In the past, OT environments were well protected by physical measures and access restrictions to facilities. Today, with increasing digitalization and the growing attack surface that comes with it, these physical measures are no longer sufficient. OT networks and components are increasingly connected to enterprise-wide services. In the race to digitalize, aiming at highly efficient production processes, low outage times, and higher product quality, many enterprises have started to leverage production data for optimization, mainly with cost savings in mind. This use of data exposes production-specific equipment and information outside of physically protected facilities and thereby creates the need for compensating security controls beyond physical access restrictions.
At BxC, we believe that IAM in connected factories and legacy OT is a cornerstone of adequate protection against digital attacks. In IT, attacks mainly affect digital assets and information. In OT, they can destroy physical resources and, in extreme cases, even cost human lives. With this Point of View (PoV), we want to share our beliefs on the key areas for efficient IAM controls for organizations that are starting to grasp this major and often overwhelming dimension of IAM in OT.
This PoV is based on one grounding assumption: the different IAM domains should not be treated as independent areas. They are strongly interlinked, and the effectiveness of one domain can only be as good as the domains it depends on. The order in which improvements are approached, planned, and implemented usually differs, depending on the enterprise's business focus, regulatory requirements, and the reasons driving the IAM strategy.
In the overall IAM strategy, the individual domains will have different priorities. Nevertheless, the areas connecting different domains are of special importance: their processes and technical implementations must satisfy the requirements of all connected domains. In organizations where responsibility for the IAM domains is distributed over different departments, close interaction between these departments is necessary for IAM success.
Fig. 1: IAM Domains and their key areas
Effective IAM as a Fundamental Control
During the past years, the number of cyber-attacks based on identity theft has continuously increased. Verizon's DBIR 2020 confirms that credential and identity theft is a dominant attack vector and is not going to disappear. Although the majority of such attacks targeted enterprise IT environments, the impact on the value chain of companies with a strong OT footprint is growing. Along with the changing threat landscape, regulators increasingly adopt requirements that force companies to address these threats and reduce the overall risk.
The more OT services are connected to enterprise networks, the more urgent a review of IAM controls in OT becomes. Reliable digital access controls are a crucial pillar of OT security for enterprises that want to succeed in the digital age and sustain their business.
Common Problems to Address
In enterprise IT, Identity and Access Management is one of the main focus areas of every cybersecurity improvement effort. Within many organizations, CISOs have at least started to establish processes and solutions to address the growing IAM challenges. In OT environments, these challenges are often not yet addressed comprehensively, as engineers are frequently still under the impression that their manufacturing lines are fully air-gapped production processes.
In reality, fully isolated production facilities are becoming rare due to the growing demand for production data analysis. C-level management has identified the potential of such information to save cost, reduce downtime of value chain components, and increase product customization. Such production insights require a constant flow of information from the facilities to enterprise applications in the company network or at cloud providers. If not designed and implemented following a Security-by-Design principle, this connectivity can affect production stability, intellectual property, and even safety.
Overview of the IAM Domains
In the following sections, we give a brief overview of the role and targets of the different IAM domains. There is no silver bullet for their implementation: IAM has to support the business processes of the enterprise and must not be seen as an isolated cybersecurity function.
Identity Management ensures transparency and validation of all parties with whom the enterprise interacts. In IT, the Identity Management domain is mainly concerned with individuals who obtain and hold access to business services and data. This applies to OT as well, where internal employees, such as engineers and operators, and third parties have to be managed.
External service providers play an important role in OT environments. Many production lines are managed by vendors or external operators within the production enterprise's environment. In these cases, external staff require on-demand access to production equipment, often from remote locations. Organizations and individuals who access sensitive areas of OT environments must be consistently verified and their identities maintained.
Devices play an essential role in OT, which is a notable difference from typical IT IAM controls. Many OT components are embedded, closed systems. During day-to-day production, they act mostly autonomously in the network, often without human interaction. Their firmware, configuration status, and role in the process give IAM controls useful context for access decisions. To obtain this device context, suitable asset management practices and solutions must be in place to deliver the information that allows trustworthy identities to be generated and used.
In existing IT IAM implementations, Identity Management processes are often well established for managing individuals and can be extended to cover the demands of OT. However, they often lack the built-in logic to manage OT devices comprehensively as identities. With a flexible product and data model, these device relationships can be implemented with reasonable effort, and this option is worth evaluating before choosing a separate solution for the purpose.
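As an added illustration of how asset-management context feeds an access decision (this is example code written for this PoV's argument, not a product's or the page's own implementation), the following Python snippet models devices as identities and denies access whenever the device is unknown, runs unapproved firmware, or has drifted from its approved configuration. The inventory, firmware list, role permissions and field names are all constructed assumptions.

```python
"""Device identities with asset-management context in OT access decisions.

Added illustration, not code from the original page. The device inventory,
the approved firmware list and the role permissions below are constructed;
the field names and the policy rules are assumptions made for this example.
"""
from dataclasses import dataclass, field

# Firmware versions approved by asset management, per device type (constructed).
APPROVED_FIRMWARE = {
    "plc": {"2.8.1", "2.9.0"},
    "hmi": {"5.4.2"},
}

# Human role -> (process role of the device, action) pairs it may perform (constructed).
ROLE_PERMISSIONS = {
    "operator": {("operator-panel", "view"), ("operator-panel", "operate")},
    "engineer": {("line-controller", "view"), ("line-controller", "configure"),
                 ("operator-panel", "view"), ("safety-plc", "view")},
    "vendor": {("line-controller", "view")},
}


@dataclass
class DeviceIdentity:
    """What asset management has to know about a device before it can be trusted."""
    device_id: str
    device_type: str            # e.g. "plc", "hmi"
    firmware: str               # version currently reported by the device
    config_hash: str            # hash of the running configuration
    approved_config_hash: str   # golden configuration recorded by asset management
    process_role: str           # role of the device in the production process


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def build_inventory():
    """Constructed asset inventory: one healthy PLC, one with stale firmware,
    and one HMI whose configuration drifted from the approved baseline."""
    devices = [
        DeviceIdentity("plc-01", "plc", "2.9.0", "a1f3", "a1f3", "line-controller"),
        DeviceIdentity("plc-02", "plc", "2.7.0", "b7c2", "b7c2", "line-controller"),
        DeviceIdentity("hmi-07", "hmi", "5.4.2", "9e00", "9e11", "operator-panel"),
    ]
    return {d.device_id: d for d in devices}


def evaluate_access(inventory, user_role, device_id, action):
    """Combine the requester's role with device context from the inventory.

    Every missing or untrusted piece of context denies; the collected reasons
    make the decision auditable. A device unknown to asset management has no
    identity that could be trusted, so it is denied outright.
    """
    device = inventory.get(device_id)
    if device is None:
        return Decision(False, ["device not in asset inventory"])

    reasons = []
    if device.firmware not in APPROVED_FIRMWARE.get(device.device_type, set()):
        reasons.append(f"firmware {device.firmware} not approved for {device.device_type}")
    if device.config_hash != device.approved_config_hash:
        reasons.append("configuration deviates from approved baseline")
    if (device.process_role, action) not in ROLE_PERMISSIONS.get(user_role, set()):
        reasons.append(f"role {user_role} may not {action} a {device.process_role}")
    return Decision(not reasons, reasons)
```

The point of the example is the dependency the text describes: the decision is only as good as the inventory behind it. If asset management cannot supply firmware and configuration state, the checks collapse to a plain role lookup.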
Enforcing the least privilege principle requires a solid design of access rights and roles. It is crucial to integrate this design with the existing Identity Management so that unique identities are used for access assignments, which makes responsibility and accountability for access transparent.
The clear majority of enterprises have established some form of RBAC (Role-Based Access Control). Models such as the following are very common in RBAC implementations.
Fig. 2: Exemplary RBAC Role Model
Commonly, such models can be easily adapted to the roles and functions within OT and form a solid baseline for harmonized access governance throughout the enterprise. BxC is preparing an upcoming PoV that discusses the different role models in greater detail.
Overall, OT access governance should target automatic access provisioning and the reconciliation of access profiles read back from the target systems. If permissions can be set and revoked immediately, occasional provider access can be enabled and disabled on demand, and rarely used permissions no longer have to remain permanently enabled in OT systems.
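The following Python example, added here and not taken from the original PoV or any product, shows what such a reconciliation looks like in practice: the role model is resolved to the entitlements each identity should hold right now, the result is compared with an account dump from the target system, and the difference becomes grant and revoke actions. A time-bound role assignment stands in for the on-demand provider access mentioned above. Role names, identities and the account dump are constructed.

```python
"""Reconciling target-system access against the RBAC role model.

Added illustration, not code from the original page. The role definitions,
identities and the target-system account dump are constructed; the time-bound
role assignment models the on-demand provider access described in the text.
"""
from datetime import datetime, timedelta, timezone

# Business role -> entitlements it grants on the OT target system (constructed).
ROLE_ENTITLEMENTS = {
    "line_operator": {"hmi_operate"},
    "maintenance_engineer": {"hmi_operate", "plc_program"},
    "vendor_support": {"plc_diagnostics"},
}

NOW = datetime(2024, 1, 15, 8, 0, tzinfo=timezone.utc)  # fixed clock for the example


def desired_entitlements(identities, now):
    """Resolve each identity's role assignments into the entitlements it should
    hold right now. Assignments whose 'expires' timestamp lies in the past are
    ignored, so an expired on-demand grant automatically becomes something to revoke."""
    desired = {}
    for ident in identities:
        ents = set()
        for assignment in ident["roles"]:
            expires = assignment.get("expires")
            if expires is not None and expires <= now:
                continue
            ents |= ROLE_ENTITLEMENTS[assignment["role"]]
        desired[ident["uid"]] = ents
    return desired


def reconcile(desired, actual):
    """Compare the desired state with the accounts read back from the target system.

    Returns the provisioning actions: entitlements to grant, entitlements to revoke,
    and orphaned accounts that exist on the target without any managed identity.
    """
    grant, revoke, orphaned = {}, {}, set()
    for uid, have in actual.items():
        if uid not in desired:
            orphaned.add(uid)
            continue
        extra = have - desired[uid]
        if extra:
            revoke[uid] = extra
    for uid, want in desired.items():
        missing = want - actual.get(uid, set())
        if missing:
            grant[uid] = missing
    return {"grant": grant, "revoke": revoke, "orphaned": orphaned}


def sample_run(now=NOW):
    """Constructed identities and a constructed account dump from the target system."""
    identities = [
        {"uid": "jdoe", "roles": [{"role": "maintenance_engineer"}]},
        {"uid": "aop", "roles": [{"role": "line_operator"}]},
        # provider access granted on demand, still valid for four more hours
        {"uid": "acme-01", "roles": [{"role": "vendor_support",
                                      "expires": now + timedelta(hours=4)}]},
        # provider access whose window closed an hour ago
        {"uid": "acme-02", "roles": [{"role": "vendor_support",
                                      "expires": now - timedelta(hours=1)}]},
    ]
    actual = {
        "jdoe": {"hmi_operate"},                   # missing plc_program
        "aop": {"hmi_operate", "plc_program"},     # holds more than the role allows
        "acme-02": {"plc_diagnostics"},            # grant expired, still enabled
        "svc_legacy": {"plc_program"},             # no identity behind this account
    }
    return reconcile(desired_entitlements(identities, now), actual)
```

Running the reconciliation on a schedule is what turns the role model from documentation into a control: permissions set by hand on the target system surface as revocations or orphaned accounts instead of silently persisting.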
Passwords are by far the most common form of credential in OT. Especially for embedded systems, technical integration into central password management solutions is often not possible, so standard password management is hard to enforce on OT components. Organizational processes should ensure that passwords are changed regularly and that the changes are documented for audit purposes.
In newer OT components, other forms of key-based or multi-factor authentication are on the rise. Wearables that communicate over NFC offer key-based authentication to equipment and are an improvement worth considering. Activated once and usable until detached from the body, they offer convenience for workers together with better control over credentials and their use in the field.
Remote access to OT networks should always require multi-factor authentication. Such access scenarios carry a higher risk for the enterprise because the accessing devices are not under its control. Multi-factor authentication provides strong validation of credentials that are bound to an individual and cannot be stolen easily.
Privileged Access Management
Privileged user accounts are often the dominant target of attackers for device compromise, malware deployment, and lateral movement in the victim's network. Isolating highly privileged access from day-to-day business processes is already a recurring task in many IT departments. This includes reducing daily work with local admin rights, as well as monitoring and recording sessions with high privileges so they can be reviewed when required.
In OT, engineers often still work with local admin privileges on their workstations on a daily basis. Processes for temporarily assigning high privileges when needed must be developed and implemented in a way that integrates well with operational demands.
Where enterprises have already established PAM solutions and processes for IT, they should evaluate whether these can be adapted to the needs of OT. The jump server components of PAM products, combined with session monitoring and recording, give OT security staff a good means of limiting direct network access of VPN users to OT networks.
Access Management covers the process of accessing business services or OT equipment. It defines which credentials must be presented to access a service with certain privileges. Furthermore, it enables the interoperation of various vendor solutions in different networks by using globally standardized protocols for authentication and authorization on the application level.
A flexible Access Management architecture is vital to allow secure integration with different services provided by OT, IT, and cloud providers. Tasks such as the transformation of access tokens and the evaluation of application data must be supported by Access Management solutions.
API gateways offer further services to transform application data and thus map between different application protocols and data models. This allows enterprises to integrate OT equipment with business analysis solutions, which is the foundation for the success of IIoT and Industry 4.0.
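To make the token transformation mentioned above concrete, the following Python example (written for this PoV as an illustration, not code from the original page or from any gateway product) shows a gateway verifying a token issued by an enterprise identity provider and exchanging it for a narrow, short-lived token that only the OT service accepts. HS256 JWTs are hand-rolled with the standard library so the example runs offline; a real deployment would use a vetted JWT library and the identity provider's published keys. Issuers, audiences, group names, the group-to-scope mapping and the five-minute lifetime are assumptions.

```python
"""Token transformation between an enterprise IdP and an OT service API.

Added illustration, not code from the original page. HS256 JWTs are hand-rolled
with the standard library so the example runs offline; a real gateway would use a
vetted JWT library and the IdP's published keys. Issuers, audiences, group names,
the group-to-scope mapping and the five-minute lifetime are assumptions.
"""
import base64
import hashlib
import hmac
import json

ENTERPRISE_KEY = b"enterprise-idp-shared-secret"   # constructed, not a real key
GATEWAY_KEY = b"ot-gateway-signing-secret"          # constructed, not a real key
ENTERPRISE_ISSUER = "https://idp.corp.example"
GATEWAY_AUDIENCE = "ot-gateway"
GATEWAY_ISSUER = "https://gw.ot.example"
OT_AUDIENCE = "ot-historian-api"

# Enterprise group -> least-privilege scopes understood by the OT service (assumption).
GROUP_TO_SCOPE = {
    "OT-Maintenance": {"plc:read", "plc:write"},
    "Analytics": {"historian:read"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWT over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    """Check algorithm, signature, issuer, audience and expiry; raise ValueError on failure.

    The gateway pins the algorithm instead of trusting the header, so a token
    declaring 'none' or another algorithm is rejected before the signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims


def transform(enterprise_token: str, now: int) -> str:
    """Exchange a verified enterprise token for a narrow, short-lived OT token.

    Only the subject and the OT scopes derived from the user's groups are forwarded;
    enterprise group membership itself never reaches the OT network."""
    claims = verify_jwt(enterprise_token, ENTERPRISE_KEY, ENTERPRISE_ISSUER, GATEWAY_AUDIENCE, now)
    scopes = set()
    for group in claims.get("groups", []):
        scopes |= GROUP_TO_SCOPE.get(group, set())
    if not scopes:
        raise ValueError("identity has no entitlement on the OT side")
    downstream = {
        "iss": GATEWAY_ISSUER,
        "sub": claims["sub"],
        "aud": OT_AUDIENCE,
        "scope": " ".join(sorted(scopes)),
        "iat": now,
        "exp": now + 300,  # five minutes: long enough for one API call chain
    }
    return sign_jwt(downstream, GATEWAY_KEY)
```

Two design choices carry the security value: the OT service trusts only tokens signed by the gateway for its own audience, so an enterprise token cannot be replayed against it directly, and the downstream token carries OT scopes rather than enterprise group names, so the mapping from business roles to plant permissions stays in one reviewable place.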
Identity and Access Management is a broad field and covers many technologies that need to be combined to achieve a sufficient level of security. Enterprises should evaluate their existing IAM services in IT and assess which parts can be re-used in OT. Given the usually high investment in comprehensive IAM solutions and processes, this can save significant investment as well as operational labor and technology.
OT security experts should establish a regular exchange with their IAM and IT security staff to learn about existing solutions and their potential. Many IAM solutions are very flexible and integrate well into the OT landscape but require some adaptation to meet the expectations and needs of production environments and processes.
This PoV is the starting point of an extended series, where we dive deeper into particular topics and provide more insights into use cases and potential solutions.
At BxC, we are convinced that a clear big picture combined with a pragmatic approach to implementing IAM controls gives organizations rapid development and validation cycles for the envisioned controls and their effectiveness. We support our clients in establishing a constant flow of improvements along with tangible reporting to all stakeholders in the organization.