Account Management Concepts for ICS/SCADA Environments


Introduction

Industrial Control Systems (ICS) are part of Supervisory Control and Data Acquisition (SCADA) environments. These systems run the infrastructure of our cities and towns: ICS are used to control water distribution, electricity, some mass transit functions, and other industrial activities. Traditionally ICSs were air gapped or had minimal network connectivity. Times have changed, meaning security needs have changed as well.

US-CERT has determined that there is an increased focus on gaining access to privileged accounts within SCADA environments, so protecting these accounts is of the utmost importance. There are two major security categories used to provide account management in SCADA environments:

  1. Manage Authentication
  2. Monitor and Respond

They are described in detail below.

Manage Authentication

Managing user authentication includes everything related to minimizing the potential for bad actors to gain access to a system and ensuring users handle their credentials properly. One way potential attackers gain access to a system is by using phishing techniques to get a privileged user to open a malicious email that delivers the payload. Another is using the same technique on a less privileged user and exploiting password weaknesses to elevate their privileges and wreak havoc on the system. This is why strong password policies and separation-of-duty practices are vital in protecting an ICS environment.

The protection of data, particularly sensitive data, is the heart of security objectives.

Controlled Use of Administrative Privileges and Controlled Access Based on the Need to Know are two CIS controls that are useful in implementing authentication management principles. Some steps to take to manage authentication include:

  • Implement multi-factor authentication, combining something you know, something you have, and something you are. For example, require a user to enter a username and password (something you know) and a token that generates a one-time number (something you have)
  • Enforce the use of a 14+ character password that includes capital letters, special characters and numbers
  • Remove any and all default admin accounts
  • Admin users should only use admin accounts when necessary and use standard user accounts when performing non-administrative functions
  • Enforce use of separate credentials between the corporate network and the ICS network
  • Send automated alerts when accounts are created, altered or deleted
  • Compartmentalize particularly sensitive or proprietary data into controlled segments. This includes creating both physical and logical separation of assets.
  • Create Access Control Lists (ACLs) to ensure only authorized personnel have access to sensitive or proprietary data
  • Implement the use of roles, hierarchies, and constraints to organize user access levels (Role-Based Access Control [RBAC]).
  • Store passwords only as salted one-way hashes

Another item to consider is remote accounts. ICSs traditionally did not allow remote access, but, again, times are changing. Implementing strong remote access policies is imperative to a good system security posture. All of the above items apply to remote account management as well. In particular, ensure these privileged users follow strong password policies and do not reuse the password for their privileged accounts on their standard user or corporate accounts. You may also want to enforce the use of a VPN or another type of encrypted tunnel. One last thing to consider is ensuring the network does not have unnecessary ports open that could provide an unintended access point for unauthorized users.

Monitor and Respond

Auditing all user account activities is an important step in ensuring proper account management activities are taking place. Audit logs identify and document what is happening on a system. They store information on new accounts that are created or altered, who is logging in, when they are logging in, and other access related items of interest. Monitoring audit logs is an important step in ensuring proper access habits are enforced. Two CIS controls related to monitoring and responding are:

  1. Maintenance, Monitoring and Analysis of Audit Logs
  2. Account Monitoring and Control

Some ways to implement monitoring and control techniques include:

  • Only use shared accounts and passwords when necessary
  • Create and document a process for changing shared account passwords and for deleting accounts immediately upon termination of any workforce member
  • Remove applications that rely on clear-text or basic authentication; where that is not possible, use unique credential sets and monitor their usage
  • Enforce complex passwords
  • Automatically lock accounts after periods of inactivity
  • Implement the use of a Security Information and Event Manager (SIEM) or other centralized monitoring system
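As an added example (not code from the original post), the following script shows the kind of monitoring logic described in this section and in the "Manage Authentication" step about automated alerts: it reads audit log lines, raises an alert for every account creation, alteration or deletion, and lists accounts that have not logged in within an inactivity window, which is the input a lock-after-inactivity control needs. The log lines and their format are constructed for this example and do not correspond to any particular product; the field names (`user=`, `by=`) and the 30-day window are assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample audit lines (not taken from any real system). Assumed format:
#   <ISO timestamp> <event> user=<name> [by=<actor>]
SAMPLE_LOG = """\
2024-03-01T08:00:00 login_ok user=operator1
2024-03-01T08:05:00 account_created user=contractor7 by=admin_jsmith
2024-03-02T09:10:00 login_ok user=hmi_engineer
2024-03-03T10:00:00 account_altered user=operator1 by=admin_jsmith
2024-03-20T11:00:00 login_ok user=admin_jsmith
2024-03-25T12:00:00 account_deleted user=contractor7 by=admin_jsmith
2024-04-01T07:30:00 login_ok user=operator1
"""

# Events that should always produce an alert (account created, altered or deleted).
LIFECYCLE_EVENTS = {"account_created", "account_altered", "account_deleted"}


def parse_line(line: str) -> dict:
    """Split one audit line into a record: timestamp, event name and key=value fields."""
    ts, event, *fields = line.split()
    record = {"ts": datetime.fromisoformat(ts), "event": event}
    for field in fields:
        key, value = field.split("=", 1)
        record[key] = value
    return record


def lifecycle_alerts(log_text: str) -> List[str]:
    """Return one alert string per account lifecycle event, in log order."""
    alerts = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record["event"] in LIFECYCLE_EVENTS:
            alerts.append(
                f"ALERT {record['ts'].isoformat()} {record['event']} "
                f"user={record['user']} by={record.get('by', 'unknown')}"
            )
    return alerts


def last_logins(log_text: str) -> Dict[str, datetime]:
    """Map each user to the timestamp of their most recent successful login."""
    seen: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        record = parse_line(line)
        if record["event"] == "login_ok":
            user = record["user"]
            if user not in seen or record["ts"] > seen[user]:
                seen[user] = record["ts"]
    return seen


def inactive_accounts(log_text: str, now: datetime, max_idle_days: int = 30) -> List[str]:
    """Return users whose last login is older than the window; candidates for automatic lock."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(user for user, ts in last_logins(log_text).items() if ts < cutoff)


if __name__ == "__main__":
    for alert in lifecycle_alerts(SAMPLE_LOG):
        print(alert)
    # "now" is fixed so the sample gives a repeatable result.
    print("lock candidates:", inactive_accounts(SAMPLE_LOG, datetime(2024, 4, 2)))
```

In a real deployment these functions would run inside the SIEM or the centralized monitoring system named in the last bullet, fed by the audit logs of every ICS host, and the lifecycle alerts would be routed to the people responsible for reviewing account changes.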

Conclusion

ICS systems may still differ from traditional IT systems, but as they mature, they share many of the same vulnerabilities. Implementing strong security controls around access management is imperative to keeping your system free from unwanted users.

References

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

www.cisecurity.org

https://www.cisecurity.org/white-papers/cis-controls-implementation-guide-for-industrial-control-systems/

https://www.cisecurity.org/controls/controlled-use-of-administrative-privileges/

https://www.cisecurity.org/controls/maintenance-monitoring-and-analysis-of-audit-logs/

https://www.cisecurity.org/controls/controlled-access-based-on-the-need-to-know/

https://www.cisecurity.org/controls/wireless-access-control/

https://www.cisecurity.org/controls/account-monitoring-and-control/

https://www.us-cert.gov/sites/default/files/recommended_practices/RP_Managing_Remote_Access_S508NC.pdf

https://www.beyondtrust.com/blog/entry/securing-ics-scada-systems-privilege-vulnerability-management