Skip to content
Book a Demo

Strengthen your OT Cybersecurity

January 17, 2024
  • Intelligence
strengthen_your_ot_cybersecurity
  • Intelligence
January 17, 2024

Article by the Customer Success Team at Neeve

Have you checked Shodan.io for your OT devices? How many unpatched vulnerabilities are on PCs and servers running your OT applications? Because we can assure you that hackers are using it to find your exposed devices, targeting systems that allow lateral movement like remote desktop protocols, and exploiting well-published, long-standing vulnerabilities to elevate privileges.  That may be exactly how ransomware got Johnson Controls.

The right strategy will let you essentially eliminate that risk in one step while increasing your ongoing ability to securely connect existing and new applications to the cloud and authorized users.

Commercial real estate is navigating through budget constraints and carefully prioritizing tech upgrades in the face of critical imperatives: strengthening Operational Technology (OT) systems against the ever-growing menace of ransomware and the surging demand for operational data.

Defending OT from Ransomware Now

Ransomware is becoming easier and easier to create and launch, high-profile attacks are increasingly in the headlines, and OT is rife with unmanaged and out-of-date devices.  Microsoft reports that 80-90% of ransomware attacks originate on unmanaged devices.

The danger has increased to the point that companies don’t have the time to hunt down all the unpatched vulnerabilities across their OT systems before they protect themselves from ransomware.

This urgent situation calls for a solution that is both practical – you need to build a moat around your OT now – and progressive – whatever you implement has to be easy to use, to keep up to date, and to build new capabilities on top of.

The solution category called a Secure Access Service Edge (SASE) platform emerges as the right answer to this complex environment.

SASE is a cybersecurity concept that combines network security functions with wide-area networking (WAN) capabilities, delivered as a cloud service for protecting and enabling secure access to resources in a distributed network environment. This bundled approach offers a realistic pathway to enhance cybersecurity and data accessibility in commercial buildings.

This article explores how a SASE platform provides a practical and accessible strategy for dramatically improving cybersecurity infrastructure while facilitating the modernization of legacy systems in a cost-effective and manageable manner.

The right SASE strategy for any company meets them where they are, makes an immediate difference with tangible ROI, and then increases the velocity of secure technology adoption going forward.

The Legacy Challenge and A Realistic Approach

The legacy OT infrastructure in commercial buildings presents a formidable challenge. Characterized by a mix of outdated and unsupported systems, these infrastructures are often riddled with vulnerabilities, making them prime targets for cyber threats.

The complexity of these systems, ranging from legacy Windows servers to unmanaged IoT devices, creates a landscape where security gaps are prevalent. However, the idea of overhauling these systems in one sweeping motion is neither practical nor feasible.

Real-world experiences from our diverse clientele, including industry leaders like Alexandria, BGO, Charter Hall, Credit Suisse, Deutsche Bank, Kilroy, Schneider Electric, Tishman Speyer, and others, underscore the need for a realistic approach.

For instance, multiple clients use our SASE platform to centralize OT management across large portfolios, subsequently enabling a systematic modernization of servers and facilitating cloud migration. In parallel, they proceed with new applications that securely access building data for cloud applications while protecting the connections and data flows with SASE.

Another client, while maintaining a meticulously organized server infrastructure from day one, leverages the SASE platform to ensure the highest standards of security and remote access, thereby enabling professional centralized management across their expanding portfolio.

Another is coordinating upgrades across a diverse set of vendors in an acquired portfolio by holding them to the high standards of the SASE approach.

These cases illustrate that a gradual, strategic approach is not just realistic but necessary. A SASE platform allows organizations to start with core systems such as Building Management Systems (BMS), Access Control, and Video Surveillance, and then expand over time.

This phased approach enables organizations to methodically modernize and migrate to cloud-based servers, reducing the inherent risks associated with legacy systems.

Reducing Cybersecurity Vulnerabilities

The cybersecurity landscape in OT environments is fraught with risks. Statistics indicate that 57% of all IoT devices are vulnerable to medium- or high-severity attacks, and 80-90% of ransomware compromises originate from unmanaged devices. Furthermore, 93% of ransomware incident response engagements reveal insufficient controls on privileged access and lateral movement between networks or subnetworks.

proper SASE platform addresses these vulnerabilities head-on by effectively walling off vulnerable unmanaged devices and segmenting network access.

In our recent experience, a client discovered an exposed BMS server at a building using Shodan. Such a server is an ideal candidate for direct disruption and for moving laterally to associated OT systems. Immediately after implementing our SASE platform-as-a-service, with no other changes to underlying systems or their access to the cloud, this server did not register on Shodan.

By implementing a SASE platform, organizations can significantly reduce their exposure to cyber threats. The platform replaces the myriad of unmanaged devices facing the internet and remote users with a robust, secure interface. This interface not only protects against external threats but also prevents lateral movement within the network, a common tactic used in sophisticated cyberattacks.

A strong SASE platform architecture that is grounded in principles like Zero Trust and strong encryption meticulously authenticates and monitors each access point, thereby mitigating the risk of unauthorized access and data breaches.

Economic Payback of Centralized Management

The economic implications of adopting a SASE platform are substantial. Centralized management of OT systems becomes a tangible reality, offering significant cost savings and operational efficiencies for the facilities operations team itself. Further, by consolidating control and oversight to a single platform, organizations can streamline their operations, reducing the need for multiple vendor truck rolls and on-site interventions.

This centralized approach not only lowers operational costs but also enhances the responsiveness and agility of the management team. With secure remote access capabilities, technical teams can address issues promptly, minimizing downtime and improving overall system reliability.

One of our clients reports saving over $1M a year in operating costs by taking this centralized approach.

A SASE platform’s ability to provide a unified view of the entire OT infrastructure simplifies the task of monitoring, maintenance, and upgrades, further contributing to the economic benefits.

Neeve’s Differentiated Secure Edge

While the advantages of a generic SASE platform are clear, Neeve Secure Edge is entirely focused on OT. Neeve has extensive experience with OT technologies and has captured the best practices and highest standards in one platform that we designed for OT professionals based on their feedback.

Further, Neeve Secure Edge offered entirely as a service, stands out in the industry. Our Secure Edge with Remote Access and Edge Compute platform is not only feature-rich but also user-friendly for non-IT personnel, designed to meet the needs of a diverse range of users.

Because Neeve Secure Edge does not require removing any legacy equipment to get started, our clients generally complete the deployment and commissioning process in one day.

As a fully managed service, all features and security patches are always up to date.

A key differentiator is our vendor marketplace, which includes key applications such as Niagara by Tridium, Switch Automation, SkySpark, Nantum, Mapped, Kognition, Iceberg Cyber, and more. This marketplace offers secure, one-click installation of OT applications, simplifying the deployment process and ensuring compatibility and security. It also enables you to deploy your homegrown applications and utilities with the same centralized management and secure remote access.

Our large installed base, with over 650 buildings worldwide, is a testament to the platform’s effectiveness and reliability.

More Than A Moat – A Bridge to a Smart Building Portfolio

Neeve Secure Edge platform presents a realistic and effective solution to the complex challenges of OT cybersecurity in commercial buildings. Its ability to integrate seamlessly with existing systems makes one-day deployment a reality.

It is deployed at over 650 buildings globally. That fact, along with robust security features and a user-friendly vendor marketplace makes Neeve Secure Edge the industry leader. As we continue to expand our capabilities in areas like threat intelligence and pattern detection, our Secure Edge platform evolves to meet the ever-changing needs of our clients.

Neeve Secure Edge offers an affordable and strategic tool that you can deploy very quickly. It is tailored to OT for this moment. Let’s talk about ensuring you have strong defenses now and then getting you on your path to modernizing OT infrastructure, reducing operational costs with a centralized model, and innovating in a secure and cloud-managed environment.