As critical infrastructure organizations look for solutions to protect cyber-physical systems (CPS), they may be surprised where their search takes them.
For one, the traditional remote access solutions they may rely on to protect IT-centric systems won’t offer the protection they need for CPS environments. This is because access solutions such as jump servers or VPNs are ineffective for the unique constraints presented by CPS environments. Neither, for example, offers the monitoring or auditing capabilities required to adequately protect assets being accessed remotely.
The good news? Secure access solutions purpose-built for CPS protection are proliferating, and the market for such solutions is growing.
In Claroty’s latest Buyer’s Guide for Secure Access Solutions, we take a thorough look at the CPS cybersecurity landscape, what criteria to consider when choosing the right secure access solution to protect such systems, key outcomes of secure access, and more. This post will give a brief overview of what the report covers.
At its core, the convergence of operational technology (OT) and IT—in which organizations are bringing assets and equipment online for the first time—is changing the landscape of secure access. From a product point of view, IT-centric tools such as VPNs, which give blanket access once a user authenticates, are not developed specifically for the OT domain and are ill-equipped to handle this shift. When using tools like this, just one compromised credential can lead to an attacker gaining widespread access to the OT network, jeopardizing worker or public safety, leading to equipment shutdowns, process disruption, and service interruption.
What’s more, rapid connectivity has outpaced organizations’ ability to adequately protect critical infrastructure. Without a comprehensive solution in place, managing the operational risks associated with this can quickly become overwhelming. In 2024, Claroty conducted an independent survey of more than 1,100 professionals across OT engineering, biomedical, facilities management, and more, and nearly half of the respondents (45%) said their financial losses from recent cyberattacks totaled $500,000 USD or more.
OT asset-heavy enterprises are facing unprecedented demands for remote access for maintenance, not only from internal personnel but also third party suppliers and contractors. Therefore, there are a handful of controls buyers should look for when evaluating secure access solutions.
Secure access solutions should be flexible and offer simplified integration with existing tools. Organizations want tools that reduce the number of costly onsite visits in order to shorten maintenance windows.
Secure access solutions should support capabilities such as multifactor authentication, role-based access controls, password vaulting, and single sign-on in order to enforce the principle of least privilege and provide users with safe and highly controlled access.
Secure access solutions should also support the extensive universe of OT protocols, allowing for interactions with diverse assets from multiple vendors. Integration with existing identity management frameworks should also be seamless, and policies should carry over.
Logging and recording of remote sessions are a must in order to meet compliance and auditing demands. Real-time session controls should also be an option for buyers who need to have the ability to shut down malicious sessions or activities that violate security policies.
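The controls listed above (least-privilege, role-scoped access with MFA, session logging, and real-time termination of sessions that step outside policy) can be illustrated with a small policy engine. The following is an added example written for this post; it is not Claroty's code or a description of any product, and the roles, asset classes, actions and log format are constructed assumptions. It denies by default, records every decision, and closes a granted session the moment a command falls outside the single action that was approved, which is the opposite of the blanket access a VPN grants after one successful login.

```python
"""Least-privilege authorization, audit logging and real-time session control
for remote access to a CPS asset. Added illustration only; the role policy,
asset names and action names are constructed, not taken from any product."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role policy: each role may perform only these (asset class, action) pairs.
ROLE_POLICY = {
    "plc_vendor_tech": {("plc", "read_logic"), ("plc", "firmware_update")},
    "hmi_operator": {("hmi", "view"), ("hmi", "acknowledge_alarm")},
}
# Actions that change the process and therefore also need an approved maintenance window.
CHANGE_ACTIONS = {"firmware_update", "write_logic"}


@dataclass
class AccessRequest:
    user: str
    role: str
    asset: str          # e.g. a constructed asset tag such as "plc-line3"
    asset_class: str    # "plc", "hmi", ...
    action: str         # the one action the session is requested for
    mfa_verified: bool
    window_approved: bool = False


@dataclass
class AuditLog:
    """Append-only record of decisions and session activity (in-memory for the example)."""
    records: list = field(default_factory=list)

    def write(self, event, **detail):
        self.records.append(
            {"ts": datetime.now(timezone.utc).isoformat(), "event": event, **detail})

    def events(self):
        return [r["event"] for r in self.records]


def authorize(req: AccessRequest, log: AuditLog):
    """Return (allowed, reason). Deny by default; every decision is logged."""
    if not req.mfa_verified:
        reason = "mfa_required"
    elif (req.asset_class, req.action) not in ROLE_POLICY.get(req.role, set()):
        reason = "action_not_in_role"
    elif req.action in CHANGE_ACTIONS and not req.window_approved:
        reason = "maintenance_window_required"
    else:
        reason = "granted"
    log.write("access_decision", user=req.user, asset=req.asset,
              action=req.action, result=reason)
    return reason == "granted", reason


class Session:
    """A granted session scoped to exactly the approved action on one asset."""

    def __init__(self, req: AccessRequest, log: AuditLog):
        self.req, self.log, self.active = req, log, True
        self.transcript = []  # recorded commands, the "session recording" of the post
        log.write("session_start", user=req.user, asset=req.asset, action=req.action)

    def run(self, command: str) -> str:
        """Record the command; terminate the session if it leaves the approved scope."""
        if not self.active:
            return "closed"
        self.transcript.append(command)
        verb = command.split()[0] if command.split() else ""
        if verb != self.req.action:
            self.active = False
            self.log.write("session_terminated", user=self.req.user,
                           asset=self.req.asset, command=command)
            return "terminated"
        self.log.write("command", user=self.req.user, asset=self.req.asset, command=command)
        return "ok"


def demo():
    """Walk a constructed vendor technician through the controls; returns the log."""
    log = AuditLog()
    req = AccessRequest("vendor.tech", "plc_vendor_tech", "plc-line3", "plc",
                        "firmware_update", mfa_verified=True, window_approved=True)
    allowed, _ = authorize(req, log)
    if allowed:
        s = Session(req, log)
        s.run("firmware_update --image v2.1.bin")   # within scope: ok
        s.run("write_logic --project line3.proj")   # out of scope: session killed
    return log


if __name__ == "__main__":
    for rec in demo().records:
        print(rec)
```

The session check keys on the first token of the command only because the example's actions are single words; a real gateway would evaluate the protocol operation itself (for example, distinguishing a read from a write in the OT protocol being proxied) rather than a command string.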
There are several factors to consider when looking at CPS secure access solutions. As detailed in our report, all factors apply to any organization looking to move beyond IT-centric approaches to secure critical infrastructure. Here are a few:
Look at the solution provider’s financial backing, market leadership, and any validation from other vendors. Is the provider a global company? Do they have a strong portfolio of international customers in a variety of industries? Also consider their mission, values, and deep domain expertise.
Ensure the solution you’re looking at is not a one-size-fits-all product but one that is both robust and scalable. Since the problems you’re looking to solve are complex and will vary depending on your unique infrastructure, choose a solution that can be deployed on-premises as easily as it can be in the cloud.
Beyond just delivering a good product, your solution provider should be a force for good in the CPS security space. Award-winning research teams within these providers can change the face of the industry through thought leadership and helpful information about patching known device vulnerabilities.
As discussed earlier, IT-centric solutions like VPNs and jump servers aren’t suitable for the unique constraints of an OT environment. That’s why part of your evaluation criteria should include a solution that operationalizes the right balance between frictionless access and secure control over third-party access to CPS.
Choosing the right secure access solution for CPS can be a huge benefit to not just your OT environment, but for your entire organization. Here are some key benefits and outcomes:
The right solution provides seamless first- and third-party access, facilitates quick issue resolution, and ensures high system availability—even in low bandwidth conditions. All of this keeps your critical infrastructure running smoothly.
A comprehensive secure access solution safeguards your organization's OT systems by integrating a tailored Zero Trust framework with Privileged Access Management (PAM) and Identity Governance and Administration (IGA). This ensures precise management of the entire identity lifecycle and enforces least-privilege access, significantly reducing the attack surface and enhancing network resilience.
Your ideal solution designed for OT environments should feature a scalable architecture that operates seamlessly across on-premises or cloud deployments, and offers centralized management and integration with Identity and Access Management (IAM) tools to simplify administration and access by efficiently managing access rights.
A purpose-built solution for CPS environments will also provide real-time logging and auditing of user identities and their activity. Monitoring is necessary to maintain adherence to ever-changing regulatory requirements and to support incident response activities in the event of a breach. In addition to being generally good practice, this all plays an essential role in protecting against legal and financial penalties.