Xage’s multi-layer access management solution bolsters cybersecurity of OT, ICS environments

Zero trust security firm Xage announced its multi-layer access management solution, which applies a defense-in-depth approach to every asset across operational technology (OT) and industrial control system (ICS) environments. According to the company, the solution lets organizations block attacks on their critical infrastructure by orchestrating access protection across multiple identity providers, Active Directory instances, network security levels, and locations.

Announced Thursday, the Xage multi-layer access management solution pairs with the company's multi-layer multi-factor authentication (MFA) offering to protect critical infrastructure. The stated goal is to stop attackers from compromising critical assets even when they hold stolen privileged credentials: a credential valid at one layer or site is not sufficient to reach assets at another.

Xage outlines that “this type of strategy leverages the latest in identity and access management (IAM) advancements for zero trust with granular access control over complex and interconnected OT-IT-cloud architecture.”

The Palo Alto, California-based company also announced its membership in the Joint Cyber Defense Collaborative (JCDC) for ICS. Launched last year, the JCDC-ICS works closely with ICS and cybersecurity experts—security vendors, integrators, and distributors—to increase the federal government’s focus on the cybersecurity and resilience of ICS/OT amid rising cyber threats. Some of the companies that are part of the JCDC initiative are Bechtel, Claroty, Dragos, GE, Honeywell, Nozomi Networks, Schneider Electric, Schweitzer Engineering Laboratories, Siemens, and Xylem.

Xage will provide JCDC-ICS with enhanced threat defense approaches by offering ongoing insights and expertise into IAM and cyber-physical asset protection based on zero trust principles. As new threat intelligence becomes available, this partnership will give JCDC-ICS visibility into emerging threats and help defend against potential attacks.

Addressing the challenges that drove Xage to deliver a multi-layer identity and access management solution, Roman Arutyunov, Xage’s co-founder and vice president of product told Industrial Cyber that multi-layer IAM is needed for a couple of reasons. 

“Operators design systems for high availability and resiliency – no single point of failure. Organizations have multiple layers to their architectures for defense-in-depth as well as separate IAM services (Active Directory) at each layer and often sites as well,” Arutyunov said. “Separate identities (e.g., login credentials) are used at each layer/site with different admins to ensure that the compromise of credentials at IT doesn’t result in the compromise of OT. Furthermore, compromise of one site does not lead to compromise of all sites. This creates complexity in administration as well as in user experience,” he added.

Critical infrastructure operators, for example, can use Xage multi-layer access management to maintain separate identities (such as login credentials) at each layer and site, administered by different admins, so that the compromise of corporate IT credentials does not result in the compromise of OT. The same separation ensures that compromise of one site does not lead to the compromise of all sites, or even of other assets at the same site.

The Xage multi-layer access management solution enables the operations teams to reduce complexity in the access management flow for their personnel and improve user experience, as well as block attacks. By controlling, at a granular level, the access that each individual has, organizations are able to block credential-based attacks at earlier stages to limit damage, while allowing mission-critical services to run. 

The multi-layer access management offering allows administrators to configure site- or zone-level ADs and MFA to achieve distributed authentication and authorization across highly distributed critical infrastructure. It challenges remote and local users with multiple layers of AD authentication along with nested MFA to reduce the attack surface. It can also be used to prevent remote and/or low-privileged users from even seeing assets until they have passed authentication at the site level to which those assets belong.

The solution can orchestrate multiple identity providers (IdPs) and AD domains mapped to different security zones or network layers, with each IdP configured for a different authentication protocol or service, such as LDAP, SAML, or ADFS. It also restricts asset visibility for all users until after they authenticate: local and remote users see the assets and systems of a site or zone only after they successfully authenticate against that site-level AD and pass the site-level MFA challenge.

The Xage multi-layer access management solution enables local users to authenticate with the local site-level AD even if that site loses network connectivity. It also allows local and remote users to use passwordless, hardware-based, and biometric MFA through multiple hops that may be mapped to different identity providers.
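The layering described in the three preceding paragraphs is easier to reason about as code. The following is an added illustrative model written for this page, not Xage's software or a description of its internals: each layer (corporate IT, DMZ, an OT site) has its own identity store with separate passwords and a separate challenge-response token per user, a remote session must pass every outer layer before it can attempt the next one, asset visibility is limited to layers already passed, and a local operator can authenticate against the site store even when the site's uplink is down. All names, assets, credentials and the hardware-token stand-in are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class IdentityProvider:
    """One identity store (a site- or zone-level AD in the article's terms).

    Each store holds its own password hashes and its own MFA token secrets, so a
    credential or token captured at one layer is meaningless at another.
    """
    name: str
    _pw: dict = field(default_factory=dict)   # user -> (salt, pbkdf2 hash)
    _mfa: dict = field(default_factory=dict)  # user -> token secret (hardware-token model)

    def enroll(self, user: str, password: str, token_secret: bytes) -> None:
        salt = os.urandom(16)
        self._pw[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
        self._mfa[user] = token_secret

    def check_password(self, user: str, password: str) -> bool:
        if user not in self._pw:
            return False
        salt, digest = self._pw[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(digest, candidate)

    def check_mfa(self, user: str, challenge: bytes, response: bytes) -> bool:
        secret = self._mfa.get(user)
        if secret is None:
            return False
        return hmac.compare_digest(hmac.new(secret, challenge, "sha256").digest(), response)


def token_respond(token_secret: bytes, challenge: bytes) -> bytes:
    """Constructed stand-in for what a user's per-layer hardware token computes."""
    return hmac.new(token_secret, challenge, "sha256").digest()


@dataclass
class Layer:
    name: str
    idp: IdentityProvider
    assets: list
    uplink_ok: bool = True  # connectivity from the outer layer into this one


@dataclass
class Session:
    user: str
    origin: str  # "remote" (enters at the outermost layer) or "local:<layer>"
    passed: list = field(default_factory=list)


class AccessBroker:
    """Layers are ordered outermost first, e.g. IT -> DMZ -> OT site."""

    def __init__(self, layers: list):
        self.layers = layers
        self.index = {layer.name: i for i, layer in enumerate(layers)}

    def _entry(self, session: Session) -> int:
        return 0 if session.origin == "remote" else self.index[session.origin.split(":", 1)[1]]

    def authenticate(self, session: Session, layer_name: str, password: str, token_secret: bytes) -> bool:
        i, entry = self.index[layer_name], self._entry(session)
        if i < entry:  # a local session cannot reach outward past its entry point
            return False
        # Nested authentication: every layer between the entry point and this one must be passed.
        if any(required.name not in session.passed for required in self.layers[entry:i]):
            return False
        # Coming in from outside needs the uplink; a local session at this layer does not.
        if i > entry and not self.layers[i].uplink_ok:
            return False
        idp = self.layers[i].idp
        if not idp.check_password(session.user, password):
            return False
        challenge = os.urandom(32)  # fresh per attempt, so a captured response cannot be replayed
        if not idp.check_mfa(session.user, challenge, token_respond(token_secret, challenge)):
            return False
        session.passed.append(layer_name)
        return True

    def visible_assets(self, session: Session) -> list:
        """Only assets of layers the session has authenticated to are exposed."""
        return [a for layer in self.layers if layer.name in session.passed for a in layer.assets]


def build_demo() -> AccessBroker:
    corp, dmz, site = IdentityProvider("corp-ad"), IdentityProvider("dmz-ad"), IdentityProvider("plant7-ad")
    # Constructed enrolments: the same engineer holds distinct credentials and tokens per layer.
    corp.enroll("alice", "it-pass", b"it-token")
    dmz.enroll("alice", "dmz-pass", b"dmz-token")
    site.enroll("alice", "plant7-pass", b"plant7-token")
    site.enroll("bob", "bob-plant7", b"bob-token")  # local operator with no corporate identity
    return AccessBroker([Layer("IT", corp, ["jump-host"]),
                         Layer("DMZ", dmz, ["historian-replica"]),
                         Layer("plant7", site, ["PLC-1", "HMI-3"])])


def run_scenarios() -> dict:
    r, broker = {}, build_demo()
    # 1. Attacker holding alice's stolen IT password and IT token.
    s = Session("alice", "remote")
    r["it_ok"] = broker.authenticate(s, "IT", "it-pass", b"it-token")
    r["reuse_it_creds_at_dmz"] = broker.authenticate(s, "DMZ", "it-pass", b"it-token")
    r["skip_to_ot"] = broker.authenticate(s, "plant7", "it-pass", b"it-token")
    r["attacker_sees"] = broker.visible_assets(s)
    # 2. Legitimate remote engineer traversing every layer with per-layer credentials.
    s2 = Session("alice", "remote")
    r["remote_full"] = [broker.authenticate(s2, "IT", "it-pass", b"it-token"),
                        broker.authenticate(s2, "DMZ", "dmz-pass", b"dmz-token"),
                        broker.authenticate(s2, "plant7", "plant7-pass", b"plant7-token")]
    r["remote_sees"] = broker.visible_assets(s2)
    # 3. Site loses its uplink: remote access to the site stops, local operator keeps working.
    cut, = [build_demo()]
    cut.layers[2].uplink_ok = False
    s3 = Session("alice", "remote")
    cut.authenticate(s3, "IT", "it-pass", b"it-token")
    cut.authenticate(s3, "DMZ", "dmz-pass", b"dmz-token")
    r["remote_site_during_outage"] = cut.authenticate(s3, "plant7", "plant7-pass", b"plant7-token")
    s4 = Session("bob", "local:plant7")
    r["local_during_outage"] = cut.authenticate(s4, "plant7", "bob-plant7", b"bob-token")
    r["local_sees"] = cut.visible_assets(s4)
    return r
```

The scenarios make the article's claims concrete: stolen IT credentials authenticate at IT only, fail verbatim against the DMZ store, and cannot be used to jump straight to the site because the DMZ layer was never passed, so the attacker's asset view stops at the jump host; a local operator still authenticates to the site store with the uplink cut, while a remote session is refused at that hop.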

“Large operational enterprises design systems for high availability and resiliency, yet they face the challenge of cyber hardening complex IT, demilitarized zone (DMZ) and OT environment layers that are increasingly coming under adversarial attack,” Duncan Greatwood, CEO of Xage Security, said in a media statement. “Add to that the federal regulations and guidance from TSA, CISA, and NIST, and the urgency is clear for our Multi-Layer Identity and Access Management to deliver unified cybersecurity mesh protection for disjointed OT/IT/cloud environments.”

Jonathon Gordon, directing analyst at TakePoint Research, said that in operational environments where OT systems are increasingly interconnected with IT systems and the cloud, it is imperative to strengthen defense-in-depth security measures to protect critical infrastructure. “Simply put, Xage enables the deployment of a new line of defense to secure OT-IT convergence.”

Gordon added that “with its Multi-layer Access Management solution, Xage markedly reduces risks due to a key attack vector, that of stolen credentials, designed to improve user experience without compromising cybersecurity, and supports OT-IT-cloud interconnectivity securely for digital transformation initiatives.”

Asked how the Xage multi-layer identity and access management solution deals with insider threats in OT and ICS environments, Arutyunov said that with digital transformation efforts accelerating integration between IT and OT systems, there is a pressing need in OT for defense-in-depth operations that provide layered security controls to protect critical infrastructure.

Arutyunov added that the Xage multi-layer identity and access management solution “enables organizations to eliminate attacks on their critical infrastructure by delivering defense-in-depth security for their environments while orchestrating protection across multiple identity providers, Microsoft AD instances, network security levels, and locations. By controlling, at a granular level, the access that each individual has, organizations are able to block credential-based attacks at earlier stages to limit damage and keep mission-critical services running.”

Following the release of the recent global coalition document ‘Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default,’ Arutyunov said that security-by-design applies to systems and systems-of-systems as well. “Operational enterprises and defense industries build and operate systems-of-systems that span across multiple sites and layers. Xage’s multi-layer IAM solutions enable security-by-design across the entire systems and system-of-systems by providing a converged approach to manage access policies and enforce access in what is otherwise a highly heterogeneous and multi-vendor environment,” he added.

On joining the JCDC, Arutyunov said that “we understood early on that we must protect today’s critical infrastructure while also building for the future. As a result, Xage has developed capabilities that major organizations use to protect their assets universally without asset or network changes.” 

Working with JCDC, Xage will leverage its expertise in building and deploying zero-trust protection platforms for cyber-physical systems to educate and inform organizations on how to better protect and defend against cyber attacks, he added.
