February 20, 2023 By C.J. Haughey 5 min read

In August 2022, the threat intelligence and cybersecurity company Cyble found 8,000 virtual network computing (VNC) instances exposed online. The same research found that most of these exposed instances are located in the United States, China and Sweden — putting many critical infrastructure companies at risk of attack.

In an age where cybersecurity threats are omnipresent, it’s vital to maintain good security practices around remote computing access — especially concerning the nation’s most critical sectors. It’s crucial to examine why VNCs are vulnerable and what enterprise security teams can do to further protect these gateways to critical infrastructure.

What is VNC, and why does it matter in critical infrastructure?

VNC is a graphical desktop-sharing system that uses the Remote Frame Buffer (RFB) protocol, enabling remote control of other computers and machinery via a network connection. This technology is integral to critical infrastructure sites, such as water treatment plants, manufacturers and research facilities.

According to the Cybersecurity and Infrastructure Security Agency (CISA), there are 16 critical infrastructure sectors in the U.S.:

  1. Chemical Sector
  2. Commercial Facilities Sector
  3. Communications Sector
  4. Critical Manufacturing Sector
  5. Dams Sector
  6. Defense Industrial Base Sector
  7. Emergency Services Sector
  8. Energy Sector
  9. Financial Services Sector
  10. Food and Agriculture Sector
  11. Government Facilities Sector
  12. Healthcare and Public Health Sector
  13. Information Technology Sector
  14. Nuclear Reactors, Materials and Waste Sector
  15. Transportation Systems Sector
  16. Water and Wastewater Systems Sector.

The National Institute of Standards and Technology (NIST) defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety or any combination of those matters.”

And that begs the question: if these sectors are so crucial to the stability and security of the nation, why are they so vulnerable?

Operational technology is the weak spot for critical infrastructure

Operational technology (OT) combines computing software, hardware and communication systems that monitor and control manufacturing equipment, industrial processes, devices and infrastructure. We use OT in global industries, including manufacturing, oil and gas, aviation, maritime and rail.

As work-from-home policies became the norm during the COVID-19 pandemic, granting remote access to industrial control systems (ICS) and IT/OT infrastructure assets became a widely adopted practice across key sectors.

Companies actively disabled authentication protocols on machines to make access more convenient for remote employees. However, this shift in the nature of OT environments leaves the door open to hackers who use other tactics, techniques and procedures (TTPs) to infiltrate a network.

What is the current state of firewall protection in OT?

Most OT networks connect directly to public networks without strong firewalls or security protocols in between. Case in point: On February 5, 2021, hackers targeted the SCADA system of a water facility in Oldsmar, Florida.

The threat actor attempted to increase sodium hydroxide levels in the town’s water supply to dangerously high levels. Luckily, an alert employee spotted the remote mouse activity during the attack and promptly took action.

The water plant’s computers had an open internet connection without a firewall. Also, the facility’s network ran on Windows 7 — an outdated operating system that Microsoft discontinued support for in 2020.

What components of OT are most likely to be targeted in a remote attack?

CISA warned that the system’s lack of security updates leaves Oldsmar more susceptible to further exploitation. This case is a warning to enterprises in critical infrastructure sectors.

Here are five areas of OT that are vulnerable to a remote attack:

  1. Aging technology. Most OT systems were built years before cybersecurity was a concern. Furthermore, Microsoft estimates that 71% of these systems still run on legacy software that is never checked against new vulnerabilities or evolving cybersecurity threats.
  2. Limited patching. As critical infrastructure sectors and ICS environments operate around the clock, long periods of downtime are not an option. This makes it extremely difficult to patch systems regularly.
  3. Weak passwords. OT devices lack strong authentication and encryption. As a result, sophisticated hackers can easily gain access through brute force attacks.
  4. Limited security resources. 47% of ICS organizations don’t have an internal team that offers 24-hour support during cybersecurity incidents.
  5. Port 5900. There was a surge in cyberattacks on Port 5900 — the default port for VNC — between July 9 and August 9, 2022. Attackers actively scan and target this port, which may indicate a growing trend of future ransomware attacks on critical infrastructure facilities.

Tim Silverline, Vice President of Security at Gluware, explains, “Remote desktop services such as VNC are some of the easiest targets for hackers to identify.”

Not every hacker has serious activist or terrorist motivations. However, if someone compromises the systems of a critical sector and sells VNC assets on the Dark Web, the nation’s security and societal stability could be at stake.

What can enterprise security teams do?

Here are eight recommendations to improve the security posture around your virtual network computing infrastructure:

  1. Keep critical assets within the IT/OT environment behind firewalls. Regardless of whether you need to provide easier access to employees or partners, critical assets must remain protected.
  2. Limit exposure to VNC over the internet. If possible, use segmentation strategies to further isolate critical infrastructure from production networks, IT devices and office automation.
  3. Update devices regularly. Ensure all devices within the ICS environment are patched with the most recent updates.
  4. Implement a strong password policy. Everyone in the organization must follow mandatory parameters to create robust, complex passwords across all devices.
  5. Establish advanced access controls. With two-factor authentication and biometrics, you can implement role-based Identity and Access Management (IAM) for all employees.
  6. Prioritize logging and monitoring assets. Continuous logging and analysis of network traffic will help identify anomalies and potential threats at an early stage.
  7. Enable all the necessary security measures for VNC. Given the sensitive nature of critical infrastructure networks, it’s best to centralize device management and encrypt all traffic and data. You can also set tighter network security controls within the OT environment, including sandboxing and next-generation firewalls.
  8. Provide access to cybersecurity awareness and training programs. You can cultivate a stronger security culture by offering ongoing education for employees, such as a focus on zero trust policies.
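Recommendations 2 and 6 above (limiting VNC exposure and monitoring traffic), and the earlier note about scanning of port 5900, can be turned into a concrete check. The script below is an added example and is not code from the article or from any vendor it mentions: it runs over constructed, hypothetical key=value firewall log lines and reports (a) sources that probed several hosts on VNC display ports and were denied, and (b) VNC sessions that the firewall allowed from outside an assumed management subnet, which would violate the segmentation recommendation. The log format, the management subnet and the scan threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample firewall log lines (hypothetical key=value format, not real data).
# Ports 5900 and 5901 are the default VNC display ports (:0 and :1).
SAMPLE_LOG = """\
ts=2022-08-01T10:00:01Z action=deny src=203.0.113.10 dst=10.20.0.5 dport=5900 proto=tcp
ts=2022-08-01T10:00:02Z action=deny src=203.0.113.10 dst=10.20.0.6 dport=5900 proto=tcp
ts=2022-08-01T10:00:03Z action=deny src=203.0.113.10 dst=10.20.0.7 dport=5900 proto=tcp
ts=2022-08-01T10:00:04Z action=deny src=203.0.113.10 dst=10.20.0.8 dport=5901 proto=tcp
ts=2022-08-01T10:05:00Z action=allow src=198.51.100.7 dst=10.20.0.9 dport=5900 proto=tcp
ts=2022-08-01T10:06:00Z action=allow src=10.50.1.4 dst=10.20.0.9 dport=5900 proto=tcp
ts=2022-08-01T10:07:00Z action=allow src=10.20.0.3 dst=10.20.0.9 dport=443 proto=tcp
"""

VNC_PORTS = range(5900, 5910)                      # displays :0 .. :9
MGMT_NET = ipaddress.ip_network("10.50.1.0/24")    # assumed jump-host subnet
SCAN_THRESHOLD = 3                                 # distinct hosts probed by one source


def parse_line(line):
    """Split one 'key=value key=value' log line into a dict; dport becomes an int."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["dport"] = int(fields["dport"])
    return fields


def analyze(log_text):
    """Return sources that look like VNC scanners and allowed VNC sessions from outside MGMT_NET."""
    probes = defaultdict(set)   # src -> set of dst hosts it hit on VNC ports and was denied
    exposed = []                # (src, dst, dport) for allowed VNC sessions from outside MGMT_NET
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["dport"] not in VNC_PORTS:
            continue                                # not VNC traffic; ignore
        src = ipaddress.ip_address(ev["src"])
        if ev["action"] == "allow" and src not in MGMT_NET:
            exposed.append((ev["src"], ev["dst"], ev["dport"]))
        elif ev["action"] == "deny":
            probes[ev["src"]].add(ev["dst"])
    scanners = sorted(s for s, hosts in probes.items() if len(hosts) >= SCAN_THRESHOLD)
    return {"scanners": scanners, "exposed": exposed}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

On the sample above the external address 203.0.113.10 is reported as a scanner (four distinct hosts probed on VNC ports), and the allowed session from 198.51.100.7 is reported as an exposure because it did not originate from the management subnet.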

How would these recommendations work in OT?

The threat to OT in public utility systems is growing, as 80% of OT/ICS organizations had an incident in the last year. It’s clear that companies must act, but an overhaul of best practices and processes in OT is a complex path forward.

Above all, one of the biggest challenges with defending critical infrastructure environments is the prevailing misconception that an “air gap” separates traditional IT networks from ICS networks.

However, in the wake of the COVID-19 pandemic, 65% of IT/OT security professionals in the U.S. say their IT and OT networks are now more interconnected. As more OT comes online, the chances of cyberattacks trickling through IT environments increase.

Subsequently, enterprise security teams must find a balance between IT and OT that protects and optimizes both environments. For example, while endpoint detection and response tools are well-suited to IT systems, they are cumbersome in OT. Every detection can be a drain on the CPU as the system sends data to the cloud.

Final thoughts: A cultural shift drives the change

In the past, OT environments were seldom connected to the internet. But when the digital world interrupted the physical world, perceived air gaps between IT and OT began to close.

The average cost of a data breach in the United States is $9.44 million — more than double the global average. Aside from the financial cost, when the nation’s stability is at risk, companies must do more to protect critical assets.

A cultural shift in how OT is connected and protected may be essential, and the sooner it happens the better. With a proactive stance toward understanding the evolving threats and how you can prepare, your company can take the first step toward stronger cyber resilience.

Are you ready to improve the security of your OT environment? Check out X-Force 2022 Insights to understand the Expanding OT Threat Landscape.
