remote access – Waterfall Security Solutions
https://waterfall-security.com
Unbreachable OT security, unlimited OT connectivity

Secure Industrial Remote Access Solutions
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/secure-industrial-remote-access-solutions/
Thu, 28 Aug 2025 20:19:01 +0000

Secure, efficient, and reliable industrial remote access solutions enable monitoring, maintenance, and troubleshooting of SCADA and control systems from anywhere, protecting critical operations.


Secure Industrial Remote Access Solutions

Industrial remote access enables secure, efficient connectivity to SCADA, PLCs, and other control systems, supporting maintenance, monitoring, and troubleshooting. Best practices include robust authentication, encryption, network segmentation, and compliance with standards like IEC 62443 and NIST, while solutions like Waterfall’s HERA provide zero-trust, reliable remote access for critical industrial operations.

Waterfall team

In today’s hyperconnected industrial world, remote access has become both a necessity and a risk. Organizations across manufacturing, energy, utilities, and critical infrastructure rely on remote connectivity to monitor systems, troubleshoot equipment, and enable vendor support without dispatching teams onsite. While this brings significant efficiency and cost benefits, it also introduces new security challenges. Unsecured or poorly managed remote connections can serve as entry points for cyberattacks, threatening operational continuity and even safety.

Industrial remote access, therefore, requires a comprehensive framework—one that balances the operational need for connectivity with rigorous security controls. This framework isn’t just about VPNs or firewalls; it encompasses identity management, secure protocols, granular access policies, and continuous monitoring, all tailored to the unique demands of operational technology (OT) environments.

Definition and Scope

What is Industrial Remote Access?
Industrial remote access refers to the secure ability to connect to industrial systems, equipment, and control environments—such as SCADA, PLCs, and HMIs—from distant locations. This connectivity enables operators, engineers, and vendors to monitor performance, troubleshoot issues, deploy updates, and maintain equipment without being physically present at the facility.

How it differs from IT Access

Unlike general IT remote access solutions (think remote desktop tools or corporate VPNs), industrial remote access must account for the unique requirements of operational technology (OT). OT systems prioritize availability, safety, and reliability over typical IT concerns like data confidentiality. While IT remote access is often focused on office productivity, industrial remote access deals with real-time processes, critical infrastructure, and potentially life-safety functions—making its risk profile significantly higher.

A Brief Historical Evolution

Remote access in industry began with direct connections—dial-up modems or leased lines that allowed engineers to reach specific machines. Over time, this evolved into VPN-based approaches and, more recently, cloud-enabled remote access platforms. Each step has increased flexibility and ease of use, but also expanded the attack surface. Today, modern solutions integrate identity and access management, encrypted communications, and continuous monitoring to strike a balance between connectivity and security.

Importance in Modern Manufacturing

Role in Industry 4.0 and Smart Manufacturing

Industrial remote access is a cornerstone of Industry 4.0, where interconnected devices, automation, and data-driven insights define the future of manufacturing. Smart factories depend on continuous access to machine data, predictive maintenance, and real-time monitoring—all of which require reliable and secure remote connectivity. Without industrial remote access, the promise of fully digitalized and adaptive manufacturing environments would remain out of reach.

Benefits for Modern Operations

The practical advantages of industrial remote access are compelling. Manufacturers can dramatically reduce downtime by enabling engineers to diagnose and resolve problems without waiting for travel or onsite presence. Remote updates and configuration changes cut costs while ensuring systems stay current with minimal disruption. Most importantly, operational efficiency improves when plants can be monitored and optimized from anywhere, allowing scarce engineering talent to support multiple sites simultaneously.

Adoption Rates Across Sectors

Adoption of industrial remote access has accelerated rapidly. According to industry surveys, more than 60% of manufacturers now use some form of remote access for equipment maintenance, with adoption highest in sectors like energy, automotive, and pharmaceuticals. The pandemic further accelerated this trend, as facilities sought safe ways to maintain continuity without sending large teams onsite. These adoption rates underscore that remote access is no longer a “nice-to-have,” but an operational necessity in competitive, modern manufacturing.

Key Stakeholders and Use Cases

Machine Builders and OEMs Providing Remote Support

Original Equipment Manufacturers (OEMs) and machine builders increasingly rely on remote access to deliver timely support for their equipment deployed at customer sites. Instead of dispatching technicians worldwide, OEMs can diagnose faults, apply software patches, and guide operators in real time. This not only enhances customer satisfaction but also opens opportunities for new service-based business models.

System Integrators and Remote Commissioning
System integrators play a critical role in setting up and maintaining industrial systems. With secure remote access, they can perform commissioning tasks, configure programmable logic controllers (PLCs), and troubleshoot integration issues without physically being onsite. This accelerates project timelines, lowers costs, and ensures quicker adaptation to client needs.

Plant Operators Monitoring Production Lines
For plant operators, remote access provides continuous visibility into production processes. Operators can track performance metrics, spot deviations, and intervene as necessary from any location. This level of oversight ensures not only higher productivity but also quicker response to emerging issues, which can prevent costly downtime and safety incidents.

Maintenance Teams and Preventive Care
Maintenance engineers benefit enormously from industrial remote access. With real-time monitoring, they can detect anomalies before failures occur, plan preventive maintenance, and conduct corrective interventions remotely when possible. This proactive approach extends equipment life, reduces unplanned outages, and optimizes spare parts management.

Technical Architecture and Components

Connection Methods

VPN Tunnels and Secure Connection Protocols

Virtual Private Networks (VPNs) are one of the most common methods for establishing secure remote connections to industrial environments. They create encrypted tunnels that shield data traffic between external users and internal control systems, helping to prevent unauthorized interception. When paired with industrial-grade firewalls and authentication controls, VPNs provide a strong security foundation for remote access.

Cellular Connectivity Options (4G/5G)

Cellular connections have become increasingly attractive for remote industrial sites where wired infrastructure is limited or unavailable. With the advent of 4G and especially 5G, industrial facilities can achieve low-latency, high-bandwidth connectivity suitable for real-time monitoring and even control tasks. However, security hardening and proper device management are critical to prevent exploitation of cellular endpoints.

Ethernet Solutions for Local and Wide Area Networks

Ethernet-based connections remain a cornerstone of industrial networking. Whether through local area networks (LANs) within a plant or wide area networks (WANs) linking multiple facilities, Ethernet provides reliable, high-speed data transfer for SCADA, PLCs, and other control devices. Segmenting industrial Ethernet networks into security zones and managing traffic with firewalls ensures safe integration of remote access capabilities.

Internet-Based Access Mechanisms

As Industry 4.0 pushes systems toward cloud integration, internet-based access has become more widespread. Technologies such as secure web gateways, remote desktop protocols (RDP), and vendor-provided cloud platforms enable access through standard internet connections. While highly flexible, these methods also broaden the attack surface, making robust encryption, authentication, and monitoring essential components of secure deployment.

Hardware Infrastructure

Edge Gateways

Industrial-Grade Remote Access Gateways

Edge gateways are specialized devices that serve as secure bridges between external networks and industrial control systems. Unlike generic IT routers, industrial-grade remote access gateways are built with features tailored for OT, such as deep protocol inspection, built-in encryption, and role-based access control. They form a critical first line of defense, ensuring that only authorized and authenticated connections reach sensitive equipment.

Ruggedized Design for Harsh Environments

Industrial environments often involve extreme temperatures, dust, vibration, or electrical noise—conditions that typical IT hardware cannot withstand. Ruggedized edge gateways are designed to operate reliably in these harsh settings, providing uninterrupted remote access even in mission-critical facilities such as oil rigs, power plants, or manufacturing floors. This resilience is essential to maintaining secure connectivity without compromising system uptime.

Integration Capabilities with Existing Infrastructure

One of the strengths of modern edge gateways is their ability to integrate seamlessly with existing industrial infrastructure. They support a wide range of industrial protocols (e.g., Modbus, OPC UA, PROFINET) and can connect legacy equipment to modern remote access frameworks. This makes them invaluable for organizations seeking to modernize their systems incrementally while maintaining backward compatibility with their operational technology.

Control Systems Integration

PLC Connectivity Options

Programmable Logic Controllers (PLCs) are at the heart of industrial automation, and enabling secure remote access to them is essential for monitoring, programming, and troubleshooting. Modern solutions offer connectivity through encrypted VPN tunnels, protocol-specific gateways, or cloud-based interfaces, ensuring engineers can manage PLCs without exposing them directly to the internet. This secure connectivity reduces the risk of unauthorized manipulation while allowing timely interventions.

HMI Remote Visualization Techniques

Human-Machine Interfaces (HMIs) provide operators with a window into industrial processes, and remote visualization extends this capability beyond the plant floor. Techniques such as web-based dashboards, thin-client applications, or secure remote desktop sessions allow engineers to view and interact with HMI screens from afar. When properly secured, this enables faster response times and decision-making without compromising the integrity of the control system.

Control Panel Access Methodologies

Traditional control panels house critical switches, indicators, and manual overrides. With remote access, these panels can be virtually replicated, giving authorized users the ability to monitor or control key functions securely. Methods range from digital twins to secure remote terminal access, which balance the need for operator flexibility with strict safeguards that prevent unsafe operations or accidental activations.

Remote Access Client Applications

Client applications are the user-facing software that enables engineers, operators, and service providers to establish secure connections to industrial assets. These lightweight tools often include multi-factor authentication, encryption, and role-based access to ensure that only authorized users can reach sensitive systems. A well-designed client simplifies the user experience while embedding strong security by default.

Server-Side Management Platforms

Behind every secure remote access solution lies a management platform that enforces policies, provisions users, and controls connectivity. These platforms often reside on-premises, in the cloud, or as hybrid solutions, and provide administrators with centralized visibility and governance. By managing sessions, configurations, and permissions from a single interface, they reduce complexity while strengthening compliance and security.

Authentication and Authorization Systems

Robust authentication and fine-grained authorization are the backbone of secure remote access. Beyond simple usernames and passwords, modern solutions employ multi-factor authentication (MFA), certificate-based access, and role-based control to ensure that users can only perform actions aligned with their responsibilities. In SCADA and industrial contexts, this limits the potential impact of compromised accounts or insider misuse.

Monitoring and Logging Tools

Visibility is essential in remote access environments, and monitoring and logging tools provide the audit trail needed for both security and operational oversight. These systems capture session details, command histories, and user activity, which can be analyzed for anomalies or compliance reporting. Real-time monitoring also enables rapid detection of unauthorized actions, helping to contain potential threats before they escalate.
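The audit-trail review described above can be made concrete with a small log-review routine. The following is an added example written for this page, not code from Waterfall or from any remote access product: it reads constructed, pipe-delimited session records (the format, the maintenance window, the vendor allowlist and the role names are all assumptions made for the example) and flags the conditions a defender would want surfaced from such logs: a session opened outside the approved window, a vendor account that is not on the allowlist, a write to a controller by a role that should only view, and use of high-risk session features such as file transfer or clipboard paste.

```python
"""Review constructed remote-access audit records for policy violations.

Added example for this page; not Waterfall's HERA or any vendor's code.
Record format assumed here:  ts|session|user|role|site|event|detail
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample audit records (no real site, user or address).
SAMPLE_LOG = """\
2025-04-21T09:15:02|S1|eng_alice|engineer|plant1|session_start|src=10.0.5.12
2025-04-21T09:20:45|S1|eng_alice|engineer|plant1|plc_write|target=PLC-07 tag=SetPoint
2025-04-21T09:40:00|S1|eng_alice|engineer|plant1|session_end|
2025-04-21T23:05:11|S2|vendor_acme|vendor|plant1|session_start|src=203.0.113.9
2025-04-21T23:07:30|S2|vendor_acme|vendor|plant1|file_transfer|name=update.bin
2025-04-21T23:30:00|S2|vendor_acme|vendor|plant1|session_end|
2025-04-21T14:00:00|S3|viewer_bob|viewer|plant1|session_start|src=10.0.5.40
2025-04-21T14:02:00|S3|viewer_bob|viewer|plant1|plc_write|target=PLC-02 tag=Mode
2025-04-21T14:05:00|S4|vendor_zeta|vendor|plant1|session_start|src=198.51.100.7
"""

# Policy inputs; every value below is an assumption for the example.
MAINTENANCE_WINDOW = (time(8, 0), time(18, 0))   # hours when interactive sessions are approved
APPROVED_VENDOR_ACCOUNTS = {"vendor_acme"}       # vendor accounts with a current access agreement
DANGEROUS_EVENTS = {"file_transfer", "clipboard_paste"}
WRITE_EVENTS = {"plc_write", "config_change"}
ROLES_ALLOWED_TO_WRITE = {"engineer"}            # least privilege: viewers may only observe


@dataclass(frozen=True)
class Finding:
    session: str
    user: str
    code: str
    detail: str


def parse_line(line: str) -> dict:
    """Split one pipe-delimited audit record into a dict (assumed format)."""
    ts, session, user, role, site, event, detail = line.split("|", 6)
    return {
        "ts": datetime.fromisoformat(ts),
        "session": session, "user": user, "role": role,
        "site": site, "event": event, "detail": detail,
    }


def review_sessions(log_text: str) -> list:
    """Return one Finding per policy violation found in the records."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        sess, user, event = rec["session"], rec["user"], rec["event"]

        if event == "session_start":
            start, end = MAINTENANCE_WINDOW
            if not (start <= rec["ts"].time() <= end):
                findings.append(Finding(sess, user, "OUTSIDE_WINDOW", rec["ts"].isoformat()))
            if rec["role"] == "vendor" and user not in APPROVED_VENDOR_ACCOUNTS:
                findings.append(Finding(sess, user, "UNAPPROVED_VENDOR", rec["detail"]))

        # File transfer and clipboard paste are flagged regardless of who used them.
        if event in DANGEROUS_EVENTS:
            findings.append(Finding(sess, user, "DANGEROUS_FEATURE", f"{event} {rec['detail']}"))

        # A write from a role that is not permitted to write is a least-privilege breach.
        if event in WRITE_EVENTS and rec["role"] not in ROLES_ALLOWED_TO_WRITE:
            findings.append(Finding(sess, user, "WRITE_BEYOND_ROLE", f"{rec['role']} {rec['detail']}"))
    return findings


def summarize(findings: list) -> dict:
    """Map each flagged session to the sorted list of violation codes it raised."""
    by_session = {}
    for f in findings:
        by_session.setdefault(f.session, []).append(f.code)
    return {s: sorted(codes) for s, codes in by_session.items()}


if __name__ == "__main__":
    for f in review_sessions(SAMPLE_LOG):
        print(f"{f.session} {f.user:12} {f.code:18} {f.detail}")
```

In the constructed records, session S1 raises nothing, S2 is flagged twice (after-hours start and a file transfer), S3 is flagged for a viewer writing to a PLC, and S4 for a vendor account that is not on the allowlist. In a real deployment the policy tables would come from the access-management platform rather than module constants, and the findings would be forwarded to the SIEM or ticketing system rather than printed.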

Security Framework for Industrial Remote Access

Threat Landscape

Common Attack Vectors Targeting Industrial Systems

Industrial systems face attack vectors ranging from stolen credentials and phishing to compromised remote access tools and exploitation of unpatched software. Attackers frequently exploit weak authentication, exposed VPNs, and misconfigured firewalls to gain an initial foothold. Once inside, they may move laterally across the network to target control systems, disrupt operations, or exfiltrate sensitive data.

Documented Incidents and Case Studies

Real-world incidents highlight the risks of insecure remote access. For example, the 2021 Oldsmar water treatment facility breach involved an attacker remotely accessing operational systems and attempting to manipulate chemical levels in the water supply. Similarly, ransomware campaigns have locked out operators from remote monitoring systems, forcing costly shutdowns. These cases underscore the dangers of inadequate security controls.

Emerging Threats Specific to Remote Industrial Environments

As industrial environments increasingly rely on cloud-based connectivity, IoT devices, and mobile access, new threats emerge. Attackers are developing malware tailored to industrial protocols, exploiting insecure edge devices, and leveraging supply chain compromises to infiltrate trusted systems. The rise of ransomware-as-a-service and nation-state actors targeting critical infrastructure further amplifies the risk, making proactive defense measures essential.

Compliance and Standards

IEC 62443 Requirements for Remote Access

IEC 62443, the leading standard for industrial automation security, establishes strict requirements for secure remote access. It outlines measures such as strong authentication, session encryption, access control policies, and audit logging. Compliance ensures that remote connectivity to control systems is governed by the principle of least privilege and monitored to detect anomalies.

NIST Cybersecurity Framework Application

The NIST Cybersecurity Framework (CSF) provides a flexible model for managing risk in industrial environments, including remote access. By applying its five core functions—Identify, Protect, Detect, Respond, and Recover—organizations can align remote access strategies with broader cybersecurity goals. For example, the “Protect” function stresses identity management and access controls, while “Detect” highlights continuous monitoring of remote sessions.

Industry-Specific Regulations and Guidelines

Different industrial sectors have their own compliance mandates for remote access security. Energy companies must follow NERC CIP standards, while pharmaceutical manufacturers often adhere to FDA regulations for electronic records integrity. The oil and gas sector may face additional regional requirements. Aligning remote access practices with these sector-specific guidelines not only reduces risk but also ensures legal and regulatory compliance.

Certification Processes for Secure Remote Access Solutions

Vendors offering remote access technologies are increasingly seeking certifications to demonstrate compliance and trustworthiness. Certifications such as IEC 62443-4-2 for components or third-party security audits validate that solutions meet stringent cybersecurity requirements. For end-users, choosing certified solutions helps reduce vendor risk and provides assurance that the tools enabling remote access won’t become the weakest link in the control environment.

Securing industrial remote access is no longer optional—it’s essential for protecting operations, maintaining uptime, and safeguarding critical infrastructure. By implementing best practices across authentication, encryption, network segmentation, and monitoring, organizations can reduce risk while reaping the benefits of modern connectivity. 

To see how these principles are applied in practice, explore Waterfall’s HERA remote access solution, a purpose-built platform that provides secure, reliable, and zero-trust remote connectivity for industrial systems. 

Learn more about HERA and how it can safeguard your operations today.

About the author

Waterfall team

FAQs About Industrial Remote Access Solutions

Industrial Remote Access Solutions are specialized technologies that allow authorized personnel to securely connect to industrial control systems—such as SCADA, PLCs, and HMIs—from remote locations. These solutions enable monitoring, troubleshooting, maintenance, and updates without requiring on-site presence, all while addressing the unique requirements of operational technology (OT) environments where availability, reliability, and safety are critical. They typically combine secure connectivity methods, robust authentication and access controls, monitoring and logging, and seamless integration with both modern and legacy industrial systems, ensuring that remote access enhances efficiency without compromising security.

We need industrial remote access solutions because modern industrial operations demand real-time monitoring, rapid troubleshooting, and efficient maintenance across geographically dispersed facilities. Remote access enables engineers, operators, and vendors to respond quickly to issues, reduce downtime, and optimize production without the delays and costs of traveling on-site. Additionally, with the rise of Industry 4.0, cloud integration, and smart manufacturing, secure remote connectivity is essential for leveraging data-driven insights, predictive maintenance, and continuous process optimization—all while maintaining strict security controls to protect critical infrastructure from cyber threats.

The main use cases for industrial remote access solutions include equipment monitoring, troubleshooting, and maintenance, allowing engineers and operators to diagnose issues and apply fixes without being physically on-site. They also support system commissioning, configuration updates, and software patching for PLCs, SCADA, and HMIs. Additionally, remote access enables vendor and contractor support, real-time production monitoring, and data collection for analytics and predictive maintenance. These use cases improve operational efficiency, reduce downtime, lower costs, and ensure that industrial facilities can respond rapidly to both routine and emergency situations while maintaining security and compliance.

Rethinking Secure Remote Access for Industrial and OT Networks
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/rethinking-secure-remote-access-to-industrial-and-ot-networks/
Wed, 06 Aug 2025 09:38:01 +0000

Discover which remote access technologies truly secure industrial and OT networks—and which leave critical operations exposed.


Rethinking Secure Remote Access for Industrial and OT Networks

Remote access is essential—but traditional solutions like VPNs and jump hosts are increasingly under fire from both attackers and regulators. With guidance from CISA and CCCS urging organizations to move beyond legacy remote access tools, the stakes for industrial and OT networks have never been higher.

This ebook demystifies secure remote access technologies, from classic firewalls and 2FA to hardware-enforced solutions and unidirectional gateways. Discover which approaches truly protect against today’s threat landscape—and which leave critical operations exposed.

Download the book now to:

  • Gain a deep understanding of modern and legacy remote access technologies, including VPNs, firewalls, 2FA, jump hosts, cloud systems, and hardware-enforced solutions.

  • Explore common attack scenarios and assess how different combinations of security technologies perform against actual threats.

  • Learn which security measures are most effective for specific attack types, helping you make informed decisions about protecting remote access in your organization.

About the author

Waterfall team

FAQs About Remote Access

Remote access for OT (Operational Technology) networks is the ability to connect to and control industrial systems from outside the facility—often over the internet or corporate IT networks.

This allows engineers, vendors, or operators to:

  • Monitor and manage ICS, SCADA, and other OT systems remotely

  • Perform maintenance, updates, or troubleshooting without being on-site

  • Enable emergency intervention from anywhere

✅ Common technologies for remote access:

  • VPNs – Secure encrypted tunnels into OT networks

  • Jump servers / Bastion hosts – Controlled gateways between IT and OT

  • Remote Desktop (RDP/VNC) – Access to HMI or control workstations

  • OT-specific platforms – Purpose-built tools for safe industrial remote access

  • MFA / 2FA – Authentication to ensure only authorized users connect

⚠ Remote access increases convenience, but also creates potential entry points for attackers if not properly secured.

Organizations use remote access to:

1. Improve Efficiency

  • Engineers can diagnose and configure systems without traveling

  • Reduces downtime for routine maintenance

2. Support Vendor Access

  • Equipment vendors can update or troubleshoot systems remotely

  • Faster support without waiting for on-site technicians

3. Handle Emergencies

  • Teams can respond to incidents outside working hours

  • Quick intervention minimizes production impact

4. Lower Costs

  • Saves money on travel, labor, and incident response

  • Enables small OT teams to manage multiple sites

5. Enable Remote Operations

  • Operators can control or monitor sites across large geographic areas

  • Ideal for distributed infrastructure like pipelines, wind farms, or utilities

While powerful, remote access brings serious cybersecurity risks to industrial environments:

⚠ Top Risks Include:

  1. Unauthorized Access

    • Stolen or reused credentials can give attackers access

    • Weak or shared authentication increases exposure

  2. Vulnerable Technologies

    • VPNs, RDP, and web tools may have unpatched flaws

    • Attackers exploit them to gain a foothold in OT

  3. Lateral Movement

    • Once inside, attackers move from one device to another

    • Can lead to control over critical operations

  4. Human Error

    • Remote staff may misconfigure systems

    • Vendors might introduce malware accidentally

  5. Malware and Ransomware

    • Remote sessions can be used to inject malicious code

    • Poor segmentation allows malware to cross into OT from IT

  6. Regulatory and Safety Violations

    • Unauthorized changes can impact safety and compliance

    • Could trigger penalties, outages, or safety incidents


✅ Conclusion: Remote access brings flexibility, but also risk. Implementing strong authentication, network segmentation, monitoring, and vendor controls is essential to stay secure.

Selecting OT “Secure” Remote Access Solutions – Options, Criteria & Examples
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/selecting-ot-secure-remote-access-solutions-options-criteria-examples/
Mon, 14 Apr 2025 08:36:27 +0000

Which OT remote access solution is right for you? It depends on the sensitivity of your OT/physical process, on your risk tolerance, and on your assessment of credible threats.


Selecting OT “Secure” Remote Access Solutions – Options, Criteria & Examples

Which OT remote access solution is right for you?

Andrew Ginter

Which OT remote access solution is right for you? It depends on the sensitivity of your OT/physical process, on your risk tolerance, and on your assessment of credible threats. In Waterfall’s upcoming webinar, we look at the landscape of available OT remote access solutions, how they compare risk-wise, and what a decision tree for choosing between the alternatives looks like.

One core assumption: we are trying to prevent cyber attacks pivoting from the Internet (possibly via intervening IT and other networks) into sensitive OT networks and sabotaging physical operations.

[Figure: remote access solutions comparison table]

In our webinar on April 21st, we look at different types of systems:

  • 2FA, DMZ, VPN, Jhost, NGFW – this is a conventional IT/OT remote access system, such as the system described as the minimum acceptable for NERC CIP Medium Impact sites, including (more or less) two-factor authentication, a demilitarized zone “network between networks,” a virtual private network, a jump host, and a next-gen firewall.

  • OT SRA – a typical OT “secure” remote access solution that works roughly like Microsoft Teams: there is a client in the OT network and it reaches out through an IT/OT firewall to connect to remote laptops and other clients, either by contacting those clients directly or by reaching into a cloud service or other server to rendezvous with clients.

  • Timed switch – a timed hardware switch that temporarily connects / disconnects a conventional type (1) or (2) software-based remote access solution to an IT network or the Internet. The timed switch is normally in a disconnected state and enables temporary remote connectivity infrequently.

  • Hardware-Enforced Remote Access – Waterfall’s HERA, which consists of cooperating inbound and outbound gateways designed to prevent attacks pivoting from the Internet into OT systems.

  • Unidirectional remote screen view technology – tech that lets the remote user “look but not touch” and requires an engineer or other human operator in the protected OT network to cooperate with the remote expert providing remote support.

Features & Characteristics of Remote Access Solutions

To compare risks in these solutions, we look at a number of features & characteristics:

  • High connectivity – CISA and other authorities recently requested that high-consequence sites stop using VPNs for remote access, in large part because VPNs very often provide more connectivity into IT and OT networks than is needed or wise.

  • Dangerous features – many “secure” remote access solutions have a myriad of features, including dangerous ones such as file transfers (of potentially malicious files) and clipboard cut-and-paste operations (of potentially large attack scripts).

  • Firewalled – most “secure” remote access solutions demand a firewall at the IT/OT interface. Firewalls have a role inside OT networks and inside IT networks, but are often not strong enough to defend a consequence boundary – a boundary where OT and IT networks have dramatically different worst-case consequences of compromise.

  • Server pivot – most “secure” remote access solutions have fairly constant IP addresses. They are in a sense “sitting ducks” for any adversary who cares to test them, any time that adversary cares to test them – for zero days, for unpatched known vulnerabilities, for misconfigurations and so on. And once these remote access servers are compromised, the attacker can pivot through the compromised remote access equipment, using it to attack more valuable assets deeper in the OT network.

  • Client pivot – most remote access solutions can be misused by attackers if the remote workstation or laptop is taken over. Two-factor authentication makes this harder, but not impossible, since 2FA is also software with vulnerabilities, both known and zero-day. Attackers are thus able to pivot through a compromised remote endpoint into the protected OT network.

  • Constant exposure – most remote access solutions are “always on” – constantly exposed to attacks from compromised external networks, such as IT networks and the Internet.

  • Personnel – most remote access solutions are designed for unattended operation, meaning that no OT personnel need be present at or internally connected to remote sites, such as substations, pump stations, lift stations, compressor stations or other remote installations. Attended-operation systems that work only if there are local personnel present to help them along tend to be more secure, but those personnel are not always available.

How do we use these characteristics to choose between the options?

Well, we need to understand our needs and especially the criticality of our physical operations. A key question: what is the worst consequence possible due to a credible attack scenario? The question has three key parts:

  • Worst possible consequence – what is the worst that can happen if compromised computers either fail to function correctly, or more often are deliberately made to function maliciously. And beware – many risk programs have blind spots, such as bricked control equipment. What happens if the bad guys get in and load dummy firmware into most of our 10-year-old PLCs, damaging them so thoroughly that it is now impossible to reload them with correct firmware? Where do we get spares to replace these components when the manufacturer no longer produces this equipment?
  • Credible attacks – in the spectrum of possible attacks (see Waterfall’s report on the Top 20 Cyber Attacks on Industrial Control Systems), which attack scenarios and consequences do we deem credible threats, given the defenses we have already deployed and the remote access systems we are considering, and which consequences and attacks do we not believe will be realized in our network or in any similar networks, any time soon?
  • Acceptable consequences – which credible consequences, due to credible attacks on our systems, do we deem acceptable vs. unacceptable?

All this and more, in greater detail, with industry-specific examples, is coming up in our Apr 21 webinar ‘Building a Game Plan for OT Remote Access’.

I hope you can join us.

About the author
Picture of Andrew Ginter

Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 23,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.

FAQs About Remote Access Solutions

  1. 2FA, DMZ, VPN, Jhost, NGFW – a conventional IT/OT remote access system, such as the system described as the minimum acceptable for NERC CIP Medium Impact sites.
  2. OT SRA – a typical OT “secure” remote access solution that works roughly like Microsoft Teams.
  3. Timed switch – a timed hardware switch that temporarily connects / disconnects a conventional type (1) or (2) software-based remote access solution to an IT network or the Internet.
  4. Hardware-Enforced Remote Access, like Waterfall’s HERA, which consists of cooperating inbound and outbound gateways designed to prevent attacks pivoting from the Internet into OT systems.
  5. Unidirectional remote screen view technology, which lets the remote user “look but not touch” and requires an engineer or other human operator in the protected OT network to cooperate with the remote expert providing remote support.

The main features and characteristics of a remote access solution are the degree of connectivity, the location of firewalls, server & client pivots, exposure time to potential attacks, and the personnel required to operate them.

To know which remote access solution to choose, we first need to understand our needs and especially the criticality of our physical operations. A key question to answer is: what is the worst consequence possible due to a credible attack scenario? Once we understand what is at stake, we will have a better understanding of how to choose the solution that prevents this scenario from occurring.


The post Selecting OT “Secure” Remote Access Solutions – Options, Criteria & Examples appeared first on Waterfall Security Solutions.

Building a Game Plan for OT Remote Access
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/building-a-game-plan-for-ot-remote-access/
Mon, 17 Mar 2025 09:39:41 +0000
https://waterfall-security.com/?p=31658
OT remote access is seen as essential for many industries, but there are a variety of OT solutions out there. Watch the webinar as we help you make the right decision for your OT network.

The post Building a Game Plan for OT Remote Access appeared first on Waterfall Security Solutions.

Building a Game Plan for OT Remote Access

Watch the webinar where we’ll provide an overview of the current landscape of OT remote access solutions and help you make the right decision for your OT network.

OT remote access is seen as essential for many industries – partly to save costs, and partly because physical travel to very distant substations, compressor stations, mine sites, and other physical assets is difficult, time-consuming, and sometimes even dangerous. 

The problem is that there is a bewildering variety of OT remote access solutions out there, with different kinds of needs in different kinds of industries and use cases.

In this webinar Andrew Ginter:

  • Provides an overview of the current landscape of solutions and needs.

  • Recommends a decision process – how to gather critical information, and the steps required to make informed decisions, in a specific order.

  • Provides examples of the decision process across various industries and contexts – from municipal utilities to backbone / heavy infrastructure to manufacturing and building automation.

Watch the webinar as we "fly low and fast" - in 60 minutes see all the options in one place, and where and why each one makes sense, with concrete examples.


Andrew Ginter

Secure Remote Access for Critical Infrastructure: What’s at Stake?
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/secure-remote-access-for-critical-infrastructure-whats-at-stake/
Tue, 31 Dec 2024 07:34:04 +0000
https://waterfall-security.com/?p=30134
One of the most significant vulnerabilities in OT security for critical infrastructure is the risk posed by the use of remote access into OT.

The post Secure Remote Access for Critical Infrastructure: What’s at Stake? appeared first on Waterfall Security Solutions.

Secure Remote Access for Critical Infrastructure: What’s at Stake?

OT Remote Access needs to be far more secure than IT remote access. There is a good reason why.

Waterfall team

OT Remote Access with OT security in mind

In our hyper-connected world, critical infrastructure—power plants, water systems, transportation networks, airports, seaports, and anything else that can’t simply be “turned off”—is the backbone of modern society. These systems provide essential services that underpin daily life and economic stability. However, as these infrastructures become increasingly digitized and interconnected, the challenge of securing them from cyber threats becomes ever more important. 

One of the most significant vulnerabilities in OT security for critical infrastructure is the risk posed by the use of remote access into OT. While remote access is essential for operational efficiency and emergency response, it also opens doors for potential cyberattacks. Understanding what’s at stake and how to address these challenges is vital to understanding what is required to secure critical infrastructure.


The High Stakes of Critical Infrastructure

Critical infrastructure is a juicy target for cybercriminals, nation-state actors, and hacktivists. A successful breach can lead to:

Widespread Disruption: An attack on the power grid could result in prolonged blackouts, affecting millions. Similarly, a breach in water systems could disrupt supply or even compromise water safety. 

Economic Impact: Downtime in transportation networks or energy systems can cost billions in lost productivity and revenue. 

Public Safety Risks: Malicious actors could manipulate transportation systems, potentially causing accidents, or disrupt healthcare facilities reliant on stable power. 

National Security Threats: Infiltration of critical systems can serve as a precursor to broader attacks during geopolitical conflicts. 

You get the picture. Critical infrastructures are heavily cyber-targeted. And at the same time the option of “turning it off” is not a good option, and if it does go off, it must come back on as a top priority.

Challenges in Securing Remote Access

Securing remote access to critical infrastructure is uniquely challenging due to several factors: 

So Many Legacy Systems: Many critical infrastructure systems run on legacy technology designed decades ago, when cybersecurity was not a design consideration. Retrofitting or replacing these systems with modern security measures is complex and not cheap.

The OT vs IT Standoff: OT environments prioritize availability and safety, while IT focuses on data confidentiality and integrity. Bridging this cultural and technological gap is a persistent challenge across many critical industries. Large strides have been made on this issue with Cyber-informed Engineering (CIE). One interesting facet about CIE, which was originally championed by the Idaho National Laboratory, is that it presents new solutions to cyber security problems that don’t need to exist in the first place.
Get a complimentary copy of Andrew Ginter’s new book on this topic >>

Far and Away: Critical infrastructure often spans vast and distant areas, requiring remote access for maintenance and monitoring. This reliance on remote connectivity increases the attack surface if not done in a way that deterministically keeps away remote threats.

Cloudy with a chance of Third-Party Access: Vendors and contractors often require remote access for system updates and repairs. Sometimes that access is even required as part of warranty agreements. Many of the more recent analytical services require connecting critical machinery to the cloud. This external access poses a significant attack surface. 

Advancing Advanced Threats: Attackers targeting critical infrastructure are often highly skilled and well-funded, employing sophisticated methods such as supply chain attacks and zero-day vulnerabilities. Their numbers seem to be growing as governments build up and develop their cyber capabilities.

Hardware Enforcements for Secure Remote Access

Despite all these challenges and evolving threats, Waterfall has several solutions to all these problems:

HERA – Hardware Enforced Remote Access. HERA uses hardware to enforce the remote access. Software can be hacked from afar, but hardware can only be modified when you are standing right next to it. This is how HERA provides secure OT remote access:

One-way remote screen connection: HERA’s outbound connection that shows the remote screen is independent of the inbound connection. The remote screen is duplicated using a one-way fiber-optic cable and then that duplicate is viewed remotely. The hardware required for sending information back through this connection is physically missing, denying such a possibility to cyberattackers.

One-way connection for mouse and keyboard: HERA’s inbound connection also flows in only one direction, from a dedicated laptop using the ███████ protocol, and only transmitting mouse movements and keyboard strokes. No files or images can be uploaded over this connection. No information from this connection can flow back into the laptop, only outbound, and only mouse moves and keys.

There are no TCP/IP packets crossing the IT/OT boundary. If you’d like clarification regarding this technical point, we encourage you to speak to one of our OT remote access specialists, who can fully explain how it works. Contact us >>

Additional hardware measures for additional security: Additional security measures are in place on the embedded hardware of the laptop, such as Intel’s TPM, while the keystrokes and mouse moves are encrypted.

The Strictly Unidirectional Option: For certain systems and machinery, a Unidirectional Security Gateway will suffice, without the need for full remote access. The machinery’s OT data is duplicated onto a server which is then accessed remotely. The data going to the duplicate server is constantly updated in real-time using a unidirectional connection. This way it can be updated immediately, yet not a line of code can ever make it back onto the machinery’s systems. If occasional changes need to be made remotely, the remote user can phone someone physically near the machinery and have them make the required adjustments.

Waterfall Tamperproof Blackbox

Tamper-proof Logs: While unidirectional technology is able to neutralize remote threats, there still persists the risk from insiders as well as embedded threats – threats that might come from foreign-made machinery that has a “backdoor” embedded into the technology, such as ship-to-shore cranes. Attackers who make use of such sophisticated techniques are known for “covering their tracks” and erasing event logs of their actions. By maintaining a tamper-proof copy of the logs, if any breach is ever suspected, the logs can be compared for any discrepancies so that whatever was deleted is quickly found. This usually also helps narrow down what the attackers were after.

Let’s Not Forget Compliance and Regulations

Unidirectional technology and hardware enforced OT remote access also boast strong regulatory compliance. This includes adherence to IEC 62443, NIS2, NERC CIP, and many more, including recommended best practices such as connecting OT to AWS (Amazon Web Services).

So, in Conclusion

The stakes for securing remote access to critical infrastructure could not be higher. Disruptions to power, water, or transportation systems can ripple across societies, causing economic turmoil, public safety crises, and national security vulnerabilities. While the challenges in securing remote access for OT are complex, a deterministic approach that combines hardware enforcement with advanced software can neutralize these risks and safeguard these vital systems, all while adhering to strict regulatory requirements.


In this digital age, ensuring the security of critical infrastructure is not just an operational necessity—it is a strategic imperative. The question is not if we can afford to invest in secure remote access but if we can afford not to.


Want more details about Waterfall’s secure remote access solutions?
Speak to an OT remote access expert >>

About the author

Waterfall team

Webinar: Navigating OT Remote Access – Technologies, Limitations, and the Latest Recommendations
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/webinar-navigating-ot-remote-access-technologies-limitations-and-the-latest-recommendations/
Tue, 08 Oct 2024 12:13:04 +0000
https://waterfall-security.com/?p=27795
Watch for an insightful webinar as we delve into the rapidly evolving landscape of OT remote access. With the surge in remote access to OT networks, industrial operations and critical infrastructures are under pressure to enhance their security measures.

The post Webinar: Navigating OT Remote Access – Technologies, Limitations, and the Latest Recommendations appeared first on Waterfall Security Solutions.

Webinar: Navigating OT Remote Access – Technologies, Limitations, and the Latest Recommendations

Watch the webinar to discover cutting-edge OT remote access strategies.

Watch the insightful webinar where we delve into the rapidly evolving landscape of OT remote access. With the surge in remote access to OT networks, industrial operations and critical infrastructures are under pressure to enhance their security measures. 

In this webinar, Andrew Ginter takes us through:

  • The Rise of Remote Access: Understand the dramatic increase in remote access to OT networks and its implications.

  • Technology Choices: Explore a variety of remote access technologies, each with unique costs, benefits, and security limitations.

  • Security Challenges: Learn why CISA and other authorities are advising against traditional VPNs and other “secure” remote access technologies.

  • In-Depth Analysis: Get a detailed look at the limitations of current technologies and the evolution of the solution space.

  • Latest Recommendations: Discover the cutting-edge OT remote access technologies recommended by recent government guidelines.

Meet Your Expert Guide:


Andrew Ginter

Hardware-Enforced Remote Access (HERA) – Under the Hood
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/hardware-enforced-remote-access-hera-under-the-hood/
Wed, 17 Jul 2024 08:32:39 +0000
https://waterfall-security.com/?p=25424
Waterfall's HERA is a true interactive OT remote access with unidirectional protection for OT. How does it work?

The post Hardware-Enforced Remote Access (HERA) – Under the Hood appeared first on Waterfall Security Solutions.

Hardware-Enforced Remote Access (HERA) – Under the Hood

Waterfall's Hardware-Enforced Remote Access is something new in the world - true interactive OT remote access with unidirectional protection for OT networks. How is this possible?

Andrew Ginter

Hardware enforced remote access for OT - UNDER THE HOOD

HERA® - Big Picture

The big picture of HERA is similar to that of conventional, software-based remote access solutions:

Diagram of HERA - Hardware Enforced Remote Access


In a highly automated mine, for example:

  • A remote user – say, a laptop on a conference hotel’s Wi-Fi network, remoting into the mine across the Internet,

  • The HERA gateway is located at the protected mine site, and

  • The protected OT network is “behind” the gateway – in this example the mining safety and other automation.

The big difference from conventional software-based remote access is what happens inside the HERA gateway.


HERA Gateway

Under the hood of HERA are two instances of Waterfall’s flagship Unidirectional Security Gateways technology. One Unidirectional Gateway is oriented from the protected OT network out to the Internet-exposed IT network or to the Internet directly. That gateway’s hardware is physically able to send information in only one direction – the gateway sends HERA screen images out to the remote user across the Internet. Nothing can get back.

The second gateway under the hood of HERA is a variation of the standard Unidirectional Gateway. This gateway does two things. First, this second gateway sends HERA encrypted keystrokes and mouse movements (KMM) back into the OT network through the unidirectional hardware – nothing can get back out through that hardware. Second, the inbound hardware has gate array logic built in, and this logic scans the unidirectional communications and allows only the very simple encrypted HERA KMM information to pass – all other attempts at communication are rejected. Finally, on the OT network, that gateway’s receiving CPU runs virtual machine (VM) software, creating a brand new VM for each remote user session.

To recap, under the hood of the HERA gateway is:

  • An inbound Unidirectional Gateway, which contains:

    • An Internet-exposed CPU interacting with the remote user / laptop,

    • One-way hardware that permits only encrypted KMM data to pass, and

    • A CPU on the OT network receiving the encrypted KMM data, decrypting that data and sending keystrokes and mouse movements to the remote users’ session VMs,

  • An outbound Unidirectional Gateway, which contains:

    • A CPU on the OT network receiving screen images from the HERA VMs,

    • One-way hardware,

    • A CPU on the IT/Internet sending copies of HERA’s session VM screens across the Internet to remote users.

The whole solution fits in 2U of rack space.

A HERA Session

With that background, what does a HERA session look like? The remote user launches the HERA application on their desktop or laptop and chooses one of the configured destinations. This app runs only on computers equipped with a hardware-based Trusted Platform Module (TPM) and uses the TPM hardware to encrypt two (2) standard TLS connections to the HERA gateway. One connection sends encrypted KMM information, and the other receives screen images. The remote user sees the image of a VM screen come up, and the user is challenged for a username and password. This is in fact two-factor authentication, with the HERA encryption credentials stored in the laptop’s TPM hardware being the second form of authentication.

At this point, the user can move the mouse and type on the keyboard. The HERA app encrypts each keystroke and each mouse movement – this time using a different key in the TPM hardware. The app sends the encrypted KMM through the encrypted TLS connection into the HERA gateway.

Here’s the tricky part: the Internet-exposed CPU on the HERA gateway decrypts the TLS connection using its own TPM but does not have the keys to decrypt the encrypted KMM. So, the Internet-exposed CPU sends the encrypted KMM through the one-way hardware into the OT CPU in the HERA device. That OT CPU has the keys to decrypt the KMM and sends the decrypted KMM into the remote user’s virtual session. The virtual mouse moves. Keystrokes are used by the VM, and new screen images are sent back to the user.

How Secure Is this?

What does this mean security-wise? Well, imagine that an attacker reaches across the Internet into the target’s IT network and uses a zero-day vulnerability to compromise both of the Internet-facing CPUs in the HERA gateway. What is the worst that can happen? Well, the attacker can interrupt the flow of screen images and KMM. But – can the attacker send arbitrary attack messages into the OT network to propagate the attack further into the network? No. The outbound gateway hardware lets nothing back in, and the HERA inbound gateway hardware lets only encrypted KMM messages back in. And if the attacker tries to forge keystrokes and mouse movements, it does not work – the compromised CPU does not have the keys to encrypt and authenticate keystrokes. Those keys are on the protected OT-resident CPU.

Contrast this with a firewall and software-based remote access solution. Exploit unpatched vulnerabilities in the firewall, VPN server or a complex remote access protocol server and we are in serious trouble. The attacker can reach through the compromised system software and send whatever messages they wish into the OT network to wreak havoc there. Yes, an attack on HERA’s Internet-exposed CPUs can cause the remote access solution to become inoperative, but at most sites this is an inconvenience, not a serious incident. At most sites, remote access saves a little money by reducing travel costs – remote access is generally not required to assure minute-by-minute correct operation of the industrial process.
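The session flow described above and the "what is the worst that can happen" analysis can be modelled end to end. The following is a constructed Python example added here, not Waterfall's code: the 45-byte record layout, the HMAC-based toy encryption, the key placement (laptop TPM and OT-side CPU only) and the filter rule are assumptions standing in for HERA's real protocol. It shows why a compromised Internet-exposed CPU can forward or drop KMM records but cannot forge, replay or alter them, and why an arbitrary packet never passes the one-way hardware.

```python
# Toy model of HERA's inbound keystroke/mouse (KMM) path. Constructed teaching
# example, not Waterfall's code; record layout, key handling and filter rule
# are assumptions made for illustration. Standard library only.
import hashlib
import hmac
import struct

KEY_EVENT, MOUSE_EVENT = 0x01, 0x02
PAYLOAD_LEN = 4                    # e.g. a key code, or (dx, dy) as two int16
TAG_LEN = 32                       # HMAC-SHA256
HEADER = struct.Struct(">BQ")      # event type, 64-bit sequence number
RECORD_LEN = HEADER.size + PAYLOAD_LEN + TAG_LEN   # 1 + 8 + 4 + 32 = 45

# Constructed key. In the page's description this lives in the laptop's TPM
# and on the OT-resident CPU; the Internet-exposed CPU never holds a copy.
KMM_KEY = hashlib.sha256(b"constructed demo key: laptop TPM <-> OT CPU").digest()


def _keystream(key: bytes, seq: int, n: int) -> bytes:
    # Toy per-record keystream, a stand-in for real authenticated encryption.
    return hmac.new(key, b"ks" + struct.pack(">Q", seq), hashlib.sha256).digest()[:n]


def seal_kmm(key: bytes, seq: int, ev_type: int, payload: bytes) -> bytes:
    """Laptop side: encrypt-then-MAC one fixed-size KMM event."""
    assert len(payload) == PAYLOAD_LEN
    hdr = HEADER.pack(ev_type, seq)
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(key, seq, PAYLOAD_LEN)))
    tag = hmac.new(key, hdr + ct, hashlib.sha256).digest()
    return hdr + ct + tag


def one_way_filter(record: bytes) -> bool:
    """Models the gate-array check on the inbound one-way hardware: only a
    well-formed, fixed-size KMM record is allowed through; anything else
    (arbitrary TCP/IP payloads, files, images) is rejected."""
    return len(record) == RECORD_LEN and record[0] in (KEY_EVENT, MOUSE_EVENT)


def open_kmm(key: bytes, expected_seq: int, record: bytes):
    """OT-side CPU: verify the tag, enforce the sequence number (replay
    check), then decrypt. Returns (ev_type, payload) or None if rejected."""
    if len(record) != RECORD_LEN:
        return None
    hdr, ct, tag = record[:HEADER.size], record[HEADER.size:-TAG_LEN], record[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, hdr + ct, hashlib.sha256).digest(), tag):
        return None
    ev_type, seq = HEADER.unpack(hdr)
    if seq != expected_seq:
        return None
    payload = bytes(c ^ k for c, k in zip(ct, _keystream(key, seq, PAYLOAD_LEN)))
    return ev_type, payload


def run_session(inbound_messages):
    """Feed byte strings, as delivered by the (possibly compromised)
    Internet-exposed CPU, through the filter and then the OT CPU.
    Returns (accepted events, count of rejected messages)."""
    accepted, rejected, next_seq = [], 0, 0
    for msg in inbound_messages:
        if not one_way_filter(msg):
            rejected += 1
            continue
        ev = open_kmm(KMM_KEY, next_seq, msg)
        if ev is None:
            rejected += 1
            continue
        accepted.append(ev)
        next_seq += 1
    return accepted, rejected


def demo():
    """Honest traffic interleaved with what a compromised Internet-facing CPU
    could try: an arbitrary packet, a forged KMM record, a replay, a bit-flip."""
    honest = [
        seal_kmm(KMM_KEY, 0, KEY_EVENT, b"\x00\x00\x00\x41"),           # key 'A'
        seal_kmm(KMM_KEY, 1, MOUSE_EVENT, struct.pack(">hh", 5, -3)),   # dx=5, dy=-3
    ]
    attacker_key = hashlib.sha256(b"guess").digest()          # not the real key
    forged = seal_kmm(attacker_key, 2, KEY_EVENT, b"\x00\x00\x00\x0d")
    replay = honest[0]                                        # old record resent
    flipped = (honest[1][:HEADER.size]
               + bytes([honest[1][HEADER.size] ^ 0x80])
               + honest[1][HEADER.size + 1:])                 # ciphertext tampered
    arbitrary = b"\x00" * 12     # constructed stand-in for any non-KMM packet
    inbound = [honest[0], arbitrary, forged, honest[1], replay, flipped]
    return run_session(inbound)


if __name__ == "__main__":
    events, dropped = demo()
    print(f"accepted {len(events)} events, rejected {dropped} messages")
```

The two honest records are accepted; the arbitrary packet fails the hardware filter, and the forged, replayed and tampered records all fail on the OT-side CPU because the Internet-facing side never holds the KMM key.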

Bottom Line - a Spectrum of Security

Where does HERA fit within the broader spectrum of remote access solution security? In the illustration, HERA is positioned as stronger than software security, between Unidirectional Secure Bypass and Unidirectional Remote Screen View technologies:

HERA hierarchy of security

  • Conventional software-based remote access products at the bottom of the diagram have vulnerabilities, and rely on firewall software to secure OT networks,

  • Secure Bypass is a technology that temporarily enables bi-directional communications into a conventional software-based solution – Secure Bypass provides the OT site with local, physical control over when and how long remote users can access OT networks,

  • HERA is hardware-enforced remote access,

  • Unidirectional Remote Screen View makes copies of OT screen images out to external users through unidirectional hardware, while remote experts provide real-time feedback over the phone to engineers on site moving the mouse, and

  • No remote access at all at the top of the illustration is the most secure option, but is also generally the most expensive option, because industrial sites are unable to take advantage of remote services and service providers.

The bottom line – HERA is something new in the world – the benefits of true interactive remote access without the risk that Internet-based attacks will use remote access vulnerabilities to attack OT targets.

For more details, please contact Waterfall to request a free consultation with a Waterfall HERA expert.

About the author

Andrew Ginter

Remote Access Vulnerabilities and a Hardware-Enforced Solution
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/remote-access-vulnerabilities-and-a-hardware-enforced-solution/
Tue, 16 Jul 2024 08:06:50 +0000
https://waterfall-security.com/?p=25239
Remote access for OT is vital for maintaining efficiencies, troubleshooting, and is also important for retaining remote workers. But most remote access solutions pose a range of security risks. We introduce HERA – Hardware-Enforced Remote Access – as a safer alternative.

The post Remote Access Vulnerabilities and a Hardware-Enforced Solution appeared first on Waterfall Security Solutions.

Remote Access Vulnerabilities and a Hardware-Enforced Solution

Remote access for OT is vital for maintaining efficiencies, troubleshooting, and also important for retaining remote workers. But most remote access solutions pose a range of security risks that might be exposing critical systems to the Internet. We take a look at three major breaches of remote access VPN and two-factor authentication systems and introduce HERA – Hardware-Enforced Remote Access – as a safer alternative.

Andrew Ginter


Remote access is seen as essential by many industrial operations – essential for trouble-shooting remote installations, enabling vendor experts to log in and help out with difficult problems, and sometimes even as a perk to help retain a white-collar workforce that grew accustomed to remote work in the pandemic. Remote access is also seen as dangerous by most practitioners – remote access provides both legitimate users and our enemies with direct access from the Internet into our critical systems. This concern is well-placed – in this article we review three serious, widespread breaches of remote access VPN and two-factor authentication systems, and we introduce HERA – Hardware-Enforced Remote Access – an alternative to vulnerable, software-based solutions.

“HERA – Hardware-Enforced Remote Access – is a secure alternative to vulnerable, software-based remote access solutions.”

Tunnel Vision VPN Breach

In the beginning of May 2024, Leviathan Security disclosed the “Tunnel Vision” vulnerability that lets attackers intercept VPN traffic for almost all VPN software running on almost all operating systems except Android. By using the DHCP protocol to attack the operating system rather than the VPN, Tunnel Vision works below the level of the VPN and thus impairs most VPN products that allow laptops to participate “virtually” in distant, sensitive networks – on all of Windows, MacOS, iOS and Linux.

For the technically inclined, to attack a target, the attacker must be on the same local network as the target – a public coffee shop Wi-Fi hot spot for example. When the victim’s machine connects to the network and issues a DHCP request to acquire an IP address, the attacker responds to the request faster than the coffee shop router responds. The attacker’s response sets up routes in the victim’s machine. These routes send traffic to the attacker’s machine – traffic that would normally go to the victim’s VPN. This traffic arrives in the attacker’s machine without being encrypted by the VPN.

There are reports that this vulnerability was known, at least in part, as early as 2015, and there is speculation that the vulnerability, or a variation thereof, has been used for some time by nation-state adversaries.

Chinese Attackers Infect 20,000 Fortinet VPN Devices

In late 2022 and early 2023, Chinese attackers infected between 14,000 and 20,000 Fortinet VPN appliances. The attack vector was a remote code execution vulnerability that let the attackers take control of the VPN devices and install their “CoatHanger” malware. CoatHanger is a Remote Access Trojan (RAT) that lets the attackers remotely monitor and further attack the “protected” network to which the compromised VPN device was providing remote access. CoatHanger is reported to be extremely difficult to detect on a compromised VPN appliance, even if you know what you are looking for. Worse, CoatHanger survives device reboots and in some cases even survives upgrading the firmware on the compromised devices.

EvilProxy Bypasses Remote Access 2FA

In 2023, Proofpoint documented a phishing attack that included technology to defeat two-factor authentication on web-based accounts. The phishing emails tricked victims into clicking on links to what they thought were their legitimate Microsoft cloud services. In fact, the links led to malicious websites that in turn, forwarded requests (eventually) to the legitimate Microsoft sites, and forwarded responses back to the victims. The malicious sites thus looked and behaved just like the Microsoft sites did. These users then used their normal passwords and two-factor authentication mechanisms to log into the legitimate Microsoft websites.

The malicious sites of course saw all these credentials exchanged un-encrypted. Once the two-factor authentication was complete, the malicious sites stole web browser cookies from the intercepted communications – these cookies were the session cookies that identified the legitimate sessions. The attackers then immediately started using these session cookies themselves, to impersonate the victims, essentially “stealing” their active login sessions to the Microsoft services.

This same attack technique works with essentially all web services, including web-based remote access systems.

Hardware-Enforced Remote Access

The common theme? These are all vulnerabilities that compromise software-based remote access systems. Hence the problem: many critical infrastructures really do need remote access, but today’s software-based remote access systems are vulnerable to too many kinds of attacks. What the world needs now is hardware-enforced remote access.

The good news – Waterfall Security has just announced a new Hardware-Enforced Remote Access (HERA) solution. The hardware sends only encrypted keystrokes and mouse movements into the OT network, not arbitrary TCP packets through a firewall. Even if all the software on the Internet-facing CPUs in the HERA device is compromised, the attacker still cannot reach into, manipulate, or propagate malware into the protected OT network. HERA delivers the benefits of remote access, without the risk of attacks compromising the HERA server and propagating into the OT network.

To learn more about HERA click here, or register for Waterfall’s July 31, 2024, webinar on HERA.

About the author

Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 23,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.

The post Remote Access Vulnerabilities and a Hardware-Enforced Solution appeared first on Waterfall Security Solutions.

5 Ways Waterfall Central™ Improves Situational Awareness
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/5-ways-waterfall-central-improves-situational-awareness/
Thu, 18 Jan 2024 12:07:55 +0000
Introducing Waterfall Central: Come for simple remote monitoring of multiple devices, stay for operational awareness.


5 Ways Waterfall Central™ Improves Situational Awareness 

Introducing Waterfall Central™: Come for simple remote monitoring of multiple devices, stay for the situational awareness.

Waterfall team


Situational awareness (SA) is one of the most important facets of any form of security, and especially of cybersecurity. Network Operations Centers (NOCs) and Security Operations Centers (SOCs) are keen to have a strong grasp of what is going on within their scope of responsibility. This way, they can be proactive instead of reactive to threats, risks, and general operational incidents.

Waterfall Central™ is a browser-based solution designed to enable personnel responsible for multiple Waterfall devices to easily monitor all their devices.  


All Your Waterfall Devices on a Single Pane of Glass

Beyond simply allowing one person to monitor multiple Waterfall assets, Waterfall Central™ delivers something else: situational awareness. If you're an analyst in a NOC (network operations center) or SOC (security operations center) and you need better operational awareness, Waterfall Central™ was designed for you. While Central primarily addresses the increasing demand for monitoring multiple Waterfall appliances, it can serve other important purposes that add to security.

5 Examples of Improved Situational Awareness with Waterfall Central™

1. Heartbeat Signal Monitoring

In the event that a Waterfall device stops sending a heartbeat signal, Waterfall Central™ provides immediate awareness. This could be indicative of various issues, such as a loose cable, server room power failure, or a blown fuse. Identifying and addressing such issues promptly can prevent complications.  

2. Real-time Issue Resolution

Waterfall Central™ presents a clear picture of all Waterfall devices on a single screen, allowing for the swift identification and resolution of emerging issues. The built-in wizard generates issue tickets for prompt communication with the OEM, which saves time and helps resolve any issues faster.  

The opposite of situational awareness is ‘being distracted’, so by helping to avoid the distraction of chasing down inconsequential incidents and OEM reporting, Central lets attention be applied elsewhere.

3. Confirmation of OT Connectivity

Central assists in confirming OT connectivity, ensuring that various IT systems are receiving data from Waterfall devices. This feature is particularly valuable when onboarding new solutions to optimize industrial processes, offering a quick way to verify proper integration and functionality. 

4. Automated Alerts for Anomalies

Waterfall Central™ is equipped with built-in alerts that notify users of device failures or abnormalities. These alerts can be configured to draw attention to anomalies that may indicate security incidents or other problems, providing an additional layer of proactive security measures.  

5. Rapid Incident Evaluation

One of the most useful capabilities that comes from having all your Waterfalls on a single pane of glass is being able to tell that an “incident” is nothing. A good example would be connectivity dropping across many devices at the same time for a few minutes and then coming back up. Such a scenario is most often just IT resetting an internet router or switch. If such an incident were reviewed after the fact in each device’s logs, it would probably require a good amount of work to determine that it was an inconsequential event. By seeing all Waterfall devices in real time, such conclusions can be reached quickly and easily.
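Items 1 and 5 describe the triage a fleet-wide view makes possible: heartbeat losses seen side by side, with a simultaneous short drop across many devices read as an upstream network event rather than a device fault. The following added example is not Waterfall's code; it sketches that correlation over constructed heartbeat-loss events, with device names and thresholds that are assumptions.

```python
from datetime import datetime, timedelta

# Constructed heartbeat-loss events (not real telemetry): device name, time the heartbeat
# was lost, and time it was restored (None means the device is still silent).
EVENTS = [
    ("wf-plant-a-01", "2024-01-18T03:00:02Z", "2024-01-18T03:03:10Z"),
    ("wf-plant-a-02", "2024-01-18T03:00:05Z", "2024-01-18T03:03:12Z"),
    ("wf-plant-a-03", "2024-01-18T03:00:04Z", "2024-01-18T03:03:09Z"),
    ("wf-plant-b-07", "2024-01-18T11:42:30Z", None),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def classify_outages(events, window=timedelta(seconds=30), min_devices=3,
                     max_duration=timedelta(minutes=10)):
    """Group heartbeat losses whose start times fall within `window` of the group's first loss.
    A group of at least `min_devices` that all recover within `max_duration` is labelled a
    transient fleet-wide event (the router/switch-reset pattern); a large group that does not
    recover is a fleet-wide outage; anything smaller is an isolated outage worth a ticket.
    Thresholds are illustrative assumptions. Returns [(label, [device, ...]), ...]."""
    ordered = sorted(events, key=lambda e: _ts(e[1]))
    groups, current = [], []
    for ev in ordered:
        if current and _ts(ev[1]) - _ts(current[0][1]) > window:
            groups.append(current)
            current = []
        current.append(ev)
    if current:
        groups.append(current)
    results = []
    for g in groups:
        devices = [d for d, _, _ in g]
        recovered = all(r is not None and _ts(r) - _ts(l) <= max_duration for _, l, r in g)
        if len(g) >= min_devices and recovered:
            label = "fleet-wide transient"
        elif len(g) >= min_devices:
            label = "fleet-wide outage"
        else:
            label = "isolated outage"
        results.append((label, devices))
    return results
```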

Centralized Security, Better Awareness

By keeping a centralized dashboard for all your Waterfall devices, it is easier to ensure that everything is running smoothly, while reducing the person-hours needed simply to confirm certain details and learning about important issues sooner. And keep in mind that this is in addition to the primary benefit Central has to offer, which is monitoring multiple Waterfalls.

Want to learn more? Contact us


The post 5 Ways Waterfall Central™ Improves Situational Awareness  appeared first on Waterfall Security Solutions.
