Monitoring remote access to Operational Technology environments
Remote desktop connections, made over the Remote Desktop Protocol (RDP), are commonly used by support staff and vendors to reach the Operational Technology (OT) environment. OT systems often control critical equipment and handle sensitive data, and they need to be protected against threats that could halt critical operations. A security breach through remote access can cause production shutdowns, data loss and safety risks in these environments. This article shows you how to use the Splunk platform to detect RDP traffic in your environment.
It is strongly recommended to use more secure alternatives to RDP, such as remote access solutions that enforce multi-factor authentication (MFA) or specialized remote access software designed for OT environments.
Data required
Windows Security event log data from the manufacturing hosts is required for this use case. To bring in events from the Windows event store, it is recommended to use the Splunk Add-on for Microsoft Windows, which extracts the fields used below (such as EventCode, Logon_Type, user, src and dest) and makes these events Common Information Model (CIM) compliant. This add-on is most often used with a Splunk universal forwarder on the host itself or on a Windows Event Collector (WEC) host.
How to use Splunk software for this use case
Stage 1: Identify critical remote access hosts
Access to OT environments usually goes through specific hosts (often known as jump servers). In order to identify remote access from external environments, you'll need to create a macro that limits searches to only those hosts that are reachable from outside the OT environment. If remote access is permitted to any host, the macro can be adjusted to match all hosts.
Create a macro called is_remote_access_host. It should take in a host and return true or false to indicate whether that host can be used to connect into the OT environment from outside.
To do this, you can:
- Use a lookup table that has a list of remote access hosts.
- Use a lookup table that has a list of IP ranges for OT devices (for example, specific networks that can be used within an OT DMZ).
- Use a static list of OT devices or characteristics (such as host name pattern or asset type).
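The following Python function is an added example, not part of the original article or of Splunk's own code, of the three Stage 1 methods combined into a single check that behaves like the is_remote_access_host macro: an explicit host lookup table, a CIDR lookup of OT DMZ ranges, and a host name pattern. The lookup contents, host names, address ranges and the naming convention in the regular expression are all constructed for illustration.

```python
import csv
import io
import ipaddress
import re

# Constructed sample lookup, equivalent to a Splunk lookup CSV of remote
# access hosts (host names are hypothetical).
REMOTE_ACCESS_HOSTS_CSV = """host,description
otjump01,Vendor jump server in the OT DMZ
otjump02,Support jump server in the OT DMZ
"""

# Constructed sample lookup of OT DMZ address ranges (assumed addressing).
OT_DMZ_RANGES_CSV = """cidr,description
10.50.1.0/24,OT DMZ jump host network
192.168.100.0/28,Vendor remote access VLAN
"""

# Static characteristic: an assumed naming convention for jump hosts.
REMOTE_ACCESS_HOST_PATTERN = re.compile(r"^(ot|dmz)jump\d+$", re.IGNORECASE)


def load_host_lookup(csv_text):
    """Parse a host lookup CSV into a set of lower-cased short host names."""
    return {row["host"].strip().lower()
            for row in csv.DictReader(io.StringIO(csv_text))}


def load_cidr_lookup(csv_text):
    """Parse a CIDR lookup CSV into a list of ip_network objects."""
    return [ipaddress.ip_network(row["cidr"].strip(), strict=False)
            for row in csv.DictReader(io.StringIO(csv_text))]


REMOTE_ACCESS_HOSTS = load_host_lookup(REMOTE_ACCESS_HOSTS_CSV)
OT_DMZ_RANGES = load_cidr_lookup(OT_DMZ_RANGES_CSV)


def is_remote_access_host(host):
    """Return True if `host` (a host name or IP string, as found in the dest
    field) is a remote access host, trying the three Stage 1 methods in order."""
    if not host:
        return False
    value = host.strip()
    # dest is sometimes an FQDN; compare on the short name.
    short = value.split(".")[0].lower()
    # 1. Explicit lookup table of remote access hosts.
    if short in REMOTE_ACCESS_HOSTS:
        return True
    # 2. Lookup table of IP ranges (only meaningful when dest is an address).
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        addr = None
    if addr is not None and any(addr in net for net in OT_DMZ_RANGES):
        return True
    # 3. Static characteristics such as a host name pattern.
    return bool(REMOTE_ACCESS_HOST_PATTERN.match(short))


if __name__ == "__main__":
    for candidate in ["otjump01", "OTJUMP02.ot.example.com", "10.50.1.7",
                      "10.50.2.7", "dmzjump07", "hmi-line3"]:
        print(f"{candidate:28} remote access host: {is_remote_access_host(candidate)}")
```

The order matters in practice: the explicit lookup is the authoritative allow-list, the CIDR check covers events where dest is logged as an address rather than a name, and the pattern is a fallback for hosts that were built to the naming convention but never added to the lookup.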
Stage 2: Identify remote desktop connections with Windows Security logs
Windows Security logs record every authentication attempt made against a host, whether it originates internally or externally. Specific event IDs and logon types distinguish local from remote access: logon type 10 (RemoteInteractive) is the type assigned to RDP sessions. Because many OT environments include both legacy and newer Windows operating systems, the search below uses both the legacy event IDs (528 and 529, used by Windows XP and Server 2003) and the current ones (4624 and 4625, used from Windows Vista and Server 2008 onward). One caveat: on hosts that enforce Network Level Authentication (NLA), a failed RDP attempt is rejected before an interactive session is created and is logged as event 4625 with logon type 3 (Network) rather than 10, so a search restricted to logon type 10 will show successful RDP logons but miss most failed ones on those hosts.
Run the following search. You can optimize it by specifying an index and adjusting the time range.
source=WinEventLog:Security Logon_Type=10 ((EventCode=4624 OR EventCode=528) OR (EventCode=4625 OR EventCode=529)) | eval action=case(EventCode=4624 OR EventCode=528, "Success", EventCode=4625 OR EventCode=529, "Failure") | search `is_remote_access_host(dest)`=true | table _time, user, src, dest, action
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Splunk Search | Explanation
---|---
source=WinEventLog:Security | Search only Windows Security logs.
Logon_Type=10 | Search for logon type 10 (RemoteInteractive), which indicates remote desktop logons.
EventCode=4624 OR EventCode=528 | Search for event codes 4624 and 528, which indicate successful logons.
EventCode=4625 OR EventCode=529 | Search for event codes 4625 and 529, which indicate failed logons.
eval action=case(...) | Enumerate the logon results as Success or Failure.
search `is_remote_access_host(dest)`=true | Keep only logons whose destination is a remote access host, using the macro from Stage 1.
table _time, user, src, dest, action | Show the time, user, source, destination, and result.
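The following Python code is an added example, not part of the original article, that applies the Stage 2 logic to a handful of constructed Windows Security events shaped like the fields the Splunk add-on extracts (EventCode, Logon_Type, user, src, dest). It labels each RDP logon to a remote access host as Success or Failure exactly as the eval above does, optionally also keeps the 4625 logon type 3 failures that NLA-enabled hosts produce, and rolls failures up per source and user so that bursts of failed logons stand out. Host names, users, addresses and timestamps are all constructed; the remote-host set stands in for the Stage 1 macro.

```python
from collections import Counter

SUCCESS_CODES = {"4624", "528"}   # 528 is the legacy (XP / Server 2003) ID
FAILURE_CODES = {"4625", "529"}   # 529 is the legacy failed-logon ID
RDP_LOGON_TYPE = "10"             # RemoteInteractive
NETWORK_LOGON_TYPE = "3"          # where NLA-rejected RDP attempts are logged

# Constructed events; field names follow the Splunk Add-on for Windows.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T08:00:01", "EventCode": "4624", "Logon_Type": "10",
     "user": "vendor.svc", "src": "203.0.113.10", "dest": "otjump01"},
    {"_time": "2024-05-01T08:05:12", "EventCode": "4625", "Logon_Type": "10",
     "user": "vendor.svc", "src": "203.0.113.10", "dest": "otjump01"},
    {"_time": "2024-05-01T08:06:00", "EventCode": "528", "Logon_Type": "10",
     "user": "support1", "src": "198.51.100.5", "dest": "otjump02"},
    # RDP to a host that is not a remote access host: dropped by the filter.
    {"_time": "2024-05-01T08:07:30", "EventCode": "4624", "Logon_Type": "10",
     "user": "engineer", "src": "10.10.0.15", "dest": "hmi-line3"},
    # Console logon (type 2) on a jump host: not RDP, dropped.
    {"_time": "2024-05-01T08:08:00", "EventCode": "4624", "Logon_Type": "2",
     "user": "operator", "src": "-", "dest": "otjump01"},
] + [
    # Six failed attempts against an NLA-enabled jump host: logged as type 3.
    {"_time": f"2024-05-01T09:00:{i:02d}", "EventCode": "4625", "Logon_Type": "3",
     "user": "administrator", "src": "203.0.113.77", "dest": "otjump01"}
    for i in range(6)
]

REMOTE_ACCESS_HOSTS = {"otjump01", "otjump02"}   # stands in for the Stage 1 macro


def is_remote_access_host(host):
    """Minimal stand-in for the is_remote_access_host macro."""
    return host.split(".")[0].lower() in REMOTE_ACCESS_HOSTS


def classify_rdp_logons(events, is_remote_host, include_nla_failures=False):
    """Mirror of the Stage 2 search: keep logon type 10 events to remote access
    hosts and label each Success or Failure by event code.  With
    include_nla_failures=True, failed logons of type 3 are kept as well, which
    is where failed RDP attempts land on hosts enforcing NLA."""
    results = []
    for ev in events:
        code = str(ev.get("EventCode", ""))
        logon_type = str(ev.get("Logon_Type", ""))
        if code in SUCCESS_CODES:
            action = "Success"
        elif code in FAILURE_CODES:
            action = "Failure"
        else:
            continue
        is_rdp = logon_type == RDP_LOGON_TYPE
        is_nla_failure = (include_nla_failures and action == "Failure"
                          and logon_type == NETWORK_LOGON_TYPE)
        if not (is_rdp or is_nla_failure):
            continue
        if not is_remote_host(ev.get("dest", "")):
            continue
        results.append({"_time": ev["_time"], "user": ev["user"], "src": ev["src"],
                        "dest": ev["dest"], "action": action,
                        "logon_type": logon_type})
    return results


def excessive_failures(results, threshold=5):
    """Count failures per (src, user) pair and return those at or above threshold."""
    counts = Counter((r["src"], r["user"]) for r in results if r["action"] == "Failure")
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    rows = classify_rdp_logons(SAMPLE_EVENTS, is_remote_access_host, include_nla_failures=True)
    for r in rows:
        print(f"{r['_time']}  {r['user']:14} {r['src']:15} -> {r['dest']:9} "
              f"{r['action']} (type {r['logon_type']})")
    print("excessive failures:", excessive_failures(rows))
```

Run with the strict (type 10 only) setting, the six NLA failures never appear and the failure rollup is empty, which is the blind spot the caveat above describes; with include_nla_failures=True the burst from 203.0.113.77 against the administrator account is reported. In Splunk the equivalent is to widen the Logon_Type filter for failed events and, for the rollup, to follow the search with a stats count by src, user over the Failure rows.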
Stage 3: Identify remote desktop connections with network traffic logs
Network traffic logs provide details on any connections made to hosts, whether internal or external. However, they can be less reliable than Windows Security events for this purpose: many firewalls identify only a port and not the application, so RDP running on a non-default port is missed by a port filter, and the user field is populated only when the logging device is identity-aware. Network logs also show that a connection was attempted, not whether the logon succeeded.
Run the following search. You can optimize it by specifying an index and adjusting the time range.
tag=network tag=communicate (dest_port=3389 OR app=RDP) | search `is_remote_access_host(dest)`=true | table _time, user, src, dest
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Splunk Search | Explanation
---|---
tag=network tag=communicate | Search only network traffic logs (the tags used by the CIM Network Traffic data model).
dest_port=3389 OR app=RDP | Search for traffic to destination port 3389 or traffic that the logging device has identified as the RDP application.
search `is_remote_access_host(dest)`=true | Search for connections to a remote access host as the destination, using the macro from Stage 1.
table _time, user, src, dest | Show the time, user, source, and destination.
Next steps
The following dashboard shows an example of how you might monitor remote access hosts in OT environments:
Using this data, excessive logon failures can be analyzed to determine whether they are attempts to compromise critical OT systems. Excessive logon failures can also point to poor practices, such as users disconnecting RDP sessions instead of logging off, so a failure spike should be checked against the source, account and time of day before it is treated as an attack.
In addition, it is important to monitor other kinds of remote access such as VPN, screen sharing software (such as VNC), and logins to non-Windows systems. These data types can be added to the above dashboard and tagged with the appropriate application.
The following dashboard shows an example of monitoring remote access in the OT Security Add-on for Splunk:
Other resources you might be interested in include:
- The OT Security Add-on for Splunk provides additional dashboards for perimeter monitoring, including different kinds of remote access. These visualizations aid in proactively identifying access which might pose a risk to OT environments.
- The CISO’s guide to complete security for industrial control systems might be useful to identify key areas of focus for protecting OT and industrial control system environments.