ics remote access – Waterfall Security Solutions
https://waterfall-security.com
Unbreachable OT security, unlimited OT connectivity
Mon, 24 Nov 2025 16:51:02 +0000

Remoting Into Renewables – the latest guidelines for secure remote access applied to renewables generation
https://waterfall-security.com/ot-insights-center/power/remoting-into-renewables-the-latest-guidelines-for-secure-remote-access-applied-to-renewables-generation/
Thu, 28 Aug 2025 12:03:00 +0000
Learn how secure access can enhance both safety and performance in renewable energy operations.

The post Remoting Into Renewables – the latest guidelines for secure remote access applied to renewables generation appeared first on Waterfall Security Solutions.


Remoting Into Renewables – the latest guidelines for secure remote access applied to renewables generation

Watch the webinar to learn how secure access can enhance both safety and performance in renewable energy operations.

As renewable energy continues to dominate new power generation projects across North America and the EU, organizations must find ways to support remote operations without compromising cybersecurity. Wind and solar sites, often remote and digitally connected, demand secure access solutions that meet both operational and regulatory needs.

This webinar explores how energy leaders are balancing efficiency with cyber resilience. We’ll cover the latest guidance from CISA, CCCS, and others, with a spotlight on hardware-enforced, unidirectional remote access, now widely recommended for high-consequence OT environments.

Whether you're planning a new facility or optimizing an existing one, you'll gain insights into:

  • The business impact of secure remote access

  • Safe, scalable deployment strategies

  • Aligning cybersecurity with operational goals

  • Real-world adoption: how renewables operators are deploying these technologies today.

About the Speakers


Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 23,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.

Lior Frenkel

With more than 20 years of hardware and software research and development experience, Mr. Frenkel leads Waterfall Security with extensive business and management expertise. As part of his thought leadership and contribution to the industry, Lior serves as a member of management at the Israeli High-Tech Association (HTA) of the Manufacturers' Association of Israel and as Chairman of the HTA Cyber Forum.

Hardware-Enforced Remote Access (HERA) – Under the Hood
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/hardware-enforced-remote-access-hera-under-the-hood/
Wed, 17 Jul 2024 08:32:39 +0000
Waterfall's HERA is a true interactive OT remote access with unidirectional protection for OT. How does it work?


Hardware-Enforced Remote Access (HERA) – Under the Hood

Waterfall's Hardware-Enforced Remote Access is something new in the world - true interactive OT remote access with unidirectional protection for OT networks. How is this possible?

Andrew Ginter


HERA® - Big Picture

The big picture of HERA is similar to that of conventional, software-based remote access solutions:

Diagram of HERA - Hardware Enforced Remote Access


In a highly automated mine, for example:

  • A remote user, say a laptop on a conference hotel's Wi-Fi network, remoting into the mine across the Internet,

  • The HERA gateway is located at the protected mine site, and

  • The protected OT network is “behind” the gateway – in this example the mining safety and other automation.

The big difference from conventional software-based remote access is what happens inside the HERA gateway.


HERA Gateway

Under the hood of HERA are two instances of Waterfall’s flagship Unidirectional Security Gateways technology. One Unidirectional Gateway is oriented from the protected OT network out to the Internet-exposed IT network or to the Internet directly. That gateway’s hardware is physically able to send information in only one direction – the gateway sends HERA screen images out to the remote user across the Internet. Nothing can get back.

The second gateway under the hood of HERA is a variation of the standard Unidirectional Gateway, and it differs in three ways. First, this second gateway sends HERA's encrypted keystrokes and mouse movements (KMM) back into the OT network through the unidirectional hardware; nothing can get back out through that hardware. Second, the inbound hardware has gate array logic built in, and this logic scans the unidirectional communications and allows only the very simple encrypted HERA KMM records to pass; every other attempt at communication is rejected. Third, on the OT network, that gateway's receiving CPU runs virtual machine (VM) software, creating a brand new VM for each remote user session.

To recap, under the hood of the HERA gateway is:

  • An inbound Unidirectional Gateway, which contains:

    • An Internet-exposed CPU interacting with the remote user / laptop,

    • One-way hardware that permits only encrypted KMM data to pass, and

    • A CPU on the OT network receiving the encrypted KMM data, decrypting that data and sending keystrokes and mouse movements to the remote users’ session VMs,

  • An outbound Unidirectional Gateway, which contains:

    • A CPU on the OT network receiving screen images from the HERA VMs,

    • One-way hardware,

    • A CPU on the IT network or Internet side, sending copies of HERA's session VM screens across the Internet to remote users.

The whole solution fits in 2U of rack space.

A HERA Session

With that background, what does a HERA session look like? The remote user launches the HERA application on their desktop or laptop and chooses one of the configured destinations. This app runs only on computers equipped with a hardware-based Trusted Platform Module (TPM) and uses keys held in the TPM to establish two standard TLS connections to the HERA gateway. One connection sends encrypted KMM information, and the other receives screen images. The remote user sees the image of a VM screen come up, and the user is challenged for a username and password. This is in fact two-factor authentication, with the HERA credentials stored in the laptop's TPM hardware being the second factor.

At this point, the user can move the mouse and type on the keyboard. The HERA app encrypts each keystroke and each mouse movement – this time using a different key in the TPM hardware. The app sends the encrypted KMM through the encrypted TLS connection into the HERA gateway.

Here's the tricky part: the Internet-exposed CPU on the HERA gateway terminates the TLS connection, using keys held in its own TPM, but does not have the keys to decrypt the encrypted KMM. So the Internet-exposed CPU sends the still-encrypted KMM through the one-way hardware into the OT CPU in the HERA device. That OT CPU has the keys to decrypt and authenticate the KMM and sends the decrypted keystrokes and mouse movements into the remote user's virtual session. The virtual mouse moves, keystrokes are consumed by the VM, and new screen images are sent back to the user.

How Secure Is this?

What does this mean security-wise? Imagine that an attacker reaches across the Internet into the target's IT network and uses a zero-day vulnerability to compromise both of the Internet-facing CPUs in the HERA gateway. What is the worst that can happen? The attacker can interrupt the flow of screen images and KMM. But can the attacker send arbitrary attack messages into the OT network to propagate the attack further? No. The outbound gateway hardware lets nothing back in, and the HERA inbound gateway hardware lets only encrypted KMM records back in. And if the attacker tries to forge keystrokes and mouse movements, it does not work: the compromised CPU does not have the keys needed to encrypt and authenticate KMM records. Those keys exist only in the remote user's TPM and on the protected OT-resident CPU, so a forged record fails authentication on the OT side and is discarded.
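To make the session description and the attack scenario above concrete, here is a small Python model of the inbound KMM path. It is an added illustration, not Waterfall's code or wire format: the frame layout, the fixed record size, the `KMM1` marker, the replay counter and the use of HMAC-SHA256 both as a keystream generator and as the authentication tag (standing in for a real AEAD such as AES-GCM) are all assumptions made for the demo. The session secret is shared only by the remote user's TPM and the OT-side CPU; the Internet-exposed CPU relays opaque frames and, when "compromised", can only try to push arbitrary packets, craft frames without the secret, or replay captured ones.

```python
"""Model of HERA's inbound keystroke/mouse (KMM) path, built from the
description above. Constructed stand-in: HMAC-SHA256 is used both as a
keystream generator and as the authentication tag, in place of a real AEAD
such as AES-GCM; frame layout, field sizes and the replay counter are
assumptions, not Waterfall's wire format."""
import hashlib
import hmac
import os
import struct

MAGIC = b"KMM1"                              # assumed marker checked by the gate-array logic
EVENT_LEN = 16                               # fixed plaintext size: type(1) + payload(15)
HEADER_LEN = 4 + 8 + 8                       # magic | seq | nonce
FRAME_LEN = HEADER_LEN + EVENT_LEN + 32      # ... | ciphertext | HMAC-SHA256 tag


def derive_keys(session_secret: bytes):
    """Separate encryption and MAC keys from one session secret. The secret is
    held only by the remote user's TPM and the OT-side CPU."""
    k_enc = hmac.new(session_secret, b"hera-kmm-enc", hashlib.sha256).digest()
    k_mac = hmac.new(session_secret, b"hera-kmm-mac", hashlib.sha256).digest()
    return k_enc, k_mac


def encode_event(kind: str, *args) -> bytes:
    """Serialise a keystroke or mouse move into a fixed-size record."""
    if kind == "key":
        body = b"K" + struct.pack(">H", args[0])            # key code
    elif kind == "mouse":
        body = b"M" + struct.pack(">hh", args[0], args[1])  # dx, dy
    else:
        raise ValueError("unsupported event")
    return body.ljust(EVENT_LEN, b"\x00")


def decode_event(rec: bytes):
    if rec[0:1] == b"K":
        return ("key", struct.unpack(">H", rec[1:3])[0])
    if rec[0:1] == b"M":
        return ("mouse",) + struct.unpack(">hh", rec[1:5])
    raise ValueError("unknown event type")


def seal(session_secret: bytes, seq: int, event: bytes) -> bytes:
    """Client side (runs with the TPM-held secret): encrypt-then-MAC one event."""
    k_enc, k_mac = derive_keys(session_secret)
    header = MAGIC + struct.pack(">Q", seq) + os.urandom(8)
    pad = hmac.new(k_enc, header, hashlib.sha256).digest()[:EVENT_LEN]
    ct = bytes(a ^ b for a, b in zip(event, pad))
    tag = hmac.new(k_mac, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def gate_array_filter(frame: bytes) -> bool:
    """What the inbound one-way hardware is described as doing: admit only
    frames shaped like encrypted KMM records; everything else is dropped."""
    return len(frame) == FRAME_LEN and frame[:4] == MAGIC


class OTReceiver:
    """OT-side CPU: holds the session secret, authenticates, decrypts, feeds the VM."""

    def __init__(self, session_secret: bytes):
        self.k_enc, self.k_mac = derive_keys(session_secret)
        self.last_seq = -1       # assumed replay counter, not described on the page

    def open(self, frame: bytes):
        if not gate_array_filter(frame):
            raise ValueError("rejected by hardware filter")
        header = frame[:HEADER_LEN]
        ct = frame[HEADER_LEN:HEADER_LEN + EVENT_LEN]
        tag = frame[HEADER_LEN + EVENT_LEN:]
        expected = hmac.new(self.k_mac, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad tag: frame was not produced with the session secret")
        seq = struct.unpack(">Q", header[4:12])[0]
        if seq <= self.last_seq:
            raise ValueError("replayed frame")
        self.last_seq = seq
        pad = hmac.new(self.k_enc, header, hashlib.sha256).digest()[:EVENT_LEN]
        return decode_event(bytes(a ^ b for a, b in zip(ct, pad)))


def demo():
    secret = os.urandom(32)      # provisioned into the user's TPM and the OT CPU
    ot = OTReceiver(secret)
    results = {}
    # Legitimate session: the Internet-exposed CPU merely relays opaque frames.
    results["key"] = ot.open(seal(secret, 1, encode_event("key", 0x41)))
    results["mouse"] = ot.open(seal(secret, 2, encode_event("mouse", -3, 7)))
    # Compromised Internet-exposed CPU, attempt 1: push an arbitrary packet.
    results["arbitrary"] = gate_array_filter(b"GET /config HTTP/1.1\r\n")
    # Attempt 2: a correctly shaped frame built without the session secret.
    try:
        ot.open(seal(os.urandom(32), 3, encode_event("key", 0x41)))
        results["forged"] = "accepted"
    except ValueError as e:
        results["forged"] = str(e)
    # Attempt 3: replay a captured legitimate frame.
    good = seal(secret, 4, encode_event("key", 0x42))
    ot.open(good)
    try:
        ot.open(good)
        results["replay"] = "accepted"
    except ValueError as e:
        results["replay"] = str(e)
    return results
```

The point to take from the model is the placement of trust: the only party that can produce a frame the OT side accepts is one holding the session secret, and the Internet-facing relay never holds it, so its compromise yields denial of service at worst. The replay check is a practitioner's addition; the page does not say how HERA handles replayed KMM.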

Contrast this with a firewall and software-based remote access solution. Exploit unpatched vulnerabilities in the firewall, VPN server or a complex remote access protocol server and we are in serious trouble. The attacker can reach through the compromised system software and send whatever messages they wish into the OT network to wreak havoc there. Yes, an attack on HERA’s Internet-exposed CPUs can cause the remote access solution to become inoperative, but at most sites this is an inconvenience, not a serious incident. At most sites, remote access saves a little money by reducing travel costs – remote access is generally not required to assure minute-by-minute correct operation of the industrial process.

Bottom Line - a Spectrum of Security

Where does HERA fit within the broader spectrum of remote access solution security? In the illustration, HERA is positioned as stronger than software security, between Unidirectional Secure Bypass and Unidirectional Remote Screen View technologies:

HERA hierarchy of security

  • Conventional software-based remote access products, at the bottom of the diagram, have vulnerabilities and rely on firewall software to secure OT networks,

  • Secure Bypass is a technology that temporarily enables bi-directional communications into a conventional software-based solution – Secure Bypass provides the OT site with local, physical control over when and how long remote users can access OT networks,

  • HERA is hardware-enforced remote access,

  • Unidirectional Remote Screen View sends copies of OT screen images out to external users through unidirectional hardware, while remote experts watching those screens give real-time instructions over the phone to engineers on site, who move the mouse, and

  • No remote access at all at the top of the illustration is the most secure option, but is also generally the most expensive option, because industrial sites are unable to take advantage of remote services and service providers.

The bottom line – HERA is something new in the world – the benefits of true interactive remote access without the risk that Internet-based attacks will use remote access vulnerabilities to attack OT targets.

For more details, please contact Waterfall to request a free consultation with a Waterfall HERA expert.

Remote Access Vulnerabilities and a Hardware-Enforced Solution
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/remote-access-vulnerabilities-and-a-hardware-enforced-solution/
Tue, 16 Jul 2024 08:06:50 +0000
Remote access for OT is vital for maintaining efficiencies, troubleshooting, and is also important for retaining remote workers. But most remote access solutions pose a range of security risks. We introduce HERA – Hardware-Enforced Remote Access – as a safer alternative.


Remote Access Vulnerabilities and a Hardware-Enforced Solution

Remote access for OT is vital for maintaining efficiencies, troubleshooting, and also important for retaining remote workers. But most remote access solutions pose a range of security risks that might be exposing critical systems to the Internet. We take a look at three major breaches of remote access VPN and two-factor authentication systems and introduce HERA – Hardware-Enforced Remote Access – as a safer alternative.

Andrew Ginter


OT vulnerabilities are security weaknesses in Operational Technology (OT) systems that control industrial equipment and processes. These flaws, such as outdated software, weak authentication, or insecure network connections, can be exploited by attackers to disrupt operations, damage assets, or compromise safety in critical infrastructure environments.

Remote access is seen as essential by many industrial operations – essential for trouble-shooting remote installations, enabling vendor experts to log in and help out with difficult problems, and sometimes even as a perk to help retain a white-collar workforce that grew accustomed to remote work in the pandemic. Remote access is also seen as dangerous by most practitioners – remote access provides both legitimate users and our enemies with direct access from the Internet into our critical systems. This concern is well-placed – in this article we review three serious, widespread breaches of remote access VPN and two-factor authentication systems, and we introduce HERA – Hardware-Enforced Remote Access – an alternative to vulnerable, software-based solutions.


TunnelVision VPN Bypass

In the beginning of May 2024, Leviathan Security Group disclosed the "TunnelVision" vulnerability (CVE-2024-3661), which lets attackers intercept VPN traffic for almost all VPN software on almost all operating systems except Android. By using the DHCP protocol to attack the operating system's routing table rather than the VPN itself, TunnelVision works below the level of the VPN and thus defeats most VPN products that allow laptops to participate "virtually" in distant, sensitive networks, on all of Windows, macOS, iOS and Linux.

For the technically inclined: to attack a target, the attacker must be on the same local network as the target, a public coffee shop Wi-Fi hot spot for example. When the victim's machine connects to the network and issues a DHCP request to acquire an IP address, the attacker's rogue DHCP server answers faster than the coffee shop router does (or is the only server still answering, once the attacker has exhausted the legitimate lease pool). The attacker's lease carries DHCP option 121 (classless static routes), which installs routes in the victim's machine that are more specific than the routes the VPN client installed. Because the operating system always picks the most specific matching route, traffic that would normally go through the VPN is sent to the attacker's machine instead, and it arrives there without ever having been encrypted by the VPN. The VPN client itself keeps running and still reports that it is connected.

There are reports that this vulnerability was known, at least in part, as early as 2015, and there is speculation that the vulnerability, or a variation thereof, has been used for some time by nation-state adversaries.
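The routing mechanics are easier to see in code than in prose. The Python below is an added illustration, not part of the original article or of Leviathan's disclosure: it encodes and decodes a DHCP option 121 value exactly as RFC 3442 lays it out, installs the decoded routes in a minimal longest-prefix-match table alongside the two /1 routes that VPN clients commonly use to override the default route, and shows which interface a packet to a remote access server leaves through before and after the rogue lease. The interface names, the addresses, the `10.0.0.66` attacker next hop and the choice of four /2 routes are assumptions made for the demo.

```python
"""Routing-table model of the TunnelVision technique described above.
Constructed illustration: interface names, addresses and the four /2 routes
are assumptions chosen for the demo, not values from the disclosure."""
import ipaddress

ATTACKER_GW = "10.0.0.66"      # rogue DHCP server and next hop on the hotspot LAN


class RoutingTable:
    """Minimal longest-prefix-match forwarding table."""

    def __init__(self):
        self.routes = []        # (network, next hop or None, interface)

    def add(self, cidr, iface, via=None):
        self.routes.append((ipaddress.ip_network(cidr), via, iface))

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        best = None
        for net, via, iface in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via, iface)
        return best


def encode_option_121(routes):
    """Build a DHCP option 121 value (RFC 3442 classless static routes) from
    (cidr, router) pairs: prefix length, only the significant destination
    octets, then the 4-byte router address."""
    out = b""
    for cidr, router in routes:
        net = ipaddress.ip_network(cidr)
        n = (net.prefixlen + 7) // 8
        out += bytes([net.prefixlen]) + net.network_address.packed[:n]
        out += ipaddress.ip_address(router).packed
    return out


def parse_option_121(data):
    """Decode option 121 the way a DHCP client does, yielding (network, router)."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        n = (plen + 7) // 8
        dest = int.from_bytes(data[i + 1:i + 1 + n].ljust(4, b"\x00"), "big")
        router = ipaddress.ip_address(data[i + 1 + n:i + 5 + n])
        routes.append((ipaddress.ip_network((dest, plen)), router))
        i += 5 + n
    return routes


def victim_table(rogue_lease=None):
    """Routes on the victim laptop: hotspot LAN, default via the hotspot router,
    then the VPN client's usual override of the default route with two /1
    routes through the tunnel interface."""
    rt = RoutingTable()
    rt.add("10.0.0.0/24", "wlan0")
    rt.add("0.0.0.0/0", "wlan0", via="10.0.0.1")
    rt.add("0.0.0.0/1", "tun0")
    rt.add("128.0.0.0/1", "tun0")
    if rogue_lease is not None:
        # DHCP clients install option 121 routes on the physical interface.
        for net, router in parse_option_121(rogue_lease):
            rt.add(str(net), "wlan0", via=str(router))
    return rt


# Four /2 routes are more specific than the VPN's /1 routes and cover all of IPv4.
ROGUE_LEASE = encode_option_121([
    (cidr, ATTACKER_GW)
    for cidr in ("0.0.0.0/2", "64.0.0.0/2", "128.0.0.0/2", "192.0.0.0/2")
])


def egress(dst, attacked):
    """Interface and next hop the kernel would choose for dst."""
    net, via, iface = victim_table(ROGUE_LEASE if attacked else None).lookup(dst)
    return iface, via


if __name__ == "__main__":
    target = "203.0.113.10"   # constructed: the remote access server behind the VPN
    print("before:", egress(target, False))   # ('tun0', None)
    print("after: ", egress(target, True))    # ('wlan0', '10.0.0.66')
```

Nothing in the VPN process is touched, which is why the client keeps reporting a healthy tunnel; the leak is entirely a routing decision. Mitigations work at that same layer: running the VPN in its own network namespace, or firewall rules that forbid non-tunnel egress, rather than patching the VPN software.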

Chinese Attackers Infect 20,000 Fortinet VPN Devices

In late 2022 and early 2023, Chinese state-sponsored attackers infected between 14,000 and 20,000 Fortinet FortiGate VPN appliances. The attack vector was a remote code execution vulnerability in the FortiOS SSL-VPN (CVE-2022-42475) that let the attackers take control of the VPN devices and install their "CoatHanger" malware. CoatHanger is a Remote Access Trojan (RAT) that lets the attackers remotely monitor and further attack the "protected" network to which the compromised VPN device was providing remote access. CoatHanger is reported to be extremely difficult to detect on a compromised VPN appliance, even if you know what you are looking for. Worse, CoatHanger survives device reboots and in some cases even survives upgrading the firmware on the compromised devices.

EvilProxy Bypasses Remote Access 2FA

In 2023, Proofpoint documented a phishing campaign, built on the EvilProxy phishing-as-a-service kit, that included technology to defeat two-factor authentication on web-based accounts. The phishing emails tricked victims into clicking links to what they thought were their legitimate Microsoft cloud services. In fact, the links led to malicious websites which, acting as reverse proxies, forwarded each request on to the legitimate Microsoft sites and forwarded the responses back to the victims. The malicious sites thus looked and behaved exactly like the Microsoft sites. The victims then used their normal passwords and two-factor authentication mechanisms to log into the legitimate Microsoft websites, through the proxy.

Because the malicious site terminated the victim's TLS connection and opened its own connection to Microsoft, it saw all of these credentials in plaintext. Once two-factor authentication was complete, the malicious site copied the session cookies out of the intercepted responses, the cookies that identified the now-authenticated sessions. The attackers then immediately used these session cookies themselves, impersonating the victims and essentially "stealing" their active login sessions to the Microsoft services.

This same attack technique works with essentially all web services, including web-based remote access systems, whenever the second factor is something the user can be tricked into relaying (a one-time code or a push approval) rather than a credential bound to the site's origin.
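The Python below is an added illustration of the attack just described, not code from the original article or from the EvilProxy kit. Three constructed parties interact: a legitimate identity provider, a victim, and a reverse proxy on a look-alike origin that relays every request and keeps a copy of what passes through. The first scenario reproduces the session-cookie theft with a one-time-code second factor. The second goes beyond the text to show why an origin-bound second factor (a WebAuthn-style assertion over client data that names the origin the browser actually connected to) is not relayed successfully: the proxy can forward the assertion but cannot change the origin inside it. The origins, the user record, and the use of HMAC in place of the authenticator's real ECDSA signature are assumptions made for the demo; challenge freshness is omitted for brevity.

```python
"""Attacker-in-the-middle (AiTM) phishing model, as described above.
Constructed illustration: origins, user record and HMAC-as-signature are
stand-ins chosen for the demo; challenge freshness is not tracked."""
import hashlib
import hmac
import json
import os
import secrets

IDP_ORIGIN = "https://login.example"          # assumed legitimate service
PROXY_ORIGIN = "https://login-example.evil"   # assumed phishing host


class IdentityProvider:
    """Legitimate web service that issues a session cookie after password + 2FA."""

    def __init__(self):
        self.users = {"alice": {"pw": "hunter2", "otp": "492871",
                                "authn_key": os.urandom(32)}}
        self.sessions = {}

    def _issue(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def login_otp(self, user, pw, otp):
        u = self.users.get(user)
        if not u or u["pw"] != pw or u["otp"] != otp:
            return None
        return self._issue(user)

    def login_webauthn(self, user, pw, assertion):
        u = self.users.get(user)
        if not u or u["pw"] != pw:
            return None
        # The authenticator signed client_data, which embeds the origin the
        # browser was really talking to; a relay cannot rewrite it without
        # breaking the signature.
        expected = hmac.new(u["authn_key"], assertion["client_data"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None
        if json.loads(assertion["client_data"])["origin"] != IDP_ORIGIN:
            return None
        return self._issue(user)

    def whoami(self, cookie):
        return self.sessions.get(cookie)


class Authenticator:
    """Victim's platform authenticator. Stand-in: HMAC in place of ECDSA."""

    def __init__(self, key):
        self.key = key

    def get_assertion(self, origin, challenge):
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True)
        sig = hmac.new(self.key, client_data.encode(), hashlib.sha256).hexdigest()
        return {"client_data": client_data, "signature": sig}


class EvilProxy:
    """Terminates the victim's TLS, relays each request to the real IdP,
    and keeps a copy of everything that passes through."""

    def __init__(self, idp):
        self.idp = idp
        self.captured = {}

    def relay_login_otp(self, user, pw, otp):
        self.captured.update(user=user, pw=pw, otp=otp)
        self.captured["cookie"] = self.idp.login_otp(user, pw, otp)
        return self.captured["cookie"]

    def relay_login_webauthn(self, user, pw, assertion):
        self.captured.update(user=user, pw=pw)
        return self.idp.login_webauthn(user, pw, assertion)


def demo():
    idp = IdentityProvider()
    proxy = EvilProxy(idp)
    authn = Authenticator(idp.users["alice"]["authn_key"])
    out = {}
    # Scenario 1: password + OTP relayed through the proxy; the proxy now
    # holds a live session cookie and can act as alice.
    proxy.relay_login_otp("alice", "hunter2", "492871")
    out["otp_session_hijacked"] = idp.whoami(proxy.captured["cookie"])
    # Scenario 2: the browser is on the phishing origin, so the authenticator
    # signs that origin; the IdP rejects the relayed assertion.
    a = authn.get_assertion(PROXY_ORIGIN, secrets.token_hex(8))
    out["webauthn_via_proxy"] = proxy.relay_login_webauthn("alice", "hunter2", a)
    # Control: the same authenticator talking directly to the real origin works.
    a = authn.get_assertion(IDP_ORIGIN, secrets.token_hex(8))
    out["webauthn_direct"] = idp.whoami(idp.login_webauthn("alice", "hunter2", a))
    return out
```

The password and the one-time code are both things the victim can be induced to type into the wrong site; the origin inside a signed WebAuthn assertion is not. For a web-based remote access portal this is the practical difference between "2FA enabled" and "resistant to a proxy on a look-alike domain".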

Hardware-Enforced Remote Access

The common theme? These are all vulnerabilities that compromise software-based remote access systems. Hence the problem: many critical infrastructures really do need remote access, but today’s software-based remote access systems are vulnerable to too many kinds of attacks. What the world needs now is hardware-enforced remote access.

The good news: Waterfall Security has just announced a new Hardware-Enforced Remote Access (HERA) solution. The hardware sends only encrypted keystrokes and mouse movements into the OT network, not arbitrary TCP packets through a firewall. Even if all the software on the Internet-facing CPUs in the HERA device is compromised, the attacker still cannot reach into, manipulate, or propagate malware into the protected OT network. HERA delivers the benefits of remote access without the risk of attacks compromising the HERA server and propagating into the OT network.

To learn more about HERA, contact Waterfall, or register for Waterfall's July 31, 2024, webinar on HERA.
