Most of the targeted, OT-specific attacks, where the adversary lived on the OT network for many months, began with a compromise of remote access to OT. The limited OT cyber incident data we have clearly shows that multi-factor authentication (MFA) for OT remote access is a critical control. We even saw US Senators professing how important MFA is after the Colonial Pipeline incident, where the legacy VPN account the attackers used did not require MFA.
This week's task is to identify, through interview and inspection, every remote access method into your OT environment, and then confirm that each OT remote access method requires MFA.
If you find any that don't require MFA, raise the issue to executive management and start a project to address this clear security deficiency. If you have difficulty getting approval, go back to the Colonial Pipeline incident and grab quotes, or video from the congressional hearings, to show executives that a breach related to a lack of MFA will have a major impact on the company's reputation and their own, in addition to the more tangible consequences.
This is another opportunity to poke around for Shadow OT. Ask how contractors are gaining after-hours or offsite access to the system being deployed. Ask how key employees support the ICS when they are on vacation. Ask about cellular modems, vendor-installed remote support tools, and anything that bypasses the official path.
Identify all OT remote access methods by technology and purpose. For each method indicate whether MFA is required and what the factors are. Be specific about the factors: two factors of the same type (a password plus a PIN, or a password plus a security question) are not MFA, and factors such as SMS codes are weaker than a hardware token or an authenticator app.
Remote Access System | Purpose | MFA Required? | Factors
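As an added example (not part of the original post), here is a small audit script for the inventory above. It assumes the table is kept as CSV with the columns system, purpose and factors, and that factors are written as "password + hardware token". The factor names, their categories, and the sample inventory rows are all constructed for illustration; extend the mapping for whatever your vendors actually deploy. The point it enforces is the one that gets missed in interviews: two factors from the same category are not MFA.

```python
"""Audit an OT remote-access inventory for methods that lack real MFA.

Added example, not from the original post. Factors are classified into
knowledge / possession / inherence; a method counts as MFA only when its
factors span at least two categories.
"""
import csv
import io

# Assumed factor-name -> category mapping (constructed; extend for your site).
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "security question": "knowledge",
    "hardware token": "possession",
    "smart card": "possession",
    "totp app": "possession",
    "push notification": "possession",
    "sms code": "possession",
    "client certificate": "possession",
    "fingerprint": "inherence",
}

# Factors that technically count but should be flagged for replacement.
WEAK_FACTORS = {"sms code", "security question"}

# Constructed sample inventory in the layout of the post's table.
SAMPLE_INVENTORY = """system,purpose,factors
Corporate VPN,Engineering remote support,password + hardware token
Vendor jump host,OEM turbine support,password + pin
Cellular modem on RTU,Field tech access,none
TeamViewer on HMI,After-hours operator access,password + sms code
Historian web portal,Management reporting,password + client certificate
Remote desktop gateway,IT admin access,password + yubikey
"""


def classify(factors_field):
    """Return one of: ok, weak-factor, no-mfa, unknown-factor."""
    names = [f.strip().lower() for f in factors_field.split("+") if f.strip()]
    names = [n for n in names if n != "none"]
    categories = {FACTOR_CATEGORY.get(n, "unknown") for n in names}
    if "unknown" in categories:
        # An unrecognised factor needs a human to classify it, not a guess.
        return "unknown-factor"
    if len(categories) < 2:
        # Zero or one category: password-only, password + PIN, etc.
        return "no-mfa"
    if any(n in WEAK_FACTORS for n in names):
        return "weak-factor"
    return "ok"


def audit(csv_text):
    """Map each remote access system to its MFA status."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        results[row["system"]] = classify(row["factors"])
    return results


def report(csv_text):
    """Print the findings that need executive attention first."""
    order = {"no-mfa": 0, "unknown-factor": 1, "weak-factor": 2, "ok": 3}
    for system, status in sorted(audit(csv_text).items(),
                                 key=lambda kv: order[kv[1]]):
        print(f"{status:15} {system}")


if __name__ == "__main__":
    report(SAMPLE_INVENTORY)
```

Run it against your own CSV export and anything marked no-mfa goes on the list for the executive conversation; unknown-factor rows mean the interview answer was too vague to verify and need an inspection.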