Access Control Implementation in ICS
Introduction
Industrial Control Systems (ICS) differ from traditional information technology (IT) systems, making the implementation of certain security controls difficult. Access Controls (AC) deal with how users or processes access the system. The National Institute of Standards and Technology (NIST) defines access controls as follows:
“The process of granting or denying specific requests for obtaining and using information and related information processing services for physical access to areas within the information system environment.”
NIST Special Publication (SP) 800-82, Revision 2 is used to implement security controls in systems owned and used by the federal government. Those working on ICSes in a federal environment are bound to NIST standards.
The Center for Internet Security (CIS) has created an implementation guide for Industrial Control Systems (ICS). They are currently on version 7. This guide is useful in helping those working in commercial ICS environments.
Below, we will discuss access controls and the best ways to implement them in ICS environments.
CIS access control implementation
CIS is used in non-federal environments. There are five controls listed that are applicable to access control implementation. They are described below:
CIS Control 4 — Controlled Use of Administrative Privileges
One of the ways potential hackers gain access to a system is by using phishing techniques to get a privileged user to open a malicious email and deliver the payload. Another is using the same technique on a less-privileged user and exploiting password weaknesses to elevate their privileges and wreak havoc on the system.
This is why strong password policies and separation of duty practices are vital in protecting an ICS environment. Ways to implement this control include:
- Implement multi-factor authentication
- Enforce use of a 14+ character password or a password with capitals, special characters and numbers
- Remove all default admin accounts
- Force admin users to only use admin accounts when necessary and use standard user accounts when performing non-administrative functions (if applicable)
- Automate alerts for when new accounts are created
CIS Control 6 — Maintenance, Monitoring and Analysis of Audit Logs
Audit logs identify what is taking place on a system. These can be things like whether new accounts are created or altered, who is logging in, when they are logging in and other access-related items of interest.
Monitoring audit logs is an important step in ensuring proper access habits are enforced. Embedded systems do not always audit security events at the same default level as traditional IT systems. It also may not be easy to have those logs sent to a centralized monitoring system. Using a SIEM designed for ICSes could prove beneficial.
When implementing a SIEM, if you choose to do so, you may not be able to monitor the audit logs on the same level as a traditional IT system. Despite this, work to configure the SIEM to monitor and analyze the logs as detailed and extensively as you can.
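As an added illustration (not code from the article or from CIS) of the audit-log monitoring described under Control 6 and the "alert on new accounts" item under Control 4, the script below parses a handful of constructed syslog-style lines and raises alerts for account creation or alteration, direct root logins and logins outside an assumed 06:00-22:00 operations window; the hosts, users and window are invented for the example.

```python
import re
from datetime import datetime, time

# Constructed sample audit lines (syslog-like); not taken from any real system.
SAMPLE_LOG = """\
2024-03-11T02:14:05 hmi-01 useradd[412]: new user: name=svc_backup, UID=1007, by=jdoe
2024-03-11T02:15:40 hmi-01 sshd[450]: Accepted password for jdoe from 10.10.5.23 port 51022
2024-03-11T09:03:12 eng-ws-02 sshd[781]: Accepted publickey for ops from 10.10.5.40 port 40210
2024-03-11T09:10:00 hmi-01 usermod[790]: change user 'operator' to group 'sudo' by=jdoe
2024-03-11T23:45:31 plc-gw-03 sshd[911]: Accepted password for root from 192.0.2.77 port 3331
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[a-z]+)\[\d+\]: (?P<msg>.*)$")
LOGIN_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")

# Assumed operations window; logins outside it are worth a second look.
SHIFT_START, SHIFT_END = time(6, 0), time(22, 0)


def parse(line):
    """Split one log line into timestamp, host, process and message (None if malformed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def analyze(log_text, shift=(SHIFT_START, SHIFT_END)):
    """Return a list of (severity, host, description) alerts for the given log text."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        # Any account creation or modification is reported (CIS Control 4 item).
        if ev["proc"] in ("useradd", "usermod"):
            alerts.append(("HIGH", ev["host"], f"account change: {ev['msg']}"))
            continue
        m = LOGIN_RE.search(ev["msg"])
        if m:
            user, src = m.group("user"), m.group("src")
            if user == "root":
                alerts.append(("HIGH", ev["host"], f"direct root login from {src}"))
            if not (shift[0] <= ev["ts"].time() < shift[1]):
                alerts.append(("MEDIUM", ev["host"], f"off-shift login by {user} from {src} at {ev['ts']}"))
    return alerts
```

Run against the sample, `analyze(SAMPLE_LOG)` yields five alerts: two account changes, one root login and two off-shift logins.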
CIS Control 14 — Controlled Access Based on the Need to Know
The protection of data, particularly sensitive data, is the heart of security objectives. Some ways to implement access-based need to know include:
- Compartmentalize data into controlled segments. This includes creating both physical and logical separation of assets
- Create ACLs to ensure only authorized personnel access the data they are supposed to
CIS Control 6 — Wireless Access Control
Ensure wireless traffic uses controlled, preferably private, networks. Wireless traffic should use, at a minimum, AES or ECC encryption to protect network traffic.
CIS Control 6 — Account Monitoring and Control
Some ways to implement account monitoring and control include:
- Use shared accounts and passwords only when necessary
- Create a process for changing shared account passwords and deleting accounts immediately upon termination of any workforce member
- Remove applications leveraging cleartext authentication or basic security authentication. Where not possible, use unique credential sets and monitor their usage
- Enforce complex passwords
- Automatically lock accounts after periods of inactivity
NIST considerations
As stated earlier, NIST SP 800-82, Revision 2, is used to implement security controls in systems owned and used by the federal government.
If you are working in a federal environment, supplemental guidance for the AC controls can be found in the following documents:
- NIST SP 800-63 provides guidance on remote electronic authentication
- NIST SP 800-48 provides guidance on wireless network security with particular emphasis on the IEEE 802.11b and Bluetooth standards
- NIST SP 800-97 provides guidance on IEEE 802.11i wireless network security
- FIPS 201 provides requirements for the personal identity verification of federal employees and contractors
- NIST SP 800-96 provides guidance on PIV card to reader interoperability
- NIST SP 800-73 provides guidance on interfaces for personal identity verification
- NIST SP 800-76 provides guidance on biometrics for personal identity verification
- NIST SP 800-78 provides guidance on cryptographic algorithms and key sizes for personal identity verification
- NIST SP 800-82 describes areas in which ICS should ensure access controls are implemented
The five areas are:
- Wireless: In federal environments, the use of wireless technology is strongly discouraged. It should only be used when the risk is low. Specific guidance is in SP 800-48 and SP 800-97, but the use of strong passwords and encryption are the main suggestions
- Dial-up modems: Some legacy ICSes still use this technology. Ensure default passwords are removed, physical hardware has been identified and protected, and ensure audit logs are monitored
- Virtual Local Area Network (VLAN): Used to divide networks into small and logically separate networks. Useful in compartmentalizing data and protecting against a compromise leading to total system access by the hacker
- Web servers: Minimize the use of mobile code and ensure that only appropriate personnel have direct access
- Role-Based Access Control (RBAC): Implement the use of roles, hierarchies and constraints to organize user access levels
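To make the RBAC item above concrete (roles, a hierarchy in which senior roles inherit junior permissions, and a constraint), and the separation-of-duty point raised under CIS Control 4, here is an added example model that is not from the article, NIST or CIS; the plant roles, permission names and the engineer/auditor conflict are assumptions chosen for illustration.

```python
from collections import deque


class RBAC:
    """Minimal RBAC model: roles with direct permissions, a role hierarchy
    (a senior role inherits from its junior roles) and static separation-of-duty
    constraints (a user may not hold two conflicting roles). Constructed example."""

    def __init__(self):
        self.perms = {}     # role -> set of permissions assigned directly
        self.parents = {}   # role -> set of junior roles it inherits from
        self.sod = set()    # frozenset({role_a, role_b}) pairs that must not be co-held
        self.users = {}     # user -> set of directly assigned roles

    def add_role(self, role, perms=(), inherits=()):
        self.perms[role] = set(perms)
        self.parents[role] = set(inherits)

    def add_sod(self, role_a, role_b):
        self.sod.add(frozenset((role_a, role_b)))

    def assign(self, user, role):
        held = self.users.setdefault(user, set())
        for other in held:
            if frozenset((role, other)) in self.sod:
                raise PermissionError(f"{user}: {role} conflicts with {other} (separation of duty)")
        held.add(role)

    def effective_roles(self, user):
        """Directly assigned roles plus everything reachable through the hierarchy."""
        seen, queue = set(), deque(self.users.get(user, ()))
        while queue:
            r = queue.popleft()
            if r in seen:
                continue
            seen.add(r)
            queue.extend(self.parents.get(r, ()))
        return seen

    def can(self, user, perm):
        return any(perm in self.perms.get(r, ()) for r in self.effective_roles(user))


def build_plant_model():
    """Assumed plant roles: viewer < operator < engineer, with auditor as a separate branch."""
    m = RBAC()
    m.add_role("viewer", {"hmi:read"})
    m.add_role("operator", {"hmi:setpoint"}, inherits={"viewer"})
    m.add_role("engineer", {"plc:download_logic"}, inherits={"operator"})
    m.add_role("auditor", {"logs:read"}, inherits={"viewer"})
    m.add_sod("engineer", "auditor")  # whoever changes logic must not also review the logs
    m.assign("alice", "engineer")
    m.assign("bob", "auditor")
    return m
```

With this model, `alice` can read the HMI and download logic through inheritance but cannot read audit logs, and trying to give `bob` the engineer role raises `PermissionError`.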
Conclusion
Both NIST and CIS address ways to implement access controls in ICS environments. They have similar implementation ideas and requirements. Takeaways from both include:
- Implement multi-factor authentication
- Enforce use of a 14+ character password or a password with capitals, special characters and numbers
- Remove all default admin accounts
- Force admin users to only use admin accounts when necessary and use standard user accounts when performing non-administrative functions (if applicable)
- Automate alerts for when new accounts are created
- Use shared accounts and passwords only when necessary
- Create a process for changing shared account passwords and deleting accounts immediately upon termination of any workforce member
- Remove applications leveraging cleartext authentication or basic security authentication. Where not possible, use unique credential sets and monitor their usage
- Enforce complex passwords
- Automatically lock accounts after periods of inactivity
- Use a SIEM or other automated tool to monitor and analyze audit logs
- Compartmentalize sensitive data and implement ACLs
Implementing these suggestions is useful in stopping potential attacks from being successful. Access controls are just one part of the overall security posture of a system, so ensure you are implementing an in-depth security strategy.
Sources
- NIST Special Publication 800-82, Revision 2, NIST
- CIS Controls ICS Companion Guide, CIS
- Controlled Use of Administrative Privileges, CIS
- Maintenance, Monitoring, and Analysis of Audit Logs, CIS
- Controlled Access Based on the Need to Know, CIS
- Wireless Access Control, CIS
- Account Monitoring and Control, CIS