How CyberArk can help mitigate security vulnerabilities in Industrial Control Systems

Transcription

1 How CyberArk can help mitigate security vulnerabilities in Industrial Control Systems

2 Table of Contents Introduction 3 Industrial Control Systems Security Vulnerabilities 3 Prolific Use of Administrative Accounts 3 Increased Use of Applications With Hard-Coded Credentials 3 Use of Shared Accounts 3 Lack of Visibility of Remote Access Users 4 Security Challenges in Industrial Control Systems 4 The Increased Risk of Operational Downtime 4 The Increase in Operational Costs 4 Meeting Industry Standards and Regulations 4 The Role of Privileged Accounts 4 The CyberArk Solution 5 Discover Privileged Accounts and Credentials 5 Manage and Secure Credentials 5 Secure and Monitor Privileged Sessions 6 Enforce Application Control Policies 7 Identify Suspicious Activity 7 CyberArk Privileged Account Security Solution 8 Conclusion 9 Cyber-Ark Software Ltd. cyberark.com 2

3 Introduction For decades, Industrial Control Systems (ICS) were not connected to other systems or the Internet. They were physically separated from other networks within industrial organizations, a practice known as air gapping. The critical nature of industrial operations required ICS manufacturers to focus on system availability and interoperability but not necessarily on security; so this air gap practice became the main security feature that protected critical systems from outside intrusions or cyber-attacks. The obscurity of these systems, which rely on unique, proprietary equipment and communication protocols, contributed to the idea that built-in security was not really needed. In the past decade, business objectives such as the need to lower costs, improve operational efficiencies, meet regulatory compliance and provide decision-makers with a holistic view of plant operations prompted the introduction of costeffective and more connected IT technologies and Commercial-of-the-Shelf (COTS) products into the operational environment. These COTS products have made ICS more connected to business systems on corporate networks and even to the outside world through Internet connectivity. This connectivity has introduced a number of vulnerabilities that the IT world has been dealing with for a long time, and while the new ICS systems are faster, more intuitive and less costly, they have not necessarily been designed with the level of security existent in IT. Industrial Control Systems Security Vulnerabilities Prolific Use of Administrative Accounts The number of users and applications (corporate and remote) actively accessing and extracting operational data from ICS has dramatically increased 1. This is likely in part due to the need to provide decision-makers with greater insights and actionable information about their operations and allow remote access for third parties and remote employees. The privileged or administrative accounts necessary to access industrial networks and critical systems are numerous and in many cases, unmanaged. Support and maintenance personnel, along with operators and control engineers, remote vendors, corporate applications and automated batch applications all use these privileged accounts. This large number of accounts makes them difficult to track and manage, and to provide adequate oversight. Increased Use of Applications With Hard-Coded Credentials The introduction of COTS equipment into ICS has increased the use of applications and devices with hard-coded credentials. This poses an increased risk of compromise and unauthorized access to the overall system. In many cases, these hard-coded credentials may be remotely exploitable and could result in the manipulation of physical devices, the execution of arbitrary code or a denial of service attack. Use of Shared Accounts Except for legacy application running on proprietary operating systems, most ICS software applications are now running on COTS technology, but significantly less securely than in the IT environments 2. This is evidenced by the prolific use of shared accounts, creating an accountability challenge for many organizations. When shared accounts are widely used, it is very difficult for an organization to assign specific activity to users and report on actions taken by multiple parties, whether internal or external. 1 U.S. Department of Homeland Security. (2015, November/December). ICS-CERT Fiscal Year 2015: Final Incident Response Statistics. ICS-CERT Monitor, pp Chatham House The Royal Institute of International Affairs. Cyber Security at Civil Nuclear Facilities- Understanding the Risks. chathamhouse/field/field_document/ cybersecuritynuclearbaylonbruntlivingstone.pdf Cyber-Ark Software Ltd. cyberark.com 3

4 Lack of Visibility of Remote Access Users Given the unique skills necessary to support and maintain the increasingly connected systems in an Operational Technology (OT) environment, industrial organizations may rely on remote support from many vendors. This involves remote connectivity sessions that may sometimes go unsecured and unmonitored for days or weeks and present a risk for intrusion and compromise of the overall control system. Security Challenges in Industrial Control Systems The Increased Risk of Operational Downtime The many, varied vulnerabilities present an elevated risk of intrusion to industrial control systems and the companies where they are used. Unauthorized access to ICS and the potential manipulation of physical devices could result in damage to equipment, adverse impact to operations, loss of product, discharge to the environment and even the loss of life 3. Understanding the potential risks to ICS can help organizations develop a sustainable plan to mitigate the vulnerabilities with the highest impact to operations. Experts agree that the general purpose computers (Human-Machine Interfaces [HMIs], servers, workstations, etc.) in control systems are considered to be at the greatest risk of compromise, as they typically run commercial operating systems (Windows, UNIX, Linux). The connections to internal networks (business systems in IT Infrastructure) represent the second greatest risk of compromise 4. Both of these can be exploited by compromising the privileged credentials used to access these critical assets. The Increase in Operational Costs The implementation of security controls designed to mitigate the risks associated with these vulnerabilities, if not planned carefully, can be very costly. ICS require a high-degree of skill from a dedicated workforce. Additionally, ICS personnel are already in high demand as a result of a maturing workforce. Organizations trying to implement in-house solutions have found that home-grown tools are not sufficiently comprehensive, are difficult to implement and time-consuming to maintain 5. Meeting Industry Standards and Regulations Organizations as well as government agencies have recognized that critical infrastructure protection is directly related to the security of the industrial control systems controlling the various production and manufacturing processes. As a result, critical infrastructure sectors are subject to regulatory oversight or required to meet cyber security standards in their OT environments. There is a need for tools and workflows that help organizations to demonstrate their compliance with these standards and regulations. The Role of Privileged Accounts Privileged accounts are found in every piece software on a network as well as in many hardware devices, and can provide anyone in possession of a privileged credential with access to and control over sensitive data or critical systems. When used, these accounts permit access to critical assets such as operator workstations to facilitate automated processes, maintain systems, modify manufacturing process parameters, and store historical data and other important operations. But in the wrong hands, these accounts can be used to gain access to the ICS and cause irreparable damage. Yet, some organizations are unaware of the risks that unmanaged privileged accounts pose to the business or neglect to secure them due to the perceived operational difficulty of finding and managing privileged accounts and their credentials. 3 National Institute of Standards and Technology. Special Publication Rev 2: Guide to Industrial Control Systems (ICS) Security. Retrieved from 4 The State of Security in Control Systems Today. A SANS Survey. SANS Institute. Retrieved from 5 CyberArk Software. (2013, October 10). Isolation, Control and Monitoring in Next Generation Jump Servers. Newton, Massachusetts. Cyber-Ark Software Ltd. cyberark.com 4

5 The CyberArk Solution Organizations operating industrial control systems do have options for protecting their networks and critical assets. With appropriate controls and monitoring, organizations can provide IT and OT internal users, third parties and applications the access needed without sacrificing security standards. The CyberArk Privileged Account Security solution provides a comprehensive solution for managing privileged access to the IT and OT environments. The CyberArk solution addresses the vulnerabilities originating from the connectivity between ICS, the IT environments and remote users by allowing organizations to secure privileged credentials, isolate connections originating outside of ICS environments and monitor and control these sessions. This comprehensive end-to-end suite is scalable and built for complex distributed environments to provide increased protection from advanced external and insider threats. Discover Privileged Accounts and Credentials The first critical step in mitigating the risk of compromised credentials is for an organization to identify all users, applications and associated credentials used for granting access into the ICS. Included in this discovery process should be all accounts and credentials assigned to users as well as application-to-application accounts accessed using passwords embedded in applications or SSH keys stored locally. The discovery process begins by scanning the network segments using a tool specifically designed to identify privileged accounts in assets running commercial operating systems. CyberArk Discovery and Audit is a free, standalone tool designed to find privileged user and application accounts and credentials. The tool generates a full report of the scanned asset that includes a list of accounts and associated credentials (passwords and SSH keys) as well as account status related to the company s security policy. With this report, organizations have an initial view of privileged accounts being used for access into the ICS network by internal and external users. Manage and Secure Credentials Once the organization has identified all privileged accounts and their credentials, it is possible to discover accounts that may no longer be needed as well as stale credentials that should be changed. This is the ideal opportunity for an organization to help reduce the ICS cyber-attack surface by reducing the number of accounts accessing ICS and store the remaining credentials in a secure digital vault. Once the organization stores credentials in the vault, users log in to the vault to access the credentials they have permission to use. The users can then securely retrieve the password or SSH key, or request a direct connection to the account. This is particularly beneficial when working with users from remote vendors who frequently change roles. Once organizations store and manage credentials using the digital vault, regular, automated rotation of credentials by the system reduces the risks associated with stale credentials. Another recommended practice in Privileged Account Security is the use of one-time passwords, which can be achieved with the rotation of credentials after every use. Organizations can further protect account access with multi-factor authentication to the vault and workflow approval processes can be required before the most sensitive credentials are retrieved. With these security solutions in place, internal and remote users who require access to critical systems have convenient, secure access to the credentials stored in the vault while credential management and control is back in the hands of the organization. One of the most important benefits of the digital vault solution is the introduction of individual accountability that goes beyond securing and controlling access to the credentials. As users have to log in to the digital vault to access a credential and individual activity can be tracked and reported, the risks associated with shared accounts are reduced, effectively bolstering the auditing and forensics processes. This is particularly important for ICS given the prolific practice Cyber-Ark Software Ltd. cyberark.com 5

6 of sharing credentials between internal and external users. By introducing this granular level of individual accountability, the organization has insight into who is responsible for an action someone within the organization or the vendor. Secure and Monitor Privileged Sessions Unmanaged endpoints accessing the ICS network, whether from the corporate environment or from the outside, provide an opportunity for attackers to install and use malware including keylogging software or other tools to obtain direct access to sensitive assets and capture privileged credentials. The primary tactic to mitigate this risk is to isolate all sessions originating outside of the ICS network 6. This isolation can be achieved by an organization requiring connections go through the CyberArk Privileged Session Manager which is used as a next generation jump server and provides added security by monitoring and recording privileged sessions. The CyberArk Privilege Session Manager can be used alongside an existing VPN for maximum protection. Once the user connects via a VPN for remote users or direct for corporate users-, he or she then logs into the CyberArk Privileged Session Manager via a secure web portal. From the web portal, the user selects the target machine to which they need access (each user will only be able to view the systems that are relevant for him). Once the target is selected, a direct connection is created from the remote user device to the jump server over a standard protocol such as RDP or SSH, establishing complete isolation between the user s endpoint and the target system. In this process, the jump server communicates with the digital vault to access and use the privileged credential of the target system, by doing so the credential will not leave the DMZ or ICS environment and will be kept away from the remote device. A second session is created between the Privilege Session Manager jump server and the target system, connecting both sessions and allowing the remote user a secure connection to the target system. Corporate Network Web Portal VPN DMZ Firewall 3rd Party Vendor DMZ Supervisor PSM ICS Firewall Password Session Recording ICS Network Vault Databases Unix Servers Windows Servers Routers & Switches SCADA Devices Figure 1. Secure jump server architecture, integrated with a credential vault 6 International Society of Automation. (2009). ANSI/ISA ( ) 2009 Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program. Cyber-Ark Software Ltd. cyberark.com 6

7 The CyberArk Privilege Session Manager helps organizations protect the target asset in three key ways: Blocks the spread of desktop malware. With the use of the Privilege Session Manager, the session is actually running on the isolated proxy server, not on the user s endpoint. Therefore, if an attacker attempts to gain access to the ICS network by installing malware on a privileged user s endpoint, the jump server blocks the spread of malware, protecting the network from infection. Mitigates the risk of credential theft. The Privileged Session Manager retrieves the credential from the digital vault and initiates the session, which means the user never types in the password and it is never disclosed to the user. Therefore, keylogging software installed on the endpoint is largely ineffective and the password is less susceptible to poor management practices of any third-party user including sharing, writing down or storing passwords in digital files. Monitors and records every session. Once the connection is made, the session can be viewed and terminated in real time and recorded for future forensics analysis. Also, because the Privileged Session Manager acts as the single access control point, every session is monitored and recorded, or as prescribed by the organization security policy. Working together with digital vault solutions, the Privileged Session Manager jump server solution is quite effective in protecting against attacks originating from accounts or users outside of the ICS network. Enforce Application Control Policies According to the US Department of Homeland Security 7, implementing application whitelisting in top-hierarchy control computers such as Human Machine Interfaces (HMIs) represents one of the most critical steps in securing an Industrial Control System network. Organizations can help reduce the attack surface and mitigate the risk of a serious data breach by controlling what applications are allowed to run in these computers, in addition to implementing tools that enforce flexible least privilege policies for business and administrative users. CyberArk Viewfinity enables organizations to remove local administrator rights from the HMI, and it seamlessly elevates privileges, based on an organization s policy, as required by trusted (whitelisted) applications. This measure helps to mitigate the risk of malware-based attacks. Identify Suspicious Activity Adding threat detection capabilities to security solutions is critical in order to help an organization to detect suspicious behavior before real damage is done. At the core, threat detection is based on identifying irregular behavior of users and assets, potentially indicating that the authorized user is not in control of the account. The good news is that authorized users external to the ICS network have definable activity patterns that can be used as a baseline to identify suspicious activity. In the case that an attacker compromises a remote vendor s credential or exploits an account to access the ICS network, anomalies in the remote user s patterns are likely to appear. Analytics tools that learn the typical patterns of activity and continuously monitor user and account activity can identify and alert on suspicious activity. The alerts can be used by IT, OT and security teams to help detect and disrupt in-progress attacks, dramatically reducing any damage to operations and the business. 7 Department of Homeland Security ICS-CERT Seven Steps to Effectively Defend Industrial Control Systems. Cyber-Ark Software Ltd. cyberark.com 7

8 CyberArk Privileged Threat Analytics integrates seamlessly with components of the Privileged Account Security solution and existing Security Information and Event Management (SIEM) solutions to collect and analyze data on privileged account use. The data is continuously compared to baseline normal behavior and alerts are sent to the CyberArk dashboard or the SIEM solution for prompt action by security teams. With a focus on privileged accounts, including third-party accounts, CyberArk Privileged Threat Analytics provides targeted alerts on the most often-used attack vector, privileged accounts. CyberArk Privileged Account Security Solution The CyberArk Privileged Account Security solution includes several integrated components delivered on a single platform infrastructure, allowing organizations to manage and secure all privileged credentials including: Enterprise Password Vault - secures, rotates and controls access to privileged passwords SSH Key Manager - secures and controls access to private SSH keys and rotates SSH key pairs Privileged Session Manager isolates, controls, and monitors privileged user access as well as activities for critical UNIX, Linux, and Windows-based systems, databases, and virtual machines. Privileged Threat Analytics analyzes and alerts on previously undetectable anomalous privileged user behavior enabling incident response teams to disrupt and quickly respond to an attack. Application Identity Manager - removes passwords embedded in applications and SSH keys locally stored on machines, and centrally secures, manages and rotates them CyberArk Viewfinity - enables organizations to remove local administrator privileges and control applications on Windows endpoints to reduce the attack surface without halting business user productivity or overwhelming IT teams. Cyber-Ark Software Ltd. cyberark.com 8

9 On-Demand Privileges Manager allows for control and continuous monitoring of the commands super-users run based on their role and task. Working together in any combination, an organization can implement the components of the solution to help secure and manage all credentials used by all users to access the ICS network. Conclusion The CyberArk Privileged Account Security solution can help organizations operating industrial control systems to protect their most critical and sensitive assets from advanced external and insider threats. It offers a comprehensive suite for managing, securing and monitoring privileged access to the systems located in IT and OT environments. It enables organizations to realize the operational efficiencies that can be gained from their ICS environments with COTS software and devices, but without necessarily introducing the associated risks. The CyberArk solution enables organizations to: Discover privileged accounts and the associated credentials used to access critical systems in the OT environment. This step allows organizations to understand all entry points into the ICS and establish effective security policies based on organizational risk tolerance. Improve visibility of remote access users by understanding the scope of privileged accounts throughout the organization. This means accountability of all corporate users and applications outside of the ICS network as well as remote users from third-party companies. Reduce the risk of unauthorized access to privileged accounts by securing privileged credentials in a centrally secure vault. This includes eliminating hard-coded credentials from applications accessing the ICS. Increase individual accountability by reducing the blind spots associated with shared account usage. Users logging into the vault to retrieve privileged credentials means the organization will have a clear picture of what users are accessing on an individual basis. Isolate privileged sessions to separate users and devices from critical assets in the ICS, as well as establish an isolated network segment with or without the use of a VPN. Monitor all privileged session activity in real-time so that security teams can rapidly detect the misuse of privileged accounts. Proactively prevent attackers from using malware to gain a foothold into the ICS environment by controlling which applications are permitted to run Detect and disrupt in-progress attacks by identifying the typical patterns of activity and continuously monitoring and comparing user and account activity against baselines. Demonstrate regulatory compliance by clearly showing auditors what security policies and processes are in place and easily report on individual user s activity. Cyber-Ark Software Ltd. cyberark.com 9

10 CyberArk and the CyberArk logo are registered trademarks of CyberArk Software in the U.S. and other countries. Copyright 2016 CyberArk Software. All rights reserved. Published in the U.S., CyberArk believes the information in this document is accurate as of its publication date. The information is provided without any express, statutory, or implied warranties and is subject to change without notice. This document contains information and ideas, which are proprietary to CyberArk Software Ltd. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, without the prior written permission of CyberArk Software Ltd. CyberArk Software Ltd. cyberark.com