With the growth of remote workforces and distributed locations, OT secure remote access (SRA) solutions are vital for enabling operators, contractors, and third-party vendors to remotely monitor, manage, and maintain ICS/OT assets fast, efficiently and securely.  

But what is behind the speed and efficiency of the Dispel Zero Trust Engine?

As the systems and methods of deploying Moving Target Defenses to Operational Technology (OT), Internet of Things, or other cyber physical systems have matured to the point of seeing use in some 20% of the productive capacity of most core industry verticals in the United States. Let’s review how hybridized Static Defense and Moving Target Defense structures are emerging in the field, and the financial benefits driving this adoption.

How We Got Here: Cracks in the Castle Walls 

Until the mid 2010s, for lack of an alternative option, defending industrial systems in the commercial world was an exercise in building castles. You set up walls and gates, positioned sensors to cover those walls and gates, deployed systems to make sense of the sensor data, and hired guards to respond to attacks.  

People built castles in cyberspace because it was intuitive and, for the first two thirds of the existence of the Internet, it largely worked. But castles do not move, and unlike real castles, cyber castles built by commercial entities aren’t allowed to have cavalry that can charge forth to chase away the barbarians searching for weaknesses. So, if you are going with the strategy of building a castle, unless you have the financial, technical, and logistical wherewithal to constantly, and correctly anticipate the types of attacks that will be launched against you and invest in defeating those attacks, someone will eventually focus on the problem long enough to punch a hole through the wall.

Years of building numerous gates and walls has inadvertently resulted in complex systems that slow down the very people they’re meant to protect. For example, remote access connections to Industrial Control Systems (ICS), a subset of OT, when aligned with the NIST 800-82 moderate baseline, typically involve a 7-to-12 minute connection process and require 15 minutes of administrative overhead. That is insane. And not efficient. 

Static Defense and Layered Defense 

The strategy of building walls is known as “Static Defense.” It’s easy to understand, easy to market, and easy to sell. Every heard, “Oh, you already have a competing product? No problem. You should have ‘a layered defense.’” It still works most of the time too. But static defense as it has been implemented forgets the fundamental reason why computers and networks exist within an organization—computers and networks are not cybersecurity tools. They are efficiency and enablement tools with necessary cybersecurity attributes. 

What is Moving Target Defense? 

The alternative to Static Defense is Moving Target Defense. You take what you care about, your assets, your “crown jewels” and move it around—ideally in a medium where it is difficult to be followed. Think a submarine. The way Moving Target Defense is applied in cyber is typically not by moving the asset itself (in the case of OT, you can’t very well pick up an assembly line, drive it around, and hope to accomplish anything) but rather by moving the network through which that asset can be reached.  

To truly move a network, you need to launch a set of virtual machines to serve as traffic nodes, then launch more virtual machines, turn those into traffic nodes, and shift the network traffic from the original nodes over to the new ones. To make all that movement difficult to track (ideally in a medium where it is difficult to be followed), you need to launch these virtual machines on commercial clouds where right after you’re done using a virtual machine, the cloud provider will take the freed up processing power and memory and lease it to someone else. 

Done properly, Moving Target Defense networks force an adversary to continuously expend resources trying to obtain target lock on a system. It puts the adversary in the position of needing to think their strategy continuously.  

Terminology Tip: This idea of building a network of virtual machines in an environment where the processing power and memory used to build those virtual machines can be subsequently allocated to someone else is a concept known as “compostability.” The characteristic of deliberately launching something to be difficult to track is known as “managed attribution.” The network you are building, then, is a “compostable, managed attribution, network.”

Why Moving Target Defense Got Traction with Commercial Organizations 

If you’ve automated the launch of a network, it’s not a significant technical leap to automate integrating other systems into that network—such as AIs, monitoring and prognostics systems, resource planning tools, patch management systems, log servers, event managers, recording servers, or access approval systems. In turn, this means you can eliminate many of the manual processes traditionally required to connect a person to a device. 

Which brings us full circle to the core purpose of networks and computers: They are not cybersecurity tools; they are efficiency and enablement tools with necessary cybersecurity attributes. 

What this all leads to is a world where Moving Target Defense networks built to provide remote access to OT systems were delivering connection times of 30 seconds versus the 7 to 12 minute Static Defense systems they were replacing. In worlds where a minute of downtime can cost 6 figures, it was time saved, not cybersecurity, that provided the “why” for adoption of Moving Target Defense in industrial environments.  

Simplifying the Problem: Why Hybrid Systems Make Sense 

Pure Static Defense is a sound defensive strategy. But it comes at great cost to the usability of the systems it is protecting. What we would suggest is that, by using both Moving Target Defenses and Static Defenses, you can make a more performant, secure, system.  

Let’s start with remote access, the “why” for the existence of network connections from Operational Technology environments to the rest of the world. We’ve dividing the problem space into three sections. 

Environment Being Accessed 

The walls and gates used to explain Static Defense are, in cyberspace, just computers applying rules to traffic flows. The simpler the rule, the more likely the firewall is to pull it off effectively. Imagine a world in which you established this set of rules:  

• No traffic stream is allowed to initiate from the outside.  

• All traffic streams must initiate from inside the network. 

• All traffic streams must initiate from an uplink device (i.e. the toaster can’t reach out).     

That’s a relatively easy rule to follow, it doesn’t slow down traffic flows, and it stops all inbound, randomized attacks from across the Internet. 

Now imagine further you have some things inside the environment that never need remote access (think a sensor). Andrew Ginter would correctly point out that the right thing to do would be to park that sensor behind a physical data diode so there was no technical way for an attack to push in. You’ve now further narrowed the problem set to the handful of things that sometimes do need to reach the rest of the world in a bidirectional fashion.  

Connecting Network 

Now, imagine a compostable, managed attribution network deployed to serve as a dedicated network for establishing remote access connections. On the network itself, those virtual machines must be configured to block any traffic from non-network sources. It must include monitoring and logging capabilities in case of a flaw in the network or if someone using it has malicious intent. Additionally, it should have scanning software to detect malware attempting to pass through. These are all Static Defense concepts applied within a Moving Target Defense network.

The Remote User 

Finally, let’s look at whoever is trying to reach the environment with the thing or asset we care about. It doesn’t matter who this person is, we don’t (and shouldn’t) entirely trust the device they are on. Further, we want to prevent an adversary from identifying that person’s device as being a potential entry point into our factory. We want to disassociate it.   So instead of having the remote user directly connect through the channel from their device, we have the managed attribution network include a single-use virtual desktop launched in a data center close to where that remote user is physically located. From the human’s standpoint, that virtual desktop will appear, with the appropriate configuration, to be the interface they meant to reach inside the environment being accessed, but at a technical level, that virtual desktop is a miniature castle, hardened to the DISA STIG. Due to its geographic proximity, it should also appear blazing fast to the user. And from an adversary’s point of view, unless they are investing the resources needed to dynamically map the managed attribution network (a technically achievable but phenomenally costly task), your user isn’t going to appear associated with the system they are accessing.   

When the remote session is done, the network through which remote access was being conducted can be destroyed. The user no longer has a pathway in, and the environment that was being accessed reverts to having no traffic flows in or out whatsoever.   What we’ve just described is a hybrid strategy. It works from a cybersecurity point of view and it’s fast. 

Deploy Hybrid MTD and Static Defense with Dispel 

Dispel delivers a hybridized Moving Target Defense and Static Defense OT Secure Remote Access system. A key differentiator from other remote access providers is Dispel’s ability to supply a virtual desktop in geographic proximity to the user—one of the 767 critical security controls often bypassed by competitors to reduce costs. 

The Dispel Zero Trust Engine offers a new path forward on your OT secure remote access journey:  

• Rapid OT Secure Remote Access – Eliminate connection delays and login fatigue with an OT remote access solution designed for speed and security. Faster connections mean faster response times and reduced downtime. 

• Minimize Risk, Maximize Security for OT – Dispel Zero Trust Engine eliminates static entry points with Moving Target Defense, shutting down ‘living off the land’ threats and closing attack vectors—dramatically reducing your OT network’s exposure to cyber risks. 

• Unmatched Remote Access Security – Dispel’s Virtual Desktop (VDI) Workstations deliver the highest level of secure remote access, built for organizations that require uncompromising protection. With automatic credential cycling, dynamic IPs, continuous OS patching, and full compliance with industry standards, our VDI ensures resilience against phishing, DDoS, and cyber threats 

• Collaboration – Seamlessly integrate with your technology ecosystem for full visibility, while securing remote access without complexity.