Just two weeks ago, NIST published the Preliminary Cybersecurity Framework for improving critical infrastructure cybersecurity. The Framework consists of standards, guidelines, and best practices to promote the protection of critical infrastructure and I already highlighted the importance of securing privileged identities in this recent blog post.
The framework also includes an appendix that covers future areas for improvement for the Cybersecurity framework. These areas are important but are still evolving and require further research and understanding. No mature standards for these areas exist yet.
One of these areas is Authentication. The NIST guidelines mention that passwords alone are inadequate to fulfill authentication needs and this is of course true, however, many years will pass until more advanced authentication capabilities will be widely used and adopted in the control systems environments in order to replace the usage of passwords.
We at CyberArk believe that the common usage of privileged passwords in critical system is indeed problematic. In many cases, for example, the privileged passwords are shared between a large number of employees and there is no real tracking of who is using the privileged password (leading to a lack of accountability) and there are no frequent updates of the privileged password. All these issues indicate the problematic usage of passwords—not to mention the fact that many recent cyber attacks have exploited privileged passwords as a critical component of their attack.
I believe that as a first step, critical infrastructure operators should understand that even though passwords are problematic there is a lot that can be done today in order to minimize the risk. A critical infrastructure operator should consider using a privileged account security system that will prevent the problematic usage and exploitation of privileged passwords (mentioned above) which is so common today, especially in control room and control applications. CyberArk is here to help.