Account Management Concepts for ICS/SCADA environments
Supervisory Control and Data Acquisition (SCADA) systems are one class of Industrial Control System (ICS). These systems run the infrastructure our cities and towns depend on: ICS are used to control water distribution, electricity generation and distribution, some mass-transit functions and other industrial processes.
Traditionally, ICS networks were air-gapped or had minimal connectivity to other networks. That has changed, and the security requirements have changed with it.
US-CERT has reported an increased attacker focus on gaining access to privileged accounts within SCADA environments. Protecting these accounts is therefore of the utmost importance.
There are two major security categories used to provide account management in SCADA environments:
- Manage authentication
- Monitor and respond
We’ll explore these in detail below.
Manage authentication
Managing user authentication covers everything that minimizes the chance of a bad actor obtaining access to a system, and that ensures legitimate users handle their credentials properly.
One way attackers gain a foothold is by phishing a privileged user into opening a malicious email attachment or link that delivers the payload. Another is to phish a less privileged user and then exploit weak passwords to elevate privileges and wreak havoc on the system. This is why strong password policies and separation-of-duty practices are vital in protecting an ICS environment.
Protecting data, particularly sensitive data, is a core security objective. In an ICS, the integrity and availability of the control process matter just as much, because a compromised account can issue commands to physical equipment.
Controlled Use of Administrative Privileges and Controlled Access Based on the Need to Know are two CIS Controls that help in implementing authentication management. Steps to take include:
- Implement multi-factor authentication, which requires at least two of: something you know, something you have and something you are. For example, require a username and password (something you know) together with a hardware or software token that generates a one-time code (something you have)
- Enforce the use of a 14+ character password to include the use of capital letters, special characters and numbers
- Remove or disable default administrative accounts; where a built-in account cannot be removed, rename it and change its default password
- Admin users should only use admin accounts when necessary and use standard user accounts when performing non-administrative functions
- Enforce use of separate credentials between the corporate network and the ICS network
- Send automated alerts when new accounts are created, altered or deleted
- Compartmentalize particularly sensitive or proprietary data into controlled segments. This includes creating both physical and logical separation of assets
- Create Access Control Lists (ACLs) to ensure only authorized personnel have access to sensitive or proprietary data
- Implement the use of roles, hierarchies, and constraints to organize user access levels (Role-Based Access Control, or RBAC)
- Store passwords only as salted one-way hashes, using a purpose-built password hashing function (such as PBKDF2, bcrypt, scrypt or Argon2), never in cleartext or reversibly encrypted form
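The password-policy and salted-hash items above can be implemented in a few dozen lines. The following is an added example, not code from the original article or from any of the cited sources: a minimal credential store that rejects passwords failing the 14-character complexity rule, keeps only a per-user random salt plus a PBKDF2-HMAC-SHA256 digest, and verifies in constant time. The iteration count, salt length and the sample usernames are assumptions.

```python
"""Password policy check and salted one-way password storage.

Added example (not from the original article). Uses only the Python
standard library: hashlib.pbkdf2_hmac for the slow salted hash and
hmac.compare_digest for constant-time verification.
"""
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

MIN_LENGTH = 14
# Assumption: 600,000 iterations, the OWASP-recommended work factor for
# PBKDF2-HMAC-SHA256; tune to the hardware that will verify logons.
ITERATIONS = 600_000
SALT_BYTES = 16  # assumption: 128-bit random salt per password


def check_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A fresh random salt is drawn on every call, so the same password never
    produces the same stored string twice.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


class CredentialStore:
    """In-memory store keyed by username; it never holds a cleartext password."""

    def __init__(self) -> None:
        self._records: Dict[str, str] = {}

    def enrol(self, username: str, password: str) -> None:
        problems = check_policy(password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        self._records[username] = hash_password(password)

    def authenticate(self, username: str, password: str) -> bool:
        stored = self._records.get(username)
        if stored is None:
            # Hash anyway so an unknown username costs the same time as a
            # wrong password; this avoids leaking which accounts exist.
            hash_password(password)
            return False
        return verify_password(password, stored)


if __name__ == "__main__":
    store = CredentialStore()
    store.enrol("hmi-operator", "Correct-Horse-Battery-9")  # constructed sample
    print(store.authenticate("hmi-operator", "Correct-Horse-Battery-9"))  # True
    print(store.authenticate("hmi-operator", "guess"))                     # False
```

The stored string carries its own algorithm tag and iteration count, so the work factor can be raised later and old records re-hashed on the user's next successful logon without a schema change.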
Remote accounts are another consideration. ICS networks traditionally did not allow remote access, but, again, times are changing, and a strong remote access policy is part of a good security posture.
All of the above items apply to remote account management as well. Be especially sure that remote privileged users follow the strong password policy and do not reuse the password of a privileged account for a standard user or corporate account. Require a VPN or other encrypted tunnel for remote sessions, and protect it with multi-factor authentication.
Finally, make sure no unnecessary ports or services are exposed on the network. Each open port is a potential unintended access point for unauthorized users, so disable services you do not need and restrict the rest with firewall rules.
Monitor and respond
Auditing all user account activities is an important step in ensuring proper account management activities are taking place.
Audit logs identify and document what is happening on a system. They store information on new accounts that are created or altered, who is logging in, when they are logging in and other access-related items of interest. Monitoring audit logs is an important step in ensuring proper access habits are enforced. Two CIS controls related to monitoring and responding are:
- Maintenance, Monitoring and Analysis of Audit Logs
- Account Monitoring and Control
Some ways to implement monitoring and control techniques include:
- Only use shared accounts and passwords when necessary
- Create and document a process for changing shared account passwords and deleting accounts immediately upon termination of any workforce member
- Remove applications that rely on cleartext or HTTP Basic authentication. Where that is not possible, give them unique credential sets and monitor their usage
- Enforce complex passwords
- Automatically disable accounts that have been dormant for a defined period, and lock sessions after a period of inactivity
- Implement a Security Information and Event Management (SIEM) system or other centralized monitoring so that account events from every host are reviewed in one place
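The alerting item in the authentication list (alert on accounts created, altered or deleted) and the audit-log monitoring items above are the kind of rules a SIEM runs. The block below is an added example, not the article's or any vendor's detection content: it applies three such rules to a constructed batch of Windows Security audit events. The event IDs are the standard Windows values (4720 created, 4722 enabled, 4726 deleted, 4738 changed, 4732 added to a local group, 4624/4625 logon success/failure); the sample records, the thresholds, the 90-day dormancy period and the reference time are assumptions.

```python
"""Account-monitoring rules over Windows Security audit events.

Added example (not from the original article). Each event is a tuple of
(timestamp, event_id, target_account, source_host_or_ip, subject_account).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Tuple[str, int, str, str, str]

# Standard Windows Security log event IDs for account lifecycle changes.
ACCOUNT_LIFECYCLE = {
    4720: "user account created",
    4722: "user account enabled",
    4726: "user account deleted",
    4738: "user account changed",
    4732: "member added to security-enabled local group",
}
LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625

FAILED_LOGON_THRESHOLD = 5               # assumption: 5 failures ...
FAILED_LOGON_WINDOW = timedelta(minutes=5)  # ... within 5 minutes
DORMANT_AFTER = timedelta(days=90)       # assumption: CIS says "a set period"; 90 days here


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


# Constructed sample batch (not real logs); deliberately out of time order.
SAMPLE_EVENTS: List[Event] = [
    ("2023-11-01 09:00:00", 4624, "contractor_jdoe", "10.10.1.7", "contractor_jdoe"),
    ("2024-03-01 08:00:00", 4624, "operator1", "10.10.1.5", "operator1"),
    ("2024-03-01 08:05:00", 4720, "svc_backup2", "HMI-01", "administrator"),
    ("2024-03-01 08:05:03", 4732, "svc_backup2", "HMI-01", "administrator"),
    ("2024-03-01 08:10:00", 4625, "administrator", "192.168.50.9", "-"),
    ("2024-03-01 08:10:20", 4625, "administrator", "192.168.50.9", "-"),
    ("2024-03-01 08:10:40", 4625, "administrator", "192.168.50.9", "-"),
    ("2024-03-01 08:11:00", 4625, "administrator", "192.168.50.9", "-"),
    ("2024-03-01 08:11:20", 4625, "administrator", "192.168.50.9", "-"),
    ("2024-03-01 08:12:00", 4624, "administrator", "192.168.50.9", "administrator"),
    ("2024-03-01 08:30:00", 4625, "operator1", "10.10.1.5", "-"),  # one typo, not a burst
]
NOW = parse_ts("2024-03-01 09:00:00")  # assumption: time the rules are evaluated


def detect_lifecycle(events: List[Event]) -> List[str]:
    """In an ICS every create/enable/delete/change/group-add deserves an alert."""
    return [
        f"{ts} {ACCOUNT_LIFECYCLE[eid]}: {target} by {subject} on {source}"
        for ts, eid, target, source, subject in events
        if eid in ACCOUNT_LIFECYCLE
    ]


def detect_failed_logon_bursts(events: List[Event]) -> List[str]:
    """Sliding-window count of failures per (source, account); also flag a
    success from the same source right after a burst, the sign of a guess
    that eventually worked."""
    alerts: List[str] = []
    recent: Dict[Tuple[str, str], deque] = defaultdict(deque)
    in_burst = set()
    for ts, eid, target, source, _ in sorted(events, key=lambda e: e[0]):
        key, t = (source, target), parse_ts(ts)
        if eid == LOGON_FAILURE:
            q = recent[key]
            q.append(t)
            while q and t - q[0] > FAILED_LOGON_WINDOW:
                q.popleft()
            if len(q) >= FAILED_LOGON_THRESHOLD and key not in in_burst:
                in_burst.add(key)
                alerts.append(f"{ts} {len(q)} failed logons for {target} from {source}")
        elif eid == LOGON_SUCCESS and key in in_burst:
            alerts.append(f"{ts} successful logon for {target} from {source} after failed-logon burst")
            in_burst.discard(key)
    return alerts


def detect_dormant(events: List[Event], now: datetime) -> List[str]:
    """Accounts whose last successful logon is older than DORMANT_AFTER.
    A production rule would also pull last-logon from the directory for
    accounts that never appear in the batch."""
    last: Dict[str, datetime] = {}
    for ts, eid, target, _, _ in events:
        if eid == LOGON_SUCCESS:
            t = parse_ts(ts)
            if target not in last or t > last[target]:
                last[target] = t
    return [
        f"{acct} last logged on {(now - t).days} days ago; disable per dormant-account policy"
        for acct, t in sorted(last.items())
        if now - t > DORMANT_AFTER
    ]


def run_rules(events: List[Event], now: datetime) -> Dict[str, List[str]]:
    return {
        "lifecycle": detect_lifecycle(events),
        "failed_logons": detect_failed_logon_bursts(events),
        "dormant": detect_dormant(events, now),
    }


if __name__ == "__main__":
    for rule, hits in run_rules(SAMPLE_EVENTS, NOW).items():
        for line in hits:
            print(f"[{rule}] {line}")
```

The lifecycle rule is intentionally unfiltered: on a control network, account changes are rare and planned, so every one should be reconciled against a change ticket rather than tuned away as noise.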
ICS environments still differ from traditional IT systems, but as they mature they share many of the same vulnerabilities. Strong access-management controls are essential for keeping unwanted users out of your systems.
Sources
- Seven Steps to Effectively Defend Industrial Control Systems, US-CERT
- NIST Special Publication 800-82, Revision 2, NIST
- CIS Controls ICS Companion Guide, CIS
- Controlled Use of Administrative Privileges, CIS
- Maintenance, Monitoring, and Analysis of Audit Logs, CIS
- Controlled Access Based on the Need to Know, CIS
- Wireless Access Control, CIS
- Account Monitoring and Control, CIS
- Configuring and Managing Remote Access for Industrial Control Systems, US-CERT
- Securing ICS and SCADA Systems with Privilege and Vulnerability Management, BeyondTrust