Remote Access Sprawl Strains Industrial OT Network Security

The exploding demand for remote access into today's industrial control systems (ICS) and operational technology (OT) systems has created a nebulous, Internet-connected attack surface that's too attractive for cyberattackers to ignore. And cleanup is not going to be a simple affair.

Far too many ICS networks are being accessed by employees, partners, suppliers, and customers using a slapped-together mousetrap of tools, leaving these environments woefully exposed while connected to the Internet, according to researchers.

In a new analysis, Claroty's Team82 looked at 50,000 individual remote access-enabled devices running on industrial networks with dedicated OT hardware, and found 55% to have at least four remote access tools (RATs) in their environments. A full third (33%) reported using six or more RATs. Some organizations reported using up to 16 different of them.

Industries represented in the examples examined by the Team82 researchers included pharmaceuticals, consumer goods, food and beverage, automotive, oil and gas, mining, and manufacturing — many of which are considered critical infrastructure sectors.

"Within critical infrastructure, there is sometimes a bigger physical risk associated with a breach, depending on the jeopardized device," says Tal Laufer, Claroty's vice president of products, secure access. "That being said, all organizations with this type of tool sprawl are at risk, since it can create security gaps in their networks for threat actors to exploit."

Making matters even more complicated for cybersecurity teams, the Team82 report found that 79% of the organizations they surveyed have more than two remote access management tools in their environment that don't meet basic enterprise-grade security standards.

"Most of these tools lack the session recording, auditing, and role-based access controls that are necessary to properly defend an OT environment," the Team82 report said. "Some lack basic security features such as multi-factor authentication (MFA) options, or have been discontinued by their respective vendors and no longer receive feature or security updates."

Cyberattackers Notice Sprawling OT Remote Access Attack Surface

Adversaries are already well aware of the malicious possibilities that these remote access tools unlock — and have been for several years.

Laufer notes that several massive breaches in recent years have been the result of misconfigured remote access tools, including Colonial Pipeline in 2021 and Change Healthcare earlier this year.

As far back as 2020, analysts at Kaspersky warned about the risk of cyberattacks against remote access tools like TeamViewer and RMS to breach ICS environments. And in January 2023, CISA joined with the NSA to issue a warning that adversaries were launching widespread campaigns against remote management systems like AnyDesk to breach federal agencies.

Those warnings have played out: A threat actor was discovered attempting to drop XMRing cryptominer malware using TeamViewer in May 2023. Likewise, the remote access tool TeamViewer was targeted in failed attempts to compromise systems by LockBit 3.0 ransomware group in early 2024. Similarly, remote access tool production systems were compromised at AnyDesk last February, forcing the vendor to revoke all of its security clearances and reset all Web portal passwords.

Despite these warnings, ICS/OT operators are in a particularly tough spot without a clear path toward protecting themselves. The Team82 findings demonstrate how the sheer number of these tools can easily pile up within an environment, creating an ever-creeping blob of remote access surface area ripe for adversaries to probe for success. As the report detailed, each tool brings along with it its own supply chain weaknesses, often including a lack of basic, best-practice security features like MFA, auditing, and session recording.

Compounding the issue is a basic lack of monitoring, detection, and policy control tooling that works across disparate remote access systems, leaving them open to misconfigurations, as messy policy and control management, the report added.

The report added that managing all these various RATs, and the hardware behind them, is an expensive operational proposition.

OT Remote Access Cleanup

Unsurprisingly, the first step on the path to securing remote access for ICS/OT networks is to get a full inventory of the tools that provide access to OT assets, according to the report.

"A critical first step is ensuring you have complete visibility into your organization’s OT network to understand how many and which solutions are providing access to OT assets and industrial control systems (ICS)," Laufer explains.

Next, those solutions that don't meet basic enterprise cybersecurity requirements need to go — pronto.

"From there, engineers and assets managers need to actively eliminate or minimize the use of low-security remote access tools in the OT environment — especially taking into consideration those with known vulnerabilities or those lacking essential security features such as MFA," the researcher stresses.

It's also crucial to develop and require baseline security standards across the organization's supply chain. "Beyond this, security teams should also govern the use of remote access tools connected to OT and ICS," Laufer says. "This can help with alignment of security requirements and expansion of those requirements as needed throughout third parties within the supply chain."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!