Cybersecurity Framework – Protect – part 1
Cybersecurity Framework in OT
The NIST Cybersecurity Framework (CSF) has been widely adopted by various organizations in both the public and private sectors. It serves as a guide for conducting cybersecurity activities and addressing cybersecurity risks. This framework encompasses five interconnected and continuous functions: Identify, Protect, Detect, Respond, and Recover. These functions present industry standards, guidelines, and practices in a way that facilitates communication about cybersecurity activities and outcomes throughout the organization. Together, they offer a holistic and strategic approach to managing cybersecurity risks.
The functions of the CSF provide guidance for the following actions:
Identify (ID) – Establish a comprehensive understanding of the organization’s cybersecurity risks, including systems, personnel, assets, data, and capabilities.
Protect (PR) – Create and enforce suitable safeguards to ensure the uninterrupted delivery of critical services.
Detect (DE) – Establish and execute appropriate measures to identify cybersecurity events as they occur.
Respond (RS) – Develop and implement suitable actions to address detected cybersecurity incidents promptly.
Recover (RC) – Develop and implement effective strategies to restore impaired capabilities or services and maintain resilience in the face of cybersecurity incidents.
Protect – part 1
Identity Management and Access Control
Organizations should prioritize the management of credentials throughout the lifecycle in their Operational Technology (OT) environments, encompassing issuance, revocation, and updates. Centralizing the identification and authentication processes for users, devices, and processes within OT environments offers several benefits, such as reducing the burden of account management and enhancing monitoring capabilities. Common network technologies like Active Directory and Lightweight Directory Access Protocol (LDAP) can be employed to facilitate the centralization of identity management across various environments.
However, when authenticated accounts from the IT environment are granted access within the OT environment, organizations must carefully assess the increased risk associated with such permissions compared to the benefits derived from using centralized accounts.
In cases where OT systems cannot support authentication or it is deemed unadvisable due to adverse impacts on performance, safety, or reliability, the organization should adopt compensating countermeasures. These may include employing physical security measures, such as control center keycard access for authorized users, to provide an equivalent level of security capability or protection for the OT environment. The guidance also extends to the implementation of session lock and session termination protocols within OT environments.
One unique challenge in OT environments is the necessity for immediate access to a Human-Machine Interface (HMI) during emergency situations. The time required to enter user credentials may impede operators’ response or intervention, potentially leading to adverse consequences for safety, health, or the environment.
Logical Access Controls
Logical access controls are implemented to restrict access to systems, data, and networks within an organization. Access Control Lists (ACLs) are frequently employed to support these controls. An ACL consists of one or more rules that determine whether an access request should be granted or denied. ACLs are instrumental in enforcing the principle of least functionality and managing access to restricted areas.
ACLs are commonly utilized in conjunction with isolation technologies, such as firewalls. In this context, an ACL specifies the permitted source, destination, and protocol for traffic passing through the isolation device to or from the protected network segment. Additionally, ACLs may be employed for managing both physical and logical access to areas or information, including network file shares, databases, data repositories, and applications. By utilizing ACLs, organizations can effectively control and regulate access to critical resources, ensuring that only authorized entities are granted access.
Organizations should take into consideration the following points:
– Utilize logical access controls, such as Role-Based Access Control (RBAC), to support the principle of least privilege and separation of duties. These controls provide a standardized method for managing access to OT devices, reducing the cost of maintaining individual device access levels and minimizing errors. By configuring roles based on the principle of least privilege, OT user privileges can be restricted to only the necessary permissions for each person’s job. Access levels can encompass viewing, using, and altering specific OT data or device functions.
– Implement solutions that offer credential management, authentication and authorization, and system use monitoring capabilities. These technologies aid in managing risks associated with OT devices and protocols by providing a secure platform that enables authorized personnel to access OT devices.
– Design access control systems to verify the identity of individuals, processes, or devices before granting access, while minimizing latency or delays in processing OT system access or commands.
– Implement highly reliable systems that do not disrupt the routine or emergency duties of OT personnel. Solutions should be designed in a way that reduces the impact on OT operations and safety when determining identity and authorization.
To support access controls, organizations are not limited to a single approach. Depending on criticality, safety, and operational requirements, employing different access control techniques in different zones can be more efficient and effective. For example, using Access Control Lists (ACLs) on network zone firewalls, RBAC on engineering workstations and servers, and Attribute-Based Access Control (ABAC) integrated into physical security for sensitive areas can meet an organization’s risk-based access control requirements.
Physical Access Controls
Physical security controls encompass a range of measures aimed at restricting physical access to assets. These measures are implemented to prevent various undesired outcomes, such as unauthorized entry into sensitive locations, the introduction of unauthorized systems or infrastructure, unauthorized access to communication interfaces or removable media, and the unauthorized disruption of physical processes. Examples of physical access controls include mechanisms for managing and monitoring physical access, maintaining comprehensive logs, and implementing protocols for handling visitors.
Ensuring the physical protection of cyber components and associated data in Operational Technology (OT) environments is an essential aspect of overall security. In many OT facilities, security measures are closely intertwined with operational safety considerations. The primary objective is to safeguard personnel from hazardous situations while allowing them to perform their duties and respond to emergencies effectively.
Physical access controls are frequently employed in the OT environment as compensating controls when legacy systems lack modern IT logical access controls. For example, if an asset cannot have its USB port or power button disabled through logical means, it may be secured by locking it in a cabinet. When implementing these mitigations, organizations should carefully assess whether the physical security controls can be bypassed through wireless or network connections, potentially compromising the protected OT component.
It is crucial to consider the overall security landscape and potential vulnerabilities to ensure that physical access controls are effective in mitigating risks. By evaluating both the physical and logical aspects of security, organizations can establish a comprehensive defense strategy for their OT environments.
A defense-in-depth solution to physical security should consider the following attributes:
– Physical Location Protection: Traditional physical security practices involve implementing layered security measures, such as fences, anti-vehicle ditches, walls, reinforced barricades, gates, locks, and guards, to create multiple barriers around buildings, facilities, rooms, equipment, or other valuable assets. These measures are intended to safeguard physical locations and assets.
– Physical Access Control: It is important to secure equipment cabinets when not in use for operation or safety purposes. Neat wiring should be maintained within cabinets or under floors. Furthermore, consider storing all computing and networking equipment in secure areas. Keys for OT assets like Programmable Logic Controllers (PLCs) and safety systems should remain in the “Run” position unless actively programmed.
– Access Monitoring Systems: Access monitoring systems encompass electronic surveillance capabilities, including still and video cameras, sensors, and identification systems like badge readers, biometric scanners, and electronic keypads. These systems do not prevent access to specific areas but instead record and store information about the physical presence or absence of individuals, vehicles, or other entities. Adequate lighting should be provided based on the type of access monitoring device deployed. Additionally, these systems can sometimes generate alerts or trigger actions upon detecting unauthorized access.
– People and Asset Tracking: Tracking the location of individuals and vehicles within a facility serves both safety and security purposes. Asset location technologies can be utilized to monitor the movements of personnel and vehicles, ensuring that they remain within authorized areas, identifying individuals who may require assistance, and supporting emergency response efforts.
The following are additional physical security considerations:
– Portable Devices: Organizations should implement a verification process to scan portable devices (such as laptops, USB storage devices, etc.) for malicious code before allowing their connection to OT devices or networks. This process helps mitigate the risk of introducing malware or other threats into the OT environment.
– Cabling: While unshielded twisted pair communications cable is suitable for office environments, it may not provide adequate protection against various environmental factors in certain OT environments. These factors include interference from magnetic fields, radio waves, temperature extremes, moisture, dust, and vibration. Organizations should evaluate alternative cabling options or consider using shielding techniques that offer sufficient protection against these environmental threats. Additionally, employing color-coded cables, connectors, and conduits, along with labeling, helps clearly distinguish between OT and IT network segments and reduces the potential for cross-connections.
– Control Centers / Control Rooms: Securing control centers and control rooms is crucial to mitigate multiple threats, including unauthorized access. Access to these areas should be restricted to authorized personnel, given the presence of sensitive servers, network components, control systems, and consoles used for continuous monitoring and rapid response. Gaining physical access to a control room often implies gaining logical access to the entire system or its components. In some cases, organizations may need to consider designing blast-proof control centers or establishing offsite emergency control centers to ensure operational continuity in the event that the primary control center becomes uninhabitable.
Network Segmentation and Isolation
Implementing a defense-in-depth cybersecurity approach often involves utilizing network segmentation or zoning to effectively organize devices based on their location or function. Network segmentation can be achieved through physical means, such as utilizing separate network switches, or through logical configurations using Virtual Local Area Network (VLAN) setups. By appropriately configuring network segmentation, organizations can enforce security policies, control segmented traffic at the Ethernet layer, and establish network isolation. This helps enhance overall cybersecurity by reducing the impact of potential breaches and limiting the lateral movement of threats within the network.
Implementing network segmentation and isolation is a crucial aspect of an organization’s defense-in-depth architecture for OT cybersecurity. While VLANs can offer a cost-effective solution for segmenting OT networks, it is important for organizations to consider using physically separate switches for critical devices, especially those supporting safety systems.
During the configuration of network isolation devices, organizations may face challenges in determining the necessary network traffic for proper OT operations. In such cases, organizations can temporarily allow and record all communication between network segments. This approach allows for the review of communication logs to identify and document authorized communication, which can then be used to establish network isolation rules. This activity may also uncover previously unknown or undocumented communication that requires further review by the organization.
Organizations should also consider regulatory requirements that dictate the use of specific network isolation devices for OT environments or particular network segments. If firewalls are chosen for network isolation, it is advisable to utilize modern firewalls with features such as stateful and deep packet inspection, as well as those designed specifically for OT environments. Enforcing a deny-all, permit-by-exception policy wherever possible and referring to resources like the Centre for the Protection of National Infrastructure’s (CPNI) Firewall Deployment for SCADA and Process Control Networks: Good Practice Guide can assist with effective firewall implementations.
It is essential to note that network isolation devices may not provide protection against all network-based risks. For instance, they do not address risks related to lateral movement within a network segment, such as the propagation of worms or malicious code. Additionally, certain IT and industrial communications protocols have known security vulnerabilities that could be exploitable even with network isolation in place. To mitigate these risks, organizations should consider limiting the use of insecure protocols, enforcing unidirectional information flow, and utilizing secure and authenticated protocols for exchanging information between the OT environment and other network segments.
User, Device, and Asset Authentication
Physical Token Authentication
Physical token authentication addresses the primary vulnerability of easily duplicating or sharing a secret code. It effectively mitigates the common scenario where passwords for “secure” systems are written down and easily accessible. Physical tokens cannot be duplicated without specialized access to specific equipment and supplies, enhancing their security.
Another advantage of physical token authentication is the ability to store a large, physically secure, and randomly generated secret within the token. This secret, embedded in metal or silicon, eliminates the risks associated with manually entered passwords. In the event of a lost or stolen token, the token owner is immediately aware of the situation and can promptly notify security personnel to disable access. In contrast, traditional passwords can be lost or stolen without notice, leaving credentials more susceptible to exploitation.
Various forms of physical/token authentication are commonly used, including:
- Traditional lock and key mechanisms for physical access control.
- Security cards equipped with magnetic strips, smart chips, or optical coding.
- Radio frequency devices such as cards, key fobs, or mounted tags that can be scanned or detected wirelessly.
- Dongles containing secure encryption keys that can be attached to USB, serial, or parallel ports of computers.
- One-time authentication code generators, often in the form of key fobs, that provide unique codes for each authentication instance.
Single-factor authentication using a physical token has a significant weakness: possession of the token automatically grants access. For example, if someone finds a lost set of keys, they can gain access to any locked areas associated with those keys. To enhance security, physical token authentication is more effective when combined with a second form of authentication, such as a memorized PIN that is used in conjunction with the token.
When implementing token-based access control that utilizes cryptographic verification, it is important for the access control system to comply with the requirements outlined in NIST SP 800-78 [SP800-78]. This standard provides guidelines and recommendations for the secure use of cryptographic tokens in various systems and environments. Adhering to these requirements helps ensure the integrity and effectiveness of the access control system.
Biometric authentication provides an added layer of security to software-based authentication methods like passwords, eliminating the need for individuals to remember complex secrets. By utilizing unique biological characteristics, biometric authentication mitigates the risks associated with lost or stolen physical tokens and smart cards. Biometric devices serve as an effective secondary authentication measure, offering a reliable means of verification compared to other authentication methods that can be misplaced or shared.
Integrating biometric authentication with token-based access control or employee time clocks operated by badges significantly enhances the overall security level. This combination ensures that the authentication process is more robust and reliable, further reducing the potential for unauthorized access or fraudulent activity. By leveraging the strengths of both biometric authentication and token-based systems, organizations can establish a stronger and more comprehensive security framework.
When considering the implementation of biometric authentication in industrial applications, organizations should exercise caution and conduct a thorough assessment. The unique challenges present in OT environments, including physical and environmental factors, may impact the reliability and effectiveness of biometric authentication.
To ensure the successful integration of biometric technology, organizations should collaborate closely with system vendors or manufacturers. It is crucial to discuss and understand the specific physical and environmental properties of the OT environment and identify any potential limitations or requirements for biometric authentication.
Smart Card Authentication
Smart cards are available in a range of form factors, offering diverse options for organizations. These form factors include USB devices as well as cards with embedded chips, similar in size to credit cards, which can be printed and embossed. Smart cards offer flexibility in terms of customization and individualization, allowing organizations to tailor them to their specific needs.
Organizations have the option to manage the entire smart card issuance process in-house or outsource it to service providers. These service providers have the capacity to issue a large volume of smart cards, potentially reaching hundreds of thousands per day. This enables organizations to efficiently distribute smart cards to their intended users while ensuring scalability and streamlined operations.
While smart cards offer valuable functionality, their implementation in an OT environment must carefully consider the overall security context. Several factors need to be addressed, including the identification of individuals, card issuance, revocation in case of suspected compromise, and the assignment of authorizations to authenticated identities. These tasks pose significant challenges both initially and throughout the card’s lifecycle.
In some cases, organizations may be able to leverage corporate IT resources or other support systems for deploying smart cards and establishing the necessary public key infrastructures. However, it is crucial to assess the impact on OT operational capabilities if reliance on IT systems and services is required to support smart card technology.
Furthermore, organizations should consider provisions for managing lost or damaged cards, the associated costs of implementing and maintaining an access control system, and establishing efficient processes for card distribution and retrieval. It is important to account for temporary access arrangements for OT personnel to prevent disruptions to operations or compromise of safety.
Organizations should consider that the authenticity of a person, device, or system can be determined through various factors, such as something you know, something you have, or something you are. When multiple factors are employed, it is referred to as multi-factor authentication (MFA). Generally, the inclusion of more factors in the authentication process enhances its strength and reliability.
For instance, authentication can be based on something known, such as a PIN number or password, something possessed, such as a key, dongle, or smart card, or something inherent to the individual, such as a biological characteristic like a fingerprint or retinal signature.
Organizations should carefully evaluate the need for implementing multi-factor authentication (MFA) to protect their OT environments, whether in its entirety or specific segments. MFA is widely recognized as a best practice for securing remote access to OT applications. However, when determining the implementation and usage of MFA within an OT environment, organizations must take into account various authentication scenarios, as certain OT components may only support single-factor authentication or lack authentication altogether.
To address this, organizations should consider adapting credential requirements based on the type of access and other mitigating factors present in the environment. For instance, remote access to the OT environment may necessitate MFA to ensure robust security, while local access may be limited to a user ID and password due to additional mitigating factors. These factors could include physical access controls that require individuals to undergo authentication before gaining physical access to the area where the user ID and password are utilized.
While password authentication is widely used and considered straightforward, it comes with several vulnerabilities and risks that organizations need to be aware of. Relying solely on password authentication can pose significant security challenges. One such vulnerability is the prevalence of default passwords that are easily guessed, discovered, or even found through online research. This increases the risk of unauthorized access to systems.
Another weakness is the potential for third-party eavesdropping. Passwords entered on keyboards can be visually observed by malicious individuals or captured using keystroke loggers, compromising the security of the authentication process. In some cases, network services and protocols transmit passwords as plaintext, leaving them exposed to interception by any network capture tool. This lack of encryption further increases the vulnerability of passwords.
Furthermore, the practice of sharing passwords or using shared credentials poses additional risks. When multiple individuals or devices use the same credentials, it becomes challenging to identify the specific entity responsible for accessing a protected resource. This limits accountability and raises concerns about unauthorized modifications or misuse of privileges.
To mitigate these risks, organizations adopt a defense-in-depth approach, where multiple layers of security controls are implemented. This approach ensures that password authentication is not the sole barrier against unauthorized access or modifications.
Ensuring the secure and reliable handling of passwords is crucial for the continuous operation of OT systems, especially since many of these systems lack password recovery mechanisms. Organizations are advised to change the default passwords on OT equipment to increase the difficulty for adversaries attempting to guess them. However, once changed, it is essential to provide access to the new passwords to authorized personnel. To streamline password management, organizations may consider implementing a secure password management tool that is accessible to authorized individuals.
It is worth noting that some OT operating systems present challenges in setting secure passwords. This could be due to password size limitations that do not meet current standards or the system’s requirement for group passwords at each level of access, rather than individual passwords. Additionally, certain industrial and Internet protocols transmit passwords in plaintext, rendering them vulnerable to interception. In cases where avoiding this practice is not feasible, users should employ different and unrelated passwords for encrypted and non-encrypted protocols to mitigate risks.
Moreover, when implementing policies based on login password authentication in the OT environment, special considerations are necessary. Without an exclusion list based on machine identification (ID), applying such policies to non-operator logons can have adverse effects on the operation of the OT system. For example, policies like auto-logoff timeout and administrator password replacement may inadvertently disrupt the system’s functionality.
The following are general recommendations and considerations with regards to the use of passwords:
Here are some rewritten recommendations regarding password management in OT environments:
- Change all default passwords in OT components to enhance security and prevent unauthorized access.
- Passwords should be selected with appropriate length, strength, and complexity, considering both security requirements and operational ease of access within the capabilities of the software and underlying operating systems.
- Avoid using passwords that can be found in a dictionary or contain predictable sequences of numbers or letters to mitigate the risk of password guessing attacks.
- Exercise caution when using passwords on specialized OT devices like control consoles for critical processes. Password protection on these consoles should be evaluated to avoid potential safety issues, such as operator lockouts or delayed access during critical events. Consider implementing physical or network isolation for devices where password protection is not recommended.
- Maintain copies of shared or master passwords in a secure location with limited access. Access to these passwords should also be available in case of emergencies. Organizations should establish procedures for periodic password changes in the event of compromised passwords or when individuals with access leave the organization.
- Apply additional safeguards for privileged (administrative) account passwords. This includes implementing stronger password requirements, more frequent password changes, and additional physical safeguards to protect against unauthorized access.
- Avoid sending passwords across networks unless they are protected by FIPS-approved encryption or salted cryptographic hash specifically designed to prevent replay attacks.