VPNs and Critical Infrastructure Risks

By Staff

For years, virtual private networks (VPNs) have been the default method for enabling remote access in industrial and operational environments. Their widespread adoption soared during the pandemic, as companies scrambled to maintain connectivity and productivity with a suddenly remote workforce. VPNs provided a quick fix, allowing employees and third parties to connect to corporate and operational networks from home.

Yet, what was implemented as a temporary, emergency solution has become an entrenched practice. Many organizations still rely on VPNs to enable remote access, despite significant security risks. In 2024, multiple high-profile cyberattacks that leveraged VPN vulnerabilities made news, renewing urgency around the need to adopt more secure alternatives.

High-Profile VPN Breaches

By design, VPN solutions put remote users into local networks. Any malicious code that may exist on the remote endpoint can travel in and infect any asset in the local network. In addition, VPNs are deployed in strategic points within network environments that, if compromised, give attackers wide access into critical networks. 

Some of the most severe breaches of 2024 stemmed from VPN vulnerabilities, compromising organizations responsible for critical infrastructure and sensitive operations.

Ivanti VPN suffered a series of critical vulnerabilities early in the year, allowing attackers to gain root-level persistence—meaning attackers could maintain control even after a factory reset. The impact of these vulnerabilities escalated in March when the U.S. Cybersecurity and Infrastructure Security Agency (CISA) was breached using the very flaw it had warned others about. The situation worsened in April when MITRE fell victim to a similar attack. By September, additional Ivanti Cloud vulnerabilities were added to the Known Exploited Vulnerabilities catalog.

In April, the ArcaneDoor cyber espionage campaign targeted Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, exploiting multiple vulnerabilities. The attackers, believed to be linked to Chinese APT groups, were able to bypass authentication, extract device configurations, disable logging, and monitor network traffic, posing a significant risk to many critical infrastructure providers that relied on the faulty Cisco systems.

In May, researchers uncovered TunnelVision, a decades-old flaw in the DHCP protocol. The vulnerability allows attackers to reroute traffic and disable encryption for nearly any VPN. 

In November, a zero-day vulnerability in Fortinet’s Windows VPN client was exploited by the BrazenBamboo threat actor, a group linked to China. Using the DeepData malware framework, attackers extracted usernames, passwords, and other sensitive credentials directly from application memory. This vulnerability had been reported in July but remained unpatched for months.

These cyberattacks made it clear that VPNs are an attractive target for threat actors.

For Critical Infrastructure

VPN vulnerabilities pose a risk in critical infrastructure environments, where downtime, data breaches, and operational disruptions can have catastrophic consequences.

When a VPN is compromised, attackers gain direct access to the internal network, often with minimal restrictions. In critical infrastructure, this means cybercriminals can move laterally across industrial control systems (ICS), SCADA environments, and sensitive operational assets. Many operational technology (OT) environments were designed decades ago, before cybersecurity became a priority. These assets often lack even basic security controls, making them easy targets for attackers who breach the network through a VPN.

Once inside, attackers can implant persistent malware, exfiltrate sensitive data, or even manipulate critical operations. The consequences of such an attack extend far beyond financial losses. A cyberattack on critical infrastructure can result in disruptions or tampering with essential services like electricity, water, and transportation, potentially putting lives at risk.

Compounding the problem, recovering from a cyberattack in critical infrastructure environments is significantly more complex than in IT environments. Critical infrastructure assets can sometimes be spread across vast geographic areas, requiring manual intervention to restore functionality. Some systems lack backup capabilities entirely, meaning that once they are compromised, there may be no way to recover them without extensive downtime. This dramatically increases the operational and financial impact of an attack and raises the likelihood that organizations will feel compelled to pay a ransom just to restore service.

Implementing a More Secure Approach

If VPNs are no longer an option, what should organizations use instead? The answer lies in a zero trust, defense-in-depth approach that prioritizes continuous verification and asset protection:

  • Remote access must be tightly controlled. Each user's access should be constrained to only the systems necessary for that user's role, with granular permissions enforced at every level.
  • Continuous verification is key. Every user and device should be continuously reverified, ensuring that access permissions are still valid and that no suspicious activity is occurring.
  • Remote access should always be paired with asset protection. Even if an attacker breaches a remote access mechanism, they should not be able to compromise industrial assets. Strong segmentation, identity-based authentication, credential management, and strict policy enforcement must be in place.
  • Identity-based controls should extend to OT environments. Organizations should implement identity-based access directly on operational technology assets, with Multi-Factor Authentication (MFA) enforced at both the network and asset levels, ensuring that authenticated users can only interact with the specific systems they are authorized to access. Additionally, administrators should have the ability to revoke access instantly if a security threat is detected.
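To make the four principles above concrete, here is an added example (written for this editorial pass, not code from the article's author or any vendor product) of a minimal per-request access broker for OT assets. Instead of placing a remote device "inside" the network the way a VPN does, every action on a named asset is evaluated on its own: the role policy enforces least privilege, each call re-checks session age, MFA freshness, device binding and device posture (continuous verification), and an administrator can revoke a grant instantly. The role names, asset names, thresholds and the `demo()` scenario are constructed sample values, not taken from any real deployment.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed sample policy (illustrative names): role -> permitted (asset, action) pairs.
# Least privilege: a role can only touch the assets and actions listed here.
POLICY = {
    "plc-technician": {("plc-line-1", "read"), ("plc-line-1", "write")},
    "vendor-support": {("hmi-line-1", "read")},
}


@dataclass
class Session:
    user: str
    role: str
    device_id: str          # the grant is bound to the device it was issued to
    mfa_verified_at: float  # when the user last completed MFA
    issued_at: float
    ttl: int                # seconds the grant lives before it must be re-issued
    revoked: bool = False


class AccessBroker:
    """Evaluates every asset-level request against identity, device and role policy.

    Nothing here opens a network path; each call yields an allow/deny decision
    for one (asset, action) pair, so a compromised endpoint cannot roam the OT
    network the way it could behind a VPN tunnel."""

    def __init__(self, session_ttl=300, mfa_max_age=900, clock=time.time):
        self.session_ttl = session_ttl
        self.mfa_max_age = mfa_max_age
        self.clock = clock          # injectable for deterministic tests
        self._sessions = {}
        self.audit_log = []         # every decision is recorded for detection/review

    def issue(self, user, role, device_id, mfa_verified_at):
        """Mint a short-lived grant after identity and MFA have been established."""
        if role not in POLICY:
            raise PermissionError(f"unknown role {role!r}")
        token = secrets.token_hex(16)
        self._sessions[token] = Session(user, role, device_id, mfa_verified_at,
                                        self.clock(), self.session_ttl)
        return token

    def revoke(self, token):
        """Instant revocation: the next authorize() call with this token is denied."""
        session = self._sessions.get(token)
        if session is not None:
            session.revoked = True

    def authorize(self, token, device_id, device_healthy, asset, action):
        """Continuous verification: re-check every condition on every request."""
        now = self.clock()
        s = self._sessions.get(token)
        if s is None:
            return self._decide(None, asset, action, False, "unknown token")
        if s.revoked:
            return self._decide(s, asset, action, False, "session revoked")
        if now - s.issued_at > s.ttl:
            return self._decide(s, asset, action, False, "session expired")
        if now - s.mfa_verified_at > self.mfa_max_age:
            return self._decide(s, asset, action, False, "mfa stale; re-authenticate")
        if device_id != s.device_id:
            return self._decide(s, asset, action, False, "token presented from another device")
        if not device_healthy:
            return self._decide(s, asset, action, False, "device posture check failed")
        if (asset, action) not in POLICY[s.role]:
            return self._decide(s, asset, action, False, "not permitted for role")
        return self._decide(s, asset, action, True, "ok")

    def _decide(self, s, asset, action, allowed, reason):
        self.audit_log.append({
            "time": self.clock(), "user": s.user if s else None,
            "asset": asset, "action": action, "allowed": allowed, "reason": reason,
        })
        return allowed, reason


def demo():
    """Constructed walk-through of one vendor session; returns each decision."""
    t = [1_000_000.0]                       # fake clock so the scenario is deterministic
    broker = AccessBroker(session_ttl=300, mfa_max_age=900, clock=lambda: t[0])
    tok = broker.issue("vendor-jane", "vendor-support", "laptop-42", mfa_verified_at=t[0])
    results = {
        "read_hmi": broker.authorize(tok, "laptop-42", True, "hmi-line-1", "read"),
        "write_plc": broker.authorize(tok, "laptop-42", True, "plc-line-1", "write"),
        "other_device": broker.authorize(tok, "laptop-99", True, "hmi-line-1", "read"),
        "unhealthy": broker.authorize(tok, "laptop-42", False, "hmi-line-1", "read"),
    }
    t[0] += 200                             # still inside the session TTL
    results["later_read"] = broker.authorize(tok, "laptop-42", True, "hmi-line-1", "read")
    broker.revoke(tok)                      # administrator cuts the grant
    results["after_revoke"] = broker.authorize(tok, "laptop-42", True, "hmi-line-1", "read")
    t[0] += 1000
    tok2 = broker.issue("vendor-jane", "vendor-support", "laptop-42", mfa_verified_at=t[0] - 1000)
    results["stale_mfa"] = broker.authorize(tok2, "laptop-42", True, "hmi-line-1", "read")
    return results


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:>13}: {'ALLOW' if allowed else 'DENY ':5} ({reason})")
```

The design point is that the broker's decision is per asset and per action, never "network access", so the blast radius of a stolen token is one role's permitted actions for at most one TTL, and the `audit_log` gives a SOC the denied-reason stream (wrong device, failed posture, revoked session) that signals a remote endpoint being misused.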

The transition away from VPNs may require effort, but the risks far outweigh the inconvenience of replacing them. Organizations that fail to act now will be left vulnerable to the next wave of attacks—while those that embrace a modern, zero trust approach will be far better positioned to defend against the evolving cyber threat landscape.
