Uncontrolled use of remote access tools is posing a threat to operational technology, security researchers have warned.
Team82, the research arm of cyber and physical security company Claroty, found more than half of organizations (55%) used four or more remote access tools (RATs). A further 33% used six or more.
The researchers surveyed data from more than 50,000 remote access enabled devices. They also discovered that businesses used “non enterprise grade” tools on operational technology (OT) network devices.
These tools lack basic security measures, such as multi-factor authentication or privilege access management capabilities. Using these tools could allow criminal attackers easy access to OT systems and wider enterprise networks.
Team82 also found that RATs developed for IT administration purposes were causing issues on OT networks. These included a lack of visibility for OT network admins and no central management of the tools’ activity. Administrators also face a growing burden managing network access rights and credentials.
By adding external connections, excessive use of RATs increases an organization’s attack surface. Even enterprise IT RATs can fail to take the security requirements of OT into account.
Some RATs have also been linked to cyber-attacks: Team82 reports that TeamViewer suffered a compromise, linked to the APT29 threat group. AnyDesk, another remote access tool, also reported a breach earlier this year.
Team82’s researchers recommend that organizations control the use of RATs in OT and industrial control systems (ICS) and centralize management of them with common access control policies.
OT teams should also ensure security standards are applied across the supply chain and to any third-party vendors. In addition, the use of “low security remote access tools in the OT environment” should be minimized.
“Unregulated remote access software is a major issue for us all. Many of these tools are free and are a main source of toolware for scammers and organized criminals,” David Spinks of CSIRS and chair of the Cyber Security in Real Time Systems LinkedIn group, told Infosecurity.
“As a minimum all remote access software needs to be licensed. When I worked for an outsourcer, our second- and third-line support who used remote access services had many levels of policy and security controls to protect them and their organizations.”
Attacks against OT and manufacturing have grown sharply over the last few years, with nation-state actors linked to the increase.
Read more about attacks against OT: US and UK Warn of Disruptive Russian OT Attacks