Secure remote access: awareness is high, confidence is low – Technologist

Industrial operational technology (OT) and industrial control systems (ICS) are typically complex and specialised systems that are installed, maintained, and supported by product vendors and often third-party technicians, operators, and contractors. This cadre of external parties provides product/system support and maintenance due to their specific technical expertise and industry knowledge.

Additionally, owing to the locations where most industrial facilities are built, remote access to OT assets and operations is all but mandatory. The TakePoint Research report, The State of Industrial Secure Remote Access, states that remote access is now a universal and fundamental requirement for most industrial enterprises.

The same report, however, noted that ensuring all access is safe and secure and cannot be exploited or abused by malicious actors, whether external or internal, remains a challenge.

The report concludes that industrial secure remote access (I-SRA) strategies have become a critical building block for every OT environment. The report recommends that securing remote access and building an overall cybersecurity strategy should be approached like any other business decision, with advantages and associated risks that must be reviewed.

The report cautions that many challenges around people, technologies, and processes need to be considered and that these will likely vary between and within industries. It also recommends that organisations begin by identifying their operational objectives and risk appetite to develop an appropriate strategy.

“A diverse, multidisciplinary approach will help organizations align with various stakeholders and expectations while successfully deploying and securing remote access to industrial environments.”

TakePoint Research

The sponsor of the report, Cyclo, picked three key findings:

1. Third-party access is the top reason for enabling I-SRA

Across all industries, 72% of respondents ranked third-party access as the number-one reason for securing remote access.

“This isn’t too surprising, as OT environments tend to depend heavily on third parties due to a significant skills gap, original equipment manufacturer (OEM) maintenance requirements, and risk mitigation, among other factors,” said Kevin Kumpf, chief OT/ICS security strategist at Cyclo.

2. I-SRA is not just a “big company” problem

The TakePoint report reveals a linear relationship between company size and the sheer volume of remote connections: the bigger the company, the more connections (see Figure 1).

Kumpf acknowledged that larger companies may have a larger attack surface to secure, but they are also more likely to have teams robust enough to do so. “In contrast, small companies may lack the budget, headcount, and experience necessary to adequately defend their systems,” he added.

Figure 1: Concern about remote access threats to OT/ICS systems

3. Across all industries, concerns outweigh confidence

Kumpf says the most striking finding of the survey is that across all industries, respondents were more concerned about threats than confident in their current I-SRA solutions. “A common practice is to give teams remote access to critical systems because operations depend on it. However, that access is far less secure than these organisations would like them to be,” he noted.

Figure 1: Concern about access risks vs confidence in current solutions

Kumpf opined that industrial settings have built brittle workarounds for securing remote access, like firewalls and virtual private networks (VPNs), and have sought to implement frameworks like NIST 800-82 or ISA/IEC62443.

“Still, they recognise that the problem is not solved,” commented Kumpf who wrote that VPNs struggle to scale and cannot cover the full range of OT use cases.

“Due to a lack of SRA solutions built specifically for OT, there’s a frequent need to rely on tools designed for IT. These are far from ideal because they often require a cloud connection, need regular patching that requires downtime, or interrupt sensitive OT processes.”

Kevin Kumpf