Meeting regulations doesn’t necessarily equate to operating securely. It’s necessary to build security on top of requirements according to the level of risk. When it comes to protecting critical IT and OT systems, certain organizations have increased efforts to lead the way in developing and implementing regulations that help critical infrastructure companies to adopt a strong security posture.
The North American Electric Reliability Corporation, for example, has established the Critical Infrastructure Protection (CIP) program to improve the North American power systems’ security from physical and cyber threats. Specifically, NERC CIP v5 incorporates key requirements based on the National Institute of Standards and Technology (NIST) Risk Management Framework to help registered entities (utilities and other power facilities) achieve operations reliability excellence. This reliability in turn improves the cyber security posture for the Bulk-Power System (the grid).
Three key requirements of note:
- Registered Entities are now required to enforce authentication of interactive user access and to identify individuals who have authorized access to shared accounts. They also must implement strong passwords and change known default passwords per cyber asset capability. (CIP-007-5 R5 – Systems Security Management – Access Control)
- The use of an intermediate system is now required, so that cyber assets initiating interactive remote access do not directly access the applicable cyber asset within the Electronic Security Perimeter (ESP). Entities must also utilize encryption that terminates at the intermediate system and use multi-factor authentication for all interactive remote access sessions. (CIP-005-5 R2 – Electronic Security Perimeter(s) – Interactive Remote Access Management)
- Entities must remove an individual’s interactive remote access within 24 hours of termination, and the removal of an individual’s access to the designated storage locations must be completed by the end of the next calendar day after termination. (CIP-004-5.1 R5 – Personnel & Training – Access Revocation)
The North American Electric Reliability Corporation has recognized the key role that privileged accounts play in advanced external and internal cyber-attacks, especially as they enable users to initiate interactive remote access sessions to critical cyber assets. The NERC CIP v5 requirements on privileged account security ensure that entities have accountability for every use of privileged and shared accounts as well as secure remote access for external vendors with “over-the-shoulder” real-time monitoring. Additionally, the standard has requirements related to privileged session isolation in order to keep credentials from being exposed, while securing privileged credentials in a tamper-proof vault.
Securing privileged accounts is not only critical in order to meet NERC CIP v5, but it is also an effective way to reduce the risk of cyber-attacks. Privileged accounts are extremely useful to malicious actors because they allow access to critical assets and the opportunity to roam the system, in many cases undetected. Privileged session isolation and monitoring mitigate the risks associated with unauthorized users exploiting accounts that access critical systems. These measures also keep malware that could be present on the users’ endpoints contained.
The NERC CIP v5 has raised the bar in the cyber security regulatory world by improving on many basic cyber “hygiene practices” that give organizations a strong starting point in their journey to implementing a holistic risk-based approach to securing critical assets. NERC CIP v5 standard enforcement begins on April 1, 2016.
Watch our recorded webinar (16 mins): CyberArk and NERC CIP v5 compliance to learn how you can meet all the privileged accounts related requirements.