Access Control Implementation in ICS


Introduction

Industrial Control Systems (ICS) differ from traditional Information Technology (IT) systems: long-lived embedded devices, availability-first operating constraints, and protocols with little or no built-in authentication. This can make certain security controls difficult to implement. Access Controls (AC) govern how users or processes are allowed to access a system. The National Institute of Standards and Technology (NIST) defines access control as:

“The process of granting or denying specific requests for obtaining and using information and related information processing services for physical access to areas within the information system environment.”

NIST Special Publication (SP) 800-82 revision 2, Guide to Industrial Control Systems (ICS) Security, provides ICS-specific guidance (including an ICS overlay of the SP 800-53 controls) for securing systems owned and operated by the federal government. Those working on ICSs in a federal environment are bound to NIST standards.

The Center for Internet Security (CIS) has published an Implementation Guide for Industrial Control Systems (ICS) based on the CIS Controls, currently version 7. This guide is useful for those working in commercial ICS environments.

Below we will discuss access controls and best ways to implement them in ICS environments.

CIS Access Control Implementation

The CIS Controls are typically used in non-federal environments. The picture below illustrates the CIS control list:

Five of the controls apply directly to access control implementation. They are described below:

  1. CIS Control 4 – Controlled Use of Administrative Privileges

One way attackers gain access to a system is by phishing a privileged user into opening a malicious email that delivers the payload. Another is to phish a less privileged user and then exploit weak passwords to escalate privileges and wreak havoc on the system. This is why strong password policies and separation-of-duty practices are vital in protecting an ICS environment. Ways to implement this control include:

  • Implement multi-factor authentication
  • Enforce use of a 14+ character password or password with capitals, special characters and numbers
  • Remove all default admin accounts
  • Force admin users to only use admin accounts when necessary and use standard user accounts when performing non administrative functions (if applicable)
  • Automate alerts for when new accounts are created

  2. CIS Control 6 – Maintenance, Monitoring and Analysis of Audit Logs

Audit logs record what is taking place on a system: whether new accounts are created or altered, who is logging in, when they are logging in, and other access-related items of interest. Monitoring audit logs is an important step in ensuring proper access habits are enforced. Embedded systems do not always audit security events at the same default level as traditional IT systems, and it may not be easy to have their logs sent to a centralized monitoring system. A SIEM designed for ICSs can help. Even then, you may not be able to monitor audit logs at the same level as in a traditional IT environment; configure the SIEM to collect and analyze the logs as thoroughly as the devices allow.
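As an added example (not code from the original article), here is the kind of rule set a SIEM or a small collector script would run over access-related events from the Windows engineering workstations and HMIs in a plant: alerting on account creation, on additions to privileged groups, on remote interactive logons outside the maintenance window, and on bursts of failed logons. The event IDs are the real Windows Security Event IDs; the JSON-per-line export format, the field names, the hosts, every event in the sample, the maintenance window and the failure threshold are constructed for illustration. The script assumes events arrive in chronological order.

```python
"""Detection rules over access-related Windows Security events from ICS hosts.

Added example; not code from the original article. The event IDs are real
Windows Security Event IDs (4720 user account created, 4732 member added to a
security-enabled local group, 4624 successful logon, 4625 failed logon). The
JSON-per-line format, field names, host names and every event below are
constructed for illustration, as are the plant maintenance window and the
failed-logon threshold.
"""
import json
from collections import defaultdict
from datetime import datetime, time

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Remote Desktop Users"}
MAINTENANCE_WINDOW = (time(6, 0), time(18, 0))  # assumed plant policy, local time
FAILED_LOGON_THRESHOLD = 5                      # failures within FAILED_LOGON_SECONDS
FAILED_LOGON_SECONDS = 600
RDP_LOGON_TYPE = 10                             # Windows logon type 10 = RemoteInteractive

# Constructed sample log: one JSON object per line, in chronological order.
SAMPLE_LOG = """\
{"ts": "2023-03-14T09:12:01", "host": "EWS01", "event_id": 4624, "user": "jsmith", "logon_type": 2, "src_ip": "10.200.0.20"}
{"ts": "2023-03-14T22:47:10", "host": "EWS01", "event_id": 4624, "user": "svc_hist", "logon_type": 10, "src_ip": "10.1.5.9"}
{"ts": "2023-03-14T22:48:33", "host": "EWS01", "event_id": 4720, "user": "svc_hist", "target_user": "backup2"}
{"ts": "2023-03-14T22:49:05", "host": "EWS01", "event_id": 4732, "user": "svc_hist", "target_user": "backup2", "group": "Administrators"}
{"ts": "2023-03-14T23:01:00", "host": "HMI02", "event_id": 4625, "user": "operator", "src_ip": "10.200.0.55"}
{"ts": "2023-03-14T23:01:04", "host": "HMI02", "event_id": 4625, "user": "operator", "src_ip": "10.200.0.55"}
{"ts": "2023-03-14T23:01:09", "host": "HMI02", "event_id": 4625, "user": "operator", "src_ip": "10.200.0.55"}
{"ts": "2023-03-14T23:01:15", "host": "HMI02", "event_id": 4625, "user": "operator", "src_ip": "10.200.0.55"}
{"ts": "2023-03-14T23:01:22", "host": "HMI02", "event_id": 4625, "user": "operator", "src_ip": "10.200.0.55"}
"""


def parse_events(raw):
    """Parse JSON-per-line events; timestamps become datetime objects."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def outside_window(ts):
    """True when a timestamp falls outside the maintenance window."""
    start, end = MAINTENANCE_WINDOW
    return not (start <= ts.time() < end)


def detect(events):
    """Return alert tuples (kind, host, ...) in the order they fire."""
    alerts = []
    failed = defaultdict(list)   # (host, user) -> timestamps of 4625 events
    for ev in events:
        eid = ev["event_id"]
        if eid == 4720:
            alerts.append(("ACCOUNT_CREATED", ev["host"], ev["target_user"], ev["user"]))
        elif eid == 4732 and ev.get("group") in PRIVILEGED_GROUPS:
            alerts.append(("PRIV_GROUP_ADD", ev["host"], ev["target_user"], ev["group"]))
        elif eid == 4624 and ev.get("logon_type") == RDP_LOGON_TYPE and outside_window(ev["ts"]):
            alerts.append(("RDP_OUTSIDE_WINDOW", ev["host"], ev["user"], ev["src_ip"]))
        elif eid == 4625:
            key = (ev["host"], ev["user"])
            failed[key].append(ev["ts"])
            recent = [t for t in failed[key]
                      if (ev["ts"] - t).total_seconds() <= FAILED_LOGON_SECONDS]
            # Fire exactly once, when the threshold is first reached.
            if len(recent) == FAILED_LOGON_THRESHOLD:
                alerts.append(("BRUTE_FORCE", ev["host"], ev["user"], ev["src_ip"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample, the off-hours RDP logon, the account creation, the Administrators group addition and the failed-logon burst each produce one alert, while the daytime console logon produces none. Note that many PLCs and RTUs will not emit events like these at all; the rules above apply to the Windows-based engineering and HMI hosts that can be forwarded to a SIEM.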

  3. CIS Control 14 – Controlled Access Based on the Need to Know

The protection of data, particularly sensitive data, is the heart of the security objectives. Ways to implement need-to-know access include:

  • Compartmentalize data into controlled segments, creating both physical and logical separation of assets
  • Create ACLs to ensure only authorized personnel access the data they are supposed to

  4. CIS Control 15 – Wireless Access Control

Ensure wireless traffic uses controlled, preferably private, networks. Wireless traffic should be encrypted in transit with, at a minimum, AES (as used by WPA2/WPA3); ECC-based algorithms belong to the authentication and key-exchange layer rather than to bulk traffic encryption.
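The compartmentalization and ACL points above come down to a zone-to-zone policy enforced at the boundaries between segments. As an added example (not code from the original article), the following evaluator models a plant split into a corporate IT zone, an OT DMZ with a historian, a control zone of engineering workstations and a field zone of PLCs, with a default-deny, first-match rule set. The zones, address ranges, ports and rules are constructed for illustration; the check it makes is the one you would want to run against a proposed firewall or router ACL before deploying it.

```python
"""Zone-to-zone access control list for a segmented ICS network.

Added example; not code from the original article. The zones, address
ranges, ports and rules are constructed: a corporate IT zone, an OT DMZ that
hosts a historian, a control zone of engineering workstations, and a field
zone of PLCs reached over Modbus/TCP (port 502). The evaluator is
default-deny and first-match: a cross-zone flow is allowed only when an
explicit rule permits it.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ZONES = {
    "corporate": ipaddress.ip_network("10.1.0.0/16"),
    "ot_dmz":    ipaddress.ip_network("10.100.0.0/24"),
    "control":   ipaddress.ip_network("10.200.0.0/24"),
    "field":     ipaddress.ip_network("10.210.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"


RULES = [
    # Engineering workstations may talk to PLCs, but only Modbus/TCP.
    Rule("control", "field", "tcp", 502, "allow"),
    # The historian polls PLCs; PLCs never initiate connections upward.
    Rule("ot_dmz", "field", "tcp", 502, "allow"),
    # Control zone pushes process data to the historian over HTTPS.
    Rule("control", "ot_dmz", "tcp", 443, "allow"),
    # Corporate users read historian reports from the DMZ over HTTPS only;
    # nothing from corporate reaches the control or field zones directly.
    Rule("corporate", "ot_dmz", "tcp", 443, "allow"),
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone name, or None if it belongs to no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int):
    """Return (action, reason) for one flow; the first matching rule wins."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return "deny", "unknown zone"
    if src_zone == dst_zone:
        # Intra-zone traffic never crosses the zone boundary; host firewalls
        # and switch ACLs have to cover it separately.
        return "allow", "intra-zone"
    for rule in RULES:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.proto == proto and rule.dport in (None, dport)):
            return rule.action, f"rule {rule.src_zone}->{rule.dst_zone}/{rule.proto}/{rule.dport}"
    return "deny", "default deny"


if __name__ == "__main__":
    for flow in [("10.200.0.10", "10.210.0.5", "tcp", 502),
                 ("10.1.4.7", "10.210.0.5", "tcp", 502),
                 ("10.210.0.5", "10.200.0.10", "tcp", 502),
                 ("10.1.4.7", "10.100.0.2", "tcp", 443)]:
        print(flow, evaluate(*flow))
```

The two flows worth studying are the denied ones: a corporate host trying Modbus straight to a PLC, which is exactly the path a compromised office workstation would take, and a PLC initiating a connection back into the control zone, which no legitimate process needs.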

  5. CIS Control 16 – Account Monitoring and Control

Ways to implement this control include:

  • Use shared accounts and passwords only when necessary
  • Create a process for changing shared account passwords and deleting accounts immediately upon termination of any workforce member 
  • Remove applications that use clear-text or basic authentication; where that is not possible, use unique credential sets and monitor their usage
  • Enforce complex passwords
  • Automatically lock accounts after periods of inactivity

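The account-control items above (and the default-admin-account point under Control 4) are easiest to keep honest with a periodic audit of the account inventory against the HR roster. As an added example (not code from the original article), this script flags default administrator accounts, accounts with no accountable owner, accounts whose owner has left, accounts idle past the inactivity limit, and shared accounts whose password has not been rotated since the most recent termination. The account records, roster, termination dates, thresholds and default-name list are all constructed; the field names are an assumption about what an export from a domain controller or an HMI's local user database would contain.

```python
"""Account-inventory audit: default, shared, orphaned and inactive accounts.

Added example; not code from the original article. The account records, the
HR roster and the termination dates are constructed, and the field names are
an assumption about what an export from a domain controller or an HMI's local
user database might contain. Thresholds and the default-account name list are
assumed plant policy.
"""
from datetime import date

AS_OF = date(2023, 3, 14)                                  # audit date (constructed)
INACTIVITY_DAYS = 90                                       # assumed policy
DEFAULT_ADMIN_NAMES = {"administrator", "admin", "root", "guest"}  # assumed list

# Constructed inventory, not real accounts.
ACCOUNTS = [
    {"name": "Administrator", "shared": False, "owner": None,
     "last_logon": date(2023, 1, 3), "last_password_change": date(2019, 6, 1)},
    {"name": "hmi_ops", "shared": True, "owner": "rlee",
     "last_logon": date(2023, 3, 10), "last_password_change": date(2022, 11, 30)},
    {"name": "tgarcia", "shared": False, "owner": "tgarcia",
     "last_logon": date(2023, 3, 12), "last_password_change": date(2023, 2, 1)},
    {"name": "bwong", "shared": False, "owner": "bwong",
     "last_logon": date(2022, 9, 2), "last_password_change": date(2022, 8, 15)},
    {"name": "vendor_tmp", "shared": True, "owner": None,
     "last_logon": date(2023, 3, 1), "last_password_change": date(2021, 1, 1)},
]
ACTIVE_STAFF = {"rlee", "tgarcia"}            # constructed HR roster
TERMINATIONS = {"bwong": date(2023, 3, 1)}    # constructed: bwong left on this date


def audit(accounts, active_staff, terminations, as_of):
    """Return (finding, account_name) pairs in inventory order."""
    findings = []
    last_termination = max(terminations.values(), default=None)
    for acct in accounts:
        name = acct["name"]
        if name.lower() in DEFAULT_ADMIN_NAMES:
            findings.append(("DEFAULT_ADMIN", name))        # rename or disable (control 4)
        if acct["owner"] is None:
            findings.append(("NO_OWNER", name))             # nobody is accountable for it
        elif acct["owner"] not in active_staff:
            findings.append(("ORPHANED", name))             # owner has left: delete now
        if (as_of - acct["last_logon"]).days > INACTIVITY_DAYS:
            findings.append(("INACTIVE", name))             # lock after inactivity
        if (acct["shared"] and last_termination is not None
                and acct["last_password_change"] < last_termination):
            findings.append(("SHARED_PASSWORD_STALE", name))  # a leaver still knows it
    return findings


def run_audit():
    """Run the audit over the constructed inventory."""
    return audit(ACCOUNTS, ACTIVE_STAFF, TERMINATIONS, AS_OF)


if __name__ == "__main__":
    for finding, name in run_audit():
        print(f"{finding:<22} {name}")
```

The shared-password rule is the one most often missed in practice: a shared HMI account whose password predates the last departure is, in effect, still held by someone who no longer works there.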
NIST Considerations

As stated earlier, NIST SP 800-82 revision 2 provides ICS-specific guidance for implementing security controls in systems owned and operated by the federal government.

If you are working in a federal environment, supplemental guidance for the AC controls can be found in the following documents:

NIST SP 800-63 provides guidance on digital identity and remote electronic authentication

NIST SP 800-48 provides guidance on wireless network security, with particular emphasis on the IEEE 802.11b and Bluetooth standards

NIST SP 800-97 provides guidance on IEEE 802.11i wireless network security

FIPS 201 provides requirements for the personal identity verification of federal employees and contractors

NIST SP 800-96 provides guidance on PIV card to reader interoperability

NIST SP 800-73 provides guidance on interfaces for personal identity verification

NIST SP 800-76 provides guidance on biometrics for personal identity verification

NIST SP 800-78 provides guidance on cryptographic algorithms and key sizes for personal identity verification

NIST SP 800-82 describes five areas in which ICS should ensure access controls are implemented:

Wireless – in federal environments the use of wireless technology is strongly discouraged and should only be used where the risk is low. Specific guidance is in SP 800-48 and SP 800-97; strong authentication and encryption are the main recommendations.

Dial-up Modems – some legacy ICSs still use this technology. Change or remove default passwords, identify and physically protect the modem hardware, and monitor the audit logs.

Virtual Local Area Network (VLAN) – used to divide a network into smaller, logically separated networks. Useful for compartmentalizing data and keeping a single compromise from giving the attacker access to the whole system.

Web Servers – Minimize the use of mobile code and ensure only appropriate personnel have direct access.

Role-Based Access Control (RBAC) – implement the use of roles, hierarchies, and constraints to organize user access levels.
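The roles, hierarchies and constraints in that last item are the three building blocks of the NIST/ANSI RBAC model, and they interact: a separation-of-duty constraint that ignores the hierarchy can be bypassed by assigning a senior role that inherits a forbidden junior one. As an added example (not code from the original article or from NIST), the following implements core RBAC with a role hierarchy and static separation-of-duty constraints, counting inherited roles when checking a constraint. The roles, permissions, users and constraints are constructed for a plant; the constraint form (role set, n) means no user may be authorized for n or more roles in the set.

```python
"""Role-based access control with a role hierarchy and static separation-of-
duty (SSD) constraints, after the NIST/ANSI RBAC model's core, hierarchical
and SSD components.

Added example; not code from the original article or from NIST. Roles,
permissions, users and constraints are constructed for a plant: a senior role
inherits its junior roles' permissions, and an SSD constraint (role set, n)
forbids any user from being authorized for n or more roles in the set, with
inherited roles counted, so a senior role cannot be used to bypass it.
"""

# permission = (operation, object)
ROLE_PERMS = {
    "viewer":     {("read", "hmi_screens"), ("read", "historian")},
    "operator":   {("acknowledge", "alarms"), ("write", "setpoints")},
    "engineer":   {("read", "plc_logic"), ("write", "plc_logic")},
    "supervisor": {("approve", "plc_change")},
    "admin":      {("manage", "accounts")},
}

# senior role -> junior roles whose permissions it inherits
JUNIORS = {
    "operator":   {"viewer"},
    "engineer":   {"viewer"},
    "supervisor": {"operator"},
}

# (role set, n): no user may be authorized for n or more of these roles.
SSD_CONSTRAINTS = [
    (frozenset({"engineer", "supervisor"}), 2),  # who changes logic cannot approve it
    (frozenset({"admin", "operator"}), 2),       # account admins do not run the process
]


def authorized_roles(direct_roles):
    """Direct roles plus every role reachable downward through the hierarchy."""
    seen, todo = set(), list(direct_roles)
    while todo:
        role = todo.pop()
        if role in seen:
            continue
        seen.add(role)
        todo.extend(JUNIORS.get(role, ()))
    return seen


def violates_ssd(direct_roles):
    """Return the role set of the first violated constraint, or None."""
    authorized = authorized_roles(direct_roles)
    for roles, n in SSD_CONSTRAINTS:
        if len(authorized & roles) >= n:
            return roles
    return None


class RBAC:
    def __init__(self):
        self.assignments = {}   # user -> set of directly assigned roles

    def assign(self, user, role):
        """Assign a role, refusing any assignment that would violate SSD."""
        if role not in ROLE_PERMS:
            raise KeyError(f"unknown role {role!r}")
        proposed = self.assignments.get(user, set()) | {role}
        conflict = violates_ssd(proposed)
        if conflict is not None:
            raise ValueError(f"{user}: {role} conflicts with SoD set {sorted(conflict)}")
        self.assignments[user] = proposed

    def permissions(self, user):
        """Union of permissions over the user's authorized (inherited) roles."""
        roles = authorized_roles(self.assignments.get(user, set()))
        return set().union(*(ROLE_PERMS[r] for r in roles))

    def check(self, user, operation, obj):
        return (operation, obj) in self.permissions(user)


def build_demo():
    """Constructed assignments: an engineer, a supervisor and an account admin."""
    rbac = RBAC()
    rbac.assign("alice", "engineer")
    rbac.assign("bob", "supervisor")
    rbac.assign("carol", "admin")
    return rbac


if __name__ == "__main__":
    rbac = build_demo()
    print(sorted(rbac.permissions("bob")))
    try:
        rbac.assign("alice", "supervisor")
    except ValueError as e:
        print("rejected:", e)
```

With these assignments the supervisor can read HMI screens through the operator and viewer roles without ever being granted them directly, while an attempt to make the engineer also a supervisor is refused, as is making the account admin a supervisor, because supervisor inherits operator and the second constraint counts that inherited role.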

Conclusion

Both NIST and CIS address ways to implement access controls in ICS environments. They have similar implementation ideas and requirements. Takeaways from both include:

  • Implement multi-factor authentication
  • Enforce use of a 14+ character password or password with capitals, special characters and numbers
  • Remove all default admin accounts
  • Force admin users to only use admin accounts when necessary and use standard user accounts when performing non administrative functions (if applicable)
  • Automate alerts for when new accounts are created
  • Use shared accounts and passwords only when necessary
  • Create a process for changing shared account passwords and deleting accounts immediately upon termination of any workforce member 
  • Remove applications that use clear-text or basic authentication; where that is not possible, use unique credential sets and monitor their usage
  • Enforce complex passwords
  • Automatically lock accounts after periods of inactivity
  • Use a SIEM or other automated tool to monitor and analyze audit logs
  • Compartmentalize sensitive data and implement ACLs

Implementing these suggestions helps keep potential attacks from succeeding. Access controls are just one part of the overall security posture of a system, so ensure you are implementing a defense-in-depth strategy.