Problems with VPNs for Operational Technology (OT)

Background

Over the last decade, VPNs have worked well to secure the confidentiality of remote users' access to the client or corporate network, but over the last few years there has been a paradigm shift towards remote work. Through this change, worker patterns have evolved from working one or two days at home to three or four.

The change in worker patterns, combined with digital transformation, has increased the pressure to secure critical remote operations against rapidly growing cyber threats. Organizations have been using IT tools to secure their operational technology systems, which puts those OT systems at risk. Operational technology systems can't be managed with traditional IT tools, because they require different security protocols and access controls before they can be securely accessed internally and externally by third parties and business partners. These systems are mission critical to large organizations, and support multi-million- and billion-dollar operations that require security and continuity on a 24/7 basis.

The problem with securing OT systems with VPNs

A VPN is an IT tool used to connect an IT head office to branch networks, protecting the connection from eavesdropping to ensure data confidentiality. In the cybersecurity CIA triad of Confidentiality, Integrity and Availability, Confidentiality is priority #1 for IT.
VPNs operate on the principle of trust: your connection to the remote site is confidential, but you have access to all devices on the remote network. This contradicts OT's priority #1, Availability, and it also contradicts the principle of Zero Trust. For maximum Availability in OT networks, you should only be able to reach the applications you're permitted to access; this prevents you, or an adversary, from reaching sensitive equipment and causing an Availability outage.
VPNs typically connect users to networks with high-value assets, so they are prized targets for adversaries and ransomware: compromise the technician, gain access to an entire subnet through the tunnel, and plant Command & Control software inside the protected perimeter to create a reverse SSH-type tunnel back to the attackers. Their job is then to find high-value servers, databases and applications (for example Engineering Workstations that control PLCs), as well as jump boxes connecting that subnet to other subnets.

Hackers are Exploiting VPN Weaknesses

CISA confirms Hive ransomware group gains access via VPN and RDP
  • Hive ransomware actors have victimized over 1,300 companies worldwide, receiving approximately US$100 million in ransom payments, according to FBI information.
MITRE ATT&CK details an adversary technique specific to targeting VPNs for easy network traversal
  • Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations.

VPNs put Critical Assets in Danger

VPNs operate on the principle of trust: once the user is authenticated, the user has access to all assets on the subnet inside the firewall perimeter. This gives technicians complete control of the target network, with the unrestricted ability to move laterally across it.
VPNs don't provide the visibility, auditability and granular control required to manage operational technology systems. Technicians have undocumented access to all systems within the target network. If a technician's laptop is compromised, the threat actor gains the same unrestricted, lateral control of every system that sits on the network.
VPNs provide little to no evidence of what technicians and third parties are accessing within the network. Have they accessed only their own systems? How much did they see? Can they see our corporate network? Who accessed what, and when?
OT cybersecurity has a strong bias for Availability in the cybersecurity triad: if an OT sensor becomes unavailable, human life can be impacted or a significant production outage can result. These outages have a widespread effect across the supply chain, resulting in significant financial losses, brand damage and reputational risk.
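To make the "entire subnet" versus "only the permitted application" distinction concrete, the following added example (not the page's or vendor's code) evaluates the same connection request under a VPN-style subnet grant and under a per-application allowlist, and records an audit entry for each decision so that "who accessed what, and when" can be answered. The OT inventory, the user name and the grants are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed OT segment inventory for the example: (host, ip, tcp port, role).
INVENTORY = [
    ("hmi-01", "10.20.0.10", 443, "HMI web interface"),
    ("ews-01", "10.20.0.20", 3389, "engineering workstation (RDP)"),
    ("plc-01", "10.20.0.30", 502, "PLC (Modbus/TCP)"),
    ("hist-01", "10.20.0.40", 1433, "historian database"),
    ("jump-01", "10.20.0.250", 22, "multi-homed jump box"),
]

# Hypothetical per-application grants: user -> set of (host, port) the user may reach.
GRANTS = {"vendor-tech": {("hmi-01", 443)}}

@dataclass
class AuditRecord:
    when: str
    user: str
    dst_ip: str
    dst_port: int
    decision: str  # "allow" or "deny"
    reason: str

AUDIT_LOG: list[AuditRecord] = []

def reach_vpn(subnet: str) -> set[tuple[str, int]]:
    """VPN model: every service inside the routed subnet is reachable after login."""
    net = ipaddress.ip_network(subnet)
    return {(ip, port) for _, ip, port, _ in INVENTORY if ipaddress.ip_address(ip) in net}

def reach_app(user: str) -> set[tuple[str, int]]:
    """Per-application model: only the (ip, port) pairs explicitly granted to this user."""
    ip_of = {host: ip for host, ip, _, _ in INVENTORY}
    return {(ip_of[host], port) for host, port in GRANTS.get(user, set())}

def authorize(reachable: set[tuple[str, int]], user: str, dst_ip: str, dst_port: int) -> bool:
    """Decide one connection against a reachability set and append an audit record."""
    allowed = (dst_ip, dst_port) in reachable
    AUDIT_LOG.append(AuditRecord(
        when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
        user=user, dst_ip=dst_ip, dst_port=dst_port,
        decision="allow" if allowed else "deny",
        reason="destination in reachability set" if allowed else "destination not granted",
    ))
    return allowed

if __name__ == "__main__":
    # A vendor technician who only needs the HMI: under the VPN model the PLC is reachable too.
    print("VPN model reaches", len(reach_vpn("10.20.0.0/24")), "services;",
          "per-app model reaches", len(reach_app("vendor-tech")))
```

The same request to the PLC (10.20.0.30:502) is allowed under the subnet grant and denied under the application grant, and both outcomes are recorded with user, destination and timestamp.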

The Evils of VPNs

01. They create a routable tunnel between two end-points. Once the tunnel is established, there is free, uninspected movement between the two end-points.
02. Carefully crafted social engineering campaigns identify high-value technicians; targeted spear-phishing then tricks the victim into downloading a malware payload, which gives the threat actor unimpeded access across the tunnel connecting the two or more organisations.
03. The threat actor can explore and move laterally, unchallenged, across the tunnel, gaining full access to the network segment inside the other perimeter.
04. Since VPN traffic is encrypted, it is typically not inspected, which makes malware propagation easy.
05. Since VPNs provide a tunnel to a network segment, the full destination network zone is exposed: a RAT activated behind the firewall can be used to compromise a multi-homed jump box and traverse to less secure network segments and more vulnerable OT systems and sensors.

Dull | Secure Remote Access

Understand how Dull's Secure Remote Access (SRA) secures your supply chain to your industrial control systems (ICS) operational technology (OT).

Secure remote access to managed devices, systems and applications
