NIST Revision 2: Guide to Industrial Control Systems (ICS) Security

Transcription

1 NIST Revision 2: Guide to Industrial Control Systems (ICS) Security How CyberArk can help meet the unique security requirements of Industrial Control Systems

2 Table of Contents Executive Summary 3 The Role of Privileged Accounts 3 Addressing the NIST Revision 2 Recommendations Regarding Privileged Access 4 Applying IT Security Controls to ICS 6 Access Control 6 Audit and Accountability 7 Identification and Authentication 8 About CyberArk Privileged Account Security 8 Conclusion 10 Cyber-Ark Software Ltd. cyberark.com 2

3 Executive Summary In 2006 the National Institute of Standards and Technology (NIST) published Special Publication (SP) , Guide to Industrial Control Systems (ICS) Security. This standard provides an overview of ICS typical system topologies, identifies common threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks. In June 2015, NIST published the second revision to SP This revision includes new guidelines on how to adapt traditional Information Technology (IT) security controls to accommodate unique ICS performance, reliability and safety requirements. As modern IT integrates with industrial control systems that were never built for external connectivity, the threat landscape continues to expand. This IT and Operational Technology (OT) convergence has been driven, in part, by the need for comprehensive operational data at the corporate level and the procurement of Commercial-Off-The-Shelf (COTS) technology for the operational environment. This IT and OT convergence has been deemed a significant risk by security experts and in this revision, NIST makes several recommendations to protect this connection from outside attackers and malicious insiders. The Role of Privileged Accounts Privileged user and application credentials are the conduit for access that could enable attackers to infiltrate critical systems through this vulnerable IT-OT connection and compromise their operation. Given known risks associated with ICS privileged credentials, NIST has included a new attack vector in this guide: the exploitation of privileged and/or shared accounts. NIST recommends the addition of privileged account security as a layer in the defense-in-depth architecture for all industrial control systems in all sectors. Additionally, NIST recommends that the IT-OT connection is protected by a boundary protection strategy that includes physical devices and monitoring controls. It strongly advises that only a minimum number of connections be allowed and that the connections are through a firewall and a Dimilitarized Zone (DMZ), along with more advanced monitoring, logging and auditing controls that can be found in secured IT environments. CyberArk can help critical infrastructure sectors to implement the necessary controls for managing the risks of privileged and administrative identities and access to critical assets in the IT and OT environments and through the IT-OT connection. CyberArk solutions: Manage and control access to all privileged accounts - including automating password changes and rendering hard-coded application credentials invisible to all users Isolate, control and monitor privileged access - to critical servers, applications or virtual machines Cyber-Ark Software Ltd. cyberark.com 3

4 Addressing the NIST Revision 2 Recommendations Regarding The following table of the solution brief will review NIST recommendations for addressing the IT-OT connectivity vulnerability and advise how CyberArk can address guidelines for boundary protection (5.2), Remote Support Access (5.10.2) and Monitoring, Logging and Auditing (5.16). NOTE: The list of recommendations is provided as general summary information only and limited to a subset of the requirements pertaining to privileged access; organizations should refer to the NIST Special Publication Revision 2 for comprehensive guidance on the complete set of standards. Explanation regarding CyberArk solutions and how they help organizations to meet the standards related to privileged access are also provided as general summary information only. 5.2 BOUNDARY PROTECTION - Implement proxy servers that act as an intermediary for external domains requesting information system resources (e.g., files, connections, or services) from the ICS domain. External requests established through an initial connection to the proxy server are evaluated to manage complexity and to provide additional protection by limiting direct connectivity. CyberArk Privileged Session Manager is an intermediary device in which all of the remote connections are routed to a server where predefined workflows for access are enforced, then new sessions are opened to the target devices accordingly. CyberArk Privileged Session Manager is the central point of control for protecting the ICS domain accessed by privileged users and applications REMOTE SUPPORT ACCESS - Remote support personnel connecting over the Internet or via dialup modems should use an encrypted protocol, such as running a corporate VPN connection client, application server, or secure HTTP access, and authenticate using a strong mechanism, such as a token based multi-factor authentication scheme, in order to connect to the general corporate network. Once connected, they should be required to authenticate a second time at the control network firewall using a strong mechanism, such as a token based multi-factor authentication scheme, to gain access to the control network. Proxy servers can also provide additional capabilities for securing remote support access. Addressing Encryption The connections between a remote device or user and the CyberArk Privileged Session Manager jump server are fully encrypted. Additionally, the jump server can be integrated with an existing VPN for maximum protection. Once the remote user connects over the VPN, he or she then logs into the jump server via a secure (HTTPS) web access portal. From the web access portal, the user selects the target machine to which they need access. Once the target is selected, a direct connection is created from the jump server over a standard protocol such as RDP or SSH, establishing complete isolation between the user s endpoint and the target system. In this process, the jump server uses centralized policies to manage who has access to which systems, and communicates with the digital vault to allow access to specific applications, acting as a single control point between all external users and target machines on the ICS domain. Cyber-Ark Software Ltd. cyberark.com 4

5 REMOTE SUPPORT ACCESS - Addressing Multi-factor Authentication The CyberArk Solution allows organizations to add an additional layer of authentication to existing password authentication solutions, without making any changes directly to the ICS system. Leveraging the ability to support multiple authentication capabilities including two-factor authentication to the CyberArk Solution, users are strongly authenticated before accessing the ICS domain. The solution supports various authentication technologies such as LDAP, RSA SecurID, RADIUS, PKI, smartcards and more. CyberArk supports additional capabilities for securing remote support access such as session isolation, dual control, monitoring, recording and the added peace of mind that system passwords do not leave the secured network MONITORING, LOGGING, AND AUDITING The security architecture of an ICS must also incorporate mechanisms to monitor, log, and audit activities occurring on various systems and networks. Monitoring, logging, and auditing activities are imperative to understanding the current state of the ICS, validating that the system is operating as intended, and that no policy violations or cyber incidents have hindered the operation of the system. Network security monitoring is valuable to characterize the normal state of the ICS, and can provide indications of compromised systems when signaturebased technologies fail. Additionally, strong system monitoring, logging, and auditing is necessary to troubleshoot and perform any necessary forensic analysis of the system. CyberArk Privileged Session Manager enables organizations to monitor all privileged session activity in real-time so that security teams have the opportunity to rapidly detect the misuse of privileged accounts. The solution records all privileged session activity and generates detailed audit logs and video recordings that can be later reviewed by security and audit teams. Provide indications of compromised systems when signaturebased technologies fail CyberArk Privileged Threat Analytics automatically constructs a behavioral profile of privileged users and privileged accounts, and maintains a baseline profile in the system. The system then automatically looks for deviations from the baseline profiles to discover anomalous activity indicating a compromise. The solution automatically detects and scores each individual anomaly and then determines the threat level based on the correlation of events. Alerts can be sent immediately via , which include details on the incident and a link to the CyberArk Privileged Threat Analytics system, allowing the security officer to drill down and further review it. CyberArk Privileged Threat Analytics is in a constant state of learning from the environment within which it is operating (so it is not based on signature-based technologies) to improve the effectiveness of its alerting. Cyber-Ark Software Ltd. cyberark.com 5

6 Applying IT Security Controls to ICS NIST SP Revision 2 includes a comprehensive list of NIST-developed security standards and guidelines commonly used to secure traditional IT systems. Due to the unique performance, reliability and safety requirements of ICS, it is often necessary to make adaptations and extensions to these controls so they can be used effectively in the operational technology environment. This section of the solution brief will address three important control families and their application in OT environments: Access Control ( , ), Audit and Accountability (6.2.3) and Identification and Authentication (6.2.7). Access Control Access Control is the mechanism to protect information and assets from unauthorized access. The Access Control family covers policies and procedures for specifying the use of system resources by authorized users, applications or other systems. This family specifies controls for managing information system accounts. These controls govern the access and flow enforcement issues such as separation of duties, least privilege, unsuccessful login attempts, system use notification, concurrent session control, session lock, and session termination ROLE-BASED ACCESS CONTROL (RBAC). RBAC should be used to restrict ICS user privileges to only those that are required to perform each person s job (i.e., configuring each role based on the principle of least privilege). The level of access can take several forms, including viewing, using, and altering specific ICS data or device functions. RBAC tools can set, modify, or remove authorizations in applications, but they do not replace the authorization mechanism; they do not check and authenticate users every time a user wants to access an application. Restriction of ICS user privilege Utilizing the CyberArk web access portal, each user will have access to the systems that he or she is authorized to view, use or alter, with the appropriate access level for each one. Additionally, the user can select the system needed and logon without knowing or seeing the actual username or password, adding another layer of security to safeguard access credentials. The CyberArk Solution significantly reduces the usage of privileged rights within the organization through the enforcement of a least privilege policy for Windows and Unix privileged users. By enabling users to run in standard user mode and elevating the rights of individual users and applications in a controlled and pre-defined manner, organizations can realize improved security in their ICS domain. ICS device interfaces The CyberArk Priviledge Account Security solution has been proven to work with many ICS devices as an access control and privileged account management solution. Cyber-Ark Software Ltd. cyberark.com 6

7 DIAL-UP MODEMS - Ensure that default passwords have been changed and strong passwords are in place for each modem. Configure remote control software to use unique user names and passwords, strong authentication, encryption if determined appropriate, and audit logs. Use of this software by remote users should be monitored on an almost real-time frequency. The CyberArk Privileged Account Security solution provides the capability to automatically change default passwords to unique new passwords. These passwords can then be rotated on a regular schedule using automated processes. Each time a password is changed, it is generated to meet specific requirements established by the organization, eliminating errors that can occur in manual processes while meeting length, complexity and system availability requirements. The CyberArk solution also supports strong authentication and multifactor authentication to manage access of remote access users and applications into the ICS network. CyberArk Privileged Session Manager supports encryption, acting as the intermediary system in the connections between the remote access software and the target system. Aditionally, Cyberark Privileged Session Manager provides detailed remote access session recording (such as DVR-like recording) to allow for the granularity of command-level audit. This provides a mechanism of continuous monitoring and recording for real-time viewing or later playback for forensic analysis. The option to terminate the session is also available should it be determined that the current session is a threat to the system. The CyberArk Solution can integrate with various SIEM solutions to enable further visibility and real-time alerts into privileged account threats in the ICS domaim. Audit and Accountability The Audit and Accountability family of controls provides policies and procedures for generating audit records, their content, capacity, and retention requirements. The controls also provide a process to mitigate adverse issues such as audit failures or reaching audit log capacity. It is imperative that organizations have a mechanism to preserve audit data, protect it from modification and be designed to enforce non-repudiation AUDIT AND ACCOUNTABILITY - There should be a method for tracing all console activities to a user, either manually (e.g., control room sign in) or automatic (e.g., login at the application and/or OS layer). Policies and procedures for what is logged, how the logs are stored (or printed), how they are protected, who has access to the logs and how/when are they reviewed should be developed. Tracing all console activities to a single specific user is very problematic in ICS environments where shared accounts are commonly used. The anonymous, unchecked access to these accounts leaves the systems open to misuse. The CyberArk Solution removes all anonymous use of privileged accounts making sure that all activities can be traced to a specific user (internally or a third-party). Cyber-Ark Software Ltd. cyberark.com 7

8 Identification and Authentication Authentication is the process of positively identifying potential network users, hosts, applications, services, and resources using a variety of identification factors or credentials. Once positive authentication has been made, the result then becomes the basis for permitting or denying the potential users access to the system applications or resources IDENTIFICATION AND AUTHENTICATION CONTROLS - Passwords should have appropriate length and complexity for the security requirements of ICS. Privileged users passwords should be most secure and changed frequently. A password audit record, especially for master passwords, should be maintained separately from the control system. Passwords should not be sent across any network unless protected by some form of FIPS-approved encryption or salted cryptographic hash specifically designed to prevent replay attacks. Master passwords should be kept by a trusted employee, available during emergencies. Any copies of the master passwords must be stored in a very secure location with limited access. CyberArk Enterprise Password Vault provides the capability to automatically change application and user passwords to unique new passwords. The solution can rotate passwords following a regular schedule using automated processes and according to specific requirements established by the organization. The CyberArk Solution eliminates errors that can occur in manual processes while meeting length, complexity and system availability requirements. Overall, The CyberArk Solution offers the optimal balance of security and operational ease of access to critical systems. With CyberArk the passwords are secured in the CyberArk vault server, which has high-availability and disaster recovery capabilities; so there is no dependency on any human keeper of master passwords. Organizations can trust that their passwords will be readily available in critical times. Multi-factor Authentication The CyberArk Solution allows organizations to add an additional layer of authentication to existing password authentication solutions, without making any changes directly to the ICS system. The solution supports various authentication technologies such as LDAP, RSA SecurID, RADIUS, PKI, smartcards and more. CyberArk only uses a FIPS validated encryption in its communications protocol. In environments with a high risk of interception or intrusion, organizations should consider supplementing password authentication with other forms of authentication such as multi-factor authentication using biometric or physical tokens. For network service authentication purposes, passwords should not be passed as plain text. Cyber-Ark Software Ltd. cyberark.com 8

9 About CyberArk Privileged Account Security Behavioral Analytics Privileged Threat Analytics Proactive Controls, Monitoring & Management Enterprise Password Vault Management Portal / Web Access SSH Key Manager Privileged Session Manager Application Identity Manager TM Viewfinity On-Demand Privileges Manager TM Shared Technology Platform Master Policy Secure Digital Vault TM Privileged Account Security Solution CyberArk is the trusted expert in privileged account security. Designed from the ground up with a focus on security, CyberArk has developed a powerful, modular technology platform that provides the industry s most comprehensive Privileged Account Security Solution. Each product can be managed independently or combined for a cohesive and complete solution for operating systems, databases, applications, hypervisors, network devices, security appliances and more. The solution is designed for on-premises, hybrid cloud and ICS/SCADA environments. The CyberArk Privileged Account Security Solution includes the following products: Enterprise Password Vault fully protects privileged credentials based on privileged account security policy and controls for who can access which credentials, and when. SSH Key Manager prevents unauthorized access to privileged accounts protected by SSH keys. Privileged Session Manager isolates, controls, and monitors privileged user access as well as activities for critical UNIX, Linux, and Windows-based systems, databases, and virtual machines. Privileged Threat Analytics analyzes and alerts on previously undetectable anomalous privileged user behavior enabling incident response teams to disrupt and quickly respond to an attack. Cyber-Ark Software Ltd. cyberark.com 9

10 Application Identity Manager eliminates hard-coded credentials, including passwords and encryption keys from applications, service accounts and scripts with no impact on application performance. On-Demand Privileges Manager allows for control and continuous monitoring of the commands super-users run based on their role and task. Viewfinity enables organizations to remove local administrator privileges and control applications on Windows endpoints to reduce the attack surface without halting business user productivity or overwhelming IT teams. The CyberArk Privileged Account Security Solution is built on a common, Shared Technology Platform that delivers a single management interface, centralized policy creation and management, a discovery engine for provisioning new accounts, enterprise-class scalability and reliability, and the secure Digital Vault. The individual products in the CyberArk Privileged Account Security Solution integrate with the Shared Technology Platform, enabling organizations to centralize and streamline management. To help organizations get started with their privileged account security project, CyberArk offers a free assessment tool, CyberArk DNA (Discovery and Audit) that discovers and identifies privileged accounts throughout an enterprise. With a clear record of all service accounts, devices, and applications, CyberArk DNA helps organizations achieve an understanding of the size and magnitude of their privileged account security risk. Conclusion The convergence of IT and OT environments has resulted in cost-savings and operational efficiencies for critical infrastructure companies. However, this connectivity has created security vulnerabilities in industrial control systems, which were not designed to be connected to IT or the internet. The NIST SP Revision 2 Guide provides organizations with a set of traditional IT security controls that can be adapted to mitigate these vulnerabilities and meet the unique performance, reliability and safety requirements of ICS. It includes comprehensive guidelines for addressing access controls, audit and accountability and identification and authentication requirements in order to secure ICS from local and remote users. Realizing Key Benefits CyberArk is uniquely qualified to address the set of recommendations related to Privileged Account Security put forth by the NIST in this second revision to the guide. The CyberArk Solution can help to effectively and efficiently meet and exceed these standards through an integrated, full-lifecycle solution for managing privileged and shared identities, privileged sessions, as well as embedded passwords found in applications and scripts. Cyber-Ark Software Ltd. cyberark.com 10

11 All rights reserved. This document contains information and ideas, which are proprietary to Cyber-Ark Software Ltd. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, without the prior written permission of Cyber-Ark Software Ltd. Copyright by Cyber-Ark Software Ltd. All rights reserved.