New research by Claroty’s Team82 revealed that 55 percent of OT (operational technology) environments utilize four or more remote access tools, increasing the attack surface and operational complexity and providing varying degrees of security. Additionally, the study found that organizations aiming to boost efficiency in OT are inadvertently creating significant cybersecurity risks and operational challenges. Such exposures pose a significant threat to companies and are compounded by excessive demands for remote access from employees, as well as third parties such as vendors, suppliers, and technology partners.
Team82’s research also found that a staggering 79 percent of organizations have more than two non-enterprise-grade tools installed on OT network devices, creating risky exposures and additional operational costs. These tools lack basic privileged access management capabilities such as session recording, auditing, role-based access controls, and even basic security features such as multi-factor authentication (MFA). The consequence of utilizing these types of tools is increased, high-risk exposures and additional operational costs from managing a multitude of solutions.
In a report titled ‘The Problem with Remote Access Sprawl,’ Claroty’s Team82 researchers looked at a dataset of more than 50,000 remote access-enabled devices across a subset of its customer base, focusing exclusively on applications installed on known industrial networks running on dedicated OT hardware. It disclosed that the sprawl of remote access tools is excessive within some organizations.
“Since the onset of the pandemic, organizations have been increasingly turning to remote access solutions to more efficiently manage their employees and third-party vendors, but while remote access is a necessity of this new reality, it has simultaneously created a security and operational dilemma,” Tal Laufer, vice president products secure access at Claroty, said in a media statement. “While it makes sense for an organization to have remote access tools for IT services and for OT remote access, it does not justify the tool sprawl inside the sensitive OT network that we have identified in our study, which leads to increased risk and operational complexity.”
Team82 also disclosed that nearly 22% of OT environments use eight or more remote access tools, with some managing up to 16. “While some of these deployments are enterprise-grade solutions, we’re seeing a significant number of tools used for IT remote access; 79% of organizations in our dataset have more than two non-enterprise grade remote access tools in their OT environment,” it added.
It also noted that most of these tools lack the session recording, auditing, and role-based access controls that are necessary to properly defend an OT environment. Some lack basic security features such as multi-factor authentication (MFA) options or have been discontinued by their respective vendors and no longer receive feature or security updates.
Others, meanwhile, have been involved in high-profile breaches. TeamViewer, for example, recently disclosed an intrusion, allegedly by a Russian APT threat actor group. Known as APT29 and CozyBear, the group accessed TeamViewer’s corporate IT environment using stolen employee credentials. AnyDesk, another remote desktop maintenance solution, reported a breach in early 2024 that compromised its production systems. As a precaution, AnyDesk revoked all user passwords and code-signing certificates, which are used to sign updates and executables sent to users’ machines.
The Team82 report frames the impact of tool sprawl in two ways. On the security front, it detailed that remote access tool sprawl adds to an organization’s attack surface and exposures, as software vulnerabilities and supply-chain weaknesses must be managed across as many as 16 different tools. IT-focused remote access solutions also often lack security features, such as MFA, auditing, session recording, and access controls, that are native to OT remote access tools.
On the operational side, the researchers found that the lack of a consolidated set of tools increases monitoring and detection inefficiencies and reduces response capabilities. They also found that missing centralized controls and security policy enforcement open the door to misconfigurations, deployment mistakes, and inconsistent security policies that create exploitable exposures, and that more tools mean a much higher total cost of ownership, not only in initial tool and hardware outlay but also in the time needed to manage and monitor diverse tools.
While many of the remote access solutions found in OT networks may be used for IT-specific purposes, their presence within industrial environments can create critical exposure and compound security concerns. These typically include a lack of visibility: where third-party vendors connect to the OT environment using their own remote access solutions, OT network administrators and security personnel who are not centrally managing these solutions have little to no visibility into the associated activity. They also include an increased attack surface, wherein more external connections into the network via remote access tools mean more potential attack vectors through which substandard security practices or leaked credentials can be used to penetrate the network.
Lastly, it includes complex identity management, as multiple remote access solutions require a more concentrated effort to create consistent administration and governance policies surrounding who has access to the network, to what, and for how long. This increased complexity can create blind spots in access rights management.
In its conclusion, the Team82 report calls upon organizations to combat the risks and inefficiencies of remote access tool sprawl. It suggests beginning with complete visibility into their OT networks to understand how many and which solutions are providing access to OT assets and ICS (industrial control systems). Engineers and asset managers should actively seek to eliminate or minimize the use of low-security remote access tools in the OT environment, especially those with known vulnerabilities or those lacking essential security features such as MFA.
Furthermore, organizations should align on security requirements, especially across the supply chain, and require security standards from third-party vendors whenever possible. OT security teams should govern the use of remote access tools connected to OT and ICS and, ideally, manage them through a centralized management console operating under a consolidated access control policy. This supports alignment on security requirements and, whenever possible, extends those standardized requirements to third-party vendors in the supply chain.
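To make the visibility step concrete, here is an added example (not code from the Team82 report or from Claroty) that scores a constructed OT remote-access inventory against the report's own thresholds: four or more distinct tools, eight or more, more than two non-enterprise-grade tools, and tools missing MFA, session recording, auditing or role-based access control or no longer supported by their vendor. The tool names and the device inventory are constructed placeholders.

```python
# Added example: assess remote-access tool sprawl in an OT inventory using the
# thresholds described in the Team82 report. Inventory and tool names are constructed.
from dataclasses import dataclass, field

# Privileged-access controls the report names as necessary for OT remote access.
REQUIRED_CONTROLS = {"mfa", "session_recording", "auditing", "rbac"}


@dataclass
class Tool:
    name: str
    enterprise_grade: bool
    controls: set = field(default_factory=set)  # controls the tool provides
    vendor_supported: bool = True                # False if discontinued / no updates


def missing_controls(tool: Tool) -> set:
    """Required controls this tool does not provide."""
    return REQUIRED_CONTROLS - tool.controls


def low_security(tool: Tool) -> bool:
    """A tool is a removal candidate if unsupported or missing any required control."""
    return not tool.vendor_supported or bool(missing_controls(tool))


def assess(inventory: dict) -> dict:
    """inventory maps OT device name -> list of Tool installed on it."""
    seen = {t.name: t for tools in inventory.values() for t in tools}
    distinct = len(seen)
    non_ent = sum(1 for t in seen.values() if not t.enterprise_grade)
    return {
        "distinct_tools": distinct,
        "sprawl_4_plus": distinct >= 4,      # 55% of environments in the study
        "sprawl_8_plus": distinct >= 8,      # 22% of environments in the study
        "non_enterprise_grade": non_ent,
        "excess_non_enterprise": non_ent > 2,  # 79% of organizations in the study
        "remove_first": sorted(n for n, t in seen.items() if low_security(t)),
    }


FULL = {"mfa", "session_recording", "auditing", "rbac"}
INVENTORY = {  # constructed sample: three OT devices, five distinct tools
    "plc-line1-hmi": [Tool("VendorOTAccess", True, set(FULL)),
                      Tool("LegacyRemote", False, {"rbac"}, vendor_supported=False)],
    "eng-workstation-2": [Tool("VendorOTAccess", True, set(FULL)),
                          Tool("ITDesktopTool", False, {"mfa"}),
                          Tool("QuickSupportX", False, set())],
    "historian": [Tool("ITDesktopTool", False, {"mfa"}),
                  Tool("AdminShellY", False, {"auditing", "rbac"})],
}

if __name__ == "__main__":
    for key, value in assess(INVENTORY).items():
        print(f"{key}: {value}")
```

Distinct tools are counted across the whole environment, since the report's thresholds describe environments, not individual devices.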