CyberArk Solutions for Secured Remote Interactive Access. Addressing NERC Remote Access Guidance Industry Advisory

Table of Contents

The Challenges of Securing Remote Access ... 3
Using CyberArk's Privileged Account Security for Secured Interactive Remote Access ... 5
How Does CyberArk Address the NERC Secured Access Recommendations? ... 8
CyberArk's Privileged Session Management Product ... 10
Summary: CyberArk Solutions for addressing NERC Remote Access Guidance ... 11
About CyberArk ... 11

Cyber-Ark Software Ltd. cyberark.com 2

The Challenges of Securing Remote Access

Interactive remote access to cyber assets is a common practice, performed on a daily basis across all organizations. It is also very common in organizations that operate critical infrastructure such as Energy, Oil and Gas, Chemicals, Transportation, Pharmaceuticals and others. Parallel to the general IT environment in these organizations runs a critical Operational Technology (OT) environment, consisting of Industrial Control Systems (ICS) and other critical infrastructure. As such, remote access to an OT environment can have far more detrimental consequences than access to the general IT environment if abused. Recent findings have highlighted the vulnerabilities of this practice, leading many organizations to review the security of this access point and implement measures to mitigate the risk. One such risk is a cyber attack that takes advantage of this connectivity to inflict damage on the organization and its critical infrastructure, e.g. disrupting the power supply to a large populated area.

Besides the capability to remotely access the organization's critical infrastructure, there is another important aspect of this method: the need for a privileged account. Privileged accounts are typically shared by multiple employees for remote access to the environment, providing no accountability as to who is using them, and they are often never replaced. In many cases they carry default or weak passwords, with no structured policies to manage and enforce who has access rights and when and how the passwords should be replaced. This becomes critical when third parties have to enter the network.

"The realization of remote access vulnerabilities requires a reassessment of current practices to better manage risk."

Without the ability to track privileged account activity, organizations are exposed to:

Audit failures. Leaving remote access passwords unchanged and unaudited compromises compliance with regulations (such as NERC-CIP, PCI-DSS and others) that require organizations to ensure accountability as to who accessed privileged and shared accounts, what actions were performed, and whether passwords were protected and updated according to policy (including the frequency of password change and password strength).

Security risk. In large organizations many employees and third-party vendors know the username and password of the privileged remote access accounts; the risk of damage, whether intentional or accidental, therefore increases, and no one knows exactly who caused it.

Loss of productivity. A password that was manually changed by one of the IT or operations personnel without informing the relevant parties may cause hours of delay in recovering from a failure, along with other damage, leaving users unproductive and information inaccessible. Productivity is also hindered when there is no built-in process to easily request and approve remote access, or when the process requires unnecessary administrative overhead that prolongs it.

The issue of securing remote access into organizations has been raised as a serious focus point by multiple government regulations and industry bodies:

The National Institute of Standards and Technology (NIST) has developed standards and guidelines that cover remote access to information and control applications. NIST 800-53 requires specific authorization control, monitoring and documentation for each remote connection. NIST also published NISTIR 7628, Smart Grid Cyber Security, with specific reference to secure and authorized remote access prior to each connection.

NERC Industry Advisory: Remote Access Guidance, August 2011. In light of the vulnerabilities highlighted above, the North American Electric Reliability Corporation (NERC) published an industry advisory [1][2] in August 2011 with recommended methods for securing interactive remote access. The advisory provides detailed guidance and asks energy utilities to implement the recommendations it describes for an effective remote access solution.

The Payment Card Industry (PCI) issued the Data Security Standard (DSS), which includes specific requirements on remote access (e.g. two-factor authentication and monitoring remote usage of accounts).

The Monetary Authority of Singapore (MAS) published its Technology Risk Management (TRM) Guidelines, which require close supervision and strong controls over remote access by privileged users.

While there are multiple industry verticals and guidance papers on how to secure remote access into a critical network, we chose to focus on the NERC recommended guidelines since they appear to be the most detailed and the most relevant to critical infrastructure.

Some of the most common use cases include:

- A company employee on the corporate network needs occasional access to data that resides on the critical network. This access could be a read-only operation or an interactive session.
- Emergency and off-hours activities that require a company employee to connect to the Industrial Control System (ICS) network through an Internet connection.
- Third-party contractor personnel connecting remotely over an Internet-based connection to perform maintenance or support on the ICS network.
- Field maintenance employees connecting through a mobile (public network based) connection from the field.

[1] NERC Industry Advisory: Remote Access Guidance, August 2011 - www.nerc.com/fileuploads/file/events Analysis/A-2011-08-24-1-Remote_Access_Guidance-Final.pdf
[2] NERC Guidance for Secure Interactive Remote Access, July 2011 - www.nerc.com/fileuploads/file/events Analysis/FINAL-Guidance_for_Secure_Interactive_Remote_Access.pdf

Using CyberArk's Privileged Account Security for Secured Interactive Remote Access

Many organizations that manage critical infrastructure operate at least two enterprise networks. The first is the general corporate network, used by all employees for common applications such as e-mail, productivity applications and various business applications. This network is usually extensively connected to the Internet, linking partners, customers and so on. The second network is used for connecting to, monitoring and controlling the critical operational systems. For energy utilities, this includes SCADA, Industrial Control Systems, Energy Management Systems and other applications that monitor and control the actual generation, transmission and distribution of electric power. This network is separated from the corporate network, with an Electronic Security Perimeter established around the Cyber Assets, enforcing regulations and, especially, preventing unauthorized access.

The two networks are usually connected through a DMZ network, which employs firewalls and other security controls to protect the operational networks and limit the communications between the networks to permitted sessions only (see Figure 1). While several network configurations may be employed, this paper describes a specific configuration, which is very common and considered best practice.

[Figure 1 - CyberArk Architecture in securing Remote Access. The figure shows the Corporate Network and the Internet connecting into the DMZ (1), passing through the DMZ Firewall (2) to the PSM server, logging into CyberArk's Privileged Account Security Solution (3: Password Vault and Session Recording), and session initiation (4) through the ICS Firewall into the ICS Network: Databases, UNIX Servers, Windows Servers, Routers and Switches, SCADA Devices.]

1. Connecting into the DMZ - A remote user connecting over the Internet will usually use the corporate VPN service to reach the DMZ network. A user connecting from the enterprise network will usually have a direct connection to the DMZ network. The VPN usually implements encryption and multi-factor authentication to ensure that the remote user's connection to the corporate/DMZ network is made securely and in line with the NERC remote access recommendations.

2. Connecting through the DMZ Firewall - All incoming traffic from the DMZ (whether from the corporate network or the Internet) must pass through the DMZ firewall. This firewall only lets through traffic directed to the Privileged Session Management (PSM) server, so any other traffic that tries to bypass PSM is blocked at the firewall. The PSM server acts as the single entry point into the network, through which access to privileged accounts can be controlled and monitored.

3. Logging into CyberArk's Privileged Account Security Solution - The remote user connects to the CyberArk web portal, with the option of strong authentication (such as RSA SecurID, RADIUS and LDAP). After logging into the portal, each user can see and access only the systems he is entitled to. The user chooses the system he needs and logs on without knowing or seeing the actual username or password. This is especially important when third-party contractors need to connect to the network: letting them connect securely without divulging the privileged credential has security and productivity benefits for the enterprise. Because the password is never exposed, it never reaches the client's endpoint, which keeps the privileged credential secure even if an endpoint has been compromised.

By employing CyberArk's solution, multiple users can use the same privileged and shared account, while each individual user remains accountable for their actions through a detailed audit log.

[Figure 2 - PSM Architecture in securing Remote Access]

The NERC guidance for secure interactive remote access [3] also describes a scenario in which the control room supervisor needs to provide a third-party vendor with a token so that the vendor can connect to the organization's VPN. CyberArk solutions improve this process by enforcing control and management workflows for handling requests for remote access into the critical networks, thereby saving time and resources. All approval processes are logged, and activity is monitored and securely stored in a tamper-proof Digital Vault.

[3] NERC Industry Advisory: Remote Access Guidance, August 2011 - www.nerc.com/fileuploads/file/events Analysis/A-2011-08-24-1-Remote_Access_Guidance-Final.pdf

4. Session initiation to the target system - Once the user clicks the connect button within the web portal, a secure connection is established between his endpoint and the PSM server, and from there to the target machine. The PSM server acts as a proxy to the target system, retrieving the privileged credential and connecting to the target device without disclosing it. The credentials never reach the end user's station and so remain secure, while the target machine is isolated from any malware that may exist on the endpoint. A session to the target system is now open (using protocols such as RDP, SSH or others) and the remote user can perform the tasks at hand. The ICS-facing firewall only lets incoming traffic that originates from the PSM server through to the ICS network, so that no other communication is allowed. This configuration ensures that the PSM acts as an Intermediate Device (ID) and that no direct communication to the ICS network is possible.

With PSM, every privileged session is recorded, providing continuous monitoring for real-time viewing or playback for forensic analysis. The supervisor also has the option to terminate the session if he decides that the current session is a threat to the system. PSM does not require agent installation, so there is zero footprint on target machines and no performance overhead on target systems.

The NERC industry advisory letter recommends logging and monitoring all user activity on the proxy server. PSM addresses this recommendation by creating a DVR-style recording of the entire session and enabling command-level audit, so that privileged actions can be searched for and the recording watched from that point in time. PSM stores the recordings and the audit data in the tamper-proof Digital Vault in a highly compressed format (approx. 200kb/min for GUI sessions and 70kb/min for console sessions).

A complete session recording provides crucial forensic information for understanding exactly which actions occurred during the session, in an easy-to-understand context. Session events are written as part of the session recording and can also be sent to any Security Information and Event Management (SIEM) solution for further analysis, real-time alerting and correlation with other security-related information.
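The two-perimeter rule set that steps 2 and 4 describe (the DMZ firewall admits only traffic to the PSM server; the ICS firewall admits only sessions the PSM server itself originates) is easy to state and easy to get wrong in a real rule base. The script below is an added example, not CyberArk's code and not part of the original paper: it encodes that intent as two small policy functions and evaluates constructed candidate flows against them, the kind of check a reviewer runs before a firewall change ships. The address ranges, the portal port (443), the set of brokered session ports (22 and 3389) and the requirement that Internet users arrive through the VPN pool are all assumptions made for the example; the paper only says remote users usually use the corporate VPN and that the firewalls restrict traffic to the PSM server.

```python
"""Two-perimeter flow policy for the PSM-in-DMZ pattern (added example, not CyberArk's code)."""
import ipaddress
from dataclasses import dataclass

# Constructed lab addressing (assumption, not from the paper).
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "vpn_pool":  ipaddress.ip_network("10.20.0.0/24"),   # addresses handed out by the corporate VPN
    "dmz":       ipaddress.ip_network("172.16.5.0/24"),
    "ics":       ipaddress.ip_network("192.168.100.0/24"),
}
PSM_SERVER = ipaddress.ip_address("172.16.5.10")   # the Privileged Session Management host (assumed)
PSM_PORTAL_PORTS = {443}                            # web portal on PSM (assumed port)
PSM_TO_ICS_PORTS = {22, 3389}                       # SSH / RDP sessions PSM opens to targets (assumed)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(addr):
    """Map an address to one of the named zones; anything unmatched is the Internet."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def dmz_firewall(flow):
    """Perimeter 1: anything entering the DMZ must terminate on PSM's portal port.
    Raw Internet sources are not admitted; they must arrive via the VPN pool."""
    if zone_of(flow.src) not in ("corporate", "vpn_pool"):
        return False, "dmz-fw: source must be corporate or VPN-terminated"
    if ipaddress.ip_address(flow.dst) != PSM_SERVER or flow.dport not in PSM_PORTAL_PORTS:
        return False, "dmz-fw: only the PSM portal is reachable"
    return True, "dmz-fw: allow to PSM"


def ics_firewall(flow):
    """Perimeter 2: only sessions PSM itself originates may enter the ICS network."""
    if ipaddress.ip_address(flow.src) != PSM_SERVER:
        return False, "ics-fw: source is not the intermediate device"
    if zone_of(flow.dst) != "ics" or flow.dport not in PSM_TO_ICS_PORTS:
        return False, "ics-fw: destination/port is not a brokered session"
    return True, "ics-fw: allow brokered session"


def evaluate(flow):
    """Route the flow to the perimeter it crosses; default deny elsewhere. Returns (allowed, reason)."""
    dst_zone = zone_of(flow.dst)
    if dst_zone == "dmz":
        return dmz_firewall(flow)
    if dst_zone == "ics":
        return ics_firewall(flow)
    return False, "no perimeter rule matches (default deny)"


# Constructed sample flows covering the cases a reviewer cares about.
SAMPLE_FLOWS = [
    Flow("10.10.4.21", "172.16.5.10", 443),      # engineer on corporate LAN -> PSM portal
    Flow("10.20.0.7", "172.16.5.10", 443),       # VPN-connected contractor -> PSM portal
    Flow("203.0.113.9", "172.16.5.10", 443),     # direct Internet -> PSM without VPN: denied
    Flow("10.10.4.21", "192.168.100.15", 22),    # engineer tries SSH straight into ICS: denied
    Flow("172.16.5.10", "192.168.100.15", 22),   # PSM-brokered SSH into ICS: allowed
    Flow("172.16.5.10", "192.168.100.15", 502),  # PSM to a non-brokered port: denied
    Flow("172.16.5.99", "192.168.100.15", 3389), # another DMZ host tries RDP into ICS: denied
]


def audit(flows=SAMPLE_FLOWS):
    """Evaluate every flow; returns [(flow, allowed, reason)]."""
    return [(f, *evaluate(f)) for f in flows]


if __name__ == "__main__":
    for f, ok, why in audit():
        print(f"{'ALLOW' if ok else 'DENY ':5} {f.src:>15} -> {f.dst}:{f.dport:<5} {why}")
```

Only three of the seven constructed flows are admitted: the two portal logins and the one session that PSM itself opens. Every path that skips the intermediate device, including a host that sits in the DMZ next to PSM, is refused, which is the property the paper's "single entry point" claim depends on.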

How Does CyberArk Address the NERC Secured Access Recommendations?

1. NERC requirement: Using encrypted and securely authenticated access controls when interactively remotely accessing control and monitoring systems.
   CyberArk solution: CyberArk's solutions are based on a highly secure infrastructure using its patented Vaulting Technology to store, protect and log access to privileged accounts. With multiple layers of security, the Digital Vault provides comprehensive security capabilities for authentication, session encryption, tamper-proof audit and data protection. CyberArk also seamlessly integrates with other encryption and authentication tools for stronger authentication.

2. NERC requirement: Utilization of multi-factor (two or more factors) authentication when authenticating users of interactive remote access.
   CyberArk solution: CyberArk supports various forms of authentication, including RSA SecurID, Web Single Sign-On (SSO), RADIUS, PKI, smartcards and more.

3. NERC requirement: Provision of specific and personal accounts, which are used for remote access.
   CyberArk solution: CyberArk's solution provisions personal accounts for accessing the Privileged Account Security Solution and creates accountability for the usage of every privileged account. Users can also transparently connect to a target system they are entitled to access without the privileged credential being shown upon remote connection.

4. NERC requirement: Implementation of an intermediate device as a VPN/encryption termination device and multi-factor authentication device.
   CyberArk solution: CyberArk's PSM is an intermediate device: all remote connections are routed to the PSM server, and new sessions are then opened from it to the target devices.

5. NERC requirement: Implementing an inactivity timeout to automatically disconnect the remote interactive access after a pre-defined period of inactivity.
   CyberArk solution: With CyberArk's PSM you have full session control: you can set time periods for defined session connection times and enable session disconnection after a pre-defined period of inactivity.

6. NERC requirement: Implementing logging and monitoring of all user activity, including file transfers and program activation, at the access point, as part of the proxy server, or with a specialized device for accountability.
   CyberArk solution: Full logging and monitoring is available with PSM, including both real-time monitoring and screen recording for comprehensive forensic analysis or change management review. PSM supports keystroke logging and command-level audit of SSH and SQL sessions, where the session can be played back from the specific point in time at which a defined privileged command occurred. Real-time monitoring also enables the termination of sessions if necessary.

7. NERC requirement: Implementing an account lockout feature such that an account is locked out for a period of time following a pre-determined number of repetitive, unsuccessful login attempts.
   CyberArk solution: Multiple failures result in account lockout, and the threshold can be pre-defined in the policy.
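Items 5 and 7 in the table are controls that any session broker has to implement correctly, and the details (does a correct password during the lockout window reset it, does activity on a disconnected session revive it, is there an absolute session cap as well as an idle one) are where implementations differ. The class below is an added example, not CyberArk's code or a description of how PSM implements these settings: it models an account-lockout counter and an idle/maximum-length session sweep with a clock passed in explicitly, so the behaviour can be reasoned about without waiting in real time. The threshold values are assumed policy settings, not values from the paper.

```python
"""Inactivity timeout and account lockout for a brokered remote session (added example, not CyberArk's code)."""
from dataclasses import dataclass

# Assumed policy values (not from the paper).
MAX_FAILED_LOGINS = 3            # item 7: failures before lockout
LOCKOUT_SECONDS = 15 * 60        # item 7: how long the account stays locked
IDLE_TIMEOUT_SECONDS = 10 * 60   # item 5: disconnect after this much inactivity
MAX_SESSION_SECONDS = 4 * 3600   # item 5: absolute cap on a session's lifetime


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0    # epoch seconds; 0 means not locked


@dataclass
class Session:
    user: str
    started_at: float
    last_activity: float
    active: bool = True
    end_reason: str = ""


class AccessBroker:
    def __init__(self):
        self.accounts = {}      # user -> AccountState
        self.sessions = []      # every session ever opened, active or not
        self.events = []        # audit trail; in a real deployment this goes to the vault / SIEM

    def _acct(self, user):
        return self.accounts.setdefault(user, AccountState())

    def login(self, user, password_ok, now):
        """Item 7: count consecutive failures and lock for LOCKOUT_SECONDS after the Nth.
        A correct password during the lockout window is still refused. Returns a Session or None."""
        acct = self._acct(user)
        if now < acct.locked_until:
            self.events.append(f"{now:.0f} {user} login refused: locked out")
            return None
        if not password_ok:
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_LOGINS:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failed_attempts = 0
                self.events.append(f"{now:.0f} {user} locked out for {LOCKOUT_SECONDS}s")
            else:
                self.events.append(f"{now:.0f} {user} login failed ({acct.failed_attempts})")
            return None
        acct.failed_attempts = 0          # a successful login resets the counter
        s = Session(user=user, started_at=now, last_activity=now)
        self.sessions.append(s)
        self.events.append(f"{now:.0f} {user} session opened")
        return s

    def activity(self, session, now):
        """Any keystroke or screen update refreshes the idle timer, but only on a live session."""
        if session.active:
            session.last_activity = now

    def sweep(self, now):
        """Item 5: periodic check that disconnects idle or over-long sessions."""
        for s in self.sessions:
            if not s.active:
                continue
            if now - s.last_activity >= IDLE_TIMEOUT_SECONDS:
                s.active, s.end_reason = False, "idle timeout"
            elif now - s.started_at >= MAX_SESSION_SECONDS:
                s.active, s.end_reason = False, "max session length"
            if not s.active:
                self.events.append(f"{now:.0f} {s.user} disconnected: {s.end_reason}")


def demo():
    """Constructed scenario: three bad passwords, a refused correct password during lockout,
    a session opened once the lock expires, then an idle disconnect. Returns the broker."""
    b = AccessBroker()
    t = 1_000_000.0
    for i in range(3):
        b.login("vendor1", password_ok=False, now=t + i)           # third failure locks at t+2
    b.login("vendor1", password_ok=True, now=t + 10)               # correct password, still locked
    s = b.login("vendor1", password_ok=True, now=t + LOCKOUT_SECONDS + 5)   # lock has expired
    b.activity(s, now=s.started_at + 300)
    b.sweep(now=s.last_activity + IDLE_TIMEOUT_SECONDS - 1)        # one second short of idle limit
    b.sweep(now=s.last_activity + IDLE_TIMEOUT_SECONDS)            # idle limit reached: disconnect
    return b


if __name__ == "__main__":
    for line in demo().events:
        print(line)
```

Two design points worth noting when reviewing any broker's implementation of these items: the lockout is enforced before the password is checked, so an attacker who guesses correctly inside the window learns nothing, and the sweep tests the idle limit before the absolute limit, so the audit trail records the more specific reason.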

Additional capabilities of CyberArk's Privileged Account Security Solution include:

Security and Audit
- Centralized audit and compliance management through built-in audit-ready reports and self-serve access for auditors
- Highly secure repository utilizing FIPS 140-2 validated cryptography for storing all audit logs and recorded sessions
- Privacy regulation support, allowing on-screen user notification when a session is being recorded
- Search for privileged events with point-in-time viewing within a session recording

Enterprise Readiness
- Highly scalable, with load balancing/high availability and DR support
- Distributed architecture with central management and storage, ideal for multi-network and multi-site environments, with a single administration, audit and monitoring interface
- Integration with enterprise infrastructure, including strong authentication (2-factor, SecurID, RADIUS, PKI, LDAP and more), monitoring and SIEM integration, SNMP, Syslog and SMTP, built-in HA/DR architecture and much more

Integrating with the CyberArk Shared Technology Platform
- Common infrastructure and single policy for managing/accessing shared privileged accounts and monitoring privileged sessions
- Single interface for auditors to review privileged account policies and reports or launch session recordings
- Manage administrator credentials and monitor sessions on sensitive web-based applications or configuration interfaces
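The "search for privileged events with point-in-time viewing" capability above, together with the Syslog/SIEM integration, comes down to one piece of plumbing: a command-level index over the session recording that can say where in the recording a privileged command occurred and emit that event in a form a SIEM can correlate. The script below is an added example, not CyberArk's code and not PSM's recording format: it indexes a constructed SSH console recording, flags commands that match a reviewer-defined list of privileged patterns, converts each hit into an HH:MM:SS playback offset, and renders it as an RFC 5424-style syslog line whose timestamp is derived from the session start so it lines up with other log sources. The session metadata, the recording contents, the pattern list and the syslog fields are all constructed for illustration.

```python
"""Command-level audit over a recorded console session, with SIEM export (added example, not CyberArk's code)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed session metadata (assumption).
SESSION = {
    "id": "sess-0001",
    "user": "jdoe",                 # the personal account that is accountable
    "target_account": "root",       # the shared privileged account the broker injected
    "target": "scada-hist-01",
    "protocol": "SSH",
    "started": datetime(2014, 3, 5, 14, 2, 17, tzinfo=timezone.utc),
}

# Constructed recording: (seconds since session start, event kind, payload).
RECORDING = [
    (0.0,   "cmd", "hostname"),
    (4.2,   "out", "scada-hist-01"),
    (11.8,  "cmd", "tail -n 50 /var/log/historian.log"),
    (63.5,  "cmd", "sudo systemctl restart historian"),
    (70.1,  "out", "[ok] historian restarted"),
    (131.0, "cmd", "useradd -m tmpvendor"),
    (135.4, "cmd", "passwd tmpvendor"),
    (180.9, "cmd", "exit"),
]

# Commands a reviewer wants flagged; anchored on the command word so output text is not matched.
PRIVILEGED_PATTERNS = [
    re.compile(r"^(sudo|su)\b"),
    re.compile(r"^(useradd|userdel|usermod|passwd)\b"),
    re.compile(r"^(systemctl|service)\s+(restart|stop|start)\b"),
    re.compile(r"^(iptables|nft)\b"),
]


def find_privileged_events(recording=RECORDING, patterns=PRIVILEGED_PATTERNS):
    """Return [(offset_seconds, command)] for typed commands matching a privileged pattern.
    Output lines ('out') are skipped so that echoed text cannot trigger a false hit."""
    hits = []
    for offset, kind, payload in recording:
        if kind != "cmd":
            continue
        if any(p.search(payload) for p in patterns):
            hits.append((offset, payload))
    return hits


def playback_position(offset):
    """Offset into the recording as HH:MM:SS, i.e. where to start playback."""
    whole = int(offset)
    return f"{whole // 3600:02d}:{(whole % 3600) // 60:02d}:{whole % 60:02d}"


def to_syslog(session, offset, command):
    """RFC 5424-style line for a SIEM. PRI 110 = facility 13 (log audit) * 8 + severity 6 (info).
    Absolute time is session start + offset so the event correlates with other sources."""
    when = session["started"] + timedelta(seconds=offset)
    sd = (f'[psmaudit session="{session["id"]}" user="{session["user"]}" '
          f'target="{session["target"]}" account="{session["target_account"]}" '
          f'proto="{session["protocol"]}" offset="{playback_position(offset)}"]')
    return f"<110>1 {when.isoformat()} psm-01 psm - PRIVCMD {sd} {command}"


def export(session=SESSION, recording=RECORDING):
    """One syslog line per privileged command found in the recording."""
    return [to_syslog(session, off, cmd) for off, cmd in find_privileged_events(recording)]


if __name__ == "__main__":
    for line in export():
        print(line)
```

The event carries both the accountable personal user and the shared target account, which is exactly the pairing the table's item 3 asks for; a SIEM rule can then alert on, say, account-creation commands issued through a vendor's session, and an auditor can jump straight to the offset in the recording.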

CyberArk's Privileged Session Management Product

CyberArk's Privileged Session Management is a central control point for protecting target systems that require privileged (administrator) access by remote and local users across the organization. It complements CyberArk's market-leading Privileged Account Security Solution, an enterprise-class, unified, policy-based solution that secures, manages and enforces policies and workflows for all privileged and shared accounts. CyberArk Privileged Account Security Solutions share a common, pre-integrated shared technology platform for continuous protection, risk management and compliance around privileged access and session initiation across the organization. The solution supports the needs of both IT and industrial control operations.

CyberArk enables organizations to implement 7 out of the 10 NERC recommendations for securing remote interactive access.

[Figure 3 - Protect Critical Assets with the CyberArk Privileged Account Security Solution. Users shown: Unix and Windows Admins, Control Room Operators, DBAs, 3rd Party Contractors, Auditor/Security & Risk, Remote Vendor Support. Protected assets shown: Servers, Databases, SCADA Devices, Network Devices, Security Appliances, Applications, RTUs/PLCs.]

Summary: CyberArk Solutions for addressing NERC Remote Access Guidance

CyberArk's Privileged Account Security Solution is a comprehensive solution for password management, continuous activity monitoring and compliance of privileged access to the OT/ICS environment. Using a common infrastructure, organizations can isolate, control and monitor all privileged sessions, whether on servers, databases or virtual machines, providing both ease of management and unified reports at audit time. This allows you to control and secure all privileged activity in a single solution.

The NERC advisory details the best practice and recommended ways to secure interactive remote access into critical networks, and in this paper we have shown how the CyberArk Privileged Account Security Solution provides a way to implement the NERC recommendations. CyberArk's unified solution also goes beyond the requirements for securing remote interactive access to address other requirements defined by NERC. For example, the NERC CIP v4 standard defines requirements for account management, including implementation of the need-to-know concept, proper management of shared accounts, sufficient logging of users' activities to create historical audit trails, and the changing of factory default accounts. These requirements are enforced by pre-defined policies and workflows in CyberArk's solution, enabling continuous compliance with NERC-CIP.

About CyberArk

CyberArk Software is a global information security company that specializes in protecting and managing privileged users, sessions, applications and sensitive information to improve compliance and productivity and to protect organizations against insider threats and advanced external threats. With its award-winning Privileged Account Security Solution, organizations can more effectively manage and govern data center access and activities, whether on-premise, off-premise or in the cloud, while demonstrating returns on security investments. CyberArk works with over 1500 customers, including more than 30 of the Fortune 100. Headquartered in Newton, Mass., CyberArk has offices and authorized partners in North America, Europe and Asia Pacific. For more information, please visit www.cyberark.com

All rights reserved. This document contains information and ideas, which are proprietary to Cyber-Ark Software Ltd. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, without the prior written permission of Cyber-Ark Software Ltd. Copyright 2000-2014 by Cyber-Ark Software Ltd. All rights reserved.