Managing and Securing Remote Access To Critical Infrastructure


1. Securing Remote Access to OT/ICS Systems
Yariv Lenchner, Sr. Product Manager, CyberArk Software
2. Current ICS Security Status
▪ We all know that many ICS systems and devices are vulnerable to cyber attacks
▪ There are many reasons for this:
  ■ Preferring system availability over security
  ■ Lack of focus on security during development
  ■ No or very little patching of systems in production environments
▪ The usual advice and best practice was to isolate, isolate, isolate!
3. Can We Really Isolate All Critical Networks?
▪ The assumption that our critical network is isolated is very problematic; in practice the isolation is broken by:
  ■ Removable media
  ■ Mistakes and temporary connections
  ■ Remote access
▪ How do we design a truly secure remote access system?
▪ A design that will also help secure against the first two types of threat
4. The Homegrown Proxy Server
▪ The typical and most popular solution is a homegrown proxy server
▪ Usually deployed as the entrance point to the critical network
▪ Let’s go over some of the security challenges with this popular deployment and how to solve them
5. 1) The “All or Nothing” Challenge
▪ The remote proxy usually serves as an access point for multiple users with different target devices and different privileges
▪ Once access to the proxy is granted, the remote user usually has unlimited access to all resources or devices on the critical network
▪ Recommendation:
  ■ Implement granular restrictions so that each user can connect to the specific systems they need and nothing else
6. 2) The Shared Account Issue
▪ Many resources on the critical network are managed through shared privileged accounts (IEDs, HMIs, applications, routers, servers, firewalls…)
▪ Remote access users usually use the same shared and privileged accounts
▪ Managing passwords on shared accounts that have both internal and remote users becomes a serious issue
▪ Results:
  ■ Passwords are not updated
  ■ No track of who knows a password
  ■ Updating passwords brings the risk of not knowing a password in an emergency
  ■ No accountability
▪ Recommendation:
  ■ Implement and enforce the use of individual, named user accounts on the proxy server, so that every session is tied to a person rather than to a shared account
▪ “APT intruders…prefer to leverage privileged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts.” and “…100% of breaches involved stolen credentials.” (Mandiant, M-Trends and APT1 Report)
7. 3) Workflow and Policy Enforcement
▪ Remote access to the proxy server is available at any time to anyone who has access to it
▪ Policies that control the access process are manual and hard to enforce
▪ Different policies exist for different users and systems
▪ Homegrown proxy servers usually do not enforce policies that consider:
  ■ Time of day
  ■ Length of remote session
  ■ Access request reason
  ■ Manager’s approval
▪ Homegrown proxy servers do not keep any kind of log of the request reason or of the approval
▪ Recommendation:
  ■ Implement a proxy server with policy enforcement and dual control capability (a second person must approve before the session opens)
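As an added example (not from the slides and not CyberArk's code), here is what a deny-by-default policy check covering slides 5 and 7 looks like when written down: a per-user target allow-list, a time-of-day window, a session-length cap, a mandatory access reason and dual control, with every decision written to an audit record the proxy can forward. The policy table, user names and device names are constructed for illustration; a real deployment would read them from the proxy's policy store or directory groups.

```python
# Added example (not from the slides or from CyberArk): a deny-by-default policy
# check for the proxy / jump host described in slides 5 and 7. Policy entries,
# user names and device names below are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    targets: frozenset                    # devices this user may reach; everything else is denied
    window: Optional[Tuple[time, time]]   # permitted local time of day [start, end); None = any time
    max_minutes: int                      # hard cap on the requested session length
    needs_approval: bool                  # dual control: a second person must approve
    reason_required: bool = True          # the reason is logged, so it has to be present


@dataclass(frozen=True)
class Request:
    user: str
    target: str
    at: datetime               # requested start time (local)
    minutes: int               # requested session length
    reason: str = ""
    approver: Optional[str] = None


# Constructed policy table (assumption: maintained in the proxy's policy store in real life).
POLICIES = {
    "vendor-ied": Policy(targets=frozenset({"ied-sub7-01", "ied-sub7-02"}),
                         window=(time(8, 0), time(18, 0)), max_minutes=60, needs_approval=True),
    "ops-oncall": Policy(targets=frozenset({"hmi-01", "hmi-02", "historian"}),
                         window=None, max_minutes=240, needs_approval=False),
}

AUDIT_LOG: List[dict] = []   # every decision is kept, including the reason and the approver


def request(user, target, at_iso, minutes, reason="", approver=None) -> Request:
    """Build a Request from an ISO 8601 start time such as "2024-03-05T10:00"."""
    return Request(user, target, datetime.fromisoformat(at_iso), minutes, reason, approver)


def evaluate(req: Request) -> Tuple[bool, str]:
    """Return (allowed, explanation). Any failed check denies; unknown users are denied."""
    pol = POLICIES.get(req.user)
    if pol is None:
        return False, "unknown user"
    if req.target not in pol.targets:
        return False, f"{req.user} is not permitted to reach {req.target}"
    if pol.window is not None and not (pol.window[0] <= req.at.time() < pol.window[1]):
        return False, "outside permitted time window"
    if req.minutes > pol.max_minutes:
        return False, f"requested {req.minutes} min exceeds cap of {pol.max_minutes} min"
    if pol.reason_required and not req.reason.strip():
        return False, "access reason is required"
    if pol.needs_approval:
        if not req.approver:
            return False, "manager approval is required"
        if req.approver == req.user:
            return False, "approver must differ from requester (dual control)"
    return True, "allowed"


def decide(req: Request) -> dict:
    """Evaluate the request and append an audit record the proxy can ship to the SIEM."""
    allowed, why = evaluate(req)
    record = {"user": req.user, "target": req.target, "at": req.at.isoformat(),
              "minutes": req.minutes, "reason": req.reason, "approver": req.approver,
              "allowed": allowed, "decision": why}
    AUDIT_LOG.append(record)
    return record


if __name__ == "__main__":
    print(decide(request("vendor-ied", "ied-sub7-01", "2024-03-05T10:00", 30,
                         "firmware check, ticket 4711", "ops-lead"))["decision"])
    print(decide(request("vendor-ied", "hmi-01", "2024-03-05T10:00", 30,
                         "firmware check, ticket 4711", "ops-lead"))["decision"])
```

The order of the checks matters less than the fact that every one of them denies on failure and that the audit record is written whether or not the session was allowed; a denied request with a reason and an approver is exactly the kind of event the incident response team wants to see.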
8. 4) Monitoring and Control
▪ Once access is granted, there is very little control over what the remote user is actually doing
▪ There is no real-time over-the-shoulder monitoring capability
▪ No real record of everything that is done during a remote session
▪ No quick and easy capability to terminate a remote session immediately
▪ Recommendation:
  ■ The proxy server should allow a certified supervisor to monitor and control remote sessions in real time
  ■ The proxy server should be able to video record the session for future review
9. 5) Are You Sure There Are No Bypasses?
▪ The Million Dollar Question:
  ■ Are you sure there is no other way to access the critical devices on the critical network?
▪ If the proxy is bypassed, the last line of defense is the privileged account password
▪ Passwords tend to be guessed, stolen, hijacked, found or even given away
▪ Recommendation:
  ■ Privileged passwords should be stored, managed and known only to the proxy server itself; a remote user receives a session through the proxy, never the password
10. 6) Analytics and SIEM Integration
▪ Malicious activity passing through the proxy server can continue for long periods while going undetected
▪ A typical proxy server is not capable of detecting anomalies in the remote connections made through it
▪ Recommendation:
  ■ The proxy server should compare current remote access activity to historical activity in real time
  ■ Detecting anomalies as they happen allows the incident response team to respond and disrupt the attack
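Added example for slide 10 (illustrative code written for this page, not the product's analytics): build a per-user baseline from the proxy's own session history, score a session while it is still open rather than after it has closed, and emit a JSON line the SIEM can ingest. HISTORY is constructed sample data; the three-sigma duration threshold, the hour-of-day range and the severity ladder are assumptions.

```python
# Added example (not from the slides or from CyberArk): scoring a live remote
# session against the user's own history on the proxy and shaping the result as
# an event for the SIEM. HISTORY is constructed sample data; thresholds are assumptions.
import json
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed history of completed sessions through the proxy:
# user,source_ip,target,start (ISO 8601),minutes
HISTORY = """\
vendor-ied,203.0.113.10,ied-sub7-01,2024-03-01T09:15,35
vendor-ied,203.0.113.10,ied-sub7-02,2024-03-04T10:40,25
vendor-ied,203.0.113.10,ied-sub7-01,2024-03-06T14:05,40
vendor-ied,203.0.113.10,ied-sub7-01,2024-03-08T11:30,30
vendor-ied,203.0.113.11,ied-sub7-02,2024-03-12T15:10,45
"""


def parse_history(text: str):
    for line in text.strip().splitlines():
        user, src, target, start, minutes = line.split(",")
        yield user, src, target, datetime.fromisoformat(start), int(minutes)


def build_baselines(records) -> Dict[str, dict]:
    """Per-user profile: targets and sources seen, hours of day used, session lengths."""
    b = defaultdict(lambda: {"targets": set(), "sources": set(), "hours": [], "minutes": []})
    for user, src, target, start, minutes in records:
        p = b[user]
        p["targets"].add(target)
        p["sources"].add(src)
        p["hours"].append(start.hour)
        p["minutes"].append(minutes)
    return dict(b)


def score_session(baselines, user, src, target, start, minutes_so_far=None) -> List[str]:
    """Flags for a session that is open right now; an empty list means nothing unusual."""
    p = baselines.get(user)
    if p is None:
        return ["no history for user"]
    flags = []
    if target not in p["targets"]:
        flags.append(f"new target {target}")
    if src not in p["sources"]:
        flags.append(f"new source {src}")
    if not (min(p["hours"]) <= start.hour <= max(p["hours"])):
        flags.append(f"unusual hour {start.hour:02d}:00")
    # Duration is checked while the session is still running, so an overlong session
    # is raised before it ends (assumption: 3 sigma over this user's own history).
    if minutes_so_far is not None and len(p["minutes"]) >= 2:
        mean = statistics.mean(p["minutes"])
        sd = statistics.pstdev(p["minutes"])
        if minutes_so_far > mean + 3 * sd:
            flags.append(f"session already {minutes_so_far} min, typical {mean:.0f} min")
    return flags


def siem_event(user, src, target, flags) -> str:
    """One JSON line per scored session; severity rises with the number of flags (assumed ladder)."""
    severity = "info" if not flags else ("medium" if len(flags) < 3 else "high")
    return json.dumps({"source": "ics-remote-proxy", "user": user, "src": src,
                       "target": target, "severity": severity, "flags": flags}, sort_keys=True)


BASELINES = build_baselines(parse_history(HISTORY))


def check(user, src, target, start_iso, minutes_so_far=None):
    """Score a live session against the baselines; returns (flags, siem_line)."""
    flags = score_session(BASELINES, user, src, target,
                          datetime.fromisoformat(start_iso), minutes_so_far)
    return flags, siem_event(user, src, target, flags)


if __name__ == "__main__":
    print(check("vendor-ied", "203.0.113.10", "ied-sub7-01", "2024-03-15T10:00", 30)[1])
    print(check("vendor-ied", "198.51.100.7", "hmi-01", "2024-03-16T02:30", 120)[1])
```

Five historical sessions are enough to make the point but not enough for a production baseline; the same per-user comparison with a rolling window of weeks, and the ability to call the session-termination control from slide 8 when the severity is high, is what turns this from a report into a disruption of the attack.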
11. Securing Remote Access into ICS Networks: CyberArk’s Privileged Session Manager (PSM)
12. Securing Access Into the ICS/OT Network
Architecture diagram (text recovered from the slide): a corporate user on the corporate network, or a third party vendor, comes in through a VPN and the DMZ firewall to a web portal in the DMZ; the PSM in the DMZ brokers the session through the ICS firewall into the ICS network, with session recording and the password vault beside it and a supervisor watching; the targets on the ICS network are databases, UNIX servers, Windows servers, routers & switches and SCADA devices.
13. Summary
▪ Remote access: many critical networks need some type of remote access
▪ It is better to implement a secure remote access solution than to ignore the need for one and end up with insecure ad hoc methods
▪ NERC CIP v5 (CIP-005-5 R2) adds requirements for the proxy server, which the standard calls the Intermediate System; use those requirements to build the appropriate solution
▪ Align your secure remote access methods with privileged password management to minimize the risk of attack
