Credential Management and Enforcement for ICS/SCADA environments

September 3, 2019 by

Yash Tiwari

Introduction

In the world of Operational Technology (OT), Industrial Control Systems (ICS) comprise the majority of the segment. Where ICS assets are dispersed and require centralized data acquisition and control, Supervisory Control and Data Acquisition (SCADA) systems are used.

Learn ICS/SCADA Security Fundamentals

Build your SCADA security skills with six hands-on courses covering access controls, common cyber threats, process control networks and more.

Start Learning

The SCADA systems allow users to monitor and control the ICS through simple interfaces. SCADA system users can view the current status of the system, make adjustments to the industrial process, review alarms or alerts and much more. 

The main components of SCADA systems are display units, the control unit, remote terminal units and communication links. 

Why are security and credential management important for SCADA systems?

SCADA systems were initially used for water distribution or electric utilities. Now SCADA systems are found in a range of industries, implemented by organizations and businesses needing large automated data collection and centralized control of related equipment.

Though SCADA has significant benefits, there is a constant threat of security breaches. 

• Third-party firms and service vendors are often given remote access to the ICS/SCADA, taking security control away from the client company. Vendor equipment is not regulated by the client company and may not be secure. Breaches caused by vendor security failure could disrupt business services, halt industrial processes, collect vital information or compromise critical infrastructure
• ICS/SCADA systems generally have access codes and passwords hardcoded into the system during time of manufacture. Most businesses and organizations don’t bother changing the access codes from the default set. An intruder with a list of default access codes could easily gain unfettered access to sensitive information and data
• These systems are also connected to traditional IT systems, high-valued assets and host Industrial Internet of Things (IIoT) devices. SCADA systems linked to IT systems and business assets pose a major security risk. A breach of  ICS/SCADA systems also exposes other critical business assets and systems
• A non-functioning SCADA system can and does disrupt business operations. ICS systems are mission-critical, high-value machines. Any malware or threat that gains access to these systems is capable of disrupting business operations

How can SCADA systems be protected?

Implementing layers of security can minimize risk and attacks from external sources. The primary security methods are as follows:

• Ensure secure network infrastructure by turning off unused ports, sealing high-value devices in secure rooms and restricting access to routers and switches
• Identify and implement access management by granting users with different roles different levels of permission so there is no unauthorized access to critical infrastructure
• End-to-end protection for all devices can minimize external attacks and exposure to threats
• Adequate security best practices and awareness training can significantly decrease major risks

Implementing credential management for the ICS/SCADA environments

Access control or credential management is the first and most important line of defense for SCADA systems. What is access control? It ensures that your systems, programs, procedures and processes is only accessed by authorized users. What do access control and policies cover?

• Manages information system accounts by activating, modifying, reviewing, disabling and establishing accounts as well as providing different privileges to new users
• Addresses and controls the use of portable or remote devices that can be connected wirelessly or through external hardware ports
• Separates and controls flow enforcement, includes session terminations, checks for unsuccessful login attempts, separates duties and separates users with fewer privileges
• Identifies and authenticates through password protection and biometric devices, giving authorized users access to the system

Access control is designed mainly to regulate and direct the flow of information between devices and systems once authorization levels and protocols have been verified. 

What is Role-Based Access Control?

Role-Based Access Control (RBAC) is ideal for organizations that have many intelligent devices and assets. Implementing RBAC can minimize the complexity and cost of security administration. By using roles, hierarchies and constraints to organize user access levels, control and access over network security infrastructure can be efficiently implemented. For instance, RBAC should be able to restrict a person from carrying out a task which he is not authorized to do. 

Implementing authentication and authorization in SCADA systems

SCADA systems are either distributed or centralized in nature when identifying and authenticating users. Distributed systems are easily maintained and accessed but they are not suitable for larger infrastructures and can’t be easily scaled.

In centralized systems the authentication servers create a single system that manages all accounts in an organization. This system requires high availability, as failure can lead to users being locked out of the system. Caches can be implemented to authenticate and authorize users in the case of a server failure.  

User accounts, devices and processes can be verified and identified by specific credentials such as:

• Passwords: User accounts are set up with passwords and allowed access to the system only upon successful validation of the password
• Biometrics: Biometric devices can validate the user with their biometrics such as fingerprint, voice, face or retina
• Security tokens: Constantly changing security tokens can provide high security to sensitive assets or networks

Enforcing other access policies and safety features in ICS/SCADA

Securing web servers 

Web servers and connectivity are sometimes provided for remote areas to access ICS information. Though this makes the ICS easily accessible, it also makes it prone to attacks from hackers. Security appliances or gateways need to be implemented in these web applications to prevent issues. Unless there are significant benefits and a need for connecting the ICS to the internet, it is better left unconnected. 

Securing dial-up modems

SCADA systems have high availability requirements so third-party vendors and technicians or engineers can connect to the system through a modem rather than being physically present in the control room unit. Modems can be configured to give administrative privileges to remote users, so it’s important to secure the connection against unauthorized access or installation of backdoor entries. 

Conclusion

Credential management and enforcement often negate the need for further security measures by screening out malicious users prior to system access. Systems like Role-Based Access Control (RBAC) minimize the complexity and cost of security administration, making greater security possible for any industry and any size business. Credential management is the locked door behind which ICS/SCADA systems can operate as they always have, all the while avoiding potential threats that could cause business disruption and data breach.

Learn ICS/SCADA Security Fundamentals

Build your SCADA security skills with six hands-on courses covering access controls, common cyber threats, process control networks and more.

Start Learning

Sources

1. Guide to Industrial Control Systems (ICS) Security, NIST
2. SCADA/ICS Dangers & Cybersecurity Strategies, Fortinet
3. OT, ICS, SCADA – What’s the difference?, KupperingCole