Local Access of ICS Devices – A Cybersecurity Perspective

7 January, 2021 | Blog

Shayne Casavant, P. Eng.

Industrial control systems cybersecurity specialist

While cybersecurity risks and concerns are not new to industrial operations and critical infrastructure, there has been a huge increase in cyber attacks and breaches over the last few years. This increase is being driven by several complex factors, such as the Internet of Things (IoT), Industry 4.0, legacy devices, open source hacking tools and a general lack of cybersecurity maturity for industrial control system (ICS) environments, just to name a few.

This blog article reviews a few options to consider as cybersecurity tools for local access management of ICS devices (e.g., protection relays, RTUs, PLCs, HMIs, etc.). Access management of ICS devices can be challenging due to a variety of factors, such as the sheer volume of end devices, travel time to remote locations, management of third-party contractors and maintenance personnel, and the lack of dedicated resources to manage appropriate access.

Although these challenges may seem daunting, doing nothing to address these risks will eventually lead to an incident that impacts production, safety, reputation or the environment. By implementing even the simplest form of controls, industrial businesses can see significant improvements in their overall cybersecurity posture.

Access Management Options

Centralized multi-function cybersecurity tools can provide excellent benefits when deployed properly. However, this option might not be appropriate for smaller businesses and facilities with more restrictive budgets and for those with a lower level of cybersecurity maturity.

The table below lists a few options to consider, but it is important to remember these will be limited to the capabilities of the ICS devices. As a general rule of thumb, it can be advantageous to have more than one method in your toolbox of options. It should also be noted that most of the options listed have free open-source alternatives, although these may lack some features or user interface refinements.

Finally, it is important to highlight that the access management options discussed are for local electronic access, and a dedicated remote access solution must be considered if remote access functionality is required. In this case, this means implementing an intermediate termination point (e.g., DMZ) for remote users and enforcing multi-factor authentication, among other recommended good practices. For more details on remote access considerations, refer to this blog article.

Access Management Option: Device integration with active directory, RADIUS or similar services
  Benefits:
  • Leverage existing domain controller or servers
  • Use existing permission groups
  • Leverage existing administrators to maintain systems
  • Leverage existing security monitoring tools
  Cost and other Considerations[1]:
  • Costs can be low, depending on the amount of existing systems that can be leveraged.
  • The level of effort to deploy can be low to moderate, depending on the complexities of the network infrastructure and user group structure.
  Open Source / Free Tools Available?
  • Yes, for some service types

Access Management Option: Implement a password vault
  Benefits:
  • Securely store and manage usernames and passwords for ICS devices
  • In some cases, can interface with other applications or tools
  Cost and other Considerations[1]:
  • Costs can be low, depending on the tool selected.
  • The level of effort to deploy can be low, depending on the number of features to be implemented
  Open Source / Free Tools Available?
  • Yes, with some open source options that have richer features than purchased alternatives. Plus, some commercial options may offer free versions for smaller installations

Access Management Option: Implement a centralized engineering workstation
  Benefits:
  • In some cases, can leverage existing virtualized infrastructure
  • Restrict or limit other methods of device access
  • Control vendor software versions
  • Use to maintain device configurations in a centralized repository
  Cost and other Considerations[1]:
  • Cost can be low to moderate, depending on the amount of existing systems that can be leveraged.
  • The level of effort to deploy can be low to moderate, depending on the complexities of the network infrastructure.
  Open Source / Free Tools Available?
  • Yes, but will depend on the required operating system and individual vendor software licences

Access Management Option: Implement a Privileged Access Management (PAM) software solution
  Benefits:
  • The users no longer need to know the usernames and passwords of the end devices
  • Provides a protocol break for improved security
  • Restricts certain vendor software versions to specific devices (when multiple versions exist)
  Cost and other Considerations[1]:
  • Cost can be low to high, depending on the tool selected.
  • The level of effort to deploy can be low to high, depending on the functionality to be implemented and the complexities of the network infrastructure.
  Open Source / Free Tools Available?
  • Yes, although with feature limitations. Also, some vendors offer free trials or demos

Access Management Option: Implement a security gateway
  Benefits:
  • Provides local access management (e.g., single substation or one processing area)
  • In some cases, can integrate with existing domain controller for front-end authentication
  • Provides a password vault
  • In most cases, also provides firewall capabilities
  • Can provide a secure IP interface to serial-based devices with protocol mapping
  Cost and other Considerations[1]:
  • Cost can be moderate to high, depending on the tool selected.
  • The level of effort to deploy can be moderate to high, depending on the functionality to be implemented and the complexities of the network infrastructure.
  Open Source / Free Tools Available?
  • No

[1] Typical factors that will impact both cost and the level of effort for deployment include the number of ICS devices and the asset types.

Conclusion

Local access management of ICS devices has some considerable challenges, but there are relatively simple and cost-effective options available. By implementing access management tools for ICS devices, the operational facility and business will have an improved cybersecurity posture. Although this blog article focuses on local access management tools, a similar approach can be taken with other types of cybersecurity tools (e.g., configuration management, threat monitoring, patch management, etc.).

In order to reduce the risk and the time it takes to implement cybersecurity solutions, it is recommended to stage and execute validation tests, proof of concept (PoC) tests or other integration tests in a comprehensive industrial cybersecurity lab.

BBA’s lab has demonstrated its added value in numerous projects. An off-site lab environment can greatly facilitate the success of a large-scale deployment of your cybersecurity tools and solutions across your ICS operating environment.

If you have any questions or want to learn more, feel free to contact us.

This content is for general information purposes only. All rights reserved ©BBA
