Today’s technology requires today’s identity and access management (IAM). In the past, operational technology (OT) systems were physically and logically separated from a company’s enterprise corporate business environment and the external world. That served as a control to protect them from common cyberattacks. Starting in the 1970s, serial-based analog processes controlled, managed and monitored these OT systems and their infrastructure through serial-based analog processes. These ran using proprietary protocols, software and products. Robust physical security controls managed worker access to these environments and limited the exposure to outside threats.
Over the past few years, companies have transformed their OT environments. Modern digital OT technologies use similar techniques and concepts as those in corporate IT systems. For example, they now connect OT systems using standard TCP/IP network protocols and network technologies such as firewalls, switches and routers. Developers make industrial applications that can run on common operating systems connected to Internet of Things (IoT) devices or robotics. In addition, companies analyze more data from OT processes to become more efficient and competitive.
These bring more efficiency into organizations in terms of operations, compliance, productivity and maintenance. However, they also expose OT systems to a greater risk of attacks. Remote access for both their employees and third parties exposes them further. Therefore, it’s time to secure the OT.
Are IT Practices Enough for OT?
Although we have come a long way over the past 25 years, companies haven’t advanced much when it comes time to address their OT environments. Because the OT is different from corporate IT systems, new approaches are required. To make matters worse, industry-specific rules may require unique security techniques. This means most OT systems do not interact with traditional IT security products. For example, applying a fix or patch to an application may not work within the OT environment. There are many reasons for this. For example, maybe you can’t stop the production line to apply the patch or the OEM vendor doesn’t have a patch for a known vulnerability.
Therefore, extending IT controls to protect an OT environment often leaves blind spots. These provide a false sense of security and open the OT environment to the risk of cyberattacks. This is made clear in the numerous OT security practice guidelines issued by the National Institute of Standards and Technology, the Cybersecurity and Infrastructure Security Agency, the International Organization for Standardization and other groups. Keep these in mind to meet the cybersecurity requirements specific to your company.
All security workers know that building a comprehensive security program is complex and will take time. OT security is a maturing field. So, many companies think they can cut corners by using a tech-only solution. We’ve learned differently from the past 25 years of protecting corporate business environments. It takes a security program supported by a risk-based strategy, plan, governance and budget. Without these things, the OT environment will not achieve robust cybersecurity.
Evaluating Access and IAM
Identifying and evaluating cyber risks in an OT environment is not straightforward. After all, these environments are highly complex. When doing an assessment and evaluation of an OT environment, consider a large number of assets and distributed environments. Attacks typically focus on access control vulnerabilities and should be considered one of your top threats. In turn, treat identity and access management (IAM) as one of the top security priorities in an OT security program. The access attack surface in OT environments is growing. Threat actors now use more advanced methods to target gaps within OT environments.
As the remote workforce grows, having vulnerable OT remote access methodologies has security implications for any organization. Consider carefully how employees access OT devices remotely. What kind of exposure do they have on the OT ecosystem or on third-party networks? In most cases, there is no level of control from a session management perspective. That could allow remote users to find a way to damage other connected devices that they are not authorized to access.
Asset Password Management
As more and more devices connect to OT networks, the attack surface grows by leaps and bounds. After all, most of these devices use weak password policies or even defaults. This provides an easier way for an adversary to take control of the asset. From there, they can infiltrate the network and cause damage to the OT/IoT ecosystem. After all, these devices have access to critical infrastructure systems and data.
Supply Chain and Third Parties and IAM
Over the past few years, adversaries started targeting third parties. Their goal? Exploit the supply chain and gain access to their clients’ OT environments.
Insider Threats
As in a traditional IT environment, threats from insiders are very common in OT/IoT environments.
Securing Your IAM Footprint
Nowadays, more organizations with OT environments implement OT digital transformation programs. As a result, it’s essential to apply stringent access controls. A proper identity management strategy can serve as a focal point of an OT IAM security program. It should deliver a holistic and repeatable IAM framework for the OT ecosystem designed to protect against emerging access-related attack vectors.
Understand Your Risks
Perform a full maturity assessment of your IAM capabilities in your OT environment. Then, look at your future state and perform a gap analysis. You need to define business goals, objectives and security drivers in order to identify your threat profile and where you stand from a risk perspective. The gap analysis will in essence become your transformation program roadmap.
Inventory and Prioritization
Identify all your OT assets and define what needs to be protected first from an identity management perspective.
Define Your IAM Roadmap
Once you know what you want to achieve and create a more mature IAM capability in your OT ecosystem, you can define the detailed scope of your IAM OT transformation. That includes people, processes, assets and controls, as well as the business value that you realize with each change. It is crucial at this point to develop a strategy in alignment with your OT target operating model, key performance indicators and key risk indicators to implement your vision.
More In-Depth Analysis
One more thing before you start your transformation journey. First, perform a deep analysis of the current access control model and your business and governance processes. Along with this, perform a data cleansing exercise. This will make the transition to the future state smoother and more efficient.
OT Security Solution Design
Define the security components and solutions that meet your needs. Below are the key areas of focus for your future state design:
- Isolate your critical infrastructure from the IT network and devices using segmentation methodologies
- Enforce least privilege. Create a role model that allows remote users to access what they need for their roles
- Enforce multi-factor authentication for all users, including employees, contractors and third parties
- Develop a strong password policy and enforce it in your OT assets. At best, users with elevated access should not have access to passwords in cleartext. Rotate passwords after each use.
- Enforce session isolation for all remote users accessing a target OT asset
- Enforce continuous logging and monitoring of users’ activities in your OT ecosystem
- Transform your business and governance processes to meet your IAM security goals. These may include the life cycle of a user, role assignment and continuous review of accesses. One of the critical challenges is the evaluation and transformation of the overarching business processes that supplement logical controls. Even if logical controls are in place, if the underlying business and governance processes are not fit to your OT security objectives, there will always be a way for an attacker to bypass the processes and damage the OT ecosystem.
- Focus on user experience while designing your solution aligned to your vision.
Implement the IAM Solution
Implement your solution using a risk-based approach. Monitor progress and value. Transition to operations following the principles defined in your target operating model.
Training and Awareness
Deliver OT/IoT training and awareness to the entire organization tailored to each audience. The level of training an engineer requires differs from an operator. Besides the logical controls that can be imposed, focus on defining processes and procedures to minimize the impact of such incidents as well as include OT/IoT in the training and awareness program for the entire workforce.
Focus on Ongoing Improvement
As requirements and program objectives evolve in a rapidly changing IT/OT environment, transformation becomes an ongoing process of implementing, testing, documenting, training and operating. Maintain discipline for your OT ecosystem from an IAM point of view. That discipline will help you overcome future impediments that can harm your environment.
If you need assistance building a program to transform and mature your IAM capabilities in the OT security domain, IBM Security experts can help.
Watch this recent virtual panel that provides insights from the IBM X-Force teams of hackers, responders, researchers and investigators. Visit the X-Force Red website to set up a one-on-one meeting with IBM’s experts.
Senior Managing Security Consultant