VPN Security for the OT Environment 

By Leonard Wills, NERC Reliability Specialist

Your entity should require anyone who works from home – or any authorized remote location – to remotely connect to the corporate or operational technology (OT) network through a virtual private network (VPN). A VPN establishes a secure tunnel over the internet, encrypting user traffic to enable access to internal resources such as applications, tools, and systems located within the corporate or OT network. 

Because VPNs provide a secure entry point into corporate and OT networks, threat actors view these services as an attractive target. Threat actors often attempt to exploit misconfigurations, outdated software, weak encryption protocols, and stolen credentials to compromise VPNs and gain unauthorized access to corporate or OT networks. To mitigate these risks, your entity should implement the following VPN security best practices:

  • Request and review a Software Bill of Materials (SBOM) from your VPN vendor.

An SBOM provides a detailed inventory of all software components, libraries, and dependencies used in a product. This inventory provides visibility into vulnerabilities so that your entity can implement the appropriate security measures and mitigation strategies to safeguard your corporate and OT network.

  • Configure VPN services with strong encryption (e.g., AES-256) and secure protocols (e.g., IKEv2/IPsec), and enforce multi-factor authentication (MFA).

Threat actors exploit weak or deprecated encryption algorithms and protocols (e.g., PPTP, L2TP without IPsec). Enforcing MFA ensures that stolen or guessed credentials alone do not grant access to your entity’s corporate or OT network.

  • Disable all non-essential features and services to reduce your attack surface.

Unused services and default configurations may provide threat actors with additional attack vectors to compromise your corporate or OT network. Only enable the specific features required for business or plant operations to minimize your attack surface.

  • Disable split tunneling and prevent users from disconnecting from the VPN while accessing the corporate or OT network.

Configure VPN settings to enforce full tunnel routing and ensure users remain continuously connected while accessing the corporate or OT network. Split tunneling allows users to simultaneously access the internet and the VPN, which potentially enables threat actors to exploit the unsecured internet path to infiltrate the internal network or exfiltrate sensitive data.

  • Continuously monitor VPN logs to detect unauthorized access, configuration changes, and anomalous traffic.

Logs record user access, configuration changes, and other critical information that can be used to detect anomalous network activity. Additionally, monitoring tools can detect brute-force attempts, lateral movement, and configuration changes in real time.
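As an added illustration (not part of the original article), the kind of log monitoring described above, run over a few constructed sample lines in a hypothetical appliance syslog format: it flags a run of failed logins followed by a success from the same source, a login that did not complete MFA, and a change to the split-tunnel setting.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical VPN appliance syslog format (not any real vendor's format).
SAMPLE_LOG = """\
2024-03-01T02:14:01Z vpn auth_fail user=jsmith src=203.0.113.7
2024-03-01T02:14:03Z vpn auth_fail user=jsmith src=203.0.113.7
2024-03-01T02:14:05Z vpn auth_fail user=jsmith src=203.0.113.7
2024-03-01T02:14:07Z vpn auth_fail user=jsmith src=203.0.113.7
2024-03-01T02:14:09Z vpn auth_fail user=jsmith src=203.0.113.7
2024-03-01T02:14:11Z vpn auth_ok user=jsmith src=203.0.113.7 mfa=no
2024-03-01T08:30:00Z vpn auth_ok user=amartin src=198.51.100.20 mfa=yes
2024-03-01T08:31:00Z vpn config_change user=amartin key=split_tunnel old=disabled new=enabled
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) vpn (?P<event>\w+) (?P<kv>.*)$")

def parse(line):
    """Parse one log line into a dict of fields; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "event": m["event"]}
    rec.update(kv.split("=", 1) for kv in m["kv"].split())  # key=value pairs after the event name
    return rec

def analyze(log_text, fail_threshold=5, window=timedelta(minutes=5)):
    """Return a list of (alert_type, detail) tuples for brute force, missing MFA and config changes."""
    alerts = []
    fails = defaultdict(list)  # (src, user) -> timestamps of recent auth_fail events
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        key = (rec.get("src"), rec.get("user"))
        if rec["event"] == "auth_fail":
            # keep only failures inside the sliding window, then count this one
            fails[key] = [t for t in fails[key] if rec["ts"] - t <= window] + [rec["ts"]]
            if len(fails[key]) == fail_threshold:  # alert once when the threshold is reached
                alerts.append(("brute_force", key))
        elif rec["event"] == "auth_ok":
            if rec.get("mfa") != "yes":  # every successful login must have completed MFA
                alerts.append(("login_without_mfa", key))
            if fails[key]:  # success right after failures suggests a guessed credential
                alerts.append(("success_after_failures", key))
        elif rec["event"] == "config_change":
            alerts.append(("config_change", (rec.get("key"), rec.get("old"), rec.get("new"))))
    return alerts
```

In practice the same logic would consume the appliance's real log stream and feed a SIEM; the thresholds and field names here are assumptions for the constructed sample.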

  • Apply software updates and security patches to VPN services, appliances, and client software promptly.

Threat actors target known vulnerabilities in unpatched VPN software to gain initial access. Implement a robust patch management program and subscribe to vendor security bulletins, E-ISAC, and CISA Cybersecurity Alerts and Bulletins to stay informed of threats to the energy sector.