ot remote access – Waterfall Security Solutions
https://waterfall-security.com
Unbreachable OT security, unlimited OT connectivity
Feed generated Tue, 31 Mar 2026 23:03:17 +0000

Webinar: 13 Ways To Break “Secure” OT Remote Access Systems
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/webinar-13-ways-to-break-secure-ot-remote-access-systems/
Sun, 29 Mar 2026 10:58:06 +0000

Explore 13 ways attackers can break OT remote access systems, see which SRAs are most vulnerable and which are most deserving of the “secure” title.


Webinar: 13 Ways To Break “Secure” OT Remote Access Systems

and the questions you should be asking your OT SRA vendor...

 

Join us on April 23, 2026, 11am NY Time

How much security do “secure” remote access solutions really provide? We’re laying all the cards on the table.

In this webinar, we’ll explore 13 ways attackers can break OT remote access systems, show which SRAs are most vulnerable & which are most deserving of the “secure” title.

We’ll finish with the questions you should be asking vendors to understand how exposed their solutions are.


Understanding attacks is essential to designing robust defenses. One way to compare the strength of competing OT SRA solutions is to compare the attacks those solutions defeat reliably, vs the attacks they do not defeat. 

In this webinar, we cover a lucky 13 ways to break “secure” remote access systems, and look at which kinds of systems are vulnerable to each kind of attack.

We finish with questions to ask “secure” OT remote access vendors to understand how exposed their solutions are to these kinds of attacks. 

In this session we cover VPNs, jump hosts and DMZs, and we look at the more modern cloud / broker / rendezvous architectures, as well as more deterministic, hardware-enforced solutions.

The 13 Attacks We’ll Be Covering: 

1) Shoulder surfing attacks – how attackers capture credentials without hacking

2) Social engineering users – exploiting human behavior to gain access

3) Password guessing & brute-force attacks – why weak credentials still succeed

4) Help desk social engineering – bypassing security through support teams

5) Rogue OT remote access (SRA) – unauthorized remote connections into OT networks

6) Exploiting outdated encryption – breaking legacy crypto protocols still supported

7) Malware passing through VPNs – how threats propagate inside trusted remote connections

8) Malware hiding in file transfer & clipboards – hidden risks in everyday remote workflows

9) Session hijacking & stealing logged-in cell phones – taking over active authenticated sessions

10) Exploiting known vulnerabilities – patching gaps and N-days lead to breaches

11) Stealing cookies to hijack browser sessions – compromising web-based remote access and password vaults

12) Zero-day exploitation in OT remote access – how unknown vulnerabilities are weaponized

13) Bypassing remote access entirely – when attackers go straight through the firewall

Join us on April 23rd to understand attacks and look at questions we should be asking our OT "Secure" Remote Access vendors.

About the Speaker


Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 35,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.

Cyber-Informed Engineering Recognized with Cyber Policy Award for Research Impact
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/cyber-informed-engineering-recognized-with-cyber-policy-award-for-research-impact/
Wed, 18 Mar 2026 14:02:45 +0000

The recognition of CIE highlights a broader shift in how cyber risk is being understood and managed in industrial environments.


Cyber-Informed Engineering Recognized with Cyber Policy Award for Research Impact


Waterfall team


The growing importance of Cyber-Informed Engineering (CIE) was recently recognized with a Cyber Policy Award for Research Impact from the Institute for Security and Technology. 

The award honors a team whose work has helped advance CIE as a framework for addressing cyber risk in critical infrastructure. Among those honored were: 
 
• Virginia Wright and Benjamin Lampe, leading the development of CIE at Idaho National Laboratory,

• Cheri Caddy of Savannah River National Laboratory, who led the development of the CIE strategy and worked in the White House with the Department of Energy to secure funding for the CIE initiative,

• Andrew Ohrt of West Yost, who led the deployment of CIE in the water sector and developed a number of publicly available resources to illustrate how to use CIE in critical infrastructures, and

• Our own Andrew Ginter, VP Industrial Security at Waterfall Security Solutions, who contributed industry perspectives to the CIE initiative, and whose book, speaking and podcast helped increase awareness of CIE in the OT security community at large.
 
The recognition of CIE highlights a broader shift in how cyber risk is being understood and managed in industrial environments. 
Cyber Policy Award Winners 2026

What is Cyber Informed Engineering?

Cyber-Informed Engineering is “the big umbrella” – bringing together relevant parts of safety engineering, protection engineering, automation engineering, network engineering, and most of cyber security into a comprehensive body of knowledge for addressing cyber risks to physical operations. The body of knowledge looks at the problem of OT cybersecurity from the engineering perspective:

• Addressing high-consequence risks first, consistent with industrial engineering practices, and addressing high-frequency, low-impact irritants only secondarily,

• Encouraging modest design changes to physical processes to take entire sets of consequences and attack vectors off the table – avoiding / eliminating risk rather than merely mitigating the risk / reducing frequency of high-consequence events,

• Recognizing that the key objective in terms of preventing most truly unacceptable outcomes is preventing sabotage rather than espionage, and recommending strong oversight / control of online and offline communication channels that can transmit attack information into sensitive systems.

In short, CIE is positioned as “a coin with two sides.” One side is cybersecurity – teach engineering teams about cyber threats, about cybersecurity tools, and about the intrinsic limitations of such tools, so that these teams can evaluate residual risks. The other side is engineering – overpressure relief valves, manual fall-backs and other “unhackable” mitigations for all types of risk – including cyber risks. This engineering side of the coin has been under-represented in most OT security advice to date, and represents a big opportunity to dramatically improve OT security outcomes.

Cyber Policy Award winners

“CIE is the most important innovation in OT security in 20 years – bringing the engineering risk-management perspective and powerful engineering tools and approaches to bear on the problem of assuring safe, reliable and efficient physical operations, in an increasingly hostile cyber threat environment.”

Waterfall and Cyber Informed Engineering

At Waterfall Security Solutions, we believe in the principles of CIE. Just as the public expects bridges to carry a specified load, in a specified operating environment, for a specified number of decades, with a large margin for error, increasingly society demands that automation systems for physical operations carry a specified threat load, until at least the next opportunity to upgrade our defenses, with a large margin for error. And society generally expects that “carry a specified threat load” means to carry that load deterministically, with a very high degree of confidence.

This philosophy is very compatible with Waterfall’s own Unidirectional Gateways and hardware-enforced solutions. Our solutions are part of the Network Engineering body of knowledge – hardware-enforced / deterministic tools to prevent cyber attacks from pivoting through consequence boundaries: connections between networks with dramatically different worst-case consequences of compromise.

To learn more about Cyber-Informed Engineering and the work of Andrew Ginter, who was recognized with the Cyber Policy Award for Research Impact, you can request a copy of his book, Engineering-Grade OT Security: A Manager’s Guide.

Waterfall Security Solutions recognized by Gartner®
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/waterfall-security-solutions-recognized-by-gartner/
Mon, 09 Mar 2026 10:07:27 +0000

Waterfall Security is pleased to announce our inclusion in Gartner’s recent Market Guide for CPS Secure Remote Access report.


Waterfall Security Solutions recognized by Gartner®


Waterfall team


Waterfall Security, the leader in hardware-enforced OT security and remote access for cyber physical systems (“CPS”), is pleased to announce our inclusion in Gartner’s recent Market Guide for CPS Secure Remote Access report.

Gartner points out that “traditional remote access methods, such as VPNs, jump boxes or emerging approaches such as IT remote privileged access management (RPAM) products, lack the granularity and contextual knowledge needed for production or mission-critical environments,” and recommends organizations “replace VPNs and proceed with caution with IT-centric tools”. In the representative vendors section, the report identifies Waterfall for its new HERA (Hardware-Enforced Remote Access) product as a Representative Vendor.

Hardware-Enforced Remote Access

How does HERA’s “physics” work? The Waterfall HERA product is a pair of asymmetric, cooperating Unidirectional Security Gateways, each physically able to send information in only one direction. The outbound gateway sends encrypted screen images out of the OT network. The inbound gateway sends encrypted keystrokes, mouse movements and other HERA protocol information into the OT network. The inbound gateway contains a hardware filter that passes only HERA information – all IP packets are discarded. In addition, login/encryption credentials are stored securely in TPM hardware in the remote HERA client computer, as well as in TPM hardware in the HERA gateway on the OT side – this in addition to conventional software-based multi-factor authentication (MFA) mechanisms.

“We are pleased to be recognized in the Gartner Market Guide. Waterfall’s hardware-enforced solutions, including Unidirectional Gateways and HERA, are designed to eliminate entire classes of network-borne attack vectors.”
– Lior Frenkel, CEO


Modern OT Remote Access

Today’s industrial operations expect remote access products with modern features, including: zero-trust-style granular access, MFA, a guaranteed protocol break, just-in-time session control, and the ability to inspect and terminate existing sessions, especially in NERC CIP and other regulated environments. Waterfall’s HERA provides all of these industry-leading features, in addition to the unique hardware-enforced security measures.

OT remote access is increasingly common and is increasingly seen as a serious threat to the security of industrial operations. The latest advice from CISA, CCCS and other government authorities regarding OT remote access states that the risk of exploiting VPN and other software vulnerabilities can “become detrimental to business operations.” As a result, these authorities recommend that “business owners should consider hardware-enforced solutions.” The era of “physics-based” and hardware-enforced solutions is upon us.

To explore Waterfall’s HERA, download the Waterfall Guide: Rethinking Secure Remote Access for Industrial and OT Networks.

Gartner, Market Guide for CPS Secure Remote Access, Katell Thielemann, Wam Voster, Sumit Rajput, 3 February 2026.

GARTNER is a trademark of Gartner, Inc. and/or its affiliates. Gartner does not endorse any company, vendor, product or service depicted in its publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner publications consist of the opinions of Gartner’s business and technology insights organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this publication, including any warranties of merchantability or fitness for a particular purpose.

Secure Remote Access for Critical Infrastructure: What’s at Stake?
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/secure-remote-access-for-critical-infrastructure-whats-at-stake/
Tue, 31 Dec 2024 07:34:04 +0000

One of the most significant vulnerabilities in OT security for critical infrastructure is the risk posed by remote access into OT.


Secure Remote Access for Critical Infrastructure: What’s at Stake?

OT Remote Access needs to be far more secure than IT remote access. There is a good reason why.

Waterfall team

OT Remote Access with OT security in mind

In our hyper-connected world, critical infrastructure—power plants, water systems, transportation networks, airports, seaports, and anything else that can’t simply be “turned off”—is the backbone of modern society. These systems provide essential services that underpin daily life and economic stability. However, as these infrastructures become increasingly digitized and interconnected, the challenge of securing them from cyber threats becomes ever more important. 

One of the most significant vulnerabilities in OT security for critical infrastructure is the risk posed by remote access into OT. While remote access is essential for operational efficiency and emergency response, it also opens doors for potential cyberattacks. Understanding what’s at stake and how to address these challenges is vital to understanding what securing critical infrastructure requires.


The High Stakes of Critical Infrastructure

Critical infrastructure is a juicy target for cybercriminals, nation-state actors, and hacktivists. A successful breach can lead to:

Widespread Disruption: An attack on the power grid could result in prolonged blackouts, affecting millions. Similarly, a breach in water systems could disrupt supply or even compromise water safety. 

Economic Impact: Downtime in transportation networks or energy systems can cost billions in lost productivity and revenue. 

Public Safety Risks: Malicious actors could manipulate transportation systems, potentially causing accidents, or disrupt healthcare facilities reliant on stable power. 

National Security Threats: Infiltration of critical systems can serve as a precursor to broader attacks during geopolitical conflicts. 

You get the picture. Critical infrastructures are heavily cyber-targeted. And at the same time the option of “turning it off” is not a good option, and if it does go off, it must come back on as a top priority.

Challenges in Securing Remote Access

Securing remote access to critical infrastructure is uniquely challenging due to several factors: 

So Many Legacy Systems: Many critical infrastructure systems run on legacy technology designed decades ago, when cybersecurity was not a design consideration. Retrofitting or replacing these systems with modern security measures is complex and expensive.

The OT vs IT Standoff: OT environments prioritize availability and safety, while IT focuses on data confidentiality and integrity. Bridging this cultural and technological gap is a persistent challenge across many critical industries. Large strides have been made on this issue with Cyber-informed Engineering (CIE). One interesting facet about CIE, which was originally championed by the Idaho National Laboratory, is that it presents new solutions to cyber security problems that don’t need to exist in the first place.

Far and Away: Critical infrastructure often spans vast and distant areas, requiring remote access for maintenance and monitoring. This reliance on remote connectivity increases the attack surface if not done in a way that deterministically keeps away remote threats.

Cloudy with a chance of Third-Party Access: Vendors and contractors often require remote access for system updates and repairs. Sometimes that access is even required as part of warranty agreements. Many of the more recent analytical services require connecting critical machinery to the cloud. This external access poses a significant attack surface. 

Advancing Advanced Threats: Attackers targeting critical infrastructure are often highly skilled and well-funded, employing sophisticated methods such as supply chain attacks and zero-day vulnerabilities. Their numbers seem to be growing as governments build up and develop their cyber capabilities.

Hardware Enforcements for Secure Remote Access

Despite these challenges and evolving threats, Waterfall offers several solutions that address these problems:

HERA – Hardware Enforced Remote Access. HERA uses hardware to enforce the remote access. Software can be hacked from afar, but hardware can only be modified when you are standing right next to it. This is how HERA provides secure OT remote access:

One-way remote screen connection: HERA’s outbound connection that shows the remote screen is independent of the inbound connection. The remote screen is duplicated using a one-way fiber-optic cable and then that duplicate is viewed remotely. The hardware required for sending information back through this connection is physically missing, denying such a possibility to cyberattackers.

One-way connection for mouse and keyboard: HERA’s inbound connection also flows in only one direction, from a dedicated laptop using the ███████ protocol, and only transmitting mouse movements and keyboard strokes. No files or images can be uploaded over this connection. No information from this connection can flow back into the laptop, only outbound, and only mouse moves and keys.

There are no TCP/IP packets crossing the IT/OT boundary. If you’d like clarification regarding this technical point, we encourage you to speak to one of our OT remote access specialists, who can fully explain how it works.

Additional hardware measures for additional security: Additional security measures are in place on the embedded hardware of the laptop, such as Intel’s TPM, while the keystrokes and mouse moves are encrypted.

The Strictly Unidirectional Option: For certain systems and machinery, a Unidirectional Security Gateway will suffice, without the need for full remote access. The machinery’s OT data is duplicated onto a server, which is then accessed remotely. The data on the duplicate server is updated continuously, in real time, over a unidirectional connection: it is updated immediately, yet not a line of code can ever make it back onto the machinery’s systems. If occasional changes need to be made remotely, the remote user can phone someone physically near the machinery and have them make the required adjustments.

Waterfall Tamperproof Blackbox

Tamper-proof Logs: While unidirectional technology is able to neutralize remote threats, there still persists the risk from insiders as well as embedded threats: threats that might come from foreign-made machinery with a “backdoor” embedded in the technology, such as ship-to-shore cranes. Attackers using such sophisticated methods are known for “covering their tracks” and erasing the event logs of their actions. By maintaining a tamper-proof copy of the logs, if a breach is ever suspected, the two copies can be compared for discrepancies so that whatever was deleted is quickly found. This usually also helps narrow down what the attackers were after.
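The log-comparison idea described above, as an added example that is not part of the original post and is not Waterfall’s Blackbox implementation: a copy of each event is appended to a hash-chained store fed over a one-way channel (so the monitored host cannot reach back and rewrite it), and an investigator later diffs that protected copy against the live log to recover deleted or injected entries. The event lines, the chain format and the function names are constructed assumptions for illustration.

```python
import hashlib

# Constructed sample data (hypothetical, not Waterfall Blackbox records):
# the events as they were forwarded to the protected copy at the time,
# and the live log as it was found on the host after a suspected breach.
FORWARDED_EVENTS = [
    "2024-05-01T10:00:00Z login user=operator src=10.0.1.5",
    "2024-05-01T10:02:13Z config_change object=PLC-7 param=setpoint old=40 new=95",
    "2024-05-01T10:02:40Z login user=svc_backup src=10.0.1.99",
    "2024-05-01T10:05:00Z logoff user=operator",
]

LIVE_LOG_AFTER_INCIDENT = [
    "2024-05-01T10:00:00Z login user=operator src=10.0.1.5",
    "2024-05-01T10:05:00Z logoff user=operator",
]

GENESIS = "0" * 64  # hash value that precedes the first record


def append_chained(chain, line):
    """Append a record whose hash commits to the previous record's hash.

    Because each digest covers the previous digest, an attacker who later
    gains write access to the store cannot remove or alter an earlier
    record without breaking every record that follows it.
    """
    prev = chain[-1]["hash"] if chain else GENESIS
    digest = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
    chain.append({"line": line, "prev": prev, "hash": digest})
    return chain


def build_chain(lines):
    """Build a protected copy from the events as they were forwarded."""
    chain = []
    for line in lines:
        append_chained(chain, line)
    return chain


def verify_chain(chain):
    """Return True only if every record is consistent with its predecessor."""
    prev = GENESIS
    for rec in chain:
        expected = hashlib.sha256((prev + "\n" + rec["line"]).encode()).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return False
        prev = rec["hash"]
    return True


def find_discrepancies(chain, live_lines):
    """Diff the protected copy against the live log.

    'deleted' lists events present in the protected copy but missing from
    the live log; 'injected' lists live-log lines the protected copy never
    saw. Order is preserved so the investigator sees the event sequence.
    """
    protected = [rec["line"] for rec in chain]
    live_set = set(live_lines)
    protected_set = set(protected)
    return {
        "deleted": [ln for ln in protected if ln not in live_set],
        "injected": [ln for ln in live_lines if ln not in protected_set],
    }


if __name__ == "__main__":
    protected_copy = build_chain(FORWARDED_EVENTS)
    print("protected copy intact:", verify_chain(protected_copy))
    report = find_discrepancies(protected_copy, LIVE_LOG_AFTER_INCIDENT)
    for line in report["deleted"]:
        print("DELETED from live log:", line)
    for line in report["injected"]:
        print("INJECTED into live log:", line)
```

On the constructed data the diff surfaces the two erased events, the setpoint change on PLC-7 and the service-account login that preceded it, which is exactly the kind of evidence that points at what the intruder was after.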

Let’s Not Forget Compliance and Regulations

Unidirectional technology and hardware enforced OT remote access also boast strong regulatory compliance. This includes adherence to IEC 62443, NIS2, NERC CIP, and many more, including recommended best practices such as connecting OT to AWS (Amazon Web Services).

So, in Conclusion

The stakes for securing remote access to critical infrastructure could not be higher. Disruptions to power, water, or transportation systems can ripple across societies, causing economic turmoil, public safety crises, and national security vulnerabilities. While the challenges in securing remote access for OT are complex, a deterministic approach that combines hardware enforcement with advanced software can neutralize these risks and safeguard these vital systems, all while adhering to strict regulatory requirements.


In this digital age, ensuring the security of critical infrastructure is not just an operational necessity—it is a strategic imperative. The question is not if we can afford to invest in secure remote access but if we can afford not to.

 

Webinar: Navigating OT Remote Access – Technologies, Limitations, and the Latest Recommendations
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/webinar-navigating-ot-remote-access-technologies-limitations-and-the-latest-recommendations/
Tue, 08 Oct 2024 12:13:04 +0000

Watch this insightful webinar as we delve into the rapidly evolving landscape of OT remote access. With the surge in remote access to OT networks, industrial operations and critical infrastructures are under pressure to enhance their security measures.


Webinar: Navigating OT Remote Access – Technologies, Limitations, and the Latest Recommendations

Watch the webinar to discover cutting-edge OT remote access strategies.

Watch the insightful webinar where we delve into the rapidly evolving landscape of OT remote access. With the surge in remote access to OT networks, industrial operations and critical infrastructures are under pressure to enhance their security measures. 

In this webinar, Andrew Ginter takes us through:

The Rise of Remote Access: Understand the dramatic increase in remote access to OT networks and its implications.

Technology Choices: Explore a variety of remote access technologies, each with unique costs, benefits, and security limitations.

Security Challenges: Learn why CISA and other authorities are advising against traditional VPNs and other “secure” remote access technologies.

In-Depth Analysis: Get a detailed look at the limitations of current technologies and the evolution of the solution space.

Latest Recommendations: Discover the cutting-edge OT remote access technologies recommended by recent government guidelines.

Meet Your Expert Guide:


Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 35,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.
IT Remote Access VS. OT Remote Access
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/it-remote-access-vs-ot-remote-access/
Sun, 01 Sep 2024 12:48:55 +0000

An outline comparing the key differences between remote access used in an IT environment and remote access solutions that cater to an industrial OT environment.


IT Remote Access VS. OT Remote Access

An outline and comparison of the key differences between remote access used in an IT environment, and remote access solutions that cater to an industrial OT environment.

Waterfall team

IT remote access vs OT remote access

When it comes to Remote Access, pretty much all available solutions deliver a very similar user experience. The user logs in and accesses another computer or device. But when we look a bit deeper, there are some very deep variations that come into consideration, especially when it comes to cybersecurity. The purpose and goals of remote access vary greatly between different uses and the acceptable levels of security.

In one of our previous blog posts, HERA Under the Hood, we covered how HERA works by explaining its technical functions and tasks. Here, we are going to outline how HERA is used and all the ways it differs from common IT Remote Access solutions.

“The purpose and goals of remote access vary greatly between different uses and the acceptable levels of security.”

Environment and Criticality

For IT Remote Access: Typically involves accessing corporate networks, applications, and data. Downtime or breaches can affect business operations, and can be costly, but usually have no impact when it comes to physical safety.

For OT Remote Access: Involves accessing industrial control systems (ICS), SCADA systems, and other critical infrastructure. Downtime or breaches can lead to significant physical and safety risks, including potential harm to people and equipment. There is very little “margin-of-error” as anything that might trigger a shutdown, even as a precaution, will have a very public and far-reaching impact.

Network Architecture

For IT Remote Access: Often involves flat network architectures and usually uses technologies like VPNs and remote desktop protocols (RDP).

For OT Remote Access: Requires segmented and isolated networks to prevent cross-contamination. Utilizes unidirectional gateways, secure remote access appliances, and proprietary protocols purpose-built and designed for OT environments.


Security Focus

For IT Remote Access: Focus is on data security, confidentiality, and integrity. Primarily protecting against data breaches and unauthorized access.

For OT Remote Access: Emphasizes availability, reliability, and safety of physical processes. Protects against disruptions that could impact operational continuity and physical safety.

Update and Patch Management

For IT Remote Access: Regularly scheduled updates and patches are common.

For OT Remote Access: Patching can be more complex and infrequent due to the need for continuous operations and the critical nature of the systems.

Compliance and Standards

For IT Remote Access: Governed by standards such as ISO/IEC 27001, GDPR, and HIPAA.

For OT Remote Access: Governed by standards such as IEC 62443, NERC CIP, and NIST SP 800-82.

Technology and Tools

For IT Remote Access: Uses commercial off-the-shelf (COTS) solutions like VPNs, remote desktop services, and cloud-based remote access tools.

For OT Remote Access: Often requires specialized solutions tailored for industrial environments, such as industrial VPNs, secure remote access hardware appliances and unidirectional security gateways.

While the final result with both OT and IT remote access is a functional way of accessing a workstation remotely, the pathway to each one is of dramatically different considerations, and priorities. The goal of IT cybersecurity is to protect sensitive information from getting OUT, while OT cybersecurity protects sensitive equipment by not allowing anything IN.

When it comes to protecting OT remote access, no one offers the robust protections that HERA delivers. Read more about Hardware Enforced Remote Access (HERA)

Hardware-Enforced Remote Access (HERA) – Under the Hood
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/hardware-enforced-remote-access-hera-under-the-hood/
Wed, 17 Jul 2024 08:32:39 +0000

Waterfall's HERA is true interactive OT remote access with unidirectional protection for OT. How does it work?


Hardware-Enforced Remote Access (HERA) – Under the Hood

Waterfall's Hardware-Enforced Remote Access is something new in the world - true interactive OT remote access with unidirectional protection for OT networks. How is this possible?

Andrew Ginter

Hardware enforced remote access for OT - UNDER THE HOOD

HERA® - Big Picture

The big picture of HERA is similar to that of conventional, software-based remote access solutions:

Diagram of HERA - Hardware Enforced Remote Access

 

In a highly automated mine, for example:

  • A remote user – say, a laptop on a conference hotel’s Wi-Fi network, remoting into the mine across the Internet,

  • The HERA gateway is located at the protected mine site, and

  • The protected OT network is “behind” the gateway – in this example the mining safety and other automation.

The big difference from conventional software-based remote access is what happens inside the HERA gateway.

HERA Gateway

Under the hood of HERA are two instances of Waterfall’s flagship Unidirectional Security Gateways technology. One Unidirectional Gateway is oriented from the protected OT network out to the Internet-exposed IT network or to the Internet directly. That gateway’s hardware is physically able to send information in only one direction – the gateway sends HERA screen images out to the remote user across the Internet. Nothing can get back.

The second gateway under the hood of HERA is a variation of the standard Unidirectional Gateway. This gateway does two things. First, this second gateway sends HERA encrypted keystrokes and mouse movements (KMM) back into the OT network through the unidirectional hardware – nothing can get back out through that hardware. Second, the inbound hardware has gate array logic built in, and this logic scans the unidirectional communications and allows only the very simple encrypted HERA KMM information to pass – all other attempts at communication are rejected. Finally, on the OT network, that gateway’s receiving CPU runs virtual machine (VM) software, creating a brand new VM for each remote user session.

To recap, under the hood of the HERA gateway is:

  • An inbound Unidirectional Gateway, which contains:

    • An Internet-exposed CPU interacting with the remote user / laptop,

    • One-way hardware that permits only encrypted KMM data to pass, and

    • A CPU on the OT network receiving the encrypted KMM data, decrypting that data and sending keystrokes and mouse movements to the remote users’ session VMs,

  • An outbound Unidirectional Gateway, which contains:

    • A CPU on the OT network receiving screen images from the HERA VMs,

    • One-way hardware,

    • A CPU on the IT/Internet sending copies of HERA’s session VM screens across the Internet to remote users.

The whole solution fits in 2U of rack space.

A HERA Session

With that background, what does a HERA session look like? The remote user launches the HERA application on their desktop or laptop and chooses one of the configured destinations. This app runs only on computers equipped with a hardware-based Trusted Platform Module (TPM) and uses the TPM hardware to encrypt two (2) standard TLS connections to the HERA gateway. One connection sends encrypted KMM information, and the other receives screen images. The remote user sees the image of a VM screen come up, and the user is challenged for a username and password. This is in fact two-factor authentication, with the HERA encryption credentials stored in the laptop’s TPM hardware serving as the second factor.

At this point, the user can move the mouse and type on the keyboard. The HERA app encrypts each keystroke and each mouse movement – this time using a different key in the TPM hardware. The app sends the encrypted KMM through the encrypted TLS connection into the HERA gateway.

Here’s the tricky part: the Internet-exposed CPU on the HERA gateway decrypts the TLS connection using its own TPM but does not have the keys to decrypt the encrypted KMM. So, the Internet-exposed CPU sends the encrypted KMM through the one-way hardware into the OT CPU in the HERA device. That OT CPU has the keys to decrypt the KMM and sends the decrypted KMM into the remote user’s virtual session. The virtual mouse moves. Keystrokes are used by the VM, and new screen images are sent back to the user.

How Secure Is This?

What does this mean security-wise? Well, imagine that an attacker reaches across the Internet into the target’s IT network and uses a zero-day vulnerability to compromise both of the Internet-facing CPUs in the HERA gateway. What is the worst that can happen? The attacker can interrupt the flow of screen images and KMM. But can the attacker send arbitrary attack messages into the OT network to propagate the attack further into the network? No. The outbound gateway hardware lets nothing back in, and the HERA inbound gateway hardware lets only encrypted KMM messages back in. And if the attacker tries to forge keystrokes and mouse movements, it does not work – the compromised CPU does not have the keys to encrypt and authenticate keystrokes. Those keys are on the protected OT-resident CPU.

Contrast this with a firewall and software-based remote access solution. Exploit unpatched vulnerabilities in the firewall, VPN server or a complex remote access protocol server and we are in serious trouble. The attacker can reach through the compromised system software and send whatever messages they wish into the OT network to wreak havoc there. Yes, an attack on HERA’s Internet-exposed CPUs can cause the remote access solution to become inoperative, but at most sites this is an inconvenience, not a serious incident. At most sites, remote access saves a little money by reducing travel costs – remote access is generally not required to assure minute-by-minute correct operation of the industrial process.
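The session flow and the attack scenario above, reduced to a runnable model. This is an added illustration, not Waterfall's code or protocol: it assumes HMAC-SHA256 authentication of a fixed-size KMM record under a key shared only by the laptop and the OT-side CPU (standing in for the TPM-held keys), models the gate-array filter as a size-and-type check, and leaves encryption of the record itself out.

```python
import hashlib, hmac, os, struct

# Assumed record layout: 1-byte type (1=key, 2=mouse), 3 pad bytes, 4-byte
# value, then a 32-byte HMAC-SHA256 tag.  Fixed size: the filter admits nothing else.
PAYLOAD_FMT, TAG_LEN = ">BxxxI", 32
KMM_LEN = struct.calcsize(PAYLOAD_FMT) + TAG_LEN

def tag(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()

class Laptop:
    """Remote user's HERA app; kmm_key stands in for the key held in its TPM."""
    def __init__(self, kmm_key):
        self._kmm_key = kmm_key
    def send_keystroke(self, code):
        payload = struct.pack(PAYLOAD_FMT, 1, code)
        return payload + tag(self._kmm_key, payload)

class InternetFacingCPU:
    """Terminates TLS only, holds no KMM key; forge() models a fully compromised CPU."""
    def relay(self, record):
        return record
    def forge(self, code):
        return struct.pack(PAYLOAD_FMT, 1, code) + os.urandom(TAG_LEN)

def one_way_filter(record):
    """Gate-array logic: pass only well-formed KMM records, drop everything else."""
    return record if len(record) == KMM_LEN and record[0] in (1, 2) else None

class OTSideCPU:
    """Holds the KMM key; forwards to the session VM only records whose tag verifies."""
    def __init__(self, kmm_key):
        self._kmm_key = kmm_key
    def accept(self, record):
        if record is None:
            return None
        payload, mac = record[:-TAG_LEN], record[-TAG_LEN:]
        if not hmac.compare_digest(tag(self._kmm_key, payload), mac):
            return None
        kind, value = struct.unpack(PAYLOAD_FMT, payload)
        return ("key" if kind == 1 else "mouse", value)

def run_scenario():
    """Honest keystroke, keystroke forged by the compromised CPU, arbitrary packet."""
    key = os.urandom(32)                       # provisioned out of band to both TPMs
    laptop, relay, ot = Laptop(key), InternetFacingCPU(), OTSideCPU(key)
    honest = ot.accept(one_way_filter(relay.relay(laptop.send_keystroke(0x41))))
    forged = ot.accept(one_way_filter(relay.forge(0x41)))
    arbitrary = ot.accept(one_way_filter(b"GET / HTTP/1.1\r\n\r\n"))
    return honest, forged, arbitrary
```

Only the honest keystroke reaches the VM; the forged record fails tag verification on the OT side and the arbitrary packet never passes the filter.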

Bottom Line - a Spectrum of Security

Where does HERA fit within the broader spectrum of remote access solution security? In the illustration, HERA is positioned as stronger than software security, between Unidirectional Secure Bypass and Unidirectional Remote Screen View technologies:

[Illustration: HERA hierarchy of security]

  • Conventional software-based remote access products at the bottom of the diagram have vulnerabilities, and rely on firewall software to secure OT networks,

  • Secure Bypass is a technology that temporarily enables bi-directional communications into a conventional software-based solution – Secure Bypass provides the OT site with local, physical control over when and how long remote users can access OT networks,

  • HERA is hardware-enforced remote access,

  • Unidirectional Remote Screen View makes copies of OT screen images out to external users through unidirectional hardware, while remote experts provide real-time feedback over the phone to engineers on site moving the mouse, and

  • No remote access at all at the top of the illustration is the most secure option, but is also generally the most expensive option, because industrial sites are unable to take advantage of remote services and service providers.

The bottom line – HERA is something new in the world – the benefits of true interactive remote access without the risk that Internet-based attacks will use remote access vulnerabilities to attack OT targets.

For more details, please contact Waterfall to request a free consultation with a Waterfall HERA expert.

About the author

Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 35,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.

Remote Access Vulnerabilities and a Hardware-Enforced Solution https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/remote-access-vulnerabilities-and-a-hardware-enforced-solution/ Tue, 16 Jul 2024 08:06:50 +0000 https://waterfall-security.com/?p=25239 Remote access for OT is vital for maintaining efficiencies, troubleshooting, and is also important for retaining remote workers. But most remote access solutions pose a range of security risks. We introduce HERA – Hardware-Enforced Remote Access – as a safer alternative.

The post Remote Access Vulnerabilities and a Hardware-Enforced Solution appeared first on Waterfall Security Solutions.

Remote Access Vulnerabilities and a Hardware-Enforced Solution

Remote access for OT is vital for maintaining efficiency and troubleshooting, and is also important for retaining remote workers. But most remote access solutions pose a range of security risks that might be exposing critical systems to the Internet. We take a look at three major breaches of remote access VPN and two-factor authentication systems and introduce HERA – Hardware-Enforced Remote Access – as a safer alternative.

Andrew Ginter

OT vulnerabilities are security weaknesses in Operational Technology (OT) systems that control industrial equipment and processes. These flaws, such as outdated software, weak authentication, or insecure network connections, can be exploited by attackers to disrupt operations, damage assets, or compromise safety in critical infrastructure environments.

Remote access is seen as essential by many industrial operations – essential for troubleshooting remote installations, enabling vendor experts to log in and help out with difficult problems, and sometimes even as a perk to help retain a white-collar workforce that grew accustomed to remote work in the pandemic. Remote access is also seen as dangerous by most practitioners – remote access provides both legitimate users and our enemies with direct access from the Internet into our critical systems. This concern is well-placed – in this article we review three serious, widespread breaches of remote access VPN and two-factor authentication systems, and we introduce HERA – Hardware-Enforced Remote Access – an alternative to vulnerable, software-based solutions.

“HERA – Hardware-Enforced Remote Access – is a secure alternative to vulnerable, software-based remote access solutions.”

Tunnel Vision VPN Breach

In early May 2024, Leviathan Security disclosed the “Tunnel Vision” vulnerability, which lets attackers intercept VPN traffic for almost all VPN software running on almost all operating systems except Android. By using the DHCP protocol to attack the operating system rather than the VPN, Tunnel Vision works below the level of the VPN and thus impairs most VPN products that allow laptops to participate “virtually” in distant, sensitive networks – on all of Windows, MacOS, iOS and Linux.

For the technically inclined, to attack a target, the attacker must be on the same local network as the target – a public coffee shop Wi-Fi hot spot for example. When the victim’s machine connects to the network and issues a DHCP request to acquire an IP address, the attacker responds to the request faster than the coffee shop router responds. The attacker’s response sets up routes in the victim’s machine. These routes send traffic to the attacker’s machine – traffic that would normally go to the victim’s VPN. This traffic arrives in the attacker’s machine without being encrypted by the VPN.
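As an added defender-side example, not from Leviathan Security or the page's author: the routes Tunnel Vision pushes arrive in DHCP option 121 (classless static routes, RFC 3442), so a client or monitoring agent can inspect an offer before the routes are installed. The parser below decodes that option from a constructed DHCP offer and flags every route that would pull traffic out of the tunnel.

```python
import ipaddress

OPT_CLASSLESS_STATIC_ROUTE = 121   # RFC 3442; the DHCP option TunnelVision relies on

def parse_dhcp_options(options: bytes) -> dict:
    """Parse the raw DHCP options field (after the magic cookie) into {code: value}."""
    out, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == 0:                  # pad octet
            i += 1
            continue
        if code == 255:                # end option
            break
        length = options[i + 1]
        out[code] = options[i + 2:i + 2 + length]
        i += 2 + length
    return out

def parse_option_121(value: bytes) -> list:
    """Decode RFC 3442 routes: prefix length, significant destination octets, router."""
    routes, i = [], 0
    while i < len(value):
        plen = value[i]
        n = (plen + 7) // 8                        # destination octets actually present
        dest = value[i + 1:i + 1 + n] + bytes(4 - n)
        router = value[i + 1 + n:i + 5 + n]
        if len(router) != 4:
            raise ValueError("truncated option 121 route")
        net = ipaddress.ip_network(f"{ipaddress.IPv4Address(dest)}/{plen}", strict=False)
        routes.append((net, ipaddress.IPv4Address(router)))
        i += 5 + n
    return routes

def routes_overriding_vpn(options: bytes) -> list:
    """Option-121 routes more specific than 0.0.0.0/0: the client installs them on the
    physical interface, where they beat the VPN's tunnel routes for those prefixes."""
    opts = parse_dhcp_options(options)
    if OPT_CLASSLESS_STATIC_ROUTE not in opts:
        return []
    return [(net, gw) for net, gw in parse_option_121(opts[OPT_CLASSLESS_STATIC_ROUTE])
            if net.prefixlen > 0]

# Constructed DHCP offer options: type=offer, mask, router, then two option-121
# routes (0.0.0.0/1 and 128.0.0.0/1 via 192.168.1.50) that together cover all of IPv4.
SAMPLE_OFFER_OPTIONS = bytes([
    53, 1, 2,  1, 4, 255, 255, 255, 0,  3, 4, 192, 168, 1, 1,
    OPT_CLASSLESS_STATIC_ROUTE, 12, 1, 0, 192, 168, 1, 50, 1, 128, 192, 168, 1, 50,
    255,
])
```

On a corporate LAN option 121 can be legitimate, so the practical mitigation is to treat any such route on an untrusted network as a reason to refuse the lease or to reject the network entirely.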

There are reports that this vulnerability was known, at least in part, as early as 2015, and there is speculation that the vulnerability, or a variation thereof, has been used for some time by nation-state adversaries.

Chinese Attackers Infect 20,000 Fortinet VPN Devices

In late 2022 and early 2023, Chinese attackers infected between 14,000 and 20,000 Fortinet VPN appliances. The attack vector was a remote code execution vulnerability that let the attackers take control of the VPN devices and install their “CoatHanger” malware. CoatHanger is a Remote Access Trojan (RAT) that lets the attackers remotely monitor and further attack the “protected” network to which the compromised VPN device was providing remote access. CoatHanger is reported to be extremely difficult to detect on a compromised VPN appliance, even if you know what you are looking for. Worse, CoatHanger survives device reboots and in some cases even survives upgrading the firmware on the compromised devices.

EvilProxy Bypasses Remote Access 2FA

In 2023, Proofpoint documented a phishing attack that included technology to defeat two-factor authentication on web-based accounts. The phishing emails tricked victims into clicking on links to what they thought were their legitimate Microsoft cloud services. In fact, the links led to malicious websites that in turn, forwarded requests (eventually) to the legitimate Microsoft sites, and forwarded responses back to the victims. The malicious sites thus looked and behaved just like the Microsoft sites did. These users then used their normal passwords and two-factor authentication mechanisms to log into the legitimate Microsoft websites.

The malicious sites of course saw all these credentials exchanged un-encrypted. Once the two-factor authentication was complete, the malicious sites stole web browser cookies from the intercepted communications – these cookies were the session cookies that identified the legitimate sessions. The attackers then immediately started using these session cookies themselves, to impersonate the victims, essentially “stealing” their active login sessions to the Microsoft services.

This same attack technique works with essentially all web services, including web-based remote access systems.

Hardware-Enforced Remote Access

The common theme? These are all vulnerabilities that compromise software-based remote access systems. Hence the problem: many critical infrastructures really do need remote access, but today’s software-based remote access systems are vulnerable to too many kinds of attacks. What the world needs now is hardware-enforced remote access.

The good news – Waterfall Security has just announced a new Hardware-Enforced Remote Access (HERA) solution. The hardware sends only encrypted keystrokes and mouse movements into the OT network, not arbitrary TCP packets through a firewall. Even if all the software on the Internet-facing CPUs in the HERA device is compromised, the attacker still cannot reach into, manipulate, or propagate malware into the protected OT network. HERA delivers the benefits of remote access without the risk of attacks compromising the HERA server and propagating into the OT network.

To learn more about HERA click here, or register for Waterfall’s July 31, 2024, webinar on HERA.

About the author

Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 35,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.
