New Challenges in Remote Access for Operational Environments (OT)
This post is also available in: 
עברית (Hebrew)
By Or Shalom, security and cyber expert and adviser
OT environments are computing networks characterized by computerized processes operations and command & control, therefore they are more complex than classical IT environments. One can find these environments in production lines, critical infrastructures, power stations, pumps (water, sewage desalination), SCADA systems in ports, airports, hospitals, building operational systems (BMS), etc.
As such, they are vital and critical from an operational point of view, therefore attracting assailants to gain control in order to cause damage, harm the manufacturing or operational processes. This is why one of the classical and robust controls for such environments is their physical isolation from interfacing external networks and organizational networks. This isolation decreases the attack surface and creates a strong network separation to prevent logical connectivity to this environment.
The operational process is computerized, and includes monitoring and control features, therefore hacking is attractive. As a rule, the modes of operation and threat space for a cyber attack, gaining dominance and causing damage to OT systems, are based on modes of operation targeting the supply chain line (manufacturers, suppliers and service providers), internal threats (intent or by mistake), and side-channel attacks, and a constant mapping for locating interfaces for connection with the external networks in order to bridge and jump over environments.
When the attack surface is traced, the assailant can choose from a wide variety of interventions and changes in data, targeting the physical process itself by exploiting vulnerabilities and damaging the controller, as well as denial of service attacks. These attacks result in threats to human lives, security, environment, daily life (stopping work at ports, hospitals, etc.) and halting production lines and operations.
As said, one of the OT systems’ major characteristics is also the operation of a computerized process of self-control and the running of commands and processes. This means that as the action X process is completed, the system will know to move on to the next command and action according to necessity. Describing it simply as two process events, in one event the controller will identify (through a dedicated sensor) the chlorine dosage in a pool and provide water accordingly, and in the other event of operational control systems use – the fire distinction control system will identify the smoke, and will process the next command for water and foam spraying, etc.
Therefore, as the assailant sees it, there is an opportunity for offensive cyber to intervene by changing a value or action and influence the system, the procedural order/neutralization. This is achieved by feeding the wrong data or value, causing overload to the system, etc.
The COVID-19 crisis has imposed the need for remote access also in OT environments. Although it is not a trend, because the risks and advantages of the air gap and isolated network are still clear, there is a recent requirement and demand for technological responses.
The rationale for response requires a process of calculating the conditions and functional demands vs. the possible cyber attack surface. This work process, which on the one hand defines the need and on the other hand defines the risk, contributes in aspects of discussion and synergy of the organization’s cybersecurity teams with the computing teams, enabling the characterization of controls systematically, basing on a clear rationale.
For example, let’s look at the operational need to open a remote supplier support for software updates and solving problems in the operational OT systems in the organization. Currently, it is clear that this capability might widen the attack surface in the following major channels: risks emanating from adverse man in the middle (MITM) awaiting or mapping this connectivity to the internet (through tools such as Shodan), taking advantage and manipulating for deception (impersonating to a software company), threats from end-users in a support-providing company, etc.
The art of risk management, the security response and the controls are measured through the balance with the user experience while minimizing functional influences, user’s experience, and working time. Therefore, the more we add controls – we might bring about technological complexity and cumbersome work processes.
According to this method, choosing the controls should be directed to strong and broadside controls so that their integration will provide security against several threats. The integration of multi-factor authentication (MFA) into the identification process will provide a broad response for several threats presented at specific attack scenarios.
Of course, one should integrate controls to secure and encrypted channels, make efforts that the connection would not be applied directly to the operational environment (the alternative: a dedicated environment for updates or connecting damaged components and controllers). Also, the need for the cancellation of irrelevant applications and software (e.g. external email). The integration of recording along the support process (for documentation and forensic investigation purposes), the prevention of uncontrolled programming or changing of logics regarding the controllers, and of course, the disconnection of the environment from the internet after the initiation of a connection to the net for support and problem-solving.
Among the sources: trendmicro.com ics-cert.kaspersky.com
Or Shalom – Security and cyber expert and adviser to government entities and defense industries. He holds a master’s degree, as well as civil and national qualifications in the realm of information security and cyber. He has experience in developing cyber risk mitigation plans for companies and organizations, as well as experience with business development in the cyber fields. Mr. Shalom has led various professional cyber programs to various entities in academia and the civilian and security industries.
