Leo Taddeo, April 16, 2020
3 Reasons Why VPNs Fail to Protect Industrial Controls
A CISO’s View
For data center operators, maintaining building management systems is mandatory. In the past, the only option for CISOs was to allow access through a VPN. But VPNs have limitations that make them unsuitable for protecting the corporate networks those systems live on.
COVID-19 is forcing businesses to scramble to keep employees productive as they transition from the office to home work stations. Fortunately, most office employees can remain productive by using videoconferencing and familiar applications that are highly scalable in cloud-based SaaS offerings.
But what about highly skilled technical employees who need access to systems that run only on corporate networks? These include sensitive industrial controls like building management systems.
CISOs are concerned with ensuring that only the right people have access, at the right time and for the right purpose. In the pre-COVID-19 world, the employee had to be on site to access the system. The social distancing and travel restrictions recently put in place put great strain on these employees and add risk to critical operations.
For data center operators, maintaining building management systems is a non-negotiable requirement. In the past, the only option for CISOs was to allow access through a traditional VPN. But VPNs have severe limitations that make them unsuitable for building management systems. First, they are exposed to common attack vectors, and once a user authenticates they grant access to a network segment rather than to a specific system. Second, they are complex and difficult to manage. Lastly, they do not allow for dynamic access decisions based on conditions such as device posture and user context.
Many data center operators are looking for an alternative to the VPN. The answer for Cyxtera, and for many other operators of sensitive industrial systems, is Appgate's Software Defined Perimeter (SDP).
One of the big advantages Appgate SDP provides Cyxtera is the ability to enforce least-privilege access for third-party support organizations. Unlike a VPN, Appgate SDP grants access only to the specific systems included in a contractor's support agreement, without giving the contractor wide access to the network.
As an example, the RF Code wireless temperature/humidity sensors in our data centers are supported by specialized service providers. With Appgate, we can limit the contractor's access to the servers that support those sensors without opening up our other building management system platforms. We also use Appgate to verify that the contractor's machines meet our security requirements before they connect: if a laptop is not sufficiently updated or is not protected by antivirus software, Appgate blocks the connection. These additional audit and security controls make it a far superior solution to legacy VPNs.
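To make the contrast in the two paragraphs above concrete, here is an added Python sketch of the access decision being described. It is an illustration written for this page, not Appgate's policy language and not any code from Cyxtera. It models a legacy VPN as a single subnet grant to every authenticated user, and an SDP-style policy as a per-role table of exact host-and-port entitlements that is consulted only after a device posture check (recent OS patches, antivirus running). The roles, addresses, dates and the 30-day patch threshold are assumptions constructed for the example.

```python
"""Per-resource entitlements plus device posture, contrasted with a subnet-wide VPN grant.
Illustrative code written for this page; not Appgate's policy model."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple
import ipaddress


@dataclass(frozen=True)
class Device:
    """Posture facts the client reports before a connection is allowed (assumed attributes)."""
    os_patch_date: date    # date of the last OS update
    av_running: bool       # endpoint antivirus present and running


@dataclass(frozen=True)
class Entitlement:
    """One reachable destination: a host or CIDR and a single port."""
    target: str
    port: int


# Hypothetical entitlement table: support role -> exactly the systems in its contract.
# Roles and addresses are constructed for this example.
POLICY: Dict[str, List[Entitlement]] = {
    "sensor-vendor": [Entitlement("10.20.5.10", 443), Entitlement("10.20.5.11", 443)],
    "hvac-vendor": [Entitlement("10.20.6.0/28", 502)],
}

# Legacy VPN model: any authenticated user lands on the whole building-management subnet.
VPN_SUBNET = ipaddress.ip_network("10.20.0.0/16")

MAX_PATCH_AGE = timedelta(days=30)   # assumed threshold for "sufficiently updated"

# Constructed sample data used by the demo below.
TODAY = date(2020, 4, 16)
GOOD_LAPTOP = Device(os_patch_date=date(2020, 4, 1), av_running=True)    # 15 days old, AV on
STALE_LAPTOP = Device(os_patch_date=date(2020, 1, 10), av_running=True)  # 97 days old
NO_AV_LAPTOP = Device(os_patch_date=date(2020, 4, 1), av_running=False)  # patched, AV off


def posture_ok(device: Device, today: date) -> bool:
    """True only if the laptop was patched within MAX_PATCH_AGE and antivirus is running."""
    return device.av_running and (today - device.os_patch_date) <= MAX_PATCH_AGE


def vpn_decision(dst_ip: str) -> bool:
    """Subnet-wide grant: reachable if the destination is anywhere on the VPN subnet."""
    return ipaddress.ip_address(dst_ip) in VPN_SUBNET


def sdp_decision(role: str, device: Device, dst_ip: str, dst_port: int,
                 today: date) -> Tuple[bool, str]:
    """Allow only when posture passes AND an entitlement names this exact host and port."""
    if not posture_ok(device, today):
        return False, "denied: device posture check failed"
    ip = ipaddress.ip_address(dst_ip)
    for ent in POLICY.get(role, []):
        if ip in ipaddress.ip_network(ent.target, strict=False) and dst_port == ent.port:
            return True, f"allowed by entitlement {ent.target}:{ent.port}"
    return False, "denied: no entitlement for this destination"


def audit(role: str, device: Device, attempts: List[Tuple[str, int]],
          today: date) -> List[dict]:
    """Evaluate each attempt under both models; the returned list doubles as an audit record."""
    records = []
    for dst_ip, dst_port in attempts:
        allowed, reason = sdp_decision(role, device, dst_ip, dst_port, today)
        records.append({"role": role, "dst": f"{dst_ip}:{dst_port}",
                        "vpn_allows": vpn_decision(dst_ip),
                        "sdp_allows": allowed, "reason": reason})
    return records


if __name__ == "__main__":
    attempts = [("10.20.5.10", 443),   # the sensor server named in the contract
                ("10.20.6.5", 502)]    # an unrelated BMS controller on the same subnet
    for rec in (audit("sensor-vendor", GOOD_LAPTOP, attempts, TODAY)
                + audit("sensor-vendor", STALE_LAPTOP, attempts[:1], TODAY)):
        print(rec)
```

Running the demo shows the two behaviours the text contrasts: the VPN model reports the unrelated controller on 10.20.6.5 as reachable for the sensor vendor, while the SDP-style policy denies it for lack of an entitlement, and the stale laptop is refused even for the server it is contracted to support.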
COVID-19 is rapidly changing the way we work and the security controls we deploy. Legacy VPNs no longer meet modern needs for dynamic and fine-grained access controls. The answer for Cyxtera is Appgate SDP.
Leo Taddeo is the President of Cyxtera Technologies’ Federal Group, and the former Special Agent in Charge of the Special Operations/Cyber Division of the FBI’s New York Office.