Securing Industrial Control Systems
Against Modern Threats with Privileged Access Management (PAM)
This article addresses the concerns of CISOs and their partners regarding the Industrial Control System (ICS) security challenge.
It is crucial to control access to industrial Operational Technology (OT), because a compromise can have a direct impact on the physical world. ICS security here covers supervisory control and data acquisition (SCADA) systems and distributed control systems (DCS), both of which rely on programmable logic controllers (PLC).
Industrial systems must accommodate new usages that greatly increase the attack surface:
> Greater connectivity and remote access needs (remote on-call interventions, third-party contractor access, vendor remote activity, etc.), especially when the accounts used carry special privileges (admin rights, software updates, etc.).
> Globally spread maintenance teams.
> Distributed infrastructures.
> Scattered tools for remote access to OT systems (one per vendor, per subsidiary or site, etc.).
ICS also rely increasingly on IT components to improve performance and cut costs, but those components may be vulnerable. Most industrial protocols now run over TCP/IP, and many HMIs, engineering workstations and even some programmable logic controllers (PLC) and remote terminal units (RTU) run on operating systems from the IT world (Windows, Linux), with the same patching needs.
At the same time, the cyber threat has never been so present, with the growth and professionalization of cyber crime (ransomware, worms, and so on).
The consequences can be severe in the physical world.
Unlike enterprise networks, which manage information, ICS manage physical operational processes.
A cyber incident could have the following impacts:
> Inability to plan production.
> Blocking or stopping of the production line.
> Inability to deliver and bill.
> Disconnection of industrial systems as a precaution.
Beyond the operational impact, the financial impact can amount to a huge loss.
Case Study: Changing a Parameter at a Water Treatment Plant
In February 2021, an attacker gained access to the industrial network of the water treatment plant of Oldsmar, Florida, through an exposed TeamViewer installation. The attacker then used a Human-Machine Interface (HMI) that controls the concentration of sodium hydroxide (lye) used by the plant and raised the setpoint from 100 parts per million to 11,100 parts per million. At that concentration the water would have been dangerous to anyone in contact with it; an operator saw the change on screen and reverted it before it took effect.
The following measures would have prevented or contained this attack:
> Not exposing a remote-access protocol directly to the Internet.
> Prohibiting direct flows between the Internet and the OT network.
> Setting up a secure remote access mechanism (a broker or jump host with strong authentication) when remote control is required.
> Raising operators' awareness of the need to authenticate every person who wants to access a workstation, rather than sharing remote-control sessions and passwords.
> Monitoring what is being done on the most critical resources, including alerting on setpoint changes outside the expected range.
Case Study: Colonial Pipeline – Credential Management Failure
The Colonial Pipeline case made headline news. In May 2021, Colonial Pipeline, operator of the largest fuel pipeline on the US East Coast, was hit by ransomware on its IT network. The company shut down pipeline operations as a precaution, causing fuel shortages and panic buying along the East Coast; the US federal government issued a regional emergency declaration and the company paid a ransom of roughly 4.4 million dollars.
Initial access came through a legacy VPN account that was not protected by MFA, using a password that had appeared in a leaked password batch: the employee had apparently reused the same password for personal and professional activities.
The following measures would have prevented or limited this attack:
> Prohibiting direct flows between the Internet and the OT network, and segmenting IT from OT so that an IT compromise does not force an OT shutdown.
> Avoiding credential disclosure by managing credentials in a vault with managed rotation policies, disabling unused legacy accounts, and enforcing MFA on every remote access path.
On the path toward Zero Trust, it is fundamental to verify the identity of the user, but it is just as fundamental to monitor administrators' actions on the IT/OT administration networks.
Bringing Value to the Business with Accountability
How can individual accountability be guaranteed for actions performed during maintenance of OT systems?
Traditional ICS components were designed for reliability rather than security:
> No authentication, or a single password shared by every operator
> No integration into a directory
> Direct connections to the device
How can you assign responsibility for actions on industrial equipment that does not require user authentication?
Only one organization in two is equipped with a PAM solution (Opinionway - CESIN, 2022)
That is where Privileged Access Management brings its full value.
Operating as a proxy between the user and the target, it authenticates administrators with a personal account, enforcing multi-factor authentication (MFA) where needed, and gives them access only to the devices and SCADA systems on which they are authorized to work (least privilege).
Once authenticated, every action is audited and recorded, and the logs are exported to the SOC/SIEM in place.
Target passwords are stored in a vault, on which policies (rotation, check-out/check-in, one-time use) can be enforced; the proxy injects them into the session, so the user never learns them.
What if you had a single solution for both IT and OT access, for both internal (from within the network) and external (from the Internet) access? PAM for OT is not so different from PAM for IT.
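To make the proxy model concrete, here is an added example (not the article's code, and not any vendor's product) of a minimal PAM broker in front of OT targets. The role map, account names, target names and policy values are assumptions chosen for illustration. It ties together the points made above and in the Colonial Pipeline case: shared accounts are refused, privileged actions require MFA, a role only reaches the targets mapped to it, access from outside the plant network needs an approval ticket, the target credential is checked out of a vault and injected into the session so the operator never sees it, and the credential is rotated when the session closes. Every decision lands in an audit list that a real deployment would ship to the SIEM.

```python
"""Minimal PAM broker for OT targets (added illustrative model, not vendor code)."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed role map: role -> allowed (target, action). Anything not listed is denied.
POLICY: Dict[str, Set[Tuple[str, str]]] = {
    "plc-maintenance": {("PLC-Line1", "read"), ("PLC-Line1", "write-program")},
    "scada-operator": {("SCADA-HMI-1", "view"), ("SCADA-HMI-1", "setpoint")},
}
PRIVILEGED_ACTIONS = {"write-program", "setpoint"}
# Generic accounts give no accountability: the broker refuses them outright.
SHARED_ACCOUNTS = {"admin", "operator", "root"}


class Vault:
    """Holds the target credentials. Only the broker ever calls checkout()."""

    def __init__(self) -> None:
        self._secrets: Dict[str, str] = {}

    def seed(self, target: str) -> None:
        self._secrets[target] = secrets.token_urlsafe(24)

    def checkout(self, target: str) -> str:
        return self._secrets[target]

    def rotate(self, target: str) -> None:
        # One-time-use policy: the value injected into the last session dies here,
        # so a password captured during that session is worthless afterwards.
        self._secrets[target] = secrets.token_urlsafe(24)


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    target: str
    action: str
    mfa_verified: bool
    source: str                      # "internal" (plant network) or "external"
    approval_ticket: Optional[str] = None


@dataclass
class Session:
    session_id: str
    user: str
    target: str
    action: str
    _credential: str                 # injected by the broker, never shown to the user

    def connect(self) -> str:
        # Stand-in for opening the SSH/RDP/VNC connection with the injected credential.
        return f"{self.target}: authenticated with vault credential ({len(self._credential)} chars)"


class Broker:
    def __init__(self, vault: Vault) -> None:
        self.vault = vault
        self.audit: List[dict] = []            # in production, shipped to the SIEM
        self._active: Dict[str, Session] = {}

    def decide(self, req: AccessRequest) -> List[str]:
        """Return the denial reasons for a request; an empty list means allow."""
        reasons: List[str] = []
        if req.user in SHARED_ACCOUNTS:
            reasons.append("shared account refused, use a personal account")
        if (req.target, req.action) not in POLICY.get(req.role, set()):
            reasons.append("role not authorized for target/action")
        if req.action in PRIVILEGED_ACTIONS and not req.mfa_verified:
            reasons.append("MFA required for privileged action")
        if req.source == "external" and not req.approval_ticket:
            reasons.append("approval ticket required for external access")
        return reasons

    def open_session(self, req: AccessRequest) -> Optional[Session]:
        reasons = self.decide(req)
        self.audit.append({"event": "access_request", "user": req.user, "target": req.target,
                           "action": req.action, "source": req.source,
                           "decision": "deny" if reasons else "allow", "reasons": reasons})
        if reasons:
            return None
        session = Session(secrets.token_hex(8), req.user, req.target, req.action,
                          self.vault.checkout(req.target))
        self._active[session.session_id] = session
        self.audit.append({"event": "session_opened", "session": session.session_id,
                           "user": req.user, "target": req.target})
        return session

    def close_session(self, session_id: str) -> None:
        session = self._active.pop(session_id)
        self.vault.rotate(session.target)      # check-in triggers rotation
        self.audit.append({"event": "session_closed", "session": session_id,
                           "user": session.user, "target": session.target})


if __name__ == "__main__":
    vault = Vault()
    vault.seed("PLC-Line1")
    broker = Broker(vault)
    s = broker.open_session(AccessRequest("j.doe", "plc-maintenance", "PLC-Line1",
                                          "write-program", mfa_verified=True, source="internal"))
    print(s.connect())
    broker.close_session(s.session_id)
    print(broker.audit)
```

The denial reasons are cumulative rather than short-circuited, which is what you want in the audit trail: a request from a shared account, without MFA, from the Internet, is logged with all three problems, not just the first one the broker happened to check.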
What we suggest doing to secure industrial control systems
You can’t protect what you can’t control.
The following measures can be taken to protect facilities:
> Delete or disable the accounts of administrators who no longer work on the industrial system.
> Review third-party service providers' access rights to OT systems.
> Ensure that high-privilege actions require strong authentication (MFA).
> Tier privileged accounts and separate them according to need (Tier 1, 2, 3; for example, separate administration accounts from maintenance accounts).
> Control external access to industrial systems with strong authentication and local validation/approval workflows.
> Monitor sessions to detect abnormal behaviors.
> Most complex intrusions are preceded by a reconnaissance phase; the operator's knowledge of what legitimate activity looks like on its industrial network must make it possible to identify abnormal activity.
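The last two measures, and the "monitor the most critical resources" point from the water treatment case, are where session recording pays off only if someone actually looks at the records. The following added example (not from the article or any product) runs three detection rules over constructed PAM session log lines in an assumed `timestamp user= target= action=` format; the users, targets, maintenance window and thresholds are assumptions. The rules are: a privileged action outside the target's maintenance window, a user reaching a target that never appears in their baseline, and a reconnaissance-like fan-out where one user touches several distinct targets within a few minutes.

```python
"""Detecting abnormal privileged activity in PAM session logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, time, timedelta
from typing import Dict, List, Set, Tuple

# Assumed log format, e.g. "2024-03-13T02:14:07Z user=vendor-acme target=Drive-Ctl-2 action=firmware-update"
LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) target=(?P<target>\S+) action=(?P<action>\S+)$")

PRIVILEGED = {"write-program", "setpoint", "firmware-update"}
MAINT_WINDOW = (time(8, 0), time(18, 0))      # assumed plant policy: weekdays, 08:00-18:00

# Constructed sample: the first four lines are the learning period, the rest are what we inspect.
SAMPLE_LOG = """\
2024-03-04T09:12:00Z user=j.doe target=PLC-Line1 action=read
2024-03-05T10:40:00Z user=j.doe target=PLC-Line1 action=write-program
2024-03-06T14:05:00Z user=m.lee target=SCADA-HMI-1 action=setpoint
2024-03-07T11:20:00Z user=vendor-acme target=Drive-Ctl-2 action=read
2024-03-12T10:15:00Z user=j.doe target=PLC-Line1 action=write-program
2024-03-13T02:14:07Z user=vendor-acme target=Drive-Ctl-2 action=firmware-update
2024-03-14T09:00:00Z user=m.lee target=PLC-Line1 action=read
2024-03-14T09:03:00Z user=m.lee target=PLC-Line2 action=read
2024-03-14T09:06:00Z user=m.lee target=Drive-Ctl-2 action=read
2024-03-14T09:08:00Z user=m.lee target=SCADA-HMI-1 action=setpoint
"""
BASELINE_UNTIL = datetime(2024, 3, 11)         # records at or before this time are "normal"


def parse(lines) -> List[dict]:
    records = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                           # malformed lines are skipped; a SIEM would count them
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def outside_window(ts: datetime) -> bool:
    return ts.weekday() >= 5 or not (MAINT_WINDOW[0] <= ts.time() < MAINT_WINDOW[1])


def detect(records: List[dict], baseline_until: datetime,
           fanout_n: int = 3, fanout_span: timedelta = timedelta(minutes=10)) -> List[Tuple]:
    """Return (rule, user, detail, timestamp) tuples for records after the baseline period."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r["ts"] <= baseline_until:
            baseline[r["user"]].add(r["target"])
    alerts: List[Tuple] = []
    alerted_pairs: Set[Tuple[str, str]] = set()
    recent: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)   # per-user sliding window
    for r in records:
        if r["ts"] <= baseline_until:
            continue
        if r["action"] in PRIVILEGED and outside_window(r["ts"]):
            alerts.append(("off-hours-privileged", r["user"], r["target"], r["ts"]))
        pair = (r["user"], r["target"])
        if r["target"] not in baseline[r["user"]] and pair not in alerted_pairs:
            alerted_pairs.add(pair)          # alert once per new pair, but do not learn it as normal
            alerts.append(("new-target", r["user"], r["target"], r["ts"]))
        window = recent[r["user"]]
        window.append((r["ts"], r["target"]))
        window[:] = [(t, tg) for t, tg in window if r["ts"] - t <= fanout_span]
        distinct = {tg for _, tg in window}
        if len(distinct) >= fanout_n:
            alerts.append(("recon-fanout", r["user"], ",".join(sorted(distinct)), r["ts"]))
            window.clear()                   # one sweep yields one alert, not one per extra target
    return alerts


def run_demo() -> List[Tuple]:
    return detect(parse(SAMPLE_LOG.splitlines()), BASELINE_UNTIL)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On the sample, the off-hours firmware update by the vendor account and m.lee's sweep across three controllers in six minutes are flagged, while j.doe's routine program write and m.lee's setpoint change on the HMI they normally use are not. The baseline is deliberately not updated with post-baseline activity: learning an intruder's first access as "normal" is exactly the mistake a naive anomaly model makes.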
PAM for securing industrial control systems is about making compliance easy through security, visibility and reporting.
PAM projects are not known for being plug and play. But new PAM-as-a-Service (PAMaaS) offerings shorten the time to value and let organizations reach an acceptable security-to-cost ratio quickly.