiate sessions by having the admin click a button and grant a request from a remote user, so the vetting occurs.
Once a session is terminated [the remote user] can’t get back in so it doesn’t grant an attacker persistent access with no means of detecting it. So permission needs to be granted for every individual session, and once it’s done, they’re out.
Esther Shein: Do you track threats to OT networks? What are you seeing?
Dave Weinstein: Generally speaking, most of the threats coming into the network from OT are exploiting what is a growing level of connectivity between IT and OT networks. Take manufacturing, for example. Manufacturers are embracing industry 4.0 digital transformation initiatives where they’ll bring data from the factory floor to the cloud to run analytics and hopefully, increase efficiencies and performance.
You used to have an isolated factory floor that was air gapped…and now there are so many systems connecting to OT infrastructure, so attackers are taking notes and after years of trying to attack OT networks directly, they’re compromising the IT network now using traditional attack techniques like spear phishing. Once it is compromised, they move laterally to the OT network.
Most of our efforts are around how we can secure that intersection of IT and IoT so [organizations] can essentially elevate barriers to entry. That’s the primary threat vector that we see—it’s that most of the threats that find their way to the OT network come from IT networks.
We’re also finding malware to be increasingly prevalent in OT environments. There’s a lot of IT devices like Windows machines on those networks and if they get infected, that will cause a loss of view and ultimately, bring down a plant. Our assessment is we’ll see more tailored ransomware for OT networks because it’s unfortunately proven to be a viable business model for cyber criminals and manufacturers and other organizations can’t afford downtime.
Esther Shein: What are some red flags to watch out for when using secure remote access to move data in and out of OT systems?
Dave Weinstein: One red flag is if a third party is performing operations outside of the normal window that might indicate a threat or anomaly. Another might be to examine the operations themselves and validate that whatever the third party or remote user is doing is in a particular scope of work.
Esther Shein: Besides encryption and two-factor authentication, what other good hygiene steps should IT be taking to protect against cyber threats from a remote work posture?
Dave Weinstein: Another would be VPN technology if available, and making sure folks are using it for things that are sensitive. And security teams also have to be aware of recent vulnerabilities associated with certain VPN solutions—they themselves have been hot targets for attackers. They need to make sure they’re running up-to-date VPN solutions and all patches have been applied. Other steps people can take at home are making sure they have secure passwords on wireless routers and running up-to-date equipment.
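As an editor's added illustration of two controls Weinstein describes above, per-session approval that leaves no persistent access once the session ends (his answer on remote access management) and the review red flags of work outside the normal window or outside the agreed scope (his answer on red flags), the Python sketch below is not Claroty's code and not part of the interview. The vendor name, action names, scope table, maintenance window and session records are all invented for the example.

```python
# Added example, not from the interview or any vendor product: a minimal
# per-session remote-access broker and a post-hoc review of session records.
from dataclasses import dataclass, field
from datetime import datetime, time
import secrets

# Hypothetical policy: what each third party is contracted to do, and the
# plant's normal maintenance window (assumed values, for illustration only).
ALLOWED_ACTIONS = {"acme-pumps": {"read_tags", "update_firmware"}}
MAINTENANCE_WINDOW = (time(8, 0), time(18, 0))


@dataclass
class Session:
    request_id: str
    user: str
    vendor: str
    approved_by: str
    active: bool = True
    actions: list = field(default_factory=list)  # (action, timestamp) pairs


class SessionBroker:
    """Every session needs an explicit admin approval; the token dies with it."""

    def __init__(self):
        self._pending = {}   # request_id -> (user, vendor, purpose)
        self._sessions = {}  # one-time token -> Session

    def request(self, user, vendor, purpose):
        rid = secrets.token_hex(4)
        self._pending[rid] = (user, vendor, purpose)
        return rid

    def approve(self, request_id, admin):
        # The "admin clicks a button" step: pop() means a request can be
        # approved once only, and an unknown id raises KeyError.
        user, vendor, _purpose = self._pending.pop(request_id)
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(request_id, user, vendor, admin)
        return token

    def act(self, token, action, at):
        s = self._sessions.get(token)
        if s is None or not s.active:
            raise PermissionError("no active approved session for this token")
        s.actions.append((action, at))
        return s

    def terminate(self, token):
        # Removing the token makes reuse impossible, so a stolen or cached
        # token gives an attacker nothing after the session closes.
        s = self._sessions.pop(token)
        s.active = False
        return s


def review(sessions):
    """Return the red flags: out-of-window activity and out-of-scope actions."""
    flags = []
    start, end = MAINTENANCE_WINDOW
    for s in sessions:
        allowed = ALLOWED_ACTIONS.get(s.vendor, set())
        for action, at in s.actions:
            if action not in allowed:
                flags.append(f"{s.request_id}: {action} is outside {s.vendor}'s scope of work")
            if not (start <= at.time() <= end):
                flags.append(f"{s.request_id}: {s.user}@{s.vendor} did {action} at "
                             f"{at:%H:%M}, outside maintenance window")
    return flags


def demo():
    """Two constructed vendor sessions; returns (reuse_blocked, review flags)."""
    broker = SessionBroker()

    rid = broker.request("jdoe", "acme-pumps", "quarterly firmware update")
    tok = broker.approve(rid, admin="plant-it-admin")
    broker.act(tok, "read_tags", datetime(2020, 4, 14, 10, 5))
    broker.act(tok, "write_setpoint", datetime(2020, 4, 14, 10, 7))  # not contracted
    first = broker.terminate(tok)
    try:
        broker.act(tok, "read_tags", datetime(2020, 4, 14, 11, 0))  # replayed token
        reuse_blocked = False
    except PermissionError:
        reuse_blocked = True

    rid2 = broker.request("jdoe", "acme-pumps", "firmware update, rescheduled")
    tok2 = broker.approve(rid2, admin="plant-it-admin")
    broker.act(tok2, "update_firmware", datetime(2020, 4, 15, 2, 30))  # 02:30
    second = broker.terminate(tok2)

    return reuse_blocked, review([first, second])


if __name__ == "__main__":
    blocked, flags = demo()
    print("token reuse blocked:", blocked)
    for f in flags:
        print("FLAG", f)
```

The broker side is the "permission per session, then they're out" property: approval consumes the request, and termination deletes the token, so there is no standing credential to steal or share by e-mail. The review side is the kind of check a security team would run over session records from its remote-access gateway; in practice the scope table and window would come from the vendor's statement of work and the plant's change calendar rather than constants in the script.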