Author: Roman Arutyunov, Co-founder and Senior Vice President of Products, Xage Security
Compromised identities and stolen credentials are a major attack vector for cyberattackers. So a huge range of products has sprung up to manage identities, manage credentials, manage privileged credentials. IAM, PAM, IASM ICAM, PEDM, PASM…the list goes on.
And that’s just for IT!
When you get into operational technology (OT), the sensors and actuators that control the flow of molten steel in a factory, or the vibration of windmill blades on a wind farm, you encounter a whole other set of identity challenges. As these operational systems that control critical infrastructure become more interconnected and remotely accessible over the internet, the risk of cyberattack via compromised identity skyrockets.
Here are five major Identity and Access Management challenges faced by critical infrastructure organizations, and some potential solutions:
1. Users Have Multiple Identities for Different Environments, leading to bad experiences and high friction
Regulations and frameworks such as NIST SP 800-82 Rev. 2, and the CISA Performance Goals, recommend or require critical infrastructure organizations to maintain multiple sets of identities and credentials for different assets. Their IT infrastructure uses one Active Directory instance with one set of credentials, and their OT environment has multiple different identity providers and instances per site, while their DMZ may have yet another. This is important for security because it means that a compromised IT credential does not grant access to OT assets, and a compromise at one OT site does not expose all the others. However, requiring multiple sets of credentials, sometimes dozens per employee, creates friction both for end-users and for the administrators of identity management systems. In cases where a technician needs to access a faulty PLC controlling the flow of oil in a pipeline, every minute counts, and identity-based friction can have extreme negative consequences.
2. OT assets are not compatible with modern identity and access management solutions such as Active Directory
Even for organizations that closely follow best practices, there are likely to be assets that are completely incompatible with modern identity management infrastructure. Many operational technology assets are built to last for decades, and use embedded operating systems that are not compatible with IAM systems such as Active Directory. Programmable Logic Controllers (PLCs), Human Machine Interfaces (HMIs) , Remote Terminal Units (RTUs) and other common pieces of operational technology often require insecure workarounds to interface with an organization’s identity infrastructure. In the past, the airgapped nature of OT networks provided a layer of protection. As that protection dissipates due to digital transformation, a large new attack surface is opening up, and hacker groups are eager to prove that they can compromise these assets. Identity and Access Management for these devices has never been more important for the security of critical infrastructure.
This challenge is further exacerbated as new identity and authentication technologies are introduced. For example, as more organizations adopt hardware tokens for authentication, it becomes a challenge to authenticate users into devices they cannot physically access because they’re deep inside an offshore oil rig or wind farm. The delta between the rapid cadence of new security technology development and the risk-averse, slow-changing nature of operational technology will continue to create such challenges.
3. Friction in identity management leads to insecure sharing of accounts
Because of the challenges in managing identity infrastructure, and the challenge of using access control against devices with no built-in capabilities, administrators often create shared accounts. These accounts may be used by internal technicians as well as third party contractors, with little possibility for recording or auditing who does what. Malicious behavior or honest mistakes end up being difficult to track down, and can cause costly operational downtime as issues are investigated and resolved.
4. Privileged accounts are not deprovisioned and end up being weaponized
The challenges in managing identities means that things fall through the cracks. Privileged identities are often created for third parties or contractors to fulfill a specific task. If those accounts are not deprovisioned in a timely manner, they risk being stolen and abused by attackers. Stolen credentials are one of the most common attack vectors, and operational technology is not immune to having privileged accounts stolen, sold on the dark web, and used in an attack.
5. OT sites have intermittent connectivity, losing connection to centralized identity infrastructure, and cutting off access to OT assets when the network is down
Mines, offshore oil rigs, and wind farms tend to be in remote, desolate locations relying on satellite internet or other connections that are not as stable as you’d get in an urban, populated area. The technology at the site has to keep working even if the internet goes down. If the identity and access management solution relies on a connection to the cloud to be able to retain and enforce policy, then a site with intermittent connectivity is less secure every time the internet goes out, which can last for days or weeks in some cases.
How Do You Solve The IAM/PAM Challenges for interconnected OT-IT-Cloud Environments?
When you are looking at IAM/PAM solutions that can support digital transformation across OT, IT, and Cloud without causing friction or requiring undue levels of cost and management, here are a few traits to look for:
- Multi-IAM policy orchestration and enforcement across OT, IT, and Cloud: You may still need to operate multiple instances of Active Directory for your IT, OT, and DMZ environments, but you don’t have to pass that complexity on to your end users, such as technicians working on OT assets. Look for IAM/PAM solutions that can orchestrate policy and enforcement across multiple identity providers and enable secure access through a single interface to deliver zero trust in a multi-layer environment.
- Multifactor Authentication at every layer, from Cloud to IT to DMZ to OT: One of the biggest security risks in many critical infrastructure organizations is colloquially known as “RDP-and-Free.” This refers to a situation in which someone who accesses your OT environment via RDP then has blanket access to every asset in the zone. This is the opposite of a zero trust approach, and introduces a ton of risk. Look for IAM tools that can enforce MFA at every layer and down to the individual device level.
- Works Offline: At operational sites in remote locations, technology has to work without the internet. If any aspect of your identity infrastructure requires an internet connection, it won’t hold up to the intermittent connectivity at many OT sites.
- Logs Every Interaction: The ability to track every interaction taken by a specific identity or set of credentials is a huge requirement for securing assets and assuring identities are not misused. Environments with shared accounts, “RDP and Free” setups, and implicit trust zones make this very challenging. Any successful Identity-based Access Control system for OT needs granular logging and auditing capabilities.
- Machines have identities, too: Every device is a potential vector for an attacker to move laterally and spread malware. Identity-based access management needs to be able to identify and control the access privileges of machines to each other, as well as users to machines.
- Granular user-to-application access: The whole goal is to control every interaction. If any aspect of access control is “all or nothing” then it isn’t good enough. Controlling which applications a user may access, even after they are already allowed to access an individual device, is a must-have capability.
How The Xage Fabric Delivers Multi-layer Identity-based Access Management for OT, IT and Cloud
The Xage Fabric is a highly available cybersecurity mesh that overlays existing infrastructure without requiring any down time or changes to current architecture. The Fabric can manage credentials and access privileges across multiple systems, and provides MFA at every layer, down to the individual asset level, both locally and remotely. The Xage Fabric can reduce or eliminate your need for separate costly Privileged Access Management platforms. The Fabric can reduce your attack surface, improve user experience and enable a defensible architecture to assure the best possible security posture for your OT environment.
Join our upcoming webinar, A SANS First Look at Zero Trust Access Management and Secure Remote Access for Interconnected OT-IT-Cloud, to learn more about how to solve these pressing challenges.