Redefining PAM to Secure OT and IoT Devices

Left to their own devices, your organization’s devices can be a significant source of risk. Consider operational technology (OT), which is crucial for organizations but is not engineered and operated with a security-first mindset. Often, OT systems are beyond the purview of CISOs and are focused on meeting key objectives for system uptime and efficiency – leaving them vulnerable. Attackers seek to exploit human and non-human identities with high-risk access, including:
- Devices used by third-party vendors that often remotely operate and service their client organizations’ OT systems.
- Devices used by employees whose access to applications or endpoints leading to OT is protected by passwords that can be easily compromised through phishing or ransomware.
- Devices embedded with machine identities with high-risk access to data and infrastructure, such as industrial control systems (ICS) and SCADA systems.
Outside of OT are Internet of Things (IoT) devices, including interconnected devices like smart thermostats or lightbulbs, wearable devices and connected security cameras. What do these devices across OT, IoT and ICS have in common? The risks of interconnectivity.
One compromised identity can allow attackers to employ tactics such as installing malware that enables control over OT or IoT devices – often with devastating outcomes, including shutting down a manufacturer’s equipment, preventing compliance with regulations or taking IoT devices offline due to a widespread DDoS attack. These technologies are crucial for running business operations, making them appealing to attackers.
Understanding the Risks Embedded in OT and IoT Devices
Attackers have always sought to exploit privileged access, and now they’ve broadened their view of privilege. Securing this access remains critical, but now attackers know they can chart a similar attack path by exploiting human and non-human identities within OT environments and IoT devices. It is vitally important to know the status of all the devices on your network and take actionable steps to protect them from potential attacks.
According to the Microsoft Digital Defense Report 2023 (MDDR), 25% of OT devices use unsupported operating systems, making them more susceptible to cyberattacks. Traditionally, organizations separated OT from the internet by “air-gapping” these devices. However, increasing device interconnectedness, even in once-air-gapped environments, has posed new threats to business continuity. This change increases the need for comprehensive protection outside of foundational practices that once satisfied OT security.
In 2022, transportation, discrete manufacturing, and the food and beverage industries were the top three targeted sectors, and interdependencies between IT and OT systems were the main factor behind that targeting. The consequences of cyberattacks on OT systems are significant and only growing. 2023 saw an increasing number of more sophisticated attacks, with “More than 80% of the OT/ICS incidents started with an IT system compromise attributed to increased interconnectivity…”
Why It’s Essential to Redefine Your PAM Program for OT and IoT Threats
There are many challenges in OT security: aging, fragile technology; operating systems and software that are no longer supported; and long device lifespans that keep vulnerabilities in place for years. There is also an opportunity to improve and prepare before it’s too late. Organizations must redefine their PAM programs to secure a broader set of identities with high-risk access.
While OT and IoT are inherently different, these devices have common ground from a security perspective. Let’s look at three core areas of risk and how to reduce that risk when securing the broader ecosystem of unmanaged or loosely connected devices, including OT, IoT devices, and ICS.
1. Discovery of Devices and Firmware Updates
Privileged access management (PAM) programs should continuously discover and onboard new devices and accounts as they are added to your network(s), enhancing control and oversight. These accounts and the credentials used to run your organizational devices and assets must be securely managed and rotated, especially away from default passwords.
Isolating access to monitor and record sessions helps you report proactively and achieve continuous compliance. Managing privileged credentials on certain OT devices can be daunting because of the complexity of the environment and the lack of visibility into it as a whole. Best-in-class PAM solutions let you control and rotate credentials on these devices securely, reducing the risk of unauthorized access. Leading PAM solutions can work with the gateway controlling these devices to ensure credentials are secured, rotated regularly and centrally managed to reduce the risk of credential theft.
It is crucial to safely provide credentials for device management solutions performing firmware updates and patches. Secrets management capabilities securely store and provide these credentials, ensuring the devices remain updated and maintain security protocols.
2. Gateway and Remote Access Vulnerability
Manage endpoint privileges to secure workstations (with desktop MFA, if possible) and stop the spread of ransomware and malware to OT. Endpoint security should also be implemented on IT-like systems that sit inside the OT boundary, for example shared workstations on factory floors. Sensitive equipment requires stringent security controls over any workstations and servers that can reach OT devices over the network.
Utilize an endpoint privilege manager (EPM) to harden the systems, maintain strict endpoint privilege security, and enforce least privilege, reducing the risk of unauthorized changes to critical systems. Ransomware remains the most significant threat to industrial infrastructure, and there’s been an observed shift towards ransomware attacks specifically targeting OT environments.
Many different identities can physically and remotely access IoT devices and OT environments. Ensuring a secure remote connection and advanced controls when these machines are being used is crucial. Remote access capabilities in PAM solutions provide secure access to credential vaults without VPNs, passwords or agents, plus the ability to provide offline access to credentials.
Secure remote access is the vehicle to the vault and the entry point to the OT environment. Apply controls so that vendors or contractors operating in air-gapped environments can securely retrieve credentials offline. Rotate credentials according to organizational policy and sync them to users’ mobile devices after they leave and before they re-enter offline worksites.
3. Defense in Depth: Paperclip Resets, Unidirectional Gateways and Device Monitoring
Attackers will never stop innovating their methods to exploit credentials and data. They will also use old tricks like the paperclip reset, which restores a device to its factory-default passwords so they can take it over. Look for security-first solutions designed to detect this type of action and automatically remediate the threat by rotating the device’s credentials.
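As an added illustration (not CyberArk's or the article's own code) of the reset detection described above, and of the default-password rotation called for in section 1, here is a simplified PAM-style reconciliation pass: it checks whether each device still honours its vaulted credential, distinguishes a device that has fallen back to factory defaults from one that has simply drifted, rotates the former and corroborates the finding against constructed device log lines. Device names, models, default credentials, the vault contents and the log format are all constructed assumptions.

```python
# Added example (not CyberArk's or the article's own code): a PAM-style pass that
# detects a device restored to factory defaults (the "paperclip reset") and rotates it.
import hashlib
import hmac
import re
import secrets

# Constructed factory defaults keyed by (hypothetical) device model.
FACTORY_DEFAULTS = {"acme-plc-100": ("admin", "admin"), "acme-cam-2": ("root", "12345")}
RESET_EVENT = re.compile(r"device=(?P<name>\S+)\s.*\bevent=factory_reset\b")

def pw_hash(pw):
    return hashlib.sha256(pw.encode()).hexdigest()

class SimDevice:
    """Stand-in for a managed device; accepts() is what its login would check."""
    def __init__(self, name, model, user, pw):
        self.name, self.model = name, model
        self.set_credential(user, pw)
    def set_credential(self, user, pw):
        self.user, self.pw_hash = user, pw_hash(pw)
    def accepts(self, user, pw):
        return user == self.user and hmac.compare_digest(self.pw_hash, pw_hash(pw))

def reconcile(vault, devices, log_lines):
    """Return {device: state}; vault maps name -> (user, pw) (encrypted at rest in reality)."""
    reset_logged = {m.group("name") for m in map(RESET_EVENT.search, log_lines) if m}
    report = {}
    for dev in devices:
        if dev.accepts(*vault[dev.name]):
            report[dev.name] = "ok"
        elif dev.accepts(*FACTORY_DEFAULTS[dev.model]):
            # Reset confirmed: put a fresh secret on the device, then re-vault it.
            user, new_pw = FACTORY_DEFAULTS[dev.model][0], secrets.token_urlsafe(24)
            dev.set_credential(user, new_pw)
            vault[dev.name] = (user, new_pw)
            report[dev.name] = "reset_rotated" + ("_corroborated" if dev.name in reset_logged else "")
        else:
            report[dev.name] = "drift_manual_review"  # neither vault nor default works
    return report

def demo():
    vault = {"plc-line1": ("admin", "vaulted-A"), "cam-dock3": ("root", "vaulted-B"),
             "plc-line2": ("admin", "vaulted-C")}
    devices = [SimDevice("plc-line1", "acme-plc-100", "admin", "vaulted-A"),
               SimDevice("cam-dock3", "acme-cam-2", "root", "12345"),  # paperclip-reset
               SimDevice("plc-line2", "acme-plc-100", "admin", "changed-by-hand")]
    logs = ["2024-05-02T08:11:02Z device=cam-dock3 src=console event=factory_reset"]
    return reconcile(vault, devices, logs), vault, devices
```

A real deployment would drive the same decision tree through the gateway that manages the devices, and the "drift" case is the one that warrants an analyst rather than an automatic rotation.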
Actively observing, analyzing and managing the activities of connected devices and systems is paramount when securing your IoT devices and OT environments. Leading PAM solutions offer identity threat detection and response (ITDR) capabilities such as real-time monitoring, anomaly detection, security event and integrity monitoring, user behavior analytics and regulation compliance monitoring to ensure all interconnected devices are accessed properly by authorized personnel.
Securing and strengthening the flow of data in OT environments is essential. Unidirectional gateway (data diode) integrations with CyberArk’s OT and ICS partners allow you to monitor and detect any attempt to bypass PAM, preventing unauthorized access and high-risk account usage.
Don’t Forget Visibility for Audits and Compliance
Redefining your PAM program to satisfy OT and IoT use cases will satisfy industry-specific audits and compliance such as SOC, NIST and NERC CIP – and help you start implementing a Zero Trust architecture. Organizations that are involved in computer-integrated manufacturing (CIM) or rely heavily on ICS security, and that follow the Purdue Enterprise Reference Architecture (PERA/Purdue Model) or the IEC 62443 framework as Industrial Internet of Things (IIoT) technologies become more prevalent, are better positioned to fend off cybersecurity threats.
Layering Identity Security for Operational Resilience
According to the Waterfall 2023 Threat Report, adding additional layers of security improves cyber and operational resilience in your manufacturing plants, automation systems, healthcare devices and smart cities. OT and ICS cybersecurity incidents in the last three years have already exceeded the total number reported between 1991 and 2000. Building a comprehensive cybersecurity program does not start and end with IT. Extending identity security concepts to go beyond the “walls” of IT to strengthen OT allows your organization to proactively thwart cyber threats that can impair business-critical operations, disrupt essential services and possibly threaten public health safety.
Ryne Laster is a product marketing manager at CyberArk.
Editor’s note: Attackers are constantly setting their sights on any vulnerable aspect of an organization. To explore how you can build a defense-in-depth approach to securing all human and non-human identities across OT systems, check out our webinar, “13 Ways to Improve OT Security.” And, for a deeper dive into OT cybersecurity and its challenges and opportunities, listen to our Trust Issues podcast conversation with Mike Holcomb, Fellow of Cybersecurity and ICS/OT Cybersecurity Lead at Fluor. You can check it out in the player below or wherever you get your podcasts.