BeyondTrust - Secure Remote Access and Privileged Access Management

An Expert Q&A with Principal Product Manager of Privileged Remote Access, Sebastian Mankowski

As Operational Technology (OT) environments become more interconnected with IT systems, the need for advanced OT security measures becomes ever more pressing. Traditional perimeter-based security models are no longer sufficient to protect critical infrastructure and access to devices for cyber-physical systems and OT environments, such as pharmaceutical facilities, manufacturing plants, or oil rigs, from increasingly sophisticated cyber threats. This is where Privileged Remote Access Network Tunnels come into play, bringing a Zero Trust Network Access (ZTNA) solution that secures access to your OT environments as well as it does for IT environments. This ensures access is only granted after stringent identity verification, regardless of the user’s location, making it an essential component of modern OT security strategies.

Network Tunnels create encrypted, point-to-point connections to any device or endpoint, regardless of the protocol it is based on, the software needed to connect to it, or where it is located. They complement all the other protocol-specific access that the BeyondTrust product provides (such as SSH, RDP, SQL, and Kubernetes) by safeguarding sensitive communication with, and preventing unauthorized access to, critical OT operations.

What sets Privileged Remote Access apart is its seamless integration of ZTNA principles with identity-secure, just-in-time access tailored specifically for OT environments. Unlike traditional VPNs, BeyondTrust’s Network Tunnels offer a more scalable and secure solution, allowing organizations to control and monitor access in real time across both traditional IT and cyber-physical systems.

By combining advanced ZTNA capabilities with robust session monitoring, auditing, and short-lived certificates, BeyondTrust ensures that, even in the event of credential compromise, malicious actors are quickly shut out.

Read on for my interview with Sebastian Mankowski, Principal Product Manager of Privileged Remote Access, to learn more about what makes Privileged Remote Access the best choice for securing OT environments.

Q. Tell us a little bit about Privileged Remote Access. How is it making waves in the OT space?

Sebastian: Privileged Remote Access originally found its roots in the Privileged Access Management (PAM) space, securing access to privileged accounts remotely in IT environments. Since then, the product has established itself as a PAM leader, and then expanded its capabilities and use cases to become the single unified solution for all environments and workforces, regardless of where they are located or what kind of equipment they are operating. By bringing the lessons of Zero Trust into the world of OT, along with our best-in-class session management and access controls from IT, Privileged Remote Access enables easy point-to-point access without having to use unreliable VPNs or other middleware for your entire OT environment. Gartner refers to this as remote privileged access management, or RPAM.

Q. What challenges do organizations in the OT sector face and how does Privileged Remote Access solve for them?

Sebastian: There are a number of challenges in the OT sector that Privileged Remote Access can directly solve for:

1) Legacy operating systems

Many OT environments rely on legacy operating systems, like Windows 10, Windows 7, and older. These are the systems driving a lot of the valuable and critical equipment that businesses depend on, and they’re not getting upgraded or updated. Organizations still need a way to facilitate access to them, but they need to make sure that access can be done remotely and securely. BeyondTrust Privileged Remote Access enables secure access to any device used in the OT space, regardless of operating system, either using remotely deployed agents or in a completely agentless approach.

2) Use of non-standardized equipment

OT environments typically require a lot of non-standardized, custom equipment, like Siemens devices or Rockwell PLCs, that run on custom protocols and require bespoke manufacturer software to connect with. This has historically forced businesses to rely on managing vulnerable, unreliable, and hard-to-configure VPNs, or to circumvent security practices by punching holes through firewalls to allow people who are not on site to interact with this equipment.

This is exactly what our Privileged Remote Access Network Tunnels are tailor-made for: providing point-to-point access to custom systems on isolated and non-routable OT networks, without the need for a VPN or broad network access, and enabling outbound-only connections that are fully recorded for auditing purposes. Privileged Remote Access does not require deployment of multiple heavyweight appliances and satisfies Purdue Model security requirements.

3) Tool sprawl

Lastly, there’s the challenge of reducing the operational surface area of software, tools, and vendors an organization needs to manage on a regular basis just to keep things running. As organizations grow and scale, and business systems become more complex, the more technology resources are required by the increasing number of technical workers. This often comes with the added overhead of onboarding more and more software tools, which need to be managed by several different teams and stakeholders, ballooning the operating costs exponentially.

As a unified access solution that fully encompasses all organizational technology resources – cloud, on-prem, or hybrid for both IT and OT – Privileged Remote Access solves this challenge in one consistent and easy-to-use platform. Technical end users don’t have to keep switching between solutions, depending on what work they’re doing. IT and infrastructure administrators can control everything in the same place with a consistent set of policies; and security teams have a consolidated set of auditable logs and reports so that they can confidently identify paths to compliance. It’s sort of the ‘one tool to rule them all’ that is needed across both IT and OT environments right now.


Q. Network Tunnels are new to Privileged Remote Access – Where did the idea originate?

Sebastian: Privileged Remote Access Network Tunnels emerged as our latest step towards solving for the specific challenges organizations in the OT space are facing. The capability is specifically targeted at enabling secure connectivity from custom software to custom devices and machinery that has historically relied on VPNs.

Organizations have historically been well aware of the insecurity of VPNs, but in many cases were left with few alternatives. Traditional ZTNA approaches that operate only at the application layer fall short when having to work with custom PLC controllers and devices, and the manufacturer-specific software needed to operate them. VPNs became the default “least-worst” option and were commonly adopted despite the known concerns with their security vulnerabilities, their difficulty to maintain, and the challenge of configuring them in ways that reliably prevent cyberattacks and horizontal movement within networks.

The combination of increasing attacks on OT infrastructure and other cyber-physical systems (CPS)—like pipelines, energy facilities, and manufacturing—and a rash of exposed security vulnerabilities in the most common and popular VPN solutions, has accelerated the need for companies to find a better approach to securing OT access, while preserving uptime. We built our Privileged Remote Access Network Tunnels specifically to solve for these customer pain points.

Q. How do BeyondTrust’s Privileged Remote Access Network Tunnels work?

Sebastian: Put simply, Privileged Remote Access Network Tunneling works by extending our zero trust access tunnels from operating solely at the application layer to the entirety of the networking layer. This allows customers to create the same encrypted point-to-point tunnels they’ve always counted on Privileged Remote Access for to gain access to SSH, RDP, Kubernetes, and database resources (like Postgres).

This works for any system, regardless of where it’s located, what protocol it relies on, or what software is used to interact with it. We don’t even require an agent to be installed on the endpoint, and our lightweight Jumpoint proxies mean that remote access can be established with resources living on isolated and non-routable networks (like factory sites) without having to punch holes through any firewall rules, while achieving the requirements of the Purdue model framework.

The experience for end-users is seamless – they just authenticate to Privileged Remote Access and click the OT systems they want to connect to, then start working using whatever local software they need. Administrators don’t have to worry about any wide-open VPNs or security misconfigurations, and security stakeholders know that least privilege is being enforced and that every session of activity is fully recorded for auditing purposes.

Q. How did feedback from our customers influence the design and functionality of Network Tunnels? What are they going to be excited to see?

Sebastian: One area that we knew upfront would be important to our customers was the ability to continue meeting the standards of the Purdue model security framework, so we invested in ensuring our Jumpoint proxies were easy to deploy and the appropriate segmentation between networks remained in place. We also knew that these standards would be critical in facilitating connections to normally isolated networks on an outbound basis to avoid any firewall manipulation and to maintain a strong security profile.

Something that came up in early feedback that we eagerly iterated on was adding the ability for the Jumpoints themselves to take over the responsibilities of Dynamic Host Configuration Protocol (DHCP), since few OT networks are also running DHCP servers themselves, as well as work with remote Domain Name System (DNS). Both of these features are currently complete and available in Privileged Remote Access!

We love collaborating with our customers as our design and development partners, and their input was key in enabling us to deliver a solution that worked perfectly in their operational and security environments.

Q. What’s the future of the Privileged Remote Access product? Are there any upcoming enhancements and advancements for OT we should be excited about?

Sebastian: Our key objective is to ensure Privileged Remote Access meets all the needs of our customers, including those operating in the OT space, and we are continuing to invest in this area. Some things which we’re already working on and getting ready to release soon include:

  • More efficient Jumpoints operating in proxy mode, with clustering and added redundancy.

  • Supporting more platforms with Network Tunnels, like workstations running macOS.

Longer-term, we are excited to explore opportunities around automated discovery of endpoints in OT networks. The desired outcome is to reduce or eliminate the repetitive and manual effort required with deployment and ongoing enrollment of new systems. There are a few more secrets we’ll be unveiling this quarter—so stay tuned. And we are also always listening to our customers and eager to hear what their thoughts and ideas are so we can make them a reality.

Where can you go to learn more about Privileged Remote Access?

If you’re interested in learning about Privileged Remote Access and its new Network Tunnels, visit our website, check out our free trial, or contact one of our experts today. For more information about the specific challenges faced by organizations in the OT space and how BeyondTrust can help, click here.

About the Author
Emily Wang

Product Marketing Manager

Emily Wang is a Product Marketing Manager at BeyondTrust for Privileged Remote Access and Remote Support. Prior to joining BeyondTrust, she worked in a variety of product marketing and product management roles at Visa, as well as fintech and software startups. In these roles, she owned the go-to-market strategy for products such as tap-to-pay and the simplification of buying insurance online. Emily is passionate about making technical concepts accessible to all and is enthusiastic about demystifying cybersecurity.