VPNs and Critical Infrastructure Risks

Cybercriminals are increasingly exploiting VPN vulnerabilities.

Roman Arutyunov
Jan 15, 2025
Hacking Alarm

For years, virtual private networks (VPNs) have been the default method for enabling remote access in industrial and operational environments. Their widespread adoption soared during the pandemic, as companies scrambled to maintain connectivity and productivity with a suddenly remote workforce. VPNs provided a quick fix, allowing employees and third parties to connect to corporate and operational networks from home.

Yet, what was implemented as a temporary, emergency solution has become an entrenched practice. Many organizations still rely on VPNs to enable remote access, despite significant security risks. In 2024, multiple high-profile cyberattacks that leveraged VPN vulnerabilities made news, renewing urgency around the need to adopt more secure alternatives.

High-Profile VPN Breaches

By design, VPN solutions put remote users into local networks. Any malicious code that may exist on the remote endpoint can travel in and infect any asset in the local network. In addition, VPNs are deployed in strategic points within network environments that, if compromised, give attackers wide access into critical networks. 

Some of the most severe breaches of 2024 stemmed from VPN vulnerabilities, compromising organizations responsible for critical infrastructure and sensitive operations.

Ivanti VPN suffered a series of critical vulnerabilities early in the year, allowing attackers to gain root-level persistence—meaning attackers could maintain control even after a factory reset. The impact of these vulnerabilities escalated in March when the U.S. Cybersecurity and Infrastructure Security Agency (CISA) was breached using the very flaw it had warned others about. The situation worsened in April when MITRE fell victim to a similar attack. By September, additional Ivanti Cloud vulnerabilities were added to the Known Exploited Vulnerabilities catalog.

In April, the ArcaneDoor cyber espionage campaign targeted Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, exploiting multiple vulnerabilities. The attackers, believed to be linked to Chinese APT groups, were able to bypass authentication, extract device configurations, disable logging, and monitor network traffic, posing a significant risk to many critical infrastructure providers that relied on the faulty Cisco systems.

In May, researchers uncovered TunnelVision, a decades-old flaw in the DHCP protocol. The vulnerability allows attackers to reroute traffic and disable encryption for nearly any VPN. 

In November, a zero-day vulnerability in Fortinet’s Windows VPN client was exploited by the BrazenBamboo threat actor, a group linked to China. Using the DeepData malware framework, attackers extracted usernames, passwords, and other sensitive credentials directly from application memory. This vulnerability had been reported in July but remained unpatched for months.

These cyberattacks made it clear that VPNs are an attractive target for threat actors.

For Critical Infrastructure

VPN vulnerabilities pose a risk in critical infrastructure environments, where downtime, data breaches, and operational disruptions can have catastrophic consequences.

When a VPN is compromised, attackers gain direct access to the internal network, often with minimal restrictions. In critical infrastructure, this means cybercriminals can move laterally across industrial control systems (ICS), SCADA environments, and sensitive operational assets. Many operational technology (OT) environments were designed decades ago, before cybersecurity became a priority. These assets often lack even basic security controls, making them easy targets for attackers who breach the network through a VPN.

Once inside, attackers can implant persistent malware, exfiltrate sensitive data, or even manipulate critical operations. The consequences of such an attack extend far beyond financial losses. A cyberattack on critical infrastructure can result in disruptions or tampering with essential services like electricity, water, and transportation, potentially putting lives at risk.

Compounding the problem, recovering from a cyberattack in critical infrastructure environments is significantly more complex than in IT environments. Critical infrastructure assets can sometimes be spread across vast geographic areas, requiring manual intervention to restore functionality. Some systems lack backup capabilities entirely, meaning that once they are compromised, there may be no way to recover them without extensive downtime. This dramatically increases the operational and financial impact of an attack and raises the likelihood that organizations will feel compelled to pay a ransom just to restore service.

Implementing a More Secure Approach

If VPNs are no longer an option, what should organizations use instead? The answer lies in a zero trust, defense-in-depth approach that prioritizes continuous verification and asset protection:

  • Remote access must be tightly controlled. Each user's access should be constrained to only the systems necessary for that user's role, with granular permissions enforced at every level.
  • Continuous verification is key. Every user and device should be continuously reverified, ensuring that access permissions are still valid and that no suspicious activity is occurring.
  • Remote access should always be paired with asset protection. Even if an attacker breaches a remote access mechanism, they should not be able to compromise industrial assets. Strong segmentation, identity-based authentication, credential management, and strict policy enforcement must be in place.
  • Identity-based controls should extend to OT environments. Organizations should implement identity-based access directly on operational technology assets, with Multi-Factor Authentication (MFA) enforced at both the network and asset levels, ensuring that authenticated users can only interact with the specific systems they are authorized to access. Additionally, administrators should have the ability to revoke access instantly if a security threat is detected.

The transition away from VPNs may require effort, but the risks far outweigh the inconvenience of replacing them. Organizations that fail to act now will be left vulnerable to the next wave of attacks—while those that embrace a modern, zero trust approach will be far better positioned to defend against the evolving cyber threat landscape.
