With the advancement of digitization and the industrial internet of things (IIoT), industrial energy environments are increasingly interconnected and remotely accessible. Industrial control systems owned by critical infrastructure providers, historically inaccessible from outside, are now accessible, often unsecured, and frequent targets of cyberattackers.
The costs of such an attack can be significant. In addition to a potential ransomware payout, these critical infrastructure providers face the possibility of unacceptable downtime, theft of sensitive data, and the ever-looming threat of a catastrophic event, should a bad actor gain control of critical industrial systems.
How are these attacks happening? Unfortunately, third-party partners are the most common entry point, with 63 percent of breaches attributed to third parties. These third parties and contractors are granted remote access to industrial control systems and IIoT to provide timely support and ongoing maintenance through a variety of solutions, such as unsecured desktop sharing tools and unmonitored VPNs. However, these tools can make networks more susceptible to attacks, leaving utility companies without the centralized oversight, visibility, and control they need over their third parties.
Take the recent example of the cyberattack on a water plant in Oldsmar, Florida, in early 2021. A bad actor was able to easily gain remote access via a remote desktop sharing tool and adjust the ratio of sodium hydroxide in the water supply to dangerous levels. Luckily, an employee saw this attack happening in real time and was able to react immediately before anything catastrophic happened. This is just one example of many, highlighting the increasing risks utility and energy organizations face with unsecured remote access methods.
Alongside this increase in cyberattacks, the energy sector and utility industry face growing compliance requirements, specifically around third parties and their access to these critical environments. Take North American Electric Reliability Corporation (NERC) compliance, for example: the NERC CIP (critical infrastructure protection) cybersecurity standards were recently updated to directly address third-party access requirements and overall risk management of an organization’s supply chain. If an organization is using a variety of ad-hoc remote access methods, NERC compliance requirements, as well as others, can be difficult to meet.
With increasing regulatory requirements and a growing number of cyberattacks and threats against the energy and utility sectors, these organizations cannot ignore the cybersecurity risks associated with their third parties and supply chain, or the consequences of failing to fully secure third-party industrial remote access.
Learn more about regulatory requirements and how to achieve compliance with our compliance hub.
Breaches and cyberattacks against the energy sector and utility companies are rising at an alarming rate. Learn more about the recent changes to the NERC CIP cybersecurity standards and how a dedicated third-party access management platform can help ensure your compliance and secure your network.
Detailed audit and reporting | Capture all third-party session activity with HD video and keystroke logs, files transferred, commands entered, services accessed, and work completed |
Multi-factor authentication tied to individual accounts | Ensure approved third-party access with individual accounts for each user, layered with multi-factor authentication |
Native credential vault or integration with your PAM | Store credentials securely and inject them directly into a session, ensuring third parties have zero visibility and access to network or application credentials |
Access controls | Define allowed access down to the host and port level with access timeframes, and assign granular permissions to each user, ensuring zero trust access to industrial machines for all users |
Built-in best practice security checklist | Use the built-in checklist to verify your SecureLink server is configured to satisfy NERC CIP cybersecurity standards, as well as ICS security best practices, such as NIST remote access, or ISO-2700 |
Access and approval workflows | Define required access approvals needed by each site, application, and PLC. Delegate access approvals to local staff or managers who are on-site at each location |
Self-registration | Allow third parties to register for their own user account, and send the approval request directly to the plant manager without needing central IT involvement |
Universal access methods | Support connectivity and audit for all TCP and UDP protocols, including, but not limited to, RDP, SSH, Telnet, HTTP(S), FTP, and custom protocols, as well as connectivity to PLCs. Allow vendors to use their own native tools in providing support |
Single source for all reporting and documentation | View all vendors, activity, and access for all sites and locations via a single, central source |