Securing Critical Infrastructure: The Vital Role of User Access Control and IAM in OT
In an era where technology integrates seamlessly with operational processes, the importance of robust user access control and identity and access management (IAM) cannot be overstated. As operational technology (OT) environments evolve, they become more susceptible to cyber threats, making it imperative to safeguard these critical infrastructures. Authorisation serves as the gatekeeper, ensuring that only authorised individuals can access sensitive systems and data, thereby mitigating the risk of unauthorised intrusions and potential disruptions.
Proper user hygiene, which involves regular updating and monitoring of access credentials, plays a crucial role in maintaining the integrity of OT environments. By adhering to best practices such as role-based access control, multi-factor authentication, and regular audits, organizations can not only enhance their cybersecurity posture but also ensure compliance with industry standards and regulations like IEC 62443 and NIS2.
In essence, the meticulous management of user access rights is not just a technical necessity but a strategic imperative that fortifies the operational resilience and security of critical infrastructure systems.
What do the regulations say about authorisation in OT?
IEC 62443
The IEC 62443 standard, specifically FR2 (Foundational Requirement 2), focuses on User Access Control.
- Role-Based Access Control (RBAC): This ensures that users have access only to the information and resources necessary for their roles. It minimizes the risk of unauthorised access and potential misuse.
- Policy-Based Access Control: This involves defining and enforcing policies that govern how access is granted and managed. It ensures that access decisions are consistent and aligned with organizational policies.
- Authentication: Strong authentication mechanisms are required to verify the identity of users before granting access. This can include passwords, biometrics, or multi-factor authentication (MFA).
- Authorisation: Once authenticated, the system determines what resources and actions the user is allowed to access and perform. This is based on predefined roles and policies.
- Audit and Accountability: The standard emphasizes the importance of logging and monitoring access attempts and actions. This helps in detecting and responding to any unauthorised or suspicious activities.
By implementing these controls, organizations can significantly enhance the security of their OT environments and protect against insider threats and external attacks.
NIS2
NIS2 emphasizes the importance of Identity and Access Management (IAM) to enhance cybersecurity across various sectors. Here are some key points:
- Role-Based Access Control (RBAC): Ensures that users have access only to the information and resources necessary for their roles.
- Principle of Least Privilege: Users are granted the minimum level of access necessary to perform their duties.
- Regular Access Rights Reviews: Organizations must regularly review and update access rights to ensure they remain appropriate.
- Contextual Access Restrictions: Access controls should consider the context of access requests, such as location, time, and device used.
- Multi-Factor Authentication (MFA): Strong authentication mechanisms, including MFA, are required to verify user identities.
These measures help organizations maintain control over user access, protect sensitive data, and comply with NIS2 requirements.
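To make the controls in the two lists above concrete (RBAC, least privilege, MFA, contextual restrictions, periodic access reviews, and audit logging), here is an added example of a small authorization engine for an OT operator workstation. It is not code from the original post or from any swIDch product; the roles, permissions, network range, maintenance window and user accounts are all constructed for illustration. Every decision, allowed or denied, is written to an audit record so that denied change attempts can be reviewed later.

```python
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress

# Hypothetical roles for an OT workstation, cut down to least privilege:
# each role carries only the permissions its job needs.
ROLE_PERMISSIONS = {
    "viewer":      {"read:process_values", "read:alarms"},
    "operator":    {"read:process_values", "read:alarms", "write:setpoint"},
    "maintenance": {"read:process_values", "read:diagnostics", "write:device_config"},
    "admin":       {"read:diagnostics", "write:device_config", "write:boot_mode", "manage:users"},
}

# Sensitive actions that require a verified second factor whatever the role.
MFA_REQUIRED = {"write:device_config", "write:boot_mode", "manage:users"}

# Contextual restrictions (constructed values): changes are only accepted from
# the engineering network, from a managed device, inside the maintenance window.
ENGINEERING_NET = ipaddress.ip_network("10.10.0.0/24")
MAINT_WINDOW = (time(8, 0), time(18, 0))


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    review_due: datetime   # next access-rights review; access lapses if it is missed


@dataclass(frozen=True)
class Context:
    source_ip: str
    at: datetime
    mfa_verified: bool
    managed_device: bool


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


AUDIT_LOG = []   # every decision, allowed or denied, is recorded here


def authorize(user, action, ctx):
    """Evaluate one access request against role, MFA and contextual policy.

    Checks are ordered so that the first failing control explains the denial."""
    def decide(allowed, reason):
        AUDIT_LOG.append({"user": user.name, "action": action, "source_ip": ctx.source_ip,
                          "at": ctx.at.isoformat(), "allowed": allowed, "reason": reason})
        return Decision(allowed, reason)

    if ctx.at >= user.review_due:
        return decide(False, "access rights review overdue")
    permitted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))
    if action not in permitted:
        return decide(False, "action not granted to user's roles")
    if action in MFA_REQUIRED and not ctx.mfa_verified:
        return decide(False, "MFA required for this action")
    if action.startswith("write:") or action.startswith("manage:"):
        if ipaddress.ip_address(ctx.source_ip) not in ENGINEERING_NET:
            return decide(False, "change requested from outside engineering network")
        if not ctx.managed_device:
            return decide(False, "change requested from unmanaged device")
        if not (MAINT_WINDOW[0] <= ctx.at.time() <= MAINT_WINDOW[1]):
            return decide(False, "change requested outside maintenance window")
    return decide(True, "permitted")


def denied_changes_by_user(log):
    """Accountability: summarise denied change attempts per user for periodic review."""
    counts = {}
    for entry in log:
        if not entry["allowed"] and not entry["action"].startswith("read:"):
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts


def run_scenarios():
    """Constructed requests exercising each control; returns {label: Decision}."""
    AUDIT_LOG.clear()
    review = datetime(2025, 1, 1)
    op = User("op.alice", frozenset({"operator"}), review)
    tech = User("mt.bob", frozenset({"maintenance"}), review)
    stale = User("ex.carol", frozenset({"admin"}), datetime(2024, 1, 1))  # review missed
    in_window = datetime(2024, 6, 3, 10, 30)
    night = datetime(2024, 6, 3, 23, 15)
    eng = lambda at, mfa=True, managed=True: Context("10.10.0.21", at, mfa, managed)
    return {
        "operator reads values":        authorize(op, "read:process_values", eng(in_window)),
        "operator edits device config": authorize(op, "write:device_config", eng(in_window)),
        "tech edits config with MFA":   authorize(tech, "write:device_config", eng(in_window)),
        "tech edits config no MFA":     authorize(tech, "write:device_config", eng(in_window, mfa=False)),
        "tech edits config at night":   authorize(tech, "write:device_config", eng(night)),
        "tech edits config from VPN":   authorize(tech, "write:device_config",
                                                  Context("192.168.50.9", in_window, True, True)),
        "stale admin account":          authorize(stale, "write:boot_mode", eng(in_window)),
    }


if __name__ == "__main__":
    for label, decision in run_scenarios().items():
        print(f"{label:32} {'ALLOW' if decision.allowed else 'DENY ':5} {decision.reason}")
    print("denied change attempts:", denied_changes_by_user(AUDIT_LOG))
```

The ordering of the checks matters for operations: an expired review denies everything first, role membership is checked before MFA, and the contextual checks apply only to actions that change state, so read-only monitoring from an office network is still possible while every configuration change is confined to the engineering network, a managed device and the maintenance window. The summary in `denied_changes_by_user` is the kind of figure an access-rights review would look at to spot accounts that keep requesting more than their role allows.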
The impact of not having proper authorisation
The impact of not having proper authorisation in OT environments can be severe and far-reaching:
- Security Breaches: Unauthorised access can lead to data breaches, exposing sensitive information and potentially compromising the integrity of operational systems.
- Operational Disruptions: Unauthorised changes or access to critical systems can cause operational disruptions, leading to downtime, production losses, and financial damage.
- Safety Risks: In industrial environments, unauthorised access can lead to safety hazards, putting workers and the public at risk.
- Regulatory Non-Compliance: Failing to implement proper authorisation controls can result in non-compliance with industry regulations and standards, leading to legal penalties and fines.
- Reputation Damage: Security incidents and breaches can harm an organization's reputation, eroding trust among customers, partners, and stakeholders.
Known CVEs related to improper authorisation
- CVE-2024-41969 is a vulnerability affecting the CODESYS V3 service used in various WAGO devices. This vulnerability arises from a missing authentication mechanism, allowing a low-privileged remote attacker to modify the configuration of the CODESYS V3 service. This could potentially lead to full system access and/or a Denial of Service (DoS) attack. The severity of this vulnerability is rated high, with a CVSS score of 8.8.
- CVE-2024-41967 is a vulnerability affecting certain devices where a low-privileged remote attacker can modify the boot mode configuration setup. This can lead to changes in the firmware upgrade process or even a Denial of Service (DoS) attack. The severity of this vulnerability is rated high, with a CVSS score of 8.1.
- CVE-2024-41968 is a vulnerability where a low-privileged remote attacker can modify the Docker settings of a device. This can lead to a limited Denial of Service (DoS) attack. The severity of this vulnerability is rated medium, with a CVSS score of 5.4.
- CVE-2024-41974 is a vulnerability where a low-privileged remote attacker can modify the BACNet service properties due to incorrect permission assignment for critical resources. This can lead to a Denial of Service (DoS) attack limited to BACNet communication. The severity of this vulnerability is rated high, with a CVSS score of 7.1.
- CVE-2024-41970 is a vulnerability where a low-privileged remote attacker can gain access to forbidden diagnostic data due to incorrect permission assignment for critical resources. This vulnerability has a medium severity rating with a CVSS score of 5.7.
The Strategic Imperative of Authorisation in OT Security
In the digital age, the security of OT environments is paramount. Proper authorisation and stringent user access controls serve as the first line of defense against potential cyber threats and operational disruptions. By implementing robust identity and access management practices, organizations can significantly enhance their cybersecurity posture, ensuring that only authorised personnel have access to critical systems and data.
This vigilance not only protects sensitive information and infrastructure but also ensures compliance with industry standards and regulations, such as IEC 62443 and the NIS2 Directive. Additionally, fostering a culture of proper user hygiene, including regular updates and audits of access credentials, is crucial in maintaining the integrity and safety of OT environments.
Ultimately, the management of user access rights is not just a technical necessity but a strategic imperative. It fortifies the resilience and security of critical infrastructure systems, safeguarding them against evolving threats in an increasingly interconnected world.
--------------------
Author: Vinny Sagar, Solution Architect, swIDch
With over 15 years of experience in pre-sales, consulting and software development in the Identity and Cyber Security space, Vinny has helped many clients across various industries and regions to design and deploy Zero Trust solutions that meet their specific needs and challenges.
--------------------
swIDch will continue its quest to innovate and pioneer next-generation authentication solutions. To stay up-to-date with the latest trends sign up to our newsletter and check out our latest solutions.