Claroty released new research from Team82 on remote access tool sprawl and the
risk exposures it introduces to operational technology (OT) environments. Data
from more than 50,000 remote-access-enabled devices showed that the volume of
remote access tools deployed is excessive, with 55% of organizations having
four or more and 33% having six or more.
Team82's research also found that a staggering 79% of organizations have more than two
non-enterprise-grade tools installed on OT network devices. These tools lack
basic privileged access management capabilities such as session recording,
auditing, role-based access controls, and even basic security features such as
multi-factor authentication (MFA). The consequence of using these types of
tools is increased high-risk exposure and additional operational costs from
managing a multitude of solutions.
"Since the onset of the pandemic, organizations have been increasingly turning to remote access
solutions to more efficiently manage their employees and third-party vendors,
but while remote access is a necessity of this new reality, it has
simultaneously created a security and operational dilemma," said Tal Laufer, VP
Products, Secure Access at Claroty. "While it makes sense for an organization
to have remote access tools for IT services and for OT remote access, it does
not justify the tool sprawl inside the sensitive OT network that we have
identified in our study, which leads to increased risk and operational
complexity."
Learn more about Team82's findings in the report, "The Problem with Remote
Access Sprawl."
While many of the remote access solutions found in OT networks may be used
for IT-specific purposes, their existence within industrial environments can
potentially create critical exposure and compounding security concerns that
include:
- Lack of visibility: In cases where third-party vendors connect to the OT
environment using their own remote access solutions, OT network administrators
and security personnel who are not centrally managing these solutions have
little to no visibility into the associated activity.
- Increased attack surface: More external connections into the network via remote
access tools mean more potential attack vectors through which substandard
security practices or leaked credentials can be used to penetrate the network.
- Complex identity management: Multiple remote access
solutions require a more concentrated effort to create consistent
administration and governance policies surrounding who has access to the
network, to what, and for how long. This increased complexity can create blind
spots in access rights management.
According to Gartner, security and risk management (SRM) leaders should
"perform a full inventory of all remote connections across the entire
organization, as shadow remote access likely exists throughout operational
networks, particularly at field sites," and "remove older remote access
solutions when deploying newer CPS secure remote access solutions.
Organizations commonly deploy new solutions without focusing on what is left
behind, and with the number of exploited VPN vulnerabilities growing, this
could be a significant blind spot."