OT, ICS environments call for calculated handling of access management and controls


Industrial and manufacturing environments have traditionally taken advantage of the convenience brought about by access management, which acts as a go-between for the user and the OT (operational technology) target within the organization. However, digital transformation has pushed operational environments to adopt varied and complex access management systems and controls that support heterogeneous environments, each with its own security risks and privilege levels.

Access management systems are typically used to authenticate, with a high degree of certainty, the individuals authorized to use the devices and facilities to which companies grant access rights. In addition, they need to enforce access-control policies such as allow, deny, or inquire further, consistently, uniformly, and quickly across all of their resources.

Unfortunately, these systems are fragmented and controlled by numerous departments, leading to various negative outcomes, such as a lack of overall traceability and accountability on who has access to both critical and non-critical assets, increased risk of attack and service disruption, and inability to identify potential sources of a problem or attack.

Cybersecurity expert Christian Hager said that he is finding the level of convenience that has permeated the ICS and OT networks is beyond expectations. Hager is the director of business development at Fend Inc.

“Technicians and engineers are relying predominantly on remote service access via MFA rather than trusting a predictive maintenance program established around actionable raw data from the critical infrastructure,” Hager told Industrial Cyber. “This opens cyber threat vectors that should be closed. The ICS (Levels 0, 1, 2) in the OT networks should be hardened as the many legacy devices still in operation today were not designed with robust cybersecurity in mind.”


Further, in more complex OT networks, the common practice is still to treat the network as one would an IT network, Hager pointed out. “In fact in many instances, IT still manages the OT networks. This is bad cyber hygiene, as the latest DHS-CISA advisories show (see Oct 14th AA21-287A regarding Water & Wastewater facilities).”

“With more advanced entities, the OT & IT networks should be segmented, something that can be accomplished with air gaps, one-way communication diodes, and enhanced firewalls. Firewalls however only protect us from yesterday’s known threat vectors,” Hager added.

Access management isn’t just about policies and controls, but a holistic approach governing personnel, services, privileges, content ingress, devices, network separation, and the protection of physical assets, Oren T. Dvoskin, vice president of marketing for OT and ICS solutions at OPSWAT, told Industrial Cyber.


“When securing critical infrastructure, one of the key points is getting back to the basics and applying the most fundamental best practices. Focusing on cyber hygiene is always a good start. Ensure all systems are up to date and patched against the latest vulnerabilities,” Dvoskin said. “Run an extensive review of internet-facing services and applications to ensure they are protected, with updated access credentials. Far too many attacks involve the usage of ports that shouldn’t be open with services using default passwords,” he added.

Dvoskin further advised a review of “business-critical processes and assets. Contain these in protected, isolated, and even air-gapped network segments. An incident on the business/IT network might be inevitable but shouldn’t propagate to your OT and ICS environments. Protect your critical equipment at the cabinet level to create micro-segmentation of the industrial networks,” he added.

He also recommended running “strict supply-chain protocols, securing the ingress – scan devices, transient assets, files, and emails for malware and exploits before they enter your critical networks. Additionally, secure the access not only of external data but also of personnel. Monitor and regulate the entry of OEM and 3rd party contractors into the environment, an issue before Covid, now even more important. Ensure you have full visibility of all devices and files introduced by suppliers and partners,” he added.

Further, relying on network access controls and firewalls not designed specifically for OT/ICS environments can be a major pitfall, Dvoskin said. “Industrial access mechanisms must have granular control on which services, devices, and which OT/ICS specific protocol and commands can be configured and activated remotely – down to specific HMIs, PLCs, and other engineering assets,” he added.

The integration of Industry 4.0 technologies in ICS environments has created more complex cyber-physical systems with a higher number of threat vectors and potential gaps, Willem Ryan, vice president for marketing and communications at AlertEnterprise, told Industrial Cyber. “As a result, historically siloed IT and OT systems have opened the door – sometimes literally – to increased security vulnerabilities for many organizations.”


Policy-based access as it applies to the physical workplace is another overlooked area in ICS and OT environments, Ryan said. “Because legacy physical access control systems lack the capacity to manage large-scale changes to individual cardholder work schedules, security teams who want to create more tailored physical access policies have had to tackle them by hand, creating multiple reports,” he added.

The system limitations, coupled with overwhelming manual requirements for managing access, lead many security teams to simply assign 24/7 access for each cardholder – meaning shift workers can access highly regulated physical environments at any time, Ryan added.
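As an added illustration, not code from the article or from AlertEnterprise, of the schedule-aware, deny-by-default evaluation that the legacy physical access systems Ryan describes cannot perform (and the 24/7 fallback avoids), assuming a hypothetical plant with constructed roles, zones, cardholders and shift windows:

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Set, Tuple

@dataclass
class Shift:
    days: Set[int]   # ISO weekdays the shift starts on (Monday=1 .. Sunday=7)
    start: time
    end: time        # end earlier than start means the shift crosses midnight

@dataclass
class Cardholder:
    name: str
    role: str
    shifts: List[Shift]

# Zones each role may enter; a role absent here can open nothing (least privilege).
ROLE_ZONES: Dict[str, Set[str]] = {
    "control_room_operator": {"control_room"},
    "field_technician": {"pump_house", "chemical_dosing"},
}

# Constructed sample cardholders: a weekday day shift and a Fri/Sat night shift.
CARDHOLDERS: Dict[str, Cardholder] = {
    "alice": Cardholder("alice", "control_room_operator",
                        [Shift({1, 2, 3, 4, 5}, time(6, 0), time(14, 0))]),
    "bob": Cardholder("bob", "field_technician",
                      [Shift({5, 6}, time(22, 0), time(6, 0))]),
}

def on_shift(holder: Cardholder, when: datetime) -> bool:
    """True if `when` falls inside one of the cardholder's scheduled windows,
    including the post-midnight tail of a shift that started the day before."""
    t, day = when.time(), when.isoweekday()
    yesterday = day - 1 or 7
    for s in holder.shifts:
        if s.start < s.end:
            if day in s.days and s.start <= t < s.end:
                return True
        elif (day in s.days and t >= s.start) or (yesterday in s.days and t < s.end):
            return True
    return False

def decide(holder: Cardholder, zone: str, when: datetime) -> Tuple[str, str]:
    """Deny by default: the zone must be permitted for the role AND the request
    must fall within a scheduled shift. Returns (decision, reason) for the audit log."""
    if zone not in ROLE_ZONES.get(holder.role, set()):
        return "deny", f"role {holder.role} not permitted in {zone}"
    if not on_shift(holder, when):
        return "deny", "outside scheduled shift"
    return "allow", "role and schedule match"

def check(name: str, zone: str, when_iso: str) -> str:
    """Badge-read entry point: returns 'allow' or 'deny' for a cardholder, zone and ISO timestamp."""
    return decide(CARDHOLDERS[name], zone, datetime.fromisoformat(when_iso))[0]
```

Every badge read yields a decision and a reason, which is the traceability the article says fragmented systems lack.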

Recent cybersecurity and ransomware attacks, such as the Oldsmar water treatment plant hack and the Colonial Pipeline attack, have increasingly compelled industrial and manufacturing environments to review their access management and controls.

Hager absolutely agreed and said, “especially where we have seen that MFA & 2FA controls are not as secure as they are believed to be. The Syniverse breach which lasted over 5 years highlights how flawed the secure MFA premise just might be.”

“We have increasingly seen water utilities start to patch some of their access protocols & policies and rely more on predictive maintenance with emergency service calls generated in the cloud where raw ICS alerts have been securely transported through low-cost one-way communication diodes,” Hager pointed out.

The same can be said for larger manufacturers who are not allowing modems in new ICS equipment that normally broadcast data back to OEMs, he added. “These typically offered an app to service the equipment. Instead, they too are focusing on hardening the ICS layers, ensuring operations will continue should the enterprise network be locked down by ransomware,” according to Hager.

The Colonial Pipeline attack served as a catalyst for awareness and change because of its dramatic real-world service interruption, according to Dvoskin. “A tangible and alarming impact on one of the nation’s most critical infrastructures, causing policymakers to spring into action. First, the DHS Transportation Security Agency (TSA) announced new regulations in May 2021, requiring pipeline operators to establish and enforce access control policies for monitoring remote user access, and establish required procedures and controls for approving and controlling all remote and third-party connections,” he added. 

Then TSA followed up with additional regulations in July, and subsequently, U.S. President Joe Biden issued his ‘National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems,’ Dvoskin said. Between these directives, industrial and manufacturing environments are tasked with seriously evaluating the effectiveness of their access management and controls, he added.

Both cybersecurity and ransomware attacks that exploit vulnerable gaps between IT and OT systems are forcing industrial and manufacturing environments to rethink how they handle workforce identity and access management, Ryan said. “A converged approach that brings together the systems that govern HR, physical security and IT clarifies discrepancies between physical and digital workforce identities and creates a consolidated view of workforce identities, threat detection, and access-related data to more easily identify root cause when there’s an issue,” he added.

Given the challenges of the ICS and OT environments, it is essential for access management and control techniques to stay ahead of cyber attackers, who are always ahead of organizations both in terms of their tactics and techniques.

“The major issue we face is the level of complexity in our MIS/IT and OT systems today, with no one person being responsible for maintaining complete oversight,” Hager said. Logically, patches and new solutions tend to be even more complex and not always address dependent entities within an organization, he added.

“I always advocate a simpler approach: if a malicious actor cannot reach your network or ICS, there is little chance they can gain access to your infrastructure,” he said. “This comes back to air gaps and one-way communication diodes. Both protect against malware, unauthorized penetration, and/or manipulation. There are several offerings on the market and a wide range of cost structures, covering everything from small budgets to those of megaproject caliber.”

Access to the infrastructure should be physical; access to the data should be from within the OT network, or from the MIS network after the data has been securely transported out of the OT, Hager said. “If we are serious about the importance of critical infrastructure, we should be just as serious about keeping a human in the loop to physically access the ICS when needed and not entrust it to ML/AI or non-secure remote access,” he added.

When reviewing remote access policies, the convergence of IT, OT, and cyber-physical systems (CPS) must be considered, Dvoskin said. Role-based controls should be implemented that limit access to authorized users, and policies should conform to least privilege access. Furthermore, remote access should be enabled using technologies designed specifically for securing connections into the ICS and OT environments. Additionally, networks must be segmented for unidirectional data communications and replications, he added. 

In production environments, networks must then be micro-segmented using specifically designed industrial firewalls, according to Dvoskin. Finally, physical security controls around the use of portable media and transient devices should be established. Verifying the security of updates or other content on portable media devices before they enter air-gapped networks is essential to staying ahead of malicious actors, he added.

Looking into the future, organizations must continually improve the effectiveness of their controls with vulnerability assessments, breach attack simulations, and lateral movement simulations, Dvoskin said. “Another important step in staying ahead of the tactics and techniques of cyber attackers is analyzing threats through malware analysis technologies, including the analysis of OT/ICS software update packages and patches, to establish safe baselines, to understand how adversaries behave, and subsequently to update security controls in advance of attacks,” he added.

Ryan provided a three-point response on how ICS and OT environments can use access management and control techniques to stay ahead of their adversaries. The three points were – three-dimensional GRC (governance risk compliance), aligning with human resources (HR) forces, and policy-based access implementation.

3D GRC brings together HR GRC, physical GRC, and OT GRC into one converged solution for coordinated policy enforcement across an enterprise, no matter how large or complex, according to Ryan. “We help companies align physical and digital workforce identities and automate access policies with one clear (and secure) view of all relevant data,” he added.

“Our cyber-physical security solutions allow HR, OT and IT teams to work as one to strengthen an organization’s security posture while also improving the employee experience,” according to Ryan. “From a security perspective, HR teams can provide critical insights to inform least privilege access strategies that ultimately strengthen Insider Threat Programs. And with shared data, as well as visibility, access management, and control teams can work in tandem with HR to automate real-time compliance. AlertEnterprise is currently developing a policy-based access control (PBAC) solution for physical security,” he added.
