Critical Infrastructure Protection for the Energy Industries
Building Identity Into the Network
Executive Summary

Organizations in the oil, gas, and power industries are under increasing pressure to implement tougher protections for critical cyber assets. Industry standards and government regulations are driving many of these requirements. Increasingly, organizations in the energy industries are converging business and supervisory command and control traffic onto common network infrastructures to improve efficiencies. In this converged environment, defending enterprise networks is an imperative for critical infrastructure protection.

Traditional enterprise network protection strategies focus on protecting the network perimeters with firewalls, DMZs, and border and screening router ACLs. Over time, however, enterprise network boundaries have become increasingly porous. Enterprise networks now extend to remote sites, local offices and wireless networks while VPNs and virtualization solutions make access to enterprise networks possible from virtually anywhere. Protecting the perimeter is no longer a sufficient strategy for enterprise network protection.

Applied Identity's Identisphere leverages identity aware networking to provide a simple and elegant solution to the problem of critical infrastructure protection. With the Identisphere solution, a gateway appliance deploys within the enterprise network and enforces access policies to traffic to and from protected resources. These policies can be defined based on user identities and attributes managed in enterprise directories. As a result, only users authorized to access sensitive resources can see those resources on the network, and traffic from unauthenticated or unauthorized users is blocked at the gateway. Identiforce implements network-level policy enforcement that complements application-level controls and helps address regulatory requirements.

Applied Identity's Identisphere deploys into existing networks and does not require expensive rip-and-replace or rearchitecting of network infrastructure.
System reengineering is also unnecessary since controls are applied at the network layer and are transparent to applications. Identisphere logs access and enforcement activities and provides customizable reporting capabilities for usage monitoring and auditing. Identisphere delivers these benefits with an easy-to-administer, firewall-like interface and policy rules, utilizing the existing enterprise directory service to provide administrators with centralized identity and policy management.

One of the largest petroleum companies in the world deployed Applied Identity's Identisphere to meet its critical infrastructure protection requirements. With a distributed network extending to refineries and extraction facilities, the company recognized the need to protect the critical assets in place at these remote locations from unauthorized access, as well as protect its enterprise network from potential penetration attacks targeting these facilities. Identisphere delivered exceptional time-to-value for this company with a solution that was completely transparent to the existing systems, applications and users.

Challenge of Securing Critical Assets

In the oil, gas and power industries, critical infrastructure vulnerabilities can potentially translate into major service disruptions and public safety concerns. As a result, organizations in these industries are under increasing pressure to implement tougher standards for protecting their critical cyber assets. Many of these requirements are being driven by industry standards and government regulations. The language from the United States Federal Energy Regulatory Commission's most recent Mandatory Reliability Standards for Critical Infrastructure Protection and the NERC's CIP Reliability Standards reflects the challenges these industries face. For example, the CIP-007 standards require:

    R2. Ports and Services
    The Responsible Entity shall establish and document a process to ensure that only those ports and services required for normal and emergency operations are enabled.
    R2.1. The Responsible Entity shall enable only those ports and services required for normal and emergency operations.
    R2.2. The Responsible Entity shall disable other ports and services, including those used for testing purposes, prior to production use of all Cyber Assets inside the Electronic Security Perimeter(s).
    R2.3. In the case where unused ports and services cannot be disabled due to technical limitations, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure or an acceptance of risk.

Under these rules, organizations are required to establish and document processes for controlling access to all ports and services in their cyber infrastructure, have the flexibility to adapt controls for tests and emergency operations, and be capable of demonstrating their compliance with these regulations to management and third parties. Clearly, implementing these capabilities into existing applications and network infrastructures is a daunting task.
This paper describes how Applied Identity's identity aware network solutions can be deployed to address these requirements without replacing network infrastructures or reengineering existing software and systems.

The highly distributed nature of the energy industry makes infrastructure protection challenging.

Limitations of Traditional Strategies

Originally, components making up critical infrastructures were segmented onto their own, physically distinct networks. This meant that network elements responsible for supervisory control and data acquisition functions such as switches, valves, pressure monitors, and the like, were physically segregated from business networks. Because of the protection afforded by such physical isolation, building extensive security into these components was not a priority for manufacturers or customers.

In recent years, however, this situation has changed as organizations have come to appreciate the economic benefits of converging data on their business and supervisory control networks. Today it is not uncommon to find control and monitoring data for an oil pipeline aggregated into a local field office, or enterprise networks extending to a refinery or oil rig and carrying both business and command-and-control traffic. Because of this network convergence, effectively securing critical infrastructures in these environments has come to rely heavily on protecting the enterprise network.

Traditional enterprise network protection strategies focus on defending the network perimeter. These protection strategies include approaches such as firewalls, DMZs, and border and screening router ACLs. Such controls are designed to keep the bad guys from gaining access to the internal network. Industry veterans sometimes describe this approach as "hard and crunchy outside, soft and chewy inside."

One problem with relying exclusively on perimeter protection solutions is that enterprise network boundaries have become increasingly porous. Extending enterprise networks to remote sites, local offices, wireless networks and semi-public locations exposes networks to new threats and introduces new points of vulnerability.
VPNs create many potential modes for remote users to access enterprise networks from home computers, laptops and mobile devices. Application virtualization solutions are becoming an increasingly popular approach for reducing operational costs and improving users' experience; however, they also bring the potential to effectively turn external threats into internal threats. Perimeter network protection is necessary, but not sufficient, to meet the challenges presented in securing today's networks and applications.

Infrastructure protection approaches have been introduced which seek to address the limitations of perimeter protection strategies. These effectively move the focus for protection off of the perimeter and into the network. All, however, have their limitations. For example, network partitioning, either physical or virtual, has been used to segregate critical assets from the general enterprise network. These solutions can require network infrastructure upgrades or rearchitecture, however, and may not lend themselves to protecting critical assets in remote locations. Solutions using role-based access control (RBAC) seek to leverage application security to restrict user access to resources. However, these solutions can be expensive and time-consuming to deploy and cumbersome to manage as new applications are deployed and roles proliferate throughout the organization.

Protecting Assets with Identity Aware Network Solutions

Identisphere from Applied Identity addresses the challenge of critical infrastructure protection with an identity aware network solution. Identity aware networking leverages enterprise identities to effectively protect networks from the inside. With Identisphere, a client agent or hosted gateway authenticates the user against the organization's existing enterprise directory. All subsequent network traffic bound for protected resources originating from the user's client is then securely tagged with the user's identity information.
Applied Identity's gateway appliance, ID-Enforce, deploys in front of protected resources, applying access policies to traffic bound for those resources. The ID-Enforce gateway consults the enterprise directory to apply the required access policies and strips the secure identity tag from the network traffic, making the solution completely transparent to applications and networking devices. The Identisphere Manager provides centralized administration and monitoring of access policies and makes policy definition and reporting easy.

With Applied Identity's Identisphere solution, protected resources are accessible only to privileged users.

Applied Identity's Identisphere is a simple and elegant solution to the problem of protecting critical infrastructure and demonstrating compliance. With Identisphere, only users authorized to access sensitive resources can see those resources on the network. Traffic from unauthenticated or unauthorized users is blocked at the ID-Enforce gateway. The Identisphere solution introduces network-level access policy enforcement that complements application-level controls and in many cases negates the need to re-engineer applications to address compliance requirements. Identiforce's logging and reporting capabilities make it easier for organizations to respond to compliance audits. Also, since network and application controls remain independent, the solution presents an easy approach to implementing the separation of duties required in many regulated environments.

Maintaining continuity of operations in the event of an emergency is a major concern for organizations responsible for critical infrastructures. Identisphere's directory-based approach to policy management provides the flexibility to adapt controls for tests and emergency operations. Identisphere Manager, Identisphere's administrative component, has the ability to determine and suggest policy rules based on monitored network traffic. Identisphere Manager then allows administrators to simulate the impact of a given set of policy rules on live network traffic without actually performing the policy enforcement.
This capability enables teams to define new policy rules and evaluate their impact on operations on the fly, during live testing exercises, for example. In this way, administrators may build network access policies for normal and emergency operational scenarios which can be managed in the directory and executed at a moment's notice.

Applied Identity's Identisphere brings superior ease and time-to-value to the challenge of critical infrastructure protection. With Identisphere, there is no need for expensive rip-and-replace or rearchitecting of network infrastructure. System reengineering is also unnecessary since controls are applied at the network layer and are transparent to applications. Management of access privileges and policies is centralized through the directory service, and administration is simplified with an easy-to-use, firewall-like interface.

Customer Case Study

Recently, one of the largest petroleum companies in the world needed to improve critical asset protection at its remote refineries and extraction facilities. The company had far-flung operations in remote, relatively unpopulated areas. Many of these locations housed critical process control infrastructure and were locally maintained by a handful of employees. To complicate matters from a security perspective, enterprise networks extended to these remote locations for the purpose of providing supervisory process control and data acquisition. The company recognized the need to protect the critical assets in place at these remote locations from unauthorized access, as well as protect the enterprise networks from potential penetration attacks targeting these facilities.

This oil company leveraged Applied Identity's Identisphere to meet its critical infrastructure protection requirements. Their strategy was to deploy a high-availability pair of ID-Enforce appliances at remote locations to control and monitor network access to critical assets at the site. Lightweight agents were deployed on clients only for those users who needed access to those resources, and user authentication was transparent to these users through integration with Windows authentication. The result was that only authenticated and authorized users could access the critical assets on the network and they were rendered invisible to everyone else.

The Identisphere solution provided exceptional time-to-value for this company's deployment. Since enforcement was accomplished at the network level, it was completely transparent to the existing systems and applications. The solution also had the advantage of having a low user impact. Only those users who required access to the critical assets required installation of a client agent, and the authentication experience was completely transparent for those users, negating any requirement for additional user training. Likewise, management of the solution was streamlined through centralized administration of users and access privileges through the enterprise directory services. Finally, Identisphere's access logging and reporting capabilities made it easy to track network access to critical resources on an individual user basis and generate reports to demonstrate policy compliance when needed.

Summary

Identity aware networking provides a superior solution to the challenge of protecting critical infrastructure assets in the energy industry. Applied Identity's Identisphere delivers the power of identity aware networking to augment traditional asset protection approaches by moving accountability and enforcement inside the enterprise network. The Identisphere solution deploys quickly into existing infrastructures with no reengineering of existing systems and applications required. It enables easy, centralized administration with directory-based identity and policy management and protects network assets with no change in user experience.

About Applied Identity
Building Identity into the Network

Applied Identity's identity aware network solutions deploy rapidly into existing infrastructures to reduce administrative overhead, protect critical assets and address your compliance initiatives. Organizations use Applied Identity's solutions to:

  - Support compliance efforts such as GLBA, PCI, HIPAA, FISMA, NERC and EU Privacy Directives.
  - Provide enterprise network access to contractors and others through guest networking solutions.
  - Protect critical infrastructures and defend enterprise networks from breaches at remote sites and foreign offices.
  - Ease the burden of network audits with automated reporting.

Founded in 2004, Applied Identity is the only vendor to provide a complete policy lifecycle management solution enabling global policy creation and network-level enforcement based on user identity. Applied Identity's solutions:

  - Save time by deploying rapidly into existing infrastructures.
  - Save money by reducing administrative overhead and easing compliance burdens.
  - Save networks by applying the power of identity aware networking to protect networks from the inside.
  - Add security and accountability to your enterprise network.

For more information about Applied Identity and our solutions, or to schedule a FREE Network Activity Assessment, please see our website at www.appliedidentity.com

2009 Applied Identity, Inc. All rights reserved. Applied Identity, Applied Identity Logo, Identisphere, ID-Unify, ID-Audit, ID-Policy, and ID-Mark are trademarks of Applied Identity, Inc.