A better security for critical infrastructure using strong authentication


November is National Critical Infrastructure Security and Resilience Month so I thought it would be a great opportunity to discuss some of the security challenges concerning critical infrastructure, specifically the weak access controls in sensitive operational technology (OT) environments.

Strong authentication is an essential requirement for critical infrastructure

When defending critical infrastructure, it is necessary to authenticate the identity of every individual, device or machine that requires access to sensitive networks, facilities or information. Weak authentication mechanisms are commonly exploited by adversaries seeking to gain access to, and control over, sensitive systems. One would expect access to these systems to be limited to authorized users. However, these environments have an inherent vulnerability: weak access controls.

Strong authentication (also known as multi-factor authentication, or MFA) is a popular approach because it requires users to provide an additional means of authentication to validate their identity before being granted access to sensitive systems. Yet until today, implementing MFA in these environments has been nearly impossible.

The challenge with critical infrastructure environments

Critical infrastructure environments include both IT and OT networks. Although they consist of different technologies, and in most facilities these networks are segregated, a few challenges are common to both types of environment:

  • They contain “unprotectable systems”: both IT networks and OT environments include systems that until today were considered “unprotectable,” because there is no out-of-the-box solution for them and it is impossible to deploy third-party software agents on them:
    • Non-standard proprietary systems: In most cases, these systems were not designed with security in mind. As a result, they have very weak access controls. However, non-standard systems are typically unsupported by MFA solutions. Creating a custom solution for these systems is both expensive and resource consuming.
    • Legacy systems: Legacy systems often utilize hard-coded passwords, easily cracked passwords, passwords stored in easily recoverable formats, and passwords sent in clear text. An attacker who obtains these passwords can often interact with the controlled process at will. Yet most MFA vendors are not interested in providing support for these systems.
    • Systems under vendor warranty: Many systems, especially in the OT environment, require vendor approval before 3rd-party software can be installed. Without this approval, any attempt to install 3rd-party software may void the warranty.
  • 24-7-365 availability is required: Many systems in these environments must remain operational at all times, so they cannot be rebooted, which is a common requirement for software installation. Since most MFA solutions require a software agent to be deployed on each protected system, and that deployment requires a reboot, organizations cannot implement MFA to secure access to these systems.


For the same reason, solutions that require the deployment of in-line proxies are also difficult to implement.

The usability of authentication approaches remains a significant challenge for many control systems, as many existing authentication tools are available only for standard computing platforms.


Dana Tamir is the VP Market Strategy at Silverfort. Prior to this, Dana served as VP Marketing at Indegy. Before that, she served as Director of Enterprise Security at Trusteer (acquired by IBM in 2012). She also held various roles at Imperva, Symantec, Bindview, and Amdocs. Dana holds an engineering degree from the Technion – Israel Institute of Technology, in addition to a number of industry and vendor certifications.