Industrial Control Systems – A High Value Target for Cyber Attackers

For decades, Industrial Control Systems (ICS), the critical production systems that are part of the Operational Technology (OT) environment in industrial enterprises, were isolated from other systems and the Internet. But as IT systems and OT environments become more connected to each other, industrial control systems are now exposed to IT systems and the Internet, significantly increasing the risk of intrusion from malicious actors.

The addition of Commercial-Off-The-Shelf (COTS) equipment into the operations and supervisory levels of ICS architectures, where Human Machine Interfaces (HMIs), historians, engineering workstations and other computing assets are located, has introduced new risks associated with running commercial operating systems. Due to the high availability requirements of ICS assets, these risks by and large remain unaddressed. Some of these risks include:

  • The high number of administrative or privileged accounts that enable user and application access to ICS
  • The use of shared accounts that enable access to critical systems without individual oversight
  • The use of industrial applications with embedded hard-coded credentials
  • The use of workstations with full administrator rights

To mitigate these risks and to address compliance requirements, industrial enterprises must proactively protect and monitor privileged accounts that enable access to ICS environments. The CyberArk Privileged Account Security Solution helps organizations secure, monitor and control access to privileged accounts that provide access to the heart of these critical systems. The CyberArk solution offers end-to-end privileged account protection for industrial control systems, enabling organizations to:

  • Discover all privileged accounts and trust relationships in Windows and Unix environments
  • Remove and securely store hard-coded credentials from industrial applications
  • Securely store and automate rotation of privileged account credentials (passwords and SSH keys), including those used by remote users and applications
  • Secure privileged sessions, isolating critical systems from vulnerable user devices through a hardened jump server and providing privileged session recording and live monitoring capabilities
  • Enforce least-privilege policies for super-users on critical systems
  • Receive real-time alerts on anomalous privileged account activity

The CyberArk solution is integrated on a single platform, managed behind a single pane of glass, and proven to scale in large, complex and diverse OT environments. This means CyberArk can help organizations realize operational efficiencies when managing many remote users’ accounts with granular oversight and a variety of approval workflows.

Key Benefits:

  • Identify privileged account risks by locating all privileged user and application accounts, credentials and trust relationships, including accounts associated with remote access
  • Reduce the risk of unauthorized access to critical systems by securing and controlling access to privileged accounts
  • Strengthen industrial application security by eliminating the use of hard-coded credentials
  • Enable secure remote access while reducing the risk of malware spreading from user devices to critical systems
  • Address compliance requirements with a complete audit trail of privileged account access and user activity
  • Reduce the risk of intentional abuse or accidental misuse of elevated user privileges
  • Dramatically shorten an attacker’s window of opportunity and reduce damage with accurate and prioritized real-time alerting of in-progress attacks

Standards and Regulations:

The CyberArk Privileged Account Security Solution enables organizations to meet various standards and industry regulations related to Privileged Account Security including:

  • North American Electric Reliability Corporation, Critical Infrastructure Protection (NERC CIP)
  • National Institute of Standards and Technology (NIST) SP 800-82
  • European Union Agency for Network and Information Security (ENISA)