The Dragos Blog

12.13.24 | 6 min read

OT Cybersecurity Best Practices for SMBs: Identity and Access Management in OT

This blog is part of a blog series detailing best practices for operational technology (OT) cybersecurity for under-resourced organizations by Dragos OT-CERT (Operational Technology – Cyber Emergency Readiness Team), which provides free resources to help small and medium businesses (SMBs) create or enhance their OT cybersecurity program. Not yet a member? Join OT-CERT and get started today.

Larger Organizations Take Note

If you have been improving your security posture and reducing the risk of a significant cyber attack in your enterprise, including your OT environment, that’s excellent news! However, does your risk assessment include the possibility of a cyber attack on one of your critical suppliers, and the impact that would have on your company’s operations? Could you still produce your product or provide services to your customers? Read on to ensure that you are quantifying the likelihood and impact of that risk correctly in light of the current threat environment. And strengthen your supply chain security risk posture by promoting OT-CERT to your suppliers.

Legal Disclaimer 

OT-CERT resources are intended to provide guidance to help under-resourced organizations, those lacking sufficient financial resources or technical expertise, to establish minimum baseline OT cybersecurity protections and do not necessarily meet the usual best practice standards for a mature OT cybersecurity program. Dragos, Inc. does not provide any warranty or guarantee that following the guidance provided by OT-CERT alone will safeguard an organization from all OT cybersecurity threats. Whenever possible, organizations should seek additional enhancements to the recommendations provided by OT-CERT resources based on the organization’s own cybersecurity risk profile.

What Is Identity and Access Management (IAM)?

“Who are you and what do you want?” You wouldn’t want to hear that phrase from the restaurant waitstaff, but it’s a perfectly acceptable response from a file server.

Identity and Access Management (IAM) is the domain in cybersecurity that includes policies, practices, and technologies for managing user identities and their access to organizational resources. IAM includes four pillars:

  • Identity Lifecycle Management (ILM)
  • Access Control (AC)
  • Authentication and Authorization (AA)
  • Identity Governance (IG)

IAM in OT uses the same basic principles as in IT. This blog describes each principle in general, and also provides examples of how to apply them in an OT environment. 

Identity Lifecycle Management (ILM)

Identity Lifecycle Management (ILM) includes creating and maintaining accounts for all users, services, and groups for any systems on or off networks or domains.

To monitor activity and enforce permissions, you must be able to attribute activities to individual users, services, and groups. ILM gives each user, service, or group its own separate account. Accounts carry attributes that establish the identity of each user or entity, for example the user’s full name, username(s), contact information, job title, and permissions.

Practical Examples in OT
  • What processes are in place to automatically suspend user accounts? Are those processes automated or manual? Do notifications from HR go to all necessary parties? For example, if the OT team controls accounts and access to OT assets, are they notified at the same time the IT teams are?
  • Service accounts are different from user accounts. They allow applications and services (database applications, Windows Update servers, etc.) to authenticate with applications or services on servers and workstations so that those applications can function. Service accounts don’t have a human user entering a username and password the way user accounts do. Therefore, managing the lifecycle of service accounts is generally handled differently from traditional user accounts. Some organizations change credentials for service accounts annually, when an employee who had access to those credentials leaves the organization, or when it is suspected that the credentials may have been compromised.

Important: Service accounts may have access to critical applications and/or sensitive data, and therefore extra monitoring of those accounts is often recommended. For example, logging and alerts should be configured for cases where an interactive login was attempted with a service account.
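As an added example (not from the original post), here is a small Python check that applies this recommendation to exported logon events: it flags any successful (event 4624) or failed (event 4625) logon by a known service account whose Windows logon type is Interactive (2), RemoteInteractive (10) or CachedInteractive (11). The log line layout, account names and host names are constructed for illustration; in practice the input would come from your SIEM or an event-log export.

```python
import re

# Constructed sample log lines (not real data), loosely modelled on Windows
# Security events 4624/4625 exported as key=value text.
SAMPLE_LOGS = [
    "2024-12-13T08:01:12Z EventID=4624 Account=svc_historian LogonType=5 Host=HIST01",
    "2024-12-13T08:02:40Z EventID=4624 Account=MarySmith LogonType=2 Host=HMI03",
    "2024-12-13T08:05:03Z EventID=4624 Account=svc_historian LogonType=10 Host=HMI03",
    "2024-12-13T08:06:17Z EventID=4624 Account=svc_backup LogonType=4 Host=BKP01",
    "2024-12-13T08:09:55Z EventID=4625 Account=svc_backup LogonType=2 Host=ENG02",
    "this line is malformed and should be ignored",
]

# Accounts expected to log on only as a service (type 5) or batch job (type 4).
SERVICE_ACCOUNTS = {"svc_historian", "svc_backup"}

# Windows logon types that imply a person at a console or remote desktop session.
INTERACTIVE_LOGON_TYPES = {2: "Interactive", 10: "RemoteInteractive", 11: "CachedInteractive"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+) "
    r"LogonType=(?P<lt>\d+) Host=(?P<host>\S+)$"
)

def parse_line(line):
    """Parse one exported event line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "event_id": int(m["eid"]), "account": m["acct"],
            "logon_type": int(m["lt"]), "host": m["host"]}

def find_interactive_service_logons(lines=SAMPLE_LOGS, service_accounts=SERVICE_ACCOUNTS):
    """Return one alert per logon attempt (success or failure) that used a
    service account with an interactive logon type."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["event_id"] not in (4624, 4625):
            continue
        if ev["account"] in service_accounts and ev["logon_type"] in INTERACTIVE_LOGON_TYPES:
            alerts.append({
                "ts": ev["ts"], "account": ev["account"], "host": ev["host"],
                "outcome": "success" if ev["event_id"] == 4624 else "failure",
                "logon_type": INTERACTIVE_LOGON_TYPES[ev["logon_type"]],
            })
    return alerts

if __name__ == "__main__":
    for a in find_interactive_service_logons():
        print(f"ALERT {a['ts']} {a['account']} {a['logon_type']} logon ({a['outcome']}) on {a['host']}")
```

Failed attempts are reported as well as successes, since a failed interactive logon with a service account is often the earlier signal.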

Access Control (AC)

Individual accounts let you track user activities and set and enforce more granular access policies. Access Control (AC) enables you to grant different permissions to different users rather than giving every user the same privileges or creating group accounts with too many permissions.

Today, many systems use role-based access control (RBAC). With RBAC, each account’s privileges are based on job roles. RBAC helps streamline setting user permissions and reduces the risks of giving users higher privileges than they need. It also simplifies account management as users change roles inside your organization.  

Practical Examples in OT
  • It is recommended that user and administrative accounts be differentiated according to a login name convention. For example, your organization may choose to prefix or append ADM or -a to administrative account usernames. Mary may be assigned a user account with username MarySmith for normal day-to-day work, but for administrative work, Mary would use a separate account with administrative privileges and a username indicating it’s an administrative account, such as MarySmith-ADM. Implementing username conventions makes it easier to identify privileged accounts when performing auditing.
  • It is common for HMI/SCADA software to run under administrative accounts on the Windows operating system. It is recommended that you investigate whether it is feasible to run that software under a standard, non-administrative user account.
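The naming convention above only pays off if it is checked. As an added example (not part of the original post), this Python audit takes an account inventory, such as one exported from Active Directory or the local accounts on an HMI, and reports where the -ADM suffix and actual privileged-group membership disagree in either direction; it also pairs each admin account with its day-to-day counterpart. The account records, group names and the choice of -ADM as the marker are assumed for illustration.

```python
# Constructed account inventory (not real data): account name plus the groups
# it belongs to. Group names are assumed for this example.
ACCOUNTS = [
    {"name": "MarySmith",     "groups": ["OT-Operators"]},
    {"name": "MarySmith-ADM", "groups": ["Administrators", "OT-Engineers"]},
    {"name": "JohnDoe",       "groups": ["Administrators", "OT-Operators"]},  # admin rights on a daily-use account
    {"name": "PLCSvc-ADM",    "groups": ["OT-Operators"]},                    # named as admin, but not privileged
    {"name": "svc_historian", "groups": ["Service-Accounts"]},
]

# Groups that confer administrative privilege; assumed for this example.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}
ADMIN_SUFFIX = "-ADM"

def is_admin_named(name):
    """True when the account name follows the administrative naming convention."""
    return name.upper().endswith(ADMIN_SUFFIX)

def audit_admin_naming(accounts=ACCOUNTS, privileged_groups=PRIVILEGED_GROUPS):
    """Return (account, issue) findings where naming and real privilege disagree."""
    findings = []
    for acct in accounts:
        privileged = bool(privileged_groups.intersection(acct["groups"]))
        if privileged and not is_admin_named(acct["name"]):
            findings.append((acct["name"], "privileged account without admin naming"))
        elif is_admin_named(acct["name"]) and not privileged:
            findings.append((acct["name"], "admin-named account has no privileged group"))
    return findings

def paired_admin_accounts(accounts=ACCOUNTS):
    """Map each admin-named account to its day-to-day account, or None if missing."""
    names = {a["name"] for a in accounts}
    pairs = {}
    for n in names:
        if is_admin_named(n):
            base = n[:-len(ADMIN_SUFFIX)]
            pairs[n] = base if base in names else None
    return pairs

if __name__ == "__main__":
    for name, issue in audit_admin_naming():
        print(f"FINDING: {name}: {issue}")
    for adm, base in sorted(paired_admin_accounts().items()):
        print(f"{adm} -> {base or '(no matching standard account)'}")
```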

Authentication and Authorization (AA)

Authentication and Authorization (AA) ensures that the entity using an individual user, service, or group account is who or what they claim to be. When an account logs into a system or requests access to a resource, credentials are used to prove their identity. For instance, an individual user account might obtain access by entering a password, while a service account could be required to authenticate with a digital certificate. The AA system then verifies these credentials against the central database. If they are a match, access is granted. 

Practical Examples in OT
  • While usernames and passwords are the most basic form of authentication, they are also the least secure. Multifactor Authentication (MFA) is the current best practice. MFA is a security process that requires users to verify their identity through multiple methods, such as a password and a fingerprint, to enhance account protection. 
  • Conditional access is a mechanism to verify that a device is authorized to connect to the network. Tools can be used to verify that a device attempting to connect complies with some or all of the following conditional access criteria: the device is part of the domain, the device is within a certain level of patching, and the device is running an up-to-date antivirus/antimalware tool.
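As an added example (not from the original post), the following Python function evaluates a device posture record against the three criteria just listed and returns an allow/deny decision together with every criterion that failed, so the operator sees all of the reasons rather than only the first. The posture fields, the 45-day patch window and the 7-day antivirus-signature window are assumed values for illustration; "level of patching" is interpreted here as the age of the last applied patch.

```python
from datetime import date

# Constructed device posture records (not real data), of the kind a NAC or
# endpoint agent would report. Field names are assumed for this example.
DEVICES = [
    {"host": "ENG01",    "domain_joined": True,  "last_patch": date(2024, 11, 28), "av_sig_age_days": 1},
    {"host": "HMI03",    "domain_joined": True,  "last_patch": date(2024, 6, 2),   "av_sig_age_days": 0},
    {"host": "LAPTOP-X", "domain_joined": False, "last_patch": date(2024, 12, 1),  "av_sig_age_days": 45},
]

# Policy thresholds: assumed values, tune to your own patch cadence.
POLICY = {"max_patch_age_days": 45, "max_av_sig_age_days": 7}

# Evaluation date for the sample run (assumed).
AS_OF = date(2024, 12, 13)

def evaluate_device(dev, today=AS_OF, policy=POLICY):
    """Return (allowed, failed_criteria) for one device."""
    failed = []
    if not dev["domain_joined"]:
        failed.append("not domain-joined")
    patch_age = (today - dev["last_patch"]).days
    if patch_age > policy["max_patch_age_days"]:
        failed.append(f"last patch {patch_age} days old (limit {policy['max_patch_age_days']})")
    if dev["av_sig_age_days"] > policy["max_av_sig_age_days"]:
        failed.append(f"antivirus signatures {dev['av_sig_age_days']} days old "
                      f"(limit {policy['max_av_sig_age_days']})")
    return (not failed, failed)

def evaluate_all(devices=DEVICES, today=AS_OF, policy=POLICY):
    """Evaluate every device; returns {host: (allowed, failed_criteria)}."""
    return {d["host"]: evaluate_device(d, today, policy) for d in devices}

if __name__ == "__main__":
    for host, (ok, failed) in evaluate_all().items():
        print(host, "ALLOW" if ok else "DENY: " + "; ".join(failed))
```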

Identity Governance (IG)

Identity Governance (IG) involves monitoring and auditing access rights and activities to prevent abuse and detect unauthorized access. IG also assists in ensuring compliance with regulations such as the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS). You can modify standard policies to meet and exceed security requirements. 

Practical Examples in OT
  • IG includes auditing. 
  • IG could include requirements for enhanced logging for service and administrative accounts.  
  • IG could include policies such as password complexity policy, etc.  
  • IG includes processes to ensure logs are gathering evidence to support required auditing policies and compliance.

Stay Up to Date with OT-CERT Resources

Dragos OT-CERT offers FREE resources to help SMBs build their own manufacturing / OT / industrial control systems (ICS) cybersecurity program without hiring any cybersecurity experts. OT-CERT membership is free and globally available to OT asset owners and operators. Resources are oriented toward small and medium businesses and resource-challenged organizations with OT environments that lack in-house security expertise. Members have access to a growing library of resources such as reports, webinars, training, best practices blogs, assessments, toolkits, tabletop exercises, and more.

Currently available resources include:

  • OT Cybersecurity Fundamentals Self-Assessment Survey
  • OT Asset Management Toolkit
  • Self-Service OT Ransomware Tabletop Exercise Toolkit
  • Collection Management Framework for Incident Response
  • OT Cybersecurity Incident Response Toolkit
  • OT Data Backups Guidance
  • Host-Based Logging and Centralized Logging Toolkits
  • Secure Remote Access Toolkit
  • Network Segmentation Toolkit
  • Access to an introductory ICS/OT cybersecurity module in Dragos Academy

If you haven’t joined Dragos OT-CERT, don’t delay! Membership is open to organizations that own or operate a manufacturing / ICS / OT environment. Please join and spread the word to your community and supply chain so we can all work together to raise the security posture of the entire ecosystem – we are only as strong as our weakest link.

We look forward to working with you to safeguard civilization!
