
Cyber Hygiene vs. Secure Remote Access for OT: The Real Lessons of the GhostSec Industrial RTU Hack

January 19, 2023

Author: Roman Arutyunov, Xage Co-founder and VP of Product

A recently disclosed attack against an operational technology (OT) component highlights the rapidly growing need for improved security hygiene in critical infrastructure. For operational technology in critical infrastructure, improving security hygiene is inextricably linked with modernizing remote access methods.

The attack in question involved a hacker group referred to as GhostSec or Anonymous Operations, which claimed to have used ransomware to successfully encrypt an industrial Remote Terminal Unit (RTU) for the first time. As reported by IndustrialCyber on Friday, January 13, security researchers quickly uncovered further details of the attack, including that the device ships with easily cracked default root credentials, and that many instances of the device type were exposed to the public internet and visible via Shodan. Together, these two characteristics make the device far more likely to be attacked in the first place, and far easier to encrypt with ransomware once it is reached.


While this attack was very specifically focused on sending a political message to Russia, there are several actionable takeaways from this scenario for anyone responsible for securing critical infrastructure:

  1. OT in critical infrastructure is a more compelling target than IT for many adversaries. The sensitivity and value of industrial targets makes for a more compelling news story than hitting a corporate target’s IT network. Shutting down train service or a gas pipeline has enormous, highly visible consequences, including significant threats of financial harm and risk to human safety. This is why adversaries such as GhostSec prioritize developing and publicizing their OT attack capabilities.
  2. The OT attack surface is growing. Increasing IT-OT convergence, and the rising number of OT assets that continue to be accidentally or intentionally exposed to the public internet, create an enormous attack surface through which critical infrastructure operations can be impacted. As demonstrated by the attack on Colonial Pipeline, even the potential of OT being compromised through a connection with corporate IT infrastructure can lead to downtime, brand damage, and enormous incident response costs. Critical infrastructure providers need to take steps to minimize their attack surface, and be prepared to provide concrete evidence that their systems have not been compromised in the event that an attacker group makes a claim, or successfully intrudes on the corporate IT or OT environment.

The Challenge of Secure Remote Access for Operational Technology

An enormous challenge facing critical infrastructure operators today is providing secure remote access to operational technology without exposing vulnerable devices to corporate or public networks. The ballooning OT attack surface is driven in large part by the urgent need for remote access, and by the lack of effective mechanisms for providing it securely. IT-centric remote access tools are not built for the requirements of secure remote access to OT: such tools need to allow remote technicians and vendors to reach critical components that can have a physical impact on the real world, in order to deliver upgrades or manage urgent issues rapidly, without opening up attack vectors.

As OT assets grow more distributed, along with the experts who build, operate, and maintain them, this challenge will only increase. Now is the time for critical infrastructure organizations to invest in modernizing their remote access systems to stay ahead of cyberattackers.

How Xage Provides Secure Remote Access to OT without Compromising Cyber Hygiene

The attack vector in this case was an internet-exposed interface with a default credential. This is a very common attack vector: exposing unsecured interfaces while leaving credentials unmanaged is an open invitation to be hacked. The reality is that, for business reasons such as enabling remote technicians (or vendors) to troubleshoot the process when production is down, or sending data to business intelligence systems for data-driven process optimization, these industrial assets are often exposed to external or corporate networks. Operations teams lack tools that are easy to use and administer, and that secure these assets while still enabling collaboration.

The Xage Fabric addresses these needs using an asset-centric approach for cyber physical asset protection:

  • Delivers zero trust with defense in depth for any industrial asset interaction (user, machine, app, data)
  • Never exposes asset interfaces and protocols
  • Rotates credentials on a per-session or scheduled basis
  • Provides identity-based access management with multi-layer MFA for any asset at any location
  • Provides zero-trust remote access to any asset, including PLCs and RTUs, enabling multi-user collaboration, shadowing, and recording
  • Enables and controls file and data transfer by user and asset identity and policy, with overlay malware scanning and integrity validation

Xage is already being used to provide Zero Trust Remote Access (ZTRA) to major critical infrastructure organizations around the world. Read our case study of how a Top 10 energy provider modernized their remote access with Xage.