February 20, 2023 By C.J. Haughey 5 min read

In August 2022, the threat intelligence and cybersecurity company Cyble found 8,000 virtual network computing (VNC) instances exposed online. The same research showed that most of these exposed instances are in the United States, China and Sweden, putting many critical infrastructure companies at risk of attack.

In an age where cybersecurity threats are omnipresent, it’s vital to maintain good security practices around remote computing access — especially concerning the nation’s most critical sectors. It’s crucial to examine why VNCs are vulnerable and what enterprise security teams can do to further protect these gateways to critical infrastructure.

What is VNC, and why does it matter in critical infrastructure?

VNC is a graphical desktop-sharing system that uses the Remote Frame Buffer (RFB) protocol, enabling remote control of other computers and machinery via a network connection. This technology is integral to critical infrastructure sites, such as water treatment plants, manufacturers and research facilities.

According to the Cybersecurity and Infrastructure Security Agency (CISA), there are 16 critical infrastructure sectors in the U.S.:

  1. Chemical Sector
  2. Commercial Facilities Sector
  3. Communications Sector
  4. Critical Manufacturing Sector
  5. Dams Sector
  6. Defense Industrial Base Sector
  7. Emergency Services Sector
  8. Energy Sector
  9. Financial Services Sector
  10. Food and Agriculture Sector
  11. Government Facilities Sector
  12. Healthcare and Public Health Sector
  13. Information Technology Sector
  14. Nuclear Reactors, Materials and Waste Sector
  15. Transportation Systems Sector
  16. Water and Wastewater Systems Sector

The National Institute of Standards and Technology (NIST) defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety or any combination of those matters.”

That raises the question: if these sectors are so crucial to the stability and security of the nation, why are they so vulnerable?

Operational technology is the weak spot for critical infrastructure

Operational technology (OT) combines computing software, hardware and communication systems that monitor and control manufacturing equipment, industrial processes, devices and infrastructure. We use OT in global industries, including manufacturing, oil and gas, aviation, maritime and rail.

As work-from-home policies became the norm during the COVID-19 pandemic, granting remote access to industrial control systems (ICS) and IT/OT infrastructure assets became a widely adopted practice across key sectors.

Companies actively disabled authentication on machines to make access more convenient for remote employees. However, this shift in the nature of OT environments leaves the door open to hackers, who combine that access with other tactics, techniques and procedures (TTPs) to infiltrate a network.

What is the current state of firewall protection in OT?

Most OT networks connect directly to public networks without strong firewalls or security protocols in between. Case in point: on February 5, 2021, hackers targeted the SCADA system of a water facility in Oldsmar, Florida.

The threat actor attempted to increase sodium hydroxide levels in the town’s water supply to dangerously high levels. Luckily, an alert employee spotted the remote mouse activity during the attack and promptly took action.

The water plant’s computers had an open internet connection without a firewall. Also, the facility’s network ran on Windows 7 — an outdated operating system that Microsoft discontinued support for in 2020.

What components of OT are most likely to be targeted in a remote attack?

CISA warned that the system’s lack of security updates leaves Oldsmar more susceptible to further exploitation. This case is a warning to enterprises in critical infrastructure sectors.

Here are five areas of OT that are vulnerable to a remote attack:

  1. Aging technology. Most OT systems were built years before cybersecurity was a concern. Furthermore, Microsoft estimates that 71% of systems still run on legacy platforms that are not checked for new vulnerabilities or evolving cybersecurity threats.
  2. Limited patching. As critical infrastructure sectors and ICS environments operate around the clock, long periods of downtime are not an option. This makes it extremely difficult to patch systems regularly.
  3. Weak passwords. OT devices lack strong authentication and encryption. As a result, sophisticated hackers can easily gain access through brute force attacks.
  4. Limited security resources. 47% of ICS organizations don’t have an internal team that offers 24-hour support during cybersecurity incidents.
  5. Port 5900. There was a surge in cyberattacks on Port 5900 — the default port for VNC — between July 9 and August 9, 2022. Attackers actively scan and target this port, which may indicate a growing trend of future ransomware attacks on critical infrastructure facilities.
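The RFB handshake mentioned in the VNC section above is where items 3 and 5 of this list become visible on the wire: a server announces, before any session starts, whether it will accept connections with no authentication at all. The Python below is an added example, not code from the article or from any VNC product. It parses the two messages a VNC server sends first, the ProtocolVersion banner and the security-types message (RFB 3.3 and 3.7/3.8 layouts as specified in RFC 6143), and turns them into findings a defender can act on. The `assess_listener` function connects to a listener you operate; the bytes in the `__main__` block are constructed sample server messages.

```python
"""Assess the opening RFB (VNC) handshake a server offers.

Added example, not code from the article or any VNC vendor. Parses the
ProtocolVersion banner and the security-types message a VNC server sends
first and reports no-auth, password-only and unencrypted configurations.
Field layouts follow RFC 6143.
"""
import re
import socket
import struct
from dataclasses import dataclass, field

# Security-type codes registered for RFB (RFC 6143 and the IANA registry).
# Type 1 ("None") means the server starts a session with no authentication.
SECURITY_TYPES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication",
    5: "RA2", 6: "RA2ne", 16: "Tight", 18: "TLS", 19: "VeNCrypt",
}
ENCRYPTING_TYPES = {18, 19}
VERSION_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")


@dataclass
class RfbAssessment:
    major: int
    minor: int
    security_types: list
    findings: list = field(default_factory=list)


def parse_version(banner: bytes):
    """Return (major, minor) from the 12-byte ProtocolVersion message."""
    m = VERSION_RE.match(banner)
    if not m:
        raise ValueError(f"not an RFB ProtocolVersion banner: {banner!r}")
    return int(m.group(1)), int(m.group(2))


def parse_security_types(major: int, minor: int, payload: bytes) -> list:
    """Decode the server's security-types message for the negotiated version.

    RFB 3.3: one U32 holding the single type the server dictates.
    RFB 3.7+: a U8 count followed by that many U8 type codes; a count of 0
    means the server refused the connection and a reason string follows.
    """
    if (major, minor) < (3, 7):
        if len(payload) < 4:
            raise ValueError("truncated RFB 3.3 security-type field")
        return [struct.unpack("!I", payload[:4])[0]]
    if not payload:
        raise ValueError("truncated security-types message")
    count = payload[0]
    if count == 0:
        reason_len = struct.unpack("!I", payload[1:5])[0] if len(payload) >= 5 else 0
        reason = payload[5:5 + reason_len].decode("latin-1", "replace")
        raise ConnectionRefusedError(f"server refused the RFB session: {reason}")
    types = list(payload[1:1 + count])
    if len(types) != count:
        raise ValueError("security-types list shorter than the advertised count")
    return types


def assess(banner: bytes, security_payload: bytes) -> RfbAssessment:
    """Turn the two opening server messages into findings a defender can act on."""
    major, minor = parse_version(banner)
    types = parse_security_types(major, minor, security_payload)
    result = RfbAssessment(major, minor, types)
    names = [SECURITY_TYPES.get(t, f"unknown({t})") for t in types]
    if 1 in types:
        result.findings.append("no authentication: security type None (1) is offered")
    if 2 in types:
        # VNC Authentication is a DES challenge-response over a password truncated
        # to 8 characters: the weak mechanism behind the brute-force risk above.
        result.findings.append("password-only: legacy VNC Authentication (2) is offered")
    if not ENCRYPTING_TYPES & set(types):
        result.findings.append(f"no TLS/VeNCrypt among {names}: the session would be unencrypted")
    return result


def assess_listener(host: str, port: int = 5900, timeout: float = 5.0) -> RfbAssessment:
    """Check one of your own VNC listeners live: read the banner, answer it, read the types."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(12)
        major, minor = parse_version(banner)
        # Reply with the highest version this parser knows (3.8), or the server's own if lower.
        s.sendall(b"RFB 003.008\n" if (major, minor) > (3, 8) else banner)
        payload = s.recv(256)
    return assess(banner, payload)


if __name__ == "__main__":
    # Constructed server messages: RFB 3.8 offering None and VNC Authentication.
    for finding in assess(b"RFB 003.008\n", b"\x02\x01\x02").findings:
        print(finding)
```

Run against an inventory of your own listeners, a result with an empty `findings` list means the server insists on an encrypting security type (TLS or VeNCrypt) and never offers a no-password session; anything else is a configuration to fix before the listener is reachable from outside the OT segment.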

Tim Silverline, Vice President of Security at Gluware, explains, “Remote desktop services such as VNC are some of the easiest targets for hackers to identify.”

Not every hacker has serious activist or terrorist motivations. However, if someone compromises the systems of a critical sector and sells VNC assets on the Dark Web, the nation’s security and societal stability could be at stake.

What can enterprise security teams do?

Here are eight recommendations to improve the security posture around your virtual network computing infrastructure:

  1. Keep critical assets within the IT/OT environment behind firewalls. Regardless of whether you need to provide easier access to employees or partners, critical assets must remain protected.
  2. Limit exposure to VNC over the internet. If possible, use segmentation strategies to further isolate critical infrastructure from production networks, IT devices and office automation.
  3. Update devices regularly. Ensure all devices within the ICS environment are patched with the most recent updates.
  4. Implement a strong password policy. Everyone in the organization must follow mandatory parameters to create robust, complex passwords across all devices.
  5. Establish advanced access controls. With two-factor authentication and biometrics, you can implement role-based Identity and Access Management (IAM) for all employees.
  6. Prioritize logging and monitoring assets. Continuous logging and analysis of network traffic will help identify anomalies and potential threats at an early stage.
  7. Enable all the necessary security measures for VNC. Given the sensitive nature of critical infrastructure networks, it’s best to centralize device management and encrypt all traffic and data. You can also set tighter network security controls within the OT environment, including sandboxing and next-generation firewalls.
  8. Provide access to cybersecurity awareness and training programs. You can cultivate a stronger security culture by offering ongoing education for employees, such as a focus on zero trust policies.
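Recommendations 1, 2 and 6 above can be checked with logs most sites already collect. The following Python is an added example, not code from the article, that reads firewall connection-log lines in a constructed key=value format under an assumed policy: RFB sessions into the OT segment may only originate from a jump-host subnet (`JUMP_HOST_NETS`, an assumption). It flags any allowed VNC session from another source, whether an internet address or a plant workstation that should not reach VNC directly, and bursts of connection attempts from one source, denied or not, which is how the brute-force risk from the previous section looks from the firewall's side. The sample log lines are constructed; adapt `LINE_RE` to your own firewall or flow export.

```python
"""Flag VNC exposure and connection bursts in firewall connection logs.

Added example, not code from the article. Log lines are constructed in a
simple key=value format; adapt LINE_RE to your firewall or flow export.
Assumed policy: RFB sessions into the OT segment may only come from the
jump-host subnet in JUMP_HOST_NETS; everything else is a finding.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy (not from the article): the only permitted RFB sources.
JUMP_HOST_NETS = [ipaddress.ip_network("10.50.0.0/24")]
# RFB listens on 5900 + display number, so watch the whole 5900-5999 range.
VNC_PORTS = range(5900, 6000)
# Attempts from one source inside this window that count as a burst.
BURST_ATTEMPTS = 10
BURST_WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

# Constructed sample: one legitimate jump-host session, one allowed session
# from an internet address, one from a plant workstation that should not
# reach VNC directly, unrelated HTTPS noise, and a dozen denied attempts
# against display :1 within two minutes.
SAMPLE_LOG = [
    "2023-02-20T09:58:00Z src=10.50.0.12 dst=10.20.0.15 dport=5900 proto=tcp action=allow",
    "2023-02-20T09:59:10Z src=203.0.113.7 dst=10.20.0.15 dport=5900 proto=tcp action=allow",
    "2023-02-20T10:03:45Z src=10.20.0.30 dst=10.20.0.15 dport=5900 proto=tcp action=allow",
    "2023-02-20T10:04:00Z src=10.20.0.30 dst=10.20.0.40 dport=443 proto=tcp action=allow",
] + [
    f"2023-02-20T10:0{i // 6}:{(i % 6) * 10:02d}Z src=198.51.100.23 dst=10.20.0.15 "
    f"dport=5901 proto=tcp action=deny"
    for i in range(12)
]


def parse_line(line):
    """Parse one key=value log line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "proto": m["proto"],
        "action": m["action"],
    }


def is_jump_host(addr):
    return any(addr in net for net in JUMP_HOST_NETS)


def max_in_window(timestamps):
    """Largest number of timestamps that fall inside one BURST_WINDOW (sliding window)."""
    ts = sorted(timestamps)
    best = left = 0
    for right in range(len(ts)):
        while ts[right] - ts[left] > BURST_WINDOW:
            left += 1
        best = max(best, right - left + 1)
    return best


def analyze(lines):
    """Return findings: allowed VNC sessions from non-jump hosts, and connection bursts."""
    findings = []
    attempts = defaultdict(list)  # source address -> timestamps of VNC attempts
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev["proto"] != "tcp" or ev["dport"] not in VNC_PORTS:
            continue
        attempts[ev["src"]].append(ev["ts"])
        if ev["action"] == "allow" and not is_jump_host(ev["src"]):
            findings.append({
                "type": "vnc_allowed_from_non_jump_host",
                "src": str(ev["src"]), "dst": str(ev["dst"]),
                "dport": ev["dport"], "ts": ev["ts"].isoformat(),
            })
    # Denied attempts count too: a burst of refusals still shows who is probing the listener.
    for src, stamps in attempts.items():
        n = max_in_window(stamps)
        if n >= BURST_ATTEMPTS:
            findings.append({"type": "vnc_connection_burst", "src": str(src), "attempts": n})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

An allowed session from outside the jump-host subnet is the signal that the firewall or segmentation from recommendations 1 and 2 has a gap; the burst rule is deliberately indifferent to allow versus deny, because a listener that is only being probed today is one that is still reachable.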

How would these recommendations work in OT?

The threat to OT in public utility systems is growing, as 80% of OT/ICS organizations had an incident in the last year. It’s clear that companies must act, but an overhaul of best practices and processes in OT is a complex path forward.

Above all, one of the biggest challenges with defending critical infrastructure environments is the prevailing misconception that an “air gap” separates traditional IT networks from ICS networks.

However, in the wake of the COVID-19 pandemic, 65% of IT/OT security professionals in the U.S. say their IT and OT networks are now more interconnected. As more OT comes online, the chances of cyberattacks trickling through IT environments increase.

Consequently, enterprise security teams must find a balance between IT and OT that protects and optimizes both environments. For example, while endpoint detection and response tools are well suited to IT systems, they are cumbersome in OT: every detection can drain the CPU as the system sends data to the cloud.

Final thoughts: A cultural shift drives the change

In the past, OT environments were seldom connected to the internet. But when the digital world interrupted the physical world, perceived air gaps between IT and OT began to close.

The average cost of a data breach in the United States is $9.44 million — more than double the global average. Aside from the financial cost, when the nation’s stability is at risk, companies must do more to protect critical assets.

A cultural shift in how OT is connected and protected may be essential, and it should begin as soon as possible. With a proactive stance toward understanding the evolving threats and how you can prepare, your company can take the first step toward stronger cyber resilience.

Are you ready to improve the security of your OT environment? Check out X-Force 2022 Insights to understand the Expanding OT Threat Landscape.
