It has been reported that researchers at an Israeli operational technology (OT) company have discovered multiple critical vulnerabilities in two popular industrial remote access software solutions. The flaws can be used to access industrial production floors, break into company networks, tamper with data, or steal highly sensitive trade secrets.
The flaws recently discovered by security researchers underscore the importance of independently monitoring ICS systems. Products that provide remote access, VPN connectivity, firewalling, etc. face the same challenge as any other technology: staying ahead of the attackers and being as cyber resilient as possible. However, there can be a window of opportunity for the attackers while systems are being patched and mitigations are put into place.
Furthermore, if there are combined tools, like remote access + monitoring, it’s a double whammy, because the operator may not know whether attackers took advantage of the flaws before the systems were patched. Additionally, an even more common issue is misconfiguration of cybersecurity products, allowing attackers to bypass systems without taking advantage of flaws at all. In the case of an advanced persistent threat (APT), if the Secure Remote Access (SRA) solution or VPN is successfully preventing the attacker from gaining access, they will resort to other methods. In any case, it’s critical for operators to think in terms of being in a constant state of recovery, not to assume that their walls are impenetrable. It’s not if they get hacked, it’s when. Once this mindset is embraced, it’s easy to see that ongoing monitoring by an independent, third-party technology is key to maintaining visibility and control of ICS systems.
Monitoring all the activities of the SRA solutions, the VPN tunnels and all of the industrial control system traffic, knowing what’s allowed to traverse which network zone, and combining that with anomaly detection, attack signature matching and malware sandboxing enables facility operators to prevent or minimise the impact of a failure in those cybersecurity boundaries. Hardening the target is also an important part of reducing the impact of the discovered flaws: developing a detailed asset inventory, complete with identified vulnerabilities and the necessary mitigation plans for the ICS systems. But, at the very least, maintaining independence between the remote access technologies and the cybersecurity monitoring technologies is important, especially in the midst of discoveries such as these.
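As an added illustration of the "know what’s allowed to traverse which zone" part of that monitoring (this is example code written for this page, not any vendor’s product or the researchers’ work), the following Python script runs a zone-boundary allow-list and a learned baseline of remote-access sources over a handful of constructed flow records. The zone address ranges, the allow-list triples, the flow-log line format and the sample records are all assumptions made up for the example; the point is that a monitor sitting outside the remote-access product can still flag a remote session reaching a PLC directly, or a never-before-seen remote source, even if the remote-access product itself has been compromised or misconfigured.

```python
"""Independent zone-policy monitor over ICS flow records (added example).

All zone ranges, policies and flow lines below are constructed for
illustration; adapt them to a real site's asset inventory and zone model.
"""
import ipaddress

# Constructed zone model (assumption): a Purdue-style layering with a
# remote-access landing zone, a DMZ with a jump host, a control zone with
# HMIs/engineering workstations, and a process zone with PLCs.
ZONES = {
    "remote_access": ipaddress.ip_network("10.10.0.0/16"),
    "dmz":           ipaddress.ip_network("10.20.0.0/16"),
    "control":       ipaddress.ip_network("10.30.0.0/16"),
    "process":       ipaddress.ip_network("10.40.0.0/16"),
}

# Constructed boundary allow-list (assumption): which
# (source zone, destination zone, protocol/port) triples may cross a boundary.
ALLOWED_FLOWS = {
    ("remote_access", "dmz", "tcp/443"),     # remote users land on the DMZ portal
    ("dmz", "control", "tcp/3389"),          # jump host into the control zone
    ("control", "process", "tcp/502"),       # Modbus/TCP from HMI to PLC
}

# Constructed flow log lines (assumption): "<timestamp> <src_ip> <dst_ip> <proto>/<port>"
SAMPLE_FLOWS = [
    "2024-01-01T10:00:00Z 10.10.0.5  10.20.0.10 tcp/443",   # allowed
    "2024-01-01T10:00:05Z 10.20.0.10 10.30.0.20 tcp/3389",  # allowed
    "2024-01-01T10:00:09Z 10.30.0.20 10.40.0.7  tcp/502",   # allowed
    "2024-01-01T10:01:00Z 10.10.0.5  10.40.0.7  tcp/502",   # remote user straight to a PLC
    "2024-01-01T10:02:00Z 10.10.0.99 10.20.0.10 tcp/443",   # allowed path, unknown remote source
]

# Constructed learned baseline (assumption): remote-access sources seen before.
BASELINE_REMOTE_SOURCES = {"10.10.0.5"}


def zone_of(ip):
    """Map an IP address to its zone name, or 'unknown' if it is outside the model."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    """Parse one constructed flow-log line into a dict."""
    ts, src, dst, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto}


def evaluate_flows(lines, baseline_sources):
    """Return alerts for cross-zone flows not on the allow-list and for
    remote-access sources not present in the learned baseline."""
    alerts = []
    for line in lines:
        f = parse_flow(line)
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        if src_zone == dst_zone:
            continue  # intra-zone traffic is outside boundary policy scope
        base = {"ts": f["ts"], "src": f["src"], "dst": f["dst"],
                "src_zone": src_zone, "dst_zone": dst_zone, "proto": f["proto"]}
        if (src_zone, dst_zone, f["proto"]) not in ALLOWED_FLOWS:
            alerts.append(dict(base, kind="policy_violation"))
        if src_zone == "remote_access" and f["src"] not in baseline_sources:
            alerts.append(dict(base, kind="new_remote_source"))
    return alerts


if __name__ == "__main__":
    for a in evaluate_flows(SAMPLE_FLOWS, BASELINE_REMOTE_SOURCES):
        print(f"{a['ts']} {a['kind']}: {a['src']} ({a['src_zone']}) -> "
              f"{a['dst']} ({a['dst_zone']}) {a['proto']}")
```

Run against the constructed records, the monitor raises two alerts: a policy violation for the remote-access host talking Modbus directly to a process-zone PLC, and a new-source alert for the remote address that has never appeared in the baseline. Neither check depends on anything the remote-access product reports about itself, which is the independence argument made above; in practice the zone model and allow-list would be derived from the asset inventory rather than hand-written.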