VPN Cyber Security: Proceed with Caution
July 26, 2021 | Robert Bergman
During the COVID pandemic, many companies turned to Virtual Private Networks (VPNs) believing they were providing secure communications for teleworkers. VPNs can indeed enhance online privacy and anonymity by creating a private network from a public internet connection. They also mask internet protocol (IP) addresses so online actions are virtually untraceable. And, perhaps most important, they can establish secure and encrypted connections to provide greater privacy than even a secured Wi-Fi hotspot. But heightened attention during the pandemic exposed many unexploited vulnerabilities, which must be addressed if the VPN protection is to be trusted going forward.
“A laundry list of vulnerabilities in security appliances found in the last 12 months — including Palo Alto Networks, F5 and Citrix (or even the infamous 2020 SolarWinds attack) — provides further evidence. But as an attacker, when it comes to targeting VPNs and other security appliances, it’s not the relative abundance of vulnerabilities that makes appliances a prime target, it’s because organizations put too much trust in security tools,” writes David “Moose” Wolpoff, CTO at Randori, a company that develops cyber security that it says is designed from a hacker’s perspective.
Wolpoff says that a limitation of VPNs and other third-party security appliances is that attackers only have to “pick one lock” to get full access to the network, which results in a single point of failure, as illustrated by the following penetration test that he performed for a client:
“Because the vulnerability I discovered gave me complete control over the device itself, I completely owned it and all its functionalities in one fell swoop. The VPN this organization was using wasn’t just a VPN — it served as a firewall and did logging and network segmentation as well. This security system was designed to protect them, but every part of its functionality could no longer be trusted,” he wrote.
Reducing VPN Risk for Teleworkers
While advocating the use of VPNs, the Cybersecurity and Infrastructure Security Agency (CISA) acknowledges their limitations and raises the following additional cybersecurity issues that companies using teleworkers should consider:
- Because VPNs run 24/7, organizations are less likely to keep them updated with the latest security updates and patches.
- Malicious cyber actors may increase phishing emails targeting teleworkers to steal their usernames and passwords.
- Organizations that do not use multi-factor authentication (MFA) for remote access are more susceptible to phishing attacks.
- Organizations may have a limited number of VPN connections, after which point no other employee can telework. With decreased availability, critical business operations may suffer, including IT security personnel’s ability to perform cybersecurity tasks.
CISA encourages organizations to review the following recommendations when considering alternate workplace options.
- Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and security configurations. See CISA Tips Understanding Patches and Securing Network Infrastructure Devices.
- Alert employees to an expected increase in phishing attempts. See CISA Tip Avoiding Social Engineering and Phishing Attacks.
- Ensure IT security personnel are prepared to ramp up the following remote access cybersecurity tasks: log review, attack detection, and incident response and recovery. Per the National Institute of Standards and Technology (NIST) Special Publication 800-46 v.2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security, these tasks should be documented in the configuration management policy.
- Implement multifactor authentication (MFA) on all VPN connections to increase security. If MFA is not implemented, require teleworkers to use strong passwords. (See CISA Tips Choosing and Protecting Passwords and Supplementing Passwords for more information.)
- Ensure IT security personnel test VPN limitations to prepare for mass usage and, if possible, implement modifications—such as rate limiting—to prioritize users that will require higher bandwidths.
- Contact CISA to report incidents, phishing, malware, and other cybersecurity concerns.
And we would add one more preventative technique: As you upgrade your PLCs, DCSs, RTUs, power supplies and other automation systems, be sure that they have Zero Trust cyber security prevention built in. It should cost you no more than the cost of the systems themselves but will help ensure that if any intruders make it past your network defenses they will have Zero place to go.
Although increasing numbers of control suppliers are claiming to have cyber security built in, very few actually do. For a checklist that will help you tell the difference, see Built-in Cyber Security vs. Built-in Cyber Security (and no, that is not a typo).