Remote connectivity has brought many benefits to industrial organizations — from faster response times to lower costs. However, the growth of remote workforces and digital transformation have been accompanied by an alarming rise in cyberthreats targeting operational technology (OT) and industrial control systems (ICS). The risk of disruptive cyberattacks and potentially disastrous ransomware threatens productivity, safety, and reliability. Yet despite the escalating risks, many industrial organizations continue to rely on traditional secure remote access (SRA) solutions to provide remote connectivity to OT environments and critical infrastructure.
Analyst firm Gartner® recognized the severity of this issue in a recent report, entitled Innovation Insight: CPS Secure Remote Access Solutions. The report states, “Historical VPN and jump-server-based approaches have proven increasingly unsecure and complex to manage. They also often lack the granularity to provide access to a single device, providing access to the entire network instead.”[1]
In this multi-part blog series, we will examine a variety of widely used remote access solutions and how they fail to ensure the level of security and control that industrial organizations require. We will also introduce various aspects and capabilities of Cyolo's unique approach to securing remote access to OT assets. Here in part one, our concentration will be on the VPN and its security shortcomings.
VPNs are increasingly under attack by bad actors. According to a 2023 survey on VPN risk, “nearly half of organizations reported they have been targeted by cyber attackers who were able to exploit a VPN vulnerability like outdated protocols or data leaks, with one in five experiencing an attack in the past year.”
To give just one example, earlier in 2024 Global Affairs Canada “was the victim of a data breach when one of its Virtual Private Networks (VPN) — which Canada-based workers use to securely connect to GAC’s Ottawa headquarters — was ‘compromised’ for over one month.” Email traffic as well as personal and shared files may have been exposed as a result of this breach.
So far, compromised VPNs have led to fewer attacks on industrial organizations, although the infamous 2021 Colonial Pipeline incident was ultimately determined to have been the result of a leaked password that had access to a VPN. This case perfectly illustrates how attacks on VPNs used in an information technology (IT) context can lead to physical consequences for OT assets and critical infrastructure.
Security has never been the primary function of the VPN. As the word “private” in the name reflects, VPNs were designed to enable online anonymity. Still, as the internet became increasingly vital to business, organizations began adopting VPNs to allow employees and third-party vendors to access internal resources while away from the office.
VPNs work by effectively tunneling into the corporate perimeter from outside. Once on the inside, users can access all applications and assets just as though they were at the office. This is unquestionably convenient; however, VPNs simply replicate the outdated castle-and-moat security model, which places defenses at network entry points but not throughout the entire network or connectivity cycle. Even now that many VPNs require multi-factor authentication (MFA) as a layer of protection against unauthorized access, they remain far too vulnerable to cyberattacks and offer no visibility or control once a user is authenticated and granted access to the network.
Following an initial verification process, most VPNs put the authenticated remote user directly onto the network with access to all assets, in effect extending the network perimeter. Unless added security measures and controls are in place, any user or device that enters via the VPN will be able to freely roam the network, moving laterally as they please and accessing even the most sensitive resources at will.
As we have seen play out numerous times over the years, attackers who manage to connect through the VPN can take advantage of this network-level access to spread malware and wreak havoc. This is far from ideal for any company, but it is particularly dangerous for industrial organizations. An attacker with access to the critical systems contained in many OT environments could conceivably take control of vital processes and put human life and safety at risk.
By offering “all-or-nothing” network-level access, VPNs provide too wide a berth for cybercriminals (or disgruntled employees) to cause devastating damage across the organization.
The Cyolo PRO advanced secure remote access solution grants access according to the principle of least privilege and never permits access to the full network. Users receive access to the applications and assets they need to do their jobs and nothing more. By enforcing zero-trust access, Cyolo PRO mitigates the risks of unauthorized access and limits the amount of harm an attacker could cause even if they were to gain access. Cyolo PRO also effectively thwarts the spread of malware across the entire network because no one, including legitimate verified users, has that level of access.
Application-level access not only plays a key role in limiting the “success” of cybercriminals but also serves as a safeguard against malicious employees, former employees whose access was never revoked, and well-intentioned employees who succumb to the greatest cybersecurity threat of all — human error. When every user and device is restricted to only the necessary access, the organization as a whole is safer and more secure.
Beyond securing the initial point of access, industrial organizations need visibility into and control over what is happening throughout the entire remote session. This is another area where VPNs fall short.
As we’ve already noted, after VPN users enter a correct password and potentially a second authentication factor, they are essentially placed inside the network perimeter with no additional checks or controls provided. VPNs offer no features to detect or respond to unusual activity (which could be malicious), and they cannot block behaviors that might increase risk (such as uploading and downloading files). Some VPNs may provide audit logs, but it is left to security teams to manually piece together activities into a complete picture of a remote user’s actions. In addition, VPNs lack important supervisory/oversight controls such as session recording and supervised access.
Cyolo PRO offers full visibility and oversight for the entirety of all remote sessions. This begins with continuous authorization, which serves as an added layer of access control that helps identify unauthorized actors who may have found a way to pass the initial verification process. Just-in-time access (JIT) can be enabled to limit sessions to a certain duration or to grant temporary access to critical systems and resources.
Connectivity controls restrict the actions that can be performed in a much more granular way than is possible with a VPN. For instance, third-party vendors may have access to view a certain resource but not to copy or paste data or to perform an upload (thus blocking malware). Finally, Cyolo PRO gives admins a wide range of supervisory controls, including session recording, supervised access for risky users or those connecting to critical systems, and the ability to terminate sessions in real time if unusual behavior is detected. All activity is fully logged and audited for compliance and incident response purposes.
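The difference between the two models described above (a single login that reaches every asset versus per-application grants with a time window, an action allowlist, revocation and an audit trail) is easiest to see in code. The following is an added example written for this post, not Cyolo's code or any description of how Cyolo PRO is implemented; the users, application names, grant windows and actions are constructed for illustration.

```python
"""Added example, not Cyolo's code: a toy policy evaluator contrasting
VPN-style network-level access with application-level, just-in-time (JIT),
action-restricted access plus an audit trail. Users, applications, and
policy windows below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    user: str
    app: str                    # one named application, never a whole subnet
    allowed_actions: frozenset  # e.g. {"view"} or {"view", "upload"}
    expires_at: datetime        # end of the JIT window
    supervised: bool = False    # session must be watched / recorded


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def network_level_access(user: str, authenticated: set) -> bool:
    """VPN-style model: one successful login reaches every asset."""
    return user in authenticated


class AppAccessPolicy:
    """Application-level model: every action is re-checked against a grant."""

    def __init__(self, grants):
        self.grants = {(g.user, g.app): g for g in grants}
        self.audit = []  # one record per decision, for incident response

    def revoke(self, user: str) -> None:
        """Drop every grant for a user (e.g. an offboarded vendor)."""
        self.grants = {k: g for k, g in self.grants.items() if g.user != user}

    def evaluate(self, user: str, app: str, action: str, now: datetime) -> Decision:
        grant = self.grants.get((user, app))
        if grant is None:
            d = Decision(False, "no grant for this application")
        elif now >= grant.expires_at:
            d = Decision(False, "JIT window expired")
        elif action not in grant.allowed_actions:
            d = Decision(False, f"action {action!r} not permitted")
        else:
            d = Decision(True, "supervised" if grant.supervised else "ok")
        self.audit.append((now.isoformat(), user, app, action, d.allowed, d.reason))
        return d


def run_demo() -> dict:
    """Exercise both models on a constructed scenario; returns the outcomes."""
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    policy = AppAccessPolicy([
        # Vendor may only view one HMI, for two hours, under supervision
        Grant("vendor-alice", "hmi-line3", frozenset({"view"}),
              t0 + timedelta(hours=2), supervised=True),
        # Staff engineer may view and write to one PLC during the shift
        Grant("eng-bob", "plc-line3", frozenset({"view", "write"}),
              t0 + timedelta(hours=8)),
    ])
    results = {
        # VPN-style: the authenticated vendor can reach the historian as well
        "vpn_vendor_reaches_historian": network_level_access("vendor-alice", {"vendor-alice"}),
        # Application-level checks
        "vendor_view_hmi": policy.evaluate("vendor-alice", "hmi-line3", "view", t0).allowed,
        "vendor_upload_hmi": policy.evaluate("vendor-alice", "hmi-line3", "upload", t0).allowed,
        "vendor_view_historian": policy.evaluate("vendor-alice", "historian-db", "view", t0).allowed,
        "vendor_after_jit": policy.evaluate("vendor-alice", "hmi-line3", "view",
                                            t0 + timedelta(hours=3)).allowed,
        "bob_write_plc": policy.evaluate("eng-bob", "plc-line3", "write", t0).allowed,
    }
    policy.revoke("eng-bob")  # former employee: the grant actually disappears
    results["bob_after_revoke"] = policy.evaluate("eng-bob", "plc-line3", "write", t0).allowed
    results["audit_records"] = len(policy.audit)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point of the toy is structural: in the network-level model the only decision is the login, so there is nothing left to deny or record afterwards; in the application-level model each request carries enough context (who, which application, which action, when) to be denied, time-boxed, revoked, or reviewed later from the audit list.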
By definition, VPNs require an internet connection. This means that they cannot be used to provide access into offline OT environments.
Cyolo PRO facilitates secure access to every type of environment – cloud-connected/online, cloud-averse, on-premises, and fully offline. Even OT environments that are disconnected from the internet and all other networks can use Cyolo PRO to allow users and devices to connect in a safe and secure manner.
OT systems operate atop a range of insecure protocols that were originally designed for closed, isolated environments – not for exposure to the outside world. Many industrial protocols, such as Modbus and DNP3, have no built-in security, which leaves them at risk of exploitation by malicious users connected through a VPN. The same dangers exist due to weaknesses in remote protocols (like RDP or SMB), frequently encapsulated in VPN tunnels.
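Because Modbus/TCP carries no authentication field at all, a monitor watching traffic to a PLC has only the source address and the function code to work with. The following added example (written for this post, not code from Cyolo or any Modbus library) parses the MBAP header and function code of constructed sample frames and raises an alert when a write request does not originate from an allow-listed engineering workstation; the IP addresses, the PLC and the frames are all constructed.

```python
"""Added example, not from the post: a small Modbus/TCP inspector that parses
the MBAP header and function code and flags write requests to a PLC from any
source that is not an allow-listed engineering workstation. Addresses and
frames are constructed sample data."""
import struct

# Public function codes for the common read and write requests
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


def parse_mbap(frame: bytes) -> dict:
    """Split a Modbus/TCP request into MBAP header fields and the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:   # length covers unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


def describe_write(fc: int, data: bytes) -> str:
    """Human-readable summary of the target of a write request."""
    if fc in (5, 6):
        addr, value = struct.unpack(">HH", data[:4])
        return f"address {addr} value 0x{value:04X}"
    if fc in (15, 16):
        addr, qty = struct.unpack(">HH", data[:4])
        return f"start {addr} count {qty}"
    return ""


def inspect_capture(records, allowed_writers: set) -> list:
    """records: iterable of (src_ip, dst_ip, frame). Returns alert dicts."""
    alerts = []
    for src, dst, frame in records:
        try:
            msg = parse_mbap(frame)
        except ValueError as exc:
            # Malformed frames are worth an alert on their own
            alerts.append({"src": src, "dst": dst, "kind": "malformed", "detail": str(exc)})
            continue
        fc = msg["function"]
        if fc in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append({"src": src, "dst": dst, "kind": "unauthorized-write",
                           "function": WRITE_FUNCTIONS[fc], "unit": msg["unit"],
                           "detail": describe_write(fc, msg["data"])})
    return alerts


# Constructed sample traffic toward a PLC at 10.0.1.20 (hex-encoded frames):
# MBAP = transaction id, protocol id, length, unit id; then function code + data
SAMPLE_CAPTURE = [
    # HMI reads 10 holding registers from address 0 (benign)
    ("10.0.1.10", "10.0.1.20", bytes.fromhex("00010000000601030000000A")),
    # Engineering workstation writes register 16 := 1 (allow-listed)
    ("10.0.1.5", "10.0.1.20", bytes.fromhex("000200000006010600100001")),
    # Remote-access address writes coil 2 := ON (not allow-listed)
    ("10.8.0.23", "10.0.1.20", bytes.fromhex("00030000000601050002FF00")),
    # Same address writes 2 registers starting at 32 (not allow-listed)
    ("10.8.0.23", "10.0.1.20", bytes.fromhex("00040000000B0110002000020400010002")),
    # Length field claims 9 bytes but only 6 follow (malformed)
    ("10.8.0.23", "10.0.1.20", bytes.fromhex("000500000009010300000001")),
]

ALLOWED_WRITERS = {"10.0.1.5"}  # constructed: the engineering workstation


def run_demo() -> list:
    """Inspect the constructed capture and return the alerts raised."""
    return inspect_capture(SAMPLE_CAPTURE, ALLOWED_WRITERS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The check is deliberately coarse: nothing in the frame itself says who sent it, so a source-address allowlist is the only control the protocol leaves room for, and it only works if the monitor can see the traffic at all. That is the visibility the post argues a VPN tunnel does not give you.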
A large industrial automation vendor called attention to this issue just this week when it released a security notice advising “customers to take ‘immediate’ action and check whether any devices that are not specifically designed for public connectivity are exposed to the web.” The recommendation is to proactively disconnect any such devices.
Needless to say, most organizations today have become dependent on connectivity and remote access. There will be no return to isolation, which is precisely the reason that more effective and secure remote access solutions, like Cyolo PRO, are needed.
Unlike a VPN, Cyolo PRO can securely connect industrial protocols. In addition to providing granular access on an individualized application-level (as noted above), the solution’s zero-trust architecture provides the controls needed to connect safely.
Cyolo PRO encapsulates all application traffic in outbound port 443 (HTTPS) and does not require the opening of any inbound ports. No network changes are required because all internal network infrastructure is hidden from the platform.
A VPN relies on an agent: a VPN client, a piece of installed software that runs autonomously in the background of a device. Agents are not inherently bad, but they can be problematic when it comes to securing access for third-party vendors, technicians, and contractors.
Industrial enterprises tend to rely heavily on support from third parties, and it is crucial that these third parties can securely access the critical resources they’ve been hired to work on. Third-party vendors frequently use their own devices, and forcing them to install a VPN is not practical, particularly for vendors who work with dozens of different companies operating many different VPNs. If a key subset of users is unwilling to install an organization’s VPN, it clearly is not a tool that can be depended on to provide remote access.
Securing third-party access is one of the primary challenges Cyolo PRO was designed to solve. The solution is agentless, enabling third parties to easily connect with no downloads needed. Admins also face less of a burden as they can add new users to the correct access policies with only a few clicks.
Besides being a much more convenient remote access solution for vendors to onboard and work with, all of the security capabilities and controls we’ve already highlighted are especially important when it comes to third-party access. Third parties typically work on unmanaged devices and are not beholden to internal security policies and best practices. When they connect remotely via VPN, their activity is largely unmonitored and organizations are left at significant risk. With its access, connectivity, and supervisory controls, Cyolo PRO allows organizations to monitor and oversee third-party connections from the initial access point through to the session termination.
By redefining secure remote access for OT with an extensive set of features and functions tailored to the distinctive needs of industrial organizations, Cyolo PRO solves all the major security shortcomings of the VPN. In addition to its security advantages, Cyolo PRO also overcomes the issue of VPN latency with fast, reliable connections that increase productivity and keep both users and admins happy.
Check out part two of this blog series, in which we explore the weaknesses of the jump server as a secure remote access solution.
[1] Gartner, Innovation Insight: CPS Secure Remote Access Solutions, Katell Thielemann, Abhyuday Data, Wam Voster, 18 April 2024.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
Author
Jennifer Tullman-Botzer is a cybersecurity nerd by day and a history nerd by night. She has over a decade of experience in cybersecurity marketing and is as tired as you are of hackers-in-hoodies stock images. Jennifer joined Cyolo in 2021 and currently serves as Head of Content. Prior to Cyolo, she worked in a variety of marketing roles at IBM Security. She lives in Tel Aviv, Israel.