Operational Technology (OT) Cybersecurity: 4 Best Practices

April 6, 2021


Operational technology (OT) is responsible for critical physical processes that, if breached, could have catastrophic consequences, including loss of life. OT encompasses supervisory control and data acquisition (SCADA), industrial control systems (ICS), and distributed control systems (DCS). Emergency services, water treatment plants, traffic management, and other critical infrastructure rely on operational technology to function properly.

Cyber-attacks on critical OT infrastructure have been on a steep upward trajectory, increasing 2000% in recent years. Audacious attacks have been launched on everything from nuclear plants to water treatment facilities. The poisoning attempt at a Florida water treatment facility was particularly alarming because of how easily the attacker gained sensitive access as a result of inadequate password management, and how, with a few unsophisticated actions in a consumer-grade remote access tool already present in the environment, they were able to instruct the system to raise the amount of lye (sodium hydroxide) in the water.

Why Cyber Risk to OT Systems is Increasing

For many years, industrial systems relied on proprietary protocols and software, were managed and monitored manually by on-site staff, and were not directly connected to the public Internet. In those days, infiltrating an OT system generally required physical access to a terminal, which was no easy task. OT and IT (information technology) were barely integrated and did not face the same kinds of vulnerabilities.

Today, it is a starkly different story: more industrial systems are being brought online to deliver big data and smart analytics, and to adopt new capabilities and efficiencies through integration with other technologies. This transition from closed to open systems has generated a slew of new security risks that threat actors are actively targeting, often with success, and that need to be addressed.

As industrial systems become more connected, they also become more exposed to vulnerabilities. Add legacy equipment, safety regulations that may prohibit any modifications being made to equipment, and compliance regulations that require sensitive data to be made available to third parties, and you have quite a challenge on your hands.

Additionally, remote vendors, employees (operators), suppliers, and other contractors often access OT systems remotely to perform legitimate maintenance and other actions. Remote vendors and employees have further complicated the situation by using personal devices (BYOD) and working from home networks that are not properly hardened. These remote connections have blurred the IT-OT segmentation and expanded the attack surface, providing new entry points for attackers to exploit.

Often, VPNs are used for privileged remote worker or vendor access, but this is an inappropriate and insecure use of a VPN: VPNs lack granular access controls and cannot monitor or manage what happens inside a session. A VPN provides a secure tunnel from one location to another, but what it grants is network-level access; once the tunnel is up, the user's reach is bounded only by whatever network and host controls sit behind it, not by their identity or task, which is hard to justify for any sensitive environment, let alone OT systems. Of all users, privileged users, whether employees or vendors, pose the greatest risk, because an attacker who compromises one of them can ride whatever privileges that worker holds to move laterally from the IT network to the OT and ICS systems on the production floor. Once inside the ICS network, attackers can potentially monitor and manipulate operational components, reading commands or changing parameters, which can create dangerous conditions, jeopardize the safety of plant personnel or the community, and cause monetary loss through shutdowns or disruption of production.

4 OT Cybersecurity Best Practices

How can organizations securely address a large volume of operators, contractors, and vendors connecting remotely into their network, without the use of a VPN and without compromising processes, operations continuity, or inhibiting business agility or productivity?

At minimum, you need to know at all times who (identity) is doing what on your network, from what device, and when. And, critically, you need to be able to exercise complete, granular control over that access at all times—whether it is for an employee or vendor, and whether they are on site, or connecting remotely.

Here are four best practices for protecting operational technology environments from cyberthreats:

#1 Implement a Zero Trust Framework

While the zero trust security philosophy is commanding more attention and seeing increased adoption, most organizations remain stuck in the traditional network perimeter security model, using VPNs and similar tools to grant remote access.

Securing any network begins with understanding every connected user and device and every bit of data they are trying to access. This is a basic premise of any security framework—including zero trust. To truly embrace zero trust across your OT network, consider implementing the following:

  • Apply network segmentation: Provide application access independently of network access. This means enabling contractors and vendors to reach only the applications and systems they need, without complex firewall configurations or VPNs.
  • Provide application-level micro-segmentation, which prevents users from even discovering applications they are not authorized to access. Beyond protecting against malicious insiders and external threat actors, this step also helps protect the environment against human error, which is one of the leading causes of breaches and system downtime.
  • Establish a centralized point of visibility and access for the different systems, each of which may require its own connectivity method. As more OT systems are integrated with IT systems to drive automation, efficiency, and lower costs, keeping these systems reachable only by authorized users through that single point, rather than discoverable on the internet, removes the largest attack surface.
  • Monitor and record all activity performed over remote access, via on-screen video recording, keystroke logging, and similar means. Session monitoring is essential both for security and for compliance.
  • Exert granular control over sessions by enforcing least privilege and restricting the commands that can be executed, per identity/user.
  • Implement API security: Protecting APIs is essential to safeguarding the integrity of data exchanged between IoT devices and back-end systems. Only authorized devices, developers, and apps should be permitted to communicate with specific APIs.
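The following is an added example, not BeyondTrust's code and not a description of any BeyondTrust product: a minimal zero-trust access broker that ties together the points above (and the VPN critique earlier on the page). It decides each session request on who (identity), from what device (posture), to which single application on which asset, and when (an approved maintenance window); an unentitled application is reported exactly like one that does not exist, so a user cannot enumerate the network. Once a session is open, every command is checked against that identity's allowlist and written to an audit record with the who/what/where/when the text asks for. All identities, assets, application names, posture attributes and commands are constructed for illustration.

```python
# Added example, not BeyondTrust's code: a minimal zero-trust access broker for
# OT remote sessions. Identities, assets, application names, posture attributes
# and commands are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


def ts(hour: int, minute: int = 0) -> datetime:
    """Timestamp on the (constructed) maintenance day, 2021-04-06, in UTC."""
    return datetime(2021, 4, 6, hour, minute, tzinfo=UTC)


@dataclass
class AccessRequest:
    identity: str
    device_id: str
    device_posture: dict   # attributes reported by the endpoint agent, e.g. {"managed": True}
    target: str            # asset the user wants to reach
    application: str       # the single application exposed on that asset
    at: datetime


# Constructed entitlements. An identity can only see the (target, application)
# pairs listed for it; everything else is invisible to it, which is the
# application-level micro-segmentation described in the text.
POLICY = {
    "vendor.acme.jdoe": {
        "entitlements": {("plc-17", "plc-engineering-ws")},
        "window": (ts(8), ts(17)),             # approved maintenance window only
        "allowed_commands": {"read_tags", "export_logs"},
        "required_posture": {"managed": True, "edr_running": True},
    },
    "ops.alice": {
        "entitlements": {("plc-17", "plc-engineering-ws"), ("hmi-03", "hmi-console")},
        "window": None,                        # on-call operator: no window restriction
        "allowed_commands": {"read_tags", "export_logs", "write_setpoint"},
        "required_posture": {"managed": True},
    },
}


def decide(req: AccessRequest) -> tuple:
    """Policy decision point. Every check must pass; the reason is what gets audited."""
    rules = POLICY.get(req.identity)
    if rules is None:
        return False, "unknown identity"
    # Deny by default, and report an unentitled application exactly like a
    # non-existent one so a user cannot enumerate what else is on the network.
    if (req.target, req.application) not in rules["entitlements"]:
        return False, "no such application for this identity"
    for attr, wanted in rules["required_posture"].items():
        if req.device_posture.get(attr) != wanted:
            return False, f"device posture check failed: {attr}"
    window = rules["window"]
    if window is not None and not (window[0] <= req.at < window[1]):
        return False, "outside approved maintenance window"
    return True, "allowed"


class BrokeredSession:
    """A session opened through the broker rather than over a VPN: the user never
    gets a network path to the asset, only a relayed application session in which
    each command is checked and recorded before being forwarded."""

    def __init__(self, req: AccessRequest, audit_log: list):
        allowed, reason = decide(req)
        if not allowed:
            raise PermissionError(reason)
        self.req = req
        self.allowed_commands = POLICY[req.identity]["allowed_commands"]
        self.audit_log = audit_log
        self.delivered = []        # commands actually relayed to the target

    def run(self, command: str, at: datetime) -> bool:
        permitted = command in self.allowed_commands
        self.audit_log.append({
            "ts": at.isoformat(),
            "identity": self.req.identity,
            "device": self.req.device_id,
            "target": self.req.target,
            "application": self.req.application,
            "command": command,
            "permitted": permitted,
        })
        if permitted:
            self.delivered.append(command)   # stand-in for the protocol-specific relay
        return permitted


if __name__ == "__main__":
    audit = []
    vendor = AccessRequest("vendor.acme.jdoe", "acme-laptop-7",
                           {"managed": True, "edr_running": True},
                           "plc-17", "plc-engineering-ws", ts(10, 30))
    session = BrokeredSession(vendor, audit)
    session.run("read_tags", ts(10, 31))        # permitted
    session.run("write_setpoint", ts(10, 32))   # denied: not on the vendor's allowlist
    for entry in audit:
        print(entry)
```

Note the shape of the deny path: the denied `write_setpoint` is still written to the audit log, so a vendor probing beyond their allowlist shows up in the record rather than silently failing, and the session itself stays open for the work they are entitled to do.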

#2 Align the Right Remote Access Tools with the Right Use Cases

Over the last year, with the large-scale shift to remote work, VPN usage has spiked to an all-time high. Unfortunately, VPNs and other remote access technologies, like RDP, are being stretched beyond their legitimate use cases in ways that are clearly reckless. Nowhere is the risk more dangerous than within OT networks. VPN and RDP should be eliminated from any use that involves privileged access or third-party access.

While adequate for providing basic remote employee access to non-sensitive systems (e.g., email), VPNs lack the granular access controls, visibility, scalability, and cost-effectiveness demanded of third-party and remote worker access to OT/IoT devices. VPNs cannot enforce the granular least-privilege access, or the monitoring and management of sessions, that is imperative for security and oversight of privileged user access.

Table 1: How VPNs Compare to BeyondTrust Privileged Remote Access, a solution for providing secure, least-privilege access to vendors, privileged users, and service desk personnel, with robust session monitoring and management. The solution can also be used to lock down and segment access to web browsers, cloud control planes, and other systems and resources.

#3 Understand the Differences Between IT Security and OT Security

In most organizations, the policies and service agreements used to manage IT systems do not extend to the operational technology environment, creating a security and management gap. Managing security and risk in OT environments is not as simple as porting IT security best practices over to the OT systems. Relying on consumer-grade remote access or remote support tools and other such IT solutions is certainly not adequate for protecting the most sensitive environments.

OT equipment lifecycles are much longer than IT's. Legacy systems that have been in place for 20-25 years are common in OT environments, whereas IT equipment rarely stays in service for more than five years. The result is a diverse population of outdated endpoints for which patches are not available, or which cannot be updated because of limited compute power or because modifying a running, safety-certified system is not permitted.

IT has had decades to mature security practices and minimize exposure. But the need to manage risk is universal, and organizations must adopt solutions and strategies to secure their OT environments based on their specific needs.

#4 Apply Robust Privileged Credential Management Practices – And No Password Sharing!

Password malpractice abounds in OT environments, and it continues to be a leading cause of breaches. Credentials are often shared internally and externally, and the access they grant is not limited to specific network devices or segments.

Reduce the risks associated with privileged credential compromise in your OT environment by safeguarding access to privileged account passwords and SSH keys. Implement an enterprise-grade privileged credential management solution that provides full control over system and application access through live session management, allowing administrators to record sessions, document suspicious behavior, and lock or terminate a session in progress. Such a solution should also eliminate embedded and default passwords and bring them under active, centralized management, so that credentials are rotated rather than passed around by hand.
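Before a credential manager can take over, you need to know where the bad habits are. The following is an added example, not BeyondTrust's code and not a description of any BeyondTrust product: a hygiene check that runs over a constructed inventory of OT asset accounts and a couple of constructed config fragments, and flags the three things the paragraph says to eliminate: default passwords, one password shared across several assets or people, and secrets embedded in plaintext files. It also correlates embedded secrets with the inventory, which tells you which accounts a copy of that file would unlock. Findings carry a short hash of each secret rather than the secret itself, so the report can be circulated. The asset names, accounts, passwords, default-credential list and file contents are all constructed sample data, not information about any real product.

```python
# Added example, not BeyondTrust's code: a credential-hygiene check over a
# constructed inventory of OT asset accounts. All data below is constructed.
import hashlib
import re
from collections import defaultdict

# Constructed: (asset, account, password currently in use), as a discovery
# scan or a manual audit of a site's "password sheet" might return.
INVENTORY = [
    ("hmi-03", "operator", "operator"),
    ("plc-17", "admin", "Summer2019!"),
    ("plc-18", "admin", "Summer2019!"),
    ("historian-01", "svc_hist", "Summer2019!"),
    ("rtu-22", "admin", "admin"),
    ("eng-ws-05", "vendor", "Vend0r#42"),
]

# Constructed list of generic factory/default pairs. A real check would load
# the documented defaults for each asset make and model instead.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("operator", "operator"), ("root", "root"),
}

# Constructed config fragments from a (hypothetical) historian collector host.
CONFIG_FILES = {
    "/opt/collector/app.conf": "db_host=historian-01\ndb_user=svc_hist\ndb_password=Summer2019!\n",
    "/opt/collector/poll.ini": "[plc-17]\nprotocol=modbus\nunit_id=1\n",
}

# Matches "key = value" lines whose key looks like a secret. The value is
# captured only so it can be fingerprinted; it is never stored in a finding.
EMBEDDED_SECRET = re.compile(
    r"^\s*(\w*(?:password|passwd|pwd|secret|api_key))\s*[=:]\s*(\S+)",
    re.IGNORECASE | re.MULTILINE,
)


def fingerprint(secret: str) -> str:
    """Short hash used only to correlate identical secrets within a report.
    It is not a storage format: keep the report itself access-controlled."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def group_by_secret(inventory):
    """fingerprint -> [(asset, account), ...] for every account using that secret."""
    groups = defaultdict(list)
    for asset, user, pw in inventory:
        groups[fingerprint(pw)].append((asset, user))
    return groups


def find_default_credentials(inventory):
    """Accounts still using a known default username/password pair."""
    return [(asset, user) for asset, user, pw in inventory
            if (user, pw) in DEFAULT_CREDENTIALS]


def find_shared_passwords(inventory):
    """Passwords reused across more than one account or asset, keyed by fingerprint."""
    return {fp: accounts for fp, accounts in group_by_secret(inventory).items()
            if len(accounts) > 1}


def find_embedded_secrets(config_files):
    """(path, key, fingerprint) for each secret found in plaintext in a config file."""
    return [(path, m.group(1), fingerprint(m.group(2)))
            for path, text in config_files.items()
            for m in EMBEDDED_SECRET.finditer(text)]


def report(inventory=INVENTORY, config_files=CONFIG_FILES):
    """Run the three checks and cross-reference embedded secrets with the inventory."""
    groups = group_by_secret(inventory)
    embedded = find_embedded_secrets(config_files)
    return {
        "default_credentials": find_default_credentials(inventory),
        "shared_passwords": find_shared_passwords(inventory),
        "embedded_secrets": embedded,
        # Which accounts anyone holding a copy of this file could log in to.
        "embedded_unlocks": {path: groups.get(fp, []) for path, _key, fp in embedded},
    }


if __name__ == "__main__":
    for section, findings in report().items():
        print(f"{section}: {findings}")
```

On the sample data the check reports two default logins, one password shared by three accounts on three assets, and a plaintext `db_password` in `app.conf` that unlocks all three of those accounts, which is exactly the kind of finding that should drive which credentials get onboarded into a vault and rotated first.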

OT and Military-Grade Cybersecurity from BeyondTrust

BeyondTrust PAM solutions give OT security managers the tools they need to manage privileged access in a challenging OT environment.

To learn how BeyondTrust can help you secure privileged remote access for employees and vendors, enforce least privilege and application control across your OT environment, and ensure all privileged credentials and secrets are consistently secured and managed, contact us today.


Julissa Caraballo, Product Marketing Manager

Julissa Caraballo is a Product Marketing Manager at BeyondTrust. She has over 10 years of experience in software product marketing and lead generation. Previously, Julissa worked as a Marketing Director for a medical management software company. She holds a BA in Business Administration/Marketing and an MBA in Healthcare Management. Her certifications include Certified Digital Marketing Manager, Pragmatic Marketing Certified, and Certified Medical Practice Executive. She can be found on LinkedIn and all social media platforms.
