Recently, I attended NERC’s annual Grid Security Conference (GridSecCon) in Philadelphia. A group of cyber security and other industry experts convened to share best practices, lessons learned and emerging security trends. Protecting the grid was the topic on everyone’s mind as well as the theme for the conference. As the sophistication and number of cyber attacks on critical infrastructure increases, it’s more important than ever to understand the landscape of entry points. This landscape extends to remote entry points. So it’s no surprise that supply chain security was also a hot topic of discussion at the conference, particularly in light of a string of recent breaches that demonstrate some of the vulnerabilities exposed by unsecured remote user access.
In Operational Technology (OT), supply chain management includes the oversight of users, both internal and external to the organization, who require access to the industrial control system networks in order to perform a myriad of functions ranging from preventive maintenance to reporting to break-fix services. These remote users perform critical functions that contribute to the plant’s reliable operations. However, remote access into a plant’s industrial control system exposes additional vulnerabilities that can be exploited by malicious actors.
The energy sector is leading the way in taking measures to secure critical assets and in sharing information about remote access best practices and technologies that help to mitigate the impact of a potential cyber attack. A number of security measures implemented by energy companies can be extended into other industries, and in fact some of them are already part of other standards and best practices, such as NIST SP 800-82 Revision 2, the Guide to Industrial Control Systems (ICS) Security.
To better protect your organization from threats associated with remote access, consider implementing the following five practices to address IT-OT connectivity vulnerabilities:
- Identify all remote users, accounts and associated credentials. Be sure to include SSH keys, hard-coded credentials and passwords to get visibility into who is accessing an organization’s critical systems.
- Lock down credentials. Once all remote users, accounts and credentials are identified, it’s time to centrally store the credentials in a locked and safe environment where they can be more effectively managed. The users can then securely retrieve the password or SSH key, or request a direct connection to only the accounts they are authorized to access.
- Minimize direct connection to critical assets. Isolating all sessions originating outside of the ICS domain and from unmanaged devices minimizes direct connections to any critical assets and keeps credentials shielded from unauthorized users.
- Trust but verify – keep an eye on remote users. Implementing live monitoring and session recording can facilitate the identification of unauthorized activity. It can also help to confirm that remote users access only those systems they are authorized to see. Session monitoring and logging also support compliance with industry regulations and standards.
- Deploy analytics tools. To meet high availability requirements, early detection and alerts are key. Analytics tools can identify user and application patterns, which in turn can be used to build profiles of normal behavior for privileged users and accounts. When abnormal activity is detected and an alert is raised, incident response teams can investigate and disrupt in-progress attacks.
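The last two practices, session recording and behavioral profiling of privileged remote users, can be illustrated with a small added example (not code from the original post or any product it describes). It builds a per-user baseline of "normal" (source host, target host, login hour) from a constructed session-gateway export and then flags later sessions that fall outside that baseline; the log format, host names and user names are all assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime
# Constructed export from a session-recording gateway (not real data):
# "timestamp user source-host target-host", one remote session per line.
BASELINE_LOG = """\
2024-03-04T08:12:00 vendor_a jump01 hmi-plc-03
2024-03-05T09:40:00 vendor_a jump01 hmi-plc-03
2024-03-06T10:05:00 vendor_a jump01 historian-01
2024-03-04T22:10:00 ops_night jump02 scada-srv-01
"""
# Constructed sessions from a later day, to be checked against the baseline.
NEW_LOG = """\
2024-03-11T09:15:00 vendor_a jump01 hmi-plc-03
2024-03-11T02:47:00 vendor_a laptop-x eng-ws-07
2024-03-11T23:05:00 ops_night jump02 scada-srv-01
"""

def parse(log):
    """One dict per session, with the login hour pulled out of the timestamp."""
    rows = [line.split() for line in log.splitlines()]
    return [{"ts": ts, "user": u, "source": s, "target": t,
             "hour": datetime.fromisoformat(ts).hour} for ts, u, s, t in rows]

def build_profiles(sessions):
    """Per-user picture of 'normal': the sources, targets and hours seen so far."""
    profiles = defaultdict(lambda: {"source": set(), "target": set(), "hour": set()})
    for s in sessions:
        for key in ("source", "target", "hour"):
            profiles[s["user"]][key].add(s[key])
    return dict(profiles)

def hour_distance(a, b):  # distance on a 24-hour clock: 23 and 0 are 1 apart
    return min(abs(a - b), 24 - abs(a - b))

def flag_anomalies(profiles, sessions, hour_slack=1):
    """Return (timestamp, user, reasons) for sessions outside the user's profile."""
    empty = {"source": set(), "target": set(), "hour": set()}  # unknown user: all checks fire
    alerts = []
    for s in sessions:
        p = profiles.get(s["user"], empty)
        reasons = []
        if s["source"] not in p["source"]:
            reasons.append(f"unprofiled source {s['source']} (unmanaged device?)")
        if s["target"] not in p["target"]:
            reasons.append(f"unprofiled target {s['target']}")
        if all(hour_distance(s["hour"], h) > hour_slack for h in p["hour"]):
            reasons.append(f"login at {s['hour']:02d}:xx outside usual hours")
        if reasons:
            alerts.append((s["ts"], s["user"], reasons))
    return alerts
```

Running `flag_anomalies(build_profiles(parse(BASELINE_LOG)), parse(NEW_LOG))` flags only the 02:47 session from `laptop-x` to `eng-ws-07`, which is what an incident response team would want routed to them as an alert.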