Why VPNs and Jump Servers Fall Short for OT Remote Access

By Roman Arutyunov, Xage Co-Founder and VP of Product

While it was once unthinkable to make physically-isolated Operational Technology (OT) and Industrial Control Systems (ICS) remotely accessible, the benefits of enabling secure remote access have grown too great to ignore. Critical infrastructure operators increasingly need to rapidly troubleshoot issues and minimize costly downtime without being onsite in locations that are often remote, hard to reach, and in potentially dangerous places.

As the rise in remote workforces and digital transformation drives greater connectivity to OT systems, operators are seeing an alarming rise in cyber threats targeting OT environments. The escalating risk of disruptive cyberattacks and costly ransomware threatens productivity, safety, and reliability. That is why it’s surprising that many industrial organizations rely on traditional, IT-centric VPNs and jump servers for remote access to critical infrastructure.

Historically, OT teams had little choice but to adopt the tools IT was already using. VPNs have long been a practical means for enabling remote access to IT services and applications. Unfortunately, IT-centric tools rarely come optimized for the unique requirements of OT.

Cyberattackers commonly exploit VPN shortcomings to gain unauthorized access and wreak havoc on at-risk operational systems. The successful attacks on Colonial Pipeline and a Florida water treatment facility are poignant reminders of this new reality.

Xage Security walks you through why VPNs and jump servers fall short as an effective strategy for OT remote access

As demand for reliable remote access continues to increase, operational leaders must embrace a different approach from the status quo. Here’s why VPNs and jump servers fall short as an effective strategy for OT remote access and urgently need to change:

Traditional VPNs Provide All-or-Nothing Access

There are numerous reasons traditional VPNs have become pervasive. A VPN can simplify connecting remote participants to existing networked assets with minimal infrastructure change required. Once logged in, a VPN effectively puts the authenticated remote user directly on the same network as all the operational assets, which often lack strong (if any) native security controls. As a result, VPNs tend to provide all-or-nothing access.

As evidenced by the aforementioned cyber incidents, if a remote user’s credentials are compromised by brute force or phishing or simply stolen and sold on the dark web, an attacker can gain unfettered access to vulnerable OT assets without much effort.

Even legitimate users pose a grave risk to operational networks if connecting from a device infected with malicious software. Malware on a remote user’s laptop can quickly spread unencumbered on such a trusting connection, for example.

VPNs Expose Vulnerable Protocols

OT systems operate atop a range of insecure protocols designed originally for closed and separated environments. Many industrial protocols (such as Modbus and DNP3) have no built-in security leaving them at risk for exploitation by malicious users connected through a VPN. The same dangers exist due to weaknesses in remote protocols (like RDP or SMB) frequently encapsulated in VPN tunnels.

Ransomware attacks such as BlackCat, recently used against several Western European oil terminals, exploit these weak protocols as initial attack vectors into high-value, target-rich OT environments. Firewalls and other network boundaries may help mitigate this exposure. However, these cyber threats can spread unchecked once on the inside through a VPN connection.

Addressing VPN Shortcomings Leads to Added Complexity

The familiar iceberg metaphor, where more lies below the waterline than meets the eye, rings true for VPNs in OT networks.

In response to the highlighted shortcomings, industrial organizations add security controls or make infrastructure changes to close gaps. These changes involve moving remote access traffic to a DMZ, standing up proxy hosts (i.e., jump servers), and implementing privilege access management (PAM) to protect OT environments.

For most OT teams, the complexity builds up quickly, creating new risks as there are new tools to maintain in concert with operational systems and complicated change control challenges to navigate.

DMZ Firewall Rules are Cumbersome to Manage

DMZs rely on hundreds (if not thousands) of complex firewall rulesets. So when there’s an urgent need to provide temporary remote access to an OT asset, firewall changes can take too long to enact. This can lead to costly downtime or extended periods of hampered operations. Or, worse, changes happen quickly but at the cost of being too permissive to avoid breaking existing traffic flows. In either case, one firewall misconfiguration can expose OT environments to cyberattacks.

Jump Servers Build Up Stale Accounts

Using jump servers is a common tactic to avoid direct internet connectivity to OT assets. Placed into a DMZ, these proxies seek to add a layer of protection to weak protocols and offer a way to limit network traffic into OT environments where, according to the 2022 Microsoft Cyber Signal report, 75% of the most common industrial controllers have high-severity, unpatched vulnerabilities. A remote user VPNs into the jump server in the DMZ and then accesses operational assets from the proxy host.

The challenge is that every user needing remote access must have accounts created on the jump server. Over time, these Windows workstations accumulate hundreds, if not thousands, of user accounts. It doesn’t take long for these accounts to go stale, as temporary users or former employee credentials are rarely deprovisioned. Alternately, accounts with the necessary privileges are shared and passed around to expedite access, making it impossible to trace which user took which action.

Furthermore, the jump server requires valid credentials to access operational assets such as PLCs. These accounts commonly remain unchanged due to limited password management capabilities on OT assets.

Jump servers become fertile ground for cyber attackers who capitalize on large caches of unused (or infrequently used) user accounts to compromise a veritable goldmine of OT access. Additionally, the oft-used Windows workstations can run out-of-date software releases that lack fixes for exploitable vulnerabilities.

Once considered an improvement over VPNs, jump servers create a false sense of security.

Unfortunately, mitigating this hazard comes at a cost. OT teams add costly PAM solutions to address the lack of granular controls, further increasing complexity.

Visibility Into Remote Activity Is Limited

A lot can occur during a remote access session, and it is crucial to have visibility into these activities. Once more, VPNs and jump servers fall short of meeting these requirements.

Firstly, these tools lack end-to-end visibility as remote connections traverse multiple pathways. While VPNs and jump servers may have audit logs, it is left up to OT security teams to manually piece together activities into a complete picture of a remote user’s actions.

Additionally, there are few unique identities for many common OT assets. A remote user connecting to an operational device via a jump server likely uses a stored shared password, making the user’s actions difficult or impossible to trace back should an incident occur.

When every minute can lead to thousands in lost revenue during a security incident or production outage, the lack of comprehensive visibility impedes a speedy response.

Go Beyond Failing Strategies and Modernize OT Remote Access

Avoiding these failing strategies starts with adopting a unified approach. Operational leaders must move off traditional VPNs and jump servers to a modern solution based on zero trust principles.

Fortunately, Xage Zero Trust Remote Access makes it easy to shift. See firsthand how one of the world’s largest energy producers eliminated manual processes and a complicated VPN solution for granular, just-in-time access with Xage.