Is zero trust access the answer to the growing problem of VPN access to industrial control systems? I think so, and I’m not the only one.
What makes VPNs dangerous
Virtual private networks (VPNs) are used to extend network connectivity between users and applications or industrial control systems (ICSs). So it is a natural progression for IT to propose the use of VPNs to enable third-party access to an organization’s ICS. In many cases, the operational technology (OT) or ICS vendors themselves started deploying VPNs to gain remote access to these systems. With remote access, the OT team’s goal is to reduce downtime for the production lines. But VPNs have failed to deliver on that promise as they have become the primary source of unplanned downtime. Let’s take a look at some of the problems with VPNs.
Flat network: By design, VPNs create bidirectional tunnels between two networks, but inbound traffic flows are the source of all things bad. To make things worse, many ICS systems allow IP multicast and IP broadcast communication to ensure the supervisory control and data acquisition (SCADA) or programmable logic controller (PLC) software can discover all the OT devices over the VPN. In many cases, the VPN connects to a jump box on the IT network, which is actually bridging the OT network directly to the third-party. This level of network access to third parties defeats the very goal of achieving an air-gap between OT and IT.
ICS systems communicate in clear text over EtherNet/IP and do not require any form of authentication. But design and configuration software for discrete, process, batch, motion, safety, and drive-based applications was not designed for remote access over VPN and lack security controls commonly found in IT application software. With third-party users using the same laptop to connect to their office network, home network, and many other companies, the attack surface becomes significantly larger.
Vulnerabilities: It seems as if every VPN vendor on the planet has disclosed severe vulnerabilities in its VPN appliances. For OT system owners, this means VPNs are the favorite targets for attackers to gain unauthorized access and inject ransomware into your OT network. Also, VPNs require DDoS protection since they are accessible to anyone on the internet at all times.
“Emerging threats such as ransomware attacks on business processes, potential siegeware attacks on building management systems, GPS spoofing and continuing OT/IOT system vulnerabilities straddle the cyber-physical world.”
– Top 9 Security and Risk Trends for 2020, Gartner, September 2020
Ransomware: VPNs put users’ devices on to your OT network. Ransomware typically propagates over the network, infecting other computers connected to it. OT presents a target-rich environment with many workstations on the OT network running older versions of a Windows operating system (OS). There are several instances where ransomware from a third-party user connected over VPN led to massive disruption in the OT network. Ransomware attacks originating on the IT network and spreading to the OT systems have occurred at multiple organizations, including Norwegian aluminum producer Norsk Hydro, resulting in damages exceeding $1 billion.
Unpatchable systems: Most OT systems use an older version of Windows or purpose-built software that has reached end-of-life or end-of-support. Regularly patching OT systems, irrespective of the underlying OS, is not an option due to the lengthy and cumbersome approval process required by OT vendors. There have been well-documented cases of patches applied to OT systems that have resulted in complete system malfunction. In 2017, a security patch shut down monitoring equipment in a large NASA engineering oven, resulting in a fire that destroyed spacecraft hardware. Unpatchable systems or delayed patching is a major vulnerability that is often exploited by attackers.
Do third-party users really need network access?
It is time to stop bringing users, especially third parties, on to your network when they only need access to the OT systems to perform remote maintenance. The network-centric VPN-based approach, including DMZs and firewalls, has been in use since the Purdue Model for ICS became the standard for OT security in the late 1990s. Instead, the right approach is to connect users to applications.
A zero trust approach is a better way to let third parties access the specific systems they need without allowing any inbound connections to your OT network, even with OT-IT convergence. That’s because this concept does not suggest connecting the networks; rather, it just means that users should be able to access OT systems in a secure and convenient manner. Keeping OT systems known and accessible over the internet only for authorized users eliminates the biggest attack surface and reduces the risk of ransomware or cyberattacks.
Deepak Patel is the senior director of OT network and security transformation at Zscaler.