There are times in life when you need to be in two places at once, while theoretically possible with quantum mechanics, that’s of little help or comfort at 02:35am when you receive a call needing to be on site to resolve downtime. Your equipment may be under maintenance with a 3rd party who is providing 24/7 support and the asset is in a sensitive area, or financial penalties for an on site out of hours visit are so high that other options need to be considered. Whatever your circumstance we have you covered.
While Virtual Private Networks (VPN) have been around and deployed for over 20 years for enterprise networks they are not as common for managing plant devices on OT networks. VPN’s connect remote devices directly to a target network, some risks can be mitigated by enforcing security settings on the endpoint, firewall rules and network segregation, however if you can gain access to one of these remote connections through nefarious means, an adversary is directly connected inside your network and potentially invisible.
Monitoring network activity may identify malicious activity within your network; however, network monitoring alone doesn’t always provide full details of activity during a connected session. For example, a secure connection to an asset will be tracked as a point to point connection, yet interactions that the engineer has been undertaking within the session is rarely monitored in real time, never mind recorded or integrated into network monitoring. If a 3rd party device is used for the connection then there is no monitoring at all other than the communication traffic that traverse the network, this may be encrypted and made obscure. Network monitoring is an essential part of the security toolset but there are improvements that can be made for these critical gateways.
Claroty Secure Remote Access (SRA) is like a VPN but acts as a security middle-layer between remote connections and industrial devices. Delivering a protocol break at the edge, connections are terminated and re-established from within the secure OT zone and graphically presented into the Enterprise zone. These in turn are then displayed upon the remotely connected device.
SRA provides full visibility and control over remote connections, before, during and after a remote session takes place. Dedicated workflows enable plant administrators to capture, manage and authorise access requests before a connection is even permitted. Session can be recorded and stored for compliance purposes and viewed in real time with “over the shoulder” monitoring, illicit actions which are observed can be identified and the session immediately terminated.
With the run-up to Christmas, consumers aren't the only ones looking to take advantage of Black Friday and Cyber Monday as online sales boom during the holiday season. Cyber criminals are increasingly exploiting the holiday period in order to conduct malicious spear-phishing campaigns designed to harvest credentials and deliver malware. Security researchers at Carbon Black warn that both individuals and organisations should expect to see a rise in attempted cyber-attacks during the holiday season, with the number of incidents having spiked in recent years.
Adversaries will always attempt to go for the low-hanging fruit. In January 2019, Troy Hunt announced the release of Collection #1, a data dump which contained credentials for 773 Million accounts. Collection #1 was just the start, by February Collection #2 through to #5 were also released which totalled 25 billion email address and passwords.
According to Recorded Futures, the average success rate by attackers using credential re-use, aka stuffing, is anywhere between one to three percent. Hence, for everyone million random combinations of emails and passwords, attackers can potentially compromise between 10,000 and 30,000 accounts.
Credential stuffing attacks could also represent a significant risk to Enterprise and OT security. Employees will sometimes register external accounts such as LinkedIn with their enterprise email and log-in. This is all very well until those credentials are breached upon a third-party site. This gives adversaries a golden opportunity to take over corporate accounts. Take control of email and you can often reset passwords on different platforms or masquerade as a trusted person within the organisation.
We know we should use a different password for every online service. We also know that most of us re-use passwords, because it's impossible to remember a different password for each service. Password managers are ideal tools to ease this burden but the best defence from an enterprise perspective is to enforce multi factor authentication.
Claroty Secure Remote Access eliminates the interaction between remote users and OT via a centralised management for all user credentials, keeping them safe and out of the hands of the end user. Strong credentials can be managed by system administrators, which are never released to the end user via password vaulting. Access can also be managed where passwords are not vaulted and only known by the end user. These methods can put a stop to known or shared passwords for multiple individuals or across 3rd party organisations.
SRA Authentication, Authorisation, and Accounting (AAA) which can be local, Active Directory integrated or federated through SAML 2.0. Credentials between the Enterprise administrators and OT administrators can be different delivering segregation of duties. Accounts can be protected using multi factor authentication using common tokens such as Google Authenticator, implement a unified security governance model leveraging existing security resources across both IT and OT.
Claroty SRA does not natively require additional software to be installed, access is provided securely over HTTPS through a HTML5 web browser such as Google Chrome or Microsoft Edge. This delivers a high degree of flexibility, providing engineering staff the ability to access critical assets securely and safely from anywhere, even their bed at 02:40am, establishing if the call out is necessary or if the fault can be cleared without a visit to site.
SRA fully integrates with the Claroty Continuous Threat Detection (CTD) platform to provide a holistic view in real time. Actions which may generate alerts from a connection upon SRA will be tied into the event feed and story lines of CTD to deliver a single interface for reporting or investigation.
Claroty’s technology has been tested, selected and adopted by the most influential industrial automation control vendors. Isn’t it about time you took back control of your network?
SolutionsPT are a Claroty preferred UK and Ireland distributor and platinum partner with over 30 years combined Industrial IT experience with in-depth knowledge of OT architectures. By taking a ‘secure by design’ approach, we deliver a long-term security architecture that is inherently secure against threats and can achieve compliance within your industry. Whether the design is for a new installation or an upgrade to existing operations, we help improve your security posture which will reduces your overall risk.